Previously called the ELK Stack (an abbreviation for Elasticsearch, Logstash, and Kibana), the product group was renamed when the addition of other tools (such as Beats and APM) made the acronym inaccurate. Curiously, the free distribution of Elasticsearch and Kibana shipped with no security plugin at all until very recently, and even now only the basic security features are included.
Elastic Stack is widely popular because it satisfies the need to have a centralized platform for carrying out searches, log management, and data analysis. With this software solution, engineers can overcome the difficulties of monitoring and managing highly distributed, chaotic, and dynamic IT environments.
Despite its robustness and versatility, Elastic Stack has been at the centre of a long series of data exposures, and the cause is almost always the same: an Elasticsearch instance reachable from the Internet with no authentication in front of it. For example, in late 2018, an unprotected Elasticsearch server exposed the personal data of more than 57 million U.S. citizens, and early 2019 brought several more breaches from Internet-facing instances. To cut down on these incidents, Elastic, the company behind the Stack, announced that the software’s core security features are now free for everyone (a paid Gold subscription plan was previously required).
In this article, we explore how to use the Stack’s default security features to keep data secure. We’ll also tell you how to enhance the safety of your Elastic Stack beyond the default capabilities, using an external security plugin such as ReadonlyREST.
Implement User Authentication
User authentication is an important security measure that verifies the identity of the individual accessing a self-hosted or SaaS-deployed ELK solution. It is the first step in safeguarding the sensitive data passing through the Elastic product suite.
With the release of Elastic Stack versions 6.8 and 7.1, the most basic level of authentication is available to everyone: users must present a username and password before they can reach the cluster or log in to Kibana. If you do not enable it, every request gets full access, so anyone who can reach port 9200 can read, modify, or delete every index. Expose such a cluster to the Internet and routine scanning will find it quickly.
In the past, users relied on an Nginx reverse proxy to add basic authentication between clients and the cluster, a taxing and delicate setup: since every node services HTTP requests, forgetting the firewall rule on a single node bypassed the proxy and exposed the whole cluster. With the new versions of Elasticsearch and Kibana, basic authentication is enforced by the nodes themselves, which is easier to set up and well worth doing.
In addition, the Elastic Stack offers a wide range of authentication realms: the native realm (users stored in Elasticsearch itself), the file realm, LDAP, Active Directory, PKI client certificates, and single sign-on (SSO) options such as SAML and Kerberos. Only the native and file realms are in the free tier; at the time of writing, LDAP, Active Directory, PKI, and the SSO realms require a paid subscription.
As of today, ReadonlyREST is the only Elasticsearch and Kibana security plugin on the market that offers an LDAP/Active Directory authentication and authorization connector in the free tier.
Implement User Authorization
Authorization, which is closely linked to authentication, refers to the technique of specifying the level of privileges granted to users who access the Elastic Stack. If you employ role-based access privileges criteria, you can control who does what within the Stack.
The free tier of Elasticsearch and Kibana 6.8+ includes role-based access control: a role bundles cluster privileges (such as monitor or manage) with index privileges (such as read or write on an index pattern), and users or groups are mapped to roles. Finer-grained controls such as document-level and field-level security remain paid features, so on the free tier the index is your unit of isolation.
Using ReadonlyREST for Kibana, you can grant a user or a group of users fine-grained permissions on which indices, documents, or even fields can be accessed, and which Kibana apps can be used. Optionally, a user or a group can be isolated in its own tenancy.
When two users or groups each have their own tenancy, each saves its visualizations, dashboards, saved searches, and other Kibana objects to its own Kibana index instead of the shared .kibana index. Each user or group has the illusion of a private ELK cluster, and neither can step on the other’s toes while they work.
For example, using the ACL, you can define two groups of users, “Sales” and “Ops,” grant each group permission to see only its own indices, and give each group its own tenancy.
You can then associate as many users as you wish with each group. For example, a read-only user who can view but not change the dashboards, a read-write user who can create and edit dashboards, and perhaps an admin user who can edit the ACL itself, which changes the security settings of the whole cluster.
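The Sales/Ops layout just described, written out as a ReadonlyREST ACL. This is an added example, not configuration from the article or a sample shipped with the plugin: the user names, passwords, group names, index patterns, and tenancy index names are assumptions, and the rule keys (access_control_rules, groups, indices, kibana_access, kibana_index, users, auth_key) are used as the plugin documents them; check them against your plugin version.

```yaml
# readonlyrest.yml (added example; all names and credentials are placeholders)
readonlyrest:
  access_control_rules:

    # Rules are evaluated top to bottom and the first match wins, so the most
    # privileged and most specific rules come first.

    # Kibana's own backend user must be allowed through before any tenant rule.
    - name: "::KIBANA-SRV::"
      auth_key: kibana:<kibana-server-password>     # placeholder credential

    # Ops administrators: may edit the ACL from the Kibana app (admin) and are
    # isolated in their own tenancy, i.e. their own saved-objects index.
    - name: "Ops admins"
      groups: ["ops_admins"]
      kibana_access: admin
      kibana_index: ".kibana_ops"
      indices: ["logs-*", "metrics-*", ".kibana_ops"]

    # Ops read-write: same data and tenancy, can build dashboards, cannot touch the ACL.
    - name: "Ops read-write"
      groups: ["ops_rw"]
      kibana_access: rw
      kibana_index: ".kibana_ops"
      indices: ["logs-*", "metrics-*", ".kibana_ops"]

    # Sales read-only: sees only sales-* data, in a separate tenancy, and cannot
    # save or modify any Kibana object.
    - name: "Sales read-only"
      groups: ["sales_ro"]
      kibana_access: ro
      kibana_index: ".kibana_sales"
      indices: ["sales-*", ".kibana_sales"]

  # Users are bound to groups, and the groups to the rules above. Plain auth_key
  # is shown for readability; use the hashed variant (auth_key_sha256) in production.
  users:
    - username: alice
      auth_key: alice:<password>                    # placeholder
      groups: ["ops_admins"]
    - username: bob
      auth_key: bob:<password>                      # placeholder
      groups: ["ops_rw"]
    - username: carol
      auth_key: carol:<password>                    # placeholder
      groups: ["sales_ro"]
```

Because the first matching rule wins, a user who belongs to both an admin group and a read-only group would get the admin rule; keep group membership disjoint, or order the rules so the least privileged one a shared user should get comes first. The tenancy index must appear in the indices list of every rule that uses it, otherwise Kibana cannot read the tenant's saved objects.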
Enable Encryption
The default Elastic Stack distribution now includes free TLS encryption, which protects the confidentiality and integrity of data in transit. If you do not enable it, everything on the wire, including every user’s credentials and whatever sensitive fields your indices hold, such as passwords or card numbers that ended up in logs, crosses the network in plain text, where anyone on the path can sniff or tamper with it. Note that this covers data in transit only: Elasticsearch does not encrypt data at rest, so use disk or volume encryption for the data directories.
The new distributions of Elasticsearch secure internal communication between cluster nodes with Transport Layer Security (TLS). If you also turn on certificate verification, each node must present a certificate signed by your own certificate authority before it is allowed to join, so a node without the right certificate, whether misconfigured or malicious, is rejected. Before 6.8, free-tier users could only put HTTPS in front of the cluster with a reverse proxy, which was awkward and time consuming to configure, and had no way to encrypt node-to-node traffic without a paid license or a third-party plugin. With TLS enabled you secure node-to-node connections, HTTP traffic, and client traffic across each component of your Elastic Stack.
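The authentication and TLS settings covered in this section and in “Implement User Authentication”, collected into one elasticsearch.yml for 6.8/7.1+. This is an added example, not configuration from the article or from Elastic; the cluster name, bind address, certificate file names, and the CA handling in the comments are assumptions.

```yaml
# elasticsearch.yml (added example). Settings are the free-tier xpack.security keys;
# names, addresses and file names are placeholders.
#
# 1. Create a CA and a node certificate with the bundled tool, once, and copy the
#    resulting .p12 files into config/ on every node:
#      bin/elasticsearch-certutil ca            # -> elastic-stack-ca.p12
#      bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12   # -> elastic-certificates.p12
#    If you gave the .p12 a password, store it in the keystore rather than here:
#      bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
#      bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

cluster.name: secure-logs            # assumed
network.host: 10.0.0.5               # assumed; the default is loopback, which is the safe default

# Require a username and password on every request. With this off, anyone who can
# reach port 9200 has full access. On a multi-node cluster, turning this on also
# requires transport TLS below, or the node refuses to start.
xpack.security.enabled: true

# Node-to-node (transport, port 9300) TLS. verification_mode "certificate" rejects any
# node whose certificate is not signed by your CA; "full" additionally checks hostnames.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12

# Client-facing HTTPS on port 9200, so credentials are never sent in the clear.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: elastic-certificates.p12
xpack.security.http.ssl.truststore.path: elastic-certificates.p12

# 2. Start the node, then set the built-in users' passwords (elastic, kibana, ...):
#      bin/elasticsearch-setup-passwords interactive
# 3. Verify. Export the CA as PEM for curl (bin/elasticsearch-certutil ca --pem) and check
#    that an anonymous request is refused and an authenticated one is accepted:
#      curl -s -o /dev/null -w '%{http_code}\n' --cacert ca.crt https://10.0.0.5:9200/
#        -> 401
#      curl -s -u elastic --cacert ca.crt https://10.0.0.5:9200/_security/_authenticate
#        -> 200 with the "elastic" user and its roles
#    A 200 on the first request means security is not actually enabled on that node.
```

Point Kibana at the cluster over HTTPS as well (elasticsearch.hosts with an https:// URL, the kibana user’s credentials, and elasticsearch.ssl.certificateAuthorities set to the same CA); a Kibana that still talks plain HTTP to port 9200 re-creates the clear-text problem for every logged-in user.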
With the free tier of ReadonlyREST for Elasticsearch, implementing inter-node encryption is much easier, and can be done with a handful of lines of YAML configuration.
Maintain an Audit Trail
Vigilance is key to maintaining the security of your Elastic Stack. Audit logging records who did what in the cluster, which lets you investigate incidents and diagnose operational malfunctions. Note that Elastic’s own audit logging is not part of the free tier at the time of writing (it requires a Gold subscription); ReadonlyREST ships audit logging in its free tier.
By reviewing access patterns, successful logins, and failed login attempts, you can spot a password-guessing burst or a login from an unexpected address and act before more damage is done. Without an audit trail you cannot even tell whether a user who logged in and pulled a large amount of data was doing their job or exfiltrating it.
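The review described above, done as code rather than by eye: a small detector that reads Elasticsearch JSON audit log lines and flags a password-guessing burst from one address, and a successful login from an address that had just been failing. This is an added example, not code from the article, from Elastic, or from ReadonlyREST. The field names (event.action, user.name, origin.address, timestamp) follow the Elasticsearch 7.x JSON audit log; the sample lines are constructed for the demonstration and the thresholds are assumptions to tune for your environment.

```python
"""Flag suspicious login patterns in Elasticsearch 7.x JSON audit logs.

Added example (not from the article, Elastic or ReadonlyREST). Sample lines
and thresholds are constructed/assumed for the demonstration.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# 7.x writes timestamps like "2019-06-10T13:00:01,000+0000": a comma before the millis.
TS_FORMAT = "%Y-%m-%dT%H:%M:%S,%f%z"

# Constructed sample log: a guessing burst from 203.0.113.7 against the built-in
# "elastic" user that finally succeeds, plus benign noise from other hosts.
SAMPLE_AUDIT_LOG = """\
{"type":"audit","timestamp":"2019-06-10T13:00:01,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.address":"203.0.113.7:40112","url.path":"/_cat/indices","request.method":"GET"}
{"type":"audit","timestamp":"2019-06-10T13:00:04,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.address":"203.0.113.7:40113","url.path":"/_cat/indices","request.method":"GET"}
{"type":"audit","timestamp":"2019-06-10T13:00:05,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"admin","origin.address":"198.51.100.2:51000","url.path":"/","request.method":"GET"}
{"type":"audit","timestamp":"2019-06-10T13:00:08,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.address":"203.0.113.7:40114","url.path":"/_cat/indices","request.method":"GET"}
{"type":"audit","timestamp":"2019-06-10T13:00:12,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.address":"203.0.113.7:40115","url.path":"/_cat/indices","request.method":"GET"}
{"type":"audit","timestamp":"2019-06-10T13:00:15,000+0000","event.type":"rest","event.action":"authentication_success","user.name":"kibana","realm":"native","origin.address":"10.0.0.5:33000","url.path":"/_security/_authenticate","request.method":"GET"}
{"type":"audit","timestamp":"2019-06-10T13:00:17,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.address":"203.0.113.7:40116","url.path":"/_cat/indices","request.method":"GET"}
{"type":"audit","timestamp":"2019-06-10T13:00:21,000+0000","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.address":"203.0.113.7:40117","url.path":"/_cat/indices","request.method":"GET"}
{"type":"audit","timestamp":"2019-06-10T13:00:30,000+0000","event.type":"rest","event.action":"authentication_success","user.name":"elastic","realm":"reserved","origin.address":"203.0.113.7:40118","url.path":"/_cat/indices","request.method":"GET"}
{"type":"audit","timestamp":"2019-06-10T13:00:31,000+0000","event.type":"transport","event.action":"access_denied","user.name":"kibana","origin.address":"10.0.0.5:33001","action":"indices:admin/delete"}
"""


def parse_event(line):
    """Return (timestamp, action, user, origin_ip) for an audit line, or None if unusable."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    if ev.get("type") != "audit" or "timestamp" not in ev:
        return None
    ts = datetime.strptime(ev["timestamp"], TS_FORMAT)
    # origin.address is "ip:port"; drop the ephemeral port so retries from one host aggregate.
    origin_ip = ev.get("origin.address", "").rsplit(":", 1)[0]
    return ts, ev.get("event.action"), ev.get("user.name"), origin_ip


def detect_suspicious_logins(lines, max_failures=5, min_prior_failures=3,
                             window=timedelta(minutes=5)):
    """Sliding-window detection over audit lines in chronological order.

    Rules (thresholds are assumptions):
      brute_force            - >= max_failures authentication_failed from one origin
                               inside `window`; reported once per burst.
      success_after_failures - authentication_success from an origin that had
                               >= min_prior_failures failures inside `window`.
    """
    recent_failures = defaultdict(deque)   # origin_ip -> timestamps of recent failures
    already_reported = set()               # origins whose current burst was reported
    alerts = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, action, user, origin = parsed
        q = recent_failures[origin]
        while q and ts - q[0] > window:    # expire failures that fell out of the window
            q.popleft()
        if action == "authentication_failed":
            q.append(ts)
            if len(q) >= max_failures and origin not in already_reported:
                already_reported.add(origin)
                alerts.append({"rule": "brute_force", "origin": origin, "user": user,
                               "failures": len(q), "at": ts.isoformat()})
        elif action == "authentication_success":
            if len(q) >= min_prior_failures:
                alerts.append({"rule": "success_after_failures", "origin": origin,
                               "user": user, "prior_failures": len(q),
                               "at": ts.isoformat()})
            q.clear()                      # a success ends the burst for this origin
            already_reported.discard(origin)
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(SAMPLE_AUDIT_LOG.splitlines()):
        print(json.dumps(alert))
```

On the sample above this reports one brute_force alert for 203.0.113.7 at the fifth failure and one success_after_failures alert when the same address finally logs in as elastic; the single failure from 198.51.100.2 and the normal kibana login stay quiet. Feed it the tail of logs/<cluster>_audit.json (or the equivalent ReadonlyREST audit index) and treat success_after_failures as the high-priority one: it means a guessed password is now in use.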
Network isolation should not wait for an audit to uncover something odd. Elasticsearch binds to the loopback interface by default; once you set network.host to a reachable address, put the cluster behind a firewall or VPN so that only Kibana, ingest agents, and administrators can reach ports 9200 and 9300, and keep the nodes off the public Internet. This minimizes the attack surface, and an audit finding then becomes a reason to tighten those rules further rather than to create them.
Install a Plugin like ReadonlyREST
In addition to the default capabilities of Elastic Stack, you can also use a security plugin, such as ReadonlyREST, to optimize the security of your deployments. In the world of security, there is no one-size-fits-all solution, and while achieving security in the Elastic Stack can be challenging, implementing multiple layers can increase security and give you peace of mind.
The ReadonlyREST plugin covers authentication, authorization, encryption, and auditing, along with other components that keep your data safe. It is straightforward to integrate and light on performance, which makes it easier to get the security basics right.
Because ReadonlyREST keeps the security configuration in a single, small YAML file, there is less to get wrong, which reduces the misconfigurations, inefficient processes, and misalignments that expose data to breaches.
Security in the Elastic Stack should not be taken lightly, since if data stored in the product suite is lost, your organization’s reputation and bottom line could be jeopardized. Because of this, you should take deliberate measures to safeguard your software stack from malicious actors. And remember that Elastic Stack’s ability to gather, keep, and query data cannot be fully realized if its management is left to people who are not security conscious.
In addition to taking advantage of Elastic Stack’s default security features, consider a trusted external security tool like ReadonlyREST where the free tier falls short, for example LDAP/Active Directory authentication or audit logging. Done properly, securing the Stack costs little and takes nothing away from its usefulness.
HOW CERN SAVES MONEY WITH READONLYREST
This year, CERN (The European Organization for Nuclear Research) optimized the usage of computing resources by consolidating 30+ Elasticsearch clusters into a handful of multi-user clusters.
Watch the presentation CERN organized to understand the guiding principles behind ReadonlyREST.