Data Encryption with Couchbase Server

With more and more data being stored in Couchbase, big data security is become a hot topic these days. Organization across all verticals and public sectors are increasingly challenged to protect their sensitive data assets, or face severe penalties if they don’t. In a recent insider threat report published by Vormetric, 93% of U.S. organizations report to be vulnerable to insider threats. Data encryption is an effective way to prevent sensitive data access and has become an important security control in many regulatory standards including internal security attacks. This blog will go over the multiple levels at which you can protect your sensitive data for your Couchbase app.

Data encryption at application

Even before data hits the wire and is sent to the server, you can encrypt it inside your application. Couchbase’s data model allows you to store both JSON documents as well as binary data (for example an encrypted blob). In many ways, your app is the best place to encrypt data because it knows exactly whether the information is sensitive or not and can apply protection selectively. For your app to encrypt data, you will need an encryption key and this key should be kept secret either using a secure key ring, or in a hardware security module (HSM). It’s never a good idea to implement your own encryption algorithm and if you want to encrypt data in your app, you should use a standard encryption library. For example, Vormetric provides application encryption libraries that can be used without the complexity and risk of implementing an in-house encryption and key management solution.

Don’t forget to also checkout the sample python code to encrypt data at the field level in Couchbase.

Data in motion encryption

When data is moving between client and server

So, when you’re data is on the wire, it needs to be protected from a man-in-the-middle attacker who is eavesdropping on the connection. Couchbase SDKs 2.0 and higher with Couchbase Server 3.0 enable encrypted data access using SSL for client-server communications. Without SSL (as shown in the image below), a simple wireshark probe of the connection between the client and server can reveal quite a bit of sensitive information.

With SSL enabled, data to and from the server is encrypted using the server certificate that is configured and stored in the client certificate store. It is a good security best practice, to regenerate the SSL certificate periodically as per your organizations security requirements.

In addition to encrypted data access, Couchbase 3.0 also includes support for secure admin access. This enables administrators to securely browse and administer Couchbase Server through the browser, even over a public network. So, what does an encrypted connection look like under wireshark? Take a look at the wireshark screenshot below –

When data is moving between servers within a cluster

Your data needs to be available for your apps 24x7x365. This means that if a server dies in the cluster, your app should still be able to access your data. For high availability, Couchbase replicates data within the cluster and across datacenters – within a cluster, every document stored in Couchbase can be replicated upto 3 times. If all your sensitive data is already encrypted in the documents, the replica copies will be transmitted as is and stored (i.e. encrypted). For added security, it is a good practise to use IPSec on the network between Couchbase server nodes.

When data is moving between datacenters

If you have datacenters across different geographies, and are worried about sensitive data flowing between them, you can use the secure XDCR (Cross Datacenter Replication) feature in Couchbase. Secure XDCR enables you to encrypt traffic between two data centers using an SSL connection. When you use Secure Cross Datacenter Replication (XDCR), all traffic in the source and destination data centers will be encrypted. This will cause a slight increase in the CPU load, since any encryption needs additional CPU cycles. It is a good security practice to periodically rotate the XDCR certificates as per your organization security policies.

Data encryption on-disk

Vormetric offers a powerful, policy-driven, transparent encryption solution for Couchbase Server. With Vormetric, sensitive data in Couchbase will be encrypted-at-rest on disk. This ensures that your data will not be compromised if your database is stolen, copied, lost, or otherwise improperly accessed.

The solution involves Vormetric agents installed at the storage layer, that transparently encrypt data. The agents talk to a distributed data security manager that could be a physical / virtual appliance and is responsible for securely storing encryption keys. Couchbase reads and writes sensitive information to the storage layer without any changes to the application or the database.

To learn more about how Vormetric and Couchbase works together, don’t forget to register for our upcoming live webinar.