Security in the cloud

There are two security measures you can implement in a cloud deployment: network ACLs and secure XDCR.

Network ACLs and security groups

For the Amazon Virtual Private Cloud (VPC), security is provided with:
  • Network Access Control Lists (ACLs), which are an optional layer of security that acts as a firewall for controlling traffic in and out of a subnet.
  • Security groups, which act as a virtual firewall for your instance to control inbound and outbound traffic.
To ensure security:
  • On the host level, you can set individual SSL keys using a bastion host. Make sure that accesses to your Couchbase instances are logged and audited through Amazon's logging capabilities.
  • Obtain customer-generated key pairs.
  • Set up an outbound firewall instance in the VPC.
  • Sign your calls using a certificate or a customer key to protect your access.

Secure XDCR

Secure Cross Datacenter Replication (XDCR) enables you to encrypt traffic between two data centers using an SSL connection. All traffic between the source and destination data centers is encrypted, which results in a slight increase in CPU load because encryption requires additional CPU cycles.

As a security best practice, periodically rotate the XDCR certificates and also make sure that you instantiate a new certificate on the remote cluster.

To configure security in XDCR, do the following:
  1. Access the dialog at XDCR > Create Cluster Reference.

  2. Enter the following information:
     Cluster Name
       Name of the cluster you are adding.
     Hostname or IP address
       The hostname or IP address of a node in the cluster you are adding.
     Username and password
       The login credentials for the remote cluster.
     Enable encryption
       If this option is selected, XDCR data encryption occurs using SSL. A window opens where you must paste the SSL certificate obtained from the remote cluster. This certificate is available on the remote cluster under Settings > Cluster.
       Attention: Do not share the certificate with any unintended entities.
       Attention: Regenerate the certificate periodically based on your organizational requirements.
Note: It is recommended to conduct traffic for XDCR using a Virtual Private Network (VPN).
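The same configuration driven from the REST API instead of the dialog, as an added example (not the page's own code): it fetches the remote cluster's certificate, checks that what was obtained is a PEM certificate rather than a key before it is sent, and creates the reference with encryption demanded. The endpoints `/pools/default/certificate` and `/pools/default/remoteClusters` and the form parameter names are assumed from the Couchbase REST API; hosts and credentials are constructed placeholders.

```python
import base64
import urllib.parse
import urllib.request

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def check_certificate_pem(pem: str) -> str:
    """Reject anything that is not a single PEM certificate, so a wrong paste
    (a private key, an empty string) fails before the reference is created."""
    pem = pem.strip()
    if not (pem.startswith(PEM_BEGIN) and pem.endswith(PEM_END)):
        raise ValueError("remote cluster certificate is not a PEM certificate")
    if "PRIVATE KEY" in pem:
        raise ValueError("refusing to send a private key as the certificate")
    return pem + "\n"


def build_remote_cluster_form(name, hostname, username, password, pem) -> bytes:
    """Form body for POST /pools/default/remoteClusters (assumed endpoint).
    demandEncryption=1 is what the 'Enable encryption' checkbox sets."""
    fields = {
        "name": name,                  # cluster name shown in the XDCR UI
        "hostname": hostname,          # a node of the remote cluster, host:8091
        "username": username,          # login credentials for the remote cluster
        "password": password,
        "demandEncryption": "1",
        "certificate": check_certificate_pem(pem),
    }
    return urllib.parse.urlencode(fields).encode()


def _basic_auth(user: str, pw: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()


def fetch_remote_certificate(remote_base: str, user: str, pw: str) -> str:
    """GET /pools/default/certificate on the remote cluster (assumed endpoint)."""
    req = urllib.request.Request(f"{remote_base}/pools/default/certificate",
                                 headers={"Authorization": _basic_auth(user, pw)})
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


def create_secure_reference(source_base: str, admin: str, admin_pw: str, body: bytes) -> int:
    req = urllib.request.Request(f"{source_base}/pools/default/remoteClusters", data=body,
                                 headers={"Authorization": _basic_auth(admin, admin_pw)})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # HTTP status of the create call; 200 on success
```

Rotating the certificate, as the text recommends, means running the fetch step again and re-creating or updating the reference with the new PEM; the check rejects a stale paste that is not a certificate at all.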