Security Best Practices
Best practices should be observed at all times, in order to ensure the security of Couchbase Server itself, the media it uses for data-persistence, the internal and external networks on which it resides, and the applications that query it.
Securing Couchbase Server
Security must be enforced — in order to protect data from being stolen, eavesdropped upon, or corrupted — throughout the entire Couchbase Server-environment: this environment includes the internal memory, processing, and storage-facilities of individual server-nodes within a cluster; the network across which the nodes communicate with one another; and the network beyond the cluster-perimeter. Security procedures must be checked constantly; and should be upgraded with frequency.
Within the Cluster
On each node of the Couchbase Server-cluster, essential security measures include:
- Password enforcement
- Bucket authentication and protection
- Securing administrative access
- Performing encryption
- Maintaining access-logs
All are described in detail, in this section.
Beyond the Cluster
Security must be maintained:
- Across the network, by proper configuration of IP tables and ports.
- Within individual applications, by appropriate use of the client configuration cache, and by performing user input validation.
- In the cloud, through appropriate configuration of Network Access Control Lists (ACLs) and security groups, as well as Cross Datacenter Replication (XDCR).