In the past few weeks, you may have noticed news headlines like, A hacker has wiped, defaced more than 15,000 Elasticsearch servers or Unprotected Elasticsearch Server Leaks 5 Billion Records. Unfortunately, this is not the first time or the last time we will see headlines like this. What is this “Elasticsearch” and why is it leaking all my data, and what can I do about it?
Elasticsearch is a distributed, open source search and analytics engine for all types of data, including textual, numerical, geospatial, structured, and unstructured. Elasticsearch is fast, distributed, and comes with a wide set of features that simplifies data ingest, visualization, and reporting.
Elasticsearch is powerful! Within hours you can have an Elasticsearch stack up and running on your Kubernetes cluster collecting every application transaction, log event, and system event happening in your environment. Before you know it, you will have millions to billions of data points that you can slice, dice, and chop to satisfy even the hungriest of data nerds. Like Splunk, Elasticsearch scales to support big data use cases, provides a robust suite of tools to analyze/visualize your data, and can drive huge improvements in your analytics, monitoring, and/or security program depending on your use case. However, if done incorrectly, you could unintentionally put all of your awesome new data at risk and end up in the headlines.
At C2 Labs, we solve data problems at the extreme end of complexity and scale; always with a mindset towards improving security. To that end, Jed Thornock (C2 Labs Senior DevOps Engineer) has developed a list of his top 6 best practices for securing ElasticSearch in Kubernetes.
Top 6 Elasticsearch Security Best Practices:
1. Do not expose Elasticsearch to the Internet. Most hackers can easily create a script to crawl the internet to check for open access to the default Elasticsearch ports. Even with authentication and security enabled, if you expose port 9200, you are a target.
2. Use the latest version of Elasticsearch. The xpack security modules are free in the later versions and keeping your stack up to date will give you the latest vulnerability fixes.
3. Elasticsearch is only as secure as the environment it runs on. Start by securing the Kubernetes environment before you deploy Elasticsearch . An Elasticsearch stack with all the security features enabled can easily be compromised if running on an insecure Kubernetes environment.
4. Enable SSL/TLS communication between your Elasticsearch nodes. To enable Elasticsearch security features, you must configure SSL/TLS for internode-communication.
5. Use the RBAC features in Kibana. With little effort, you can control user access down to the data field level.
6. Enable Elasticsearch Audit logging. Log security-related events such as failures and refused connections. Audit logging also provides forensic evidence in the event of an attack.
So now you are thinking to yourself, thanks for the tips, I could have easily Googled “Elasticsearch Security Best Practices” and came up with a similar list. However, we had a hard time finding information on how to implement some of these best practices when running an Elasticsearch stack on top of a Kubernetes cluster. Increasingly, C2 Labs is moving to run all of our workloads on Kubernetes as we believe it is the future of the data center, whether you run on-premise or in the cloud. It provides a scalable, resilient, and secure environment for application hosting but there is just not a lot of information out there on running complex applications likes an ELK stack on top of Kubernetes; especially in a secure manner.
At C2Labs, we don’t want to just tell you what you should do to secure Elasticsearch on Kubernetes. Instead, we developed a step by step lab to walk you through how to implement the best practices above with example commands, configuration files, and detailed instructions. This tutorial is available for you to clone on GitHub and can be completed in less than an hour: https://github.com/C2-Labs/k8s-security-elasticsearch
Are you struggling to secure your Elasticsearch or Kubernetes environment? Don't know where to start? Let the experts at C2 Labs help you by scheduling your free one hour consultation today.
Comments