Security Best Practices
Security is a shared responsibility between Huawei Cloud and you. Huawei Cloud provides secure cloud services. As a tenant, you should properly use the security capabilities provided by cloud services to protect data, and securely use the cloud. For details, see Shared Responsibilities.
This section provides best practices for enhancing security of GeminiDB Cassandra API. You can continuously evaluate the security status of your GeminiDB Cassandra instances and combine different security capabilities provided by GeminiDB Cassandra API. By doing this, data in GeminiDB Cassandra instances can be protected from being disclosed or tampered with.
Consider the following aspects for your security configurations:
- Avoiding Binding EIPs to GeminiDB Cassandra Instances for Internet Access
- Avoiding Weak Passwords
- Avoiding the Default Port
- Configuring Instance Access Logs
- Enabling SSL
- Enabling Disk Encryption
- Enabling Data Backup
- Configuring Monitoring by Seconds and Alarm Rules
- Upgrading the Version
Avoiding Binding EIPs to GeminiDB Cassandra Instances for Internet Access
Do not deploy GeminiDB Cassandra API on the Internet or in a DMZ. Deploy it on your internal network and use routers or firewalls to protect it. Binding EIPs to GeminiDB Cassandra instances for Internet access is not recommended, because it exposes the instances to unauthorized access and DDoS attacks. If EIPs are necessary, configure security groups.
Avoiding Weak Passwords
When setting or changing an account password, ensure that the password meets the password complexity requirements, and do not use weak passwords. Doing so protects passwords against hacker attacks and rainbow table attacks. You can check password strength using the API.
Avoiding the Default Port
The default port of GeminiDB Cassandra API is 9042. To avoid port sniffing, use a non-default port. For details, see Changing the Database Port.
Configuring Instance Access Logs
After access logs are configured, new audit, error, and slow query logs of GeminiDB Cassandra instances will be uploaded to LTS for management. You can view, search for, and download audit, error, and slow query logs of GeminiDB Cassandra instances. The log data is graphically displayed to make it easier to analyze and understand. For details, see Managing Log Configurations.
Enabling SSL
If SSL is disabled, data transmitted between the Cassandra client and server is vulnerable to eavesdropping, tampering, and man-in-the-middle attacks. To improve data transmission security, you are advised to enable SSL. For details, see Encrypting Data over SSL.
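The following Python client is an added example, not part of the original Huawei Cloud documentation. Enabling SSL on the instance only stops man-in-the-middle attacks if the client also verifies the server certificate, so the client below checks the endpoint against the guidance on this page (no default port, no public address) and then connects with certificate and hostname verification. It assumes the open-source cassandra-driver package; the function names and the CA file path are hypothetical.

```python
import ipaddress
import ssl

DEFAULT_CQL_PORT = 9042  # default port named on this page


def build_tls_context(ca_file=None):
    """TLS context that authenticates the server, not just encrypts.

    ca_file: CA certificate for the instance (hypothetical path); None
    falls back to the system trust store.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Encryption without these two checks still allows man-in-the-middle.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def validate_endpoint(host, port):
    """Return the ways an endpoint contradicts the page's guidance."""
    problems = []
    if port == DEFAULT_CQL_PORT:
        problems.append("port 9042 is the default; use the changed database port")
    try:
        if ipaddress.ip_address(host).is_global:
            problems.append("public address; connect over the internal network")
    except ValueError:
        pass  # a hostname cannot be classified offline
    return problems


def connect(host, port, username, password, ca_file=None):
    """Open a verified TLS session, refusing endpoints that fail the checks."""
    problems = validate_endpoint(host, port)
    if problems:
        raise ValueError("; ".join(problems))
    # Imported lazily so the checks above run without the driver installed.
    from cassandra.auth import PlainTextAuthProvider
    from cassandra.cluster import Cluster
    cluster = Cluster(
        [host],
        port=port,
        ssl_context=build_tls_context(ca_file),
        # The driver needs server_hostname when check_hostname is enabled.
        ssl_options={"server_hostname": host},
        auth_provider=PlainTextAuthProvider(username=username, password=password),
    )
    return cluster.connect()
```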
Enabling Disk Encryption
Disk encryption improves data security. For details, see the description about disk encryption in Buying a GeminiDB Cassandra Instance.
Enabling Data Backup
GeminiDB Cassandra instances support automated and manual backups. You can periodically back up databases. If a database is faulty or data is corrupted, you can restore the database using backups to ensure data reliability. For details, see Data Backup.
Configuring Monitoring by Seconds and Alarm Rules
GeminiDB Cassandra instances are monitored by default. If a metric exceeds the specified threshold, an alarm is triggered and automatically sent to the cloud account through SMN, so you can stay on top of your GeminiDB Cassandra instance status. Configure monitoring and alarm rules based on service requirements. For details, see Monitoring and Alarms.
Upgrading the Version
A minor version of GeminiDB Cassandra API can be upgraded to add new functions, fix issues, and improve security and performance. You are advised to upgrade the version in a timely manner.