The Perfect Balance: YugabyteDB Managed Boosts Security Without Compromising User Experience
October 31, 2023
A key benefit of a fully managed offering over a customer-managed offering (besides the fact that it is fully managed) is the networking and security architecture.
YugabyteDB Managed has continuously improved our networking and security capabilities. While enhanced security can sometimes affect user experience negatively, these capabilities are designed to benefit and enhance the overall user experience.
The table below highlights how new YugabyteDB Managed security capabilities make it simpler and easier for users to operate the database.
| Capability/Requirement | Security Benefits | Simplicity Benefits |
|---|---|---|
| Private connectivity to control the flow of incoming traffic to the cluster. YugabyteDB Managed’s private service endpoints are available in AWS and Azure Cloud for single and multi-region clusters via UI, API, CLI, and Terraform. | Prevents unauthorized access. Unidirectional private connectivity access based on cloud security principals means that the service is only discoverable by, and accepts traffic from, known clients. | Lowers administrative costs. Overlapping CIDR (Classless Inter-Domain Routing) ranges are not a problem, meaning less network administration overheads. |
| Untraceable. Private connectivity is traffic sent over a private backbone. It is not traceable over public networks and their connected devices. | Lowers operational overhead. No need to add or remove any route table entries since traffic is routed over private IPs (i.e. a private network). | |
| Control the flow of outgoing traffic from the cluster | Restrict bad actors. Block all outgoing traffic from the cluster by default. For supported features such as exporting observability metrics, specialized rules are included to an allowlist/whitelist; outgoing traffic to the exporter endpoint. Bad actors cannot establish a reverse tunnel to extract data from the cluster to externally managed storage. | Prevents misuse. Access to the cluster network components is limited to a specified set of client IPs and DNS names. Exceptions are explicitly specified as a subset of assets within the network instead of the whole network. |
| Fine grained role-based access control | Restricts user access. Configure access permissions at a more granular level. This allows you to cater to your own unique processes and workflows, while aligning to the principle of least privilege. | Built-in role simplicity. Built-in roles (Admin, Developer, etc) allow you to assign roles to users in a way that matches the needs of your organization. |
| Customer managed keys (CMK) | Enhanced Security. Ensure your data is encrypted with keys you control, making it much more difficult for unauthorized users to access. | Easy workflow integration. Enable customer-managed key encryption easily in YugabyteDB Managed via the user interface, the CLI, or APIs. |
| Compliance. Demonstrate compliance with data security and privacy regulations by using customer managed key encryption. Manage and control the keys that are in use. Have full ownership over audit logs to easily meet compliance requirements for data privacy and security during audits. |
—-
The enhanced capabilities detailed above help customers achieve PCI-DSS compliance by better controlling what data is stored and transmitted over the network.
Additional Resources
Explore additional videos in YugabyteDB Managed Demo Video Library.
