
Search Guard – Security for Elasticsearch

Note: This is a guest post by Jochen Kressin, the CTO of floragunn GmbH, the makers of Search Guard, an open-source X-Pack Security alternative.

Elasticsearch is a great piece of software. We really love it. However, there is one major drawback: Elasticsearch does not have any security capabilities built in. Anyone who has access to your network can see, modify and delete any data, which leaves your cluster wide open to malicious hackers, as the Elasticsearch ransomware attacks earlier this year have clearly shown.

Welcome to Search Guard – the security suite for Elasticsearch and the entire ELK stack.

When it comes to security for Elasticsearch, Search Guard is your Swiss army knife for implementing security solutions tailored to your needs and your infrastructure. Regardless of whether you just want to encrypt data in transit, authenticate users against Active Directory, use Kerberos or JSON web tokens for Single Sign-On, or need to monitor and log malicious access attempts, Search Guard is your one-stop solution. And the best part is that the basic version comes for free!


The four pillars of security

Encryption – protect against sniffing, snooping and tampering

The first step of securing your data is to implement encryption. Search Guard provides SSL/TLS encryption for node-to-node traffic, REST traffic and transport client traffic. Your sensitive data is always secure as it travels across the network, even if an attacker gains access to your infrastructure. By leveraging TLS, you make sure that

  • No one can sniff your data
  • No one can tamper with your data
  • Only authenticated nodes can join your cluster

In order to minimize the performance impact of applying encryption, Search Guard supports native OpenSSL. OpenSSL provides superior performance over the standard Java Cryptography Extensions, and also comes with a wider, more modern range of cipher suites.
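
As an added example (not from the post or from the Search Guard project), here is an elasticsearch.yml excerpt that contrasts a weak, transport-only TLS setup with a hardened one that also pins which certificates may join as nodes. The setting keys follow the Search Guard 5 generation of the plugin; file names, host names and DNs are placeholders.

```yaml
# elasticsearch.yml (excerpt) -- constructed example; paths, hosts and DNs are placeholders.

# --- Weak: traffic is encrypted, but nobody's identity is checked -----------------
# searchguard.ssl.transport.enabled: true
# searchguard.ssl.transport.enforce_hostname_verification: false  # any cert from the CA is accepted
# searchguard.ssl.transport.enabled_protocols: ["TLSv1", "TLSv1.1", "TLSv1.2"]
# searchguard.ssl.http.enabled: false                             # REST traffic still in clear text
# (no searchguard.nodes_dn: every certificate the CA ever issued may join as a node)

# --- Hardened ---------------------------------------------------------------------
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.pemcert_filepath: node1.pem             # this node's certificate
searchguard.ssl.transport.pemkey_filepath: node1-key.pem
searchguard.ssl.transport.pemtrustedcas_filepath: root-ca.pem     # CA that signs node certificates
searchguard.ssl.transport.enforce_hostname_verification: true    # peer cert must match its host name
searchguard.ssl.transport.resolve_hostname: true
searchguard.ssl.transport.enabled_protocols: ["TLSv1.2"]          # drop legacy protocol versions
searchguard.ssl.transport.enable_openssl_if_available: true      # native OpenSSL instead of the JDK stack

searchguard.ssl.http.enabled: true                                # encrypt REST traffic as well
searchguard.ssl.http.pemcert_filepath: node1-http.pem
searchguard.ssl.http.pemkey_filepath: node1-http-key.pem
searchguard.ssl.http.pemtrustedcas_filepath: root-ca.pem
searchguard.ssl.http.clients_auth_mode: OPTIONAL                  # clients may present a certificate to authenticate

# Only these certificate subjects are accepted as cluster nodes
searchguard.nodes_dn:
  - "CN=node1.example.com,OU=Ops,O=Example,L=Berlin,C=DE"
  - "CN=node2.example.com,OU=Ops,O=Example,L=Berlin,C=DE"

# Only these certificate subjects may change the Search Guard configuration (sgadmin, REST API)
searchguard.authcz.admin_dn:
  - "CN=sgadmin,OU=Ops,O=Example,L=Berlin,C=DE"
```

With the weak variant, anyone holding any certificate from the trusted CA can join the cluster or read transport traffic; the hardened variant ties node membership and administrative changes to named certificate subjects.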

Authentication and authorization – control who has access to your data

Search Guard offers a wide range of pluggable authentication modules to choose from. The free version comes with an integrated user database, HTTP Basic Authentication as well as certificate- and proxy-based authentication. The enterprise version offers advanced authentication modules for LDAP/Active Directory, Kerberos and JSON web tokens. You can even combine authorization modules! Depending on your configuration, Search Guard extracts the user credentials from the request, authenticates them against the configured modules, and assigns roles to the user.

Role-based permissions – at every level, as granular as you need

Permissions can be configured on cluster, index, document and field level, and they can be as granular as you need them to be.

  • Cluster-level
    • Who can access nodes stats or check the cluster health?
  • Index-level
    • Who can create, modify or delete documents of certain types?
  • Document-level
    • Who has access to sensitive documents in the result set?
  • Field-level
    • Which fields are visible for the currently logged in user?

Search Guard ships with many predefined permission sets, like READ, WRITE, SEARCH or CREATE_INDEX. If you need more fine-grained permissions, simply define and use your own permission set. Want to restrict the execution of bulk operations to DevOps only? Want to exclude certain users from creating an index alias? Search Guard gives you full control over all permitted activities, down to the single action level.

Audit logging – stay compliant

The audit log module keeps track of all user activity in your cluster and lets you configure which events you want to record. Whether you want to track only failed login attempts or record everything that’s going on in your cluster, just configure what you want to see and let Search Guard do the rest.

The audit events can be stored in the same or a separate Elasticsearch cluster for further analysis. You can also use an off-site service such as Logsene, so malicious hackers won’t be able to cover their tracks. Do you already have a SIEM system in place? No problem, Search Guard can ship the audit events to any external system that supports webhooks, too. And it even has a public API so that you can create your own storage implementation if necessary.

Bonus: Kibana Multitenancy

Kibana does not support multi-tenancy out of the box. This means that all saved objects, like visualizations and dashboards, are stored globally and are potentially accessible by any user. This is where the Search Guard multi-tenancy module comes to the rescue!

Define one or more tenants for each Search Guard role, and enjoy true separation of saved searches, visualizations and dashboards in Kibana. Create dedicated dashboards for each department, and perhaps share other dashboards company-wide. The multi-tenancy module integrates deeply into Elasticsearch itself and uses the same battle-proven access control as Search Guard. So even if someone tries to access your sensitive dashboards by circumventing Kibana, your data is always safe.
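
Tying the four permission levels from the role-based permissions section and the Kibana tenants described here together, the following is an added example of an sg_roles.yml with a matching sg_roles_mapping.yml (constructed for this post, not the project's own sample files). The layout and the predefined action groups follow the Search Guard 5 generation; role, index, field, tenant and user names are placeholders.

```yaml
# sg_roles.yml (excerpt) -- constructed example; role, index, field and user names are placeholders.

# Cluster level: may check cluster health and node stats, nothing else
sg_monitoring:
  cluster:
    - CLUSTER_MONITOR

# Index level: only this role gets CLUSTER_COMPOSITE_OPS, which is what
# permits bulk requests, so bulk loading stays a DevOps privilege
sg_devops_logs:
  cluster:
    - CLUSTER_COMPOSITE_OPS
  indices:
    'logs-*':
      '*':                     # all document types
        - CRUD
        - CREATE_INDEX
        - MANAGE_ALIASES       # left out of every other role: no alias creation elsewhere
  tenants:
    devops: RW                 # a Kibana tenant of their own

# Document and field level: HR analysts read only their department's
# records and never see fields that are not listed (e.g. salary, ssn)
sg_hr_analyst:
  cluster:
    - CLUSTER_COMPOSITE_OPS_RO  # read-only composite ops (msearch, mget), no bulk writes
  indices:
    'employees':
      '*':
        - READ
        - SEARCH
      _dls_: '{"term": {"department": "HR"}}'  # document-level security: query added to every request
      _fls_:                                    # field-level security: only these fields are returned
        - 'employee_id'
        - 'name'
        - 'department'
        - 'start_date'
  tenants:
    human_resources: RW        # private HR dashboards
    company_wide: RO           # shared dashboards, read-only
---
# sg_roles_mapping.yml (excerpt): who gets which role. Backend roles
# come from the authentication module, e.g. an Active Directory group.
sg_monitoring:
  backendroles:
    - ops_oncall
sg_devops_logs:
  backendroles:
    - devops
sg_hr_analyst:
  users:
    - jdoe
```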

Configuration management simplified

The complete user, role and permission configuration is stored in a dedicated Search Guard index in Elasticsearch itself. You can use the sgadmin command line tool, or the REST management API to apply changes.

This approach simplifies the configuration management in many aspects:

  • Config hot reloading – no restarts required
    • Any changes to the configuration are propagated to all nodes in the cluster automatically. They take effect immediately without requiring a node restart. Add and remove roles, change permissions or activate document-level security, all while your cluster is running.
  • Single place for configuration
    • Since the configuration is kept in an Elasticsearch index, there is no longer any need to place sensitive configuration files on each node. Manage the complete Search Guard configuration from a single place.
  • Update from any machine
    • You can change the configuration from any machine that has access to the transport port of your cluster.

Security means Open Source by definition

When it comes to security solutions, closed source software is a no-go. If you cannot inspect the code, you cannot be sure that the implementation is sound and solid and does what it’s supposed to do. You can’t even make sure that the software does not call home, or that it does not contain backdoors.

We strongly believe that if you are serious about security, you need to have the option to inspect the code, run your own security audits, and build the software yourself if required. Search Guard is completely Open Source, so you have full access to the source code, including all enterprise modules. Don’t just take our word for it; audit our code yourself, as many major companies already have.

Where to go next?

Read our post on how to secure Kibana for free by using the Community edition of Search Guard:

Secure Kibana for free

Explore other alternatives to X-Pack components

Head over to the Search Guard GitHub repository and check the quick start guide:

Deep-dive into Search Guard by reading the official documentation:

Ask questions on the Search Guard Google Group:

Read about our fair, flexible and affordable enterprise license model:

Follow us on Twitter to stay up-to-date with new releases and features: