How to prevent an Elasticsearch server breach

If you’re in the technology space, the phrase “server breach” has probably hit your radar at some point. If you’re not in tech, you’re likely still aware of server/data breaches and security lapses that have resulted in private, personal data ending up in the hands of bad actors. This can mean credit information, social security numbers, and other information you’d prefer to keep to yourself — and not on the darkweb.

All software has to deal with the possibility of a breach or attack. This includes Elasticsearch, an open source software project developed by Elastic. There have been instances in which data that was not securely stored in Elasticsearch was leaked, lost, or stolen.

This article will give you an understanding of how breaches come about and how users can best protect against them in the context of Elasticsearch. We’re going to start with a bit of a primer, but if you want, you can jump straight to the section: How do I secure Elasticsearch?

What is Elasticsearch?

Elasticsearch is an open source search and analytics engine, as well as a data store. And with hundreds of millions of downloads, it’s also incredibly popular. We tout its speed, scale, and search relevance, but its wide adoption has also been greatly driven by its ease of use, ability to handle any type of data (text, number, geospatial, etc.), robust set of features, and the fact that anyone can submit a bug fix or suggest an improvement (since it’s open source).

In non-tech speak, imagine having a spreadsheet with billions of rows, but still being able to find or calculate anything in it in a split second. Elasticsearch is like that, and it’s really good at what it does, so a lot of organizations use Elasticsearch for all sorts of things — like powering search on their ecommerce sites, analyzing data sent from Mars rovers, or making sure rideshares show up on time.

Who is Elastic? Also, do you have my data?

Elastic is the company that develops Elasticsearch, along with the other products of the Elastic Stack (Kibana, Beats, Logstash, etc.). And Elasticsearch is the backbone for a variety of solutions including search, observability, security, and more.

And the short answer is, no, we do not have your data. We develop Elasticsearch, which other companies then run locally or within cloud infrastructure. 

The slightly longer answer is, maybe. Some companies use Elastic Cloud, our managed Elasticsearch offering. We are responsible for maintaining any data our customers put in Elastic Cloud, which includes keeping it secure. This is why all of our Elasticsearch Service deployments come secure by default.

Where does Elasticsearch hold its data?

Since Elasticsearch is open source (meaning anyone can download and install it for free), it can be installed almost anywhere. Some companies download it and install it on their own in-house servers and other companies download and install it in the cloud (on any provider they want). There are also some cloud service companies that offer managed versions of Elasticsearch, which means they host and administer Elasticsearch clusters (that’s what we call them) for customers. 

In fact, Elastic also offers our own managed Elasticsearch Service on Elastic Cloud. With our service, we provide extensive management services (including security by default), and let you choose from a few different cloud providers for the infrastructure.

How do Elasticsearch servers get breached?

There are a variety of ways data stores can be breached, from stolen passwords to hackers to disgruntled employees. In the case of Elasticsearch, the most common type of breach is caused by a cluster being left unsecured on the internet, meaning anyone can connect without a username or password and access the data. These open clusters are often discovered by security researchers who then publish their findings, which is how the world finds out about the data being left exposed on the internet.

When properly secured, an Elasticsearch cluster is at no more risk of being breached than any other database. That is why we provide the features needed to secure an Elasticsearch cluster, free and by default, to anyone who downloads and uses the Elastic Stack. To that end, let’s look at some things Elasticsearch users can do to make sure they’re using these features and keeping their clusters secure.

How do I secure Elasticsearch?

We include Elasticsearch security features as part of our free, default (Basic tier) distribution, meaning anyone can configure security for their Elasticsearch cluster and prevent accidental data leaks. Before looking into using those features, though, let’s first take a look at how to determine if your cluster is already secure or not.

How can I tell if I have an unsecured Elasticsearch cluster?

If you are a user or administrator of Elasticsearch, there are a few simple things you can do to check if you have security enabled and working. 

The best way to determine if you have security enabled and working is to query the settings API. If you issue this query:

GET _xpack/usage?filter_path=security

You will see results that look something like this if security is disabled:

{ 
  "security" : { 
    "available" : true, 
    "enabled" : false, // When security is off, this is set to "false" 
    "ssl" : { 
      "http" : { 
        "enabled" : false 
      }, 
      "transport" : { 
        "enabled" : false 
      } 
    } 
  } 
}

Or this if security is working as expected

{
  "security" : {
    "available" : true,
    "enabled" : true, // When security is on, this is set to "true"
    "realms" : { ... },
    "roles" : { ... },
    "role_mapping" : { ... },
    "ssl" : {
      "http" : {
        "enabled" : true
      },
      "transport" : {
        "enabled" : true
      }
    },
    "token_service" : { ... },
    "api_key_service" : { ... },
    "audit" : { ... },
    "ipfilter" : { ... },
    "anonymous" : { ... }
  }
}

You can see the results are pretty different. Depending on the version and license level you have deployed, you can expect your results to differ slightly as well.
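The check described above can be automated. The script below is an added example, not code from the article or from Elastic: it parses the JSON that GET _xpack/usage?filter_path=security returns and reports which of the three settings (authentication, HTTP TLS, transport TLS) are off. The two sample responses are constructed to mirror the shapes shown above; the cluster URL passed to fetch_and_audit is whatever you supply.

```python
import json
import urllib.request

# Constructed sample: the shape returned when security is off.
UNSECURED_RESPONSE = {
    "security": {
        "available": True,
        "enabled": False,
        "ssl": {"http": {"enabled": False}, "transport": {"enabled": False}},
    }
}

# Constructed sample: security on, both TLS layers enabled (other
# sections such as realms/roles are omitted; the audit ignores them).
SECURED_RESPONSE = {
    "security": {
        "available": True,
        "enabled": True,
        "ssl": {"http": {"enabled": True}, "transport": {"enabled": True}},
    }
}


def audit_security_usage(payload):
    """Return a list of findings for a usage-API response.
    An empty list means authentication, HTTP TLS and transport TLS are
    all enabled. A missing key is treated as disabled, because responses
    differ by version and license level and may omit whole sections."""
    sec = payload.get("security", {})
    findings = []
    if not sec.get("available", False):
        findings.append("security features not available on this version/license")
    if not sec.get("enabled", False):
        findings.append("authentication disabled: anyone who can reach the port can read data")
    ssl = sec.get("ssl", {})
    for layer in ("http", "transport"):
        if not ssl.get(layer, {}).get("enabled", False):
            findings.append(f"{layer} TLS disabled: traffic on the network can be eavesdropped")
    return findings


def fetch_and_audit(base_url, timeout=5):
    """Query a live cluster at base_url (supplied by the caller) and audit it.
    Note: if this request succeeds without any credentials, that by itself
    shows the cluster accepts unauthenticated access."""
    url = f"{base_url.rstrip('/')}/_xpack/usage?filter_path=security"
    with urllib.request.urlopen(urllib.request.Request(url), timeout=timeout) as resp:
        return audit_security_usage(json.load(resp))


if __name__ == "__main__":
    for name, sample in (("unsecured", UNSECURED_RESPONSE), ("secured", SECURED_RESPONSE)):
        print(name, audit_security_usage(sample) or ["no findings"])
```

Run it against a cluster you administer (for example `fetch_and_audit("https://localhost:9200")`) and treat any finding as something to fix before the cluster is reachable from anywhere you do not control.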

How do I make sure my Elasticsearch cluster is secure?

The two easiest things you can do to make sure that outsiders don’t have access to your Elasticsearch clusters are:

  1. Enable authentication so no one has access without logging into Elasticsearch.
  2. Enable TLS so no one can eavesdrop on Elasticsearch data traveling through your network.

We have a lot of great resources available (listed at the bottom) that explain how to secure Elasticsearch, including how to easily implement the above two recommendations. But the quickest way to get secure is to check out our Getting started with Elasticsearch security (TLS and RBAC) blog and its accompanying video, Securing Elasticsearch in 7 minutes.

We also have an easy button for all of this in our Elasticsearch Service on Elastic Cloud. When you use our Elasticsearch Service, you can be certain that it comes with security automatically configured for every cluster.

Security takes teamwork

If you have any questions you can always reach out. We have a number of ways to be a part of the Elastic Community such as forums, local events, and lots of documentation (so much more than linked above). We’re also always working to make securing Elasticsearch easier than ever before. Be sure to keep an eye on our blogs to know what’s coming and what we’re doing in this space in the future. If you’re a fan of Spiderman, you’re familiar with the quote, “with great power comes great responsibility”, and this is true for Elastic and anyone using Elasticsearch to store data.

Additional resources for securing Elasticsearch

Blogs

Videos

Documentation

Training