Controls configuration on AcraServer
Each of AcraServer’s security controls has its own way of being enabled, disabled and configured.
AcraServer can be configured from the command line using CLI flags (see the whole list), or from a configuration file passed as --config_file <options.yml>.
Data protection security controls
There are a couple of features that can only be enabled/configured in the file passed in the --encryptor_config_file CLI option. If you need any of these, the encryptor config is a must-have. Each feature is configured per table column (except the last one).
- Transparent encryption — AcraServer will silently replace a plaintext with its encrypted version before storing data in the database;
- Searchable encryption — provides searching capability over encrypted values stored in the database without decrypting them;
- Masking — provides a configurable way of partial or zero-disclosure of sensitive data to unauthorized users;
- Tokenization — provides a format-preserving way of storing tokens (number, string, email-looking values) while the original data is stored encrypted in a dedicated separate storage (Redis).
- Zones —
  - allows using zone-specific keys for cryptographic operations;
  - configured in encryptor config, but enabled with --zonemode_enable (deprecated since 0.94.0, will be removed in 0.95.0).
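The per-column configuration described above, as an added example that is not taken from the Acra documentation: one encryptor config file with one column per feature. The table and column names are constructed, and the key names should be checked against the encryptor config reference for your AcraServer version.

```yaml
# Constructed example of a file passed with --encryptor_config_file.
# Table and column names are invented for illustration.
schemas:
  - table: customers            # hypothetical table
    columns:                    # columns of the table
      - id
      - email
      - card_number
      - phone
      - notes
    encrypted:
      # Transparent encryption: AcraServer replaces the plaintext with its
      # encrypted version before the value is stored in the database.
      - column: notes

      # Searchable encryption: the value is stored encrypted and can still
      # be searched without decrypting it.
      - column: email
        searchable: true

      # Tokenization: the database column holds a format-preserving token
      # (here a string); the original value is kept encrypted in the
      # separate token storage.
      - column: card_number
        token_type: str
        tokenized: true

      # Masking: unauthorized users see the mask pattern instead of the
      # protected part; the last 4 characters stay in plaintext.
      - column: phone
        masking: "xxxx"
        plaintext_length: 4
        plaintext_side: "right"
```

Columns that are not listed under encrypted (id in this sample) are stored and returned unchanged.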
Detecting abnormal activity of clients trying to access data they were not supposed to access.
Telling Acra where the keys are stored, so it can perform crypto-related things.
Performing configured activity (e.g. running a script/binary) on some events (e.g. a client attempted to read a poison record).
Actual configuration depends on the feature you deal with.
Ensuring that the log produced by AcraServer itself is not altered/corrupted/truncated in any way.
Exporting logs and security events as file or by direct streaming into your SIEM/SOC software.
SQL firewall (aka AcraCensor)
Protecting against SQL injections. Whitelisting/blacklisting specific queries. Logging queries.
--acracensor_config_file <config.yml>, which also specifies a configuration file for this specific feature.
Configuring secure connections between AcraServer and clients, and between AcraServer and the database.