Just because protecting and securing your data against today’s cyber threats is critical doesn’t mean you have to limit access. With MarkLogic you can have fine-grained access controls, proper separation of duties, and the ability to anonymize data so that your data is both secure and shareable.
Out of the box, MarkLogic provides you with the industry-leading security you need. But your organization may require the Advanced Security option, which includes three additional capabilities:
MarkLogic interoperates with third-party key management systems (KMS) in your storage environment that comply with KMIP 1.2 (Key Management Interoperability Protocol), so that the authentication keys used by the storage system's self-encrypting disks are managed securely. Vormetric and SafeNet are two examples of KMIP-compliant systems. This extra layer of security includes:
To implement redaction, a MarkLogic security administrator creates redaction policies containing rules that define which sensitive information is to be redacted, and then chooses which policy to apply when running an export. Administrators can combine built-in or custom rules into policies to match different target needs.
Built-in functions for different types of redaction include:
All rules and actions taken by users are logged, ensuring that all export activity can be audited later on.
Redaction is designed to be used when running large bulk exports. Because it runs through the MarkLogic Content Pump (mlcp), it is faster and more secure than redaction implemented at the application layer.
Compartment Security provides an additional control: it lets you require that a user hold all of the relevant roles (AND semantics) to interact with a document, rather than just one of them (OR semantics).
In MarkLogic, a compartment is a name associated with a role. When a role is compartmented, the compartment name is used as an additional check when determining a user's authority to access or create documents in a database. Without compartment security, permissions are checked using OR semantics.
For example, if a document has read permission for role1 and read permission for role2, a user who possesses either role1 or role2 can read that document. If those roles have different compartments associated with them (for example, compartment1 and compartment2, respectively), then the permissions are checked using AND semantics across the compartments, and OR semantics across the non-compartmented roles. So when role1 and role2 are in different compartments, a user must possess both role1 and role2 to access the document, as well as a non-compartmented role that has a corresponding permission on the document.
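The following added example models the permission check just described so the AND/OR combination can be exercised on concrete inputs. It is not MarkLogic's implementation or API; the role table, the compartment names, the documents and the `canAccess` function are constructed for this example. It follows the text's rule literally: for every compartment that appears among a document's permissions for the requested capability, the user must hold a granted role from that compartment (the assumption here is that any granted role within one compartment satisfies that compartment), and in addition the user must hold at least one granted non-compartmented role.

```javascript
// Added example, not MarkLogic's code: a model of compartment permission checking.
// Roles, compartments, documents and the check function are constructed.

// Role table: a compartment of null means the role is not compartmented.
const ROLES = {
  role1: { compartment: 'compartment1' },
  role2: { compartment: 'compartment2' },
  role3: { compartment: null },
  role4: { compartment: null },
};

// Constructed documents with their permission lists (role + capability).
const DOCUMENTS = {
  'plain.json': { permissions: [
    { role: 'role3', capability: 'read' },
    { role: 'role4', capability: 'read' },
  ] },
  'mixed.json': { permissions: [
    { role: 'role1', capability: 'read' },
    { role: 'role2', capability: 'read' },
    { role: 'role3', capability: 'read' },
  ] },
  'single.json': { permissions: [
    { role: 'role1', capability: 'read' },
    { role: 'role3', capability: 'read' },
  ] },
};

// Decide whether a user holding userRoles may exercise `capability` on a document
// with the given permissions, using the rule described in the text:
//   - AND across compartments: every compartment present must be satisfied;
//   - OR across non-compartmented roles: at least one must be held.
function canAccess(userRoles, permissions, capability) {
  const granted = permissions.filter((p) => p.capability === capability);
  if (granted.length === 0) return false;

  const held = new Set(userRoles);
  const byCompartment = new Map();   // compartment name -> roles granted in it
  const nonCompartmented = [];

  for (const p of granted) {
    const role = ROLES[p.role];
    if (!role) throw new Error(`unknown role in permission: ${p.role}`);
    if (role.compartment === null) {
      nonCompartmented.push(p.role);
    } else {
      if (!byCompartment.has(role.compartment)) byCompartment.set(role.compartment, []);
      byCompartment.get(role.compartment).push(p.role);
    }
  }

  // OR semantics over non-compartmented roles: the user needs at least one.
  if (!nonCompartmented.some((r) => held.has(r))) return false;

  // AND semantics over compartments: each compartment on the document must be
  // covered by a held role from that compartment (assumption: any granted role
  // within the same compartment satisfies it).
  for (const rolesInCompartment of byCompartment.values()) {
    if (!rolesInCompartment.some((r) => held.has(r))) return false;
  }
  return true;
}

// Convenience wrapper over the constructed document table.
function canRead(userRoles, docName) {
  const doc = DOCUMENTS[docName];
  if (!doc) throw new Error(`unknown document: ${docName}`);
  return canAccess(userRoles, doc.permissions, 'read');
}

// Usage: the cases from the text.
console.log('role1+role3 on mixed.json:', canRead(['role1', 'role3'], 'mixed.json'));          // false
console.log('role1+role2+role3 on mixed.json:', canRead(['role1', 'role2', 'role3'], 'mixed.json')); // true
```

Note the two ways a compartmented document denies access: missing one of the compartments, and holding every compartmented role but no non-compartmented one. Both are worth covering in tests of any real policy, because the second is the case people forget when they only reason about compartments.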