Database Security

Image of three MarkLogic databases with a security shield

Key Security Features

MarkLogic Server offers advanced enterprise data security controls that are beyond what any multi-model database offers. Data loss prevention and other security principals are central to what we do.

Secure by default

Security is not a feature that needs to be turned on and configured. When data is loaded, it is immediately secured.

Integration with LDAP, Kerberos, SAML

MarkLogic has scalable controls for authentication, ensuring that the system easily integrates into your environment.

Role Based Access Control (RBAC)

MarkLogic has granular access controls to govern what a user can do and see. Each user is associated with any number of roles, and each role is given privileges that determine what they can do. Also, each document has permissions dictating which roles can see and edit it. Security checks verify the necessary credentials before granting the requested action, and security information is stored in a specific security database in MarkLogic.

Element/Property Level Security

MarkLogic secures data at the collection level, document level, and even element/property level (like cell-level security in a relational database). This goes beyond what other document databases provide as it’s very hard to engineer on the back-end and maintain performance, but MarkLogic does it.

Built-in Auditing

MarkLogic closely monitors database activity and makes it possible to audit document access and updates, configuration changes, administrative actions, code execution, and changes to access control.

Advanced Encryption

Cutting-edge data encryption protects against unauthorized access of the database by a SysAdmin or Storage Admin. It allows data, configuration, and logs to be encrypted while the files are resting on disk using AES-256 encryption, and it conforms to FIPS 140 criteria.

Additional Security Models

In addition to RBAC, MarkLogic can also employ other security models such as Attribute-Based Access Control (ABAC), Policy-Based Access Control (PBAC), or Label-Based Access Control (LBAC). These models further restrict access based on attributes (e.g., social security number, IP address, user’s age, or time of day), policies, or simple labels representing “high” or “low” levels of trust.

Advanced Security Add-Ons

Out-of-the-box, MarkLogic provides you with the industry-leading security you need. But your organization may require the Advanced Security add-on, which includes three additional capabilities.

Redaction

Redaction eliminates the exposure of sensitive information by making it possible to remove existing information or replace it with other values when exporting data or sharing. The process is simple, flexible, and is designed to work with large volumes of data.

External Key Management System (KMS) Support

This option makes it possible to use an external KMS (e.g., SafeNet or Vormetric) to help with advanced encryption, which is often done for the additional separation of concerns and ease of management.

Compartment Security

With compartment security, more complex rules can be applied to documents so that a user must have all of the right roles to access or create a document rather than just one of the rights roles. This is often useful when handling classified material.

Learn More

MarkLogic Server Security White Papers

Learn more about MarkLogic’s robust security features, including how we build a secure product, how to develop secure apps on MarkLogic, and how to deploy MarkLogic securely.

Building Security into MarkLogic

Developing Secure Apps

Deploying MarkLogic Securely

MarkLogic deployments are architected to ensure complete data privacy. That is why when you’re using MarkLogic Server, no one except those you authorize ever get access to the data you store in MarkLogic. Ever.

For self-managed MarkLogic deployments, MarkLogic support teams may get access to authorized telemetry data that includes performance data, configuration data, and log data in order to more quickly solve support problems. The telemetry feature can be easily toggled on or off.

Learn about MarkLogic Server

Data Compliance

MarkLogic Server is in production on mission-critical systems with demanding security requirements, which is why the database has achieved top security certifications from various third parties.

Common Criteria

International standard (ISO/IEC 15408) for a common set of functional and assurance security requirements, evaluated by licensed labs.

MarkLogic is the only non-relational database to have this.

Read blog post

STIG

Documented guidelines for deploying in U.S. DoD/DISA IT systems that provide guidance on how to set up and configure a product.

MarkLogic has been “STIG’d” for multiple US federal projects. Broad STIG approval from DISA expected in early 2020.

Request more information

GDPR

General Data Protection Regulation (GDPR) that went into effect in May 2018 with the goal of strengthening personal data protection in Europe.

MarkLogic complies with GDPR, and helps customers comply with GDPR.

Resources

Documentation

Full guide on MarkLogic security

MarkLogic University

Free Self-Paced Course

Presentation

Security Overview

Sign Up for a Live Demo

See how MarkLogic simplifies complex data problems by delivering data agility.