MarkLogic Server offers advanced enterprise data security controls that are beyond what any multi-model database offers. Data loss prevention and other security principals are central to what we do.
Security is not a feature that needs to be turned on and configured. When data is loaded, it is immediately secured.
MarkLogic has scalable controls for authentication, ensuring that the system easily integrates into your environment.
MarkLogic has granular access controls to govern what a user can do and see. Each user is associated with any number of roles, and each role is given privileges that determine what they can do. Also, each document has permissions dictating which roles can see and edit it. Security checks verify the necessary credentials before granting the requested action, and security information is stored in a specific security database in MarkLogic.
MarkLogic secures data at the collection level, document level, and even element/property level (like cell-level security in a relational database). This goes beyond what other document databases provide as it’s very hard to engineer on the back-end and maintain performance, but MarkLogic does it.
MarkLogic closely monitors database activity and makes it possible to audit document access and updates, configuration changes, administrative actions, code execution, and changes to access control.
Cutting-edge data encryption protects against unauthorized access of the database by a SysAdmin or Storage Admin. It allows data, configuration, and logs to be encrypted while the files are resting on disk using AES-256 encryption, and it conforms to FIPS 140 criteria.
In addition to RBAC, MarkLogic can also employ other security models such as Attribute-Based Access Control (ABAC), Policy-Based Access Control (PBAC), or Label-Based Access Control (LBAC). These models further restrict access based on attributes (e.g., social security number, IP address, user’s age, or time of day), policies, or simple labels representing “high” or “low” levels of trust.
Out-of-the-box, MarkLogic provides you with the industry-leading security you need. But your organization may require the Advanced Security add-on, which includes three additional capabilities.
Redaction eliminates the exposure of sensitive information by making it possible to remove existing information or replace it with other values when exporting data or sharing. The process is simple, flexible, and is designed to work with large volumes of data.
This option makes it possible to use an external KMS (e.g., SafeNet or Vormetric) to help with advanced encryption, which is often done for the additional separation of concerns and ease of management.
With compartment security, more complex rules can be applied to documents so that a user must have all of the right roles to access or create a document rather than just one of the rights roles. This is often useful when handling classified material.
MarkLogic deployments are architected to ensure complete data privacy. That is why when you’re using MarkLogic Server, no one except those you authorize ever get access to the data you store in MarkLogic. Ever.
For self-managed MarkLogic deployments, MarkLogic support teams may get access to authorized telemetry data that includes performance data, configuration data, and log data in order to more quickly solve support problems. The telemetry feature can be easily toggled on or off.
MarkLogic Server is in production on mission-critical systems with demanding security requirements, which is why the database has achieved top security certifications from various third parties.
International standard (ISO/IEC 15408) for a common set of functional and assurance security requirements, evaluated by licensed labs.
MarkLogic is the only non-relational database to have this.
Documented guidelines for deploying in U.S. DoD/DISA IT systems that provide guidance on how to set up and configure a product.
MarkLogic has been “STIG’d” for multiple US federal projects. Broad STIG approval from DISA expected in early 2020.
General Data Protection Regulation (GDPR) that went into effect in May 2018 with the goal of strengthening personal data protection in Europe.
MarkLogic complies with GDPR, and helps customers comply with GDPR.