Redis Labs Security Product Manager Jamie Scott talked at the Redis Meetup today about “New Security Features in Redis 6 Open Source.”
Because of the Corona virus, the lecture was streamed on Youtube instead of presented to a live audience in the Redis Mountain View office.
The new security features in Redis 6 are:
- ACLs – defines users, passwords, access. Errors are logged and viewable.
- TLS now built-in, so stunnel, etc. no longer needed. Available for client, cluster and replication encryption.
Combined with Redis databases and namespaces, ACL users provide granular authentication and permissions.
From a security compliance standpoint, the new Redis security features address help with:
- TLS addresses the encryption-in-transit requirement. Some stunnel users reported that it was 3x slower than patching TLS libraries into the Redis server directly, so this is a huge win considering that for many users, Redis is used as a high-performance cache. It also provides another option to paying for Enterprise or AWS Elasticache licenses.
- ACL users address the requirement to not use administrative passwords and to have least-privilege
- ACL users potentially address the key rotation requirement, if you add a new user/password, then expire the old user/password on a schedule. This would avoid caching layer interruption during the switchover, and lets you use infrastructure-as-code tools to first add the new user/password, then lazily update the application configuration to use the new credentials in the next release, then later drop the old user/password.
(Box wrote a proxy to accept remote TLS connections, then talk to Redis server on localhost. The proxy also managed password rotation by allowing old and new passwords during password rotation.)
mikeperham.com: Storing Data with Redis (2015)