Redis Labs Security Product Manager Jamie Scott talked at the Redis Meetup today about “New Security Features in Redis 6 Open Source.”
Because of the coronavirus, the talk was streamed on YouTube instead of being presented to a live audience at the Redis office in Mountain View.
The new security features in Redis 6 are:
- ACLs define users, their passwords, and what each user may access (command categories and key patterns). Authentication and permission failures are logged and can be inspected with ACL LOG.
- TLS is now built in, so stunnel and similar sidecars are no longer needed. It is available for client connections, cluster bus traffic and replication.
Combined with Redis databases and key-prefix namespaces (ACL key patterns such as ~app:*), ACL users give granular authentication and permissions.
From a security compliance standpoint, the new Redis security features help with:
- TLS addresses the encryption-in-transit requirement. Some stunnel users reported it was 3x slower than patching TLS libraries directly into the Redis server, so native TLS is a big win given that many deployments use Redis as a high-performance cache. It is also an alternative to paying for Redis Enterprise or AWS ElastiCache.
- ACL users address the requirement to stop sharing a single administrative password and to grant least privilege.
- ACL users can also address the credential-rotation requirement: add a new user/password, then expire the old one on a schedule. This avoids interrupting the caching layer during the switchover and fits infrastructure-as-code tooling: first add the new user and password, then lazily update the application configuration to the new credentials in its next release, and later drop the old user/password.
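The rotation just described, and the least-privilege user definition from the ACL bullet above, as an added Python example (not code from the talk or from Redis): it builds the ACL SETUSER command for a namespaced, category-restricted application user, lays out the three rotation phases, and, before the application is switched over, parses ACL LIST output to confirm the new user is enabled, carries exactly the new password, and has the same key and command scope as the old one, so a rotation cannot silently widen privilege. The user names app-v1/app-v2, the app:* namespace, the sample ACL LIST lines, and the assumption that an aclfile is configured (so ACL SAVE persists the change) are all mine, not the page's.

```python
"""Zero-downtime Redis 6 ACL credential rotation: plan the commands, then
verify from `ACL LIST` output that the new user is a permission-identical
twin of the old one before the application switches over.

Assumptions (not from the talk): user names app-v1/app-v2, key namespace
app:*, and an `aclfile` configured in redis.conf so `ACL SAVE` persists.
"""
import hashlib


def password_hash(password: str) -> str:
    """Redis 6 stores ACL passwords as hex SHA-256 and lists them as '#<hex>'."""
    return hashlib.sha256(password.encode()).hexdigest()


def acl_setuser(name, password, key_patterns, categories):
    """Build an `ACL SETUSER` line for a least-privilege application user.

    resetpass / >pw : replace any existing password with this one
    resetkeys / ~pat: confine the user to a key-prefix namespace
    -@all / +@cat   : drop everything, then grant only the named categories
    """
    parts = ["ACL", "SETUSER", name, "on", "resetpass", f">{password}", "resetkeys"]
    parts += [f"~{p}" for p in key_patterns]
    parts += ["-@all"] + [f"+@{c}" for c in categories]
    return " ".join(parts)


def rotation_commands(old_user, new_user, new_password, key_patterns, categories):
    """Three phases of a rotation; phase 2 is an application deploy, not a Redis command."""
    return [
        ("1-add", acl_setuser(new_user, new_password, key_patterns, categories)),
        ("1-add", "ACL SAVE"),  # assumes `aclfile` is set in redis.conf
        ("2-switch", f"deploy app config: username={new_user}"),
        ("3-drop", f"ACL DELUSER {old_user}"),
        ("3-drop", "ACL SAVE"),
    ]


def parse_acl_list_line(line):
    """Parse one `ACL LIST` line, e.g.
    'user app-v1 on #<sha256> ~app:* -@all +@read +@write'."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    user = {"name": toks[1], "on": False, "nopass": False,
            "hashes": set(), "keys": set(), "channels": set(), "rules": []}
    for tok in toks[2:]:
        if tok == "on":
            user["on"] = True
        elif tok == "off":
            user["on"] = False
        elif tok == "nopass":
            user["nopass"] = True
        elif tok.startswith("#"):
            user["hashes"].add(tok[1:])
        elif tok.startswith("~"):
            user["keys"].add(tok[1:])
        elif tok.startswith("&"):  # pub/sub channel patterns (Redis 6.2+)
            user["channels"].add(tok[1:])
        else:
            user["rules"].append(tok)  # command/category rules; order matters
    return user


def permission_diff(old, new):
    """Everything that differs between two users except name and credentials."""
    diffs = []
    for field in ("on", "nopass", "keys", "channels", "rules"):
        if old[field] != new[field]:
            diffs.append(f"{field}: {old[field]!r} -> {new[field]!r}")
    return diffs


def ready_to_switch(acl_list_lines, old_user, new_user, new_password):
    """True only if the new user exists, is enabled, carries exactly the new
    password and has the same key/command scope as the old user."""
    users = {u["name"]: u for u in map(parse_acl_list_line, acl_list_lines)}
    new, old = users.get(new_user), users.get(old_user)
    if new is None or old is None or not new["on"]:
        return False
    if new["nopass"] or new["hashes"] != {password_hash(new_password)}:
        return False
    return permission_diff(old, new) == []


# Constructed sample of `ACL LIST` output after phase 1 (not captured from a real server).
SAMPLE_ACL_LIST = [
    "user default on nopass ~* +@all",
    f"user app-v1 on #{password_hash('old-secret')} ~app:* -@all +@read +@write",
    f"user app-v2 on #{password_hash('new-secret')} ~app:* -@all +@read +@write",
    f"user app-wide on #{password_hash('new-secret')} ~* -@all +@all",  # drifted: too broad
]

if __name__ == "__main__":
    for phase, cmd in rotation_commands("app-v1", "app-v2", "new-secret", ["app:*"], ["read", "write"]):
        print(phase, cmd)
    print("switch to app-v2 ok:", ready_to_switch(SAMPLE_ACL_LIST, "app-v1", "app-v2", "new-secret"))
    print("switch to app-wide ok:", ready_to_switch(SAMPLE_ACL_LIST, "app-v1", "app-wide", "new-secret"))
```

The check deliberately compares command rules as an ordered list rather than a set: Redis applies ACL rules left to right, so `-@all +@read` and `+@read -@all` grant different things. Running the `ready_to_switch` gate in the deploy pipeline, between phase 1 and phase 2, is what turns the rotation into a safe infrastructure-as-code step.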
(Box wrote a proxy that accepts remote TLS connections and talks to the Redis server on localhost. The proxy also handled password rotation by accepting both the old and the new password during the rotation window.)
Redis Labs, Inc 700 E El Camino Real #250 · Mountain View, CA