Aura security is achieved by following the best practices for running database instances. Based on our best practices for operating Neo4j securely, this is a summary of what we implement.
Safe networking
- Your database sits behind a VPC. This is a shared VPC for the Professional tier but private to your environment for the Enterprise tier.
- Only the necessary ports are open.
Protecting data-at-rest:
- Your data is protected through encryption at rest.
- Managed access to database dumps and backups is via the Aura console only.
- No access to data files and transaction logs.
Protecting data-in-transit
- Access to the Neo4j database is restricted to the encrypted Bolt port only (using strong TLS ciphers), and the console is accessed over HTTPS.
- We use SSL certificates issued from a trusted certificate authority (CA).
- We rotate these certificates at least every 90 days.
- SSL is enabled for causal clustering. See Intra-cluster encryption.
- Causal clustering is configured to use encryption for backups.
Manage extensions and their security:
- No custom extensions running.
- The set of exposed security procedures is restricted and monitored, to ensure that it contains only intentionally exposed extensions:
Access and authorisation
- We always use the latest security patch version of Neo4j.
- Aura (Enterprise tier only) makes use of SSO for Bloom and Browser and the native Neo4j authentication for the rest.
- As LOAD CSV is enabled, we ensure that it only allows authorised users to import data.
- The neo4j.conf configuration file has disabled ports relating to deprecated functions such as remote JMX (controlled by the parameter setting dbms.jvm.additional=-Dcom.sun.management.jmxremote.port=3637).
- We disable Neo4j Browser caching of credentials by setting browser.retain_connection_credentials=false.
- We ensure the correct file permissions are set on the Neo4j files and restrict access to the bin, lib, and plugins directories to protect against the execution of unauthorised extensions.
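As an added example (not Neo4j's or Aura's own code), the following script audits a neo4j.conf file for the settings discussed above: Bolt restricted to TLS, plaintext HTTP off, no remote JMX port in dbms.jvm.additional, and browser.retain_connection_credentials=false. The connector setting names (dbms.connector.bolt.tls_level, dbms.connector.http.enabled) are assumed to be the Neo4j 4.x names; the sample config is constructed and deliberately fails three checks.

```python
"""Audit a neo4j.conf for the hardening settings this page describes (Neo4j 4.x setting names assumed)."""
from collections import defaultdict

# Constructed sample config (not from a real deployment); it still has three weaknesses.
SAMPLE_CONF = """
# neo4j.conf - constructed example
dbms.connector.bolt.enabled=true
dbms.connector.bolt.tls_level=OPTIONAL
dbms.connector.http.enabled=false
dbms.connector.https.enabled=true
dbms.jvm.additional=-XX:+UseG1GC
dbms.jvm.additional=-Dcom.sun.management.jmxremote.port=3637
"""

def parse_conf(text):
    """Return {key: [values]}; neo4j.conf allows repeated keys such as dbms.jvm.additional."""
    settings = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()].append(value.strip())
    return settings

def audit_neo4j_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    s = parse_conf(text)
    findings = []
    # Bolt must require TLS so clients cannot negotiate a plaintext session (default: DISABLED).
    if s.get("dbms.connector.bolt.tls_level", ["DISABLED"])[-1].upper() != "REQUIRED":
        findings.append("bolt: dbms.connector.bolt.tls_level is not REQUIRED")
    # The plaintext HTTP connector is on by default; only HTTPS should serve the console.
    if s.get("dbms.connector.http.enabled", ["true"])[-1].lower() != "false":
        findings.append("http: plaintext HTTP connector is enabled")
    # Any JVM flag that opens a remote JMX port re-exposes the deprecated management interface.
    for flag in s.get("dbms.jvm.additional", []):
        if "-Dcom.sun.management.jmxremote.port=" in flag:
            findings.append(f"jmx: remote JMX port exposed via '{flag}'")
    # Browser keeps credentials unless this is explicitly false (the setting defaults to true).
    if s.get("browser.retain_connection_credentials", ["true"])[-1].lower() != "false":
        findings.append("browser: browser.retain_connection_credentials is not false")
    return findings

if __name__ == "__main__":
    for finding in audit_neo4j_conf(SAMPLE_CONF):
        print("FAIL", finding)
```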