
Best Practices For Securing Data In Elasticsearch And OpenSearch

It is important to keep Elasticsearch and OpenSearch data secure from attacks and exposures. In this blog, we are going to dive into the best practices for securing data in Elasticsearch and how Portal26 can help keep you and your business protected.

What are Elasticsearch and OpenSearch, and are they Secure?

Elasticsearch and OpenSearch are widely used enterprise search engines that provide scalable, real-time search and querying. Their most common uses include log analytics, full-text search, general analytics, and both security and operational intelligence. Because they concentrate so much data in one place, Elasticsearch and OpenSearch are prime targets for cybercriminals.

Enterprise search platforms like Elasticsearch and OpenSearch ingest large volumes of data and index it for high-performance search and analytics. For this to work, live data (data in use, as opposed to data at rest) is normally left unencrypted. Encrypting it at this level would render the platform incapable of running full search operations, making the whole platform useless.

Furthermore, cybercriminals have targeted and exploited Elasticsearch and OpenSearch in recent years by searching for misconfigured or exposed clusters. Once they have used these to get inside, threat actors are able to steal large amounts of data for extortion purposes.

Finally, Elasticsearch and OpenSearch platforms are also targets for insider attacks. Even when data at rest is encrypted, having to keep data unencrypted while the platform searches it leaves that data extremely vulnerable. For this reason, Elasticsearch and OpenSearch are often the focus of large-scale cyberattacks and ransomware. Misconfigured Elasticsearch and OpenSearch clusters are far more dangerous than other misconfigured data stores because they hold enormous amounts of unencrypted data in one place. All attackers need to do is find a misconfigured deployment or, if they are lucky, get hold of a valid user credential. Once in, the data is readily available in clear text.

The Importance of Data Security in Elasticsearch and OpenSearch

One of the strongest data security measures ever developed is encryption. Encryption, which renders stolen data unreadable, is the only control that can truly fend off the data-related extortion that results from ransomware and other cyberattacks. By bringing data in use under its protection in addition to data at rest and data in transit, Portal26 uses encryption to secure data inside Elasticsearch while retaining the full-featured search and analytics that are native to the platform. With this enhanced safeguard in place via the Portal26 enterprise search plugin, enterprise search systems are no longer vulnerable to external attacks, malicious insiders, or unintentional disclosure.

To avoid cyberattacks, illegal access, and data breaches, which can have serious repercussions including financial losses and reputational damage, it is essential to secure data inside Elasticsearch. Implementing robust security measures, such as searchable encryption that has received NIST FIPS 140-2 certification, will dramatically lower the risk of these incidents and ensure that your data is safeguarded.

Elasticsearch Security and OpenSearch Security – Features and Best Practices

The best practices for securing data in Elasticsearch and OpenSearch include:

  • Using SSL/TLS encryption for communication between nodes.
  • Implementing proper authentication and authorization to protect systems and information from being broken into by cybercriminals.
  • Encrypting sensitive data at rest to prevent an attacker from accessing the unencrypted data.
  • Encrypting sensitive data in use with searchable encryption to ensure that even if attackers gain access to the cluster, they cannot leave with unencrypted data.
  • Regularly monitoring and auditing your Elasticsearch or OpenSearch cluster so that you know who is accessing it.
  • Enabling alerting for unusual or suspicious behavior so that you can detect, and protect your company from, someone who shouldn’t be accessing important information.
  • Setting up firewalls to limit access to the cluster to specific IP addresses, shielding your network from malicious traffic.
  • Keeping software up to date to stay protected against known vulnerabilities and prevent hackers from planting malware on your network.
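As an added example (not code from Portal26 or Elastic), the checklist above can be turned into an automated review of an elasticsearch.yml. The setting names are real Elasticsearch settings (including the script.allowed_contexts restriction the FAQ below recommends); an absent setting is treated as its least-secure value, which matches the 7.x defaults, and both sample configurations are constructed for illustration.

```python
# Added example, not Portal26's or Elastic's code: audit a flattened
# elasticsearch.yml (dotted keys, which Elasticsearch accepts) against the
# best practices above. Setting names are real; an absent setting is treated
# as its least-secure value (the 7.x default). Sample configs are constructed.

WEAK_CONFIG = {
    "network.host": "0.0.0.0",        # listens on every interface
    "xpack.security.enabled": False,  # no auth, no TLS, no audit trail
}

HARDENED_CONFIG = {
    "network.host": "10.20.0.5",      # internal address behind a firewall
    "xpack.security.enabled": True,
    "xpack.security.transport.ssl.enabled": True,
    "xpack.security.transport.ssl.verification_mode": "certificate",
    "xpack.security.http.ssl.enabled": True,
    "xpack.security.audit.enabled": True,
    "script.allowed_contexts": ["search", "update"],
}

# Settings that must be enabled, with the best practice each implements.
REQUIRED_TRUE = [
    ("xpack.security.enabled", "authentication and authorization"),
    ("xpack.security.transport.ssl.enabled", "TLS between nodes"),
    ("xpack.security.http.ssl.enabled", "TLS for the REST API"),
    ("xpack.security.audit.enabled", "audit trail of cluster access"),
]
ALL_INTERFACES = {"0.0.0.0", "::", "_global_"}


def _enabled(value):
    return value is True or str(value).lower() == "true"


def audit_config(cfg):
    """Return one finding per setting that falls short of the best practices."""
    findings = []
    for key, purpose in REQUIRED_TRUE:
        if not _enabled(cfg.get(key, False)):
            findings.append(f"{key} is off: no {purpose}")
    if str(cfg.get("network.host", "127.0.0.1")) in ALL_INTERFACES:
        findings.append("network.host binds every interface: restrict it and "
                        "firewall ports 9200/9300")
    if cfg.get("script.allowed_contexts") is None:
        findings.append("script.allowed_contexts unset: scripts may run in any "
                        "context; limit to search/update or none")
    return findings
```

Run audit_config on each configuration: the hardened one returns no findings, the weak one returns six.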

Role-based access control (RBAC)

One of the main techniques for advanced access control, role-based access control (RBAC), limits network access based on a person’s role inside an organization. In RBAC, the roles describe the levels of access that employees have to the network.

SSL/TLS encryption

Data sent over the internet or a computer network is protected by SSL (Secure Sockets Layer) encryption and by TLS (Transport Layer Security), its more recent and more secure successor. This shields data sent between two endpoints (typically a user’s web browser and a web or application server) from attackers, and from Internet Service Providers, reading or manipulating it.


IP filtering

Your internal network can be secured against hackers using IP filtering and network address translation (NAT). With IP filtering, you control which IP traffic is allowed into and out of your network.

Authentication

The process of confirming that someone or something is, in fact, who or what it claims to be is known as authentication. By comparing a user’s credentials to those stored in a database of authorized users or on an authentication server, authentication technology controls access to systems. Authentication underpins secure systems, secure business processes, and secure corporate data.

Portal26’s Elasticsearch Security and OpenSearch Security Features

For enterprise search engines like Elasticsearch and OpenSearch, Portal26 provides its own option for Elasticsearch and OpenSearch security through Portal26 Search Plugin, including features like:

  • Searchable encryption that remains in place even during active indexing and searching.
  • Support for multiple privacy-preserving formats, such as encryption, tokenization, masking, and redaction when data is released.
  • Compliance with security regulations and audits, including FIPS 140-2, FedRAMP and other data privacy laws.
  • Bring Your Own Key/Hold Your Own Key (BYOK/HYOK) capabilities for all Portal26-secured data within Elasticsearch and OpenSearch. This protection is across all levels of granularity including field level, index level and above.
  • Post-attack visibility that allows Portal26 to report on what cybercriminals accessed, viewed, and exfiltrated in the case of a security breach and to provide evidence that sensitive data retained encryption even if it was exfiltrated. This capability is helpful when reporting to auditors, regulators, and internal boards.

By utilizing Portal26’s Elasticsearch and OpenSearch security plugin, organizations can feel safe knowing their sensitive data is protected at all times. For more information regarding Portal26’s BYOK/HYOK services for Elasticsearch and OpenSearch, Portal26’s searchable encryption and general encryption capabilities for Elasticsearch and OpenSearch, and how SaaS providers can utilize Portal26 to better secure their Elasticsearch and OpenSearch platforms, read Portal26’s blog, Keeping Elasticsearch data secure from attacks and exposure.


Learn more about Portal26’s Elasticsearch security and OpenSearch security plugin and other security solutions by scheduling a demo.


Elasticsearch Security and OpenSearch Security FAQs

How does encryption help secure data in Elasticsearch and OpenSearch?

The Elasticsearch and OpenSearch security plugin enables full-featured search and analytics on encrypted data without decrypting it. It also intercepts and transforms all queries against protected data. All of this is carried out transparently, using native platform capabilities, so neither the datastore nor any application built on top of it needs to be aware of the plugin’s existence.

How does Portal26’s plugin help secure data in Elasticsearch and OpenSearch?

Portal26 ensures that data inside Elasticsearch and OpenSearch stays encrypted at rest and in use, even while it is being actively searched. This means that even if a threat actor gains access to the cluster, they cannot leave with large volumes of unencrypted data.

How do I stay updated on the latest security measures for Elasticsearch and OpenSearch?

Monitoring is necessary to keep a system secure. You can easily identify who is accessing your cluster and what they are doing by using the Elastic Stack security features to keep an audit trail. The audit level, which determines which kinds of events are logged, is configurable. These events include unsuccessful authentication attempts, user access denials, node connection denials, and others. By examining access patterns and failed attempts to access your cluster, you can learn more about attempted attacks and data breaches. Keeping an auditable log of cluster activity can also help in identifying operational problems.
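An added example (not Portal26's or Elastic's code) of the alerting the answer above describes: a small detector run over audit log lines. The sample lines are constructed in the shape of the Elasticsearch 7.x JSON audit log (one JSON object per line; field names such as event.action and origin.address are assumed to match that format), and the failed-login threshold is illustrative.

```python
# Added example, not Portal26's or Elastic's code: simple alerting over an
# Elasticsearch JSON audit log. The sample lines below are constructed in
# the shape of the 7.x audit log (one JSON object per line); field names
# such as event.action and origin.address are assumed to match that format.
import json
from collections import Counter

# Constructed sample: three failed logins from one address, one legitimate
# search, one denied read of a sensitive index, and one IP-filtered connection.
SAMPLE_AUDIT_LOG = """\
{"@timestamp":"2024-05-01T10:00:01Z","event.type":"rest","event.action":"authentication_failed","user.name":"admin","origin.address":"203.0.113.7:51000","url.path":"/_security/user"}
{"@timestamp":"2024-05-01T10:00:02Z","event.type":"rest","event.action":"authentication_failed","user.name":"admin","origin.address":"203.0.113.7:51001","url.path":"/_security/user"}
{"@timestamp":"2024-05-01T10:00:03Z","event.type":"rest","event.action":"authentication_failed","user.name":"elastic","origin.address":"203.0.113.7:51002","url.path":"/_cat/indices"}
{"@timestamp":"2024-05-01T10:00:04Z","event.type":"rest","event.action":"authentication_success","user.name":"analyst","origin.address":"10.20.0.9:40000","url.path":"/logs-*/_search"}
{"@timestamp":"2024-05-01T10:00:05Z","event.type":"transport","event.action":"access_denied","user.name":"analyst","origin.address":"10.20.0.9:40001","action":"indices:data/read/search","indices":["customer-pii"]}
{"@timestamp":"2024-05-01T10:00:06Z","event.type":"ip_filter","event.action":"connection_denied","origin.address":"198.51.100.4:33000","transport.profile":"default"}
"""

FAILED_AUTH_THRESHOLD = 3  # failures from one address before alerting (illustrative)


def parse_audit_log(text):
    """Return one dict per non-empty audit log line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return alert strings for the patterns the FAQ answer names: repeated
    failed logins, denied index access, and denied node/client connections."""
    alerts = []
    failures = Counter()
    for ev in events:
        src = ev.get("origin.address", "?").rsplit(":", 1)[0]  # drop the port
        action = ev.get("event.action")
        if action == "authentication_failed":
            failures[src] += 1
        elif action == "access_denied":
            alerts.append(f"access_denied: user {ev.get('user.name')} from {src} "
                          f"on {ev.get('indices')} ({ev.get('action')})")
        elif action == "connection_denied":
            alerts.append(f"connection_denied: {src} blocked by IP filter "
                          f"(profile {ev.get('transport.profile')})")
    for src, count in failures.items():
        if count >= FAILED_AUTH_THRESHOLD:
            alerts.append(f"brute_force: {count} failed logins from {src}")
    return alerts
```

Feeding the sample through detect(parse_audit_log(SAMPLE_AUDIT_LOG)) yields three alerts: the denied read of customer-pii, the filtered connection, and the repeated failures from 203.0.113.7.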

What is role-based access control (RBAC) and how does it contribute to securing data in Elasticsearch and OpenSearch?

With the security features’ role-based access control (RBAC) mechanism, you authorize users by assigning permissions to roles and then assigning roles to individual users or groups. Each role thereby defines a set of resources that only its members can access.

What are some common security threats in Elasticsearch and how can they be prevented?

A common security threat in Elasticsearch used to be that its scripts were written in languages like JavaScript. Because of this, it was simple for a hacker to add harmful scripts to a database. Painless puts an end to that kind of hijinks, making it much more difficult to bring down a cluster. Elasticsearch now advises restricting the script contexts with script.allowed_contexts: search, update to stop dangerous scripts from running. If this still isn’t enough, you can set script.allowed_contexts to none to stop all scripts from running.

Another common security threat in Elasticsearch is exposing your Elasticsearch database to the internet. Elasticsearch’s tiering system had previously encouraged developers to leave security in databases until the very end of the development cycle. Security features for Elasticsearch are now available in the free tier as of Elastic Stack 6.8 and 7.1, so there is no longer a financial justification for developers to skip addressing security before going live.

Read more about how you can prevent common security threats.
