MarkLogic Data Hub Service: Mastering Security in the Cloud

Almost every organization you speak to these days has a cloud-first strategy, and if they don’t today, they will soon. They all want the agility of the cloud, the automation it can bring, and they want to focus on their business – not the plumbing. However, when it comes to large enterprises and mission-critical tasks, security has been a barrier for cloud adoption.

We recognized this challenge several years ago and began a concerted effort to remove those barriers by taking our industry-leading security model to an even higher level. Customers are relying on our advanced security capabilities to give them the assurance they need to migrate some of the most complex and sensitive workloads in the world to the cloud. For example, The Centers for Medicare & Medicaid Services is now running the Affordable Care Act (ACA) program completely in the cloud. When you think about the sorts of data managed by that system, you realize just how strict the security requirements must be.

But we didn’t stop there. The newest release of our multi-model database, MarkLogic 10, adds even more security capabilities. But an ultra-secure database isn’t enough. The MarkLogic Data Hub Service, powered by MarkLogic 10, secures your entire data integration platform in unique ways:

• Virtual Private Cloud. Unlike other services where multi-tenancy and shared infrastructure is the norm, every customer running in MarkLogic Data Hub Service is in its own virtual private cloud (VPC) in a completely different environment from any other company’s data, network, storage, and administration, rather than being part of a pool from which space is carved out for different customers. Like other security mechanisms, MarkLogic’s VPC approach is baked into the data hub. There’s no way to turn it off, there is no way to misconfigure it, and there is no way to forget to turn it on. This level of isolation is what enterprises need to rest assured that their data, their very lifeblood, is well protected.
• Advanced encryption. The data in MarkLogic Data Hub Service is always encrypted—by default. Done at the database level, the encryption means that even AWS or Azure cannot see the company’s data. Even within a company, there are different kinds and classes of data. They, too, can be encrypted differently. This ensures that only the right people, at the right time, have access to the right data. This level of encryption constitutes another level of data segregation that enterprises require. Along with capabilities like element-level security and anonymization, data is both highly secure and highly shareable – with the right people.
• Secure by Default. Security in MarkLogic Data Hub Service is always on—and it comes on top of the security built into the underlying MarkLogic database, which is leaps and bounds tougher than the security built into other databases. This results in granular control over all data, all the time, and enterprise-grade strict policies regarding access controls.

With these improvements, we’ll help drive enterprise workloads to the cloud faster than ever and set the standard for what enterprises demand from database and cloud services technologies. Enterprises may even have better security in the cloud than on-premise because of the extra level of cloud security that occurs because fixes are more centrally administered, often more quickly, than with on-premise solutions. As IDC states, while security is “often cited as the leading obstacle to cloud implementations, increasingly some customers see cloud as more secure, cost-effective, and customer responsive than in-house capabilities.”

Besting Certification Requirements

With our enhanced products now in the market, our next step is to achieve the highest levels of external security certifications for them. We don’t design our products simply to meet certification requirements so we can check a box somewhere. We design them to meet the requirements of enterprise customers. In our mind, that means going beyond what those certifications require and what is offered by competing services. We opted for enhanced security from the start and every choice we’ve made since then has sprung from that position.

Within the next few months, MarkLogic expects to achieve the following certifications, including:

• NIST 800-53 Moderate Attestation. This is an umbrella framework that implements the control that enables compliance with many certifications, including:
• SOC 2 Type 2. SOC 2 Type 2 is a requirement for many financial organizations to use cloud vendors. SOC stands for “Service Organization Controls” and SOC 2 focuses on the internal controls an organization has that are released to compliance and operations. Type 2 also evaluates the operational effectiveness of controls over a period of time, the minimum of which is six months, to determine if controls are operating as described. In contrast, a Type 1 certification looks at security controls at a specific point in time.
• FedRamp Moderate ATO. The U.S. government increasingly requires FedRAMP certification for cloud vendors.
• HIPAA. Health care providers are required to comply with HIPAA and so want compliant cloud vendors.
• FDA 21 CFR Part II. This is targeted toward the pharmaceutical industry.

Security for Every Industry

We tend to think that these sorts of certifications are targeted towards regulated industries, but we believe that every industry today is in fact regulated. If the government isn’t regulating the industry directly—as is the case with health care, finance, and insurance—market forces are. And what the market requires, by way of customers and consumers, is the very best data security as companies pursue their digital transformations. This is exactly what the MarkLogic Data Hub Service delivers.

Learn more about the MarkLogic Data Hub Service.