Client Encryption

Details

Cassandra offers the option to encrypt data in transit between the client and nodes on the cluster. By default client encryption is turned off.

Rationale:

Data in transit between the client and node on the cluster should be encrypted to avoid network snooping, whether legitimate or not.

Solution

Client encryption should be implemented before anyone accesses the Cassandra server.
To enable the client encryption mechanism:
1. Stop the Cassandra database.
2. If not done so already, build out your keystore and truststore.
3. Edit the cassandra.yaml file to modify or add the following entries under client_encryption_options:
   - set enabled: true
   - set optional: false
   This will force all connections to be encrypted between client and node on the cluster.
4. Start the Cassandra database.
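
One way to verify step 3 before restarting a node, as an added example that is not part of the original article or of Cassandra's own tooling. The function names and both sample configurations are constructed for illustration, and the reader assumes the block-style layout of a stock cassandra.yaml rather than implementing general YAML parsing.

```python
import re

# Defaults stated on this page: both settings are false when absent.
DEFAULTS = {"enabled": "false", "optional": "false"}

def client_encryption_settings(yaml_text):
    """Return the scalar keys found under client_encryption_options."""
    settings, in_block = dict(DEFAULTS), False
    for raw in yaml_text.splitlines():
        line = raw.split(" #")[0].rstrip()        # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue                              # blank or commented-out line
        if not line[0].isspace():                 # a top-level key opens or closes the block
            in_block = line.startswith("client_encryption_options:")
            continue
        if in_block:
            m = re.match(r"\s+([A-Za-z_]+):\s*(.*)$", line)
            if m:
                settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return settings

def audit(yaml_text):
    """List deviations from the control: enabled: true and optional: false."""
    s = client_encryption_settings(yaml_text)
    findings = []
    if s["enabled"].lower() != "true":
        findings.append("enabled is not true: client traffic is not encrypted")
    if s["optional"].lower() != "false":
        findings.append("optional is not false: unencrypted clients are still accepted")
    return findings

# Constructed sample: shipped state, with the optional line commented out.
WEAK = """\
cluster_name: 'Test Cluster'
client_encryption_options:
    enabled: false
    # optional: false
    keystore: conf/.keystore
native_transport_port: 9042
"""

# Constructed sample: the state this control asks for.
HARDENED = WEAK.replace("enabled: false", "enabled: true").replace(
    "# optional: false", "optional: false")

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "compliant")
```

A configuration with enabled: true but optional: true still produces a finding, because the node then accepts both encrypted and unencrypted client connections.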

Default Value:
enabled: false
optional: false

References:
http://cassandra.apache.org/doc/latest/operating/security.html

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Unix.

Updated on July 16, 2022