NCache Security (Quick Peek)

Let's take a quick peek into NCache security. Please note that NCache is the industry's only 100% native .NET caching solution. Here's how NCache is typically deployed in the enterprise. Notice there's a separate caching tier that consists of cache servers, and the machines in your application tier are called the cache clients.

NCache Deployment in Enterprise

Now, let's dive into NCache security. NCache security consists of four different areas.

  • User Security: Number one is the user security, which consists of user authentication and authorization.
  • Encryption: And number two is the encryption of data that is put in the cache, and encryption also includes RSA encryption for the transport of credentials and encryption keys.
  • Transport Layer Security (TLS): Number three is to use the transport layer security / TLS, to establish secured, encrypted transport between NCache clients and NCache servers, and among NCache servers as well. NCache supports regular TLS and also mutual TLS.
  • HTTPS for Management Center: And fourth is the use of HTTPS for Management Center, so the NCache management aspect is also secured.

User Security

User Authentication

  • Windows: Domain Controller with Active Directory (AD)
  • Linux: Red Hat Directory Server, OpenLDAP on Ubuntu / Debian / Red Hat
  • Cloud: Azure Microsoft Entra ID, AWS Directory Service, GCP Managed Microsoft AD
  • Secured SSL/TLS Server: Secured LDAP and Domain Controller

User security starts with user authentication. On Windows it is done against a domain controller, and on Linux against an LDAP server (or any LDAP-standard server) on Red Hat, Ubuntu, or Debian. In the cloud, the options for authentication are Azure Microsoft Entra ID, AWS Directory Service, or Google's GCP Managed Microsoft AD. NCache also supports SSL/TLS-secured directory servers, that is, secured LDAP or a secured domain controller.

User Authorization (Types of Users)

  • Server Admin (Windows/Linux): Enable / Disable Security (Node Level)
  • NCache Admin: Cache Management and User Management
  • Cache User: Cache Access for read/write operations

The second aspect of user security is user authorization, which assigns each user to one of several user types. Number one is the server admin, on both Windows and Linux. This is the type of user that is needed to turn on (enable) user security in NCache. Once that is done, you can create NCache admins and cache users. An NCache admin is used for cache management and also for creating more users, whether NCache admin users or cache users. Cache users are the ones that can access a specific cache for read/write operations.

Credential Encryption

  • RSA Encryption: for transport client-server, server-server
  • Credential Encryption Key (CEK): for saving credentials in config files

User security also includes credential encryption. RSA encryption is used for the transport of credentials between NCache clients and servers, and among the NCache servers. And there's also a credential encryption key that is used if you're saving these credentials in the config files.

Credential Caching

  • Credentials cached on NCache servers upon successful login
  • LDAP/Domain Controller validation upon login failure

Finally, there's a credential caching aspect in user security, where upon successful login, NCache will cache these credentials. So, future authentication for the same credentials will be done against this cache and not go against that LDAP server or the domain controller.

Here's what the picture looks like for user security. Notice all the cache servers are authenticating against a domain controller and LDAP server.

NCache User Security

Encryption

Data Encryption (Cache Level)

  • 3DES-128, 3DES-192
  • AES-128, AES-192, AES-256 (AES-FIPS too)
  • FIPS: Federal Information Processing Standard

Let's now talk about encryption. NCache provides data encryption at the cache level. And for that, it provides 3DES and AES algorithms. There's 3DES-128 and 3DES-192, and AES-128, AES-192, and AES-256 algorithms. There's also the AES-FIPS. FIPS stands for Federal Information Processing Standard. The most popular algorithm here is AES-256.

Encryption Keys

  • Data Encryption Key (DEK): provided by the user (cache level)
  • Key Encryption Key (KEK): to encrypt DEK
  • Credentials Encryption Key (CEK): to encrypt user credentials

NCache also lets you specify data encryption keys, which are then stored on the cache servers. And NCache also lets you specify a Key Encryption Key, which is used to encrypt the data encryption key at the time of saving it to the config files. NCache also lets you specify a Credential Encryption Key, which is used to encrypt user credentials before saving them on either the server or the client side.

RSA Encryption (Public/Private Key)

  • For transport only: Client-Server and Server-Server
  • Encryption on: User credentials, KEK, CEK

There's also RSA encryption, with a public and a private key, which is used mainly for transport of user credentials or encryption keys from NCache clients to NCache servers, or among different NCache servers.

Here's what the picture looks like with encryption turned on. Notice all the cached data is encrypted, both on the caching tier and also on the client cache. And when the data is sent, it is sent or returned in an encrypted form.

Data Encryption (Cache Level)

Transport Layer Security (TLS)

Now, let's talk about the Transport Layer Security, or TLS. It's a pretty straightforward process.

Regular TLS

  • Install the Server certificate on all NCache servers (Windows / Linux)

For regular TLS, you just install the SSL/TLS certificate on all the NCache servers, whether this is Windows or Linux.

Mutual TLS

  • Install the Client Certificate on all NCache clients (Windows / Linux)
  • Client certificate may be the same or different from the server certificate
  • Mutual TLS: both client and server present their certificates to connect

And for mutual TLS, you also need to install SSL/TLS certificates on all the NCache client boxes. These can be either the same certificate that you install on the NCache servers or different certificates.

Configure all Servers and Clients to use TLS

  • Use PowerShell Cmdlet "Enable-NCacheTLS" with Thumbprint and CN
  • For Client-to-Server, Server-to-Server, and Bridge communication
  • Specify all Servers, Clients, and Bridge nodes

NCache supports both regular and mutual TLS. You just configure all the NCache servers and all the clients to use TLS once those certificates are installed, with the help of a PowerShell Cmdlet.
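Before running the cmdlet, it helps to confirm that each candidate certificate is actually usable for TLS and to read off its Thumbprint and CN. The following is an added example, not NCache's own tooling: it assumes a Windows node with the certificate in the LocalMachine\My store, and the function name Test-TlsCertificate and the 30-day threshold are hypothetical.

```powershell
# Added example (not NCache code). Assumes Windows and the LocalMachine\My store.
function Test-TlsCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [switch]$MutualTls,            # the same certificate is also presented as a client certificate
        [int]$MinDaysRemaining = 30    # assumed renewal threshold
    )
    $serverAuth = '1.3.6.1.5.5.7.3.1'  # id-kp-serverAuth
    $clientAuth = '1.3.6.1.5.5.7.3.2'  # id-kp-clientAuth
    $problems = @()
    $now = Get-Date

    if ($Certificate.NotBefore -gt $now) { $problems += 'not yet valid' }
    if ($Certificate.NotAfter -lt $now.AddDays($MinDaysRemaining)) {
        $problems += "expires $($Certificate.NotAfter.ToString('yyyy-MM-dd'))"
    }
    # Without the private key the node cannot complete a handshake with this certificate.
    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key' }

    # A certificate with no EKU extension is unrestricted; otherwise the OID must be listed.
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku) {
        $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains $serverAuth) { $problems += 'missing Server Authentication EKU' }
        if ($MutualTls -and $oids -notcontains $clientAuth) {
            $problems += 'missing Client Authentication EKU'
        }
    }
    # The chain must build to a root that this machine trusts.
    if (-not $Certificate.Verify()) { $problems += 'chain does not validate' }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        CN         = $Certificate.GetNameInfo('SimpleName', $false)
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems -join '; '
    }
}

# List every certificate in the machine store with the two values the cmdlet asks for.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-TlsCertificate -Certificate $_ -MutualTls } |
    Format-Table -AutoSize
```

Run it on every server, client and bridge node that will be named in the TLS configuration, since a certificate that is usable on one node may be missing or lack its private key on another.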

Here's what the picture looks like when you have TLS enabled. Notice all the communication from clients to the servers is done through TLS both ways, and all the communication among all the NCache servers is done through TLS.

Transport Layer Security (TLS)

TLS encrypts data only in transit. Once the data is stored in the cache, it is not encrypted, and as you can see, it's normal data. If you want the data to be stored in the cache in encrypted form, then you have to use the encryption feature.

HTTPS for NCache Management Center

  • Install SSL/TLS Certificate on Servers
    • Install the SSL/TLS Server certificate on all NCache servers (Windows / Linux)
    • If already installed for TLS, then reuse it here
  • Configure HTTPS in Kestrel Web Server
    • Management Center is ASP.NET Core and runs in Kestrel Web Server
    • Add an HTTPS Endpoint in the appsettings.json config file

Finally, let's talk about HTTPS. To use HTTPS for the NCache Management Center, again, it's pretty straightforward. You install the SSL/TLS certificate on all the NCache servers or, if you've already installed them to use in TLS, then you can just reuse them here and then you configure HTTPS in the Kestrel web server. The NCache management center is an ASP.NET Core application and runs in the Kestrel web server, and all you have to do is add an HTTPS endpoint in the appsettings.json config file for this to happen.
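The shape of a Kestrel HTTPS endpoint, with a check run over it, as an added example that is not taken from NCache's shipped appsettings.json: the ports, the certificate subject and the function name Get-KestrelEndpointAudit are assumptions, while the Kestrel:Endpoints keys are the standard ASP.NET Core ones.

```powershell
# Constructed sample config. Ports and subject are placeholders, not NCache defaults.
$sample = @'
{
  "Kestrel": {
    "Endpoints": {
      "Http":  { "Url": "http://0.0.0.0:8080" },
      "Https": {
        "Url": "https://0.0.0.0:8443",
        "Certificate": {
          "Subject": "cache01.example.internal",
          "Store": "My",
          "Location": "LocalMachine",
          "AllowInvalid": false
        }
      }
    }
  }
}
'@

# Hypothetical helper: reports each Kestrel listener and anything that weakens it.
function Get-KestrelEndpointAudit {
    param([Parameter(Mandatory)][string]$Json)
    $cfg = $Json | ConvertFrom-Json
    if (-not $cfg.Kestrel.Endpoints) { return }   # no explicit endpoints configured
    foreach ($ep in $cfg.Kestrel.Endpoints.PSObject.Properties) {
        $url  = [string]$ep.Value.Url
        $cert = $ep.Value.Certificate
        $findings = @()
        if ($url -notmatch '^https://') {
            $findings += 'plain HTTP listener still exposed'
        } elseif (-not $cert) {
            $findings += 'no endpoint certificate; depends on a Kestrel default certificate'
        } elseif ($cert.AllowInvalid) {
            $findings += 'AllowInvalid=true accepts an untrusted or expired certificate'
        }
        [pscustomobject]@{
            Endpoint = $ep.Name
            Url      = $url
            Findings = $findings -join '; '
        }
    }
}

Get-KestrelEndpointAudit -Json $sample | Format-Table -AutoSize
```

On the sample, the Https endpoint comes back clean and the Http endpoint is flagged, which is the state to look for after adding HTTPS: the management UI is only protected once the plain HTTP listener is removed or blocked.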

Schedule a Demo

Please contact us to schedule a demo to learn about NCache architecture, its features, and strategy on how you can incorporate NCache into your application. Thank you very much.

© Copyright Alachisoft 2002 - . All rights reserved. NCache is a registered trademark of Diyatech Corp.