At Weaviate, we take the protection of your data seriously. Our information security measures continuously evolve and adapt to threats we see out there in the wilds of the internet. An area we are seeing more and more within our community is successful Weaviate projects that have been put into production using our Open Source product. With Weaviate Open Source you’re in control of your data, the Weaviate environment and the infrastructure it’s hosted on. In fact, we’ve built Weaviate with a range of modules that can make your transition from hackathon to startup to customer-ready easy and safe. Managing a Weaviate installation as part of a wider application at scale can be challenging and will introduce risks that are not faced by small projects or experiments. That’s why today we’re launching our OSS Hardening Guide. This document contains hints and tips to use the built-in tools that are part of Weaviate and its hosting infrastructure in order to maximise the confidentiality, integrity and availability of your installation.
Risk-based thinking
Not every Weaviate installation needs the same security investment as ‘Fort Knox’ but it is difficult to know how much security is appropriate when deploying in production.
Behind the scenes in the Weaviate security team, we strongly believe that the best security and investment decisions are reached through risk-based thinking. The first step to hardening your Weaviate OSS installation should be to consider the risks that you face; is the data that you’ll be storing sensitive in any way? are you subject to any industry or national regulation? what about your end users - will they expect a certain level of security?
Once you have determined your risks, it’s time to see what mitigations you can implement in order to manage them. Head to our OSS Hardening Guide to understand what is available within Weaviate. While measures such as Role-based Access Control, automatic Backup capability and Replication can help you design a set of easy-to-implement controls to manage access and availability, you will also want to consider encryption both for data in transit and in storage.
Remember the principal of defense-in-depth: always configure multiple security controls in case one fails.
All modern information security frameworks require some form of risk assessment, so you're already ahead once your customers start asking for evidence of that practice!
Testing before production
It’s a good idea to test your Weaviate security measures to make sure that they are correctly configured before you launch. In particular, we recommend that you use an online SSL checker to make sure your encryption in transit is working, and that you test that you can restore your backups should the worst happen. Now is a good time to go back to your risks and mitigations, and assure yourself that the measures you’re implemented are actually managing the risk - for instance, if you’ve used replication to make sure your service can survive if a node fails, have you tested to verify that’s the case? If this service is especially critical, you may wish to engage the service of a third party penetration testing company to assist you with your assurance. If you choose to do this, we recommend ensuring your tester is CREST certified.
Ongoing Maintenance
Sadly, information security is not a ‘set and forget kind’ of job. There are a number of regular activities that we recommend are scheduled and operated as often as you think necessary. Remember that risk-based thinking should be practiced whenever a major change takes place in your environment, whether that’s the rollout of a new major version, the introduction of a new feature, expanding into a different customer base or reaching a company growth milestone. Involving a diverse range of thinkers can improve your identification, understanding and treatment of risk as well. We release new versions of Weaviate all the time, and strongly advise OSS users to stay within one major release of our latest version if possible. These releases will contain security fixes and improvements, as well as exciting new features. We will also patch any third party vulnerabilities that are identified by the open source community and our security partners.
Stay safe out there!
In summary, going from development to production is an incredible journey, and our OSS Hardening Guide, your risk-based thinking coupled with some testing, it can be a safe and secure one as well.
Ready to start building?
Check out the Quickstart tutorial, or build amazing apps with a free trial of Weaviate Cloud (WCD).
Don't want to miss another blog post?
Sign up for our bi-weekly newsletter to stay updated!
By submitting, I agree to the Terms of Service and Privacy Policy.