04 November 2014 Engineering

Shield: You Know, For Security

By Shay Banon

UPDATE: The age of Shield is here, click here to get information on how you can activate your plug-in today.


Since the early days of Elasticsearch, one could secure Elasticsearch using external systems. For example, since Elasticsearch APIs are exposed through REST over HTTP, users secure it using proxies or firewalls.

With the explosive adoption of Elasticsearch and the ELK stack, our customers and users started to ask us for a more integrated security solution with advanced features that are not implemented using external systems.

After spending a lot of time with our customers, some of them with very demanding security requirements, we started to work on a security product within Elasticsearch, which we named Shield. (Any Marvel fans out there sensing a theme? :) )

Over the last few months, I have been traveling all over the world talking to customers and users at meetups, and every time I mentioned Shield, people got very excited. For this reason, we thought it made sense to publicly announce that we are working on a security product, explain what it is, and share that we expect to release it by the end of the year.

Shield, in the same spirit as Marvel, is built on top of Elasticsearch's public extension points, and is easily installed as a plugin to add security features to any existing Elasticsearch installation. It does not require a different distribution of Elasticsearch, and relies heavily on the open public APIs Elasticsearch already exposes.

Shield itself provides four main feature themes:

Role-Based Access Control

Set granular cluster, index, and alias-level permissions for each user of your Elasticsearch cluster. For example, allow the marketing department to freely search and analyze social media data with read-only permissions, while preventing access to sensitive financial data.

Authentication System Support

Shield integrates with LDAP-based authentication systems as well as Active Directory, so your users don't need to remember yet another password. We also provide a native authentication system, for those who want to manage all access within Elasticsearch.

Encrypted Communications

Node-to-node encryption protects your data from intruders. With certificate-based SSL/TLS encryption and secure client communications with HTTPS, Shield keeps data traveling over the wire protected.

Audit Logging

Ensure compliance and keep a pulse on security-related activity happening in your Elasticsearch deployment; record login failures and attempts to access unauthorized information.

Recently, we successfully launched a beta with a select group of customers who are putting each aspect of Shield to the test. We are excited to take what we learn and fold that valuable knowledge back into the finished product for everyone to use.

Finally, I am very happy to announce that Shield will be free for existing and future subscription customers. Our customers already enjoy the relationship they built with our developers when it comes to supporting them through their development and production deployments, as well as the huge investment we make in developing the products themselves, and we are thrilled to provide them, at no additional cost, the option to use Shield.

We think Shield will develop into a one-stop shop when it comes to securing the ELK stack, satisfying even the most demanding security requirements. We are very excited to make this available to our customers, and I hope you are as well.

Stay tuned for more updates as the release date draws near...