RedisOplog - 'externalize' oplog out of SOX, PCI, GDPR compliant environment


#1

Hi,

Mongo Atlas supports the most important data security regulations: HIPAA, SOX, PCI

Let’s say, if I promoted my product as a business product and was asked to present specs of the DB security, I would refer to the link above indeed. This is having in mind that the Oplog is being taken care of by Atlas.

What would you think about having the RedisOplog … oplog, with a non-compliant host or a host with no specified security levels or a host which is not particularly HIPAA, SOX or PCI compliant?

Do you feel we could/should add some specifications to the package about this particular thing. Perhaps some help for the developers in terms of awareness and how to achieve (and make sure of it) compliancy.

I added RedisOplog last night into one of my projects and being new to Redis I found it really challenging to understand all the bits and pieces in terms of achieving data privacy compliancy (did it over AWS EC2).

Tx,
Paul


#2

Unfortunately I had to revert back to Oplog due to compliance issues. My data transaction model is built 95% around non-reactive lazy loads triggered from UX, and for the social module where I use reactivity I’ll stick with Oplog until … this becomes a problem. I mainly use Meteor not for reactivity but because I am a small team and I can run JS everywhere … except Photoshop … though I’m still waiting for a JS version of it …

I tried to set up an EC2 machine for Redis but it is next to impossible to get TLS into it unless you hire a full NASA tech department. All users publish “myself” to themselves for profile data and tokens, counts etc. Unless Redis is fully encrypted at rest and in transit, even GDPR becomes a bit of an issue.

I am very interested to hear from anyone about tests with Redis-Oplog over TLS, with encrypted data and see how the CPUs are doing vs costs.

My takeaway: unless really necessary, and taking into consideration the extra costs for a secured, clustered (probably a cluster of 3) Redis service, the package did not satisfy my model. I feel that I might use it in the future if:

  1. My infrastructure would be so large that I’d have to run my own clusters in AWS.
  2. Running my own clusters, I could run Node, DB and Redis in the same private network.
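An added example for the concerns raised in this post (it is not code from the poster or from the redis-oplog project): a small Node.js audit that checks a Redis connection URL for the properties the post treats as prerequisites for compliance, namely TLS in transit (`rediss://`), an authenticated endpoint, and an address inside the private network rather than a public IP. It assumes the application exposes its Redis connection as a `redis://` or `rediss://` URL; the sample URLs, the `10.0.1.20` address and the `REPLACE-WITH-SECRET` password are constructed placeholders. Encryption at rest is a property of the Redis host itself and cannot be judged from a URL, so the audit does not claim to cover it.

```javascript
// Added example (not from the thread or the redis-oplog project): audit a Redis
// connection URL for the transport-security properties discussed in the post.
// Assumed URL form: redis://[user[:password]@]host[:port][/db], or rediss://
// for a TLS connection.

const PRIVATE_IPV4 = [
  /^10\./,                          // RFC 1918 10/8
  /^192\.168\./,                    // RFC 1918 192.168/16
  /^172\.(1[6-9]|2\d|3[01])\./,     // RFC 1918 172.16/12
  /^127\./,                         // loopback
];

function isIpv4Literal(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

function isPrivateIpv4(host) {
  return PRIVATE_IPV4.some((re) => re.test(host));
}

// Returns a list of findings; an empty list means the URL alone shows no
// transport-security problem. Encryption at rest is not visible here.
function auditRedisUrl(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (err) {
    return [`unparseable URL: ${urlString}`];
  }
  const findings = [];
  if (url.protocol !== 'rediss:') {
    findings.push('plaintext transport: use rediss:// so oplog traffic is encrypted in transit');
  }
  if (!url.password) {
    findings.push('no password: configure requirepass or an ACL user so the endpoint is authenticated');
  }
  if (isIpv4Literal(url.hostname) && !isPrivateIpv4(url.hostname)) {
    findings.push(`public IPv4 endpoint ${url.hostname}: keep Redis in the private network with Node and the DB`);
  }
  return findings;
}

// Constructed sample inputs: a weak setting and its hardened counterpart.
// 198.51.100.10 is a documentation-only (TEST-NET-2) address used as a stand-in
// for a public IP; 10.0.1.20 stands in for a private VPC address.
const SAMPLE_URLS = {
  weak: 'redis://198.51.100.10:6379',
  hardened: 'rediss://oplog:REPLACE-WITH-SECRET@10.0.1.20:6380/0',
};

// Audit every URL in a settings map and return findings keyed by name.
function auditAll(urls = SAMPLE_URLS) {
  return Object.fromEntries(
    Object.entries(urls).map(([name, u]) => [name, auditRedisUrl(u)])
  );
}

console.log(JSON.stringify(auditAll(), null, 2));
```

Run it with `node audit-redis-url.js`; the weak URL produces three findings (plaintext, no password, public endpoint) and the hardened one produces none. A hostname that is not an IPv4 literal is left unjudged, since whether a DNS name resolves inside the VPC cannot be decided offline.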