Manage Security in Confluent Platform

Confluent Platform is the central nervous system for a business, storing mission-critical data and uniting your organization around an Apache Kafka®-based single source of truth. Confluent supplies a comprehensive set of security features features and tools to manage the health of your crucial business systems. From managing identities to encrypting data, the platform provides flexible, configurable options to meet the security requirements of a wide range of organizations and use cases.

Identity and Access Management

Confluent Platform offers several built-in features to help you enforce who can access your Confluent cluster and what they can do is foundational to security.

• The role-based access control (RBAC) system lets you assign roles like “ClusterAdmin” or “DeveloperRead” to users and service accounts. You can scope permissions to individual clusters, topics, or consumer groups.
• For environments not using RBAC, can use Apache Kafka® Access Control Lists (ACLs) to control producer and consumer access at the topic or group level. ACLs also provide compatibility for existing Kafka security setups.
• OAuth 2.0 supported integrations with identity providers like Okta, Keycloak, and Entra ID allow centralized user management and single sign-on (SSO).
• Confluent supports TLS for secure communication and can enforce mutual authentication (mTLS) between clients and brokers. By issuing client certificates, you can authenticate both ends of every connection.

Data Protection and Encryption

Confluent Platform ensures data confidentiality and integrity with robust encryption capabilities for data at rest or in transit.

• TLS encryption protects data moving between producers, brokers, and consumers against interception. It supports configurable ciphers for compliance with organizational standards.
• Data stored in Kafka topics can be encrypted at the disk level. By integrating with tools like Amazon KMS or other key management systems, you can rotate keys and maintain control over encryption policies.

Security Plugins and Extensions

Confluent Platform extends its security functionality with several plugins and integrations:

• For environments using LDAP for centralized authentication, Confluent Platform offers seamless integration to simplify user and group management.
• Confluent supports custom authorizers, allowing you to extend and tailor access control to unique organizational needs.
• Confluent Platform securely manages sensitive configuration details, like passwords or API keys. Supports integrations with external secret managers like HashiCorp Vault or AWS Secrets Manager.

Monitoring and Auditing

A secure system must supply visibility into its operations through monitoring and auditing of its activity, Confluent Platform generates detailed audit logs for key operations, such as topic creation, ACL modifications, and user access events. These logs integrate easily with SIEM tools for monitoring and analysis. You can export metrics on security-related events, such as failed authentication attempts, to monitoring systems like Prometheus or Grafana to trigger alerts.

Multi-Tenancy Support

If you’re running a shared Kafka cluster, multi-tenancy features ensure proper isolation between tenants. With Confluent Platform you can set quotas that limit the amount of data tenants can produce or consume, thus reducing the risk of resource contention.

Dedicated connectors and schemas use namespace isolation that ensures tenants only interact with their connectors and schema registry entries.

Compliance-Ready Features

Finally, Confluent Platform is designed with compliance in mind, offering features to help meet regulatory requirements like GDPR or PCI DSS. The Schema Registry validates message formats to enforce contracts between producers and consumers, reducing the risk of bad data pipelines. Sensitive data in Kafka streams is masked and filtered during processing, ensuring only authorized users see it.

Explore the Confluent Platform Security Features

In this documentation, see the Confluent Platform demo for a working deployment of encryption, authentication, and authorization configured end-to-end across all Confluent Platform components. Other, hands-on, teaching courses include Apache Kafka Security (Confluent Developer course) and Confluent Cloud Security (Confluent Developer course)

Confluent Platform is enterprise-grade security which means your organization has options. To get an idea of the potential combinations you can configure, see Security Deployment Profiles in Confluent Platform in this documentation.

Related content

• An Introduction to Apache Kafka Security: Securing Real-Time Data Streams (Confluent blog)
• Apache Kafka Security Best Practices (podcast)
• Best Practices to Secure Your Apache Kafka Deployment. (Confluent blog)
• What are the required Firewall configurations for Confluent Platform (Confluent Support)