France: CNIL publishes best data security practices for organisations using Elasticsearch

The French data protection authority ('CNIL') published, on 2 September 2020, four key best practices for organisations using Elasticsearch technology for indexing and searching online, in order to ensure the security of personal data. In particular, CNIL outlined that Elasticsearch servers can process large amounts of personal data, such as IP addresses, usernames, user activity logs, and geolocation of users. As such, organisations using Elasticsearch are becoming increasingly targeted by online attackers, while organisations are not implementing some basic security measures. Therefore, CNIL recommended that organisations implement the following four key measures: implementing user authentication processes, for instance via password; setting up firewall rules and filters for IP addresses; updating software to ensure the highest level of data security and communication encryption; and disabling or restricting modules allowing unused scripts to run and, where necessary, blocking direct access for users through the front-end. In addition, CNIL reminded organisations using Elasticsearch servers of general information security best practices, such as regularly updating applications, while also adapting them to this specific use case through, for instance, activating security event logs in order to monitor unsuccessful attempts to log in.

You can read CNIL's best practices, only available in French, here.