Security Architecture | Geode Database

<h2 id="security-architecture" class="position-relative d-flex align-items-center group"> Security Architecture <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="security-architecture" aria-haspopup="dialog" aria-label="Share link: Security Architecture"> Share link </button> </h2><div id="headingShareModal" class="heading-share-modal" role="dialog" aria-modal="true" aria-labelledby="headingShareTitle" hidden> <div class="hsm-dialog" role="document"> <div class="hsm-header"> <h2 id="headingShareTitle" class="h6 mb-0 fw-bold">Share this section</h2> <button type="button" class="hsm-close" aria-label="Close"> </button> </div> <div class="hsm-body"> <label for="headingShareInput" class="form-label small text-muted mb-1 text-uppercase fw-bold" style="font-size: 0.7rem; letter-spacing: 0.5px;">Permalink</label> <div class="input-group mb-4 hsm-url-group"> <input id="headingShareInput" type="text" class="form-control font-monospace" readonly aria-readonly="true" style="font-size: 0.85rem;" /> <button class="btn btn-primary hsm-copy" type="button" aria-label="Copy" title="Copy"> </button> </div> <div class="small fw-bold mb-2 text-muted text-uppercase" style="font-size: 0.7rem; letter-spacing: 0.5px;">Share via</div> <div class="hsm-share-grid"> <a id="share-twitter" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Twitter </a> <a id="share-linkedin" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> LinkedIn </a> <a id="share-facebook" class="btn btn-outline-secondary w-100" target="_blank" rel="noopener noreferrer"> Facebook </a> </div> </div> </div> </div> <style> .heading-share-modal { position: fixed; inset: 0; display: flex; justify-content: center; align-items: center; background: rgba(0, 0, 0, 0.6); z-index: 1050; padding: 1rem; backdrop-filter: blur(4px); -webkit-backdrop-filter: blur(4px); } .heading-share-modal[hidden] { display: none !important; } .hsm-dialog { max-width: 420px; width: 100%; background: var(--bs-body-bg, #fff); color: var(--bs-body-color, #212529); border: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); border-radius: 1rem; box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.25); overflow: hidden; animation: hsm-fade-in 0.2s ease-out; } @keyframes hsm-fade-in { from { opacity: 0; transform: scale(0.95); } to { opacity: 1; transform: scale(1); } } [data-bs-theme="dark"] .hsm-dialog { background: #1e293b; border-color: rgba(255,255,255,0.1); color: #f8f9fa; } .hsm-header { display: flex; justify-content: space-between; align-items: center; padding: 1rem 1.5rem; border-bottom: 1px solid var(--bs-border-color, rgba(0,0,0,0.1)); background: rgba(0,0,0,0.02); } [data-bs-theme="dark"] .hsm-header { background: rgba(255,255,255,0.02); border-color: rgba(255,255,255,0.1); } .hsm-close { background: transparent; border: none; color: inherit; opacity: 0.5; padding: 0.25rem 0.5rem; border-radius: 0.25rem; font-size: 1.2rem; line-height: 1; transition: opacity 0.2s; } .hsm-close:hover { opacity: 1; } .hsm-body { padding: 1.5rem; } .hsm-url-group { display: flex !important; align-items: stretch; } .hsm-url-group .form-control { flex: 1; min-width: 0; margin: 0; background: var(--bs-secondary-bg, #f8f9fa); border-color: var(--bs-border-color, #dee2e6); border-top-right-radius: 0; border-bottom-right-radius: 0; height: 42px; } .hsm-url-group .btn { flex: 0 0 auto; margin: 0; margin-left: -1px; border-top-left-radius: 0; border-bottom-left-radius: 0; height: 42px; display: flex; align-items: center; justify-content: center; padding: 0 1.25rem; z-index: 2; } [data-bs-theme="dark"] .hsm-url-group .form-control { background: #0f172a; border-color: #334155; color: #e2e8f0; } .hsm-share-grid { display: flex; flex-direction: column; gap: 0.5rem; } .hsm-share-grid .btn { display: flex; align-items: center; justify-content: center; font-size: 0.9rem; padding: 0.6rem; border-color: var(--bs-border-color); width: 100%; } [data-bs-theme="dark"] .hsm-share-grid .btn { color: #e2e8f0; border-color: #475569; } [data-bs-theme="dark"] .hsm-share-grid .btn:hover { background: #334155; border-color: #cbd5e1; } </style> <script> (function(){ const modal = document.getElementById('headingShareModal'); if(!modal) return; const input = modal.querySelector('#headingShareInput'); const copyBtn = modal.querySelector('.hsm-copy'); const twitter = modal.querySelector('#share-twitter'); const linkedin = modal.querySelector('#share-linkedin'); const facebook = modal.querySelector('#share-facebook'); const closeBtn = modal.querySelector('.hsm-close'); let lastFocus=null; let trapBound=false; function buildUrl(id){ return window.location.origin + window.location.pathname + '#' + id; } function isOpen(){ return !modal.hasAttribute('hidden'); } function hydrate(id){ const url=buildUrl(id); input.value=url; const enc=encodeURIComponent(url); const text=encodeURIComponent(document.title); if(twitter) twitter.href=`https://twitter.com/intent/tweet?url=${enc}&text=${text}`; if(linkedin) linkedin.href=`https://www.linkedin.com/sharing/share-offsite/?url=${enc}`; if(facebook) facebook.href=`https://www.facebook.com/sharer/sharer.php?u=${enc}`; } function openModal(id){ lastFocus=document.activeElement; hydrate(id); if(!isOpen()){ modal.removeAttribute('hidden'); } requestAnimationFrame(()=>{ input.focus(); }); trapFocus(); } function closeModal(){ if(!isOpen()) return; modal.setAttribute('hidden',''); if(lastFocus && typeof lastFocus.focus==='function') lastFocus.focus(); } function copyCurrent(){ try{ navigator.clipboard.writeText(input.value).then(()=>feedback(true),()=>fallback()); } catch(e){ fallback(); } } function fallback(){ input.select(); try{ document.execCommand('copy'); feedback(true);}catch(e){ feedback(false);} } function feedback(ok){ if(!copyBtn) return; const icon=copyBtn.querySelector('i'); if(!icon) return; const prev=copyBtn.getAttribute('data-prev')||icon.className; if(!copyBtn.getAttribute('data-prev')) copyBtn.setAttribute('data-prev',prev); icon.className= ok ? 'fa-duotone fa-clipboard-check':'fa-duotone fa-circle-exclamation'; setTimeout(()=>{ icon.className=prev; },1800); } function handleShareClick(e){ e.preventDefault(); const btn=e.currentTarget; const id=btn.getAttribute('data-share-target'); if(id) openModal(id); } function bindShareButtons(){ document.querySelectorAll('.h-share').forEach(btn=>{ if(!btn.dataset.hShareBound){ btn.addEventListener('click', handleShareClick); btn.dataset.hShareBound='1'; } }); } bindShareButtons(); if(document.readyState==='loading'){ document.addEventListener('DOMContentLoaded', bindShareButtons); } else { requestAnimationFrame(bindShareButtons); } document.addEventListener('click', function(e){ const shareBtn=e.target.closest && e.target.closest('.h-share'); if(shareBtn && !shareBtn.dataset.hShareBound){ handleShareClick.call(shareBtn, e); } }, true); document.addEventListener('click', e=>{ if(e.target===modal) closeModal(); if(e.target.closest && e.target.closest('.hsm-close')){ e.preventDefault(); closeModal(); } if(copyBtn && (e.target===copyBtn || (e.target.closest && e.target.closest('.hsm-copy')))) { e.preventDefault(); copyCurrent(); } }); document.addEventListener('keydown', e=>{ if(e.key==='Escape' && isOpen()) closeModal(); }); function trapFocus(){ if(trapBound) return; trapBound=true; modal.addEventListener('keydown', f=>{ if(f.key==='Tab' && isOpen()){ const focusable=[...modal.querySelectorAll('a[href],button,input,textarea,select,[tabindex]:not([tabindex="-1"])')].filter(el=>!el.hasAttribute('disabled')); if(!focusable.length) return; const first=focusable[0]; const last=focusable[focusable.length-1]; if(f.shiftKey && document.activeElement===first){ f.preventDefault(); last.focus(); } else if(!f.shiftKey && document.activeElement===last){ f.preventDefault(); first.focus(); } } }); } if(closeBtn) closeBtn.addEventListener('click', e=>{ e.preventDefault(); closeModal(); }); })(); </script>Geode implements defense-in-depth security with multiple layers of protection for enterprise deployments. <h3 id="overview" class="position-relative d-flex align-items-center group"> Overview <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="overview" aria-haspopup="dialog" aria-label="Share link: Overview"> Share link </button> </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback">┌─────────────────────────────────────────────────────────┐ │ Security Layers │ │ │ │ ┌─────────────────────────────────────────────────┐ │ │ │ Transport Security │ │ │ │ (QUIC + TLS 1.3) │ │ │ └─────────────────────────────────────────────────┘ │ │ │ │ │ ┌─────────────────────────────────────────────────┐ │ │ │ Authentication │ │ │ │ (Password, Certificate, OIDC) │ │ │ └─────────────────────────────────────────────────┘ │ │ │ │ │ ┌─────────────────────────────────────────────────┐ │ │ │ Authorization │ │ │ │ (RBAC + ABAC + RLS) │ │ │ └─────────────────────────────────────────────────┘ │ │ │ │ │ ┌─────────────────────────────────────────────────┐ │ │ │ Data Protection │ │ │ │ (TDE + FLE) │ │ │ └─────────────────────────────────────────────────┘ │ │ │ │ │ ┌─────────────────────────────────────────────────┐ │ │ │ Audit & Compliance │ │ │ │ (Logging, Monitoring, Alerts) │ │ │ └─────────────────────────────────────────────────┘ │ └─────────────────────────────────────────────────────────┘ </code></pre></div> <h3 id="transport-security" class="position-relative d-flex align-items-center group"> Transport Security <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="transport-security" aria-haspopup="dialog" aria-label="Share link: Transport Security"> Share link </button> </h3> <h4 id="quic--tls-13" class="position-relative d-flex align-items-center group"> QUIC + TLS 1.3 <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="quic--tls-13" aria-haspopup="dialog" aria-label="Share link: QUIC &#43; TLS 1.3"> Share link </button> </h4>All client-server communication uses QUIC with mandatory TLS 1.3: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">tls: enabled: true min_version: "1.3" cert: "/etc/geode/certs/server.crt" key: "/etc/geode/certs/server.key" ca: "/etc/geode/certs/ca.crt" client_auth: "require" # none, request, require ciphers: - "TLS_AES_256_GCM_SHA384" - "TLS_CHACHA20_POLY1305_SHA256" </code></pre></div> <h4 id="certificate-management" class="position-relative d-flex align-items-center group"> Certificate Management <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="certificate-management" aria-haspopup="dialog" aria-label="Share link: Certificate Management"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"># Generate CA openssl req -x509 -newkey rsa:4096 -days 365 -nodes \ -keyout ca-key.pem -out ca-cert.pem # Generate server certificate openssl req -newkey rsa:4096 -nodes \ -keyout server-key.pem -out server-req.pem openssl x509 -req -in server-req.pem -days 365 \ -CA ca-cert.pem -CAkey ca-key.pem -out server-cert.pem # Generate client certificate openssl req -newkey rsa:4096 -nodes \ -keyout client-key.pem -out client-req.pem openssl x509 -req -in client-req.pem -days 365 \ -CA ca-cert.pem -CAkey ca-key.pem -out client-cert.pem </code></pre></div> <h3 id="authentication" class="position-relative d-flex align-items-center group"> Authentication <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="authentication" aria-haspopup="dialog" aria-label="Share link: Authentication"> Share link </button> </h3> <h4 id="password-authentication" class="position-relative d-flex align-items-center group"> Password Authentication <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="password-authentication" aria-haspopup="dialog" aria-label="Share link: Password Authentication"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">authentication: methods: - type: "password" enabled: true password_policy: min_length: 12 require_uppercase: true require_lowercase: true require_numbers: true require_special: true max_age_days: 90 </code></pre></div> <h4 id="certificate-authentication" class="position-relative d-flex align-items-center group"> Certificate Authentication <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="certificate-authentication" aria-haspopup="dialog" aria-label="Share link: Certificate Authentication"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">authentication: methods: - type: "certificate" enabled: true ca_cert: "/etc/geode/certs/ca.crt" crl: "/etc/geode/certs/crl.pem" subject_mapping: pattern: "CN=(.+),OU=(.+)" username: "$1" roles: "$2" </code></pre></div> <h4 id="oidc--oauth-20" class="position-relative d-flex align-items-center group"> OIDC / OAuth 2.0 <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="oidc--oauth-20" aria-haspopup="dialog" aria-label="Share link: OIDC / OAuth 2.0"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">authentication: methods: - type: "oidc" enabled: true issuer: "https://auth.example.com" client_id: "geode-client" client_secret: "${OIDC_CLIENT_SECRET}" scopes: ["openid", "profile", "email"] claim_mapping: username: "preferred_username" roles: "groups" </code></pre></div> <h4 id="multi-factor-authentication" class="position-relative d-flex align-items-center group"> Multi-Factor Authentication <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="multi-factor-authentication" aria-haspopup="dialog" aria-label="Share link: Multi-Factor Authentication"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">authentication: mfa: enabled: true methods: - type: "totp" issuer: "Geode" algorithm: "SHA256" digits: 6 period: 30 </code></pre></div> <h3 id="authorization" class="position-relative d-flex align-items-center group"> Authorization <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="authorization" aria-haspopup="dialog" aria-label="Share link: Authorization"> Share link </button> </h3> <h4 id="role-based-access-control-rbac" class="position-relative d-flex align-items-center group"> Role-Based Access Control (RBAC) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="role-based-access-control-rbac" aria-haspopup="dialog" aria-label="Share link: Role-Based Access Control (RBAC)"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Create roles CREATE ROLE analyst; CREATE ROLE data_engineer; CREATE ROLE admin; -- Grant privileges GRANT READ ON GRAPH * TO analyst; GRANT READ, WRITE ON GRAPH analytics TO data_engineer; GRANT ALL ON GRAPH * TO admin; -- Assign roles to users GRANT ROLE analyst TO 'alice'; GRANT ROLE data_engineer TO 'bob'; GRANT ROLE admin TO 'carol'; </code></pre></div> <h4 id="built-in-roles" class="position-relative d-flex align-items-center group"> Built-in Roles <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="built-in-roles" aria-haspopup="dialog" aria-label="Share link: Built-in Roles"> Share link </button> </h4><table> <thead> <tr> <th>Role</th> <th>Permissions</th> </tr> </thead> <tbody> <tr> <td><code>reader</code></td> <td>Read access to all graphs</td> </tr> <tr> <td><code>writer</code></td> <td>Read/write access to all graphs</td> </tr> <tr> <td><code>architect</code></td> <td>Schema modification</td> </tr> <tr> <td><code>admin</code></td> <td>Full administrative access</td> </tr> <tr> <td><code>public</code></td> <td>Minimal read access (if enabled)</td> </tr> </tbody> </table> <h4 id="attribute-based-access-control-abac" class="position-relative d-flex align-items-center group"> Attribute-Based Access Control (ABAC) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="attribute-based-access-control-abac" aria-haspopup="dialog" aria-label="Share link: Attribute-Based Access Control (ABAC)"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">authorization: abac: enabled: true policies: - name: "department_access" effect: "allow" conditions: - attribute: "user.department" operator: "equals" value: "engineering" actions: ["read", "write"] resources: ["engineering_*"] </code></pre></div> <h4 id="row-level-security-rls" class="position-relative d-flex align-items-center group"> Row-Level Security (RLS) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="row-level-security-rls" aria-haspopup="dialog" aria-label="Share link: Row-Level Security (RLS)"> Share link </button> </h4>Restrict data visibility at the row level: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Create RLS policy CREATE POLICY department_isolation ON :Employee FOR SELECT USING (department = current_user_department()); -- Enable RLS on label ALTER LABEL :Employee ENABLE ROW LEVEL SECURITY; </code></pre></div>RLS Implementation: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-zig" data-lang="zig">pub fn applyRLS( query: Query, user: User, policies: []RLSPolicy ) Query { var filtered_query = query; for (policies) |policy| { if (policy.appliesTo(user, query)) { // Add policy predicate to WHERE clause filtered_query.addPredicate( policy.evaluatePredicate(user) ); } } return filtered_query; } </code></pre></div> <h3 id="data-protection" class="position-relative d-flex align-items-center group"> Data Protection <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="data-protection" aria-haspopup="dialog" aria-label="Share link: Data Protection"> Share link </button> </h3> <h4 id="transparent-data-encryption-tde" class="position-relative d-flex align-items-center group"> Transparent Data Encryption (TDE) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="transparent-data-encryption-tde" aria-haspopup="dialog" aria-label="Share link: Transparent Data Encryption (TDE)"> Share link </button> </h4>Encrypt data at rest: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">encryption: tde: enabled: true algorithm: "AES-256-GCM" key_management: "vault" vault: address: "https://vault.example.com" path: "secret/geode/tde-key" role: "geode-server" </code></pre></div> <h4 id="field-level-encryption-fle" class="position-relative d-flex align-items-center group"> Field-Level Encryption (FLE) <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="field-level-encryption-fle" aria-haspopup="dialog" aria-label="Share link: Field-Level Encryption (FLE)"> Share link </button> </h4>Encrypt sensitive fields: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Define encrypted property ALTER LABEL :Person ADD PROPERTY ssn STRING ENCRYPTED; -- Query encrypted data (automatic decryption for authorized users) MATCH (p:Person) WHERE p.ssn = '123-45-6789' RETURN p.name; </code></pre></div> <h4 id="searchable-encryption" class="position-relative d-flex align-items-center group"> Searchable Encryption <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="searchable-encryption" aria-haspopup="dialog" aria-label="Share link: Searchable Encryption"> Share link </button> </h4>Enable queries on encrypted data: <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">encryption: fle: enabled: true searchable: true algorithm: "AES-256-GCM-SIV" # Deterministic for equality search properties: - label: "Person" property: "ssn" searchable: true - label: "Person" property: "medical_record" searchable: false </code></pre></div> <h3 id="audit-logging" class="position-relative d-flex align-items-center group"> Audit Logging <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="audit-logging" aria-haspopup="dialog" aria-label="Share link: Audit Logging"> Share link </button> </h3> <h4 id="audit-configuration" class="position-relative d-flex align-items-center group"> Audit Configuration <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="audit-configuration" aria-haspopup="dialog" aria-label="Share link: Audit Configuration"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">audit: enabled: true log_file: "/var/log/geode/audit.log" format: "json" events: - authentication - authorization - data_access - schema_changes - admin_actions include: user: true timestamp: true query: true result_count: true client_ip: true </code></pre></div> <h4 id="audit-log-format" class="position-relative d-flex align-items-center group"> Audit Log Format <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="audit-log-format" aria-haspopup="dialog" aria-label="Share link: Audit Log Format"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json">{ "timestamp": "2026-01-28T10:30:00Z", "event_type": "data_access", "user": "alice", "client_ip": "192.168.1.100", "action": "MATCH", "query": "MATCH (p:Person) RETURN p.name", "result_count": 42, "duration_ms": 15, "status": "success" } </code></pre></div> <h4 id="audit-queries" class="position-relative d-flex align-items-center group"> Audit Queries <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="audit-queries" aria-haspopup="dialog" aria-label="Share link: Audit Queries"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- View recent audit events CALL db.audit.recent(100) -- Search audit logs CALL db.audit.search({ user: 'alice', event_type: 'data_access', start_time: datetime('2026-01-01'), end_time: datetime('2026-01-31') }) </code></pre></div> <h3 id="security-best-practices" class="position-relative d-flex align-items-center group"> Security Best Practices <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="security-best-practices" aria-haspopup="dialog" aria-label="Share link: Security Best Practices"> Share link </button> </h3> <h4 id="1-principle-of-least-privilege" class="position-relative d-flex align-items-center group"> 1. Principle of Least Privilege <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="1-principle-of-least-privilege" aria-haspopup="dialog" aria-label="Share link: 1. Principle of Least Privilege"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Create specific roles for each function CREATE ROLE reporting_analyst; GRANT READ ON GRAPH analytics TO reporting_analyst; DENY WRITE ON GRAPH * TO reporting_analyst; </code></pre></div> <h4 id="2-network-segmentation" class="position-relative d-flex align-items-center group"> 2. Network Segmentation <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="2-network-segmentation" aria-haspopup="dialog" aria-label="Share link: 2. Network Segmentation"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">network: bind_address: "10.0.1.0" # Internal network only admin_bind: "127.0.0.1" # Admin on localhost only allowed_networks: - "10.0.0.0/8" - "192.168.0.0/16" </code></pre></div> <h4 id="3-key-rotation" class="position-relative d-flex align-items-center group"> 3. Key Rotation <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="3-key-rotation" aria-haspopup="dialog" aria-label="Share link: 3. Key Rotation"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">encryption: key_rotation: enabled: true interval_days: 90 retain_old_keys: 3 </code></pre></div> <h4 id="4-session-management" class="position-relative d-flex align-items-center group"> 4. Session Management <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="4-session-management" aria-haspopup="dialog" aria-label="Share link: 4. Session Management"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">sessions: timeout_minutes: 30 max_concurrent: 5 idle_timeout_minutes: 15 require_reauthentication: true </code></pre></div> <h3 id="compliance" class="position-relative d-flex align-items-center group"> Compliance <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="compliance" aria-haspopup="dialog" aria-label="Share link: Compliance"> Share link </button> </h3> <h4 id="soc-2-compliance" class="position-relative d-flex align-items-center group"> SOC 2 Compliance <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="soc-2-compliance" aria-haspopup="dialog" aria-label="Share link: SOC 2 Compliance"> Share link </button> </h4><ul> <li>Access controls with audit trails</li> <li>Encryption at rest and in transit</li> <li>Vulnerability management</li> <li>Incident response procedures</li> </ul> <h4 id="gdpr-compliance" class="position-relative d-flex align-items-center group"> GDPR Compliance <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="gdpr-compliance" aria-haspopup="dialog" aria-label="Share link: GDPR Compliance"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gql" data-lang="gql">-- Right to be forgotten MATCH (p:Person {email: 'user@example.com'}) DETACH DELETE p; -- Data export MATCH (p:Person {email: 'user@example.com'}) RETURN p AS personal_data; -- Consent tracking MATCH (p:Person {email: 'user@example.com'}) SET p.consent_given = true, p.consent_date = datetime(); </code></pre></div> <h4 id="hipaa-compliance" class="position-relative d-flex align-items-center group"> HIPAA Compliance <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="hipaa-compliance" aria-haspopup="dialog" aria-label="Share link: HIPAA Compliance"> Share link </button> </h4><ul> <li>PHI encryption with FLE</li> <li>Access audit logging</li> <li>Role-based access controls</li> <li>Automatic session timeout</li> </ul> <h3 id="monitoring-security" class="position-relative d-flex align-items-center group"> Monitoring Security <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="monitoring-security" aria-haspopup="dialog" aria-label="Share link: Monitoring Security"> Share link </button> </h3> <h4 id="security-metrics" class="position-relative d-flex align-items-center group"> Security Metrics <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="security-metrics" aria-haspopup="dialog" aria-label="Share link: Security Metrics"> Share link </button> </h4><table> <thead> <tr> <th>Metric</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td><code>auth_failures_total</code></td> <td>Failed authentication attempts</td> </tr> <tr> <td><code>authz_denials_total</code></td> <td>Authorization denials</td> </tr> <tr> <td><code>encryption_operations</code></td> <td>Encryption/decryption count</td> </tr> <tr> <td><code>audit_events_total</code></td> <td>Audit events logged</td> </tr> </tbody> </table> <h4 id="alerts" class="position-relative d-flex align-items-center group"> Alerts <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="alerts" aria-haspopup="dialog" aria-label="Share link: Alerts"> Share link </button> </h4><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml">alerts: - name: "brute_force_detection" condition: "auth_failures > 10 in 5m" severity: "critical" action: "block_ip" - name: "privilege_escalation" condition: "role_grants > 5 in 1h" severity: "warning" action: "notify" </code></pre></div> <h3 id="next-steps" class="position-relative d-flex align-items-center group"> Next Steps <button type="button" class="h-share btn btn-link p-0 text-decoration-none link-secondary opacity-50 hover-opacity-100 transition-all ms-1" data-share-target="next-steps" aria-haspopup="dialog" aria-label="Share link: Next Steps"> Share link </button> </h3><ul> <li><a href="/docs/architecture/storage-engine/" >Storage Engine</a> - Data encryption at rest</li> <li><a href="/docs/architecture/distributed-systems/" >Distributed Systems</a> - Cluster security</li> <li><a href="/docs/architecture/query-optimization/" >Query Optimization</a> - Query planning</li> <li><a href="/docs/ops/audit-logging/" >Audit Logging</a> - Detailed audit configuration</li> </ul>