Our commitment to data privacy and security is embedded in every part of our business. The information in this portal is intended to help customers better understand the security features and configurations of Redis Enterprise products as well as Redis’ commitment to security and privacy.
Trust Center Updates
Redis Achieves CSA STAR Level 2 Certification: A Milestone in Cloud Security and Trust
We are thrilled to announce that Redis Cloud has successfully achieved the CSA STAR Level 2 certification, a rigorous, third-party independent assessment of a cloud service provider's security posture, marking a noteworthy milestone in our ongoing commitment to providing secure and trustworthy cloud services.
Achieving this certification demonstrates that Redis Cloud has met the stringent requirements of the Cloud Security Alliance's (CSA) Cloud Controls Matrix (CCM), which is recognized globally as a benchmark for cloud security.
This certification is not just a testament to our robust security measures but also reflects our commitment to transparency and accountability in how we manage and protect our customers' data, providing our customers with the assurance they need to trust us with their most critical data.
We would like to extend our gratitude to our dedicated teams across Redis whose cooperation and hard work made this achievement possible. Their commitment to excellence and security has been instrumental in reaching this milestone.
All of our CSA STAR Level 2 certification documents are available on the Redis Trust Center or you can reach out to your account representative with any inquiries.
Threat actors are increasingly targeting cloud-based services by attempting to take over customer accounts using stolen customer account credentials. Google Cloud’s 2023 Threat Horizons Report observed that 86% of data breaches last year (2023) involved stolen credentials, and this year (2024) appears no different.
As a Redis Cloud customer, you have several options available to you to help secure access to your account. Some basic steps you should take first include:
- Enforce multi-factor authentication on your Redis Cloud account.
- Set up appropriate network policies to allow only authorized/trusted traffic to your cluster.
- Disable any Redis Cloud user accounts that are no longer active.
To assist with managing your Redis Cloud security posture at enterprise scale, we offer numerous cloud configuration options*, such as CIDR allow lists, VPC peering, Private Service Connect, Single Sign-on (SAML) integration, and more. The Redis Docs Center provides additional detail on customer security configuration options.
As part of our shared responsibility model, Redis Cloud customers are responsible for securing customer-facing access to their accounts. If you require additional information, customers that have Support Services can open a support ticket for assistance.
*Some network configuration options may only be available for certain Redis Cloud subscription levels. Contact your Redis Sales Representative if you have subscription-related questions.
Security researchers at Cado Security have identified another campaign and malware variant targeting Redis in the wild. In their recently published blog post, they detail 4 variants of Golang malware they have observed targeting Docker, Hadoop YARN, Confluence, and Redis.
Specific to Redis, they describe how (yet again) these malware variants require the attacker to connect to the target Redis server in order to be successful; there is no exploit or new vulnerability involved. This initial entry takes advantage of open-source Redis instances that have been misconfigured and left in an insecure, non-default state, specifically servers that are configured with weak authentication or are compromised via other means (e.g., leaked or stolen credentials).
We want to emphasize that this attack does not exploit any vulnerabilities in the Redis application itself and can be prevented by following security best practices and recommendations. Additionally, specific features in Redis Enterprise add additional protections against the novel methods found in these new malware variants. Check out this article for 5 basic steps you can take to help prevent these types of attacks, and visit our open source and commercial software documentation sites for a full list of available security controls and settings.
Security researchers at BleepingComputer recently published an article detailing research from Cado Security on a piece of malware called ‘Migo’ that targets Redis servers and uses them to mine cryptocurrency. In the article, they describe how Migo requires the attacker to connect to the target Redis server in order to be successful; there is no exploit or new vulnerability involved. This initial entry takes advantage of open-source Redis instances that have been misconfigured and left in an insecure, non-default state, specifically servers that are configured with weak authentication or are compromised via other means (e.g., leaked or stolen credentials).
We want to emphasize that this attack does not exploit any vulnerabilities in the Redis application itself and can be prevented by following security best practices and recommendations. Additionally, specific features in Redis Enterprise add additional protections against the novel methods employed by Migo. Check out this article for 5 basic steps you can take to help prevent these types of attacks, and visit our open source and commercial software documentation sites for a full list of available security controls and settings.
Redis has been made aware of and is closely following Sumo Logic’s recent precautionary announcement related to a possible security incident. Sumo Logic is a subprocessor of Redis; we have applied all recommended measures to protect against exposure. We are actively monitoring this event, and if Redis is made aware of any specific exposure of Redis or Redis customer’s information, we will notify any affected customer immediately. We have not identified any indication of, or been made aware of, any inappropriate access of Redis information via the Sumo Logic product.
If you think you may have discovered a vulnerability, please send us a note.