Streaming Data Security: Encryption, Auth, and Access Control
Securing streaming data pipelines requires encryption in transit and at rest, authentication for all connections, and role-based access control for who can read which streams and views. This guide covers security best practices for Kafka, RisingWave, and Iceberg.
Security Layers
| Layer | What to Secure | How |
|---|---|---|
| In transit | Kafka ↔ RisingWave, Client ↔ RisingWave | TLS, with the broker's CA pinned on the client side |
| At rest | S3 state, Iceberg data files, Kafka log segments | S3 server-side encryption (SSE-S3, SSE-KMS); volume encryption on brokers |
| Authentication | Client connections | SASL username/password (SCRAM), client certificates (mTLS) |
| Authorization | Who reads what | GRANT/REVOKE on tables, sources and views |
| Data masking | PII in streaming views | SQL views with masking logic, granted instead of the raw table |
Access Control in RisingWave
-- Create roles
CREATE ROLE analyst;
CREATE ROLE data_engineer;
-- Grant access to specific views; the read-only role gets nothing else
GRANT SELECT ON dashboard_metrics TO analyst;
-- Engineers get every table in the schema (ALL TABLES needs a schema qualifier)
GRANT ALL ON ALL TABLES IN SCHEMA public TO data_engineer;
-- Data masking for PII: analysts are granted this view, never the customers table
CREATE MATERIALIZED VIEW safe_customers AS
SELECT customer_id,
    -- keep two leading chars and the domain, drop the rest of the local part
    CONCAT(LEFT(email, 2), '***@', SPLIT_PART(email, '@', 2)) AS masked_email,
    city, state -- exclude name, phone, SSN
FROM customers;
GRANT SELECT ON safe_customers TO analyst;
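The following is an added example, not code from the original guide or from RisingWave. It extends the masking view above to phone numbers and SSNs and handles the edge case the two-part email expression misses (a value with no `@`, which `SPLIT_PART` would otherwise turn into `***@`). The `customers` table, its columns, the sample rows and the role names are all constructed for illustration; the GRANT statements follow the same form the guide uses.

```sql
-- Added example (not from the original guide). Assumes a base table
-- customers(customer_id, name, email, phone, ssn, city, state) and the
-- roles analyst and data_engineer; all names and rows are illustrative.
CREATE TABLE customers (
    customer_id INT PRIMARY KEY,
    name        VARCHAR,
    email       VARCHAR,
    phone       VARCHAR,
    ssn         VARCHAR,
    city        VARCHAR,
    state       VARCHAR
);

-- Constructed sample rows; row 3 has no '@' and NULL phone/SSN on purpose.
INSERT INTO customers VALUES
    (1, 'Ada Example', 'ada@example.com',        '415-555-0100', '123-45-6789', 'Oakland', 'CA'),
    (2, 'Bob Sample',  'bob.sample@example.org', '212-555-0199', '987-65-4321', 'Albany',  'NY'),
    (3, 'No At Sign',  'not-an-email',           NULL,           NULL,          'Austin',  'TX');

-- Masked projection. Every rule is one-way: nothing in the output lets a
-- reader reconstruct the original field.
CREATE MATERIALIZED VIEW safe_customers AS
SELECT
    customer_id,
    -- keep two leading chars and the domain; values without '@' are fully redacted
    CASE
        WHEN email IS NULL OR POSITION('@' IN email) = 0 THEN '***'
        ELSE CONCAT(LEFT(email, 2), '***@', SPLIT_PART(email, '@', 2))
    END AS masked_email,
    -- strip formatting, keep only the last four digits; NULL stays NULL
    CASE
        WHEN phone IS NULL THEN NULL
        ELSE CONCAT('***-***-', RIGHT(REGEXP_REPLACE(phone, '[^0-9]', '', 'g'), 4))
    END AS masked_phone,
    -- SSN is never exposed, even partially; publish only a presence flag
    (ssn IS NOT NULL) AS has_ssn,
    city,
    state
FROM customers;

-- Least privilege: analysts read the masked view and hold no privilege
-- on customers itself. Engineers who need raw PII get it explicitly.
GRANT SELECT ON safe_customers TO analyst;
GRANT SELECT ON customers TO data_engineer;
```

Two points to check after deploying something like this: confirm with your catalog that `analyst` has no privilege on `customers` (a masking view is only a boundary if the base table is closed), and remember that a materialized view stores the masked rows as state on S3, so the at-rest encryption in the next sections still applies to it.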
Kafka Security
# Kafka broker server.properties: expose only a TLS listener
listeners=SSL://kafka:9093
ssl.keystore.location=/etc/kafka/kafka.keystore.jks
ssl.keystore.password=<keystore-password>
ssl.key.password=<key-password>
ssl.truststore.location=/etc/kafka/kafka.truststore.jks
ssl.truststore.password=<truststore-password>
# require client certificates (mTLS); set to none for one-way TLS
ssl.client.auth=required
security.inter.broker.protocol=SSL
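The client side of that broker configuration, as an added example that is not part of the original guide: a RisingWave source that connects to the TLS listener, pins the broker's CA instead of trusting the host's certificate store, and presents a client certificate so it also passes mTLS. The option names are those documented for RisingWave's Kafka source `WITH` clause; the topic, columns, file paths and the `CREATE SECRET` usage for the key password are assumptions for illustration.

```sql
-- Added example (not from the original guide). Assumes a topic named
-- 'orders', PEM files at the paths shown, and that RisingWave's CREATE SECRET
-- can be referenced for properties.ssl.key.password; adjust to your deployment.

-- Keep the private-key passphrase out of SHOW CREATE SOURCE and catalog dumps.
CREATE SECRET kafka_key_password WITH (backend = 'meta') AS 'replace-me';

CREATE SOURCE orders_stream (
    order_id    BIGINT,
    customer_id INT,
    amount      DOUBLE PRECISION,
    ordered_at  TIMESTAMPTZ
)
WITH (
    connector = 'kafka',
    topic = 'orders',
    -- the SSL listener from the broker config, never the PLAINTEXT port
    properties.bootstrap.server = 'kafka:9093',
    properties.security.protocol = 'SSL',
    -- pin the CA that signed the broker certificate (confidentiality + server auth)
    properties.ssl.ca.location = '/etc/risingwave/kafka-ca.pem',
    -- client certificate and key, required when the broker sets ssl.client.auth=required
    properties.ssl.certificate.location = '/etc/risingwave/risingwave.crt.pem',
    properties.ssl.key.location = '/etc/risingwave/risingwave.key.pem',
    properties.ssl.key.password = secret kafka_key_password,
    scan.startup.mode = 'latest'
) FORMAT PLAIN ENCODE JSON;

-- Once the source exists, only the roles that should see raw orders get it.
GRANT SELECT ON orders_stream TO data_engineer;
```

If the broker runs SASL (SCRAM or OAuth) instead of mTLS, swap `properties.security.protocol` to `SASL_SSL` and supply `properties.sasl.mechanism`, `properties.sasl.username` and `properties.sasl.password`; keep the CA pin either way, since TLS without a pinned or verified CA authenticates nothing.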
Frequently Asked Questions
How do I encrypt streaming data at rest?
RisingWave stores state on S3, so enable S3 server-side encryption on the bucket (SSE-S3 or, when you need key-use audit trails and IAM-scoped key policies, SSE-KMS) and deny unencrypted PutObject in the bucket policy. Iceberg data files on S3 are encrypted the same way. Kafka itself does not encrypt log segments at rest: use volume encryption on the broker hosts (LUKS/dm-crypt or encrypted cloud block storage), or encrypt sensitive fields at the producer so the payload is opaque to the broker and to anyone with disk access.
How do I mask PII in streaming views?
Create a materialized view that masks sensitive fields (email, phone, SSN) and grant analysts SELECT on the masked view only; the raw table stays readable only by roles that are explicitly granted it. The view is a security boundary only if the analyst role holds no privilege on the base table, and the masking must be one-way: a truncated prefix or a presence flag is fine, a deterministic hash of a low-entropy field such as a phone number is not, since it can be reversed by brute force.