Security on SingleStore Helios


Manish Kumar

Principal Product Manager

Security on SingleStore Helios

From development to delivery, Singlestore Helios ensures that security is considered, designed, reviewed and implemented so that the data of our customers — and their customers— is safeguarded as if it were our own. We’ve built security into all of our products: from those hosted by customers on their own infrastructure, to those we host on our customers’ behalf.

SingleStoreDB automatically manages encryption, authentication, access and monitoring so you can focus your efforts on your data and the value it adds. We maintain a holistic approach to information protection, combining a set of controls that help businesses meet their compliance objectives — while always ensuring our customers’ data is secure.

Figure 1: Security aspects of SingleStoreDB Cloud

As shown in Figure 1., Singlestore Helios ensures an end-to-end security posture for all of your critical enterprise workloads. This requires securing customer data using in-depth defense against three security threat concerns:

  1. How is my data stored in Singlestore Helios protected?
  2. How can someone connect to Singlestore Helios?
  3. How do I prevent the wrong person from accessing data?

data-encryptionData Encryption

As a SaaS offering, it’s critical that customers trust that housing their data in Singlestore Helios is safe and also have the peace of mind that their data will not be compromised. Ensuring customer data is always secure, Singlestore Helios offers multi-layer security for data storage and retrieval, encrypting customer data while it's both in motion and at rest. Here are the key controls and capabilities that Singlestore Helios provides to ensure each customer’s data is always safeguarded:

  • Data security in-motion. Singlestore Helios guarantees that all connections to the database are enabled with TLS 1.2, which ensures data-in-motion is always encrypted. In addition, each client connection is checked to ensure that valid certificates are being used, and that the connection to Singlestore Helios is secure.
  • Data security at-rest. In accordance with industry best practices, all data stored in Singlestore Helios is encrypted at rest using an AES 256-bit encryption key. Encryption scope includes both EBS and S3 for AWS, Premium SSD and Blob storage for Azure, and Persistent Disks and Google Cloud Storage for GCP.
  • Customer managed encryption keys (stores in the cloud KMS). An additional layer of security for customer data can be added using the keys stored in a customer's cloud key management service (KMS). Additionally, separate keys can be used for data backups and their associated bucket(s). This feature is only supported for the dedicated edition of Singlestore Helios.

Figure 2: Customer Managed Encryption Key (CMEK)

Read the whitepaper: Singlestore Helios Security

network-securityNetwork Security

Since Singlestore Helios is a cloud-based (remote) service, properly granting access to a Singlestore Helios workspace is the first line of defense. Network security in Singlestore Helios ensures that only properly configured resources can gain access to a database and its data. The controls available to a customer include:

  • Accessing data using private networking (inbound and outbound). Customers that want secure connectivity from inside their VPC — but who do not want to connect to Singlestore Helios over the public internet — can use AWS PrivateLink, Azure Private Link and Google Private Service Connect to connect to AWS, Azure and GCP deployments, respectively. This private connectivity applies to both inbound and outbound traffic. This feature is only available to Singlestore Helios customers, regardless of the edition they use (Standard, Premium and Dedicated). Private networking can also be used for creating outbound connectivity to object storage (blob storage) for backups and/or customer-initiated copies of data.
  • IP allowlisting. Traffic to Singlestore Helios is over the internet when using the IP allowlisting. Customers can restrict access to a Singlestore Helios workspace group from a specific set of IP addresses based on a corporate network policy. Having a known client location and IP address helps prevent unauthorized access to your Singlestore Helios.  If an application is hosted outside of your VPC, it’s critical to define a restrictive set of IP addresses that are required to successfully run the application. However as a best practice, you should always choose private connectivity over IP allowlisting to connect to Singlestore Helios.

access-controlAccess Control

Singlestore Helios provides a variety of access control tools and capabilities that govern user login, permissions and data access, including:

  • Native password authentication. Customers can use native password authentication both for Singlestore Helios and database connectivity. Password complexity is flexible and can be based on your corporate policy.
  • Single Sign-On (SSO). As the number of users accessing the database increases, customers can also connect to Singlestore Helios (both the data plane and the portal) using identities defined in an Identity Provider (IdP) of their choice (Azure AD, Okta, Ping). This allows database user identities to be managed from a central location, which simplifies access management at scale. Customers may also enable multi-factor authentication (MFA) to provide an additional layer of security.
  • JWT/JWKS authentication. To eliminate the use of passwords, customers can authenticate clients via JSON Web Tokens (JWT). JWTs are useful for both authorization (the most common scenario for using a JWTs) and information exchange (where information can be securely transmitted between parties).  JWTs can be created by both the Singlestore Helios portal and by customer-run identity providers, and used to authenticate users to database clusters. Additionally, JSON Web Key Sets (JWKS) can be used to validate the signature of a signed JWT.  JWKS are a set of keys containing public keys that can be used to authenticate any JWT. Also, if you use SingleStoreDB native drivers to connect to the database, you can use the JWT authentication directly in the drivers.
  • Role-Based Access Control (RBAC). For more granular security Singlestore Helios offers Role- Based Access Controls (RBAC), a reduced-privileges, role-separated environment where users and groups can be granted access to databases, tables, views, etc. based on role.
  • Row-level security. Similar to RBAC, row-level security in Singlestore Helios can be used to dictate which roles have access to specific rows in a table.


The inherent security capabilities in Singlestore Helios allow you to build your next cloud-based, mission-critical application knowing that it will run on a secure infrastructure. Data security is a fundamental value of SingleStoreDB, and SingleStore continually follows industry guidelines and has adopted best practices to ensure that your data remains secure throughout its lifecycle.

In addition to the best practices, policies, processes and procedures we’ve implemented, we continually invest in new measures and certifications to ensure that we — and our products — remain at the forefront of data security.

Singlestore Helios operates within a shared-responsibility model. Our company, our customers and our service providers share the responsibility for identifying and preventing compromises in our respective infrastructures and/or data. If you have questions regarding data security in Singlestore Helios, please contact us at

Try SingleStoreDB free