Starburst Documentation
Security information
  • Overview
  • Corporate
  • Development
  • Starburst Enterprise
  • Starburst Galaxy
  • Starburst Galaxy subprocessors
  • Advisories
  • log4shell
  • Contact
    • Resources
  • Support
  • Security
  • Technical blog
  • Video library
  • Starburst Academy
  • Glossary
  • Conventions
  • Iconography
  • Starburst forum

    • security > Security and Starburst Galaxy

    Security and Starburst Galaxy #

    Starburst Galaxy provides the benefits of Trino, on an easy to use, fully-managed and enterprise-ready SaaS platform.

    Data sources, catalogs, and clusters #

    Your data sources for Starburst Galaxy are managed by yourself in a cloud provider infrastructure. The data sources remain under your control. Only queried data is accessed by Starburst Galaxy.

    Data source access is configured in catalogs in Starburst Galaxy. Catalogs use authentication and authorization configured by you in the data source of your cloud provider to access the data.

    These catalogs can be used in one or more clusters. The clusters are within cloud platform regions of your choice. ElasticIPs are whitelisted for Starburst’s NAT gateways, to connect publicly to a customer’s resource. All access to data sources originates from these clusters.

    Control plane #

    The control plane of Starburst Galaxy manages the overall application, provides configuration storage and all other aspects of managing the system for all users. The control plane is deployed and managed by Starburst in our cloud environments. All storage is encrypted and separated per customer. Only a limited number of privileged users at Starburst are granted access to the control plane.

    Authentication and authorization system #

    Starburst Galaxy includes a role-based access control (RBAC) system to support Starburst Galaxy, the clusters, and the configured catalogs with the data from the data sources for every user.

    Starburst Galaxy provides a hosted login experience allowing users to sign in with standard username and password credentials. You can manage all users for your organization with the Starburst Galaxy user interface.

    Users are assigned one or more roles. A role has a name and an optional description, and can be assigned privileges on entities, such as cluster management, user creation, audit log viewing, and others. You can manage users, roles, and privileges in the Starburst Galaxy user interface.

    Starburst Galaxy includes an attribute-based access control (ABAC) system that uses policies and attributes, such as tags, to help further manage role access to entities like catalogs, schemas, tables, and views. You can manage policies and tags in the Starburst Galaxy user interface.

    Access to the Starburst Galaxy user interface, and directly to clusters with clients, is secured with Transport Layer Security (TLS) and globally trusted certificates.

    Starburst Galaxy follows the recommendations and guidelines from the National Institute of Standards and Technology, specifically the digital identity guidelines from NIST Special Publication 800-63:

    More information is available in the Starburst Galaxy security documentation.

    Logging and monitoring #

    Starburst Galaxy includes comprehensive logging of events and end-to-end user activities. It automates health and performance monitoring to provide observability to ensure services are functioning optimally.

    Audit and compliance #

    Starburst audits all actions that are taken on your account. Audit logs are maintained within the user interface and are available to you.

    Usage information #

    Starburst strives to access and collect only the minimum amount of information needed to provide our products and services. In some instances, Starburst staff may be required to access customer information via the Starburst Galaxy user interface to provide customer support, to fulfill legal requirements, or for other legitimate business purposes. Employees with data access undergo regular appropriate use training and our environment is protected with robust security measures and controls.

    Starburst Galaxy subprocessors #

    Starburst Galaxy uses third-party subprocessors to assist in providing services. For details, see Starburst Galaxy subprocessors.

    Catalog explorer #

    Starburst follows the security best practice of data minimization and has made specific provisions so that only metadata is accessed by the catalog explorer feature. No personal information (PI) is involved, and no data is cached by Starburst.

    Starburst Warp Speed #

    Clusters with Starburst Warp Speed acceleration use caches that reside on solid-state drive (SSD) storage attached to cluster nodes that are a part of Starburst Galaxy infrastructure. These caches can contain personal information (PI). No additional security is needed, however, as information is encrypted at rest and there is no means of direct access for end users. All access to cached data is subject to all applicable, existing access control policies. When nodes are destroyed, any data residing in the attached SSDs is also destroyed.

    Cloudflare integration #

    Starburst adds Cloudflare integration, providing robust protection for Starburst Galaxy, ensuring consistent speed, availability, and security. With Cloudflare’s global threat protection network, Starburst Galaxy can handle traffic spikes, fend off attacks, and stay online for a smooth user experience.

    Customer data privacy FAQ #

    Does Starburst Galaxy have access to my personal information?

    In some instances, Starburst Galaxy staff may be required to access customer information via the Starburst Galaxy user interface to provide customer support, fulfill legal requirements, or for other legitimate business purposes. Your data sources for Starburst Galaxy are managed by you in a cloud provider infrastructure.

    Do any Starburst staff have access to my business’s catalog data within
    my production environment?

    Only a limited number of privileged users at Starburst are granted access to the production environment. Access to confidential data is granted on a need-to-know basis. Access to catalog data is only permitted for troubleshooting or to resolve any emergency situations.

    Does Starburst share my personal data with third-party vendors?

    In order to provide the services to you, Starburst Galaxy utilizes third-party vendors (subprocessors) for functions such as platform analytics, marketing services, and so forth. Starburst does not allow these third-party service providers to use your personal data for their own purposes.

    What third-party vendors does Starburst share my personal information
    with?

    Visit Starburst subprocessors.

    Does Starburst Galaxy have access to my payment card information (PCI)?

    Starburst Galaxy does not collect or store credit card information. Any credit card payments you make for Starburst products are made through Stripe, although Starburst Galaxy also supports other payment methods, such as through AWS Marketplace.

    Does Starburst Galaxy store any customer data that contains PI (personal
    information)?

    Starburst is considered a data processor. In unique situations, data may be stored temporarily in Starburst Galaxy. Within the Starburst Galaxy UI, if a customer selects the I have no metastore option, Starburst Galaxy will create a metastore for the customer and therefore all of their metadata would be hosted by Starburst. This metadata does not contain personal information (PI), unless it is configured to do so by the customer. With batch-optimized clusters, upon running a query, Starburst may temporarily store the data with our cloud provider. All data is encrypted and the data is deleted immediately after the query finishes. PI can be stored in clusters with Starburst Warp Speed enabled. Learn about PI in clusters configured to use Starburst Warp Speed.

    Does Starburst sell data?

    Starburst will not sell your personal data or allow a third party to use your personal data for its own commercial purpose.