Documentation

Enterprise Features

KafkaGuard Enterprise provides comprehensive security and compliance capabilities designed for production Kafka deployments. This page details our enterprise features, security posture, and compliance readiness.

Table of Contents

Security Posture

KafkaGuard validates your Kafka cluster's security configuration with 15 security controls covering authentication, encryption, and access control.

Authentication Mechanisms

KafkaGuard supports all major Kafka authentication mechanisms:

  • PLAIN - Simple username/password authentication
  • SCRAM-SHA-256 - Secure password-based authentication
  • SCRAM-SHA-512 - Enhanced secure password-based authentication (recommended)
  • Kerberos (GSSAPI) - Enterprise authentication for Active Directory and LDAP integration

Security Protocols

Full support for all Kafka security protocols:

  • PLAINTEXT - Development only (non-secure)
  • SSL - TLS encryption only
  • SASL_PLAINTEXT - Test environments only
  • SASL_SSL - Recommended for production (authentication + encryption)

Encryption & Certificates

  • TLS/SSL Encryption - Validates TLS configuration and certificate validity
  • Mutual TLS (mTLS) - Support for client certificate authentication
  • Certificate Validation - Checks certificate expiry and protocol versions
  • Inter-Broker Encryption - Validates encryption between Kafka brokers

Access Control

  • ACL Validation - Verifies ACL authorization is enabled and configured
  • Wildcard Detection - Identifies insecure wildcard ACLs (User:*)
  • Access Restriction - Validates proper access control implementation

For detailed security configuration, see the Configuration Guide.

Compliance Frameworks

KafkaGuard provides built-in compliance mappings for major regulatory standards, making it easy to demonstrate compliance and generate audit-ready reports.

PCI-DSS 4.0 Compliance

Coverage: 9 PCI-DSS requirements mapped to KafkaGuard controls

KafkaGuard validates compliance with PCI-DSS requirements including:

  • Requirement 2.2 - Secure System Configuration
  • Requirement 4.1 - Encryption in Transit
  • Requirement 7.1 - Access Control Policy
  • Requirement 7.2 - Access Control Implementation
  • Requirement 8.1 - User Identification
  • Requirement 8.2 - Strong Authentication
  • Requirement 10.1 - Audit Logging
  • Requirement 10.7 - Log Retention

Controls: 18 KafkaGuard controls directly map to PCI-DSS requirements, covering authentication, encryption, access control, and logging.

SOC2 Type II Compliance

Coverage: 12 Trust Service Criteria covered

KafkaGuard validates compliance with SOC2 Trust Service Criteria:

  • CC6.1 - Logical and Physical Access Security
  • CC6.2 - Access Restriction
  • CC6.3 - Access Revocation
  • CC6.4 - Access Monitoring
  • CC6.5 - Data Encryption
  • CC6.6 - Network Security
  • CC7.1 - System Availability
  • CC7.2 - System Monitoring
  • CC8.1 - Data Processing Integrity
  • CC9.1 - Data Confidentiality
  • CC9.2 - Access Controls for Confidentiality
  • CC10.6 - Data Security (Privacy)

Coverage: All 40 KafkaGuard controls map to at least one SOC2 Trust Service Criterion, providing comprehensive SOC2 compliance validation.

ISO 27001:2013 Compliance

Coverage: 34 ISO 27001 requirements mapped across 5 domains

KafkaGuard validates compliance with ISO 27001:2013 requirements:

  • Access Control (A.9) - 15 requirements covering user access, authentication, and authorization
  • Cryptography (A.10) - 2 requirements for encryption and key management
  • Operations Security (A.12) - 10 requirements for operational procedures and logging
  • Communications Security (A.13) - 8 requirements for network and data transfer security
  • Business Continuity (A.17) - 3 requirements for availability and continuity planning

Coverage: All 40 KafkaGuard controls map to ISO 27001 requirements, providing comprehensive ISMS (Information Security Management System) validation.

Additional Compliance Frameworks

  • HIPAA - Healthcare data protection requirements
  • GDPR - Data retention and security measures

For detailed compliance mappings and control matrices, see the Compliance Documentation.

Enterprise Capabilities

40+ Production-Ready Controls

KafkaGuard Enterprise includes 40 comprehensive controls across three categories:

  • 15 Security Controls - Authentication, encryption, access control, certificate validation
  • 12 Reliability Controls - Replication, ISR, fault tolerance, ZooKeeper health
  • 13 Operational Controls - Configuration, performance, monitoring, retention

4 Report Formats

Generate reports in multiple formats for different use cases:

  • JSON - Structured data for automation and CI/CD integration
  • HTML - Web-viewable reports with executive summaries
  • PDF - Audit-ready reports with compliance mapping
  • CSV - Tabular exports for spreadsheet analysis

Learn more about Report Formats.

Policy Tiers

Choose the right policy tier for your environment:

  • baseline-dev (20 controls) - Development and testing environments
  • enterprise-default (40 controls) - Production environments with security requirements
  • finance-iso (50 controls) - Regulated industries (Phase 2, coming soon)

Each tier includes different control sets optimized for specific use cases. Learn more about Policy Tiers.

CI/CD Integration

Designed for automation and integration:

  • GitHub Actions - Native GitHub Actions support
  • Structured JSON Output - Parse results programmatically
  • Exit Codes - Automated decision-making (0=pass, 1=findings, 2=error)
  • Pipeline Integration - Seamless integration with existing DevOps workflows

Performance & Footprint

Optimized for production environments:

  • Fast Scans - Complete scans in ~10 seconds for 3-node clusters
  • Lightweight Binary - Single static binary under 50MB
  • Low Memory Usage - Under 200MB during scans
  • Multi-Platform - Support for Linux, macOS, and Docker

Security Features

Enterprise Authentication Support

  • SASL Authentication - PLAIN, SCRAM-SHA-256, SCRAM-SHA-512
  • Kerberos (GSSAPI) - Enterprise authentication for Active Directory integration
  • TLS/SSL Encryption - Full TLS support with certificate validation
  • Mutual TLS (mTLS) - Client certificate authentication for highly secured environments
  • Security Protocol Auto-Detection - Automatically detects cluster security configuration

Security Validation

KafkaGuard validates:

  • SASL authentication is enabled and properly configured
  • SSL/TLS encryption is enabled with valid certificates
  • ACL authorization is enabled and configured
  • No insecure wildcard ACLs are present
  • TLS certificates are valid and not expiring soon
  • TLS protocol version is secure (≥1.2)
  • Inter-broker encryption is enabled
  • ZooKeeper authentication is enabled
  • Client authentication is required

Compliance Features

Automated Compliance Mapping

KafkaGuard automatically maps control findings to compliance framework requirements:

  • PCI-DSS Requirements - Direct mapping to PCI-DSS 4.0 requirements
  • SOC2 Criteria - Mapping to SOC2 Trust Service Criteria
  • ISO 27001 Controls - Mapping to ISO 27001:2013 requirements

Audit-Ready Reports

Generate compliance reports suitable for regulatory audits:

  • PDF Reports - Professional format with compliance matrices
  • Compliance Summaries - Executive summaries with compliance scores
  • Control Mapping - Detailed mapping of controls to framework requirements
  • Remediation Guidance - Step-by-step remediation instructions

Compliance Tracking

  • Historical Tracking - Track compliance posture over time
  • Trend Analysis - Identify compliance trends and improvements
  • Export Capabilities - Export findings for compliance tracking systems

Next Steps

Ready to secure your Kafka infrastructure?

Contact Us

Have questions about enterprise features?

<ContactCtas calcom-url="https://cal.com/kafkaguard/30min" whatsapp-url="https://wa.me/61469073864" email-address="jaybilgaye@gmail.com" />

Related Resources:

<BookDemoCallout />