# Securing Kafka

## Encryption <a href="#encryption" id="encryption"></a>

Kafka in Condense supports Transport Layer Security (TLS), a protocol for encrypted communication.

Communication is always encrypted between Kafka components.

## Authentication <a href="#authentication" id="authentication"></a>

Kafka listeners use authentication to ensure a secure client connection to the Kafka cluster. Clients can also be configured for mutual authentication. Security credentials are created and managed by the Cluster and User Operator.

### **Supported authentication mechanisms**

* mTLS authentication (on listeners with TLS-enabled encryption)
* SASL SCRAM-SHA-512
* OAuth 2.0 token-based authentication
* Custom authentication (supported by Kafka)
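
A client-side check for the encryption and authentication rules above, as an added example that is not Condense's own code: it audits a Kafka client properties file using standard Apache Kafka client setting names. It assumes no custom authentication mechanism is in use; the sample configs, paths and user name are constructed.

```python
# Added example (not Condense code): audit a Kafka client config against this page.
SUPPORTED_SASL = {"SCRAM-SHA-512", "OAUTHBEARER"}  # SCRAM-SHA-512 and OAuth 2.0

def parse_properties(text):
    """Parse simple key=value properties, skipping blank and comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit_client(props):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    protocol = props.get("security.protocol", "PLAINTEXT")  # Kafka client default
    if protocol not in ("SSL", "SASL_SSL"):
        findings.append(f"security.protocol={protocol} does not use TLS")
    if protocol.startswith("SASL"):
        mechanism = props.get("sasl.mechanism", "GSSAPI")  # Kafka client default
        if mechanism not in SUPPORTED_SASL:
            findings.append(f"sasl.mechanism={mechanism} is not a listed mechanism")
    elif protocol == "SSL":
        # mTLS needs a client certificate: a keystore file or an inline PEM key.
        if not (props.get("ssl.keystore.location") or props.get("ssl.keystore.key")):
            findings.append("no client keystore, so mTLS authentication cannot succeed")
    # An empty value turns off broker hostname verification.
    if props.get("ssl.endpoint.identification.algorithm") == "":
        findings.append("broker hostname verification is disabled")
    return findings

# Constructed sample configs (paths, user name and secret are placeholders).
GOOD_SCRAM = """
security.protocol=SASL_SSL
sasl.mechanism=SCRAM-SHA-512
sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="app-user" password="<from-secret>";
ssl.truststore.location=/etc/kafka/ca.p12
"""
BAD_CLIENT = """
security.protocol=SASL_PLAINTEXT
sasl.mechanism=PLAIN
ssl.endpoint.identification.algorithm=
"""
MTLS_NO_CERT = "security.protocol=SSL\nssl.truststore.location=/etc/kafka/ca.p12\n"

if __name__ == "__main__":
    for name, cfg in [("good", GOOD_SCRAM), ("bad", BAD_CLIENT), ("mtls", MTLS_NO_CERT)]:
        print(name, audit_client(parse_properties(cfg)))
```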

## Authorization <a href="#authorization" id="authorization"></a>

Authorization controls the operations that are permitted on Kafka brokers by specific clients or users.

### **Supported authorization mechanisms**

* Simple authorization using ACL rules
* OAuth 2.0 authorization (if you are using OAuth 2.0 token-based authentication)
* Open Policy Agent (OPA) authorization
* Custom authorization (supported by Kafka)

## **Federal Information Processing Standards (FIPS)**

Kafka in Condense can run on FIPS-enabled Kubernetes clusters, provided the cloud provider's native Kubernetes service supports it, to ensure data security and system interoperability.
