Enhanced data security with CockroachDB and Satori


CockroachDB helps small to large organizations manage their transactional data at global scale, with high availability, while providing multi-cloud and hybrid disaster-proofing capabilities. Many of those customers trust CockroachDB to store PII or organizationally sensitive data, and they secure it with the native data security capabilities in the product. But some needs require rethinking how one looks at data security at different kinds of scale: across different business units or teams, across multiple CockroachDB clusters, or across multiple types of data stores, including OLTP and OLAP.

And to address such challenges, we are excited to forge a partnership with Satori to provide a joint solution to our customers. Satori is a DataSecOps platform that enables companies to streamline access to sensitive data and shorten the time it takes to provide data access while enhancing security features.

Security mental model for CockroachDB

Before diving into the specific challenges addressed by the joint solution, let’s run through a contextual overview of how we think about security for CockroachDB. You’ll notice that most of the “blazing fast” or “performance benchmark breaking” databases out there either treat security as a blocker to resolve, or as an afterthought. But here at Cockroach Labs, we believe that security is rooted in trust that app teams and their users place when storing their PII, PHI or other confidential data in a database, and it’s a fundamental right when using a database. To that end, our security mental model is based on 4 key pillars:


  • Identity and Access Management (IAM) - user authentication based on standards like SAML and OIDC, authorization rooted in the least-privilege principle and avoiding privilege escalation, and simplified provisioning and deprovisioning of identities.
  • Data Protection & Privacy - encryption of customer data at rest and in transit beyond just encrypting the cluster disks, the ability to mask or anonymize sensitive data backed by proper classification, and use of cloud provider IAM to access cloud-native resources.
  • Network Security - cloud provider-native VPC Peering or PrivateLink to connect to a cluster, and perimeter controls when connecting to customer resources for backups, Change Data Capture, etc.
  • Compliance - regulatory or industry-specific compliance certifications, SaaS security controls, and infosec processes.

Where does Satori fit in?

When we looked at the security features within CockroachDB and what our most security-conscious customers would need in the future, we concluded that a new class of enhanced data security capabilities spanning the IAM and Data Protection & Privacy pillars would help our customers build a greater degree of trust in their database. And we realized that partnering with the awesome team at Satori would help us bring more innovative solutions, because they are focused on the relevant classes of problems across the broader OLTP and OLAP space, and a Satori partnership allows us to provide those capabilities to our customers much faster.

Fine-grained access control

Customer admins can use Satori to configure fine-grained access control consisting of row and column-level security across their users in a scalable manner, while using no-code policies and using either role-based access control (RBAC) or attribute-based access control (ABAC).

Customers can also create separate database views in CockroachDB for different classes of row- and column-level controls. This approach can pose a scale challenge, though, if the number of user classes in an organization grows, or if app teams need a mechanism to enforce similar controls across multiple clusters.

Data masking and anonymization

App or security teams can use Satori to configure PII or PHI data masking to set up different classes of permissive and restrictive profiles across their users and clusters in a scalable manner, again while using no-code policies. This can be combined with the fine-grained access control capability because typically the customers need to address both requirements.

Customers can also use a DIY solution to mask the data on the app or client side before writing it to CockroachDB. That can be too restrictive, though, if a minimal set of high-privileged users needs the ability to query the unmasked or non-anonymized data for auditing purposes. Starting with CockroachDB version 22.1, customers can alternatively use the hmac() and digest() functions from pgcrypto if they want a more localized solution.
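The two native approaches above (a view per user class for row/column-level control, and pgcrypto hmac() for masking) combined in one worked example; this is constructed for this post, not code from CockroachDB or Satori, and assumes CockroachDB 22.1+ and the hypothetical `customers`, `user_regions` and `masking_keys` tables defined here:

```sql
-- Constructed example. Assumes CockroachDB >= 22.1 (pgcrypto hmac()/digest()).
CREATE TABLE customers (
  id        UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  region    STRING NOT NULL,
  full_name STRING NOT NULL,
  email     STRING NOT NULL,
  ssn       STRING NOT NULL
);

-- Row scope: which regions each SQL user is allowed to see.
CREATE TABLE user_regions (
  username STRING NOT NULL,
  region   STRING NOT NULL,
  PRIMARY KEY (username, region)
);

-- Keep the HMAC key out of the view definition (SHOW CREATE would expose it).
-- Only the view owner needs SELECT on this table.
CREATE TABLE masking_keys (name STRING PRIMARY KEY, key STRING NOT NULL);
INSERT INTO masking_keys VALUES ('pii-v1', 'REPLACE-WITH-A-LONG-RANDOM-SECRET');

-- One view per user class: rows filtered by the caller, PII columns masked.
CREATE VIEW customers_masked AS
  SELECT
    c.id,
    c.region,
    c.full_name,
    -- Keyed pseudonym: stable for joins/dedup, not reversible without the key,
    -- and not brute-forceable from a public email list (unlike a bare digest()).
    encode(hmac(c.email, (SELECT key FROM masking_keys WHERE name = 'pii-v1'), 'sha256'), 'hex') AS email_token,
    -- Partial mask: last four digits only, for support workflows.
    'XXX-XX-' || right(c.ssn, 4) AS ssn_masked
  FROM customers AS c
  WHERE c.region IN (SELECT region FROM user_regions WHERE username = current_user);

-- Least privilege: the analyst gets the view only, never the base tables.
-- Assumes (as in PostgreSQL) that SELECT on the view suffices to query it.
CREATE ROLE analyst WITH LOGIN;
INSERT INTO user_regions VALUES ('analyst', 'us-east');
GRANT SELECT ON customers_masked TO analyst;

-- Constructed sample data; as analyst, SELECT * FROM customers_masked returns
-- only the us-east row, with a 64-hex-char email_token and ssn_masked 'XXX-XX-6789'.
INSERT INTO customers (region, full_name, email, ssn) VALUES
  ('us-east', 'Ada Example', 'ada@example.com', '123-45-6789'),
  ('eu-west', 'Bo Example',  'bo@example.com',  '987-65-4321');
```

Auditors who must see unmasked values query `customers` directly with their own grant, which is exactly the carve-out a client-side DIY mask cannot offer; the cost, as noted above, is one view (and one set of grants) per user class and per cluster.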

Data access auditing from a one-stop shop

Security and risk teams and admins can use Satori to configure scalable data access auditing, with audit records enriched with metadata and contextual information. The case for this capability is stronger when there are multiple clusters or different types of data stores, including CockroachDB.

Customers can also use CockroachDB’s SQL audit logging capability if they want a more native solution.

Our Recommendations

As you can see, there are both CockroachDB-specific and Satori-integrated solutions for the above-mentioned requirements. The right approach for your organization depends on your scale, use-case complexity, and maturity. Our recommendations are:

  • Use the CockroachDB-specific solution if you have a particular requirement for a few user classes or data access profiles, and if you’re looking to set it up for a few clusters.
  • Use the Satori-integrated solution if you have a mixed set of requirements across more than a few user classes or data access profiles, or if you’re looking to scale those across more than a few clusters.

How does the Satori and CockroachDB integration work?

CockroachDB and Satori Integration Architecture

Customers can simply drop Satori’s Data Access Controller (DAC) in between their users and apps and the CockroachDB cluster. The Satori DAC works as a transparent proxy that applies the configured controls during both writes and reads, without requiring any change within the database cluster. It just works.

Depending on the requirements, some customers could choose to route only human-user traffic through the Satori DAC, while allowing app traffic to go straight to the database clusters. Reasons for that could include the need for apps to see all data as-is, or not wanting to incur even the minimal latency (on the order of single-digit milliseconds) of the Satori DAC intercepting app traffic. The point is that the architecture can be flexible depending on specific needs. To ensure that the relevant traffic reaches CockroachDB only through the Satori DAC (and optionally from an app), we recommend using VPC Peering on GCP, PrivateLink on AWS, or IP allowlisting on either cloud, so that the database is not reachable by clients that bypass the proxy.

What are the deployment patterns?

The CockroachDB and Satori partnership was made in tech heaven, because both products have similar offerings and deployment models, which fit nicely with each other:

And it’s possible to mix the offerings across CockroachDB and Satori depending on unique customer needs.

How to get started with Satori and CockroachDB

If you don’t have a CockroachDB cluster yet, you can get started here. Once the cluster is set up, try out the integration in the Satori test drive. It takes less than five minutes to get up and running.

Setting up Satori with CockroachDB is super easy and requires no downtime if you follow these steps:

  1. If you do not already have a Satori account, register for a test drive account.
  2. Choose “Data Stores” in the navigation bar.
  3. Add a CockroachDB data store using the hostname of your CockroachDB cluster.
  4. Connect to your CockroachDB cluster with your favorite client, script, or BI tool, using the new hostname displayed in Satori.

We also encourage you to watch this session from Satori’s Data Leader Summit, where we give an overview of the integration and showcase it through a demo.
