Cockroach Labs Security Overview
Last updated May 21, 2020
Cockroach Labs is committed to the delivery of the highest quality software and services to our customers. Essential to that quality is a steadfast dedication to security in all aspects of our business. We maintain a set of internal information security policies and processes based on controls and best practices from AICPA SOC 2. The purpose of this document is to highlight processes and controls that Cockroach Labs has in place to ensure protection and security of our customer data. Policies that are related to CockroachCloud are specifically called out when relevant.
In this document, CockroachCloud refers to the cloud offering where Cockroach Labs hosts and manages a customer’s CockroachDB clusters.
1. Customer Data Access and Management
Each CockroachCloud customer receives a single-tenant CockroachDB cluster, which is spun up in a separate virtual private cloud (VPC) in a cloud provider's account. The customer can choose either Amazon Web Services (AWS) or Google Cloud Platform (GCP). The separate VPCs are fully isolated to ensure that each customer's cluster is separated from those of other customers. A limited number of Cockroach Labs employees who require such access are granted access to these customer clusters, as specified in the contracts between Cockroach Labs and the customer.
2. Encryption of Customer Data
All traffic between CockroachDB nodes, as well as all client-server communication, is encrypted for CockroachCloud managed clusters. CockroachDB uses TLS 1.2 with digital certificates for inter-node and client-node authentication; this requires a Certificate Authority (CA), keys and certificates for each node, and passwords for clients. The certificate authority is managed by HashiCorp Vault. TLS encryption is enabled by default for all secure clusters and needs no additional configuration.
For customers running CockroachDB on-premises, take a look at our full list of security documentation here.
3. Security Controls Framework
Cockroach Labs follows processes and policies that are designed to protect customer data, information, and related assets from threats to security and availability.
4. Security Incident Response Management
Cockroach Labs has a process for identifying and managing security vulnerabilities and threats. Once a security vulnerability has been detected, appropriate staff at Cockroach Labs are assigned to fix it immediately. Patches are applied automatically to our CockroachCloud customer clusters, and customers are notified after the patch. For customers running CockroachDB on-premises, Cockroach Labs may, depending on the severity of the issue, notify all paid customers and provide them sufficient time to address the issue, including upgrading to a patch, if necessary. This is followed by a notification and the updated patch on open channels such as the forum on our website. Following this public release, an internal post mortem is conducted to understand the cause of the incident and the corrective action necessary to prevent similar incidents in the future. Cockroach Labs also has a Responsible Disclosure Policy outlined on our website. Our release notes contain updates on security vulnerabilities and patches when they occur.
5. Business Continuity
Cockroach Labs has a Business Continuity Plan for when an event or series of events impacts Cockroach Labs. For our CockroachCloud solution, all customer information is maintained on servers hosted in the cloud. CockroachCloud is designed to be resilient to cloud availability issues, as each cluster has its data replicated across a minimum of three availability zones.
Since Cockroach Labs does not process, maintain or transfer any customer information onto servers in its corporate locations, any event that affects a Cockroach Labs corporate facility will not have an impact on the services provided to our customers. Additionally, by design and practice, the daily operations of Cockroach Labs customer support have no critical dependencies on these facilities.
In the event that an incident renders the corporate facilities (headquarters) of Cockroach Labs unusable for some period of time (e.g., a natural disaster), staff will continue to provide service working from alternate Cockroach Labs locations, designated alternate work sites and home offices. Cockroach Labs performs a Business Continuity test annually.
6. Physical Security
CockroachCloud is hosted on the cloud providers AWS and GCP today. All physical security controls are managed by the cloud provider. Cockroach Labs corporate offices do not house any servers that host customer clusters.
Only Cockroach Labs employees, contractors, and vendors with regular facilities access are issued a photo ID access badge and permitted to physically access the Cockroach Labs corporate offices without escort. Cockroach Labs personnel are not permitted to lend an access badge to anyone, not even fellow Cockroach Labs personnel. Cockroach Labs employees, contractors, and vendors are responsible for the badge issued to them and for its use. The physical location of the offices is monitored 24x7 by CCTV cameras and security personnel.
7. Risk Management
Cockroach Labs' risk management policy includes controls specific to complying with the AICPA SOC 2 Trust Services Criteria.
Cockroach Labs has a corporate Risk Management Policy which applies to all Cockroach Labs employees, contractors, vendors and agents, as well as to all Cockroach Labs business processes, procedures and activities. While the focus is primarily on information technology, security and availability, threats or vulnerabilities outside these areas that are identified by this process will be escalated to executive management for action and timely resolution.
Cockroach Labs also has a Business Continuity Program (see section 5). It contains instructions for Business Operations in the event of full or partial unavailability of a Cockroach Labs facility.
8. Customer Responsibilities
Cockroach Labs has designed its application and CockroachCloud with the assumption that certain controls will be the responsibility of its customers. The following is a representative list of controls that customers are recommended to use to reduce risk and enhance security when using the service.
- Customers are responsible for adding and managing user accounts, credentials and access rights to the cluster.
- Customers are responsible for the strength of the passwords they choose for signing into the CockroachCloud console.
- Customers are responsible for identifying approved points of contacts to coordinate with Cockroach Labs. The Support team may reach out to the designated contact to validate requests.
- Customers are responsible for validating the accuracy and completeness of data contained in their environment.
- Customers are responsible for data confidentiality controls at their organizations, such as segregation of duties and (non-)disclosure of information within the customer organization.
- Customers are responsible for alerting Cockroach Labs of security incidents when they become aware of them.
- Customers are responsible for implementing the IP whitelisting provided by Cockroach Labs when customer data includes PCI, PHI or other sensitive data.