Cockroach Labs is committed to the delivery of the highest quality software and services to our customers. Essential to that quality is a steadfast dedication to security in all aspects of our business. We maintain a set of internal information security policies and processes based on controls and best practices from AICPA SOC 2 Trust Services Criteria. Azure is not currently covered in the CockroachDB Cloud SOC 2 reports. The purpose of this document is to highlight processes and controls that Cockroach Labs has in place to ensure protection and security of our customer data. Policies that are related to CockroachDB Cloud are specifically called out when relevant.
Cockroach Labs has two cloud offerings where Cockroach Labs hosts and manages a customer’s CockroachDB clusters, CockroachDB Dedicated and CockroachDB Serverless. In this document, references to CockroachDB Cloud are applicable to both offerings.
1. Customer Data Access and Management
The customer has the choice to choose Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platform (GCP). Each CockroachDB Dedicated customer receives a single-tenant CockroachDB cluster which is spun up in a separate virtual network in Cockroach Labs managed cloud account. The customer has the choice to choose Amazon Web Services (AWS) or Google Cloud Platform (GCP). The separate virtual networks are fully isolated to ensure that each customer’s cluster is separated from other customers. A limited number of Cockroach Labs employees who require such access for maintenance & support are granted access to these customer clusters, as specified in the contracts between Cockroach Labs and the customer.
Each CockroachDB Serverless customer receives a virtual CockroachDB cluster which is hosted on an underlying multi-tenant CockroachDB physical cluster (a “host cluster”). The host cluster stores customer data and uses certificate authentication to identify a Serverless cluster and ensure that it can only access data that it owns. SQL processing for a Serverless cluster runs in separate Kubernetes pods that provide process isolation and also are configured to be network isolated from other clusters. This prevents SQL pods from different customers from interacting with one another. A limited number of Cockroach Labs employees who require such access for maintenance & support are granted access to host clusters and the Serverless clusters that run on them.
2. Encryption of Customer Data
All traffic between CockroachDB nodes as well as client-server communications for CockroachDB Cloud clusters is encrypted using TLS. CockroachDB Cloud clusters use TLS 1.3 digital certificates for inter-node and client-server authentication, which require a Certificate Authority (CA) as well as keys and certificates for nodes, and passwords or tokens for clients. The certificate authority is managed by CockroachDB Cloud internally. TLS encryption is enabled by default for all secure clusters and needs no additional configuration.
All data at rest in CockroachDB Cloud clusters is encrypted using the cloud provider’s infrastructure-level disk encryption. In addition, CockroachDB Dedicated customers can bring their own managed key from cloud provider’s key management service to further encrypt the AWS & GCP cluster data using file-based encryption.
For customers running CockroachDB on-premises, take a look at our full list of security documentation here.
3. Security Controls Framework
Cockroach Labs follows processes and policies that are designed to protect customer data, information, and related assets from threats to security and availability. Cockroach Labs’ internal security controls map to AICPA SOC2 Trust Services Criteria for security (common criteria), availability, and confidentiality.
4. Security Incident Response Management
Cockroach Labs has a process for identifying and managing security vulnerabilities and threats. Once a security vulnerability has been detected, appropriate staff at Cockroach Labs are assigned to immediately fix it. Version upgrades and security patching are automatically performed for our CockroachDB Cloud customer clusters, and customers are notified after the event. For customers running CockroachDB on-premises, Cockroach Labs may, depending on the severity of the issue, notify all paid customers and provide them sufficient time to address the issue, including upgrading to a patch, if necessary. This will be followed up with a notification and updated patch on open channels such as Forum on our website. Following this public release, an internal post mortem is conducted to understand the cause of the incident, and corrective action necessary to prevent future similar incidents. Our release notes contain updates on security vulnerabilities and patches, when they occur.
5. Responsible Disclosure Policy
Cockroach Labs has a Responsible Disclosure Policy outlined on our website. If you discover a vulnerability, please follow the steps outlined in our policy to report the issue to us so we can take steps to resolve it as quickly as possible.
6. Business Continuity
Cockroach Labs has a Business Continuity Plan when an event or series of events impacts Cockroach Labs. In the case of CockroachDB Cloud clusters, all customer information is maintained on compute & storage hosted by the cloud providers. CockroachDB Cloud clusters are designed to be resilient to cloud availability issues as each cluster has data replicated across at least three availability zones at a minimum, except for single-node clusters.
Since Cockroach Labs does not process, maintain, or transfer any Customer information onto compute & storage in its corporate locations, any event that affects the Cockroach Labs corporate facility will not have an impact on the clusters of our Customers. Additionally by design and practice there are no critical dependencies of the daily operations of Cockroach Labs Customer support on these facilities.
In the event an incident occurs that renders the corporate facilities (headquarters) of Cockroach Labs unusable for some period of time (i.e. a natural disaster), staff will continue to provide service working from alternate Cockroach Labs locations and home offices. Cockroach Labs performs a Business Continuity test annually.
7. Physical Security
CockroachDB Cloud clusters are hosted within the infrastructure provided by Cloud Providers AWS, Azure, and GCP today. All physical security controls for those clusters are managed by the Cloud Providers. Cockroach Labs corporate offices do not host any compute or storage for the customer clusters.
Only Cockroach Labs employees, contractors, and vendors with regular facilities access will be issued an access card and permitted to physically access the Cockroach Labs corporate offices without escort. Cockroach Labs personnel are not permitted to loan out an access card to anyone, not even fellow Cockroach Labs personnel. Cockroach Labs employees, contractors, and vendors are responsible for the badge issued to them, and its use. The physical location of the offices are monitored by 24x7 CCTV cameras.
8. Risk Management
Cockroach Labs’ risk management policy includes controls specific for complying with AICPA SOC2 Trust Services Criteria.
Cockroach Labs has a corporate Risk Management Processes, which applies to all Cockroach Labs employees, contractors, vendors and agents as well as all Cockroach Labs business processes, procedures and activities. While the focus is primarily Information Technology and Security and Availability, threats or vulnerabilities outside these areas identified by this process will be escalated to executive management for action and timely resolution.
Cockroach Labs also has a Business Continuity Plan (see section 5). It contains instructions for Business Operations in the event of full or partial unavailability of a Cockroach Labs facility.
9. Customer Responsibilities
Cockroach Labs has designed the CockroachDB Cloud service with the assumption that certain controls will be the responsibility of its customers. The following is a representative list of controls that are recommended to be used to reduce risk and enhance security when using the service.
- Customers are responsible for adding and managing user accounts, credentials and access rights to the cloud console and their clusters.
- Customers are responsible for the strength of the passwords they choose for signing into the CockroachDB Cloud console or their clusters.
- Customers are responsible for identifying approved points of contacts to coordinate with Cockroach Labs. The Support team may reach out to the designated contact to validate requests.
- Customers are responsible for validating the accuracy and completeness of data contained in their environment.
- Customers are responsible for data confidentiality controls at their organizations, such as segregation of duties, (non-)disclosure of information at the customer organization.
- Customers are responsible for alerting Cockroach Labs of security incidents when they become aware of them.
- Customers are responsible for implementing CockroachDB Cloud provided network security and data protection capabilities in CockroachDB Dedicated when customer data includes PII, PHI, or other sensitive data.