Last Revised: June 7, 2019
Cockroach Labs (CRL) is committed to the delivery of the highest quality software and services to our customers. Essential to that quality is a steadfast dedication to security in all aspects of our business. Our basic Information Systems Policy (ISP) is based on AICPA SOC 2. The purpose of this document is to highlight the processes and controls that CRL has in place to ensure the protection and security of our customer data. Policies that relate specifically to Managed CockroachDB are called out when relevant.
In this document, Managed CockroachDB refers to the cloud offering where CRL hosts and manages a customer’s CockroachDB clusters.
1. Customer Data Access and Management
Each Managed CockroachDB customer receives a single-tenant CockroachDB cluster which is spun up in a separate virtual private cloud (VPC) in a cloud provider’s account. The customer has the option to choose Amazon Web Services (AWS) or Google Cloud Platform (GCP) as of February 2019. The separate VPCs are fully isolated to ensure that each customer’s cluster is separated from those of other customers. A limited number of CRL employees who require such access are provided access to these customer clusters, as specified in the contract between CRL and the customer.
2. Encryption of Customer Data
All traffic between CockroachDB nodes, as well as all client-server communication, is encrypted for Managed CockroachDB clusters. CockroachDB uses TLS 1.2 digital certificates for inter-node and client-node authentication, which require a Certificate Authority (CA) as well as keys and certificates for nodes, and passwords for clients. The certificate authority is managed by HashiCorp Vault. TLS encryption is enabled by default for all secure clusters and needs no additional configuration.
For customers running CockroachDB on-premises, take a look at our full security documentation here.
3. Security Controls Framework
CRL follows processes and policies that are designed to protect customer data, information, and related assets from threats to security and availability. Cockroach Labs follows the AICPA SOC 2 Trust Services Criteria (TSC) framework. Security is very important to us as a company, and we fully plan to expand our policies to incorporate other controls and frameworks as appropriate in the future.
4. Security Incident Response Management
CRL has a formal process for identifying and managing security vulnerabilities and threats. Once a security vulnerability has been detected, appropriate staff at CRL are assigned to fix it immediately. Patches are applied automatically to our Managed CockroachDB customer clusters, and customers are notified after the patch. For customers running CockroachDB on-premises, CRL may, depending on the severity of the issue, notify all paid customers and provide them sufficient time to address the issue, including upgrading to a patch, if necessary. This is followed by a notification and the updated patch on open channels such as the forum on our website. Following this public release, an internal post-mortem is conducted to understand the cause of the incident and determine any corrective actions necessary to prevent similar incidents in the future. CRL also has a Responsible Disclosure Policy outlined on our website. Our release notes contain updates on security vulnerabilities and patches when they occur.
5. Business Continuity Plan and Disaster Recovery
CRL has a business continuity plan for when an event or series of events impacts Cockroach Labs. For our Managed CockroachDB solution, all customer information is maintained on servers hosted in the cloud. The managed service offering is designed by default to be resilient to cloud availability issues, as each production cluster has its data replicated across a minimum of three availability zones.
Since Cockroach Labs does not process, maintain or transfer any customer information onto servers in its corporate locations, any event that affects the Cockroach Labs corporate facility will not have an impact on the services provided to our customers. Additionally, by design and practice, the daily operations of Cockroach Labs customer support have no critical dependencies on these facilities.
In the event an incident occurs that renders the corporate facilities (headquarters) of Cockroach Labs unusable for some period of time (e.g. a natural disaster), staff will continue to provide service working from alternate Cockroach Labs locations, designated alternate work sites and home offices.
6. Physical Security
The managed service offering is hosted with the cloud providers AWS and GCP today. All physical security controls are managed by the cloud provider. Cockroach Labs corporate offices do not house any physical servers that host customer clusters.
Only Cockroach Labs employees, contractors, and vendors with regular facilities access are issued a photo ID access badge and permitted to physically access the Cockroach Labs facility without escort. Cockroach Labs personnel are not permitted to loan an access badge to anyone, not even fellow Cockroach Labs personnel. Cockroach Labs employees, contractors, and vendors are responsible for the badge issued to them and for its use. All Cockroach Labs employees are granted 24×7 access to the facility. The physical location of the offices is monitored by 24×7 CCTV cameras and security personnel.
7. Risk Management
CRL’s risk management policy maintains controls specific to compliance with the AICPA SOC 2 Trust Services Criteria.
CRL has a corporate Risk Management Policy which applies to all Cockroach Labs employees, contractors, vendors and agents, as well as all Cockroach Labs business processes, procedures and activities. While the focus is primarily information technology, security and availability, threats or vulnerabilities outside these areas that are identified by this process will be escalated to executive management for action and timely resolution.
CRL also has a Business Continuity Program (see section 5). It contains instructions for Business Operations in the event of full or partial unavailability of a Cockroach Labs facility.
8. Customer Responsibilities
CRL has designed its application and managed service offering with the assumption that certain controls will be the responsibility of its customers. The following is a representative list of recommended controls that reduce risk and enhance security when using the service.
- Customers are responsible for adding and managing user accounts, credentials and access rights to the cluster.
- Customers are responsible for the strength of the passwords they choose for signing into the managed services console.
- Customers are responsible for identifying approved points of contact to coordinate with CRL. The Support team may reach out to the designated contact to validate requests.
- Customers are responsible for validating the accuracy and completeness of data contained in their environment.
- Customers are responsible for data confidentiality controls at their organizations, such as segregation of duties and (non-)disclosure of information within the customer organization.
- Customers are responsible for alerting CRL of security incidents when they become aware of them.
- Customers are responsible for implementing CRL-provided IP whitelisting when customer data includes PCI, PHI or other sensitive data.