How CockroachDB ensures data privacy and security

Database security is crucial for organisations that rely on databases to store sensitive and confidential data. Databases can contain critical business data, such as customer information, financial records, and intellectual property, which makes them a prime target for cyber attacks.

As a distributed database, CockroachDB is designed with security in mind. CockroachDB supports industrial-strength security features that protect your database from malicious attacks and, to some degree, from human error and application bugs.

In this blog post, we will take a closer look at what some of the most important forms of security are and how CockroachDB ensures data privacy and security for your important data.

Encryption

Encryption is the process of encoding data so that it is hidden from, unreadable by, or completely inaccessible to unauthorised users. Its purpose is to protect any sensitive data that is stored, and it can also secure communication between apps and servers.

CockroachDB encrypts at multiple layers to ensure strong data privacy and security. It does this using the following methods:

  • Encryption in Flight - All network traffic in CockroachDB, whether between nodes or from clients to nodes, is encrypted with Transport Layer Security (TLS).

  • Encryption at Rest - When picking a deployment environment for your cluster, if you use GCP, AWS or Azure you are automatically provided with industry-standard encryption for cloud storage. On top of this infrastructure-level encryption, CockroachDB has additional optional safeguards for data at rest on cluster disks, such as:

    • Customer-Managed Encryption Keys (CMEK) for CockroachDB Dedicated allowing data protection using a cryptographic key that's within your control.
    • AES Encryption for Enterprise Self Hosted deployments, allowing encryption of all files on disk using AES in counter mode.

Authentication

The purpose of authentication is to verify that someone or something is who or what they claim to be. You want to ensure that only authorised users or application services can access your database, whether via the UI for monitoring purposes or via the SQL interface for reading from and writing to the database layer.

CockroachDB offers multiple SQL authentication methods right out of the box to meet your authentication requirements and keep your database secure and inaccessible to unwanted users and services. These are:

Authorisation

Authorisation works hand in hand with authentication. The difference is that authorisation is the process of giving a user or service account the appropriate permissions to access a specific resource or function. For example, in CockroachDB you might create a user called Dan, which allows him to authenticate to the system, but if you wanted Dan to be able to read from a certain database you would have to assign an appropriate set of permissions allowing him to do so.

Similar to other databases, CockroachDB has built-in SQL statements for managing authorisation.

Database administrators can use these statements from the SQL command line interface to manage authorisation within any cluster, whether dedicated or self-hosted. They can create roles and grant them to or revoke them from specific users, ensuring only the correct people have access to the information they require.

Audit Logging

Audit logging is an audit trail of security-relevant activity within a system. It is essentially a record of events, usually produced in a generic log format. These events can capture different things, such as who performed an activity, what type of activity was performed (for example, the deletion of an object), and how the system responded to that event.

Auditing is incredibly useful for a multitude of things, such as proving compliance, gaining insight and managing risk.

CockroachDB has a SQL Audit Logging function, which gives you detailed information about queries being executed against your system. This feature is especially useful when you want to log all queries that are run against a table containing personally identifiable information (PII).

This feature is customisable and configurable to meet your audit logging requirements. For example, you can audit only a specific table within your database.
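The Authorisation and Audit Logging sections above describe one workflow, shown here as an added example that is not part of the original post: a user who can authenticate but holds no privileges, read access granted through a role, and auditing switched on for the one table that holds PII. The database, table and role names (`bank`, `customers`, `pii_readonly`) are assumptions made for illustration, and the statements are meant to be run from an administrative SQL session.

```sql
-- Added example; bank, customers and pii_readonly are hypothetical names.
CREATE DATABASE IF NOT EXISTS bank;

CREATE TABLE IF NOT EXISTS bank.customers (
    id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
    full_name   STRING NOT NULL,
    national_id STRING NOT NULL   -- PII column that motivates the audit below
);

-- Authentication side: the user exists, but has no privileges on any table.
-- Credentials (password or client certificate) are configured separately.
CREATE USER IF NOT EXISTS dan;

-- Authorisation side: put the privilege on a role, then attach the role to
-- the user. Removing access later is a single REVOKE of the role.
CREATE ROLE IF NOT EXISTS pii_readonly;
GRANT SELECT ON TABLE bank.customers TO pii_readonly;
GRANT pii_readonly TO dan;

-- Review who holds what: privileges on the table, then members of the role.
SHOW GRANTS ON TABLE bank.customers;
SHOW GRANTS ON ROLE pii_readonly;

-- Audit logging: record every read and write against the PII table only.
-- Other tables in the database are not affected.
ALTER TABLE bank.customers EXPERIMENTAL_AUDIT SET READ WRITE;

-- This query is now written to the audit log with the user, statement and
-- outcome.
SELECT id, full_name FROM bank.customers LIMIT 1;

-- When Dan no longer needs access, detach the role; the table grant on
-- pii_readonly stays in place for the role's other members.
REVOKE pii_readonly FROM dan;

-- Auditing stays enabled until it is explicitly switched off:
-- ALTER TABLE bank.customers EXPERIMENTAL_AUDIT SET OFF;
```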

Comparison of Security Features in CockroachDB

Here at Cockroach Labs we have several CockroachDB offerings, from Self-hosted all the way up to Dedicated, and we ensure that some level of security is offered right out of the box regardless of which offering you use. Below is a comparison of what you'd expect based on your deployment type:

Conclusion

This is just a broad overview of how CockroachDB can ensure the confidentiality and integrity of the information stored within your database. If you'd like to read in more detail about all of the topics listed above, and more, you can find it all within our Security Documentation.

It's also important to do your own due diligence around security. Look at where you're hosting your database or applications and assess whether there are appropriate controls in place to protect you at the infrastructure level, for example firewall rules ensuring that only the right system components can talk to them, and only over the appropriate ports. Always keep your OS and application versions up to date so that security fixes are applied and in place to prevent exploitation.

Thank you for taking the time to read this blog. I hope you found it useful.