Security Shared Responsibility Model
Security is a team effort and we are more successful together. This document is intended to provide information about where we rely on our cloud service providers (“CSP”) to provide security controls, where we manage security, and what you can do to improve security of your services with us. Read on to see how we are with you for every step in your journey.
Cloud Service Provider Responsibilities
We rely on CSPs, including Amazon Web Services (“AWS”), Google Cloud Platform (“GCP”) and Microsoft Azure, to provide, configure and review physical security and environmental controls of our hosted environments. They also provide security of compute, storage, and network resources we leverage to provide our service.
ClickHouse Responsibilities
In addition to security layers provided by CSPs, we securely configure and monitor operating systems, network resources and firewalls that support our services. We also manage infrastructure and application identity and access management of our internal users, and configure our systems to provide encryption in transit and at rest.
Dedicated Security Team
We have a dedicated team of security experts that configure security settings, review alerts and respond to security incidents. Our team uses industry leading tools to monitor for vulnerabilities, misconfigurations and threats. We also have incident response playbooks and practice them. Want to help us out? Tell us about any vulnerabilities you may find by following the responsible disclosure steps in our Security Policy page.
Development Security
Security is part of everyday operations. Our engineering teams utilize static code and software composition analysis scans to identify vulnerabilities in our code or third party libraries and they run automated “fuzzing” to identify unexpected issues.
Third Party Assessments & Compliance
We utilize independent experts to perform penetration testing, internal and external audits of our services. Need to demonstrate compliance for your cloud workloads? We can help you with that! We maintain SOC 2 Type II and ISO 27001 compliance. Visit our Trust Center at trust.clickhouse.com to request copies of these reports.
Customer Responsibilities
ClickHouse Cloud was built with security in mind. We provide a number of features to enable you to meet your security objectives. Always check with your security and compliance teams to determine the best combination of settings for you.
Cloud Console
Our cloud console allows you to manage users and some security settings of your services.
Identity & Access Management
- When using email + password authentication, use strong passwords
- Multi-factor authentication (MFA) can be configured for email + password users
- Single-sign on (SSO) using Google Workspace or Microsoft 365 is available
- Standard role-based access is available
- Console users may use passwordless access to services via SQL console
Security Logging
- Console activities are logged and the audit log is available for review
Geographic Control
- Select your preferred cloud provider and region for each service
Network Control
- Configure IP filters to restrict database connections
- Configure private link with your cloud provider
Transparent Database Encryption
- ADVANCED: Customer managed encryption keys (CMEK) are available
Backups
- Customers are provided with a limited number of free daily backups
- ADVANCED: Custom backup configurations are available
ClickHouse Services
ClickHouse Services (databases) provide additional levels of control.
Identity & Access Management
- Granular role-based access control may be configured in the database
- Create users using sha256_hash to avoid sharing plain text passwords
- Periodically review access
Security Logging
- Session and query logs are recorded within each database and are available for review
Data Retention
- Utilize Time to live (TTL) settings to manage retention periods
- Use ALTER TABLE DELETE or Lightweight DELETE as needed
Field Level Encryption
- ADVANCED: Field level encryption can be implemented with manual key management procedures