Last updated October 7, 2024
Cockroach Labs is committed to the delivery of the highest quality software and services to our customers. Essential to that quality is a steadfast dedication to security in all aspects of our business. We maintain a set of internal information security policies and processes based on controls and best practices from AICPA SOC 2 Trust Services Criteria and the ISO 27001 standards. The purpose of this document is to highlight processes and controls that Cockroach Labs has in place to ensure protection and security of our customer data. Policies that are related to CockroachDB Cloud are specifically called out when relevant.
Cockroach Labs offers three CockroachDB Cloud plans where Cockroach Labs hosts and manages a customer’s CockroachDB clusters: Basic, Standard, and Advanced. In this document, references to CockroachDB Cloud are applicable to all offerings.
Each CockroachDB Cloud - Advanced customer receives a single-tenant CockroachDB cluster which is spun up in a separate virtual network in Cockroach Labs managed cloud account. The customer has the choice to choose Amazon Web Services (AWS), Google Cloud Platform (GCP), or Microsoft Azure. The separate virtual networks are fully isolated to ensure that each customer’s cluster is separated from other customers. A select number of Cockroach Labs employees have access to customer clusters strictly for maintenance and support, as outlined in the customer contracts. This access is only granted with the customer's explicit request and approval, or in response to a high-severity incident.
All traffic between CockroachDB nodes as well as client-server communications for CockroachDB Cloud clusters is encrypted using TLS. CockroachDB Cloud clusters use TLS 1.3 digital certificates for inter-node and client-server authentication, which require a Certificate Authority (CA) as well as keys and certificates for nodes, and passwords or tokens for clients. The certificate authority is managed by CockroachDB Cloud internally. TLS encryption is enabled by default for all secure clusters and needs no additional configuration. CockroachDB Cloud perimeter network enforces TLS 1.2 or greater for encryption of all data in transit over public facing networks.
All data at rest in CockroachDB Cloud clusters is encrypted using the cloud provider’s infrastructure-level disk encryption. In CockroachDB Cloud - Advanced, customers can bring their own managed key from the cloud provider’s key management service to further encrypt the AWS & GCP cluster data using file-based encryption. Beyond infrastructure-level disk encryption and customer-managed encryption keys, CockroachDB supports column level encryption. Using this feature, you can encrypt one or more of the columns in each row of a database table.
For customers running CockroachDB on-premises, take a look at our full list of security documentation here.
Cockroach Labs follows processes and policies that are designed to protect customer data, information, and related assets from threats to security and availability. Cockroach Labs’ internal security controls map to AICPA SOC2 Trust Services Criteria for security (common criteria), availability, and confidentiality and the ISO 27001 Standard. Beyond these baseline standards, CockroachDB Cloud offers Payment Card Industry Data Security Standards (PCI DSS) readiness and Health Insurance Portability and Accountability Act (HIPAA) ready offerings.
Cockroach Labs has a process for identifying and managing security vulnerabilities, threats, and/or unauthorized access. Once a security incident is suspected, appropriate staff at Cockroach Labs are assigned to immediately investigate, access, contain, eradicate, recover from the incident. Formal incident post mortem and reporting processes are in place, and managed per contractual requirements with each customer.
5. Responsible Disclosure Policy
Cockroach Labs has a Responsible Disclosure Policy outlined on our website. If you discover a vulnerability, please follow the steps outlined in our policy to report the issue to us so we can take steps to resolve it as quickly as possible.
Cockroach Labs has a Business Continuity Plan when an event or series of events impacts Cockroach Labs. In the case of CockroachDB Cloud clusters, all customer information is maintained on compute & storage hosted by the cloud providers. CockroachDB Cloud clusters are designed to be resilient to cloud availability issues as each cluster has data replicated across at least three availability zones at a minimum, except for single-node clusters.
Since Cockroach Labs does not process, maintain, or transfer any customer information onto compute & storage in its corporate locations, any event that affects the Cockroach Labs corporate facility will not have an impact on the clusters of our customers. Additionally by design and practice there are no critical dependencies of the daily operations of Cockroach Labs customer support on these facilities.
In the event an incident occurs that renders the corporate facilities (headquarters) of Cockroach Labs unusable for some period of time (i.e. a natural disaster), staff will continue to provide service working from alternate Cockroach Labs locations and home offices. Cockroach Labs performs a Business Continuity test annually.
CockroachDB Cloud clusters are hosted within the infrastructure provided by Cloud Providers AWS, GCP, and Azure today. All physical security controls for those clusters are managed by the Cloud Providers. Cockroach Labs corporate offices do not host any compute or storage for the customer clusters.
Only Cockroach Labs employees, contractors, and vendors with regular facilities access will be issued an access card and permitted to physically access the Cockroach Labs corporate offices without escort. Cockroach Labs personnel are not permitted to loan out an access card to anyone, not even fellow Cockroach Labs personnel. Cockroach Labs employees, contractors, and vendors are responsible for the badge issued to them, and its use. The physical location of the offices are monitored by 24x7 CCTV cameras.
Cockroach Labs’ risk management policy includes controls specific for complying with AICPA SOC2 Trust Services Criteria and ISO 27001 standards.
Cockroach Labs has a corporate Risk Management Processes, which applies to all Cockroach Labs employees, contractors, vendors and agents as well as all Cockroach Labs business processes, procedures and activities.
Cockroach Labs also has a Business Continuity Plan (see section 5). It contains instructions for Business Operations in the event of full or partial unavailability of a Cockroach Labs facility.
Cockroach Labs software development process starts with requirements elicitation, collaboration, and communication. Secure coding techniques are implemented to ensure coding guidelines are met, code reviews enforced, and end-to-end testing is executed before changes are merged. Source code repositories are scanned with OWASP approved security tools for open-source dependency and coding vulnerabilities.
Version upgrades and security patching are automatically performed for our CockroachDB Cloud customer clusters, and customers are notified after the event. For customers running CockroachDB on-premises, Cockroach Labs may, depending on the severity of the issue, notify all paid customers and provide them sufficient time to address the issue, including upgrading to a patch, if necessary. This will be followed up with a notification and updated patch on open channels such as Forum on our website. Following this public release, an internal post mortem is conducted to understand the cause of the incident, and corrective action necessary to prevent future similar incidents. Our release notes contain updates on security vulnerabilities and patches, when they occur.
Cockroach Labs security program is certified against the ISO 27001 standard that includes; device security, anti-malware, data loss prevention, third-party risk management, human resource security, vulnerability and patch management, staff awareness training, and information security policy maintenance.
Cockroach Labs has designed the CockroachDB Cloud service with the assumption that certain controls will be the responsibility of its customers. The following is a representative list of controls that are recommended to be used to reduce risk and enhance security when using the service.
Customers are responsible for adding and managing user accounts, credentials and access rights to the cloud console and their clusters.
Customers are responsible for the strength of the passwords they choose for signing into the CockroachDB Cloud console or their clusters.
Customers are responsible for identifying approved points of contacts to coordinate with Cockroach Labs. The Support team may reach out to the designated contact to validate requests.
Customers are responsible for validating the accuracy and completeness of data contained in their environment.
Customers are responsible for data confidentiality controls at their organizations, such as segregation of duties, (non-)disclosure of information at the customer organization.
Customers are responsible for alerting Cockroach Labs of security incidents when they become aware of them.
Customers are responsible for implementing CockroachDB Cloud provided network security and data protection capabilities in CockroachDB Cloud - Advanced when customer data includes PII, PHI, or other sensitive data.