-
Notifications
You must be signed in to change notification settings - Fork 484
Add BYOC shared-responsibility page #6373
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| --- | ||
| title: 'Security shared responsibility model' | ||
| slug: /cloud/reference/byoc/reference/security-shared-responsibility | ||
| sidebar_label: 'Security shared responsibility' | ||
| keywords: ['BYOC', 'security', 'shared responsibility', 'IAM', 'compliance', 'GDPR', 'CCPA', 'encryption', 'network security', 'disaster recovery'] | ||
| description: 'Breakdown of security responsibilities between ClickHouse, the customer, and cloud providers in a BYOC deployment.' | ||
| doc_type: 'reference' | ||
| --- | ||
|
|
||
| BYOC deploys ClickHouse services within your cloud account, distributing security responsibilities across three parties: ClickHouse, you, and your cloud service provider. | ||
| The table below breaks down who owns what across eight security domains. | ||
|
|
||
| For more information on specific features and settings to meet your security requirements, visit [trust.clickhouse.com](https://trust.clickhouse.com). | ||
|
|
||
| ## Shared responsibilities {#shared-responsibilities} | ||
|
|
||
| | Domain | ClickHouse | Customer | Cloud provider | | ||
| |-------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | ||
| | **IAM** | Enforce unique usernames, strong passwords, and MFA.<br /><br />Restrict access to customer environments based on least privilege.<br /><br />Secure remote connections using strong cryptography.<br /><br />Manage IAM holistically, including oversight of Auth0 accounts BYOC customers create. | Configure SSO for console users and enforce MFA within the identity provider.<br /><br />Use strong passwords and configure roles based on least privilege for database users.<br /><br />Securely manage the default user password and relevant API keys and secrets. | Protect the identity and access management infrastructure. | | ||
|
Check notice on line 19 in docs/cloud/guides/infrastructure/01_deployment_options/byoc/08_reference/08_security_shared_responsibility.md
|
||
| | **Data security** | Encrypt data in transit using TLS 1.2+.<br /><br />Encrypt data at rest using AES-256+.<br /><br />Securely manage, deploy, and rotate encryption keys.<br /><br />Delete service data and backups within seven days of service termination. | Implement [customer-managed encryption keys (CMEK)](/cloud/security/cmek), as available.<br /><br />Use time-to-live settings to enforce data retention. | Manage encryption hardware and services.<br /><br />Encrypt data in transit and at rest, where configured. | | ||
|
Check notice on line 20 in docs/cloud/guides/infrastructure/01_deployment_options/byoc/08_reference/08_security_shared_responsibility.md
|
||
| | **Network** | Deploy security groups and network controls to enable secure communication while isolating customer environments.<br /><br />Enable secure defaults for network access controls and security groups. | Configure [IP filters](/cloud/security/setting-ip-filters) to restrict connections to the database.<br /><br />Maintain secure network configurations after initial deployment. | Manage physical and logical security of the cloud networking infrastructure.<br /><br />Maintain secure communications for cloud infrastructure, including APIs. | | ||
| | **Security monitoring** | Deploy security event detection capabilities.<br /><br />Generate audit logs and retain for one year.<br /><br />Investigate and respond to potential security events.<br /><br />Report security breaches affecting you in accordance with the ClickHouse Information Security Addendum. | Configure and manage cloud security monitoring.<br /><br />Monitor session and query logs within the service.<br /><br />Investigate and respond to potential security events. | Configure and manage security monitoring for underlying cloud services.<br /><br />Investigate and respond to potential security events related to underlying cloud services.<br /><br />Report security breaches affecting you in accordance with contractual obligations. | | ||
| | **Disaster recovery** | Protect against database failures using multiple replicas.<br /><br />Use multi-availability zone configurations in each region.<br /><br />Provide backup capabilities to enable data recovery from localized incidents.<br /><br />Regularly test backups to ensure recoverability. | Configure backup policies and perform restoration. | Provide data centers with high-availability features.<br /><br />Provide geographically isolated data centers in each region. | | ||
| | **Platform** | Securely configure, deploy, and terminate ClickHouse systems.<br /><br />Use hardened base images to deploy services.<br /><br />Maintain a public bug bounty program. | Secure the service landing zone, including account setup, configuration, and management. | Provide and maintain physical and environmental protections.<br /><br />Securely configure, patch, and maintain hardware, firmware, and operating system software. | | ||
| | **Best practices** | Maintain a technical vulnerability management program.<br /><br />Conduct third-party penetration tests at least annually.<br /><br />Employ an in-house information security team. | Configure ClickHouse and cloud security controls based on organizational requirements.<br /><br />Follow security best practices for cloud-based systems. | Maintain a technical vulnerability management program.<br /><br />Conduct third-party penetration tests at least annually.<br /><br />Employ an in-house information security team. | | ||
| | **Compliance** | Maintain independent third-party audits, standards, and certifications.<br /><br />Provide tools and configurations that enable compliance with applicable laws, such as GDPR and CCPA. | Evaluate and implement relevant ClickHouse security configurations to meet applicable compliance requirements for the type of data processed.<br /><br />Use ClickHouse services in compliance with relevant export control and data privacy laws. | Maintain relevant independent third-party audits, standards, and certifications. | | ||
|
Check notice on line 26 in docs/cloud/guides/infrastructure/01_deployment_options/byoc/08_reference/08_security_shared_responsibility.md
|
||
Uh oh!
There was an error while loading. Please reload this page.