This page summarizes the security features available in CockroachDB Cloud:
- CockroachDB Standard: Deployed in shared (multi-tenant) network and compute infrastructure. Storage scales automatically according to demand, but the cluster's compute requirements are defined explicitly as part of the cluster's configuration.
- CockroachDB Basic: Deployed in shared (multi-tenant) network and compute infrastructure. Storage and compute scale automatically according to demand, and you are charged only for the storage and activity of your cluster.
- CockroachDB Advanced: Deployed in dedicated network and compute infrastructure. This deployment may be distributed over multiple regions for added disaster-resilience. In addition to infrastructure isolation, Advanced clusters can be customized with advanced network, identity-management, and encryption-related security features required for high benchmark security goals such as PCI DSS compliance. Refer to Payment Card Industry Data Security Standard (PCI DSS) Compliance in CockroachDB Advanced
The following table summarizes the CockroachDB Cloud security features and provides links to detailed documentation for each feature where applicable.
| Security Domain | CockroachDB Basic | CockroachDB Standard | CockroachDB Advanced | Feature |
| Authentication | ✓ | ✓ | ✓ | Inter-node and node identity authentication using TLS 1.3 |
| ✓ | ✓ | ✓ | Client identity authentication using a username and password | |
| ✓ | ✓ | ✓ | SASL/SCRAM-SHA-256 secure password-based authentication | |
| ✓ | Cluster DB console authentication with third-party Single Sign On (SSO) using OpenID Connect OIDC or SAML | |||
| ✓ | ✓ | ✓ | SQL Client authentication with Cluster SSO using CockroachDB Cloud as identity provider | |
| ✓ | ✓ | ✓ | SQL Client authentication with Cluster SSO using customer-managed identity providers | |
| ✓ | Client identity authentication using PKI certificates | |||
| ✓ | OCSP certificate revocation protocol | |||
| Data Protection | ✓ | ✓ | ✓ | Encryption-in-flight using TLS 1.3 |
| ✓ | ✓ | ✓ | Automatic backups for AWS clusters are encrypted-at-rest using AWS S3’s server-side encryption | |
| ✓ | ✓ | ✓ | Automatic backups for GCP clusters are encrypted-at-rest using Google-managed server-side encryption keys | |
| ✓ | ✓ | ✓ | Industry-standard encryption-at-rest provided at the infrastructure level by your chosen deployment environment, such as Google Cloud Platform (GCP), Amazon Web Services (AWS), or Microsoft Azure. | |
| ✓ | Customer Managed Encryption Keys (CMEK), with Advanced security features enabled. | |||
| Access Control (Authorization) | ✓ | ✓ | ✓ | SQL users with direct privilege management |
| ✓ | ✓ | ✓ | SQL Role-based access control (RBAC) | |
| ✓ | ✓ | ✓ | Cloud Organization users with fine-grained access roles | |
| Network Security | ✓ | ✓ | ✓ | SQL-level configuration of allowed authentication attempts by IP address |
| ✓ | Private Clusters | |||
| ✓ | ✓ | ✓ | Network-level Configuration of allowed IP addresses | |
| ✓ | Egress Perimeter Controls | |||
| ✓ | ✓ | Private Service Connect (PSC) for GCP clusters | ||
| ✓ | VPC Peering for GCP clusters | |||
| ✓ | ✓ | PrivateLink for AWS clusters. | ||
| Non-Repudiation | ✓ | ✓ | ✓ | SQL Audit Logging |
| ✓ | ✓ | ✓ | Cloud Organization Audit Logging | |
| Availability/Resilience | ✓ | ✓ | ✓ | CockroachDB, as a distributed SQL database, is uniquely resilient by nature. A cluster can tolerate node failures as long as the majority of nodes remain functional. See Disaster Recovery. |
Was this helpful?
