ClickHouse Security

Purpose

This document is for current and prospective customers and evaluators of the ClickHouse Cloud service and is intended to give insight into ClickHouse’s security posture and overall approach to security. Please reach out to [email protected] with any questions. 

Summary

The ClickHouse Cloud service is designed and operated with security as a top priority. To be able to meet ClickHouse’s and our customers’ security needs, ClickHouse operates under the shared responsibility security model. 

The shared responsibility security framework is in place by many cloud providers to clarify the security responsibilities of the customer and the cloud provider. In this model, ClickHouse is responsible for the security of the ClickHouse Cloud service, and the customer is responsible for security within the context of its use of the ClickHouse Cloud service. 

Security Controls and Processes

Dedicated Security Team

ClickHouse has a dedicated, in-house information security team. The team is responsible for securing the ClickHouse enterprise and ecosystem, identifying vulnerabilities and threats, and responding to security events.

Data Storage and Processing Locations

ClickHouse Cloud consists of two main components – a control layer, which provisions and manages ClickHouse cloud workloads and data plane, which orchestrates running the workloads. 

ClickHouse uses AWS-provided storage and processing in US-based locations for its control layer. This control layer maintains and stores metadata about customer workloads. 

ClickHouse provides options for user-defined locations for ClickHouse Cloud workloads. ClickHouse currently supports AWS as the cloud services provider and offers storage locations in North America (us-west-2, us-east-2) and Europe (eu-west-1). Customer data stored and processed by ClickHouse Cloud workloads is maintained and stored in these customer-defined regions. 

Cloud Security

ClickHouse utilizes AWS native security monitoring and detection tools to monitor the ClickHouse Cloud infrastructure for common vulnerabilities, misconfigurations, threats and aid in ensuring compliance. Some of the tools in use include AWS GuardDuty, Config, Inspector and Security Hub.

Development Security 

ClickHouse implements a variety of processes and tools to maintain and improve the security of both the ClickHouse Cloud service and the core ClickHouse open source product. The ClickHouse codebase is subject to regular static code and software composition analysis scans in order to identify any vulnerabilities in the ClickHouse code as well as 3rd party libraries. 

ClickHouse maintains a public version of security fixes introduced to the ClickHouse open source product.

Authentication and Authorization

ClickHouse uses AWS Cognito for user sign-up, sign-in and access controls. Currently username and password based authentication is supported with a defined password policy in place (password minimum length = 12, password complexity = enabled). 

ClickHouse Cloud is based on role-based access authorization and supports two user profiles – an administrator and a developer.

The core open source ClickHouse product also supports authentication and authorization controls. Passwords used for authentication are salted and hashed.

Encryption

ClickHouse encrypts information in transit by supporting TLS 1.2 and 1.3 when interacting with ClickHouse Cloud over the public internet. 

Data at rest is also encrypted using AES-256 encryption applied to AWS S3 buckets.

Incident Response

ClickHouse has an established incident response policy and associated procedures in place. This includes the designation of appropriate roles and responsibilities for internal staff (e.g. security, engineering, legal) as well as procedures for liaising with external parties (e.g. law enforcement) as appropriate.

Vulnerability Reporting and Disclosure

ClickHouse manages an industry-standard responsible disclosure program.

Business Continuity and Disaster Recovery

ClickHouse leverages Amazon Web Services substantially for its ClickHouse Cloud offering. As such, Business Continuity and Disaster Recovery are reliant on the controls and processes of AWS. More information is available at AWS’s compliance center.

Compliance

ClickHouse achieved SOC 2 Type 1 compliance for its ClickHouse Cloud offering in April 2022. We are working towards obtaining SOC 2 Type 2 compliance in H1 2023.

ClickHouse has established procedures designed to ensure all applicable statutory, regulatory, and contractual requirements are adhered to across the organization.

Document History

Date Notes
February 2022 Initial draft
April 2022 Private preview notes
May 2022 SOC 2 Type 1 audit completion