Scribd
Upload
13 views

Security

Uploaded by

avilanchee
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
13 views

Security

Uploaded by

avilanchee
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 18

Security in ClickHouse Cloud

San Tran

Dec, 2023
Speakers

San Tran

Application/Product security dude

2
ClickHouse Cloud
01 Security features
journey

3
Timeline

Dec 2022 June 2023


March 2023 Dec 2023
(GA Launch) (GCP Launch)

● IP Filtering
● Username & password for
authentication 😅
● Workload isolation &
Security controls inside
K8s & Cloud environment

4
Timeline

Dec 2022 June 2023


March 2023 Dec 2023
(GA Launch) (GCP Launch)

● IP Filtering ● MFA
● Username & password ● Private Link
authentication ● SLQConsole using
● Workload isolation & Certificate Authentication
Security controls inside
K8s & Cloud environment

5
Timeline

Dec 2022 June 2023


March 2023 Dec 2023
(GA Launch) (GCP Launch)

● IP Filtering ● MFA ● Customer Managed


● Username & password ● Private Link Encryption Key
authentication ● SLQConsole using (CMEK)
● Workload isolation & Certificate Authentication ● REST API security
Security controls inside ● Secure S3 access
K8s & Cloud environment

6
Timeline

Dec 2022 June 2023


March 2023 Dec 2023
(GA Launch) (GCP Launch)

● IP Filtering ● MFA ● Customer Managed ● ClickPipe data ingestion


● Username & password ● Private Link Encryption Key ● Self served Secure S3 &
authentication ● SLQConsole using (CMEK) Private Link
● Workload isolation & Certificate Authentication ● REST API security ● Auth0 migration in
Security controls inside ● Secure S3 access preparation for BYO
K8s & Cloud environment SAML Identity Provider.

7
02 Let’s get to
the details…

8
Workload isolation

Picture taken from: https://clickhouse.com/blog/building-clickhouse-cloud-from-scratch-in-a-year

9
Workload Isolation - ClickPipes

ClickHouse

ClickPipe

10
Console Certificate Authentication

Username & Password

11
Console Certificate Authentication
SQLConsole/Arctype

Username & Password

12
Say NO to passing client
credentials where we can!

13
14
How cert-auth works end to end with ClickHouse for HTTP Protocol?

Client establishes TLS


with a client cert with specific
Common Name(CN)

Server check validity of client certificate Terminate if certificate


against configured CA chained certificate validation fails or expired

Client send query over HTTP


request with header contains
username

Server check against the database for the Fail if CN or username not
username & the common name (CN) of the matching or user does not have
certificate enough grant

All is good - execute the query

15 15
Console Certificate Authentication - high level design

16 16
Customer Managed
Encryption Key aka
BYOK(Bring Your Own Key)
● Support for AWS KMS(Key Management
System) with GKS and AKS support
coming soon.
● Advanced protection over data at rest
by allowing users to manage keys that
control encryption/decryption of data
● Making use of envelope encryption
technique to enable multi-cloud support
& reduce operational overhead

17
Question?

https://trust.clickhouse.com/

18

You might also like