Chapter 13. Security

In the Information Age, data is one of the world’s most valuable commodities. It can confer competitive advantage through enhanced operational intelligence, and it is often subject to the most stringent privacy regulations. Databases are frequently the target of data theft, ransomware attacks, and data tampering.

CockroachDB supports industrial-strength security features that protect your database from malicious attacks and, to some degree, from human error and application bugs.

A well-secured CockroachDB deployment uses defense in depth: multiple independent layers of protection, so that a single misconfiguration or compromised credential does not by itself expose the data. These layers include:

  • Firewall rules that restrict cluster connections to known and trusted network addresses.

  • Transport Layer Security (TLS) encryption in flight, which prevents disclosure of data in transit between clients and nodes and between the nodes themselves. TLS certificate authentication also defeats man-in-the-middle attacks and provides a level of client authentication.

  • Encryption at rest: an enterprise feature that encrypts data files on disk, so that a stolen disk or copied data directory is not readable without the key.

  • A variety of authentication mechanisms to determine a user’s identity, including username/password, key file, Kerberos, and OAuth.

  • A role-based authorization system that controls access to data and to system commands.

  • Logging options that allow user access to be tracked. Standard logging records authentication events and SQL executions, while audit logging allows for fine-grained tracking ...
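The authorization and audit-logging layers above are the two a database administrator exercises most often in SQL, so here is an added example (written for this edit, not code from the book or from Cockroach Labs) that applies least privilege to a hypothetical `bank.accounts` table. The database, table, role `analyst`, user `alice`, and the password are all assumptions for illustration; the statements themselves are CockroachDB SQL.

```sql
-- Constructed schema for the example (hypothetical names).
CREATE DATABASE IF NOT EXISTS bank;
CREATE TABLE IF NOT EXISTS bank.accounts (
    id      INT PRIMARY KEY,
    owner   STRING NOT NULL,
    balance DECIMAL NOT NULL
);

-- Least privilege: grant permissions to a role, never directly to people,
-- so that changing a person's job only means changing their role membership.
CREATE ROLE IF NOT EXISTS analyst;
GRANT SELECT ON TABLE bank.accounts TO analyst;   -- read only; no INSERT/UPDATE/DELETE

-- A human user with password authentication (the password here is a placeholder
-- assumption; in practice prefer client certificates or a managed secret).
CREATE USER IF NOT EXISTS alice WITH PASSWORD 'change-me-before-use';
GRANT analyst TO alice;

-- Verify the effective privileges rather than trusting the intent:
-- alice should appear only through the analyst role, with SELECT alone.
SHOW GRANTS ON TABLE bank.accounts;
SHOW GRANTS FOR alice;

-- Audit logging (fine-grained tracking of access to sensitive tables):
-- every read and write of bank.accounts is written to the SQL audit log,
-- including the executing user and the statement.
ALTER TABLE bank.accounts EXPERIMENTAL_AUDIT SET READ WRITE;

-- Offboarding is a single revocation of the role membership;
-- the table grants on the role stay intact for the remaining analysts.
REVOKE analyst FROM alice;
```

Two practitioner checks are worth building into such a script: run the `SHOW GRANTS` statements as part of deployment and fail the deploy if a user holds a privilege outside its role, and confirm that the audit log entries actually arrive at the log sink before relying on them for incident response.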
