
Security in ClickHouse Cloud

San Tran

Dec, 2023
Speakers

San Tran, Application/Product security dude
01 ClickHouse Cloud security features journey
Timeline

Dec 2022
● IP Filtering
● Username & password for authentication 😅
● Workload isolation & security controls inside K8s & Cloud environment

March 2023 (GA Launch)
● MFA
● Private Link
● SQLConsole using Certificate Authentication

June 2023
● Customer Managed Encryption Key (CMEK)
● REST API security
● Secure S3 access

Dec 2023 (GCP Launch)
● ClickPipe data ingestion
● Self served Secure S3 & Private Link
● Auth0 migration in preparation for BYO SAML Identity Provider
02 Let’s get to the details…
Workload isolation

Picture taken from: https://clickhouse.com/blog/building-clickhouse-cloud-from-scratch-in-a-year

Workload Isolation - ClickPipes

(diagram: ClickHouse and ClickPipe workloads)
Console Certificate Authentication

(diagram: username & password flow)

Console Certificate Authentication

(diagram: SQLConsole/Arctype, username & password flow)
Say NO to passing client credentials where we can!
How does cert-auth work end to end with ClickHouse for the HTTP protocol?

1. The client establishes TLS with a client certificate that has a specific Common Name (CN).
2. The server checks the validity of the client certificate against the configured CA chain certificate; it terminates the connection if certificate validation fails or the certificate has expired.
3. The client sends the query over an HTTP request whose header contains the username.
4. The server checks the database for the username and the Common Name (CN) of the certificate; it fails the request if the CN and username do not match or the user does not have enough grants.
5. All is good: execute the query.
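The server-side half of the flow above (steps 2 to 5) as an added illustration, not code from the slides or from ClickHouse itself. It assumes the TLS layer has already validated the chain against the CA, takes the peer certificate in the dict layout Python's `ssl` module returns from `getpeercert()`, reads the username from ClickHouse's `X-ClickHouse-User` header, and uses a constructed in-memory user store in place of the database:

```python
import ssl
import time
from typing import Mapping, Optional

# Constructed user store standing in for the server-side database the slide
# mentions: username -> allowed certificate Common Name and granted privileges.
USER_DB = {
    "alice": {"cn": "alice.example.com", "grants": {"SELECT"}},
    "bob": {"cn": "bob.example.com", "grants": set()},
}


def certificate_common_name(peer_cert: Optional[Mapping], now: float) -> str:
    """Step 2: reject a missing or expired client certificate and return its CN.
    Chain validation against the configured CA is assumed to have been done by
    the TLS layer (e.g. an ssl.SSLContext with verify_mode=CERT_REQUIRED)."""
    if not peer_cert:
        raise PermissionError("no client certificate presented")
    if ssl.cert_time_to_seconds(peer_cert["notAfter"]) < now:
        raise PermissionError("client certificate expired")
    for rdn in peer_cert.get("subject", ()):  # getpeercert() subject layout
        for key, value in rdn:
            if key == "commonName":
                return value
    raise PermissionError("client certificate has no Common Name")


def authorize_query(peer_cert, headers: Mapping[str, str], required_grant: str,
                    now: Optional[float] = None) -> str:
    """Steps 3-4: bind the username from the HTTP header to the certificate CN,
    then check the user holds the grant the query needs. Returns the username."""
    now = time.time() if now is None else now
    cn = certificate_common_name(peer_cert, now)
    username = headers.get("X-ClickHouse-User")
    if not username:
        raise PermissionError("missing X-ClickHouse-User header")
    user = USER_DB.get(username)
    if user is None or user["cn"] != cn:
        # Deny without saying which half failed; the binding is the whole point.
        raise PermissionError("username does not match certificate CN")
    if required_grant not in user["grants"]:
        raise PermissionError(f"user lacks {required_grant} grant")
    return username


def decide(peer_cert, headers, required_grant, now=None) -> str:
    """Step 5 wrapper: 'allow:<user>' when every check passes, else 'deny:<reason>'."""
    try:
        return "allow:" + authorize_query(peer_cert, headers, required_grant, now)
    except PermissionError as exc:
        return "deny:" + str(exc)
```

The important property is that a valid certificate alone is not enough: the username in the header must be the one bound to that certificate's CN, and that user must still hold the grant.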
Console Certificate Authentication - high level design
Customer Managed Encryption Key aka BYOK (Bring Your Own Key)

● Support for AWS KMS (Key Management System), with GKS and AKS support coming soon.
● Advanced protection over data at rest by allowing users to manage the keys that control encryption/decryption of data.
● Making use of the envelope encryption technique to enable multi-cloud support & reduce operational overhead.
Questions?

https://trust.clickhouse.com/