
Commit 336c80f

Merge remote-tracking branch 'origin/main' into DOC-13899
2 parents d0f7710 + 32d6c21 commit 336c80f

6 files changed: 27 additions and 30 deletions

src/current/cockroachcloud/compliance.md

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -15,7 +15,7 @@ CockroachDB {{ site.data.products.cloud }} meets or exceeds the requirements of
1515

1616
## PCI DSS
1717

18-
CockroachDB {{ site.data.products.advanced }} has been certified by a PCI Qualified Security Assessor (QSA) as a PCI DSS Level 1 Service Provider. When configured appropriately, CockroachDB {{ site.data.products.advanced }} meets the requirements of PCI DSS 3.2.1. PCI DSS is mandated by credit card issuers but administered by the [Payment Card Industry Security Standards Council](https://www.pcisecuritystandards.org/). Many organizations that do not store cardholder data still rely on compliance with PCI DSS to help protect other sensitive or confidential data or metadata.
18+
CockroachDB {{ site.data.products.advanced }} has been certified by a PCI Qualified Security Assessor (QSA) as a PCI DSS Level 1 Service Provider. When configured appropriately, CockroachDB {{ site.data.products.advanced }} meets the requirements of PCI DSS 4.0. PCI DSS is mandated by credit card issuers but administered by the [Payment Card Industry Security Standards Council](https://www.pcisecuritystandards.org/). Many organizations that do not store cardholder data still rely on compliance with PCI DSS to help protect other sensitive or confidential data or metadata.
1919

2020
Features to support PCI DSS are not yet available on Azure.
2121
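Review bot: the version string on line 18+ ("PCI DSS 4.0") should match what the attestation actually names; the pci-dss.md hunk in this same commit links to a "v4-0-1" ROC/AOC template while also saying "4.0", so pick one label and use it on both pages. The rest of the sentence (Level 1 Service Provider, QSA-assessed) is unchanged and fine, and the Azure caveat on line 20 still reads correctly against the new version.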

src/current/cockroachcloud/egress-perimeter-controls.md

Lines changed: 1 addition & 1 deletion
@@ -35,7 +35,7 @@ Regardless of user-specific Egress Perimeter Control policy, egress is always pe
3535
## Before you begin
3636

3737
- Egress Perimeter Controls are supported on AWS and GCP for the following deployment types:
38-
- CockroachDB {{ site.data.products.advanced }} clusters with [enhanced security features]({% link cockroachcloud/create-an-advanced-cluster.md %}#step-6-configure-advanced-security-features).
38+
- CockroachDB {{ site.data.products.advanced }} clusters with [advanced security features]({% link cockroachcloud/create-an-advanced-cluster.md %}#step-6-configure-advanced-security-features).
3939
- CockroachDB {{ site.data.products.advanced }} [Private Clusters]({% link cockroachcloud/private-clusters.md %}).
4040

4141
Egress Perimeter Controls are not supported for CockroachDB {{ site.data.products.advanced }} on Azure.
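Review bot: line 38+ is a rename only ("enhanced" to "advanced"), and the anchor `#step-6-configure-advanced-security-features` already used the new name, so that part is consistent. But line 39 still lists Private Clusters as a second, separate supported deployment type, while the pci-dss.md hunk in this commit describes private networking (no public node IPs, cluster-specific NAT gateway) as something advanced security features configure. If private clusters are now a property of advanced security rather than an independent option, fold line 39 into line 38 or state the relationship; as written a reader cannot tell whether one or both are required for Egress Perimeter Controls.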

src/current/cockroachcloud/insights-page.md

Lines changed: 1 addition & 1 deletion
@@ -23,4 +23,4 @@ Viewing the insights page requires the [Cluster Admin]({% link cockroachcloud/au
2323

2424
- [Statements page]({% link cockroachcloud/statements-page.md %})
2525
- [Transactions page]({% link cockroachcloud/transactions-page.md %})
26-
- [Databases page]({% link cockroachcloud/databases-page.md %})
26+
- [Databases page]({% link cockroachcloud/databases-page.md %})
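Review bot: lines 26- and 26+ render identically, so this hunk is a whitespace-only change, most likely a trailing newline or trailing space at end of file. Confirm it is intentional; if it came from an editor auto-fix, keep it out of the merge so the docs diff stays reviewable.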

src/current/cockroachcloud/pci-dss.md

Lines changed: 19 additions & 22 deletions
@@ -24,7 +24,7 @@ Features to support PCI DSS are not yet available on Azure. Refer to [CockroachD
2424

2525
## Overview of PCI DSS
2626

27-
When a system complies with PCI DSS, the system meets the goals of the standard by implementing a series of requirements, as assessed by an independent PCI QSA. The following table, which is published in Payment Card Industry Security Standards Council's [PCI DSS Quick Reference Guide, version 3.2.1](https://listings.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf), summarizes the goals and requirements of PCI DSS.
27+
When a system complies with PCI DSS, the system meets the goals of the standard by implementing a series of requirements, as assessed by an independent PCI QSA. The following table, which is published in Payment Card Industry Security Standards Council's [PCI DSS Quick Reference Guide, version 4.x](https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Supporting%20Document/PCI-DSS-v4_x-QRG.pdf), summarizes the goals and requirements of PCI DSS.
2828

2929
<table>
3030
<tgroup cols="2">
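Review bot: line 27+ labels the linked guide "version 4.x" while the surrounding prose on this page says "4.0"; use one version label throughout. The new link also moves from the `listings.pcisecuritystandards.org` host used elsewhere on the page to `docs-prv.pcisecuritystandards.org`; confirm that URL is stable and publicly reachable before it ships, since the old QRG link was a plain document-library listing.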
@@ -38,31 +38,31 @@ When a system complies with PCI DSS, the system meets the goals of the standard
3838
<tr>
3939
<td>Build and maintain a secure network and systems.</td>
4040
<td><ol>
41-
<li>Install and maintain a firewall configuration to protect cardholder data.</li>
42-
<li>Do not use vendor-supplied defaults for system passwords and other security parameters.</li>
41+
<li>Install and maintain network security controls.</li>
42+
<li>Apply secure configurations to all system components.</li>
4343
</ol>
4444
</td>
4545
</tr>
4646
<tr>
47-
<td>Protect cardholder data.</td>
47+
<td>Protect account data.</td>
4848
<td><ol start="3">
49-
<li>Protect stored cardholder data.</li>
50-
<li>Encrypt transmission of cardholder data across open, public networks.</li>
49+
<li>Protect stored account data.</li>
50+
<li>Protect cardholder data with strong cryptography during transmission over open, public networkss.</li>
5151
</ol>
5252
</td>
5353
</tr>
5454
<tr>
5555
<td>Maintain a vulnerability management program.</td>
5656
<td><ol start="5">
57-
<li>Protect all systems against malware and regularly update antivirus software or programs.</li>
57+
<li>Protect all systems and networks from malicious software.</li>
5858
<li>Develop and maintain secure systems and applications.</li>
5959
</ol>
6060
</td>
6161
</tr>
6262
<tr>
6363
<td>Implement strong access control measures.</td>
6464
<td><ol start="7">
65-
<li>Restrict access to cardholder data by business need to know.</li>
65+
<li>Restrict access to system components and cardholder data by business need to know.</li>
6666
<li>Identify and authenticate access to system components.</li>
6767
<li>Restrict physical access to cardholder data.</li>
6868
</ol>
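Review bot: line 50+ has a typo, "networkss" should be "networks". Two requirement titles in the unchanged context still carry the v3.2.1 wording even though the table is now presented as the v4 QRG table: line 58 "Develop and maintain secure systems and applications" is "Develop and maintain secure systems and software" in v4, and line 66 "Identify and authenticate access to system components" is "Identify users and authenticate access to system components". Update both in the same pass so requirements 1 through 12 are uniformly v4 titles.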
@@ -71,37 +71,36 @@ When a system complies with PCI DSS, the system meets the goals of the standard
7171
<tr>
7272
<td>Regularly monitor and test networks.</td>
7373
<td><ol start="10">
74-
<li>Track and monitor all access to network resources and cardholder data.</li>
75-
<li>Regularly test security systems and processes.</li>
74+
<li>Log and monitor all access to system components and cardholder data.</li>
75+
<li>Test security of systems and networks regularly.</li>
7676
</ol>
7777
</td>
7878
</tr>
7979
<tr>
8080
<td>Maintain an information security policy.</td>
8181
<td><ol start="12">
82-
<li>Maintain a policy that addresses information security for all personnel.</li>
82+
<li>Support information security with organizational policies and programs.</li>
8383
</td>
8484
</tr>
8585
</tbody>
8686
</tgroup>
8787
</table>
8888

89-
CockroachDB {{ site.data.products.advanced }} is certified by a PCI QSA to be compliant with [PCI DSS 3.2.1](https://listings.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.pdf) within the DBaaS platform. Customers are still responsible to ensure that their applications are PCI DSS compliant. Customers may need to take the additional actions outlined in [Responsibilities of the customer](#responsibilities-of-the-customer) to maintain their own PCI compliance when using CockroachDB {{ site.data.products.advanced }} clusters for cardholder data or other sensitive data.
89+
CockroachDB {{ site.data.products.advanced }} is certified by a PCI QSA to be compliant with [PCI DSS 4.0](https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Reporting%20Template%20or%20Form/PCI-DSS-v4-0-1-ROC-AOC-Merchants.pdf) within the DBaaS platform. Customers are still responsible to ensure that their applications are PCI DSS compliant. Customers may need to take the additional actions outlined in [Responsibilities of the customer](#responsibilities-of-the-customer) to maintain their own PCI compliance when using CockroachDB {{ site.data.products.advanced }} clusters for cardholder data or other sensitive data.
9090

9191
## Responsibilities of Cockroach Labs
9292

93-
Cockroach Labs takes actions to ensure that the operating procedures and the deployment environment for CockroachDB {{ site.data.products.advanced }} clusters meet or exceed the requirements of PCI DSS 3.2.1. Some of these actions include:
93+
Cockroach Labs takes actions to ensure that the operating procedures and the deployment environment for CockroachDB {{ site.data.products.advanced }} clusters meet or exceed the requirements of PCI DSS 4.0. Some of these actions include:
9494

9595
- Enforcing comprehensive security policies and standards.
9696
- Providing periodic security training for all Cockroach Labs employees.
9797
- Hardening our operating environments and networks according to industry standards and recommended practices, to ensure that they are secure and resilient against vulnerabilities and attacks.
9898
- Encrypting cluster data and metadata at rest and in transit.
99-
- Regularly scanning our environment using tools designated by PCI as [Approved Scanning Vendors (ASVs)](https://www.pcidssguide.com/what-is-a-pci-approved-scanning-vendor-asv/) to ensure our continued compliance with PCI DSS 3.2.1, and correcting issues as quickly as possible.
100-
- Regularly scanning our environment and software for known security vulnerabilities and applying updates and security patches in a timely manner.
99+
- Regularly scanning our environment using tools designated by PCI as [Approved Scanning Vendors (ASVs)](https://www.pcidssguide.com/what-is-a-pci-approved-scanning-vendor-asv/) to ensure our continued compliance with PCI DSS 4.0, by correcting issues and patching known security vulnerabilities as quickly as possible.
101100
- Implementing [data loss prevention (DLP)](https://pcidss.com/listing-category/data-loss-protection-dlp).
102101
- [Logging]({% link cockroachcloud/cloud-org-audit-logs.md %}) cluster actions and events, redacting sensitive information in audit logs, and retaining audit logs according to the [PCI DSS logging requirements](https://listings.pcisecuritystandards.org/documents/Effective-Daily-Log-Monitoring-Guidance.pdf).
103102

104-
A comprehensive list of all actions that Cockroach Labs takes to ensure compliance with PCI DSS 3.2.1 is beyond the scope of this document. For more information, contact your Cockroach Labs account team.
103+
A comprehensive list of all actions that Cockroach Labs takes to ensure compliance with PCI DSS 4.0 is beyond the scope of this document. For more information, contact your Cockroach Labs account team.
105104

106105
Compliance is a shared responsibility. Be sure to read [Responsibilities of the customer](#responsibilities-of-the-customer) to support you in maintaining your own PCI DSS compliance within your cluster.
107106

@@ -113,24 +112,22 @@ It is the customer’s responsibility to know what is required for your complian
113112

114113
A CockroachDB {{ site.data.products.advanced }} cluster must have the following features enabled to be used in a PCI DSS compliant manner:
115114

116-
- The cluster must be created as a CockroachDB {{ site.data.products.advanced }} [private cluster]({% link cockroachcloud/private-clusters.md %}). A private cluster's nodes have no public IP addresses, and its egress traffic moves over private subnets and through a highly-available NAT gateway that is unique to the cluster. An existing cluster cannot be migrated to be a private cluster.
117-
- The cluster must be created with [enhanced security features]({% link cockroachcloud/create-an-advanced-cluster.md %}). Enhanced security features cannot be changed after the cluster is created.
115+
- The cluster must be created as a CockroachDB {{ site.data.products.advanced }} cluster with [advanced security features]({% link cockroachcloud/create-an-advanced-cluster.md %}#step-6-configure-advanced-security-features) enabled. This configures the cluster such that its nodes have no public IP addresses, and its egress traffic moves over private subnets and through a highly-available NAT gateway that is unique to the cluster. An existing {{ site.data.products.advanced }} cluster without advanced security features cannot be migrated into an {{ site.data.products.advanced }} cluster with advanced security, and vice-versa.
118116
- Single Sign-On (SSO) helps you avoid storing user passwords in CockroachDB {{ site.data.products.cloud }}:
119117

120118
- [Cloud Organization SSO]({% link cockroachcloud/configure-cloud-org-sso.md %}) allows members of your CockroachDB {{ site.data.products.cloud }} organization to authenticate to CockroachDB {{ site.data.products.cloud }} using an identity from an identity provider (IdP). This integration can be done using SAML or OIDC.
121119
- [Cluster SSO]({% link cockroachcloud/cloud-sso-sql.md %}) allows users to access the SQL interface of a CockroachDB cluster (whether provisioned on CockroachDB {{ site.data.products.cloud }} or self-hosted) with the full security of SSO, and the convenience of being able to choose from a variety of SSO identity providers, including CockroachDB {{ site.data.products.cloud }}, Google, Azure, GitHub, or your own self-hosted OIDC.
122120

123-
- Enable [Customer-Managed Encryption Keys (CMEK)]({% link cockroachcloud/cmek.md %}), which allow you to protect data at rest in a CockroachDB {{ site.data.products.dedicated }} cluster using a cryptographic key that is entirely within your control, hosted in a supported key-management system (KMS) platform. It enables file-based encryption of all new or updated data, and provides additional protection on top of the storage-level encryption of cluster disks.
121+
- Enable [Customer-Managed Encryption Keys (CMEK)]({% link cockroachcloud/cmek.md %}), which allow you to protect data at rest in a CockroachDB {{ site.data.products.advanced }} cluster using a cryptographic key that is entirely within your control, hosted in a supported key-management system (KMS) platform. It enables file-based encryption of all new or updated data, and provides additional protection on top of the storage-level encryption of cluster disks.
124122
- Enable [Egress Perimeter Controls]({% link cockroachcloud/egress-perimeter-controls.md %}), which ensure that cluster egress operations, such as [self-managed cluster backups]({% link cockroachcloud/take-and-restore-self-managed-backups.md %}) or [change data capture]({% link {{ site.current_cloud_version }}/change-data-capture-overview.md %}), are restricted to a list of specified external destinations.
125-
- [Cluster log exports]({% link cockroachcloud/export-logs.md %}) must have the redaction feature enabled to prevent the exposure of sensitive data in logs exported to your instance of Amazon CloudWatch or GCP Cloud Logging.
123+
- Use [cluster log exports]({% link cockroachcloud/export-logs-advanced.md %}) to automatically capture detailed information about queries being executed in your cluster. You must have the redaction feature enabled to prevent the exposure of sensitive data in logs exported to your instance of Amazon CloudWatch or GCP Cloud Logging. (Refer to the `redact` setting under [Enable log export]({% link cockroachcloud/export-logs-advanced.md %}#enable-log-export).)
126124
- [Cloud Organization audit logs]({% link cockroachcloud/cloud-org-audit-logs.md %}) automatically capture information when many types of events occur in your CockroachDB {{ site.data.products.cloud }} organization, such as when a cluster is created or when a member is added to or removed from an organization. You can export your CockroachDB {{ site.data.products.cloud }} organization's audit logs to analyze usage patterns and investigate security incidents.
127-
- [Cluster audit log export]({% link cockroachcloud/export-logs.md %}) automatically capture detailed information about queries being executed in your cluster.
128125

129126
Cockroach Labs cannot provide specific advice about ensuring end-to-end compliance of your overall system with PCI DSS or how to implement a specific requirement across all operating environments. The following are additional guidelines for a cluster to be used in a PCI DSS compliant manner:
130127

131128
- Before you insert cardholder data into the cluster, protect it by a combination of encryption, hashing, masking, and truncation. For an example implementation, refer to [Integrate CockroachDB {{ site.data.products.advanced }} with Satori]({% link {{ site.current_cloud_version }}/satori-integration.md %}).
132129
- The cryptographic materials used to protect cardholder data must themselves be protected at rest and in transit, and access to the unencrypted key materials must be strictly limited only to approved individuals.
133-
- Within the cluster, restrict access to cardholder data on a “need to know basis” basis. Access to tables and views in the cluster that contain cardholder data must be restricted, and you are responsible to regularly test for compliance. Refer to [Authorization]({% link {{ site.current_cloud_version }}/authorization.md %}).
130+
- Within the cluster, restrict access to cardholder data in a manner consistent with the [principle of least privilege](https://wikipedia.org/wiki/Principle_of_least_privilege). Access to tables and views in the cluster that contain cardholder data must be restricted, and you are responsible to regularly test for compliance. Refer to [Authorization]({% link {{ site.current_cloud_version }}/authorization.md %}).
134131
- Protect networks that transmit cardholder data from malicious access over the public internet, and regularly test for compliance. For more information about protecting the cluster’s networks, refer to [Network Authorization]({% link cockroachcloud/network-authorization.md %}).
135132
- Important security and stability updates are applied regularly and automatically to CockroachDB {{ site.data.products.advanced }} clusters. These updates include, but are not limited to, the cluster’s CockroachDB runtime, the operating systems of cluster nodes, APIs, and management utilities. Customers are notified about upcoming cluster maintenance before it happens, when it starts, and when it completes.
136133
- If your cluster is part of a solution that includes external systems and applications that store or process cardholder data, it is your responsibility to ensure that these systems and applications, as well as their dependencies, are compliant with PCI DSS. You are responsible for regularly testing these systems and applications for known vulnerabilities and compliance violations and regularly applying updates and mitigations.
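Review bot: line 115+ writes `{{ site.data.products.advanced }}` twice without the "CockroachDB" prefix used everywhere else on the page, and "vice-versa" should be "vice versa". The list is introduced on line 113 as features that "must" be enabled, but the rewritten line 123+ now opens as advice ("Use cluster log exports ...") with the actual requirement, `redact` enabled, in the second sentence; lead with the requirement so it reads like the other mandatory bullets. Dropping line 127- is fine since its content (capturing query activity) is now in line 123+, and the CMEK fix on line 121+ (dedicated to advanced) is correct.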
