src/current/cockroachcloud/compliance.md
Lines changed: 1 addition & 1 deletion
@@ -15,7 +15,7 @@ CockroachDB {{ site.data.products.cloud }} meets or exceeds the requirements of
15
15
16
16
## PCI DSS
17
17
18
-
CockroachDB {{ site.data.products.advanced }} has been certified by a PCI Qualified Security Assessor (QSA) as a PCI DSS Level 1 Service Provider. When configured appropriately, CockroachDB {{ site.data.products.advanced }} meets the requirements of PCI DSS 3.2.1. PCI DSS is mandated by credit card issuers but administered by the [Payment Card Industry Security Standards Council](https://www.pcisecuritystandards.org/). Many organizations that do not store cardholder data still rely on compliance with PCI DSS to help protect other sensitive or confidential data or metadata.
18
+
CockroachDB {{ site.data.products.advanced }} has been certified by a PCI Qualified Security Assessor (QSA) as a PCI DSS Level 1 Service Provider. When configured appropriately, CockroachDB {{ site.data.products.advanced }} meets the requirements of PCI DSS 4.0. PCI DSS is mandated by credit card issuers but administered by the [Payment Card Industry Security Standards Council](https://www.pcisecuritystandards.org/). Many organizations that do not store cardholder data still rely on compliance with PCI DSS to help protect other sensitive or confidential data or metadata.
19
19
20
20
Features to support PCI DSS are not yet available on Azure.
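Review bot: the version string in this hunk should match the certification documents cited elsewhere in the same change. This file now says "PCI DSS 4.0", while pci-dss.md in the same change links a "version 4.x" quick reference guide and a v4.0.1 ROC/AOC template. PCI DSS 4.0 has since been superseded by 4.0.1, so either state the exact version that appears on the current Attestation of Compliance here or use "4.x" consistently in both files; mixing "4.0", "4.x" and a 4.0.1 link invites a reader to ask which one the QSA actually assessed.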
src/current/cockroachcloud/pci-dss.md
Lines changed: 19 additions & 22 deletions
@@ -24,7 +24,7 @@ Features to support PCI DSS are not yet available on Azure. Refer to [CockroachD
24
24
25
25
## Overview of PCI DSS
26
26
27
-
When a system complies with PCI DSS, the system meets the goals of the standard by implementing a series of requirements, as assessed by an independent PCI QSA. The following table, which is published in Payment Card Industry Security Standards Council's [PCI DSS Quick Reference Guide, version 3.2.1](https://listings.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf), summarizes the goals and requirements of PCI DSS.
27
+
When a system complies with PCI DSS, the system meets the goals of the standard by implementing a series of requirements, as assessed by an independent PCI QSA. The following table, which is published in Payment Card Industry Security Standards Council's [PCI DSS Quick Reference Guide, version 4.x](https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Supporting%20Document/PCI-DSS-v4_x-QRG.pdf), summarizes the goals and requirements of PCI DSS.
28
28
29
29
<table>
30
30
<tgroupcols="2">
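Review bot: "version 4.x" here does not match "PCI DSS 4.0" used later in this file (new lines 89 and 93) and in compliance.md; pick one form. The paragraph also states that the table below "is published in" the linked guide, and the next hunk rewrites the table cells, so confirm each cell is the verbatim requirement title from the v4.x guide rather than a paraphrase, otherwise this sentence over-claims.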
@@ -38,31 +38,31 @@ When a system complies with PCI DSS, the system meets the goals of the standard
38
38
<tr>
39
39
<td>Build and maintain a secure network and systems.</td>
40
40
<td><ol>
41
-
<li>Install and maintain a firewall configuration to protect cardholder data.</li>
42
-
<li>Do not use vendor-supplied defaults for system passwords and other security parameters.</li>
41
+
<li>Install and maintain network security controls.</li>
42
+
<li>Apply secure configurations to all system components.</li>
43
43
</ol>
44
44
</td>
45
45
</tr>
46
46
<tr>
47
-
<td>Protect cardholder data.</td>
47
+
<td>Protect account data.</td>
48
48
<td><olstart="3">
49
-
<li>Protect stored cardholder data.</li>
50
-
<li>Encrypt transmission of cardholder data across open, public networks.</li>
49
+
<li>Protect stored account data.</li>
50
+
<li>Protect cardholder data with strong cryptography during transmission over open, public networkss.</li>
51
51
</ol>
52
52
</td>
53
53
</tr>
54
54
<tr>
55
55
<td>Maintain a vulnerability management program.</td>
56
56
<td><olstart="5">
57
-
<li>Protect all systems against malware and regularly update antivirus software or programs.</li>
57
+
<li>Protect all systems and networks from malicious software.</li>
58
58
<li>Develop and maintain secure systems and applications.</li>
59
59
</ol>
60
60
</td>
61
61
</tr>
62
62
<tr>
63
63
<td>Implement strong access control measures.</td>
64
64
<td><olstart="7">
65
-
<li>Restrict access to cardholder data by business need to know.</li>
65
+
<li>Restrict access to system components and cardholder data by business need to know.</li>
66
66
<li>Identify and authenticate access to system components.</li>
67
67
<li>Restrict physical access to cardholder data.</li>
68
68
</ol>
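Review bot: typo on new line 50, "networkss" should be "networks". Two cells that this hunk leaves unchanged still carry the 3.2.1 wording while their neighbours were updated to the 4.0 requirement titles: line 58 "Develop and maintain secure systems and applications" (4.0 title: "Develop and maintain secure systems and software") and line 66 "Identify and authenticate access to system components" (4.0 title: "Identify users and authenticate access to system components"). Update both so the table matches the guide the paragraph above says it is copied from.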
@@ -71,37 +71,36 @@ When a system complies with PCI DSS, the system meets the goals of the standard
71
71
<tr>
72
72
<td>Regularly monitor and test networks.</td>
73
73
<td><olstart="10">
74
-
<li>Track and monitor all access to network resources and cardholder data.</li>
75
-
<li>Regularly test security systems and processes.</li>
74
+
<li>Log and monitor all access to system components and cardholder data.</li>
75
+
<li>Test security of systems and networks regularly.</li>
76
76
</ol>
77
77
</td>
78
78
</tr>
79
79
<tr>
80
80
<td>Maintain an information security policy.</td>
81
81
<td><olstart="12">
82
-
<li>Maintain a policy that addresses information security for all personnel.</li>
82
+
<li>Support information security with organizational policies and programs.</li>
83
83
</td>
84
84
</tr>
85
85
</tbody>
86
86
</tgroup>
87
87
</table>
88
88
89
-
CockroachDB {{ site.data.products.advanced }} is certified by a PCI QSA to be compliant with [PCI DSS 3.2.1](https://listings.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.pdf) within the DBaaS platform. Customers are still responsible to ensure that their applications are PCI DSS compliant. Customers may need to take the additional actions outlined in [Responsibilities of the customer](#responsibilities-of-the-customer) to maintain their own PCI compliance when using CockroachDB {{ site.data.products.advanced }} clusters for cardholder data or other sensitive data.
89
+
CockroachDB {{ site.data.products.advanced }} is certified by a PCI QSA to be compliant with [PCI DSS 4.0](https://docs-prv.pcisecuritystandards.org/PCI%20DSS/Reporting%20Template%20or%20Form/PCI-DSS-v4-0-1-ROC-AOC-Merchants.pdf) within the DBaaS platform. Customers are still responsible to ensure that their applications are PCI DSS compliant. Customers may need to take the additional actions outlined in [Responsibilities of the customer](#responsibilities-of-the-customer) to maintain their own PCI compliance when using CockroachDB {{ site.data.products.advanced }} clusters for cardholder data or other sensitive data.
90
90
91
91
## Responsibilities of Cockroach Labs
92
92
93
-
Cockroach Labs takes actions to ensure that the operating procedures and the deployment environment for CockroachDB {{ site.data.products.advanced }} clusters meet or exceed the requirements of PCI DSS 3.2.1. Some of these actions include:
93
+
Cockroach Labs takes actions to ensure that the operating procedures and the deployment environment for CockroachDB {{ site.data.products.advanced }} clusters meet or exceed the requirements of PCI DSS 4.0. Some of these actions include:
94
94
95
95
- Enforcing comprehensive security policies and standards.
96
96
- Providing periodic security training for all Cockroach Labs employees.
97
97
- Hardening our operating environments and networks according to industry standards and recommended practices, to ensure that they are secure and resilient against vulnerabilities and attacks.
98
98
- Encrypting cluster data and metadata at rest and in transit.
99
-
- Regularly scanning our environment using tools designated by PCI as [Approved Scanning Vendors (ASVs)](https://www.pcidssguide.com/what-is-a-pci-approved-scanning-vendor-asv/) to ensure our continued compliance with PCI DSS 3.2.1, and correcting issues as quickly as possible.
100
-
- Regularly scanning our environment and software for known security vulnerabilities and applying updates and security patches in a timely manner.
99
+
- Regularly scanning our environment using tools designated by PCI as [Approved Scanning Vendors (ASVs)](https://www.pcidssguide.com/what-is-a-pci-approved-scanning-vendor-asv/) to ensure our continued compliance with PCI DSS 4.0, by correcting issues and patching known security vulnerabilities as quickly as possible.
101
100
- Implementing [data loss prevention (DLP)](https://pcidss.com/listing-category/data-loss-protection-dlp).
102
101
-[Logging]({% link cockroachcloud/cloud-org-audit-logs.md %}) cluster actions and events, redacting sensitive information in audit logs, and retaining audit logs according to the [PCI DSS logging requirements](https://listings.pcisecuritystandards.org/documents/Effective-Daily-Log-Monitoring-Guidance.pdf).
103
102
104
-
A comprehensive list of all actions that Cockroach Labs takes to ensure compliance with PCI DSS 3.2.1 is beyond the scope of this document. For more information, contact your Cockroach Labs account team.
103
+
A comprehensive list of all actions that Cockroach Labs takes to ensure compliance with PCI DSS 4.0 is beyond the scope of this document. For more information, contact your Cockroach Labs account team.
105
104
106
105
Compliance is a shared responsibility. Be sure to read [Responsibilities of the customer](#responsibilities-of-the-customer) to support you in maintaining your own PCI DSS compliance within your cluster.
107
106
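Review bot: the link text on new line 89 says "PCI DSS 4.0" but the target is the v4.0.1 ROC/AOC template for merchants; the sentence is about a service-provider certification, so link the service-provider attestation (or the standard itself) and make the version in the text match the document linked. Separately, collapsing old lines 99 and 100 into new line 99 conflates two distinct controls: ASV scans are external network vulnerability scans run by an approved vendor, whereas scanning software for known vulnerabilities and applying patches is a separate activity that the old second bullet stated on its own. Keep that bullet, or reword the merged line so it does not read as if ASV scanning is what finds and fixes software vulnerabilities.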
@@ -113,24 +112,22 @@ It is the customer’s responsibility to know what is required for your complian
113
112
114
113
A CockroachDB {{ site.data.products.advanced }} cluster must have the following features enabled to be used in a PCI DSS compliant manner:
115
114
116
-
- The cluster must be created as a CockroachDB {{ site.data.products.advanced }} [private cluster]({% link cockroachcloud/private-clusters.md %}). A private cluster's nodes have no public IP addresses, and its egress traffic moves over private subnets and through a highly-available NAT gateway that is unique to the cluster. An existing cluster cannot be migrated to be a private cluster.
117
-
- The cluster must be created with [enhanced security features]({% link cockroachcloud/create-an-advanced-cluster.md %}). Enhanced security features cannot be changed after the cluster is created.
115
+
- The cluster must be created as a CockroachDB {{ site.data.products.advanced }} cluster with [advanced security features]({% link cockroachcloud/create-an-advanced-cluster.md %}#step-6-configure-advanced-security-features) enabled. This configures the cluster such that its nodes have no public IP addresses, and its egress traffic moves over private subnets and through a highly-available NAT gateway that is unique to the cluster. An existing {{ site.data.products.advanced }} cluster without advanced security features cannot be migrated into an {{ site.data.products.advanced }} cluster with advanced security, and vice-versa.
118
116
- Single Sign-On (SSO) helps you avoid storing user passwords in CockroachDB {{ site.data.products.cloud }}:
119
117
120
118
-[Cloud Organization SSO]({% link cockroachcloud/configure-cloud-org-sso.md %}) allows members of your CockroachDB {{ site.data.products.cloud }} organization to authenticate to CockroachDB {{ site.data.products.cloud }} using an identity from an identity provider (IdP). This integration can be done using SAML or OIDC.
121
119
-[Cluster SSO]({% link cockroachcloud/cloud-sso-sql.md %}) allows users to access the SQL interface of a CockroachDB cluster (whether provisioned on CockroachDB {{ site.data.products.cloud }} or self-hosted) with the full security of SSO, and the convenience of being able to choose from a variety of SSO identity providers, including CockroachDB {{ site.data.products.cloud }}, Google, Azure, GitHub, or your own self-hosted OIDC.
122
120
123
-
- Enable [Customer-Managed Encryption Keys (CMEK)]({% link cockroachcloud/cmek.md %}), which allow you to protect data at rest in a CockroachDB {{ site.data.products.dedicated }} cluster using a cryptographic key that is entirely within your control, hosted in a supported key-management system (KMS) platform. It enables file-based encryption of all new or updated data, and provides additional protection on top of the storage-level encryption of cluster disks.
121
+
- Enable [Customer-Managed Encryption Keys (CMEK)]({% link cockroachcloud/cmek.md %}), which allow you to protect data at rest in a CockroachDB {{ site.data.products.advanced }} cluster using a cryptographic key that is entirely within your control, hosted in a supported key-management system (KMS) platform. It enables file-based encryption of all new or updated data, and provides additional protection on top of the storage-level encryption of cluster disks.
124
122
- Enable [Egress Perimeter Controls]({% link cockroachcloud/egress-perimeter-controls.md %}), which ensure that cluster egress operations, such as [self-managed cluster backups]({% link cockroachcloud/take-and-restore-self-managed-backups.md %}) or [change data capture]({% link {{ site.current_cloud_version }}/change-data-capture-overview.md %}), are restricted to a list of specified external destinations.
125
-
-[Cluster log exports]({% link cockroachcloud/export-logs.md %}) must have the redaction feature enabled to prevent the exposure of sensitive data in logs exported to your instance of Amazon CloudWatch or GCP Cloud Logging.
123
+
-Use [cluster log exports]({% link cockroachcloud/export-logs-advanced.md %}) to automatically capture detailed information about queries being executed in your cluster. You must have the redaction feature enabled to prevent the exposure of sensitive data in logs exported to your instance of Amazon CloudWatch or GCP Cloud Logging. (Refer to the `redact` setting under [Enable log export]({% link cockroachcloud/export-logs-advanced.md %}#enable-log-export).)
126
124
-[Cloud Organization audit logs]({% link cockroachcloud/cloud-org-audit-logs.md %}) automatically capture information when many types of events occur in your CockroachDB {{ site.data.products.cloud }} organization, such as when a cluster is created or when a member is added to or removed from an organization. You can export your CockroachDB {{ site.data.products.cloud }} organization's audit logs to analyze usage patterns and investigate security incidents.
127
-
-[Cluster audit log export]({% link cockroachcloud/export-logs.md %}) automatically capture detailed information about queries being executed in your cluster.
128
125
129
126
Cockroach Labs cannot provide specific advice about ensuring end-to-end compliance of your overall system with PCI DSS or how to implement a specific requirement across all operating environments. The following are additional guidelines for a cluster to be used in a PCI DSS compliant manner:
130
127
131
128
- Before you insert cardholder data into the cluster, protect it by a combination of encryption, hashing, masking, and truncation. For an example implementation, refer to [Integrate CockroachDB {{ site.data.products.advanced }} with Satori]({% link {{ site.current_cloud_version }}/satori-integration.md %}).
132
129
- The cryptographic materials used to protect cardholder data must themselves be protected at rest and in transit, and access to the unencrypted key materials must be strictly limited only to approved individuals.
133
-
- Within the cluster, restrict access to cardholder data on a “need to know basis” basis. Access to tables and views in the cluster that contain cardholder data must be restricted, and you are responsible to regularly test for compliance. Refer to [Authorization]({% link {{ site.current_cloud_version }}/authorization.md %}).
130
+
- Within the cluster, restrict access to cardholder data in a manner consistent with the [principle of least privilege](https://wikipedia.org/wiki/Principle_of_least_privilege). Access to tables and views in the cluster that contain cardholder data must be restricted, and you are responsible to regularly test for compliance. Refer to [Authorization]({% link {{ site.current_cloud_version }}/authorization.md %}).
134
131
- Protect networks that transmit cardholder data from malicious access over the public internet, and regularly test for compliance. For more information about protecting the cluster’s networks, refer to [Network Authorization]({% link cockroachcloud/network-authorization.md %}).
135
132
- Important security and stability updates are applied regularly and automatically to CockroachDB {{ site.data.products.advanced }} clusters. These updates include, but are not limited to, the cluster’s CockroachDB runtime, the operating systems of cluster nodes, APIs, and management utilities. Customers are notified about upcoming cluster maintenance before it happens, when it starts, and when it completes.
136
133
- If your cluster is part of a solution that includes external systems and applications that store or process cardholder data, it is your responsibility to ensure that these systems and applications, as well as their dependencies, are compliant with PCI DSS. You are responsible for regularly testing these systems and applications for known vulnerabilities and compliance violations and regularly applying updates and mitigations.
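Review bot: new line 130 replaces "need to know" with a generic least-privilege link, but Requirement 7 as rendered on new line 65 of this same change is "Restrict access to system components and cardholder data by business need to know", and that is the term an assessor will look for; keep "business need to know" and cite least privilege in addition rather than instead. On new line 115, "An existing {{ site.data.products.advanced }} cluster" drops the "CockroachDB" prefix used everywhere else in the file, and "cannot be migrated into an ... cluster with advanced security, and vice-versa" reads awkwardly; suggest "cannot be converted to a cluster with advanced security features enabled, or vice versa". Also worth a sentence on new line 123: say what the `redact` setting actually removes from exported logs, since the bullet now positions log export as a query-capture feature and a reader could assume query literals are kept.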