ClickHouse Cloud Security

This document details the security options and best practices available for ClickHouse organization and service protection. ClickHouse is dedicated to providing secure analytical database solutions; therefore, safeguarding data and service integrity is a priority. The information herein covers various methods designed to assist users in securing their ClickHouse environments.

Cloud Console Authentication

Password Authentication

ClickHouse Cloud console passwords are configured to NIST 800-63B standards with a minimum of 12 characters and 3 of 4 complexity requirements: upper case characters, lower case characters, numbers and/or special characters.

Learn more about password authentication.

ClickHouse Cloud supports Google or Microsoft social authentication for single sign-on (SSO).

Learn more about social SSO.

Multi-Factor Authentication

Users using email and password or social SSO may also configure multi-factor authentication utilizing an authenticator app such as Authy or Google Authenticator.

Learn more about multi-factor authentication.

Security Assertion Markup Language (SAML) Authentication

Enterprise customers may configure SAML authentication.

Learn more about SAML authentication.

API Authentication

Customers may configure API keys for use with OpenAPI, Terraform and Query API endpoints.

Learn more about API authentication.

Database Authentication

Database Password Authentication

ClickHouse database user passwords are configured to NIST 800-63B standards with a minimum of 12 characters and complexity requirements: upper case characters, lower case characters, numbers and/or special characters.

Learn more about database password authentication.

Secure Shell (SSH) Database Authentication

ClickHouse database users may be configured to use SSH authentication.

Learn more about SSH authentication.

Access Control

Console Role-Based Access Control (RBAC)

ClickHouse Cloud supports role assignment for organization, service and database permissions. Database permissions using this method are supported in SQL console only.

Learn more about console RBAC.

Database User Grants

ClickHouse databases support granular permission management and role-based access via user grants.

Learn more about database user grants.

Network Security

IP Filters

Configure IP filters to limit inbound connections to your ClickHouse service.

Learn more about IP filters.

Private Connectivity

Connect to your ClickHouse clusters from AWS, GCP or Azure using private connectivity.

Learn more about private connectivity.

Encryption

Storage Level Encryption

ClickHouse Cloud encrypts data at rest by default using cloud provider-managed AES 256 keys.

Learn more about storage encryption.

Transparent Data Encryption

In addition to storage encryption, ClickHouse Cloud Enterprise customers may enable database level transparent data encryption for additional protection.

Learn more about transparent data encryption.

Customer Managed Encryption Keys

ClickHouse Cloud Enterprise customers may use their own key for database level encryption.

Learn more about customer managed encryption keys.

Auditing and Logging

Console Audit Log

Activities within the console are logged. Logs are available for review and export.

Learn more about console audit logs.

Database Audit Logs

Activities within the database are logged. Logs are available for review and export.

Learn more about database audit logs.

BYOC Security Playbook

Sample detection queries for security teams managing ClickHouse BYOC instances.

Learn more about the BYOC security playbook.

Compliance

Security and Compliance Reports

ClickHouse maintains a strong security and compliance program. Check back periodically for new third party audit reports.

Learn more about security and compliance reports.

HIPAA Compliant Services

ClickHouse Cloud Enterprise customers may deploy services housing protected health information (PHI) to HIPAA compliant regions after signing a Business Associate Agreement (BAA).

Learn more about HIPAA compliance.

PCI Compliant Services

ClickHouse Cloud Enterprise customers may deploy services housing credit card information to PCI compliant regions.

Learn more about PCI compliance.

Cloud Console Authentication​

Password Authentication​

Social Single Sign-On (SSO)​

Multi-Factor Authentication​

Security Assertion Markup Language (SAML) Authentication​

API Authentication​

Database Authentication​

Database Password Authentication​

Secure Shell (SSH) Database Authentication​

Access Control​

Console Role-Based Access Control (RBAC)​

Database User Grants​

Network Security​

IP Filters​

Private Connectivity​

Encryption​

Storage Level Encryption​

Transparent Data Encryption​

Customer Managed Encryption Keys​

Auditing and Logging​

Console Audit Log​

Database Audit Logs​

BYOC Security Playbook​

Compliance​

Security and Compliance Reports​

HIPAA Compliant Services​

PCI Compliant Services​