From development to delivery, SingleStoreDB Cloud ensures that security is considered, designed, reviewed and implemented so that the data of our customers — and their customers— is safeguarded as if it were our own. We’ve built security into all of our products: from those hosted by customers on their own infrastructure, to those we host on our customers’ behalf.
SingleStoreDB automatically manages encryption, authentication, access and monitoring so you can focus your efforts on your data and the value it adds. We maintain a holistic approach to information protection, combining a set of controls that help businesses meet their compliance objectives — while always ensuring our customers’ data is secure.
Figure 1: Security aspects of SingleStoreDB Cloud
As shown in Figure 1., SingleStoreDB Cloud ensures an end-to-end security posture for all of your critical enterprise workloads. This requires securing customer data using in-depth defense against three security threat concerns:
- How is my data stored in SingleStoreDB Cloud protected?
- How can someone connect to SingleStoreDB Cloud?
- How do I prevent the wrong person from accessing data?
As a SaaS offering, it’s critical that customers trust that housing their data in SingleStoreDB Cloud is safe and also have the peace of mind that their data will not be compromised. Ensuring customer data is always secure, SingleStoreDB Cloud offers multi-layer security for data storage and retrieval, encrypting customer data while it's both in motion and at rest. Here are the key controls and capabilities that SingleStoreDB Cloud provides to ensure each customer’s data is always safeguarded:
- Data security in-motion. SingleStoreDB Cloud guarantees that all connections to the database are enabled with TLS 1.2, which ensures data-in-motion is always encrypted. In addition, each client connection is checked to ensure that valid certificates are being used, and that the connection to SingleStoreDB Cloud is secure.
- Data security at-rest. In accordance with industry best practices, all data stored in SingleStoreDB Cloud is encrypted at rest using an AES 256-bit encryption key. Encryption scope includes both EBS and S3 for AWS, Premium SSD and Blob storage for Azure, and Persistent Disks and Google Cloud Storage for GCP.
- Customer managed encryption keys (stores in the cloud KMS). An additional layer of security for customer data can be added using the keys stored in a customer's cloud key management service (KMS). Additionally, separate keys can be used for data backups and their associated bucket(s). This feature is only supported for the dedicated edition of SingleStoreDB Cloud.
Figure 2: Customer Managed Encryption Key (CMEK)
Read the whitepaper: SingleStoreDB Cloud Security
Since SingleStoreDB Cloud is a cloud-based (remote) service, properly granting access to a SingleStoreDB Cloud workspace is the first line of defense. Network security in SingleStoreDB Cloud ensures that only properly configured resources can gain access to a database and its data. The controls available to a customer include:
- Accessing data using private networking (inbound and outbound). Customers that want secure connectivity from inside their VPC — but who do not want to connect to SingleStoreDB Cloud over the public internet — can use AWS PrivateLink, Azure Private Link and Google Private Service Connect to connect to AWS, Azure and GCP deployments, respectively. This private connectivity applies to both inbound and outbound traffic. This feature is only available to SingleStoreDB Cloud customers, regardless of the edition they use (Standard, Premium and Dedicated). Private networking can also be used for creating outbound connectivity to object storage (blob storage) for backups and/or customer-initiated copies of data.
- IP allowlisting. Traffic to SingleStoreDB Cloud is over the internet when using the IP allowlisting. Customers can restrict access to a SingleStoreDB Cloud workspace group from a specific set of IP addresses based on a corporate network policy. Having a known client location and IP address helps prevent unauthorized access to your SingleStoreDB Cloud. If an application is hosted outside of your VPC, it’s critical to define a restrictive set of IP addresses that are required to successfully run the application. However as a best practice, you should always choose private connectivity over IP allowlisting to connect to SingleStoreDB Cloud.
SingleStoreDB Cloud provides a variety of access control tools and capabilities that govern user login, permissions and data access, including:
- Native password authentication. Customers can use native password authentication both for SingleStoreDB Cloud and database connectivity. Password complexity is flexible and can be based on your corporate policy.
- Single Sign-On (SSO). As the number of users accessing the database increases, customers can also connect to SingleStoreDB Cloud (both the data plane and the portal) using identities defined in an Identity Provider (IdP) of their choice (Azure AD, Okta, Ping). This allows database user identities to be managed from a central location, which simplifies access management at scale. Customers may also enable multi-factor authentication (MFA) to provide an additional layer of security.
- JWT/JWKS authentication. To eliminate the use of passwords, customers can authenticate clients via JSON Web Tokens (JWT). JWTs are useful for both authorization (the most common scenario for using a JWTs) and information exchange (where information can be securely transmitted between parties). JWTs can be created by both the SingleStoreDB Cloud portal and by customer-run identity providers, and used to authenticate users to database clusters. Additionally, JSON Web Key Sets (JWKS) can be used to validate the signature of a signed JWT. JWKS are a set of keys containing public keys that can be used to authenticate any JWT. Also, if you use SingleStoreDB native drivers to connect to the database, you can use the JWT authentication directly in the drivers.
- Role-Based Access Control (RBAC). For more granular security SingleStoreDB Cloud offers Role- Based Access Controls (RBAC), a reduced-privileges, role-separated environment where users and groups can be granted access to databases, tables, views, etc. based on role.
- Row-level security. Similar to RBAC, row-level security in SingleStoreDB Cloud can be used to dictate which roles have access to specific rows in a table.
The inherent security capabilities in SingleStoreDB Cloud allow you to build your next cloud-based, mission-critical application knowing that it will run on a secure infrastructure. Data security is a fundamental value of SingleStoreDB, and SingleStore continually follows industry guidelines and has adopted best practices to ensure that your data remains secure throughout its lifecycle.
In addition to the best practices, policies, processes and procedures we’ve implemented, we continually invest in new measures and certifications to ensure that we — and our products — remain at the forefront of data security.
SingleStoreDB Cloud operates within a shared-responsibility model. Our company, our customers and our service providers share the responsibility for identifying and preventing compromises in our respective infrastructures and/or data. If you have questions regarding data security in SingleStoreDB Cloud, please contact us at firstname.lastname@example.org.