Security Best Practices
- Capella Operational
Security is a process and Couchbase Capella strives to achieve the best ways to protect your data, from Zero Trust, through adaptive access, to centralized management and proactive monitoring. Best practices in the way you work with Capella further protect you from malicious attacks.
This page groups together listings of some of the many features of Capella security architecture with links to places in the docs where you have a chance to apply good practice to your Couchbase instance.
Security Highlights
All communication is encrypted using TLS 1.2 or higher. This can’t be turned off.
Auditing
Capella provides event auditing, whereby events are logged. Log files can be downloaded for inspection.
Event auditing occurs on a per-node basis: each node captures only its own events and saves the records in its own log file. When a cluster's log files are to be inspected, the user performs a download: all of the nodes' log files are delivered together as a single compressed file to the user's current system.
For a full overview, providing access to step-by-step instructions and reference information, see Auditing.
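Because each node logs only what it saw, an activity that is spread across nodes (such as repeated failed logins for one account) may look harmless in any single node's file and only stands out once the downloaded bundle is merged. The following added example is not code from the Capella docs or from Couchbase; it assumes the downloaded bundle is a tar.gz containing one JSON-lines audit log per node, and the record fields (timestamp, name, real_userid, remote) are an assumption modelled on Couchbase Server audit events. The sample records are constructed inline so it runs offline.

```python
import io
import json
import tarfile
from collections import Counter
from typing import Dict, List, Tuple


def _event(ts: str, name: str, user: str, ip: str) -> dict:
    # Assumed record shape; adjust field names to match your own audit log lines.
    return {"timestamp": ts, "name": name,
            "real_userid": {"domain": "local", "user": user},
            "remote": {"ip": ip, "port": 40000}}


# Constructed sample: what two nodes' audit logs might contain. Each node alone
# holds only three failures for "bob"; together there are six.
SAMPLE_NODE_LOGS: Dict[str, List[dict]] = {
    "node1.example.internal/audit.log": [
        _event("2024-05-01T10:00:01Z", "login success", "alice", "10.0.1.20"),
        _event("2024-05-01T10:02:10Z", "login failure", "bob", "203.0.113.9"),
        _event("2024-05-01T10:02:12Z", "login failure", "bob", "203.0.113.9"),
        _event("2024-05-01T10:02:14Z", "login failure", "bob", "203.0.113.9"),
    ],
    "node2.example.internal/audit.log": [
        _event("2024-05-01T10:02:11Z", "login failure", "bob", "203.0.113.9"),
        _event("2024-05-01T10:02:13Z", "login failure", "bob", "203.0.113.9"),
        _event("2024-05-01T10:02:15Z", "login failure", "bob", "203.0.113.9"),
        _event("2024-05-01T10:05:00Z", "login failure", "carol", "10.0.1.21"),
    ],
}


def build_archive(node_logs: Dict[str, List[dict]]) -> bytes:
    """Pack per-node JSON-lines logs into a tar.gz, mimicking the downloaded bundle (assumed format)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, events in node_logs.items():
            body = "".join(json.dumps(e) + "\n" for e in events).encode()
            info = tarfile.TarInfo(name=path)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def read_archive(data: bytes) -> List[dict]:
    """Merge every node's log into one timeline, tagging each record with the node it came from."""
    events: List[dict] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".log"):
                continue
            fh = tar.extractfile(member)
            for raw in fh:
                line = raw.decode("utf-8", errors="replace").strip()
                if not line:
                    continue
                try:
                    rec = json.loads(line)
                except json.JSONDecodeError:
                    continue  # skip a malformed line rather than abort the whole review
                rec["node"] = member.name.split("/")[0]
                events.append(rec)
    # ISO-8601 timestamps in one format sort correctly as strings
    events.sort(key=lambda e: e.get("timestamp", ""))
    return events


def failed_login_summary(events: List[dict], threshold: int = 5) -> Dict[Tuple[str, str], int]:
    """Count 'login failure' records per (user, source ip) across all nodes; keep those at or over threshold."""
    counts: Counter = Counter()
    for e in events:
        if e.get("name") != "login failure":
            continue
        user = e.get("real_userid", {}).get("user", "?")
        ip = e.get("remote", {}).get("ip", "?")
        counts[(user, ip)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    merged = read_archive(build_archive(SAMPLE_NODE_LOGS))
    for (user, ip), n in failed_login_summary(merged).items():
        print(f"{user} from {ip}: {n} failed logins across all nodes")
```

Run it against a real bundle by replacing the constructed archive with the bytes of the downloaded file; the per-node tag on each record lets you see which nodes were targeted.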
Encryption at Rest
By default, Couchbase Capella clusters use the underlying cloud provider’s key management service to create a new key for each cluster. These key management services include AWS Key Management Service, Google Cloud Key Management Service, and Azure Key Vault.
Capella uses customer master keys that are 256-bit Advanced Encryption Standard (AES) symmetric keys and are not exportable. AES-256, whose 256-bit key is the largest key size AES supports, is practically unbreakable by brute force with current computing power, making it the strongest encryption standard. Customer master keys are protected by hardware security modules (HSMs) validated under FIPS 140-2.
Customer Managed Encryption Keys
Capella also supports customer-managed encryption keys. Customer-managed encryption allows you to move control of the keys from Couchbase to your own key management system. By managing your encryption keys, you control their configuration, rotation cycles, geographic storage location, and can directly revoke them.
Access Management
Capella is built upon Couchbase’s sophisticated Role-Based Access Control.
Organization and Project Overview: Couchbase Capella is organized into organizations and projects, each of which has its own user roles.
Allowed IPs: Limit both the IP addresses that can access your data, and the period for which they have access.
Cluster Credentials: Provide programmatic and application-level access to data on a cluster.
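The Allowed IPs item above combines two controls: which source networks may reach the cluster, and for how long. The added example below (not Capella's own code or API) shows how a defender can evaluate a source address against such a list and lint the list itself, flagging entries that have expired and entries that are far broader than a VPC. The entries, the `max_hosts` threshold and the ISO-8601 expiry format are all assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class AllowedEntry:
    network: Network
    expires_at: Optional[datetime]  # None means permanent
    comment: str = ""


def parse_entry(cidr: str, expires_at: Optional[str] = None, comment: str = "") -> AllowedEntry:
    """Build an entry from a CIDR string and an optional ISO-8601 expiry with timezone (assumed format)."""
    net = ipaddress.ip_network(cidr, strict=False)
    exp = None
    if expires_at is not None:
        exp = datetime.fromisoformat(expires_at.replace("Z", "+00:00"))
        if exp.tzinfo is None:
            raise ValueError("expiry must carry a timezone")
    return AllowedEntry(net, exp, comment)


def is_expired(entry: AllowedEntry, now: datetime) -> bool:
    return entry.expires_at is not None and now >= entry.expires_at


def match_source(source_ip: str, entries: List[AllowedEntry], now: datetime) -> Optional[AllowedEntry]:
    """Return the first unexpired entry containing source_ip; None means deny (default-deny)."""
    ip = ipaddress.ip_address(source_ip)
    for entry in entries:
        if is_expired(entry, now):
            continue
        if ip in entry.network:  # False when the IP versions differ
            return entry
    return None


def review_entries(entries: List[AllowedEntry], now: datetime, max_hosts: int = 65536) -> List[str]:
    """Lint the list: expired entries to remove, and entries broader than max_hosts addresses."""
    findings: List[str] = []
    for entry in entries:
        if is_expired(entry, now):
            findings.append(f"expired: {entry.network} ({entry.comment})")
        elif entry.network.num_addresses > max_hosts:
            findings.append(f"broad: {entry.network} covers {entry.network.num_addresses} addresses ({entry.comment})")
    return findings


# Constructed sample list; the /0 entry is the kind of mistake the lint is meant to catch.
SAMPLE_ENTRIES = [
    parse_entry("10.20.0.0/16", None, "application VPC"),
    parse_entry("203.0.113.7/32", "2024-06-01T18:00:00Z", "contractor, one day"),
    parse_entry("198.51.100.0/24", "2024-05-01T00:00:00Z", "old office"),
    parse_entry("0.0.0.0/0", None, "temporary debugging"),
]

if __name__ == "__main__":
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    for finding in review_entries(SAMPLE_ENTRIES, now):
        print(finding)
    hit = match_source("10.20.5.9", SAMPLE_ENTRIES, now)
    print("10.20.5.9 allowed by", hit.network if hit else "nothing")
```

The matcher treats an expired entry exactly like a missing one, so a time-bounded grant stops working without anyone having to remove it; the lint exists because stale and over-broad entries otherwise accumulate silently.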
Authentication
Federated & SSO Authentication: Couchbase Capella allows users to sign in to the Capella UI using federated and SSO authentication after configuring Capella to authenticate using data passed from your identity provider (IdP). Okta, Azure AD, Ping Identity, and CyberArk are supported IdPs.
Multi-Factor Authentication (MFA): Any non-SSO user within your organization can use Capella’s MFA. MFA improves your Capella account security by requiring two credentials to sign in: your password and a time-based one-time password (TOTP).
Five failed login attempts for a user result in that account being locked for five minutes.
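To make the two statements above concrete, here is an added example (not Capella's code; Capella's control plane implementation is not described on the page) of a login check that requires both a password and an RFC 6238 TOTP code, and applies the stated rule of five failures leading to a five-minute lock. The 30-second step, 6 digits and HMAC-SHA1 are the RFC defaults assumed here, the PBKDF2 password hashing is a stand-in, and the account data is constructed inline.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Dict

MAX_FAILED_ATTEMPTS = 5     # policy stated on the page: five failed attempts ...
LOCKOUT_SECONDS = 5 * 60    # ... lock the account for five minutes
TOTP_STEP = 30              # assumed RFC 6238 defaults
TOTP_DIGITS = 6


def totp_code(secret: bytes, unix_time: int, step: int = TOTP_STEP,
              digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then RFC 4226 dynamic truncation."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps for clock skew; constant-time compare."""
    if not (code.isascii() and code.isdigit() and len(code) == TOTP_DIGITS):
        return False
    for drift in range(-window, window + 1):
        expected = totp_code(secret, unix_time + drift * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 as a stand-in for whatever the real control plane uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


@dataclass
class AccountState:
    salt: bytes
    password_hash: bytes
    totp_secret: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0   # unix time until which logins are refused


class LoginGuard:
    """Hypothetical password + TOTP verifier applying the page's lockout rule."""

    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}

    def register(self, user: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.accounts[user] = AccountState(salt, hash_password(password, salt), totp_secret)

    def attempt(self, user: str, password: str, code: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        state = self.accounts.get(user)
        if state is None:
            return "denied"        # unknown user gets the same answer as a bad password
        if now < state.locked_until:
            return "locked"        # credentials are not evaluated while the account is locked
        pw_ok = hmac.compare_digest(hash_password(password, state.salt), state.password_hash)
        totp_ok = verify_totp(state.totp_secret, code, int(now))
        if pw_ok and totp_ok:      # both factors were computed above, so neither is skipped
            state.failed_attempts = 0
            return "ok"
        state.failed_attempts += 1
        if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
            state.failed_attempts = 0
            state.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard()
    secret = b"12345678901234567890"   # RFC 6238 test-vector secret, constructed demo only
    guard.register("alice", "correct horse battery staple", secret)
    print(guard.attempt("alice", "correct horse battery staple", totp_code(secret, 59), 59))
```

Both factors are always computed before the decision is made, and a wrong password, wrong code and unknown user all produce the same "denied" response, so the counter is the only thing an attacker learns. The lock is enforced before any credential check, which is what makes the five-minute window an actual rate limit rather than a message.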
Secrets Management
Application password management can be simplified with our HashiCorp Vault plug-in. Vault's Cluster Secrets Engine generates dynamic, short-lived cluster credentials, which streamlines the management of cluster connections and roles. You can also customize permissions and TTL settings.
Applying Best Practice
Make sure to familiarize yourself with our Access Management (RBAC), to ensure your applications take advantage of the least privilege and separation of duties that we offer.
We strongly recommend enabling Multi-Factor Authentication (MFA) to authenticate against Capella—adding a strong layer of protection against many common attacks.
Lifecycle
Couchbase Capella manages the infrastructure lifecycle for you, upgrading the Couchbase Cluster with a new version of Couchbase Server, and communicating the release cycle and policy with you. Customers should update the Couchbase SDK that they use in their applications to the latest patched version, and validate after upgrading.
Monitoring & Alerts
Couchbase Capella provides a performance metrics dashboard. The customer reviews the metrics and is responsible for scaling the cluster to accommodate changes in workload or dataset size. Capella also provides an Alerts dashboard, informing you of any problems, such as a failed backup. Reviewing these alerts and taking appropriate actions is a shared responsibility between the Couchbase Support team and the customer.
Multi-Factor Authentication
Multi-Factor Authentication (MFA) is available for non-SSO Capella users. Users can choose to add another layer of security by requiring a one-time passcode to be used in conjunction with the password to log in to the Couchbase Capella Control Plane.
See Manage Multi-Factor Authentication (MFA) for more information.
Networking
Set up a VPC peering connection with AWS, Azure, or GCP.
Add private endpoints with AWS PrivateLink, Azure Private Link, or GCP Private Service Connect.
Restrict Public Access
Limited availability: The option to create a cluster with restricted public access is available only on request. For more information, contact Couchbase Support.
If Couchbase grants your organization access to this feature, you can restrict public access for a new cluster.
With restrict public access turned on for your cluster, you can only connect to your cluster through Capella’s private networking options, including VPC peering and private endpoints.
For example, with restrict public access enabled, only your cloud service provider (CSP) network that’s peered with Capella can access your cluster. This configuration allows direct traffic routing from your on-premises network to Capella through your CSP’s network that’s peered with Capella.
When you restrict public access for a cluster, the cluster is accessible only through private IP addresses that Capella assigns. In your applications, you can use the DNS hostname provided by Capella to resolve your cluster’s private IP addresses. You can also still use the connection string for your cluster on the page.
Shared Responsibilities
Good security is a partnership of application and cluster. With Capella, most operations are automated, but some areas need active input from the customer to get the best possible results.
With a fully-hosted solution, Couchbase takes care of all of the infrastructure, as well as managing the cluster deployment. However, customers should take care to follow best practices for authentication, as well as least privilege in RBAC. This page highlights some of those best practices.
Key areas of customer responsibility are Defining Roles and Customer Access Control policy.