Security is a process, and whilst Couchbase Capella strives to achieve the best ways to protect your data, from Zero Trust, through adaptive access, to centralized management and proactive monitoring. Best practices in the way you work with Capella will further protect you from malicious attacks.
This page groups together listings of some of the many features of Capella security architecture with links to places in the docs where you have a chance to apply good practice to your Couchbase instance.
All communication is encrypted using TLS 1.2 or higher. This cannot be turned off.
Using Couchbase’s Cloud Account in our free trial automatically gives you the underlying Cloud Provider’s Key Management System — KMS for AWS. Using our Own Cloud Provider Service with Azure uses Key Vault.
Couchbase Cloud uses customer master keys that are 256-bit Advanced Encryption Standard (AES) symmetric keys and are not exportable. AES-256, which has a key length of 256 bits, supports the largest bit size and is practically unbreakable by brute force based on current computing power, making it the strongest encryption standard. A new key is created for each cluster/database.
Customer master keys use hardware security modules (HSMs) that have been validated under FIPS 140-2.
Capella is built upon Couchbase’s sophisticated Role-Based Access Control, with Couchbase Managed Cloud offering further refinements.
Allowed IPs: Limit both the IP addresses that can access your data, and the period for which they have access.
Make sure to familiarise yourself with our Access Management (RBAC), to ensure your applications take advantage of the Least Priveleges and Separation of Duties that we offer.
We strongly recommend enabling Multi-Factor Authentication (MFA) to authenticate against Capella — adding a strong layer of protection against many common attacks.
Couchbase Capella will manage the infrastructure lifecycle for you, upgrading the Couchbase Cluster with a new version of Couchbase Server, and communicating the release cycle and policy with you. Customers should update the Couchbase SDK that they use in their applications to the latest patched version, and validate after upgrading.
Couchbase Capella provides a performance metrics dashboard The customer reviews the metrics and is responsible for scaling the cluster to accommodate with changes in workload or dataset size Capella provides an Alerts dashboard — informing you of any problems, such as a failed backup. Reviewing these alerts and taking appropriate actions is a shared responsibility between Couchbase Support team and the customer.
Multi-Factor Authentication (MFA) is available in both Couchbase’s Cloud Account and Own Cloud Account. Users can choose to add another layer of security by requiring a one-time passcode to be used in conjunction with the password to log in to the Couchbase Cloud Control Plane.
Private Networking with AWS VPC peering or Azure VNet peering.
Good security is a partnership of application and database. With Capella, most operations are automated, but some areas need active input from the customer to get the best possible results.
With a fully-hosted solution, Couchbase takes care of all of the infrastructure, as well as managing the database deployment. However, customers should take care to follow best practices for authentication, as well as least privilege in RBAC. This page highlights some of those best practices.
Couchbase’s ResponsibilitiesThis information is for anyone still using Couchbase Server 6.6, hosted in their own Cloud provider’s VPC. It does not apply to Couchbase 7.0, hosted in Couchbase’s VPC and fully managed for you.
Operate the Cloud Control Plane, including the user interface of the Cloud Service
Implement reasonable technical and organizational measures to protect the security of the Cloud Control Plane
Does not host the Customer Cloud Environment into which the Data Plane is deployed
Does not host the systems in which Customer Content may be stored
Obtain a Customer Capella Environment through cloud provider
Notify Couchbase immediately of any unauthorized use of the user account
Protect the security of all Registration Information
Properly maintain and secure the Customer Cloud Environment
Not interfere with updates to the Cloud Service
Implement the appropriate configurations to enable backup and recovery features of the Cloud Service
No matter which version of Capella you are using, key areas of customer responsibility are Defining Roles and Customer Access Control policy.