Couchbase’s mission is to be the data platform that revolutionizes digital innovation. Powering business-critical applications means enterprise-level security is essential for our customers. Given the dynamic nature of security, Couchbase regularly reviews and updates security policies and programs based on the evolution of our products, industry standards, and emerging threats.
Couchbase security program
Couchbase integrates security into our engineering processes with the goal of making our products as secure as possible. We make every effort to look at security during the design, development, and testing of the Couchbase Enterprise Edition.
Enabling security best practices
This security program is focused on giving Couchbase Enterprise Edition the features needed for developers to build secure applications that remain secure in operation. It covers deployment best practices such as authentication, authorization, and encryption as well as helping developers prevent "N1QL injection" attacks.
This program covers transparent vulnerability reporting and status for the Couchbase Enterprise Edition.
We’re focused on reducing the likelihood of data breaches of Couchbase internal IT systems, whether by physical or electronic means, and on keeping our security policies up to date.
Last updated 21 May 2018.
Security Best Practices with Couchbase
Couchbase provides standard security and enterprise features, which allow you to build security into your applications. Those features include:
Role-based access control (RBAC)
Control privileges to both administrative activities and data access with fine-grained access control.
Integrate Couchbase into your existing security infrastructure with LDAP, PAM, and pluggable authentication support.
The Couchbase SDKs provide safe programming paradigms through secure connections, encryption, and parameterized N1QL query support to help prevent attacks like N1QL injection.
Encryption on the wire
Protect data as it’s sent from clients to a cluster or when it’s transferred between clusters so that it cannot be intercepted and stolen.
Encryption at rest
Secure data at rest with complete application transparency using preferred encryption capabilities that prevent unauthorized data access.
Track all user activity in a cluster, including login attempts, so data breach attempts can be identified and stopped.
Security in Couchbase covers all products whether deployed on mobile and embedded devices or in the datacenter.
Regulation compliance support
Couchbase delivers key features needed to support customers’ compliance with security and privacy-related regulations such as GDPR.
The Couchbase Enterprise Edition (Couchbase Server, Sync Gateway, Couchbase Lite) is provided to customers as a software bundle to be self-deployed by customers on their choice of hardware or cloud platform. As such, Couchbase and its employees generally do not have direct access to the data a customer has stored in Couchbase or to any production customer systems. In the course of offering support and services, it may be necessary for Couchbase employees to have limited access or visibility to customer production systems or technical log files, for which we will ask our customers' permission.
Couchbase maintains small engineering datacenters co-located with developers for use in product development and testing. The datacenters are secured by a physical key, electronic access key, and/or biometric access reader. Electronic access is logged and monitored at all entry points, with elevated/second access required for datacenters. A video camera records motion and access to the Couchbase datacenter located at Couchbase headquarters. An alarm system is installed at all on-premises datacenters and Couchbase headquarters. Couchbase headquarters is protected by a security station with security personnel at the front desk lobby. Key fob security badges are required for building access and elevator floor access during non-business hours at Couchbase headquarters. Key fob security badges are surrendered and deactivated upon employee termination.
Couchbase enforces the rule of least privilege for IT systems. Access to designated systems is limited to those personnel for whom access is required based on job function. Access to all systems is deleted or suspended upon termination of employment. Secure transfer protocols (SFTP, SSH, etc.) are used to transfer data from one system endpoint to another.
Endpoint device security
Employee computers are password protected, and the default configuration for such devices causes them to be automatically locked after 10 minutes of inactivity. All employee computers have antivirus/anti-malware software installed. Employees are provided with a tool to back up/sync company data to enterprise cloud storage. Each employee receives a laptop computer with an assigned unique company asset tag for identification. Couchbase employees are required to contact IT in the event of laptop theft or loss.
Couchbase will notify customers of any security breach which involves their data as soon as possible after Couchbase becomes aware of it as required by applicable law or our governing contract. This applies to information stored in its own systems as well as the systems of its vendors.