Shared responsibilities
Responsibility for security in Cloud Service is shared between you and EDB. EDB provides a secure platform that enables you to create and maintain secure database clusters deployed on Cloud Service. You have several responsibilities around the security of your clusters and the data they contain. These responsibilities are the same whether you use your cloud or Cloud Service's cloud account as your deployment option except where noted.
The following responsibility model describes the distribution of specific responsibilities between you and EDB.
High availability
- You are responsible for choosing whether to enable high availability.
- EDB is responsible for properly configuring and maintaining replication between database nodes.
- If you choose to use asynchronous replication (not recommended), you are responsible for managing replication lag between database nodes.
- EDB is responsible for deploying database nodes across availability zones, where available.
- You are responsible for ensuring your applications reconnect when network connectivity is interrupted.
Database performance
- EDB is responsible for deploying clusters with the infrastructure you choose and managing and monitoring these infrastructure resources.
- You are responsible for data modeling, query design, and scaling the cluster to meet your performance needs.
Deploying and scaling
- EDB is responsible for deploying, managing, and monitoring the underlying infrastructure supporting your clusters.
- You are responsible for choosing the appropriate configuration for your workload, including instance type, storage, and configuration.
- If you're using your cloud account, you are responsible for managing your cloud resource limits to ensure the underlying infrastructure can be provisioned.
Backups and restores
- EDB is responsible for taking backups and archiving transaction logs and storing them in object storage instances.
- You are responsible for the charges associated with the cloud object storage solution. If you're using Cloud Service's cloud account, these charges are passed along to you in your monthly rates.
- You are responsible for periodically restoring and verifying the restores to ensure that archives can meet your recovery time and recovery point objectives.
- Cloud Service provides two methods of backups:
- Base backups are the backups of the data directory of your Postgres clusters taken using Barman. These backups are stored on object storage of the respective cloud service providers.
- Volume snapshot are the snapshot backups stored on disk in the same region as your cluster.
Encryption
- EDB is responsible for data encryption at rest for both backups and live data.
- EDB is responsible for data encryption in transit for both intra-cluster traffic and traffic between clusters and backup storage.
- You are responsible for data encryption in transit between your applications and your cluster. Cloud Service clusters support, but don't require,
verify-full
TLS connections. - You are responsible for application-level encryption to protect particularly sensitive data from unauthorized access by your authorized users and applications.
Credential management
- EDB is responsible for securely managing your edb_admin credential. The edb_admin credential is never stored in plaintext.
- You are responsible for managing and securing your cluster users and their passwords.
Could this page be better? Report a problem or suggest an addition!