Merge pull request ClickHouse#2349 from ClickHouse/may-2024-security-…

…updates

May 2024 security updates

docs/en/cloud/manage/backups.md

@@ -1,6 +1,6 @@
 ---
 sidebar_label: Backups
-slug: /en/manage/backups
+slug: /en/cloud/manage/backups
 description: Managing backups in ClickHouse Cloud
 keywords: [backups, cloud backups, restore]
 ---
@@ -129,7 +129,7 @@ Suppose you cannot work with the newly restored service for any reason; for exam
 
 **Allow remote access to the newly restored service**
 
-The new service should be restored from a backup with the same IP Allow List as the original service. This is required as connections will not be allowed to other ClickHouse Cloud services unless you had allowed access from **Anywhere**. Modify the allow list and allow access from **Anywhere** temporarily. See the [IP Access List](/docs/en/cloud/security/ip-access-list.md) docs for details.
+The new service should be restored from a backup with the same IP Allow List as the original service. This is required as connections will not be allowed to other ClickHouse Cloud services unless you had allowed access from **Anywhere**. Modify the allow list and allow access from **Anywhere** temporarily. See the [IP Access List](/docs/en/cloud/security/setting-ip-filters) docs for details.
 
 **On the newly restored ClickHouse service (the system that hosts the restored data)**
 

docs/en/cloud/reference/architecture.md

@@ -35,7 +35,7 @@ All services are isolated at the network layer.
 
 All services use a separate subpath of a shared bucket (AWS, GCP) or storage container (Azure). 
 
-For AWS, access to storage is controlled via AWS IAM, and each IAM role is unique per service. For **Production** and **Dedicated** services, [CMEK](/docs/en/cloud/manage/cmek) can be enabled to provide advanced data isolation at rest. CMEK is only supported for AWS services at this time.
+For AWS, access to storage is controlled via AWS IAM, and each IAM role is unique per service. For **Production** and **Dedicated** services, [CMEK](/docs/en/cloud/security/cmek) can be enabled to provide advanced data isolation at rest. CMEK is only supported for AWS services at this time.
 
 For GCP and Azure, services have object storage isolation (all services have their own buckets or storage container).
 

docs/en/cloud/reference/changelog.md

@@ -370,7 +370,7 @@ This release brings usability and performance improvements in the SQL console, b
 This release brings general availability of ClickPipes for Kafka, Confluent Cloud, and Amazon MSK and the Kafka Connect ClickHouse Sink, self-service workflow to secure access to Amazon S3 via IAM roles, and AI-assisted query suggestions ( private preview).
 
 ### Console changes
-- Added a self-service workflow to secure [access to Amazon S3 via IAM roles](/docs/en/cloud/manage/security/secure-s3)
+- Added a self-service workflow to secure [access to Amazon S3 via IAM roles](/docs/en/cloud/security/secure-s3)
 - Introduced AI-assisted query suggestions in private preview (please [contact ClickHouse Cloud support](https://clickhouse.cloud/support) to try it out!)
 
 ### Integrations changes 

docs/en/cloud/security/secure-s3.md → docs/en/cloud/security/accessing-s3-data-securely.md

@@ -1,7 +1,7 @@
 ---
-slug: /en/cloud/manage/security/secure-s3
-sidebar_label: S3 Role-based Access
-title: S3 Role-based Access
+slug: /en/cloud/security/secure-s3
+sidebar_label: Accessing S3 Data Securely
+title: Accessing S3 Data Securely
 ---
 
 This article demonstrates how ClickHouse Cloud customers can leverage role-based access to authenticate with Amazon Simple Storage Service(S3) and access their data securely.

docs/en/cloud/security/activity-log.md → docs/en/cloud/security/audit-logging.md

@@ -1,7 +1,7 @@
 ---
-slug: /en/manage/security/organization-activity
-sidebar_label: Audit Log
-title: Viewing activity in your Organization
+sidebar_label: Audit Logging
+slug: /en/cloud/security/audit-logging
+title: Audit Logging
 ---
 
 In ClickHouse Cloud, you can use the **Activity** tab on the left menu to see what changes have been made to your ClickHouse Cloud organization - including who made the change and when it occurred.

docs/en/cloud/security/users-and-roles.md → docs/en/cloud/security/cloud-access-management.md

@@ -1,7 +1,7 @@
 ---
-sidebar_label: "Overview"
-title: "Cloud access management"
-slug: "/en/security/cloud-access-management"
+sidebar_label: Overview
+slug: /en/cloud/security/cloud-access-management
+title: Cloud access management
 ---
 
 # Access Control in ClickHouse Cloud

docs/en/cloud/security/cloud-authentication.md

@@ -0,0 +1,48 @@
+---
+sidebar_label: Cloud Authentication
+slug: /en/cloud/security/cloud-authentication
+title: Cloud Authentication
+---
+# Cloud Authentication
+
+ClickHouse Cloud provides a number of ways to authenticate. This guide explains some good practices for configuring your authentication. Always check with your security team when selecting authentication methods.
+
+## Password Settings
+
+Minimum password settings for our console and services (databases) currently comply with [NIST 800-63B](https://pages.nist.gov/800-63-3/sp800-63b.html#sec4) Authenticator Assurance Level 1:
+- Minimum 12 characters
+- Includes 3 of the following 4 items:
+   - 1 uppercase letter
+   - 1 lowercase letter
+   - 1 number
+   - 1 special character
+
+## Email + Password
+
+ClickHouse Cloud allows you to authenticate with an email address and password. When using this method the best way to protect your ClickHouse account use a strong password. There are many online resources to help you devise a password you can remember. Alternatively, you can use a random password generator and store your password in a password manager for increased security.
+
+### Multi-Factor Authentication
+
+Users with email and password authentication can further secure their account using multi-factor authentication (MFA). To set up MFA:
+1. Log into console.clickhouse.cloud
+2. Click your initials in the upper left corner next to the ClickHouse logo
+3. Select Profile
+4. Select Security on the left
+5. Click Set up in the Authenticator app tile
+6. Use an authenticator app such as Authy, 1Password or Google Authenticator to scan the QR code
+7. Enter the code to confirm
+
+## Database User ID + Password
+
+Use the SHA256_hash method when [creating user accounts](/docs/en/sql-reference/statements/create/user.md) to secure passwords.
+
+**TIP:** Since users with less than administrative privileges cannot set their own password, ask the user to hash their password using a generator
+such as [this one](https://tools.keycdn.com/sha256-online-generator) before providing it to the admin to setup the account. Passwords should follow the [requirements](#establish-strong-passwords) listed above.
+
+```
+CREATE USER userName IDENTIFIED WITH sha256_hash BY 'hash';
+```
+
+## SSO Using Google or Microsoft Social Authentication
+
+If your company uses Google Workspace or Microsoft 365, you can leverage your current single sign-on setup within ClickHouse Cloud. To do this, simply sign up using your company email address and invite other users using their company email. The effect is your users must login using your company's login flows, whether via your identity provider or directly through Google or Microsoft authentication, before they can authenticate into ClickHouse Cloud. This includes requiring multi-factor authentication as required by your login flow.

docs/en/cloud/security/cloud-endpoints-api.md

@@ -1,7 +1,7 @@
 ---
 slug: /en/manage/security/cloud-endpoints-api
-sidebar_label: Static IPs
-title: Static IPs
+sidebar_label: Cloud IP Addresses
+title: Cloud IP Addresses
 ---
 
 ## List of Static IPs

docs/en/cloud/manage/cmek.md → docs/en/cloud/security/cmek.md

@@ -1,7 +1,7 @@
 ---
-sidebar_label: Encryption
-slug: /en/cloud/manage/cmek
-title: Encryption
+sidebar_label: Customer Managed Encryption Keys
+slug: /en/cloud/security/cmek
+title: Customer Managed Encryption Keys (CMEK)
 ---
 
 # Customer Managed Encryption Keys (CMEK)

docs/en/cloud/security/compliance-overview.md

@@ -0,0 +1,45 @@
+---
+sidebar_label: Security and Compliance
+slug: /en/cloud/security/security-and-compliance
+title: Security and Compliance
+---
+
+# Security and Compliance Reports
+ClickHouse Cloud continuously evalutates the security and compliance needs of our customers and is continuously expanding the program as additional reports are requested. For additional information or to download the reports visit our [Trust Center](https://trust.clickhouse.com).
+
+### SOC 2 Type II (Since 2022)
+
+System and Organization Controls (SOC) 2 is a report focusing on security, availability, confidentiality, processing integrity and privacy criteria contained in the Trust Services Criteria (TSC) as applied to an organization's systems and is designed to provide assurance about these controls to relying parties (our customers). ClickHouse works with independent external auditors to undergo an audit at least once per year addressing security, availability, confidentiality and processing integrity of ClickHouse Cloud. 
+
+### ISO 27001 (Since 2023)
+
+International Standards Organization (ISO) 27001 is an international standard for information security. It requires companies to implement an Information Security Management System (ISMS) that includes processes for managing risks, creating and communicating policies, implementing security controls, and monitoring to ensure components remain relevant and effective. ClickHouse conducts internal audits and works with independent external auditors to undergo audits and interim inspections for the 2 years between certificate issuance. 
+
+### U.S. DPF (Since 2024)
+
+The U.S. Data Privacy Framework was developed to provide U.S. organizations with reliable mechanisms for personal data transfers from the United States to the European Union/ European Economic Area, the United Kingdom, and Switzerland that are consistent with EU, UK and Swiss law (https://dataprivacyframework.gov/Program-Overview). ClickHouse self-certified to the framework and is listed on the [Data Privacy Framework List](https://dataprivacyframework.gov/list)).
+
+# Privacy Compliance
+
+In addition to the items above, ClickHouse maintains internal compliance programs addressing the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and other relevant privacy frameworks. Details on personal data that ClickHouse collects, how it is used, how it is protected and other privacy related information can be found in the following locations.
+
+### Legal Documents
+
+- [Privacy Policy](https://clickhouse.com/legal/privacy-policy)
+- [Cookie Policy](https://clickhouse.com/legal/cookie-policy)
+- [Data Privacy Framework Notification](https://clickhouse.com/legal/data-privacy-framework)
+- [Data Processing Addendum (DPA)](https://clickhouse.com/legal/agreements/data-processing-addendum)
+
+### Processing Locations
+
+- [Sub-Processors and Affiliates](https://clickhouse.com/legal/agreements/subprocessors)
+- [Data Processing Locations](https://trust.clickhouse.com) 
+
+### Additional Procedures
+
+- [Personal Data Access](/docs/en/cloud/security/personal-data-access)
+- [Delete Account](/docs/en/cloud/manage/close_account)
+
+# Payment Compliance
+
+ClickHouse provides a secure method to pay by credit card that is compliant with [PCI SAQ A v4.0](https://www.pcisecuritystandards.org/document_library/). 

docs/en/cloud/security/personal-data-access.md

@@ -40,7 +40,10 @@ Please be sure to include the following details in your support case:
 | Subject | Data Subject Access Request (DSAR) |
 | Description | Detailed description of the information you’d like ClickHouse to look for, collect, and/or provide. |
 
-<img width="250" alt="Support Case Form" src="./images/support-case-form.png"/>
+<img src={require('./images/support-case-form.png').default}
+  class="image"
+  alt="Support Case Form"
+  style={{width: '30%'}} />
 
 ### Individuals Without an Account
 If you do not have an account with us, the self-service option above has not resolved your personal-data issue, and you wish to make a Data Subject Access Request pursuant to the Privacy Policy, you may submit these requests by email to [[email protected]](mailto:[email protected]).

docs/en/cloud/security/private-link-overview.md

@@ -0,0 +1,13 @@
+---
+sidebar_label: Private Link Overview
+slug: /en/cloud/security/private-link-overview
+title: Private Link Overview
+---
+
+# Private Link Overview
+
+ClickHouse Cloud provides the ability to connect your services to your cloud virtual network. Refer to the guides below for your provider:
+
+- [AWS Private Link](/en/cloud/security/aws-privatelink.md)
+- [GCP Private Service Connect](/en/cloud/security/gcp-private-service-connect.md)
+- [Azure Private Link](/en/cloud/security/azure-privatelink.md)