Announcing FIPS-compatible Altinity Stable Builds for ClickHouse

ClickHouse has become an indispensable tool for enterprise analytics, which means demands for security compliance are rising. ClickHouse users are deploying analytics in secure environments up to and including FedRAMP, a standard for computing on US government systems. They need software and support to pass compliance audits. 

To support users deploying into such environments it is our pleasure to announce FIPS-compatible Altinity Stable Builds for ClickHouse. The builds use the same BoringSSL source code and build process that passed FIPS 140-2 certification. They are available for download starting with ClickHouse version 22.8. 

We are also announcing enterprise support deployment for FIPS-compatible ClickHouse operation, including in air-gapped FedRAMP environments. This is an add-on to our regular enterprise support. 

There’s a lot more security news at Altinity. Read on to learn about FIPS-compatible builds, enabling compliant operation, open source policy, and our roadmap for security features in general. 

What is FIPS and What is a FIPS-compatible Build?

FIPS stands for Federal Information Processing Standards, which are a family of standards for US government computing. In our case “FIPS” means FIPS 140-2, which defines cryptography requirements. It includes allowable encryption protocols like TLS 1.2, allowable ciphers, and a procedure for ensuring that crypto algorithm code has not been compromised. 

ClickHouse has used BoringSSL cryptography for a number of years. BoringSSL has been certified for FIPS 140-2 Level 1 conformance, most recently on 29 June 2022. FIPS-compatible Altinity Stable Builds use the same BoringSSL code that passed FIPS 140-2 certification. With proper configuration, ClickHouse servers use cryptography in a manner that is compatible with FIPS 140-2 Level 1. 

FIPS 140-2 is a requirement for many US government systems, including those that meet FedRAMP standards. It is difficult and time-consuming to certify software fully against FIPS 140-2. Many vendors therefore deploy software that ensures FIPS-compatible operation for system components. That means using the same crypto source code that passed certification plus appropriate application configuration. 

FIPS-compatible Altinity Stable Builds open a path to add ClickHouse analytics to systems that process US government data. They have applications in other countries like Canada and Japan that also recognize the FIPS 140-2 standard. 

How Can ClickHouse Run in a FIPS-compatible Manner?

The Altinity Stable Build documentation provides information you need to get started. There are two steps. 

  1. Download the latest FIPS-compatible Altinity Stable Build from FIPS builds use a separate channel for release from regular Altinity Stable. (Scroll down to see it.)
  2. Follow the instructions in the documentation for FIPS-Compatible Altinity Stable Builds to configure your ClickHouse server to operate in a FIPS-compatible manner. 

It’s important to note that proper configuration covers a lot of ground, such as: 

  • Enabling secure TCP and HTTP ports.
  • Configuring connections to and between ClickHouse servers. 
  • Configuring ZooKeeper and ClickHouse Keeper, including RAFT connections between Keeper servers.

FIPS-compatible operation is extensively tested. We validate the above configurations in our test suites and document them as they are certified. Our support team can provide detailed guidance for users. 

Are FIPS-compatible Altinity Stable Builds for ClickHouse open source?

Yes. You can find the code in the Altinity fork of ClickHouse

Unlike virtually all other code we develop for ClickHouse, the FIPS changes are not currently merged into the upstream ClickHouse repository. The reason is that FIPS-compliant builds are not compatible with upstream, which links to a different BoringSSL version. 

What is The Roadmap for Security at Altinity?

Altinity.Cloud has been SOC 2 certified since 2021. Besides continuing to improve the security posture for Altinity.Cloud we have on-going work in the following areas. 

  • ClickHouse testing and fixes – We continue to report, fix, and test security issues in ClickHouse. Our most current work relates to Row Policies, and we have more on tap. (Examples here and here.)
  • FedRAMP – A number of Altinity customers are deploying ClickHouse in FedRAMP environments. We are adding security features and documentation to enable successful deployments of air-gapped ClickHouse analytics. FIPS-compatible builds are the first step in that process. 
  • Secure Operation on Kubernetes – Altinity has a long-standing commitment to enabling cloud native operation of ClickHouse on Kubernetes. Recent contributions include new security-related features in the Altinity Kubernetes Operator for ClickHouse as well as a hardening guide to aid secure deployment on Kubernetes. 
  • PCI Compliance – This is a common request to allow sensitive data to be processed in Altinity.Cloud, including user environments managed by Altinity.Cloud Anywhere.

Finding Out More and Getting Started

FIPS-compatible Altinity Stable Builds are a new tool for users who need to deploy ClickHouse analytics that meet high security compliance requirements. The first builds are already out and in use with Altinity customers. Check out our documentation, grab a build, and try it yourself. 

Altinity Enterprise support covers FIPS-compatible builds as an add-on. If you would like to learn more please contact us or raise a support request if you are already a customer. We would be happy to help. 

Keep watching this space to learn more about Altinity work to enable secure analytics based on ClickHouse. In the month of June we’ll have two webinars related to security you won’t want to miss: 

We’re delighted to have Cisco with us in the second webinar to talk about their FedRAMP deployment using FIPS-compatible Altinity Stable Builds. We look forward to seeing you soon!