DataSunrise Achieves AWS DevOps Competency Status in AWS DevSecOps and Monitoring, Logging, Performance

This website stores cookies to collect information about how you interact with our website. To find out more visit our Privacy Policy.

Full ClickHouse Protection

ClickHouse has become the backbone of real-time analytics for organizations handling massive data volumes. Its columnar architecture delivers exceptional query performance, but this speed comes with security challenges that traditional database protection tools struggle to address. With DataSunrise 11.3, we're introducing comprehensive ClickHouse support through Native and HTTP protocol parsers, Databricks-based SQL grammar, and full security rule enforcement.

Why ClickHouse Security Requires a Specialized Approach

ClickHouse operates differently from conventional relational databases. It uses both Native TCP protocol (port 9000) and HTTP interface (port 8123) for client connections, processes extended SQL syntax, and handles analytical workloads at speeds that can overwhelm traditional security proxies.

Standard database firewalls often fail to parse ClickHouse traffic correctly, resulting in incomplete audit logs, missed policy violations, or unacceptable latency. Organizations running ClickHouse for business-critical analytics need protection that matches the database's performance characteristics.

Native and HTTP Protocol Parsing

DataSunrise 11.3 delivers true protocol-level visibility into ClickHouse traffic. The solution parses both communication methods:

ProtocolDefault PortDescription
Native (TCP)9000Binary protocol used by clickhouse-client and native drivers. Recommended for best performance.
HTTP8123REST API interface used by JDBC drivers and web applications.

This dual-protocol coverage ensures no queries slip through unmonitored, regardless of how applications connect to your ClickHouse clusters.

Databricks-Based SQL Grammar Support

DataSunrise's SQL parser recognizes ClickHouse's extended SQL dialect natively, including PostgreSQL-like syntax with type casts using :: notation. This parsing accuracy enables:

  • Query classification and categorization
  • Object-level access tracking (databases, tables, columns)
  • Function and expression analysis
  • Subquery identification

Without proper grammar support, security rules targeting specific tables or operations would fail against ClickHouse's syntax variations.

Supported Security Features

DataSunrise 11.3 provides comprehensive capabilities for ClickHouse:

  • Audit – Monitor and log all database queries and activities
  • Dynamic Masking – Mask sensitive data in query results in real-time
  • Dynamic Blocking – Block unauthorized queries based on security rules
  • Data Discovery – Identify and classify sensitive data across your ClickHouse environment
  • Sniffer Mode – Passive traffic monitoring without proxy deployment
  • Native Logs Trailing – Collect audit events from ClickHouse's native logging
Tip

Masking rules are currently supported for Native protocol sessions. When masking is configured on an HTTP session, the system logs an informational message in Event Monitor to indicate that masking is inactive for that session.

Dynamic Data Masking

Sensitive data in analytical databases often spans millions of rows across wide tables. Static masking is impractical when data scientists need rapid access to production-scale datasets.

Dynamic masking transforms sensitive values in real-time as query results return to users. To configure dynamic masking for ClickHouse:

  1. Navigate to Masking → Dynamic Masking Rules
  2. Click Add Rule
  3. Select the ClickHouse database instance
  4. Configure masking settings for specific columns or data patterns
  5. Click Save

Analysts see masked values while queries execute at full ClickHouse speed. The underlying data remains untouched.

Security Rule Enforcement

DataSunrise enforces comprehensive security policies across your ClickHouse environment. To configure security rules:

  1. Navigate to Security → Security Rules
  2. Click Add Rule
  3. Select the ClickHouse database instance
  4. Define rule conditions and actions
  5. Click Save

Rules evaluate against parsed query metadata, enabling precise conditions that reference specific databases, tables, columns, or SQL operations.

Getting Started

To configure DataSunrise for ClickHouse:

  1. Go to Configuration → Databases and click Add Database
  2. Select ClickHouse from the Database Type drop-down
  3. Configure connection parameters including hostname, port, and protocol (Native or HTTP)
  4. Click Test Connection to verify connectivity
  5. Configure proxy settings for client connections
  6. Click Save

Connect through the DataSunrise proxy using clickhouse-client:

clickhouse-client --user <username> --password <password> --host <datasunrise_host> --port <proxy_port>

Or via JDBC for HTTP connections:

jdbc:clickhouse://<datasunrise_host>:<proxy_port>/<database>

ClickHouse support is available now in DataSunrise 11.3. For teams running high-performance analytics, enterprise-grade database security is ready for deployment.

Protect Your Data with DataSunrise

Secure your data across every layer with DataSunrise. Detect threats in real time with Activity Monitoring, Data Masking, and Database Firewall. Enforce Data Compliance, discover sensitive data, and protect workloads across 50+ supported cloud, on-prem, and AI system data source integrations.

Start protecting your critical data today

Request a Demo Download Now

Next

Smarter Data Discovery with AI Score & GPU Speed

Learn More

Need Our Support Team Help?

Our experts will be glad to answer your questions.

General information:
[email protected]
Sales:
[email protected]
Customer Service and Technical Support:
support.datasunrise.com
Partnership and Alliance Inquiries:
[email protected]