Join EDB’s SVP of Product Development and Support, Marc Linster in this webinar, he discusses the process of creating a multi-layered security architecture for your Postgres database.
During this session, we will cover:
- Aspects of Data Security
- Authentication, Authorization & Auditing
- Multiple Layers of Security
Learn security best practices for managing your Postgres databases.
2. WHO IS EDB?
The world leader in
open-source based Postgres
software and services
2
• Founded in 2004
• Recognized RDBMS leader by:
• Gartner
• Forrester
• Customer base > 4000
• 300+ employees
• Offices worldwide
• Largest PostgreSQL
community leader
3. EDB POSTGRES SOLUTION USE CASES
New Applications
DevOps, schema-less rapid development, and
multiple programming language support
Application Modernization
Multi-model flexibility and integration with popular
data sources
Legacy Migration
Compatibility with Oracle leverages existing
DBA
and developer skills
3
Migration to Cloud
Flexible deployment options and simple
business terms
for moving to the cloud
Our customers rely on our expertise and solutions to develop new
applications, move applications to the cloud, modernize applications,
and migrate off legacy databases like Oracle.
5. 5
Customers working SMARTER, reducing RISK and being more PRODUCTIVE with EDB.
OVER 4,000 CUSTOMERS
U.S Customers
EMEA Customers APAC Customers
102
of the
Fortune 500
337
of the Forbes
Global 2000
6. EDB OPEN SOURCE LEADERSHIP
NAMED EDB OPEN SOURCE COMMITTERS AND CONTRIBUTORS
6
• CORE TEAM
• • •
• MAJOR CONTRIBUTORS • CONTRIBUTORS
Akshay
Joshi
Amul
Sul
Ashesh
Vashi
Dilip
Kumar
Jeevan
Ladhe
Mithun
Cy
Andres
Freund
Devrim
Gündüz
Thomas
Munro
Amit
Kapila
Bruce
Momjian
Dave
Page
Robert
Haas
Ashutosh
Sharma
Rushabh
Lathia
- designates committers
8. 8
Aspects of Data Security
Data
Security
Unauthorized
access
Data
corruption
Loss of
access
Data breaches
(Un)intentional corruption
Hardware failure
Operator error
Process failure
Loss of encryption keys
Network failure
Disaster recovery
Notification and compliance
9. 9
Key Concepts: AAA
● Authentication: verify the user is who they claim to be
● Authorization: verify the user is allowed access to the
system and the data
● Auditing: record all database activity, including username
and time
10. 10
KEY CONCEPTS: MULTIPLE BARRIERS
● Secure physical access to the host
● Limited access to the network
● Limited access to the database host
● Limited access to the database application
● Limited access to the data in the database
11. 11
DB Host
Database files
Data
base
Data
base
Data
baseData access control:
• Tables
• Columns
• Rows
• Views
• Security barriers
DB Server
Authentication:
• Users
• Roles
• Password profiles
Data Center Physical access
Host access
DB Server network
access
File system encryption
Data file encryption
Data encryption
• Column based
encryption
DML/DDL Auditing
SQL Injection Attack
Prevention
Encryption in transit w.
host authentication
Data
redaction/masking
Key
Management
System
MULTIPLE LAYERS OF SECURITY
12. 12
MULTIPLE BARRIERS
1. Physical access (locks on doors, cameras, etc.): If a data center is
not physically protected, all other data security measures become
significantly less valuable.
2. Host access (Operating System controls): Securing access at the
host-level ensures no users have unfettered access to the database
host.
3. DB Server Network Access: Through Postgres’s hba.conf,
connections to the database server can be controlled and limited.
4. File system encryption (through native Linux or third-party
solutions): Encrypting the file system protects the files on the drive if
the drive is stolen. Third party solutions can also leverage third- party
key management systems
13. 13
MULTIPLE BARRIERS
5. SQL injection attack prevention: SQL injection attack prevention
blocks corruption or co-opting of a database, including unauthorized
relations, utility commands, SQL tautology, and unbounded DML.
6. Database authentication: Passwords, LDAP, Keberos, certificates or
using operating systems credentials. Database authentication should
be tied with overall user management to make sure access credentials
get revoked when users leave the business or cease to be customers.
7. Database authorization and access control: Users must be
granted permissions to view and work with data in the database.
A principle of least privilege should be applied.
14. 14
MULTIPLE BARRIERS
9. File system encryption (native Linux or third-party): Encrypting the
file system protects the files on the drive if the drive is stolen. Third
party solutions can leverage third- party key management systems
10. Data encryption (pgCrypto): If a user gets past file system
encryption, they can access a database that’s been logged into.
Encrypting data at the column level keeps the database information
secure.
11. Auditing: Track and analyze database activities, like the creation,
changing, or deletion of data. EDB recommends auditing based on
user connections, DDL changes, data changes, and data views.
12. Data redaction: Data redaction shields certain data elements from
certain types of users, like Social Security numbers.
15. 15
EXAMPLE: DATA REDACTION
15
Username [enterprisedb]: privilegeduser
mycompany=> select * from employees;
id | name | ssn | phone | birthday
----+--------------+-------------+------------+--------------------
1 | Sally Sample | 020-78-9345 | 5081234567 | 02-FEB-61 00:00:00
1 | Jane Doe | 123-33-9345 | 6171234567 | 14-FEB-63 00:00:00
1 | Bill Foo | 123-89-9345 | 9781234567 | 14-FEB-63 00:00:00
(3 rows)
Username [enterprisedb]: redacteduser
mycompany=> select * from employees;
id | name | ssn | phone | birthday
----+--------------+-------------+------------+--------------------
1 | Sally Sample | xxx-xx-9345 | 5081234567 | 02-FEB-02 00:00:00
1 | Jane Doe | xxx-xx-9345 | 6171234567 | 14-FEB-02 00:00:00
1 | Bill Foo | xxx-xx-9345 | 9781234567 | 14-FEB-02 00:00:00
(3 rows)
16. 16
ADVANTAGES OF EDB POSTGRES
● SQL Injection Attack Prevention
● Password Profiles: Complexity rules, expiration, etc
● Auditing: DML auditing for INSERT, UPDATE, DELETE, TRUNCATE
by user and database, syslog integration, etc.
⇒ Manage audit logs separately from server logs ⇐
● Data Redaction (EPAS 11)
18. 18
RESOURCES
Webinar: 5 Ways to Make Your PostgreSQL GDPR-ready
Blog: Native Data Redaction Capability in EDB Postgres Advanced Server 11
Blog: EDB Postgres Secure Technology Implementation Guide
Blog: Managing Roles with Password Profiles: Part 1-3