postgres_data_security_2017
1. Securing Data in Postgres
Payal Singh
@pallureshu
OmniTI Computer Consulting
https://omniti.com
2. Agenda
Host Based Authentication
Access Control Lists
Row-Level Security
SSL/TLS
Auditing
Encryption
PCI Compliance
Upcoming Features in pg10
Desired Features
9. ACL
Access Control List
“list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.”
GRANT - define access privileges
REVOKE - revoke access privileges
https://www.postgresql.org/docs/current/static/sql-grant.html
15. ACL
Roles and role membership
A role has privileges of all roles it is a member of
16. ACL
SET DEFAULT PRIVILEGES
ALTER DEFAULT PRIVILEGES IN SCHEMA <schema_name> GRANT <privilege> ON TABLES TO <role>;
Only applies to objects created in future
17. ACL
USAGE:
Roles must have usage on schema to access tables, functions
Usage on public schema granted by default to public role
Usage granted by default on all roles in MySQL
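The two ACL slides above (default privileges, schema USAGE) as an added psql session, not part of the original slides. The schema `app`, the roles `app_owner` and `reporting`, and the table names are hypothetical, and the session assumes a superuser connection to a scratch database.

```sql
-- Added example; every object name here is hypothetical.
-- Run as a superuser in a scratch database. ROLLBACK at the end discards it all.
BEGIN;

CREATE ROLE app_owner NOLOGIN;
CREATE ROLE reporting NOLOGIN;
CREATE SCHEMA app AUTHORIZATION app_owner;

-- Default privileges are recorded per creating role, so set them as the role
-- that will create the tables (or use ALTER DEFAULT PRIVILEGES FOR ROLE ...).
SET LOCAL ROLE app_owner;

-- Table that already exists when the default is defined.
CREATE TABLE app.orders_old (id int PRIMARY KEY);

ALTER DEFAULT PRIVILEGES IN SCHEMA app GRANT SELECT ON TABLES TO reporting;

-- Table created after the default is defined.
CREATE TABLE app.orders_new (id int PRIMARY KEY);

RESET ROLE;

-- Audit: what can "reporting" actually reach at this point?
SELECT has_schema_privilege('reporting', 'app', 'USAGE')            AS schema_usage,
       has_table_privilege('reporting', 'app.orders_old', 'SELECT') AS old_table_select,
       has_table_privilege('reporting', 'app.orders_new', 'SELECT') AS new_table_select;

-- Close both gaps: schema USAGE is a separate grant, and tables that
-- pre-date the default need an explicit grant of their own.
GRANT USAGE ON SCHEMA app TO reporting;
GRANT SELECT ON ALL TABLES IN SCHEMA app TO reporting;

-- Same audit after the explicit grants.
SELECT has_schema_privilege('reporting', 'app', 'USAGE')            AS schema_usage,
       has_table_privilege('reporting', 'app.orders_old', 'SELECT') AS old_table_select,
       has_table_privilege('reporting', 'app.orders_new', 'SELECT') AS new_table_select;

-- The recorded defaults live in pg_default_acl (psql shows them with \ddp).
SELECT defaclrole::regrole           AS creating_role,
       defaclnamespace::regnamespace AS in_schema,
       defaclobjtype, defaclacl
FROM pg_default_acl;

ROLLBACK;
```

In the first audit query only the table created after ALTER DEFAULT PRIVILEGES reports SELECT, and schema USAGE is absent until it is granted explicitly.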
21. RLS
User-based or command-based row level access restrictions
Disabled by default
Exceptions - TRUNCATE, REFERENCES
Not a SQL Standard
Watch for performance improvements in pg10!
25. RLS
With multiple policies, access is granted if any one or more of the policies allow it (OR)
Referential integrity checks - covert channel leaks should be avoided
Race conditions - e.g. SELECT … FOR UPDATE
Solutions - SELECT … FOR SHARE; Exclusive locks on referenced table
28. SSL/TLS
Requirement: OpenSSL
At build time: --with-openssl
Authentication without encryption overhead: NULL-SHA or NULL-MD5
Not recommended: less secure
Encryption overhead is minimal compared to authentication overhead
Certificate file permissions must be 600
Restart required for certs change
49. Desired
Data Redaction
Active Directory support
Oracle TDE - key management
http://www.oracle.com/technetwork/database/security/twp-transparent-data-encryption-bes-130696.pdf
SHOW GRANTS