Creating a Multi-Layered Secured Postgres Database
•Download as PPTX, PDF•
1 like•2,289 views
Join EDB’s SVP of Product Development and Support, Marc Linster in this webinar, he discusses the process of creating a multi-layered security architecture for your Postgres database. During this session, we will cover: - Aspects of Data Security - Authentication, Authorization & Auditing - Multiple Layers of Security Learn security best practices for managing your Postgres databases.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Creating a Multi-Layered Secured Postgres Database
Similar to Creating a Multi-Layered Secured Postgres Database (20)
More from EDB
More from EDB (20)
Recently uploaded
Recently uploaded (20)
Creating a Multi-Layered Secured Postgres Database
- 1. CONFIDENTIAL © Copyright EnterpriseDB Corporation, 2019. All rights reserved. Marc Linster SVP, Product Development and Support 1 Creating a Multi-layered Security Architecture for Your Postgres Databases
- 2. WHO IS EDB? The world leader in open-source based Postgres software and services 2 • Founded in 2004 • Recognized RDBMS leader by: • Gartner • Forrester • Customer base > 4000 • 300+ employees • Offices worldwide • Largest PostgreSQL community leader
- 3. EDB POSTGRES SOLUTION USE CASES New Applications DevOps, schema-less rapid development, and multiple programming language support Application Modernization Multi-model flexibility and integration with popular data sources Legacy Migration Compatibility with Oracle leverages existing DBA and developer skills 3 Migration to Cloud Flexible deployment options and simple business terms for moving to the cloud Our customers rely on our expertise and solutions to develop new applications, move applications to the cloud, modernize applications, and migrate off legacy databases like Oracle.
- 4. ONLY OPEN SOURCE BASED RDBMS IN GARTNER MQ EDB Recognized 6 Years In A Row on Gartner’s Magic Quadrant 4
- 5. 5 Customers working SMARTER, reducing RISK and being more PRODUCTIVE with EDB. OVER 4,000 CUSTOMERS U.S Customers EMEA Customers APAC Customers 102 of the Fortune 500 337 of the Forbes Global 2000
- 6. EDB OPEN SOURCE LEADERSHIP NAMED EDB OPEN SOURCE COMMITTERS AND CONTRIBUTORS 6 • CORE TEAM • • • • MAJOR CONTRIBUTORS • CONTRIBUTORS Akshay Joshi Amul Sul Ashesh Vashi Dilip Kumar Jeevan Ladhe Mithun Cy Andres Freund Devrim Gündüz Thomas Munro Amit Kapila Bruce Momjian Dave Page Robert Haas Ashutosh Sharma Rushabh Lathia - designates committers
- 8. 8 Aspects of Data Security Data Security Unauthorized access Data corruption Loss of access Data breaches (Un)intentional corruption Hardware failure Operator error Process failure Loss of encryption keys Network failure Disaster recovery Notification and compliance
- 9. 9 Key Concepts: AAA ● Authentication: verify the user is who they claim to be ● Authorization: verify the user is allowed access to the system and the data ● Auditing: record all database activity, including username and time
- 10. 10 KEY CONCEPTS: MULTIPLE BARRIERS ● Secure physical access to the host ● Limited access to the network ● Limited access to the database host ● Limited access to the database application ● Limited access to the data in the database
- 11. 11 DB Host Database files Data base Data base Data baseData access control: • Tables • Columns • Rows • Views • Security barriers DB Server Authentication: • Users • Roles • Password profiles Data Center Physical access Host access DB Server network access File system encryption Data file encryption Data encryption • Column based encryption DML/DDL Auditing SQL Injection Attack Prevention Encryption in transit w. host authentication Data redaction/masking Key Management System MULTIPLE LAYERS OF SECURITY
- 12. 12 MULTIPLE BARRIERS 1. Physical access (locks on doors, cameras, etc.): If a data center is not physically protected, all other data security measures become significantly less valuable. 2. Host access (Operating System controls): Securing access at the host-level ensures no users have unfettered access to the database host. 3. DB Server Network Access: Through Postgres’s hba.conf, connections to the database server can be controlled and limited. 4. File system encryption (through native Linux or third-party solutions): Encrypting the file system protects the files on the drive if the drive is stolen. Third party solutions can also leverage third- party key management systems
- 13. 13 MULTIPLE BARRIERS 5. SQL injection attack prevention: SQL injection attack prevention blocks corruption or co-opting of a database, including unauthorized relations, utility commands, SQL tautology, and unbounded DML. 6. Database authentication: Passwords, LDAP, Keberos, certificates or using operating systems credentials. Database authentication should be tied with overall user management to make sure access credentials get revoked when users leave the business or cease to be customers. 7. Database authorization and access control: Users must be granted permissions to view and work with data in the database. A principle of least privilege should be applied.
- 14. 14 MULTIPLE BARRIERS 9. File system encryption (native Linux or third-party): Encrypting the file system protects the files on the drive if the drive is stolen. Third party solutions can leverage third- party key management systems 10. Data encryption (pgCrypto): If a user gets past file system encryption, they can access a database that’s been logged into. Encrypting data at the column level keeps the database information secure. 11. Auditing: Track and analyze database activities, like the creation, changing, or deletion of data. EDB recommends auditing based on user connections, DDL changes, data changes, and data views. 12. Data redaction: Data redaction shields certain data elements from certain types of users, like Social Security numbers.
- 15. 15 EXAMPLE: DATA REDACTION 15 Username [enterprisedb]: privilegeduser mycompany=> select * from employees; id | name | ssn | phone | birthday ----+--------------+-------------+------------+-------------------- 1 | Sally Sample | 020-78-9345 | 5081234567 | 02-FEB-61 00:00:00 1 | Jane Doe | 123-33-9345 | 6171234567 | 14-FEB-63 00:00:00 1 | Bill Foo | 123-89-9345 | 9781234567 | 14-FEB-63 00:00:00 (3 rows) Username [enterprisedb]: redacteduser mycompany=> select * from employees; id | name | ssn | phone | birthday ----+--------------+-------------+------------+-------------------- 1 | Sally Sample | xxx-xx-9345 | 5081234567 | 02-FEB-02 00:00:00 1 | Jane Doe | xxx-xx-9345 | 6171234567 | 14-FEB-02 00:00:00 1 | Bill Foo | xxx-xx-9345 | 9781234567 | 14-FEB-02 00:00:00 (3 rows)
- 16. 16 ADVANTAGES OF EDB POSTGRES ● SQL Injection Attack Prevention ● Password Profiles: Complexity rules, expiration, etc ● Auditing: DML auditing for INSERT, UPDATE, DELETE, TRUNCATE by user and database, syslog integration, etc. ⇒ Manage audit logs separately from server logs ⇐ ● Data Redaction (EPAS 11)
- 17. 17 Conclusions ● AAA: ○ Authentication ○ Authorization ○ Auditing ● Multi-layered security measures ● Protection and security includes: ○ Physical security ○ Network security ○ Host security ○ Application security ○ Data security
- 18. 18 RESOURCES Webinar: 5 Ways to Make Your PostgreSQL GDPR-ready Blog: Native Data Redaction Capability in EDB Postgres Advanced Server 11 Blog: EDB Postgres Secure Technology Implementation Guide Blog: Managing Roles with Password Profiles: Part 1-3
- 19. Contact Information, info@enterprisedb.com QUESTIONS & DISCUSSION 19