For businesses that handle personal data everyday, the security aspect of their database is of utmost importance.
With an increasing number of hack attacks and frauds, organizations want their open source databases to be fully equipped with the top security features.
2. Ajit G.
Principal Solution Architect, Ashnik
Jayaraj S.
Solution Architect, EnterpriseDB
Nishchay K.
Database Consultant, Ashnik
3. Webinar Covers
• Understanding the criticality of the security aspect in database design and why
Postgres is today’s default choice.
• What security features does Postgres offer to help organizations achieve the
Enterprise level security for their databases?
• Demo: Data redaction and EDB* Wrap (How it secure the business data and logic
inside the database)
4. “The average cost of a security breach has increased to $2.71 million per organization across ASEAN,
with the time taken to identify and contain an attack rising to 287 days.”
-- Channel News Asia, 20th Aug 2020
Business Impact
• Financial Lost/ Revenue Lost.
• Brand Value / Reputation.
• Stock Prices.
• Consumer Trust.
• Customers Turn Over
5. Standards and Techniques
• ISO, PCI DSS, GDPR, PII (Personal
Identifiable Information, HIPAA, PHI)
• AI and Machine Learning based
technique using XDR
• Multi Cloud adoptions
• Zero Trust Authentication /Network
• Focus on IT Security
6. RDBMS Security Techniques
“AAA” Model
• Authentication
• Authorization
• Accounting
Backup & Recovery
Encryption
Data Masking
Tokenization
Deleting and Ensure
8. I will be covering
• Security Model
• Security Features in PostgreSQL
• Security Features in EPAS
• Best Practices
• Demo
9. Security Model
• Secure access is a two step process:
Authentication:
Ensures a user he/she claims to be
Authorization:
Ensures an authenticated user has access to only the data for which he/she has
been granted the appropriate privileges
10. Authentication Methods
• Password: Store password in scram-sha-256 & md5
• Certificate: It use SSL client certificates to perform authentication.
• RADIUS: Use RADIUS server for authentication
• LDAP: It use LDAP as the password verification method
12. Security Features in PostgreSQL
• Row Level Security – Virtual Private Database
• SSL support
• Encryption
Password Encryption
Encryption For Specific Columns
Data Partition Encryption
Encrypting Data Across A Network
• Data Masking
• Audit
pgAudit – Extension
13. Security Features in EPAS
• All Security features of PostgreSQL
• Password Policy
• Code Protection
• SQL Protect
• Encryption
DBMS_CRYPTO
• Data Masking
Data Redaction
• Audit
EDB Audit
14. Password Profile
• Advanced Server allows a database superuser to create named profiles. Each profile
defines rules for password management that augment password and md5
authentication. The rules in a profile can:
Count failed login attempts
Lock an account due to excessive failed login attempts
Mark a password for expiration
Define a grace period after a password expiration
Define rules for password complexity
Define rules that limit password re-use
15. Code Protection
• The EDB*Wrap utility protects proprietary source code and programs (functions, stored
procedures, triggers, and packages) from unauthorized scrutiny.
• The EDB*Wrap program translates a file that contains SPL or PL/pgSQL source code (the
plaintext) into a file that contains the same code in a form that is nearly impossible to
read.
• Once you have the obfuscated form of the code, you can send that code to EPAS and it
will store those programs in obfuscated form.
• edbwrap does not validate SQL source code - if the plaintext form contains a syntax
error, edbwrap will not complain but EPAS will report an error and abort the entire file
when you try to execute the obfuscated form.
16. SQL Protect
• Guards against the various types of SQL injections.
Unauthorized Relations
Utility Commands
SQL Tautology
Unbounded DML Statements
17. Encryption
• DBMS_CRYPTO package provides functions and procedures that allow you to encrypt or
decrypt RAW, BLOB or CLOB data.
• DBMS_CRYPTO functions to generate cryptographically strong random values.
• ENCRYPT function or procedure uses a user-specified algorithm, key, and optional
initialization vector to encrypt RAW, BLOB or CLOB data.
• DECRYPT function or procedure decrypts data using a user-specified cipher algorithm,
key and optional initialization vector.
• HASH function uses a user-specified algorithm to return the hash value of
a RAW or CLOB value.
18. Data Masking
• Data Redaction limits sensitive data exposure by dynamically changing data as it is
displayed for certain users.
• Data redaction is implemented by defining a function for each field to which redaction is
to be applied. The function returns the value that should be displayed to the users
subject to the data redaction.
• For example, bank account numbers as XXXXXX1235
• Supports DBMS_REDACT package
19. Auditing
• Advanced Server allows database and security administrators, auditors, and operators
to track and analyze database activities using the EDB Audit Logging functionality.
• EDB Audit Logging generates audit log files, which contains all of the relevant
information.
The audit logs can be configured to record information such as:
When a role establishes a connection to an Advanced Server database
What database objects a role creates, modifies, or deletes when connected to Advanced
Server
When any failed authentication attempts occur
• Audit parameters specified in the configuration
files, postgresql.conf or postgresql.auto.conf, control the information included in the
audit logs.
• EDB Audit files/logs can be generate in CSV or XML format
20. Best Practices
• Avoid to use default values
Change default port
Use non-default name for superuser. Can be specified during initdb
By default, each new database has connect privileges to public schema
o Revoke connect on my_db from public;
o Grant connect to my_db to my_app_user;
• Control who can connect from where
• Configure pg_hba.conf effectively
• Avoid to use 0.0.0.0/0
• Avoid “trust” authentication
• Allow DBAs to use their personal user_id (Ex. DBA Nishchay need to use user
“nishchay”)
• Application user should not have superuser privileges
21. Best Practices
• Password policy should be implemented
• Use connection timeout, logging of connection & disconnection with duration
• Use Grant & Revoke appropriately to control the access
• Sensitive data should be masked
• Apply patch on Time