The Internet is not a SAFE place. PERIOD!
Well, YOU can make it Safer!
At OpenSource DB, we took the standard DBA processes and turned them into safe, best-practice processes. Read on to know more.
Below are some of the processes that can be implemented as database safety measures:
- CIS Benchmarking for Postgres
- DB security practices for DBA/Developer/DevOps
- Whitelisting and blacklisting (yes, you read it correctly) of user connections
- Kerberos authentication
CIS Benchmarking for Postgres
Each CIS benchmark goes through two phases of consensus review:
- Initial benchmark development by the community of subject-matter experts
- Publication of the benchmark after community review
The benchmark's recommendations are broadly grouped into the following sections:
- PostgreSQL Installation and Patches
- Directory and File Permissions
- Overall Logging And Audit Trail
- PostgreSQL User management and Authorization
- PostgreSQL parameters and configuration
- Replication and Special considerations
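As an added example (not from this post and not the CIS benchmark's own text or tooling), the following Python script parses a postgresql.conf fragment and checks a handful of parameters against values chosen here to reflect the "Logging and Audit Trail" and "Parameters and configuration" sections above. The sample configuration and the expected values are this example's assumptions; the parser handles the quoting rules of postgresql.conf (single quotes with '' as the escaped quote, '#' comments, commented-out lines) but not include directives.

```python
"""Parse a postgresql.conf fragment and audit it against a few CIS-style
expectations.  Added example; the sample configuration and the expected
values are assumptions of this example, not text from the CIS benchmark."""
import re

# Constructed postgresql.conf fragment (not from a real server).
SAMPLE_CONF = """
# constructed sample: mixture of good and bad settings
listen_addresses = '*'
port = 5432
ssl = off                        # TLS not enabled
password_encryption = md5        # pre-14 default, deprecated hash
#logging_collector = on          # commented out: compiled-in default applies
log_connections = off
log_disconnections = on
log_line_prefix = '%m [%p] %q%u@%d '
log_statement = 'ddl'
"""

# parameter -> (expected value, why).  Chosen to mirror the benchmark sections
# "Logging and Audit Trail" and "Parameters and configuration"; assumption of this example.
EXPECTATIONS = {
    "ssl": ("on", "encrypt client connections"),
    "password_encryption": ("scram-sha-256", "md5 hashes are deprecated"),
    "logging_collector": ("on", "capture the server log to files"),
    "log_connections": ("on", "audit trail of who connected"),
    "log_disconnections": ("on", "audit trail of session end"),
}

# postgresql.conf accepts several spellings for booleans.
_BOOL = {"on": "on", "true": "on", "yes": "on", "1": "on",
         "off": "off", "false": "off", "no": "off", "0": "off"}

# name, optional '=', rest of line.  'include' directives are not handled here.
_LINE_RE = re.compile(r"^([A-Za-z_][\w.]*)\s*=?\s*(.*)$")


def _parse_value(rest):
    """Return the value part of a setting: a single-quoted string (with ''
    as the escaped quote, '#' allowed inside) or a bare token up to a comment."""
    rest = rest.strip()
    if not rest.startswith("'"):
        return rest.split("#", 1)[0].strip()
    out, i = [], 1
    while i < len(rest):
        ch = rest[i]
        if ch == "'":
            if rest[i + 1:i + 2] == "'":  # doubled quote inside the string
                out.append("'")
                i += 2
                continue
            return "".join(out)
        out.append(ch)
        i += 1
    raise ValueError(f"unterminated quoted value: {rest}")


def parse_postgresql_conf(text):
    """Map parameter names to their raw string values.  Commented-out lines are
    skipped (the compiled-in default then applies); a later duplicate wins, as in
    PostgreSQL itself."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse line: {raw!r}")
        settings[m.group(1).lower()] = _parse_value(m.group(2))
    return settings


def audit_settings(settings, expectations=EXPECTATIONS):
    """Return (parameter, actual, expected, reason) for every expectation that is
    not met.  A parameter that is not set explicitly is reported too, because the
    default depends on the server version and must be verified by hand."""
    findings = []
    for key, (want, why) in expectations.items():
        have = settings.get(key)
        if have is None:
            findings.append((key, None, want, f"not set explicitly; verify the default ({why})"))
            continue
        actual = have.lower()
        if want in ("on", "off"):
            actual = _BOOL.get(actual, actual)
        if actual != want:
            findings.append((key, have, want, why))
    return findings


if __name__ == "__main__":
    for key, have, want, why in audit_settings(parse_postgresql_conf(SAMPLE_CONF)):
        print(f"{key}: have {have!r}, want {want!r} ({why})")
```

Run against the sample it reports ssl, password_encryption, log_connections as wrong and logging_collector as not set; log_disconnections passes. On a live server the same checks are better run against pg_settings, which reflects the effective value after all config sources are applied, but the file-level check catches drift in configuration you deploy.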
DB security practices for DBA/Developer/DevOps
Database security is addressed at several levels:
Clear classification of access controls: database file protection. The data directory and every file in it are readable only by the operating-system account that runs the server (normally postgres); PostgreSQL refuses to start if the directory is world-readable, so do not loosen those permissions. Apply the same principle of least privilege to database roles.
credcheck from MigOps: the credcheck PostgreSQL extension provides general credential checks (minimum username and password length, required character classes and similar rules), which are evaluated during user creation, password change and user renaming.
Database encryption at rest and in transit: TLS is the starting point for in-transit protection, and it should cover every connection. PostgreSQL has no built-in transparent data encryption, so encryption at rest relies on filesystem or volume encryption, with extensions such as pgcrypto for column-level encryption of specific values. The anon extension (PostgreSQL Anonymizer) does not encrypt data; it masks or anonymizes it, which complements encryption when data leaves production.
Classification of PII, PHI and sensitive data: adhere to the applicable compliance standards, know your dataset, and audit it continuously.
Test dataset vs production dataset: test environments must "never ever" contain real production data. Instead, create synthetic or anonymized datasets so that testing still runs on realistic data.
Constant monitoring: continuous monitoring of connections, failed logins and privilege changes lets you identify compromised accounts quickly.
Whitelisting and Blacklisting User connections
HBA stands for host-based authentication. The pg_hba.conf file is a set of records, one per line, and PostgreSQL applies the first record that matches the connection type, database, user and client address; a connection that matches no record is rejected.
Below is an example of whitelisting and blacklisting a user. It allows a password login for one specific user from one specific LAN/WAN IP and explicitly rejects a known user/address; with nothing else in the file, only this user and postgres can connect.
# TYPE  DATABASE  USER       ADDRESS           METHOD
# DBA admin login over the Unix-domain socket
local   all       postgres                     peer
# IPv4 connection for one trusted user from one trusted address
host    all       YOUR_USER  [USER_IP]/32      md5
# explicit reject for a known-bad user/address
host    all       bad-guy    [bad-guy-ip]/32   reject
Two caveats. Because evaluation stops at the first match, a reject record only has an effect if it comes before a broader allow record that would otherwise match, so place rejects first. And md5 is a deprecated method; prefer scram-sha-256, which has been the default for password_encryption since PostgreSQL 14.
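As an added example (not from this post), the following Python script parses a pg_hba.conf file in the shape of the example above, replays PostgreSQL's first-match rule for a given connection, and flags weak methods, any-address allows and records that an earlier record makes unreachable. The sample file, the user names and the addresses (documentation ranges) are constructed for this example, and it deliberately includes an over-broad md5 catch-all to show why record order and scope matter.

```python
"""Replay PostgreSQL's first-match evaluation of pg_hba.conf and flag weak or
unreachable records.  Added example, not from the post; the sample file below is
constructed and uses documentation IP ranges."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed pg_hba.conf modelled on the whitelist/blacklist example above, plus a
# deliberately over-broad catch-all that the audit should complain about.
SAMPLE_HBA = """
# TYPE  DATABASE  USER       ADDRESS           METHOD
local   all       postgres                     peer
host    all       bad-guy    203.0.113.9/32    reject
host    all       app_user   198.51.100.7/32   scram-sha-256
host    all       all        0.0.0.0/0         md5
host    all       reporting  10.0.0.0/8        scram-sha-256
"""

# trust = no authentication, password = cleartext on the wire, md5 = deprecated hash
WEAK_METHODS = {"trust", "password", "md5"}
TCP_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}


@dataclass
class HbaRule:
    lineno: int
    conn_type: str
    database: str
    user: str
    address: ipaddress.IPv4Network | ipaddress.IPv6Network | None  # None for local
    method: str


def parse_hba(text):
    """Parse records whose address is in CIDR form.  Hostnames, the separate
    IP/mask form, @file and +group names, and method options are out of scope."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local" and len(f) == 4:
            rules.append(HbaRule(lineno, f[0], f[1], f[2], None, f[3]))
        elif f[0] in TCP_TYPES and len(f) == 5:
            net = ipaddress.ip_network(f[3], strict=False)
            rules.append(HbaRule(lineno, f[0], f[1], f[2], net, f[4]))
        else:
            raise ValueError(f"line {lineno}: unsupported record {raw!r}")
    return rules


def _name_matches(field, value):
    # "all" matches everything; otherwise a comma-separated list of names
    return field == "all" or value in field.split(",")


def first_match(rules, conn_type, database, user, client_ip=None):
    """Return the first record PostgreSQL would apply, or None (no match means
    the connection is rejected).  conn_type is 'local' or 'host'; the
    hostssl/hostnossl distinction is not modelled."""
    ip = ipaddress.ip_address(client_ip) if client_ip else None
    for r in rules:
        if r.conn_type == "local":
            if conn_type != "local":
                continue
        elif conn_type == "local" or ip is None or ip not in r.address:
            continue
        if _name_matches(r.database, database) and _name_matches(r.user, user):
            return r
    return None


def _covers(outer, inner):
    if outer == "all":
        return True
    if inner == "all":
        return False
    return set(inner.split(",")) <= set(outer.split(","))


def _shadows(earlier, later):
    """True if every connection 'later' could match is already caught by 'earlier'."""
    if not (_covers(earlier.database, later.database) and _covers(earlier.user, later.user)):
        return False
    if earlier.conn_type == "local" or later.conn_type == "local":
        return earlier.conn_type == later.conn_type
    return (earlier.address.version == later.address.version
            and later.address.subnet_of(earlier.address))


def audit(rules):
    """Return (lineno, message) findings: weak methods, any-address allows,
    and records that can never be reached because an earlier one shadows them."""
    findings = []
    for i, r in enumerate(rules):
        if r.method in WEAK_METHODS:
            findings.append((r.lineno, f"weak method {r.method}"))
        if r.address is not None and r.address.prefixlen == 0 and r.method != "reject":
            findings.append((r.lineno, "allows connections from any address"))
        for earlier in rules[:i]:
            if _shadows(earlier, r):
                findings.append((r.lineno, f"unreachable, shadowed by line {earlier.lineno}"))
                break
    return findings


if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for lineno, msg in audit(rules):
        print(f"line {lineno}: {msg}")
    hit = first_match(rules, "host", "appdb", "reporting", "10.1.2.3")
    print(f"reporting@10.1.2.3 -> line {hit.lineno} ({hit.method})")
```

On the sample, the audit reports the all/0.0.0.0/0 md5 record as weak and over-broad and the reporting record after it as unreachable, and first_match shows that a reporting user from 10.1.2.3 is authenticated by the md5 catch-all rather than the stricter record below it. It also shows that the reject for bad-guy only applies from 203.0.113.9; the same user from any other address falls through to the catch-all, so an address-scoped reject is not a user blacklist.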
Kerberos authentication
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos is an industry-standard secure authentication system suitable for distributed computing over a public network.
In PostgreSQL, Kerberos logins are configured with the gss authentication method in pg_hba.conf. Here is a reference article from AWS on Connecting to PostgreSQL with Kerberos authentication.
How does OpenSource DB ensure the Safety of Customer data?
We at OSDB, a pioneer in open-source database services, understand the importance of our customers' data, and safeguarding it is our top priority.
Our quest for continuous safety is backed by being:
"GDPR compliant and an ISO 27001:2013 compliant company"
Talk to us to know more about Safer DBA practices.
Also, we’re presenting at the PG Conf India Feb 22 – 24 2023, come to say Hi to us!
Till then, Be Safe!!!