Safer Internet Day – The Postgres Way

The Internet is not a SAFE place. PERIOD!
Well, YOU can make it Safer!

At OpenSource DB, we took the standard DBA processes and turned them into Safe & Best practices. Read on to know more:

Below are some processes that can be implemented as Database safety measures.

  • CIS Benchmarking for Postgres
  • DB security practices for DBA/Developer/DevOps
  • Whitelisting and blacklisting (yes, you read it correctly) of user connections
  • Kerberos authentication

CIS Benchmarking for Postgres

Each CIS benchmark undergoes two phases of consensus review:

  • Initial benchmark development
  • Publish benchmark after review

The Benchmark tests are broadly classified into the following:

  • PostgreSQL Installation and Patches
  • Directory and File Permissions
  • Overall Logging And Audit Trail
  • PostgreSQL User management and Authorization
  • PostgreSQL parameters and configuration
  • Replication and Special considerations

DB security practices for DBA/Developer/DevOps

Database security is addressed at several levels:

Clear classification of access controls: Database file protection. Every file under the data directory is owned by the operating-system account the server runs as (usually postgres) and is readable by no other OS account; the server refuses to start if the directory's permissions are looser than initdb set (0700, or 0750 with group read on PostgreSQL 11 and later). That OS account is separate from database roles: a database superuser is not needed for day-to-day application work, so give application and human roles only the privileges they need and nothing more. Be vigilant about enforcing the principle of least privilege.
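As an added example (not from the original post, and not OSDB's own scripts), a least-privilege role layout for one application database. The database and role names (appdb, app_ro, app_rw, svc_reporting, svc_api) are placeholders; run it as a superuser or the database owner:

```sql
-- Added example: least-privilege role layout. Names are placeholders.

-- 1. Stop every login role from creating objects in the public schema
--    (PostgreSQL 15+ already revokes this by default) and from connecting
--    to the database unless explicitly granted.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON DATABASE appdb FROM PUBLIC;

-- 2. Privilege-holding group roles that nobody logs in as.
CREATE ROLE app_ro NOLOGIN;
CREATE ROLE app_rw NOLOGIN;
GRANT CONNECT ON DATABASE appdb TO app_ro, app_rw;
GRANT USAGE ON SCHEMA public TO app_ro, app_rw;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO app_ro;
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO app_rw;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO app_rw;

-- 3. Tables created later by the current role follow the same rules.
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT ON TABLES TO app_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA public
    GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO app_rw;

-- 4. Login roles hold no privileges of their own; they only inherit.
--    Connection limits and expiry bound the damage of a leaked credential.
CREATE ROLE svc_reporting LOGIN PASSWORD 'change-me' IN ROLE app_ro
    CONNECTION LIMIT 10 VALID UNTIL '2024-12-31';
CREATE ROLE svc_api LOGIN PASSWORD 'change-me' IN ROLE app_rw
    CONNECTION LIMIT 50;

-- 5. Checks: only postgres should be a superuser, and the service roles
--    should carry no direct table grants (expect zero rows).
SELECT rolname FROM pg_roles WHERE rolsuper;
SELECT grantee, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee IN ('svc_reporting', 'svc_api');
```

The point of the two-layer design is that privileges are reviewed on two NOLOGIN roles rather than on every service account, and a compromised login role can be dropped or expired without touching any grant.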

credcheck from MigOps: The credcheck PostgreSQL extension adds credential checks (minimum length, required character classes, forbidden substrings, and similar) that are evaluated during user creation, password change, and user renaming.
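As an added example (not from the original post and not MigOps' own documentation), a policy enforced with credcheck. The parameter names follow the credcheck documentation as I know it; the values are choices for this example, and both should be checked against the version you install. Using ALTER SYSTEM here is my choice; editing postgresql.conf directly is equivalent:

```sql
-- Added example: password policy with credcheck. Values are illustrative.

-- credcheck hooks role creation and password changes, so it must be preloaded.
-- This overwrites any existing shared_preload_libraries list; append instead
-- if other libraries are already loaded. Takes effect after a server restart.
ALTER SYSTEM SET shared_preload_libraries = 'credcheck';

-- Policy: 12+ characters with upper, lower, digit and symbol, no obvious words,
-- and usernames of at least 4 characters.
ALTER SYSTEM SET credcheck.password_min_length  = 12;
ALTER SYSTEM SET credcheck.password_min_upper   = 1;
ALTER SYSTEM SET credcheck.password_min_lower   = 1;
ALTER SYSTEM SET credcheck.password_min_digit   = 1;
ALTER SYSTEM SET credcheck.password_min_special = 1;
ALTER SYSTEM SET credcheck.password_not_contain = 'password,postgres,qwerty';
ALTER SYSTEM SET credcheck.username_min_length  = 4;

-- ... restart the server, then (assumption: the extension object is only
-- needed for the password-history features; the checks come from the library):
CREATE EXTENSION IF NOT EXISTS credcheck;

-- Rejected: shorter than 12 characters and missing required classes.
CREATE ROLE app_user LOGIN PASSWORD 'app1';

-- Accepted.
CREATE ROLE app_user LOGIN PASSWORD 'Xq9!vT2m#Lp4wZ';

-- Confirm what the running server actually enforces.
SELECT name, setting FROM pg_settings WHERE name LIKE 'credcheck.%';
```

One caveat a practitioner should know: server-side checks only see cleartext passwords. A client that hashes the password before sending it (psql's \password on current releases sends a SCRAM verifier) bypasses every rule here, so the policy has to be enforced in the provisioning path as well.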

Database Encryption At Rest & In-Transit: Encrypt every client connection with TLS (PostgreSQL's parameters still spell it "ssl") and require it in pg_hba.conf rather than merely allowing it. For data at rest, pgcrypto gives column-level encryption inside the database, on top of whatever volume or disk encryption the host provides. The anon extension (PostgreSQL Anonymizer) masks or anonymizes data rather than encrypting it, which makes it the right tool for the test-dataset point below.
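As an added example (not from the original post), both layers in one script: TLS for TCP clients, then symmetric column encryption with pgcrypto. The certificate paths, table, and the key string are placeholders; in practice the key comes from the application or a KMS, never from a literal in a script:

```sql
-- Added example: TLS in transit plus pgcrypto at rest. Paths/keys are placeholders.

-- (a) In transit. The key file must be readable only by the postgres OS user
--     (mode 0600, or root-owned 0640) or the server refuses to load it.
ALTER SYSTEM SET ssl = on;
ALTER SYSTEM SET ssl_cert_file = '/etc/postgresql/tls/server.crt';
ALTER SYSTEM SET ssl_key_file  = '/etc/postgresql/tls/server.key';
ALTER SYSTEM SET ssl_ca_file   = '/etc/postgresql/tls/ca.crt';  -- only for client certs
ALTER SYSTEM SET ssl_min_protocol_version = 'TLSv1.2';
SELECT pg_reload_conf();   -- ssl settings apply on reload, no restart needed

-- Verify from a client session that the connection really is encrypted.
SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();

-- (b) At rest, per column. Only the ciphertext is ever stored.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE TABLE customer (
    id      bigserial PRIMARY KEY,
    email   text  NOT NULL,
    ssn_enc bytea NOT NULL          -- no plaintext column exists
);

-- The passphrase is supplied per statement; log_statement must not capture it.
INSERT INTO customer (email, ssn_enc)
VALUES ('alice@example.com',
        pgp_sym_encrypt('123-45-6789', 'k3y-from-kms', 'cipher-algo=aes256'));

-- Authorised read: decrypt with the key.
SELECT email, pgp_sym_decrypt(ssn_enc, 'k3y-from-kms') AS ssn
FROM customer WHERE email = 'alice@example.com';

-- Anyone who reads the table, a dump, or the data files without the key
-- sees only opaque bytes.
SELECT email, encode(ssn_enc, 'hex') AS ssn_ciphertext FROM customer;
```

Pair (a) with hostssl rather than host records in pg_hba.conf so a plaintext TCP connection never matches a rule. Column encryption protects against file and backup theft; it does not protect against a superuser watching statements, so keep statement logging off for these queries and keep key handling outside the database.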

Classification of PII PHI and Sensitive data: Adhering to compliance standards, knowing your dataset, and continuous audits are good practices.

Test dataset vs Production dataset: Test environments should never contain real production data. Instead, create synthetic or anonymized datasets so that testing still runs against realistic data.

Constant Monitoring: Connection and authentication logging, plus regular review of active sessions (unexpected source addresses, unusual hours, superuser use over the network), lets you identify a compromised account quickly.
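As an added example (not from the original post), the logging settings that make connections visible in the server log, and one pg_stat_activity query that flags sessions from outside an expected set of subnets or superuser sessions arriving over TCP. The subnets are placeholders:

```sql
-- Added example: connection logging and a session review query. Subnets are placeholders.

-- Log every session start and end with its source; failed authentication is
-- logged at FATAL by default, so it appears regardless of these settings.
ALTER SYSTEM SET log_connections    = on;
ALTER SYSTEM SET log_disconnections = on;
-- time, pid, user@database, remote host:port
ALTER SYSTEM SET log_line_prefix = '%m [%p] %u@%d %r ';
SELECT pg_reload_conf();

-- Live review: client sessions whose source address is outside the expected
-- networks, or superuser sessions that did not come in over the local socket
-- (client_addr IS NULL for Unix-socket connections).
SELECT a.usename, a.client_addr, a.application_name, a.backend_start, a.state
FROM pg_stat_activity a
JOIN pg_roles r ON r.rolname = a.usename
WHERE a.backend_type = 'client backend'
  AND (
        (a.client_addr IS NOT NULL
         AND NOT (a.client_addr <<= ANY (ARRAY['10.20.30.0/24'::inet,
                                               '10.20.40.0/24'::inet])))
     OR (r.rolsuper AND a.client_addr IS NOT NULL)
      )
ORDER BY a.backend_start;

-- Roles close to their connection limit are worth a look too (credential reuse).
SELECT r.rolname, r.rolconnlimit, count(a.pid) AS active
FROM pg_roles r
LEFT JOIN pg_stat_activity a ON a.usename = r.rolname
WHERE r.rolcanlogin AND r.rolconnlimit > 0
GROUP BY r.rolname, r.rolconnlimit
HAVING count(a.pid) >= r.rolconnlimit * 0.8;
```

Run the review query from a monitoring job rather than by hand; the log lines it complements are what you will need later for forensics, so ship them off the host.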

Whitelisting and Blacklisting User connections

HBA stands for host-based authentication. pg_hba.conf is a set of records, one per line, each with the fields TYPE, DATABASE, USER, ADDRESS and METHOD. Records are checked from top to bottom and the first one whose type, database, user and source address match the incoming connection decides the authentication method; if no record matches, the connection is refused.

Below is an example of whitelisting and blacklisting a user. It allows password-authenticated connections for one specific user from one specific LAN/WAN IP and explicitly rejects a known-bad user and address. Only that user (over TCP) and postgres (over the local Unix socket) can connect; every other combination matches nothing and is refused.

# TYPE  DATABASE  USER       ADDRESS           METHOD
# DBA admin login over the Unix domain socket
local   all       postgres                     peer
# IPv4 connection for one user from one address
host    all       YOUR_USER  [USER_IP]/32      md5
# IPv4 connection for a known-bad user and address: refuse outright
host    all       bad-guy    [bad-guy-ip]/32   reject

Notes: the ADDRESS field needs a CIDR mask (/32 for a single IPv4 host). md5 is the legacy password method; on current releases use scram-sha-256 (set password_encryption = 'scram-sha-256' and reset passwords) and hostssl instead of host so only TLS connections match. Because an unmatched connection is already refused, a reject record only changes behaviour when it sits above a broader allow record it is meant to override. HBA changes take effect after a configuration reload (pg_ctl reload, or SELECT pg_reload_conf(); as a superuser); query pg_hba_file_rules afterwards to catch records that failed to parse.
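As an added example (not from the original post), a hardened version of the same idea with the ordering made explicit. The subnets are RFC 5737/RFC 1918 placeholders and the database and role names are made up:

```conf
# Added example pg_hba.conf. Addresses and names are placeholders.
# Records are evaluated top to bottom; the first match decides, so deny
# records must come before any broader allow record they should override.
#
# TYPE      DATABASE     USER        ADDRESS            METHOD

# Local admin only over the Unix socket, authenticated by OS identity.
local       all          postgres                       peer

# Known-bad source network: refuse before anything else can match it,
# whether or not the client offers TLS.
hostssl     all          all         203.0.113.0/24     reject
hostnossl   all          all         203.0.113.0/24     reject

# Application user: TLS only, SCRAM, from the application subnet only.
hostssl     appdb        app_user    10.20.30.0/24      scram-sha-256

# Streaming replication from one named standby.
hostssl     replication  replicator  10.20.30.5/32      scram-sha-256

# Plaintext TCP from anywhere is refused explicitly rather than implicitly.
hostnossl   all          all         0.0.0.0/0          reject
hostnossl   all          all         ::/0               reject
```

After editing, reload (SELECT pg_reload_conf(); or pg_ctl reload) and run SELECT line_number, error FROM pg_hba_file_rules WHERE error IS NOT NULL; a record with a typo is silently skipped at match time, which usually means a tighter lockout than intended, but it can also mean a reject you relied on is not there.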

Kerberos authentication

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos is an industry-standard secure authentication system suitable for distributed computing over a public network.

Here’s a reference article on AWS that talks about Connecting to PostgreSQL with Kerberos authentication
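As an added example (not from the original post or the AWS article), the two pieces of server configuration that wire Kerberos into PostgreSQL: the keytab, and a GSSAPI record in pg_hba.conf. The realm, subnet and path are placeholders:

```conf
# Added example. Realm, subnet and keytab path are placeholders.

# postgresql.conf: keytab holding the postgres/<host>@EXAMPLE.COM service
# principal. Readable only by the postgres OS user.
krb_server_keyfile = '/etc/postgresql/postgres.keytab'

# pg_hba.conf: Kerberos via GSSAPI for the corporate subnet.
# hostgssenc (PostgreSQL 12+) matches only connections that also negotiate
# GSSAPI encryption on the wire, so the traffic is protected as well as
# authenticated. include_realm=0 strips "@EXAMPLE.COM" so that principal
# alice@EXAMPLE.COM maps to database role "alice"; krb_realm refuses
# principals from any other realm, which matters once the realm is stripped.
# TYPE        DATABASE  USER  ADDRESS        METHOD
hostgssenc    all       all   10.20.0.0/16   gss include_realm=0 krb_realm=EXAMPLE.COM
```

Verify from a client session with SELECT gss_authenticated, encrypted, principal FROM pg_stat_gssapi WHERE pid = pg_backend_pid(); both flags should be true. The roles still have to exist in the database; Kerberos answers who the client is, not what they may do.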

How does OpenSource DB ensure the Safety of Customer data?

We at OSDB, being a pioneer in OpenSource Database Services, understand the importance of the Customers’ data and it is our top priority to safeguard the same.

Our quest towards continuous safety is empowered by being:

GDPR compliant and an ISO 27001:2013 compliant company.

Talk to us to know more about Safer DBA practices. 

Also, we’re presenting at PGConf India, Feb 22 – 24 2023; come and say hi to us!

Till then, Be Safe!!!
