Best Practices in Security with PostgreSQL
Dave Page
Marc Linster
September 2020
© Copyright EnterpriseDB Corporation, 2020. All rights reserved.2
Welcome – Housekeeping Items
• Slides and recording will be available in the next 48 hours
• Submit questions via GotoWebinar – we will answer them at the end
• We will be sharing info about EDB and Postgres later
Agenda
• Introduction to EDB
• Aspects of Data Security
• General recommendations
• Overall Framework and today’s focus
• Key Concepts: Authentication, Authorization, Auditing
• Data encryption
• Summary
• Q&A
Expertise
We’re database fanatics who care deeply about PostgreSQL
• Enterprise PostgreSQL innovations
• 4,000+ global customers
• Recognized by Gartner Magic Quadrant for 7 years in a row
• One of the only sub-$1bn revenue companies
• PostgreSQL community leadership
[Figure: 2019 Gartner Magic Quadrant; axes: Ability to execute, Completeness of vision; quadrants: Challengers, Leaders, Niche Players, Visionaries]
[Figure: timeline 1986 The Design of PostgreSQL; 1996 Birth of PostgreSQL; 2004 EDB is founded; 2020 Today. Feature milestones shown: Materialized Views, Parallel Query, JIT Compilation, Heap Only Tuples (HOT), Serializable Parallel Query]
EDB Open Source Leadership
Named EDB open source committers and contributors (grouped on the slide as core team, major contributors and contributors):
Akshay Joshi, Amul Sul, Ashesh Vashi, Ashutosh Sharma, Jeevan Chalke, Dilip Kumar, Jeevan Ladhe, Mithun Cy, Rushabh Lathia, Amit Khandekar, Amit Langote, Devrim Gündüz, Robert Haas, Bruce Momjian, Dave Page
(The slide marks which of these are PostgreSQL committers.)
Aspects of Data Security
[Diagram: Data Security with three branches: Unauthorized access, Data corruption, Loss of access]
Concerns shown around them: data breaches; (un)intentional corruption; hardware failure; operator error; process failure; loss of encryption keys; network failure; disaster recovery; notification and compliance
General Recommendations
• Keep your operating system and your database patched.
• Don’t put a postmaster port on the internet
• Isolate the database port from other network traffic
• Grant users the minimum access they require to do their work, nothing more
• Restrict access to configuration files (postgresql.conf and pg_hba.conf)
• Disallow host system login by the database superuser roles
• Provide each user with their own login
• Don’t rely solely on your front-end application to prevent unauthorized access
• Keep backups, and have a tested recovery plan.
MULTIPLE LAYERS OF SECURITY
[Diagram: nested layers Data Center > DB Host > DB Server > Database files > Databases]
Controls shown across the layers:
• Physical access, host access, DB server network access
• Authentication: users, roles, password profiles
• Data access control: tables, columns, rows, views, security barriers
• File system encryption, data file encryption, data encryption (column based encryption)
• Encryption in transit with host authentication
• DML/DDL auditing
• SQL injection attack prevention
• Data redaction/masking
• Key management system
Today’s Focus
• Access to the database application
• Access to the data contained within the database
• Secure the data stored in the database
AAA Model
Popular model for security architectures
• Authentication: verify that the user is who they claim to be.
• Authorization: verify that the user is allowed access.
• Auditing (or Accounting): record all database activity, including the user name and the time, in the log files.
Authentication
Defined in pg_hba.conf ⇐ make sure you understand how this works and protect that file!
• Kerberos/GSSAPI Single Sign-On (SSO) authentication
  • Data sent over the database connection is unencrypted unless SSL or GSS encryption is in use.
• SSPI — Windows Single Sign-On (SSO) authentication
• LDAP and RADIUS
  • LDAP (specifically, LDAP+STARTTLS) should only be used if Kerberos is out of the question.
  • LDAP passwords are forwarded to the LDAP server, and it can easily be set up in an insecure way.
  • RADIUS should not be used because it has weak encryption, using md5 hashing for credentials.
• Cert — TLS certificate authentication; often used in machine-to-machine communication.
• md5 and scram — store username and password information in the database
  • SCRAM is highly preferred over md5 as the passwords are securely hashed.
  • Use with EDB Postgres password profiles
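The rules above live in pg_hba.conf and the stored password verifiers in pg_authid; the queries below, added here and not part of the slides, check both from inside the server. They assume a superuser session and PostgreSQL 10 or later (pg_hba_file_rules); the role name in the final comment is a placeholder.

```sql
-- Added example, not from the slides. Run as a superuser.

-- 1. pg_hba.conf lines that weaken authentication. pg_hba_file_rules shows
--    the file as the server parsed it, so it also reveals lines that will
--    fail to load at the next reload.
SELECT line_number, type, database, user_name, address, auth_method, error
  FROM pg_hba_file_rules
 WHERE auth_method IN ('trust', 'password', 'md5')  -- no, cleartext or md5 credentials
    OR type = 'host'                                -- accepts plain TCP as well as TLS
    OR error IS NOT NULL                            -- unparseable line: fix before reloading
 ORDER BY line_number;

-- 2. Login roles whose verifier is not SCRAM. Switching password_encryption
--    only affects passwords set afterwards, so existing md5 roles stay md5
--    until their password is set again. 'none' is expected for roles that
--    authenticate externally (cert, Kerberos, LDAP).
SELECT rolname,
       CASE WHEN rolpassword IS NULL                THEN 'none'
            WHEN rolpassword LIKE 'md5%'            THEN 'md5'
            WHEN rolpassword LIKE 'SCRAM-SHA-256$%' THEN 'scram-sha-256'
            ELSE 'other' END AS verifier,
       rolvaliduntil
  FROM pg_authid
 WHERE rolcanlogin
   AND (rolpassword IS NULL OR rolpassword NOT LIKE 'SCRAM-SHA-256$%')
 ORDER BY rolname;

-- 3. Make SCRAM the default for new passwords, then re-set the md5 ones.
ALTER SYSTEM SET password_encryption = 'scram-sha-256';
SELECT pg_reload_conf();
-- In psql:  \password some_role
-- psql hashes the password client-side, so the cleartext never appears in a
-- logged ALTER ROLE statement (compare the log_statement warning on the
-- Authorization slide).
```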
Password Profiles
EDB Postgres Advanced Server 9.5 and above
Oracle compatible password profiles can be used to:
• specify the number of allowable failed login attempts
• lock an account due to excessive failed login attempts
• mark a password for expiration
• define a grace period after a password expiration
• define rules for password complexity
• define rules that limit password reuse
Password Profiles - Setup (1 of 4)
-- Create profile and a user
CREATE PROFILE myprofile;
CREATE USER myuser IDENTIFIED BY mypassword;
-- Assign profile to a user
ALTER USER myuser PROFILE myprofile;
-- Check the user-profile mapping
SELECT rolname, rolprofile FROM pg_roles WHERE rolname = 'myuser';
rolname | rolprofile
---------+------------
myuser | myprofile
Password Profiles - Definition of Rules (2 of 4)
ALTER PROFILE myprofile LIMIT
FAILED_LOGIN_ATTEMPTS 3
PASSWORD_LOCK_TIME 2;
SELECT rolname, rolprofile, edb_get_role_status(oid), rolfailedlogins, rollockdate FROM pg_roles
WHERE rolname = 'myuser';
rolname | rolprofile | edb_get_role_status | rolfailedlogins | rollockdate
---------+------------+---------------------+-----------------+-------------
myuser | myprofile | OPEN | 0 |
Password Profiles - 1st failed login (3 of 4)
\c - myuser
Password for user myuser:
FATAL: password authentication failed for user "myuser"
SELECT rolname, rolprofile, edb_get_role_status(oid), rolfailedlogins, rollockdate FROM pg_roles
WHERE rolname = 'myuser';
rolname | rolprofile | edb_get_role_status | rolfailedlogins | rollockdate
---------+------------+---------------------+-----------------+-------------
myuser | myprofile | OPEN | 1 |
Password Profiles - Account Locked (4 of 4)
\c - myuser
Password for user myuser:
FATAL: role "myuser" is locked
Previous connection kept
SELECT rolname, rolprofile, edb_get_role_status(oid), rolfailedlogins, rollockdate FROM pg_roles
WHERE rolname = 'myuser';
rolname | rolprofile | edb_get_role_status | rolfailedlogins | rollockdate
---------+------------+---------------------+-----------------+----------------------------------
myuser | myprofile | LOCKED(TIMED) | 0 | 13-NOV-18 12:25:50.811022 +05
Superuser interaction:
ALTER USER myuser ACCOUNT UNLOCK;
Authorization
We know who you are - what are you allowed to do?
● Standard method: Manage access privileges to tables, views and other objects
● Best Practice:
  ○ Revoke CREATE privileges from all users and grant them back to trusted users only.
  ○ Don't allow the use of functions or triggers written in untrusted procedural languages.
  ○ SECURITY DEFINER functions ⇐ understand what that means
  ○ Database objects should be owned by a secure role
● Beware: when log_statement is set to 'ddl' or higher, the ALTER ROLE command can result in password exposure in the logs, except in EDB Postgres Advanced Server 11
  ○ Use edb_filter_log.redact_password_commands to redact stored passwords from the log file
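Two of the practices above in SQL, as an added example that is not from the slides: taking CREATE on the public schema away from everyone, and a SECURITY DEFINER function with the safeguards it needs. The roles app_owner and app_user, the schema app and the table audit_log are constructed for illustration.

```sql
-- Added example, not from the slides. app_owner, app_user, schema app and
-- audit_log are constructed names.
CREATE ROLE app_owner NOLOGIN;
CREATE ROLE app_user  LOGIN;

-- "Revoke CREATE privileges from all users": before PostgreSQL 15 every role
-- may create objects in public, so an untrusted user can plant a table or
-- function that privileged code later resolves by unqualified name.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
CREATE SCHEMA app AUTHORIZATION app_owner;
GRANT USAGE ON SCHEMA app TO app_user;

SET ROLE app_owner;
CREATE TABLE app.audit_log (who text, at timestamptz, note text);

-- SECURITY DEFINER: the body runs with the owner's privileges (app_owner),
-- like a setuid program, so app_user can append to audit_log without holding
-- INSERT on it. Two things keep that safe:
--   * search_path is pinned, with pg_temp last, so names in the body cannot
--     resolve to objects the caller created in a schema searched earlier
--     (by default pg_temp is searched first);
--   * EXECUTE is granted to the intended role only (it defaults to PUBLIC).
-- session_user is the caller's login role; current_user inside the body
-- would be app_owner.
CREATE FUNCTION app.log_note(note text) RETURNS void
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, app, pg_temp
AS $$ INSERT INTO app.audit_log VALUES (session_user, now(), note) $$;

REVOKE EXECUTE ON FUNCTION app.log_note(text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION app.log_note(text) TO app_user;
RESET ROLE;

-- Check: app_user can write a note but cannot read the table itself.
SET ROLE app_user;
SELECT app.log_note('first login');
SELECT * FROM app.audit_log;   -- ERROR: permission denied for table audit_log
RESET ROLE;

-- Review: SECURITY DEFINER functions that do not pin search_path
-- (proconfig holds a function's SET clauses; NULL means none at all).
SELECT n.nspname, p.proname, p.proconfig
  FROM pg_proc p
  JOIN pg_namespace n ON n.oid = p.pronamespace
 WHERE p.prosecdef
   AND NOT EXISTS (SELECT 1 FROM unnest(p.proconfig) AS c(setting)
                    WHERE c.setting LIKE 'search_path=%');
```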
Row Level Security (a.k.a. Virtual Private Database)
Restrict, on a per-user basis, which rows can be returned by normal queries or inserted, updated, or deleted by data modification commands.
CREATE TABLE accounts (manager text, company text, contact_email text);
ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
CREATE POLICY account_managers ON accounts TO managers
    USING (manager = current_user);
DBMS_RLS provides key functions for Oracle’s Virtual Private Database in EDB Postgres Advanced Server
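The policy above limits what managers can read; the following, added here and not part of the slides, extends the same accounts table with the pieces a deployment usually needs: FORCE ROW LEVEL SECURITY so the table owner does not bypass the policy, a WITH CHECK clause so a row cannot be written outside the caller's own scope, and a catalog query to review what is enforced. The roles alice and bob and the sample rows are constructed.

```sql
-- Added example, not from the slides. alice, bob and the rows are constructed.
CREATE ROLE managers NOLOGIN;
CREATE ROLE alice LOGIN IN ROLE managers;
CREATE ROLE bob   LOGIN IN ROLE managers;

CREATE TABLE accounts (manager text, company text, contact_email text);
INSERT INTO accounts VALUES ('alice', 'Acme',   'cfo@acme.example'),
                            ('bob',   'Globex', 'it@globex.example');
GRANT SELECT, INSERT, UPDATE, DELETE ON accounts TO managers;

ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
-- The table owner bypasses RLS unless FORCE is set, so an application that
-- connects as the owner would see every row. Superusers and roles with
-- BYPASSRLS always bypass it: do not run applications as either.
ALTER TABLE accounts FORCE ROW LEVEL SECURITY;

-- USING filters the rows a manager can read, update or delete; WITH CHECK
-- rejects inserted or updated rows that would leave their scope, so a
-- manager cannot hand an account to someone else or create one for them.
CREATE POLICY account_managers ON accounts TO managers
    USING      (manager = current_user)
    WITH CHECK (manager = current_user);

-- Check as a manager (SET ROLE stands in for logging in as alice).
SET ROLE alice;
SELECT company FROM accounts;                              -- Acme only
UPDATE accounts SET manager = 'bob' WHERE company = 'Acme';
--   ERROR:  new row violates row-level security policy for table "accounts"
DELETE FROM accounts WHERE company = 'Globex';             -- DELETE 0: row is invisible
RESET ROLE;

-- Review: every table with RLS enabled, whether FORCE is on, and its policies.
SELECT c.relname, c.relrowsecurity AS enabled, c.relforcerowsecurity AS forced,
       p.policyname, p.roles, p.cmd, p.qual, p.with_check
  FROM pg_class c
  LEFT JOIN pg_policies p ON p.tablename = c.relname
                         AND p.schemaname = c.relnamespace::regnamespace::text
 WHERE c.relkind = 'r' AND c.relrowsecurity;
```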
Data Redaction
Username [enterprisedb]: privilegeduser
mycompany=> select * from employees;
 id |     name     |     ssn     |   phone    |      birthday
----+--------------+-------------+------------+--------------------
  1 | Sally Sample | 020-78-9345 | 5081234567 | 02-FEB-61 00:00:00
  1 | Jane Doe     | 123-33-9345 | 6171234567 | 14-FEB-63 00:00:00
  1 | Bill Foo     | 123-89-9345 | 9781234567 | 14-FEB-63 00:00:00
(3 rows)
Username [enterprisedb]: redacteduser
mycompany=> select * from employees;
 id |     name     |     ssn     |   phone    |      birthday
----+--------------+-------------+------------+--------------------
  1 | Sally Sample | xxx-xx-9345 | 5081234567 | 02-FEB-02 00:00:00
  1 | Jane Doe     | xxx-xx-9345 | 6171234567 | 14-FEB-02 00:00:00
  1 | Bill Foo     | xxx-xx-9345 | 9781234567 | 14-FEB-02 00:00:00
(3 rows)
Auditing
EDB Postgres Advanced Server offers enhanced auditing
• Track and analyze database activities
• Record connections by database users
  • Successful and failed
• Record SQL activity by database users
  • Errors, rollbacks, all DDL, all DML, all SQL statements
• Session Tag Auditing
  • Associate middle-tier application data with specific activities in the database log (e.g. track application users or IP addresses, not just database users)
Audit Configuration Params
• postgresql.conf parameter: edb_audit (Values = XML or CSV)
• edb_audit_directory & edb_audit_filename
• edb_audit_rotation_day, edb_audit_rotation_size, edb_audit_rotation_seconds
• edb_audit_connect and edb_audit_disconnect
• edb_audit_statement
  • Specifies which SQL statements to capture
• edb_filter_log.redact_password_commands ⇐ Redacts passwords from audit file!!!
edb_audit_connect = 'all'
edb_audit_statement = 'create view, create materialized view, create sequence, grant'
Encryption
Encrypt at rest and in transit -- key: Understand the threat vector!
• Password storage hashing/encryption
• Encryption for specific columns
• Data partition encryption
• Encrypting passwords across a network
• Encrypting data across a network
• SSL host authentication
• Client-side encryption
VTE - Advanced Option for PCI Compliant Storage Encryption
Compatible with EDB Postgres Advanced Server - Used for PCI compliance
https://www.brighttalk.com/webcast/2037/396902?utm_source=Thales&utm_medium=brighttalk&utm_campaign=396902
SQL Injection Prevention
• SQL Injection attacks are possible where applications are designed in a way that allows the attacker to modify SQL that is executed on the database server.
• By far the most common way to create a vulnerability of this type is by creating SQL queries by concatenating strings that include user-supplied data.
From: https://www.explainxkcd.com/wiki/index.php/327:_Exploits_of_a_Mom
SQL Injection Prevention
Example
• Consider a website which logs in a user using a query constructed as follows:
login_ok = conn.execute("SELECT count(*) FROM users WHERE name = '" + username + "' AND password = '" + password + "';");
• If the user enters their username as dave and their password as secret' OR '1' = '1, the generated SQL will become:
SELECT count(*) FROM users WHERE name = 'dave' AND password = 'secret' OR '1' = '1';
• If the code is testing that login_ok has a non-zero value to authenticate the user, then the user will be logged in regardless of whether the username/password is correct.
SQL Injection Prevention
Protecting against it in the application - sanitize the user input!
• Don't use string concatenation to include user supplied input in queries!
• Use parameterised queries instead, and let the language, driver, or database handle it.
• Here's a Python example (using the psycopg2 driver):
cursor.execute("""SELECT count(*) FROM users WHERE username = %s
                  AND password = %s;""", (username, password))
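As an added example that is not from the slides, the login query from the previous slide run both ways in psql against a constructed users table, which shows why a bound parameter cannot change the predicate. The table and its two rows are constructed; a real schema would store a password hash, not the cleartext used here.

```sql
-- Added example, not from the slides. The users table is constructed and
-- stores cleartext only to mirror the slide; real schemas store a hash.
CREATE TABLE users (name text PRIMARY KEY, password text);
INSERT INTO users VALUES ('dave', 'secret'), ('erin', 'hunter2');

-- String concatenation: the input  secret' OR '1' = '1  becomes SQL.
-- AND binds tighter than OR, so the predicate is
--   (name = 'dave' AND password = 'secret') OR ('1' = '1')
-- which is true for every row: count(*) is 2 and login_ok is non-zero
-- even though 'secret' was only guessed.
SELECT count(*) FROM users
 WHERE name = 'dave' AND password = 'secret' OR '1' = '1';

-- Parameterised: a server-side prepared statement. $2 is bound as one
-- literal value; the quote and the OR are just characters inside it.
-- libpq's PQexecParams and psycopg3 bind this way; psycopg2 instead quotes
-- the value client-side before sending. Either way the input stays a value.
PREPARE login(text, text) AS
    SELECT count(*) FROM users WHERE name = $1 AND password = $2;

EXECUTE login('dave', 'secret'' OR ''1'' = ''1');   -- 0: login rejected
EXECUTE login('dave', 'secret');                    -- 1: correct credentials
DEALLOCATE login;
```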
SQL Protect
EDB Postgres Advanced Server: Additional SQL Injection Prevention at the Database Level
• Utility Commands
  • Any DDL commands: DROP TABLE
• SQL Tautologies
  • SQL WHERE predicates such as … AND 1=1
• Empty DML
  • DML commands with no WHERE filter, such as: DELETE FROM EMPLOYEE;
• Unauthorized Relations
  • Results from Learn mode associating roles with tables
Conclusion
Security comes in layers!
AAA (Authorization, Authentication, Auditing) reference model
Encryption at rest and on the wire has to be part of the plan
Least privilege approach is key
Read, read, and read some more!
● EDB Security Technical Implementation Guidelines (STIG) for PostgreSQL on Windows and Linux
● Blog: How to Secure PostgreSQL: Security Hardening Best Practices & Tips
● Blog: Managing Roles with Password Profiles: Part 1
● Blog: Managing Roles with Password Profiles: Part 2
● Blog: Managing Roles with Password Profiles: Part 3
Thank You

More Related Content

What's hot (20)

PPTX
Data Guard Architecture & Setup
Satishbabu Gunukula
 
PDF
The Oracle RAC Family of Solutions - Presentation
Markus Michalewicz
 
PPTX
PostgreSQL Security. How Do We Think?
Ohyama Masanori
 
PDF
PostgreSQL replication
NTT DATA OSS Professional Services
 
PDF
Developer Special: How to Prepare Applications for Notes 64-bit Clients
panagenda
 
PDF
Apache Hudi: The Path Forward
Alluxio, Inc.
 
PPSX
Oracle Performance Tuning Fundamentals
Carlos Sierra
 
PDF
Data Engineer's Lunch #83: Strategies for Migration to Apache Iceberg
Anant Corporation
 
PPT
LiquiBase
Mike Willbanks
 
PDF
Linux Training For Beginners | Linux Administration Tutorial | Introduction T...
Edureka!
 
PDF
DOAG - Oracle Database Locking Mechanism Demystified
Pini Dibask
 
PDF
Memory Mapping Implementation (mmap) in Linux Kernel
Adrian Huang
 
PPTX
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)
Memory Fabric Forum
 
PDF
MySQL Performance Schema in Action
Sveta Smirnova
 
PDF
Oracle Performance Tuning Fundamentals
Enkitec
 
PDF
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Jérôme Petazzoni
 
PDF
Advanced backup methods (Postgres@CERN)
Anastasia Lubennikova
 
PDF
Understanding PostgreSQL LW Locks
Jignesh Shah
 
ODP
Linux commands
Balakumaran Arunachalam
 
PPT
ASM
VINAY PANDEY
 
Data Guard Architecture & Setup
Satishbabu Gunukula
 
The Oracle RAC Family of Solutions - Presentation
Markus Michalewicz
 
PostgreSQL Security. How Do We Think?
Ohyama Masanori
 
PostgreSQL replication
NTT DATA OSS Professional Services
 
Developer Special: How to Prepare Applications for Notes 64-bit Clients
panagenda
 
Apache Hudi: The Path Forward
Alluxio, Inc.
 
Oracle Performance Tuning Fundamentals
Carlos Sierra
 
Data Engineer's Lunch #83: Strategies for Migration to Apache Iceberg
Anant Corporation
 
LiquiBase
Mike Willbanks
 
Linux Training For Beginners | Linux Administration Tutorial | Introduction T...
Edureka!
 
DOAG - Oracle Database Locking Mechanism Demystified
Pini Dibask
 
Memory Mapping Implementation (mmap) in Linux Kernel
Adrian Huang
 
Q1 Memory Fabric Forum: Intel Enabling Compute Express Link (CXL)
Memory Fabric Forum
 
MySQL Performance Schema in Action
Sveta Smirnova
 
Oracle Performance Tuning Fundamentals
Enkitec
 
Anatomy of a Container: Namespaces, cgroups & Some Filesystem Magic - LinuxCon
Jérôme Petazzoni
 
Advanced backup methods (Postgres@CERN)
Anastasia Lubennikova
 
Understanding PostgreSQL LW Locks
Jignesh Shah
 
Linux commands
Balakumaran Arunachalam
 

Similar to Best Practices in Security with PostgreSQL (20)

PPTX
Best Practices in Security with PostgreSQL
EDB
 
PDF
Best Practices in Security with PostgreSQL
EDB
 
PDF
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot
 
PPTX
Enterprise-class security with PostgreSQL - 1
Ashnikbiz
 
PPTX
Creating a Multi-Layered Secured Postgres Database
EDB
 
PDF
PgDay Asia 2016 - Security Best Practices for your Postgres Deployment
Ashnikbiz
 
PDF
Security Best Practices for your Postgres Deployment
PGConf APAC
 
PPTX
5 Ways to Make Your Postgres GDPR-Ready
EDB
 
PPTX
GDPR Webinar January 2018
EDB
 
PPTX
Row level security in enterprise applications
Alexander Tokarev
 
PDF
PostgreSQL Security. How Do We Think? at PGCon 2017
Ohyama Masanori
 
PDF
Using PostgreSQL for Data Privacy
Mason Sharp
 
PDF
Transparent Data Encryption in PostgreSQL
Masahiko Sawada
 
PPTX
Enterprise-class security with PostgreSQL - 2
Ashnikbiz
 
PDF
Expanding with EDB Postgres Advanced Server 9.5
EDB
 
PPTX
New enhancements for security and usability in EDB 13
EDB
 
PPTX
Protecting PII & AI Workloads in PostgreSQL
Dev Raj Gautam
 
PPTX
Enterprise grade deployment and security with PostgreSQL
Himanchali -
 
PPTX
Oracle Database 23c Security New Features.pptx
Satishbabu Gunukula
 
PPTX
postgres_data_security_2017
Payal Singh
 
Best Practices in Security with PostgreSQL
EDB
 
Best Practices in Security with PostgreSQL
EDB
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot
 
Enterprise-class security with PostgreSQL - 1
Ashnikbiz
 
Creating a Multi-Layered Secured Postgres Database
EDB
 
PgDay Asia 2016 - Security Best Practices for your Postgres Deployment
Ashnikbiz
 
Security Best Practices for your Postgres Deployment
PGConf APAC
 
5 Ways to Make Your Postgres GDPR-Ready
EDB
 
GDPR Webinar January 2018
EDB
 
Row level security in enterprise applications
Alexander Tokarev
 
PostgreSQL Security. How Do We Think? at PGCon 2017
Ohyama Masanori
 
Using PostgreSQL for Data Privacy
Mason Sharp
 
Transparent Data Encryption in PostgreSQL
Masahiko Sawada
 
Enterprise-class security with PostgreSQL - 2
Ashnikbiz
 
Expanding with EDB Postgres Advanced Server 9.5
EDB
 
New enhancements for security and usability in EDB 13
EDB
 
Protecting PII & AI Workloads in PostgreSQL
Dev Raj Gautam
 
Enterprise grade deployment and security with PostgreSQL
Himanchali -
 
Oracle Database 23c Security New Features.pptx
Satishbabu Gunukula
 
postgres_data_security_2017
Payal Singh
 
Ad

More from EDB (20)

PDF
Cloud Migration Paths: Kubernetes, IaaS, or DBaaS
EDB
 
PDF
Die 10 besten PostgreSQL-Replikationsstrategien für Ihr Unternehmen
EDB
 
PDF
Migre sus bases de datos Oracle a la nube
EDB
 
PDF
EFM Office Hours - APJ - July 29, 2021
EDB
 
PDF
Benchmarking Cloud Native PostgreSQL
EDB
 
PDF
Las Variaciones de la Replicación de PostgreSQL
EDB
 
PDF
NoSQL and Spatial Database Capabilities using PostgreSQL
EDB
 
PDF
Is There Anything PgBouncer Can’t Do?
EDB
 
PDF
Data Analysis with TensorFlow in PostgreSQL
EDB
 
PDF
Practical Partitioning in Production with Postgres
EDB
 
PDF
A Deeper Dive into EXPLAIN
EDB
 
PDF
IOT with PostgreSQL
EDB
 
PDF
A Journey from Oracle to PostgreSQL
EDB
 
PDF
Psql is awesome!
EDB
 
PDF
EDB 13 - New Enhancements for Security and Usability - APJ
EDB
 
PPTX
Comment sauvegarder correctement vos données
EDB
 
PDF
Cloud Native PostgreSQL - Italiano
EDB
 
PDF
New enhancements for security and usability in EDB 13
EDB
 
PDF
Cloud Native PostgreSQL - APJ
EDB
 
PDF
EDB Postgres & Tools in a Smart City Project
EDB
 
Cloud Migration Paths: Kubernetes, IaaS, or DBaaS
EDB
 
Die 10 besten PostgreSQL-Replikationsstrategien für Ihr Unternehmen
EDB
 
Migre sus bases de datos Oracle a la nube
EDB
 
EFM Office Hours - APJ - July 29, 2021
EDB
 
Benchmarking Cloud Native PostgreSQL
EDB
 
Las Variaciones de la Replicación de PostgreSQL
EDB
 
NoSQL and Spatial Database Capabilities using PostgreSQL
EDB
 
Is There Anything PgBouncer Can’t Do?
EDB
 
Data Analysis with TensorFlow in PostgreSQL
EDB
 
Practical Partitioning in Production with Postgres
EDB
 
A Deeper Dive into EXPLAIN
EDB
 
IOT with PostgreSQL
EDB
 
A Journey from Oracle to PostgreSQL
EDB
 
Psql is awesome!
EDB
 
EDB 13 - New Enhancements for Security and Usability - APJ
EDB
 
Comment sauvegarder correctement vos données
EDB
 
Cloud Native PostgreSQL - Italiano
EDB
 
New enhancements for security and usability in EDB 13
EDB
 
Cloud Native PostgreSQL - APJ
EDB
 
EDB Postgres & Tools in a Smart City Project
EDB
 
Ad

Recently uploaded (20)

PDF
Future-Proof or Fall Behind? 10 Tech Trends You Can’t Afford to Ignore in 2025
DIGITALCONFEX
 
PDF
Go Concurrency Real-World Patterns, Pitfalls, and Playground Battles.pdf
Emily Achieng
 
PDF
“Computer Vision at Sea: Automated Fish Tracking for Sustainable Fishing,” a ...
Edge AI and Vision Alliance
 
PPTX
AI Penetration Testing Essentials: A Cybersecurity Guide for 2025
defencerabbit Team
 
PDF
POV_ Why Enterprises Need to Find Value in ZERO.pdf
darshakparmar
 
PPTX
Agentforce World Tour Toronto '25 - Supercharge MuleSoft Development with Mod...
Alexandra N. Martinez
 
PPTX
Mastering ODC + Okta Configuration - Chennai OSUG
HathiMaryA
 
PPTX
Agentforce World Tour Toronto '25 - MCP with MuleSoft
Alexandra N. Martinez
 
PDF
Newgen 2022-Forrester Newgen TEI_13 05 2022-The-Total-Economic-Impact-Newgen-...
darshakparmar
 
PPT
Ericsson LTE presentation SEMINAR 2010.ppt
npat3
 
PDF
Book industry state of the nation 2025 - Tech Forum 2025
BookNet Canada
 
PPTX
The Project Compass - GDG on Campus MSIT
dscmsitkol
 
PDF
Mastering Financial Management in Direct Selling
Epixel MLM Software
 
PDF
UPDF - AI PDF Editor & Converter Key Features
DealFuel
 
PDF
The Rise of AI and IoT in Mobile App Tech.pdf
IMG Global Infotech
 
PDF
Agentic AI lifecycle for Enterprise Hyper-Automation
Debmalya Biswas
 
PDF
“NPU IP Hardware Shaped Through Software and Use-case Analysis,” a Presentati...
Edge AI and Vision Alliance
 
PDF
AI Agents in the Cloud: The Rise of Agentic Cloud Architecture
Lilly Gracia
 
PDF
ICONIQ State of AI Report 2025 - The Builder's Playbook
Razin Mustafiz
 
PDF
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 
Future-Proof or Fall Behind? 10 Tech Trends You Can’t Afford to Ignore in 2025
DIGITALCONFEX
 
Go Concurrency Real-World Patterns, Pitfalls, and Playground Battles.pdf
Emily Achieng
 
“Computer Vision at Sea: Automated Fish Tracking for Sustainable Fishing,” a ...
Edge AI and Vision Alliance
 
AI Penetration Testing Essentials: A Cybersecurity Guide for 2025
defencerabbit Team
 
POV_ Why Enterprises Need to Find Value in ZERO.pdf
darshakparmar
 
Agentforce World Tour Toronto '25 - Supercharge MuleSoft Development with Mod...
Alexandra N. Martinez
 
Mastering ODC + Okta Configuration - Chennai OSUG
HathiMaryA
 
Agentforce World Tour Toronto '25 - MCP with MuleSoft
Alexandra N. Martinez
 
Newgen 2022-Forrester Newgen TEI_13 05 2022-The-Total-Economic-Impact-Newgen-...
darshakparmar
 
Ericsson LTE presentation SEMINAR 2010.ppt
npat3
 
Book industry state of the nation 2025 - Tech Forum 2025
BookNet Canada
 
The Project Compass - GDG on Campus MSIT
dscmsitkol
 
Mastering Financial Management in Direct Selling
Epixel MLM Software
 
UPDF - AI PDF Editor & Converter Key Features
DealFuel
 
The Rise of AI and IoT in Mobile App Tech.pdf
IMG Global Infotech
 
Agentic AI lifecycle for Enterprise Hyper-Automation
Debmalya Biswas
 
“NPU IP Hardware Shaped Through Software and Use-case Analysis,” a Presentati...
Edge AI and Vision Alliance
 
AI Agents in the Cloud: The Rise of Agentic Cloud Architecture
Lilly Gracia
 
ICONIQ State of AI Report 2025 - The Builder's Playbook
Razin Mustafiz
 
[Newgen] NewgenONE Marvin Brochure 1.pdf
darshakparmar
 

Best Practices in Security with PostgreSQL

  • 1. Best Practices in Security with PostgreSQL Dave Page Marc Linster September 2020
  • 2. © Copyright EnterpriseDB Corporation, 2020. All rights reserved.2 • Slides and recording will be available in next 48 hours • Submit questions via GotoWebinar – will be answering at end • We will be sharing info about EDB and Postgres later Welcome – Housekeeping Items
  • 3. © Copyright EnterpriseDB Corporation, 2020. All rights reserved.3 Agenda • Introduction to EDB • Aspects of Data Security • General recommendations • Overall Framework and today’s focus • Key Concepts: Authentication, Authorization, Auditing • Data encryption • Summary • Q&A
  • 4. © Copyright EnterpriseDB Corporation, 2020. All rights reserved.4 • Enterprise PostgreSQL innovations • 4,000+ global customers • Recognized by Gartner Magic Quadrant for 7 years in a row • One of the only sub-$1bn revenue companies • PostgreSQL community leadership 2019 Challengers Leaders Niche Players Visionaries Abilitytoexecute Completeness of vision 1986 The Design of PostgreSQL 1996 Birth of PostgreSQL 2004 EDB is founded 2020 TodayMaterialized Views Parallel Query JIT Compilation Heap Only Tuples (HOT) Serializable Parallel Query We’re database fanatics who care deeply about PostgreSQL Expertise
  • 5. © Copyright EnterpriseDB Corporation, 2020. All rights reserved.5 Core team Major contributors Contributors EDB Open Source Leadership Named EDB open source committers and contributors Akshay Joshi Amul Sul Ashesh Vashi Ashutosh Sharma Jeevan Chalke Dilip Kumar Jeevan Ladhe Mithun Cy Rushabh Lathia Amit Khandekar Amit Langote Devrim Gündüz Robert Haas Bruce Momjian Dave Page Designates PostgreSQL committers
  • 6. © Copyright EnterpriseDB Corporation, 2020. All rights reserved.6 Aspects of Data Security Data Security Unauthorized access Data corruption Loss of access Data breaches (Un)intentional corruption Hardware failure Operator error Process failure Loss of encryption keys Network failure Disaster recovery Notification and compliance
  • 7. © Copyright EnterpriseDB Corporation, 2020. All rights reserved.7 General Recommendations • Keep your operating system and your database patched. • Don’t put a postmaster port on the internet • Isolate the database port from other network traffic • Grant users the minimum access they require to do their work, nothing more • Restrict access to configuration files (postgresql.conf and pg_hba.conf) • Disallow host system login by the database superuser roles • Provide each user with their own login • Don’t rely solely on your front-end application to prevent unauthorized access • Keep backups, and have a tested recovery plan.
  • 8. © Copyright EnterpriseDB Corporation, 2020. All rights reserved.8 DB Host Database files Data base Data base Data baseData access control: • Tables • Columns • Rows • Views • Security barriers DB Server Authentication: • Users • Roles • Password profiles Data Center Physical access Host access DB Server network access File system encryption Data file encryption Data encryption • Column based encryption DML/DDL Auditing SQL Injection Attack Prevention Encryption in transit w. host authentication Data redaction/masking Key Management System MULTIPLE LAYERS OF SECURITY
  • 9. © Copyright EnterpriseDB Corporation, 2020. All rights reserved.9 Today’s Focus • Access to the database application • Access to the data contained within the database • Secure the data stored in the database
  • 10. © Copyright EnterpriseDB Corporation, 2020. All rights reserved.10 AAA Model Popular model for security architectures • Authentication: verify that the user is who they claim to be. • Authorization: verify that the user is allowed access. • Auditing (or Accounting): record all database activity, including the user name and the time in the log files.
  • 11. © Copyright EnterpriseDB Corporation, 2020. All rights reserved.11 Authentication Defined in hba.conf ⇐ make sure you understand how this works and protect that file! • Kerberos/GSSAPI Single Sign-On (SSO) authentication • data sent over the database connection is unencrypted unless SSL or GSS encryption is in use. • SSPI — Windows Single Sign-On (SSO) authentication • LDAP and RADIUS • LDAP (specifically, LDAP+STARTTLS) should only be used if Kerberos is out of the question. • LDAP passwords are forwarded to the LDAP server, and it can easily be set up in an insecure way. • RADIUS should not be used because it has weak encryption, using md5 hashing for credentials. • Cert — TLS certificate authentication; often used in machine-to-machine communication. • md5 and scram — stores username and password information in the database • Scram is highly preferred over md5 as the passwords are securely hashed. • Use with EDB Postgres password profiles
  • 12. © Copyright EnterpriseDB Corporation, 2020. All rights reserved.12 Password Profiles EDB Postgres Advanced Server 9.5 and above Oracle compatible password profiles can be used to: • specify the number of allowable failed login attempts • lock an account due to excessive failed login attempts • mark a password for expiration • define a grace period after a password expiration • define rules for password complexity • define rules that limit password reuse
  • 13. © Copyright EnterpriseDB Corporation, 2020. All rights reserved.13 Password Profiles - Setup ( 1 of 4) -- Create profile and a user CREATE PROFILE myprofile; CREATE USER myuser IDENTIFIED BY mypassword; -- Assign profile to a user ALTER USER myuser PROFILE myprofile; -- Check the user-profile mapping SELECT rolname, rolprofile FROM pg_roles WHERE rolname = 'myuser'; rolname | rolprofile ---------+------------ myuser | myprofile
  • 14. © Copyright EnterpriseDB Corporation, 2020. All rights reserved.14 Password Profiles - Definition of Rules ( 2 of 4) ALTER PROFILE myprofile LIMIT FAILED_LOGIN_ATTEMPTS 3 PASSWORD_LOCK_TIME 2; SELECT rolname, rolprofile, edb_get_role_status(oid), rolfailedlogins, rollockdate FROM pg_roles WHERE rolname = 'myuser'; rolname | rolprofile | edb_get_role_status | rolfailedlogins | rollockdate ---------+------------+---------------------+-----------------+------------- myuser | myprofile | OPEN | 0 |
  • 15. © Copyright EnterpriseDB Corporation, 2020. All rights reserved.15 Password Profiles - 1st failed login ( 3 of 4) c - myuser Password for user myuser: FATAL: password authentication failed for user "myuser" SELECT rolname, rolprofile, edb_get_role_status(oid), rolfailedlogins, rollockdate FROM pg_roles WHERE rolname = 'myuser'; rolname | rolprofile | edb_get_role_status | rolfailedlogins | rollockdate ---------+------------+---------------------+-----------------+------------- myuser | myprofile | OPEN | 1 |
  • 16. © Copyright EnterpriseDB Corporation, 2020. All rights reserved.16 Password Profiles - Account Locked ( 4 of 4) c - myuser Password for user myuser: FATAL: role "myuser" is locked Previous connection kept SELECT rolname, rolprofile, edb_get_role_status(oid), rolfailedlogins, rollockdate FROM pg_roles WHERE rolname = 'myuser'; rolname | rolprofile | edb_get_role_status | rolfailedlogins | rollockdate ---------+------------+---------------------+-----------------+---------------------------------- myuser | myprofile | LOCKED(TIMED) | 0 | 13-NOV-18 12:25:50.811022 +05 Super user interaction ALTER USER myuser ACCOUNT UNLOCK;
  • 17. © Copyright EnterpriseDB Corporation, 2020. All rights reserved.17 Authorization We know who you are - what are you allowed to do? ● Standard method: Manage access privileges to tables, views and other objects ● Best Practice: ○ Revoke CREATE privileges from all users and grant them back to trusted users only. ○ Don't allow the use of functions or triggers written in untrusted procedural languages. ○ SECURITY DEFINER functions ⇐ understand what that means ○ Database objects should be owned by a secure role ● Beware: when log_statement is set to 'ddl' or higher, ALTER ROLE command can result in password exposure in the logs, except in EDB Postgres Advanced Server 11 ○ Use edb_filter_log.redact_password_command to redact stored passwords from the log file
  • 18. Row Level Security (a.k.a. Virtual Private Database)
    Restrict, on a per-user basis, which rows can be returned by normal queries or inserted, updated, or deleted by data modification commands
    CREATE TABLE accounts (manager text, company text, contact_email text);
    ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
    CREATE POLICY account_managers ON accounts TO managers USING (manager = current_user);
    DBMS_RLS provides key functions for Oracle's Virtual Private Database in EDB Postgres Advanced Server
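    The slide's policy extended to a runnable scenario, as an added example that is not from the deck: it adds a WITH CHECK clause so rows cannot be written for another manager, forces the policy onto the table owner, and verifies the result by switching roles. The roles alice and bob and the sample rows are constructed.

```sql
-- Added example building on the slide's accounts table; alice, bob and the rows are constructed.
CREATE TABLE accounts (manager text, company text, contact_email text);
CREATE ROLE managers NOLOGIN;
CREATE ROLE alice LOGIN IN ROLE managers;
CREATE ROLE bob   LOGIN IN ROLE managers;
GRANT SELECT, INSERT, UPDATE, DELETE ON accounts TO managers;

INSERT INTO accounts VALUES ('alice', 'Acme',    'ceo@acme.example'),
                            ('bob',   'Initech', 'cto@initech.example');

ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
-- Apply the policies to the table owner as well (superusers always bypass RLS),
-- so an owner-level connection is not an accidental bypass.
ALTER TABLE accounts FORCE ROW LEVEL SECURITY;

-- USING filters the rows a role can see, update or delete; WITH CHECK validates
-- rows being inserted or updated, so a manager cannot create or reassign a row
-- that belongs to someone else.
CREATE POLICY account_managers ON accounts TO managers
    USING (manager = current_user)
    WITH CHECK (manager = current_user);

SET ROLE alice;
SELECT company FROM accounts;                                     -- only Acme
INSERT INTO accounts VALUES ('bob', 'Hooli', 'x@hooli.example');  -- rejected: violates the policy's WITH CHECK
RESET ROLE;

-- Review which policies exist on the table and which roles they apply to.
SELECT policyname, roles, cmd, qual, with_check
  FROM pg_policies WHERE tablename = 'accounts';
```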
  • 19. Data Redaction
    Username [enterprisedb]: privilegeduser
    mycompany=> select * from employees;
     id | name         | ssn         | phone      | birthday
    ----+--------------+-------------+------------+--------------------
      1 | Sally Sample | 020-78-9345 | 5081234567 | 02-FEB-61 00:00:00
      1 | Jane Doe     | 123-33-9345 | 6171234567 | 14-FEB-63 00:00:00
      1 | Bill Foo     | 123-89-9345 | 9781234567 | 14-FEB-63 00:00:00
    (3 rows)
    Username [enterprisedb]: redacteduser
    mycompany=> select * from employees;
     id | name         | ssn         | phone      | birthday
    ----+--------------+-------------+------------+--------------------
      1 | Sally Sample | xxx-xx-9345 | 5081234567 | 02-FEB-02 00:00:00
      1 | Jane Doe     | xxx-xx-9345 | 6171234567 | 14-FEB-02 00:00:00
      1 | Bill Foo     | xxx-xx-9345 | 9781234567 | 14-FEB-02 00:00:00
    (3 rows)
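    A redaction policy that produces the masked output shown on the slide, added here as an example that is not from the deck. It uses the CREATE/ALTER REDACTION POLICY syntax of EDB Postgres Advanced Server as I understand it; the table definition, the two redaction functions and the FOR expression are constructed.

```sql
-- Added example (not from the slides), EDB Postgres Advanced Server data redaction.
-- Table, roles and redaction functions are constructed to match the slide's output.
CREATE TABLE employees (id int, name text, ssn varchar(11), phone varchar(10), birthday timestamp);
CREATE ROLE privilegeduser LOGIN;
CREATE ROLE redacteduser   LOGIN;
GRANT SELECT ON employees TO privilegeduser, redacteduser;

-- Keep the last four SSN digits, mask the rest.
CREATE FUNCTION redact_ssn(ssn varchar) RETURNS varchar
LANGUAGE sql IMMUTABLE
AS $$ SELECT 'xxx-xx-' || right(ssn, 4) $$;

-- Keep only day and month of the birthday, replacing the year as the slide does.
CREATE FUNCTION redact_birthday(d timestamp) RETURNS timestamp
LANGUAGE sql IMMUTABLE
AS $$ SELECT make_timestamp(2002, extract(month from d)::int, extract(day from d)::int, 0, 0, 0) $$;

-- The policy applies whenever its FOR expression is true for the session;
-- here everyone except the privileged role sees masked values (the table
-- owner and superusers are exempt from redaction in my understanding).
CREATE REDACTION POLICY redact_employee_pii ON employees
    FOR (session_user <> 'privilegeduser')
    ADD COLUMN ssn USING redact_ssn(ssn);

ALTER REDACTION POLICY redact_employee_pii ON employees
    ADD COLUMN birthday USING redact_birthday(birthday);

-- Connected as redacteduser this now returns xxx-xx-9345 and 02-FEB-02 style values.
SELECT * FROM employees;
```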
  • 20. Auditing
    EDB Postgres Advanced Server offers enhanced auditing
    • Track and analyze database activities
    • Record connections by database users
      • Successful and failed
    • Record SQL activity by database users
      • Errors, rollbacks, all DDL, all DML, all SQL statements
    • Session Tag Auditing
      • Associate middle-tier application data with specific activities in the database log (e.g. track application users or IP addresses, not just database users)
  • 21. Audit Configuration Params
    • postgresql.conf parameter: edb_audit (Values = XML or CSV)
    • edb_audit_directory & edb_audit_filename
    • edb_audit_rotation_day, edb_audit_rotation_size, edb_audit_rotation_seconds
    • edb_audit_connect and edb_audit_disconnect
    • edb_audit_statement
      • Specifies which SQL statements to capture
    • edb_filter_log.redact_password_commands ⇐ Redacts passwords from audit file!!!
    edb_audit_connect = 'all'
    edb_audit_statement = 'create view,create materialized view,create sequence,grant'
  • 22. Encryption
    Encrypt at rest and in transit -- key: Understand the threat vector!
    • Password storage hashing/encryption
    • Encryption for specific columns
    • Data partition encryption
    • Encrypting passwords across a network
    • Encrypting data across a network
    • SSL host authentication
    • Client-side encryption
  • 23. VTE - Advanced Option for PCI Compliant Storage Encryption
    Compatible with EDB Postgres Advanced Server - Used for PCI compliance
    https://www.brighttalk.com/webcast/2037/396902?utm_source=Thales&utm_medium=brighttalk&utm_campaign=396902
  • 24. SQL Injection Prevention
    • SQL Injection attacks are possible where applications are designed in a way that allows the attacker to modify SQL that is executed on the database server.
    • By far the most common way to create a vulnerability of this type is by creating SQL queries by concatenating strings that include user-supplied data.
    From: https://www.explainxkcd.com/wiki/index.php/327:_Exploits_of_a_Mom
  • 25. SQL Injection Prevention Example
    • Consider a website which will log in a user using a query constructed as follows:
      login_ok = conn.execute("SELECT count(*) FROM users WHERE name = '" + username + "' AND password = '" + password + "';");
    • If the user enters their username as dave and their password as secret' OR '1' = '1, the generated SQL will become:
      SELECT count(*) FROM users WHERE name = 'dave' AND password = 'secret' OR '1' = '1';
    • If the code is testing that login_ok has a non-zero value to authenticate the user, then the user will be logged in regardless of whether the username/password is correct.
  • 26. SQL Injection Prevention
    Protecting against it in the application - sanitize the user input!
    • Don't use string concatenation to include user supplied input in queries!
    • Use parameterised queries instead, and let the language, driver, or database handle it.
    • Here's a Python example (using the psycopg2 driver):
      cursor.execute("""SELECT count(*) FROM users WHERE username = %s AND password = %s;""", (username, password))
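    The two preceding slides side by side in plain SQL, as an added example that is not from the deck: the concatenated query with the tautology the slide describes, and the same input bound as a parameter with PREPARE/EXECUTE, which is what a driver such as psycopg2 does for you. The users table and its single row are constructed.

```sql
-- Added example (not from the slides); the users table and its row are constructed.
CREATE TABLE users (name text PRIMARY KEY, password text);
INSERT INTO users VALUES ('dave', 'secret');   -- plaintext only for the demo; store a hash in practice

-- String concatenation: the user-supplied text is parsed as SQL.
-- AND binds tighter than OR, so this reads as (name AND password) OR TRUE
-- and counts the row even though the password is wrong.
SELECT count(*) FROM users
 WHERE name = 'dave' AND password = 'wrong' OR '1' = '1';     -- 1

-- Parameterised statement: the same text is bound as a value and is never
-- parsed as SQL, so the quotes and the OR are just characters in a string.
PREPARE check_login(text, text) AS
    SELECT count(*) FROM users WHERE name = $1 AND password = $2;

EXECUTE check_login('dave', 'secret');                         -- 1: correct credentials
EXECUTE check_login('dave', 'wrong'' OR ''1'' = ''1');         -- 0: no such password
DEALLOCATE check_login;
```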
  • 27. SQL Protect
    EDB Postgres Advanced Server: Additional SQL Injection Prevention at the Database Level
    • Utility Commands
      • Any DDL commands: DROP TABLE
    • SQL Tautologies
      • SQL WHERE predicates such as: ... and 1=1
    • Empty DML
      • DML commands with no WHERE filter, such as: DELETE FROM EMPLOYEE;
    • Unauthorized Relations
      • Results from Learn mode associating roles with tables
  • 28. Conclusion
    Security comes in layers!
    AAA (Authorization, Authentication, Auditing) reference model
    Encryption at rest and on the wire has to be part of the plan
    Least privilege approach is key
    Read, read, and read some more!
    ● EDB Security Technical Implementation Guidelines (STIG) for PostgreSQL on Windows and Linux
    ● Blog: How to Secure PostgreSQL: Security Hardening Best Practices & Tips
    ● Blog: Managing Roles with Password Profiles: Part 1
    ● Blog: Managing Roles with Password Profiles: Part 2
    ● Blog: Managing Roles with Password Profiles: Part 3
    Thank You