PGCon2017 - 0626

PGCon 2017
The PostgreSQL Conference

Masanori Oyama
Day Talks - Day 2 - 2017-05-26
Room DMS 1160
Start time 11:00
Duration 00:45
ID 1070
Event type Lecture
Track DBA
Language used for presentation English

PostgreSQL Security

How Do We Think?

In recent years, the range of applications for PostgreSQL has quickly extended into the enterprise sector, thanks to the community's continuing effort to improve performance and functionality. As a result, there is an emerging demand to use PostgreSQL in more security-critical circumstances.

In this presentation, I will talk about the following two topics.

  • Considerations for securing a database system.
  • Current status of database auditing on PostgreSQL.

I am working for the Open Source Software Center (OSS Center) of NTT, which is the largest telecommunications company group in Japan. We have encouraged many of our customers to migrate a lot of database systems to PostgreSQL so far, and this has contributed much to cost reduction.

Some projects need to conform to security standards, for example PCI DSS (Payment Card Industry Data Security Standard), which is one of the most prevalent security standards in the world. However, it is not easy to build and operate a PostgreSQL-based system that conforms to these security standards. I'd like to describe some aspects required for secure database systems in general, such as encryption, key management, identity management and auditing.

Then I explain the points to consider when building a secure database system using PostgreSQL, and show the remaining challenges for secure database systems using PostgreSQL.

Finally, I introduce a forked version of pgaudit that we are maintaining, and then explain how to use it. pgaudit is developed by 2ndQuadrant and Crunchy Data, with especially great contributions from David Steele. However, it does not meet our customers' requirements. For example, it cannot output the audit log and the server log separately, it cannot fully audit the superuser, etc. So we forked it and added some changes.