PGCon2017 - 20180510
PGCon 2017
The PostgreSQL Conference
| Speakers |
|---|
| Masanori Oyama |
| Schedule | |
|---|---|
| Day | Talks - Day 2 - 2017-05-26 |
| Room | DMS 1160 |
| Start time | 11:00 |
| Duration | 00:45 |
| Info | |
|---|---|
| ID | 1070 |
| Event type | Lecture |
| Track | DBA |
| Language used for presentation | English |
PostgreSQL Security
How Do We Think?
In recent years, the range of applications for PostgreSQL has quickly extended into the enterprise sector thanks to the community's continuing effort to improve performance and functionality. As a result, there is an emerging demand to use PostgreSQL in more security-critical circumstances.
In this presentation, I will talk about the following two topics:
- Considerations for securing a database system.
- The current status of database auditing on PostgreSQL.
I work for the Open Source Software Center (OSS Center) of NTT, the largest telecommunications company group in Japan. We have encouraged many of our customers to migrate a large number of database systems to PostgreSQL, and this has contributed much to cost reduction.
Some projects need to conform to security standards, for example PCI DSS (Payment Card Industry Data Security Standard), one of the most widely adopted security standards in the world. However, it is not easy to build and operate a PostgreSQL-based system that conforms to these standards. I'd like to describe some aspects required of secure database systems in general, such as encryption, key management, identity management and auditing.
Then I explain the points to consider when building a secure database system using PostgreSQL, and show the remaining challenges for secure database systems built on PostgreSQL.
Finally, I introduce a forked version of pgaudit that we are maintaining, and explain how to use it. pgaudit is developed by 2ndQuadrant and Crunchy Data, with especially large contributions from David Steele. However, it does not meet our customers' requirements: for example, it cannot write the audit log separately from the server log, and it cannot fully audit superusers. So we forked it and added some changes.