Securing PostgreSQL

Captions
Thank you, everyone, for attending. My name is Christophe Pettus; I'm the CEO of PostgreSQL Experts. We're a small Postgres consultancy based in Alameda, which is that way, I think. The slides will be up at thebuild.com, that's my personal blog. This is the company website, hire us to do something, and that's my Twitter handle and my email address.

So today we're going to do the impossible, which is talk about security. Security is not a single topic or practice, and there is more folk wisdom about this than probably about curing headaches. The reason that it's very hard to have a comprehensive view of security is that basically everything has a security aspect. The problem is perfect security is impossible, and so all life is a trade-off, followed by certain death, but we'll do what we can anyway.

So this talk is probably going to come off something like this, because I'm going to rant at you about things you must do. The situation is, you achieve perfect security by taking your computer, locking it in a box, burying it somewhere and never booting it, which greatly reduces its utility. So everything is a trade-off between the utility of the system, the convenience of the users, and how secure it's going to be. Nobody does everything that I'm going to talk about here, and that's OK; don't feel guilty about it. Just make sure you understand what risks you are creating and mitigating when you do and don't do certain things.

So we're going to talk at least briefly about the various components of the stack: the underlying host operating system; Postgres itself, including access to the database server; the data that's in Postgres, which includes encryption and permissions and things like that; and the application. Of all of these, the application is the most important part, and it will get the least conversation, because that's just the unfortunate reality of life.

So the first thing to remember about PostgreSQL is there's nothing magic about a Postgres server. It's just a program that's managing access to a bunch of files. If someone can get access to the server, none of the rest of this matters. One of the things that you will occasionally hear is, "well, OK, maybe somebody can get access to the server, but they can't get access to the postgres user, and Linux has permissions, and this will be fine." Don't assume that. If they can get to the box, assume they can get root and do anything on the server, because they probably can. Privilege escalation bugs are everywhere; you can't move without hitting a privilege escalation bug. Everybody patched for this? Everybody know what this slide is referring to? If you don't, go and google it, because this means any local user on any Linux system that's shipped in the last 15-plus years can get root if they can get onto the box, including all those routers and all those lightbulbs. Doesn't that fill you with confidence?

So the first rule about securing any host is minimize the attack surface. Always put your database server behind a firewall or inside a VPC. Never, ever expose port 5432 to the public. That brilliant idea you have where your remote application is going to just connect directly to the database via 5432? It's a bad idea, and you should feel bad for even thinking that. There have been Postgres bugs that would allow you to crash and corrupt a Postgres server if you could get to 5432, even if you couldn't connect successfully, even if you had no privileges. Those bugs, as far as we know, have been completely fixed; as far as we know. And remember, if you're on AWS or any other hosting service, basically everything you put in is on the public Internet; it's sitting on the sidewalk listening to packets. Don't trust Amazon's routing infrastructure to keep you isolated from everything.

Don't allow direct SSH into the database server; require a hop through a specific bastion host. Make them work to get into at least one more box, and restrict access to that bastion host by VPN or IP. Don't just leave port 22, or any other port, dangling out there in space. I mean, come on, everyone knows about switching SSH to 2222 or 10022 or whatever; don't do it. Don't just move the port around and feel like you've done anything for security.

Don't run unnecessary services on the database server. Don't run your web apps over there. Don't run your IRC server there; yes, I've seen this in client installations. Don't run your general-purpose mail server. Obviously, if you want a mail transfer agent to push out errors and things like that, that's fine. If you have a giant mysterious Java VM that the previous DBA installed and you're not sure exactly what it does, "it's for monitoring" or something, find out what it's there for. Be proactive: run nmap against it and see what ports are actually being advertised. This could be surprising to you; suddenly there are these ports and you wonder why these services are on your database server.

Use iptables or something like that to block local access, or whatever your favorite firewall is; just restrict access to expected users. Don't rely on just pg_hba.conf to completely secure the box, and this is especially important in a cloud hosting environment, because all sorts of random packets are going to come flying in and bounce up against your server. And do basic stuff like use specific users in sudo. Never, ever, ever allow direct root login. I hope in 2016 we all know that, but I still will sign up a new client and I'll say, "OK, so, credentials?" And they say, "well, it's root at public IP address." Okie-doke, if you say so.

Have horrible passwords, and make people use password managers to store them. Don't make people memorize passwords, because if you can memorize it, it can be guessed. Because we still haven't figured out how to do security right, you will ultimately have super-critical passwords, like the root passwords on hosts and things like that, and you'll need to store those somewhere. Ideally, split them: take the password, split it in half, and give it to two people, ideally two people who don't like each other very much, so that you don't have this fabulously sophisticated root password floating around someplace.

Keep your systems up to date. Always subscribe to pgsql-announce, because there will be security patches that are released and you'll want to know about that, or data corruption bugs, or all that kind of stuff. If it's a security-related update, or frankly any other update, apply it immediately. Come up with a strategy for this. It's very painful to log into a system that's running Postgres 9.3 and it's running 9.3.0, and you say, "well, why are you running 9.3.0?" "Well, upgrading is such a big risk." Trust me, running 9.3.0 is a much bigger risk than upgrading to the most recent version. Also subscribe to the appropriate security list for your platform; find out about things like Dirty COW, stuff like that, and keep up to date with the patches. Make it someone's job to do this. Make it someone's job, and make sure they do it. Never, ever allow a critical security patch to go unheeded. This kind of stuff happens all the time: we are always finding critical security bugs in operating systems, and the only way to be secure against this is to patch, because the time between the announcement of a vulnerability and it being available in the wild is about 30 seconds. So do it.

So in a perfect world, you use multi-factor authentication for all your logins, for your VPN, for all this stuff. Use LDAP. Now, I'm going to use the term LDAP a lot; by LDAP read LDAP or Kerberos, that gets a little tedious on slides over time. The point is to have a central source of truth for your logins, so that when you have to revoke someone's credentials, you can revoke them everywhere, because it is very common that when someone leaves you discover that they have logins still hanging around in various services, and that's a big issue. Require password rotation. Probably anyone who's subject to PCI compliance, because you're handling live credit card data, knows password rotation is required for PCI, but it's a good idea in general. And at an absolute minimum, never reuse passwords. Don't have the same password for the postgres Linux account and the postgres login to Postgres. Make them at least have to guess a bunch of different passwords.

The reason you want to do this, and have good strong passwords, and have two-factor authentication: google Code Spaces. This is a company that doesn't exist anymore, because they didn't have two-factor authentication on their AWS console, and somebody got the password, logged in, and deleted everything: all their instances, all their backups, everything. And that company then ceased to exist. So this is why you want two-factor authentication.

Make sure your machines are properly secured in the data center. You may have to ask some unpleasant questions of your hosting environment, like what kinds of physical access controls they have, which means real security like access control, video, mantraps, biometrics, that kind of stuff, so that people can't get to the hardware. Because if you can get to the hardware, there's a lot of damage you can do that's very hard to defend against. And make sure your cloud provider actually provides this stuff; ask these questions. One hosting provider I talked to about this, no one had ever asked them what physical access controls they have, and the answer was basically none. So that was kind of unfortunate, especially because this was a company that was going to be handling HIPAA-compliant information.

Really briefly on pg_hba.conf, because we could go into endless detail about this, but you can read the docs and understand what it does for you. The first rule is: see this? No, you don't see that, because there's no such thing as trust authentication mode. It never existed. You'll read about it in the documentation; the documentation lies. It doesn't exist. Trust me on this one.

Always require specific users, even for superusers. Yes, everybody kind of gets sloppy and logs in as postgres and does things as postgres. Don't do that. Give everyone their own login, so that if somebody leaves the company you can easily revoke that individual's login. Don't use the postgres Unix or database user; require specific logins, because again, if you have to revoke somebody, that means there's one fewer live password kicking around out there that you have to change, or remember to change, or forget to change. LDAP or Kerberos or something like that is your friend here. As much as LDAP is not your friend; LDAP hates you and wants you to die. But having some kind of centralized way of managing these users is very important.

So what about the postgres user? Well, it exists; it's going to have to exist. So create a nasty password for it, keep it in split custody, and never use it unless it's a dire emergency and there's no way out of the bind you're in. And don't allow non-local logins for it. The only way anyone should be able to get to the postgres user is they first log into the box, sudo to the postgres user from their local user, and then get in. Don't have people just randomly connecting from the outside as the postgres user, and don't use it for routine system administration tasks. Yes, sure: set it to peer authentication only, right.

Listen addresses. This is something I just started to do; this is a relatively new recommendation, and the reason was I was terrified by something I saw that I didn't expect to happen. Set it to the specific addresses that you know are on the right networks. The standard usage of this is you say listen_addresses = '*', which means bind to every address on the host. I always did that; it seemed like not a problem. And then I brought up a host that I thought was in a VPC, and one port was on the VPC and one wasn't, and that was the default configuration for that provider: they would always leave one public-facing thing dangling outside the VPC. So now I call this "for the brave." You really have to know what you're going to get, because also, what happens if they change the system configuration, you reboot, and suddenly you have a new port? That happens on hosting providers. In a cloud environment you can't always guarantee they're on the VPC; frankly, you can't guarantee it on any environment, but cloud environments are particularly bad in this regard. You should know what addresses you want it to bind to, so just specify those rather than say '*', because what happens if the configuration gets changed and it gets rebooted, or you forget to save a change permanently into a config file and it gets rebooted, and suddenly a new interface comes back up? You'll still be able to get drinks at a bar if you say listen_addresses = '*'; you won't be publicly shunned. But I prefer now to list all the addresses, so that I know for sure what addresses it's going to bind to. I don't believe listen_addresses lets you do a CIDR; I believe you have to have a full IP.

So again, use LDAP, Kerberos, something like that to manage
credentials. Every user and every role should have its own Postgres role. You shouldn't be logging in as web unless you're the web application itself; you should be logging in as fred, and only grant the permissions this role needs. If this is starting to sound like it's going to be very tedious and a lot of work, right, it will be. But this is the way: if you really want to lock down your database, this is what you do. And this is basic stuff, like a data analyst probably doesn't need to modify the schema, so why allow that permission? Remember, every single data analyst who has direct psql access or runs pgAdmin is exactly the kind of person who goes to lunch with everything logged in. If they can manipulate the schema or dump the whole schema, somebody might come along to the terminal, or that machine might get compromised.

If you're not using LDAP or something like that, Postgres passwords must be singletons. The only place in your entire universe that the Postgres logins should be used is for this particular thing; don't reuse passwords. The problem is, to this day Postgres stores its passwords locally as md5 hashes, which might as well be clear text at this point. So don't reuse them anywhere else, because if somebody is able to get access to the Postgres version of the password, they'll be able to crack it; a garden-variety PC can take apart md5 in no time at all. So just make them horrible and long; make people cut and paste them from a password manager; don't have things people can memorize.

So this is the worst single anti-pattern from a security point of view: there's one user called web, which can do everything, probably owns the database, and is maybe a superuser. And this is maybe worse because some migration systems like Rails, like Django, kind of force you to use, or expect you to use, the same user for general web operations as for applying migrations. So revoking the schema access permissions from that user is a path that is being resisted by your framework. Fight that resistance. You can make it work in both Rails and Django, and I'm sure other things too: create a separate user for doing migrations and deploys and things like that, and only use web for the application servers that need to do your basic queries against the database. And lock down this user to the app server IPs; don't let it come in from arbitrary locations. In particular, don't let it come in from the bastion host. Why would it ever need to do that, unless somebody was trying to do something bad?

Require SSL and CA-signed certificates. You can run your own CA if you want, but require it, especially in a cloud environment, because you don't necessarily know where these connections are coming from. Remember that SSL without proper certificate authority management does nothing to prevent man-in-the-middle attacks. And every API in the world, unfortunately, APIs tend to be really bad about this; they tend not to use proper certificates. So don't do that; require this. The question is, some cloud providers won't let you do verify-full, usually because they're proxying something somewhere, and the answer is open a ticket and say that's not acceptable, because, for example, for PCI compliance that is not acceptable. Create a business reason that they shouldn't do that behavior.

So anyway, databases have sensitive information; that's kind of why you have a database. If you're a business, just the customer and order info is sensitive. I believe it was Cardinal Richelieu or somebody of that nature who said, give me five lines written by the most honest man in the world and I will find enough to hang him, and this is true of order info also. It's amazing what you can find out just trolling order info from the most benign sites imaginable. And some things are really sensitive, like credit card info, health records, utility bills. Utility bills are considered highly sensitive information, actually; for example, if you see someone with unusually high usage, maybe they're running medical devices, and now you're starting to find out things about their medical records. It's essential to protect this against theft; if nothing else, you don't want to be on the front page of Hacker News for the wrong reason.

So the first answer a lot of companies come up with is they say, OK, we'll just take LUKS, which is a full-volume software encryption thing, and we'll layer it on top of LVM, and we'll layer that on top of EBS, and now we're getting USB-stick speeds out of our data, but we're secure because it's all encrypted, right? No. Full disk encryption is useless. Let me say that again: full disk encryption is useless. Full disk encryption protects against one thing, which is the theft of the media. It's great for a laptop, highly recommended for a laptop, but for your server, that's it; that's the only thing you get out of it, and that's a vanishingly small percentage of your possible threats. The only threat you have now guarded against is someone breaking through all the access controls into your data center, walking in, opening up the thing, unscrewing it, and pulling the disk out of the rack, but nothing else. The easy rule is: if you can read it in clear text with psql, it's not secure. Because most intrusions are not by stealing the media. Most intrusions are they gain shell access, or they just got your application to send the data to them, and all the full disk encryption in the world won't help you there. But it's great for laptops.

That being said, sometimes you've got to do it, because sometimes someone will hand you a contract. Like, if you do business with any utility in California and you're getting raw customer data from them, they'll hand you a contract that says you have to do full disk encryption. Fine, sure, sign it, use LUKS, use whatever you want, but make sure your key management is safe. Don't bake the keys into startup scripts on the host, because you kind of blew the whole deal right there.

The right way of handling this is per-column encryption: always encrypt specific columns, not the entire database or the entire disk. You get better performance that way, because it doesn't have to do the decryption on every disk access, and you get higher security. Key management here is a pain; there is no nice way of saying this. In a really secure environment, automatic restart is basically impossible, because every time you push the automated ability to read the key, you've created a vulnerability, because an attacker can read that key too. Sometimes you have to make a trade-off here, like putting it into an appliance and concluding, OK, that's secure enough. But remember, somebody with access to the box that can read the key out of a key appliance could be an attacker, not just you. So for restart, just assume a human being is going to be in the loop in a highly secure environment. Sorry.

So you can encrypt each column as a bytea, each column that you want to encrypt; this is good for small items like credit cards, things like that. Or you can create a JSON blob and encrypt the whole JSON blob, which is good for more complex things like medical records that have structure, things like that. And of course you can mix and match; you can have multiple columns that are encrypted, whatever you want. Use a well-known secure algorithm; please don't roll your own crypto. I hate having to tell people this, but some people do. Basically, the weakest algorithm you should consider is AES-256; this is considered by PCI the minimum standard. So never, ever roll your own crypto, because md5 was designed by very smart professional cryptographers, just saying. Don't bake the keys into code either, or put them into repositories; GitHub has all sorts of great API keys in it in public repos. It's really fun; you can find all sorts of them there.

So you often have to index this encrypted data. For example, your customer service representatives may need to take calls where someone says, "I see this charge from you and I have no idea what it is," and they give them the credit card number, and they have to look up the order to find out if it's valid or not. That happens. And obviously, if you're going to scan your entire database by sequentially decrypting each record one at a time, that's probably not going to give you a great user interface experience. So there's nothing wrong with storing a hashed value or a partial value, but be careful about hashing things, because it's very easy to reverse some hashes if you have mass data. For example, PCI lets you store the first six digits of a credit card number and the last four in clear text; it's only sixteen digits long, really, and no hash in the world is going to be that resistant to that. So be careful about that stuff. Store the absolute minimum necessary; like, for a credit card, only store the last four digits; you don't really need the first six for anything. And use a strong hash, you know, SHA-256; we know Argon2 is supposedly the new hotness on the block in this regard.

So the question always comes up: well, what about pgcrypto? It's right there, it's sitting there in contrib, sort of looking at you plaintively, saying, "I'm a cryptography module, so why not use me to encrypt the data?" I mean, why not? It's great, it's right there. So here's what we do:
we have our super secret table and we call PG symmetric encrypt sim encrypt PG this is a PG crypto function that does symmetric encryption various types here's my credit card number this one's not valid just in case you were wondering the password and this is great it stores this encrypted blob into the into the disk we assume that card here is a byte a value because that's what you get back out and then you look at the logs and there's that there's the credit card number in plain text and the password so yeah that wasn't so great was it so be careful about what you expose in text logs because you know that diagnostic run you're doing with logged in duration state me equals zero to collect data for PG Bajor that logs everything well now you've gotten all the credit card numbers and all the passwords and you probably didn't mean that this is another good reason to always do the encryption in the application not in the database because in the logs all you'll see are these nasty by day values which are encrypted so and log everything log connections disconnections log all the DML changes so you know who did them make sure the logs are kept secure and they can't be tampered with like these are syslog or something that ship seen shipping them off the other office off the box so someone can't modify them or just delete them to cover their tracks PCI requires this and it's generally a good idea make sure the log record can be traced back to an individual person so for example on all individual users set log min duration statement equals 0 so that that everything an individual user that logs in does is logged you may not be able to handle the log volume of everything that web or something like that does but anybody who's directly connecting using p SQL or PG admin 3 now PGM in for you should be about you should see everything that they do but again remember you dot to log sensitive information in clear-text so which is another good reason to encrypt in the application not 
in the database don't give every developer production system access why do they need it yeah I know DevOps whatever don't do it you want to have a limited number of people who have direct access to the production system not every developer needs production system access and when production data data comes out of production and you want to use it to prime developer systems which is a great idea I'm very much in favor of this have a process to scrub it so that the data is still useful for development but is not revealing sensitive information people can't you know can't dump that restore the data into their into their lab their development laptop and then start doing queries of for their friends remember the that your backups are also your data so make sure that they are just as secure encrypt them store them someplace that's hard to get to and if you're using a shared cloud store like s3 make sure that this stuff is private because s/3 s/3 defaults are pretty good but it's very easy to boggle it and suddenly make and suddenly have people be able to get at your your backups um if you're really intense you can use row-level security i'm not going to go into a lot of detail because it's a fairly complex it's a fairly sophisticated feature with a lot to go into it conceptually you can think of real level security is a mandatory view that's applied to a table based on access controls so can filter out data include columns and rows based on the you on the user who's doing the accessing so users that don't have permission to see things that that fail that pass or fail a particular boolean predicates don't see those rows similarly you can screen out individual columns that way you could you could in theory use this for multi-tenancy I haven't seen this done across highly sensitive information but you could do multi-tenancy this way or have applications that don't need the sensitive data don't get just flat-out can't get at it because of these access controls and after all 
that this is usually not where breaches happen usually breaches happen in the application or in the client of the database most big credit card thefts have big because the the point-of-sale systems were running Windows an old unpatched version of Windows and got malware and they just started downloading all the credit cards directly as they went by this it makes the user interface on your clicker good so it's either they breach the application they convince the application to do something bad or the clients are affected with malware you know point-of-sale tools compromises your workstations things like that that's where all this stuff that's where these big breaches come from very rarely do you have reaches that are where they have direct access to the database the one the probably you know people remember they Ashley Madison breach that was one of the few examples of where someone actually had access to the underlying database and it was an inside job so the base you do the basics all you should always use parameter parameter substitution in your library in 2016 the fact that we're still dealing with sequel injection attacks is really embarrassing never build sequel by text substitution unless you absolutely have to for example you can't do parameter substitution on table names so you have to do that way but anytime you find yourself putting sequel together using raw using text operators think about what you're doing and whether parameter substitution would is really what you want just remember all user input is hostile and wants to kill you anything that comes out from the outside world will be constructed in the worst possible way make sure your application can handle it if someone submits a 500 megabyte form make sure they handles it they they can handle but they put raw sequel into every field things like that if you're running a remote API you know mobile app or something like that require TLS 1.2 not 1.0 not 1.1 1.2 there's no reason not to anymore for 
dedicated clients like mobile apps always use a proper certificate management because if you don't you you're subject to man-in-the-middle attacks it's very easy for someone at a college or a business to put up a compromised access point with the right SSID and harvest all the text that goes by I got burned by that at a django con Europe make API keys long and rotate them it's not you know it's don't have you know four-digit API keys which I have seen make them big they're just big random numbers you know ideally you want them to be if the application deployment platform you're on lets you make individual API keys and have individualized API keys do that so you can do revocation on a granular basis and of course log everything do what you can and there are lots of tools that will do this but detect unusual access patterns and take action everyone's familiar with the CAPTCHA with with reCAPTCHA right you know how that works you know where it says pick the things that have a pick the things to have a squid in them it doesn't care what it doesn't know what has a squid in them what it's looking for is things that move too fast or things that move into a pattern that represents a bot what they are looking for is the human going squids is that a squid so do the same thing do you have a user who's suddenly able to type at 5,000 words per minute does do you have a user who tries to log in at the same within five minutes from each other from Palo Alto and from Bangladesh you know max mine's really cheap do the IP reverse law of this the do are the are the user sorry to cycle through password l you at least lockdown on multiple password attempts to start doing delays and things like that if you're if you see one one thing you can you know are your if you have a non PHP application someone requests a dot PHP file don't just throw up a for a 404 but do something if you're feeling particularly gruesome you can do a slow Laura you know as a slow loris a reverse low loris attack 
and start saying "I'll get back to you," and then three seconds later you return the error, because some script kiddie is trying to pound your site and you might as well slow them down. Blocking, rate limiting, admin alerts: because with almost all of these attacks you'll see something weird happening before the actual attack happens. One thing to remember is users will generally share passwords across systems. If you're running a commercial, customer-facing site, most customers will not generate an individual password for each site they go into; people like us are the exceptions. They'll use "abc1234" on all of their sites, so you will get people who intrude and start doing things, and be aware of that. And use reCAPTCHA; it works pretty well for screening out this stuff.

Maybe one of the reasons that these attacks are so successful is people don't care enough. Make security testing a critical part of testing. Always write tests that deliberately try to get around security controls. Have your QA try to break the security on the site. This is a great thing for new engineers to do, because they're new, they're all fired up, they don't have a lot of preconceptions about how your application works, so they don't know how it's supposed to work. And most importantly, if they break it, make sure everyone knows they did and give them high praise for doing so, because culturally you want this to be a rewarded activity. And of course run appropriate malware detecting stuff. Don't allow people to double-click .js extensions. Use the OS's antivirus tools; for all the bad press Microsoft has gotten, their current suite of antivirus tools is very, very good, as long as they're all enabled, which they frequently are not. Follow @SwiftOnSecurity, a very entertaining account. Hire outside penetration testing firms. If you're in the PCI world you're familiar with this, but just do it,
because this is one (there are lots of them), and also get ones that actually understand security, not just ones that run pen test scripts, because this actually happened to me. I get a call, I'm being PCI audited on one of my sites, and they say, "We need you to disable your firewall." "Why?" "Well, our penetration test is failing because the firewall won't let it through." Which kind of sounds like what a firewall is supposed to do. And of course what was going on is that they had this checklist they needed to complete, and they couldn't get to the host, so they couldn't see whether there were any open ports, so they queued up their reports. Which is a little bit like saying, "Well, I came up and I tried to break through the barbed wire around your house and I couldn't get through, so your door may have been unlocked." OK, whatever. Yes, interesting question: was this social engineering? They weren't charging enough to do that level of social engineering. It would have been clever, though. In the end what I had to do was open up just their IP, and then they went through and discovered that only 80 was open on my host and everything was fine.

And so by now you're listening to this guy up here ranting, "do this, do this, do this, do this," and thinking, "oh my god, we're doomed." It's a lot of work and there are a lot of risks, and you have to pick your fights. You'll never be perfectly secure. You never know when someone's going to have a bad day at work and decide... keep your employees happy, by the way; that also helps a lot. And even the most secure companies get intrusions, even companies that do everything right. They just leave that one door open a tiny crack and someone walks through. Life is full of pain and despair; what can you say? But do have hope. Do as much set-it-and-forget-it security as possible, because the more you have to fiddle with things, the more you have
a chance of doing it wrong. The more you've set up as being secure, the better your chances, as long as you maintain it. Just do regular audits and destruction tests. Be prepared; don't lose sleep, but do be paranoid. And more than anything else, make sure that the company, and especially people in senior roles in the company, care, because the companies that stay really, really secure tend to be the ones where the CEO really cares that he never hears about a breach. Because all of these have trade-offs, and if you trade off the wrong way you'll end up with an insecure system. And you'll always trade off; there will always be some that you decide against, because any system that's useful is not perfectly secure, almost by definition. Just don't be complacent; don't have convenience be the most important thing. And just be proud of it. Be proud that your system is highly secure. A lot of it is that people are proud of their performance, they're proud of their scalability, they're proud of their deployment speed, they're proud of how fast they can develop, but they tend not to be proud of how secure they are, and changing that will change more than any other single thing. And thank you very much. Any questions? I have stunned everybody.

Yes, sir. The question is, if you're a product-based company, so you're shipping a packaged software product that someone else installs, how do you get them involved in the security thing? And that's a really good question. One thing that I am always surprised by when I get these things is there's nothing at all in the documentation or the installation notes about security. That always surprises me, because there must be something they could say about security. It's one of the things I will do: if I get one of these, I call the vendor and say, OK, what are the security implications of this? What ports do I
need to expose? What ports do I not need to expose? What roles do I need? So if you're a product company, having a security section near the front of the docs that says you must do the following things, these are the vectors that people could use to attack... A lot of companies don't like doing that, because they feel like they're implying something bad. But that's like saying, well, we don't want to ship a service manual for our car because it implies it may break down. Trust me, the customers you really want will care about that a lot, and if you have a really good security story on the sales call and when they evaluate the software, that will be a big plus, not a big minus.

The one I'm the most familiar with is RDS. I would say RDS is reasonably secure, or can be secured; by default it's pretty secure. The good part is that no one has access to the box unless you work for Amazon, so in that sense they've eliminated this huge attack surface. The bad news is the only way of getting in is 5432, so you have to make sure 5432 is really locked down. So always put it inside of a VPC, for example; just step one. Make sure pg_hba.conf is set up so that no one outside of that VPC can get at it. Make sure your security rules in Amazon are locked down so only the servers that you really know can get at it. Amazon provides really good security tools; the problem is they're fiendishly complicated. It's very easy to push the wrong button and suddenly something wrong happens, which is a good reason to come in from outside, grab a box, run nmap, and make sure that you did the right thing. Because I'll look at this giant JSON security group output and go, I think I know what I just did, but I would prefer to think about it as an attacker rather than try to audit it as a human being trying to read a 20k JSON file. Yeah, I mean, again, there's this whole... RDS in particular,
and other ones: the good news is you've eliminated a huge attack surface, so that part's really nice. The bad news is if something goes weird in the box, it's hard to say what's going on. Anything else? Yes, sir. [Music] Well, I just use PCI, which is 90 days. To be a little more analytical on your question, which is how long should a password rotation cycle be: I'm not aware of any academic work that says 90 days good, 120 days bad, 45 days bad. It's really, I think, everyone's intuition about what's annoying and what's not. I think PCI set 90 days because it's just about as short as it can be without rioting. A lot of these were determined by someone saying, if I do 60 days my users will try and kill me, so I'll do 90. But it's a good question. Generally, if you're in that environment, you have a document that says you must do it every 90 days, so you just do that and call it good. It would be an interesting bit of academic research, though, where we get this 90 days from, because I'm not aware of any actual grounding on it except it seems right.

They're not currently in Postgres, yeah. So just assume it's clear text and make it a one-off. I mean, passwords are just big random numbers; you just want to make it as random as possible, make it hard to guess. So if it's a big long password it could be stored as MD5, it could be stored as clear text, it could be stored as anything, as long as it's a one-off. The danger is that if it's not a one-off, somebody could grab the password out of Postgres and use it someplace else.

Yes, sir. Password management: I like 1Password or LastPass or Passpack. Hmm, as with anything, nothing this side of the grave is safe. I think there is a
trade-off, because in theory if someone breaks that, they have all the keys to the kingdom. The question I had was, what's the alternative? You either give everybody the same giant password, at which point if that becomes broken you're vulnerable, or you make people write them down in a book, but I assure you people won't do that; they'll keep a notepad file, things like that. And I don't mean to dismiss your point, which is that it does create this single point of failure. I resisted using a password manager for a long time for exactly that, until I started thinking, well, is what I'm doing really any better than this? And I ended up concluding no, because usually the way passwords get compromised is someone goes to the other system and steals it, and if every one of those is a singleton, the damage is relatively small. That's my basic rule: I just never use the same password twice anywhere. It does mean if someone steals my laptop, gets in, manages to break the encryption on that, I'm in a load of trouble, and that's an interesting problem. But in terms of actual product recommendations, I like 1Password; their story about how they do security seems very compelling to me, and I like Passpack. Others are fine, but those are the ones I have personal experience with.

Yes, sir. Well, conceptually an SSL certificate is a really, really big password, and the answer is yes. For example, especially in an API environment where you can bake the certificate into the API client, I'm very in favor of that. So yes, and I should put that in the slides, thank you. I promised to repeat the question; make sure I got it: if you're running an EC2 instance, do you need to use security groups and iptables? And the answer is probably not. It's a little bit of a belt-and-suspenders thing, but the
main thing that you would be blocking yourself against is you screw up something in one or the other place and then the other one guards you. What I would really do is use a configuration management system like Puppet or Chef or Salt or whatever your favorite is, use bash scripts, and maintain that all as a single thing, so the chance of screwing any of that up is relatively small, and it also greatly reduces your workload in configuring these things. That's one of the things about EC2 that everyone should do and doesn't: it's really automatable. I mean, it's Elastic Compute, so use all that stuff that it gives you. The fact that you don't have to pick up the phone, whip out your credit card, and have iock systems ship you a new box is like the best part about Amazon, so use that for everything. Anything else? Great, thank you very much. [Applause]
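The access-pattern checks the talk recommends (delays after repeated password failures, and flagging a user who logs in from Palo Alto and from Bangladesh within five minutes), worked through as an added example that is not part of the talk or its slides. The GeoIP table stands in for a service like MaxMind, and the auth events and documentation-range IP addresses are constructed.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed GeoIP stand-in: ip -> (lat, lon). Documentation-range addresses, not real users.
GEOIP = {"203.0.113.10": (37.44, -122.14),   # Palo Alto
         "198.51.100.7": (23.81, 90.41),     # Dhaka
         "203.0.113.11": (37.77, -122.42)}   # San Francisco

# Constructed auth events: (timestamp, user, source ip, success?)
EVENTS = [
    (datetime(2016, 12, 7, 9, 0, 0), "alice", "203.0.113.10", True),
    (datetime(2016, 12, 7, 9, 3, 0), "alice", "198.51.100.7", True),   # 3 min later, half a world away
    (datetime(2016, 12, 7, 9, 10, 0), "bob", "203.0.113.10", True),
    (datetime(2016, 12, 7, 9, 14, 0), "bob", "203.0.113.11", True),    # plausible local hop
] + [(datetime(2016, 12, 7, 10, 0, i), "carol", "198.51.100.7", False) for i in range(6)]

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, window=timedelta(minutes=5), max_km=500.0):
    """Flag (user, ip1, ip2) when one user's successful logins are more than max_km apart within window."""
    flagged = []
    logins = sorted(e for e in events if e[3])
    for i, (t1, user, ip1, _) in enumerate(logins):
        for t2, user2, ip2, _ in logins[i + 1:]:
            if t2 - t1 > window:
                break  # sorted by time, so everything after this is outside the window too
            if user2 == user and ip2 != ip1 and haversine_km(GEOIP[ip1], GEOIP[ip2]) > max_km:
                flagged.append((user, ip1, ip2))
    return flagged

def failed_login_delay(failures, free=3, cap=60.0):
    """Seconds to stall the next attempt: none for the first `free` failures, then doubling
    (1, 2, 4, ...) up to `cap`. Slows password cycling without locking out a user who typoed."""
    if failures < free:
        return 0.0
    return min(cap, float(2 ** (failures - free)))

def lockout_candidates(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failed attempts inside any `window`; candidates for an admin alert."""
    fails = {}
    for t, user, _, ok in sorted(events):
        if ok:
            continue
        fails[user] = [x for x in fails.get(user, []) if t - x <= window] + [t]
    return sorted(u for u, q in fails.items() if len(q) >= threshold)
```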
Info
Channel: Citus Data
Views: 2,599
Rating: 4.9111109 out of 5
Id: s-BvKkVSyTA
Length: 50min 5sec (3005 seconds)
Published: Wed Dec 07 2016