Re: securing the sql server ?

From: Chris Travers <chris(dot)travers(at)gmail(dot)com>
To: condor(at)stz-bg(dot)com
Cc: pgsql-general(at)postgresql(dot)org
Subject: Re: securing the sql server ?
Date: 2011-08-22 18:09:55
Message-ID: CAKt_Zfu=KDptn0euOz7bXQAjxah_=R0T7nHvtwu+t5Y+HD9uOw@mail.gmail.com
Lists: pgsql-general

On Mon, Aug 22, 2011 at 1:40 AM, Condor <condor(at)stz-bg(dot)com> wrote:
> Hello ppl,
> can anyone tell me how I can secure a Linux server with a PostgreSQL database,
> for example?

Here are a few steps:
1) Identify your environment. Focus on details. For example, this
might be in a monitored server room where access is required to reach
the physical server.
2) Identify the security threats of that environment. In such an
environment you have physical security threats which are handled
through physical security, and network security threats which are
handled through network security. The software might also have other
security considerations.
3) Identify a level of risk that is an acceptable tradeoff between
security and usability.
4) Create a plan along the general lines of that acceptable tradeoff.

> I'm thinking of making a cryptfs file system and deploying the database over
> the cryptfs. The problem here may be that whenever the front end needs any
> data in or out, the CPUs of the server will always have to decrypt/encrypt
> the data, and performance will be very low.

And besides, what does it buy you? What are you protecting against?

>
> I remember a few months ago someone asked a similar question about how he
> could encrypt data that is stored in the database, and the problem was the
> key. The key is stored on the same server, so if someone gets access they
> can decrypt the data.

In general, trying to use cryptography-based security is a bad
tradeoff. There are times when it is important but then the
cryptographic management needs to be built in at every level. For
example, the user might have a key which is used to decrypt the actual
storage key. The thing is that has to be handled app-side, and unless
you really have a good idea of what you are doing and why, chances are
all you will succeed in doing is killing performance.

I have looked at a very few cases where this is not a bad tradeoff.
However those are pretty rare.

Best Wishes,
Chris Travers
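As an added illustration of the app-side scheme Chris describes (a user-held key unwrapping the actual storage key), the following is example code, not from this thread or from PostgreSQL. It assumes the server stores only a salt, the wrapped data key and the ciphertext; the HMAC-based cipher is a stand-in for a vetted AEAD such as AES-GCM from a real library, and the record layout is invented.

```python
import hashlib
import hmac
import secrets

# Stand-in for an AEAD (use AES-GCM from a vetted library in practice):
# HMAC-SHA256 keystream in counter mode plus an encrypt-then-MAC tag.
def _subkeys(key):
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac

def _keystream(enc_key, nonce, length):
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))

def derive_kek(passphrase, salt):
    # Key-encryption key from the user's secret; the server never stores it.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def enroll(passphrase, record):
    """Return what the server is allowed to persist (assumed layout)."""
    salt = secrets.token_bytes(16)
    dek = secrets.token_bytes(32)                   # random storage key
    kek = derive_kek(passphrase, salt)
    return {"salt": salt, "wrapped_dek": seal(kek, dek), "data": seal(dek, record)}

def read(passphrase, stored):
    """Unwrap the storage key with the user's key, then decrypt the record."""
    kek = derive_kek(passphrase, stored["salt"])
    dek = unseal(kek, stored["wrapped_dek"])       # raises on a wrong passphrase
    return unseal(dek, stored["data"])
```

With this layout a copy of the server's files yields only wrapped keys and ciphertext, which is the point of Chris's remark that the key handling has to live app-side; every read also pays the key-derivation and decryption cost he warns about.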
