Standardizing PostgreSQL Security Across Multi-Cloud Environments

Sebastian Insausti

Multi-Cloud Environment is a common topology and even recommended for a Disaster Recovery Plan (DRP), but the security could be a risk here as you need to add to the common security checks an extra point or more than one to ensure your data across Multi-Cloud environments.

In this blog, we will mention some of the most common security checks in a PostgreSQL environment running in the cloud, and what you need to take into account when you are using a Multi-Cloud Environment.

Security Checks for PostgreSQL in the Cloud

Let’s see some of the most common security checks for a PostgreSQL Database in a Cloud Environment.

Controlling Database Access

You must limit the remote access to only the necessary people, and from the least amount of source possibles. Using a VPN to access it is definitely useful here, but there are also other options like SSH Tunneling or Firewall Rules.

Managing Database User Accounts

There are many ways to improve security for your user accounts.

  • Remove inactive users.

  • Grant only the necessary privileges to the necessary users.

  • Restrict the source for each user connection.

  • Define a secure password policy.

Secure Installations and Configurations

There are some changes to do to secure your database installation.

  • Install only the necessary packages and services on the server.

  • Change the default admin user password and restrict the usage from only the localhost.

  • Change the default port and specify the interface to listen in.

  • Enable audit plugin.

  • Configure SSL certificates to encrypt data-in-transit.

  • Encrypt data-at-rest.

  • Configure the local firewall to allow access to the database port only from the local network or from the corresponding source.

If you are using a managed database, some of these points won’t be possible.

Implement a WAF (Web Application Firewall)

SQL Injections or DoS attacks (Denial of Service) are the most common attacks to a database, and the most secure way to avoid them is by using a WAF to catch this kind of SQL queries or a SQL Proxy to analyze the traffic.

Keep Your OS and Database Up-to-Date

There are several fixes and improvements that the database vendor or the operating system release in order to fix or avoid vulnerabilities. It is important to keep your system as up-to-date as possible by applying patches and security upgrades.

Check CVE (Common Vulnerabilities and Exposures) Frequently

Every day, new vulnerabilities are detected for your database server. You should check it frequently to know if you need to apply a patch or change something in your configuration. One way to know it is by reviewing the CVE website, where you can find a list of vulnerabilities with a description, and you can look for your database version and vendor, to confirm if there is something critical to fix ASAP.

Security Checks for PostgreSQL in a Multi-Cloud Environment

Apart from the checks mentioned above, the most important thing to secure in a Multi-Cloud Environment is the communication between the Cloud Providers.

For security reasons, the communication between the Cloud Providers must be encrypted, and you must restrict the traffic only from known sources to reduce the risk of unauthorized access to your network.

The usage of VPN, SSH, or Firewall Rules, or even a combination of them, is a must for this point. You must restrict the traffic only from known sources, so only from Cloud Provider 1 to Cloud Provider 2 and vice versa.

Conclusion

Your Multi-Cloud Environment will be safer by checking the points mentioned above, but unfortunately, there is always a risk of being hacked as there is not a 100% secured system.

The key here is to minimize this risk, and for that, you should run periodically security scan tools like Nessus, looking for vulnerabilities, and to have a good monitoring system like ClusterControl, that not only allow you to have your system monitored, but also auto recover your systems in case of failure, or even quickly set up replication in a Multi-Cloud environment and manage the setup in an easy and friendly way.

ClusterControl
The only management system you’ll ever need to take control of your open source database infrastructure.