You need to keep your systems running at the speed of business, and at the same time make sure that data is properly secured, not only to protect your customer's data and your organisation's reputation, but also to comply with strict regulations.
Every system is exposed to potential data breaches, and your organisation already has measures in place to deter unauthorised access to data. But it is not enough to secure your network against attackers, you also need to have safeguards in case this line of defence is compromised.
Apart from measures against unauthorised access from cyber attacks, you may also need to have policies in place to restrict who in your own organisation can access some of the sensitive information you store– data such as passwords, credit numbers, and personally identifiable information (PII).
Your data security strategy must provide protection against ever-evolving threats, while also having minimum impact in your business operations and uptime.
That is where FUJITSU Enterprise Postgres can help you with its extended features to protect, redact, and audit access to your data. And since FUJITSU Enterprise Postgres is an enhancement of the OSS community version of PostgreSQL, all its enterprise-ready security features are 100% compatible with PostgreSQL.
Transparent Data Encryption
All data in FUJITSU Enterprise Postgres can be encrypted using Advanced Encryption Standard, a PCI DSS-compliant 256-bit encryption technology that is standard for the credit card industry.
Data at rest can encrypted, which renders a copy useless to anyone who could get to the underlying storage. Regarding the scope of the encryption, you can encrypt only information that you deem critical (done on a tablespace basis), if you feel that only that data needs to be secured, or all your data. Many encryption technologies encrypt only the data and the database, but FUJITSU Enterprise Postgres' Transparent Data Encryption ensures that everything, including transaction logs and backups, are brought under the fold, greatly improving your security posture.
Faster encryption/decryption with minimum overhead is achieved by manipulating entire blocks, instead of one bit at a time. Overhead is further minimised by using AES-NI built into the processor – Intel and AMD have a range of processors that provide this feature. You no longer need to reduce the scope of encryption to ensure application performance, as you can now encrypt all the data of an application with minimum impact.
No additional storage needs to be allocated, because the encryption algorithm does not alter the size of the object (table data, index, backup, etc) being encrypted. Data is securely encrypted without requiring disk size increases.
And because data is encrypted as it is written to disk and decrypted as it is read, there is also no need to change existing applications.
What can be encrypted?
As mentioned before, not only your data can be encrypted, but also the WAL, backup files, and archive logs. The encryption unit is the tablespace. All tables, indexes, temporary tables, and temporary indexes created in a specified tablespace are encrypted.
The solution also supports streaming replication, as objects encrypted on the primary server are transferred in its encrypted format to the standby server.
Data masking (a.k.a., data obfuscation or data redaction) enables user-based confidentiality, altering original data with random characters while maintaining its usability.
FUJITSU Enterprise Postgres implements data masking using a powerful yet user-friendly policy approach. The benefit of this implementation is that existing queries do not need to be changed – the result set is appropriately redacted according to the user’s role and existing masking policies.
Using policies removes the complexity from the operation but still allows immense flexibility in the redaction of different types of data to different types of roles. Data in columns can be fully masked, with all characters changed with replacements value, partially masked, with only certain character positions being changed, or masked using regular expressions, where the original value is redacted according to the regular expression specified in the policy.
It also supports different modes of masking, where data can go through a one-off, batch redaction, or an on-demand redaction when data is actually read.
The first mode is called offline data masking, which transfers data to another database while applying the specified policies – it is suitable to generate realistic data in test environments without exposing sensitive information.
The second mode is called online data masking, which applies masking policies on the fly, as data is read from the disk – this is the mode used in production environments to hide sensitive data.
As with Transparent Data Encryption, applications do not need to be changed to make use of this feature.
Dedicated Audit Log
The last item that I would like to mention is the Dedicated Audit Log, and how if differs from and extends PostgreSQL's own audit tool pgaudit.
The pgaudit extension logs session and object records to the same server log that PostgreSQL uses to log system messages.
As a result, the same file contains heterogeneous data that will then be used for 2 important but distinct activities – message monitoring and data auditing. This causes unnecessary overhead and increased complexity to both activities.
A dedicated audit trail makes it easier to analyse and address performance/database use issues separately from security issues
By saving the log records into 2 different files according to their purpose (server log for system messages, and audit trail for accountability, traceability, and auditability) provides the following advantages:
- System management is more secure, since records are saved into different files
- Obtaining relevant audit information is simplified, since the audit log contains only audit data
- Overhead is further reduced because the Dedicated Audit Log is asynchronously written using background workers
- I previously wrote a post explaining how to apply Transparent Data Encryption, and describing just how strong is the encryption used by this feature – you can read it here.
- For an in-depth exploration of Data Masking and the Dedicated Audit Log, please download the white papers below.
If you’d like to hear how Fujitsu’s Enterprise PostgreSQL can help protect your data without sacrificing performance, feel free to get in touch with us via firstname.lastname@example.org.