We were able to share views and insights, problems and solutions! My presentation focussed on the changes in legislation occurring across the world in data privacy.
One example is the new Privacy Amendment (Notifiable Data Breaches) Act 2017 in Australia, which has established the Notifiable Data Breaches (NDB) scheme. This makes database features such as Data Masking even more compelling. Public and private firms operating in the European Union will also be subject to the General Data Protection Regulation starting May 2018.
These schemes oblige organisations to notify authorities of a serious breach, as well as those individuals whose personal information was involved. Non-compliance carries serious penalties. You can read more about the new Australian regulations and European situation.
Let us consider a scenario. Your day starts as usual and you reach your office on time. All seems normal until you receive a telephone call from someone who identifies themselves as an Application Manager within your company, asking you to provide the password for a very critical database. Why? Because he has forgotten his laptop and can’t get into the system. Being a DBA, you have all the passwords and could easily help him.
You could respond with:
- Sorry, this is against our company policies. Please send an email using your work phone to request the same. I’m really sorry I cannot help you.
- Yes sure, this is the password, happy to help you out.
What do you think is the best answer to the caller, one or two? What is wrong with these approaches? Will your boss comment that you were rude and unhelpful, or will he/she appreciate you for following company policy and potentially preventing a data breach and the costs that can follow? The correct answer to this caller is of course the first option.
Types of Breaches
There are many types of breaches:
- Hacking and Malware
- Portable Device loss
- Unintended disclosure
- Physical Loss
- Insider Leak
Impact of Breaches on Organisations
Organisations can be quite seriously impacted by a data breach including:
- Loss of reputation
- Financial losses
- Legal costs
- Loss of competitive edge
- Inability to trade because of bankruptcy
- Loss of data protection insurance
- Government imposed fines
Amendments in Data Privacy Laws
There have been many weaknesses in data protection laws around the world that have allowed companies to conceal breaches from public scrutiny. New laws are correcting this situation. For example, in Australia, organisations have to inform the authorities and anyone whose information has been breached immediately, or potentially face penalties of up to AU$360,000 in fines for individuals and AU$1.8 million for organisations.
Data Privacy and PostgreSQL
We can tune our PostgreSQL database in many ways to reduce the chance of data breaches and comply with these new legal amendments:
- Patch your operating system regularly. To have a secure database, the operating system must be secure, as it is the entry point to the database.
- Always keep the firewall enabled unless there is a specific requirement to disable it.
- Choose the pg_hba.conf access methods (trust, md5, scram-sha-256) with extra care.
- Treat password, server and backup theft very seriously.
- Try to avoid using the default database port.
- Restrict access to files such as postgresql.conf, pg_hba.conf and the log directory (pg_log) to the administrator only.
- Manage roles with extra care and grant them only as needed.
- Grant permissions on database objects with proper care. Restrict users from accessing other users' objects unless required.
- Use the various encryption options available in PostgreSQL, such as password encryption, column encryption, client-side encryption and SSL host authentication.
- Use the pg_audit extension to enable detailed session and object audit logging. These logs can help identify a possible attack.
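As an added example (not code from the original post), a small Python script that audits a pg_hba.conf for the risky access-method choices in the list above: trust, cleartext password, legacy md5, rules open to every address, and hostnossl. The sample configuration is constructed, and the parser assumes CIDR addresses rather than the separate IP/NETMASK column form.

```python
"""Audit pg_hba.conf entries for weak authentication choices."""
from dataclasses import dataclass

# Constructed sample pg_hba.conf content; not from a real deployment.
SAMPLE_HBA = """
# TYPE    DATABASE  USER      ADDRESS         METHOD
local     all       postgres                  peer
local     all       all                       trust
host      all       all       127.0.0.1/32    md5
host      app       app_user  10.0.0.0/8      scram-sha-256
host      all       all       0.0.0.0/0       password
hostnossl all       all       192.168.1.0/24  scram-sha-256
"""

@dataclass
class Finding:
    line_no: int
    severity: str
    message: str

def parse_hba(text):
    """Yield (line_no, fields) for every non-comment, non-empty line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield no, line.split()

def audit_hba(text):
    """Return a list of Findings, one per weak setting, in file order."""
    findings = []
    for no, f in parse_hba(text):
        ctype = f[0]
        # 'local' rows have no ADDRESS column; host-style rows do.
        # Assumption: ADDRESS is written in CIDR form (one field).
        addr = None if ctype == "local" else f[3]
        method = f[3] if ctype == "local" else f[4]
        if method == "trust":
            findings.append(Finding(no, "critical", "trust grants access with no password"))
        elif method == "password":
            findings.append(Finding(no, "high", "cleartext password on the wire; use scram-sha-256"))
        elif method == "md5":
            findings.append(Finding(no, "medium", "md5 is legacy; migrate to scram-sha-256"))
        if addr in ("0.0.0.0/0", "::/0"):
            findings.append(Finding(no, "high", "rule open to every address; narrow the CIDR"))
        if ctype == "hostnossl":
            findings.append(Finding(no, "medium", "hostnossl permits unencrypted connections"))
    return findings

if __name__ == "__main__":
    for fnd in audit_hba(SAMPLE_HBA):
        print(f"line {fnd.line_no} [{fnd.severity}]: {fnd.message}")
```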
If you have data security concerns or are looking for a more robust, secure and scalable database, then contact one of our experts on +612 9452 9191.