
A new security feature available in Fujitsu Enterprise Postgres
Fujitsu Enterprise Postgres provides several enterprise-class security features, such as Transparent Data Encryption, Data Masking, Dedicated Audit Log, confidentiality management, and policy-based login security. These features have been available in Fujitsu Enterprise Postgres for a few releases now.
Fujitsu Enterprise Postgres 17 has added another security feature - privileged user management with CyberArk Privileged Access Manager (PAM). Unlike other security features, such as Transparent Data Encryption, Dedicated Audit Log, and confidentiality management, this feature does not add any component to the Fujitsu Enterprise Postgres database, such as extensions, libraries, or configuration parameters. Rather, it provides support for enabling a third-party enterprise security product - CyberArk Privileged Access Manager - to monitor privileged access to the Fujitsu Enterprise Postgres database (by Fujitsu Enterprise Postgres privileged users) in an enterprise setup.
What advantage does Fujitsu Enterprise Postgres get by adding this feature?
It makes Fujitsu Enterprise Postgres more suitable for applications in enterprise scenarios, where it is mandated to monitor, control, and audit all privileged access to enterprise resources and operations from one central system or one central screen.
Fujitsu Enterprise Postgres can be deployed seamlessly in enterprises where CyberArk Privileged Access Manager is already used to control and monitor privileged access and to prevent possible security breaches through it. Alongside the privileged access that is monitored and controlled for the other systems in an enterprise, privileged access to the Fujitsu Enterprise Postgres database can be controlled and monitored for all audit and compliance purposes.
What types of privileged access in Fujitsu Enterprise Postgres can be monitored in CyberArk Privileged Access Manager?
There are several types of privileges that can be provided to database users in Fujitsu Enterprise Postgres. In addition to the SUPERUSER privilege, users can be provided other privileges such as: CREATEDB, CREATEROLE, BYPASSRLS, INHERIT, CONNECTION LIMIT, PASSWORD, VALID UNTIL, and several others.
Each of these privileges provides different capabilities to users, permitting them to perform some specific operation on database objects. A compromise in security for any of these users would pose different levels of security risk for the enterprise, and therefore it needs to be prevented.
CyberArk Privileged Access Manager, with appropriate configuration for each such user, can provide a central place to monitor and control access for these privileged users, based on the enterprise policy governed centrally.
Configuration and setup required on Fujitsu Enterprise Postgres side
There are very simple configuration changes required on the Fujitsu Enterprise Postgres side to support the CyberArk Privileged Access Manager. User access to Fujitsu Enterprise Postgres database is controlled through the connection details provided in pg_hba.
Changes to connection details are required only for the privileged users. For non-privileged users, there are no changes required to connection details.
For the privileged users, the connection request to the database will come from CyberArk Privileged Access Manager through a psql session. The entries for these connections have to be specified in pg_hba accordingly.
As the privileged user connections come through CyberArk Privileged Access Manager, the password check for these connection requests is already done using the centralized password policy implemented in CyberArk Privileged Access Manager. Therefore, the built-in policy-based login security in Fujitsu Enterprise Postgres has to be disabled for these privileged users.
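The pg_hba change described above, as an added example that is not from the page or from Fujitsu: a constructed pg_hba.conf fragment that accepts the privileged role only from an assumed Privileged Session Manager host (10.0.5.20, a placeholder) and rejects it from anywhere else, plus a small first-match evaluator to confirm the rule order does what is intended before it is deployed. The role names and addresses are constructed.

```python
import ipaddress

# Constructed pg_hba.conf fragment (placeholder addresses and role names).
# PostgreSQL applies the first matching line, so the PSM allow rule for the
# privileged role must come first, its catch-all reject second, and the
# unchanged rule for ordinary users last.
PG_HBA = """
# TYPE  DATABASE  USER        ADDRESS         METHOD
host    all       dba_admin   10.0.5.20/32    scram-sha-256
host    all       dba_admin   0.0.0.0/0       reject
host    all       all         10.0.0.0/16     scram-sha-256
"""


def parse_hba(text):
    """Return host rules as (database, user, network, method) tuples in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        conn_type, database, user, address, method = line.split()[:5]
        if conn_type != "host":
            continue  # local/hostssl/hostnossl entries are out of scope here
        rules.append((database, user, ipaddress.ip_network(address), method))
    return rules


def match_method(rules, user, client_ip, database="postgres"):
    """Mimic PostgreSQL's first-match lookup; return the method or None if nothing matches."""
    ip = ipaddress.ip_address(client_ip)
    for rule_db, rule_user, net, method in rules:
        if rule_db != "all" and rule_db != database:
            continue
        if rule_user != "all" and rule_user != user:
            continue
        if ip in net:
            return method
    return None


if __name__ == "__main__":
    rules = parse_hba(PG_HBA)
    for user, ip in [("dba_admin", "10.0.5.20"), ("dba_admin", "10.0.7.9"), ("app_user", "10.0.7.9")]:
        print(user, ip, "->", match_method(rules, user, ip))
```

Swapping the two dba_admin lines would silently reject the PSM session as well, which the evaluator makes visible without touching a live server.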
Configuration and setup required on CyberArk Privileged Access Manager
The CyberArk Privileged Access Manager system consists of five functional modules, namely:
- PrivateArk client - Allows you to perform administrative activities in the Enterprise Password Vault
- Digital Vault - Prevents password leaks
- Password Vault Web Access (PVWA) - Prevents privilege abuse and malicious operations
- Central Policy Manager (CPM) - Simplifies security operation
- Privileged Session Manager (PSM) - Facilitates the understanding of operation
Configuration and setup are required for each of these modules to register and manage the Fujitsu Enterprise Postgres privileged user accounts and sessions. The Fujitsu Enterprise Postgres client must be installed on the server, as it is used by the Central Policy Manager and Privileged Session Manager modules. The Central Policy Manager plugin and the Privileged Session Manager connector, developed by CyberArk for Fujitsu Enterprise Postgres, can be downloaded from the CyberArk Marketplace.
For details on configuration and setup please refer to the CyberArk documentation and the brochure Achieving secure and productive database Privileged Access Management.