Speaker Interview - Christoph Moench-Tegeder

Beyond Trust - PostgreSQL Client Authentication
Christoph Moench-Tegeder

Devroom, 2017/02/05, 11:00 - 11:50

Could you please introduce yourself? What is your relationship with the PostgreSQL Project? — I'm Christoph, currently working as a consultant with 2ndQuadrant. Most of my work is advising German and European clients on all things PostgreSQL: setup, backup and recovery, performance, operations, application development and migrations from other databases. I started using PostgreSQL in the early 2000s, with the 7.x versions, and shortly after I developed an application in PL/pgSQL and Perl. Some years later I joined a company building network security appliances as a developer. My responsibility included converting some different databases in their software to PostgreSQL and maintaining and enhancing that setup. About 2.5 years ago, I joined 2ndQuadrant.

Why is authentication important for a database? And why is just username and password not enough? — Without authentication, anyone who can connect to the database can do almost anything on the database - read, modify and delete data. Very few environments can ensure that level of network security to keep outsiders out - and even then, not everyone on the inside should be allowed access to the database. Passwords are the bare minimum security for these cases - but they are not optimal. Passwords are OK for humans - they can be remembered and typed, but even then there are limits. That's why two-factor authentication and password managers are on the rise. For databases, it's common that there is no human authenticating to the database but just "another program" - think of your web application. In this scenario, passwords tend to end up in deployment scripts and hardcoded in the application. Soon, about everyone knows the password (and if you're unlucky, it ends up on GitHub), and the passwords are hard to change: because they are hardcoded, and because the change has to happen at the same time on the database and the application side. At the same time, regulations like PCI-DSS (Payment Card Industry Data Security Standard) mandate regular password changes.

What other stakeholders are typically involved when it comes to company-wide authentication? — In smaller organisations, authentication is often just added as an afterthought - there has never been the investment into a global authentication strategy. Creating such a strategy can quickly become a large undertaking: identifying all the components, the requirements and regulations, etc.

How did you come up with the idea for this talk? — During my work with customers, I got quite a few questions about authentication options. And there were some installations with a rather poor authentication configuration, and at least one case where authentication had been accidentally weakened after misunderstanding both industry regulations and PostgreSQL workings. Obviously, there's a lot of demand for this topic (even if some people haven't realized their needs yet).

Have you been to FOSDEM or FOSDEM PGDay before? — This is my fourth FOSDEM and FOSDEM PGDay. I guess I'm becoming a regular visitor.