Devroom, 2017/02/05, 11:00 - 11:50
Could you please introduce yourself? What is your relationship with the PostgreSQL Project? —
I'm Christoph, currently working as a consultant with 2ndQuadrant. Most
of my work is advising German and European clients on all things PostgreSQL:
setup, backup and recovery, performance, operations, application
development and migrations from other databases.
I started using PostgreSQL in the early 2000s, with the 7.x versions
and shortly after developed an application in PL/pgSQL and Perl.
Some years later I joined a company building network security appliances
as a developer. My responsibility included converting some different
databases in their software to PostgreSQL and maintaining and enhancing
that setup. About 2.5 years ago, I joined 2ndQuadrant.
Why is authentication important for a database? And why is just username and password not enough? —
Without authentication, anyone who can connect to the database can do
almost anything on the database - read, modify and delete data. Very
few environments can ensure that level of network security to keep
outsiders out - and even then, not everyone on the inside should be
allowed access to the database. Passwords are the bare minimum security
for these cases - but they are not optimal. Passwords are ok for humans -
they can be remembered and typed, but even then there are limits. That's
why 2 factor authentication and password managers are on the rise.
For databases, it's common that there is no human authenticating to the
database but just "another program" - think of your web application.
In this scenario, passwords tend to end up in deployment scripts and
hardcoded in the application. Soon, about everyone knows the password
(and if you're unlucky, it ends up on Github), and the passwords are hard
to change: because they are hardcoded, and because the change has to
happen at the same time on the database and the application side.
At the same time, regulations like PCI-DSS (Payment Card Industry
Data Security Standard) mandate regular password changes.
What other stakeholders are typically involved, when it comes to company-wide authentication? —
In smaller organisations, authentication is often just added as an
afterthought - there has never been the investment into a global
authentication strategy. Creating such a strategy can quickly
become a large undertaking: identifying all the components, the
requirements and regulations, etc.
How did you come up with the idea for this talk? —
During my work with customers, I got quite a few questions about
authentication options. And there were some installations with a
rather poor authentication configuration, and at least one case
where authentication had been accidentally weakened after
misunderstanding both industry regulations and PostgreSQL workings.
Obviously, there's a lot of demand for this topic (even if some
people haven't realized their needs yet).
Have you been to FOSDEM or FOSDEM PGDay before? —
This is my fourth FOSDEM and FOSDEM PGDay. I guess I'm becoming a regular visitor.