DataMod – Azure PostgreSQL Security Recommedation

Post View : 1772

Azure PostgreSQL

Azure Database for PostgreSQL is a relational database service in the Microsoft cloud based on the PostgreSQL open source relational database. Azure Database for PostgreSQL delivers:

  • Built-in high availability.
  • Data protection using automatic backups and point-in-time-restore for up to 35 days.
  • Automated maintenance for underlying hardware, operating system and database engine to keep the service secure and up to date.
  • Predictable performance, using inclusive pay-as-you-go pricing.
  • Elastic scaling within seconds.
  • Enterprise grade security and industry-leading compliance to protect sensitive data at-rest and in-motion.
  • Monitoring and automation to simplify management and monitoring for large-scale deployments.
  • Industry-leading support experience.

For more detail, you can view Azure Learn.

By using the PostgreSQL Database on Azure, sometimes you may need to ensure the security of your PostgreSQL database. Security is important for nowadays modern architecture.

Data Encryption

User Azure Key Vault for key management and using the key to perform data encryption.

Requirements

  • Customer-Managed Key
    • No expiration date
    • Not disabled (enabled)
    • Able to perform get, wrap key, and unwrap key operations
  • Permissions
    • Subscription Administrator

Reference Link: Data encryption – Azure portal – for Azure Database for PostgreSQL – Single server

Azure Security Baseline Checklist

For PostgreSQL Database, Azure offers a checklist for us to review our database. By using the checklist we could have a preliminary understanding of the database security level.

  1. Network Security
    1. Protect Azure resources within virtual networks
    2. Monitor and log the configuration and traffic of virtual networks, subnets, and network interfaces
    3. Deny communications with known-malicious IP addresses
    4. Record network packets
    5. Deploy network-based intrusion detection/intrusion prevention systems (IDS/IPS)
    6. Minimize complexity and administrative overhead of network security rules
    7. Maintain standard security configurations for network devices
    8. Document traffic configuration rules
    9. Use automated tools to monitor network resource configurations and detect changes
  2. Logging and Monitoring
    1. Configure central security log management
    2. Enable audit logging for Azure resources
    3. Configure security log storage retention
    4. Monitor and review logs
    5. Enable alerts for anomalous activities
  3. Identity and Access Control
    1. Maintain an inventory of administrative accounts
    2. Change default passwords where applicable
    3. Use dedicated administrative accounts
    4. Use Azure Active Directory single sign-on (SSO)
    5. Use multi-factor authentication for all Azure Active Directory-based access
    6. Use secure, Azure-managed workstations for administrative tasks
    7. Log and alert on suspicious activities from administrative accounts
    8. Manage Azure resources from only approved locations
    9. Use Azure Active Directory
    10. Regularly review and reconcile user access
    11. Monitor attempts to access deactivated credentials
    12. Alert on account sign-in behaviour deviation
    13. Provide Microsoft with access to relevant customer data during support scenarios
  4. Data Protection
    1. Maintain an inventory of sensitive information
    2. Isolate systems storing or processing sensitive information
    3. Monitor and block unauthorized transfer of sensitive information
    4. Encrypt all sensitive information in transit
    5. Use an active discovery tool to identify sensitive data
    6. Use Azure RBAC to control access to resources
    7. Log and alert on changes to critical Azure resources
  5. Vulnerability Management
    1. Run automated vulnerability scanning tools
  6. Inventory and Asset Management
    1. Use automated asset discovery solution
    2. Maintain asset metadata
    3. Delete unauthorized Azure resources
    4. Define and maintain inventory of approved Azure resources
    5. Use only approved Azure services
    6. Limit users’ ability to interact with Azure Resource Manager
  7. Secure Configuration
    1. Establish secure configurations for all Azure resources
    2. Maintain secure Azure resource configurations
    3. Securely store the configuration of Azure resources
    4. Deploy configuration management tools for Azure resources
    5. Implement automated configuration monitoring for Azure resources
    6. Manage Azure secrets securely
    7. Manage identities securely and automatically
    8. Eliminate unintended credential exposure
  8. Malware Defense
    1. Pre-scan files to be uploaded to non-compute Azure resources
  9. Data Recovery
    1. Ensure regular automated backup
    2. Perform complete system backups and backup any customer-managed keys
    3. Validate all backups including customer-managed keys
    4. Ensure protection of backups and customer-managed keys
  10. Incident Response
    1. Create an incident response guide
    2. Create an incident scoring and prioritization procedure
    3. Test security response procedures
    4. Provide security incident contact details and configure alert notifications for security incidents
    5. Incorporate security alerts into your incident response system
    6. Automate the response to security alerts
  11. Penetration Tests and Red Team Exercises
    1. Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

For more details, you can refer to the reference on Azure Learn.

Next section, we will be discussing the enhancement of database security. Stay tuned.

Chris Wan
Website | + posts

Microsoft Certified Trainer (MCT)
Application Architect, SOS Group Limited

Leave a comment

SOS Group Limited © 2022. All Rights Reserved.