DataMod — Azure PostgreSQL Security Recommendation

Azure PostgreSQL

Azure Database for PostgreSQL is a relational database service in the Microsoft cloud based on the PostgreSQL open-source relational database. Azure Database for PostgreSQL delivers:

• Built-in high availability.
• Data protection using automatic backups and point-in-time-restore for up to 35 days.
• Automated maintenance for underlying hardware, operating system, and database engine to keep the service secure and up to date.
• Predictable performance, using inclusive pay-as-you-go pricing.
• Elastic scaling within seconds.
• Enterprise-grade security and industry-leading compliance to protect sensitive data at-rest and in motion.
• Monitoring and automation to simplify management and monitoring for large-scale deployments.
• Industry-leading support experience.

For more detail, you can view Azure Learn.

By using the PostgreSQL Database on Azure, sometimes you may need to ensure the security of your PostgreSQL database. Security is important for nowadays modern architecture.

Data Encryption

User Azure Key Vault for key management and using the key to perform data encryption.

Requirements

• Customer-Managed Key
• No expiration date
• Not disabled (enabled)
• Able to perform get, wrap key, and unwrap key operations
• Permissions
• Subscription Administrator

Reference Link: Data encryption — Azure portal — for Azure Database for PostgreSQL — Single server

Azure Security Baseline Checklist

For PostgreSQL Database, Azure offers a checklist for us to review our database. By using the checklist we could have a preliminary understanding of the database security level.

1. Network Security
2. Protect Azure resources within virtual networks
3. Monitor and log the configuration and traffic of virtual networks, subnets, and network interfaces
4. Deny communications with known-malicious IP addresses
5. Record network packets
6. Deploy network-based intrusion detection/intrusion prevention systems (IDS/IPS)
7. Minimize complexity and administrative overhead of network security rules
8. Maintain standard security configurations for network devices
9. Document traffic configuration rules
10. Use automated tools to monitor network resource configurations and detect changes
11. Logging and Monitoring
12. Configure central security log management
13. Enable audit logging for Azure resources
14. Configure security log storage retention
15. Monitor and review logs
16. Enable alerts for anomalous activities
17. Identity and Access Control
18. Maintain an inventory of administrative accounts
19. Change default passwords where applicable
20. Use dedicated administrative accounts
21. Use Azure Active Directory single sign-on (SSO)
22. Use multi-factor authentication for all Azure Active Directory-based access
23. Use secure, Azure-managed workstations for administrative tasks
24. Log and alert on suspicious activities from administrative accounts
25. Manage Azure resources from only approved locations
26. Use Azure Active Directory
27. Regularly review and reconcile user access
28. Monitor attempts to access deactivated credentials
29. Alert on account sign-in behavior deviation
30. Provide Microsoft with access to relevant customer data during support scenarios
31. Data Protection
32. Maintain an inventory of sensitive information
33. Isolate systems storing or processing sensitive information
34. Monitor and block unauthorized transfer of sensitive information
35. Encrypt all sensitive information in transit
36. Use an active discovery tool to identify sensitive data
37. Use Azure RBAC to control access to resources
38. Log and alert on changes to critical Azure resources
39. Vulnerability Management
40. Run automated vulnerability scanning tools
41. Inventory and Asset Management
42. Use an automated asset discovery solution
43. Maintain asset metadata
44. Delete unauthorized Azure resources
45. Define and maintain inventory of approved Azure resources
46. Use only approved Azure services
47. Limit users’ ability to interact with Azure Resource Manager
48. Secure Configuration
49. Establish secure configurations for all Azure resources
50. Maintain secure Azure resource configurations
51. Securely store the configuration of Azure resources
52. Deploy configuration management tools for Azure resources
53. Implement automated configuration monitoring for Azure resources
54. Manage Azure secrets securely
55. Manage identities securely and automatically
56. Eliminate unintended credential exposure
57. Malware Defense
58. Pre-scan files to be uploaded to non-compute Azure resources
59. Data Recovery
60. Ensure regular automated backup
61. Perform complete system backups and backup any customer-managed keys
62. Validate all backups including customer-managed keys
63. Ensure the protection of backups and customer-managed keys
64. Incident Response
65. Create an incident response guide
66. Create an incident scoring and prioritization procedure
67. Test security response procedures
68. Provide security incident contact details and configure alert notifications for security incidents
69. Incorporate security alerts into your incident response system
70. Automate the response to security alerts
71. Penetration Tests and Red Team Exercises
72. Conduct regular penetration testing of your Azure resources and ensure remediation of all critical security findings

For more details, you can refer to the reference on Azure Learn.

Next section, we will be discussing the enhancement of database security. Stay tuned.