Feb 19, 2021
--

SailPoint is buying SaaS management startup Intello

SailPoint, an identity management company that went public in 2017, announced it was going to be acquiring Intello, an early-stage SaaS management startup. The two companies did not share the purchase price.

SailPoint believes that by helping its customers locate all of the SaaS tools being used inside a company, it can help IT make the company safer. Part of the problem is that it’s so easy for employees to deploy SaaS tools without IT’s knowledge, and Intello gives them more visibility and control.

In fact, the term “shadow IT” developed over the last decade to describe this ability to deploy software outside of the purview of IT pros. With a tool like Intello, they can now find all of the SaaS tools and point the employees to sanctioned ones, while shutting down services the security pros might not want folks using.

Grady Summers, EVP of product at SailPoint, says that this problem has become even more pronounced during the pandemic as many companies have gone remote, making it even more challenging for IT to understand what SaaS tools employees might be using.

“This has led to a sharp rise in ungoverned SaaS sprawl and unprotected data that is being stored and shared within these apps. With little to no visibility into what shadow access exists within their organization, IT teams are further challenged to protect from the cyber risks that have increased over the past year,” Summers explained in a statement. He believes that with Intello in the fold, it will help root out that unsanctioned usage and make companies safer, while also helping them understand their SaaS spend better.

Intello has always seen itself as a way to increase security and compliance and has partnered in the past with other identity management tools like Okta and OneLogin. The company was founded in 2017 and raised $5.8 million according to Crunchbase data. That included a $2.5 million extended seed in May 2019.

Yesterday, another SaaS management tool, Torii, announced a $10 million Series A. Other players in the SaaS management space include BetterCloud and Blissfully, among others.

Feb 18, 2021
--

Logging startups are suddenly hot as CrowdStrike nabs Humio for $400M

A couple of weeks ago SentinelOne announced it was acquiring high-speed logging platform Scalyr for $155 million. Just this morning CrowdStrike struck next, announcing it was buying unlimited logging tool Humio for $400 million.

In Humio, CrowdStrike gets a company that will provide it with the ability to collect unlimited logging information. Most companies have to pick and choose what to log and how long to keep it, but with Humio, they don’t have to make these choices, with customers processing multiple terabytes of data every single day.

Humio CEO Geeta Schmidt, writing in a company blog post announcing the deal, described her company in terms similar to Scalyr’s: a data lake for log information.

“Humio had become the data lake for these enterprises enabling searches for longer periods of time and from more data sources allowing them to understand their entire environment, prepare for the unknown, proactively prevent issues, recover quickly from incidents, and get to the root cause,” she wrote.

That means that with Humio in the fold, CrowdStrike can use this massive amount of data to deal with threats and attacks in real time as they are happening, rather than reacting to them and trying to figure out what happened later, a point, by the way, that SentinelOne also made when it purchased Scalyr.

“The combination of real-time analytics and smart filtering built into CrowdStrike’s proprietary Threat Graph and Humio’s blazing-fast log management and index-free data ingestion dramatically accelerates our [eXtended Detection and Response (XDR)] capabilities beyond anything the market has seen to date,” CrowdStrike CEO and co-founder George Kurtz said in a statement.

While two acquisitions don’t necessarily make a trend, it’s clear that security platform players are suddenly seeing the value of being able to process the large amounts of information found in logs, and they are willing to put up some cash to get that capability. It will be interesting to see if any other security companies react with a similar move in the coming months.

Humio was founded in 2016 and raised just over $31 million, according to Pitchbook Data. Its most recent funding round came in March 2020, a $20 million Series B led by Dell Technologies Capital. It would appear to be a decent exit for the startup.

CrowdStrike was founded in 2011 and raised over $480 million before going public in 2019. The deal is expected to close in the first quarter, and is subject to typical regulatory oversight.

Feb 17, 2021
--

Spectral raises $6.2M for its DevSecOps service

Tel Aviv-based Spectral is bringing its new DevSecOps code scanner out of stealth today and announcing a $6.2 million funding round. The startup’s programming-language-agnostic service aims to automate code security for development teams, helping them detect potential security issues in their codebases and logs, for example. Those issues could be hardcoded API keys and other credentials, but also security misconfigurations and shadow IT assets.

The four-person founding team has a deep background in building AI, monitoring and security tools. CEO Dotan Nahum was a Chief Architect at Klarna and Conduit (now Como, though you may remember Conduit from its infamous toolbar that was later spun off), and the CTO at Como and HiredScore, for example. Other founders worked on building monitoring tools at Elastic and HP and on security at Akamai. As Nahum told me, the idea for Spectral came to him and co-founder and COO Idan Didi during their shared time at mobile application builder Conduit/Como.


“We basically stored certificates for every client that we had, so we could submit their apps to the various marketplaces,” Nahum told me of his experience at Conduit/Como. “That certificate really proves that you are who you are and it’s super sensitive. And at each point at these companies, I really didn’t have the right tools to actually make sure that we’re storing, handling, detecting [this information] and making sure that it doesn’t leak anywhere.”

Nahum decided to quit his current job and started to build a prototype to see if he could build a tool that could solve this problem (and his work on this prototype quickly discovered an issue at Slack). And as enterprises move from on-premises software to the cloud and to microservices and DevOps, the need for better DevSecOps tools is only increasing.

“The emphasis is to create a great developer experience,” Nahum noted. “Because that’s where we started from. We didn’t start as a top down cyber tool. We started as a modest DevOps friendly, developer-friendly tool.”


One interesting aspect of Spectral’s approach, which uses a machine learning model to detect these breaches across programming languages, is that it also scans public-facing systems. On the backend, Spectral integrates with tools like Travis, Jenkins, CircleCI, Webpack, Gatsby and Netlify, but it can also monitor Slack, npm, maven and log providers — tools that most companies don’t really think about when they think about threat modeling.

“Our solution prevents security breaches on a daily basis,” said Spectral co-founder and COO Idan Didi. “The pain points we’re addressing resonate strongly across every company developing software, because as they evolve from own-code to glue-code to no-code approaches they allow their developers to gain more speed, but they also add on significant amounts of risk. Spectral lets developers be more productive while keeping the company secure.”

The company was founded in mid-2020, but it already has about 15 employees and counts a number of large publicly-listed companies among its customers.

Feb 17, 2021
--

vArmour, the multi-cloud security startup, raises $58M en route to IPO

Enterprises have been loading more of their operations into cloud — and, more often than not, multi-cloud — environments over the last year, creating vast networks of services that can be complex to manage. Today, vArmour, a startup that provides ways to manage in real time and ultimately secure how applications (and people) work in those fragmented environments, is announcing funding to capitalize on the demand for its services.

The Bay Area startup has picked up $58 million in what it described as an oversubscribed round. The round was co-led by previous backers AllegisCyber Capital and NightDragon; existing investors Standard Chartered Ventures, Highland Capital Partners, Australian carrier Telstra, Redline Capital and EDBI also participated.

CEO Tim Eades (who co-founded the company with Roger Lian) said this round is likely to be its final fundraising ahead of an IPO for the company.

“We had one hell of a year in 2020 with companies rushing to the cloud,” he said in an interview, with net new annual recurring revenue doubling year over year in the last year. It started out, he noted, with perhaps 10% of business processes in the cloud, and ended at more like 50%. “Now the focus for us is to get to the public markets, maybe in two or 2.5 years from now.”

The company appointed a CFO last October as part of its go-public plan, he noted — Chris Dentiste, who previously had been the CFO of RSA. “His job is to help me find the right window. My job is to make sure we have enough fuel in the tank, and we do,” said Eades.

He added that the company is likely also to look at making some acquisitions in the meantime. A recent launch of an AI lab in Calgary, Canada, points to one area where we might see some activity.

The company is not disclosing its valuation, although Eades confirmed it was a significant up-round. It has raised $197 million to date.

For some context, in the last round of funding that we covered — a $44 million round in 2019 led by the same two investors — we mentioned a PitchBook estimate of $420 million from the previous round — a figure that the company did not dispute with us at the time.

vArmour has been around for several years, with the first three spent in stealth mode, quietly building its technology, raising money and amassing early customers. Those customers, Eades said, fall into categories like telecommunications (strategic backer Telstra being one of them) and financial services.

Those industries speak largely to the challenges that vArmour is addressing in its business.

Legacy businesses in critical verticals often pre-date the modern era of business, and while many of them are going through what enterprise people like to refer to as “digital transformation”, the evolution is not a smooth one.

In many cases, adopting new technologies can be slow, and in almost every case, when you are talking about large enterprises, the changes are very piecemeal, affecting one particular service, or region, or department, or even a subsection of any of those.

All of this means that malicious actors have a number of avenues to try when setting out to look for vulnerabilities in a business or its network, and for those on the inside, it makes for a very complicated and fragmented situation when it comes to monitoring those networks and the services running on them, finding vulnerabilities or suspicious activity, and doing something about it. vArmour’s term for this is “Application Relationship Management.”

Eades — whose background includes working for the likes of IBM but also leading a number of startups acquired by bigger technology giants — has first-hand understanding of how that complexity looks from both sides, from the end user end and from the service provider end. That is in essence what his company has identified and is trying to fix.

Having started out in managing application policies and providing insights to protect on that front, the company is expanding the range of tools that it provides with the recent launch of identity access management on top of that.

But that is likely to be just one of the product steps that it takes to tackle what remains a difficult problem to fix, as its growth is related not just to the growth of activity on a network, but further digital migration of services, and the rise of new technology within an organization’s stack.

(And that is also an area that vArmour is not alone in considering, or even the only approach to tackling it: consider yesterday’s news of Palo Alto Networks acquiring Bridgecrew to extend its own ability to provide automated security monitoring services to DevOps teams.)

“Managing risk and resiliency in the hybrid cloud is one of the most significant security challenges for enterprises,” said Bob Ackerman, founder and managing director at AllegisCyber Capital, in a statement. “vArmour’s platform provides the visibility, controls, and accountability necessary to actively manage these challenges and has done this for hundreds of customers. We are ecstatic to be part of their next stage of growth.”

“As applications become more complex, more distributed, and more targeted by attackers, the importance of full visibility into the relationships between applications becomes increasingly important,” added Dave DeWalt, founder of NightDragon. “vArmour’s approach to application relationship management ensures that enterprises of all sizes can continuously audit, respond, and control identity relationships to best protect their important IP, and mitigate risk to the business.”

Feb 11, 2021
--

Base Operations raises $2.2 million to modernize physical enterprise security

Typically when we talk about tech and security, the mind naturally jumps to cybersecurity. But equally important, especially for global companies with large, multinational organizations, is physical security — a key function at most medium-to-large enterprises, and yet one that to date, hasn’t really done much to take advantage of recent advances in technology. Enter Base Operations, a startup founded by risk management professional Cory Siskind in 2018. Base Operations just closed their $2.2 million seed funding round and will use the money to capitalize on its recent launch of a street-level threat mapping platform for use in supporting enterprise security operations.

The funding, led by Good Growth Capital and including investors like Magma Partners, First In Capital, Gaingels and First Round Capital founder Howard Morgan, will be used primarily for hiring, as Base Operations looks to continue its team growth after doubling its employee base this past month. It’ll also be put to use extending and improving the company’s product and growing the startup’s global footprint. I talked to Siskind about her company’s plans on the heels of this round, as well as the wider opportunity and how her company is serving the market in a novel way.

“What we do at Base Operations is help companies keep their people in operation secure with ‘Micro Intelligence,’ which is street-level threat assessments that facilitate a variety of routine security tasks in the travel security, real estate and supply chain security buckets,” Siskind explained. “Anything that the chief security officer would be in charge of, but not cyber — so anything that intersects with the physical world.”

Siskind has firsthand experience about the complexity and challenges that enter into enterprise security since she began her career working for global strategic risk consultancy firm Control Risks in Mexico City. Because of her time in the industry, she’s keenly aware of just how far physical and political security operations lag behind their cybersecurity counterparts. It’s an often overlooked aspect of corporate risk management, particularly since in the past it’s been something that most employees at North American companies only ever encounter periodically when their roles involve frequent travel. The events of the past couple of years have changed that, however.

“This was the last bastion of a company that hadn’t been optimized by a SaaS platform, basically, so there was some resistance and some allegiance to legacy players,” Siskind told me. “However, the events of 2020 sort of turned everything on its head, and companies realized that the security department, and what happens in the physical world, is not just about compliance — it’s actually a strategic advantage to invest in those sort of services, because it helps you maintain business continuity.”

The COVID-19 pandemic, increased frequency and severity of natural disasters, and global political unrest all had significant impact on businesses worldwide in 2020, and Siskind says that this has proven a watershed moment in how enterprises consider physical security in their overall risk profile and strategic planning cycles.

“[Companies] have just realized that if you don’t invest [in] how to keep your operations running smoothly in the face of rising catastrophic events, you’re never going to achieve the profits that you need, because it’s too choppy, and you have all sorts of problems,” she said.

Base Operations addresses this problem by taking available data from a range of sources and pulling it together to inform threat profiles. Their technology is all about making sense of the myriad stream of information we encounter daily — taking the wash of news that we sometimes associate with “doom-scrolling” on social media, for instance, and combining it with other sources using machine learning to extrapolate actionable insights.

Those sources of information include “government statistics, social media, local news, data from partnerships, like NGOs and universities,” Siskind said. That data set powers their Micro Intelligence platform, and while the startup’s focus today is on helping enterprises keep people safe, while maintaining their operations, you can easily see how the same information could power everything from planning future geographical expansion, to tailoring product development to address specific markets.

Siskind saw there was a need for this kind of approach to an aspect of business that’s essential, but that has been relatively slow to adopt new technologies. From her vantage point two years ago, however, she couldn’t have anticipated just how urgent the need for better, more scalable enterprise security solutions would arise, and Base Operations now seems perfectly positioned to help with that need.

Feb 10, 2021
--

SecuriThings snares $14M Series A to keep edge devices under control

Managing IoT devices in a large organization can be a messy proposition, especially when many of them aren’t even managed directly by IT and often involve integrating with a number of third-party systems. SecuriThings wants to help with a platform of services to bring that all under control, and today the startup announced a $14 million Series A.

Aleph led the round with participation from existing investor Firstime VC and a number of unnamed angels. The company has raised a total of $17 million, according to Crunchbase data.

Roy Dagan, company CEO and co-founder, says that he sees organizations with many different connected devices running on a network, and it’s difficult to manage. “We enable organizations to manage IoT devices securely at scale in a consolidated and cost-efficient manner,” Dagan told me.

This could include devices like security cameras, along with access control systems and building management systems involving thousands — or in some instances, tens of thousands — of devices. “The technology we build, we integrate with management systems, and then we deploy our capabilities which are focused on the edge devices. So that’s how we also find the devices, and then we have these different capabilities running on the edge devices or fetching information from the edge devices,” Dagan explained.

Screenshot: SecuriThings Horizon, device view (Image Credits: SecuriThings)

The company has formed partnerships with a number of key device manufacturers, including Microsoft, Convergint Technologies and Johnson Controls, among others. They work with a range of industries including airports, casinos and large corporate campuses.

Aaron Rosenson, general partner at lead investor Aleph, says the company is solving a big problem in managing the myriad devices inside large organizations. “Until SecuriThings came along, there were these massive enterprise software categories of automation, orchestration and observability just waiting to be built for IoT,” Rosenson said in a statement. He says that SecuriThings is pulling that all together for its customers.

The company was founded in 2016 originally with the idea of being an IoT security company, and while they still are involved in securing these devices, their ability to communicate with them gives IT much greater visibility and insight and the ability to update and manage them.

Today, the company has 30 employees, and with the new investment it will be doubling that number by the end of the year. While Dagan didn’t cite specific customer numbers, he did say they have dozens of customers with deal sizes of between five and seven figures.

Feb 09, 2021
--

SentinelOne to acquire high-speed logging startup Scalyr for $155M

SentinelOne, a late-stage security startup that helps customers make sense of security data using AI and machine learning, announced today that it is acquiring high-speed logging startup Scalyr for $155 million in stock and cash.

SentinelOne sorts through oodles of data to help customers understand their security posture, and having a tool that enables engineers to iterate rapidly in the data, and get to the root of the problem, is going to be extremely valuable for them, CEO and co-founder Tomer Weingarten explained. “We thought Scalyr would be just an amazing fit to our continued vision in how we secure data at scale for every enterprise [customer] out there,” he told me.

He said they spent a lot of time shopping for a company that could meet their unique scaling needs and when they came across Scalyr, they saw the potential pretty quickly with a company that has built a real-time data lake. “When we look at the scale of our technology, we obviously scoured the world to find the best data analytics technology out there. We [believe] we found something incredibly special when we found a platform that can ingest data, and make it accessible in real time,” Weingarten explained.

He believes the real time element is a game changer because it enables customers to prevent breaches, rather than just reacting to them. “If you’re thinking about mitigating attacks or reacting to attacks, if you can do that in real time and you can process data in real time, and find the anomalies in real time and then meet them, you’re turning into a system that can actually deflect the attacks and not just see them and react to them,” he explained.

The company sees Scalyr as a product they can integrate into the platform, but also one which will remain a standalone. That means existing customers should be able to continue using Scalyr as before, while benefiting from having a larger company contributing to its R&D.

While SentinelOne is not a public company, it is a pretty substantial private one, having raised over $695 million, according to Crunchbase data. The company’s most recent funding round came last November, a $267 million investment with a $3.1 billion valuation.

As for Scalyr, it was launched in 2011 by Steve Newman, who first built a word processor called Writely and sold it to Google in 2006. It was actually the basis for what became Google Docs. Newman stuck around and started building the infrastructure to scale Google Docs, and he used that experience and knowledge to build Scalyr. The startup raised $27 million along the way, according to Crunchbase data, including a $20 million Series A investment in 2017.

The deal will close this quarter, at which time Scalyr’s 45 employees will join SentinelOne.

Feb 08, 2021
--

Container security acquisitions increase as companies accelerate shift to cloud

Last week, another container security startup came off the board when Rapid7 bought Alcide for $50 million. The purchase is part of a broader trend in which larger companies are buying up cloud-native security startups at a rapid clip. But why is there so much M&A action in this space now?

Palo Alto Networks was first to the punch, grabbing Twistlock for $410 million in May 2019. VMware struck a year later, snaring Octarine. Cisco followed with PortShift in October and Red Hat snagged StackRox last month before the Rapid7 response last week.

This is partly because many companies chose to become cloud-native more quickly during the pandemic. This has created a sharper focus on security, but it would be a mistake to attribute the acquisition wave strictly to COVID-19, as companies were shifting in this direction pre-pandemic.

It’s also important to note that security startups that cover a niche like container security often reach market saturation faster than companies with broader coverage because customers often want to consolidate on a single platform, rather than dealing with a fragmented set of vendors and figuring out how to make them all work together.

Containers provide a way to deliver software by breaking down a large application into discrete pieces known as microservices. These are packaged and delivered in containers. Kubernetes provides the orchestration layer, determining when to deliver the container and when to shut it down.

This level of automation presents a security challenge, making sure the containers are configured correctly and not vulnerable to hackers. With myriad switches this isn’t easy, and it’s made even more challenging by the ephemeral nature of the containers themselves.

Yoav Leitersdorf, managing partner at YL Ventures, an Israeli investment firm specializing in security startups, says these challenges are driving interest in container startups from large companies. “The acquisitions we are seeing now are filling gaps in the portfolio of security capabilities offered by the larger companies,” he said.

Feb 08, 2021
--

BeyondID grabs $9M Series A to help clients implement cloud identity

BeyondID, a cloud identity consulting firm, announced a $9 million Series A today led by Tercera. It marked the first investment from Tercera, a firm that launched earlier this month with the goal of investing in service startups like BeyondID.

The company focuses on helping clients manage security and identity in the cloud, taking aim specifically at Okta customers. In fact, the firm is a platinum partner for Okta. As they describe their goals, they help clients in a variety of areas, including identity and access management, secure app modernization, Zero Trust security, cloud migration and integration services.

CEO and co-founder Arun Shrestha has a deep background in technology, including working with Okta from its early days. Shrestha came on board in 2012 as the head of customer success. When he began, the startup was in early days, with just 50 customers. When he left five years later just before the IPO, it had more than 3,500.

Along the way, he gained a unique level of expertise in the Okta tool set, and he decided to put that to work to help Okta customers implement and maximize Okta usage, especially in companies with complex implementations. He launched BeyondID in 2018 with the intention of focusing on systems integrations and managing a company’s identity in the cloud.

“We believe we are becoming a managed identity service provider, so managing anything identity, anything related to cybersecurity. We’re helping these companies by being a one-stop shop for companies acquiring, deploying and managing identity services,” Shrestha explained.

It seems to be working. Over the last couple of years the company’s revenue grew 300%, and as it matures and the growth rate settles a bit, it is still expected to grow between 70% and 100% this year. The firm has 250 customers, including FedEx, Major League Baseball, Bain Capital and Biogen.

It currently has 75 employees serving those customers, with plans to grow that number in the next year with help from today’s investment. As Shrestha adds new employees, he sees building a diverse workforce as a crucial goal for his company.

“Diversity is absolutely critical to our long-term sustainable success, and it’s also the right thing to do,” he said. He says that building an organization that promotes women and people of color is a key goal of his as the leader of the company and something he is committed to.

Chris Barbin, who is managing partner and founder at lead investor Tercera, says that he chose BeyondID as the firm’s first investment because he believes identity is central to the notion of digital transformation. As more companies move to the cloud, they need help understanding how security and identity work differently in a cloud context, and he sees BeyondID playing a critical role in helping clients get there.

“BeyondID is in a rapidly growing space and has an impressive customer list that represents nearly every industry. Arun and the leadership team have a strong vision for the firm, deep ties into Okta and they’re incredibly passionate about what they do,” he said.

Feb 01, 2021
--

PostgreSQL Database Security: Authentication

Recently, I wrote an overview of what you need to know about PostgreSQL security. In this post, I want to write about PostgreSQL authentication. It falls into three categories: 1. PostgreSQL internal authentication, 2. OS-based authentication, and 3. external server-based authentication. In most cases, PostgreSQL is configured to use internal authentication, so here we will discuss each internal authentication method in detail. The next blog will cover the OS authentication methods such as PAM, Peer, and Ident.

Figure 1: PostgreSQL authentication methods.

The following is the list of PostgreSQL internal authentication supported methods.

  • Trust
  • Reject
  • md5
  • SCRAM
  • Cert

PostgreSQL has a configuration file for authentication called pg_hba.conf. All the authentication-related settings are part of this configuration file. Here is a sample pg_hba.conf file:

host  | database    | user     | address        | auth-method | [auth-options]
------+-------------+----------+----------------+-------------+---------------
local | all         | all      |                | trust       |
host  | all         | all      | 127.0.0.1/32   | trust       |
host  | postgres    | postgres | 192.168.1.1/24 | md5         |
host  | replication | postgres | 127.0.0.1/32   | md5         |

The first column of the pg_hba.conf file is the connection type, shown as “host” in the table above. It can be either local or host: local applies only to Unix-domain socket connections, while for host you must also specify the client IP address range in the address column. The second column is the database name. The authentication method can be set per database, meaning each database can have its own authentication method; if the value is all, every database uses that line. The third column is the user, so you can set separate authentication methods for different users, and all applies to every user. The fourth column is the client IP address or address range (in CIDR notation) that may use that authentication method. The next column is the auth-method, which can be any of the authentication methods shown in Figure 1. The last column is auth-options, for authentication methods that take options.

Trust and Reject

When you specify the authentication method trust, any connection that matches the line is accepted without a password. Similarly, with reject, any connection that matches the line is refused and cannot log in to the system. Here is an example of trust and reject:

type  | database | user | address      | auth-method | [auth-options]
------+----------+------+--------------+-------------+---------------
host  | all      | all  | 127.0.0.1/32 | trust       |
host  | all      | all  | 0.0.0.0/0    | reject      |

The pg_hba.conf file has two entries: the first uses the authentication method trust and the second uses reject. PostgreSQL applies the first record that matches the incoming connection, so order matters. A user connecting from localhost matches the first line and is let in without a password, while a connection from any other computer falls through to the second line and is rejected.

Trust Authentication

postgres@127.0.01:~$ psql postgres -h 127.0.0.1 -U postgres
psql (12.4)
Type "help" for help.
postgres=>

Reject Authentication

postgres@10.0.2.2:~$ psql postgres -h 10.0.2.1 -U postgres
psql: error: could not connect to server:
FATAL:  pg_hba.conf rejects connection for host "10.0.2.2", user "postgres", database "postgres"
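To make the column descriptions and the trust/reject ordering above concrete, here is an added example (not code from the post or from PostgreSQL): a small Python re-implementation of the first-match rule the server applies to pg_hba.conf. The sample configuration is constructed from the tables in the post, with the reject record widened to 0.0.0.0/0 and one deliberately shadowed md5 record added; the function names and the subset of syntax handled are this example's own assumptions.

```python
"""First-match resolution of pg_hba.conf records (added example, not the post's code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

CONN_TYPES = ("local", "host", "hostssl", "hostnossl")
# Built-in method names PostgreSQL accepts; keywords are lowercase and case-sensitive.
AUTH_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
                "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}


@dataclass
class HbaRecord:
    conn_type: str              # local | host | hostssl | hostnossl
    database: str               # name, comma-separated names, or all
    user: str                   # name, comma-separated names, or all
    address: Optional[Network]  # None for local records and for address 'all'
    method: str                 # trust, reject, md5, scram-sha-256, cert, ...
    options: str                # auth-options, kept verbatim


def parse_pg_hba(text: str) -> list:
    """Parse the subset of pg_hba.conf syntax used in the post.

    Not handled: a separate netmask field, host names, samehost/samenet,
    +group names, @file includes and the sameuser/samerole keywords.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local":
            if len(fields) < 4:
                raise ValueError(f"line {lineno}: local record needs database, user, method")
            database, user, method = fields[1:4]
            address, options = None, " ".join(fields[4:])
        elif conn_type in CONN_TYPES:
            if len(fields) < 5:
                raise ValueError(f"line {lineno}: {conn_type} record needs database, user, address, method")
            database, user, addr, method = fields[1:5]
            options = " ".join(fields[5:])
            # strict=False masks off host bits, so 192.168.1.1/24 is read as 192.168.1.0/24
            address = None if addr == "all" else ipaddress.ip_network(addr, strict=False)
        else:
            raise ValueError(f"line {lineno}: invalid connection type {conn_type!r}")
        if method not in AUTH_METHODS:
            raise ValueError(f"line {lineno}: invalid authentication method {method!r}")
        records.append(HbaRecord(conn_type, database, user, address, method, options))
    return records


def is_valid_pg_hba(text: str) -> bool:
    """True if every record parses; the real server refuses the whole file otherwise."""
    try:
        parse_pg_hba(text)
        return True
    except ValueError:
        return False


def _name_matches(pattern: str, value: str) -> bool:
    """'all' matches anything; otherwise one of the comma-separated names must equal value."""
    return any(name in ("all", value) for name in pattern.split(","))


def resolve_auth_method(records, database, user, client_ip=None, ssl=False):
    """Return (method, record_index) of the first matching record, or None.

    client_ip=None means a Unix-domain socket connection (only local records apply).
    A connection with no matching record is refused by PostgreSQL, so None means reject.
    """
    ip = None if client_ip is None else ipaddress.ip_address(client_ip)
    for index, rec in enumerate(records):
        if ip is None:
            if rec.conn_type != "local":
                continue
        else:
            if rec.conn_type == "local":
                continue
            if rec.conn_type == "hostssl" and not ssl:
                continue
            if rec.conn_type == "hostnossl" and ssl:
                continue
            # an IPv4 client never falls inside an IPv6 range, and vice versa
            if rec.address is not None and ip not in rec.address:
                continue
        if not _name_matches(rec.database, database) or not _name_matches(rec.user, user):
            continue
        return rec.method, index
    return None


# Constructed sample based on the post's tables; the last record can never be reached.
SAMPLE_PG_HBA = """\
local    all          all                           trust
host     all          all          127.0.0.1/32     trust
hostssl  all          all          10.0.2.0/24      scram-sha-256
host     all          all          0.0.0.0/0        reject
host     postgres     postgres     192.168.1.1/24   md5   # shadowed by the reject record
"""


def demo() -> dict:
    records = parse_pg_hba(SAMPLE_PG_HBA)
    return {
        "socket":       resolve_auth_method(records, "postgres", "postgres"),
        "localhost":    resolve_auth_method(records, "postgres", "postgres", "127.0.0.1"),
        "lan_tls":      resolve_auth_method(records, "postgres", "postgres", "10.0.2.2", ssl=True),
        "lan_plain":    resolve_auth_method(records, "postgres", "postgres", "10.0.2.2"),
        "shadowed_md5": resolve_auth_method(records, "postgres", "postgres", "192.168.1.50"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

The shadowed_md5 case is the point to take away: because the reject record for 0.0.0.0/0 comes first, the md5 record below it is never consulted, and a client on 192.168.1.0/24 is turned away. Put narrow records before broad ones, and keep keywords lowercase, since the file with a capitalised Local or Reject fails to load at all.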


md5

In the case of md5 authentication, you need to provide the password. Let’s look at a simple example of that.

type  | database | user | address      | auth-method | [auth-options]
------+----------+------+--------------+-------------+---------------
host  | all      | all  | 10.0.2.2/32  | md5         |


vagrant@vagrant:~$ psql postgres -h 10.0.2.1 -U postgres
Password for user postgres: 
psql (12.4)
Type "help" for help.
postgres=>

SCRAM

SCRAM, or more specifically scram-sha-256, is a challenge-response scheme that prevents password sniffing on untrusted connections. It is one of the most secure built-in authentication methods: the server stores a salted, iterated SCRAM-SHA-256 verifier rather than the password itself, and the password is never sent over the wire.

Step 1: Change the password of the user

postgres=# SET password_encryption = 'scram-sha-256';
SET

postgres=# ALTER USER postgres WITH PASSWORD 'test';
ALTER ROLE

Step 2: Change the pg_hba.conf file.

type  | database | user | address      | auth-method   | [auth-options]
------+----------+------+--------------+---------------+---------------
host  | all      | all  | 10.0.2.2/32  | scram-sha-256 |

Step 3: Test the connection

$ psql postgres -U postgres
Password for user postgres: 
psql (13.0)

Type "help" for help.


CERT

Server Key and Certificate

Step 1: Generate Server keys

$  openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.+++++
..................+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

$ openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key

$ chmod og-rwx server.key

Step 2: Generate Server Certificate

$ openssl req -new -key server.key -days 3650 -out server.crt -x509
-----
Country Name (2 letter code) [AU]:PK
State or Province Name (full name) [Some-State]:ISB
Locality Name (eg, city) []:Islamabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Percona
Organizational Unit Name (eg, section) []:Dev
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:ibrar.ahmad@gmail.com 


$ cp server.crt root.crt

Client Keys and Certificate

Step 3: Generate a client certificate

$ openssl genrsa -des3 -out /tmp/postgresql.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
..........................+++++
.....................................................+++++
e is 65537 (0x010001)
Enter pass phrase for /tmp/postgresql.key:
Verifying - Enter pass phrase for /tmp/postgresql.key:



$ openssl rsa -in /tmp/postgresql.key -out /tmp/postgresql.key
Enter pass phrase for /tmp/postgresql.key:
writing RSA key


$ openssl req -new -key /tmp/postgresql.key -out /tmp/postgresql.csr
-----
Country Name (2 letter code) [AU]:PK
State or Province Name (full name) [Some-State]:ISB
Locality Name (eg, city) []:Islamabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Percona
Organizational Unit Name (eg, section) []:Dev
Common Name (e.g. server FQDN or YOUR name) []:127.0.0.1
Email Address []:ibrar.ahmad@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:pakistan
An optional company name []:Percona

Step 4: Copy root.crt to the client.

$ cp $PGDATA/root.crt /tmp/

PostgreSQL Settings

Step 5: In the postgresql.conf file, set ssl = on

# - SSL -
ssl = on

#ssl_ca_file = ''
#ssl_cert_file = 'server.crt'

Step 6: Restart PostgreSQL

pg_ctl restart

Connection

With everything in place, you can test the connection using the psql command.

$ psql 'host=localhost port=5432 dbname=postgres user=vagrant sslmode=verify-full sslcert=/tmp/postgresql.crt sslkey=/tmp/postgresql.key sslrootcert=/tmp/root.crt'
psql (13.0)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
postgres=# 
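The walkthrough above leaves three things implicit: the client CSR is never signed, so /tmp/postgresql.crt does not exist yet when psql asks for it; ssl_ca_file stays commented out even though the cert method needs a CA to check client certificates against; and the pg_hba.conf record for cert is not shown. The following added Python example (not the post's code, and not part of PostgreSQL) drives the openssl command line non-interactively to build the same file layout with 2048-bit keys (1024-bit RSA, as generated above, is below current recommendations), signs the client certificate with the CA, and then performs the two checks the server performs on a cert login: that the certificate chains to root.crt and that its CN equals the database user name. The output directory, the CA name pg-demo-ca, the user vagrant, the configuration lines and an openssl 1.1.1 or newer on PATH are all this example's own assumptions.

```python
"""Throw-away PKI for PostgreSQL 'cert' authentication (added example, not the post's code)."""
import os
import subprocess
import tempfile
from pathlib import Path


def _openssl(workdir: Path, *args: str) -> str:
    """Run one openssl command in workdir and return its stdout; raises on failure."""
    result = subprocess.run(["openssl", *args], cwd=workdir, check=True,
                            capture_output=True, text=True)
    return result.stdout


def build_pki(outdir, server_name: str = "localhost", db_user: str = "vagrant",
              bits: int = 2048) -> Path:
    """Create root.crt, server.crt/.key and postgresql.crt/.key under outdir (assumed layout)."""
    d = Path(outdir)
    d.mkdir(parents=True, exist_ok=True)
    # 1. Self-signed CA.  Its certificate is both the server's ssl_ca_file and the
    #    client's sslrootcert, so a single root.crt serves both sides.
    _openssl(d, "req", "-x509", "-newkey", f"rsa:{bits}", "-nodes", "-sha256",
             "-keyout", "ca.key", "-out", "root.crt", "-days", "3650", "-subj", "/CN=pg-demo-ca")
    # 2. Server key and CSR, signed by the CA.  The SAN lets sslmode=verify-full accept
    #    host=localhost as well as host=127.0.0.1.
    _openssl(d, "req", "-new", "-newkey", f"rsa:{bits}", "-nodes", "-sha256",
             "-keyout", "server.key", "-out", "server.csr", "-subj", f"/CN={server_name}")
    (d / "server.ext").write_text(f"subjectAltName=DNS:{server_name},IP:127.0.0.1\n")
    _openssl(d, "x509", "-req", "-in", "server.csr", "-CA", "root.crt", "-CAkey", "ca.key",
             "-CAcreateserial", "-days", "365", "-sha256", "-extfile", "server.ext",
             "-out", "server.crt")
    # 3. Client key and CSR.  The CN is the database user name: with auth-method cert
    #    and no pg_ident map, the server compares the CN with the user logging in.
    _openssl(d, "req", "-new", "-newkey", f"rsa:{bits}", "-nodes", "-sha256",
             "-keyout", "postgresql.key", "-out", "postgresql.csr", "-subj", f"/CN={db_user}")
    _openssl(d, "x509", "-req", "-in", "postgresql.csr", "-CA", "root.crt", "-CAkey", "ca.key",
             "-CAcreateserial", "-days", "365", "-sha256", "-out", "postgresql.crt")
    # Both the server and libpq refuse private keys that are readable by other users.
    for name in ("ca.key", "server.key", "postgresql.key"):
        os.chmod(d / name, 0o600)
    return d


def chains_to_root(pkidir, cert_name: str) -> bool:
    """True if cert_name verifies against root.crt, as the server checks a client cert."""
    result = subprocess.run(["openssl", "verify", "-CAfile", "root.crt", cert_name],
                            cwd=pkidir, capture_output=True, text=True)
    return result.returncode == 0


def common_name(pkidir, cert_name: str) -> str:
    """Extract the CN from a certificate subject printed in RFC 2253 form ('subject=CN=name')."""
    out = _openssl(Path(pkidir), "x509", "-noout", "-subject", "-nameopt", "RFC2253",
                   "-in", cert_name)
    subject = out.strip().split("=", 1)[1]
    for rdn in subject.split(","):
        if rdn.startswith("CN="):
            return rdn[3:]
    return ""


def server_config() -> dict:
    """postgresql.conf and pg_hba.conf lines the post leaves implicit (assumed, not from the post).
    ssl_ca_file is required for cert authentication; hostssl limits the record to TLS connections."""
    return {
        "postgresql.conf": "ssl = on\nssl_cert_file = 'server.crt'\n"
                           "ssl_key_file = 'server.key'\nssl_ca_file = 'root.crt'\n",
        "pg_hba.conf": "hostssl  all  all  127.0.0.1/32  cert\n",
    }


def client_conninfo(pkidir, server_name: str = "localhost", db_user: str = "vagrant") -> str:
    """libpq connection string matching the psql invocation in the post, with absolute paths."""
    d = Path(pkidir)
    return (f"host={server_name} port=5432 dbname=postgres user={db_user} sslmode=verify-full "
            f"sslcert={d / 'postgresql.crt'} sslkey={d / 'postgresql.key'} sslrootcert={d / 'root.crt'}")


def demo(outdir=None, db_user: str = "vagrant") -> dict:
    """Build the PKI in a temporary directory and report what the server would conclude."""
    d = build_pki(outdir or tempfile.mkdtemp(prefix="pgpki-"), db_user=db_user)
    client_cn = common_name(d, "postgresql.crt")
    return {
        "dir": str(d),
        "server_chain_ok": chains_to_root(d, "server.crt"),
        "client_chain_ok": chains_to_root(d, "postgresql.crt"),
        "client_cn": client_cn,
        "cn_matches_user": client_cn == db_user,
        "conninfo": client_conninfo(d, db_user=db_user),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The cn_matches_user check is the one that trips people up in practice: a client certificate that chains correctly but carries the wrong CN is refused by the cert method unless pg_ident.conf maps that CN to the role, so generate the client CSR with the database user as its CN, as done above, or add a map.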

Conclusion

This is the second part of the security series; in the first post, we looked at the main security features we need to consider. In this post we started with authentication and focused only on PostgreSQL's internal authentication mechanisms; we still need to see how external authentication methods work in PostgreSQL. Stay tuned!
