search

Lab 18: Database Security Architecture

Time: 50 minutes | Level: Architect | DB: PostgreSQL 15, MySQL 8

A production database faces threats from network intrusion, compromised credentials, SQL injection, and insider threats. This lab implements a defense-in-depth security architecture covering network isolation, encryption, access controls, and monitoring.

hashtag
Step 1: Defense-in-Depth Framework

Security must be layered — no single control is sufficient.

┌─────────────────────────────────────────────────────────────────┐
│                  DEFENSE-IN-DEPTH LAYERS                         │
├─────────────────────────────────────────────────────────────────┤
│ LAYER 1: Network       │ VPC, private subnet, security groups   │
│ LAYER 2: Transport     │ TLS 1.2+ for all connections           │
│ LAYER 3: Authentication│ Strong passwords, certificates, MFA    │
│ LAYER 4: Authorization │ RBAC, least privilege, Row-Level Sec.  │
│ LAYER 5: Data          │ TDE at rest, column encryption         │
│ LAYER 6: Application   │ Parameterized queries, input validation│
│ LAYER 7: Monitoring    │ Audit logs, anomaly detection, alerts  │
└─────────────────────────────────────────────────────────────────┘

Attacker must breach ALL layers — you only need ONE to hold.

hashtag
Step 2: Network Isolation (VPC / Private Subnet)

The database should never be directly reachable from the internet.

PostgreSQL pg_hba.conf — connection access control:

💡 hostssl rejects the connection if TLS is not used. This ensures encryption in transit is mandatory, not optional.

hashtag
Step 3: TLS In Transit Configuration

hashtag
Step 4: Transparent Data Encryption (TDE) at Rest

Linux LUKS disk encryption for self-managed PostgreSQL:

hashtag
Step 5: Column-Level Encryption with pgcrypto

💡 Never store the encryption key in the database. Use environment variables → AWS Parameter Store → AWS KMS in that order of security preference.

hashtag
Step 6: Least Privilege Role Architecture

hashtag
Step 7: SQL Injection Prevention & Database Activity Monitoring

💡 Database Activity Monitoring (DAM) tools like IBM Guardium, Imperva, or open-source pgaudit provide real-time alerting. Set up PagerDuty alerts for off-hours access, bulk extractions, and privilege escalation.

hashtag
Step 8: Capstone — Security Validation Suite

Run verification:

📸 Verified Output:

hashtag
Summary

Layer
Control
Implementation

Network

VPC private subnet

No public IP on DB, Security Groups

Network

pg_hba.conf allowlist

Restrict to app subnet CIDR only

Transport

TLS 1.2+

ssl_min_protocol_version = TLSv1.2

Transport

sslmode=verify-full

Client verifies server cert + hostname

At Rest

TDE

AWS RDS encryption (KMS), LUKS on self-managed

At Rest

Column encryption

pgcrypto pgp_sym_encrypt

Authorization

RBAC

Minimal roles, no superuser for apps

Authorization

Row-Level Security

Per-tenant data isolation

Application

Parameterized queries

Never string-concatenate SQL

Application

Input validation

Whitelist, not blacklist

Monitoring

pgaudit

Session + object-level audit logging

Monitoring

pg_stat_activity

Real-time connection monitoring

Monitoring

Anomaly detection

Off-hours access, bulk extraction alerts

PreviousLab 17: Vector Databases & pgvectorNextLab 19: Global Data Platform

Last updated