Crunchy Data is pleased to announce the publication of the Crunchy Data PostgreSQL Security Technical Implementation Guide (STIG) by the United States Defense Information Systems Agency (DISA). Crunchy Data collaborated with DISA to make PostgreSQL the first open source database to provide a published STIG in 2017, and this new STIG reflects Crunchy Data's ongoing collaboration with DISA to provide enhanced security guidance as PostgreSQL continues to advance and evolve.
While the STIG was authored to enable the U.S. Government to comply with U.S. Government security requirements, the Crunchy Data PostgreSQL STIG offers security-conscious enterprises a comprehensive guide for the configuration and operation of open source PostgreSQL. Organizations of all sizes can refer to the STIG for information on security best practices as they consider PostgreSQL as an alternative to proprietary, closed source, database software.
The security functionality reflected within the Crunchy Data PostgreSQL STIG is provided by 100% open source Postgres, Postgres extensions and documentation. The Crunchy Data PostgreSQL STIG provides security guidance regarding the use of PostgreSQL (versions 10 - 12) used in conjunction with certain open source PostgreSQL extensions – most notably, pgaudit.
In order to help PostgreSQL users benefit from the guidance provided in the Crunchy Data PostgreSQL STIG, let's provide some background information for getting started.
What is a DISA STIG?
The Security Technical Implementation Guide (STIG) is the configuration standards for United States Department of Defense (DoD) Information Assurance (IA) and IA-enabled devices/systems published by the United States Defense Information Systems Agency (DISA). Since 1998, DISA has played a critical role enhancing the security posture of DoD's security systems by providing the STIGs. The STIGs contain technical guidance to “lock down” information systems/software that might otherwise be vulnerable to a malicious computer attack.
Is the Crunchy Data PostgreSQL STIG US Government Specific?
The PostgreSQL STIG is from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4 and related documents. While the DISA STIG is intended to provide technical guidance to “lock down” information systems and software used within the DoD, the guidance provided in it is not specific to the DoD and is generally helpful to those interested in securing their PostgreSQL deployments.
What does the Crunchy Data PostgreSQL STIG Cover?
PostgreSQL STIG provides guidance on the configuration of PostgreSQL to address requirements associated with:
- Data Encryption at Rest
- Data Encryption Over the Wire
- Access Controls
- Protecting against SQL Injection
How does the Crunchy Data PostgreSQL STIG work?
The PostgreSQL STIG provides a series of Requirements, Checks and Fixes where:
- Requirements are provided as a series of security requirements for an operating environment.
- Checks are provided as a series of instructions or commands for verifying compliance with the stated requirement.
- Fixes are provided as remediation steps to the extent the Check determines that the system is not in fact in compliance with the stated Requirement.
Crunchy Data views the Crunchy Data PostgreSQL STIG as yet another validation of the comprehensive security functionality of PostgreSQL and the accomplishments of the PostgreSQL Global Development Community. The Crunchy Data PostgreSQL STIG demonstrates that open source PostgreSQL is capable of meeting the exacting security requirements of the DoD.
We are proud to be part of the team that developed this STIG for PostgreSQL and look forward to working with all of the organizations who have been anxiously waiting for the Crunchy Data PostgreSQL STIG to be approved for modern versions of this quality open source relational database.
January 7, 2021 •More by this author