Automating Postgres Security Compliance and Data Assuredness in the Age of Kubernetes
By Loren Blinde
August 19, 2024
From IC Insider Crunchy Data
By: Adam Timm
Data is the crown jewel of any system and is the reason why the Authority To Operate (ATO) process is so thorough within the United States Department of Defense (DoD) / Intelligence Community (IC). It is the Authorizing Officials (AO)’s responsibility to ensure that the system is properly designed and configured to protect the data from unauthorized access and disclosure. Security Technical Implementation Guides (STIG) exist as resources for both system developers and AO’s to reference, but they are often not simple step-by-step instructions and can seem like they were written in foreign languages, especially when not specific to the applicable software. This is a major source of friction for ATO and slows program deployments. Add in the complexity of Kubernetes, and AO’s are quickly overwhelmed.
The number of Postgres deployments have grown dramatically due to its efficiency and performance, with Postgres being named the most popular database for developers for the second year in a row by Stack Overflow 2024 Developer Survey. However, Postgres is no stranger to complexity when it comes to configuring Postgres instances according to the STIG to meet the demands of an ATO. Crunchy Data has been working with the DoD / IC for over a decade to enable programs to confidently and securely deploy Postgres, from proof of concept to ATO, saving program engineering time and fielding mission systems more rapidly and securely.
The Crunchy Postgres STIG
The STIG is the configuration standards for DoD Information Assurance (IA) and IA-enabled devices/systems published by the United States Defense Information Systems Agency (DISA).
The Crunchy Postgres STIG translates these higher-level DoD security objectives into Postgres specific guidance. This removes ambiguity for both new, and experienced Postgres users, making compliance easier to achieve the first time.
The Crunchy Data PostgreSQL STIG covers 35 different standards with over 100 individual security controls, providing actionable guidance on the configuration of PostgreSQL to address requirements associated with:
- Auditing
- Logging
- Data Encryption at Rest
- Data Encryption Over the Wire
- Access Controls
- Administration
- Authentication
- Protecting against SQL Injection
Compliance Challenges in the Era of Containers
Containers and Kubernetes have facilitated modernization and enabled a number of new workflows. Crunchy Data provides leading tooling to bring Postgres to containerized and Kubernetes native workflows. However, security configuration and compliance can still be a manual, or customer process, thereby slowing down time to deployment in production. How do we align rapid deployments with rapid compliance?
The typical approach to security with containers is to ensure the container base image is “hardened” (i.e. free of CVE’s, proper settings in the OS, etc). This is a necessary, but not sufficient, first step in deploying container images generally, and containerized Postgres specifically. The challenge that is often initially overlooked is the number of security controls that need to be applied to the containerized STIG once the image is running. In particular, the Postgres STIG includes several controls that can only be applied to a running Postgres instance.
STIG Automation in Kubernetes
Container images deployed in a Kubernetes environment present the additional challenge in that Kubernetes is designed to be a stateless platform that will dynamically redeploy container images. While this approach has several benefits, the downside is that manual configuration of Postgres in Kubernetes is not particularly attractive as those manually applied configurations will be reset in connection with a redeployment.
Kubernetes fortunately provides the foundational automation framework that can be extended to support both the deployment and secure configuration of containerized database deployments. Crunchy Postgres for Kubernetes extends Kubernetes through the use of its market-leading Kubernetes Operator for Postgres that customizes Kubernetes automation in order to support post installation security configurations through the use of a standard Kubernetes API – Custom Resource Definition (CRD). Additionally, just as with other aspects of Postgres, you will want to monitor the configuration in operations to ensure there is no drift or unintended modifications to the security configuration.
Crunchy Postgres for Kubernetes addresses these specific challenges associated with applying Postgres STIG configuration in a containerized and Kubernetes environment by:
- Providing secure Postgres Container Images as a Baseline. Crunchy Postgres and PostGIS container images provide the benefit of an actively maintained and “hardened” container image available through a variety of registries including the IronBank or deployed locally to program local registries.
- Automating the Crunchy Postgres STIG Assessment. Crunchy Postgres for Kubernetes provides this Kubernetes native automation through an API that enables programs to perform an on-demand assessment of their Postgres cluster to observe the current status of the security configuration.
- Applying Configuration of Crunchy Postgres STIG controls. Crunchy Postgres for Kubernetes enables users to apply the STIG configurations via manifest file. Crunchy Data provides a customizable default file with the recommended settings configured as well as supporting ‘justification’ materials that can be easily ingested into common STIG viewers and ATO authorization packages.
On average, this has saved Crunchy Data customers over 100 hours of engineering time and integrated with enterprise-continuous monitoring solutions for a holistic security view of their Postgres environments.
Beyond the STIG, Kubernetes-Native ATO Ready Postgres
Data security and assuredness goes beyond ensuring that Postgres is properly configured according to the STIG. Crunchy Postgres for Kubernetes provides Kubernetes-native automation and tooling to support the full spectrum of secure production Postgres deployment including:
- High Availability
- Disaster Recovery
- Self Healing
- Automated, Postgres aware backups
- Monitoring
- Ease of Scaling
- Ease of upgrades
These aspects should be considered as foundational elements to any system; however they are often viewed as “too expensive” or the mission makes certain compromises because adding these features is viewed as too complicated. This is no longer the case, and programs should not accept excuses otherwise.
Benefits of Crunchy Postgres
Crunchy Postgres builds on the ‘community’ PostgreSQL database server maintained by the PostgreSQL Global Development Group to add extensions and utilities that are commonly required for production use cases such as High Availability, Disaster Recovery and Self-healing among others.
To ensure that Crunchy Postgres provides users with the most trusted distribution of production-ready PostgreSQL, addressing the range of potential security and potential requirements – from supply chain to disaster recovery – Crunchy Data builds, integrates and packages and certifies Crunchy Postgres the PostgreSQL database server with these essential open source components. To meet the unique needs of the US DoD/IC, this trusted distribution is combined with Crunchy Data’s 24 x 7 x 365 expert Postgres support from US Based, US citizen engineers.
| Community Postgres | Crunchy Postgres | |
| ACID Compliant Relational Database | X | X |
| Multi-Version Concurrency Control (MVCC) | X | X |
| Developer and Data Science Friendly functions | X | X |
| Numerous third party integrations | X | X |
| Certified Deployments on all major operating systems | X | X |
| Common Criteria EAL 2+ certificate | – | X |
| Automated Backups | – | X |
| Point in Time Recovery (Disaster Recovery) | – | X |
| High Availability (automated failover) | – | X |
| Managed, seamless version upgrades
|
– | X |
| 24x7x365 support team | – | X |
See Crunchy Postgres for Kubernetes in Action
Crunchy Postgres for Kubernetes delivers an operationally proven, “ATO ready”, secure Postgres experience for Kubernetes, enabling organizations to streamline and standardize their approach to securely configuring Postgres in Kubernetes per the STIG. Check out our upcoming events for upcoming opportunities to see Crunchy Postgres for Kubernetes in action, or reach out to learn more about how Crunchy can help you with your ATO.
About Adam Timm:
Adam is the Field CTO-US Public Sector for Crunchy Data. He is an Air Force vet, former Intelligence Officer, and now an open source advocate. He has experience with Government Acquisitions, satellite and airborne Intelligence, Surveillance, and Reconnaissance systems, Digital Transformation initiatives, and now driving adoption of open-source software in the DoD and Federal Government. He currently lives in WI with his wife and four children.
About IC Insiders
IC Insiders is a special sponsored feature that provides deep-dive analysis, interviews with IC leaders, perspective from industry experts, and more. Learn how your company can become an IC Insider.
