public inbox for [email protected]  
From: Greg Sabino Mullane <[email protected]>
To: Siraj G <[email protected]>
Cc: [email protected]
Cc: Ron Johnson <[email protected]>
Subject: Re: hide data from admins
Date: Thu, 13 Mar 2025 15:17:00 -0400
Message-ID: <CAKAnmmJVZOmX8Cjq+xPZd0k9YbXO=TRn78cV0iny7EpbEQefpg@mail.gmail.com> (raw)
In-Reply-To: <CAC5iy63SkK=C2f4Z+C9110brQPKEGLxpOn8fLnPs4A2vsMmpAA@mail.gmail.com>
References: <CAC5iy63SkK=C2f4Z+C9110brQPKEGLxpOn8fLnPs4A2vsMmpAA@mail.gmail.com>

On Tue, Mar 11, 2025 at 9:48 PM Siraj G <[email protected]> wrote:

> What are the features available in Postgresql to hide PII (personal
> identifiable information) from the Admin team?
>

Can you explain your threat model here, and who exactly the "Admin team" is
and what access they have? As a general rule of thumb, anyone with "root"
command-line access to the server can get at your data. You can introduce
some speed bumps (e.g. TDE), but truly locking it down is a very difficult
thing to do.


> Like in Oracle we have data vault
>

Nothing equivalent, other than locking down the superuser account(s) and
making sure people always connect as some other account. You can exclude
the superusers from logging in via pg_hba.conf (which can of course be
edited). TDE (transparent data encryption) can help for some threats.


> and data redaction
>

In addition to the aforementioned pg_sodium project, you can check out pg
anonymizer:

https://postgresql-anonymizer.readthedocs.io/en/latest/

As far as restricting/masking data, take a look at row-level security,
creative use of views, forcing access through user-defined functions, and
column-level permissions:

https://www.postgresql.org/docs/current/ddl-rowsecurity.html

https://www.postgresql.org/docs/current/sql-createview.html

https://www.postgresql.org/docs/current/sql-createfunction.html

https://www.postgresql.org/docs/current/sql-grant.html

Honestly the best and easiest solution is to keep your servers secure, use
OS-level encryption, and encrypt your backups.

Cheers,
Greg

--
Crunchy Data - https://www.crunchydata.com
Enterprise Postgres Software Products & Tech Support
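
The sketch below is an added example, not part of the message above or of any project it mentions. It combines three of the mechanisms listed there (column-level permissions, a masking view, and row-level security); the table, roles, and the `app.tenant` setting are constructed names.

```sql
-- Constructed schema and roles for illustration only.
CREATE ROLE support_admin NOLOGIN;   -- operators who must not see raw PII
CREATE ROLE app_user NOLOGIN;        -- role the application connects as

CREATE TABLE customers (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant    text NOT NULL,
    full_name text NOT NULL,
    email     text NOT NULL,
    ssn       text NOT NULL
);
REVOKE ALL ON customers FROM PUBLIC;

-- 1. Column-level permissions: support_admin can read only the
--    non-sensitive columns; SELECT email or SELECT * fails with
--    "permission denied".
GRANT SELECT (id, tenant, full_name) ON customers TO support_admin;

-- 2. Masking view: by default a view is evaluated with its owner's
--    privileges, so support_admin gets redacted values without any
--    grant on the underlying email/ssn columns.
CREATE VIEW customers_masked AS
SELECT id,
       tenant,
       full_name,
       regexp_replace(email, '^[^@]+', '***') AS email,
       '***-**-' || right(ssn, 4)             AS ssn
FROM customers;
GRANT SELECT ON customers_masked TO support_admin;

-- 3. Row-level security: app_user sees only rows for the tenant named
--    in the session setting app.tenant (hypothetical setting name).
--    current_setting(..., true) returns NULL when unset, so an
--    unconfigured session matches no rows.
ALTER TABLE customers ENABLE ROW LEVEL SECURITY;
GRANT SELECT ON customers TO app_user;
CREATE POLICY tenant_isolation ON customers
    FOR SELECT TO app_user
    USING (tenant = current_setting('app.tenant', true));

-- With RLS enabled, a role with no applicable policy sees zero rows,
-- so support_admin needs its own policy for the permitted columns.
CREATE POLICY support_read ON customers
    FOR SELECT TO support_admin
    USING (true);

-- Limits: superusers and roles with BYPASSRLS ignore every policy,
-- the table owner does too unless FORCE ROW LEVEL SECURITY is set,
-- and a superuser can read any column regardless of GRANTs.
```

None of this restricts a superuser or anyone with OS-level access to the data directory, which is the limitation the message describes.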

