I love analytic services like GROW.COM because they make it super simple for teams to become more productive through data insights; however, a lot of businesses find it hard to fully utilize these cloud services because of security concerns.
The two key security concerns businesses have are:
- How to securely expose the database to the service
- How to prevent invalid use of the database credential used by the service. These logins are a prime target for hackers because they can’t be multi-factored, and are distributed to the technical staff creating and maintaining the solution for the business unit.
The good news for businesses today is that Cirro Secure Connect addresses both of these security risks, making it super simple to securely use external cloud services.
This blog will show you how to
- securely expose an AWS RDS postgres database to the service
- create a unique login that will only work from the GROW.COM IP address(es)
- receive notifications via email and slack.com on invalid use of the login
Cirro can be found here. It is free for small teams and comes with a simple directory service and one-time passwords.
Step 1 – Securely exposing the database
Within Cirro I’ll create a data source with the connection details to the postgres database. You can connect to a database via a VPN connection, an SSH tunnel, or firewall rules and IP whitelisting. For this blog I whitelisted the IP address of my Cirro server in the RDS security group, making it the only IP address that can access the postgres RDS.
The benefit of defining a datasource in Cirro is that you can use it to serve all the cloud services, applications, and client tools that need access to the database. This avoids having to poke holes in the firewall for every different access requirement.
Note: Ticking the “enable for data puppy” checkbox allows this data source to be included in federated queries and data moves.
Step 2 – Assigning the database credential
Cirro allows you to add credentials to user logins or roles. To make it easy to manage long term, I’m going to add the analyst credentials for the postgres database to the Cirro analyst_credentials role, and then assign the role to the CHART.IO login.
Step 3 – Create the login for GROW.COM
With the data source and credentials added to the role, now I can create the login that we are going to use to connect from GROW.COM to postgres. I won’t multi-factor this login because many different people might be looking at the data and also we might schedule the data refresh.
We assign the required roles: secure_connect and the analyst_credentials role. If you remember I added the database login to the analyst_credentials role in the prior step.
Step 4 – Create the alert
Alerts define what you want to happen when a Cirro access rule matches.
I’m going to create an alert that sends both an email and a Slack notification. The email setup is pretty straightforward. The Slack integration requires a Slack application with the webhook feature enabled. You then use the URI provided by Slack in your HTTPS POST.
Step 5 – Create the access rule
Access rules can be defined on the login, IP, netmask, day of week, time of day, and the role assigned to the login.
To secure the GROW.COM login we need a rule on the user and the list of the GROW.COM IP addresses. When there is a match and the connection is denied, the securityGroup_denied alert will be triggered.
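The matching behind such a rule, sketched in Python as an added example (it is not Cirro's code or rule format). The `AccessRule` model, the function names and the CIDR values are assumptions: the addresses are documentation ranges standing in for the GROW.COM IPs, which this page does not list.

```python
import ipaddress
import json
from dataclasses import dataclass

# Constructed values: RFC 5737 documentation ranges stand in for the
# GROW.COM source addresses, which this page does not list.
ALLOWED_CIDRS = ["203.0.113.10/32", "198.51.100.0/28"]

@dataclass(frozen=True)
class AccessRule:          # hypothetical model, not Cirro's rule format
    login: str
    networks: tuple
    alert: str             # alert fired when the rule denies a connection

def make_rule(login, cidrs, alert):
    # strict=True rejects typos such as 198.51.100.5/28 (host bits set)
    nets = tuple(ipaddress.ip_network(c, strict=True) for c in cidrs)
    return AccessRule(login, nets, alert)

def source_permitted(rule, source_ip):
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False       # unparsable source address: fail closed
    # A dual-stack listener may report IPv4 peers as ::ffff:a.b.c.d
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in rule.networks)

def evaluate(rule, login, source_ip):
    """Return (decision, slack_body); slack_body is set only on deny."""
    if login != rule.login:
        return "no_match", None        # other rules decide this login
    if source_permitted(rule, source_ip):
        return "allow", None
    text = f"[{rule.alert}] denied login '{login}' from {source_ip}"
    # Slack incoming webhooks accept a JSON body with a "text" field
    return "deny", json.dumps({"text": text})

if __name__ == "__main__":
    rule = make_rule("growlogin", ALLOWED_CIDRS, "securityGroup_denied")
    for ip in ("203.0.113.10", "::ffff:198.51.100.7", "192.0.2.55"):
        print(ip, evaluate(rule, "growlogin", ip))
```

The deny branch returns the JSON body that would be sent to the Slack webhook URI in the HTTPS POST; nothing is sent here.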
Step 6 – Create the GROW.COM data source
With all the Cirro configuration done, we can now use GROW.COM to create a postgres data source. The host is the Cirro server address, the user name is growlogin, and the database is pgRDS. Tick the use SSL checkbox.
Step 7 – Use GROW.COM as you would normally
Final Step 8 – Test the security alerts by using the growlogin from outside GROW.COM
Log in using the growlogin login from any database tool and the connection should fail. You should also get an email and a Slack notification.
ALL DONE! Now you can let your team use GROW.COM without any worry that someone will misuse the login account.