I love analytic services like GROW.COM because they make it super simple for teams to become more productive through data insights; however, a lot of businesses find it hard to fully utilize these cloud services because of security concerns.

The two key security concerns businesses have are:

  1. How to securely expose the database to the service
  2. How to prevent invalid use of the database credential used by the service.  These logins are a prime target for hackers because they can’t be multi-factored, and are distributed to the technical staff creating and maintaining the solution for the business unit.

The good news for businesses today is that Cirro Secure Connect addresses both of these security risks, making it super simple to securely use external cloud services.

This blog will show you how to

  1.  securely expose an AWS RDS postgres database to the service
  2.  create a unique login that will only work from the GROW.COM IP address(es)
  3.  receive notifications via email and Slack on invalid use of the login

Cirro can be found here.   It is free for small teams and comes with a simple directory service and one-time passwords.

 

Step 1 – Securely exposing the database

Within Cirro I’ll create a data source with the connection details to the postgres database. You can connect to a database via a VPN connection, an SSH tunnel, or firewall rules and IP whitelisting. For this blog I whitelisted the IP address of my Cirro server in the RDS security group, making it the only IP address that can access the postgres RDS.

The benefit of defining a datasource in Cirro is that you can use it to serve all the cloud services, applications, and client tools that need access to the database.  This avoids having to poke holes in the firewall for every different access requirement.

Note:  Ticking the “enable for data puppy” checkbox  allows this data source to be included in federated queries and data moves.


Step 2 – Assigning the database credential

Cirro allows you to add credentials to user logins or roles. To make it easy to manage long term I’m going to add the analyst credentials for the postgres database to the Cirro analyst_credentials role, and then assign the role to the CHART.IO login.


 

Step 3 – Create the login for GROW.COM

With the data source and credentials added to the role, now I can create the login that we are going to use to connect from GROW.COM to postgres.   I won’t multi-factor this login because many different people might be looking at the data and also we might schedule the data refresh.


 

We assign the required roles: secure_connect and the analyst_credentials role.   If you remember I added the database login to the analyst_credentials role in the prior step.


 

Step 4 – Create the alert

Alerts define what you want to happen when a Cirro access rule matches.

I’m going to create an alert that sends both an email and a Slack notification. The email setup is pretty straightforward. The Slack integration requires a Slack application with the webhook feature enabled. You then use the URI provided by Slack in your HTTPS POST.

 


Step 5 – Create the access rule

Access rules can be defined on the login, IP, netmask, day of week, time of day, and the role assigned to the login.

To secure the GROW.COM login we need a rule on the user and the list of the GROW.COM IP addresses. When there is a match and the connection is denied, the securityGroup_denied alert will be triggered.

 


Step 6 – Create the GROW.COM data source

With all the Cirro configuration done, we can now go to GROW.COM and create a postgres data source. The host is the Cirro server address, the user name is growlogin, and the database is pgRDS. Tick the use SSL checkbox.


Step 7 –  Use GROW.COM as you would normally

 


 

Step 8 – Test the security alerts by using the growlogin from outside GROW.COM

Log in using the growlogin login from any database tool and the connection should fail. You should also get an email and a Slack notification.
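
The behaviour this test exercises, modelled as an added Python example (it is not Cirro's code or configuration format): a rule on growlogin plus an IP list, which denies unlisted or unparsable source addresses and builds the Slack webhook body for the securityGroup_denied alert. The addresses are constructed documentation-range values standing in for the GROW.COM IP list, and the function and field names are hypothetical.

```python
import ipaddress
import json
from urllib import request

# Constructed sample values: documentation-range addresses stand in for the
# GROW.COM IP list; the rule fields are a model, not Cirro's own format.
RULE = {
    "login": "growlogin",
    "allowed": ["203.0.113.10/32", "203.0.113.24/29"],
    "alert": "securityGroup_denied",
}

def parse_source(ip_text):
    """Parse a client address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def evaluate(rule, login, ip_text):
    """Return (allowed, alert_name) for one connection attempt."""
    if login != rule["login"]:
        return True, None  # this rule does not apply to other logins
    ip = parse_source(ip_text)
    nets = [ipaddress.ip_network(n) for n in rule["allowed"]]
    if ip is not None and any(ip.version == n.version and ip in n for n in nets):
        return True, None
    return False, rule["alert"]  # unparsable or unlisted source: fail closed

def slack_body(alert, login, ip_text):
    """JSON body for a Slack incoming webhook (a single "text" field)."""
    msg = f"{alert}: login {login!r} denied from {ip_text!r}"
    return json.dumps({"text": msg}).encode("utf-8")

def send_alert(webhook_url, body):
    """POST the alert over HTTPS; webhook_url is the URI Slack provides."""
    req = request.Request(webhook_url, data=body,
                          headers={"Content-Type": "application/json"})
    return request.urlopen(req, timeout=5)

if __name__ == "__main__":
    for src in ["203.0.113.26", "::ffff:203.0.113.10", "198.51.100.7", "bogus"]:
        ok, alert = evaluate(RULE, "growlogin", src)
        print(src, "allowed" if ok else f"denied -> {alert}")
```

The IPv4-mapped case matters when the listener accepts connections on a dual-stack socket, where an allowed IPv4 client can show up as ::ffff:a.b.c.d and would otherwise miss the IPv4 list.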

 


 

 

ALL DONE! Now you can let your team use GROW.COM without any worry that someone will misuse the login account.

 

 

 

 

 
