Postgres Conference

#content { display: none; } JavaScript is not enabled OSEM requires JavaScript to be enabled to function. Please turn on JavaScript in your browser's settings and reload the page to continue.

Presented by:

Billy VanCannon

Baffle, Inc

Billy VanCannon has over 15 years of experience in cybersecurity. This includes network and software security, public-key infrastructure, and identity and access management. He is currently the Director of Product Management at Baffle, where we work to make encryption easy. Billy has an BS in electrical engineering, an MBA at Northwestern's Kellogg school of management and is CISSP certified.

No video of the event yet, sorry!

Download the Slides

Encryption is widely accepted as a very powerful access control mechanism and the only one directly applied to data. Despite this, it isn’t as widely used as it could be. Using the PCI-DSS security framework for payment card data, we will investigate what it says about encryption regarding audit scope and securing credit card information. We will show the role of encryption can be expanded to least privilege and customer data isolation. We will also discuss ways to overcome the common obstacles to implementing encryption.

All security and privacy frameworks depend on the concept of “least privilege”, where people should only get access to sensitive data that they need to do their job and no more. This concept is easy to understand and hard to implement, especially considering the DBA. Almost every auditor assumes the DBA must have access to all the information in the database to do their job, but is this true? Should the DBA have access to the company financials before earnings announcements? Should they have access to employee social security numbers or customer credit card numbers? Does the DBA even want this responsibility?

In this discussion, we will 1. Brief Introduction to PCI-DSS 2. Use PCI-DSS to discuss how encryption and tokenization can be used to define what is “in-scope” of an audit. 3. Discuss how encryption and masking can further be used to define least privilege for all employees, including the DBA. 4. How encryption can be used to isolate customer data in a multi-tenant environment 5. How database operations can be done on sensitive encrypted data without revealing that data (Privacy Enhanced Computing) using postgres user-defined functions.

Date:: 2024 April 19 14:00 PDT
Duration:: 50 min
Room:: Winchester
Conference:: Postgres Conference 2024
Language:: English
Track:: Ops
Difficulty:: Intermediate

Code of Conduct

Code of Conduct

Introduction

Postgres Conference (PostgresConf) prides itself on the quality of our community and our work, and the technical and professional accomplishments of our community. We expect everyone who participates to conduct themselves in a professional manner, acting with common courtesy and in the common interest, with respect for all of our community.

It is the expectation that PostgresConf community members will adhere to the PostgresConf Code of Conduct (CoC).

Inclusivity and Appropriate Conduct

PostgresConf is open to participation by anyone with an interest in working with Postgres and related technologies, regardless of their level of experience with the software, or with technology in general. We encourage contributions from all individuals, whatever their background may be.

Personal attacks and negative comments on personal characteristics are unacceptable, and will not be permitted. Examples of personal characteristics include, but are not limited to age, race, national origin or ancestry, religion, political affiliation, gender, or sexual orientation.

Additional behaviors which are also violations of this CoC include, but are not limited to, threats of violence against an individual or group, threats of professional, community, and/or project sabotage, unwelcome sexual attention in any form, engaging in behavior that may bring PostgresConf into disrepute, and refusing to cease inappropriate conduct when requested to do so.

Retaliation

It is also expressly forbidden for anyone to retaliate against a person who brings a complaint under this CoC, or who assists in investigating such a complaint. Retaliation may take the form of, among other actions: further personal attacks (public or private); actions which undermine an individual's professional status and/or status with their employer, coworkers, clients, or community; actions which threaten the individual's privacy, physical person, well-being, home, and/or family. Acts of retaliation will be treated in the same manner as any other violation of this CoC.

Reporting

PostgresConf believes that only objective parties can properly handle Code of Conduct issues. Therefore we contract with Lighthouse an independent and objective party to handle all reports.

There are three ways to submit a report 24 hours a day:

Website: https://www.lighthouse-services.com/postgresconf
Toll-Free Telephone:
English speaking USA and Canada: 833-490-0007
Spanish speaking USA and Canada: 800-216-1288
E-mail: reports@lighthouse-services.com (include PG Central Foundation within the report)

Acting in Good Faith

Any allegations that prove not to be substantiated, and which prove to have been made maliciously or knowingly to be false, will be viewed as a serious community offense and a violation of this CoC.

Conclusion

We encourage appropriate and collegial relationships among community members; however, members must be sensitive to conduct that may be considered offensive by fellow members and must refrain from engaging in such conduct.

In all interactions with the community, use your professional judgment, and keep the discussion focused on moving our project and our community forward in a positive direction for all.

Presentation Guidelines

Presentation Guidelines

Why Guidelines

The Postgres Conference is a non-profit, community driven conference series delivering the largest education and advocacy platform for Postgres. In an effort to create a productive and profitable environment for our community we must set a bar of expectation for content and we set the bar high.

The community is comprised of users, developers, core-contributors, sponsors, advocates, and external communities. We work hard to create a professional, valuable, and highly educational environment that produces a net result of, “Wow, that conference was very well done. It had great content with knowledgeable professionals, educators and advocates!”

Types of Presentations We Accept

Any presentation that has a tie-in to Postgres will be considered for acceptance into one of our event programs. This includes, but is not limited to, presentations on Open Source Projects, Postgres forks, extensions, new APIs, and languages. As a conference that makes it a goal to incorporate the entire community we also consider business cases, product talks, and service presentations. Presentations that are not related to the success of Postgres will not be considered.

Laptop connections supported

The Postgres Conference will provide a HDMI connection. If you do not have a HDMI port, it is the speaker’s responsibility to provide an adapter.

What about X technology?

When considering whether to submit a topic or not, ask yourself, “Is this presentation in some way related to the success of Postgres?” If it is, then it will be considered. This includes limitations of our great database. It also includes forks of Postgres both closed and Open Source. These types projects and products ultimately contribute to the success of Postgres.

How do presentations on forks or closed source versions help the success of Postgres?

Postgres is BSD style licensed. The BSD license is a true freedom license. The only license that maintains a higher level of freedom for Open Source development is the anti-license: Public Domain. That means the community embraces all forms of use for Postgres as long as it abides by the license.

A presentation on RDS Postgres, Google Cloud Postgres or Greenplum increases overall success via visibility, lowers the barrier of entry for new Postgres users, and supports our commercial community with hard earned efforts to create Postgres products.

Shouldn’t the community be promoting Open Source solutions over proprietary closed source solutions?

Yes, the end goal is that the deployed Postgres is the Open Source Postgres and preference will always be given to Open Source Postgres presentations. However, we offer presentation opportunities to our sponsors that may or may not advocate Open Source Postgres. Sponsors are welcome to present on any topic as long as it follows the guideline of: Does it promote the success of Postgres?

Types of Presentations

PostgresConf offers several presentation opportunities:

Presentation: 20 minutes
Breakout Sessions: 50 minutes
Keynotes: 10 and 20 minutes
Half and Full Day trainings (NOTE: Paid registrants receive priority seating, and trainings are restricted according to badge level)

Privacy Statement

Privacy Statement

PGCentral Foundation, its agents, subsidiaries and affiliates (“PGFoundation”) produces the Postgres Conference Series (collectively, the “Events”), and is committed to respecting your privacy. By using or accessing our products, services or Site (defined below) in any manner, you agree to this Privacy Statement and the website Terms of Use. If you do not agree to be bound by these terms, please leave the Site.

As we continually work to improve our Services (defined below), we may need to change this Privacy Policy from time to time. Upon such changes, we will alert you to any such changes by placing a notice on the Postgres Conference Site, by sending you an email and/or by some other means. Please note that if you’ve opted not to receive legal notice emails from us (or you haven’t provided us with your email address), those legal notices will still govern your use of the Services. You are still responsible for reading and understanding them. If you use the Services after any changes to the Privacy Policy have been posted, that means you agree to all of the changes.

Definitions: “Personal Data” means any information relating to an identified or identifiable natural person and any other data or information that constitutes personal data or personal information under any applicable Data Protection Law. Without limiting the foregoing, an identifiable natural person is one who can be identified, directly or indirectly, in particular by referencing (i) an identifier such as a person’s name, e-mail address, phone number, account numbers, government-issued ID numbers, or an online identifier; (ii) location data such as an IP address, (iii) financial information, (iv) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person, or (v) information associated or combined with Personal Data.

“Controller” means the natural or legal person, agency, or other body which alone or jointly with others determines the purposes and means of the processing of Personal Data; where the purposes and means of processing are determined by the European Union or Member State laws, the controller (or the criteria for nominating the controller) may be designated by those laws.

“Data Protection Law” means any law, rule, regulation, decree, statute, or other enactment, order, mandate or resolution, applicable to Event Organizer or Sponsors, relating to data security, anti-spam, data protection and/or privacy, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to processing of personal data and the free movement of that data (“GDPR”), the California Consumer Privacy Act (“CCPA”), and any implementing, derivative or related legislation, rule, regulation, and regulatory guidance, as amended, extended, repealed and replaced, or re-enacted.

General Statement: Personal Data is collected for all attendees for registration and promotion purposes. We do not release or sell attendee data. All associated parties will comply with Data Protection Law, any applicable anti-spam legislation and will protect Personal Data from unauthorized use, access or disclosure.

If Personal Data is given out, it is done at the will of the attendee during the event via lead scanning or card drops.

In addition, if either the Event Organizer or Sponsors intend to share Personal Data of Event attendees or visitors with one another at the direction of the applicable Event attendees or visitors, the parties agree that each will be independently responsible for complying with the obligations under Data Protection Law (e.g., independent Controllers under GDPR or the equivalent concept under CCPA). These obligations include, without limitation, providing appropriate notice to and obtaining consent from Event attendees and visitors to share their Personal Data with the other party, and for the party receiving it to use Personal Data for the purposes of contacting individuals about the receiving party’s products, services, events, or offers.

In the event that either party shares Personal Data at the direction of the other party and not at the direction of the attendees/visitors, (i) the parties will use the Personal Data only in connection with their direct business relationship and (ii) neither party will transfer or sell the Personal Data to any third party except to contractually bound sub-processors operating on behalf of that party. Both parties hereby certify that they understand the above restrictions and will comply with them.

This tool is free software, released under the MIT license. You can run, copy, distribute, study, change and improve it. The source code and the developers are on github.