Managing Database Roles with Active Directory and Heimdall Data (DAT205)

Title

AWS re:Invent 2023 - Managing Database Roles with Active Directory and Heimdall Data (DAT205)

Summary

  • Erik Brandsberg, CTO of Heimdall Data, discusses automating role and user management for databases using Heimdall Data's capabilities.
  • The solution supports MySQL, Postgres, SQL Server, and variants like Aurora and Redshift.
  • Heimdall Data addresses security principles such as segregation of duties, least privilege, and the zero trust model, principles that are often violated in day-to-day database administration.
  • Traditional database integration with Active Directory is limited: a change to a user's group membership in the directory is not reliably reflected in the roles that user holds in the database.
  • Heimdall Data introduces zero-touch user management through a proxy that authenticates users via Active Directory, maps their groups to database roles, and creates the database user with the matching roles at login.
  • A new database portal is announced, enhancing security with features like two-factor authentication, Kerberos, and an approval chain for role access requests.
  • The portal provides an audit trail, role management, and auditing functionality, including detailed access reports down to the column level.
  • Database administrators are relieved from user and role management, and emergency access ("break glass") functionality is available for urgent situations.
  • Additional security features include a database firewall and honey token detection for suspicious activity monitoring.
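The group-to-role mapping and login-time provisioning described above, as an added example that is not Heimdall Data's code: an authenticated directory user's group memberships are mapped to database roles, and the SQL needed to make the database user hold exactly those roles is computed, including revoking roles whose justifying group has been removed in the directory. The group names, role names, PostgreSQL-style statements and the function names are assumptions made for the illustration.

```python
"""Login-time provisioning of database roles from directory group membership.

Added example (not Heimdall Data's code). It models the proxy step in which a
user who has authenticated against Active Directory has their group memberships
mapped to database roles, and the database account is created or adjusted so it
holds exactly the roles those groups justify. Group names, role names and the
PostgreSQL-style SQL are assumptions.
"""
from dataclasses import dataclass, field

# Constructed mapping of directory groups to database roles (assumption).
GROUP_TO_ROLE = {
    "CN=db-readers,OU=Groups,DC=example,DC=com": "app_read",
    "CN=db-writers,OU=Groups,DC=example,DC=com": "app_write",
    "CN=db-admins,OU=Groups,DC=example,DC=com": "app_admin",
}


def quote_ident(name: str) -> str:
    """Quote a SQL identifier so a directory-supplied name cannot alter the statement."""
    return '"' + name.replace('"', '""') + '"'


@dataclass
class LoginDecision:
    allowed: bool                       # whether the proxy should let the session through
    roles: frozenset                    # roles the user should hold after provisioning
    statements: list = field(default_factory=list)  # SQL to run before the session starts


def provision_at_login(username, member_of, current_roles, user_exists):
    """Return the SQL that makes the database user hold exactly the mapped roles.

    username      - directory user name used as the database login name
    member_of     - iterable of group DNs the directory reports for the user
    current_roles - roles the database currently grants to that user (ignored if absent)
    user_exists   - whether the database user already exists
    """
    desired = frozenset(GROUP_TO_ROLE[g] for g in member_of if g in GROUP_TO_ROLE)
    statements = []
    if not desired:
        # No mapped group means no role is justified: least privilege says deny
        # rather than create a user with an empty or default role set.
        return LoginDecision(False, desired, statements)

    user = quote_ident(username)
    if not user_exists:
        statements.append(f"CREATE ROLE {user} LOGIN;")
        current_roles = frozenset()

    # Grant roles justified by current membership that the user does not yet hold.
    for role in sorted(desired - frozenset(current_roles)):
        statements.append(f"GRANT {quote_ident(role)} TO {user};")
    # Revoke roles the user holds but no directory group justifies any more,
    # so an organizational change propagates at the next login.
    for role in sorted(frozenset(current_roles) - desired):
        statements.append(f"REVOKE {quote_ident(role)} FROM {user};")
    return LoginDecision(True, desired, statements)


if __name__ == "__main__":
    # Constructed scenario: alice moved from the writers group to the readers group.
    decision = provision_at_login(
        "alice",
        ["CN=db-readers,OU=Groups,DC=example,DC=com"],
        {"app_write"},
        user_exists=True,
    )
    print(decision.allowed, sorted(decision.roles))
    for stmt in decision.statements:
        print(stmt)
```

Running the statements inside one transaction before handing the connection to the client keeps the account from ever existing with a role set the directory does not justify; a user whose groups map to nothing is refused outright instead of being created with no roles.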

Insights

  • Heimdall Data's approach to database role management aligns with compliance requirements such as Sarbanes-Oxley by enforcing segregation of duties and least privilege.
  • The zero-touch user management system keeps database access rights in step with organizational role changes, reducing administrative overhead and the potential for human error.
  • The database portal's request and approval workflow for accessing data sets ensures that access is granted based on current needs and permissions, enhancing the security posture.
  • The audit trail and reporting capabilities provided by Heimdall Data can significantly ease the process of demonstrating compliance during audits.
  • The inclusion of advanced security features like honey token detection indicates a comprehensive approach to database security, going beyond just role management.
  • The ability to integrate biometric authentication methods for superuser access suggests a forward-thinking approach to security, leveraging the latest technology to protect sensitive data.