From c203b91353209ce92b418496483079dc694f4bcd Mon Sep 17 00:00:00 2001 From: Thanh Pham Date: Thu, 2 Jan 2025 14:44:11 +0700 Subject: [PATCH] add case study database hardening for trading platform (#454) * add case study database hardening for trading platform * fix: update typos * update voice --- .../assets/nn-security-architecture.webp | Bin 0 -> 22700 bytes ...database-hardening-for-trading-platform.md | 206 ++++++++++++++++++ 2 files changed, 206 insertions(+) create mode 100644 Use Cases/assets/nn-security-architecture.webp create mode 100644 Use Cases/database-hardening-for-trading-platform.md 
diff --git a/Use Cases/assets/nn-security-architecture.webp b/Use Cases/assets/nn-security-architecture.webp new file mode 100644 index 0000000000000000000000000000000000000000..e464d0cabb2f1a5e3e276cd2fd925b75b504e098 GIT binary patch literal 22700
diff --git a/Use Cases/database-hardening-for-trading-platform.md b/Use Cases/database-hardening-for-trading-platform.md new file mode 100644 index 00000000..efb00c82 --- /dev/null +++ b/Use Cases/database-hardening-for-trading-platform.md
@@ -0,0 +1,206 @@ +--- +authors: + - 'thanh' +date: '2025-01-02' +description: 'Discover how a trading platform mitigated database access risks, enhanced security, and ensured data integrity through role-based access control, network isolation, MFA, and robust logging. Learn about the strategies and tools, like Teleport, that transformed operational efficiency and reinforced client trust.' +tags: + - 'security' + - 'database' + - 'case-study' +title: 'Database hardening for a trading platform' +--- + +## Introduction + +Database vulnerabilities are a silent threat in trading platforms. They lurk in unrestricted access controls, posing risks of data breaches, operational disruptions, and loss of client trust. This case study examines how we identified these risks and implemented a structured, practical approach to mitigate them. By integrating tools like Teleport, enforcing strict access controls, and embedding detailed logging mechanisms, we significantly enhanced our security posture and operational resilience. + +## Problem statement + +Every trading platform depends on its database to handle sensitive operations—from storing client funds to managing trade records. Yet, our initial access controls had critical gaps: + +**Unrestricted access to sensitive data** + +Developer accounts could access client funding information, exposing the platform to intentional misuse or accidental exposure. + +**Data manipulation** + +Developers with write permissions could inadvertently or maliciously alter critical data, risking financial discrepancies. + +**Data loss** + +Permissions to execute destructive commands, such as table deletions, left the system vulnerable to catastrophic data loss. + +**Lack of auditability** + +Without logging and audit trails, accountability gaps hindered issue resolution and increased operational risks. + +> Developer accounts refer to those belonging to engineers and DevOps personnel. 
These accounts, if compromised, could act as vectors for unauthorized access. + +### Operational needs vs. security risks + +While access should be minimized, it is recognized that developers occasionally need to: + +- **Manipulate data** to fulfill client requests (e.g., updating specific records). +- **Query data** to trace production issues when source code analysis is insufficient. + +These activities must be conducted under strict safeguards to prevent "oops" moments, where accidental actions result in catastrophic data loss or manipulation. + +### Risk assessment + +| **Type** | **Impact** | **Cause** | +| -------------------------- | ------------------------------------------------------------------------------ | ------------------------------------------------- | +| **Fund loss** | Misuse of sensitive funding data for personal gain | Unrestricted developer access | +| **Data loss** | Irreversible deletion of critical data | Developer accounts performing destructive actions | +| **Information loss** | Exposure of sensitive client data | Unregulated read access | +| **Operational disruption** | Downtime caused by accidental or malicious actions | Developer accounts with write permissions | +| **Operational cost** | Increased expenses for data recovery, incident response, and breach mitigation | Lack of log trails and recovery mechanism | + +## Proposed approach + +Addressing these risks required a phased approach. Each step introduced a new layer of security, designed to mitigate specific vulnerabilities. + +### **Role-based access control** + +Unrestricted developer access was the root cause of several risks. To address this: + +- Enforce least-privilege principles: Developers accessed only the data essential to their roles. +- Differentiate access levels: + - **Read-only access**: For troubleshooting non-sensitive data. + - **Write permissions**: Granted only with explicit, time-limited approval. 
+- Provide standby databases: Developers used a read-only copy of the production database for debugging. + +### **Network isolation** + +Open access points created opportunities for unauthorized interactions with the database. To minimize exposure: + +- Restricted database access to approved endpoints or IP addresses. +- Mandated VPN usage or secure proxy connections for all database interactions. + +### **Multi-factor authentication** + +Insufficient authentication measures left accounts vulnerable to compromise. Implementing MFA added an extra layer of security by requiring developers to verify their identities using multiple factors before accessing the database. + +### **Database observability and audit logging** + +Lack of visibility into database interactions hindered accountability. To address this, we: + +- **Implemented robust logging**: Tracked every database interaction, including queries, data changes, and administrative actions. +- **Set up alerts**: Suspicious activities, such as bulk deletions or schema modifications, triggered instant notifications. +- **Made logs tamper-proof**: Ensured secure storage to prevent alterations. + +### **Break glass access** + +In emergencies, developers needed immediate access to resolve critical issues. However, such access carried risks if not carefully managed. We implemented a "break-glass" process: + +- **Multi-party approval**: Emergency access required sign-offs from multiple stakeholders. +- **Time-limited access**: Permissions expired automatically after a set duration. +- **Comprehensive logging**: Every action during emergency access was logged for accountability. + +## Technical implementation + +### System architecture + +We used [**Teleport**](https://goteleport.com/) as the central platform for managing access controls and monitoring database interactions. 
The architecture featured: + +![](assets/nn-security-architecture.webp) + +- **Public network**: Developers authenticated via HTTPS or CLI (tsh) to obtain access certificates. + +- **Teleport proxy**: Served as the gateway, enforcing MFA, role-based permissions, and secure connections. + +- **Private network**: Hosted the database tier, segregated into read-only and write-only instances, and the logging infrastructure. + +- **Event aggregator**: Used Fluentd to process and route logs to tamper-proof storage and notification systems. + +- **Notification system**: Alerted administrators to suspicious activities and provided actionable insights. + +**Workflow** + +1. A developer authenticated via Teleport, receiving a temporary certificate. +2. The Teleport proxy validated their permissions before granting access to the private network. +3. Logs of all interactions were processed by the event aggregator and stored securely. +4. Alerts were sent to the security team for any suspicious activities. + +### Masking data + +We hide some sensitive information in our tables to keep data safe. Most of these fields stay hidden forever. However, a few can be accessed with special permissions when needed. Right now, we use [postgresql-anonymizer](https://postgresql-anonymizer.readthedocs.io/en/latest/) for data masking and follow this process: + +1. **Identify the table**: Find out which table you need access to. +2. **Request the tight role**: Use the table name with `unmasked_` as the role name. + +For example, if you need to see hidden fields in the `deposits` table, request the `unmasked_deposits` role. 
+ +### Request a new role for extensive access + +If there is a special request for an action beyond the permissions of the existing role, the requester must follow this protocol to perform the action: + +```mermaid +sequenceDiagram + participant User + participant Approval as Teleport + participant Database + participant Audit as Audit logs + + User->>Approval: Submit emergency access request + activate Approval + Note over User,Approval: Includes: reason, duration, resources + + loop Approval Process + Approval->>Approval: Notify approvers + Approval->>Approvers: Wait for the request to be approved + end + + alt Request Approved + Approval->>Database: Grant temporary permission + activate Database + Database->>Approval: Acknowledge credential issuance + deactivate Approval + + Approval->>User: Notify approval with the new permission grant + + User->>Database: Connect with new permission + activate Database + Database->>Audit: Log connection attempt + + Note over Database,Audit: Auto-cleanup after X hours + + loop During Access Period + User->>Database: Execute queries + Database->>Audit: Log operations + end + + alt Time Limit Reached + Database->>Database: Terminate session + Database->>Audit: Log session end + else Manual End + User->>Database: End session + Database->>Audit: Log manual end + end + deactivate Database + + else Request Denied + Approval->>User: Notify rejection + Approval->>Audit: Log rejected request + end +``` + +**Workflow summary:** + +1. Developer initiates the request. +2. Approvers evaluate and approve the request via Teleport. +3. Developer performs required actions with temporary permissions. +4. All activities are logged, and permissions are automatically revoked after expiration. + +## Results and benefits + +The implementation delivered measurable benefits: + +- **Enhanced security**: Reduced risks of unauthorized access, data breaches, and misuse. +- **Improved data integrity**: Maintained through RBAC and robust logging. 
+- **Operational efficiency**: Developers performed essential tasks without compromising security. +- **Accountability and traceability**: Comprehensive logs enabled rapid issue resolution. +- **Increased client trust**: Demonstrated commitment to safeguarding sensitive data. + +## Conclusion + +This case study highlights how robust access control measures can transform database security in a trading platform. By layering tools like Teleport, enforcing RBAC, and integrating detailed observability, we not only mitigated immediate risks but also established a secure foundation for future growth. These measures underscore the importance of proactive security in maintaining operational resilience and client trust.
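Review bot: In the "System architecture" bullets, "segregated into read-only and write-only instances" conflicts with the RBAC section, which gives developers read-only access by default and write permissions only under time-limited approval; a write-only database tier cannot serve the troubleshooting queries the document describes, so this should read "read-only and read-write instances" (or say what a write-only instance is for). Three smaller points in the same hunk: "Request the tight role" under "Masking data" should be "Request the right role"; in the mermaid sequence diagram, `Approval->>Approvers: Wait for the request to be approved` targets a participant `Approvers` that is never declared (mermaid will add an extra lane for it), and `activate Database` is issued twice (after "Grant temporary permission" and again after "Connect with new permission") against a single `deactivate Database`, so one activation bar is never closed; and "Auto-cleanup after X hours" leaves the break-glass duration unspecified even though the "Break glass access" section says permissions expire after a set duration, so either state the value or note that it is chosen per request.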