PostgreSQL Secured by SG
ONE-CLICK DEPLOYMENT | ENCRYPT DATA TRANSPARENTLY
ELIMINATE CONFIGURATION MISTAKES | ACHIEVE COMPLIANCE EASILY
The PostgreSQL Secured by SG is a ready-to-deploy Shielded PostgreSQL Server instance designed to eliminate the need to build a patchwork security solutions in order to protect the PostgreSQL data.
The instance uses advanced security techniques such as secure boot, vTPM, UEFI firmware, integrity monitoring at the virtualization layer and transparent encryption, extended access controls, tamper-resistant logs at the data layer in order to protect the PostgreSQL data.

- Google Cloud
- Your Data Center
PostgreSQL Secured by SG
- Encrypt PostgreSQL Data Transparently
- Reduce OS Attacks With JeOS
- Protect Data Against Malicious “root’ User
- Generate Tamper-Resistant Logs
- Use VM With Built-in Security Measures
> Virtual Appliance
Our VM uses advanced security techniques such as secure boot, vTPM, UEFI firmware, integrity monitoring at the virtualization layer and transparent encryption, extended access controls, tamper-resistant logs at the data layer in order to protect PostgreSQL data against unauthorized access.
All Server General operations are logged on four different servers making it very challenging for an attacker to successfully launch a log tampering attack. You can deploy our PostgreSQL Secured by SG instance in less than 10 minutes.
Our automated scripts will install and configure the instance to provide you maximum security and performance. The PostgreSQL Secured by SG can enable you to achieve regulatory compliance without having to create a patchwork of security solutions.
Enterprise-grade Data Security and Compliance
The HIPAA Act requires covered entities to provide public notification upon discovery of a breach of unsecured ePHI (Electronic Patient Health Information) involving more than 500 records. However, ePHI that is secured via encryption does not trigger the breach notification requirement. SG-TDE-AnyCloud can help covered entities to gain protection under the Safe Harbor provision of the HITECH Act by helping them transparently encrypt their ePHI stored in a database or a file server, hosted on any cloud platform.
The European Union’s General Data Protection Regulation (GDPR) will become effective as of May 25, 2018. Just like California’s SB 1386 data breach notification legislation, GDPR stipulates that any entity that handles EU citizen’s data must provide notification of a successful breach. The law requires the entity to prove that it had put all the right measures in place to protect the personal information of EU citizens. SG-TDE-AnyCloud can be used not only to encrypt data-at-rest but to also control access, manage keys and for generating immutable log files.
Businesses rely on SG-TDE-AnyCloud to meet PCI DSS mandates 3, 7 and 10. Our customers include tier-1 merchants as well as small businesses. We have gained experience over the years and designed our solution in a manner that makes it easy for you to comply with the PCI DSS mandates.
SB 1386 was signed into law on September 25, 2002 and became effective on July 1, 2003. AB 1950 was signed into law on September 29, 2004 and became effective on January 1, 2005. SB 1386 states that businesses, which conduct business in California, and keep personal information about individuals, must put measures in place to monitor such information – and upon discovery of any breach or any suspected breach, must report the event to all individuals that may have been affected. AB 1950 extends the intent of SB 1386 beyond notification, and mandates that these organizations must take adequate steps to safeguard personal information about individuals. SG-TDE-AnyCloud can help you comply with California’s SB1386 by transparently encrypting data and controlling access.
Main Features
Transparent Encryption
The MySQL data is transparently encrypted at the file-system layer before it hits the disk. This in-kernel is quick. You are in control of your data encryption key while we help you store it in our managed key locker so it is available when you need it.
Reduced Attack Surface
The instance uses a trimmed down version of the OS thereby reducing the attack surface significantly. The total footprint that includes the OS, MySQL server and our security software is around 850MB.
Protection Against Unauthorized Users
Advanced access controls makes it difficult for unauthorized users, including the “root” user, from accessing the protected data sets in clear-text.
Tamper-resistant Logs
Every Server General operation is logged at four different locations in order to nullify log tampering attempts. All privileged operations conducted by the MySQL Secured by SG administrators are logged within and outside of the administrative domain of our customers. This feature provides non-repudiation and is heavily relied upon by auditors. In fact each Server General command is stored at four different locations.
Based On Open-Source
MySQL Secured By SG uses standard encryption functionality embedded within the mainstream Linux kernel. This functionality is based on a stackable file system that was developed by Erez Zadok, CTO, Server General Inc.
CIS Compliant MySQL Server
The MySQL server installed on the instance complies with security recommendations made by the Center of Internet Security (CIS).
Virtual Instance Security
The instance uses "Secure Boot" to make sure that only authenticated software is installed at the OS layer.
Integrity Monitoring
Remote attacks, privilege escalation and insider attacks are prevented with help of integrity monitoring.
Role-Based Management
Many solutions cling to old security concepts that result in misplaced trust in the network/system administrator. This completely defies application’s access control logic as intended by the application vendor thereby exposing the application data to a whole host of attacks. MySQL Secured by SG segregates management responsibilities based on roles in order to safeguard data.
How Does it Work?
-
Select Instance TypeChange machine configuration
-
Install InstanceInstall your instance
-
Run ScriptLicense your instance Configure administrators Define a security policy Encrypt MySQL data Control access
-
Manage Your InstanceChange temporary passphrases
Start/Stop the security policy Rotate data encryption keys -
LogsServer General administrative logs are stored locally and at three other servers
-
That’s ItYour PostgreSQL is fully protected now.
Technology
The core components of MySQL Secured By SG are a data encryption engine, a key management engine, an access control engine, and a reporting engine. Each component performs a critical function in securing sensitive information and collectively they provide active countermeasures against various types of attack vectors.
A high-performance Data Encryption Engine is employed to provide strong encryption for all writes, and decryption for all reads. The application server data is encrypted at the file-system layer using the AES algorithm. This in- kernel data encryption is quick, transparent and you control the data encryption keys while we help you manage them.
Data encryption protects against theft of media, data images – even if intruders are able to obtain physical or electronic copies of data. The stolen data would be unusable without the decryption keys. Any probing of files would only yield blocks of ciphertext.
The Key Management Engine allows our customers to control their own encryption keys at all times. The encryption keys are stored in one or more key lockers deployed within the Server General global key management infrastructure. The encryption keys are themselves wrapped in another layer of encryption using a master key (a passphrase) that is only known to the data owner. This way only cipher blobs are stored in key lockers preventing other parties from deciphering them. The key management system allows customers to generate strong keys, rotate them on-demand, revoke any key at any time and store them in a secure location. Our security staff ensures their availability.

The Access Control Engine provides industrial strength identification and authentication mechanism that results in reduction of the ‘trust domain’. Only authorized Server General administrators are able to access administrative functions: this one measure reduces the risk posed by rogue systems administrators (or any other entity that has progressed beyond perimeter security). The access control engine allows only authorized users to access the protected data sets.
The Logging Engine logs every administrative operation related to Server General. The logs are stored at four different locations – on the host server and remotely within our cloud infrastructure. These logs provide crucial information during a security audit. In case of a regular server, an external or a malicious internal user may gain unauthorized access to the sensitive data – then perform acts to conceal the breach by removing or editing audit logs. However, this is not possible with Server General, as logs are stored outside the administrative domain of the compromised entity.
Data Security

VM Security
