HeliosDB Security Hardening Guide v7.0

HeliosDB Security Hardening Guide v7.0

Version: 7.0 (Phase 3B) Date: December 9, 2025 Classification: Public Audience: Security Engineers, System Administrators, DevOps

Table of Contents

1. Security Overview
2. Authentication & Authorization
3. Network Security
4. Data Encryption
5. Multi-Tenancy Security
6. Row-Level Security (RLS)
7. Audit Logging
8. Security Best Practices
9. Compliance
10. Security Checklist

---

Security Overview

HeliosDB v7.0 implements defense-in-depth security with multiple layers of protection:

• Network Layer: TLS 1.3, IP filtering, DDoS protection
• Application Layer: Authentication, RBAC, rate limiting
• Data Layer: Encryption at rest and in transit, tenant isolation
• Audit Layer: Comprehensive logging and monitoring

Security Model

┌─────────────────────────────────────────────┐
│  Network Security (TLS, Firewall)           │
└─────────────────────────────────────────────┘
┌─────────────────────────────────────────────┐
│  Authentication (JWT, API Keys, MFA)        │
└─────────────────────────────────────────────┘
┌─────────────────────────────────────────────┐
│  Authorization (RBAC, Policies)             │
└─────────────────────────────────────────────┘
┌─────────────────────────────────────────────┐
│  Tenant Isolation (Logical/Physical)        │
└─────────────────────────────────────────────┘
┌─────────────────────────────────────────────┐
│  Row-Level Security (RLS Policies)          │
└─────────────────────────────────────────────┘
┌─────────────────────────────────────────────┐
│  Data Encryption (AES-256-GCM)              │
└─────────────────────────────────────────────┘
┌─────────────────────────────────────────────┐
│  Audit & Compliance (Logging, Monitoring)   │
└─────────────────────────────────────────────┘

---

Authentication & Authorization

API Key Management

Generation:

# Generate new API key
heliosdb apikey create --name "production-app" --role admin

# Output:
# API Key: hdb_sk_abc123xyz789...
# Key ID: key_abc123
# Created: 2025-12-09T12:00:00Z
# IMPORTANT: Save this key securely. It will not be shown again.

Configuration:

[security.apikeys]
# Enable API key authentication
enabled = true

# Key format: hdb_{type}_{random}
# Types: sk (secret key), pk (public key)

# Key rotation policy
rotation_days = 90
warn_before_expiry_days = 14

# Failed attempt lockout
max_failed_attempts = 5
lockout_duration_minutes = 15

Best Practices:

• Store keys in secure vault (HashiCorp Vault, AWS Secrets Manager)
• Never commit keys to source control
• Rotate keys every 90 days
• Use separate keys for dev/staging/production
• Implement key rotation without downtime

JWT Token Authentication

Configuration:

[security.jwt]
# Enable JWT authentication
enabled = true

# Signing algorithm: HS256, HS512, RS256, ES256
algorithm = "RS256"

# Token expiry
access_token_ttl_minutes = 15
refresh_token_ttl_days = 30

# Issuer and audience validation
issuer = "https://auth.heliosdb.com"
audience = "heliosdb-api"

# Public key for verification (RS256)
public_key_path = "/etc/heliosdb/jwt-public.pem"

Token Structure:

{
  "iss": "https://auth.heliosdb.com",
  "sub": "user_12345",
  "aud": "heliosdb-api",
  "exp": 1735689600,
  "iat": 1735603200,
  "tenant_id": "tenant_abc",
  "role": "admin",
  "permissions": ["read", "write", "delete"]
}

Role-Based Access Control (RBAC)

Roles:

[security.rbac]
# Built-in roles
[security.rbac.roles.admin]
permissions = ["*"]  # All permissions

[security.rbac.roles.user]
permissions = ["read", "write", "create_table"]

[security.rbac.roles.readonly]
permissions = ["read"]

[security.rbac.roles.service]
permissions = ["read", "write", "batch_write"]

# Custom roles
[security.rbac.roles.analyst]
permissions = ["read", "create_view", "run_analytics"]

Multi-Factor Authentication (MFA)

Configuration:

[security.mfa]
# Enable MFA
enabled = true

# MFA methods: totp, sms, email
methods = ["totp", "email"]

# TOTP settings
totp_issuer = "HeliosDB"
totp_period_seconds = 30
totp_digits = 6

# Require MFA for admin actions
require_for_admin = true

# Remember device (days)
remember_device_days = 30

---

Network Security

TLS/SSL Configuration

TLS 1.3 Only:

[security.tls]
# Enable TLS
enabled = true

# TLS versions (1.2, 1.3)
min_version = "1.3"
max_version = "1.3"

# Certificate and key paths
cert_path = "/etc/heliosdb/server.crt"
key_path = "/etc/heliosdb/server.key"

# CA certificate for client verification
ca_cert_path = "/etc/heliosdb/ca.crt"

# Client certificate authentication
require_client_cert = false

# Cipher suites (TLS 1.3)
cipher_suites = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
    "TLS_CHACHA20_POLY1305_SHA256"
]

Certificate Generation:

# Generate self-signed certificate (development only)
openssl req -x509 -newkey rsa:4096 \
  -keyout server.key -out server.crt \
  -days 365 -nodes \
  -subj "/CN=heliosdb.local"

# Production: Use Let's Encrypt or enterprise CA
certbot certonly --standalone -d heliosdb.example.com

Firewall Configuration

iptables:

# Allow HeliosDB API (8080)
iptables -A INPUT -p tcp --dport 8080 -j ACCEPT

# Allow metrics endpoint (9090) - restrict to monitoring network
iptables -A INPUT -p tcp --dport 9090 -s 10.0.1.0/24 -j ACCEPT

# Allow PostgreSQL protocol (5432)
iptables -A INPUT -p tcp --dport 5432 -j ACCEPT

# Drop all other traffic
iptables -A INPUT -j DROP

# Save rules
iptables-save > /etc/iptables/rules.v4

IP Allowlisting:

[security.firewall]
# Enable IP filtering
enabled = true

# Allow list (CIDR notation)
allow_list = [
    "10.0.0.0/8",      # Internal network
    "192.168.1.0/24",  # Office network
    "203.0.113.50/32"  # Specific IP
]

# Block list
block_list = [
    "198.51.100.0/24"  # Known malicious network
]

# Default action: allow or deny
default_action = "deny"

DDoS Protection

Rate Limiting:

[security.rate_limiting]
# Enable rate limiting
enabled = true

# Global rate limit (requests per second)
global_rps = 10000

# Per-IP rate limit
per_ip_rps = 100

# Per-API-key rate limit
per_apikey_rps = 1000

# Burst allowance
burst_size = 200

# Ban duration for rate limit violations
ban_duration_minutes = 60

---

Data Encryption

Encryption at Rest

AES-256-GCM:

[security.encryption_at_rest]
# Enable encryption
enabled = true

# Algorithm: aes-256-gcm, aes-256-cbc
algorithm = "aes-256-gcm"

# Key management: local, kms, vault
key_management = "kms"

# AWS KMS configuration
[security.encryption_at_rest.kms]
provider = "aws"
region = "us-west-2"
key_id = "arn:aws:kms:us-west-2:123456789012:key/abc-123"

# Key rotation
auto_rotate = true
rotation_days = 90

# Encrypt specific tables
encrypt_tables = ["users", "orders", "payments"]

# Or encrypt all tables
encrypt_all_tables = true

Key Rotation:

# Rotate encryption keys
heliosdb security rotate-keys

# Progress:
# [1/10] Rotating key for table 'users'... done
# [2/10] Rotating key for table 'orders'... done
# ...
# Key rotation completed successfully

Encryption in Transit

All connections encrypted:

[security.encryption_in_transit]
# Enforce TLS for all connections
enforce_tls = true

# Reject non-TLS connections
reject_plaintext = true

# TLS version
min_tls_version = "1.3"

FIPS 140-2 Compliance (Optional)

Configuration:

[security.fips]
# Enable FIPS 140-2 mode
enabled = true

# Approved algorithms only
# - AES-256-GCM
# - RSA-4096
# - ECDSA P-384
# - SHA-256/384/512

# Non-FIPS algorithms disabled
# - RC4, MD5, SHA-1

---

Multi-Tenancy Security

Tenant Isolation

Logical Isolation:

[multitenancy.security]
# Isolation mode
default_isolation_mode = "logical"

# Enforce tenant_id in all queries
enforce_tenant_filter = true

# Prevent cross-tenant queries
prevent_cross_tenant = true

# Audit cross-tenant attempts
log_cross_tenant_attempts = true

Physical Isolation:

[multitenancy.security]
# Physical isolation for sensitive tenants
isolation_mode = "physical"

# Dedicated resources
dedicated_cpu = true
dedicated_memory = true
dedicated_storage = true

# Network isolation (VLANs)
network_isolation = true
vlan_id = 100

Tenant Data Separation

Schema-Level Separation:

-- Tenant A schema
CREATE SCHEMA tenant_a;
CREATE TABLE tenant_a.orders (...);

-- Tenant B schema
CREATE SCHEMA tenant_b;
CREATE TABLE tenant_b.orders (...);

-- User can only access their tenant's schema
GRANT USAGE ON SCHEMA tenant_a TO user_from_tenant_a;
REVOKE ALL ON SCHEMA tenant_b FROM user_from_tenant_a;

Row-Level Separation:

-- Single table with tenant_id column
CREATE TABLE orders (
    order_id BIGINT PRIMARY KEY,
    tenant_id UUID NOT NULL,
    user_id BIGINT,
    ...
);

-- RLS policy enforces tenant isolation
CREATE POLICY tenant_isolation ON orders
FOR ALL
USING (tenant_id = current_tenant_id());

-- Index for performance
CREATE INDEX idx_tenant ON orders(tenant_id);

---

Row-Level Security (RLS)

RLS Policies

User-Level Isolation:

-- Create RLS policy
CREATE POLICY user_own_data ON orders
FOR SELECT
USING (user_id = current_user_id());

-- Enable RLS on table
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;

Team-Level Isolation:

-- Users can see data from their team
CREATE POLICY team_access ON projects
FOR ALL
USING (
    team_id IN (
        SELECT team_id FROM team_members
        WHERE user_id = current_user_id()
    )
);

Manager Access:

-- Managers see all their team's data
CREATE POLICY manager_team_access ON employee_data
FOR SELECT
USING (
    department_id IN (
        SELECT department_id FROM managers
        WHERE manager_id = current_user_id()
    )
);

RLS Performance Optimization

-- Create indexes for RLS predicates
CREATE INDEX idx_user_id ON orders(user_id);
CREATE INDEX idx_team_id ON projects(team_id);
CREATE INDEX idx_tenant_user ON orders(tenant_id, user_id);

-- Composite index for complex policies
CREATE INDEX idx_complex_rls ON data(tenant_id, user_id, status, created_at);

RLS Bypass (Admin)

[security.rls]
# Roles that bypass RLS
bypass_roles = ["admin", "system"]

# Log RLS bypass events
log_bypass_events = true

# Require additional authentication for bypass
require_mfa_for_bypass = true

---

Audit Logging

Comprehensive Audit Logs

Configuration:

[security.audit]
# Enable audit logging
enabled = true

# Log destination: file, syslog, database, s3
destination = "database"

# Log level: info, warn, error
level = "info"

# Events to log
log_events = [
    "authentication",
    "authorization",
    "data_access",
    "data_modification",
    "schema_changes",
    "admin_actions",
    "rls_bypass",
    "quota_exceeded"
]

# Include query text
log_query_text = true

# Redact sensitive data
redact_sensitive = true

# Retention period (days)
retention_days = 365

Audit Log Structure:

{
  "timestamp": "2025-12-09T12:00:00Z",
  "event_type": "data_access",
  "user_id": "user_12345",
  "tenant_id": "tenant_abc",
  "ip_address": "192.168.1.100",
  "action": "SELECT",
  "resource": "orders",
  "query": "SELECT * FROM orders WHERE user_id = $1",
  "params": ["[REDACTED]"],
  "result": "success",
  "rows_affected": 42,
  "duration_ms": 12.5,
  "rls_policies_applied": ["user_own_orders"],
  "request_id": "req_abc123"
}

Audit Queries

-- View recent authentication events
SELECT * FROM audit_logs
WHERE event_type = 'authentication'
  AND timestamp > NOW() - INTERVAL '1 day'
ORDER BY timestamp DESC;

-- Failed authentication attempts
SELECT user_id, COUNT(*) as attempts
FROM audit_logs
WHERE event_type = 'authentication'
  AND result = 'failure'
  AND timestamp > NOW() - INTERVAL '1 hour'
GROUP BY user_id
HAVING COUNT(*) > 5;

-- Admin actions
SELECT * FROM audit_logs
WHERE event_type = 'admin_actions'
  AND timestamp > NOW() - INTERVAL '7 days'
ORDER BY timestamp DESC;

---

Security Best Practices

1. Principle of Least Privilege

# Grant minimum required permissions
[security.permissions]
default_role = "readonly"

# Explicit permission grants
[security.permissions.user_roles]
developer = ["read", "write", "create_table"]
analyst = ["read", "create_view"]
admin = ["*"]

2. Secure Configuration

# Disable insecure features in production
[security]
debug_mode = false
allow_plaintext = false
allow_weak_passwords = false
require_tls = true
require_authentication = true

3. Regular Security Updates

# Check for security updates
heliosdb security check-updates

# Apply security patches
heliosdb security apply-patches --verify

# Verify patch integrity
heliosdb security verify-integrity

4. Password Policy

[security.password_policy]
# Minimum length
min_length = 12

# Complexity requirements
require_uppercase = true
require_lowercase = true
require_numbers = true
require_special = true

# Password history
history_count = 5

# Expiry
expiry_days = 90
warn_before_expiry_days = 14

# Lockout
max_failed_attempts = 5
lockout_duration_minutes = 30

5. Secure Defaults

[security.defaults]
# New users are readonly by default
default_role = "readonly"

# New tenants have minimal quotas
default_storage_quota_gb = 10
default_qps_limit = 100

# All tables have RLS enabled by default
default_enable_rls = true

# All data encrypted by default
default_encryption = true

---

Compliance

SOC 2 Type II

Requirements Met:

• ✓ Encryption at rest and in transit
• ✓ Audit logging with 1-year retention
• ✓ Access controls (RBAC, RLS)
• ✓ Multi-factor authentication
• ✓ Regular security patching
• ✓ Incident response procedures

GDPR

Data Protection:

[compliance.gdpr]
# Enable GDPR features
enabled = true

# Data subject rights
enable_right_to_access = true
enable_right_to_deletion = true
enable_right_to_portability = true

# Data retention
default_retention_days = 730  # 2 years

# Audit logging
log_data_access = true
log_data_deletion = true

# Encryption
require_encryption = true

Right to Deletion:

-- Delete user data (GDPR Article 17)
DELETE FROM users WHERE user_id = :user_id;
DELETE FROM orders WHERE user_id = :user_id;
-- Audit log entry created automatically

HIPAA (Healthcare)

Configuration:

[compliance.hipaa]
# Enable HIPAA mode
enabled = true

# Encryption required
require_encryption_at_rest = true
require_encryption_in_transit = true

# Audit logging
audit_all_data_access = true
audit_retention_years = 6

# Access controls
require_mfa = true
session_timeout_minutes = 15

---

Security Checklist

Production Deployment

• TLS 1.3 enabled with valid certificates
• Strong password policy enforced
• MFA enabled for admin accounts
• API keys rotated regularly (90 days)
• Firewall rules configured (IP allowlist)
• Rate limiting enabled
• Encryption at rest enabled (AES-256-GCM)
• All tables have RLS policies
• Audit logging enabled with 1-year retention
• Security updates applied
• Backup encryption enabled
• Monitoring and alerting configured
• Incident response plan documented
• Security training completed
• Penetration testing performed
• Compliance requirements met (SOC 2, GDPR, etc.)

Monthly Security Review

• Review audit logs for anomalies
• Check for failed authentication attempts
• Verify RLS policies are functioning
• Review and update firewall rules
• Rotate API keys if needed
• Check for security updates
• Review user access permissions
• Test backup restoration
• Review incident response procedures
• Update security documentation

---

Conclusion

Security is an ongoing process. Follow this guide to establish a strong security posture, and continuously monitor and improve your security controls.

Key Takeaways:

1. Defense in depth: Multiple security layers
2. Least privilege: Grant minimum required permissions
3. Encryption everywhere: At rest and in transit
4. Audit everything: Comprehensive logging
5. Regular updates: Stay current with security patches

---

Related Documentation:

• Architecture Update
• Configuration Reference
• Performance Tuning
• Compliance Documentation

Document Information:

• Version: 7.0
• Last Updated: December 9, 2025
• Lines: 650+
• Classification: Public
• Status: Production Ready