Context: After some past cases involving social media (you know…) and data analysis companies, many nations are now enforcing tough data protection laws. This is the kind of topic that database administrators should be aware of.
Some nations have (or are creating) complicated laws, sometimes without much knowledge of how the IT market works. But it's definitely something you should keep an eye on.
Recently there have been two major leaks in Brazil, with more than 200 million people affected. The first came from the Government (I mean a Special State Secretariat) and the second from a private company that provides bank (credit) scores. Imagine the situation: how much private information is in the possession of third parties now?
Both cases are believed (not 100% sure) to have been internal leaks. A database administrator with unrestricted access could, in theory, sneak out all the data and then expose it on the internet. But the first one could easily have been a hack, as government divisions use old tech. SQL injection is common, and in some cases you can dump the whole DB through it.
This type of action can be prevented by dual administration of the database: one administrator with general powers and another with the power to audit what the admin did or can do (limiting him).
Dgraph provides ACL, Encryption at Rest, binary backups, and auditing. With ACL you can limit which predicates a user/admin has access to. This is useful for limiting access to important data (private data in general) stored in predicates.
Analyzing the cases mentioned above, I believe it would be possible to increase the security of Dgraph's ACL by adding more features, such as further limitations. Some of these enforced limitations could include how many UIDs a user/admin can reach and which admin endpoints they can access (like state, cluster configs, and so on). This would limit the impact of such behavior by an admin or attacker.
It's not that we shouldn't trust our admins, but I believe that One Ring shouldn't rule them all. And firewalls won't protect the data from domestic attacks.
Remember that this topic is about cluster administration. The end user of the application can be limited via the application, e.g. via GraphQL (search for “Securing Your GraphQL API from Malicious Queries”), and so on.
PS: This text reflects only my opinion.
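As an added illustration of the predicate-level ACL mentioned above (not code from the original post): the Dgraph `/admin` GraphQL mutations that create a second, read-only "auditor" administrator whose group can read the non-sensitive predicates but has no rule at all for a sensitive one, so queries on it return nothing. It assumes ACL is enabled on the Alpha, the requests carry a guardian (groot) access token, and the group, user and predicate names (`dba-auditor`, `auditor`, `Customer.*`, `taxId`) are hypothetical placeholders.

```graphql
# Added example, sent to http://<alpha>:8080/admin with a guardian access
# token in the X-Dgraph-AccessToken header (ACL must be enabled).
# Group, user and predicate names are hypothetical placeholders.

# 1. A group for the auditing DBA. A fresh group has no rules, which in
#    Dgraph ACL means no access to any predicate at all.
mutation AddAuditorGroup {
  addGroup(input: [{ name: "dba-auditor" }]) {
    group { name }
  }
}

# 2. Grant read-only access (permission bit 4) to the predicates this role
#    needs. Permission bits: Read = 4, Write = 2, Modify = 1; 7 is full
#    access. The sensitive predicate `taxId` is deliberately left out:
#    with no rule for it, queries on it return no data for this group.
mutation ScopeAuditorGroup {
  updateGroup(input: {
    filter: { name: { eq: "dba-auditor" } }
    set: {
      rules: [
        { predicate: "Customer.name",      permission: 4 }
        { predicate: "Customer.createdAt", permission: 4 }
      ]
    }
  }) {
    group { name rules { predicate permission } }
  }
}

# 3. Create the second administrator and bind them to the scoped group,
#    not to the guardians group that holds the "general powers" admin.
mutation AddAuditorUser {
  addUser(input: [{
    name: "auditor"
    password: "<set-a-strong-password>"
    groups: [{ name: "dba-auditor" }]
  }]) {
    user { name groups { name } }
  }
}

# 4. Verify what the group can actually see before handing over credentials.
query CheckAuditorRules {
  getGroup(name: "dba-auditor") {
    rules { predicate permission }
  }
}
```

Each operation is named, so run them one at a time (or pass `operationName`) and re-run the last query whenever a rule changes.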