Database Reverse Proxy 101

Organizations use proxy servers to effectively route and secure traffic between various networks and systems, either internally or externally, in order to apply security, caching, or other functions.

A proxy server can be a forward proxy where the client directs traffic through a proxy, or it can be a reverse proxy where the server to which the client connects is behind a proxy. This article covers:

• What Is a Database Reverse Proxy?
• Database Reverse Proxy Architecture
• What Can a Database Reverse Proxy Be Used For?
• Alternative Solutions to a Database Reverse Proxy
• Advantages of a Database Reverse Proxy

A database reverse proxy is a server used to proxy traffic to database servers (or other data stores such as data warehouses and data lakes). The proxy server accepts a request from a client and reroutes it to one or more servers. When one of these other servers processes the request, it returns the result to the proxy server which then sends it back to the client.

This way, the client only communicates with the reverse proxy rather than directly with the server—which is the database server in our case. Thus,  the reverse proxy acts as a gateway between clients, users, and servers.

Beyond directing requests and results, a reverse proxy can also handle policy management and traffic routing operations. Routing client traffic through the reverse proxy makes security administration much more efficient, as it is decoupled from the data platform and can be managed regardless of the data platforms’ native capabilities.

A database reverse proxy also makes it easier to manage changes at scale. Instead of performing changes manually and separately on all of your various data stores, you can perform the modification on one centralized location, and it will be effectively implemented throughout.

The database reverse proxy is a component in client-server computing architecture which bridges the client and server endpoints and facilitates communication between the two. Regardless of how many servers you have, you can deploy reverse proxies to secure client-server interactions. In addition, a database reverse proxy can be used both for binary protocols as well as textual ones.

The database reverse proxy is similar to a website reverse proxy used for security or content delivery. The address of the reverse proxy is what users and visitors utilize to visit the website, and all of the requests from web browsers, mobile apps, and other devices for the web content go through this server before being directed to other servers.

Learn More:

• Blog: Access Control: The Dementor of Data Engineering
• Blog: Data Security Projects Keep Data Teams Away From Their Core Responsibilities
• How Satori’s data access proxy helps secure data data-driven organizations

There are several use-cases where it makes sense to use a reverse proxy technology in data access. Here are some examples:

One of the most important reasons for using a database reverse proxy is to enforce security policies. Since the reverse proxy allows for secure client-server interactions, it facilitates efficient implementations of security policies regardless of the specific data platforms used. In addition, security policies can be configured according to the actual data that the proxy analyzes, unlike with data access orchestration solutions.

Database reverse proxies can also be used to facilitate more comprehensive data access logging and monitoring within the organization—all within a single location where the proxy can enrich the access log with contextual information. This capability also means that, when logs are required (for compliance or security reasons), they are already found in one central location and are thus easier to analyze and report on.

A database reverse proxy can also be used to discover or identify any sensitive information or data that is being accessed. This way, even if data is continuously changing, you know immediately when users are accessing sensitive data and can act on accordingly.

Now that you have an understanding of what a database reverse proxy is and what it does, let’s look at some of its benefits.

Data Awareness

One of the biggest advantages of a database reverse proxy is that it can analyze the data transferred; in other words, it is data-aware. Since the accessed data is not in the logs themselves, you gain access to a myriad of capabilities like continuous data discovery, building a continuous data inventory, applying fine-grained access controls based on data types and more.

Real-Time Actions

Another benefit of implementing a database reverse proxy is that it enables admins to perform actions in real-time, such as blocking a request or transaction or masking the results. This efficiency helps promote increased data security and traffic monitoring.

Reduced Business Disruption

Last but not least, database reverse proxy servers help you achieve better data access control with less interference to both the data platforms and the users. If security policies are enforced by a reverse proxy, the database probably requires no changes to allow running the security policies.

There are several alternative solutions to the database reverse proxy that admins can employ to secure their servers.

Existing Features of the Data Store

Datastores usually contain features that can be used to perform actions such as enforcing security policies. Nevertheless, this option may have operational overheads when performed at scale and often lacks many of the capabilities provided by the database reverse proxy. You can read more specifically about how Satori’s reverse proxy differs from such native capabilities here.

Log Aggregation

Log aggregation refers to the process of consolidating and standardizing log data from the data stores for log analysis purposes. It may be used in addition to or instead of a database reverse proxy. However, log aggregation does not contain the full contextual information logged by the reverse proxy (e.g., the types of data being accessed, identity groups of the users, and the columns pulled in the result set). Log aggregation is also only retroactively actionable, unlike a proxy, which sometimes results in traffic interference.

Data Access Orchestration Services

Instead of having a database reverse proxy, you can also utilize data access orchestration services, which are products that manage native database capabilities in a central location. Read more about the differences between such products and the database proxy approach here.

In today’s data-driven world, a database proxy approach enables Satori to offer the capabilities organizations need to accelerate data access while reducing security and compliance risks. The key capabilities Satori provides are:

• Fine-Grained Access Control
• Dynamic Data Masking
• Decentralized Data Access Workflows
• Data Access Auditing & Monitoring
• Continuous Data Discovery & Classification

Learn More:

• Blog: Access Control: The Dementor of Data Engineering
• Blog: Data Security Projects Keep Data Teams Away From Their Core Responsibilities
• How Satori’s data access proxy helps secure data data-driven organizations