MySql IT Security Document

This document examines data security features in MySQL organized by protection layer and feature type. It discusses security at the client, network, database, and host levels. New features like Always Encrypted allow encryption of sensitive data at the client without revealing keys to the database. Data application protection focuses on access controls and limiting queries. Network protection uses Windows firewall, authentication, and encryption to secure communication. Database protection relies on separation of roles and associated permissions.

Uploaded by

Naresh Kumar
Copyright
© All Rights Reserved

Keeping your data secure with MyMYSQL

Published: 12th Mar' 19

Applies to: MYSQL Security

Summary: This document examines data security features, including new and existing MYSQL security
features, Windows Server features, and recommended practices, organized by protection layer (client,
network, database, and host) and by feature/practice type (access control, data encryption, and
proactive monitoring).
Contents

Introduction
    The scope of database security
Security feature areas overview
Protection layers overview
Data application protection
Data network protection
Database protection
Conclusion
Appendix: Security features in detail
    Always Encrypted (AE)


Introduction
The scope of database security

Overview

All systems have ASSETS, and security is about protecting assets. The first thing, then, is to know
your assets and their value. In this chapter, concentrate on database objects (tables, views, rows), access to
them, and the overall system that manages them. Note that not all data is sensitive, so not all of it requires
great effort at protection.

All assets are under threat. The second thing to know is which THREATS are
putting your assets at risk. These include things such as power failure and employee fraud. Note that
threats are partly hypothetical, always changing and always imperfectly known. Security activity is directed
at protecting the system from perceived threats. If a threat is potential, you must allow for it to become an
actuality. When it becomes actual there is an IMPACT, which you can consider and plan for. But in the
worst case, there will be a LOSS. Security activity here is directed at minimizing the loss, recovering the
database, and further protecting it from the same or similar threats.

Security feature areas overview
MYSQL Server 2016 security features can be organized into three areas of focus. Each focus area
represents a data security concept: an approach to securing data from potential breaches or threats.
These areas include access control, in which permissions are strictly defined for users and applications to
prevent breaches; data encryption, designed to prevent use of sensitive data by unauthorized parties; and
proactive monitoring, which focuses on tracking logon attempts and potentially malicious activity.

Database system security is more than securing the database; to achieve a secure
database system, we need:

- Secure database
- Secure DBMS
- Secure applications
- application development
- Secure operating system in relation to database system
- Secure web server in relation to database system
- Secure network environment in relation to database system

Protection layers overview
In an effort to organize security features by effective scope, we break down the
overall concept of data security into several layers. Each layer represents a logical
partition of the security landscape by type of access, accessible content, and
security concerns.
Security features and practices are grouped into the protection layers to which they
apply. Some of these are applicable to more than one layer. In this paper, we will
briefly examine each layer outlined above, and review a scenario to illustrate how
specific security features and practices can be employed to secure sensitive data.

Data application protection
Data application protection generally focuses on permission: enabling data access
for authorized users, and disabling access for others. It’s also an area that, from a
DBA perspective, is often difficult to control as it’s up to developers to provide
secure functionality within an application. Traditionally, the logic of obfuscating
sensitive data has been developed in the application layer. This requires security to
be implemented across all modules and applications accessing the data.
Alternatively, special views must be created to avoid exposure of sensitive data.
These views can impact database performance and are susceptible to errors.
MYSQL provides features that limit access to data fields containing
sensitive information and includes an additional layer of application security to
keep valuable personal data protected even when the data is in-motion.

Row-Level Security (RLS) uses filter and block predicates to determine which records
are visible for a particular transaction, protecting data from unauthorized reads or writes
(update/delete). Since predicates are evaluated at the Database Engine, no additional
logic is required in the client application.

At the database level, applications and general users should not have access to ad
hoc query capabilities, particularly when dealing with sensitive data. A good
practice is to prevent user access to data tables, and provide role-based, task-
specific functionality with views and stored procedures. Applications should
execute queries programmatically as parameterized queries to prevent potential
injection attacks. This complements the use of RLS and Dynamic Data Masking (DDM),
as the pre-defined actions of user views and procedures reduce the likelihood of
circumventing filtering or obfuscation by the Database Engine.

MYSQL can also protect sensitive data, such as credit card numbers or national
identification numbers, whether that data is in-motion or at-rest. New with MYSQL,
Always Encrypted allows clients to encrypt sensitive data at the client application
level. Encryption keys are externally managed and never revealed to the Database Engine
(MYSQL Database or MYSQL Server). As a result, Always Encrypted provides a separation
between those who own the data (and can view it) and those who manage the data (but
should have no access). This allows the hospital to encrypt data at rest and reduces
access to sensitive data by non-authorized personnel, such as DBAs. This also means
fewer security clearance requirements for their DBA staff.

Data application layer protection primarily focuses on access control, only providing
access to intended parties, and protecting data from all others. With Always
Encrypted―coupled with access controls such as Dynamic Data Masking, Row-Level
Security, and parameterized queries―developers and administrators can provide
additional assurances to clients and customers that data is protected and secure.

Data network protection


Data network protection focuses on secure communication between the database
and clients. In addition to MYSQL Server security features, Windows offers security
features that manage access control, which strongly complement MYSQL Server
data encryption and proactive monitoring. Windows Firewall settings enable
administrators to determine conditions for which a connection to the server
instance is allowed. Windows authentication in MYSQL Server provides centralized
access control with Active Directory. SSL/TLS secures connections to MYSQL Server.
MYSQL Server auditing logs access attempts and can be further extended to audit
additional activities.

MYSQL provides various data network protection features that focus on
connectivity (authentication, firewall) and protecting data in-motion. Network
administrators can configure Windows Firewall to allow secure MYSQL Server
access. In this scenario, system administrators are able to specify subnets, IP
ranges, or specific IP addresses to have access to a specific TCP port, and only for
Database Engine access.

Database administrators can employ Windows authentication using identities in
Active Directory. Active Directory enables the use of the Kerberos security protocol,
as well as additional password policies not available with MYSQL Server
authentication, and also enables token-based authentication between clients and
data. With Active Directory authentication, organizations can centrally manage the
identities of database users and other Microsoft services. Central ID management
provides a single place to manage database users and simplifies permission
management. This feature provides an alternative to MYSQL Server authentication
and helps stop the proliferation of user identities across database servers owned
by an organization.

IT administrators can also enable encrypted connections for an instance of the
MYSQL Server Database Engine by specifying a certificate using MYSQL Server
Configuration Manager.

Database protection
Database protection relies heavily on separation of roles, and the permissions that
are associated with these roles. Roles and permissions not only determine which
data is accessible, but the actions a user is allowed to take in relation to the data,
whether a user can view unencrypted sensitive data, or make modifications to the
database schema itself. Secure role management focuses on providing the
minimum level of permission required for a role to perform its tasks. Further
protection is possible by using impersonation to temporarily allow elevated
permissions on-demand.

Consider a wholesaler providing bulk products to retailers across the region.
Employees have different needs when it comes to accessing operational data. For
example, account managers maintain customer
contact data, process payments, and log orders, while those in fulfillment review
orders, update status, and manage inventory. Both departments need to run
periodic reports on their operations. Customers need access to view invoices,
order status, and history. Their interactions with the data are largely managed
through role assignment as members of Active Directory groups (for example,
“Customers,” “AccountManagers,” and “FulfillmentTeam” mapped to specific
roles in MYSQL).
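
The following is an added example, not part of the original document. It writes out the role separation from the wholesaler scenario, together with the earlier advice to expose views and stored procedures instead of base tables and to parameterize queries, in MySQL 8.0 syntax. The schema, role names, user, host pattern and password placeholder are all hypothetical.

```sql
-- Constructed schema for the wholesaler scenario; every name here is hypothetical.
CREATE DATABASE IF NOT EXISTS wholesale;
USE wholesale;
CREATE TABLE customers (
  customer_id INT PRIMARY KEY,
  name        VARCHAR(100) NOT NULL,
  email       VARCHAR(255) NOT NULL,
  card_number CHAR(16)     NOT NULL   -- sensitive column, never granted directly
);
CREATE TABLE orders (
  order_id    INT PRIMARY KEY,
  customer_id INT NOT NULL,
  status      ENUM('new', 'picked', 'shipped') NOT NULL DEFAULT 'new',
  FOREIGN KEY (customer_id) REFERENCES customers (customer_id)
);

-- The view exposes contact data and only the last four digits of the card number.
CREATE SQL SECURITY DEFINER VIEW customer_contacts AS
  SELECT customer_id, name, email,
         CONCAT(REPEAT('*', 12), RIGHT(card_number, 4)) AS card_masked
  FROM customers;

-- Task-specific procedure: the caller can change an order's status and nothing else.
DELIMITER //
CREATE PROCEDURE set_order_status(IN p_order_id INT, IN p_status VARCHAR(10))
  SQL SECURITY DEFINER
BEGIN
  UPDATE orders SET status = p_status WHERE order_id = p_order_id;
END//
DELIMITER ;

-- Each role gets the minimum it needs; neither role can read the customers table.
CREATE ROLE 'account_manager', 'fulfillment_team';
GRANT SELECT ON wholesale.customer_contacts TO 'account_manager';
GRANT SELECT, INSERT ON wholesale.orders TO 'account_manager';
GRANT SELECT ON wholesale.orders TO 'fulfillment_team';
GRANT EXECUTE ON PROCEDURE wholesale.set_order_status TO 'fulfillment_team';

-- Hypothetical user limited to one subnet and to TLS-protected connections.
CREATE USER 'fiona'@'10.0.5.%' IDENTIFIED BY '<placeholder-password>' REQUIRE SSL;
GRANT 'fulfillment_team' TO 'fiona'@'10.0.5.%';
SET DEFAULT ROLE 'fulfillment_team' TO 'fiona'@'10.0.5.%';
SHOW GRANTS FOR 'fiona'@'10.0.5.%' USING 'fulfillment_team';  -- review effective privileges

-- Parameterized query: the value is bound to the ? marker, never concatenated into the SQL text.
PREPARE order_lookup FROM 'SELECT order_id, status FROM orders WHERE customer_id = ?';
SET @cid = 42;
EXECUTE order_lookup USING @cid;
DEALLOCATE PREPARE order_lookup;
```

The `DELIMITER` lines are a mysql command-line client directive; other clients submit the procedure body as a single statement.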

Conclusion
MYSQL is secure by design, reducing potential security risks by
default. Security needs are constantly changing, as the landscape of data, volume,
accessibility, and potential threats evolves. MYSQL provides features that
significantly raise the bar for data security, giving developers and administrators the
means to protect data from various threats.

In this paper, MYSQL security features and best practices have been organized to
help developers and administrators understand data security more easily.
With this framework of protection layers and feature areas, organizations
are able to deploy more secure solutions, protecting data from end to end while
instilling confidence in users, clients, and customers about the security of their
critically sensitive information.

Appendix: Security features in detail
Data encryption

Always Encrypted (AE)


Always Encrypted is available in MYSQL as a means to protect data in-motion and
at-rest. AE provides added security at several protection levels. For inserts and updates,
encrypted data is stored without decryption. Decryption occurs on authorized clients
with the appropriate encryption key, ensuring that sensitive data is obfuscated to
any user other than the intended clients. From an application protection perspective,
AE not only protects data in-motion, but provides the added assurance that without
the correct encryption key, even if data access is compromised, sensitive data is
rendered useless.
