Welcome!

Apache Authors: Pat Romanski, Liz McMillan, Elizabeth White, Christopher Harrold, Janakiram MSV

Blog Feed Post

Best Practices for MySQL Encryption

MySQL encryption cloud security best practices  mytechlogy Best Practices for MySQL EncryptionMany applications have a database at their core, and very often, this database is the mature and popular MySQL. Often it is the most sensitive information that gets stored in the database: customer details, credit card numbers, passwords (or password hashes) and so on. MySQL encryption is an industry best practice.

MySQL Encryption: Why?

Obviously, the sensitive information within the database is enough motivation for secure MySQL Encryption.
Often there are also requirements by regulatory bodies to encrypt the database-resident data, either applying to the entire database or to selected tables or columns.
There is often another motivation to encrypt some of the data: segregation between users, between applications, and most often between administrative users – such as the Database Administrator – and the business data. Without encryption, the DBA can read any of the data stored in the database. With encryption, provided it happens at the right layer, you can protect the most sensitive data, while keeping most of the data unencrypted and so more accessible to applications and utility tools.

MySQL Encryption: How?

Until recently, you typically needed to set up your own MySQL instance on a server, and manage the database yourself. The organization would have to deal with scaling, replication, backups and disaster recovery. Many organizations ended up employing a full time person to continuously care for the database.
In the last few years, cloud-based databases have become increasingly popular. The most prominent one is Amazon Web Services’ RDS, a service that supports several database technologies, including MySQL. It should be noted that RDS and other cloud databases do not in general provide encryption out of the box. Some of the techniques described below also apply to cloud databases, with the important exception of full-disk encryption.

MySQL Encryption: Available Options

The simplest way to encrypt a database is to overlay it on a fully-encrypted disk. There are many solutions available for full-disk encryption (FDE). Two examples are the Linux open-source dm-crypt, and the more user-friendly Porticor Virtual Private Data, which bundles up-in-minutes full disk encryption together with an innovative and highly secure key management service.
Once you have the encrypted disk, it is an easy matter to configure the database so that the data directory resides on that disk. Now, assuming you manage your encryption keys correctly, if you ever lose your disk, you do not need to worry about your sensitive data being exposed to prying eyes. This addresses some of the threats facing your data, but clearly not all of them. For example, someone who breaks into the application or someone who obtains administrative privileges on the database would still be able to read the data, even though it is fully encrypted.
So let us look at encryption at a higher layer. The next layer up from the disk would be the RDBMS (database engine) itself. Unlike other databases, MySQL unfortunately does not provide a Transparent Data Encryption (TDE) solution. Which means we need to go still higher.
MySQL does offer encryption functions that are available to SQL code run from the application, as well as to stored procedures. Please refer to the MySQL documentation for details. You can use these functions to encrypt specific database tables, columns or even individual fields. Just like for disk encryption, it is best to have a key management solution available, so that you don’t need to rely on easy to guess passwords or end up storing your encryption keys along with the data. Once you have a cryptographic key from your key management solution, you can use it in the following SQL statement:
UPDATE T1 SET T1.f = AES_ENCRYPT(value, encryption_key) WHERE …
This will encrypt the value before it is saved into the database. To retrieve the original value you can use AES_DECRYPT to decrypt stored value, as part of a SELECT statement.
There are different ways to wrap this functionality so that code changes are minimized. One alternative is to create a database view that performs decryption of data on the fly, which eliminates the need to change all relevant SELECT statements. The security cost is high though: the encryption key would need to be specified during the view definition and so would be available to all database users with the appropriate privileges. That is, no more protection from a rogue DBA.
You should note that when using the native MySQL encryption functions, the sensitive data is still sent to the database, even if it is never stored. If you want to protect against an active attacker on the database, your best bet is application-level encryption. Essentially all programming languages are nowadays available with decent encryption facilities. Examples include the Java SealedObject class and .NET Cryptographic Services). This may be more onerous than using the MySQL built-ins, but the upside is that you can get better security by using cipher-block chaining (a.k.a. CBC mode) than you’d get with the MySQL native ECB mode.

MySQL Encryption: An Important Layer of Security

To summarize, database encryption provides an important layer of security to your sensitive data. There are different ways to encrypt the data, all very practical. But remember that even the best crypto library will not secure your data unless you are using a secure key management infrastructure

The post Best Practices for MySQL Encryption appeared first on Porticor Cloud Security.

Read the original blog entry...

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.

@ThingsExpo Stories
Existing Big Data solutions are mainly focused on the discovery and analysis of data. The solutions are scalable and highly available but tedious when swapping in and swapping out occurs in disarray and thrashing takes place. The resolution for thrashing through machine learning algorithms and support nomenclature is through simple techniques. Organizations that have been collecting large customer data are increasingly seeing the need to use the data for swapping in and out and thrashing occurs ...
DevOps at Cloud Expo – being held October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real r...
Detecting internal user threats in the Big Data eco-system is challenging and cumbersome. Many organizations monitor internal usage of the Big Data eco-system using a set of alerts. This is not a scalable process given the increase in the number of alerts with the accelerating growth in data volume and user base. Organizations are increasingly leveraging machine learning to monitor only those data elements that are sensitive and critical, autonomously establish monitoring policies, and to detect...
SYS-CON Events announced today that CollabNet, a global leader in enterprise software development, release automation and DevOps solutions, will be a Bronze Sponsor of SYS-CON's 20th International Cloud Expo®, taking place from June 6-8, 2017, at the Javits Center in New York City, NY. CollabNet offers a broad range of solutions with the mission of helping modern organizations deliver quality software at speed. The company’s latest innovation, the DevOps Lifecycle Manager (DLM), supports Value S...
SYS-CON Events announced today that A&I Solutions named "Bronze Sponsor" of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded over 15 years ago in 1999, A&I Solutions continues to provide companies with premier integrated enterprise solutions. By partnering with the trusted and proven solutions of leading technology companies, our customers are assured high performance levels across all IT environments including:...
SYS-CON Events announced today that Progress, a global leader in application development, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Enterprises today are rapidly adopting the cloud, while continuing to retain business-critical/sensitive data inside the firewall. This is creating two separate data silos – one inside the firewall and the other outside the firewall. Cloud ISVs ofte...
SYS-CON Events announced today that Loom Systems will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2015, Loom Systems delivers an advanced AI solution to predict and prevent problems in the digital business. Loom stands alone in the industry as an AI analysis platform requiring no prior math knowledge from operators, leveraging the existing staff to succeed in the digital era. With offices in S...
SYS-CON Events announced today that Enzu will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Enzu’s mission is to be the leading provider of enterprise cloud solutions worldwide. Enzu enables online businesses to use its IT infrastructure to their competitive ad...
The 21st International Cloud Expo has announced that its Call for Papers is open. Cloud Expo, to be held October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, brings together Cloud Computing, Big Data, Internet of Things, DevOps, Digital Transformation, Machine Learning and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding busin...
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm.
SYS-CON Events announced today that delaPlex will exhibit at SYS-CON's @CloudExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. delaPlex pioneered Software Development as a Service (SDaaS), which provides scalable resources to build, test, and deploy software. It’s a fast and more reliable way to develop a new product or expand your in-house team.
SYS-CON Events announced today that T-Mobile will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. As America's Un-carrier, T-Mobile US, Inc., is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The Company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 67.4 million customers who are unwilling to compromise on ...
Five years ago development was seen as a dead-end career, now it’s anything but – with an explosion in mobile and IoT initiatives increasing the demand for skilled engineers. But apart from having a ready supply of great coders, what constitutes true ‘DevOps Royalty’? It’ll be the ability to craft resilient architectures, supportability, security everywhere across the software lifecycle. In his keynote at @DevOpsSummit at 20th Cloud Expo, Jeffrey Scheaffer, GM and SVP, Continuous Delivery Busine...
SYS-CON Events announced today that SoftLayer, an IBM Company, has been named “Gold Sponsor” of SYS-CON's 18th Cloud Expo, which will take place on June 7-9, 2016, at the Javits Center in New York, New York. SoftLayer, an IBM Company, provides cloud infrastructure as a service from a growing number of data centers and network points of presence around the world. SoftLayer’s customers range from Web startups to global enterprises.
SYS-CON Events announced today that Peak 10, Inc., a national IT infrastructure and cloud services provider, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Peak 10 provides reliable, tailored data center and network services, cloud and managed services. Its solutions are designed to scale and adapt to customers’ changing business needs, enabling them to lower costs, improve performance and focus intern...
SYS-CON Events announced today that Linux Academy, the foremost online Linux and cloud training platform and community, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Linux Academy was founded on the belief that providing high-quality, in-depth training should be available at an affordable price. Industry leaders in quality training, provided services, and student certification passes, its goal is to c...
SYS-CON Events announced today that Hitachi Data Systems, a wholly owned subsidiary of Hitachi LTD., will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City. Hitachi Data Systems (HDS) will be featuring the Hitachi Content Platform (HCP) portfolio. This is the industry’s only offering that allows organizations to bring together object storage, file sync and share, cloud storage gateways, and sophisticated search and...
Internet of @ThingsExpo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with the 21st International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. @ThingsExpo Silicon Valley Call for Papers is now open.
SYS-CON Events announced today that DivvyCloud will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. DivvyCloud software enables organizations to achieve their cloud computing goals by simplifying and automating security, compliance and cost optimization of public and private cloud infrastructure. Using DivvyCloud, customers can leverage programmatic Bots to identify and remediate common cloud problems in rea...
SYS-CON Events announced today that Tintri, Inc, a leading provider of enterprise cloud infrastructure, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Tintri offers an enterprise cloud platform built with public cloud-like web services and RESTful APIs. Organizations use Tintri all-flash storage with scale-out and automation as a foundation for their own clouds – to build agile development environments...