Home ยป Security Questions Applied to MySQL

Reply to comment

Security Questions Applied to MySQL

Posted June 6th, 2007 by JonC

I came across a list of possible questions for a security panel and thought it may be interesting to apply some of them to MySQL and see what happens .


* What is the biggest challenge in data security?

I would suggest it is always the same problem with security - human error. It seems that no matter how well you protect the data, people will be the weakest link in the chain. This could come from social engineering, or to the point where the admin does silly things like deleting/dropping data from the wrong area.

How can we address this problem with MySQL? There are some configuration options that let you force safer interaction like safe-updates etc, but it will never be enough. Backups are probably the best answer.


* How important is it to bring users (i.e. the business side of the house) into data security conversations?

This one is an interesting one and should probably have its own blog article, but I will keep it simple this time :)
What do the users have to offer, particularly the business people, that could improve data security? Most importantly, it is a different perspective to the typical data architect or DBA. Quite often a DBA can look at the data purely from a resource point of view - how much storage, RAM etc, or maybe a performance perspective - throughput, inserts per second etc. Often the schema can be created based on these ideas and certain areas can be missed that are obvious to these other business areas.

This can even be the case of users of a web application. Sometimes a DBA will design the database for best performance, but does not see it from the viewpoint of the user. Why did they miss out certain information, why are the fields abbreviated rather than informative etc? It can be good to have somebody take an alternative view of what is being worked on to see if "tunnel vision" is causing problems.


* How many of you are using encrypted data transmission?

I must say that I have not seen too many sights with MySQL using encrypted data connections in production. Is this a security issue? I guess it depends on the path of the data. It must be considered that many of the MySQL servers are based on simple web application setups. These are quite often single server setups running both web server and database on the one machine and accessing it through a unix socket, so encrypted data transmission in this scenario does not make much sense.

So when can it make sense for encrypted data? Geographical replication is one example where it could be useful. Setting up SSL connections make sense here to avoid interception. Even transfer between departments within a large company may require the encryption, but it is not a matter of encrypting for the sake of it. Encryption adds overhead, and if it is not necessary, then it is better not to use it. Encryption can be a significant area of data security, but it is not an essential element for data protection.


* How many of you are using single sign-on? What were the challenges implementing it?

Currently this is not possible with MySQL, or many other open source databases for that matter. This will change in the newer versions of MySQL from an estimated 5.2 upwards when the new pluggable authentication framework is in place. This has the ability to change the authentication method to use techniques such as LDAP, Radius or PAM authentication for example, rather than the system tables under the mysql database.

The advantage will be that MySQL can authenticate again all major methods of authentication, and even customized solutions based on a simple positive/negative type result being return from custom code.


* The new Web 2.0 technologies are introducing new security concerns, how are they managed?

I am uncertain what specific security concerns are exposed with Web 2.0 technologies, so I will address the areas I think may apply. The first one is that it is predominantly XML based data. Can XML data be managed with MySQL? Yes, there is newer functions within MySQL to handle XML data including XPath style searches. Does MySQL offer the optimal storage method for XML data - probably not, but XML is simply text so this is easily stored and compressed in MySQL.

The other is data access using Web 2.0 technologies. However, the Web 2.0 principles are designed with the idea of data encapsulation in mind. Data is accessed indirectly through web services which return not a standard record format, but a formatted XML object. So can this be managed with MySQL? Well, there is the my_http engine which supposedly works with http requests and can query web services, but I have not tested this as yet.


* Some classify the data security process into five concepts: inventory (know what you have), streamline (keep only what is needed), protect (defend what you have), dispose (properly remove what's no longer required, per retention policies), and plan (data security response plan). Of these five concepts, where are you focusing the bulk of your effort right now? Which does the industry as a whole need to improve in? Where do you forecast the biggest upcoming changes?

I think this one I will save to do a complete blog article on next time - so stay tuned! :)

Reply

The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
  • You may post PHP code. You should include <?php ?> tags.
  • Web page addresses and e-mail addresses turn into links automatically.

More information about formatting options