Welcome!

Containers Expo Blog Authors: Elizabeth White, Liz McMillan, Pat Romanski, Yeshim Deniz, Moshe Kranc

Blog Feed Post

Best Practices for MySQL Encryption

MySQL encryption cloud security best practices  mytechlogy Best Practices for MySQL EncryptionMany applications have a database at their core, and very often, this database is the mature and popular MySQL. Often it is the most sensitive information that gets stored in the database: customer details, credit card numbers, passwords (or password hashes) and so on. MySQL encryption is an industry best practice.

MySQL Encryption: Why?

Obviously, the sensitive information within the database is enough motivation for secure MySQL Encryption.
Often there are also requirements by regulatory bodies to encrypt the database-resident data, either applying to the entire database or to selected tables or columns.
There is often another motivation to encrypt some of the data: segregation between users, between applications, and most often between administrative users – such as the Database Administrator – and the business data. Without encryption, the DBA can read any of the data stored in the database. With encryption, provided it happens at the right layer, you can protect the most sensitive data, while keeping most of the data unencrypted and so more accessible to applications and utility tools.

MySQL Encryption: How?

Until recently, you typically needed to set up your own MySQL instance on a server, and manage the database yourself. The organization would have to deal with scaling, replication, backups and disaster recovery. Many organizations ended up employing a full time person to continuously care for the database.
In the last few years, cloud-based databases have become increasingly popular. The most prominent one is Amazon Web Services’ RDS, a service that supports several database technologies, including MySQL. It should be noted that RDS and other cloud databases do not in general provide encryption out of the box. Some of the techniques described below also apply to cloud databases, with the important exception of full-disk encryption.

MySQL Encryption: Available Options

The simplest way to encrypt a database is to overlay it on a fully-encrypted disk. There are many solutions available for full-disk encryption (FDE). Two examples are the Linux open-source dm-crypt, and the more user-friendly Porticor Virtual Private Data, which bundles up-in-minutes full disk encryption together with an innovative and highly secure key management service.
Once you have the encrypted disk, it is an easy matter to configure the database so that the data directory resides on that disk. Now, assuming you manage your encryption keys correctly, if you ever lose your disk, you do not need to worry about your sensitive data being exposed to prying eyes. This addresses some of the threats facing your data, but clearly not all of them. For example, someone who breaks into the application or someone who obtains administrative privileges on the database would still be able to read the data, even though it is fully encrypted.
So let us look at encryption at a higher layer. The next layer up from the disk would be the RDBMS (database engine) itself. Unlike other databases, MySQL unfortunately does not provide a Transparent Data Encryption (TDE) solution. Which means we need to go still higher.
MySQL does offer encryption functions that are available to SQL code run from the application, as well as to stored procedures. Please refer to the MySQL documentation for details. You can use these functions to encrypt specific database tables, columns or even individual fields. Just like for disk encryption, it is best to have a key management solution available, so that you don’t need to rely on easy to guess passwords or end up storing your encryption keys along with the data. Once you have a cryptographic key from your key management solution, you can use it in the following SQL statement:
UPDATE T1 SET T1.f = AES_ENCRYPT(value, encryption_key) WHERE …
This will encrypt the value before it is saved into the database. To retrieve the original value you can use AES_DECRYPT to decrypt stored value, as part of a SELECT statement.
There are different ways to wrap this functionality so that code changes are minimized. One alternative is to create a database view that performs decryption of data on the fly, which eliminates the need to change all relevant SELECT statements. The security cost is high though: the encryption key would need to be specified during the view definition and so would be available to all database users with the appropriate privileges. That is, no more protection from a rogue DBA.
You should note that when using the native MySQL encryption functions, the sensitive data is still sent to the database, even if it is never stored. If you want to protect against an active attacker on the database, your best bet is application-level encryption. Essentially all programming languages are nowadays available with decent encryption facilities. Examples include the Java SealedObject class and .NET Cryptographic Services). This may be more onerous than using the MySQL built-ins, but the upside is that you can get better security by using cipher-block chaining (a.k.a. CBC mode) than you’d get with the MySQL native ECB mode.

MySQL Encryption: An Important Layer of Security

To summarize, database encryption provides an important layer of security to your sensitive data. There are different ways to encrypt the data, all very practical. But remember that even the best crypto library will not secure your data unless you are using a secure key management infrastructure

The post Best Practices for MySQL Encryption appeared first on Porticor Cloud Security.

Read the original blog entry...

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.

@ThingsExpo Stories
"We've been engaging with a lot of customers including Panasonic, we've been involved with Cisco and now we're working with the U.S. government - the Department of Homeland Security," explained Peter Jung, Chief Product Officer at Pulzze Systems, in this SYS-CON.tv interview at @ThingsExpo, held June 6-8, 2017, at the Javits Center in New York City, NY.
SYS-CON Events announced today that Calligo, an innovative cloud service provider offering mid-sized companies the highest levels of data privacy and security, has been named "Bronze Sponsor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Calligo offers unparalleled application performance guarantees, commercial flexibility and a personalised support service from its globally located cloud plat...
"We are focused on SAP running in the clouds, to make this super easy because we believe in the tremendous value of those powerful worlds - SAP and the cloud," explained Frank Stienhans, CTO of Ocean9, Inc., in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Internet of @ThingsExpo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devic...
"The Striim platform is a full end-to-end streaming integration and analytics platform that is middleware that covers a lot of different use cases," explained Steve Wilkes, Founder and CTO at Striim, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We provide IoT solutions. We provide the most compatible solutions for many applications. Our solutions are industry agnostic and also protocol agnostic," explained Richard Han, Head of Sales and Marketing and Engineering at Systena America, in this SYS-CON.tv interview at @ThingsExpo, held June 6-8, 2017, at the Javits Center in New York City, NY.
SYS-CON Events announced today that DXWorldExpo has been named “Global Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Digital Transformation is the key issue driving the global enterprise IT business. Digital Transformation is most prominent among Global 2000 enterprises and government institutions.
SYS-CON Events announced today that Datera, that offers a radically new data management architecture, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datera is transforming the traditional datacenter model through modern cloud simplicity. The technology industry is at another major inflection point. The rise of mobile, the Internet of Things, data storage and Big...
DX World EXPO, LLC., a Lighthouse Point, Florida-based startup trade show producer and the creator of "DXWorldEXPO® - Digital Transformation Conference & Expo" has announced its executive management team. The team is headed by Levent Selamoglu, who has been named CEO. "Now is the time for a truly global DX event, to bring together the leading minds from the technology world in a conversation about Digital Transformation," he said in making the announcement.
"MobiDev is a Ukraine-based software development company. We do mobile development, and we're specialists in that. But we do full stack software development for entrepreneurs, for emerging companies, and for enterprise ventures," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
While the focus and objectives of IoT initiatives are many and diverse, they all share a few common attributes, and one of those is the network. Commonly, that network includes the Internet, over which there isn't any real control for performance and availability. Or is there? The current state of the art for Big Data analytics, as applied to network telemetry, offers new opportunities for improving and assuring operational integrity. In his session at @ThingsExpo, Jim Frey, Vice President of S...
SYS-CON Events announced today that DXWorldExpo has been named “Global Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Digital Transformation is the key issue driving the global enterprise IT business. Digital Transformation is most prominent among Global 2000 enterprises and government institutions.
In his opening keynote at 20th Cloud Expo, Michael Maximilien, Research Scientist, Architect, and Engineer at IBM, discussed the full potential of the cloud and social data requires artificial intelligence. By mixing Cloud Foundry and the rich set of Watson services, IBM's Bluemix is the best cloud operating system for enterprises today, providing rapid development and deployment of applications that can take advantage of the rich catalog of Watson services to help drive insights from the vast t...
SYS-CON Events announced today that EnterpriseTech has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. EnterpriseTech is a professional resource for news and intelligence covering the migration of high-end technologies into the enterprise and business-IT industry, with a special focus on high-tech solutions in new product development, workload management, increased effic...
SYS-CON Events announced today that Massive Networks, that helps your business operate seamlessly with fast, reliable, and secure internet and network solutions, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. As a premier telecommunications provider, Massive Networks is headquartered out of Louisville, Colorado. With years of experience under their belt, their team of...
SYS-CON Events announced today that Cloud Academy named "Bronze Sponsor" of 21st International Cloud Expo which will take place October 31 - November 2, 2017 at the Santa Clara Convention Center in Santa Clara, CA. Cloud Academy is the industry’s most innovative, vendor-neutral cloud technology training platform. Cloud Academy provides continuous learning solutions for individuals and enterprise teams for Amazon Web Services, Microsoft Azure, Google Cloud Platform, and the most popular cloud com...
SYS-CON Events announced today that Cloudistics, an on-premises cloud computing company, has been named “Bronze Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Cloudistics delivers a complete public cloud experience with composable on-premises infrastructures to medium and large enterprises. Its software-defined technology natively converges network, storage, compute, virtualization, and ...
SYS-CON Events announced today that CHEETAH Training & Innovation will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct. 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CHEETAH Training & Innovation is a cloud consulting and IT training firm specializing in improving clients cloud strategies and infrastructures for medium to large companies.
SYS-CON Events announced today that Datanami has been named “Media Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datanami is a communication channel dedicated to providing insight, analysis and up-to-the-minute information about emerging trends and solutions in Big Data. The publication sheds light on all cutting-edge technologies including networking, storage and applications, and thei...
The current age of digital transformation means that IT organizations must adapt their toolset to cover all digital experiences, beyond just the end users’. Today’s businesses can no longer focus solely on the digital interactions they manage with employees or customers; they must now contend with non-traditional factors. Whether it's the power of brand to make or break a company, the need to monitor across all locations 24/7, or the ability to proactively resolve issues, companies must adapt to...