MariaDB Database Security

Advanced database security

data protection + threat detection and prevention

The importance of advanced database security cannot be overstated. That’s why MariaDB database products take a security-first approach. All MariaDB database products meet rigorous security standards, including a DoD-approved Security Technical Implementation Guide (STIG) for MariaDB Enterprise Server. For more on security and compliance, visit our Trust Center.

How to maximize security and data protection with MariaDB Enterprise Server

This webinar provides a detailed overview of the security features available in MariaDB Enterprise Server.


6 key steps to ensuring database security

SkySQL and all its MariaDB databases deploy as cloud native, containerized services, taking advantage of all AWS and Google Cloud security services. Additionally, there are built-in, enterprise-grade security features.


Database firewall

The firewall plugin uses rule-based configuration to intercept and block suspect queries based on multiple parameters (e.g., user or syntax). For example, it can prevent malicious attacks like SQL injection from deleting rows in a table or accessing restricted tables/columns.

End-to-end encryption

The connections between clients, proxies and databases can be encrypted with Transport Layer Security (TLS) to protect data in motion while tables and binary logs can be encrypted with Advanced Encryption Standard (AES) algorithms to protect data at rest – and there are plugins for the AWS Key Management Service (KMS) and the eperi Gateway.

Data masking

SkySQL, through MaxScale, has built-in, granular data obfuscation to prevent unauthorized viewing of any column of data within a row. The data masking plugin can be configured to hide sensitive data (e.g., PII/SPI such as credit card numbers and Social Security numbers).


Auditing

The auditing plugin can be configured to track all database events – connections, queries (DML/DDL/DCL) and tables accessed – logging the time, username and host, database and operation, and more. In addition to local files, remote files are supported via syslog and rsyslog – often to aggregate database events from multiple servers and/or restrict access.

Denial of service protection

The result limiting filter can be configured to block malicious queries intended to slow down the database by returning thousands if not millions of rows. In addition, to protect from denial of service (DoS) and distributed denial of service (DDoS) attacks, user resource limits can be set to restrict the frequency of connections, queries and more.

Pluggable authentication and role/group authorization

LDAP authentication with user and group mapping is supported via the Pluggable Authentication Module (PAM) plugin, as are SSH passwords, one-time passwords and two-factor authentication via Google Authenticator. Password validation plugins can be enabled to enforce strong passwords. In addition, administrators can configure role-based access control (RBAC).
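
The user resource limits, PAM authentication and RBAC described in the two sections above, as an added example in MariaDB SQL (not taken from MariaDB's own documentation or this page). The database, role, account names, host patterns, limit values, password placeholder and PAM service name are all assumptions.

```sql
-- Added example. All names, hosts, limits and the PAM service name
-- ('mariadb') are assumptions chosen for illustration.

-- Load the PAM authentication plugin (once per server).
INSTALL SONAME 'auth_pam';

-- RBAC: privileges are granted to a role, not to individual accounts.
CREATE ROLE reporting_ro;
GRANT SELECT ON shop.orders TO reporting_ro;

-- Service account: TLS is mandatory, and user resource limits cap how
-- often it may connect and query, so one runaway or abusive client
-- cannot exhaust the server.
CREATE USER 'report_svc'@'10.0.0.%'
  IDENTIFIED BY 'Example-Only-Passw0rd!'   -- constructed placeholder, replace
  REQUIRE SSL
  WITH MAX_CONNECTIONS_PER_HOUR 120
       MAX_QUERIES_PER_HOUR 5000
       MAX_USER_CONNECTIONS 5;

GRANT reporting_ro TO 'report_svc'@'10.0.0.%';
SET DEFAULT ROLE reporting_ro FOR 'report_svc'@'10.0.0.%';

-- Human account authenticated through PAM. What PAM checks (LDAP,
-- one-time passwords, ...) is defined in the PAM service file,
-- assumed here to be /etc/pam.d/mariadb.
CREATE USER 'alice'@'%'
  IDENTIFIED VIA pam USING 'mariadb'
  REQUIRE SSL;

GRANT reporting_ro TO 'alice'@'%';

-- Review: the output lists the TLS requirement, the resource limits
-- and the granted role for the service account.
SHOW GRANTS FOR 'report_svc'@'10.0.0.%';
```

A role that is granted but not set as the default stays inactive until the session runs SET ROLE, so 'alice' above has no access to shop.orders until she activates reporting_ro.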


Data protection and regulations

Today, many companies have to comply with one or more security standards and regulations – PCI, HIPAA, SOX and GDPR, to name a few. MariaDB is engineered for security, whether it’s encryption and key management for PCI compliance or pseudonymization (i.e., data masking) for GDPR compliance.

MariaDB security components

MariaDB security topology using multi-master clustering with synchronous replication and read/write splitting.

Enterprise data security with MariaDB

MariaDB secures data at every layer – from encrypted communication and storage to pluggable authentication and role-based access control, plus an advanced database proxy with a built-in firewall to detect and prevent data breaches by blocking queries and masking sensitive data.
