MariaDB Enterprise Security

Overview

MariaDB SkySQL incorporates features focused on enterprise governance, risk, and compliance (GRC) and information security (infosec) requirements.

Portal Accounts

The SkySQL Portal is used to manage SkySQL services.

Portal Accounts

Authenticate to SkySQL using a MariaDB ID, tied to a social login or email account

SkySQL Teams

Optionally, multiple SkySQL user accounts can jointly maintain services under a single billing profile

Enterprise Authentication

Optionally, authenticate to SkySQL Portal with your SAML 2.0 IDP (identity provider)

Database Accounts

Database user accounts

Authentication to SkySQL services

LDAP

Optionally, authenticate to SkySQL services using LDAP (Lightweight Directory Access Protocol)

2FA

Optionally, authenticate to SkySQL services with two-factor authentication

IP Allowlisting

IP allowlist for monitoring

Control whether an IP address can access SkySQL Monitoring

IP allowlist for services

Control whether an IP address can connect to a SkySQL service

Security Controls

Default Security Controls

MariaDB SkySQL has been designed and built from the ground up to incorporate security features by default:

  • Access control with IP allowlisting

  • API keys for automation

  • Database user accounts and privileges

  • Portal user accounts

  • Data-at-rest encryption

  • Data-in-transit encryption

  • Server hardening

    • Shell access to database servers is not offered

    • Users cannot write to the server file system

    • Some standard MariaDB plugins can be installed using Configuration Manager

    • It is not possible to install additional plugins to the file system's plugin directory

  • Power Tier customers have dedicated Kubernetes clusters

For additional information on MariaDB security practices, see the MariaDB Trust Center.

Available Options

  • Enterprise Audit

  • AWS PrivateLink, which can reduce the exposure of cross-region traffic from AWS to the public internet

  • VPC peering, which can reduce the exposure of cross-region traffic from GCP to the public internet