MariaDB SkySQL Takes a Data Security First Approach

According to a recent report by Palo Alto Networks, “Regarding publicly disclosed cloud security incidents, 65% were the result of misconfigurations.”

Given the confluence of ever more business migrating to the cloud and the prevalence of security breaches in the news, security was a top priority for us when designing MariaDB SkySQL. Data security is a guiding principle for MariaDB SkySQL, and all SkySQL databases incorporate features that make them secure by default.

  • SSL/TLS required for any database access
  • MariaDB Enterprise Audit for audit logging
  • 100% automatic Data-at-Rest Encryption
  • Data-in-Transit Encryption with support for TLS 1.2 and TLS 1.3
  • Locked-down firewalls, access restricted to whitelisted IP addresses
  • Audit of internal access to SkySQL
  • Isolation via Google Kubernetes Engine

Encryption

Your data is automatically secure both in transit and at rest in SkySQL. Data-in-transit encryption is supported with TLS 1.2 and TLS 1.3. Data-at-rest encryption is 100% automatic due to the security inherent in Google Cloud. Google Cloud automatically encrypts all customer content stored at rest, without any action required from the customer. More details are available at Google Data-at-rest Encryption.

Controlled Access

Access on SkySQL is controlled using a variety of methods. All database access connections must use SSL/TLS. Access to MariaDB SkySQL services is restricted to whitelisted IP addresses managed by the account owner from the SkySQL Portal. A separate IP whitelist is maintained for access to SkySQL Monitoring and Workload Analysis.

Even the SkySQL team's access to backend systems for maintenance, updates, etc. goes through a security umbrella where each and every keystroke is logged and stored.

Audit

MariaDB Enterprise Audit is included with SkySQL services using MariaDB Enterprise Server 10.4 and 10.5. It includes advanced filtering features that let you narrowly define which information is logged. MariaDB Enterprise Audit comes pre-installed but must be enabled and configured before logging will occur. Customers can configure it to log data access and database operations, and when control parameters must also be audited, it can log configuration changes.

Isolation

MariaDB Platform on SkySQL services run in containers powered by Kubernetes, which inherently provides isolation. Privileges within the container are tightly restricted by a security context that prevents malicious users from gaining root privileges. Network access is restricted by network policies. Storage devices are also accessed through Kubernetes, providing strict isolation of each account.

Secure by Default

Of course you will add controls specific to your application and database, but you can be secure in the knowledge that your SkySQL database immediately incorporates features that keep your service and data secure without requiring additional configuration.
