Bryan Alsdorf, MariaDB: “logs and backups should be protected from everyone, including your administrative account”

This article first appeared in Cybernews. It is reprinted with permission. © 2022 Cybernews – Latest Cybersecurity and Tech News, Research & Analysis. All rights reserved.

Today, enterprises are constantly considering how to leverage open-source cloud management.

As a consequence, you can now find multiple free-to-download tools and use them within a public cloud platform. But how to choose the right one?

To talk about this and more, we sat down with Bryan Alsdorf, Director of IT and Head of Information Security at MariaDB Corporation – one of the most popular open-source relational databases providers.

Tell us about your journey. How did the idea of MariaDB originate?

I joined MariaDB Corporation almost 14 years ago and have watched the company grow and celebrate some key milestones. With over 20 years of IT experience, I currently lead and oversee all IT and security operations at the company. Prior to joining MariaDB, I was at MySQL.

MariaDB builds the database for all. Our database software is designed to support any workload, any scale, and any cloud, and meets the same core requirements as proprietary databases at a fraction of the cost. MariaDB database software has been downloaded over one billion times and is used by fast-growing startups to the Fortune 500. Our database products are the backbone of services people use every day. Real businesses rely on MariaDB™.

Can you introduce us to what you do? What are the main challenges you help navigate?

I contribute to making the company succeed on a daily basis, from the day-to-day mundane things like mailing someone a new laptop to overseeing our strategic cloud initiatives. I also manage our security and ensure our employees can operate efficiently while being secured at all times and create the necessary guardrails.

It can be challenging at times to determine how to strike the right balance between business needs and security, but also to plan strategically when prioritizing immediate needs. I am also very passionate about our company’s culture and continue to promote it while also serving as a mentor to employees and coordinating projects between different departments.

It is evident that open source is an important part of MariaDB. Would you like to share more about your vision?

Since I’ve worked the majority of my career in open source, I actually struggle to find why anyone would want to be locked into a closed source vendor. External contributions stimulate new ideas, facilitating MariaDB engineers to build revolutionary features that are forging a new future for developers and their use of databases.

MariaDB’s position as a disruptor both in terms of price and technology is a result of its open source heritage. Unlike proprietary legacy alternatives, we have cultivated a vibrant community that has racked up over 190,000 contributions to the product line – a level of contribution second to no other open source database based on GitHub counts.

How did the recent global events affect your field of work?

I think recent global events such as COVID have made companies more aware of cyber threats. But cyber threats haven’t changed much. While some attacks are to create chaos and terror, cybercriminals are generally motivated by profit, so any attack is extortion to make money. Companies are increasingly investing in security solutions now to hopefully avoid paying more down the road.

One way companies are looking to secure themselves is with a database-as-a-service (DBaaS) to avoid database breaches. As opposed to deploying and configuring databases on their own, a DBaaS has security baked into the product and dedicated staff to design, implement and maintain a secure environment instead of relying on your staff who may be juggling many responsibilities and manually configuring an open community version.

For example, MariaDB SkySQL was designed with a data security first approach, incorporating security features by default, including a number of methods to control who has access to the database, enterprise auditing capabilities, and isolation due to the use of Kubernetes. All these security measures help reduce risk and ensure the database is fully secure from outside attacks or misconfigured databases.

Why do you think certain companies are reluctant to update their cybersecurity or try out new, innovative measures?

I actually think we have seen more companies investing in security solutions now to hopefully avoid paying more down the road.

Besides quality data backup and recovery solutions, what other security measures do you think should be adopted by every modern company?

Zero trust approaches to security are indeed the way forward—where no entity is trusted, and only those privileges needed for a person, application, or microservice to complete its task are granted.

Cloud databases are a special animal when it comes to zero-trust security. They have complex properties, but right now, beyond access policies, zero trust is enforced at the application level and in the movement of data to and fro, rather than inside the database itself. It may be that row-level and field-level encryption can be embedded in a cloud database, but that’s not a feature in general use now.

That said, here are the must-haves for security:

Choose a cloud database with configurations that are secure by default, not open by default. Misconfiguration is one of the biggest issues that result in data breaches. This doesn’t necessarily mean that dials are tuned to the absolutely most locked-down settings, but well-configured baseline security is a must-have.

Use network isolation with a virtual private cloud or connection (VPC) or private link. Ensure there’s no possibility that an external connection can get to your database. If not using a VPC, restrict access by IP address not just on the firewall but at the database and database proxy level. Firewalls generally can’t distinguish between an approved user and an attacker.

Enforce unique accounts with strong passwords. Give different application servers and different users all their own accounts; give them all strong passwords and rotate those passwords. Reusing accounts and passwords increases the risk of exposure.

Use multi-factor authentication and enhanced, granular access control that seeks constant validation of entities seeking data. Limit accounts to the data they need to access. That is, enforce least privilege access to sensitive data and implement alerts on suspicious activities and policy violations.

Monitor database activity rigorously. Monitoring the real-time data stream of database activity for unusual or non-compliant behaviors helps protect against insider risks. Use policy-based monitoring and enforcement. Ensure detection of database misconfiguration that exposes vulnerabilities.
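The first five must-haves above (secure baseline, access restricted at the database level, unique accounts with rotated passwords, least privilege, and monitoring), worked through as an added example that is not part of the interview or of MariaDB's own documentation. The schema name shop, the table orders, the subnets 10.0.2.0/24 and 10.0.3.0/24 and the account names are constructed; the syntax assumes MariaDB 10.5 or later.

```sql
-- Added example (not from the interview): a MariaDB account and audit
-- baseline. Schema "shop", table "orders", the subnets and account names
-- are constructed; PASSWORD EXPIRE INTERVAL needs MariaDB 10.4+, and
-- require_secure_transport needs 10.5+.

-- What "open by default" looks like (shown as comments, not to be run):
-- one shared account, any source host, every privilege, weak password.
--   CREATE USER 'app'@'%' IDENTIFIED BY 'app';
--   GRANT ALL PRIVILEGES ON *.* TO 'app'@'%' WITH GRANT OPTION;

-- 1. Restrict access at the database level, not only at the firewall:
--    each account is bound to the subnet its application servers live in.
--    Each application and each human gets its own account, passwords are
--    rotated by forced expiry, and TLS is mandatory for the connection.
CREATE USER 'app_orders'@'10.0.2.%'
  IDENTIFIED BY '<generated-secret-placeholder>'
  REQUIRE SSL
  PASSWORD EXPIRE INTERVAL 90 DAY;

CREATE USER 'reporting'@'10.0.3.%'
  IDENTIFIED BY '<generated-secret-placeholder>'
  REQUIRE SSL
  PASSWORD EXPIRE INTERVAL 90 DAY;

-- 2. Least privilege: the order service can read and write its own table
--    only; the reporting account is read-only on the schema. Neither can
--    alter schema objects, drop tables or grant privileges to others.
GRANT SELECT, INSERT, UPDATE ON shop.orders TO 'app_orders'@'10.0.2.%';
GRANT SELECT ON shop.* TO 'reporting'@'10.0.3.%';

-- 3. Secure baseline settings applied at runtime (persist them in the
--    server configuration file as well): refuse plaintext connections
--    and disable client-side LOAD DATA LOCAL.
SET GLOBAL require_secure_transport = ON;
SET GLOBAL local_infile = 0;

-- 4. Monitoring: enable the MariaDB Audit Plugin and record connections
--    plus schema (DDL) and privilege (DCL) changes, which is where
--    insider misuse and creeping misconfiguration show up.
INSTALL SONAME 'server_audit';
SET GLOBAL server_audit_events = 'CONNECT,QUERY_DDL,QUERY_DCL';
SET GLOBAL server_audit_logging = ON;

-- 5. Misconfiguration check: any account still reachable from every host,
--    or holding SUPER / GRANT OPTION, is a finding to review.
SELECT User, Host FROM mysql.user WHERE Host = '%';
SELECT User, Host FROM mysql.user WHERE Super_priv = 'Y' OR Grant_priv = 'Y';
SHOW GRANTS FOR 'app_orders'@'10.0.2.%';
```

Run the queries in step 5 on a schedule and alert on any new row; a wildcard host or a freshly granted SUPER privilege is exactly the drift the "secure by default" point warns about.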

Implement key data protection measures, including encryption of data in transit and backups at rest, and automate the patching of vulnerabilities.

Make sure offsite logs and backups are immutable. Logs and backups should be protected from everyone, including your administrative account. If attackers compromise DBA credentials, they will not be able to go in and delete backups.

In a system leveraging cloud microservices architecture, for “east-west” communications inside a network, use microsegmentation, which isolates workloads in order to neutralize malicious lateral movement. With this approach, certain kinds of service mesh proxy filters can produce metadata to stop writes into a database, so that a packet will never reach the database, thus containing data breaches.

Have a clear, detailed plan ready to deal with major events like cloud outages, ransomware attacks, and data breaches. A plan should explain exactly how the team is expected to respond to a disaster and who does what.

As for individual users, what personal cybersecurity tools do you think everyone should invest in?

It is important to use multi-factor authentication for your personal accounts and have a strong password. And just as valuable, always have a suspicious mindset. If an email or website has any red flags, be cautious.

Tell us, what’s next for MariaDB?

Earlier this year, we announced the intent to become a publicly traded company via combination with Angel Pond Holdings Corporation, and we’re very excited about this. We also recently announced the appointment of Christine Napoli as chief financial officer, and Christine Russell as a new board member to support MariaDB’s next phase of growth.