Let’s first look at the three main OS-level vulnerabilities that allow an attacker to breach security and get to the sensitive information stored in a MySQL database. These vulnerabilities are not unique to a MySQL database server; they apply to most application servers. However, we’ll continue to refer to the MySQL server here, as it’s a widely used database on the Internet. Here are the top system-level vulnerabilities:
* Super-users can simply modify MySQL data, as it is stored in flat files.
* Most system services on the MySQL database server are run with administrative privileges. If a service gets compromised through a remotely-exploitable bug, then the attacker could gain access to the information stored in the database.
* Many times the application accessing the MySQL database is installed on the same server. This further opens up the resulting setup to all sorts of attacks, depending on how secure the application is.
– Reduce the Radar Cross-Section
Trim down your operating system to run only essential services that are needed to run the MySQL server. A smaller number of running programs reduces the “radar cross-section” and makes it easier to actively monitor those few services for problems.
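One way to check a host against both points above (services that are not needed, and needed services that run with administrative privileges) is to review its listening sockets. The script below is an added example, not part of the original article; the `ALLOWED` list, the function names and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# ALLOWED is an assumption: the process names this host is meant to expose.
ALLOWED="${ALLOWED:-mysqld sshd}"

# Account a PID runs as. demo() below replaces this with constructed data.
owner_of() { ps -o user= -p "$1" 2>/dev/null | tr -d ' '; }

# stdin:  lines from `ss -H -tulpn` (run as root so the process column is filled).
# stdout: "<FINDING> <process> <pid> <local-address> <owner>", one per finding.
audit_listeners() {
  awk '{
      name = "?"; pid = "?"; addr = "?"
      # The local address sits two fields before the users:(...) column.
      for (i = 3; i <= NF; i++) if ($i ~ /^users:/) addr = $(i - 2)
      if (match($0, /\(\("[^"]+"/)) name = substr($0, RSTART + 3, RLENGTH - 4)
      if (match($0, /pid=[0-9]+/))  pid  = substr($0, RSTART + 4, RLENGTH - 4)
      print name, pid, addr
    }' |
  while read -r name pid addr; do
    owner=$(owner_of "$pid")
    case " $ALLOWED " in
      *" $name "*)
        # Expected service: still report it if a compromise would yield root.
        if [ "$owner" = "root" ]; then
          echo "RUNS_AS_ROOT $name $pid $addr $owner"
        fi ;;
      *)
        # Not needed to run MySQL: candidate for removal or disabling.
        echo "UNEXPECTED $name $pid $addr ${owner:-?}" ;;
    esac
  done
}

# Constructed sample (not captured from a real host).
demo() {
  owner_of() { case "$1" in 1040) echo mysql ;; *) echo root ;; esac; }
  audit_listeners <<'EOF'
tcp LISTEN 0 151 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1040,fd=21))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 128 0.0.0.0:631 0.0.0.0:* users:(("cupsd",pid=655,fd=7))
EOF
}
```

On a real host, pipe `ss -H -tulpn` into `audit_listeners`; calling `demo` runs the same check over the constructed sample.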
– Encrypt Your Data At The OS Layer
Encryption doesn’t lead to automatic security – it’s just one step in the right direction towards making your data secure. However, encrypting MySQL data comes with its own set of challenges:
– At what level should encryption take place?
– What encryption algorithm should be used?
– What key length is appropriate?
– Where should the encryption key be stored?
– Will the encryption key be available five or ten years from now?
– Should MySQL backups be encrypted? If so, what is the key management plan for the archived data sets?
– Can I recover my data in case of a disaster?
To summarize, a MySQL server that has been stripped down to run just the essential services, combined with transparent data encryption and advanced access control mechanisms (that can stop a malicious “root” user from accessing data), can raise the security posture of your MySQL operating environment. Server General TDE can help you encrypt MySQL data with ease, while Server General KMS can help you manage the MySQL master encryption key if you are using the embedded encryption functionality of your MySQL server (this embedded encryption functionality is available in release 5.7.12 and above).