Priyank Parikh, August 3, 2024
MySQL

Tessell for MySQL: Security Overview and Guidelines


Introduction

Tessell for MySQL, a fully managed MySQL database service on the cloud of your choice and on your terms, ships with a set of security controls that are applied by default at provisioning. Customers can layer additional controls on top to further reduce the risk of unauthorized access or to meet industry compliance requirements such as PCI DSS and ISO 27001.
This document describes the security measures that Tessell for MySQL applies by default and the additional options that customers can enable at their discretion.

Authentication and Authorization

Username and Password with Default Plugin

Tessell enforces username and password rules through an OPA (Open Policy Agent) policy. Every new instance is provisioned with a master user, and the master password chosen during provisioning must satisfy the following rules:

  1. Length: minimum 12 characters, maximum 32 characters.
  2. Must not be the same as the login username.
  3. Must contain at least one lowercase and at least one uppercase letter.
  4. Must contain at least one digit.
  5. Must contain at least one symbol or special character.

<p class="info">During a database migration, the source's user accounts are copied to Tessell as-is, including their password hashes and authentication plugins. These accounts are not subject to the rules above, so the customer must explicitly review every migrated username, password and plugin.</p>

Use the caching_sha2_password plugin rather than mysql_native_password. caching_sha2_password stores a salted SHA-256 hash and protects the password in transit with TLS or an RSA key-pair exchange; mysql_native_password relies on SHA-1 and has been deprecated since MySQL 8.0.34. Migrated accounts are the usual place to find the old plugin still in use.
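The following statements, added here as an example and not taken from the Tessell page or Tessell's own tooling, show how to find migrated accounts still on mysql_native_password, move them to caching_sha2_password, and rate-limit online password guessing with the account lock options introduced in MySQL 8.0.19. The account names, host patterns and passwords are placeholders.

```sql
-- Added example (not Tessell's code). 'legacy_app', 'app_svc', the host
-- patterns and the passwords are placeholders.

-- 1. After a migration, list accounts that still use the deprecated,
--    SHA-1 based plugin so each one can be reviewed.
SELECT user, host, plugin, password_last_changed
  FROM mysql.user
 WHERE plugin = 'mysql_native_password'
 ORDER BY user, host;

-- 2. Switch an existing account. The stored SHA-1 hash cannot be
--    converted, so a new password has to be set in the same statement.
ALTER USER 'legacy_app'@'10.0.%'
  IDENTIFIED WITH caching_sha2_password BY 'N3w-Str0ng-Passw0rd!';

-- 3. New accounts: use caching_sha2_password from the start and limit
--    online guessing: lock for 1 day after 5 consecutive failures.
CREATE USER 'app_svc'@'10.0.%'
  IDENTIFIED WITH caching_sha2_password BY 'An0ther-Str0ng-Passw0rd!'
  FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;

-- 4. Confirm plugin and lock policy (user_attributes is a JSON column,
--    MySQL 8.0.21+).
SELECT user, host, plugin,
       JSON_EXTRACT(user_attributes, '$.Password_locking') AS lock_policy
  FROM mysql.user
 WHERE user IN ('legacy_app', 'app_svc');
```

ALTER USER takes effect for new connections immediately; sessions that 'legacy_app' already has open keep running until they reconnect. Note that caching_sha2_password needs either a TLS connection or the server's RSA public key (client option --get-server-public-key) for the first, uncached authentication of an account; with SSL enabled on the instance (see "Encrypt data in Transit" below) this is handled automatically.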

validate_password Plugin

The validate_password component, which can be enabled through a parameter profile, enforces a server-side password policy for all database accounts: minimum length, required character classes, rejection of passwords that match the username, and optionally a dictionary check. It complements the provisioning-time rules above, which apply only to the master user.

More information can be found at MySQL :: MySQL 8.0 Reference Manual :: 8.4.3 The Password Validation Component

<p class="info">Please raise a support ticket on the Tessell console to enable this plugin.</p>
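As an added example (not from the Tessell page), the settings below map the five provisioning rules listed earlier onto validate_password component variables, so the same policy applies to every account, not only the master user. The SET PERSIST statements require SYSTEM_VARIABLES_ADMIN, which the Tessell master account does not hold; on Tessell they describe what to request in the parameter profile or support ticket, while the SELECT and SHOW statements can be run as the master user to verify the result.

```sql
-- Added example (not Tessell's code). SET PERSIST needs
-- SYSTEM_VARIABLES_ADMIN and is shown here to document the target values.

-- 1. Confirm the component is installed.
SELECT component_urn
  FROM mysql.component
 WHERE component_urn = 'file://component_validate_password';

-- 2. Target values. MEDIUM policy is what activates the character-class
--    counters; LOW checks length only.
--    length 12         -> rule 1 (the 32-character maximum is enforced
--                         by Tessell's OPA policy; validate_password
--                         has no maximum)
--    check_user_name   -> rule 2
--    mixed_case_count  -> rule 3
--    number_count      -> rule 4
--    special_char_count-> rule 5
SET PERSIST validate_password.policy             = 'MEDIUM';
SET PERSIST validate_password.length             = 12;
SET PERSIST validate_password.check_user_name    = ON;
SET PERSIST validate_password.mixed_case_count   = 1;
SET PERSIST validate_password.number_count       = 1;
SET PERSIST validate_password.special_char_count = 1;

-- 3. Verify the effective settings.
SHOW GLOBAL VARIABLES LIKE 'validate_password.%';

-- 4. Score candidate passwords without creating an account.
--    Returned scale: 0 (shorter than 4), 25 (shorter than
--    validate_password.length), 50 (meets LOW), 75 (meets MEDIUM),
--    100 (meets STRONG, i.e. also passes the dictionary check).
SELECT VALIDATE_PASSWORD_STRENGTH('tessell')           AS too_short,
       VALIDATE_PASSWORD_STRENGTH('c0rrecthorsebatter') AS no_case_mix,
       VALIDATE_PASSWORD_STRENGTH('C0rrect-Horse-Bat')  AS meets_policy;
```

VALIDATE_PASSWORD_STRENGTH is the quickest way to confirm that a password generator used by an application or a secrets manager actually produces values the server will accept, before rollout rather than at the first failed CREATE USER.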

Active Directory and LDAP Authentication plugin

Tessell supports authentication against an enterprise Active Directory, implemented with the natively available MySQL LDAP and Kerberos authentication plugins.
With this method, existing Windows AD users can log in with their e-mail address as the username, and the password policy set by the AD administrator applies.
The feature is configured from the DB Governance page of the Tessell UI, where AD users can be added to the MySQL database.

[Screenshot: Register Active Directory]

<p class="info">For further help in enabling Active Directory, please raise a support ticket on the Tessell console.</p>

Privileges for master account user

The master account created at provisioning has the following privileges:

SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGER

These privileges cover all user database-level tasks, including creating and altering schemas, tables, views, routines, events and triggers. The master user can also create additional accounts with the same or lower privileges, which is the recommended way to provision application, reporting and DBA accounts.
The root-level privilege SUPER is not granted to the master user, so it cannot alter global system variables, stop or restart the server, or perform similar server-level actions. In MySQL 8.0 most of SUPER is replaced by dynamic privileges such as SYSTEM_VARIABLES_ADMIN and CONNECTION_ADMIN; when auditing accounts, check for those as well as for SUPER.
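As an added example (not from the Tessell page), here is how the master account would create two least-privilege accounts and then audit which accounts on the instance can widen access or touch server state. The schema 'appdb', the account names, host patterns and passwords are placeholders.

```sql
-- Added example (not Tessell's code). 'appdb', account names, host
-- patterns and passwords are placeholders. Run as the master account.

-- Application account: DML only, one schema, only from the app subnet,
-- and TLS required.
CREATE USER 'app_rw'@'10.0.1.%'
  IDENTIFIED WITH caching_sha2_password BY 'App-Rw-Str0ng-Passw0rd!'
  REQUIRE SSL;
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'app_rw'@'10.0.1.%';

-- Reporting account: read-only, with a cap on concurrent connections.
CREATE USER 'report_ro'@'10.0.2.%'
  IDENTIFIED WITH caching_sha2_password BY 'Report-Ro-Str0ng-Passw0rd!'
  REQUIRE SSL
  WITH MAX_USER_CONNECTIONS 5;
GRANT SELECT ON appdb.* TO 'report_ro'@'10.0.2.%';

-- Verify what each account actually holds.
SHOW GRANTS FOR 'app_rw'@'10.0.1.%';
SHOW GRANTS FOR 'report_ro'@'10.0.2.%';

-- Audit 1: accounts holding static privileges that let them widen access
-- or act on the server. On a Tessell instance this list should contain
-- only the master account and Tessell's own service accounts.
SELECT user, host, Super_priv, Grant_priv, Create_user_priv
  FROM mysql.user
 WHERE Super_priv = 'Y' OR Grant_priv = 'Y' OR Create_user_priv = 'Y'
 ORDER BY user, host;

-- Audit 2: dynamic privileges (MySQL 8.0) that replace most of SUPER.
SELECT user, host, priv, with_grant_option
  FROM mysql.global_grants
 WHERE priv IN ('SYSTEM_VARIABLES_ADMIN', 'SYSTEM_USER', 'CONNECTION_ADMIN')
 ORDER BY user, host;
```

Granting on appdb.* rather than *.* keeps the application account out of the mysql schema and out of any other customer schema on the same instance; the host pattern does the same at the network layer, in addition to the allowed-IP list described under Network Security.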

Encryption

Storage Encryption at Rest

Tessell supports 256-bit encryption of the data volume: full-disk, storage-level encryption of a Tessell database instance using either the cloud provider's default keys or customer-managed keys in Azure or AWS. This covers the data files and every snapshot taken from the volume, so data never leaves the volume unencrypted.
The option is selected during provisioning, as shown below:

[Screenshot: Tessell - MySQL provision with Encryption at rest]

Transparent Data Encryption (TDE) at Table/Database Level

In addition to volume encryption, MySQL supports transparent data encryption (TDE) of individual InnoDB tables and tablespaces, controlled by a keyring plugin or component and server-level variables. Because the keys are held in the keyring rather than on the data volume, TDE protects the table data even if a copy of the data files is obtained, and it provides an uncomplicated way to demonstrate encryption at rest for regulations such as GDPR, HIPAA and PCI DSS.

More information is available at MySQL :: MySQL Secure Deployment Guide :: A Transparent Data Encryption (TDE) and MySQL Keyring
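The statements below are an added example (not from the Tessell page) of enabling and verifying InnoDB TDE. They assume a keyring plugin or component is already configured on the server (on Tessell this would go through a parameter profile or support ticket, which the page does not describe) and that the schema and table names 'appdb', 'customers' and 'payment_tokens' are placeholders.

```sql
-- Added example (not Tessell's code). Assumes a keyring is already
-- configured; 'appdb' and the table names are placeholders.

-- 1. Is a keyring active? Without one, ENCRYPTION = 'Y' fails.
--    Older keyrings load as plugins, newer ones as components.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM information_schema.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';
SELECT component_urn
  FROM mysql.component
 WHERE component_urn LIKE '%keyring%';
SHOW GLOBAL VARIABLES LIKE 'default_table_encryption';

-- 2. Encrypt an existing InnoDB table. The table must live in a
--    file-per-table tablespace; the rewrite is an online-ish table copy,
--    so schedule it for large tables.
ALTER TABLE appdb.customers ENCRYPTION = 'Y';

-- 3. Make encryption the schema default so new tables inherit it.
ALTER SCHEMA appdb DEFAULT ENCRYPTION = 'Y';
CREATE TABLE appdb.payment_tokens (
  id    BIGINT      NOT NULL PRIMARY KEY,
  token VARBINARY(64) NOT NULL
) ENGINE = InnoDB;   -- inherits ENCRYPTION = 'Y' from the schema default

-- 4. Verify: list tablespaces of the schema that are still unencrypted.
--    An empty result is the goal.
SELECT NAME, ENCRYPTION
  FROM information_schema.INNODB_TABLESPACES
 WHERE NAME LIKE 'appdb/%' AND ENCRYPTION = 'N';

-- 5. Master key rotation re-encrypts the per-tablespace keys only, so it
--    is fast. Needs ENCRYPTION_KEY_ADMIN (not held by the master account).
ALTER INSTANCE ROTATE INNODB MASTER KEY;
```

Table-level TDE does not by itself cover the redo log, undo logs or binary logs; innodb_redo_log_encrypt, innodb_undo_log_encrypt and binlog_encryption are separate settings, and on a managed service they belong in the same parameter-profile request as the keyring.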

Encrypt data in Transit (SSL)

Tessell provides an option to enable SSL (TLS) when provisioning a MySQL instance. When enabled, the server presents a certificate, the client and server negotiate session keys, and all traffic between client machines and the Tessell database on the TCP connection is encrypted.
The certificate material needed to verify the server can be downloaded (by users with Tessell account-level access) and passed to the MySQL client or included in the database connection string so that clients authenticate the server rather than only encrypting to it.

[Screenshot: Enable SSL]

By default a MySQL server with SSL enabled still accepts unencrypted connections: a client that sets --ssl-mode=DISABLED, or an old client, connects in the clear. Encryption can be made mandatory for an individual account with the ALTER USER statement below (the server-wide alternative is require_secure_transport=ON, a global variable that on Tessell is set through a parameter profile):

  
-- Reject plaintext connections for this account; applies to new connections only.
ALTER USER 'my_user'@'host' REQUIRE SSL;
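The queries below, added here as an example and not part of the original page, show how to check whether your own session is encrypted, which accounts can still connect in the clear, which current sessions are unencrypted, and the difference between REQUIRE SSL and REQUIRE X509. The account names and host patterns are placeholders.

```sql
-- Added example (not Tessell's code). Account names and host patterns
-- are placeholders.

-- 1. Is this session encrypted? An empty Ssl_cipher means plaintext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
SHOW SESSION STATUS LIKE 'Ssl_version';

-- 2. Accounts with no REQUIRE clause at all (ssl_type = '') can connect
--    without TLS. Built-in internal accounts are excluded from the list.
SELECT user, host, ssl_type
  FROM mysql.user
 WHERE ssl_type = ''
   AND user NOT IN ('mysql.sys', 'mysql.session', 'mysql.infoschema')
 ORDER BY user, host;

-- 3. Tighten per account.
--    REQUIRE SSL  : the connection must be encrypted.
--    REQUIRE X509 : the client must also present a certificate signed by
--                   a CA the server trusts (mutual TLS), which suits
--                   administrative accounts.
ALTER USER 'app_rw'@'10.0.1.%'   REQUIRE SSL;
ALTER USER 'dba_admin'@'10.0.9.%' REQUIRE X509;

-- 4. Who is connected right now without TLS? Per-session status is
--    exposed in performance_schema.status_by_thread.
SELECT t.PROCESSLIST_ID, t.PROCESSLIST_USER, t.PROCESSLIST_HOST
  FROM performance_schema.threads t
  JOIN performance_schema.status_by_thread s
    ON s.THREAD_ID = t.THREAD_ID
 WHERE s.VARIABLE_NAME  = 'Ssl_cipher'
   AND s.VARIABLE_VALUE = ''
   AND t.PROCESSLIST_USER IS NOT NULL;
```

Query 4 is the one to run before flipping require_secure_transport on: any session it lists belongs to a client that will start failing to connect once plaintext is refused, so the clients can be fixed first (typically by adding --ssl-mode=VERIFY_CA and the downloaded CA certificate to their connection settings).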
  
  

Network Security

Limited Network Access

Tessell places a virtual firewall, implemented with AWS Security Groups or Azure Network Security Groups, between the instances it hosts and everything else, including other resources in the same cloud account, VPC or resource group.
Only IP addresses listed in the instance's Allowed IP addresses can reach the database on the port configured for the instance; all other traffic is dropped.

[Screenshot: Allowed IP Addresses]

No direct SSH access

SSH access to Tessell instance VMs is disabled by default, which removes an entire class of host-level attack paths and hardens the instances further.

Audit Logging and Security Monitoring

Error Log Monitoring

By default, every failed authentication attempt against a Tessell MySQL database is recorded in the error log. Reviewing these entries reveals password guessing, misconfigured clients and connection attempts from unexpected hosts, and feeds decisions such as tightening the allowed-IP list or locking an account.
Error log monitoring is enabled by default for all instances.

Audit Log Plugin

Tessell MySQL also offers an audit log plugin, which records connections and query activity and can be filtered by host, user or database.
This plugin-based auditing helps organizations satisfy regulations such as HIPAA and PCI DSS that require an account of who accessed what and when.

The audit log itself contains sensitive data (account names, client hosts, statement text), so the generated log is encrypted with AES-256 and can be read only by security administrators who hold the encryption key.
A Security Information and Event Management (SIEM) solution can centralize the audit and error logs alongside logs from other security sources, including the infrastructure around the MySQL database, and correlate events across them.
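As an added example for the two logging sections above (not from the Tessell page), the first query turns the error log's "Access denied" entries into a per-user, per-host failure count, which is the detection a SIEM rule would implement; the second set of statements confirms the audit plugin is loaded and where it writes. The queries assume MySQL 8.0.22 or later, where the error log is readable through performance_schema.error_log, and log_error_verbosity=3, since MySQL writes "Access denied" at Note priority. The threshold of 10 failures is a placeholder to tune.

```sql
-- Added example (not Tessell's code). Needs MySQL 8.0.22+ and
-- log_error_verbosity = 3. The threshold is a placeholder.

-- 0. If verbosity is below 3, Note-priority lines (including
--    "Access denied") are not written and query 1 returns nothing.
SHOW GLOBAL VARIABLES LIKE 'log_error_verbosity';

-- 1. Failed logins in the last 24 hours, grouped by account and client.
--    The message has the form
--      Access denied for user 'app'@'10.0.0.5' (using password: YES)
--    so the user name sits between the 1st and 2nd quote and the host
--    between the 3rd and 4th.
SELECT SUBSTRING_INDEX(SUBSTRING_INDEX(DATA, "'", 2), "'", -1) AS user_name,
       SUBSTRING_INDEX(SUBSTRING_INDEX(DATA, "'", 4), "'", -1) AS client_host,
       COUNT(*)    AS failures,
       MIN(LOGGED) AS first_seen,
       MAX(LOGGED) AS last_seen
  FROM performance_schema.error_log
 WHERE DATA LIKE 'Access denied for user%'
   AND LOGGED >= NOW() - INTERVAL 1 DAY
 GROUP BY user_name, client_host
HAVING COUNT(*) >= 10          -- burst from one host: likely guessing
 ORDER BY failures DESC;

-- 2. Is the audit plugin loaded, and where does it write? The exact
--    plugin name depends on the distribution, so match loosely.
SELECT PLUGIN_NAME, PLUGIN_STATUS, PLUGIN_LIBRARY
  FROM information_schema.PLUGINS
 WHERE PLUGIN_NAME LIKE '%audit%';
SHOW GLOBAL VARIABLES LIKE 'audit_log%';
```

A client host that appears in query 1 with many distinct user_name values is the classic signature of credential stuffing against the endpoint; a single account with failures from many hosts usually points to a leaked or rotated password still configured somewhere. Either finding is a reason to check the allowed-IP list and, for the account, the FAILED_LOGIN_ATTEMPTS lock policy described under Authentication.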

Backups

Storage Snapshots in the Cloud

Tessell MySQL is configured with a daily incremental snapshot routine that captures the data disk of the Tessell instance. These snapshots allow the database to be restored after hardware failures, software errors, operator mistakes or security incidents such as ransomware.
Snapshots are encrypted with the same key used for encryption at rest on the volume.

Native Backup

Tessell also provides an encrypted native (file-level) backup that can be stored in secure cloud object storage such as AWS S3 or Azure Blob Storage. This feature is available in the Data Flix app in the Tessell console.

Conclusion

Securing a database involves many controls across authentication, encryption, network access, logging and backups. Tessell for MySQL applies several of these out of the box and makes the remaining options straightforward to enable, so an organization planning for compliance can build on the features described above rather than assembling them from scratch.
