Introduction
Tessell for MySQL—a fully managed MySQL database service on the cloud of your choice and at your terms—is available with the most advanced security features. Several security best practices measures have already been implemented by default at provisioning. Customers can implement additional security practices to further protect against unauthorized access or to get certified for industry-standard compliance levels like PCI-DSS, ISO, etc.
This document describes the current security measures implemented with Tessell for MySQL and additional available options that can be implemented at the customer’s discretion.
Authentication and Authorization
Username and Password with Default Plugin
Tessell implements an OPA policy for username and password validation. By default, the new instance comes with a master user and the option to configure the password with the enforcement of complex password rules during provisioning:
- Length: Min 12 Characters. Max 32Characters.
- Should not be the same as Login - Username.
- At least 1 Character should be Lowercase and Uppercase.
- Should have at least 1 Number.
- Should have at least 1 symbol or special character.
<p class="info">During database migration, the same users' passwords and plugin methods are copied from the source to Tessell. The customer must explicitly review these usernames and passwords.</p>
It is advisable to use the caching_sha2_password plugin which encrypts the password with SHA-256 hashing and RSA-based exchange mechanisms instead of the mysql_native_password plugin for passwords which use deprecated algorithms.
validate_password Plugin
This plugin, which can be enabled using parameter profiles, can help implement additional security and strict policies for database usernames and passwords. It can also help set up complex passwords and enforce strict guidelines.
More information can be found at MySQL :: MySQL 8.0 Reference Manual :: 8.4.3 The Password Validation Component
<p class="info">Please raise a support ticket on the Tessell console to enable this plugin.</p>
Active Directory and LDAP Authentication plugin
Tessell supports the most advanced and secure form of MySQL authentication using Enterprise Active Directory, which is implemented using natively available plugins - LDAP and Kerberos.
With this available authentication method, you can integrate existing Windows AD users with email addresses as usernames and password policies set by AD Admin
This feature can be configured directly from the Tessell UI’s DB Governance Page, and AD users can be added to the MySQL database.
<p class="info">For further help in enabling Active Directory, please raise a support ticket on the Tessell console.</p>
Privileges for master account user
The master account created at provisioning has the following privileges:
SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, RELOAD, PROCESS, REFERENCES, INDEX, ALTER, SHOW DATABASES, CREATE TEMPORARY TABLES, LOCK TABLES, EXECUTE, REPLICATION SLAVE, REPLICATION CLIENT, CREATE VIEW, SHOW VIEW, CREATE ROUTINE, ALTER ROUTINE, CREATE USER, EVENT, TRIGGERP
The above privileges ensure seamless database tasks for CREATING or ALTERING all user database-level tasks. Additionally, the master user can be used to create additional users with the same or lower privileges that can be useful for other contexts.
The root-level privilege SUPER is not granted to the master user, and hence, it protects against any unauthorized activity, including altering system-level Global Variables, Server Stop/Restart, etc.
Encryption
Storage Encryption at Rest
Tessell supports 256-Bit Encryption for Data Volume, a full-disk storage-level encryption of a Tessell Database instance using default available or customer-managed keys in Azure or AWS cloud. This safeguards the data files and snapshots and ensures data remains encrypted.
This option be selected during provisioning as below:
Transparent Data Encryption (TDE) at Table/Database Level
Additionally, MySQL supports TDE-based encryption for InnoDB Engine Tables using plugin and server-level variables. This encryption can help in compliance with regulations, including GDPR, HIPAA, and PCI DSS, through an uncomplicated approach to encrypting data at rest.
More information is available at MySQL :: MySQL Secure Deployment Guide :: A Transparent Data Encryption (TDE) and MySQL Keyring
Encrypt data in Transit (SSL)
Tessell provides an option to enable SSL during the provisioning of MySQL Instances. When enabled, this feature encrypts the connection using a key exchange mechanism and the data shared between Client Machines and the Tessell Database over a TCP connection.
The available key can be downloaded (Tessell Account Level Access Users Only) and used for authentication using MySQL client or database endpoint connectivity string.
By default MySQL allows the connection to fail back to non-SSL mode (default) even with SSL enabled at the server level.
Strict SSL connection can be enabled at the database User level. It can be modified by the MySQL command below:
Network Security
Limited Network Access
Tessell implements a virtual firewall between the Instances hosted in Tessell to the outside world or even to resources within the same cloud account, VPC, or Resource Groups using AWS Security Groups or Azure Network Security Group.
Only IPs listed or added in the Allowed IP addresses will be allowed to connect to the database instance on a specific port configured for the instance.
No direct SSH access
Tessell Instance VMs are disabled for SSH access by default even hardening further.
Audit Logging and Security Monitoring
Error Log Monitoring
By default, any unauthorized attempt to connect to the Tessell MySQL database is logged in the Error Logs. This can be reviewed to strengthen security and prevent this access.
Error Log Monitoring is enabled by default for all the instances.
Audit Log Plugin
Tessell MySQL comes with a feature - Audit Log Plugin, which enables monitoring and logging of connections and query activity at the host, user, or database level.
This plugin-based auditing solution helps organizations to be ready and compliant with various regulations like HIPPA, PCI-DSS, etc.
As more sensitive data is collected, this audit log is generated. It is encrypted using the AES-256 algorithm and decrypted only by security admins with encryption keys.
Security Information and Event Management (SIEM) solutions can help centralize and analyze logs from various security sources, including your MySQL database.
Backups
Storage Snapshots in the Cloud
Tessell MySQL is configured for a daily incremental snapshot routine which is a snapshot of the data disk of Tessell Instance. This strategy allows you to restore the database in any case, be it - hardware failures, software errors, or security incidents like ransomware attacks.
The snapshots use the same encryption key used for encryption at rest for storage.
Native Backup
Tessell also provides an encrypted Native backup solution at the file level that can be stored in secure cloud storage solutions like AWS S3 or Azure Blobs. This feature is available in the Data Flix app in the Tessell Console.
Conclusion
Implementing database security is a complex process and involves multiple challenges. Tessell for MySQL comes with several out-of-the-box security features and additional options, making it easy to implement. An organization planning for compliance can easily leverage the above features with Tessell.
