Databases have played a major role in business systems for decades. In early use, a database was a monolithic repository: software focused on a narrow range of tasks was built around it, with the database acting somewhat like the nucleus of a single-cell organism. Fast forward a few decades, and databases have become real-time, infinite, ever-expanding sets of data interacting with other systems and subsystems, like the bloodstream in a sophisticated organism, where data branches off in workloads to nurture the various organs and subsystems that make the business’ body run.
The challenge now is governing this huge volume of data while protecting confidential and private information. This blog post is part of a series covering the data security features that help protect information in MySQL, MongoDB, PostgreSQL, and the other database engines now supported by NetApp Cloud Data Sense, to show you how to solve data security problems using their feature sets.
Oracle acquired the MySQL relational database engine in 2010, as part of its purchase of Sun Microsystems. It pledged to keep maintaining the free Community edition of MySQL, and it has since added more robust tools to the paid Enterprise edition. What you’ll find as we walk through data masking, data de-identification, and data encryption is that Community MySQL offers some support for data privacy, but (unsurprisingly) Enterprise MySQL offers more.
Customers require database vendors to house ever-increasing volumes of data from various sources, such as transactional systems, analytics, third-party vendors, and even IT infrastructure log files. Much of the data collected is confidential and/or personal information. Because of global privacy regulations, most businesses are obligated to protect this type of data from misuse.
Toward that goal, we’ll look at three database platform security features that help businesses implement data protection and adhere to global privacy regulations: data encryption, data masking, and data de-identification.
Let’s see what MySQL has to offer for these important data security features.
Protecting data stored in a database has been on the wish list of system builders for many years. To begin with, it had to be done outside the database engine, for example by encrypting values in the application before they were written, or by encrypting the storage underneath the server, with the application or the operating system managing the keys.
Database vendors have offered at-rest, database-level encryption for some years; MySQL’s native support arrived with InnoDB tablespace encryption in 5.7.11, released in 2016. MySQL now provides encryption both at rest and in transit, which helps businesses meet their encryption obligations under national and international privacy rules and regulations.
MySQL has supported encrypted client connections (SSL, now TLS) for much longer. Note that TLS is optional by default on both sides: a client that cannot negotiate TLS falls back to plaintext unless the server sets require_secure_transport, and the client’s default --ssl-mode=PREFERRED does not verify the server certificate. There are also third-party proxies and drivers that can be used in place of MySQL’s built-in TLS support and that offer performance enhancements and additional features.
Oracle has extended MySQL’s at-rest encryption options with each release since MySQL 5.7. Here’s how at-rest support breaks down between the two editions.
Community Edition provides InnoDB tablespace encryption, with the master key held by the keyring_file plugin on the database host; in 8.0 this is joined by encryption of the redo log, undo logs, and binary logs. TLS for client connections and the AES_ENCRYPT()/AES_DECRYPT() SQL functions are also available in the Community edition.
MySQL Enterprise Edition adds keyring plugins that keep the master key outside the database host: keyring_okv for Oracle Key Vault and other KMIP-compatible key managers, keyring_aws for AWS KMS, and keyring_hashicorp for HashiCorp Vault, plus keyring_encrypted_file. It also adds encryption for MySQL Enterprise Backup and for the Enterprise Audit log.
MySQL’s encryption functions (AES_ENCRYPT() and AES_DECRYPT()) let application developers encrypt and decrypt individual column values at the database level, independently of tablespace encryption. Two caveats apply: the ciphertext is opaque to the server, so such columns cannot be usefully indexed or searched, and the key is passed inside the SQL statement, so it can end up in the general log, the slow-query log, and (with statement-based replication) the binary log unless logging is configured with that in mind.
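The following is an added example, not code from the original post or from Oracle, showing how the Community Edition pieces described above are switched on in MySQL 8.0: tablespace, log, and binlog encryption at rest, and enforced TLS in transit. Database, table, account, and path names are hypothetical.

```sql
-- Added example (not from the original post): MySQL 8.0 encryption at rest and in transit.
-- Schema, account, password and file paths below are hypothetical.

-- (1) At rest. The keyring must be loaded before InnoDB initialises, so these belong in
-- my.cnf rather than in a SET statement:
--   [mysqld]
--   early-plugin-load       = keyring_file.so
--   keyring_file_data       = /var/lib/mysql-keyring/keyring
--   innodb_redo_log_encrypt = ON   -- tablespace encryption alone leaves redo/undo in clear
--   innodb_undo_log_encrypt = ON
--   binlog_encryption       = ON   -- 8.0.14+; binlogs otherwise contain every row change
--   default_table_encryption = ON  -- 8.0.16+; new tables are encrypted unless told otherwise

-- Confirm the keyring is active before relying on it.
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'keyring%';

-- Encrypt a new table explicitly, and convert an existing one. The ALTER rewrites the
-- whole tablespace, so on a large table expect a full copy and the matching I/O.
CREATE TABLE app.customer (
  id    INT PRIMARY KEY,
  email VARCHAR(255) NOT NULL
) ENCRYPTION = 'Y';
ALTER TABLE app.legacy_orders ENCRYPTION = 'Y';

-- Verify which tablespaces are actually encrypted (8.0 view).
SELECT NAME, ENCRYPTION
FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
WHERE NAME LIKE 'app/%';

-- Rotate the master key: re-wraps each tablespace key without rewriting data.
ALTER INSTANCE ROTATE INNODB MASTER KEY;

-- (2) In transit. Refuse plaintext connections server-wide, pin the protocol versions,
-- and require TLS per account as well (or REQUIRE X509 to insist on a client certificate).
SET PERSIST require_secure_transport = ON;
SET PERSIST tls_version = 'TLSv1.2,TLSv1.3';
CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY 'demo-only-password' REQUIRE SSL;

-- From a client session, confirm the negotiated cipher; an empty value means plaintext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
```

One thing to keep in mind with keyring_file: the master key lives on the same host as the data files, so this setup defends against stolen disks and backups, not against an attacker who can already read the server’s filesystem. Moving the key off-host is exactly what the Enterprise key-vault plugins are for.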
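As an added example (not from the original post), here is column-level encryption done with the built-in functions in a way that avoids the two traps practitioners hit most often: the insecure default cipher mode and the silent key-length folding. Table and variable names are hypothetical.

```sql
-- Added example (not from the original post): column-level encryption with AES_ENCRYPT()
-- and AES_DECRYPT(). Table and variable names are hypothetical.

-- The default block_encryption_mode is aes-128-ecb: no IV, so equal plaintexts produce
-- equal ciphertexts. Use CBC (or, from 8.0.30, GCM) with a fresh random IV per row.
SET SESSION block_encryption_mode = 'aes-256-cbc';

-- Demo only: in practice the application fetches the key from a KMS and passes it per
-- session. AES_ENCRYPT() folds a key of the wrong length by XOR, which silently weakens
-- it, so supply exactly 32 bytes for aes-256.
SET @k = RANDOM_BYTES(32);

CREATE TABLE customer (
  id      INT PRIMARY KEY,
  email   VARCHAR(255) NOT NULL,
  ssn_iv  VARBINARY(16) NOT NULL,   -- per-row IV, stored next to the ciphertext
  ssn_enc VARBINARY(64) NOT NULL    -- CBC pads the output to a 16-byte multiple
);

-- Generate the IV once and use the same value both for storage and for encryption.
INSERT INTO customer (id, email, ssn_iv, ssn_enc)
SELECT 1, 'ann@example.com', t.iv, AES_ENCRYPT('123-45-6789', @k, t.iv)
FROM (SELECT RANDOM_BYTES(16) AS iv) AS t;

-- Decrypt. A wrong key, wrong IV or tampered ciphertext normally yields NULL (invalid
-- padding); the application must treat NULL here as an error, not as an empty value.
SELECT id, email, CAST(AES_DECRYPT(ssn_enc, @k, ssn_iv) AS CHAR) AS ssn
FROM customer
WHERE id = 1;

-- Because the ciphertext is randomised, a lookup by the protected value cannot use an
-- index: the predicate below decrypts every row. Keep a separate searchable token if
-- equality lookups are a requirement.
SELECT id FROM customer WHERE AES_DECRYPT(ssn_enc, @k, ssn_iv) = '123-45-6789';
```

CBC gives confidentiality but not integrity, so a modified ciphertext is only detected when the padding happens to break; on 8.0.30 and later, switching block_encryption_mode to aes-256-gcm makes tampering fail deterministically.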
Oracle introduced data-masking functionality for MySQL in 5.7.24 and 8.0.13, exclusively for the Enterprise edition.
You can still get data masking in the Community edition, but you’ll have to look toward the diverse third-party tool market to find a suitable implementation. There are a number of plugins available, such as those from Percona and DataSunrise.
The MySQL data-masking feature installs as a plugin with a set of loadable functions. Once installed, you apply masking inside SELECT statements by calling those functions, and by extension you can create views that implement your business rules for masking. Masking in a view only protects anything if users cannot read the base table directly, so grant privileges on the view, not on the underlying table.
Examples of masking include replacing the interior or the ends of a string with a mask character (mask_inner() and mask_outer()), and format-aware masking of payment-card numbers (mask_pan()) and US Social Security numbers (mask_ssn()).
As with encryption, developers manage how masking gets applied at the SQL statement level, which provides data masking on views as needed.
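The following is an added example, not code from the original post or from Oracle, putting the Enterprise masking functions behind a view so a support role sees partial values only. Table, view, and account names are hypothetical; the plugin and function names are those of the data_masking plugin (5.7.24 / 8.0.13 and later; the 8.0.33 component version names the functions differently).

```sql
-- Added example (not from the original post): Enterprise data masking through a view.
-- Table, view and account names are hypothetical.
INSTALL PLUGIN data_masking SONAME 'data_masking.so';
CREATE FUNCTION mask_inner RETURNS STRING SONAME 'data_masking.so';
CREATE FUNCTION mask_ssn   RETURNS STRING SONAME 'data_masking.so';
CREATE FUNCTION mask_pan   RETURNS STRING SONAME 'data_masking.so';

CREATE TABLE app.customer (
  id       INT PRIMARY KEY,
  email    VARCHAR(255) NOT NULL,
  phone    VARCHAR(20)  NOT NULL,
  ssn      CHAR(11)     NOT NULL,   -- 'NNN-NN-NNNN', the only form mask_ssn() accepts
  card_pan VARCHAR(19)  NOT NULL
);
INSERT INTO app.customer VALUES
  (1, 'ann.smith@example.com', '5551234567', '123-45-6789', '4111111111111111');  -- constructed sample row

-- Business rule: support staff see enough to confirm identity, never the full value.
-- mask_inner(str, left, right) keeps `left` leading and `right` trailing characters and
-- replaces the rest with 'X'; mask_ssn() and mask_pan() know their formats already.
CREATE SQL SECURITY DEFINER VIEW app.customer_support AS
SELECT id,
       mask_inner(email, 1, LENGTH(email) - LOCATE('@', email) + 1) AS email,  -- aXXXXXXXX@example.com
       mask_inner(phone, 0, 4) AS phone,      -- XXXXXX4567
       mask_ssn(ssn)           AS ssn,        -- XXX-XX-6789
       mask_pan(card_pan)      AS card_pan    -- XXXXXXXXXXXX1111
FROM app.customer;

-- With SQL SECURITY DEFINER the view reads the base table with the definer's privileges,
-- so the support account needs (and must be given) no access to app.customer itself.
CREATE USER 'support'@'%' IDENTIFIED BY 'demo-only-password';
GRANT SELECT ON app.customer_support TO 'support'@'%';

-- What the support role sees:
SELECT * FROM app.customer_support WHERE id = 1;
```

Two checks are worth running after this: that the support account really cannot SELECT from app.customer (the masking is only as good as the grants), and that mask_ssn() returns NULL rather than a masked value for rows whose SSN is not in the 11-character form, since a NULL leaking into a report is easy to miss.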
MySQL data de-identification comes as part of the same package as the data-masking, and is therefore only available in the Enterprise edition.
MySQL’s approach to de-identification is to reuse the same toolkit as data masking and leave it to your internal business processes to decide the appropriate form of de-identification: pseudonymization, where records can still be re-linked through a separately held key or mapping, or anonymization, where they cannot. MySQL offers no feature that splits data into identifying and non-identifying parts; it gives the developer functions that must be applied in line with applicable privacy regulations and corporate policy and procedure.
You can look at the same third-party plugins that you find for data masking to see what they offer in terms of data de-identification at the database level.
Additional SQL functions that you can apply for the purpose of data de-identification include random generation of format-valid replacement values (gen_rnd_email(), gen_rnd_ssn(), gen_rnd_pan(), gen_rnd_us_phone()), random numbers in a range (gen_range()), and dictionary-based substitution:
Blocklisting and substitution (gen_blocklist()): any value found in the blocklist dictionary is replaced by a term from a replacement dictionary, while values not on the blocklist are left as they are.
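As an added example (not from the original post), the block below builds two de-identified copies of a customer table with the Enterprise functions: an anonymized copy for test and analytics use, and a pseudonymized copy that stays joinable. Table, dictionary, and file names are hypothetical, the plugin is assumed to be installed already, and the keyed-hash token is my own construction since MySQL ships no HMAC function.

```sql
-- Added example (not from the original post): anonymisation versus pseudonymisation with
-- the data_masking plugin (gen_blocklist is the 8.0.21+ name; older releases call it
-- gen_blacklist). Table, dictionary and path names are hypothetical.
CREATE FUNCTION gen_rnd_email       RETURNS STRING  SONAME 'data_masking.so';
CREATE FUNCTION gen_rnd_ssn         RETURNS STRING  SONAME 'data_masking.so';
CREATE FUNCTION gen_range           RETURNS INTEGER SONAME 'data_masking.so';
CREATE FUNCTION gen_dictionary_load RETURNS STRING  SONAME 'data_masking.so';
CREATE FUNCTION gen_blocklist       RETURNS STRING  SONAME 'data_masking.so';

-- Dictionaries are plain text files, one term per line, loaded into server memory.
-- They do not survive a restart, so this load belongs in a startup script. If
-- secure_file_priv is set, the files must live in that directory.
SELECT gen_dictionary_load('/var/lib/mysql-files/small_towns.txt', 'small_towns');
SELECT gen_dictionary_load('/var/lib/mysql-files/large_cities.txt', 'large_cities');

-- (1) Anonymised copy: nothing in it can be traced back to a real person, and no key
-- exists that would allow it. Suitable for developers and analysts.
CREATE TABLE app.customer_anon AS
SELECT id,
       gen_rnd_email()   AS email,   -- random local part at example.com
       gen_rnd_ssn()     AS ssn,     -- format-valid, area 900-999, never issued
       gen_range(18, 90) AS age,     -- real age discarded, not perturbed
       -- Towns small enough to identify someone are swapped for a random large city;
       -- everything else is left as is.
       gen_blocklist(city, 'small_towns', 'large_cities') AS city,
       order_total
FROM app.customer;

-- (2) Pseudonymised copy: the same email always maps to the same token, so the copy
-- still joins to other pseudonymised tables, and only a holder of @pepper can
-- re-identify a row (and then only by recomputing the token for a candidate value).
-- Assumption: the pepper is fetched from a secret store per session, never stored
-- in the schema; RANDOM_BYTES() stands in for that here.
SET @pepper = RANDOM_BYTES(32);
CREATE TABLE app.customer_pseudo AS
SELECT SHA2(CONCAT(@pepper, email), 256) AS email_token,
       gen_rnd_ssn()                       AS ssn,   -- no need to keep the real one
       age,                                          -- quasi-identifier kept: review risk
       city,
       order_total
FROM app.customer;
```

The difference between the two copies is the pepper: destroy it and customer_pseudo becomes effectively anonymous; keep it and the copy remains personal data under most privacy regimes, which decides where it may be stored and who may query it. Note too that gen_blocklist() draws a random replacement on every call, so it is an anonymization tool, not a consistent mapping.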
Database administrators and system builders have a lot to think about when it comes to securing data. MySQL provides tools for data at rest and data in flight, and the rich MySQL third-party vendor community offers many plugins to help in your efforts to secure data as well. Performance depends on the features used and how they are configured: tablespace encryption costs little on hardware with AES instructions, while column-level encryption with the SQL functions trades away indexing on the protected values.
NetApp Cloud Data Sense supports MySQL as well as a number of other popular databases, including PostgreSQL, MSSQL, Oracle, SAP HANA, and MongoDB. Cloud Data Sense gives a database deployment an additional utility for data governance and privacy: AI-driven data mapping that identifies the data stored in your database so you can pinpoint and report on the data that needs the highest level of care, where it’s stored, and how it’s used.