In the previous posts, we discussed GDPR and how we could enforce it in the scope of Oracle , SQL Server and Postgresql databases. We now cover the same topic with Mysql and Mariadb databases in mind.
As always, please refer to GDPR Data Security requirements laid down in the initial post. We will continue to walk the same task and activity structure for all RDBMs we cover. Let’s go to the identified GDPR tasks and requireements and then the identified database options, features and/or related products to implement recommendations.
Risk Assessment
- Personal Data identification
- Access, role and privilege analysis
- Security configuration analysis
Attack Prevention
- Encryption of data and data transfers
- Anonimyzation/Pseudonymization of Personal Data
- Personal Data Access Control
Monitoring
- Audit implementation and centralization
- Audit event notification implementation
Brief overview of Mysql/MariaDB versions
MariaDB is a fork of the Mysql project born after Oracle acquired Mysql via Sun. Initially Mariadb followed Mysql versions so it was quite easy to see which base release was Mariadb: 5.6, 5.7 and so on. Since version MariaDB version 10.0 however, it’s less obvious to map releases since Mariadb ported features from different mysql releases. The recent Mysql 8.0 adds to this confusion.
Therefore trying to provide a single link to technical resources might be a bit more complicated than for Postgresql, for which we had the latest release in mind (10.0). Covering 2 branches of the same project with different stable releases
Mysql/MariaDB built-in features and tools of the trade
In contrast with our previous reviewed RDBMs (Oracle and SQL Server), Mysql and Mariadb – as is the case of Postgresql – an Open Source project. This post does not compare distribution capabilities nor review the whole set of features offered by each system. The purpose is to review features and tools that help us enforce GDPR recommendations. We will therefore focus on core Mysql / Mariadb features and open-source extensions and projects for this purpose.
Mysql and MariaDB databases provides the necessary tools and technologies to address each of the above mentioned tasks. Some third-party open source projects come in handy as well for implementing certain GDPR recommendations.
Risk Assessment
Task | MariaDB | Mysql |
---|---|---|
Personal Data Identification | Mysql Workbench, data dictionary views. | Idem |
Access, role and privilege analysis | Roles overview | Access Privilege System |
Security configuration analysis | DevAudit | Idem |
While the privilege system is similar in MariaDB and Mysql, the ROLE system if a recent feature of Mysql release 8.0. MariaDB implemented roles since release 10.0.5.
Attack Prevention
Task | MariaDB | Mysql |
---|---|---|
Encryption of data and data transfers | Encryption of data at rest, secure connections with SSL/TLS. encrypting connections with SSL/TLS | Security keyring. |
Anonymization, pseudonymization of Personal Data. | MaxScale (Commercial) | ProxySql |
Personal Data Access Control | The privilege system, implementing Row-Level Security (RLS) in MariaDB. | Column-level access control through the standard GRANT statement. The same concepts used to implement RLS in MariaDB apply here. |
The encryption of data at rest considered here is database-level, not the full-disk encryption or the application-level possibilities.
Here is an interesting Percona blog post with database encryption examples for both MariaDB and Mysql distributions.
The anonymization or data masking approaches presented here are based on third-party proxy products (project in the case of Mysql). Both leverage query rewrite techniques to mask or obfuscate a previously defined set of columns.
Row-level security is not an out-of-the-box feature but can be implemented with built-in features either on MariaDB or Mysql databases.
Monitoring
Task | MariaDB | Mysql |
---|---|---|
Audit implementation and centralization | Audit plugin, | Enterprise Audit (Commercial) |
Audit event notification | Monyog audit monitoring (Commercial) | Idem |
The audit plugin is available on MariaDB and as part of the commercial Mysql Enterprise distribution. However, the plugin can be loaded on a Mysql database as long as you’re aware of the limitations and compatibility constraints.
Audit event notification and monitoring is – as with all other RDBMs – not a built-in feature. We provide a potentially interesting product but there is no reason audit log monitoring couldn’t be implemented using other log monitoring open source projects, such as the ELK stack.
Conclusion
MariaDB and Mysql are very popular open source database systems with a large user base and active developer communities. As with Postgresql, there are several commercial distributions going with a paid support subscription, per-node model.
We have shown that Mysql and MariaDB, although with certain differences, a set of features and third-party projects to enforce GDPR with ease and a great degree of flexibility.