GDPR, mysql and mariadb

In the previous posts, we discussed GDPR and how we could enforce it in the scope of Oracle, SQL Server and Postgresql databases. We now cover the same topic with Mysql and MariaDB databases in mind.

As always, please refer to the GDPR Data Security requirements laid down in the initial post. We will follow the same task and activity structure for all RDBMSs we cover: first the identified GDPR tasks and requirements, then the database options, features and/or related products that implement the recommendations.

Risk Assessment

  • Personal Data identification
  • Access, role and privilege analysis
  • Security configuration analysis

Attack Prevention

  • Encryption of data and data transfers
  • Anonimyzation/Pseudonymization of Personal Data
  • Personal Data Access Control

Monitoring

  • Audit implementation and centralization
  • Audit event notification implementation

Brief overview of Mysql/MariaDB versions

MariaDB is a fork of the Mysql project born after Oracle acquired Mysql via Sun. Initially MariaDB followed Mysql version numbers, so it was easy to see which base release a MariaDB version corresponded to: 5.6, 5.7 and so on. Since MariaDB version 10.0, however, mapping releases is less obvious, since MariaDB ported features from different Mysql releases. The recent Mysql 8.0 adds to this confusion.

Therefore, providing a single link to technical resources is a bit more complicated than for Postgresql, for which we had the latest release (10.0) in mind. Covering 2 branches of the same project with different stable releases

Mysql/MariaDB built-in features and tools of the trade

In contrast with the RDBMSs we reviewed previously (Oracle and SQL Server), Mysql and MariaDB are, as is the case with Postgresql, Open Source projects. This post does not compare distribution capabilities nor review the whole set of features offered by each system. The purpose is to review features and tools that help us enforce GDPR recommendations. We will therefore focus on core Mysql / MariaDB features and on open-source extensions and projects for this purpose.

Mysql and MariaDB databases provide the necessary tools and technologies to address each of the above mentioned tasks. Some third-party open source projects come in handy as well for implementing certain GDPR recommendations.

Risk Assessment

Task | MariaDB | Mysql
Personal Data Identification | Mysql Workbench, data dictionary views | Idem
Access, role and privilege analysis | Roles overview | Access Privilege System
Security configuration analysis | DevAudit | Idem

While the privilege system is similar in MariaDB and Mysql, the ROLE system is a recent feature of Mysql release 8.0. MariaDB has implemented roles since release 10.0.5.

Attack Prevention

Task | MariaDB | Mysql
Encryption of data and data transfers | Encryption of data at rest, secure connections with SSL/TLS | Encrypting connections with SSL/TLS, Security keyring
Anonymization, pseudonymization of Personal Data | MaxScale (Commercial) | ProxySql
Personal Data Access Control | The privilege system, implementing Row-Level Security (RLS) in MariaDB | Column-level access control through the standard GRANT statement. The same concepts used to implement RLS in MariaDB apply here.

The encryption of data at rest considered here is database-level, not the full-disk encryption or the application-level possibilities.
Here is an interesting Percona blog post with database encryption examples for both MariaDB and Mysql distributions.

The anonymization or data masking approaches presented here are based on third-party proxy products (a project in the case of Mysql). Both leverage query rewrite techniques to mask or obfuscate a previously defined set of columns.

Row-level security is not an out-of-the-box feature but can be implemented with built-in features on either MariaDB or Mysql databases.
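As an added example (not code from the original post), here is one way to combine column-level privileges with a view-based row-level filter using only built-in features of MariaDB and Mysql; the customers table, the accounts and the column names are constructed for the illustration.

```sql
-- Constructed schema: a customer table holding personal data.
CREATE DATABASE IF NOT EXISTS gdpr_demo;
USE gdpr_demo;

CREATE TABLE customers (
  id          INT PRIMARY KEY,
  full_name   VARCHAR(100) NOT NULL,
  email       VARCHAR(100) NOT NULL,
  national_id VARCHAR(20)  NOT NULL,  -- sensitive: never exposed below
  owner_user  VARCHAR(32)  NOT NULL   -- account allowed to see this row
);

INSERT INTO customers VALUES
  (1, 'Ann Example', 'ann@example.test', 'ID-0001', 'agent_a'),
  (2, 'Bob Example', 'bob@example.test', 'ID-0002', 'agent_b');

-- Column-level access control with the standard GRANT statement:
-- support staff can read identifying columns but not national_id.
CREATE USER 'support'@'localhost' IDENTIFIED BY 'change-me';
GRANT SELECT (id, full_name, email)
  ON gdpr_demo.customers TO 'support'@'localhost';

-- Row-level security: a DEFINER view filters rows by the connected
-- client. SESSION_USER() is used on purpose: inside a DEFINER view,
-- CURRENT_USER() would return the view's definer, not the invoker.
CREATE USER 'agent_a'@'localhost' IDENTIFIED BY 'change-me';
CREATE SQL SECURITY DEFINER VIEW customers_mine AS
  SELECT id, full_name, email
  FROM customers
  WHERE owner_user = SUBSTRING_INDEX(SESSION_USER(), '@', 1);

-- Agents get the view only; they hold no privilege on the base table,
-- so the row filter cannot be bypassed from their account.
GRANT SELECT ON gdpr_demo.customers_mine TO 'agent_a'@'localhost';

-- Checks to run from each account:
--   agent_a: SELECT * FROM gdpr_demo.customers_mine;       (row 1 only)
--   support: SELECT national_id FROM gdpr_demo.customers;  (denied)
```

The same statements work on both MariaDB and Mysql; on Mysql 8.0 the agent grant could be given to a role instead of directly to the account.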

Monitoring

Task | MariaDB | Mysql
Audit implementation and centralization | Audit plugin | Enterprise Audit (Commercial)
Audit event notification | Monyog audit monitoring (Commercial) | Idem

The audit plugin is available on MariaDB and as part of the commercial Mysql Enterprise distribution. However, the MariaDB plugin can be loaded on a Mysql database as long as you're aware of the limitations and compatibility constraints.

Audit event notification and monitoring is, as with all other RDBMSs, not a built-in feature. We mention a potentially interesting product, but there is no reason audit log monitoring couldn't be implemented using other open source log monitoring projects, such as the ELK stack.
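As an added example (not from the original post), here is how the MariaDB Audit Plugin can be loaded and scoped from a SQL session so that the resulting log can be shipped to a central log monitoring system; it assumes a MariaDB 10.x server whose plugin directory contains the server_audit library, and the log path and excluded account are placeholders.

```sql
-- Load the MariaDB Audit Plugin (on a MariaDB server).
INSTALL SONAME 'server_audit';

-- Write a file that a log shipper (e.g. ELK) can tail.
SET GLOBAL server_audit_output_type = 'file';
SET GLOBAL server_audit_file_path   = '/var/log/mysql/server_audit.log';

-- Record connections, schema changes, data changes and table accesses;
-- this is the set a GDPR audit trail typically needs.
SET GLOBAL server_audit_events = 'CONNECT,QUERY_DDL,QUERY_DML,TABLE';

-- Placeholder: skip a noisy technical account such as replication.
SET GLOBAL server_audit_excl_users = 'repl_user';

-- Switch logging on and verify the effective settings.
SET GLOBAL server_audit_logging = ON;
SHOW GLOBAL VARIABLES LIKE 'server_audit%';
```

Persist the same settings in the server configuration file so they survive a restart; dynamic SET GLOBAL values alone are lost when the server stops.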

Conclusion

MariaDB and Mysql are very popular open source database systems with a large user base and active developer communities. As with Postgresql, there are several commercial distributions going with a paid support subscription, per-node model.

We have shown that Mysql and MariaDB, although with certain differences, offer a set of features and third-party projects to enforce GDPR with ease and a great degree of flexibility.

Alexis

Alexis is the founder of Aleph Technologies, a data infrastructure consulting and professional services provider based in Brussels, Belgium.
