
@CloudExpo: Blog Feed Post

MySQL in the Cloud

Database encryption options and cloud encryption

MySQL is probably the most popular open source database. While there is a wealth of discussion online about MySQL database encryption, doing it right in a cloud computing environment is tricky.

The discussion here is quite long and contains a lot of interesting details. So if you want a spoiler: it is possible to achieve true confidentiality for your MySQL database today, using the industry best practice of split-key encryption.

Here’s why.

Cloud encryption for MySQL – Setting your goals

Before talking tech, it is essential to understand what your goals are, and then how they relate to the technical solution for your MySQL database. It is not always easy to get a transparent answer about which goals a given technique actually achieves.

The classic goals of any information security solution are “CIA”, meaning

  • Confidentiality: your data cannot be read by anyone unauthorized to do so
  • Integrity: your data cannot be changed or falsified without your knowledge
  • Availability: you can get your data whenever you need it, without compromising the “C” and “I” goals above

Looks old school, right? Here is a subtle point, specific to Cloud Computing: people tend to confuse the Confidentiality goal with

No Data Remanence: confidential data does not remain on a disk (in the cloud) after the disk is used

No Data Remanence is a great goal to have, but it is a subset of confidentiality; it’s easier to implement in the cloud, which is why it is perhaps oversold, but it gets you much less.

On the pro side, No Data Remanence does mean that if a cloud provider employee innocently loses your disk during maintenance, no harm is done. On the con side, it does not mean protection from hackers or malicious insiders trying to access your live data storage. For an independent view on this important issue, see “How to Tell If Your Cloud Provider Can Read Your Data”.

The bottom line: the majority of people considering a MySQL encryption solution in the cloud need full confidentiality, not just a data remanence solution. Only full confidentiality will make you compliant with HIPAA, PCI, SOX, SOC2, EU Data Protection Directives and other standards. Only full confidentiality will protect business and personal data. This point will become clearer as we discuss the techniques for cloud encryption and cloud key management available today.

MySQL and Cloud Encryption

There are several ways to encrypt MySQL databases in the cloud. We’ll discuss three; the first two target the storage “underneath” the MySQL database, while the third relies on the capabilities of the MySQL database itself.

  1. Full Disk Encryption: unsurprisingly, this means that the entire disk used by MySQL for storing the database is encrypted. Some advantages of this approach: it is simple, transparent and less error-prone. The likelihood of leaving some important bit of data unencrypted is small, since you encrypt everything in a sweeping way. Transparency means it works with your application, without changes to application code. A disadvantage is that full disk encryption may be less configurable, since it is “all or nothing”.
  2. Encrypting specific files (which represent tables): this approach takes advantage of the fact that MySQL can be configured so that each DB table gets saved into a separate file. The idea is to encrypt only the files that are considered most sensitive. Some folks label this “Transparent Data Encryption”, in analogy to the Oracle TDE and the Microsoft SQL Server TDE.
  3. Encrypting specific rows, fields or columns in MySQL: the SQL language, as implemented in MySQL, allows your developers to code – quite easily – encryption for specific rows or specific fields. This is obviously the most granular approach. It does require an ability and willingness to write application-level code.

How to compare these techniques? All of them allow you to use standard, well tested encryption techniques, such as AES. They differ as follows.

  1. Configurability: the latter option (#3) is obviously the most configurable, followed by file-level encryption (#2). For example, if each MySQL row represents a user, you could encrypt each user’s personal data with a different encryption key, for maximum security. The other side of configurability is complexity, requiring either developers to write code or sys-admins to configure options.
  2. Performance: on MySQL, full disk encryption is usually the best for performance. Of course it depends on which encryption engine you use, so let’s take a concrete comparison of open source encryption engines. For Linux, a well-known file-level encryption engine is eCryptfs, while a well-known engine for full disk encryption is cryptsetup/dm-crypt. Third-party comparisons are available on the web, for example here. Based on such objective data, we get a perhaps counter-intuitive result: encrypting “only some files” on MySQL may cause a significant hit on performance compared with full disk encryption. Of course, mileage will vary depending on your specific circumstances.
  3. Simplicity of Security: simplicity really depends on what you need. If you need to separate e.g. each user’s specific line item with a different encryption key, you should go for encrypting specific rows. If you are satisfied with a more sweeping approach, full disk encryption does have the advantage of simplicity (it’s hard to forget something important when you encrypt everything), while with file-level encryption you have to be sure of what you are doing (did you encrypt just the table, or also its related indices, journals and the configuration files?).
  4. Finely granular authorization and access: both full disk and file-level encryption let you use your operating system’s authorization and access controls, so they are similar in this respect. On Linux, you can manage ownership of database tables whether you are using the full-disk or file-level approach. On the other hand, row-level and field-level encryption allow you to be much more finely granular, depending on your user-management techniques and what your developers can code.

MySQL and Cloud Key Management

The entire industry accepts that Cloud Key Management is critical to the quality of security and encryption in the cloud. The question becomes “who do I trust?” Who can a cloud customer trust with the encryption keys?

One option is to store the keys in the cloud, either on the same cloud infrastructure you use for your data, or with a dedicated key management vendor. As noted by independent security analysts, you trust that the chosen vendor will keep your keys safe and won’t read your data. But recent security incidents highlight the obvious: security providers are themselves exposed to attacks. Recent examples include the VeriSign hack and the RSA hack.

This discussion really goes to the heart of the Confidentiality issue we raised above. If you are satisfied with No Data Remanence, you can trust cloud providers or security providers. If you need confidentiality or compliance, you simply cannot. Bottom line: never trust anyone with your encryption keys!

An alternative to trusting a provider with your encryption keys is to store the keys back at the enterprise. That approach is tough for many MySQL users; the open source community thrives on its flexibility. Many users of MySQL in the cloud want a pure cloud model, without being tied down to a specific hardware configuration. A physical server deployment – back in the data center – results in an expensive solution in terms of software licenses, operational overhead, and the loss of important cloud advantages (such as scalability and elasticity).

Ideally, you need a solution that works 100% in the cloud, works with the major Cloud Encryption approaches noted above (an API is essential for supporting #3), has low management overhead, and yet leaves control in your hands.

Best practice is split-key encryption. The technique works in the cloud, yet gives you a “master key” which provides true control (that master key is your half of the “split” key). The result is – you trust no one. As noted by independent cloud experts, by protecting the keys to the kingdom using split-key encryption you can effectively eliminate the concern that keys cannot be secured adequately.
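To make the split-key argument above concrete, and to tie it to the per-row keys of approach #3, here is an added example (not Porticor's code or any vendor API; everything in it is constructed for illustration). The data key is XOR-split into a customer-held master share and a cloud-held share, per-row keys are derived from the combined key with HMAC, and each row is encrypted then authenticated; AES is stood in for by an HMAC-SHA256 counter-mode keystream so that the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets

# Constructed sample rows: one user per row, as in approach #3 above.
SAMPLE_ROWS = {1001: b"alice@example.com", 1002: b"bob@example.com"}

def split_key(data_key: bytes) -> tuple:
    """Split the data key into (master_share, cloud_share) by XOR.
    The cloud share is uniformly random, so alone it reveals nothing about
    the data key; only the combination of both shares restores it."""
    cloud_share = secrets.token_bytes(len(data_key))
    master_share = bytes(a ^ b for a, b in zip(data_key, cloud_share))
    return master_share, cloud_share

def combine_key(master_share: bytes, cloud_share: bytes) -> bytes:
    """Rebuild the data key; done only inside the customer-controlled process."""
    return bytes(a ^ b for a, b in zip(master_share, cloud_share))

def row_keys(data_key: bytes, row_id: int) -> tuple:
    """Derive a distinct (encryption key, MAC key) pair per row with HMAC."""
    k = hmac.new(data_key, b"row:%d" % row_id, hashlib.sha256).digest()
    return k[:16], k[16:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for AES-CTR (standard library only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_row(data_key: bytes, row_id: int, plaintext: bytes) -> bytes:
    enc_key, mac_key = row_keys(data_key, row_id)
    nonce = secrets.token_bytes(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()  # integrity ("I" of CIA)
    return nonce + body + tag

def decrypt_row(data_key: bytes, row_id: int, blob: bytes) -> bytes:
    enc_key, mac_key = row_keys(data_key, row_id)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered row")
    return bytes(c ^ s for c, s in zip(body, _keystream(enc_key, nonce, len(body))))

def can_decrypt(key: bytes, row_id: int, blob: bytes) -> bool:
    """True only with the real data key: a holder of the cloud share alone fails."""
    try:
        decrypt_row(key, row_id, blob)
        return True
    except ValueError:
        return False
```

The point to verify is that a party holding only the cloud share (or only the master share) can neither decrypt a row nor forge one, while the customer who combines both shares can; in production, replace the HMAC keystream with AES-GCM from a vetted library.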

You should also make sure to use an implementation of split-key encryption that enables all the major Cloud Encryption approaches. The implementation you choose should

  • Have a cloud-ready API (application programming interface)
  • Be integrated out-of-the-box with some of the approaches
  • Be future-compatible in the sense that it works not just with MySQL, but also with other necessary pieces of your environment. For example, encrypting file systems and file servers is often also needed in a solution using MySQL

Achieving confidentiality for MySQL implementations in the cloud is possible today.

More Stories By Gilad Parann-Nissany

Gilad Parann-Nissany, Founder and CEO at Porticor is a pioneer of Cloud Computing. He has built SaaS Clouds for medium and small enterprises at SAP (CTO Small Business); contributing to several SAP products and reaching more than 8 million users. Recently he has created a consumer Cloud at G.ho.st - a cloud operating system that delighted hundreds of thousands of users while providing browser-based and mobile access to data, people and a variety of cloud-based applications. He is now CEO of Porticor, a leader in Virtual Privacy and Cloud Security.
