Why do I spend time blogging about security frameworks? Because, although there are some resources available on the Web, none apply to Percona XtraDB Cluster (PXC) directly. Actually, I rarely encounter a MySQL setup where SELinux is enforced and never when Percona XtraDB Cluster (PXC) or another Galera replication implementation is used. As we’ll see, there are good reasons for that. I originally thought this post would be a simple “how to” but it ended up with a push request to modify the SST script and a few other surprises.

Some context

These days, with all the major security breaches of the last few years, the importance of security in IT cannot be highlighted enough. For that reason, …

To quote book of all knowledge:

In cryptography, a brute-force attack consists of an attacker trying many
passwords or passphrases with the hope of eventually guessing correctly.
The attacker systematically checks all possible passwords and passphrases
until the correct one is found.

…

Join Percona Chief Evangelist Colin Charles as he covers happenings, gives pointers and provides musings on the open source database community.

Much of last week, there was a lot of talk around this article: New research shows 75% of ‘open’ Redis servers infected. It turns out, it helps that one should always read beyond the headlines because they tend to be more sensationalist than you would expect. From the author of Redis, I highly recommend reading Clarifications on the Incapsula Redis security report, because it turns out that in this case, it is beyond the headline. The content is also suspect. Antirez had to write this to help the press (we totally need to help keep reportage accurate).

Not to depart from the Redis world just yet, but …

Let them stay together.

In the last YEARS, I have seen quite often that users, when installing a product such as PXC, instead of spending five minutes to understand what to do just run

iptables -F

  and save.

In short, they remove any rules for their firewall.

With this post, I want to show you how easy it can be to do the right thing instead of putting your server at risk. I’ll show you how a slightly more complex setup like PXC (compared to MySQL), can be easily achieved without risky shortcuts.

iptables is the utility used to manage the chains of rules used by the Linux kernel firewall, which is your basic security tool.
Linux comes with a wonderful firewall built into the kernel. As an administrator, you can configure this firewall with interfaces like ipchains  — which we are not going to cover — and iptables, which we shall talk about.

iptables is …

Building extremely deep monitoring as a SaaS product has a drawback: we capture too much data for some customers’ compliance requirements. As a result, some companies have been unable to deploy us, or have had to redact data before sending it to our cloud platform. To address this, we built the Sensitive Data Vault, a highly secure, completely on-premises storage module for the most critically private data that must never leave the customer’s firewall.

What is it?

The VividCortex Sensitive Data Vault is a new component of the overall VividCortex solution that you deploy inside your firewall. It ensures that the data never leaves your servers and never enters the VividCortex cloud environment. It consists of:

• a Go service that the VividCortex collector agent communicates with
• a customer-maintained MySQL or PostgreSQL database that the Go application uses
…

Percona announces the GA release of Percona Server for MySQL 5.7.22-22 on on May 31, 2018. Download the latest version from the Percona web site or the Percona Software Repositories. You can also run Docker containers from the images in the Docker Hub repository.

Based on MySQL 5.7.22, including all the bug fixes in it, Percona Server for MySQL 5.7.22-22 is the current GA release in the Percona Server for MySQL 5.7 series. Percona …

The MariaDB Foundation is pleased to announce the availability of MariaDB 10.2.15, the latest stable release in the MariaDB 10.2 series, and MariaDB Connector/J 2.2.4, the latest stable release in the MariaDB Connector/J 2.2 series. See the release notes and changelogs for details. Download MariaDB 10.2.15 Release Notes Changelog What is MariaDB 10.2? MariaDB APT […]

The post MariaDB 10.2.15 and MariaDB Connector/J 2.2.4 now available appeared first on MariaDB.org.

Encryption is a very important form of security and It’s becoming a standard from a compliance perspective to ensure PCI, PII and HIPPA compliances. Encryption needs to be performed for Data at Rest, Data over Wire.

Data At Rest:

• Until 5.6, To encrypt the MySQL data files, Only disk level encryption possible (Gazzang, Luks)
• From 5.7.11 MySQL added a feature for tablespace encryption. Which encrypts only the …

The MariaDB Foundation is pleased to announce the availability of MariaDB 10.0.35, MariaDB Galera Cluster 5.5.60 as well as MariaDB Connector/C 3.0.4, all stable releases. See the release notes and changelogs for details. Download MariaDB 10.0.35 Release Notes Changelog What is MariaDB 10.0? MariaDB APT and YUM Repository Configuration Generator Download MariaDB Galera Cluster 5.5.60 […]

The post MariaDB 10.0.35, MariaDB Galera Cluster 5.5.60 and MariaDB Connector C 3.0.4 now available appeared first on MariaDB.org.

This blog post describes how to keep sensitive data secure on slave servers in a MySQL async replication setup.

Almost every web application has a sensitive data: passwords, SNN, credit cards, emails, etc. Splitting the database to secure and “public” parts allows for restricting user and application parts access to sensitive data.

Field encryption

This is based on MySQL encryption functions or on client-side encryption when the authorized user knows a secret, but encrypted data is distributed to all slaves.

• If possible, use hashes with a big enough salt, and do not store real sensitive …