Sep 23, 2022

Keep Your Data Safe with Percona

September was and is an extremely fruitful month (especially for black-hat hackers) for news about data leaks and breaches:

  1. Uber suffers computer system breach, alerts authorities
  2. GTA 6 source code and videos leaked after Rockstar Games hack
  3. Revolut breach: personal and banking data exposed

In this blog post, we want to remind you how to keep your data safe when running your favorite open source databases.

Network exposure

Search engines like Shodan make it easy to find publicly reachable databases: over 3.6 million MySQL servers were found exposed on the Internet.

The best practice here is to run database servers in an isolated private network, separated even from the rest of your corporate network. That way the risk of exposure stays low even if a server is misconfigured.

If for some reason you run your database on a server in a public network, you can still avoid network exposure:

  • Bind your server to the localhost or private IP address of the server

For example, for MySQL use the bind-address option in your my.cnf:

bind-address = 192.168.0.123

  • Configure your firewall to block access through a public network interface on the operating system

Users and passwords

To complement the network exposure story, ensure that your users cannot connect from just any IP address. Taking MySQL as an example, the following GRANT command allows connections from one of the private networks only:

GRANT ALL ON db1.* TO 'perconaAdmin'@'192.168.0.0/255.255.0.0';
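To turn the two recommendations above (a bind-address on a private interface, and GRANTs restricted to private networks) into a check, here is an added example that is not from the Percona post: a small Python audit that reads a constructed my.cnf fragment and a constructed list of account host specs, and classifies MySQL host forms (dotted netmask, dotted wildcard, localhost, plain address) against RFC 1918 and loopback ranges. The sample values, function names and a single-valued bind-address are assumptions.

```python
import ipaddress
import re

# Constructed sample inputs (not from the page): a my.cnf fragment and the
# user/host pairs that GRANT statements or the mysql.user table would hold.
SAMPLE_MY_CNF = "[mysqld]\nbind-address = 0.0.0.0\n"
SAMPLE_GRANT_HOSTS = [
    ("perconaAdmin", "192.168.0.0/255.255.0.0"),  # netmask form used in the post
    ("app", "10.20.%"),                            # MySQL dotted wildcard
    ("root", "%"),                                 # any host: should be flagged
    ("backup", "localhost"),
]
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def host_is_private(host: str) -> bool:
    """True if a MySQL host spec admits only private/local sources; '%' and
    hostname patterns cannot be proven private and count as public."""
    if host in ("localhost", "127.0.0.1", "::1"):
        return True
    try:
        if host.endswith(".%"):  # '10.20.%' means 10.20.0.0/16: 8 bits per fixed octet
            octets = host.split(".")[:-1]
            if not all(o.isdigit() for o in octets):
                return False
            host = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
        net = ipaddress.ip_network(host, strict=False)  # also accepts dotted netmasks
    except ValueError:
        return False
    return any(net.subnet_of(p) for p in PRIVATE_NETS if p.version == net.version)

def audit_bind_address(cnf_text: str) -> list:
    """Flag a bind-address that leaves the server listening on public interfaces."""
    m = re.search(r"^\s*bind[-_]address\s*=\s*(\S+)", cnf_text, re.M)
    if not m:
        return ["bind-address not set: MySQL listens on all interfaces by default"]
    value = m.group(1)
    if value in ("0.0.0.0", "::", "*"):
        return [f"bind-address = {value} listens on all interfaces"]
    if not host_is_private(value):
        return [f"bind-address = {value} is a public address"]
    return []

def audit_grants(user_hosts) -> list:
    """Flag accounts whose host part admits connections from non-private addresses."""
    return [f"'{u}'@'{h}' is reachable from non-private addresses"
            for u, h in user_hosts if not host_is_private(h)]

for finding in audit_bind_address(SAMPLE_MY_CNF) + audit_grants(SAMPLE_GRANT_HOSTS):
    print("FINDING:", finding)
```

Against the constructed input it reports the 0.0.0.0 bind-address and the 'root'@'%' account; the perconaAdmin netmask grant from the post passes.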

MySQL also has an auth_socket plugin, which authenticates clients connecting through Unix sockets based on their operating system user. Read more in this blog post: Use MySQL Without a Password (and Still be Secure).

Minimize the risk and do not use default usernames and passwords. SecLists is a good catalog of bad password choices, with lists for MySQL, PostgreSQL, and a miscellaneous one. Percona Platform provides users with Advisors (read more below) that preemptively check for misconfigured grants, weak passwords, and more.

So now we agree that a strong password is a must. Did you know that you can enforce it? This Percona post, Improving MySQL Password Security with Validation Plugin, explains how the validation plugin performs such enforcement.

A strong password is set, great! To make your system even more resilient to security risks, it is recommended to have a password rotation policy. This policy can be executed manually, but it can also be automated through various integrations, like LDAP, KMIP, HashiCorp Vault, and many more. For example, this document describes how Percona Server for MongoDB can work with LDAP.

Encryption

There are two types of encryption to consider with databases, and ideally you use both of them:

  1. Transport encryption – secure the traffic between client and server and between cluster nodes
  2. Data-at-rest encryption (or Transparent Data Encryption – TDE) – encrypt the data on a disk to prevent unauthorized access

Transport

With an unencrypted connection between the client and the server, someone with access to the network can capture all your traffic and steal credentials and sensitive data. We recommend enabling network encryption by default. The following blog posts highlight the details:

Data-at-rest

Someone who gains access to the physical disk or to network block storage can read the data. To mitigate this risk, encrypt the data on the disk. This can be done at the file system level, at the block storage level, or within the database storage engine itself.

Tools like fscrypt or the built-in encryption in ZFS can help with file system encryption. Public clouds provide built-in encryption for their network storage solutions (e.g., AWS EBS, GCP). Private storage solutions, like Ceph, also support data-at-rest encryption on the block level.

Percona takes security seriously, which is why we recommend enabling data-at-rest encryption by default, especially for production workloads. Percona Server for MySQL and Percona Server for MongoDB provide a wide variety of options to perform TDE at the database level.

Preventive measures

Mistakes and misconfigurations happen, and it would be great to have a mechanism that alerts you about issues before it is too late. Guess what – we have it!

Percona Monitoring and Management (PMM) comes with Advisors: checks that identify potential security threats, vulnerabilities, data loss or data corruption, and other issues. Advisors are the software representation of years of Percona’s expertise in database security and performance.

By connecting PMM to Percona Platform, users get more sophisticated Advisors for free, whereas paid customers get even deeper database checks that uncover various misconfigurations and non-compliance issues.

Learn more about Percona Platform with PMM on our website and check if your databases are secured and fine-tuned right away.

If you still believe you need more help, please let us know through our Community Forums or contact the Percona team directly.

Sep 24, 2018

Yubico’s new security keys now support FIDO2

Yubico, the company behind the popular YubiKey security keys, today announced the launch of its 5 Series keys. The company argues that these new keys, which start at $45, are the first multi-protocol security keys that support the FIDO2 standard. With this, Yubico argues, it will be able to replace password-based authentication, which is often a hassle and insecure, with stronger hardware-based authentication.

“Innovation is core to all we do, from the launch of the original YubiKey ten years ago, to the concept of one authentication device across multiple services, and today as we are accelerating into the passwordless era,” said Stina Ehrensvard, the CEO and founder of Yubico in today’s announcement. “The YubiKey 5 Series can deliver single-factor, two-factor, or multi-factor secure login, supporting many different use cases on different platforms for different verticals with a variety of authentication scenarios.”

The company made the announcement ahead of Microsoft’s Ignite conference this week, where Microsoft, too, is expected to make a number of security announcements around the future of passwords.

“Passwordless login brings a monumental change to how business users and consumers will securely log in to applications and services,” said Alex Simons, the corporate vice president of Microsoft’s Identity Division. “With FIDO2, Microsoft is working to remove the dependency on password-based logins, with support from devices like the YubiKey 5.”

For the most part, the new keys look very much like the existing ones, but new to the series is the YubiKey 5 NFC, which supports all of the major security protocols over both USB and NFC. The addition of NFC makes it a better option for those who want to use the same key on their desktops, laptops, and mobile phones or tablets.

Supported protocols, in addition to FIDO2, include FIDO U2F, smart card (PIV), Yubico OTP, OpenPGP, OATH-TOTP, OATH-HOTP, and Challenge-Response.

The new keys will come in all of the standard Yubico form factors, including the large USB-A key with NFC support, as well as smaller versions and those for USB-C devices.

In its press release, Yubico stresses that its keys are manufactured and programmed in the USA and Sweden. That it says so is no accident, given that Google recently launched its own take on security keys (after years of recommending YubiKeys). Google’s keys, however, are being built by a Chinese company, and while Google is building its own firmware for them, there are plenty of sceptics out there who aren’t exactly waiting for a key that was manufactured in China.

May 11, 2017

Trusona develops passwordless access for Salesforce

Last week, to commemorate World Password Day — yes, there really is such a thing — we ran my 2015 article called Kill the password, my treatise on the myriad problems associated with passwords. Trusona, a company trying to transform identity, announced today that it is releasing support for passwordless entry on Salesforce.com. Hey, it’s a start. The trouble with the password… Read More

Jul 25, 2016

Dashlane brings an enterprise password management tool to mobile devices

The popular password management utility Dashlane is going after the larger enterprise market today with the announcement of a new tool that will allow mobile employees to switch access between both their personal passwords, as well as those assigned to them by their workplace, in the company’s mobile app. The tool, which is known as “Spaces,” first launched on the desktop… Read More

May 25, 2016

Password management startup Dashlane, now with 5M users, raises $22.5M led by TransUnion

Dashlane, the New York startup that provides a platform for users to manage their passwords and online identities across multiple sites and apps, has raised a further $22.5 million in funding and picked up a key strategic investor and partner in the process. TransUnion, a credit monitoring and ID protection company, led a Series C round, and it will use the deal to develop services with… Read More