Hexatier - MySQL Role-based Security & Data Masking

Presentation given at New York MySQL Meetup, Sept 8 2016. Covers how we use Hexatier at Teladoc to provide role-based security and to mask PHI in the database.

  1. Hexatier at Teladoc, 9/8/2016. ©2002-2016 Teladoc, Inc. All rights reserved.
  2. Hexatier Architecture
     • Hexatier is a network proxy process running on a Linux server, designed to receive and forward MySQL database connections.
     • Applications and MySQL clients see the proxy as a MySQL database. Hexatier receives the connections, applies rules and passes approved connections and queries on to the database.
  3. Hexatier Architecture
     [Diagram: App Servers and Desktops → Hexatier Proxy (10.240.20.100) → MySQL Database; a second panel shows the direct App Servers/Desktops → MySQL Database path blocked (X)]
     Note – As MySQL database accounts can be configured to include a host address, the architecture can be designed to ensure the proxy cannot be bypassed. All traffic will be subject to Hexatier authority.
  4. Hexatier Capabilities
     Hexatier offers three security capabilities in current use at Teladoc:
     • Table Access Control
     • Data Masking
     • Activity Auditing
  5. Table Access Control
     • Hexatier allows users and groups of users to have access only to assigned tables.
     • Privileges are managed via a series of rules, applied in a top-down manner to each data request.
     • MySQL privilege grants offer similar capability, but are managed only at the user level.
     • Hexatier’s use of rules and user-groups allows a form of role-based security to operate, greatly simplifying security management.
  6. Table Access Control – Users on MySQL
     Corresponding users on the database:
     • Users are created on the database with full privileges, relying on Hexatier to apply security.
     • This is secure as access is allowed ONLY through the Hexatier proxy’s IP address (10.240.20.100).
  7. Table Access Control – Users on Hexatier
     Users (inherited from database):
     User Groups (can contain users or other user groups):
  8. Table Access Control – Policies
     Policies define table access rules.
     • Ordering of rules is important: most restrictive at the bottom to catch “none of the above” and block all access. People with no rules assigned have no access.
     • Grantees can be individual users or pre-defined groups of users (roles!).
  9. Table Access Control – Policy Contents
     Contents of a policy:
     • Users affected by policy
     • Restrictions can be database, table or column-based
     • Allowed privileges
     • Log violations?
  10. Table Access Control – Example using “nyug1”
     • User “nyug1” defined on database
     • Usergroup “dw_NYUG_members” created, user “nyug1” added to group
     • Usergroup “dw_demo_hexatier_ro” created, user “dw_NYUG_members” added to group
     Note – Up to this point Hexatier is authorizing no privileges; user “nyug1” has no privs on the database. Usergroups are just logical constructions.
  11. Table Access Control – Policy Example
     Goal – set up policy allowing select on database “demo_hexatier”
     [Screenshot of the policy editor: Who / What / Privs]
  12. Table Access Control – Example using nyug1, effect of policy:
     1) Can see data in database “demo_hexatier”
     2) No rows returned when querying database “DW”
     3) Unable to update data in database “demo_hexatier”
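The rule-evaluation behaviour walked through on slides 8 to 12, as an added example that is not Hexatier's code or Teladoc's configuration: a Python model of top-down, first-match policy evaluation with nested user groups and a logging catch-all deny as the last rule. The group names and policy mirror the deck's nyug1 walk-through; the `Rule` and `Request` types, the table name `patients` and the audit-record shape are constructed for this example, and where the real proxy returns no rows for a blocked query the model returns a decision string.

```python
from dataclasses import dataclass

# Constructed sample membership, mirroring the deck's nyug1 walk-through:
# nyug1 -> dw_NYUG_members -> dw_demo_hexatier_ro. A group may contain users or other groups.
GROUPS = {
    "dw_NYUG_members": {"nyug1"},
    "dw_demo_hexatier_ro": {"dw_NYUG_members"},
}


def principals_for(user, groups=GROUPS):
    """Return the user plus every group that contains it, directly or through nesting."""
    principals = {user}
    changed = True
    while changed:
        changed = False
        for group, members in groups.items():
            if group not in principals and members & principals:
                principals.add(group)
                changed = True
    return principals


@dataclass(frozen=True)
class Rule:
    name: str
    grantee: str             # user or group name; "*" matches everyone
    database: str            # schema name; "*" matches any schema
    privileges: frozenset    # statement types covered by the rule; {"*"} matches any
    allow: bool              # True = permit, False = block
    log_violations: bool = False


@dataclass(frozen=True)
class Request:
    user: str
    database: str
    table: str
    privilege: str           # "SELECT", "UPDATE", ...


def evaluate(request, rules, groups=GROUPS, audit=None):
    """Top-down evaluation: the first rule matching grantee, database and privilege decides.

    Returns (decision, rule_name). With no matching rule the request is denied,
    which models "people with no rules assigned have no access".
    """
    principals = principals_for(request.user, groups)
    for rule in rules:
        if rule.grantee != "*" and rule.grantee not in principals:
            continue
        if rule.database != "*" and rule.database != request.database:
            continue
        if "*" not in rule.privileges and request.privilege not in rule.privileges:
            continue
        if not rule.allow and rule.log_violations and audit is not None:
            # Constructed audit record: enough to reconstruct who tried what, where.
            audit.append({"user": request.user, "database": request.database,
                          "table": request.table, "privilege": request.privilege,
                          "rule": rule.name})
        return ("allow" if rule.allow else "deny"), rule.name
    return "deny", None


# Constructed policy: read-only on demo_hexatier for the role group, then a
# catch-all deny at the bottom that logs every blocked attempt.
POLICY = [
    Rule("dw_demo_hexatier_ro", "dw_demo_hexatier_ro", "demo_hexatier",
         frozenset({"SELECT"}), allow=True),
    Rule("deny_all", "*", "*", frozenset({"*"}), allow=False, log_violations=True),
]


def walkthrough():
    """Reproduce slide 12's three observations for nyug1; return decisions and the audit log."""
    audit = []
    requests = [
        Request("nyug1", "demo_hexatier", "patients", "SELECT"),
        Request("nyug1", "DW", "patients", "SELECT"),
        Request("nyug1", "demo_hexatier", "patients", "UPDATE"),
    ]
    decisions = [evaluate(r, POLICY, audit=audit) for r in requests]
    return decisions, audit


if __name__ == "__main__":
    decisions, audit = walkthrough()
    for decision in decisions:
        print(decision)
    print("audit records:", audit)
```

Moving `nyug1` to a different user-group, or attaching `dw_demo_hexatier_ro` to a policy that also lists `UPDATE`, changes the outcome without touching the user record, which is the role-based property the deck is after; the audit list shows why the catch-all deny is the rule worth logging.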
  13. What We’ve Just Done
     • Created user nyug1
     • Created logical group of users dw_NYUG_members
     • Created group to relate policies to user-groups dw_demo_hexatier_ro
     • Created policy to define rules dw_demo_hexatier_ro
     • Database demo_hexatier
     Users can be easily moved between user-groups; user-groups can be moved between policies = Role-Based Security
  14. Table Access Control – New Role for DML
     • Create new user group to hold users allowed DML
     • Create new policy allowing DML, assign above user group to it
  15. What We’ve Just Done – Moving users between groups, groups between rules
     [Diagram: user-groups dw_NYUG_members and dw_WashDC_members → role groups dw_demo_hexatier_ro and dw_demo_hexatier_rw → policies dw_demo_hexatier_ro and dw_demo_hexatier_rw → database demo_hexatier]
  16. Data Masking
     • Proxy holds rules describing which tables and columns should have data masked before being returned to client.
     • Rules can be configured and granted dynamically.
     • Different rules can apply to different users & user-groups.
     • Data remains in the clear within database.
  17. Data Masking
     Rule below instructs proxy to mask “first_nm”, “last_nm”, “user_nm” and “ssn” from role “dw_NYUG_members”. If the data-types of the columns being masked by the policy are the same, there is great flexibility in how they are masked.
  18. Effect of Data Masking on “nyug1”
     • Designated columns masked for “nyug1”
     • Masked tables remain join-able
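The masking behaviour of slides 16 to 18, as an added example that is not Hexatier's code: a Python model of a proxy-side result-set rewriter that applies per-role column masks before rows reach the client, while the database keeps the clear data. It uses a keyed deterministic pseudonym (HMAC-SHA256, truncated) so that equal inputs mask to equal outputs, which is what keeps masked tables join-able, and a format-preserving SSN mask for the same-data-type case slide 17 mentions. The key, the `MASKING_RULES` structure, the two sample tables and all row values are constructed for this example.

```python
import hashlib
import hmac

# Constructed demo key. In a real proxy deployment this secret lives only on the
# proxy host, never in the database, so masked values cannot be reproduced from the DB side.
MASK_KEY = b"constructed-demo-masking-key"


def pseudonym(value, key=MASK_KEY, length=12):
    """Keyed, deterministic pseudonym: equal inputs give equal outputs, so masked
    columns can still serve as join keys, while the clear value cannot be read back."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def mask_ssn(value):
    """Format-preserving SSN mask that keeps only the last four digits."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return "***-**-" + digits[-4:]


# Constructed masking policy: role -> {column name: masking function}.
MASKING_RULES = {
    "dw_NYUG_members": {
        "first_nm": pseudonym,
        "last_nm": pseudonym,
        "user_nm": pseudonym,
        "ssn": mask_ssn,
    },
}


def apply_masking(columns, rows, user_roles, rules=MASKING_RULES):
    """Rewrite a result set for the requesting user's roles; NULLs pass through unchanged."""
    maskers = {}
    for role in user_roles:
        maskers.update(rules.get(role, {}))
    masked = []
    for row in rows:
        masked.append(tuple(
            maskers[col](val) if col in maskers and val is not None else val
            for col, val in zip(columns, row)
        ))
    return masked


# Constructed sample result sets standing in for two tables in the database.
MEMBERS_COLS = ("user_nm", "first_nm", "last_nm", "ssn")
MEMBERS = [
    ("asmith", "Alice", "Smith", "123-45-6789"),
    ("bjones", "Bob", "Jones", "987-65-4321"),
    ("cdoe", None, "Doe", "555-55-5555"),
]
VISITS_COLS = ("user_nm", "visit_dt")
VISITS = [
    ("asmith", "2016-09-01"),
    ("asmith", "2016-09-07"),
    ("bjones", "2016-09-03"),
]


def join_on_user(members, visits):
    """Hash join of the two result sets on user_nm (column 0 in both)."""
    by_user = {}
    for row in members:
        by_user.setdefault(row[0], []).append(row)
    return [(m, v) for v in visits for m in by_user.get(v[0], [])]


def demo(roles=("dw_NYUG_members",)):
    """Mask both tables for the given roles and show the join yields the same number of pairs."""
    masked_members = apply_masking(MEMBERS_COLS, MEMBERS, roles)
    masked_visits = apply_masking(VISITS_COLS, VISITS, roles)
    return {
        "masked_members": masked_members,
        "join_rows_clear": len(join_on_user(MEMBERS, VISITS)),
        "join_rows_masked": len(join_on_user(masked_members, masked_visits)),
    }


if __name__ == "__main__":
    result = demo()
    for row in result["masked_members"]:
        print(row)
    print("join rows (clear / masked):", result["join_rows_clear"], result["join_rows_masked"])
```

The design point is that join-ability and irreversibility pull in opposite directions: a random per-row mask would break joins, while an unkeyed hash would let anyone with a name list recompute the pseudonyms, so the keyed construction is the one a defender wants. Users whose roles carry no masking rule receive the rows unchanged, as with the deck's per-role policies.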
  19. Activity Auditing
     • Each table access control rule can be set to write audit records each time it is invoked.
     • Each data masking rule can be set to write audit records each time it is invoked.
     • As each security installation will contain a rule to deny access to any query not matching a granting rule, auditing this rule records all attempts to access prohibited data.
  20. Activity Auditing
     Audit record of a policy violation:
  21. Performance Benchmarking
     Industry-standard TPCC benchmarks were run against the Hexatier POC deployment with the following feature combinations enabled:
     1. Baseline (proxy bypassed)
     2. Hexatier controlling table access
     3. Hexatier access control and PHI masking
     4. Hexatier access control, PHI masking & full transaction logging
  22. Performance Benchmarking
     System details:
     • Database – AWS RDS MySQL, m3xlarge (4 CPU, 15GB RAM, provisioned IOPS SSD)
     • Proxy Server – AWS EC2 CentOS, m4large (2 CPU, 8GB RAM, provisioned IOPS SSD)
     [Chart: Transactions Per Minute (0 to 1,000,000) against # Virtual Users (10 to 100) for four series: Baseline, Proxy Bypassed; Proxy, Table Access Control, No Masking; Proxy, Table Access Control, PHI Masking; Proxy, Table Access Control, PHI Masking, all transactions logged]
     Note: Teladoc’s production database db1a.us1 averages approx. 35,000 TpM during business hours.
  23. Features in Hexatier not in use currently at Teladoc
     Can’t speak knowledgeably of these, but mentioning anyway:
     • Access via query-groups
       • Queries can be tracked and “learned” over a given period.
       • Once all common queries have been learned, queries outside of this set can be either prohibited or reported.
     • Access limited by IP address
       • Any policy can be set to allow access from specific IP addresses only.
       • Similar limits possible for known applications, schedules, etc…
     • Injection attack detection & reporting
