Presentation given at New York MySQL Meetup, Sept 8 2016. Covers how we use Hexatier at Teladoc to provide role-based security and to mask PHI in the database.

1. ©2002-2016 Teladoc, Inc. All rights reserved.
Hexatier at Teladoc
9/8/2016

2. ©2002-2016 Teladoc, Inc. All rights reserved.
2
Hexatier Architecture
• Hexatier is a network proxy process running
on a Linux server, designed to receive and
forward MySQL database connections
• Applications and MySQL clients see the
proxy as a MySQL database. Hexatier
receives the connections, applies rules and
passes approved connections and queries on
to the database

3. ©2002-2016 Teladoc, Inc. All rights reserved.
3
Hexatier Architecture
App
Servers
Desktops
Hexatier
Proxy
(10.240.20.100)
MySQL
Database
App
Servers
Desktops
Hexatier
Proxy
(10.240.20.100)
MySQL
Database
X
Note – As MySQL database
accounts can be configured to
include a host address, the
architecture can be designed
to ensure the proxy cannot
be bypassed. All traffic will
be subject to Hexatier
authority.

4. ©2002-2016 Teladoc, Inc. All rights reserved.
4
Hexatier Capabilities
Hexatier offers three security capabilities in
current use at Teladoc ;
• Table Access Control
• Data Masking
• Activity Auditing

5. ©2002-2016 Teladoc, Inc. All rights reserved.
5
Table Access Control
• Hexatier allows users and groups of users to have
access only to assigned tables.
• Privileges are managed via a series of rules,
applied in a top-down manner to each data
request.
• MySQL privilege grants offer similar capability, but
are managed only at the user level.
• Hexatier’s use of rules and user-groups allows a
form of role-based security to operate, greatly
simplifying security management.

6. ©2002-2016 Teladoc, Inc. All rights reserved.
6
Table Access Control – Users on MySQL
Corresponding Users on Database:
• Users are created on the database with full privileges, relying on Hexatier to apply security.
• This is secure as access is allowed ONLY through Hexatier proxy’s IP address (10.240.20.100)

7. ©2002-2016 Teladoc, Inc. All rights reserved.
7
Table Access Control – Users on Hexatier
Users (inherited from database) :
Users Groups (can contain users or other user groups) :

8. ©2002-2016 Teladoc, Inc. All rights reserved.
8
Table Access Control - Policies
• Ordering of rules is important, most restrictive at the bottom to catch “none of
the above” and block all access. People with no rules assigned have no access.
• Grantee’s can be individual users or pre-defined groups of users ( roles ! )
Policies define table access rules

9. ©2002-2016 Teladoc, Inc. All rights reserved.
9
Table Access Control – Policy Contents
Contents of a Policy :
Users affected by policy
Restrictions can be database, table or column-based
Allowed privileges
Log violations?

10. ©2002-2016 Teladoc, Inc. All rights reserved.
10
Table Access Control - Example using “nyug1”
User “nyug1” defined on database
Usergroup “dw_NYUG_members” created,
user “nyug1” added to group
Usergroup “dw_demo_hexatier_ro” created,
user “dw_NYUG_members” added to group
Note – Up to this point Hexatier
is authorizing no privileges, user
“nyug1” has no privs on the
database. Usergroups are just
logical constructions.

11. ©2002-2016 Teladoc, Inc. All rights reserved.
11
Table Access Control – Policy Example
Goal – set up policy allowing select on database “demo_hexatier”
Who
What
Privs

12. ©2002-2016 Teladoc, Inc. All rights reserved.
Table Access Control
Example using nyug1, effect of policy ;
1) Can see data in database “demo_hexatier”
2) No rows returned when querying database “DW“
3) Unable to update data in database “demo_hexatier”

13. ©2002-2016 Teladoc, Inc. All rights reserved.
What We’ve Just Done
13
Created
user
nyug1
Created logical
group of users
dw_NYUG_members
Created group to relate
policies to user-groups
dw_demo_hexatier_ro
Created policy to
define rules
dw_demo_hexatier_ro
Database
demo_hexatier
Users can be easily moved between user-groups
User-groups can be moved between policies
= Role-Based
Security

14. ©2002-2016 Teladoc, Inc. All rights reserved.
14
Table Access Control – New Role for DML
Create new user group to hold users allowed DML
Create new policy allowing DML, assign above user group to it

15. ©2002-2016 Teladoc, Inc. All rights reserved.
What We’ve Just Done
15
dw_NYUG_members dw_demo_hexatier_ro dw_demo_hexatier_ro demo_hexatier
dw_WashDC_members
Moving users between groups, groups between rules
dw_demo_hexatier_rw dw_demo_hexatier_rw

16. ©2002-2016 Teladoc, Inc. All rights reserved.
16
Data Masking
• Proxy holds rules describing which tables
and columns should have data masked
before being returned to client.
• Rules can be configured and granted
dynamically.
• Different rules can apply to different users
& user-groups.
• Data remains in the clear within database.

17. ©2002-2016 Teladoc, Inc. All rights reserved.
17
Data Masking
Rule below instructs proxy to mask “first_nm”, “last_nm”, “user_nm” and “ssn” from role “dw_NYU_members;
If the data-types of the columns being masked by
the policy are the same, there is great flexibility
in how they are masked.

18. ©2002-2016 Teladoc, Inc. All rights reserved.
18
Effect of Data Masking on “nyug1”
Designated columns masked for “nyug1”
Masked tables remain join-able

19. ©2002-2016 Teladoc, Inc. All rights reserved.
19
Activity Auditing
• Each table access control rule can be set to
write audit records each time it is invoked.
• Each data masking rule can be set to write audit
records each time it is invoked.
• As each security installation will contain a rule to
deny access to any query not matching a
granting rule, auditing this rule records all
attempts to access prohibited data.

20. ©2002-2016 Teladoc, Inc. All rights reserved.
20
Activity Auditing
Audit Record of a Policy Violation :

21. ©2002-2016 Teladoc, Inc. All rights reserved.
21
Performance Benchmarking
Industry-standard TPCC benchmarks were run against
the Hexatier POC deployment with the following
feature combinations enabled;
1. Baseline (proxy bypassed)
2. Hexatier controling table access
3. Hexatier access control and PHI masking
4. Hexatier access control, PHI masking & full
transaction logging

22. ©2002-2016 Teladoc, Inc. All rights reserved.
22
Performance Benchmarking
System Details
• Database
– AWS RDS MySQL, m3xlarge (4 CPU, 15GB ram, prov
io ssd)
• Proxy Server
– AWS EC2 Centos, m4large (2 CPU, 8GB ram, prov io ssd)
# Virtual Users
Transactions
Per Minute
0
100000
200000
300000
400000
500000
600000
700000
800000
900000
1000000
10 20 30 40 50 60 70 80 90 100
Baseline, Proxy Bypassed
Proxy, Table Access
Control, No Masking
Proxy, Table Access
Control, PHI Masking
Proxy, Table Access
Control, PHI Masking, all
transactions logged
Note : Teladoc’s production database
db1a.us1 averages approx. 35,000 TpM
during business hours

23. ©2002-2016 Teladoc, Inc. All rights reserved.
Features in Hexatier not in use currently at Teladoc
23
Can’t speak knowledgably of these, but mentioning anyway;
• Access via query-groups
• Queries can be tracked and “learned” over a given period.
• Once all common queries have been learned, queries outside of this set can
be either prohibited or reported.
• Access limited by ip address
• Any policy can be set to allow access from specific ip addresses only.
• Similar limits possible for known applications, schedules, etc…
• Injection attack detection & reporting