CAP protects MySQL database
Keywords:
MySQL, Multi-protocol, Tokenization
The context:
A financial services company must audit all access to a MySQL database and mask some database fields (credit card numbers) for all ad-hoc SQL query users.
The solution:
The MySQL server was proxied through CAP, and all SQL requests to the database are monitored and logged. Sensitive fields are hashed with SHA-1 for all users except the payment system itself.
Deployment diagram:

Why CAP:
CAP is capable of interacting with a vast array of data sources, protocols and APIs out of the box. In this case, the MySQL access protocol is publicly documented and easily implemented with the CAP Multi-Protocol engine.
The story:
The company approached TomorrowX about protecting MySQL after hearing about the multi-protocol capability. A small project was launched to break down the MySQL protocol and provide data stream readers for some of the more obscure MySQL data types.
With excellent open source documentation for the MySQL access protocol, the capability to proxy this protocol was completed within a few days.
Placing CAP at the network level for database access did raise some performance concerns, so stress tests were run to ensure that performance would not be significantly impacted. Using existing hardware and co-locating the CAP instance on the same machine as the MySQL server resulted in minimal impact on queries (typically in the single-digit millisecond range). The CAP Agent simply passes each query along, logs any query that accesses sensitive tables, and blocks any request to DROP a table on a list of important tables. All query responses are likewise returned unchanged, except those from the table containing credit card numbers.
When a non-system user issues a query against the table that contains credit card information, the credit card number in the query result is hashed using the SHA-1 algorithm and the resulting value is returned to the user in its place. This preserves the ability to search for accounts with identical card numbers, yet ensures that the people running SQL queries are unable to access or export any card numbers. The payment system itself, however, still receives the correct card number.
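The proxy policy described above, written out in Python as an added example; it is not CAP rule configuration or TomorrowX code. Table, column and user names are assumptions, and the optional `key` argument switches to HMAC-SHA-256, a keyed variant that is not what the page describes but keeps equality matching while preventing anyone without the key from recomputing tokens from candidate card numbers.

```python
import hashlib
import hmac
import re

# All names below are assumptions for illustration, not CAP configuration.
PROTECTED_TABLES = {"cards", "accounts"}   # tables whose access is logged
CARD_COLUMN = "card_number"                # column that must be masked
SYSTEM_USERS = {"payment_svc"}             # receives real card numbers

def check_query(user, sql, audit_log):
    """Log access to protected tables; return False if the query is blocked."""
    # Simplification: tables are matched by name, not by parsing the SQL.
    hit = [t for t in PROTECTED_TABLES if re.search(rf"\b{t}\b", sql, re.I)]
    blocked = bool(hit) and re.match(r"\s*DROP\b", sql, re.I) is not None
    if hit:
        audit_log.append((user, "BLOCKED" if blocked else "LOGGED", sql))
    return not blocked

def mask_card(pan, key=None):
    """Deterministic token: equal card numbers give equal tokens."""
    digits = re.sub(r"[\s-]", "", pan).encode()   # normalise formatting first
    if key is None:
        return hashlib.sha1(digits).hexdigest()   # the page's approach
    # Keyed variant (not from the page): tokens cannot be recomputed
    # from candidate numbers without the proxy's secret key.
    return hmac.new(key, digits, hashlib.sha256).hexdigest()

def filter_rows(user, columns, rows, key=None):
    """Mask the card column in a result set for every non-system user."""
    if user in SYSTEM_USERS or CARD_COLUMN not in columns:
        return list(rows)
    i = columns.index(CARD_COLUMN)
    return [r[:i] + (mask_card(r[i], key),) + r[i + 1:] for r in rows]

# Constructed sample result set (industry test card numbers, not real data).
COLUMNS = ("account_id", "card_number")
ROWS = [(1, "4111111111111111"), (2, "4111 1111 1111 1111"),
        (3, "5555555555554444")]

if __name__ == "__main__":
    log = []
    print(check_query("analyst", "DROP TABLE cards", log), log)
    for row in filter_rows("analyst", COLUMNS, ROWS):
        print(row)
```

Rows 1 and 2 hold the same card in different formatting and receive the same token, which is what keeps the "find accounts with identical card numbers" query working on masked data.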
Rules blocks and components used:
Multi-Protocol Engine
String manipulation
SHA hash

