Database Access Management
This section provides comprehensive documentation for managing database access using AuthNull. Learn how to secure your database connections, manage access controls, and implement best practices for database security.
Introduction and Architectural Overview
Purpose of Authnull Database Security
Authnull's Database Security solution is engineered to provide robust, granular, and auditable access control to your critical database assets. It establishes a centralized policy enforcement layer that protects databases from unauthorized access and enables secure data handling practices, such as dynamic data masking.
Core Problem Solved
Traditional database security models often rely on disparate authentication mechanisms, static permission sets, and limited visibility into data access patterns. This can lead to overly broad permissions, complex credential management, challenges in meeting compliance mandates (e.g., GDPR, HIPAA, PCI-DSS), and difficulties in dynamically adapting access based on real-time context or risk. Authnull addresses these challenges by externalizing access control and providing a unified platform for policy definition and enforcement.
Key Benefits
- Centralized Access Management: Define and manage all database access policies from a single interface, irrespective of the backend database types.
- Granular Authorization: Implement the principle of least privilege by specifying precisely which users (or applications) can access which specific databases, tables, or even views, and what operations (READ, WRITE, EXECUTE) they can perform.
- Dynamic Data Masking: Protect sensitive data by masking specific fields in query results based on the user's role or policy, without altering the underlying data in the database.
- Conditional Access: Adapt access rights based on contextual factors such as user location, time of day, or device posture.
- Improved Auditability: All access requests and policy decisions pass through a centralized point, facilitating comprehensive logging and auditing.
- Reduced Credential Sprawl: Mapping IAM identities to managed native database connections minimizes the need to distribute sensitive native database credentials directly to users or applications.
Architectural Components
The Authnull Database Security solution comprises several key components working in concert:
- The Authnull Cloud Platform (or Control Plane):
  - This is the web-based management interface where administrators define users, register database agents, create and manage access policies, and monitor activity.
  - It acts as the central "brain" for policy storage and distribution.
- The Authnull Database Agent:
  - This is a lightweight software component installed on a Linux host within your environment.
  - The Agent communicates with the Authnull Cloud Platform to fetch the latest policies.
  - It works in tandem with ProxySQL to enforce these policies.
- ProxySQL (Integrated Component):
  - ProxySQL is an open-source, high-performance SQL proxy.
  - All database connections from client applications are directed to ProxySQL instead of directly to the database.
  - ProxySQL handles connection pooling, query routing, and is the execution point for tasks like data masking.
- Target Database:
  - This is your actual database server containing the data you wish to protect.
  - It continues to operate as usual; Authnull and ProxySQL sit as an intermediary layer.
- End-User Applications/Clients:
  - These are any applications, BI tools, or SQL clients that need to access the target database.
  - After Authnull setup, these clients are configured to connect to the ProxySQL listener port.
High-Level Interaction Flow
- Admin: Defines an access policy in the Authnull Cloud Platform
- Authnull Cloud Platform: Stores the policy and makes it available to the relevant Authnull Database Agent
- Authnull Database Agent: Periodically fetches the latest policies and configures ProxySQL
- End User: Attempts to connect to the database using their client tool
- ProxySQL: Receives the connection request and enforces policies
- Policy Enforcement: Allows or denies access based on configured policies
- Logging: All activities are logged for auditing purposes
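The following is an added example, not AuthNull or ProxySQL code, that models what the enforcement point in the flow above has to do with a policy once the agent has fetched it: check the conditional-access context (location, time window), check the least-privilege grant for the database, table and operation the statement touches, mask sensitive columns in the result set, and write one audit record per decision. The `Policy`, `Grant`, `Context`, `enforce` and `classify` names, the operation mapping, the two sample policies and the sample rows are all constructed for this illustration; a real proxy would use a full SQL parser rather than the small regex classifier used here.

```python
"""Constructed model of a proxy-side policy decision (not AuthNull code)."""
import re
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass(frozen=True)
class Grant:
    database: str
    table: str             # "*" allows every table in the database
    operations: frozenset  # subset of {"READ", "WRITE", "EXECUTE"}


@dataclass
class Policy:
    user: str
    grants: list
    masked_columns: dict = field(default_factory=dict)  # "db.table" -> {column: mask_fn}
    allowed_hours: tuple = (time(0, 0), time(23, 59, 59))  # conditional access window
    allowed_countries: frozenset = frozenset()            # empty means any location


@dataclass
class Context:
    user: str
    country: str
    now: datetime


# Assumed mapping from statement verb to the operation class a grant names.
OPERATION_OF = {"SELECT": "READ", "INSERT": "WRITE", "UPDATE": "WRITE",
                "DELETE": "WRITE", "CALL": "EXECUTE"}
# Keyword that introduces the table reference for each verb.
TABLE_KEYWORD = {"SELECT": "FROM", "DELETE": "FROM", "INSERT": "INTO",
                 "UPDATE": "UPDATE", "CALL": "CALL"}


def classify(sql):
    """Return (operation, database, table) for simple single-table statements."""
    verb = re.match(r"\s*(SELECT|INSERT|UPDATE|DELETE|CALL)\b", sql, re.I)
    if not verb:
        return None, None, None
    verb = verb.group(1).upper()
    ref = re.search(rf"\b{TABLE_KEYWORD[verb]}\s+(\w+)\.(\w+)", sql, re.I)
    if not ref:
        return None, None, None
    return OPERATION_OF[verb], ref.group(1), ref.group(2)


def enforce(policies, ctx, sql, rows, audit):
    """Decide one query at the proxy; return the decision and the (masked) rows."""
    def record(decision, reason, out_rows=()):
        audit.append({"at": ctx.now.isoformat(), "user": ctx.user,
                      "sql": sql, "decision": decision, "reason": reason})
        return {"decision": decision, "reason": reason, "rows": list(out_rows)}

    policy = policies.get(ctx.user)
    if policy is None:
        return record("DENY", "no policy for user")
    # Conditional access: location and time window are checked before the query.
    if policy.allowed_countries and ctx.country not in policy.allowed_countries:
        return record("DENY", f"location {ctx.country} not permitted")
    start, end = policy.allowed_hours
    if not start <= ctx.now.time() <= end:
        return record("DENY", "outside permitted hours")
    op, db, table = classify(sql)
    if op is None:
        return record("DENY", "statement not recognised")
    # Least privilege: a grant must name this database, table and operation.
    if not any(g.database == db and g.table in ("*", table) and op in g.operations
               for g in policy.grants):
        return record("DENY", f"{op} on {db}.{table} not granted")
    # Dynamic masking: rewrite sensitive columns in the result set only.
    masks = policy.masked_columns.get(f"{db}.{table}", {})
    masked = [{col: masks[col](val) if col in masks else val for col, val in row.items()}
              for row in rows]
    return record("ALLOW", f"{op} on {db}.{table}", masked)


def mask_ssn(value):
    return "***-**-" + value[-4:]


def mask_email(value):
    local, _, domain = value.partition("@")
    return local[:1] + "***@" + domain


def build_policies():
    """Constructed sample policies: a read-only analyst and an unrestricted DBA."""
    return {
        "analyst": Policy("analyst", [Grant("sales", "*", frozenset({"READ"}))],
                          {"sales.customers": {"ssn": mask_ssn, "email": mask_email}},
                          (time(8, 0), time(18, 0)), frozenset({"US"})),
        "dba": Policy("dba", [Grant("sales", "*", frozenset({"READ", "WRITE", "EXECUTE"}))]),
    }


def demo():
    """Run several decisions against constructed rows; return them with the audit trail."""
    policies, audit = build_policies(), []
    rows = [{"id": 1, "email": "alice@example.com", "ssn": "123-45-6789"}]  # constructed
    office_hours, night = datetime(2024, 1, 15, 10, 30), datetime(2024, 1, 15, 23, 0)
    select = "SELECT id, email, ssn FROM sales.customers"
    delete = "DELETE FROM sales.customers WHERE id = 1"
    results = {
        "analyst_read": enforce(policies, Context("analyst", "US", office_hours), select, rows, audit),
        "analyst_write": enforce(policies, Context("analyst", "US", office_hours), delete, rows, audit),
        "analyst_night": enforce(policies, Context("analyst", "US", night), select, rows, audit),
        "analyst_abroad": enforce(policies, Context("analyst", "DE", office_hours), select, rows, audit),
        "dba_read": enforce(policies, Context("dba", "DE", office_hours), select, rows, audit),
        "unknown_user": enforce(policies, Context("guest", "US", office_hours), select, rows, audit),
    }
    return results, audit


if __name__ == "__main__":
    for name, result in demo()[0].items():
        print(f"{name:15} {result['decision']:5} {result['reason']} {result['rows']}")
```

The design point worth noting is that the masking step changes only what the proxy returns to the client, which is what lets the target database stay unchanged while different identities see different views of the same row; and because every branch passes through `record`, the audit trail captures denials with their reason as well as the allowed queries.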
Supported Database Types
Authnull supports integration with various database management systems:
- Microsoft SQL Server
- MySQL
- PostgreSQL
- Oracle Database
- MongoDB
- Other ODBC-compliant databases
- Amazon (AWS) Aurora
- Amazon RDS (various engines)
- InnoDB Cluster & Group Replication
- NDB Cluster
- Galera Cluster
- MariaDB Server
- Percona Server
- Percona XtraDB Cluster
Key Features
- Secure Database Connections: Establish encrypted connections to various database types
- Role-Based Access Control: Implement fine-grained access controls for database users
- Audit Logging: Track and monitor all database access activities
- Multi-Factor Authentication: Add an extra layer of security for database access
- Session Management: Control and monitor active database sessions
Getting Started
To begin using AuthNull for database access management:
- Configure database connections
- Set up access policies
- Implement authentication methods
- Monitor and audit access
For detailed instructions on each of these steps, refer to the specific sections in this documentation.