Security and compliance
Protection against unauthorized access
IBM Cloud® Databases for MySQL use the following methods to protect data in transit or in storage.
- All Databases for MySQL connections use TLS/SSL encryption for data in transit. The current supported version of this encryption is TLS 1.2.
- Access to the Account, Management Console UI, and API is secured through Identity and Access Management (IAM).
- Access to the database is secured through the standard access controls provided by the database. These access controls are configured to require valid database-level credentials that are obtainable only through prior access to the database or through our Management Console UI or API.
- All Databases for MySQL storage is provided on storage encrypted with LUKS using AES-256. The default keys are managed by Key Protect. Bring-your-own-key (BYOK) for encryption is also available through Key Protect integration.
- IP allowlisting - All deployments support allowlisting IP addresses to restrict access to the service.
- Public and private networking - Databases for MySQL is integrated with Service endpoints. You can select whether to use connections over the public network, the IBM Cloud internal network, or both.
- Dedicated Cores - Allocating dedicated cores to your deployment introduces hypervisor-level isolation to your database instance, by using isolated virtual machines to ensure that your data processing remains separated from other customers. It also provides a minimum number of CPUs to your deployment. Deployments with dedicated cores in the same Resource Group and IBM Cloud Region might share a virtual machine.
- Do not grant the PROCESS or SUPER privilege to nonadministrative
users.
mysqld
reserves an extra connection for users who have the SUPER privilege so that a MySQL root user can log in and check server activity even if all normal connections are in use. - The SUPER privilege can be used to terminate client connections, change server operation by changing the value of system variables, and control replication servers. For more information, see MySQL's Making MySQL secure against attackers documentation.
Data resilience
- Backups are included in the service. Databases for MySQL backups are located in IBM Cloud Object Storage and are also encrypted.
- Databases for MySQL deployments are configured with replication. Deployments contain a cluster with three data members. All members contain a copy of your data through semisynchronous replication, with a distributed consensus mechanism to maintain cluster state and handle failovers.
- If you deploy to an IBM Cloud Single-Zone Region (SZR), each database member is on a different host in the data center.
- If you deploy to an IBM Cloud Multi-Zone Region (MZR), the members are spread over the region's availability zone locations.