This topic describes the following security capabilities provided by PolarDB: access control, data transmission encryption, data encryption and decryption, data masking, and security audit.

Access control

PolarDB allows you to configure an IP address whitelist of a cluster to ensure secure access to the cluster. An IP address whitelist of a PolarDB cluster contains the IP addresses and CIDR blocks that are allowed to access the cluster. Only the IP addresses and CIDR blocks that are added to the IP address whitelist can access the PolarDB cluster.

If you want to use Elastic Compute Service (ECS) instances to access a PolarDB cluster, configure a security group with which the ECS instances are associated and add the security group to a whitelist of the PolarDB cluster. This way, the ECS instances in the security group can access the PolarDB cluster.

You can configure IP address whitelists and security groups to provide strict access control for your PolarDB cluster.

For more information, see Configure an IP whitelist and Configure a security group.

Data transmission encryption

PolarDB allows you to enable SSL encryption to improve the security of data transmission. SSL is used to encrypt network connections at the transport layer. This improves the security and integrity of the data that is transmitted.

You can enable SSL encryption and install SSL certificates that are issued by certificate authorities (CAs) on the applications that require data encryption. For more information, see Configure SSL encryption.

Data encryption and decryption

PolarDB provides the Transparent Data Encryption (TDE) feature to perform real-time I/O encryption and decryption on data files. Before data is written to a disk, the data is encrypted. Then, the data is decrypted when the data is read from the disk and written into the memory. This ensures data security.

For more information, see Configure TDE.

Data masking

If you want to authorize third parties to generate reports, analyze data, perform development and test activities, or perform other database-related operations, you may need to obtain the latest customer data from databases in the production environment in real time. To avoid disclosing personal information, data must be masked before it is provided to third parties.

PolarDB provides the dynamic data masking feature. You can use a PolarDB proxy to mask sensitive data. When your application initiates a data query request, PolarDB masks the sensitive data that is queried before PolarDB returns the data to the application. Before your application queries data, you need to specify only the following information: the database account that is used to query masked data and the name of the database, table, or column that requires data masking. This way, you can obtain the real-time data that is masked by using the dynamic data masking feature. This ensures secure data access.

For more information, see Dynamic data masking.

Security audit

PolarDB provides the SQL Explorer feature. This helps you detect security risks and performance issues for your database by collecting and analyzing the raw SQL logs.

You can query SQL statements and information about these SQL statements. The information includes databases, states, and execution duration. You can also diagnose the health status of SQL statements, troubleshoot performance issues, and analyze business traffic. High-risk SQL statements, SQL injections, new request sources, and other risks can be automatically detected.

For more information, see SQL Explorer.