Presentation is loading. Please wait.

Presentation is loading. Please wait.

MySQL 8.0 What’s New in Security ?

Published byCassandra Lucas Modified over 6 years ago

Similar presentations

Presentation on theme: "MySQL 8.0 What’s New in Security ?"— Presentation transcript:

1 MySQL 8.0 What’s New in Security ?
This is a Title Slide with Picture and Logo slide ideal for including a partner or product logo with a brief title, subtitle and presenter information. To Replace the LOGO on this sample slide: Right-click the sample LOGO and choose Change Picture. Navigate to the location where the new logo is stored, select desired logo file and click on the Open button to replace the sample logo. The Presented with FPO logo placeholder box can be copy and paste to any of the Title Slides. Mike Frank MySQL PM Director Georgi “Joro” Kodinov MySQL Server Manager

2 Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation.

3 Program Agenda 1 Security Challenges New Security Features in MySQL 8 New Security Features in MySQL Enterprise Edition MySQL Security Architecture 2 Today I want to cover 5 areas. First I want to briefly relate at a high level the challenges out there. I won’t spend too much time here – but I do think its important to understand the whys and whats After that I want to give you a high level view of all the solutions we have and how they map together to fill out all the various aspects of security Next I go into some of the details behind the MySQL solutions And finally look at whats new, and where are focus is, and also to hear from you all where your needs lie, to see if were headed in the direction you need, etc. 3 4

4 Mega breaches involving millions of compromised records continue to make headlines. For example:
The Equifax breach revealed the names, Social Security numbers, birth dates, and addresses of almost half of the total U.S. population. Around 400,000 U.K. customers were also reportedly affected. Final findings revealed a total of million exposed records. At SingHealth, Singapore’s largest healthcare group, the nonmedical personal data of 1.5 million patients was reportedly accessed, including their national identification number, address, and date of birth as part of the attack. The stolen data also included the outpatient medical data of 160,000 patients. In March of this year, the athletic wear company Under Armour disclosed that data tied to its fitness app was breached this year, affecting 150 million user accounts. Users' usernames, addresses and passwords were affected In August of this year, British Airways said that names, addresses, addresses, and sensitive payment card details from 380,000 transactions were all compromised. Though people have reached a seeming point of desensitization to news citing a data breach, protecting user data has become increasingly important amid stricter regulation implementation. Companies are no longer just required to announce that their systems have been breached but also pay fines that can reach up to 4 percent of their annual turnover should they deal with the data belonging to European Union (EU) citizens in accordance with the General Data Protection Regulation (GDPR) requirements. Sources

5 Cost of Data Breaches Data breaches continue to be costlier and result in more consumer records being lost or stolen, year after year. In 2017 there were over 1500 data breaches in the United States alone and over 170 million records exposed. A data breach involving more than one million compromised records, is referred to as a mega breach. A mega breach of 1 million records yields an average total cost of $40 million A mega breach of 50 million records yields an average total cost of $350 million While we continue to hear about mega breaches the cost of smaller breaches is also in the millions of dollars. What contributes to these costs is: Detection activities such Forensics & Auditing Services Notification Costs, including communicating with Regulators Legal Costs and regulatory fines Lost business and company reputation Sources of-breaches-and-records-exposed/) Source: Ponemon Institue, 2018

6 Regulatory Compliance
Regulations PCI – DSS: Payment Card Data HIPAA: Privacy of Health Data Sarbanes Oxley, GLBA, The USA Patriot Act: Financial Data, NPI "personally identifiable financial information" FERPA – Student Data EU General Data Protection Directive: Protection of Personal Data (GDPR) Data Protection Act (UK): Protection of Personal Data Requirements Continuous Monitoring (Users, Schema, Backups, etc.) Data Protection (Encryption, Privilege Management, etc.) Data Retention (Backups, User Activity, etc.) Data Auditing (User activity, etc.) So how many in the room are dealing with regulations and guidelines? How many are dealing with multiple. This is just a subset of regulations that your company may need to comply with. The new kid on the block is GDPR. If you deal with the EU – no matter where your company resides – you need to comply to it.

7 How to Secure your Databases
Assess Locate Risks and Vulnerabilities, Ensure that necessary security controls are Prevent Using Cryptography, User Controls, Access Controls, etc Detect Still a possibility of a breach – so Audit, Monitor, Alert Recover Ensure service is not interrupted as a result of a security incident Even through the outage of a primary database Forensics – post mortem – fix vulnerability At a high level you need to ASSESS – hopefully pre-production during the design process, but then also continuously check things out to make sure your servers are secure and hardened. The goal – to reduce risks, detect and resolve any vulnerabilities, make sure controls – like user permissions, password and network access policies, encryption requirements. Be DEFENSIVE – and PREVENT – MySQL has encryption, user controls, access controls, … for this . We’ll go into the details in a minute. But even if you’ve performed strong Assessment and Prevention – things could still happen – the sooner you spot an issue, a misuse, a hack, the better. For this you need to act like a security guard – DETECT - watch what’s happening with Audit, Monitor for suspect changes, and get Alerted so you know immediately when suspect activity occurs. Finally – be able to RECOVER – even if the worst happens – say a server gets encrypted and ransomed – or its to complex to safely recover the server from an attack – you need a clean server you can bring online and resume critical services. Then you can go back and look through audit data, logs, and other forensics carefully without tainting a server. You can move forward but still preserve evidence if you need to prosecute. Etc. You may even need to bring back old backups from archive. Backups have many purposes beyond disaster recovery.

8 New Security Features in MySQL 8.0

9 MySQL Security Overview
Authentication Authorization Encryption MySQL Security Firewall Auditing New! Masking/De-Identification Available in & Will be in MySQLaaS as well

10 Feature Request from DBAs
New! MySQL Roles Feature Request from DBAs Improving MySQL Access Controls Introduced in the DMR Easier to manage user and applications rights As standards compliant as practically possible Multiple default roles Can export the role graph in GraphML Now MySQL has Roles So you can assign permissions to roles And then assign users to roles and even roles to roles. This also allows you to define default roles – that happen with the connection OR you can set a role For example – in general keep permissions at a minimal and only escalate by setting a more powerfully permitted role when needed. This also makes it far harder for hacker – as they won’t necessarily know you are using roles etc. Directly Default Role(s) Set of ACLS Indirectly Set Role(s) Set of ACLS

11 SQL Roles Implementation In a Nutshell
A role is basically a user account with login disabled. A memory based hash of flattened privilege sets for each active role 2 new tables: mysql.role_edges and mysql.default_roles 2 new SQL functions: CURRENT_ROLE() and ROLE_GRAPHML() 3 new global privileges: CREATE ROLE, DROP ROLE and ROLE_ADMIN Extensions to: ALTER USER, GRANT/REVOKE, SET and SHOW GRANTS SET [DEFAULT] ROLE

12 SQL Roles Implementation: MySQL Extras
Roles can have an optional host part (not currently used) Pre-roles ACL code is used when there’s no active role(s) Users can be assigned several roles Users can have zero or more default roles Active Roles can be changed – from various assigned roles For example just escalate or change privileges from within an application for certain operations

13 Role Examples Here you can see how roles are Created Granted
How you can use WITH ADMIN option – to allow others to grant same role.

14 MySQL Enterprise Masking and De-Identification New in MySQL 8.0.13 AND 5.7.24!
Data De-identification helps database customers improve security Accelerates compliance for Government – GDPR, CHHS Financial - PCI Healthcare – HIPAA, Clinic Trials Data Reduce IT costs by simplifying sanitizing production data Transforming sensitive data for use in analytics, testing, development, and more

15 NEW! MySQL Enterprise Masking and De-Identification
De-identify, Anonymize Sensitive Data Employee Table "Data Masking is a method to hide sensitive information by replacing real values with substitutes.” ID Last First SSN 1111 Smith John 1112 Templeton Richard Random Data Generation Masked View ID Last First SSN 2874 Smith John XXX-XX-5555 3281 Templeton Richard XXX-XX-4444

16 MySQL Enterprise Masking and De-Identification Data Masking and Random Data Generation
String masking Dictionary based replacement Specific masking SSN Payment card : Strict/Relaxed Random Data Generators Random number within a range Payment card (Luhn check compliant) SSN Dictionary based generation

17 MySQL Enterprise Masking and De-Identification
Data Masking String data masking Mask a substring within a string : ArthXXXXnt Mask substrings at the beginning and at the end : XXthurDeXX SSN masking : XXXX-XX-1234 Payment Card masking Strict: XXXXXXXXXXXXXXX7395, Relaxed: XXXXXXXXX7395 Dictionary based masking gen_blacklist(“007”, “00designations”, “Cover_identity”) => Universal Exports

18 MySQL Enterprise Masking and De-Identification
Random Data Generation Random data within range gen_rnd(10000, 20000) => 12503 Payment card : Configurable length : 12 to 19 digits SSN : US Phone number :

19 MySQL Enterprise Masking and De-Identification
Dictionary based data generation, data blacklists Load multiple dictionaries Maps dictionary file => dictionary name In memory data for faster retrieval Generation based on dictionary data gen_dictionary(“periodictable”) => Oxygen If 007 on the blacklist then substitute otherwise provide random value Blacklisted – 007 – thus randomly substituted from Jobs Dictionary gen_blacklist(“007”, “Job_mask", “Jobs") => “Accountant” Not blacklisted – Administrator – thus passes through gen_blacklist(“Administrator”, “Job_mask", “Jobs") => “Administrator”

20 Data Masking Examples

21 MySQL Enterprise Authentication
Integrates MySQL with existing security infrastructures Integrate with Centralized Authentication Infrastructure Centralized Account Management Password Policy Management Groups & Roles Supports Windows Active Directory (for windows MySQL servers) Linux PAM (Pluggable Authentication Modules) New Native LDAP Ultra Fast and Flexible Works with Windows AD (even on non-windows MySQL servers) Security is often about manage-ability. Case in point – users and their accounts. Often its easier to manage the users identity in one place. MySQL Supports centralized user repositories with Enterprise Authentication plugins Users have SSO Managers can centrally add users to groups Managers can remove of disable users centrally You can limit user administration across one to many mysql instances You can manage authentication across applications Audit trails have common user identities for tracking all activity together

22 MySQL Enterprise Authentication: Native LDAP
Direct Connection over LDAP Protocol/Ports Authentication with User and Password or SASL Customizable for users and groups Connector 2) SASL 1) User/Password Or 2) SASL SASLD LDAP Service MySQL Port:389 Dir Tree Native LDAP Plugin

23 New! Atomic ACL Statements
Feature Request from DBAs Long standing MySQL issue! For Replication, HA, Backups, etc. Possible now - ACL tables reside in 8.0 InnoDB Data Dictionary Not just a table operation: memory caches need update too Applies to statements performing multiple logical operations, e.g. CREATE USER u1, u2 GRANT SELECT ON *.* TO u1, u2 Uses a custom MDL lock to block ACL related activity While altering the ACL caches and tables Prior to 8.0 many ACLs or Access Controls which appeared in a single statement – were actually executed in multiple parts. With the new ACID based Innodb data dictionary in 8.0 and with other additional efforts – each statement is atomic – it succeeds or it fails. This is great new for standalone – but also very valuable for cleaner replication and HA> So statements creating many users, or granting to many users, etc are atomic now. New locks within 8.0 were created to preserve this atomic feature for the access control statements.

24 New! Dynamic Privileges
Provides finer grained administrative level access controls Too often SUPER is required for tasks when less privilege is really needed Support concept of “least privilege” Needed to allow adding administrative access controls Now can come with new components Examples Replication HA Backup Give us your ideas Feature Request from DBAs

25 Why Dynamic Global Privileges?
How to add a new global privilege (the 5.7 version) Add a column in mysql.user Extend the parser Amend ACL cache code: reading, caching, writing, upgrade, … Add checks for the new privilege Not possible from a plugin ! Abuse of existing privileges (SUPER) ! The SUPER-potent SUPER !

26 How Do Dynamic Privileges Work ?
Provides new component service Can add, remove and check global privileges Only GRANTs are persisted Stored in mysql.global_grants Uses the familiar GRANT <dynamic_acl> ON *.* TO … syntax

27 MySQL Password Features
New! Password Management Require new passwords not reuse old ones - By number of changes and/or time. Password-reuse (aka Password History) Policy can be set globally as well as on a per-account basis. New in : Can require old password when changing too New! SHA2 with Caching. Now Default ! Strong (when storing) and Fast (when connecting) Strong - SHA-256 password hashing (many rounds, random salt, …) Fast – Caching: Greatly reduces latency New! Seamless RSA password-exchange capabilities (Lowers SSL Costs)

28 MySQL Password Policies – Review
Accounts without Passwords Assign passwords to all accounts to prevent unauthorized use Password Validation Plugin Enforce Strong Passwords Password Expiration/Rotation Require users to reset their password Account lockout (in v. 5.7) Password Retry Rules (in v ) New! Password History (in v. 8.0) Weak Password make a hackers life easy. Longer and more Complex and changing often Make it more difficult

29 New! OpenSSL Dynamically Linked / FIPS Module Support
Dynamically Linked in 8.0 CAN Use optimized OpenSSL Libraries (use AES-NI acceleration) Be patched without MySQL Upgrade Run with OpenSSL FIPS Object Module Meeting US Federal Requirements Provides confidentiality, integrity and message digest services. Leverage OpenSSL engines (HSMs etc) Moves cryptography off CPU - dedicated cryptography devices Meeting more stringent security requirements May improve performance

30 MySQL 8.0 TDE New! AES 256 encryption of UNDO and REDO Logs
Super Simple to manage - Set innodb_undo_log_encrypt=ON/OFF  innodb_redo_log_encrypt=ON/OFF And ON - Pages written after setting are encrypted OFF - Pages written after setting are not. New in ! Support for encryption in shared table-spaces

31 MySQL Security Architecture

32 MySQL Enterprise Edition - SECURITY
MySQL Enterprise TDE Data-at-Rest Encryption Key Management/Security MySQL Enterprise Authentication External Authentication Modules Microsoft AD, Linux PAMs, LDAP MySQL Enterprise Encryption Public/Private Key Cryptography Asymmetric Encryption Digital Signatures, Data Validation User Activity Auditing, Regulatory Compliance MySQL Data Masking MySQL Enterprise Firewall Block SQL Injection Attacks Intrusion Detection MySQL Enterprise Audit User Activity Auditing, Regulatory Compliance MySQL Enterprise Monitor Changes in Database Configurations, Users Permissions, Database Schema, Passwords MySQL Enterprise Backup Securing Backups, AES 256 encryption MySQL Enterprise Thread pool Attack Hardening Within the MySQL Enterprise Edition “Security” we have TDE – transparent data encryption (I’ll go more into this) – in a nutshell it uses encryption and secured keys to protect your data – with zero change to your applications. Next with have Authentication – providing integration with external Identity Servers like Microsoft Active directory, LDAP, and Linux PAMs In enterprise we provide full access to standard PKI (Public Key, Asymmetric Cryptography) functions for integration across your applications – so you can implement fine grained encryption for very sensitive data. A firewall to block the bad guys. Although SQL injection is very preventable at the application level – it extremely difficult to continuously determine if applications are constructed properly. And SQL inject attacks are simple to construction. Firewalls go a long way to protection from these attacks. Audit to watch what’s happening – esp. with sensitive data and tables, esp. with powerful admins and users. MEM – MySQL Enterprise Monitor – continuous best practice assessment. Spots weak security setup, advises on changes, then monitors to make sure things stay setup securely, and alerts when things need your attention. Backup – with encryption to make sure your data isn’t stolen via backup image theft, that you can recover from attacks And finally Thread pool – to minimalize DOS and other attacks attemption to overwhelm mysql connections. So – lets take a visual look at how this is put together from Architectural Stand point. Now lets dive down a bit into a few of these security technologies.

33 Enterprise Security Architecture
 Enterprise Authentication SSO - LDAP, AD, PAM Enterprise Masking & De-Identification Masking Substitute/Subset Random Formatted Data Blacklisted Data  Workbench Model Data Audit Data User Management  Access Controls   Enterprise Monitor Identifies Vulnerabilities Security hardening policies Monitoring & Alerting User Monitoring Password Monitoring Schema Change Monitoring Backup Monitoring  Firewall  Network Encryption  Strong Authentication Thread Pool Attack minimization Key Vault Protect Keys  Enterprise Audit Powerful Rules Engine Data Encryption TDE Encryption PKI  Assess  Prevent  Detect  Recover  Audit Vault  Enterprise Backup Encrypted  HA Innodb Cluster

34 What is Transparent Data Encryption?
Data at Rest Encryption Tablespaces, Disks, Storage, OS File system Transparent to applications and users No application code, schema or data type changes Transparent to DBAs Keys are hidden from DBAs, no configuration changes Requires Key Management Protection, rotation, storage, recovery Transparent Data Encryption – enforces database security by removing alternative routes to the database outside of a MySQL database Connection. So this means to files that MySQL uses – data in tables is in tablespaces and is stored in files. Too often these files can be copied and data accessed – by powerful os user on the file system, by getting to disk or other storage. Encrypted files with secured keys – don’t expose data. Transparent – in that for a DATABASE user and DATABASE applications – they don’t know encryption is going on. No calls to decryption functions, no access to keys, etc. Additionally – the goal is to minimize who has access to the keys – like the DBA Finally – if keys are lost or stolen – the data is lost or stolen. Key management is core to effective encryption. Lose keys lose data, expose keys, expose data, etc TDE solves many data compliance issues – where data encryption is required. And its fast – most don’t notice the addition of encryption. Buffered data is already decrypted and ready to server. Expect low single digit impact.

35 MySQL Transparent Data Encryption
Tablespace Key Accesses Files Directly IF Hackers get into OS – can’t login can connect to mysql, if they steal tablespace files – they are encrypted and protected. Encrypted Database Files Information Access Blocked By Encryption Malicious OS User / Hacker Master Key

36 Using MySQL Transparent Data Encryption is EASY
Plugin Infrastructure New plugin type: keyring Ability to load plugin before InnoDB initialization: --early-plugin-load SQL New option in CREATE TABLE ENCRYPTION=“Y” New SQL: ALTER INSTANCE ROTATE INNODB MASTER KEY Complexity is the enemy of security. So we worked hard to keep things SIMPLE You load the plugin of your choice You can create an new table as encrypted. Could can alter an existing table to be encrypted. Key rotation is trivial and happens in less than a second. Additionally we have support for TDE for TTS transportable tablespace files so you can export and import and keep data encrypted And MySQL Enterprise Backup support backup and recovery of encrypted data. (even for many years of archive) Keyring plugin Used to retrieve keys from Key Stores Over Standardized KMIP protocol InnoDB Support for encrypted tables IMPORT/EXPORT of encrypted tables Support for master key rotation New! undo/redo log encryption

37 MySQL Enterprise TDE: KMIP Compliant
KMIP – Key Management Interoperability Protocol (Oasis Standard) Keys are protected and secure Enables customers to meet regulatory requirements KMIP mode tested with the following products Oracle Key Vault (OKV) Gemalto Safenet KeySecure Fornetix Key Orchestration Appliance Thales Vormetric – best is kmip key management plugin – It’s a standard that is supported by OKV, Gemalto KeySecure, Fornetix or other KMIP compliance servers Also - as of AWS KMS is supported and more are coming (OPC KMS).

38 The Keyring API: The Big Picture
Keyring Plugin API The MySQL Server Plugins (Consumers) Keyring Plugin (backend) Keys Key Ring API Keys Each Key Has a Name/ACL Keys Keyring Plugin Service Key Storage

39 What is the Keyring API ? A uniform infrastructure for handling keys
Usable by both the server and plugins Available in MySQL 5.7 and up as a plugin API and a plugin service Fully extensible Can be initialized before InnoDB at startup Minimum effort to add new backends and consumers New! A keyring migration tool to facilitate moving keys across back-ends !

40 Keyring plugins: The Inventory
Current Consumers InnoDB tablespace encryption SQL user defined functions (UDF) plugin Enterprise Audit Current Backends Flat file backend (In EE can be encrypted) KMIP compliant clients Oracle KeyVault Gemalto Safenet KeySecure Probably more if they support KMIP standards – give it a try.

41 MySQL Enterprise Encryption
MySQL encryption functions Symmetric encryption AES256 (All Editions) Public-key / asymmetric cryptography – RSA Key management functions Generate public and private keys Key exchange methods: DH Sign and verify data functions Cryptographic hashing for digital signing, verification, & validation – RSA,DSA New since : MySQL can work in FIPs mode MySQL includes a variety of encryption functions Standard symmetric – where one key encrypts and decrypts Asymmetric – which make use of public key cryptography Here more secure schemes can be used to allow encryption with public keys in applications without allowing decryption – unless the app has the private key. This can be far safer – limiting the capability of apps by removing decryption keys. Various functions for use to sign data so its immutable, verifiable, where changes can be detected. All interoperable with standard openssl libraries.

42 MySQL Enterprise Audit
Out-of-the-box logging of connections, logins, and query User defined policies for filtering, and log rotation Dynamically enabled, disabled: no server restart XML-based audit stream per Oracle Audit Vault spec New! Features in and in 8.0 JSON Compression Encryption Auditing is a key security tool – gives you the who what when from where and how MySQL Enterprise Audit is simple to install. Allows DBAs to define course to very fine grained auditing rules. The key to auditing is to watch sensitive things closely and fine tune your rules. Auditing everything isn’t necessarily preferred. It really depends on what you are auditing etc. And with you can Compress – to reduce audit file sizes Encrypt – to protect the data in the audit trails Chose JSON formats Get Access from SQL – like tail calls – so Audit data can be reviewed w/o getting on the OS. Standard tools can be used to decrypt and uncompress the audit data files – so will interwork with other audit vaults, audit repos Audit works with Oracle Audit Vault – but there are many options for centrally archiving audit data. Audit includes a full suite of features – to roll files, force auditing always – mysql won’t run if auditing isn’t enabled, etc. Or it can be turned on and rules tuned if you are looking for specific suspect activity. Adds regulatory compliance to MySQL applications (HIPAA, Sarbanes-Oxley, PCI, etc.)

43 MySQL Enterprise Firewall
Real Time Protection Queries analyzed and matched against White List Blocks SQL Injection Attacks Block Out of Policy Transactions Intrusion Detection Detect and Alert on Out of Policy Transactions Learns White List Automated creation of approved list of SQL command patterns on a per user basis Transparent No changes to application required New! Feature in /8.0 – Combined Firewall/Audit Rules Create more general allow/deny firewall rules using JSON syntax – using abort=on To this day SQL inject is one of the top attacks MySQL Enterprise Firewall can stop those attacks Simply turn on learning mode for a user and automatically build your white list Change over to alert mode to confirm you don’t have any false positives (that is no false alarms) Once things look good – switch to full on block mode. In add more general rules to block attacks by type, user, ip etc etc. And you can decide on alerting or blocking per rule. MySQL Enterprise Firewall monitoring

44 MySQL Enterprise Firewall
New! Feature in – Combined Firewall/Audit Rules Create more general allow/deny firewall rules using JSON syntax – using abort=on Example - block execution of specific SQL statements (insert, update, delete) For a specific table (finances.bank_account) Test rules By writing to audit log If data as expected change to firewall add “abort”

45 Customer feedback and requirements drive our priorities
Security Direction Continuing to focus a great deal on security New things are in the works, especially in these areas: TDE / Encryption / Key management Masking, Obfuscation, De-identification, Tokenization Audit Firewall Authentication Integration to various Oracle Cloud services Data masking Customer feedback and requirements drive our priorities Tell us what you want, need, etc. Give us problematic use cases We are always looking for feedback related to security requirements. We’ve added many new things in account and password policies to meet customer requests over the last few years. Or if you have a regulatory requirement and can’t quite see if there’s something to meeting it – please ask. We may have it, or maybe we need to have it. Also the more we know about what you need the better. Often requests come in the form of a solution – without the problem. But as well all know often there’s more than one way to solve a problem - or maybe we’ve already solved things – just some other way that’s not obvious. Regarding TDE – MySQL 8.0 has already added redo and undo log encryption and were working on encrypting additional files (binlog, DD tables) New Ultra Fast and secure SHA256 protocol Openssl fips module support for govt folks. Again we’re looking for feedback - what do you developers want, what would your dba’s like to have?

46 Enterprise Security Architecture
 Enterprise Authentication SSO - LDAP, AD, PAM Enterprise Masking & De-Identification Masking Substitute/Subset Random Formatted Data Blacklisted Data  Workbench Model Data Audit Data User Management  Access Controls   Enterprise Monitor Identifies Vulnerabilities Security hardening policies Monitoring & Alerting User Monitoring Password Monitoring Schema Change Monitoring Backup Monitoring  Firewall  Network Encryption  Strong Authentication Thread Pool Attack minimization Key Vault Protect Keys  Enterprise Audit Powerful Rules Engine Data Encryption TDE Encryption PKI  Assess  Prevent  Detect  Recover  Audit Vault  Enterprise Backup Encrypted  HA Innodb Cluster

47 MySQL Enterprise Edition - SECURITY
MySQL Enterprise TDE Data-at-Rest Encryption Key Management/Security MySQL Enterprise Authentication External Authentication Modules Microsoft AD, Linux PAMs, LDAP MySQL Enterprise Encryption Public/Private Key Cryptography Asymmetric Encryption Digital Signatures, Data Validation User Activity Auditing, Regulatory Compliance MySQL Data Masking MySQL Enterprise Firewall Block SQL Injection Attacks Intrusion Detection MySQL Enterprise Audit User Activity Auditing, Regulatory Compliance MySQL Enterprise Monitor Changes in Database Configurations, Users Permissions, Database Schema, Passwords MySQL Enterprise Backup Securing Backups, AES 256 encryption MySQL Enterprise Thread pool Attack Hardening Within the MySQL Enterprise Edition “Security” we have TDE – transparent data encryption (I’ll go more into this) – in a nutshell it uses encryption and secured keys to protect your data – with zero change to your applications. Next with have Authentication – providing integration with external Identity Servers like Microsoft Active directory, LDAP, and Linux PAMs In enterprise we provide full access to standard PKI (Public Key, Asymmetric Cryptography) functions for integration across your applications – so you can implement fine grained encryption for very sensitive data. A firewall to block the bad guys. Although SQL injection is very preventable at the application level – it extremely difficult to continuously determine if applications are constructed properly. And SQL inject attacks are simple to construction. Firewalls go a long way to protection from these attacks. Audit to watch what’s happening – esp. with sensitive data and tables, esp. with powerful admins and users. MEM – MySQL Enterprise Monitor – continuous best practice assessment. Spots weak security setup, advises on changes, then monitors to make sure things stay setup securely, and alerts when things need your attention. Backup – with encryption to make sure your data isn’t stolen via backup image theft, that you can recover from attacks And finally Thread pool – to minimalize DOS and other attacks attemption to overwhelm mysql connections. So – lets take a visual look at how this is put together from Architectural Stand point. Now lets dive down a bit into a few of these security technologies.

48 Security Resources http://mysqlserverteam.com/ http://insidemysql.com/
40 Finally I want to leave you with some links – do you know where to find things. The mysql server team blogs frequently on security We have various white papers – many specific – for example on PCI or GDPR and MySQL And we are happy to run a health check with you and can focus on security.

49 Thank you!

50

Download ppt "MySQL 8.0 What’s New in Security ?"

Similar presentations

An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.

An investigation into the security features of Oracle 10g R2 Enterprise Edition Supervisor: Mr J Ebden.
Oracle Database 12c Data Protection and Multitenancy on Oracle Solaris 11 Xiaosong Zhu Senior Software Engineer Copyright © 2014, Oracle and/or its affiliates.

Oracle Database 12c Data Protection and Multitenancy on Oracle Solaris 11 Xiaosong Zhu Senior Software Engineer Copyright © 2014, Oracle and/or its affiliates.
Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.

Hands-On Microsoft Windows Server 2003 Administration Chapter 6 Managing Printers, Publishing, Auditing, and Desk Resources.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
A Comprehensive Solution Team Mag 5 Valerie B., Derek C., Jimmy C., Julia M., Mark Z.

A Comprehensive Solution Team Mag 5 Valerie B., Derek C., Jimmy C., Julia M., Mark Z.
Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.

Hands-On Microsoft Windows Server 2008 Chapter 1 Introduction to Windows Server 2008.
This presentation will guide you though the initial stages of installation, through to producing your first report Click your mouse to advance the presentation.

This presentation will guide you though the initial stages of installation, through to producing your first report Click your mouse to advance the presentation.
(2011) Security Breach Compromises 75,000 Staff/Student Social Security Numbers Image from this Site Presenters: Aron Eisold, Matt Mickelson, Bryce Nelson,

(2011) Security Breach Compromises 75,000 Staff/Student Social Security Numbers Image from this Site Presenters: Aron Eisold, Matt Mickelson, Bryce Nelson,
Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 

Jim McLeod MyDBA  SQL Server Performance Tuning Consultant with MyDBA  Microsoft Certified Trainer with SQLskills Australia 
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Oracle Application Express 3.0 Joel R. Kallman Software Development Manager.

Oracle Application Express 3.0 Joel R. Kallman Software Development Manager.
SEC835 Practical aspects of security implementation Part 1.

SEC835 Practical aspects of security implementation Part 1.
ArcGIS Server for Administrators

ArcGIS Server for Administrators
Lecture 19 Page 1 CS 236 Online 16. Account Monitoring and Control Why it’s important: –Inactive accounts are often attacker’s path into your system –Nobody’s.

Lecture 19 Page 1 CS 236 Online 16. Account Monitoring and Control Why it’s important: –Inactive accounts are often attacker’s path into your system –Nobody’s.
NT SECURITY Introduction Security features of an operating system revolve around the principles of “Availability,” “Integrity,” and Confidentiality. For.

NT SECURITY Introduction Security features of an operating system revolve around the principles of “Availability,” “Integrity,” and Confidentiality. For.
Database Security. Multi-user database systems like Oracle include security to control how the database is accessed and used for example security Mechanisms:

Database Security. Multi-user database systems like Oracle include security to control how the database is accessed and used for example security Mechanisms:
Workforce Scheduling Release 5.0 for Windows Implementation Overview OWS Development Team.

Workforce Scheduling Release 5.0 for Windows Implementation Overview OWS Development Team.
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.

Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
Role Of Network IDS in Network Perimeter Defense.

Role Of Network IDS in Network Perimeter Defense.
(2011) Security Breach Compromises 75,000 Staff/Student Social Security Numbers Image from this Site Presenters: Aron Eisold, Matt Mickelson, Bryce Nelson,

(2011) Security Breach Compromises 75,000 Staff/Student Social Security Numbers Image from this Site Presenters: Aron Eisold, Matt Mickelson, Bryce Nelson,

Similar presentations

Ads by Google