Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |
What's New in MySQL 5.7 Security
Harin Vadodaria, Developer, MySQL Server General Team
March 11, 2016
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.
Program Agenda
1. New Security Features in MySQL 5.7
2. Questions & Answers
Security features at a glance
• Code Refactoring
• Secure By Default
• Communication Security
• Encryption
• User Activity Control
• User Management
User Management
• Password rotation policy
• Disabling user login
• ALTER USER enhancements
Password Rotation Policy
• Set per account through ALTER USER (also accepted by CREATE USER); three choices: NEVER, DEFAULT, or a specific interval
• PASSWORD EXPIRE NEVER
  – Only where rotation is not a concern for that account
• PASSWORD EXPIRE DEFAULT
  – Follows the global variable default_password_lifetime
  – Caveat: that global defaulted to 360 days in 5.7.4 through 5.7.10 and to 0 (no expiry) from 5.7.11; check its value after an upgrade, or accounts can expire without anyone having asked for it
• PASSWORD EXPIRE INTERVAL <NUM> DAY
  – Useful for critical accounts
Disabling Login for User Accounts
• New authentication plugin
  – mysql_no_login
  – Just like shell=/bin/false: the account exists and can own objects, but nobody can authenticate as it
  – It is a loadable plugin: run INSTALL PLUGIN mysql_no_login SONAME 'mysql_no_login.so' (.dll on Windows) before creating such accounts
• CREATE USER nologin@localhost IDENTIFIED WITH 'mysql_no_login'
• Useful for: proxy users, and DEFINER accounts for stored programs and views
User Management
• Enhanced ALTER USER support
  – Change credentials
  – Change authentication plugin
  – Change SSL certificate requirements (REQUIRE SSL / X509 / ISSUER / SUBJECT / CIPHER)
  – Change resource limits (MAX_QUERIES_PER_HOUR, MAX_USER_CONNECTIONS, ...)
  – Temporarily lock a user account (ACCOUNT LOCK / ACCOUNT UNLOCK)
• Making the server OFFLINE (offline_mode=ON)
  – Only users with the SUPER privilege can connect
  – All other connections are killed
• Super read-only mode (super_read_only=ON)
  – Makes the server READ ONLY even for users with the SUPER privilege, so an administrator cannot write to a replica by mistake
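Putting the three account-management features above together, as an added example that is not from the slides; the account names, hosts and passwords are illustrative:

```sql
-- Added example (not from the slides): exercising the 5.7 account-policy
-- features. Account names, hosts and passwords are illustrative.

-- Global rotation period used by PASSWORD EXPIRE DEFAULT (0 = never expire).
SET GLOBAL default_password_lifetime = 90;

-- A service account that must rotate every 30 days, created locked so it
-- cannot be used before the application is actually deployed.
CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY 'S3rv1ce-Pa55w0rd'
  PASSWORD EXPIRE INTERVAL 30 DAY
  ACCOUNT LOCK;

-- A DBA account that simply follows the global policy.
CREATE USER 'dba'@'localhost' IDENTIFIED BY 'Adm1n-Pa55w0rd'
  PASSWORD EXPIRE DEFAULT;

-- Unlock once the application is live; nothing else about the account changes.
ALTER USER 'app'@'10.0.0.%' ACCOUNT UNLOCK;

-- Force a rotation right now: the next login is sandboxed until the user
-- runs SET PASSWORD / ALTER USER ... IDENTIFIED BY.
ALTER USER 'dba'@'localhost' PASSWORD EXPIRE;

-- mysql_no_login is a loadable plugin; install it once per server.
INSTALL PLUGIN mysql_no_login SONAME 'mysql_no_login.so';

-- Definer-only account: routines and views can run with its privileges,
-- but no client can ever authenticate as it.
CREATE USER 'definer'@'localhost' IDENTIFIED WITH mysql_no_login;

-- Verify the policy actually landed. These mysql.user columns are the ones
-- 5.7 added or changed for the features above.
SELECT user, host, plugin, password_expired, password_lifetime, account_locked
FROM mysql.user
WHERE user IN ('app', 'dba', 'definer');
```

A NULL password_lifetime means the account uses the global default; 0 means PASSWORD EXPIRE NEVER. Locking rather than dropping a suspect account keeps its grants and the objects it owns intact while you investigate.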
User Activity Control
• MySQL Enterprise Firewall
• Audit Log Plugin
Firewall Plugin
• Learned during RECORDING, so allowed:
  SELECT info FROM customer WHERE cust_id=123
• Rejected in PROTECTING mode, because the injected predicate changes the statement shape:
  SELECT info FROM customer WHERE cust_id=123 or 1=1
Firewall Plugin
• Engine
  – Compares each incoming statement with the allowlist of statements learned for that account
  – Per-account configuration
    • Modes: OFF (disabled), RECORDING, PROTECTING
  – Comparison is by statement digest, not by raw SQL text
• Statement Cache
  – Works on normalized SQL statements: literals are replaced by placeholders
    • SELECT info FROM customer WHERE cust_id = 123 => SELECT info FROM customer WHERE cust_id = ?
  – Generates a hash from the normalized SQL
  – In-memory cache: fast lookup on every statement
  – Consequence: "cust_id = 123 or 1=1" normalizes to "cust_id = ? or ? = ?", a different digest, so it is rejected unless that exact shape was recorded as well
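The RECORDING-then-PROTECTING workflow for one account, as an added example not taken from the slides. It assumes MySQL Enterprise Firewall (an Enterprise Edition feature) is installed together with its mysql.sp_set_firewall_mode() procedure and normalize_statement() function; the account name is illustrative.

```sql
-- Added example (not from the slides): training and then enforcing the
-- firewall for a single account. Assumes the Enterprise Firewall plugin,
-- its mysql.* tables and helper routines are installed. Account name is
-- illustrative.

-- Confirm the plugin is loaded and globally enabled.
SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode';

-- 1. Learn: record every statement shape the application issues while a
--    representative test run (every code path!) is executed against it.
CALL mysql.sp_set_firewall_mode('app@10.0.0.%', 'RECORDING');
-- ... run the application here; e.g. it issues
--     SELECT info FROM customer WHERE cust_id = 123;

-- Inspect what was learned: rules are stored already normalized, with '?'
-- in place of literals.
SELECT rule FROM mysql.firewall_whitelist WHERE userhost = 'app@10.0.0.%';

-- 2. Enforce: any statement whose digest is not in the allowlist is
--    rejected with an error before it executes.
CALL mysql.sp_set_firewall_mode('app@10.0.0.%', 'PROTECTING');

-- 3. Why the injection is caught: the engine compares the normalized form,
--    not the raw text. The second statement produces a different digest.
SELECT normalize_statement('SELECT info FROM customer WHERE cust_id = 123')
       AS legitimate;
SELECT normalize_statement('SELECT info FROM customer WHERE cust_id = 123 OR 1 = 1')
       AS injected;

-- 4. Operate: watch the counters while in PROTECTING mode; a rising
--    Firewall_access_denied with no application change is worth an alert.
SHOW GLOBAL STATUS LIKE 'Firewall_%';
SELECT userhost, mode FROM mysql.firewall_users;
```

The training run must cover every statement shape the application can emit; anything missed is blocked the moment PROTECTING is switched on, so stage the switch on a replica or with a rollback plan, and re-record after every application release that changes its queries.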
Audit Log: Event Filtering
• Filtering by account name
  – SET GLOBAL audit_log_include_account = 'admin@localhost';
  – SET GLOBAL audit_log_exclude_account = 'auditor@localhost';
  – Only one of the two can be non-NULL at a time; set the other to NULL first
• Filtering on connection events
  – SET GLOBAL audit_log_connection_policy = ERRORS;
• Filtering on statement status
  – SET GLOBAL audit_log_statement_policy = ALL;
  – Both policies accept ALL, ERRORS or NONE
• Better instrumentation (status variables)
  – Audit_log_events
  – Audit_log_events_filtered
  – Audit_log_events_written
Encryption
• Enhancements in AES encryption
• Enterprise Encryption Plugin
AES Encryption: Enhanced
• Support for more secure block modes than the default ECB
  – CBC, CFB1, CFB8, CFB128, OFB
  – Support varies between OpenSSL and yaSSL builds (yaSSL offers only ECB and CBC)
  – These modes take an IV: AES_ENCRYPT(str, key_str, init_vector)
• Support for longer key sizes
  – 192 and 256 bits, in addition to 128
• Controlled via the block_encryption_mode system variable
  – e.g. "aes-256-cbc", "aes-256-ofb"
  – The default is still aes-128-ecb; existing applications are unaffected until the variable is changed
• Ported to 5.6 as well (5.6.17)
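Using a chained mode with AES_ENCRYPT()/AES_DECRYPT(), as an added example that is not from the slides; the passphrase, table and card number are constructed for illustration.

```sql
-- Added example (not from the slides): AES_ENCRYPT()/AES_DECRYPT() under a
-- non-default block_encryption_mode. Passphrase, table and card number are
-- constructed for illustration.

-- The default aes-128-ecb uses no IV: equal plaintext blocks give equal
-- ciphertext blocks. Switch this session to CBC with a 256-bit key.
SET SESSION block_encryption_mode = 'aes-256-cbc';

-- Derive exactly 32 key bytes. AES_ENCRYPT() folds an over-long key by XOR
-- rather than hashing it, so never pass a raw passphrase of arbitrary length.
SET @key = UNHEX(SHA2('correct horse battery staple', 256));

-- CBC/CFB/OFB modes need a 16-byte IV. It is not secret, but it must be
-- fresh for every encryption and stored next to the ciphertext.
SET @iv = RANDOM_BYTES(16);

SET @ct = AES_ENCRYPT('4111-1111-1111-1111', @key, @iv);

-- Round trip: same mode, key and IV recover the plaintext.
SELECT CAST(AES_DECRYPT(@ct, @key, @iv) AS CHAR) AS plaintext;

-- A wrong IV raises no error: with CBC only the first 16 bytes come back
-- corrupted and the rest decrypts normally. AES_ENCRYPT() is not
-- authenticated encryption; add your own integrity check if tampering matters.
SELECT HEX(AES_DECRYPT(@ct, @key, RANDOM_BYTES(16))) AS wrong_iv;

-- Store the IV with the ciphertext, both in binary columns (never CHAR).
CREATE TABLE card (
  id  INT PRIMARY KEY,
  iv  VARBINARY(16) NOT NULL,
  pan VARBINARY(64) NOT NULL
);
INSERT INTO card VALUES (1, @iv, @ct);

SELECT id, CAST(AES_DECRYPT(pan, @key, iv) AS CHAR) AS pan FROM card;
```

Because the key travels inside the SQL text, it can end up in the general log, the slow log and, under statement-based replication, the binary log; keep those in mind before choosing in-database encryption over encryption in the application.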
Enterprise Encryption Plugin
• SQL interface to OpenSSL public-key functions
  – Key generation for RSA, DSA and DH; encryption/decryption with RSA; signing with RSA or DSA; shared-secret derivation with DH
  – Configurable key size
• Standard PEM format for generated keys
  – Compatible with external tools (openssl, application code)
• Useful for encrypting selected data
  – RSA can only encrypt key size in bytes minus 11 (245 bytes for a 2048-bit key), so use it to protect a symmetric key or a small secret, not bulk data
Enterprise Encryption Plugin
• Creating asymmetric key pairs: one for the signer (s) and one for the recipient (d)
  – SET @priv_key_s = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 2048);
  – SET @pub_key_s = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv_key_s);
  – SET @priv_key_d = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 2048);
  – SET @pub_key_d = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv_key_d);
• Share the public keys across multiple servers; the private keys stay on the server that generated them
Enterprise Encryption Plugin
• Sender (holds @priv_key_s and the recipient's @pub_key_d)
  – Encryption, digest creation and signature
    • SET @enc_text = ASYMMETRIC_ENCRYPT('RSA', 'FooBar', @pub_key_d);
    • SET @text_digest = CREATE_DIGEST('SHA512', 'FooBar');
    • SET @signature = ASYMMETRIC_SIGN('RSA', @text_digest, @priv_key_s, 'SHA512');
  – @enc_text and @signature can then cross an unencrypted channel
• Recipient (holds @priv_key_d and the sender's @pub_key_s)
  – Decryption, signature verification
    • SET @plain_text = ASYMMETRIC_DECRYPT('RSA', @enc_text, @priv_key_d);
    • SET @text_digest = CREATE_DIGEST('SHA512', @plain_text);
    • SET @verify = ASYMMETRIC_VERIFY('RSA', @text_digest, @signature, @pub_key_s, 'SHA512');
  – @verify is 1 only when the signature matches the recomputed digest; anything else means the data was altered or did not come from the holder of @priv_key_s, so check it before using @plain_text
Communication Security
• Server/client support for encrypted connections
• TLSv1.1/1.2 support
• Enforcing encrypted connections
Communication Security
• Server: encrypted connections supported by default
  – Automatic generation of TLS certificates and keys when none are configured
    • Enterprise server (OpenSSL build): at server start-up
    • Community server (yaSSL build): through the mysql_ssl_rsa_setup utility, which calls the openssl command
  – Caveat: the generated certificates are self-signed under a throwaway CA; they give you encryption, but a client can only verify the server if it is handed that generated ca.pem, so use certificates from your own CA in production
• Clients (libmysql based): attempt a TLS connection by default
• More information in the server log about the TLS setup phase
  – CA certificate status
  – Possible reason for TLS support failure
Communication Security
• TLSv1.1/TLSv1.2 support
  – New option --tls-version to control the accepted protocol versions (server and client)
  – TLSv1.2 requires an OpenSSL build; yaSSL builds stop at TLSv1.1
  – Weak ciphers disabled
• Multi-state SSL option for clients: --ssl-mode
  – Modes: DISABLED, PREFERRED (default), REQUIRED, VERIFY_CA, VERIFY_IDENTITY
  – Backwards compatible with the legacy options --ssl and --ssl-verify-server-cert
  – Caveat: PREFERRED silently falls back to plaintext when TLS cannot be negotiated, and REQUIRED encrypts without checking who the server is; only VERIFY_CA and VERIFY_IDENTITY stop an active attacker
• Enforcing secure connections
  – Server: --require-secure-transport for all TCP clients, or per account with REQUIRE SSL / REQUIRE X509
  – Client: --ssl-mode=REQUIRED/VERIFY_CA/VERIFY_IDENTITY
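Checking which sessions are actually encrypted and enforcing TLS from the SQL side, as an added example that is not from the slides; the account names are illustrative, and the Performance Schema query assumes 5.7.6 or later, where status_by_thread exists.

```sql
-- Added example (not from the slides): verifying and enforcing encrypted
-- connections on a 5.7 server. Account names are illustrative; the
-- Performance Schema query needs 5.7.6+ (status_by_thread).

-- Did the server manage to set up TLS at start-up? 'YES' means usable;
-- 'DISABLED' means the certificate/key files were missing or rejected
-- (the error log says which).
SHOW GLOBAL VARIABLES LIKE 'have_ssl';
SHOW GLOBAL VARIABLES
  WHERE Variable_name IN ('tls_version', 'ssl_ca', 'ssl_cert', 'ssl_key');

-- Is THIS session encrypted? Ssl_cipher is empty on a plaintext connection,
-- which is exactly what --ssl-mode=PREFERRED falls back to.
SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_version', 'Ssl_cipher');

-- Which connected clients are still talking in the clear? Do this before
-- enforcing anything, so you know who will break.
SELECT t.processlist_user, t.processlist_host,
       IF(s.variable_value = '', 'PLAINTEXT', s.variable_value) AS ssl_cipher
FROM performance_schema.threads t
JOIN performance_schema.status_by_thread s
  ON s.thread_id = t.thread_id AND s.variable_name = 'Ssl_cipher'
WHERE t.processlist_user IS NOT NULL
ORDER BY ssl_cipher, t.processlist_user;

-- Per-account enforcement: independent of the global switch.
ALTER USER 'app'@'10.0.0.%' REQUIRE SSL;
-- Stronger: the client must also present a certificate signed by the CA
-- the server trusts (mutual TLS).
ALTER USER 'batch'@'10.0.0.%' REQUIRE X509;

-- Server-wide enforcement: every non-TLS TCP connection is refused.
-- Unix socket and shared-memory connections still count as secure.
-- The variable is dynamic; persist it in my.cnf as well.
SET GLOBAL require_secure_transport = ON;
```

Per-account REQUIRE clauses are the safer first step: you can migrate one application at a time and watch the plaintext list above shrink to zero before flipping require_secure_transport, which cuts off every straggler at once.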
Secure By Default
• Better access control
• Secure packages
• Restricted data import/export
Secure By Default
• Motivation
  – Help users avoid common mistakes that may cause data loss or leakage
  – Decrease the MySQL attack surface
  – Open to limited and authorized use by default
  – Low usability impact
  – Relaxing security must be an explicit and conscious decision
Secure By Default
• Stricter access control
  – Single root account with a random password (generated by --initialize, written to the error log, and marked expired so it must be changed at first login)
  – No anonymous accounts
• Packages
  – No tests and demos shipped with server/client
  – Separate packages for tests and demos
  – Stricter permissions on deployed files
• Data import/export restrictions
  – Restricted to one directory through the --secure-file-priv default (applies to LOAD DATA, SELECT ... INTO OUTFILE and LOAD_FILE())
  – Possible to disable import/export completely: secure_file_priv=NULL
  – Caveat: an empty value means no restriction at all; check SHOW VARIABLES LIKE 'secure_file_priv' after upgrading
Code Refactoring
• Removal of legacy hash/encryption methods
• Uniform credential storage framework
• Tools refactoring
Code Refactoring
• Removal of pre-4.1 password support
  – Insecure way of generating password hashes (the mysql_old_password plugin)
  – Upgrade flags and disables such accounts
• Password v/s authentication string
  – All authentication plugins are treated equally
  – Removal of the PASSWORD column from the mysql.user table; only authentication_string remains
  – Dependency on @@old_passwords is gone
• Removal of weak encryption functions
  – ENCODE()/DECODE() are deprecated in favour of AES_ENCRYPT()/AES_DECRYPT()
Code Refactoring
• Server installation through mysqld --initialize
  – mysql_install_db deprecated
• mysql_upgrade: no longer dependent on external libraries
• mysql_secure_installation: now a C program (previously a Perl script)
Questions &
Answers
Mysql user-camp-march-11th-2016

More Related Content

What's hot

MySQL Community and Commercial Edition
MySQL Community and Commercial EditionMySQL Community and Commercial Edition
MySQL Community and Commercial EditionMario Beck
 
Pl17: MySQL 8.0: security
Pl17: MySQL 8.0: securityPl17: MySQL 8.0: security
Pl17: MySQL 8.0: securityGeorgi Kodinov
 
2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL ServerGeorgi Kodinov
 
MySQL Enterprise Monitor
MySQL Enterprise MonitorMySQL Enterprise Monitor
MySQL Enterprise MonitorMario Beck
 
MySQL 5.7: What's New, Nov. 2015
MySQL 5.7: What's New, Nov. 2015MySQL 5.7: What's New, Nov. 2015
MySQL 5.7: What's New, Nov. 2015Mario Beck
 
MySQL Tech Tour 2015 - 5.7 Whats new
MySQL Tech Tour 2015 - 5.7 Whats newMySQL Tech Tour 2015 - 5.7 Whats new
MySQL Tech Tour 2015 - 5.7 Whats newMark Swarbrick
 
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...Olivier DASINI
 
OUGLS 2016: How profiling works in MySQL
OUGLS 2016: How profiling works in MySQLOUGLS 2016: How profiling works in MySQL
OUGLS 2016: How profiling works in MySQLGeorgi Kodinov
 
TWJUG August, MySQL JDBC Driver "Connector/J"
TWJUG August, MySQL JDBC Driver "Connector/J"TWJUG August, MySQL JDBC Driver "Connector/J"
TWJUG August, MySQL JDBC Driver "Connector/J"Ryusuke Kajiyama
 
5 razões estratégicas para usar MySQL
5 razões estratégicas para usar MySQL5 razões estratégicas para usar MySQL
5 razões estratégicas para usar MySQLMySQL Brasil
 
MySQL Day Paris 2018 - Introduction & The State of the Dolphin
MySQL Day Paris 2018 - Introduction & The State of the DolphinMySQL Day Paris 2018 - Introduction & The State of the Dolphin
MySQL Day Paris 2018 - Introduction & The State of the DolphinOlivier DASINI
 
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...Sumit Gupta
 
Introduction to MySQL
Introduction to MySQLIntroduction to MySQL
Introduction to MySQLTed Wennmark
 
MySQL Manchester TT - Security
MySQL Manchester TT  - SecurityMySQL Manchester TT  - Security
MySQL Manchester TT - SecurityMark Swarbrick
 
MySQL Cloud Service Deep Dive
MySQL Cloud Service Deep DiveMySQL Cloud Service Deep Dive
MySQL Cloud Service Deep DiveMorgan Tocker
 
TWJUG August, What's new in MySQL 5.7 RC
TWJUG August, What's new in MySQL 5.7 RCTWJUG August, What's new in MySQL 5.7 RC
TWJUG August, What's new in MySQL 5.7 RCRyusuke Kajiyama
 
MySQL Cloud Service
MySQL Cloud ServiceMySQL Cloud Service
MySQL Cloud ServiceMario Beck
 
Oracle EM12c Release 4 New Features!
Oracle EM12c Release 4 New Features!Oracle EM12c Release 4 New Features!
Oracle EM12c Release 4 New Features!Kellyn Pot'Vin-Gorman
 
MySQL 5.7 Replication News
MySQL 5.7 Replication News MySQL 5.7 Replication News
MySQL 5.7 Replication News Ted Wennmark
 

What's hot (20)

MySQL Community and Commercial Edition
MySQL Community and Commercial EditionMySQL Community and Commercial Edition
MySQL Community and Commercial Edition
 
Pl17: MySQL 8.0: security
Pl17: MySQL 8.0: securityPl17: MySQL 8.0: security
Pl17: MySQL 8.0: security
 
2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server
 
MySQL Enterprise Monitor
MySQL Enterprise MonitorMySQL Enterprise Monitor
MySQL Enterprise Monitor
 
MySQL 5.7: What's New, Nov. 2015
MySQL 5.7: What's New, Nov. 2015MySQL 5.7: What's New, Nov. 2015
MySQL 5.7: What's New, Nov. 2015
 
MySQL Tech Tour 2015 - 5.7 Whats new
MySQL Tech Tour 2015 - 5.7 Whats newMySQL Tech Tour 2015 - 5.7 Whats new
MySQL Tech Tour 2015 - 5.7 Whats new
 
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...
MySQL Day Paris 2018 - MySQL InnoDB Cluster; A complete High Availability sol...
 
OUGLS 2016: How profiling works in MySQL
OUGLS 2016: How profiling works in MySQLOUGLS 2016: How profiling works in MySQL
OUGLS 2016: How profiling works in MySQL
 
TWJUG August, MySQL JDBC Driver "Connector/J"
TWJUG August, MySQL JDBC Driver "Connector/J"TWJUG August, MySQL JDBC Driver "Connector/J"
TWJUG August, MySQL JDBC Driver "Connector/J"
 
5 razões estratégicas para usar MySQL
5 razões estratégicas para usar MySQL5 razões estratégicas para usar MySQL
5 razões estratégicas para usar MySQL
 
MySQL Day Paris 2018 - Introduction & The State of the Dolphin
MySQL Day Paris 2018 - Introduction & The State of the DolphinMySQL Day Paris 2018 - Introduction & The State of the Dolphin
MySQL Day Paris 2018 - Introduction & The State of the Dolphin
 
Oracle VM - the Heart of Oracle Cloud
Oracle VM - the Heart of Oracle CloudOracle VM - the Heart of Oracle Cloud
Oracle VM - the Heart of Oracle Cloud
 
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...
 
Introduction to MySQL
Introduction to MySQLIntroduction to MySQL
Introduction to MySQL
 
MySQL Manchester TT - Security
MySQL Manchester TT  - SecurityMySQL Manchester TT  - Security
MySQL Manchester TT - Security
 
MySQL Cloud Service Deep Dive
MySQL Cloud Service Deep DiveMySQL Cloud Service Deep Dive
MySQL Cloud Service Deep Dive
 
TWJUG August, What's new in MySQL 5.7 RC
TWJUG August, What's new in MySQL 5.7 RCTWJUG August, What's new in MySQL 5.7 RC
TWJUG August, What's new in MySQL 5.7 RC
 
MySQL Cloud Service
MySQL Cloud ServiceMySQL Cloud Service
MySQL Cloud Service
 
Oracle EM12c Release 4 New Features!
Oracle EM12c Release 4 New Features!Oracle EM12c Release 4 New Features!
Oracle EM12c Release 4 New Features!
 
MySQL 5.7 Replication News
MySQL 5.7 Replication News MySQL 5.7 Replication News
MySQL 5.7 Replication News
 

Similar to Mysql user-camp-march-11th-2016

2015: Whats New in MySQL 5.7, At Oracle Open World, November 3rd, 2015
2015: Whats New in MySQL 5.7, At Oracle Open World, November 3rd, 2015 2015: Whats New in MySQL 5.7, At Oracle Open World, November 3rd, 2015
2015: Whats New in MySQL 5.7, At Oracle Open World, November 3rd, 2015 Geir Høydalsvik
 
MySQL for Oracle DBAs
MySQL for Oracle DBAsMySQL for Oracle DBAs
MySQL for Oracle DBAsBen Krug
 
Netherlands Tech Tour 02 - MySQL Fabric
Netherlands Tech Tour 02 -   MySQL FabricNetherlands Tech Tour 02 -   MySQL Fabric
Netherlands Tech Tour 02 - MySQL FabricMark Swarbrick
 
1 my sql20151219-kaji_ivan
1 my sql20151219-kaji_ivan1 my sql20151219-kaji_ivan
1 my sql20151219-kaji_ivanIvan Tu
 
OUGLS 2016: Guided Tour On The MySQL Source Code
OUGLS 2016: Guided Tour On The MySQL Source CodeOUGLS 2016: Guided Tour On The MySQL Source Code
OUGLS 2016: Guided Tour On The MySQL Source CodeGeorgi Kodinov
 
MySQL Manchester TT - Performance Tuning
MySQL Manchester TT  - Performance TuningMySQL Manchester TT  - Performance Tuning
MySQL Manchester TT - Performance TuningMark Swarbrick
 
MySQL for Software-as-a-Service (SaaS)
MySQL for Software-as-a-Service (SaaS)MySQL for Software-as-a-Service (SaaS)
MySQL for Software-as-a-Service (SaaS)Mario Beck
 
Představení Oracle SPARC Miniclusteru
Představení Oracle SPARC MiniclusteruPředstavení Oracle SPARC Miniclusteru
Představení Oracle SPARC MiniclusteruMarketingArrowECS_CZ
 
MySQL Day Paris 2016 - Introducing Oracle MySQL Cloud Service
MySQL Day Paris 2016 - Introducing Oracle MySQL Cloud ServiceMySQL Day Paris 2016 - Introducing Oracle MySQL Cloud Service
MySQL Day Paris 2016 - Introducing Oracle MySQL Cloud ServiceOlivier DASINI
 
MySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise EditionMySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise EditionOlivier DASINI
 
Basic MySQL Troubleshooting for Oracle DBAs
Basic MySQL Troubleshooting for Oracle DBAsBasic MySQL Troubleshooting for Oracle DBAs
Basic MySQL Troubleshooting for Oracle DBAsSveta Smirnova
 
MySQL Enterprise Portfolio
MySQL Enterprise PortfolioMySQL Enterprise Portfolio
MySQL Enterprise PortfolioAbel Flórez
 
Modern Data Security with MySQL
Modern Data Security with MySQLModern Data Security with MySQL
Modern Data Security with MySQLVittorio Cioe
 
MySQL & Oracle Linux Keynote at Open Source India 2014
MySQL & Oracle Linux Keynote at Open Source India 2014MySQL & Oracle Linux Keynote at Open Source India 2014
MySQL & Oracle Linux Keynote at Open Source India 2014Sanjay Manwani
 
MySQL :What's New #GIDS16
MySQL :What's New #GIDS16MySQL :What's New #GIDS16
MySQL :What's New #GIDS16Sanjay Manwani
 
Visualizing Kafka Security
Visualizing Kafka SecurityVisualizing Kafka Security
Visualizing Kafka SecurityDataWorks Summit
 
RMOUG MySQL 5.7 New Features
RMOUG MySQL 5.7 New FeaturesRMOUG MySQL 5.7 New Features
RMOUG MySQL 5.7 New FeaturesDave Stokes
 
MySQL Web Reference Architecture
MySQL Web Reference Architecture MySQL Web Reference Architecture
MySQL Web Reference Architecture Ricky Setyawan
 
Oracle Database Security: Top 10 Things You Could & Should Be Doing Differently
Oracle Database Security: Top 10 Things You Could & Should Be Doing DifferentlyOracle Database Security: Top 10 Things You Could & Should Be Doing Differently
Oracle Database Security: Top 10 Things You Could & Should Be Doing DifferentlyPythian
 
MySQL Enterprise Edition Portfolio
MySQL Enterprise Edition PortfolioMySQL Enterprise Edition Portfolio
MySQL Enterprise Edition PortfolioMySQL Brasil
 

Similar to Mysql user-camp-march-11th-2016 (20)

2015: Whats New in MySQL 5.7, At Oracle Open World, November 3rd, 2015
2015: Whats New in MySQL 5.7, At Oracle Open World, November 3rd, 2015 2015: Whats New in MySQL 5.7, At Oracle Open World, November 3rd, 2015
2015: Whats New in MySQL 5.7, At Oracle Open World, November 3rd, 2015
 
MySQL for Oracle DBAs
MySQL for Oracle DBAsMySQL for Oracle DBAs
MySQL for Oracle DBAs
 
Netherlands Tech Tour 02 - MySQL Fabric
Netherlands Tech Tour 02 -   MySQL FabricNetherlands Tech Tour 02 -   MySQL Fabric
Netherlands Tech Tour 02 - MySQL Fabric
 
1 my sql20151219-kaji_ivan
1 my sql20151219-kaji_ivan1 my sql20151219-kaji_ivan
1 my sql20151219-kaji_ivan
 
OUGLS 2016: Guided Tour On The MySQL Source Code
OUGLS 2016: Guided Tour On The MySQL Source CodeOUGLS 2016: Guided Tour On The MySQL Source Code
OUGLS 2016: Guided Tour On The MySQL Source Code
 
MySQL Manchester TT - Performance Tuning
MySQL Manchester TT  - Performance TuningMySQL Manchester TT  - Performance Tuning
MySQL Manchester TT - Performance Tuning
 
MySQL for Software-as-a-Service (SaaS)
MySQL for Software-as-a-Service (SaaS)MySQL for Software-as-a-Service (SaaS)
MySQL for Software-as-a-Service (SaaS)
 
Představení Oracle SPARC Miniclusteru
Představení Oracle SPARC MiniclusteruPředstavení Oracle SPARC Miniclusteru
Představení Oracle SPARC Miniclusteru
 
MySQL Day Paris 2016 - Introducing Oracle MySQL Cloud Service
MySQL Day Paris 2016 - Introducing Oracle MySQL Cloud ServiceMySQL Day Paris 2016 - Introducing Oracle MySQL Cloud Service
MySQL Day Paris 2016 - Introducing Oracle MySQL Cloud Service
 
MySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise EditionMySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise Edition
 
Basic MySQL Troubleshooting for Oracle DBAs
Basic MySQL Troubleshooting for Oracle DBAsBasic MySQL Troubleshooting for Oracle DBAs
Basic MySQL Troubleshooting for Oracle DBAs
 
MySQL Enterprise Portfolio
MySQL Enterprise PortfolioMySQL Enterprise Portfolio
MySQL Enterprise Portfolio
 
Modern Data Security with MySQL
Modern Data Security with MySQLModern Data Security with MySQL
Modern Data Security with MySQL
 
MySQL & Oracle Linux Keynote at Open Source India 2014
MySQL & Oracle Linux Keynote at Open Source India 2014MySQL & Oracle Linux Keynote at Open Source India 2014
MySQL & Oracle Linux Keynote at Open Source India 2014
 
MySQL :What's New #GIDS16
MySQL :What's New #GIDS16MySQL :What's New #GIDS16
MySQL :What's New #GIDS16
 
Visualizing Kafka Security
Visualizing Kafka SecurityVisualizing Kafka Security
Visualizing Kafka Security
 
RMOUG MySQL 5.7 New Features
RMOUG MySQL 5.7 New FeaturesRMOUG MySQL 5.7 New Features
RMOUG MySQL 5.7 New Features
 
MySQL Web Reference Architecture
MySQL Web Reference Architecture MySQL Web Reference Architecture
MySQL Web Reference Architecture
 
Oracle Database Security: Top 10 Things You Could & Should Be Doing Differently
Oracle Database Security: Top 10 Things You Could & Should Be Doing DifferentlyOracle Database Security: Top 10 Things You Could & Should Be Doing Differently
Oracle Database Security: Top 10 Things You Could & Should Be Doing Differently
 
MySQL Enterprise Edition Portfolio
MySQL Enterprise Edition PortfolioMySQL Enterprise Edition Portfolio
MySQL Enterprise Edition Portfolio
 

Recently uploaded

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Recently uploaded (20)

Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Mysql user-camp-march-11th-2016

  • 9. User Management
    • Enhanced ALTER USER support
      – Change credentials
      – Change the authentication plugin
      – Change SSL certificate requirements (REQUIRE clause)
      – Change resource limits (WITH MAX_... clause)
      – Temporarily lock a user account (ACCOUNT LOCK / ACCOUNT UNLOCK)
    • Making the server OFFLINE (offline_mode)
      – Only users with the SUPER privilege can connect
      – All other connections are killed
    • SUPER read-only mode (super_read_only)
      – Makes the server read-only even for users with the SUPER privilege
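    The slide lists what ALTER USER can now change but shows no statement. The following is an added example written for this page, not code from the deck: it exercises each item on an assumed account 'app'@'10.0.0.%' (the account, password, certificate names and limits are all assumptions), then walks through offline_mode and super_read_only.

```sql
-- Added example (not from the slide deck). The account 'app'@'10.0.0.%', the
-- password, and the certificate subject/issuer values are assumptions.

-- One ALTER USER covering the slide's first four items: new credential and
-- plugin, client-certificate requirements, resource limits, rotation policy.
ALTER USER 'app'@'10.0.0.%'
  IDENTIFIED WITH mysql_native_password BY 'Rot4te-me-now!'
  REQUIRE SUBJECT '/CN=app-client' AND ISSUER '/CN=internal-ca'
  WITH MAX_USER_CONNECTIONS 20 MAX_QUERIES_PER_HOUR 10000
  PASSWORD EXPIRE INTERVAL 90 DAY;

-- Fifth item: suspend the account during an investigation without dropping
-- grants or changing the password. Existing sessions are not killed.
ALTER USER 'app'@'10.0.0.%' ACCOUNT LOCK;

-- Verify the result from the grant table (these columns exist in 5.7.6+).
SELECT user, host, plugin, account_locked, password_expired, password_lifetime,
       ssl_type, x509_subject, max_user_connections
  FROM mysql.user
 WHERE user = 'app';

-- Re-enable the account later without touching anything else.
ALTER USER 'app'@'10.0.0.%' ACCOUNT UNLOCK;

-- Maintenance window: take the server offline. Only SUPER users may connect;
-- every other session is terminated. Setting it requires SUPER.
SET GLOBAL offline_mode = ON;

-- Protect a replica or a server under investigation: super_read_only = ON
-- implicitly sets read_only = ON and blocks writes even from SUPER accounts.
SET GLOBAL super_read_only = ON;
SHOW GLOBAL VARIABLES WHERE Variable_name IN ('offline_mode', 'read_only', 'super_read_only');

-- Back to normal service. Turning super_read_only off does not clear
-- read_only, so both are reset explicitly.
SET GLOBAL super_read_only = OFF;
SET GLOBAL read_only = OFF;
SET GLOBAL offline_mode = OFF;
```

    Locking is preferable to password changes for incident handling: the lock is reversible with one statement and leaves the credential history and grants untouched for the forensic record.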
  • 10. User Activity Control
    • MySQL Firewall
    • Audit Log Plugin
  • 11. Firewall Plugin
    (Diagram: the application's statement
      SELECT info FROM customer WHERE cust_id=123
    matches the recorded allowlist and passes, while the injected variant
      SELECT info FROM customer WHERE cust_id=123 or 1=1
    normalizes to a different digest and is rejected in PROTECTING mode.)
  • 12. Firewall Plugin
    • Engine
      – Compares incoming statements with the allowed set of statements (a per-account allowlist)
      – Per-user configuration
        • Modes: OFF, RECORDING, PROTECTING (5.7.10 adds DETECTING, which logs mismatches without blocking them)
      – Statement-digest based comparison
    • Statement cache
      – Uses normalized SQL statements: literals are replaced by ? and whitespace is canonicalized
        • SELECT info FROM customer WHERE cust_id = 123 => SELECT info FROM customer WHERE cust_id = ?
      – Generates a hash from the normalized SQL
      – In-memory cache: faster lookup
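    The slide describes the engine but not the operator workflow. The following added example, written for this page and not taken from the deck, trains and then enforces the firewall for one assumed account 'app@localhost'; the application statement shown is constructed, and the Enterprise Firewall plugin is assumed to be installed already.

```sql
-- Added example (not from the slide deck). 'app@localhost' and the statement
-- it runs are assumptions for illustration.

-- 1. Start recording: every distinct statement digest seen from app@localhost
--    is added to that account's allowlist.
CALL mysql.sp_set_firewall_mode('app@localhost', 'RECORDING');

-- 2. Exercise the application as app@localhost so its normal queries are seen.
--    This constructed statement, for instance, is stored normalized as
--    "SELECT info FROM customer WHERE cust_id = ?":
--    SELECT info FROM customer WHERE cust_id = 123;

-- 3. Review what was learned before trusting it. Anything unexpected here
--    (an ad-hoc query, or an injection attempt made during the training
--    window) becomes permanently allowed unless it is removed now.
SELECT userhost, rule
  FROM mysql.firewall_whitelist
 WHERE userhost = 'app@localhost';

-- 4. Switch to enforcement. Digests not in the allowlist are now rejected
--    with "Statement was blocked by Firewall".
CALL mysql.sp_set_firewall_mode('app@localhost', 'PROTECTING');

-- The injected variant "... WHERE cust_id=123 or 1=1" normalizes to
-- "SELECT info FROM customer WHERE cust_id = ? or ? = ?", a digest that was
-- never recorded, so it is blocked. Note the flip side: an attacker who can
-- only change literal values (cust_id=124 instead of 123) still matches the
-- recorded digest; the firewall constrains statement shape, not authorization.

-- 5. Watch the counters: a rising Firewall_access_denied is worth an alert.
SHOW GLOBAL STATUS LIKE 'Firewall_%';
```

    The training window is the weak point of any allowlist: keep it short, run it against a known-good workload, and diff mysql.firewall_whitelist against the statements the application is expected to issue before moving to PROTECTING.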
  • 13. Audit Log : Event Filtering
    • Filtering by account name
      – SET GLOBAL audit_log_include_account='admin@localhost';
      – SET GLOBAL audit_log_exclude_account='auditor@localhost';
      – The two variables are mutually exclusive: only one may be non-NULL at a time
    • Filtering on connection events
      – SET GLOBAL audit_log_connection_policy=ERRORS;
    • Filtering by statement status
      – SET GLOBAL audit_log_statement_policy=ALL;
    • Better instrumentation (status variables)
      – Audit_log_events
      – Audit_log_events_filtered
      – Audit_log_events_written
  • 14. Encryption
    • Enhancements in AES encryption
    • Enterprise Encryption Plugin
  • 15. AES Encryption : Enhanced
    • Support for block modes beyond the default ECB
      – CBC, CFB1, CFB8, CFB128, OFB
      – Support varies between OpenSSL and yaSSL builds (yaSSL offers only ECB and CBC)
      – The non-ECB modes take an initialization vector as the third argument of AES_ENCRYPT()/AES_DECRYPT()
    • Support for longer keys
      – 192 and 256 bits, in addition to 128
    • Controlled via the block_encryption_mode system variable
      – e.g. "aes-256-cbc", "aes-256-ofb"
    • Ported to 5.6 as well (5.6.17)
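    The slide names the new modes without showing why the default is a problem. The following added example, written for this page and not from the deck, makes the ECB leak visible, then repeats the operation in aes-256-cbc and shows a failure mode of CBC that a practitioner should know about. The fixed keys and the plaintext are constructed so the run is reproducible; a real key comes from a key-management system, not from SQL.

```sql
-- Added example (not from the slide deck). Keys and plaintext are constructed
-- constants for reproducibility only.

-- Default mode: aes-128-ecb. ECB encrypts every 16-byte block independently,
-- so two identical plaintext blocks yield two identical ciphertext blocks and
-- the structure of the data leaks even though the key is secret.
SET block_encryption_mode = 'aes-128-ecb';
SET @k128 = UNHEX('000102030405060708090a0b0c0d0e0f');   -- exactly 16 bytes
SET @two_blocks = REPEAT('A', 32);                        -- 2 x 16 identical bytes
SET @ecb_ct = AES_ENCRYPT(@two_blocks, @k128);
SELECT HEX(@ecb_ct) AS ecb_ct,
       SUBSTRING(HEX(@ecb_ct), 1, 32) = SUBSTRING(HEX(@ecb_ct), 33, 32) AS ecb_blocks_repeat;
-- ecb_blocks_repeat is true: the first two ciphertext blocks are identical.

-- aes-256-cbc with a random 16-byte IV: identical plaintext blocks no longer
-- produce identical ciphertext. The IV is not secret, but it must be unique
-- per message and stored next to the ciphertext, because decryption needs it.
SET block_encryption_mode = 'aes-256-cbc';
SET @k256 = UNHEX('000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f');
SET @iv   = RANDOM_BYTES(16);
SET @cbc_ct = AES_ENCRYPT(@two_blocks, @k256, @iv);
SELECT SUBSTRING(HEX(@cbc_ct), 1, 32) = SUBSTRING(HEX(@cbc_ct), 33, 32) AS cbc_blocks_repeat,
       AES_DECRYPT(@cbc_ct, @k256, @iv) = @two_blocks AS roundtrip_ok;
-- cbc_blocks_repeat is false, roundtrip_ok is true.

-- CBC provides confidentiality only. Decrypting with a wrong IV does not
-- fail: the first block comes back as garbage and the rest decrypts cleanly,
-- and a flipped ciphertext byte is likewise accepted. If tampering matters,
-- the application must store and verify a MAC alongside the ciphertext.
SELECT HEX(AES_DECRYPT(@cbc_ct, @k256, RANDOM_BYTES(16))) AS wrong_iv_silently_corrupted;
```

    Because block_encryption_mode is a session variable, make sure every session that reads a column encrypted this way sets the same mode; decrypting CBC data while the session still defaults to ECB silently yields NULL or garbage rather than an error.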
  • 16. Enterprise Encryption Plugin
    • SQL interface to OpenSSL functions
      – Supports RSA/DSA/DH algorithms
      – Configurable key size
    • Generated keys use the standard PEM format
      – Compatible with external tools
    • Useful for encrypting selected data
  • 17. Enterprise Encryption Plugin
    • Creating asymmetric key pairs (one for the sender, suffix _s, one for the destination, suffix _d)
      – SET @priv_key_s = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 2048);
      – SET @pub_key_s  = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv_key_s);
      – SET @priv_key_d = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 2048);
      – SET @pub_key_d  = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv_key_d);
    • Share the public keys across multiple servers; the private keys never leave the server that generated them
  • 18. Enterprise Encryption Plugin
    (Diagram: the sender and the destination exchange the encrypted text and the signature over an unencrypted channel.)
    – Encryption, digest creation and signing (sender side)
      • SET @enc_text = ASYMMETRIC_ENCRYPT('RSA', 'FooBar', @pub_key_d);
      • SET @text_digest = CREATE_DIGEST('SHA512', 'FooBar');
      • SET @signature = ASYMMETRIC_SIGN('RSA', @text_digest, @priv_key_s, 'SHA512');
    – Decryption and signature verification (destination side)
      • SET @plain_text = ASYMMETRIC_DECRYPT('RSA', @enc_text, @priv_key_d);
      • SET @text_digest = CREATE_DIGEST('SHA512', @plain_text);
      • SET @verify = ASYMMETRIC_VERIFY('RSA', @text_digest, @signature, @pub_key_s, 'SHA512');
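    The slide's flow encrypts a six-byte string directly with RSA, which works only because the payload is tiny: RSA can encrypt at most the key size minus the padding overhead (245 bytes for a 2048-bit key with the PKCS#1 padding these functions use). The following added example, written for this page and not from the deck, shows the envelope pattern used for anything larger: AES for the data, RSA for the AES key, and a signature over the ciphertext so the receiver can detect tampering. The 4 KB payload is constructed; the key variables follow the slide's naming.

```sql
-- Added example (not from the slide deck). Requires the Enterprise Encryption
-- (openssl_udf) functions. The payload is constructed for illustration.

-- Destination side generated this pair earlier and published @pub_key_d.
SET @priv_key_d = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 2048);
SET @pub_key_d  = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv_key_d);
-- Sender side's signing pair; @pub_key_s is what the destination trusts.
SET @priv_key_s = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 2048);
SET @pub_key_s  = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv_key_s);

-- Constructed payload: 4096 bytes, far beyond what one RSA operation can
-- hold, so ASYMMETRIC_ENCRYPT('RSA', @doc, @pub_key_d) is not an option.
SET @doc = REPEAT('customer record ', 256);

-- Sender: fresh data-encryption key (DEK) and IV, AES-256-CBC for the bulk.
SET block_encryption_mode = 'aes-256-cbc';
SET @dek = RANDOM_BYTES(32);
SET @iv  = RANDOM_BYTES(16);
SET @ct  = AES_ENCRYPT(@doc, @dek, @iv);

-- Wrap the 32-byte DEK with the destination's public key (well under the
-- RSA size limit) and sign the ciphertext, since CBC itself has no integrity.
SET @wrapped_dek = ASYMMETRIC_ENCRYPT('RSA', @dek, @pub_key_d);
SET @sig = ASYMMETRIC_SIGN('RSA', CREATE_DIGEST('SHA256', @ct), @priv_key_s, 'SHA256');

-- What crosses the unencrypted channel: @ct, @iv, @wrapped_dek, @sig.
-- @dek and @doc never leave the sender in the clear.

-- Destination: verify first, unwrap second, decrypt last. A failed
-- verification means the ciphertext must not be processed at all.
SET @sig_ok = ASYMMETRIC_VERIFY('RSA', CREATE_DIGEST('SHA256', @ct), @sig, @pub_key_s, 'SHA256');
SET @dek2   = ASYMMETRIC_DECRYPT('RSA', @wrapped_dek, @priv_key_d);
SELECT @sig_ok AS signature_valid,
       AES_DECRYPT(@ct, @dek2, @iv) = @doc AS payload_restored;
```

    Using a fresh DEK per message keeps each RSA operation independent and limits what a compromised data key exposes; the only long-lived secrets are the two private keys, which stay on their respective servers.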
  • 19. Communication Security
    • Server/client support for encrypted connections
    • TLSv1.1/1.2 support
    • Enforcing encrypted connections
  • 20. Communication Security
    • Server: encrypted connections supported by default
      – Automatic generation of TLS certificates and keys
        • Enterprise server: at server start-up
        • Community server: through the mysql_ssl_rsa_setup utility
      – The generated CA and certificates are self-signed, so clients that want to verify the server (VERIFY_CA / VERIFY_IDENTITY) need a copy of the generated ca.pem
    • Clients (libmysql based): attempt a TLS connection by default
    • More information in the server log about the TLS setup phase
      – CA certificate status
      – Possible reason for TLS support failure
  • 21. Communication Security
    • TLSv1.1/TLSv1.2 support
      – New option --tls-version to control the accepted protocol versions
      – Weak ciphers disabled
    • Multi-state SSL option: --ssl-mode
      – Modes: DISABLED, PREFERRED, REQUIRED, VERIFY_CA, VERIFY_IDENTITY
      – Backwards compatibility with the legacy options --ssl and --ssl-verify-server-cert
    • Enforcing secure connections
      – Server: --require-secure-transport
      – Client: --ssl-mode=REQUIRED/VERIFY_CA/VERIFY_IDENTITY
      – REQUIRED guarantees only that the channel is encrypted; only VERIFY_CA and VERIFY_IDENTITY check the server certificate, so an active attacker can still impersonate the server to a PREFERRED or REQUIRED client
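    The slide gives the option names but not how to confirm they took effect. The following added example, written for this page and not from the deck, checks from inside a session whether it is encrypted, enforces TLS both server-wide and per account, and shows the matching configuration and client invocation in comments. The account name, hostname and file paths are assumptions.

```sql
-- Added example (not from the slide deck). The account 'app'@'%', the host
-- db.example.internal and the file paths are assumptions.

-- Is THIS session encrypted? An empty Ssl_cipher means plaintext, whatever
-- the client believed it negotiated.
SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_cipher', 'Ssl_version');

-- What the server offers, which certificate files it loaded, and whether it
-- currently insists on encryption at all.
SHOW GLOBAL VARIABLES
 WHERE Variable_name IN ('have_ssl', 'tls_version', 'ssl_ca', 'ssl_cert',
                         'require_secure_transport');

-- Enforce TLS for every TCP client (dynamic; also put it in my.cnf so it
-- survives a restart). Unix-socket connections count as secure and are
-- still accepted.
SET GLOBAL require_secure_transport = ON;

-- Per-account enforcement that survives even if someone flips the global
-- setting back off. REQUIRE X509 / SUBJECT / ISSUER, as on slide 9, would
-- additionally tie the account to a client certificate.
ALTER USER 'app'@'%' REQUIRE SSL;
SELECT user, host, ssl_type FROM mysql.user WHERE user = 'app';

-- tls_version is read-only at runtime; restrict it in my.cnf and restart:
--   [mysqld]
--   tls_version = TLSv1.1,TLSv1.2
--   require_secure_transport = ON
--
-- Client invocation that also verifies the server's identity against the
-- CA that mysql_ssl_rsa_setup generated (copied to the client host):
--   mysql --ssl-mode=VERIFY_IDENTITY --ssl-ca=/etc/mysql/ca.pem \
--         -h db.example.internal -u app -p
```

    Treat a non-empty Ssl_cipher as the ground truth during a rollout: it is the one check that reflects what the two sides actually negotiated rather than what either was configured to attempt.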
  • 22. Secure By Default
    • Better access control
    • Secure packages
    • Restricted data import/export
  • 23. Secure By Default
    • Motivation
      – Help users avoid common mistakes that may cause data loss or leakage
      – Decrease the MySQL attack surface
      – Open to limited and authorized use by default
      – Low usability impact
      – Relaxing security must be an explicit and conscious decision
  • 24. Secure By Default
    • Stricter access control
      – A single root account with a random initial password, written to the error log by --initialize and marked expired
      – No anonymous accounts
    • Packages
      – No tests and demos shipped with the server/client packages
      – Separate packages for tests and demos
      – Stricter permissions on deployed files
    • Data import/export restrictions
      – Restricted to a specific directory through the --secure-file-priv default
      – Possible to disable data import/export completely (secure_file_priv=NULL)
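    The slide states the new defaults; the following added example, written for this page and not from the deck, is what the first session on a freshly initialized 5.7 server looks like and how to confirm the access-control and file-access defaults. The password and the directory paths are assumptions (the paths are the usual Linux package defaults).

```sql
-- Added example (not from the slide deck). Password and paths are assumptions.

-- --initialize created exactly one account with a random, expired password.
-- Until it is changed, this session is allowed to do nothing else.
ALTER USER USER() IDENTIFIED BY 'L0ng-random-passphrase';

-- Confirm the access-control defaults: no anonymous users (empty user
-- column) and no second root account reachable from other hosts.
SELECT user, host, plugin, account_locked
  FROM mysql.user
 ORDER BY user, host;

-- Where may LOAD DATA, SELECT ... INTO OUTFILE and LOAD_FILE() touch the
-- filesystem? '' = anywhere (the old default), a directory = only inside
-- it, NULL = disabled. The variable is read-only; change it in my.cnf.
SHOW VARIABLES LIKE 'secure_file_priv';

-- Inside the permitted directory an export works (FILE privilege required) ...
SELECT user, host FROM mysql.user INTO OUTFILE '/var/lib/mysql-files/users.csv';

-- ... while a path outside it fails with error 1290 ("The MySQL server is
-- running with the --secure-file-priv option so it cannot execute this
-- statement"):
-- SELECT user, host FROM mysql.user INTO OUTFILE '/tmp/users.csv';

-- The same restriction blunts the classic post-injection read of arbitrary
-- files: LOAD_FILE() returns NULL instead of the file's contents.
SELECT LOAD_FILE('/etc/passwd') IS NULL AS read_outside_blocked;
```

    On a server that does not need file import/export at all, set secure_file_priv=NULL in my.cnf: the FILE privilege then grants nothing useful to an attacker who obtains it through injection.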
  • 25. Code Refactoring
    • Removal of legacy hash/encryption methods
    • Uniform credential storage framework
    • Tools ref
  • 26. Code Refactoring
    • Removal of pre-4.1 password support
      – Insecure way of generating password hashes
      – The upgrade flags and disables such accounts
    • Password v/s authentication string
      – All authentication plugins are treated equally
      – Removal of the Password column from the mysql.user table; authentication_string now holds the credential for every plugin
      – Dependency on @@old_passwords is gone!
    • Removal of weak encryption functions
      – ENCODE()/DECODE() are deprecated; use AES_ENCRYPT()/AES_DECRYPT() instead
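    Because the 5.7 upgrade disables accounts that still use pre-4.1 hashes, the useful moment to act is before upgrading, while those users can still log in. The following added example, written for this page and not from the deck, is the pre-upgrade check and fix run on the 5.6 server; the account name is an assumption.

```sql
-- Added example (not from the slide deck). Run on the 5.6 server BEFORE the
-- upgrade. The account 'legacy'@'%' is an assumption.

-- Pre-4.1 hashes are 16 hex characters; 4.1-style hashes are 41 characters
-- starting with '*'. Either the plugin column or the hash shape gives them
-- away. (The Password column still exists in 5.6; 5.7 removes it.)
SELECT user, host, plugin, LENGTH(password) AS hash_len
  FROM mysql.user
 WHERE plugin = 'mysql_old_password'
    OR (LENGTH(password) = 16 AND password NOT LIKE '*%');

-- Fix each flagged account: switch it to the native plugin and set a new
-- password with old_passwords=0 so a 4.1-style hash is stored. The owner
-- must be told the new password; the old hash cannot be converted.
UPDATE mysql.user
   SET plugin = 'mysql_native_password'
 WHERE user = 'legacy' AND host = '%';
FLUSH PRIVILEGES;
SET old_passwords = 0;
SET PASSWORD FOR 'legacy'@'%' = PASSWORD('new-passphrase-for-legacy');

-- Re-run the first query; it should return no rows before mysql_upgrade.
```

    After the upgrade, every account's credential lives in authentication_string and the plugin column says how to interpret it; any account the upgrade still had to disable shows up there with plugin mysql_old_password and must be re-created.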
  • 27. Code Refactoring
    • Server installation through mysqld --initialize
      – mysql_install_db deprecated
    • mysql_upgrade: no longer dependent on external libraries!
    • mysql_secure_installation: now a C program (previously a Perl script)!
  • 28. Questions & Answers
  • 29. Safe Harbor Statement
    The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.