
Using MariaDB TX and MaxScale to meet GDPR - #OPEN18


The General Data Protection Regulation (GDPR), one of the most important changes in data privacy regulation in 20 years, took effect May 25, 2018. The regulation includes a number of new policies requiring organizations to protect the data privacy of all individuals within the European Union (EU).

MariaDB TX, a complete database solution for any and every enterprise, includes the security features your organization needs to ensure personal data is protected. MariaDB TX supports encryption of data at rest, data in motion, and data in use. MariaDB TX supports auditing of database events, enabling security and compliance monitoring as well as attack forensics. The database proxy supports the pseudonymization of personal data with the data masking filter, configurable on a per-column, per-user basis.

  1. Securing Production Deployments
     Maria Luisa Raviol, Senior Sales Engineer, MariaDB
  2. “The majority of the HTTP attacks were made to PHPMyadmin, a popular MySQL and MariaDB remote management system. Many web content management systems, not to mention WordPress, rely on these databases. Vulnerable WordPress plugins were also frequently attacked. Mind you, this was on a system that even in honeypot mode hadn't emitted a single packet towards the outside world.” (ZDNet, Jan 23rd 2018)
  3. GDPR: A Matter of Balance
  4. GDPR
     • It is the harmonization of:
       – Processes
         • Process flows
         • Prevention and reaction procedures
       – Technological solutions
         • Encryption
         • Pseudonymisation
         • Anonymisation
         • Data accessibility
         • Auditing
       – Compliance
         • Keep pace with the regulation
  5. GDPR – The Requirements
     European companies, and companies located outside the EU that handle the data of EU citizens, must guarantee:
     • Data is protected
     • Risk protection and prevention
     • The harmonisation of processes and technology
  6. GDPR – The Processes
     • Companies need to have deep knowledge of their data supply chain
     • All the W questions (the 5 Ws… plus one) need to have an answer
     • A top-down approach is usually recommended
  7. GDPR – The Technology
     GDPR says that:
     • It is mandatory to “implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk including inter alia, as appropriate: the pseudonymisation and encryption of personal data ...” (Reference: GDPR Art. 32)
     The right technology will help businesses meet the requirements of GDPR both now and in the future.
  8. GDPR – The Technology
     Must prevent:
     • Unauthorised access to the database
     • Unauthorised access to all the other database-related files (log files, configuration files, passwords…)
     • Data integrity breach
     • Untrusted access to the database from the clients
  9. GDPR – The Technology
     How to protect the database:
     • Firewalling
     • Authentication
     • Data in motion encryption
     • Tablespace encryption
     • Data at rest encryption
     • Backup encryption
     • Auditing
  10. GDPR – MariaDB Enterprise Security
     • Detect and prevent attacks
       – Access management
       – Denial of service
       – SQL injections
     • Protect data at rest with encryption
       – Tablespaces, individual tables, logs
     • TLS/SSL encryption
       – Protects data in motion
     • Auditing for security and compliance
     • MaxScale database firewall features
     • MaxScale selective data masking
  11. MariaDB TX – Security
     (Diagram of the connection segments: Client - MaxScale, MaxScale - MariaDB, Client - MariaDB, MariaDB - MariaDB)
  12. MariaDB MaxScale Security Features
  13. MariaDB TX – Firewalling and Data Masking
     (Diagram of the connection segments: Client - MaxScale, MaxScale - MariaDB, Client - MariaDB, MariaDB - MariaDB)
  14. MariaDB MaxScale Concept (architecture diagram)
     • Insulates client applications from the complexities of the backend database cluster
     • Simplifies replication from the database to other databases (binlog cache)
     • Backend: database servers, master and slaves
     • Plug-in layers: client protocol support, authentication, parsing, database monitoring, load balancing & routing, query transformation & logging
     • Flexible, easy-to-write plug-ins for a generic core: multi-threaded, epoll based, stateless, shares the thread pool
  15. MaxScale Firewalling – The Details
     • A filter installed into the request processing chain (MaxScale: filter → router → database servers).
     • Rules define what constitutes a match:
       – wildcard, columns, function, regex, no where clause
       – when to apply
       – what users are affected
       – what statements are affected
     • The filter mode defines what to do with a match:
       – allow => whitelist
       – block => blacklist
     • The limit_queries rule is sensible only with blacklisting
       – match if more than N queries are made within a time period
  16. MaxScale Filtering Rules – Database Firewall Filter
     Allow/block queries that match a set of rules; match rules for specified users; match on:
     • date/time
     • a WHERE clause
     • query type
     • column match
     • a wildcard, regular expression or function name
     Protects against SQL injection, prevents unauthorized data access, prevents data damage.
     Example rule file and flow (MaxScale sits between the client and the database servers; step 1: the client sends SELECT * FROM CUSTOMERS;, step 2: the database firewall filter matches the rules, step 3: the client receives QUERY FAILED: 1141 ERROR: Required WHERE/HAVING clause is missing):
         rule safe_select deny no_where_clause on_queries select
         rule safe_cust_select deny regex '.*from.*customers.*'
         users %app-user@% match all rules safe_cust_select safe_select
  17. MaxScale Filtering: SQL Injections
     • What is a SQL injection?
     • A kind of web application attack, where user-supplied input comes from:
       – URL
       – Forms
       – Other elements, e.g. cookies, HTTP headers
       and is manipulated so that a vulnerable application executes SQL commands injected by the attacker.
  18. Who Can Be Affected by a SQL Injection?
     • Applications vulnerable to SQL injection:
       – Incorrect type handling
       – Incorrectly filtered escape characters
       – Blind SQL injection
       – Second order SQL injection
     • An example:
         SELECT * from customer WHERE id = ?
       The user-supplied value for id is 5; the injected value is the string '5 OR 1=1':
         SELECT * from customer WHERE id = 5 OR 1=1
       This results in the application getting access to the entire customer table instead of just the specific customer.
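The slide-18 case carried through in MariaDB SQL, as an added example that is not part of the deck: the same '5 OR 1=1' input reaches the server once spliced into the statement text and once bound as a prepared-statement parameter. The table, its rows and the statement names are constructed.

```sql
-- Constructed schema and rows (not from the slides) reproducing the slide-18 case.
CREATE TABLE customer (
  id   INT PRIMARY KEY,
  name VARCHAR(40)
);
INSERT INTO customer VALUES (4, 'Ann Lee'), (5, 'John Smith'), (6, 'Maria Rossi');

-- The user-supplied value, taken verbatim from the request.
SET @user_input = '5 OR 1=1';

-- Vulnerable pattern: the input is spliced into the SQL text, so it is parsed as
-- SQL and the WHERE clause becomes "id = 5 OR 1=1". Returns all three rows.
SET @sql = CONCAT('SELECT id, name FROM customer WHERE id = ', @user_input);
PREPARE unsafe FROM @sql;
EXECUTE unsafe;
DEALLOCATE PREPARE unsafe;

-- Hardened pattern: the input is bound to a "?" placeholder. The statement is
-- parsed before the value is known, so the value can never change its structure.
-- MariaDB compares the bound string with the INT column as a value: '5 OR 1=1'
-- converts to 5 (warning 1292, truncated incorrect DOUBLE value), and only
-- customer 5 is returned. The application should still reject non-integer
-- input before binding (slide 18: "incorrect type handling").
PREPARE safe FROM 'SELECT id, name FROM customer WHERE id = ?';
EXECUTE safe USING @user_input;
SHOW WARNINGS;   -- the conversion warning for the bound text
DEALLOCATE PREPARE safe;
```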
  19. SQL Injection according to xkcd: “Exploits of a Mom” (comic strip shown on the slide)
  20. MaxScale Security – DDoS Protection
     Maximum rows filter:
     • Return zero rows to the client if the number of rows in the result set exceeds the configured max limit
     • Return zero rows to the client if the size of the result set exceeds the configured max size in KB
     Example flow: Max Rows Limit = 500; the database servers return NumRows = 100032 for the query; NumRows returned > MaxRows limit, so the MaxRowsLimit filter answers the client with QUERY FAILED: 1141 ERROR: No rows returned.
  21. MaxScale Security – DDoS Protection
     • Persistent connections to the backend.
       – When server connections are logically closed, keep them in a pool for reuse (connection pool of configurable size; variable number of backend connections).
     • Client connection limitation.
       – Specify the maximum number of connections for a particular service (max client connections per service).
     maxscale.cnf:
         [SomeServer]
         ...
         persistpoolmax=30

         [SomeService]
         ...
         max_connections=100
  22. MaxScale Security – DDoS Protection
     • Cap the amount that can be returned.
       – By rows or by size or both
       – Data will be returned to MaxScale, but MaxScale will not necessarily forward it to the client.
     • Limit the rate of queries using the firewall.
     MaxRows filter example: Max Rows Limit = 500, NumRows returned = 1000, so the client gets Query failed: 1141 Error: No rows returned.
     maxscale.cnf:
         [LimitSize]
         type=filter
         module=maxrows
         max_resultset_rows=500
     firewall.txt:
         rule prevent_overload deny limit_queries 15 5 10
     If more than 15 queries are received in 5 seconds, block all queries for 10 seconds.
  23. Security: Data Redaction
     Data redaction via data masking, based on column name.
     • A database name and table name classifier may be provided:
       – commerceDb.customerTbl.creditcardNum
       – customerTbl.creditcardNum
       – creditcardNum
     • The column can be:
       – Fully or partially masked
       – Obfuscated
     Covers HIPAA, PCI and GDPR needs.
     Example: the client sends
         SELECT Name, creditcardNum, balance FROM customerTbl WHERE id=1001
     and the result from the database servers is returned through MaxScale as
         Name         creditcardNum   balance
         John Smith   xxxxxxxxxx      1201.07
  24. MariaDB TX Data in Motion Encryption
  25. MariaDB TX – Data in Motion Encryption
     (Diagram of the connection segments: Client - MaxScale, MaxScale - MariaDB, Client - MariaDB, MariaDB - MariaDB)
  26. Client-MaxScale-MariaDB Encryption
     • Secured connection: SSL between clients and MaxScale; SSL between MaxScale and the MariaDB server
     • Secured user access: LDAP/GSSAPI for secured single sign-on across OS platforms (Windows, Linux), applications and databases
  27. Client-MariaDB and MariaDB-MariaDB Encryption
     • Secured connection: SSL between clients and MariaDB; SSL between the MariaDB master and slaves
     • Secured user access: LDAP/GSSAPI for secured single sign-on across OS platforms (Windows, Linux), applications and databases
  28. MariaDB TX Data at Rest Encryption
  29. MariaDB TX – Data at Rest Encryption
     (Diagram of the connection segments: Client - MaxScale, MaxScale - MariaDB, Client - MariaDB, MariaDB - MariaDB)
  30. Data-at-rest Encryption
     • Encrypting:
       – Tables or tablespaces
       – Aria tables
       – InnoDB log files
       – Binary/relay logs
       – Temporary files
     • Independent of the encryption capabilities of applications
     • Based on encryption keys, key ids, key rotation and key versioning
     • Low performance overhead
     • Transparent to applications
  31. Key Management Services
     • The encryption plugin API offers choice
       – Plugin to implement the data encryption
       – Manage encryption keys
     • MariaDB Server options
       – Simple key management, included
       – Amazon AWS KMS plugin, included
       – Eperi KMS for on-premise key management, optional
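To make slides 30 and 31 concrete, an added SQL example that is not from the deck: enabling table encryption under a named key id, triggering key rotation, and listing the tables that remain unencrypted. It assumes a key-management plugin that supports key versions (such as the AWS KMS plugin) is already loaded via my.cnf with key ids 1 to 3, innodb_file_per_table=ON, and the constructed schema commerceDb.

```sql
-- Added example, not from the deck. Assumes a key-management plugin with key
-- versioning (e.g. the AWS KMS plugin of slide 31) loaded in my.cnf with key ids
-- 1-3, innodb_file_per_table=ON, and the constructed schema commerceDb.

-- 1. Confirm the server-wide data-at-rest settings named on slide 30.
SHOW GLOBAL VARIABLES LIKE 'innodb_encrypt%';    -- tables, log, temporary tables
SHOW GLOBAL VARIABLES LIKE 'encrypt_%';          -- binlog, tmp disk tables, tmp files
SHOW GLOBAL VARIABLES LIKE 'aria_encrypt_tables';

-- 2. Create a table holding personal data, encrypted under a dedicated key id.
CREATE TABLE commerceDb.customerTbl (
  id            INT PRIMARY KEY,
  name          VARCHAR(80),
  creditcardNum VARCHAR(19),
  balance       DECIMAL(12,2)
) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=2;

-- 3. Encrypt an existing table, or move it to another key id. InnoDB re-encrypts
--    the pages in the background; the application keeps running (slide 30).
ALTER TABLE commerceDb.orders ENCRYPTED=YES ENCRYPTION_KEY_ID=3;

-- 4. Key rotation: once the plugin publishes a newer key version, background
--    threads re-encrypt pages whose key is more than this many versions old.
SET GLOBAL innodb_encryption_threads = 4;
SET GLOBAL innodb_encryption_rotate_key_age = 1;

-- 5. Verify: ENCRYPTION_SCHEME 1 = encrypted; MIN_KEY_VERSION catching up with
--    CURRENT_KEY_VERSION shows rotation progress.
SELECT NAME, ENCRYPTION_SCHEME, CURRENT_KEY_ID, MIN_KEY_VERSION,
       CURRENT_KEY_VERSION, ROTATING_OR_FLUSHING
  FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
 WHERE NAME LIKE 'commerceDb/%';

-- 6. Compliance check: every InnoDB table outside the system schemas that is
--    still unencrypted (no tablespace row at all, or scheme 0).
SELECT t.TABLE_SCHEMA, t.TABLE_NAME
  FROM information_schema.TABLES t
  LEFT JOIN information_schema.INNODB_TABLESPACES_ENCRYPTION e
         ON e.NAME = CONCAT(t.TABLE_SCHEMA, '/', t.TABLE_NAME)
 WHERE t.ENGINE = 'InnoDB'
   AND t.TABLE_SCHEMA NOT IN ('mysql', 'information_schema', 'performance_schema')
   AND COALESCE(e.ENCRYPTION_SCHEME, 0) = 0;
```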
  32. MariaDB TX Authentication Plugins
  33. MariaDB TX – Authentication Plugins
     (Diagram of the connection segments: Client - MaxScale, MaxScale - MariaDB, Client - MariaDB, MariaDB - MariaDB)
  34. Password Validation
     MariaDB comes with two password validation plugins:
     • simple_password_check plugin
       – Can enforce a minimum password length
       – Guarantees that a password contains at least a specified number of upper- and lowercase letters, digits, and punctuation characters
     • cracklib_password_check plugin
       – A widely used library
       – Stops users from choosing easy-to-guess passwords. It includes checks that disallow passwords based on the username or a dictionary word, etc.
  35. External Authentication
     Single sign-on is becoming mandatory in most enterprises.
     • PAM authentication plugin
       – Allows using /etc/shadow and any PAM-based authentication, such as LDAP
     • Kerberos authentication
       – As a standardized network authentication protocol, it is provided via GSSAPI on UNIX and SSPI on Windows
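The two password plugins of slide 34 and the PAM/GSSAPI accounts of slide 35 set up in SQL, as an added example rather than the deck's own material; the thresholds, account names, the PAM service name mariadb and the realm EXAMPLE.COM are assumptions.

```sql
-- Added example, not from the deck. Assumes the plugin libraries shipped with the
-- server, a PAM service file /etc/pam.d/mariadb, and a Kerberos keytab already
-- configured for the server; thresholds, accounts and the realm are constructed.

-- Slide 34: length and character-class policy.
INSTALL SONAME 'simple_password_check';
SET GLOBAL simple_password_check_minimal_length    = 12;  -- minimum length
SET GLOBAL simple_password_check_digits            = 1;   -- at least one digit
SET GLOBAL simple_password_check_letters_same_case = 1;   -- one upper + one lower
SET GLOBAL simple_password_check_other_characters  = 1;   -- one punctuation char

-- Slide 34: dictionary words and username-derived passwords are rejected too.
INSTALL SONAME 'cracklib_password_check';

-- Rejected by both plugins: ERROR 1819 (HY000): Your password does not satisfy
-- the current policy requirements.
CREATE USER 'report'@'10.0.0.%' IDENTIFIED BY 'password';
-- Accepted.
CREATE USER 'report'@'10.0.0.%' IDENTIFIED BY 'Q7!vx-Lm3#pTz9';

-- Slide 35, PAM: the OS (or LDAP behind PAM) verifies the password; MariaDB
-- stores no password hash for this account at all.
INSTALL SONAME 'auth_pam';
CREATE USER 'bob'@'%' IDENTIFIED VIA pam USING 'mariadb';

-- Slide 35, Kerberos: GSSAPI on UNIX, SSPI on Windows; the account is bound to a
-- principal, so the client presents a service ticket instead of a password.
INSTALL SONAME 'auth_gssapi';
CREATE USER 'alice'@'%' IDENTIFIED VIA gssapi AS 'alice@EXAMPLE.COM';

-- Authorisation is unchanged by the authentication method: grant as usual.
GRANT SELECT ON commerceDb.* TO 'alice'@'%';
```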
  36. MariaDB PAM Authentication
     • GSS-API on Linux: Red Hat Directory Server, OpenLDAP
     • SSPI on Windows: Active Directory
     Kerberos flow between the client, the KDC and MariaDB (diagram): (1) ticket request, (2) service ticket, (3) “Here is my service ticket, authenticate me”, (4) client/server session.
  37. MariaDB Role Based Access Control
     (Diagram: MariaDB 10, role DBA with permissions Update Schema, View Statistics and Create Database, applied to the database tables)
  38. MariaDB TX Auditing
  39. MariaDB TX – Auditing
     (Diagram of the connection segments: Client - MaxScale, MaxScale - MariaDB, Client - MariaDB, MariaDB - MariaDB)
  40. MariaDB Audit Plugin – Auditing for Security and Compliance
     • Logs server activity
       – Who connected to the server
       – Source of connection
       – Queries executed
       – Tables touched
     • File based or syslog based logging
     • Monyog audit log file filtering
     Logged event classes (diagram): Connection (connect, disconnect, failed connect; timestamp, host, user); Session query (DML + TCL, DDL, DCL); Object (tables, database).
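Enabling the audit plugin for the event classes on slide 40, as an added example that is not from the deck; the log path, rotation values, the excluded monyog account and the two sample log records are constructed.

```sql
-- Added example, not from the deck. Log path, rotation sizes and account names are
-- assumptions; the plugin library ships with MariaDB Server.
INSTALL SONAME 'server_audit';

-- Event classes from slide 40: connections (CONNECT), tables touched (TABLE),
-- schema and privilege changes (QUERY_DDL, QUERY_DCL). Adding QUERY_DML also
-- records every data change, at a much higher log volume.
SET GLOBAL server_audit_events = 'CONNECT,TABLE,QUERY_DDL,QUERY_DCL';

-- File-based logging with rotation; 'syslog' ships the same records to syslog.
SET GLOBAL server_audit_output_type = 'file';
SET GLOBAL server_audit_file_path = '/var/log/mysql/server_audit.log';
SET GLOBAL server_audit_file_rotate_size = 104857600;   -- 100 MB per file
SET GLOBAL server_audit_file_rotations = 30;

-- Skip only the monitoring account (slide 40, Monyog); everyone else is logged.
SET GLOBAL server_audit_excl_users = 'monyog';
SET GLOBAL server_audit_logging = ON;

-- Put the same settings in my.cnf so a restart cannot silently disable auditing,
-- then confirm records are being written (writes_failed must stay at 0).
SHOW GLOBAL STATUS LIKE 'Server_audit%';

-- Constructed sample records in the plugin's CSV layout
-- (timestamp,serverhost,username,host,connectionid,queryid,operation,database,object,retcode):
-- 20180525 09:15:02,db1,app,10.0.0.5,41,0,FAILED_CONNECT,,,1045
-- 20180525 09:15:09,db1,dba,10.0.0.9,42,118,QUERY,commerceDb,'GRANT FILE ON *.* TO \'app\'@\'%\'',0
-- A burst of FAILED_CONNECT rows, or a GRANT of FILE/SUPER outside a change
-- window, is exactly what the slide-48/49 controls expect a reviewer to alert on.
```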
  41. MariaDB TX Per User Limit
  42. MariaDB TX – Per User Limit
     (Diagram of the connection segments: Client - MaxScale, MaxScale - MariaDB, Client - MariaDB, MariaDB - MariaDB)
  43. New User Management Functions
     • MAX_*_PER_HOUR – CREATE USER can limit the number of queries, updates or connections per hour.
     • MAX_USER_CONNECTIONS – limits the number of simultaneous connections.
     • MAX_STATEMENT_TIME – any query (excluding stored procedures) taking longer than the value of max_statement_time (specified in seconds) to execute will be aborted. This can be set globally, by session, as well as per user and per query.
     • SHOW CREATE USER – a useful way to see the command required to create a user, for auditing or for creating similar accounts.
  44. New User Management Functions
     • Examples:
         CREATE USER foo2@test IDENTIFIED BY 'password';
         CREATE USER 'foo4'@'test' REQUIRE ISSUER 'foo_issuer' SUBJECT 'foo_subject' CIPHER 'text';
         CREATE USER foo WITH MAX_QUERIES_PER_HOUR 10 MAX_UPDATES_PER_HOUR 20 MAX_CONNECTIONS_PER_HOUR 30 MAX_USER_CONNECTIONS 40;
  45. Security Threats: Best Practices
  46. Threats: the Internet – viruses, hacker attacks, software spoofing
     Defense:
     • Do not allow TCP connections to MariaDB from the Internet at large.
     • Configure MariaDB to listen on a network interface that is only accessible from the host where your application runs.
     • Design your physical network to connect the app to MariaDB or MaxScale.
     • Use bind-address to bind to a specific network interface.
     • Use your OS’s firewall.
     • Keep your OS patched.
  47. Threats: applications – denial of service attacks created by overloading the application; SQL query injection attacks
     Defense:
     • Do not run your application on your MariaDB server.
     • Do not install unnecessary packages on your MariaDB server.
     • An overloaded application can use so much memory that MariaDB could slow down or even be killed by the OS. This is an effective DDoS attack vector.
     • A compromised application or service can have many serious side effects:
       – Discovery of MariaDB credentials
       – Direct access to data
       – Privilege escalation
  48. Threats: excessive trust – disgruntled employees; mistakes and human error
     Defense:
     • Limit the users who have:
       – SSH access to your MariaDB server.
       – Sudo privileges on your MariaDB server.
     • Set the secure_file_priv option to ensure that users with the FILE privilege cannot write or read MariaDB data or important system files.
     • Do not run the MariaDB process (mysqld) as root.
     • Avoid wide hostname wildcards (“%”); use specific host names / IP addresses.
  49. Threats: excessive trust – disgruntled employees; mistakes and human error
     Defense:
     • Do not use the MariaDB “root” user for application access.
     • Grant only the privileges required by your application.
     • Minimize the privileges granted to the MariaDB user accounts used by your applications:
       – Don’t grant CREATE or DROP privileges.
       – Don’t grant the FILE privilege.
       – Don’t grant the SUPER privilege.
       – Don’t grant access to the mysql database.
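Provisioning an application account that applies slides 26-27 (TLS), 37 (roles), 43-44 (resource limits) and 46-49 (least privilege) together, as an added SQL example that is not from the deck; the host range, database, role name, password and limit values are assumptions.

```sql
-- Added example, not from the deck. Host range, database, role and limits are
-- constructed; secure_file_priv is read-only at runtime and must come from my.cnf.

-- Slide 37: a role bundles the application's data privileges. Nothing on mysql.*,
-- no CREATE/DROP, no FILE, no SUPER (slide 49).
CREATE ROLE app_rw;
GRANT SELECT, INSERT, UPDATE, DELETE ON commerceDb.* TO app_rw;

-- Slide 48: a specific host range instead of '%'. Slides 26-27: TLS is mandatory
-- (REQUIRE X509 would additionally demand a client certificate, as the
-- REQUIRE ISSUER example on slide 44 does). Slides 43-44: hourly caps, a
-- concurrency cap and a 5-second statement time-out.
CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY 'Q7!vx-Lm3#pTz9'
  REQUIRE SSL
  WITH MAX_QUERIES_PER_HOUR 100000
       MAX_UPDATES_PER_HOUR 10000
       MAX_CONNECTIONS_PER_HOUR 3600
       MAX_USER_CONNECTIONS 50
       MAX_STATEMENT_TIME 5;
GRANT app_rw TO 'app'@'10.0.0.%';
SET DEFAULT ROLE app_rw FOR 'app'@'10.0.0.%';

-- Slide 43: review what was actually created.
SHOW CREATE USER 'app'@'10.0.0.%';
SHOW GRANTS FOR 'app'@'10.0.0.%';

-- Periodic check against the slide-48/49 rules: any account with a wildcard host,
-- the FILE or SUPER privilege, or no TLS requirement (empty ssl_type).
SELECT User, Host, File_priv, Super_priv, ssl_type
  FROM mysql.user
 WHERE Host = '%' OR File_priv = 'Y' OR Super_priv = 'Y' OR ssl_type = '';

-- Slide 48: FILE-privilege reads and writes are confined to this directory;
-- an empty value means no confinement.
SHOW GLOBAL VARIABLES LIKE 'secure_file_priv';
```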
  50. MariaDB Security Gets Stronger All the Time
     The MariaDB user community:
     • Quickly identifies new threats
     • Creates solutions
     • Reports vulnerabilities
     • Contributes features
  51. Thank You