Recommended
More Related Content
What's hot
What's hot (20)
Similar to TLV - MySQL Security overview
Similar to TLV - MySQL Security overview (20)
More from Mark Swarbrick
More from Mark Swarbrick (16)
Recently uploaded
Recently uploaded (20)
TLV - MySQL Security overview
- 1. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | How MySQL Security and Enterprise Features Assisting you with GDPR Compliance Mike Frank – MySQL Product Management Director Copyright © 2016, Oracle and/or its affiliates. All rights reserved.
- 6. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Complexity grows Risk Grows 6
- 7. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Regulatory Compliance • Regulations – PCI – DSS: Payment Card Data – HIPAA: Privacy of Health Data – Sarbanes Oxley, GLBA, The USA Patriot Act: Financial Data, NPI "personally identifiable financial information” – EU General Data Protection Directive: Protection of Personal Data (GDPR) • Requirements – Continuous Monitoring (Users, Schema, Backups, etc) – Data Protection (Encryption, Privilege Management, etc.) – Data Retention (Backups, User Activity, etc.) – Data Auditing (User activity, etc.) 7
- 8. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Large Fines • GDPR – The greater of 20,000,000 Euros or 4% of annual revenue • PCI – Range from $5,000 to $500,000 • HIPAA – Fines up to $400 to $50k per violation (or per record) Large Losses • $3.62 Million – Average cost of a breach • WW $141 per stolen record – The average per capita cost of data breach was $225 in the United States • Faster the data breach can be identified and contained, the lower the costs. Cost of Regulatory Compliance 8 * Ponemon Institute’s 2017 Cost of Data Breach Study: Global Overview
- 10. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Introduction • The E.U. General Data Protection Regulation (GDPR) comes into effect in May 2018 • GDPR is a European Union “EU”-wide framework • Published May 2016, Enforceable by May 2018 • Fines for GDPR violations are – The greater of 20,000,000 Euros or 4% of annual revenue (R150, A83) • Exact security controls are not specified in the GDPR – WHAT to do – Not HOW to do it Confidential – Oracle Internal 10
- 12. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | EU General Data Protection Regulation (GDPR) • Data privacy as a fundamental right Focus is on 3 Areas • Assessment – Processes, Profiles, Data Sensitivity, Risks • Prevention – Encryption, Anonymization, Access Controls, Separation of Duties • Detection – Auditing, Activity monitoring, Alerting, Reporting Would also suggest there is a 4th Recovery – Disaster recovery - Backup/Restore, HA 12
- 14. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 14 Enterprise Security Architecture ¡ ¡ Workbench ¡ ¡ Enterprise Monitor ¡ Enterprise Encryption ¡ ¡ Firewall ¡ Key Vault ¡ Enterprise Authentication ¡ Network Encryption ¡ Enterprise Audit ¡ Audit Vault ¡ Strong Authentication ¡ Access Controls ¡ Assess ¡ Prevent ¡ Detect ¡ Recover ¡ Enterprise Backup ¡ HA • Innodb Cluster ¡ Thread Pool
- 16. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Assess - MySQL Enterprise Features and GDPR • Assess Risks – MySQL Enterprise Monitor • Account assessment and reporting • Identifies Security Vulnerabilities – discover security holes, advises remediating actions – Advisors provide rules designed to enforce security best practices and alert upon discovering vulnerabilities – MySQL Enterprise Workbench • Discover tables and columns containing “Personal Data” • Data Modeling tool - Reverse Engineering of Data Model to review data stored in the database • Schema Inspector, Table Inspectors – for schema assessment, grant inspection – MySQL Security Best Practices Guidelines 16
- 17. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Monitor • Enforce MySQL Security Best Practices – Identifies Vulnerabilities – Assesses current setup against security hardening policies • Monitoring & Alerting – User Monitoring – Password Monitoring – Schema Change Monitoring – Backup Monitoring – Configuration Management – Configuration Tuning Advice • Centralized User Management 17 "I definitely recommend the MySQL Enterprise Monitor to DBAs who don't have a ton of MySQL experience. It makes monitoring MySQL security, performance and availability very easy to understand and to act on.” Sandi Barr Sr. Software Engineer Schneider Electric
- 18. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Monitor • Administrative Privileges • Database Privileges • Session Limits and Object Privileges • User privileges – Creating, altering and deleting databases – Creating, altering and deleting tables – Execute INSERT, SELECT, UPDATE, DELETE queries – Create, execute, or delete stored procedures and with what rights – Create or delete indexes Assess MySQL Authorization 18 Security Privilege Management in MySQL Workbench
- 20. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Prevent - MySQL Enterprise Features and GDPR • Prevent Attacks (Articles 32, 83, 28, 26, 5, 20, 27, 30, 64) – MySQL Enterprise Security – Transparent Data Encryption • Includes Key Management • Protects Tablespace via Encryption, Keys via Key Manager/Vault integration – MySQL Enterprise Security – Firewall • MySQL Firewall Statement/User/IP Whitelists, Rules – MySQL Enterprise Security – Authentication • Centralized Authentication Infrastructure – DBA configurable IP whitelisting, Connection Limits, … • Via server level and via per Account IP/Hostname Controls, Account resource limits, – In transit data encryption - • Full support for TLS 1.2 - X509, Certificate Authorities, Exclude Lists, etc. 20
- 21. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | MySQL Database Encrypted Tablespace Files Protected Key Hacker / Dishonest OS User Accesses Files Directly Information Access Blocked By Encryption MySQL Enteprise Transparent Data Encryption Protects against Attacks on Database Files
- 22. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | What is Transparent Data Encryption? • Data at Rest Encryption – Tablespaces, Disks, Storage, OS File system • Transparent to applications and users – No application code, schema or data type changes • Transparent to DBAs – Keys are hidden from DBAs, no configuration changes • Requires Key Management – Protection, rotation, storage, recovery Confidential – Oracle Internal/Restricted/Highly Restricted 22
- 23. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Using MySQL Transparent Data Encryption is EASY SQL • New option in CREATE TABLE ENCRYPTION=“Y” • New SQL : ALTER INSTANCE ROTATE INNODB MASTER KEY Plugin Infrastructure • New plugin type : keyring • Ability to load plugin before InnoDB initialization : --early-plugin-load Keyring plugin • Used to retrieve keys from Key Stores • Over Standardized KMIP protocol InnoDB • Support for encrypted tables • IMPORT/EXPORT of encrypted tables • Support for master key rotation Confidential – Oracle Internal/Restricted/Highly Restricted 23
- 24. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | • KMIP – Key Management Interoperability Protocol (Oasis Standard) • Keys are protected and secure • Enables customers to meet regulatory requirements • KMIP mode tested with the following products – Oracle Key Vault (OKV) – Gemalto Safenet KeySecure – Fornetix Key Orchestration Appliance • Additional Options – New! Encrypted Key Ring File • MySQL 5.7.21 Also – Cloud Key Services • New! features coming with 8.0 GA MySQL Enterprise Transparent Data Encryption KMIP Compliant
- 25. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Firewall: Overview 25 Inbound SQL Traffic Web Applications SQL Injection Attack Via Brower ALLOW BLOCK DETECT 1 2 3 Instance MySQL Enterprise FirewallInternet
- 26. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Firewall • Real Time Protection – Queries analyzed and matched against White List • Blocks SQL Injection Attacks – Block Out of Policy Transactions • Intrusion Detection – Detect and Alert on Out of Policy Transactions • Learns White List – Automated creation of approved list of SQL command patterns on a per user basis • Transparent – No changes to application required • New Feature in 5.7.20 – Firewall Rules – VIA Audit Plugin abort() – Create more general allow/deny firewall rules using JSON syntax. 26 MySQL Enterprise Firewall monitoring
- 28. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Detect - MySQL Enterprise Features and GDPR • Detect(Articles 30, 82, 33) – MySQL Enterprise Security – Audit • Policy-based auditing solution – gather audit log of activity • Use to spot database misuse • Use to prove compliance to GDPR – MySQL Enterprise Security – Firewall • Real-time protection against database specific attacks • Use to alert and/or block nefarious activity – such as personal data leakage 28
- 29. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Focus on MySQL Enterprise Audit • Many regulations or security guidelines – for example GDPR – Mandate recording or auditing of the activities on the Personal Data – Recommend records must be maintained centrally - responsibility of the Controller. – Processors and third-parties must not be able to tamper or destroy the audit records. – In addition to book-keeping, auditing helps in forensic analysis in case of a breach. • MySQL Enterprise Audit data can be – New! Privileged users can access RO via SQL (Often DBA SSH access to server is forbidden) – Maintained in Oracle Audit Vault – certified, Splunk, others – Outputs standard XML or JSON that easily integrate with various 3rd party solutions – Supports encryption (MySQL 5.7.18+) – Can direct security logs to write-once storage, 29
- 32. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Additional Security Controls Disaster Recovery - ensure availability of end-user data • Backup – MySQL Enterprise Backup • Includes encryption • Support for MySQL TDE – Oracle Cloud MySQL database service includes Backup and Recovery Confidential – Oracle Internal 32
- 33. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Additional Security Controls Disaster Recovery - ensure availability of end-user data • HA – Various options • MySQL InnoDB Cluster – Based on MySQL Group Replication (mulit-master) • Traditional MySQL Replication Topologies Confidential – Oracle Internal 33
- 36. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | New! MySQL Roles Improving MySQL Access Controls • Introduced in the 8.0.0 DMR • Easier to manage user and applications rights • As standards compliant as practically possible • Multiple default roles • Can export the role graph in GraphML 36 Feature Request from DBAs Directly In directly Set Role(s) Default Role(s) Set of ACLS Set of ACLS
- 37. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | New! Atomic ACL Statements • Long standing MySQL issue! – For Replication, HA, Backups, etc. • Possible now - ACL tables reside in 8.0 InnoDB Data Dictionary • Not just a table operation: memory caches need update too • Applies to statements performing multiple logical operations, e.g. – CREATE USER u1, u2 – GRANT SELECT ON *.* TO u1, u2 • Uses a custom MDL lock to block ACL related activity – While altering the ACL caches and tables 37 Feature Request from DBAs
- 38. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | New! Dynamic Privileges Provides finer grained administrative level access controls • Too often super is required for tasks when less privilege is really needed • Needed to allow adding administrative access controls • SUPER privilege split into a set of dynamic privileges, e.g. – SYSTEM_VARIABLES_ADMIN – ROLE_ADMIN – CONNECTION_ADMIN, etc. • Each plugin can now register and use their own unique privileges • All existing MySQL plugins currently using SUPER are updated to add specific privileges, e.g. 38
- 39. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | 39 Enterprise Security Architecture ¡ ¡ Workbench • Model • Data • Audit Data • User Management ¡ ¡ Enterprise Monitor • Identifies Vulnerabilities • Security hardening policies • User Monitoring • Password Monitoring • Schema Change Monitoring • Backup Monitoring ¡ Enterprise Encryption • TDE • Encryption • PKI ¡ ¡ Firewall ¡ Key Vault ¡ Enterprise Authentication • SSO - LDAP, AD, PAM ¡ Network Encryption ¡ Enterprise Audit • Powerful Rules Engine ¡ Audit Vault ¡ Strong Authentication ¡ Access Controls ¡ Assess ¡ Prevent ¡ Detect ¡ Recover ¡ Enterprise Backup ¡ HA • Innodb Cluster ¡ Thread Pool
- 40. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Security Direction Continuing to focus in areas such as • TDE / Encryption / Key Management • Masking • Audit • Firewall • Authentication • Integration to various Oracle Cloud Services Confidential – Oracle Internal/Restricted/Highly Restricted 40 Customer feedback and requirements drive our priorities Tell us what you want, need, etc. Give us problematic use cases
- 41. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Security Resources • http://mysqlserverteam.com/ • http://insidemysql.com/ • https://blogs.oracle.com/mysql • https://www.mysql.com/why-mysql/#en-0-40 • https://www.mysql.com/why-mysql/presentations/#en-17-40 • https://www.mysql.com/news-and-events/on-demand-webinars/ #en-20-40 • https://www.mysql.com/news-and-events/health-check/ 41
- 42. Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | References • MySQL Enterprise Security • MySQL Enterprise Authentication • MySQL Enterprise Firewall • MySQL Enterprise Transparent Data Encryption • MySQL Enterprise Audit • MySQL Enterprise Backup • MySQL Enteprise Monitor • Encryption Functions • Enterprise Encryption Functions Confidential – Oracle Internal 42