Submit Search
Upload
MySQL Security
•
2 likes
•
1,200 views
Ted Wennmark
Follow
MySQL Security session at MySQL TT in Nordics
Read less
Read more
Technology
Report
Share
Report
Share
1 of 41
Download now
Download to read offline
Recommended
Mysql security 5.7
Mysql security 5.7
Mark Swarbrick
MySQL Router REST API
MySQL Router REST API
Frederic Descamps
Oracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12c
Nabeel Yoosuf
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
Deploying Privileged Access Workstations (PAWs)
Deploying Privileged Access Workstations (PAWs)
Blue Teamer
MySQL Advanced Administrator 2021 - 네오클로바
MySQL Advanced Administrator 2021 - 네오클로바
NeoClova
Application Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
MySQL InnoDB Cluster - New Features in 8.0 Releases - Best Practices
MySQL InnoDB Cluster - New Features in 8.0 Releases - Best Practices
Kenny Gryp
Recommended
Mysql security 5.7
Mysql security 5.7
Mark Swarbrick
MySQL Router REST API
MySQL Router REST API
Frederic Descamps
Oracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12c
Nabeel Yoosuf
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
Deploying Privileged Access Workstations (PAWs)
Deploying Privileged Access Workstations (PAWs)
Blue Teamer
MySQL Advanced Administrator 2021 - 네오클로바
MySQL Advanced Administrator 2021 - 네오클로바
NeoClova
Application Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
MySQL InnoDB Cluster - New Features in 8.0 Releases - Best Practices
MySQL InnoDB Cluster - New Features in 8.0 Releases - Best Practices
Kenny Gryp
Threat Modeling Everything
Threat Modeling Everything
Anne Oikarinen
MITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
Cloud Security
Cloud Security
AWS User Group Bengaluru
5. Identity and Access Management
5. Identity and Access Management
Sam Bowne
SQL INJECTION
SQL INJECTION
Anoop T
Introducing Oracle Audit Vault and Database Firewall
Introducing Oracle Audit Vault and Database Firewall
Troy Kitch
Cloud Security Fundamentals Webinar
Cloud Security Fundamentals Webinar
Joseph Holbrook, Chief Learning Officer (CLO)
Oracle Architecture
Oracle Architecture
Neeraj Singh
Extreme Replication - Performance Tuning Oracle GoldenGate
Extreme Replication - Performance Tuning Oracle GoldenGate
Bobby Curtis
Oracle Key Vault Overview
Oracle Key Vault Overview
Troy Kitch
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
Netpluz Asia Pte Ltd
Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect ...
Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect ...
Quest
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
Hossam .M Hamed
MySQL 8 High Availability with InnoDB Clusters
MySQL 8 High Availability with InnoDB Clusters
Miguel Araújo
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
Application Security
Application Security
Reggie Niccolo Santos
Oracle RAC features on Exadata
Oracle RAC features on Exadata
Anil Nair
MySQL InnoDB Cluster - Advanced Configuration & Operations
MySQL InnoDB Cluster - Advanced Configuration & Operations
Frederic Descamps
Wazuh Security Platform
Wazuh Security Platform
Pituphong Yavirach
MySQL Tech Tour 2015 - 5.7 Security
MySQL Tech Tour 2015 - 5.7 Security
Mark Swarbrick
MySQL Security
MySQL Security
Mario Beck
More Related Content
What's hot
Threat Modeling Everything
Threat Modeling Everything
Anne Oikarinen
MITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
Cloud Security
Cloud Security
AWS User Group Bengaluru
5. Identity and Access Management
5. Identity and Access Management
Sam Bowne
SQL INJECTION
SQL INJECTION
Anoop T
Introducing Oracle Audit Vault and Database Firewall
Introducing Oracle Audit Vault and Database Firewall
Troy Kitch
Cloud Security Fundamentals Webinar
Cloud Security Fundamentals Webinar
Joseph Holbrook, Chief Learning Officer (CLO)
Oracle Architecture
Oracle Architecture
Neeraj Singh
Extreme Replication - Performance Tuning Oracle GoldenGate
Extreme Replication - Performance Tuning Oracle GoldenGate
Bobby Curtis
Oracle Key Vault Overview
Oracle Key Vault Overview
Troy Kitch
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
Netpluz Asia Pte Ltd
Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect ...
Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect ...
Quest
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
Hossam .M Hamed
MySQL 8 High Availability with InnoDB Clusters
MySQL 8 High Availability with InnoDB Clusters
Miguel Araújo
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Will Schroeder
Application Security
Application Security
Reggie Niccolo Santos
Oracle RAC features on Exadata
Oracle RAC features on Exadata
Anil Nair
MySQL InnoDB Cluster - Advanced Configuration & Operations
MySQL InnoDB Cluster - Advanced Configuration & Operations
Frederic Descamps
Wazuh Security Platform
Wazuh Security Platform
Pituphong Yavirach
What's hot
(20)
Threat Modeling Everything
Threat Modeling Everything
MITRE ATT&CK Framework
MITRE ATT&CK Framework
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
Cloud Security
Cloud Security
5. Identity and Access Management
5. Identity and Access Management
SQL INJECTION
SQL INJECTION
Introducing Oracle Audit Vault and Database Firewall
Introducing Oracle Audit Vault and Database Firewall
Cloud Security Fundamentals Webinar
Cloud Security Fundamentals Webinar
Oracle Architecture
Oracle Architecture
Extreme Replication - Performance Tuning Oracle GoldenGate
Extreme Replication - Performance Tuning Oracle GoldenGate
Oracle Key Vault Overview
Oracle Key Vault Overview
VAPT - Vulnerability Assessment & Penetration Testing
VAPT - Vulnerability Assessment & Penetration Testing
Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect ...
Understanding "Red Forest" - The 3-Tier ESAE and Alternative Ways to Protect ...
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
MySQL 8 High Availability with InnoDB Clusters
MySQL 8 High Availability with InnoDB Clusters
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active Directory
Application Security
Application Security
Oracle RAC features on Exadata
Oracle RAC features on Exadata
MySQL InnoDB Cluster - Advanced Configuration & Operations
MySQL InnoDB Cluster - Advanced Configuration & Operations
Wazuh Security Platform
Wazuh Security Platform
Similar to MySQL Security
MySQL Tech Tour 2015 - 5.7 Security
MySQL Tech Tour 2015 - 5.7 Security
Mark Swarbrick
MySQL Security
MySQL Security
Mario Beck
MySQL for Oracle DBAs
MySQL for Oracle DBAs
Mario Beck
Modern Data Security with MySQL
Modern Data Security with MySQL
Vittorio Cioe
2015: Whats New in MySQL 5.7, At Oracle Open World, November 3rd, 2015
2015: Whats New in MySQL 5.7, At Oracle Open World, November 3rd, 2015
Geir Høydalsvik
Mysql user-camp-march-11th-2016
Mysql user-camp-march-11th-2016
Harin Vadodaria
MySQL for Oracle DBAs
MySQL for Oracle DBAs
Ben Krug
2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server
Georgi Kodinov
MySQL Cloud Service Deep Dive
MySQL Cloud Service Deep Dive
Morgan Tocker
MySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise Edition
Olivier DASINI
BGOUG17: Cloudy with a chance of MySQL
BGOUG17: Cloudy with a chance of MySQL
Georgi Kodinov
MySQL Enterprise Edition - Complete Guide (2019)
MySQL Enterprise Edition - Complete Guide (2019)
Keith Hollman
MySQL Enterprise Portfolio
MySQL Enterprise Portfolio
Abel Flórez
Kscope Not Your Father's Enterprise Manager
Kscope Not Your Father's Enterprise Manager
Kellyn Pot'Vin-Gorman
MySQL Manchester TT - Performance Tuning
MySQL Manchester TT - Performance Tuning
Mark Swarbrick
Netherlands Tech Tour - 06 MySQL Enterprise Monitor
Netherlands Tech Tour - 06 MySQL Enterprise Monitor
Mark Swarbrick
Oracle Enterprise Manager Security: A Practitioners Guide
Oracle Enterprise Manager Security: A Practitioners Guide
Courtney Llamas
MySQL London Tech Tour March 2015 - Embedded Database of Choice
MySQL London Tech Tour March 2015 - Embedded Database of Choice
Mark Swarbrick
MySQL enterprise edition
MySQL enterprise edition
Mark Swarbrick
1 my sql20151219-kaji_ivan
1 my sql20151219-kaji_ivan
Ivan Tu
Similar to MySQL Security
(20)
MySQL Tech Tour 2015 - 5.7 Security
MySQL Tech Tour 2015 - 5.7 Security
MySQL Security
MySQL Security
MySQL for Oracle DBAs
MySQL for Oracle DBAs
Modern Data Security with MySQL
Modern Data Security with MySQL
2015: Whats New in MySQL 5.7, At Oracle Open World, November 3rd, 2015
2015: Whats New in MySQL 5.7, At Oracle Open World, November 3rd, 2015
Mysql user-camp-march-11th-2016
Mysql user-camp-march-11th-2016
MySQL for Oracle DBAs
MySQL for Oracle DBAs
2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server
MySQL Cloud Service Deep Dive
MySQL Cloud Service Deep Dive
MySQL Day Paris 2016 - MySQL Enterprise Edition
MySQL Day Paris 2016 - MySQL Enterprise Edition
BGOUG17: Cloudy with a chance of MySQL
BGOUG17: Cloudy with a chance of MySQL
MySQL Enterprise Edition - Complete Guide (2019)
MySQL Enterprise Edition - Complete Guide (2019)
MySQL Enterprise Portfolio
MySQL Enterprise Portfolio
Kscope Not Your Father's Enterprise Manager
Kscope Not Your Father's Enterprise Manager
MySQL Manchester TT - Performance Tuning
MySQL Manchester TT - Performance Tuning
Netherlands Tech Tour - 06 MySQL Enterprise Monitor
Netherlands Tech Tour - 06 MySQL Enterprise Monitor
Oracle Enterprise Manager Security: A Practitioners Guide
Oracle Enterprise Manager Security: A Practitioners Guide
MySQL London Tech Tour March 2015 - Embedded Database of Choice
MySQL London Tech Tour March 2015 - Embedded Database of Choice
MySQL enterprise edition
MySQL enterprise edition
1 my sql20151219-kaji_ivan
1 my sql20151219-kaji_ivan
More from Ted Wennmark
MySQL NDB Cluster 8.0
MySQL NDB Cluster 8.0
Ted Wennmark
Upgrade to MySQL 8.0!
Upgrade to MySQL 8.0!
Ted Wennmark
MySQL Performance - Best practices
MySQL Performance - Best practices
Ted Wennmark
01 upgrade to my sql8
01 upgrade to my sql8
Ted Wennmark
MySQL as a Document Store
MySQL as a Document Store
Ted Wennmark
Upgrade to MySQL 5.7 and latest news planned for MySQL 8
Upgrade to MySQL 5.7 and latest news planned for MySQL 8
Ted Wennmark
MySQL HA
MySQL HA
Ted Wennmark
MySQL Enterprise Backup apr 2016
MySQL Enterprise Backup apr 2016
Ted Wennmark
MySQL 5.7 Replication News
MySQL 5.7 Replication News
Ted Wennmark
MySQL 5.6, news in 5.7 and our HA options
MySQL 5.6, news in 5.7 and our HA options
Ted Wennmark
Introduction to MySQL
Introduction to MySQL
Ted Wennmark
MySQL Fabric - High Availability & Automated Sharding for MySQL
MySQL Fabric - High Availability & Automated Sharding for MySQL
Ted Wennmark
The MySQL Performance Schema & New SYS Schema
The MySQL Performance Schema & New SYS Schema
Ted Wennmark
MySQL Enterprise Monitor
MySQL Enterprise Monitor
Ted Wennmark
MySQL@king
MySQL@king
Ted Wennmark
NoSQL and MySQL
NoSQL and MySQL
Ted Wennmark
What's new in my sql smug
What's new in my sql smug
Ted Wennmark
More from Ted Wennmark
(17)
MySQL NDB Cluster 8.0
MySQL NDB Cluster 8.0
Upgrade to MySQL 8.0!
Upgrade to MySQL 8.0!
MySQL Performance - Best practices
MySQL Performance - Best practices
01 upgrade to my sql8
01 upgrade to my sql8
MySQL as a Document Store
MySQL as a Document Store
Upgrade to MySQL 5.7 and latest news planned for MySQL 8
Upgrade to MySQL 5.7 and latest news planned for MySQL 8
MySQL HA
MySQL HA
MySQL Enterprise Backup apr 2016
MySQL Enterprise Backup apr 2016
MySQL 5.7 Replication News
MySQL 5.7 Replication News
MySQL 5.6, news in 5.7 and our HA options
MySQL 5.6, news in 5.7 and our HA options
Introduction to MySQL
Introduction to MySQL
MySQL Fabric - High Availability & Automated Sharding for MySQL
MySQL Fabric - High Availability & Automated Sharding for MySQL
The MySQL Performance Schema & New SYS Schema
The MySQL Performance Schema & New SYS Schema
MySQL Enterprise Monitor
MySQL Enterprise Monitor
MySQL@king
MySQL@king
NoSQL and MySQL
NoSQL and MySQL
What's new in my sql smug
What's new in my sql smug
Recently uploaded
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
Alex Barbosa Coqueiro
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
Enterprise Knowledge
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
NavinnSomaal
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
Scott Keck-Warren
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
gvaughan
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
Dubai Multi Commodity Centre
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
BookNet Canada
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Zilliz
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
Pixlogix Infotech
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
Dilum Bandara
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
Florian Wilhelm
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
charlottematthew16
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
Alfredo García Lavilla
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
Addepto
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
Lorenzo Miniero
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
Miki Katsuragi
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
Fwdays
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
Slibray Presentation
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
2toLead Limited
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
Rizwan Syed
Recently uploaded
(20)
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
MySQL Security
1.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL TT: Security Ted Wennmark, MySQL SC and Cluster specialist, EMEA ted.wennmark@oracle.com
2.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | 43% of companies have experienced a data breach in the past year. Source: Ponemon Institute, 2014 Oracle Confidential – Internal/Restricted/Highly Restricted 2
3.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | • Poor Configurations – Set limits and change default setting • Over Privileged Accounts – Privilege Policies •Weak Authentication – Use Strong Password • Weak Auditing – Compliance & Audit Policies • Lack of Encryption – Data, Back, & Network Encryption • Proper Credential/Key Management – Use mysql_config_editor , Key Vaults • Unsecured Backups – Encrypted Backups • No Monitoring – Security Monitoring, Users, Objects • Poorly Coded Applications – Database Firewall 3 Database Vulnerabilities
4.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | Database Attacks • SQL Injection – Prevention: DB Firewall, White List, Input Validation • Buffer Overflow – Prevention: Frequently apply Database Software updates, DB Firewall, White List, Input Validation • Brute Force Attack – Prevention: lock out accounts after a defined number of incorrect attempts. • Network Eavesdropping – Prevention: Require SSL/TLS for all Connections and Transport • Malware – Prevention: Tight Access Controls, Limited Network IP access, Change default settings 4
5.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | Regulatory Compliance • Regulations – PCI – DSS: Payment Card Data – HIPAA: Privacy of Health Data – Sarbanes Oxley: Accuracy of Financial Data – EU Data Protection Directive: Protection of Personal Data – Data Protection Act (UK): Protection of Personal Data • Requirements – Continuous Monitoring (Users, Schema, Backups, etc) – Data Protection (Encryption, Privilege Management, etc.) – Data Retention (Backups, User Activity, etc.) – Data Auditing (User activity, etc.) 5 https://www.mysql.com/why-mysql/white-papers/mysql-pci-data-security-compliance/
6.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | DBA Responsibilities • Ensure only users who should get access, can get access • Limit what users and applications can do • Limit from where users and applications can access data • Watch what is happening, and when it happened • Make sure to back things up securely • Minimize attack surface
7.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | Block Threats Auditing Regulatory Compliance Login and Query Activities SSL/TLS Public Key Private Key Digital Signatures Privilege Management Administration Database & Objects Proxy Users MySQL Linux / LDAP Windows AD Custom Oracle Confidential – Internal 7 MySQL Security Overview AuthorizationAuthentication Firewall& Auditing Encryption Security
8.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Authorization • Administrative Privileges • Database Privileges • Session Limits and Object Privileges • Fine grained controls over user privileges – Creating, altering and deleting databases – Creating, altering and deleting tables – Execute INSERT, SELECT, UPDATE, DELETE queries – Create, execute, or delete stored procedures and with what rights – Create or delete indexes 8 Security Privilege Management in MySQL Workbench
9.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Privilege Management • user: user accounts, global privileges columns • db: database-level privileges • tables_priv: Contains table-level privileges • columns_priv: Contains column-level privileges • procs_priv: Contains stored procedure and function privileges • proxies_priv: Contains proxy-user 9
10.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Authentication • Built in Authentication – user table stores users and encrypted passwords • GRANT READ ON *.* TO ted@<ip> REQUIRE X509 – Server authenticates client certificates and force user to use SSL • SHA-256 Password plugin – Default plug-in use SHA-1 for encrypting passwords. • MySQL Enterprise Authentication – Microsoft Active Directory – Linux PAMs (Pluggable Authentication Modules) • Support LDAP and more 10
11.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Password Policies • Accounts without Passwords – Assign passwords to all accounts to prevent unauthorized use • Password Validation Plugin – Enforce Strong Passwords • Password Expiration/Rotation – Require users to reset their password – New global parameter default_password_lifetime in 5.7 (default=360) – mysql.user -> password_lifetime column for per user settings (default NULL) • Account lockout (in v. 5.7) 11
12.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Encryption • SSL/TLS Encryption – Between MySQL clients and Server – Replication: Between Master & Slave – Per connection basis • Data Encryption – AES Encrypt/Decrypt 12 • MySQL Enterprise Encryption – Asymmetric Encrypt/Decrypt – Generate Public Key and Private Keys – Derive Session Keys – Digital Signatures • MySQL Enterprise Backup – Support for encrypted backups
13.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | Database Auditing • Auditing for Security & Compliance – FIPS, HIPAA, PCI-DSS, SOX, DISA STIG, … • MySQL built-in logging infrastructure: – general log, error log • MySQL Enterprise Audit – Granularity made for auditing – Can be modified live – Contains additional details – Compatible with Oracle Audit Vault.
14.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | Database Firewall • SQL Injection: #1 Web Application Vulnerability – 77% of Web Sites had vulnerabilities – 1 in 8 critical vulnerabilities • MySQL Enterprise Firewall – Monitor database statements in real-time – Automatic White List “rules” generation for any application – Out of policy database transactions detected and blocked 14
15.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | Oracle Confidential – Internal 15 MySQL Database Hardening User Management • Remove Extra Accounts • Grant Minimal Privileges • Audit users and privileges Configuration • Firewall • Auditing and Logging • Limit Network Access • Monitor changes Installation • Mysql_secure_installation • Keep MySQL up to date − MySQL Installer for Windows − Yum/Apt Repository Backups • Monitor Backups • Encrypt Backups Encryption • SSL/TLS for Secure Connections • Data Encryption (AES, RSA) Passwords • Strong Password Policy • Hashing, Expiration • Password Validation Plugin
16.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL 5.7 Linux Packages - Security Improvements • Test/Demo database has been removed – Now in separate packages (prod/dev) • Anonymous account creation is removed. • Creation of single root account – local host only • Default installation ensures encrypted communication by default – Automatic generation of SSL/RSA Certs/Keys • For EE : At server startup if options Certs/Keys were not set • For CE : Through new mysql_ssl_rsa_setup utility • Automatic detection of SSL Certs/Keys • Client attempts secure TLS connection by default 16 MySQL Installer for Windows includes various Security Setup and Hardening Steps
17.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Database Hardening: Installation • MySQL_Secure_Installation / MySQL Installer for Windows – Set a strong password for root account – Remove root accounts that are accessible from outside the local host – Remove anonymous-user accounts – Remove the test database • Which by default can be accessed by all users • Including Anonymous Users • Keep MySQL up to date – Repos – YUM/APT/SUSE – MySQL Installer for Windows 17
18.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | Software Updates - Database and OS Maintenance • Maintaining security requires keeping Operating System and MySQL security patches up to date. – May require a restart (mysql or operating system) to take effect. • To enable seamless upgrades consider MySQL Replication – Allows for changes to be performed in a rolling fashion • Best practice to upgrade slaves first – MySQL 5.6 and above supports GTID-based replication • Provides for simple rolling upgrades • Follow OS vendor specific hardening Guidelines – For example • http://www.oracle.com/technetwork/articles/servers-storage-admin/tips-harden-oracle-linux-1695888.html 18
19.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Database Hardening: Configuration • Audit Activity – Use Enterprise Audit – Alt. Transiently enable Query Logging – Monitor and Inspect regularly • Disable or Limit Remote Access – If local “skip-networking” or bind- address=127.0.0.1 – If Remote access then limit hosts/IP • Change root username 19 • Disable unauthorized reading from local files – Disable LOAD DATA LOCAL INFILE • Run MySQL on non default port – More difficult to find database • Limit MySQL OS User • Use InnoDB • Enable SSL
20.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Database Hardening: Backups • Backups are Business Critical – Used to restore after attack – Migrate, move or clone server – Part of Audit Trail • Regularly Scheduled Backups • Monitor Backups • Encrypt Backups • Do not forget about Recovery plans 20
21.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Edition • MySQL Enterprise Authentication – External Authentication Modules • Microsoft AD, Linux PAMs • MySQL Enterprise Encryption – Public/Private Key Cryptography – Asymmetric Encryption – Digital Signatures, Data Validation • MySQL Enterprise Firewall – Query Monitoring, White List Matching, • MySQL Enterprise Audit – User Activity Auditing, Regulatory Compliance 21 • MySQL Enterprise Monitor – Changes in Database Configurations, Users Permissions, Database Schema, Passwords • MySQL Enterprise Backup – Securing Backups, AES 256 encryption
22.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Monitor • Enforce MySQL Security Best Practices – Identifies Vulnerabilties – Assesses current setup against security hardening policies • Monitoring & Alerting – User Monitoring – Password Monitoring – Schema Change Monitoring – Backup Monitoring • Configuration Management – Configuration Tuning Advice • Centralized User Management 22 "I definitely recommend the MySQL Enterprise Monitor to DBAs who don't have a ton of MySQL experience. It makes monitoring MySQL security, performance and availability very easy to understand and to act on.” Sandi Barr Sr. Software Engineer Schneider Electric
23.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | Oracle Enterprise Manager for MySQL 23 Performance Security Availability • Availability monitoring • Performance monitoring • Configuration monitoring • All available metrics collected – Allowing for custom threshold based incident reports • MySQL auto-detection
24.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Firewall • Real Time Protection – Queries analyzed and matched against White List • Blocks SQL Injection Attacks – Positive Security Model • Block Suspicious Traffic – Out of Policy Transactions detected & blocked • Learns White List – Automated creation of approved list of SQL command patterns on a per user basis • Transparent – No changes to application required 24 MySQL Enterprise Firewall monitoring
25.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Firewall • Block SQL Injection Attacks – Allow: SQL Statements that match Whitelist – Block: SQL statements that are not on Whitelist • Intrusion Detection System – Detect: SQL statements that are not on Whitelist • SQL Statements execute and alert administrators 25 Select *.* from employee where id=22 Select *.* from employee where id=22 or 1=1 Block✖ Allow✔ White List Applications Detect & Alert Intrusion Detection
26.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Firewall: Overview 26 Inbound SQL Traffic Web Applications SQL Injection Attack Via Brower ALLOW BLOCK DETECT 1 2 3 Instance MySQL Enterprise FirewallInternet
27.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | 27 Receive SQL from client Digest into parser tokens Firewall Store SQL digest in Firewall whitelist Check user Firewall mode Detect or protect mode In whitelist? Execute SQL Send Firewall alert to error log Reject SQL Recording Yes Detect Protect Off MySQL Enterprise Firewall Workflow No Protect or Detect
28.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Firewall Details • Firewall operation is turned on at a per user level • Per User States are –RECORDING –PROTECTING –DETECTING –OFF 28
29.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | 29 MySQL Enterprise Firewall: Per User Whitelists
30.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Firewall: What happens when SQL is blocked in Protect Mode? • The client application gets an ERROR mysql> SELECT first_name, last_name FROM customer WHERE customer_id = 1 OR TRUE; ERROR 1045 (28000): Statement was blocked by Firewall mysql> SHOW DATABASES; ERROR 1045 (28000): Statement was blocked by Firewall mysql> TRUNCATE TABLE mysql.user; ERROR 1045 (28000): Statement was blocked by Firewall • Reported to the Error Log • Increment Counter 30
31.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Firewall: Monitoring Firewall Status Counters 31
32.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Firewall: Whitelist Example • mysql> SELECT userhost, substr(rule,1,80) FROM mysql.firewall_whitelist WHERE userhost= 'wpuser@localhost'; +------------------+----------------------------------------------------------------------------------+ | userhost | substr(rule,1,80) | +------------------+----------------------------------------------------------------------------------+ | wpuser@localhost | SELECT * FROM `wp_posts` WHERE `ID` = ? LIMIT ? | | wpuser@localhost | SELECT `option_value` FROM `wp_options` WHERE `option_name` = ? LIMIT ? | | wpuser@localhost | SELECT `wp_posts` . * FROM `wp_posts` WHERE ? = ? AND `wp_posts` . `ID` = ? AND | ... | wpuser@localhost | UPDATE `wp_posts` SET `comment_count` = ? WHERE `ID` = ? | | wpuser@localhost | SELECT `t` . * , `tt` . * FROM `wp_terms` AS `t` INNER JOIN `wp_term_taxonomy` A | | wpuser@localhost | SELECT `t` . * , `tt` . * FROM `wp_terms` AS `t` INNER JOIN `wp_term_taxonomy` A | +------------------+----------------------------------------------------------------------------------+ 32
33.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Authentication 33 • Integrate with Centralized Authentication Infrastructure – Centralized Account Management – Password Policy Management – Groups & Roles • PAM (Pluggable Authentication Modules) – Standard interface (Unix, LDAP, Kerberos, others) – Windows • Access native Windows service - Use to Authenticate users using Windows Active Directory or to a native host Integrates MySQL with existing security infrastructures
34.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Authentication: PAM • Standard Interface – LDAP – Unix/Linux • Proxy Users 34
35.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Authentication: Windows •Windows Active Directory •Windows Native Services 35
36.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Encryption • MySQL encryption functions – Symmetric encryption AES256 (All Editions) – Public-key / asymmetric cryptography – RSA • Key management functions – Generate public and private keys – Key exchange methods: DH • Sign and verify data functions – Cryptographic hashing for digital signing, verification, & validation – RSA,DSA 36
37.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Audit • Out-of-the-box logging of connections, logins, and query • User defined policies for filtering, and log rotation • Dynamically enabled, disabled: no server restart • XML-based audit stream per Oracle Audit Vault spec 37 Adds regulatory compliance to MySQL applications (HIPAA, Sarbanes-Oxley, PCI, etc.)
38.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Audit 38 2. User Joe connects and runs a query 1. DBA enables Audit plugin 3. Joe’s connection & query logged
39.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | MySQL Enterprise Backup • Online Backup for InnoDB (scriptable interface) • Full, Incremental, Partial Backups (with compression) • Strong Encryption (AES 256) • Point in Time, Full, Partial Recovery options • Metadata on status, progress, history • Scales – High Performance/Unlimited Database Size • Windows, Linux, Unix • Certified with Oracle Secure Backup, NetBackup, Tivoli, others 39
40.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | Oracle Audit Vault and Database Firewall • Oracle DB Firewall – Oracle, MySQL, SQL Server, IBM DB2, Sybase – Activity Monitoring & Logging – White List, Black List, Exception List • Audit Vault – Built-in Compliance Reports – External storage for audit archive 40
41.
Copyright © 2014,
Oracle and/or its affiliates. All rights reserved. | Thank You
Download now