© 2019 Percona MySQL and LGPD (Lei Geral de Proteção de Dados) Vinicius M. Grippa Senior Support Engineer for MySQL/MongoDB ...
• Support Engineer at Percona since 2017. • Working with MySQL for 7 years. • Working with database ...
• Founded in 2006 • 200+ engineers around the world • Tools with 1+ billion downloads • Percona ...
What is the LGPD?
• Lei Geral de Proteção de Dados Pessoais, the "Brazilian GDPR". • Created to protect the freedom and privacy ...
• The data subject (titular) Would be the owner of the data, in this case natural persons. • The controller Is represented by ...
• Key piece in the process of bringing companies into compliance with the LGPD • Demand for security (VPN, Encryption, Fire...
Basic Principles • Minimum access • Isolation • Audit • Protection against intrusion • Firewall
Agenda • OS/Cloud security • SSL • Password management • Audit plugin • Percona Server encryption features...
OS/Cloud Security
OS/Cloud Security • Remove services that are not used • Do not run compilers • Firewalls • Restricted access ...
OS/Cloud Security • Use of Amazon Virtual Private Cloud (VPC) • Use of AWS Identity and Access Management...
SSL
SSL • Transport the information securely • SSL provides that means • Default for MySQL 5.7-8.0 or highe...
| ssl_cert      | server-cert.pem |
| ssl_cipher    |                 |
| ssl_crl       |                 |
| ssl_crlpath   |                 |
| ssl_fips_mode | OFF             |
| ...
mysql: root@localhost ((none)) GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'%' IDENTIFIED BY 'sekret' REQUIR...
It is also possible to set ssl-mode to ensure that all connections use SSL. This option is available only...
Password Management
Password Management • Password expiration • validate_password plugin • Percona LDAP plugin
Password Expiration • MySQL enables database administrators to expire account passwords manually, and to ...
Password Expiration Individual Accounts mysql> create user test_expired_user@localhost identified by 'Sek...
mysql: test_expired_user@localhost ((none)) > show databases; ERROR 1820 (HY000): You must reset your pas...
validate_plugin Its main purpose is to test passwords and improve security. It is possible to ensure the ...
validate_plugin - Installation # Runtime mysql: root@localhost ((none)) > INSTALL PLUGIN validate_password ...
validate_plugin - Validation mysql: root@localhost ((none)) > show global variables like '%plugin%'; +----...
validate_plugin - Example mysql: root@localhost ((none)) > set global validate_password_length = 6; Query...
mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd'; ERROR 1819...
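An offline pre-flight check for the validate_password policy levels shown above, added here as an illustration (not code from the deck or from the plugin): it mirrors the documented LOW / MEDIUM / STRONG rules so a DBA can see why a candidate such as 'PasSw0Rd' is rejected before CREATE USER fails with ERROR 1819. The default thresholds (8 / 1 / 1 / 1) and the check_user_name behaviour are assumed from the plugin's documentation.

```python
# Thresholds assumed from validate_password's documented defaults; any of
# them can be overridden, the way the page overrides validate_password_length.
DEFAULTS = {"length": 8, "mixed_case_count": 1,
            "number_count": 1, "special_char_count": 1}


def validate_password(pw, policy="MEDIUM", user_name=None,
                      dictionary=(), **overrides):
    """Return the list of policy violations; an empty list means the
    password would be accepted under the given policy level."""
    cfg = {**DEFAULTS, **overrides}
    reasons = []
    # check_user_name: the account name and its reverse are rejected at
    # every level (assumed from the documented behaviour).
    if user_name and pw.lower() in (user_name.lower(), user_name[::-1].lower()):
        reasons.append("matches the user name or its reverse")
    # LOW: length only.
    if len(pw) < cfg["length"]:
        reasons.append(f"shorter than {cfg['length']} characters")
    if policy == "LOW":
        return reasons
    # MEDIUM: length plus per-character-class counts.
    lower = sum(c.islower() for c in pw)
    upper = sum(c.isupper() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    special = sum(not c.isalnum() for c in pw)
    if min(lower, upper) < cfg["mixed_case_count"]:
        reasons.append(f"needs {cfg['mixed_case_count']} lower and upper case")
    if digits < cfg["number_count"]:
        reasons.append(f"needs {cfg['number_count']} digit(s)")
    if special < cfg["special_char_count"]:
        reasons.append(f"needs {cfg['special_char_count']} special char(s)")
    if policy != "STRONG":
        return reasons
    # STRONG: every substring of 4+ characters is also compared
    # case-insensitively with the words of the dictionary file.
    words = {w.strip().lower() for w in dictionary}
    low = pw.lower()
    for i in range(len(low)):
        if any(low[i:j] in words for j in range(i + 4, len(low) + 1)):
            reasons.append("contains a dictionary word")
            break
    return reasons


if __name__ == "__main__":
    # Same case as the slide: length lowered to 6, 'PasSw0Rd' still rejected.
    print(validate_password("PasSw0Rd", length=6))
```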
As of MySQL 8.0.14, user accounts are permitted to have dual passwords, designated as primary and seconda...
Audit Plugin
Audit Plugin • MySQL Enterprise – Paid • Percona Server (works with community version) – Free • It is dif...
Audit Plugin - Installing mysql > INSTALL PLUGIN audit_log SONAME 'audit_log.so'; Query OK, 0 rows affect...
Audit Plugin [mysqld] ## Audit Logging ## audit_log_policy=ALL audit_log_format=JSON audit_log_file=/var/...
mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+----...
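Collecting the audit log is only half the job; someone has to read it. The following is an added example (not from the deck or from Percona) of the kind of review a defender runs over audit_log_format=JSON output: it flags bursts of failed logins and every privilege-changing statement. The sample records are constructed here and only follow the general shape of Percona's JSON records (a top-level audit_record object); field names and the threshold are assumptions.

```python
import json
from collections import Counter

# Statement classes that change who can do what; each one deserves review.
PRIV_CLASSES = {"grant", "revoke", "create_user", "drop_user", "alter_user",
                "create_role", "drop_role", "set_password"}
FAILED_LOGIN_THRESHOLD = 3  # assumed tuning value


def _rec(name, **fields):
    """Build one constructed JSON audit line shaped like audit_log's output."""
    return json.dumps({"audit_record": {"name": name, **fields}})


# Constructed sample: one good login, three failed root logins from the same
# address, one GRANT and one ordinary SELECT.
SAMPLE_LOG = "\n".join([
    _rec("Connect", user="app", ip="10.0.0.5", status=0, db="app_db"),
    *[_rec("Connect", user="root", ip="203.0.113.9", status=1045, db="")
      for _ in range(3)],
    _rec("Query", command_class="grant", status=0, ip="10.0.0.5",
         user="app[app] @ 10.0.0.5 []",
         sqltext="GRANT ALL PRIVILEGES ON *.* TO 'x'@'%'"),
    _rec("Query", command_class="select", status=0, ip="10.0.0.5",
         user="app[app] @ 10.0.0.5 []", sqltext="SELECT id FROM app_db.joinit"),
])


def scan_audit_log(text):
    """Return alert strings for failed-login bursts and privilege changes."""
    alerts, failures = [], Counter()
    for line in filter(str.strip, text.splitlines()):
        try:
            r = json.loads(line)["audit_record"]
        except (ValueError, KeyError, TypeError):
            alerts.append(f"unparseable record: {line[:40]}")
            continue
        # A Connect with a non-zero status is a rejected login attempt.
        if r.get("name") == "Connect" and r.get("status", 0) != 0:
            failures[(r.get("user"), r.get("ip"))] += 1
        elif r.get("name") == "Query" and r.get("command_class") in PRIV_CLASSES:
            alerts.append(f"privilege change by {r.get('user')}: {r.get('sqltext')}")
    for (user, ip), n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(f"{n} failed logins for {user} from {ip}")
    return alerts


if __name__ == "__main__":
    for alert in scan_audit_log(SAMPLE_LOG):
        print(alert)
```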
Percona Server Encryption Features
Percona Server Encryption Percona Server provides extra encryption: • encrypt_binlog • encrypt_tmp_files ...
Percona Server Encryption [mysqld] # Binary Log Encryption encrypt_binlog master_verify_checksum = 1 binl...
Percona Server Encryption mysql: root@localhost ((none)) > show global variables like '%encrypt%'; +-----...
MySQL 8 Features (Undo, Redo Encryption)
MySQL 8 - (Undo, Redo Encryption) • MySQL 8 extends tablespace encryption feature to redo log and undo lo...
MySQL 8 - (Undo, Redo Encryption) The process is very straightforward, to enable the encryption on the re...
Transparent Data Encryption (TDE)
Transparent Data Encryption (TDE) • Enables data-at-rest encryption in the database. • Encryption and dec...
Transparent Data Encryption (TDE) [mysqld] # TDE early-plugin-load=keyring_file.so keyring-file-data=/var...
Transparent Data Encryption (TDE) mysql: root@localhost ((none)) > SELECT keyring_key_generate('MyKey', '...
Transparent Data Encryption (TDE) A flag field in the INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES has bit n...
caching_sha2_password
caching_sha2_password MySQL provides two authentication plugins that implement SHA-256 hashing for user a...
caching_sha2_password mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa@localhost i...
caching_sha2_password mysql: root@localhost ((none)) > select user, host, plugin, authentication_string f...
Example # MySQL 8 [mysqld] default_authentication_plugin=caching_sha2_password mysql> CREATE USER 'sha2us...
Example mysql: root@localhost ((none)) > create user vgrippa@localhost identified by 'teste'; Query OK, 0...
Example mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user...
FIPS Mode
FIPS • MySQL supports FIPS mode, if compiled using OpenSSL, and an OpenSSL library and FIPS Object Module...
Example mysql> show global variables like '%fips%'; +---------------+-------+ | Variable_name | Value | +...
Example mysql> select md5('GUOB'); +----------------------------------+ | md5('a') | +-------------------...
Example mysql> show warnings; +---------+-------+--------------------------------------------------------...
Example mysql> select sha2('GUOB', 256); +---------------------------------------------------------------...
Roles
Roles • MySQL 8 comes with the Roles feature. A role is a named collection of privileges. Like user accounts,...
Roles mysql> create role app_read; Query OK, 0 rows affected (0.03 sec) mysql> grant select on *.* to app...
Roles mysql> select * from app_db.joinit; ERROR 1142 (42000): SELECT command denied to user 'test_role'@'...
Roles mysql> SET ROLE all; Query OK, 0 rows affected (0.00 sec) mysql> SELECT CURRENT_ROLE(); +----------...
Roles It is possible to use activate_all_roles_on_login to activate all roles granted to each account at ...
References # OS/Cloud security https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html h...
Any Questions?
We’re Hiring! Percona’s open source database experts are true superheroes, improving database performance...
