MySQL Day Paris 2016 - MySQL Enterprise Edition

MySQL Enterprise Edition
Achieve the Highest Levels of Security
------------
• MySQL Enterprise TDE
– Data-at-Rest Encryption
– Key Management / Security

• MySQL Enterprise Backup
– Securing Backups, AES 256 encryption

• MySQL Enterprise Encryption
– Public/Private Key Cryptography
– Asymmetric Encryption
– Digital Signatures, Data Validation

• MySQL Enterprise Authentication
– External Authentication Modules
– Microsoft AD, Linux PAMs

• MySQL Enterprise Firewall
– Block SQL Injection Attacks
– Intrusion Detection

• MySQL Enterprise Audit
– User Activity Auditing, Regulatory Compliance

• MySQL Enterprise Monitor
– Changes in Database Configurations, Users Permissions, Database Schema, Passwords

  1. MySQL Enterprise Edition: Achieve the Highest Levels of Security. Olivier Dasini, MySQL Principal Solutions Architect, olivier.dasini@oracle.com, @freshdaz
  2. Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | Safe Harbor Statement: The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
  3. MySQL Security
  4. Data Breaches (source: Internet Security Threat Report 2016, Symantec)
     • 429 million identities exposed in 2015.
     • 75% of web sites had vulnerabilities; 15% of all web sites had a critical vulnerability.
     • In 2015 a record nine mega-breaches were reported (mega-breach = more than 10 million records); the largest exposed 191 million records.
     • Mobile vulnerabilities on the rise, up 214%.
     • Infection by SQL injection is still strong.
     • Malware attacks on databases.
  5. DBAs are responsible for Database Security
     • Ensure only users who should get access can get access
     • Limit what users and applications can do
     • Limit from where users and applications can access data
     • Watch what is happening, and when it happened
     • Make sure to back things up securely
     • Minimize the attack surface
     • Ensure encryption keys are protected and managed
  6. DBAs must meet Security and Regulatory Compliance
     • Regulations
       – PCI DSS: payment card data
       – HIPAA: privacy of health data
       – Sarbanes-Oxley: accuracy of financial data
       – EU Data Protection Directive: protection of personal data, being replaced by the General Data Protection Regulation (GDPR), https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
       – Data Protection Act (UK): protection of personal data
     • Requirements
       – Continuous monitoring (users, schema, backups, etc.)
       – Data protection (encryption, privilege management, etc.)
       – Data retention (backups, user activity, etc.)
       – Data auditing (user activity, etc.)
  7. MySQL Enterprise Edition (overview; video: https://www.youtube.com/watch?v=ypQh9H9Rf9w)
     • MySQL Enterprise TDE – data-at-rest encryption; key management / security
     • MySQL Enterprise Encryption – public/private key cryptography, asymmetric encryption, digital signatures, data validation
     • MySQL Enterprise Firewall – block SQL injection attacks; intrusion detection
     • MySQL Enterprise Audit – user activity auditing, regulatory compliance
     • MySQL Enterprise Monitor – changes in database configuration, user permissions, database schema, passwords
     • MySQL Enterprise Backup – securing backups, AES-256 encryption
     • MySQL Enterprise Authentication – external authentication modules: Microsoft AD, Linux PAM
  8. MySQL Enterprise Transparent Data Encryption
     • Improves security
       – An added layer of defense that complements access controls: the data files are useless without the key even when file-level controls are bypassed
       – Simple to use and manage
     • Meets security and regulatory requirements
       – Fit for cases where encryption is required: healthcare, financial services, government, etc.
     • Secures and manages keys
       – Supports the standard KMIP 1.2 protocol
       – Supports Oracle Key Vault and other key stores
  9. MySQL Enterprise Transparent Data Encryption Goals
     • Data-at-rest encryption
       – Tablespaces, disks, storage, OS file system (InnoDB TDE in MySQL 5.7 encrypts file-per-table tablespaces; disk and file-system encryption are separate layers)
     • Transparent to applications and users
       – No application code, schema or data type changes
     • Transparent to DBAs
       – Keys are held in the keyring, not visible to DBAs through SQL; no configuration changes for applications
     • Requires key management
       – Protection, rotation, storage, recovery
  10. MySQL Transparent Data Encryption (diagram)
     • Each encrypted tablespace file is encrypted with its own tablespace key; the tablespace keys are in turn encrypted with the master key held in the keyring.
     • A malicious OS user or hacker who accesses the files directly gets only ciphertext: information access is blocked by the encryption.
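The keyring/tablespace-key scheme on slides 8 to 10, as an added worked example (not from the deck or from Oracle). It assumes MySQL Enterprise 5.7.11 or later with a keyring plugin loaded at startup; the `clinic` schema and its tables are made up for the example.

```sql
-- Added example, not from the slides: enabling InnoDB tablespace encryption
-- (MySQL Enterprise TDE, 5.7.11+) and rotating the master key.
-- Assumption: a keyring plugin was loaded at server start, e.g. in my.cnf
--   [mysqld]
--   early-plugin-load=keyring_file.so
--   keyring_file_data=/var/lib/mysql-keyring/keyring
-- keyring_file is fine for a lab. In production use keyring_okv so the
-- master key lives in Oracle Key Vault or another KMIP 1.2 server and
-- never sits on the same host as the data files.

-- 0. Confirm the keyring is active; ENCRYPTION='Y' fails without it.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';

-- 1. TDE in 5.7 works on file-per-table InnoDB tablespaces (the default).
SHOW GLOBAL VARIABLES LIKE 'innodb_file_per_table';

-- 2. Create an encrypted table. InnoDB generates a random tablespace key,
--    encrypts it with the master key from the keyring and stores the wrapped
--    key in the tablespace header; applications see an ordinary table.
CREATE TABLE clinic.patient_records (
  id        INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  ssn       CHAR(11)     NOT NULL,
  diagnosis TEXT
) ENGINE=InnoDB ENCRYPTION='Y';

-- 3. Encrypt an existing table in place. This is a table copy
--    (ALGORITHM=COPY), so plan for the I/O and the lock time.
ALTER TABLE clinic.visits ENCRYPTION='Y';

-- 4. Audit which tables are encrypted (CREATE_OPTIONS carries ENCRYPTION="Y").
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
  FROM INFORMATION_SCHEMA.TABLES
 WHERE CREATE_OPTIONS LIKE '%ENCRYPTION%';

-- 5. Rotate the master key, on a schedule or after suspected exposure.
--    Only the wrapped tablespace keys are re-encrypted, so this is fast
--    and does not rewrite table data; the old master key can then be
--    retired in the key store.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
```

Two operational caveats: the master key must be backed up separately from the data (with `keyring_file`, losing the keyring file makes every encrypted tablespace unrecoverable), and TDE only defends against reading the files; a user who holds `SELECT` on the table still reads plaintext, so it complements, rather than replaces, privileges and auditing.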
  11. MySQL Enterprise Audit
     • Auditing for security and compliance: FIPS, HIPAA, PCI DSS, SOX, DISA STIG, ...
     • MySQL built-in logging infrastructure: general log, error log (all-or-nothing, not designed for audit use)
     • MySQL Enterprise Audit
       – Granularity made for auditing
       – Can be modified live
       – Contains additional details
       – Compatible with Oracle Audit Vault
     • Adds regulatory compliance to MySQL applications (HIPAA, Sarbanes-Oxley, PCI, etc.)
     • https://dev.mysql.com/doc/refman/5.7/en/audit-log.html
  12. MySQL Enterprise Audit Work Flow (diagram)
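The "granular, modifiable live" auditing of slides 11 and 12, as an added worked example (not from the deck or from Oracle). It assumes MySQL Enterprise 5.7.13 or later (rule-based audit filtering), that the `audit_log_filter_*` functions were created with the bundled `audit_log_filter_linux_install.sql` script, and that the account names are made up.

```sql
-- Added example, not from the slides: installing MySQL Enterprise Audit
-- (5.7.13+ rule-based filtering) and scoping what gets logged.
-- Assumptions: the Enterprise server ships audit_log.so, the
-- audit_log_filter_* functions exist, and 'app'@'localhost' is a made-up
-- application account.

INSTALL PLUGIN audit_log SONAME 'audit_log.so';
-- In my.cnf, set audit-log=FORCE_PLUS_PERMANENT so the server will not
-- start, and the plugin cannot be uninstalled, without auditing.

-- Default for every account: log everything (connections and statements).
SELECT audit_log_filter_set_filter('log_all', '{ "filter": { "log": true } }');
SELECT audit_log_filter_set_user('%', 'log_all');

-- A chatty application account: keep connect/disconnect and writes only,
-- so the log stays reviewable; reads are not recorded for this account.
-- Listing classes makes everything not listed implicitly unlogged.
SELECT audit_log_filter_set_filter('app_writes',
  '{ "filter": {
       "class": [
         { "name": "connection" },
         { "name": "table_access",
           "event": { "name": [ "insert", "update", "delete" ] } }
       ] } }');
SELECT audit_log_filter_set_user('app@localhost', 'app_writes');

-- Privileged humans keep inheriting 'log_all' via the '%' default.

-- Review the assignments; changes take effect live, no restart required.
SELECT * FROM mysql.audit_log_filter;
SELECT * FROM mysql.audit_log_user;

-- Revert one account to the default filter.
SELECT audit_log_filter_remove_user('app@localhost');

-- Operational settings: JSON output (audit_log_format=JSON, 5.7.21+, set in
-- my.cnf) for SIEM ingestion, size-based rotation so files can be shipped
-- off-host, and a forced rotation/flush when needed.
SHOW GLOBAL VARIABLES LIKE 'audit_log_format';
SET GLOBAL audit_log_rotate_on_size = 1024 * 1024 * 1024;
SET GLOBAL audit_log_rotate_on_size = 0;   -- manual mode: flush on demand
SET GLOBAL audit_log_flush = ON;
```

Ship the rotated files to a host the DBAs cannot write to; an audit trail that the audited administrators can edit does not satisfy the compliance regimes listed on the slide.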
  13. MySQL Enterprise Firewall
     • Real-time protection – queries are analyzed and matched against a whitelist
     • Blocks SQL injection attacks – positive security model
     • Blocks suspicious traffic – out-of-policy transactions detected and blocked
     • Learns the whitelist – automated creation of an approved list of SQL statement patterns, per user account
     • Transparent – no changes to the application required
     • (diagram: MySQL Enterprise Firewall monitoring)
     • Protection from SQL injection attacks: the #1 web application vulnerability; 77% of web sites had vulnerabilities
     • https://dev.mysql.com/doc/refman/5.7/en/firewall.html
  14. MySQL Enterprise Firewall: Operating Modes
     • ALLOW – the SQL matches the whitelist: execute the statement
     • BLOCK – the SQL is not in the whitelist: block the request and alert
     • DETECT (IDS) – the SQL is not in the whitelist: execute the statement and alert
     • In the server these outcomes correspond to the per-account firewall modes PROTECTING (block) and DETECTING (execute and alert); a third mode, RECORDING, is used first to build the account's whitelist.
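The record-then-protect workflow behind slides 13 and 14, as an added worked example (not from the deck or from Oracle). It assumes MySQL Enterprise 5.7 with the firewall installed via the bundled `linux_install_firewall.sql` script; the `webapp` account, its host pattern and the `users`/`orders` tables are made up.

```sql
-- Added example, not from the slides: putting one application account behind
-- MySQL Enterprise Firewall (5.7). Assumptions: the firewall is installed,
-- the web application connects only as 'webapp'@'10.0.0.%' (a dedicated
-- account, since whitelists are per account), and the tables are made up.

-- The firewall must be on globally before per-account modes mean anything.
SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode';

-- 1. RECORDING: learn the account's normal statement shapes. Drive the
--    application through every code path (test suite, staging traffic);
--    any path not exercised here will be blocked later.
CALL mysql.sp_set_firewall_mode('webapp@10.0.0.%', 'RECORDING');
--    ... connected as webapp, the application runs e.g.
--    SELECT id, name FROM users WHERE id = 42;
--    INSERT INTO orders (user_id, total) VALUES (42, 19.99);

-- 2. Inspect the learned whitelist. Literals are replaced by '?', so a rule
--    describes a statement's shape, not its values.
SELECT RULE
  FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
 WHERE USERHOST = 'webapp@10.0.0.%';

-- 3. PROTECTING: leaving RECORDING persists the cached rules to
--    mysql.firewall_whitelist; statements whose normalized form is not
--    listed are rejected before execution. An injected
--      SELECT id, name FROM users WHERE id = 42 OR 1=1
--    or a UNION SELECT against mysql.user has a different shape than the
--    recorded SELECT, so it is refused.
CALL mysql.sp_set_firewall_mode('webapp@10.0.0.%', 'PROTECTING');

-- 4. DETECTING (IDS mode) when a false positive would hurt availability:
--    the statement runs, Firewall_access_suspicious increments and the
--    mismatch is written to the error log for review.
CALL mysql.sp_set_firewall_mode('webapp@10.0.0.%', 'DETECTING');

-- 5. Counters worth graphing and alerting on:
--    Firewall_access_granted, Firewall_access_denied,
--    Firewall_access_suspicious, Firewall_cached_entries.
SHOW GLOBAL STATUS LIKE 'Firewall%';

-- Rules edited directly in mysql.firewall_whitelist take effect after a reload.
CALL mysql.sp_reload_firewall_rules('webapp@10.0.0.%');

-- Current mode per account.
SELECT USERHOST, MODE FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_USERS;
```

Limits of the positive model worth knowing before relying on it: an injection that only changes a literal value (another user's `id`, for instance) has the same shape as the recorded statement and passes, and a whitelist recorded from incomplete traffic blocks legitimate paths. In the 5.7 manual a rejected statement fails with `ERROR 1045 (28000): Statement was blocked by Firewall`; run DETECTING in production first and watch `Firewall_access_suspicious` before switching to PROTECTING.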
  15. MySQL Enterprise Backup
     • Online, non-locking backup and recovery
       – Complete MySQL instance backup (data and config)
       – Partial backup and restore
     • Direct cloud storage backups (S3, etc.)
     • Incremental backups
     • Point-in-time recovery
     • Advanced compression and encryption (AES-256)
     • Backup to tape (SBT)
     • Backup validation
     • Optimistic backups
     • Cross-platform (Windows, Linux, Unix)
  16. MySQL Enterprise Monitor
     • Start monitoring MySQL in 10 minutes
     • Real-time MySQL performance and availability monitoring
     • Visually find and fix problem queries
     • Disk monitoring for capacity planning
     • Cloud-friendly architecture – no agents required
     • Role-based access controls
  17. MySQL Enterprise Monitor: Backup
     • Monitor backup usage and health across your entire datacenter
     • Drill into backup job details, allowing for easy backup recovery
     • Supports all backup types
     • Alerting on significant events: poor backup performance, backup job failures, out-of-date backups
  18. MySQL Enterprise Monitor: Security
     • Enforce MySQL security best practices
       – Identifies vulnerabilities
       – Assesses the current setup against security hardening policies
     • Monitoring and alerting
       – User accounts and passwords
       – Firewall usage, effectiveness and red flags
       – Backups and data-loss security
       – Schema changes and tracking
       – Configuration changes and tuning advice
     • Centralized secure user management
  19. MySQL Enterprise Encryption
     • MySQL encryption functions
       – Symmetric encryption: AES-256 (all editions, via AES_ENCRYPT()/AES_DECRYPT(); the default block_encryption_mode is aes-128-ecb, so set it explicitly to get AES-256 in a mode with an IV)
       – Public-key / asymmetric cryptography: RSA
     • Key management functions
       – Generate public and private keys
       – Key exchange method: DH
     • Sign and verify data functions
       – Cryptographic hashing for digital signing, verification and validation
       – RSA, DSA
     • http://dev.mysql.com/doc/refman/5.7/en/enterprise-encryption.html
  20. MySQL Enterprise Encryption: Encryption/Decryption within MySQL (diagram)
     • Private/public key pairs: generate them using the MySQL Enterprise Encryption functions, or use externally generated keys (e.g. OpenSSL)
     • Sensitive data is encrypted with the public key and decrypted with the private key
  21. MySQL Enterprise Encryption: App Encrypts / MySQL Decrypts (diagram) – applications encrypt sensitive data with the public key; MySQL decrypts it with the private key
  22. MySQL Enterprise Encryption: App Encrypts / MySQL Stores / MySQL Decrypts (diagram) – applications encrypt sensitive data with the public key, MySQL stores the encrypted data, and MySQL decrypts it with the private key when applications need it
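The key generation, public-key encryption, signing and DH exchange listed on slide 19 and drawn on slides 20 to 22, as an added worked example (not from the deck or from Oracle). It assumes MySQL Enterprise 5.7 with the `openssl_udf` functions installed; the sample data and document strings are constructed for the example.

```sql
-- Added example, not from the slides: MySQL Enterprise Encryption
-- (openssl_udf functions) for RSA encryption and signing inside the server.
-- Assumption: the functions were created from the bundled openssl_udf
-- install script (CREATE FUNCTION ... SONAME 'openssl_udf.so').

-- 1. Generate an RSA key pair. In the "app encrypts / MySQL decrypts"
--    deployments of slides 21-22 the private key is generated and held by
--    the application or a key store, not stored next to the data; it is
--    created in a session variable here only to keep the example self-contained.
SET @priv = create_asymmetric_priv_key('RSA', 2048);
SET @pub  = create_asymmetric_pub_key('RSA', @priv);

-- 2. Encrypt with the public key, decrypt with the private key.
--    RSA with PKCS#1 padding only takes inputs shorter than the key size
--    minus 11 bytes (245 bytes for a 2048-bit key).
SET @secret = 'card=4111111111111111;exp=12/20';        -- constructed sample
SET @ct = asymmetric_encrypt('RSA', @secret, @pub);
SELECT asymmetric_decrypt('RSA', @ct, @priv) = @secret AS decrypt_ok;

-- 3. Hybrid encryption for anything larger: a random AES-256 data key
--    protects the payload, RSA protects the data key. Store @payload_ct,
--    @iv and @dek_ct together; only the private key holder can recover them.
SET SESSION block_encryption_mode = 'aes-256-cbc';
SET @dek = RANDOM_BYTES(32);
SET @iv  = RANDOM_BYTES(16);
SET @payload    = REPEAT('sensitive record ', 100);     -- constructed sample
SET @payload_ct = AES_ENCRYPT(@payload, @dek, @iv);
SET @dek_ct     = asymmetric_encrypt('RSA', @dek, @pub);
SELECT AES_DECRYPT(@payload_ct, asymmetric_decrypt('RSA', @dek_ct, @priv), @iv)
       = @payload AS hybrid_ok;

-- 4. Sign a digest with the private key, verify with the public key.
--    Any change to the document changes the digest and verification fails.
SET @doc    = 'invoice #1001 total=199.00';             -- constructed sample
SET @digest = create_digest('SHA256', @doc);
SET @sig    = asymmetric_sign('RSA', @digest, @priv, 'SHA256');
SELECT asymmetric_verify('RSA', @digest, @sig, @pub, 'SHA256') AS sig_ok;
SELECT asymmetric_verify('RSA', create_digest('SHA256', 'invoice #1001 total=1.00'),
                         @sig, @pub, 'SHA256') AS tampered_sig_ok;

-- 5. Diffie-Hellman: two parties derive the same shared secret from their
--    own private key and the other side's public key. Parameter generation
--    is slow; generate once and reuse.
SET @dhp    = create_dh_parameters(2048);
SET @a_priv = create_asymmetric_priv_key('DH', @dhp);
SET @a_pub  = create_asymmetric_pub_key('DH', @a_priv);
SET @b_priv = create_asymmetric_priv_key('DH', @dhp);
SET @b_pub  = create_asymmetric_pub_key('DH', @b_priv);
SELECT asymmetric_derive(@b_pub, @a_priv) = asymmetric_derive(@a_pub, @b_priv)
       AS dh_shared_secret_matches;
```

Note that keys passed as session variables travel over the client connection: combine these functions with TLS on the connection, and keep the private key out of the general log and audit log by not embedding it in statements that are logged.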
  23. MySQL Enterprise Authentication
     • Built-in authentication – the mysql.user table stores users and hashed passwords
     • X.509 – the server authenticates client certificates
     • MySQL Native and SHA-256 password plugins – mysql_native_password uses SHA-1; sha256_password uses SHA-256 hashing with per-user salting for account passwords
     • MySQL Enterprise Authentication
       – Microsoft Active Directory
       – Linux PAM (Pluggable Authentication Modules): supports LDAP and more
       – Custom authentication
     • Integrates MySQL with existing security infrastructures and SOPs
  24. MySQL Enterprise Authentication
     • PAM (Pluggable Authentication Modules)
       – Access external authentication methods
       – Standard interface (Unix, LDAP, Kerberos, others)
       – Proxied and non-proxied users
     • Windows
       – Access native Windows services
       – Authenticate users already logged into Windows (Windows Active Directory)
     • Pluggable Authentication API
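The PAM proxied/non-proxied accounts of slide 24, plus the X.509 and SHA-256 options of slide 23, as an added worked example (not from the deck or from Oracle). It assumes MySQL Enterprise 5.7 on Linux with a PAM service file `/etc/pam.d/mysql` (backed by pam_unix or pam_ldap) and OS groups named `dba` and `appusers`; all account names, group names, certificate subjects and passwords are made up.

```sql
-- Added example, not from the slides: MySQL Enterprise Authentication with
-- PAM (proxied and non-proxied), plus X.509 and sha256_password accounts.
-- Assumptions: /etc/pam.d/mysql exists on the server, the OS groups 'dba'
-- and 'appusers' exist, and every name/password below is illustrative.

INSTALL PLUGIN authentication_pam SONAME 'authentication_pam.so';

-- Non-proxied: the MySQL account name must equal the OS/LDAP login name,
-- and privileges are granted to that account directly.
CREATE USER 'alice'@'localhost' IDENTIFIED WITH authentication_pam AS 'mysql';
GRANT SELECT ON appdb.* TO 'alice'@'localhost';

-- Proxied: one anonymous PAM account maps OS groups to MySQL accounts that
-- hold the privileges. Nobody should log in to the proxied accounts
-- directly, so give them long random passwords that are never handed out.
CREATE USER 'dba_role'@'localhost' IDENTIFIED BY 'Xq7!vR2p#Lm9$wTz4&Hs8';
CREATE USER 'app_role'@'localhost' IDENTIFIED BY 'Nf3@Kd6^Pb1*Qy5%Zc0)Jr';
GRANT ALL ON *.* TO 'dba_role'@'localhost' WITH GRANT OPTION;
GRANT SELECT, INSERT, UPDATE ON appdb.* TO 'app_role'@'localhost';

-- Group-to-account mapping: members of OS group 'dba' become dba_role,
-- members of 'appusers' become app_role. The anonymous account itself
-- holds no privileges other than PROXY.
CREATE USER ''@'localhost'
  IDENTIFIED WITH authentication_pam AS 'mysql, dba=dba_role, appusers=app_role';
GRANT PROXY ON 'dba_role'@'localhost' TO ''@'localhost';
GRANT PROXY ON 'app_role'@'localhost' TO ''@'localhost';

-- After a PAM login, confirm the effective account: USER() is the OS
-- login name, CURRENT_USER() is the proxied account whose grants apply.
SELECT USER(), CURRENT_USER(), @@proxy_user;

-- X.509: the server checks the client certificate's subject and issuer,
-- so a stolen password alone is not enough to connect.
CREATE USER 'batch'@'%' IDENTIFIED BY 'Wm2$Gt9!Rv4&Yk7#Lp1^Ud'
  REQUIRE SUBJECT '/CN=batch-runner/O=Example Corp'
      AND ISSUER  '/CN=Example Corp Internal CA/O=Example Corp';

-- sha256_password: salted SHA-256 hashes in mysql.user. The plugin needs
-- TLS (or the RSA password exchange) because the client sends the password
-- to the server for hashing, so also require SSL on the account.
CREATE USER 'svc'@'10.0.%' IDENTIFIED WITH sha256_password BY 'Str0ng-passphrase!'
  REQUIRE SSL;

-- Review: which plugin protects each account, and who can proxy as whom.
SELECT user, host, plugin FROM mysql.user;
SELECT * FROM mysql.proxies_priv;
```

Group membership changes on the OS or in LDAP take effect at the next login without any change in MySQL, which is the point of the proxied layout: account lifecycle stays in the existing identity infrastructure, as slide 23 puts it.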
  25. MySQL Enterprise Edition (summary; repeats the feature overview of slide 7)
  26. Thank you!