SlideShare a Scribd company logo

Enhancing MySQL Security

V
Vinicius M Grippa

Security is always a challenge when its comes to data. Moreso, regulations like GDPR add a whole new layer on top of it, with rules more and more restrictive to access and manipulate data. Join us in this presentation to check security best practices as well as traditional and new features available for MySQL, including features coming with the new MySQL 8. In this talk, DBAs and sysadmins will walk through the security features available on the OS and MySQL. These features include: SO security SSL ACL TDE Audit Plugin MySQL 8 features (undo, redo, and binlog encryption) New caching_sha2_password Roles Password Management FIPS mode

Technology
1 of 65
Download to read offline
© 2019 Percona1 Enhancing MySQL Security Vinicius M. Grippa Senior Support Engineer for MySQL/MongoDB vinicius.grippa@percona.com
© 2019 Percona2 ▪ Support Engineer at Percona since 2017 ▪ Working with MySQL for over six years ▪ Working with databases for over nine years ▪ Speaker at PL 2018 and meetups about MySQL/MongoDB About Me
© 2019 Percona3 Basic Principles • Minimum access • Isolate • Audit • Avoid spying • Default firewall
© 2019 Percona4 Agenda ▪ SO/Cloud security ▪ SSL ▪ Password management ▪ Audit plugin ▪ Percona Server encryption features ▪ MySQL 8 features (undo, redo encryption) ▪ TDE ▪ New caching_sha2_password ▪ FIPS mode ▪ Roles
© 2019 Percona5 OS/Cloud Security
© 2019 Percona6 OS/Cloud Security • Uninstall services that are not used • Do not run compilers • Firewalls • Block internet access • Disable remote root login • Use of SSH Key
© 2019 Percona7 OS/Cloud Security • Use of Amazon Virtual Private Cloud (VPC) • Use AWS Identity and Access Management (IAM) policies • Use security groups
© 2019 Percona8 OS/Cloud Security
© 2019 Percona9 OS/Cloud Security
© 2019 Percona10 OS/Cloud Security
© 2019 Percona11 SSL
© 2019 Percona12 SSL • Move information over a network in a secure fashion • SSL provides an way to cryptograph the data • Default for MySQL 5.7 or higher • Certificates ▪ MySQL 5.7 • mysql_ssl_rsa_setup ▪ MySQL 5.6 • openssl
© 2019 Percona13 mysql > show global variables like '%ssl%'; +---------------+-----------------+ | Variable_name | Value | +---------------+-----------------+ | have_openssl | YES | | have_ssl | YES | | ssl_ca | ca.pem | | ssl_capath | | | ssl_cert | server-cert.pem | | ssl_cipher | | | ssl_crl | | | ssl_crlpath | | | ssl_key | server-key.pem | +---------------+-----------------+ 9 rows in set (0.03 sec) SSL
© 2019 Percona14 SSL mysql: root@localhost ((none)) GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'%' IDENTIFIED BY 'sekret' REQUIRE SSL; Query OK, 0 rows affected, 1 warning (0.00 sec) Query OK, 0 rows affected (0.01 sec) [root@node1 ~]# mysql -ussluser -psekret --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem --ssl-ca=/var/lib/mysql/ca.pem -h 127.0.0.1 -P 3306 -e "s"| grep SSL mysql: [Warning] Using a password on the command line interface can be insecure. SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
© 2019 Percona15 It is also possible to set ssl-mode to ensure that all connections use SSL. This option is available only for client programs, not the server. [client] ssl-mode=required SSL
© 2019 Percona16 SSL
© 2019 Percona17 Password Management
© 2019 Percona18 Password Management • Password expiration • validate_password plugin
© 2019 Percona19 Password Expiration • MySQL enables database administrators to expire account passwords manually, and to establish a policy for automatic password expiration. Expiration policy can be established globally, and individual accounts can be set to either defer to the global policy or override the global policy with specific per-account behavior.
© 2019 Percona20 Password Expiration Individual Accounts mysql> create user test_expired_user@localhost identified by 'Sekr$K1et' PASSWORD EXPIRE INTERVAL 1 day; Query OK, 0 rows affected (0.01 sec) Globally mysql> SET GLOBAL default_password_lifetime = 1;
© 2019 Percona21 Password Expiration mysql: test_expired_user@localhost ((none)) > show databases; ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
© 2019 Percona22 validate_plugin Its main purpose is to test passwords and improve security. It is possible to ensure the strength, length and required characters of the password.
© 2019 Percona23 validate_plugin - Installing # Runtime mysql: root@localhost ((none)) > INSTALL PLUGIN validate_password SONAME 'validate_password.so'; Query OK, 0 rows affected (0.07 sec) # my.cnf [mysqld] plugin-load-add=validate_password.so
© 2019 Percona24 validate_plugin - Validate mysql: root@localhost ((none)) > show global variables like '%plugin%'; +-------------------------------+--------------------------+ | Variable_name | Value | +-------------------------------+--------------------------+ | default_authentication_plugin | mysql_native_password | | plugin_dir | /usr/lib64/mysql/plugin/ | +-------------------------------+--------------------------+ 2 rows in set (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'validate%'; +-------------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------------+---------------+ | validate_password | ACTIVE | +-------------------+---------------+ 1 row in set (0.00 sec)
© 2019 Percona25 validate_plugin - Example mysql: root@localhost ((none)) > set global validate_password_length = 6; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > set global validate_password_policy=2; Query OK, 0 rows affected (0.00 sec)
© 2019 Percona26 validate_plugin - Example mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd12@'; Query OK, 0 rows affected (0.00 sec)
© 2019 Percona27 Audit Plugin
© 2019 Percona28 Audit Plugin ▪ MySQL Enterprise – Paid ▪ Percona Server (works with community version) – Free ▪ It is different from general log ▪ Filter by command / user / database
© 2019 Percona29 Audit Plugin - Installing mysql > INSTALL PLUGIN audit_log SONAME 'audit_log.so'; Query OK, 0 rows affected (0.05 sec) mysql > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'audit%'; +-------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------+---------------+ | audit_log | ACTIVE | +-------------+---------------+
© 2019 Percona30 Audit Plugin [mysqld] ## Audit Logging ## audit_log_policy=ALL audit_log_format=JSON audit_log_file=/var/log/mysql/audit.log audit_log_rotate_on_size=1024M audit_log_rotations=10
© 2019 Percona31 Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_buffer_size | 1048576 | | audit_log_exclude_accounts | | | audit_log_exclude_commands | | | audit_log_exclude_databases | | | audit_log_file | /var/log/mysql/audit.log | | audit_log_flush | OFF | | audit_log_format | JSON | | audit_log_handler | FILE | | audit_log_include_accounts | | | audit_log_include_commands | | | audit_log_include_databases | |
© 2019 Percona32 Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_policy | ALL | | audit_log_rotate_on_size | 1073741824 | | audit_log_rotations | 10 | | audit_log_strategy | ASYNCHRONOUS | | audit_log_syslog_facility | LOG_USER | | audit_log_syslog_ident | percona-audit | | audit_log_syslog_priority | LOG_INFO | +-----------------------------+--------------------------+ 18 rows in set (0.02 sec)
© 2019 Percona33 Percona Server Encryption Features
© 2019 Percona34 Percona Server Encryption Percona server provides extra encryption: • encrypt_binlog • encrypt_tmp_files • innodb_encrypt_online_alter_logs • innodb_encrypt_tables – BETA quality • innodb_parallel_dblwr_encrypt – ALPHA quality • innodb_sys_tablespace_encrypt – ALPHA quality • innodb_temp_tablespace_encrypt – BETA quality
© 2019 Percona35 Percona Server Encryption [mysqld] # Binary Log Encryption encrypt_binlog master_verify_checksum = 1 binlog_checksum = 1 mysql: root@localhost ((none)) > show global variables like '%encrypt_binlog%'; +----------------+-------+ | Variable_name | Value | +----------------+-------+ | encrypt_binlog | ON | +----------------+-------+ 1 row in set (0.00 sec)
© 2019 Percona36 Percona Server Encryption mysql: root@localhost ((none)) > show global variables like '%encrypt%'; +----------------------------------+-------------+ | Variable_name | Value | +----------------------------------+-------------+ | block_encryption_mode | aes-128-ecb | | encrypt_binlog | ON | | encrypt_tmp_files | OFF | | innodb_encrypt_online_alter_logs | OFF | | innodb_encrypt_tables | OFF | | innodb_parallel_dblwr_encrypt | OFF | | innodb_sys_tablespace_encrypt | OFF | | innodb_temp_tablespace_encrypt | OFF | +----------------------------------+-------------+ 8 rows in set (0.00 sec)
© 2019 Percona37 MySQL 8 Features (undo, redo encryption)
© 2019 Percona38 MySQL 8 - (undo, redo encryption) ▪ MySQL 8 extends tablespace encryption feature to redo log and undo log ▪ It is necessary using one of the Keyring plugins
© 2019 Percona39 MySQL 8 - (undo, redo encryption) The process is very straightforward, to enable the encryption on the redo log and the undo log: mysql> set global innodb_undo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> set global innodb_redo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> show global variables like '%log_encrypt%'; +-------------------------+-------+ | Variable_name | Value | +-------------------------+-------+ | innodb_redo_log_encrypt | ON | | innodb_undo_log_encrypt | ON | +-------------------------+-------+ 2 rows in set (0.00 sec)
© 2019 Percona40 Transparent Data Encryption(TDE)
© 2019 Percona41 Transparent Data Encryption (TDE) • Enables data-at-rest encryption in the database • Encryption and decryption occurs without any additional coding, data type or schema modifications
© 2019 Percona42 Transparent Data Encryption (TDE) [mysqld] # TDE early-plugin-load=keyring_file.so keyring-file-data=/var/lib/mysql-keyring/keyring mysql: root@localhost ((none)) > INSTALL PLUGIN keyring_udf SONAME 'keyring_udf.so'; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'keyring%'; +--------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +--------------+---------------+ | keyring_file | ACTIVE | | keyring_udf | ACTIVE | +--------------+---------
© 2019 Percona43 Transparent Data Encryption (TDE) mysql: root@localhost ((none)) > SELECT keyring_key_generate('MyKey', 'AES', 32); +------------------------------------------+ | keyring_key_generate('MyKey', 'AES', 32) | +------------------------------------------+ | 1 | +------------------------------------------+ 1 row in set (0.00 sec) mysql> CREATE TABLESPACE `amer_meeting1` ADD DATAFILE 'amer_meeting1.ibd' ENCRYPTION = 'Y' Engine=InnoDB; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='N'; ERROR 1478 (HY000): InnoDB: Tablespace `vgrippa` can contain only an ENCRYPTED tables. mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='Y'; Query OK, 0 rows affected (0.02 sec)
© 2019 Percona44 Transparent Data Encryption (TDE) A flag field in the INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES has bit number 13 set if tablespace is encrypted. mysql: root@localhost (test) > SELECT space, name, flag, (flag & 8192) != 0 AS encrypted FROM INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES WHERE name in ('vgrippa'); +-------+---------+-------+-----------+ | space | name | flag | encrypted | +-------+---------+-------+-----------+ | 156 | vgrippa | 10240 | 1 | +-------+---------+-------+-----------+ 1 row in set (0.00 sec)
© 2019 Percona45 caching_sha2_password
© 2019 Percona46 caching_sha2_password MySQL provides two authentication plugins that implement SHA-256 hashing for user account passwords: • sha256_password: Implements basic SHA-256 authentication • caching_sha2_password: Implements SHA-256 authentication (like sha256_password), but uses caching on the server side for better performance and has additional features for wider applicability. (In MySQL 5.7, caching_sha2_password is implemented only on the client)
© 2019 Percona47 caching_sha2_password mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec) mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec)
© 2019 Percona48 caching_sha2_password mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+----------------------------- --------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+----------------------------- --------------+ | vgrippa | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | | vgrippa1 | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | +----------+-----------+-----------------------+----------------------------- --------------+ 2 rows in set (0.00 sec)
© 2019 Percona49 Example # MySQL 8 [mysqld] default_authentication_plugin=caching_sha2_password mysql> CREATE USER 'sha2user'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'password'; Query OK, 0 rows affected (0.06 sec) mysql> select user,host, plugin from mysql.user where user like 'sha2user%'; +----------+-----------+-----------------------+ | user | host | plugin | +----------+-----------+-----------------------+ | sha2user | localhost | caching_sha2_password | +----------+-----------+-----------------------+ 1 row in set (0.00 sec)
© 2019 Percona50 Example mysql: root@localhost ((none)) > create user vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost ((none)) > create user vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec)
© 2019 Percona51 Example mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+--------------------------------------------- ---------------------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+--------------------------------------------- ---------------------------+ | vgrippa | localhost | caching_sha2_password | $A$005$)8?=V_"J75FFq |jUVMUZmnZ1t8aSybB4AISoj1MXdlseI0rQay6bGGlne8 | | vgrippa1 | localhost | caching_sha2_password | $A$005$zEZ;bEmj[hq1T!LFtqZzAB0hacxgwNfHM/gL6gBFHqY1wuozW2NO4Gj9958 | +----------+-----------+-----------------------+--------------------------------------------- ---------------------------+ 2 rows in set (0.01 sec)
© 2019 Percona52 FIPS Mode
© 2019 Percona53 FIPS • MySQL supports FIPS mode, if compiled using OpenSSL, and an OpenSSL library and FIPS Object Module are available at runtime • FIPS mode on the server side applies to cryptographic operations performed by the server. This includes replication (master/slave and Group Replication) and X Plugin, which run within the server. FIPS mode also applies to attempts by clients to connect to the server
© 2019 Percona54 Example mysql> show global variables like '%fips%'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | ssl_fips_mode | ON | +---------------+-------+ 1 row in set (0.01 sec) mysql> set global ssl_fips_mode=1; Query OK, 0 rows affected (0.06 sec)
© 2019 Percona55 Example mysql> select md5('a'); +----------------------------------+ | md5('a') | +----------------------------------+ | 00000000000000000000000000000000 | +----------------------------------+ 1 row in set, 1 warning (0.00 sec)
© 2019 Percona56 Example mysql> show warnings; +---------+-------+------------------------------------------------------------------- -----+ | Level | Code | Message | +---------+-------+------------------------------------------------------------------- -----+ | Warning | 11272 | SSL fips mode error: FIPS mode ON/STRICT: MD5 digest is not supported. | +---------+-------+------------------------------------------------------------------- -----+ 1 row in set (0.00 sec)
© 2019 Percona57 Example mysql> select sha2('a', 256); +------------------------------------------------------------------+ | sha2('a', 256) | +------------------------------------------------------------------+ | ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb | +------------------------------------------------------------------+ 1 row in set (0.00 sec)
© 2019 Percona58 Roles
© 2019 Percona59 Roles ● MySQL 8 comes with Roles feature. A role is a named collection of privileges. Like user accounts, roles can have privileges granted to and revoked from them. 59
© 2019 Percona60 Roles mysql> create role app_read; Query OK, 0 rows affected (0.03 sec) mysql> grant select on *.* to app_read; Query OK, 0 rows affected (0.04 sec) 60
© 2019 Percona61 Roles mysql> select * from app_db.joinit; ERROR 1142 (42000): SELECT command denied to user 'test_role'@'localhost' for table 'joinit' mysql> SELECT CURRENT_ROLE(); +----------------+ | CURRENT_ROLE() | +----------------+ | NONE | +----------------+ 1 row in set (0.00 sec) 61
© 2019 Percona62 Roles mysql> SET ROLE all; Query OK, 0 rows affected (0.00 sec) mysql> SELECT CURRENT_ROLE(); +-------------------------------------------------------+ | CURRENT_ROLE() | +-------------------------------------------------------+ | `app_read`@`%`,`app_write`@`%`,`app_read`@`localhost` | +-------------------------------------------------------+ 1 row in set (0.00 sec) mysql> select * from app_db.joinit; 62
© 2019 Percona63 Roles It is possible to use activate_all_roles_on_login to activate all roles granted to each account at login time. 63
© 2019 Percona64 References # SO/Cloud security https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html # Audit log https://www.percona.com/blog/2015/09/10/percona-server-audit-log-plugin-best-practices/ #caching_sha2_password https://dev.mysql.com/doc/refman/5.7/en/caching-sha2-pluggable-authentication.html # SSL https://www.percona.com/blog/2013/06/22/setting-up-mysql-ssl-and-secure-connections/#setup https://www.percona.com/blog/2013/10/10/mysql-ssl-performance-overhead/ # TDE https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html#usage https://dev.mysql.com/doc/refman/5.7/en/keyring-file-plugin.html # Roles https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_activate_all_roles_on _login https://dev.mysql.com/doc/refman/8.0/en/roles.html # Password management https://dev.mysql.com/doc/refman/5.7/en/password-management.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-installation.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-options-variables.html # FIPS https://dev.mysql.com/doc/refman/8.0/en/fips-mode.html # Percona Server 8.0 Alpha release https://www.percona.com/blog/2018/09/27/announcement-alpha-build-of-percona-server-8-0/ # MySQL 8 redo and undo encryption https://dev.mysql.com/doc/refman/8.0/en/innodb-tablespace-encryption.html#innodb-tablespace-encr yption-about 64
© 2019 Percona65 Questions?

Recommended

MySQL Advanced Administrator 2021 - 네오클로바
MySQL Advanced Administrator 2021 - 네오클로바MySQL Advanced Administrator 2021 - 네오클로바
MySQL Advanced Administrator 2021 - 네오클로바NeoClova
 
Redhat ha cluster with pacemaker
Redhat ha cluster with pacemakerRedhat ha cluster with pacemaker
Redhat ha cluster with pacemakerIndika Dias
 
MySQL Backup & Recovery
MySQL Backup & RecoveryMySQL Backup & Recovery
MySQL Backup & RecoveryMindfire Solutions
 
CICS basic mapping support - session 3
CICS basic mapping support - session 3CICS basic mapping support - session 3
CICS basic mapping support - session 3Srinimf-Slides
 
DBA 3 year Interview Questions
DBA 3 year Interview QuestionsDBA 3 year Interview Questions
DBA 3 year Interview QuestionsNaveen P
 
HOT Understanding this important update optimization
HOT Understanding this important update optimizationHOT Understanding this important update optimization
HOT Understanding this important update optimizationGrant McAlister
 
OOW19 - Killing database sessions
OOW19 - Killing database sessionsOOW19 - Killing database sessions
OOW19 - Killing database sessionsConnor McDonald
 
IBM DB2 for z/OS Administration Basics
IBM DB2 for z/OS Administration BasicsIBM DB2 for z/OS Administration Basics
IBM DB2 for z/OS Administration BasicsIBM
 

Recommended

MySQL Advanced Administrator 2021 - 네오클로바
MySQL Advanced Administrator 2021 - 네오클로바MySQL Advanced Administrator 2021 - 네오클로바
MySQL Advanced Administrator 2021 - 네오클로바NeoClova
 
Redhat ha cluster with pacemaker
Redhat ha cluster with pacemakerRedhat ha cluster with pacemaker
Redhat ha cluster with pacemakerIndika Dias
 
MySQL Backup & Recovery
MySQL Backup & RecoveryMySQL Backup & Recovery
MySQL Backup & RecoveryMindfire Solutions
 
CICS basic mapping support - session 3
CICS basic mapping support - session 3CICS basic mapping support - session 3
CICS basic mapping support - session 3Srinimf-Slides
 
DBA 3 year Interview Questions
DBA 3 year Interview QuestionsDBA 3 year Interview Questions
DBA 3 year Interview QuestionsNaveen P
 
HOT Understanding this important update optimization
HOT Understanding this important update optimizationHOT Understanding this important update optimization
HOT Understanding this important update optimizationGrant McAlister
 
OOW19 - Killing database sessions
OOW19 - Killing database sessionsOOW19 - Killing database sessions
OOW19 - Killing database sessionsConnor McDonald
 
IBM DB2 for z/OS Administration Basics
IBM DB2 for z/OS Administration BasicsIBM DB2 for z/OS Administration Basics
IBM DB2 for z/OS Administration BasicsIBM
 
MySQL ppt
MySQL ppt MySQL ppt
MySQL ppt AtharvaSawant10
 
44CON London 2015: NTFS Analysis with PowerForensics
44CON London 2015: NTFS Analysis with PowerForensics44CON London 2015: NTFS Analysis with PowerForensics
44CON London 2015: NTFS Analysis with PowerForensicsJared Atkinson
 
Memory management in Linux
Memory management in LinuxMemory management in Linux
Memory management in LinuxRaghu Udiyar
 
Bloat and Fragmentation in PostgreSQL
Bloat and Fragmentation in PostgreSQLBloat and Fragmentation in PostgreSQL
Bloat and Fragmentation in PostgreSQLMasahiko Sawada
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux KernelAdrian Huang
 
Wintel
WintelWintel
WintelAnandharaj007
 
MySQL Database Architectures - InnoDB ReplicaSet & Cluster
MySQL Database Architectures - InnoDB ReplicaSet & ClusterMySQL Database Architectures - InnoDB ReplicaSet & Cluster
MySQL Database Architectures - InnoDB ReplicaSet & ClusterKenny Gryp
 
MS-SQL SERVER ARCHITECTURE
MS-SQL SERVER ARCHITECTUREMS-SQL SERVER ARCHITECTURE
MS-SQL SERVER ARCHITECTUREDouglas Bernardini
 
Configuring oracle enterprise manager cloud control 12 c for high availability
Configuring oracle enterprise manager cloud control 12 c for high availabilityConfiguring oracle enterprise manager cloud control 12 c for high availability
Configuring oracle enterprise manager cloud control 12 c for high availabilitySon Hyojin
 
Modern query optimisation features in MySQL 8.
Modern query optimisation features in MySQL 8.Modern query optimisation features in MySQL 8.
Modern query optimisation features in MySQL 8.Mydbops
 
MYSQL
MYSQLMYSQL
MYSQLAnkush Jain
 
ACTIVE-DIRECTORY.ppt
ACTIVE-DIRECTORY.pptACTIVE-DIRECTORY.ppt
ACTIVE-DIRECTORY.pptmwti2
 
Configuring Oracle Enterprise Manager Cloud Control 12c for High Availability
Configuring Oracle Enterprise Manager Cloud Control 12c for High AvailabilityConfiguring Oracle Enterprise Manager Cloud Control 12c for High Availability
Configuring Oracle Enterprise Manager Cloud Control 12c for High AvailabilityLeighton Nelson
 
High Availability and Disaster Recovery in PostgreSQL - EQUNIX
High Availability and Disaster Recovery in PostgreSQL - EQUNIXHigh Availability and Disaster Recovery in PostgreSQL - EQUNIX
High Availability and Disaster Recovery in PostgreSQL - EQUNIXJulyanto SUTANDANG
 
MySQL Parallel Replication by Booking.com
MySQL Parallel Replication by Booking.comMySQL Parallel Replication by Booking.com
MySQL Parallel Replication by Booking.comJean-François Gagné
 
Troubleshooting sql server
Troubleshooting sql serverTroubleshooting sql server
Troubleshooting sql serverAntonios Chatzipavlis
 
Integrated Intrusion Detection Services for z/OS Communications Server
Integrated Intrusion Detection Services for z/OS Communications Server Integrated Intrusion Detection Services for z/OS Communications Server
Integrated Intrusion Detection Services for z/OS Communications Server zOSCommserver
 
Postgre sql best_practices
Postgre sql best_practicesPostgre sql best_practices
Postgre sql best_practicesEmiliano Fusaglia
 
Active directory backup
Active directory backupActive directory backup
Active directory backupAhmad sohail Kakar
 
Mysql database
Mysql databaseMysql database
Mysql databaseArshikhan08
 
Guob - MySQL e LGPD
Guob - MySQL e LGPDGuob - MySQL e LGPD
Guob - MySQL e LGPDVinicius M Grippa
 
MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019Yashada Jadhav
 

More Related Content

What's hot

44CON London 2015: NTFS Analysis with PowerForensics
44CON London 2015: NTFS Analysis with PowerForensics44CON London 2015: NTFS Analysis with PowerForensics
44CON London 2015: NTFS Analysis with PowerForensicsJared Atkinson
 
Memory management in Linux
Memory management in LinuxMemory management in Linux
Memory management in LinuxRaghu Udiyar
 
Bloat and Fragmentation in PostgreSQL
Bloat and Fragmentation in PostgreSQLBloat and Fragmentation in PostgreSQL
Bloat and Fragmentation in PostgreSQLMasahiko Sawada
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux KernelAdrian Huang
 
MySQL Database Architectures - InnoDB ReplicaSet & Cluster
MySQL Database Architectures - InnoDB ReplicaSet & ClusterMySQL Database Architectures - InnoDB ReplicaSet & Cluster
MySQL Database Architectures - InnoDB ReplicaSet & ClusterKenny Gryp
 
Configuring oracle enterprise manager cloud control 12 c for high availability
Configuring oracle enterprise manager cloud control 12 c for high availabilityConfiguring oracle enterprise manager cloud control 12 c for high availability
Configuring oracle enterprise manager cloud control 12 c for high availabilitySon Hyojin
 
Modern query optimisation features in MySQL 8.
Modern query optimisation features in MySQL 8.Modern query optimisation features in MySQL 8.
Modern query optimisation features in MySQL 8.Mydbops
 
ACTIVE-DIRECTORY.ppt
ACTIVE-DIRECTORY.pptACTIVE-DIRECTORY.ppt
ACTIVE-DIRECTORY.pptmwti2
 
Configuring Oracle Enterprise Manager Cloud Control 12c for High Availability
Configuring Oracle Enterprise Manager Cloud Control 12c for High AvailabilityConfiguring Oracle Enterprise Manager Cloud Control 12c for High Availability
Configuring Oracle Enterprise Manager Cloud Control 12c for High AvailabilityLeighton Nelson
 
High Availability and Disaster Recovery in PostgreSQL - EQUNIX
High Availability and Disaster Recovery in PostgreSQL - EQUNIXHigh Availability and Disaster Recovery in PostgreSQL - EQUNIX
High Availability and Disaster Recovery in PostgreSQL - EQUNIXJulyanto SUTANDANG
 
MySQL Parallel Replication by Booking.com
MySQL Parallel Replication by Booking.comMySQL Parallel Replication by Booking.com
MySQL Parallel Replication by Booking.comJean-François Gagné
 
Integrated Intrusion Detection Services for z/OS Communications Server
Integrated Intrusion Detection Services for z/OS Communications Server Integrated Intrusion Detection Services for z/OS Communications Server
Integrated Intrusion Detection Services for z/OS Communications Server zOSCommserver
 

What's hot (20)

MySQL ppt
MySQL ppt MySQL ppt
MySQL ppt
 
44CON London 2015: NTFS Analysis with PowerForensics
44CON London 2015: NTFS Analysis with PowerForensics44CON London 2015: NTFS Analysis with PowerForensics
44CON London 2015: NTFS Analysis with PowerForensics
 
Memory management in Linux
Memory management in LinuxMemory management in Linux
Memory management in Linux
 
Bloat and Fragmentation in PostgreSQL
Bloat and Fragmentation in PostgreSQLBloat and Fragmentation in PostgreSQL
Bloat and Fragmentation in PostgreSQL
 
Slab Allocator in Linux Kernel
Slab Allocator in Linux KernelSlab Allocator in Linux Kernel
Slab Allocator in Linux Kernel
 
Wintel
WintelWintel
Wintel
 
MySQL Database Architectures - InnoDB ReplicaSet & Cluster
MySQL Database Architectures - InnoDB ReplicaSet & ClusterMySQL Database Architectures - InnoDB ReplicaSet & Cluster
MySQL Database Architectures - InnoDB ReplicaSet & Cluster
 
MS-SQL SERVER ARCHITECTURE
MS-SQL SERVER ARCHITECTUREMS-SQL SERVER ARCHITECTURE
MS-SQL SERVER ARCHITECTURE
 
Configuring oracle enterprise manager cloud control 12 c for high availability
Configuring oracle enterprise manager cloud control 12 c for high availabilityConfiguring oracle enterprise manager cloud control 12 c for high availability
Configuring oracle enterprise manager cloud control 12 c for high availability
 
Modern query optimisation features in MySQL 8.
Modern query optimisation features in MySQL 8.Modern query optimisation features in MySQL 8.
Modern query optimisation features in MySQL 8.
 
MYSQL
MYSQLMYSQL
MYSQL
 
ACTIVE-DIRECTORY.ppt
ACTIVE-DIRECTORY.pptACTIVE-DIRECTORY.ppt
ACTIVE-DIRECTORY.ppt
 
Configuring Oracle Enterprise Manager Cloud Control 12c for High Availability
Configuring Oracle Enterprise Manager Cloud Control 12c for High AvailabilityConfiguring Oracle Enterprise Manager Cloud Control 12c for High Availability
Configuring Oracle Enterprise Manager Cloud Control 12c for High Availability
 
High Availability and Disaster Recovery in PostgreSQL - EQUNIX
High Availability and Disaster Recovery in PostgreSQL - EQUNIXHigh Availability and Disaster Recovery in PostgreSQL - EQUNIX
High Availability and Disaster Recovery in PostgreSQL - EQUNIX
 
MySQL Parallel Replication by Booking.com
MySQL Parallel Replication by Booking.comMySQL Parallel Replication by Booking.com
MySQL Parallel Replication by Booking.com
 
Troubleshooting sql server
Troubleshooting sql serverTroubleshooting sql server
Troubleshooting sql server
 
Integrated Intrusion Detection Services for z/OS Communications Server
Integrated Intrusion Detection Services for z/OS Communications Server Integrated Intrusion Detection Services for z/OS Communications Server
Integrated Intrusion Detection Services for z/OS Communications Server
 
Postgre sql best_practices
Postgre sql best_practicesPostgre sql best_practices
Postgre sql best_practices
 
Active directory backup
Active directory backupActive directory backup
Active directory backup
 
Mysql database
Mysql databaseMysql database
Mysql database
 

Similar to Enhancing MySQL Security

MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019Yashada Jadhav
 
Percona Live 2019 - MySQL Security
Percona Live 2019 - MySQL SecurityPercona Live 2019 - MySQL Security
Percona Live 2019 - MySQL SecurityVinicius M Grippa
 
Percona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQLPercona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQLMarcelo Altmann
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
How to upgrade like a boss to MySQL 8.0 - PLE19
How to upgrade like a boss to MySQL 8.0 - PLE19How to upgrade like a boss to MySQL 8.0 - PLE19
How to upgrade like a boss to MySQL 8.0 - PLE19Alkin Tezuysal
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Big Data Spain
 
DB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQLDB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQLMarcelo Altmann
 
MysQL melhores práticas de seguranca
MysQL melhores práticas de segurancaMysQL melhores práticas de seguranca
MysQL melhores práticas de segurancaMarcelo Altmann
 
Securing your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server dataSecuring your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server dataColin Charles
 
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...NETWAYS
 
How to upgrade like a boss to my sql 8.0?
How to upgrade like a boss to my sql 8.0?How to upgrade like a boss to my sql 8.0?
How to upgrade like a boss to my sql 8.0?Alkin Tezuysal
 
2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL ServerGeorgi Kodinov
 
Mysql 8 vs Mariadb 10.4 Webinar 2020 Feb
Mysql 8 vs Mariadb 10.4 Webinar 2020 FebMysql 8 vs Mariadb 10.4 Webinar 2020 Feb
Mysql 8 vs Mariadb 10.4 Webinar 2020 FebAlkin Tezuysal
 
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...Geir Høydalsvik
 

Similar to Enhancing MySQL Security (20)

Guob - MySQL e LGPD
Guob - MySQL e LGPDGuob - MySQL e LGPD
Guob - MySQL e LGPD
 
MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019
 
Percona Live 2019 - MySQL Security
Percona Live 2019 - MySQL SecurityPercona Live 2019 - MySQL Security
Percona Live 2019 - MySQL Security
 
Percona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQLPercona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQL
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
 
Enhancing MySQL Security
Enhancing MySQL SecurityEnhancing MySQL Security
Enhancing MySQL Security
 
Proxy SQL 2.0 with PXC
Proxy SQL 2.0 with PXCProxy SQL 2.0 with PXC
Proxy SQL 2.0 with PXC
 
How to upgrade like a boss to MySQL 8.0 - PLE19
How to upgrade like a boss to MySQL 8.0 - PLE19How to upgrade like a boss to MySQL 8.0 - PLE19
How to upgrade like a boss to MySQL 8.0 - PLE19
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
 
Curso de MySQL 5.7
Curso de MySQL 5.7Curso de MySQL 5.7
Curso de MySQL 5.7
 
DB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQLDB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQL
 
MysQL melhores práticas de seguranca
MysQL melhores práticas de segurancaMysQL melhores práticas de seguranca
MysQL melhores práticas de seguranca
 
Securing your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server dataSecuring your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server data
 
ProxySQL para mysql
ProxySQL para mysqlProxySQL para mysql
ProxySQL para mysql
 
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
 
How to upgrade like a boss to my sql 8.0?
How to upgrade like a boss to my sql 8.0?How to upgrade like a boss to my sql 8.0?
How to upgrade like a boss to my sql 8.0?
 
2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server
 
Mysql 8 vs Mariadb 10.4 Webinar 2020 Feb
Mysql 8 vs Mariadb 10.4 Webinar 2020 FebMysql 8 vs Mariadb 10.4 Webinar 2020 Feb
Mysql 8 vs Mariadb 10.4 Webinar 2020 Feb
 
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
 
MySQL NoSQL APIs
MySQL NoSQL APIsMySQL NoSQL APIs
MySQL NoSQL APIs
 

More from Vinicius M Grippa

MySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdfMySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdfVinicius M Grippa
 
PL22 - Backup and Restore Performance.pptx
PL22 - Backup and Restore Performance.pptxPL22 - Backup and Restore Performance.pptx
PL22 - Backup and Restore Performance.pptxVinicius M Grippa
 
MySQL backup and restore performance
MySQL backup and restore performanceMySQL backup and restore performance
MySQL backup and restore performanceVinicius M Grippa
 
Moving mongo db to the cloud strategies and points to consider
Moving mongo db to the cloud strategies and points to considerMoving mongo db to the cloud strategies and points to consider
Moving mongo db to the cloud strategies and points to considerVinicius M Grippa
 
Cpu analysis with flamegraphs
Cpu analysis with flamegraphsCpu analysis with flamegraphs
Cpu analysis with flamegraphsVinicius M Grippa
 

More from Vinicius M Grippa (6)

MySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdfMySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdf
 
PL22 - Backup and Restore Performance.pptx
PL22 - Backup and Restore Performance.pptxPL22 - Backup and Restore Performance.pptx
PL22 - Backup and Restore Performance.pptx
 
MySQL backup and restore performance
MySQL backup and restore performanceMySQL backup and restore performance
MySQL backup and restore performance
 
Moving mongo db to the cloud strategies and points to consider
Moving mongo db to the cloud strategies and points to considerMoving mongo db to the cloud strategies and points to consider
Moving mongo db to the cloud strategies and points to consider
 
Cpu analysis with flamegraphs
Cpu analysis with flamegraphsCpu analysis with flamegraphs
Cpu analysis with flamegraphs
 
K8s - Setting up minikube
K8s - Setting up minikubeK8s - Setting up minikube
K8s - Setting up minikube
 

Recently uploaded

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 

Recently uploaded (20)

How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 

Enhancing MySQL Security

  • 1. © 2019 Percona1 Enhancing MySQL Security Vinicius M. Grippa Senior Support Engineer for MySQL/MongoDB vinicius.grippa@percona.com
  • 2. © 2019 Percona2 ▪ Support Engineer at Percona since 2017 ▪ Working with MySQL for over six years ▪ Working with databases for over nine years ▪ Speaker at PL 2018 and meetups about MySQL/MongoDB About Me
  • 3. © 2019 Percona3 Basic Principles • Minimum access • Isolate • Audit • Avoid spying • Default firewall
  • 4. © 2019 Percona4 Agenda ▪ SO/Cloud security ▪ SSL ▪ Password management ▪ Audit plugin ▪ Percona Server encryption features ▪ MySQL 8 features (undo, redo encryption) ▪ TDE ▪ New caching_sha2_password ▪ FIPS mode ▪ Roles
  • 6. © 2019 Percona6 OS/Cloud Security • Uninstall services that are not used • Do not run compilers • Firewalls • Block internet access • Disable remote root login • Use of SSH Key
  • 7. © 2019 Percona7 OS/Cloud Security • Use of Amazon Virtual Private Cloud (VPC) • Use AWS Identity and Access Management (IAM) policies • Use security groups
  • 12. © 2019 Percona12 SSL • Move information over a network in a secure fashion • SSL provides an way to cryptograph the data • Default for MySQL 5.7 or higher • Certificates ▪ MySQL 5.7 • mysql_ssl_rsa_setup ▪ MySQL 5.6 • openssl
  • 13. © 2019 Percona13 mysql > show global variables like '%ssl%'; +---------------+-----------------+ | Variable_name | Value | +---------------+-----------------+ | have_openssl | YES | | have_ssl | YES | | ssl_ca | ca.pem | | ssl_capath | | | ssl_cert | server-cert.pem | | ssl_cipher | | | ssl_crl | | | ssl_crlpath | | | ssl_key | server-key.pem | +---------------+-----------------+ 9 rows in set (0.03 sec) SSL
  • 14. © 2019 Percona14 SSL mysql: root@localhost ((none)) GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'%' IDENTIFIED BY 'sekret' REQUIRE SSL; Query OK, 0 rows affected, 1 warning (0.00 sec) Query OK, 0 rows affected (0.01 sec) [root@node1 ~]# mysql -ussluser -psekret --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem --ssl-ca=/var/lib/mysql/ca.pem -h 127.0.0.1 -P 3306 -e "s"| grep SSL mysql: [Warning] Using a password on the command line interface can be insecure. SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
  • 15. © 2019 Percona15 It is also possible to set ssl-mode to ensure that all connections use SSL. This option is available only for client programs, not the server. [client] ssl-mode=required SSL
  • 18. © 2019 Percona18 Password Management • Password expiration • validate_password plugin
  • 19. © 2019 Percona19 Password Expiration • MySQL enables database administrators to expire account passwords manually, and to establish a policy for automatic password expiration. Expiration policy can be established globally, and individual accounts can be set to either defer to the global policy or override the global policy with specific per-account behavior.
  • 20. © 2019 Percona20 Password Expiration Individual Accounts mysql> create user test_expired_user@localhost identified by 'Sekr$K1et' PASSWORD EXPIRE INTERVAL 1 day; Query OK, 0 rows affected (0.01 sec) Globally mysql> SET GLOBAL default_password_lifetime = 1;
  • 21. © 2019 Percona21 Password Expiration mysql: test_expired_user@localhost ((none)) > show databases; ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
  • 22. © 2019 Percona22 validate_plugin Its main purpose is to test passwords and improve security. It is possible to ensure the strength, length and required characters of the password.
  • 23. © 2019 Percona23 validate_plugin - Installing # Runtime mysql: root@localhost ((none)) > INSTALL PLUGIN validate_password SONAME 'validate_password.so'; Query OK, 0 rows affected (0.07 sec) # my.cnf [mysqld] plugin-load-add=validate_password.so
  • 24. © 2019 Percona24 validate_plugin - Validate mysql: root@localhost ((none)) > show global variables like '%plugin%'; +-------------------------------+--------------------------+ | Variable_name | Value | +-------------------------------+--------------------------+ | default_authentication_plugin | mysql_native_password | | plugin_dir | /usr/lib64/mysql/plugin/ | +-------------------------------+--------------------------+ 2 rows in set (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'validate%'; +-------------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------------+---------------+ | validate_password | ACTIVE | +-------------------+---------------+ 1 row in set (0.00 sec)
  • 25. © 2019 Percona25 validate_plugin - Example mysql: root@localhost ((none)) > set global validate_password_length = 6; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > set global validate_password_policy=2; Query OK, 0 rows affected (0.00 sec)
  • 26. © 2019 Percona26 validate_plugin - Example mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd12@'; Query OK, 0 rows affected (0.00 sec)
  • 28. © 2019 Percona28 Audit Plugin ▪ MySQL Enterprise – Paid ▪ Percona Server (works with community version) – Free ▪ It is different from general log ▪ Filter by command / user / database
  • 29. © 2019 Percona29 Audit Plugin - Installing mysql > INSTALL PLUGIN audit_log SONAME 'audit_log.so'; Query OK, 0 rows affected (0.05 sec) mysql > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'audit%'; +-------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------+---------------+ | audit_log | ACTIVE | +-------------+---------------+
  • 30. © 2019 Percona30 Audit Plugin [mysqld] ## Audit Logging ## audit_log_policy=ALL audit_log_format=JSON audit_log_file=/var/log/mysql/audit.log audit_log_rotate_on_size=1024M audit_log_rotations=10
  • 31. © 2019 Percona31 Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_buffer_size | 1048576 | | audit_log_exclude_accounts | | | audit_log_exclude_commands | | | audit_log_exclude_databases | | | audit_log_file | /var/log/mysql/audit.log | | audit_log_flush | OFF | | audit_log_format | JSON | | audit_log_handler | FILE | | audit_log_include_accounts | | | audit_log_include_commands | | | audit_log_include_databases | |
  • 32. © 2019 Percona32 Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_policy | ALL | | audit_log_rotate_on_size | 1073741824 | | audit_log_rotations | 10 | | audit_log_strategy | ASYNCHRONOUS | | audit_log_syslog_facility | LOG_USER | | audit_log_syslog_ident | percona-audit | | audit_log_syslog_priority | LOG_INFO | +-----------------------------+--------------------------+ 18 rows in set (0.02 sec)
  • 33. © 2019 Percona33 Percona Server Encryption Features
  • 34. © 2019 Percona34 Percona Server Encryption Percona server provides extra encryption: • encrypt_binlog • encrypt_tmp_files • innodb_encrypt_online_alter_logs • innodb_encrypt_tables – BETA quality • innodb_parallel_dblwr_encrypt – ALPHA quality • innodb_sys_tablespace_encrypt – ALPHA quality • innodb_temp_tablespace_encrypt – BETA quality
  • 35. © 2019 Percona35 Percona Server Encryption [mysqld] # Binary Log Encryption encrypt_binlog master_verify_checksum = 1 binlog_checksum = 1 mysql: root@localhost ((none)) > show global variables like '%encrypt_binlog%'; +----------------+-------+ | Variable_name | Value | +----------------+-------+ | encrypt_binlog | ON | +----------------+-------+ 1 row in set (0.00 sec)
  • 36. © 2019 Percona36 Percona Server Encryption mysql: root@localhost ((none)) > show global variables like '%encrypt%'; +----------------------------------+-------------+ | Variable_name | Value | +----------------------------------+-------------+ | block_encryption_mode | aes-128-ecb | | encrypt_binlog | ON | | encrypt_tmp_files | OFF | | innodb_encrypt_online_alter_logs | OFF | | innodb_encrypt_tables | OFF | | innodb_parallel_dblwr_encrypt | OFF | | innodb_sys_tablespace_encrypt | OFF | | innodb_temp_tablespace_encrypt | OFF | +----------------------------------+-------------+ 8 rows in set (0.00 sec)
  • 37. © 2019 Percona37 MySQL 8 Features (undo, redo encryption)
  • 38. © 2019 Percona38 MySQL 8 - (undo, redo encryption) ▪ MySQL 8 extends tablespace encryption feature to redo log and undo log ▪ It is necessary using one of the Keyring plugins
  • 39. © 2019 Percona39 MySQL 8 - (undo, redo encryption) The process is very straightforward, to enable the encryption on the redo log and the undo log: mysql> set global innodb_undo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> set global innodb_redo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> show global variables like '%log_encrypt%'; +-------------------------+-------+ | Variable_name | Value | +-------------------------+-------+ | innodb_redo_log_encrypt | ON | | innodb_undo_log_encrypt | ON | +-------------------------+-------+ 2 rows in set (0.00 sec)
  • 40. © 2019 Percona40 Transparent Data Encryption(TDE)
  • 41. © 2019 Percona41 Transparent Data Encryption (TDE) • Enables data-at-rest encryption in the database • Encryption and decryption occurs without any additional coding, data type or schema modifications
  • 42. © 2019 Percona42 Transparent Data Encryption (TDE) [mysqld] # TDE early-plugin-load=keyring_file.so keyring-file-data=/var/lib/mysql-keyring/keyring mysql: root@localhost ((none)) > INSTALL PLUGIN keyring_udf SONAME 'keyring_udf.so'; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'keyring%'; +--------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +--------------+---------------+ | keyring_file | ACTIVE | | keyring_udf | ACTIVE | +--------------+---------
  • 43. © 2019 Percona43 Transparent Data Encryption (TDE) mysql: root@localhost ((none)) > SELECT keyring_key_generate('MyKey', 'AES', 32); +------------------------------------------+ | keyring_key_generate('MyKey', 'AES', 32) | +------------------------------------------+ | 1 | +------------------------------------------+ 1 row in set (0.00 sec) mysql> CREATE TABLESPACE `amer_meeting1` ADD DATAFILE 'amer_meeting1.ibd' ENCRYPTION = 'Y' Engine=InnoDB; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='N'; ERROR 1478 (HY000): InnoDB: Tablespace `vgrippa` can contain only an ENCRYPTED tables. mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='Y'; Query OK, 0 rows affected (0.02 sec)
  • 44. © 2019 Percona44 Transparent Data Encryption (TDE) A flag field in the INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES has bit number 13 set if tablespace is encrypted. mysql: root@localhost (test) > SELECT space, name, flag, (flag & 8192) != 0 AS encrypted FROM INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES WHERE name in ('vgrippa'); +-------+---------+-------+-----------+ | space | name | flag | encrypted | +-------+---------+-------+-----------+ | 156 | vgrippa | 10240 | 1 | +-------+---------+-------+-----------+ 1 row in set (0.00 sec)
  • 46. © 2019 Percona46 caching_sha2_password MySQL provides two authentication plugins that implement SHA-256 hashing for user account passwords: • sha256_password: Implements basic SHA-256 authentication • caching_sha2_password: Implements SHA-256 authentication (like sha256_password), but uses caching on the server side for better performance and has additional features for wider applicability. (In MySQL 5.7, caching_sha2_password is implemented only on the client)
  • 47. © 2019 Percona47 caching_sha2_password mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec) mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec)
  • 48. © 2019 Percona48 caching_sha2_password mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+----------------------------- --------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+----------------------------- --------------+ | vgrippa | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | | vgrippa1 | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | +----------+-----------+-----------------------+----------------------------- --------------+ 2 rows in set (0.00 sec)
  • 49. © 2019 Percona49 Example # MySQL 8 [mysqld] default_authentication_plugin=caching_sha2_password mysql> CREATE USER 'sha2user'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'password'; Query OK, 0 rows affected (0.06 sec) mysql> select user,host, plugin from mysql.user where user like 'sha2user%'; +----------+-----------+-----------------------+ | user | host | plugin | +----------+-----------+-----------------------+ | sha2user | localhost | caching_sha2_password | +----------+-----------+-----------------------+ 1 row in set (0.00 sec)
  • 50. © 2019 Percona50 Example mysql: root@localhost ((none)) > create user vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost ((none)) > create user vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec)
  • 51. © 2019 Percona51 Example mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+--------------------------------------------- ---------------------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+--------------------------------------------- ---------------------------+ | vgrippa | localhost | caching_sha2_password | $A$005$)8?=V_"J75FFq |jUVMUZmnZ1t8aSybB4AISoj1MXdlseI0rQay6bGGlne8 | | vgrippa1 | localhost | caching_sha2_password | $A$005$zEZ;bEmj[hq1T!LFtqZzAB0hacxgwNfHM/gL6gBFHqY1wuozW2NO4Gj9958 | +----------+-----------+-----------------------+--------------------------------------------- ---------------------------+ 2 rows in set (0.01 sec)
  • 53. © 2019 Percona53 FIPS • MySQL supports FIPS mode, if compiled using OpenSSL, and an OpenSSL library and FIPS Object Module are available at runtime • FIPS mode on the server side applies to cryptographic operations performed by the server. This includes replication (master/slave and Group Replication) and X Plugin, which run within the server. FIPS mode also applies to attempts by clients to connect to the server
  • 54. © 2019 Percona54 Example mysql> show global variables like '%fips%'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | ssl_fips_mode | ON | +---------------+-------+ 1 row in set (0.01 sec) mysql> set global ssl_fips_mode=1; Query OK, 0 rows affected (0.06 sec)
  • 55. © 2019 Percona55 Example mysql> select md5('a'); +----------------------------------+ | md5('a') | +----------------------------------+ | 00000000000000000000000000000000 | +----------------------------------+ 1 row in set, 1 warning (0.00 sec)
  • 56. © 2019 Percona56 Example mysql> show warnings; +---------+-------+------------------------------------------------------------------- -----+ | Level | Code | Message | +---------+-------+------------------------------------------------------------------- -----+ | Warning | 11272 | SSL fips mode error: FIPS mode ON/STRICT: MD5 digest is not supported. | +---------+-------+------------------------------------------------------------------- -----+ 1 row in set (0.00 sec)
  • 57. © 2019 Percona57 Example mysql> select sha2('a', 256); +------------------------------------------------------------------+ | sha2('a', 256) | +------------------------------------------------------------------+ | ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb | +------------------------------------------------------------------+ 1 row in set (0.00 sec)
  • 59. © 2019 Percona59 Roles ● MySQL 8 comes with Roles feature. A role is a named collection of privileges. Like user accounts, roles can have privileges granted to and revoked from them. 59
  • 60. © 2019 Percona60 Roles mysql> create role app_read; Query OK, 0 rows affected (0.03 sec) mysql> grant select on *.* to app_read; Query OK, 0 rows affected (0.04 sec) 60
  • 61. © 2019 Percona61 Roles mysql> select * from app_db.joinit; ERROR 1142 (42000): SELECT command denied to user 'test_role'@'localhost' for table 'joinit' mysql> SELECT CURRENT_ROLE(); +----------------+ | CURRENT_ROLE() | +----------------+ | NONE | +----------------+ 1 row in set (0.00 sec) 61
  • 62. © 2019 Percona62 Roles mysql> SET ROLE all; Query OK, 0 rows affected (0.00 sec) mysql> SELECT CURRENT_ROLE(); +-------------------------------------------------------+ | CURRENT_ROLE() | +-------------------------------------------------------+ | `app_read`@`%`,`app_write`@`%`,`app_read`@`localhost` | +-------------------------------------------------------+ 1 row in set (0.00 sec) mysql> select * from app_db.joinit; 62
  • 63. © 2019 Percona63 Roles It is possible to use activate_all_roles_on_login to activate all roles granted to each account at login time. 63
  • 64. © 2019 Percona64 References # SO/Cloud security https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html # Audit log https://www.percona.com/blog/2015/09/10/percona-server-audit-log-plugin-best-practices/ #caching_sha2_password https://dev.mysql.com/doc/refman/5.7/en/caching-sha2-pluggable-authentication.html # SSL https://www.percona.com/blog/2013/06/22/setting-up-mysql-ssl-and-secure-connections/#setup https://www.percona.com/blog/2013/10/10/mysql-ssl-performance-overhead/ # TDE https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html#usage https://dev.mysql.com/doc/refman/5.7/en/keyring-file-plugin.html # Roles https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_activate_all_roles_on _login https://dev.mysql.com/doc/refman/8.0/en/roles.html # Password management https://dev.mysql.com/doc/refman/5.7/en/password-management.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-installation.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-options-variables.html # FIPS https://dev.mysql.com/doc/refman/8.0/en/fips-mode.html # Percona Server 8.0 Alpha release https://www.percona.com/blog/2018/09/27/announcement-alpha-build-of-percona-server-8-0/ # MySQL 8 redo and undo encryption https://dev.mysql.com/doc/refman/8.0/en/innodb-tablespace-encryption.html#innodb-tablespace-encr yption-about 64