Copyright © 2015, Oracle and/or its affiliates. All rights reserved.

Modern Data Security with MySQL
Vittorio Cioe
MySQL Sr. Sales Consultant
vittorio.cioe@oracle.com

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole discretion of Oracle.

Agenda
• Modern data security
• MySQL Security Capabilities
• MySQL and GDPR
• Conclusion

Modern Data Security

Some time ago: trust based data security

...and the future came... data are everywhere

Now: need for embedded data security

Complexity grows -> Risk Grows

Data Security Cycle
ASSESS, PREVENT, DETECT

MySQL Security Capabilities

Assess Security Risks
• Discover Personal Data
• Scan Security Configuration
• Privilege Analysis

MySQL Enterprise Monitor
• Enforce MySQL Security Best Practices
– Identifies Vulnerabilities
– Assesses current setup against security hardening policies
• Monitoring & Alerting
– User Monitoring
– Password Monitoring
– Schema Change Monitoring
– Backup Monitoring
– Configuration Management
– Configuration Tuning Advice
• Centralized User Management

“I definitely recommend the MySQL Enterprise Monitor to DBAs who don't have a ton of MySQL experience. It makes monitoring MySQL security, performance and availability very easy to understand and to act on.”
Sandi Barr, Sr. Software Engineer, Schneider Electric

Assess MySQL Authorization
• Administrative Privileges
• Database Privileges
• Session Limits and Object Privileges
• User privileges
– Creating, altering and deleting databases
– Creating, altering and deleting tables
– Execute INSERT, SELECT, UPDATE, DELETE queries
– Create, execute, or delete stored procedures and with what rights
– Create or delete indexes
[Screenshot: Security Privilege Management in MySQL Workbench]

MySQL Enterprise Authentication
Integrates MySQL with existing security infrastructures
• Integrate with Centralized Authentication Infrastructure
– Centralized Account Management
– Password Policy Management
– Groups & Roles
• PAM (Pluggable Authentication Modules)
– Standard interface (Unix, LDAP, Kerberos, others)
• Windows
– Access native Windows service: use to authenticate users using Windows Active Directory or to a native host

MySQL Enterprise Authentication: PAM
• Standard Interface
– Unix/Linux
• Proxy Users

MySQL Enterprise Authentication: Windows
• Windows Active Directory
• Windows Native Services

MySQL Enterprise Authentication: LDAP (new!!)
• Standard Interface
– LDAP Authentication
• Proxy Users

Assess your data and data model using MySQL Workbench

Protect from live threats
• Protect from SQL injection
• Store Data Encrypted
• Enforce security roles

MySQL Enterprise Firewall: Overview
[Diagram: inbound SQL traffic from web applications on the Internet, including a SQL injection attack via browser, reaches MySQL Enterprise Firewall in front of the MySQL instance. The firewall's three actions are ALLOW, BLOCK and DETECT.]

MySQL Enterprise Firewall
• Block SQL Injection Attacks
– Allow: SQL statements that match Whitelist
– Block: SQL statements that are not on Whitelist
• Intrusion Detection System
– Detect: SQL statements that are not on Whitelist
– SQL statements execute and alert administrators

Select * from employee where id=22 → Allow ✔
Select * from employee where id=22 or 1=1 → Block ✖
[Diagram labels: Applications; White List; Intrusion Detection: Detect & Alert]

MySQL Enterprise Firewall
• Real Time Protection
– Queries analyzed and matched against White List
• Blocks SQL Injection Attacks
– Positive Security Model
• Block Suspicious Traffic
– Out of Policy Transactions detected & blocked
• Learns White List
– Automated creation of approved list of SQL command patterns on a per user basis
• Transparent
– No changes to application required
[Screenshot: MySQL Enterprise Firewall monitoring]

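The learn, detect and block cycle from the firewall slides, as an added example that is not taken from the deck. It assumes the firewall plugin is already installed and uses a hypothetical application account app_user@localhost working on a hypothetical employee table.

```sql
-- Added example: train and enforce a per-account allowlist.
-- Assumptions: MySQL Enterprise Firewall is installed; 'app_user'@'localhost'
-- and the employee table are hypothetical names.

-- 0. Confirm the firewall is switched on for the instance.
SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode';

-- 1. Learn: record the normalized form of every statement the account runs.
CALL mysql.sp_set_firewall_mode('app_user@localhost', 'RECORDING');

--    Now run the application's normal workload as app_user, for example:
--      SELECT * FROM employee WHERE id = 22;
--    Literals are replaced by placeholders during normalization, so
--    id = 22 and id = 57 end up as the same rule.

-- 2. Detect: statements outside the allowlist still execute, but are
--    reported as suspicious in the error log. Leaving RECORDING mode also
--    persists the learned rules.
CALL mysql.sp_set_firewall_mode('app_user@localhost', 'DETECTING');

-- 3. Review what was learned before enforcing it. Anything recorded by
--    mistake (ad hoc admin queries, test traffic) becomes permanently
--    allowed, so this list deserves a manual read.
SELECT RULE
  FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
 WHERE USERHOST = 'app_user@localhost';

-- 4. Block: statements that do not match a rule are rejected.
CALL mysql.sp_set_firewall_mode('app_user@localhost', 'PROTECTING');

--    As app_user:
--      SELECT * FROM employee WHERE id = 22;
--          same shape as the recorded statement, so it runs
--      SELECT * FROM employee WHERE id = 22 OR 1 = 1;
--          the extra OR clause changes the normalized shape; there is
--          no matching rule, so the statement is refused

-- 5. Monitor: per-account mode and instance-wide counters
--    (granted, denied, suspicious, cached entries).
SELECT USERHOST, MODE FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_USERS;
SHOW GLOBAL STATUS LIKE 'Firewall%';
```

Running in DETECTING mode for a full business cycle before switching to PROTECTING surfaces legitimate statements that were missed during recording.
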
MySQL TDE – Protects against Attacks on Database Files
[Diagram: a hacker or dishonest OS user accesses the MySQL database's encrypted tablespace files directly; the key is protected, and access to the information is blocked by encryption.]

MySQL Enterprise Transparent Data Encryption: 2 Tier Architecture
• Master Key
– Stored outside the database
– Oracle Key Vault
– SafeNet KeySecure
– KMIP Compliant Key Vault
• Tablespace Key
– Protected by master key
[Diagram labels: Client; MySQL Server; Plugin & Services Infrastructure; Keyring plugins; InnoDB; Key Vault; Master Key; Tablespace Keys; MySQL Database; Plain Text; Encrypted 1; Encrypted 2]

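What the two-tier key hierarchy means in day-to-day SQL, as an added example that is not part of the deck. It assumes a keyring plugin is already loaded at server start and uses a hypothetical hr.employee table.

```sql
-- Added example. Assumptions: a keyring plugin is loaded so InnoDB can
-- reach the master key; hr.employee is a hypothetical table.

-- 1. Check that a keyring plugin is active before encrypting anything.
--    Without one, the ALTER TABLE below fails.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';

-- 2. Encrypt an existing table. InnoDB generates a tablespace key for it,
--    encrypts the pages with that key, and stores the tablespace key in
--    the tablespace header encrypted under the master key. The table is
--    rebuilt, so plan for the I/O on large tables.
ALTER TABLE hr.employee ENCRYPTION='Y';

-- 3. Assessment query: InnoDB tables in application schemas that are not
--    marked as encrypted. The _ wildcards match either quote style used
--    in CREATE_OPTIONS.
SELECT TABLE_SCHEMA, TABLE_NAME
  FROM INFORMATION_SCHEMA.TABLES
 WHERE ENGINE = 'InnoDB'
   AND TABLE_SCHEMA NOT IN ('mysql', 'sys')
   AND COALESCE(CREATE_OPTIONS, '') NOT LIKE '%ENCRYPTION=_Y_%';

-- 4. Rotate the master key. Only the small tablespace keys are decrypted
--    and re-encrypted under the new master key; table data is not
--    rewritten, which is the practical benefit of the two tiers.
--    Requires the ENCRYPTION_KEY_ADMIN (or SUPER) privilege.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
```

TDE covers the files at rest only: a client that authenticates with SELECT on the table still reads plain text, so it complements access controls and the firewall rather than replacing them.
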
Key Vault High-Level Architecture
[Diagram labels: Databases, Servers, Middleware; Wallets, Keystores; Credential Files/Other, Password/phrases, Certificates; Standby; Administration Console, Alerts, Reports; Secure Backups]

MySQL 8.0: Atomicity in Privileges
• Privilege Tables now 100% InnoDB
• User Management DDLs Atomic
– CREATE USER
– ALTER USER
– RENAME USER
– DROP USER
– GRANT
– REVOKE

MySQL 8.0: Security Roles
• Fully Functional, Flexible, Properly Architected Roles
• Create and Drop Roles, Grant to Roles
• Grant Roles to Roles, Grant Roles to Users
• Limit Hosts that can use roles, Define Default Roles
• Decide what roles are applicable during a session
• And even visualize Roles with SQL function ROLES_GRAPHML()

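The role operations and the atomic user-management behaviour listed on the two MySQL 8.0 slides, as an added example that is not part of the deck. The hr schema, the role names, the account 'report'@'10.0.0.%' and its password are hypothetical placeholders.

```sql
-- Added example; every name and the password are hypothetical.
-- Statements are run by an administrator unless marked otherwise.

-- Create roles and grant privileges to the roles, not to individual users.
CREATE ROLE 'hr_read', 'hr_write';
GRANT SELECT ON hr.* TO 'hr_read';
GRANT INSERT, UPDATE, DELETE ON hr.* TO 'hr_write';

-- Grant a role to a role: hr_write now includes everything in hr_read.
GRANT 'hr_read' TO 'hr_write';

-- Grant roles to a user. The account's host part restricts where it may
-- connect from.
CREATE USER 'report'@'10.0.0.%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
GRANT 'hr_read', 'hr_write' TO 'report'@'10.0.0.%';

-- Default role: only read access is active at login. Write access has to
-- be switched on explicitly inside the session.
SET DEFAULT ROLE 'hr_read' TO 'report'@'10.0.0.%';

-- Run as 'report' inside its own session:
SELECT CURRENT_ROLE();   -- roles active right now
SET ROLE 'hr_write';     -- elevate for a maintenance task
SET ROLE DEFAULT;        -- drop back to the default role afterwards

-- Review: effective privileges with a given role active, and the full
-- role graph as GraphML (ROLES_GRAPHML() needs the ROLE_ADMIN privilege
-- to return real content).
SHOW GRANTS FOR 'report'@'10.0.0.%' USING 'hr_read';
SELECT ROLES_GRAPHML();

-- Atomicity: in MySQL 8.0 a user-management statement succeeds for every
-- named account or changes nothing. Because 'no_such_user' does not
-- exist, this statement fails as a whole and 'report' is NOT dropped.
DROP USER 'report'@'10.0.0.%', 'no_such_user'@'%';

-- Cleanup of the example objects.
DROP USER 'report'@'10.0.0.%';
DROP ROLE 'hr_read', 'hr_write';
```
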
Detect suspicious events
• Audit live events
• Watch live queries
• Disaster Recovery

MySQL Enterprise Audit - Work Flow

Focus on MySQL EE Audit
• GDPR
– Mandates recording or auditing of the activities on the Personal Data
– Recommends records must be maintained centrally, under the responsibility of the Controller.
– Processors and third-parties must not be able to tamper with or destroy the audit records.
– In addition to book-keeping, auditing helps in forensic analysis in case of a breach.
• MySQL Enterprise Audit
– Audit data can be maintained in Oracle Audit Vault – certified
– Outputs standard XML or JSON that easily integrates with various 3rd party solutions
– Supports encryption
– Can direct security logs to write-once storage

Review Audit Data With Workbench EE

Enterprise Query Analyzer
• Real-time query performance
• Visual correlation graphs
• Find & fix expensive queries
• Detailed query statistics
• Query Response Time index (QRTi)

“With the MySQL Query Analyzer, we were able to identify and analyze problematic SQL code, and triple our database performance. More importantly, we were able to accomplish this in three days, rather than taking weeks.”
Keith Souhrada, Software Development Engineer, Big Fish Games

MySQL Enterprise Backup
• Online, non-locking backup and recovery
– Complete MySQL instance backup (data and config)
– Partial backup and restore
• Direct Cloud storage backups
– Oracle Storage Cloud, S3, etc.
• Incremental backups
• Point-in-time recovery
• Advanced compression and encryption
• Backup to tape (SBT)
• Optimistic backups
• Cross-Platform (Windows, Linux, Unix)

InnoDB Cluster
• App Servers with MySQL Router
• MySQL Group Replication
• MySQL Shell: Setup, Manage, Orchestrate
“High Availability becomes a core first class feature of MySQL!”

Additional Security Controls
• Hashing, Signing, Encryption Functions
– Symmetric Encryption – AES
– Hashing – SHA-2, SHA-1
– Asymmetric Public Key Encryption (RSA)
– Asymmetric Private Key Decryption (RSA)
– Generate Public/Private Key (RSA, DSA, DH)
– Derive Symmetric Keys from Public and Private Key pairs (DH)
– Digitally Sign Data (RSA, DSA)
– Verify Data Signature (RSA, DSA)
– Validate Data Authenticity (RSA, DSA)

MySQL and GDPR

EU General Data Protection Regulation (GDPR)
• Data privacy as a fundamental right
• Defines Data protection responsibilities, baselines, principles
• Provides Enforcement Powers
Focus is on 3 Areas
• Assessment – Processes, Profiles, Data Sensitivity, Risks
• Prevention – Encryption, Anonymization, Access Controls, Separation of Duties
• Detection – Auditing, Activity monitoring, Alerting, Reporting

GDPR and MySQL
• We can’t be entirely prescriptive
• We have many things that can be applied towards attaining compliance
– Assessment: MySQL Enterprise Monitor, MySQL Workbench EE, MySQL Security Best Practices Guidelines
– Prevention: MySQL Transparent Data Encryption, MySQL Enterprise Firewall, DBA configurable IP whitelisting, Connection Limits, In transit data encryption, Granular access controls
– Detection: MySQL Enterprise Firewall, MySQL Enterprise Audit, MySQL Workbench EE, MySQL Enterprise Monitor

Conclusion

Takeaway: MySQL Enterprise Security Architecture
• Workbench
– Model
– Data
– Audit Data
– User Management
• Enterprise Monitor
– Identifies Vulnerabilities
– Security hardening policies
– Monitoring & Alerting
– User Monitoring
– Password Monitoring
– Schema Change Monitoring
– Backup Monitoring
• Data Encryption
– TDE
– Encryption
– PKI
• Firewall
• Key Vault
• Enterprise Authentication
– SSO - LDAP, AD, PAM
• Network Encryption
• Enterprise Audit
– Powerful Rules Engine
• Audit Vault
• Strong Authentication
• Access Controls
• Assess, Prevent, Detect, Recover
• Enterprise Backup
– Encrypted
• HA
– InnoDB Cluster
• Thread Pool
– Attack minimization

References
• Home page EU GDPR
– http://www.eugdpr.org/
• MySQL Enterprise
– https://www.mysql.com/products/enterprise/
• MySQL PCI DSS
– https://www.mysql.com/it/why-mysql/white-papers/mysql-pci-data-security-compliance/
• MySQL Security Best Practices
– https://www.mysql.com/it/why-mysql/presentations/mysql-security-best-practices/