Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
MySQL Security: Best Practices

Mark Swarbrick
Principal Presales Consultant, UK&I
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Confidential – Oracle Internal/Restricted/Highly Restricted
43% of companies have experienced a data breach in the past year.
Source: Ponemon Institute, 2014
Mega Breaches
•  552 million identities exposed in 2013, a 493% increase over the previous year
•  77% of web sites had vulnerabilities; 1 in 8 of all websites had a critical vulnerability
•  8 breaches exposed more than 10 million records in 2013
•  Total breaches increased 62% in 2013
Source: Internet Security Threat Report 2014, Symantec
Database Vulnerabilities
•  Poor Configurations
– Set controls and change default settings
•  Over Privileged Accounts
– Privilege Policies
•  Weak Access Control
– Dedicated Administrative Accounts
•  Weak Authentication
– Strong Password Enforcement
•  Weak Auditing
– Compliance & Audit Policies
•  Lack of Encryption
– Data, Backup, & Network Encryption
•  Poor Credential & Key Management
– Use mysql_config_editor, Key Vaults
•  Unsecured Backups
– Encrypted Backups
•  No Monitoring
– Security Monitoring, Users, Objects
•  Poorly Coded Applications
– Database Firewall
Database Attacks
•  SQL Injection
– Prevention: DB Firewall, White List, Input Validation
•  Buffer Overflow
– Prevention: Frequently apply Database Software updates, DB Firewall, White List, Input Validation
•  Brute Force Attack
– Prevention: lock out accounts after a defined number of incorrect attempts
•  Network Eavesdropping
– Prevention: Require SSL/TLS for all Connections and Transport
•  Malware
– Prevention: Tight Access Controls, Limited Network IP access, Change default settings, Encryption
Database Malicious Actions
•  Information Disclosure: Obtain credit card and other personal information
– Defense: Encryption – Data and Network, Tighter Access Controls
•  Denial of Service: Run resource intensive queries
– Defense: Resource Usage Limits – Set various limits – Max Connections, Sessions, Timeouts, …
•  Elevation of Privilege: Retrieve and use administrator credentials
– Defense: Stronger authentication, Access Controls, Auditing
•  Spoofing: Retrieve and use other credentials
– Defense: Stronger account and password policies
•  Tampering: Change data in the database, Delete transaction records
– Defense: Tighter Access Controls, Auditing, Monitoring, Backups
Regulatory Compliance
•  Regulations
– PCI-DSS: Payment Card Data
– HIPAA: Privacy of Health Data
– Sarbanes-Oxley: Accuracy of Financial Data
– EU Data Protection Directive: Protection of Personal Data
– Data Protection Act (UK): Protection of Personal Data
•  Requirements
– Continuous Monitoring (Users, Schema, Backups, etc.)
– Data Protection (Encryption, Privilege Management, etc.)
– Data Retention (Backups, User Activity, etc.)
– Data Auditing (User activity, etc.)
PCI-DSS
•  Requirement 2: Secure Configurations, Security Settings & Patching
– Not Using Vendor Default Passwords and Security Settings
•  Requirement 3: Protecting Cardholder Data – Strong Cryptography
– Protect Stored Cardholder Data
– Protect Encryption Keys
•  Requirement 6: Up to Date Patching and Secure Systems
– Develop and Maintain Secure Systems and Applications
•  Requirement 7: User Access and Authorization
– Restrict Access to Cardholder Data by Need to Know
•  Requirement 8: Identity and Access Management
– Identify and Authenticate Access to System Components
•  Requirement 10: Monitoring, Tracking and Auditing
– Track and Monitor Access to Cardholder Data

White Paper: A Guide to MySQL and PCI Compliance
DBA Responsibilities
•  Ensure only users who should get access, can get access
•  Limit what users and applications can do
•  Limit from where users and applications can access data
•  Watch what is happening, and when it happened
•  Make sure to back things up securely
•  Minimize attack surface
•  Ensure encryption keys are protected and managed
MySQL Security Overview
[Diagram: MySQL Security at the centre, surrounded by its five areas: Authentication, Authorization, Encryption, Firewall, Auditing]

MySQL Security Overview
[Diagram of the same areas with their components:
Authentication – MySQL, Linux / LDAP, Windows AD, Custom
Authorization – Privilege Management, Administration, Database & Objects, Proxy Users
Encryption – SSL/TLS, Public/Private Key, Transparent Encryption, Key Management
Firewall & Auditing – Block Threats, Auditing, Regulatory Compliance, Login and Query Activities]
MySQL Authorization
•  Administrative Privileges
•  Database Privileges
•  Session Limits and Object Privileges
•  Fine grained controls over user privileges
– Creating, altering and deleting databases
– Creating, altering and deleting tables
– Execute INSERT, SELECT, UPDATE, DELETE queries
– Create, execute, or delete stored procedures, and with what rights
– Create or delete indexes
[Screenshot: Security Privilege Management in MySQL Workbench]
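As an added example (not from the original deck), the privilege levels and session limits listed above applied to three accounts for an assumed `payroll` schema, in MySQL 5.7 syntax; hosts and passwords are placeholders:

```sql
-- Added example, not from the original deck. Assumed schema `payroll`,
-- MySQL 5.7 syntax; hosts and passwords are placeholders.
CREATE DATABASE IF NOT EXISTS payroll;
CREATE TABLE IF NOT EXISTS payroll.employee (
  id INT PRIMARY KEY, name VARCHAR(100), salary DECIMAL(10,2));
-- Runs as its definer (SQL SECURITY DEFINER, the default), so callers get only
-- what the procedure does, not a direct UPDATE right on the table.
CREATE PROCEDURE payroll.close_pay_period()
  UPDATE payroll.employee SET salary = salary;   -- stand-in body for the example

-- Application account: only the DML it needs, only from the app subnet, with
-- session limits so a runaway or hijacked client cannot exhaust the server.
CREATE USER 'payroll_app'@'10.0.5.%' IDENTIFIED BY 'CHANGE_ME_app_pw'
  WITH MAX_USER_CONNECTIONS 50 MAX_QUERIES_PER_HOUR 100000;
GRANT SELECT, INSERT ON payroll.employee TO 'payroll_app'@'10.0.5.%';
GRANT EXECUTE ON PROCEDURE payroll.close_pay_period TO 'payroll_app'@'10.0.5.%';
-- No UPDATE, DELETE, DROP or GRANT OPTION, and nothing outside `payroll`.

-- Reporting account: read-only, from one host.
CREATE USER 'payroll_ro'@'reports.internal.example' IDENTIFIED BY 'CHANGE_ME_ro_pw';
GRANT SELECT ON payroll.* TO 'payroll_ro'@'reports.internal.example';

-- Dedicated administrative account for schema changes on this database only,
-- so routine DBA work never runs as root.
CREATE USER 'payroll_dba'@'localhost' IDENTIFIED BY 'CHANGE_ME_dba_pw';
GRANT CREATE, ALTER, DROP, INDEX, CREATE ROUTINE, ALTER ROUTINE
  ON payroll.* TO 'payroll_dba'@'localhost';

-- Verify the effective grants, then audit for accounts holding global privileges
-- that belong to DBAs only.
SHOW GRANTS FOR 'payroll_app'@'10.0.5.%';
SELECT User, Host
FROM mysql.user
WHERE Super_priv = 'Y' OR Grant_priv = 'Y' OR File_priv = 'Y' OR Process_priv = 'Y';
```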
MySQL Authentication
•  Built in Authentication
– The user table stores users and hashed passwords
•  X.509
– Server authenticates client certificates
•  MySQL Native and SHA-256 Password plugins
– Native authentication uses SHA-1 hashing; the SHA-256 plugin uses SHA-256 hashing with per-user salting for user account passwords
•  MySQL Enterprise Authentication
– Microsoft Active Directory
– Linux PAMs (Pluggable Authentication Modules)
•  Support LDAP and more
•  Custom Authentication
MySQL Password Policies
•  Accounts without Passwords
– Assign passwords to all accounts to prevent unauthorized use
•  Password Validation Plugin
– Enforce Strong Passwords
•  Password Expiration/Rotation
– Require users to reset their password
•  Account lockout (in v. 5.7)
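The authentication and password-policy items from the two slides above, worked through as an added example (not from the original deck) in MySQL 5.7 syntax; account names, hosts, passwords and the dictionary path are placeholders:

```sql
-- Added example, not from the original deck. MySQL 5.7 syntax assumed;
-- account names, hosts, passwords and the dictionary path are placeholders.

-- Password validation plugin: weak passwords are rejected at CREATE/ALTER USER time.
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password_policy = 'STRONG';  -- length, mixed case, digit, special char, dictionary
SET GLOBAL validate_password_length = 14;
SET GLOBAL validate_password_dictionary_file = '/etc/mysql/weak-passwords.txt';
SELECT VALIDATE_PASSWORD_STRENGTH('Password1') AS score;  -- 0 to 100 scale

-- Hashing: sha256_password stores a salted SHA-256 hash (the slide's "SHA 256 Password
-- plugin"); the native plugin is SHA-1 based. Clients must use TLS or the server's RSA
-- key pair for the password exchange with this plugin.
CREATE USER 'app'@'10.0.5.%' IDENTIFIED WITH sha256_password BY 'CHANGE_ME_long_random_pw';

-- Expiration / rotation: server-wide 90-day lifetime, and an immediate change for a
-- newly provisioned DBA whose initial password was handed over out of band.
SET GLOBAL default_password_lifetime = 90;
ALTER USER 'app'@'10.0.5.%' PASSWORD EXPIRE INTERVAL 90 DAY;
CREATE USER 'new_dba'@'localhost' IDENTIFIED WITH sha256_password BY 'CHANGE_ME_temp_pw'
  PASSWORD EXPIRE;

-- X.509: the server authenticates the client certificate, here pinned to one subject.
CREATE USER 'batch'@'%' IDENTIFIED WITH sha256_password BY 'CHANGE_ME_batch_pw'
  REQUIRE SUBJECT '/C=GB/O=Example Ltd/CN=batch.internal.example';

-- Account lockout (5.7): administratively lock an account that must not be used.
ALTER USER 'legacy_app'@'%' ACCOUNT LOCK;

-- Accounts without passwords: there should be none.
SELECT User, Host, plugin FROM mysql.user WHERE authentication_string = '';
```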
MySQL Encryption
•  SSL/TLS Encryption
– Between MySQL clients and Server
– Replication: Between Master & Slave
•  Data Encryption
– AES Encrypt/Decrypt
•  MySQL Enterprise TDE
– Transparent Data Encryption
– Key Management (KMIP)
•  MySQL Enterprise Encryption
– Asymmetric Encrypt/Decrypt
– Generate Public and Private Keys
– Derive Session Keys
– Digital Signatures
•  MySQL Enterprise Backup
– AES Encrypt/Decrypt
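The AES data encryption and SSL/TLS items above as an added example (not from the original deck): column-level encryption with AES_ENCRYPT/AES_DECRYPT and TLS enforced for client and replication connections. The table, key handling, account and certificate path are constructed placeholders; MySQL 5.7 syntax is assumed.

```sql
-- Added example, not from the original deck. Table, key, account and paths are
-- constructed placeholders; MySQL 5.7 syntax assumed.

-- Use AES-256 in CBC mode with a per-row IV. The default block_encryption_mode
-- is aes-128-ecb, which makes equal plaintexts produce equal ciphertexts.
SET block_encryption_mode = 'aes-256-cbc';

CREATE TABLE IF NOT EXISTS card (
  id        INT PRIMARY KEY,
  pan_iv    VARBINARY(16) NOT NULL,  -- random IV, stored beside the ciphertext
  pan_enc   VARBINARY(64) NOT NULL,  -- AES-256-CBC ciphertext of the card number
  pan_last4 CHAR(4)       NOT NULL   -- searchable, non-sensitive fragment
);

-- The key comes from the application's key vault for the session (slide: "Key
-- Vaults"); it is never stored in the database. Placeholder derivation here.
SET @k = UNHEX(SHA2('CHANGE_ME_key_from_vault', 256));  -- 32-byte key

SET @iv = RANDOM_BYTES(16);
INSERT INTO card (id, pan_iv, pan_enc, pan_last4)
VALUES (1, @iv, AES_ENCRYPT('4111111111111111', @k, @iv), '1111');

-- Only a caller holding the key can read the number; the table itself holds bytes.
SELECT id, pan_last4, CAST(AES_DECRYPT(pan_enc, @k, pan_iv) AS CHAR) AS pan
FROM card WHERE id = 1;

-- Network encryption: refuse plaintext connections for the application account
-- and for the replication account used by slaves.
ALTER USER 'app'@'10.0.5.%' REQUIRE SSL;
ALTER USER 'repl'@'10.0.6.%' REQUIRE SSL;
-- On the slave, make the connection to the master use TLS as well.
CHANGE MASTER TO MASTER_SSL = 1, MASTER_SSL_CA = '/etc/mysql/ca.pem';

-- Checks: TLS available on the server, and in use for the current session.
SHOW VARIABLES LIKE 'have_ssl';
SHOW STATUS LIKE 'Ssl_cipher';
```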
Database Firewall
•  SQL Injection Attacks
– #1 Web Application Vulnerability
– 77% of Web Sites had vulnerabilities
•  MySQL Enterprise Firewall
– Monitor database statements in real-time
– Automatic White List "rules" generation for any application
– Block SQL Injection Attacks
– Intrusion Detection System
Database Auditing
•  Auditing for Security & Compliance
– FIPS, HIPAA, PCI-DSS, SOX, DISA STIG, …
•  MySQL built-in logging infrastructure:
– general log, error log
•  MySQL Enterprise Audit
– Granularity made for auditing
– Can be modified live
– Contains additional details
– Compatible with Oracle Audit Vault
MySQL Database Hardening
User Management
•  Remove Extra Accounts
•  Grant Minimal Privileges
•  Audit users and privileges
Configuration
•  Firewall
•  Auditing and Logging
•  Limit Network Access
•  Monitor changes
Installation
•  mysql_secure_installation
•  Keep MySQL up to date
•  MySQL Installer for Windows
•  Yum/Apt Repository
Backups
•  Monitor Backups
•  Encrypt Backups
Encryption
•  SSL/TLS for Secure Connections
•  Data Encryption (AES, RSA)
•  TDE
Passwords
•  Strong Password Policy
•  Hashing, Expiration
•  Password Validation Plugin
MySQL 5.7 Linux Packages - Security Improvements
•  Test/Demo database has been removed
– Now in separate packages
•  Anonymous account creation is removed
•  Creation of single root account – local host only
•  Default installation ensures encrypted communication by default
– Automatic generation of SSL/RSA Certs/Keys
   •  For EE: At server startup if options Certs/Keys were not set
   •  For CE: Through new mysql_ssl_rsa_setup utility
– Automatic detection of SSL Certs/Keys
•  Client attempts secure TLS connection by default
•  Compile time restriction over location used for data import/export operations
– Ensures location has restricted access
   •  Only mysql user and group
– Supports disabling data import/export
   •  Set secure-file-priv to empty string

MySQL Installer for Windows includes various Security Setup and Hardening Steps
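The hardening checklist and the 5.7 package defaults above, as an added example (not from the original deck): SQL that verifies, on an existing server, what mysql_secure_installation and the new packages set up. MySQL 5.7 column names and syntax are assumed.

```sql
-- Added example, not from the original deck. MySQL 5.7 syntax and column names
-- (authentication_string) assumed.

-- Anonymous accounts: there should be none; remove any that remain.
SELECT User, Host FROM mysql.user WHERE User = '';
DROP USER IF EXISTS ''@'localhost';

-- Root from anywhere other than the local host: the 5.7 packages create only
-- root@localhost, so any other root entry is a finding.
SELECT User, Host FROM mysql.user
WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- Accounts with no password set.
SELECT User, Host FROM mysql.user WHERE authentication_string = '';

-- Test/demo database and the catch-all grants that came with it.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';
FLUSH PRIVILEGES;

-- Data import/export: restricted to one directory, or disabled entirely ('').
SHOW VARIABLES LIKE 'secure_file_priv';

-- Encrypted transport available, and the generated certs/keys detected at startup.
SHOW VARIABLES LIKE 'have_ssl';    -- YES when TLS is usable
SHOW VARIABLES LIKE 'ssl_%';       -- ssl_ca, ssl_cert, ssl_key paths

-- FILE (server-side file read/write) and SUPER should be held by DBAs only.
SELECT User, Host FROM mysql.user WHERE File_priv = 'Y' OR Super_priv = 'Y';

-- Network exposure: bound to the application-facing interface, set in my.cnf.
SHOW VARIABLES LIKE 'bind_address';
SHOW VARIABLES LIKE 'skip_networking';

-- Patch level, to compare with the current release in the Yum/Apt repository.
SELECT VERSION();
```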
MySQL Enterprise Edition
•  MySQL Enterprise Authentication
– External Authentication Modules
   •  Microsoft AD, Linux PAMs
•  MySQL Enterprise Encryption
– Public/Private Key Cryptography
– Asymmetric Encryption
– Digital Signatures, Data Validation
•  MySQL Enterprise Firewall
– Block SQL Injection Attacks
– Intrusion Detection
•  MySQL Enterprise Audit
– User Activity Auditing, Regulatory Compliance
•  MySQL Enterprise Monitor
– Changes in Database Configurations, Users Permissions, Database Schema, Passwords
•  MySQL Enterprise Backup
– Securing Backups, AES 256 encryption
•  MySQL Enterprise TDE
– AES 256 encryption
– Key Management
MySQL Enterprise Monitor
•  Enforce MySQL Security Best Practices
– Identifies Vulnerabilities
– Assesses current setup against security hardening policies
•  Monitoring & Alerting
– User Monitoring
– Password Monitoring
– Schema Change Monitoring
– Backup Monitoring
– Configuration Management
– Configuration Tuning Advice
•  Centralized User Management

"I definitely recommend the MySQL Enterprise Monitor to DBAs who don't have a ton of MySQL experience. It makes monitoring MySQL security, performance and availability very easy to understand and to act on."
Sandi Barr
Sr. Software Engineer
Schneider Electric
MySQL Enterprise Firewall
•  Block SQL Injection Attacks
– Allow: SQL statements that match the whitelist
– Block: SQL statements that are not on the whitelist
•  Intrusion Detection System
– Detect: SQL statements that are not on the whitelist
   •  SQL statements execute and alert administrators

[Diagram: applications send statements through the white list.
Select *.* from employee where id=22 – matches the white list: Allow ✔
Select *.* from employee where id=22 or 1=1 – not on the white list: Block ✖ (or, in Intrusion Detection mode, Detect & Alert)]
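The record / protect / detect lifecycle from the two firewall slides above, as an added example (not from the original deck) using the MySQL Enterprise Firewall stored procedures. It assumes the firewall plugin is installed on a 5.7 server and an application account 'app'@'10.0.5.%'.

```sql
-- Added example, not from the original deck. Assumes MySQL Enterprise Firewall is
-- installed (MySQL 5.7) and an application account 'app'@'10.0.5.%'.

-- 1. Train: record every statement the application sends during a test run.
CALL mysql.sp_set_firewall_mode('app@10.0.5.%', 'RECORDING');
-- ... exercise the application; normalized statements land in the whitelist:
SELECT RULE FROM mysql.firewall_whitelist WHERE USERHOST = 'app@10.0.5.%';
-- e.g. SELECT * FROM employee WHERE id = ?
-- Literals are replaced by '?', so id=22 and id=23 share one rule, while
-- "id=22 or 1=1" normalizes to a statement shape that was never recorded.

-- 2. Review the learned rules before enforcing, and drop anything that should
--    not be there; then reload the in-memory cache from the table.
DELETE FROM mysql.firewall_whitelist
WHERE USERHOST = 'app@10.0.5.%' AND RULE LIKE 'DROP %';
CALL mysql.sp_reload_firewall_rules('app@10.0.5.%');

-- 3a. Protect: statements not on the whitelist are rejected.
CALL mysql.sp_set_firewall_mode('app@10.0.5.%', 'PROTECTING');
-- 3b. Or detect only (intrusion detection): execute, but log and count them.
-- CALL mysql.sp_set_firewall_mode('app@10.0.5.%', 'DETECTING');

-- 4. Monitor: allowed, blocked and (in DETECTING mode) suspicious statement counts.
SHOW GLOBAL STATUS LIKE 'Firewall_%';
-- Firewall_access_granted, Firewall_access_denied, Firewall_access_suspicious

-- 5. Retrain after an application release: clear the rules and record again.
CALL mysql.sp_set_firewall_mode('app@10.0.5.%', 'RESET');
CALL mysql.sp_set_firewall_mode('app@10.0.5.%', 'RECORDING');
```

A rise in Firewall_access_denied right after a deployment usually means a new statement shape was not recorded during training, not an attack; compare the rejected statements against the release before treating it as one.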
MySQL Enterprise Authentication
•  Integrate with Centralized Authentication Infrastructure
– Centralized Account Management
– Password Policy Management
– Groups & Roles
•  PAM (Pluggable Authentication Modules)
– Standard interface (Unix, LDAP, Kerberos, others)
– Windows
   •  Access native Windows service – use to authenticate users against Windows Active Directory or a native host
Integrates MySQL with existing security infrastructures
MySQL Enterprise Encryption
•  MySQL encryption functions
– Symmetric encryption AES256 (All Editions)
– Public-key / asymmetric cryptography – RSA
•  Key management functions
– Generate public and private keys
– Key exchange methods: DH
•  Sign and verify data functions
– Cryptographic hashing for digital signing, verification, & validation – RSA, DSA
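The key generation, asymmetric encryption, signing and DH key exchange functions listed above, worked through as an added example (not from the original deck). It assumes the MySQL Enterprise Encryption UDFs (openssl_udf) are installed; the data and secrets are constructed placeholders.

```sql
-- Added example, not from the original deck. Assumes the MySQL Enterprise
-- Encryption UDFs (openssl_udf) are installed; values are placeholders.

-- Key generation: a 2048-bit RSA private key and its public key, PEM encoded.
SET @priv = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 2048);
SET @pub  = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv);
-- In practice @priv stays with the application or key vault; only @pub is
-- placed near the data that must be encrypted or verified.

-- Asymmetric encrypt/decrypt. RSA handles only short payloads (key size minus
-- padding), so it wraps a symmetric key or small secret, not bulk data.
SET @wrapped = ASYMMETRIC_ENCRYPT('RSA', 'CHANGE_ME_session_key', @pub);
SELECT ASYMMETRIC_DECRYPT('RSA', @wrapped, @priv) AS recovered_key;

-- Digital signature: hash the record, sign the digest with the private key,
-- verify with the public key. Any change to the record breaks verification.
SET @data   = 'invoice 1042 total 199.00';
SET @digest = CREATE_DIGEST('sha256', @data);
SET @sig    = ASYMMETRIC_SIGN('RSA', @digest, @priv, 'sha256');
SELECT ASYMMETRIC_VERIFY('RSA', @digest, @sig, @pub, 'sha256') AS signature_valid;
-- The same signature checked against a tampered record fails verification:
SELECT ASYMMETRIC_VERIFY('RSA', CREATE_DIGEST('sha256', 'invoice 1042 total 999.00'),
                         @sig, @pub, 'sha256') AS tampered_record_valid;

-- Key exchange (DH): both parties derive the same session key from their own
-- private key and the other side's public key.
SET @dhp    = CREATE_DH_PARAMETERS(1024);
SET @a_priv = CREATE_ASYMMETRIC_PRIV_KEY('DH', @dhp);
SET @a_pub  = CREATE_ASYMMETRIC_PUB_KEY('DH', @a_priv);
SET @b_priv = CREATE_ASYMMETRIC_PRIV_KEY('DH', @dhp);
SET @b_pub  = CREATE_ASYMMETRIC_PUB_KEY('DH', @b_priv);
SELECT ASYMMETRIC_DERIVE(@b_pub, @a_priv) = ASYMMETRIC_DERIVE(@a_pub, @b_priv)
       AS same_session_key;
```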
Database Auditing
•  "Trust but verify" approach to security
– Ensure users with strong privileges don't misuse those privileges
•  Business Audit – Data Validity
– Here's proof my database data is accurate/correct
– Prove no tampering to data has occurred
•  Forensic analysis – as a component of any defense-in-depth strategy
– Proactive – Am I being hacked / was I hacked?
– Reactive – How were we hacked, what was changed, what was taken, etc.
Maintaining an audit trail is an essential security best practice
MySQL Enterprise Audit
•  Out-of-the-box logging of connections, logins, and queries
•  Simple to fine grained policies for filtering, and log rotation
•  Dynamically enabled, disabled: no server restart
•  XML-based audit stream
– Send data to a remote server / audit data vault
   •  Oracle Audit Vault
   •  Splunk, etc.
Adds "regulatory compliance" to MySQL applications (HIPAA, Sarbanes-Oxley, PCI, etc.)
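Enabling and tuning MySQL Enterprise Audit live, as an added example (not from the original deck) that covers this slide and the earlier Database Auditing one. It assumes the 5.7 audit_log plugin on Linux with its legacy-mode variables; the paths are placeholders.

```sql
-- Added example, not from the original deck. Assumes the MySQL 5.7 audit_log
-- plugin on Linux (legacy-mode policy variables); paths are placeholders.

-- Install once. Persist it in my.cnf (plugin-load-add=audit_log.so and
-- audit_log=FORCE_PLUS_PERMANENT) so the server will not start without auditing.
INSTALL PLUGIN audit_log SONAME 'audit_log.so';

-- What gets logged: these two are dynamic, so no restart is needed.
SET GLOBAL audit_log_connection_policy = 'ALL';  -- connects/disconnects, failed logins too
SET GLOBAL audit_log_statement_policy  = 'ALL';  -- every statement; 'ERRORS' for failures only

-- Rotation: a new file every 64 MB, so complete files can be shipped to
-- Oracle Audit Vault or a SIEM; with rotate_on_size = 0, set audit_log_flush
-- to rotate manually from a scheduled job.
SET GLOBAL audit_log_rotate_on_size = 64 * 1024 * 1024;

-- Format and write strategy are read at startup (set in my.cnf):
--   audit_log_format   = NEW           XML stream the slide refers to
--   audit_log_strategy = SYNCHRONOUS   no event lost even if the server crashes
SHOW GLOBAL VARIABLES LIKE 'audit_log_%';

-- Health: events written versus lost. Audit_log_events_lost above 0 means the
-- buffer overflowed under load and the trail has gaps.
SHOW GLOBAL STATUS LIKE 'Audit_log_events%';

-- Where the trail lives; the file must be readable by the audit shipper only,
-- never by application accounts.
SHOW GLOBAL VARIABLES LIKE 'audit_log_file';
```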
MySQL Enterprise Backup
•  Online Backup for InnoDB (scriptable interface)
•  Full, Incremental, Partial Backups (with compression)
•  Strong Encryption (AES 256)
•  Point in Time, Full, Partial Recovery options
•  Metadata on status, progress, history
•  Scales – High Performance/Unlimited Database Size
•  Windows, Linux, Unix
•  Certified with Oracle Secure Backup, NetBackup, Tivoli, others
MySQL Enterprise Oracle Certifications
•  Oracle Enterprise Manager for MySQL
•  Oracle Linux (w/DRBD stack)
•  Oracle VM
•  Oracle Solaris
   •  Oracle Solaris Clustering
   •  Oracle Clusterware
•  Oracle Audit Vault and Database Firewall
•  Oracle Secure Backup
•  Oracle Fusion Middleware
•  Oracle GoldenGate
•  My Oracle Support

MySQL integrates into your Oracle environment
Oracle Audit Vault and Database Firewall
•  Oracle DB Firewall
– Oracle, MySQL, SQL Server, IBM DB2, Sybase
– Activity Monitoring & Logging
– White List, Black List, Exception List
•  Audit Vault
– Built-in Compliance Reports
– External storage for audit archive

Thank You