a 2019 version of the talk.

1. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
MySQL 8.0
What’s New in Security ?
Georgi “Joro” Kodinov
MySQL SrvGen Team Lead

2. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, timing, and pricing of any
features or functionality described for Oracle’s products may change and remains at the
sole discretion of Oracle Corporation.

3. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Georgi “Joro” Kodinov, MySQL @ Oracle
 Server General Team Lead
 Works on MySQL since 2006
 Specializes in:
 Security
 Client/server protocol
 Performance monitoring
 Component infrastructure
 Loves history, diverse world cultures, gardening
 A devoted Formula 1 fan (Go, Vettel !)

4. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Program Agenda
Security Challenges
New Security Features in MySQL 8
New Security Features in MySQL Enterprise Edition
MySQL Security Architecture
1
2
3
4
4

5. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. | 5

6. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Cost of Data Breaches
6
Source: Ponemon Institute, 2018
$1.9M
$2.8M
$4.6M
$6.3M
$0
$1,000,000
$2,000,000
$3,000,000
$4,000,000
$5,000,000
$6,000,000
$7,000,000
Less than 10,000 10,000 to 25,000 25,001 to 50,000 Greater than
50,000
Records
Small to Medium Breaches
$199M
$279M
$325M
$350M
$0
$50,000,000
$100,000,000
$150,000,000
$200,000,000
$250,000,000
$300,000,000
$350,000,000
$400,000,000
20 Million 30 Million 40 Million 50 Million
Records
Mega Breaches

7. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Regulatory Compliance
• Regulations
– PCI – DSS: Payment Card Data
– HIPAA: Privacy of Health Data
– Sarbanes Oxley, GLBA, The USA Patriot Act:
Financial Data, NPI "personally identifiable financial information"
– FERPA – Student Data
– EU General Data Protection Directive: Protection of Personal Data (GDPR)
– Data Protection Act (UK): Protection of Personal Data
• Requirements
– Continuous Monitoring (Users, Schema, Backups, etc.)
– Data Protection (Encryption, Privilege Management, etc.)
– Data Retention (Backups, User Activity, etc.)
– Data Auditing (User activity, etc.)
7

8. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
How to Secure your Databases
Assess
 Locate Risks and Vulnerabilities, Ensure that necessary security controls are
Prevent
 Using Cryptography, User Controls, Access Controls, etc
Detect
 Still a possibility of a breach – so Audit, Monitor, Alert
Recover
 Ensure service is not interrupted as a result of a security incident
 Even through the outage of a primary database
 Forensics – post mortem – fix vulnerability
8

9. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
New Security Features in MySQL 8.0
9

10. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. | 10
MySQL Security Overview Authentication
Authorization
Encryption
Firewall
MySQL Security
Auditing
New! Masking/De-Identification
• Available in 5.7.24 & 8.0.13
• Will be in MySQLaaS as well

11. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
New! MySQL Roles
Improving MySQL Access Controls
• Introduced in the 8.0.0 DMR
• Easier to manage user and applications rights
• As standards compliant as practically possible
• Multiple default roles
• Can export the role graph in GraphML
11
Feature Request
from DBAs
Directly
Indirectly
Set Role(s)
Default Role(s)
Set of
ACLS
Set of
ACLS

12. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
SQL Roles Implementation: MySQL Extras
• Roles can have an optional host part (not currently used)
• Pre-roles ACL code is used when there’s no active role(s)
• Users can be assigned several roles
• Users can have zero or more default roles
• Active Roles can be changed – from various assigned roles
– For example just escalate or change privileges from within an application for certain
operations
12

13. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Role Examples
13

14. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
MySQL Enterprise Masking and De-Identification
New in MySQL 8.0.13 AND 5.7.24!
• Data De-identification helps database customers improve security
• Accelerates compliance for
– Government – GDPR, CHHS
– Financial - PCI
– Healthcare – HIPAA, Clinic Trials Data
• Reduce IT costs by simplifying sanitizing production data
– Transforming sensitive data for use in analytics, testing, development, and more
14

15. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
NEW! MySQL Enterprise Masking and De-Identification
15
De-identify, Anonymize Sensitive Data
ID Last First SSN
1111 Smith John 555-12-5555
1112 Templeton Richard 444-12-4444
ID Last First SSN
2874 Smith John XXX-XX-
5555
3281 Templeton Richard XXX-XX-
4444
Employee Table
Masked View
"Data Masking is a method to hide
sensitive information by replacing
real values with substitutes.”
Random Data Generation

16. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
• Data Masking
– String masking
– Dictionary based replacement
– Specific masking
• SSN
• Payment card : Strict/Relaxed
• Random Data Generators
– Random number within a range
– Email
– Payment card (Luhn check compliant)
– SSN
– Dictionary based generation
16
MySQL Enterprise Masking and De-Identification
Data Masking and Random Data Generation

17. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Data Masking Examples

18. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
MySQL Enterprise Authentication
18
• Integrate with Centralized Authentication Infrastructure
– Centralized Account Management
– Password Policy Management
– Groups & Roles
Supports
– Windows Active Directory (for windows MySQL servers)
– Linux PAM (Pluggable Authentication Modules)
– New Native LDAP
• Ultra Fast and Flexible
• Works with Windows AD (even on non-windows MySQL servers)
Integrates MySQL with existing
security infrastructures

19. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
MySQL Enterprise Authentication: Native LDAP
• Direct Connection over
LDAP Protocol/Ports
• Authentication with
– User and Password
– or SASL
• Customizable for users
and groups
19
Connector
LDAP
Service
Dir
Tree
Port:389
MySQL Native LDAP
Plugin
1) User/Password
Or
2) SASL
2) SASL
SASLD

20. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
New! Atomic ACL Statements
• Long standing MySQL issue!
– For Replication, HA, Backups, etc.
• Possible now - ACL tables reside in 8.0 InnoDB Data Dictionary
• Not just a table operation: memory caches need update too
• Applies to statements performing multiple logical operations, e.g.
– CREATE USER u1, u2
– GRANT SELECT ON *.* TO u1, u2
• Uses a custom MDL lock to block ACL related activity
– While altering the ACL caches and tables
20
Feature Request
from DBAs

21. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
New! Dynamic Privileges
Provides finer grained administrative level access controls
• Too often SUPER is required for tasks when less privilege is really needed
– Support concept of “least privilege”
• Needed to allow adding administrative access controls
– Now can come with new components
– Examples
• Replication
• HA
• Backup
• Give us your ideas
21
Feature Request
from DBAs

22. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
MySQL Password Features
• New! Password Management
– Require new passwords not reuse old ones - By number of changes and/or time.
– Password-reuse (aka Password History)
• Policy can be set globally as well as on a per-account basis.
– New in 8.0.13: Can require old password when changing too
• New! SHA2 with Caching. Now Default !
– Strong (when storing) and Fast (when connecting)
• Strong - SHA-256 password hashing (many rounds, random salt, …)
• Fast – Caching: Greatly reduces latency
• New! Seamless RSA password-exchange capabilities (Lowers SSL Costs)
22

23. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
MySQL 8.0 TDE
• New! AES 256 encryption of UNDO and REDO Logs
Super Simple to manage - Set
innodb_undo_log_encrypt=ON/OFF
innodb_redo_log_encrypt=ON/OFF
And
ON - Pages written after setting are encrypted
OFF - Pages written after setting are not.
 New in 8.0.13 ! Support for encryption in shared table-spaces
23

24. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
New! Security Model For The Cloud: Why ? How ?
• Requirements
– Allow end users to administer their instances without allowing them to “cut the
branch they’re sitting on”
• Problems
– Single “super-user” that’s allowed to do everything
– Some privileges not too granular (e.g. CREATE USER is a global privilege)
• Solution: Create two classes of users: “internal” and “external”
– Internal “super-user” can handle all users (backward compatible)
– External “super-user” can only handle external users

25. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
New! Security Model For the Cloud: The Tools
• SYSTEM_USER global privilege
– When granted to an account allows it to handle all other accounts it’s granted on
– Checked in addition to existing privilege checks.
• Partial revokes
– Problem: One can elevate their own privileges by updating the ACL tables
– Problem: We want global level grants to work for external super users
– Solution: Allow sticky “exceptions” to global grants:
• GRANT SELECT ON *.* TO foo;
• REVOKE SELECT ON mysql.* FROM foo;

26. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
MySQL Security Architecture

27. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
MySQL Enterprise Edition - SECURITY
• MySQL Enterprise TDE
– Data-at-Rest Encryption
– Key Management/Security
• MySQL Enterprise Authentication
– External Authentication Modules
• Microsoft AD, Linux PAMs, LDAP
• MySQL Enterprise Encryption
– Public/Private Key Cryptography
– Asymmetric Encryption
– Digital Signatures, Data Validation
– User Activity Auditing, Regulatory Compliance
• MySQL Data Masking
27
• MySQL Enterprise Firewall
– Block SQL Injection Attacks
– Intrusion Detection
• MySQL Enterprise Audit
– User Activity Auditing, Regulatory Compliance
• MySQL Enterprise Monitor
– Changes in Database Configurations, Users
Permissions, Database Schema, Passwords
• MySQL Enterprise Backup
– Securing Backups, AES 256 encryption
• MySQL Enterprise Thread pool
– Attack Hardening

28. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
28
Enterprise
Security Architecture
 Workbench
•Model
•Data
•Audit Data
•User Management
  Enterprise Monitor
•Identifies Vulnerabilities
•Security hardening policies
•Monitoring & Alerting
•User Monitoring
•Password Monitoring
•Schema Change Monitoring
•Backup Monitoring
Data Encryption
•TDE
•Encryption
•PKI
 Firewall
 Enterprise Authentication
•SSO - LDAP, AD, PAM
 Network Encryption
 Enterprise Audit
•Powerful Rules Engine
 Audit Vault
 Strong Authentication
 Access Controls
 Assess
 Prevent
 Detect
 Recover
 Enterprise Backup
•Encrypted
 HA
•Innodb Cluster
Thread Pool
•Attack minimization
 Key Vault
•Protect Keys
 Enterprise
Masking & De-Identification
•Masking
•Substitute/Subset
•Random Formatted Data
•Blacklisted Data

29. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
What is Transparent Data Encryption?
• Data at Rest Encryption
– Tablespaces, Disks, Storage, OS File system
• Transparent to applications and users
– No application code, schema or data type changes
• Transparent to DBAs
– Keys are hidden from DBAs, no configuration changes
• Requires Key Management
– Protection, rotation, storage, recovery
29

30. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Using MySQL Transparent Data Encryption is EASY
SQL
• New option in CREATE TABLE
ENCRYPTION=“Y”
• New SQL: ALTER INSTANCE ROTATE
INNODB MASTER KEY
Plugin Infrastructure
• New plugin type: keyring
• Ability to load plugin before InnoDB
initialization: --early-plugin-load
Keyring plugin
• Used to retrieve keys from Key Stores
• Over Standardized KMIP protocol
InnoDB
• Support for encrypted tables
• IMPORT/EXPORT of encrypted tables
• Support for master key rotation
• New! undo/redo log encryption
30

31. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
MySQL Enterprise TDE: KMIP Compliant
• KMIP – Key Management Interoperability Protocol (Oasis Standard)
• Keys are protected and secure
• Enables customers to meet regulatory requirements
• KMIP mode tested with the following products
– Oracle Key Vault (OKV)
– Gemalto Safenet KeySecure
– Fornetix Key Orchestration Appliance
– Thales Vormetric
31

32. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
The Keyring API: The Big Picture
32
The MySQL ServerPlugins
(Consumers) Keys
Keyring Plugin
(backend)
Key Storage
Keys
Keyring
Plugin
Service
Keyring
Plugin API
Keys
Key
Ring
API Each Key
Has a
Name/ACL

33. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
What is the Keyring API ?
• A uniform infrastructure for handling keys
• Usable by both the server and plugins
• Available in MySQL 5.7 and up as a plugin API and a plugin service
• Fully extensible
• Can be initialized before InnoDB at startup
• Minimum effort to add new backends and consumers
• New! A keyring migration tool to facilitate moving keys across back-ends !
33

34. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Keyring plugins: The Inventory
• Current Consumers
– InnoDB tablespace encryption
– SQL user defined functions (UDF) plugin
– Enterprise Audit
• Current Backends
– Flat file backend (In EE can be encrypted)
– KMIP compliant clients
• Oracle KeyVault
• Gemalto Safenet KeySecure
• Probably more if they support KMIP standards – give it a try.
34

35. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
MySQL Enterprise Encryption
• MySQL encryption functions
– Symmetric encryption AES256 (All Editions)
– Public-key / asymmetric cryptography – RSA
• Key management functions
– Generate public and private keys
– Key exchange methods: DH
• Sign and verify data functions
– Cryptographic hashing for digital signing, verification, & validation – RSA,DSA
• New since 8.0.11: MySQL can work in FIPs mode
35

36. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
MySQL Enterprise Audit
• Out-of-the-box logging of connections, logins, and query
• User defined policies for filtering, and log rotation
• Dynamically enabled, disabled: no server restart
• XML-based audit stream per Oracle Audit Vault spec
• New! Features in 5.7.21 and in 8.0
– JSON
– Compression
– Encryption
36
Adds regulatory compliance to
MySQL applications
(HIPAA, Sarbanes-Oxley, PCI, etc.)

37. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
MySQL Enterprise Firewall
• Real Time Protection
– Queries analyzed and matched against White List
• Blocks SQL Injection Attacks
– Block Out of Policy Transactions
• Intrusion Detection
– Detect and Alert on Out of Policy Transactions
• Learns White List
– Automated creation of approved list of SQL command patterns on a per user basis
• Transparent
– No changes to application required
• New! Feature in 5.7.20/8.0 – Combined Firewall/Audit Rules
– Create more general allow/deny firewall rules using JSON syntax – using abort=on
37
MySQL Enterprise Firewall monitoring

38. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
MySQL Enterprise Firewall
• New! Feature in 5.7.20 – Combined Firewall/Audit Rules
– Create more general allow/deny firewall rules using JSON syntax – using abort=on
Example - block execution of specific
• SQL statements (insert, update, delete)
• For a specific table (finances.bank_account)
Test rules
• By writing to audit log
• If data as expected change to firewall
– add “abort”
38

39. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Security Direction
• Continuing to focus a great deal on security
• New things are in the works, especially in
these areas:
– TDE / Encryption / Key management
– Masking, Obfuscation, De-identification, Tokenization
– Audit
– Firewall
– Authentication
– Integration to various Oracle Cloud services
– Data masking
39
Customer feedback
and requirements
drive our priorities
Tell us what you want,
need, etc.
Give us problematic
use cases

40. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
40
Enterprise
Security Architecture
 Workbench
•Model
•Data
•Audit Data
•User Management
  Enterprise Monitor
•Identifies Vulnerabilities
•Security hardening policies
•Monitoring & Alerting
•User Monitoring
•Password Monitoring
•Schema Change Monitoring
•Backup Monitoring
Data Encryption
•TDE
•Encryption
•PKI
 Firewall
 Enterprise Authentication
•SSO - LDAP, AD, PAM
 Network Encryption
 Enterprise Audit
•Powerful Rules Engine
 Audit Vault
 Strong Authentication
 Access Controls
 Assess
 Prevent
 Detect
 Recover
 Enterprise Backup
•Encrypted
 HA
•Innodb Cluster
Thread Pool
•Attack minimization
 Key Vault
•Protect Keys
 Enterprise
Masking & De-Identification
•Masking
•Substitute/Subset
•Random Formatted Data
•Blacklisted Data

41. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
MySQL Enterprise Edition - SECURITY
• MySQL Enterprise TDE
– Data-at-Rest Encryption
– Key Management/Security
• MySQL Enterprise Authentication
– External Authentication Modules
• Microsoft AD, Linux PAMs, LDAP
• MySQL Enterprise Encryption
– Public/Private Key Cryptography
– Asymmetric Encryption
– Digital Signatures, Data Validation
– User Activity Auditing, Regulatory Compliance
• MySQL Data Masking
41
• MySQL Enterprise Firewall
– Block SQL Injection Attacks
– Intrusion Detection
• MySQL Enterprise Audit
– User Activity Auditing, Regulatory Compliance
• MySQL Enterprise Monitor
– Changes in Database Configurations, Users
Permissions, Database Schema, Passwords
• MySQL Enterprise Backup
– Securing Backups, AES 256 encryption
• MySQL Enterprise Thread pool
– Attack Hardening

42. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Security Resources
• http://mysqlserverteam.com/
• http://insidemysql.com/
• https://blogs.oracle.com/mysql
• https://www.mysql.com/why-mysql/#en-0-40
• https://www.mysql.com/why-mysql/presentations/#en-17-40
• https://www.mysql.com/news-and-events/on-demand-webinars/#en-20-
40
• https://www.mysql.com/news-and-events/health-check/
42

43. Copyright © 2019, Oracle and/or its affiliates. All rights reserved. |
Thank you!
43