MySQL 8.0 - Security Features

Harin Vadodaria
Principal MTS
SrvGen, MySQL Engineering
November 12, 2019
Securing MySQL
2 Copyright © 2019 Oracle and/or its affiliates.

Safe harbor statement
The following is intended to outline our general product direction. It is intended for information
purposes only, and may not be incorporated into any contract. It is not a commitment to deliver
any material, code, or functionality, and should not be relied upon in making purchasing decisions.
The development, release, timing, and pricing of any features or functionality described for Oracle’s
products may change and remains at the sole discretion of Oracle Corporation.

Security Challenges
Program agenda
1
2
3
MySQL Security Architecture
Security Features in MySQL 8.0

Security Challenges
Program agenda
1
2
3

6
Why should you care?
Copyright © 2019 Oracle and/or its affiliates.

Security is Priority #1
7
“Keep the organization safe
(cybersecurity/cyber resilience/GDPR
compliance/data protection compliance)”

Security is Priority #1
9
Poor
Configuration
Over Privileged
Account
Weak Access
Control
Weak
Authentication
Weak
Auditing
Lack of Encryption
Poor Credential and
Key Management
Insecure Backup
No
Monitoring
Poorly Coded
Applications

Security Challenges
Program agenda
1
2
3

How to secure your databases?
11
• Assess
• Locate vulnerable components and
ensure security control
• Prevent
• Use strong authentication, access
control, encryption etc.
• Detect
• Prepare for the worst – Monitor, Audit,
Alert
• Recover
• Minimize downtime
• Analyze the problem and plug the
hole

12
Users
Applications
 Network Encryption
 Granular Access Control
  Workbench  Database Events Logging
 File Based Keyring
 High Availability
through
InnoDB Cluster
 Assess
 Prevent
 Detect
 Recover
 Logical backup through
mysqlpump
 Strong Authentication
and Login Policy
 Protection against
Brute Force Attack

13
Users
Applications
 Network Encryption
 Protection against
Brute Force Attack
 Granular Access Control
  Workbench
 High Availability
Through
InnoDB Cluster
 Assess
 Prevent
 Detect
 Recover
 Enterprise Authentication
And login policy
  Firewall
  Enterprise Monitor
 Key Vault
 Audit Vault
 Enterprise Backup
 Thread pool
  Enterprise Audit

14
Connection Control Plugin
Granular Access Control
SQL Roles
Password Policies
TLSv1.3 Support
Dynamic Privileges
Resource Control
Transparent Data Encryption
Enterprise Audit Plugin
Enterprise Firewall Plugin
Binary Log Encryption
Redo/Undo Log Encryption
Enterprise Authentication
Enterprise Encryption Plugin Keyring Plugins
OpenSSL FIPS Support
Admin Port
SYSTEM_USER privilege
Partial Revokes
Random Password Generator
Keyring UDFs
MySQL Enterprise Monitor
Secure Backup with MEB
HA Using InnoDB Cluster
Performance Schema
Error Logs
MySQL Workbench
ASSESS
PREVENT
DETECT
RECOVER
Data Masking UDFs

Security Challenges
Program agenda
1
2
3

Random Password Generator
New! Creates strong password - Returns the value as result set
Helps secure automation
CREATE USER ‘foo’ IDENTIFIED BY RANDOM PASSWORD;
ALTER USER ‘bar’ IDENTIFIED BY RANDOM PASSWORD;
SET PASSWORD FOR ‘foo’ TO RANDOM;

Enterprise Authentication
Integrates with existing authentication infrastructure
- PAM Support
- New! Native LDAP support
- Fast & Flexible
- Supports Windows AD and OpenLDAP

MySQL Password Features
New! Dual password support – Helps bridging gap in password propagation: database > application
- Enhanced ALTER USER
- RETAIN CURRENT PASSWORD
- DISCARD OLD PASSWORD
Default! SHA2 with Caching feature
- Secure storage of password hash
- Fast connection using cached password hash
- RSA key based password exchange

MySQL Password Features
New! Password History
- Controls password reuse based on
- Number of passwords
- Time
New! Restrict password change in hijacked connections
- Existing password requirement can be enforced
- PASSWORD REQUIRE CURRENT

SYSTEM_USER privilege
New! Two user categories: Power users and Regular users
- Allows maintaining separation of duty better
20
• DBAs managing instances
and NOT data
E.g. Uptime, Backup,
High Level Security
• DBAs managing data
• Regular users with
access to part of data

Partial Revokes
Allows creating exception to global grants (Everything except ‘this’ and ‘that’)
- Execute GRANT at global level followed by REVOKE at schema level
GRANT SELECT ON *.* TO `developer`;
REVOKE SELECT ON `hrdb`.* FROM `developer`;

SQL Roles
New! Improved access control using roles
- Groups privileges
- Facilitates easier privilege propagation
- Easier to maintain
- Reduces complexity

SQL Roles

SQL Roles
24 • 2
4
CREATE ROLE <role>GRANT <role> TO <user>REVOKE <role> FROM <user>SET ROLE instance_adminSET ROLE security_admin
GRANT <privs> … TO <role>REVOKE <privs> … FROM <role>

SQL Roles
25 • 2
5
Universal Grants through
mandatory_roles

Communication Security
New! OpenSSL 1.1.1 support
- Latest edition of OpenSSL library
New! TLSv1.3 support
New! Dynamic TLS options
- --ssl-* options can be changed at run time
- ALTER INSTANCE RELOAD TLS

Communication Security
New! Dynamic OpenSSL linking
- Allows usage of platform specific enhancements (AES-NI)
- Facilitates TLS library upgrade
- Allows usage of
- FIPS object module
- OpenSSL engines

What?
- Data at Rest Encryption
- Tablespaces, Audit logs
- New! Binary logs, undo/redo logs
Transparent to applications and users
- No application code or data type changes
Transparent to DBAs
- Keys are hidden from DBAs, no configuration changes
Requires Key Management
- Protection, rotation, storage, recovery

29
MySQL Server
In-mem store
API Interface
Key Backend
InnoDB
Binary Log
Audit Log
Plugin Service
How?
Keyring Plugin

The journey so far…
- Introduced in MySQL 5.7
-TDE of file-per-table tablespaces in InnoDB
-Audit log encryption
- New! in MySQL 8.0
- Undo/Redo log encryption
- Binary log encryption
- Data dictionary encryption
- General tablespace encryption
-Policy to enforce table encryption

Supported backends
- KMIP compliant
- Oracle Key Vault, Gemalto KeySecure,
Thales Vormetric Key Management Server,
Fornetix Key Orchestration
- Encrypted File

Supported backend
- New! Hashicorp vault
- Scalable and available
- Stores, manages and generates secrets
- Accessed through REST APIs over TLS connection

Data masking and De-Identification
Wikipedia - “Data masking is the process of hiding original data with random characters or data”
New! Data Masking
- String masking
- Dictionary based replacement
- Payment card : Strict/Relaxed
New! Random Data Generators
- Random number within a range
- Email
- Payment card (Luhn check compliant)
- Dictionary based generation

String
- Mask within a string : ArthXXXXnt
- Mask beginning and at the end : XXthurDeXX
- Payment Card
- Strict: XXXXXXXXXXXXXXX7395,
- Relaxed: 493812XXXXXXXXX7395
- Dictionary based masking
- gen_blacklist(“007”, “00designations”, “Cover_identity”) => Universal Exports

Random Data Generation
- Random data within range
- gen_range(10000, 20000) => 12503
- Email : kajsm.hamskdk@example.com
- Payment card : 7389026626032990
- Configurable length : 12 to 19 digits

Dictionary based data generation & blacklists
- Load multiple dictionaries
- Maps dictionary file => dictionary name
- In memory data for faster retrieval
- Generation based on dictionary data
- gen_dictionary(“periodictable”) => Oxygen
- If 007 on the blacklist then substitute
- Blacklisted – 007 – thus randomly substituted from Jobs Dictionary
- gen_blacklist(“007”, “Job_mask", “Jobs") => “Accountant”
- Not blacklisted – Administrator – thus passes through
- gen_blacklist(“Administrator”, “Job_mask", “Jobs") => “Administrator”

MySQL Enterprise Audit
What?
- Out-of-the-box logging of connections, logins and queries
- Highly configurable – user defined filters and log rotation
- New! SQL Access to audit events
- New! Multiple file options
37
{ }
</>
Format
Compression
Encryption
GZIP
- AES-256-CBC
- Uses keyring

New! Ability to abort queries – Use filter abort
- Configurable – Abort based on
- Query type
- Object

MySQL Enterprise Firewall
Statement digest based firewall
- Protects against SQL injection
- Configurable
- Per user
- Operation: LEARN->DETECT->PROTECT

41
SELECT * FROM app1_data1
WHERE id = 10;

42
WHERE id = 10;
LEARN

43
WHERE id = 10;
LEARN
WHERE id = 10;

44
DETECT
WHERE id = 10;

WHERE id = 10;
WHERE id = 10 OR 1 = 1;
PROTECT
45

MySQL Enterprise Encryption
46
SQL Interface to OpenSSL Functions
- Supports RSA/DSA/DH algorithms
- Configurable Key Size
Key Generation
- CREATE_ASYMMETRIC_PRIV_KEY &
CREATE_ASYMMETRIC_PUB_KEY
- CREATE_DH_PARAMETERS & ASYMMETRIC_DERIVE
Asymmetric Encryption/Decryption
- ASYMMETRIC_ENCRYPT
- ASYMMETRIC_DECRYPT
Digest Creation : CREATE_DIGEST
Sign & Verify
- ASYMMETRIC_SIGN
- ASYMMETRIC_VERIFY

Security Resources
• MUST READ https://dev.mysql.com/doc/mysql-secure-deployment-guide/8.0/en/
• http://mysqlserverteam.com/
• http://insidemysql.com/
• https://blogs.oracle.com/mysql
• https://www.mysql.com/why-mysql/#en-0-40
• https://www.mysql.com/why-mysql/presentations/#en-17-40
• https://www.mysql.com/news-and-events/on-demand-webinars/#en-20-40
• https://www.mysql.com/news-and-events/health-check/

Questions

Thank you

MySQL 8.0 - Security Features

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a MySQL 8.0 - Security Features

Similar a MySQL 8.0 - Security Features (20)

Último

Último (20)

MySQL 8.0 - Security Features