MySQL 8.0 - Security Features
- 3. Safe harbor statement
The following is intended to outline our general product direction. It is intended for information
purposes only, and may not be incorporated into any contract. It is not a commitment to deliver
any material, code, or functionality, and should not be relied upon in making purchasing decisions.
The development, release, timing, and pricing of any features or functionality described for Oracle’s
products may change and remains at the sole discretion of Oracle Corporation.
Copyright © 2019 Oracle and/or its affiliates.
- 7. Security is Priority #1
“Keep the organization safe (cybersecurity/cyber resilience/GDPR compliance/data protection compliance)”
- 9. Security is Priority #1
- Poor Configuration
- Over Privileged Account
- Weak Access Control
- Weak Authentication
- Weak Auditing
- Lack of Encryption
- Poor Credential and Key Management
- Insecure Backup
- No Monitoring
- Poorly Coded Applications
- 11. How to secure your databases?
• Assess
  - Locate vulnerable components and ensure security control
• Prevent
  - Use strong authentication, access control, encryption etc.
• Detect
  - Prepare for the worst – Monitor, Audit, Alert
• Recover
  - Minimize downtime
  - Analyze the problem and plug the hole
- 12. Community Edition security features (diagram: Users and Applications; features arranged along Assess / Prevent / Detect / Recover)
- Network Encryption
- Granular Access Control
- Strong Authentication and Login Policy
- Protection against Brute Force Attack
- File Based Keyring
- Workbench
- Database Events Logging
- High Availability through InnoDB Cluster
- Logical backup through mysqlpump
- 13. Enterprise Edition security features (diagram: Users and Applications; features arranged along Assess / Prevent / Detect / Recover)
- Network Encryption
- Protection against Brute Force Attack
- Granular Access Control
- Workbench
- High Availability through InnoDB Cluster
- Enterprise Authentication and login policy
- Firewall
- Enterprise Monitor
- Key Vault
- Audit Vault
- Enterprise Backup
- Thread pool
- Enterprise Audit
- 14. MySQL 8.0 security features (diagram: arranged along ASSESS / PREVENT / DETECT / RECOVER)
- Connection Control Plugin
- Granular Access Control
- SQL Roles
- Password Policies
- TLSv1.3 Support
- Dynamic Privileges
- Resource Control
- Transparent Data Encryption
- Enterprise Audit Plugin
- Enterprise Firewall Plugin
- Binary Log Encryption
- Redo/Undo Log Encryption
- Enterprise Authentication
- Enterprise Encryption Plugin
- Keyring Plugins
- OpenSSL FIPS Support
- Admin Port
- SYSTEM_USER privilege
- Partial Revokes
- Random Password Generator
- Keyring UDFs
- MySQL Enterprise Monitor
- Secure Backup with MEB
- HA Using InnoDB Cluster
- Performance Schema
- Error Logs
- MySQL Workbench
- Data Masking UDFs
- 16. Random Password Generator
New! Creates a strong password and returns the value as a result set
Helps secure automation
CREATE USER 'foo' IDENTIFIED BY RANDOM PASSWORD;
ALTER USER 'bar' IDENTIFIED BY RANDOM PASSWORD;
SET PASSWORD FOR 'foo' TO RANDOM;
- 17. Enterprise Authentication
Integrates with existing authentication infrastructure
- PAM Support
- New! Native LDAP support
- Fast & Flexible
- Supports Windows AD and OpenLDAP
- 18. MySQL Password Features
New! Dual password support – helps bridge the gap in password propagation from database to application
- Enhanced ALTER USER
- RETAIN CURRENT PASSWORD
- DISCARD OLD PASSWORD
Default! SHA2 with Caching feature
- Secure storage of password hash
- Fast connection using cached password hash
- RSA key based password exchange
- 19. MySQL Password Features
New! Password History
- Controls password reuse based on
- Number of passwords
- Time
New! Restrict password change in hijacked connections
- Existing password requirement can be enforced
- PASSWORD REQUIRE CURRENT
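A rotation sequence that exercises the features on the two password slides together: caching_sha2_password, dual passwords (RETAIN CURRENT PASSWORD / DISCARD OLD PASSWORD), password history and PASSWORD REQUIRE CURRENT. This is an added example, not from the deck; the account 'app'@'10.0.0.%' and all password strings are placeholders.

```sql
-- Added example: password lifecycle for an application account.
-- Account name and password values are placeholders.

-- 1. Create the account with the default caching_sha2_password plugin
--    (SHA-256 hash on disk, fast reconnects through the server-side cache,
--    RSA key exchange when the connection is not TLS-protected) and a reuse
--    policy: none of the last 5 passwords, nothing used in the last 365 days,
--    and self-service changes must present the current password.
CREATE USER 'app'@'10.0.0.%'
  IDENTIFIED WITH caching_sha2_password BY 'Initial#Secret-1'
  PASSWORD HISTORY 5
  PASSWORD REUSE INTERVAL 365 DAY
  PASSWORD REQUIRE CURRENT;

-- 2. Start a rotation: set the new password but keep the old one valid
--    (dual password, 8.0.14+). Application instances still carrying the old
--    secret keep authenticating while the new one is rolled out.
ALTER USER 'app'@'10.0.0.%'
  IDENTIFIED BY 'Rotated#Secret-2'
  RETAIN CURRENT PASSWORD;

-- 3. Confirm the secondary password is in place before touching app configs.
SELECT User, Host,
       User_attributes->'$.additional_password' IS NOT NULL AS has_secondary
FROM mysql.user
WHERE User = 'app' AND Host = '10.0.0.%';

-- 4. Once every application instance uses the new secret, drop the old one.
ALTER USER 'app'@'10.0.0.%' DISCARD OLD PASSWORD;

-- 5. Expected to fail: the initial password is still in the history window.
ALTER USER 'app'@'10.0.0.%' IDENTIFIED BY 'Initial#Secret-1';

-- 6. From the application's own session: PASSWORD REQUIRE CURRENT means the
--    change must carry the current password via REPLACE. A hijacked session
--    that does not know it cannot lock the real owner out this way.
ALTER USER USER() IDENTIFIED BY 'Self#Secret-3' REPLACE 'Rotated#Secret-2';

-- 7. The hashes consulted by the reuse check.
SELECT Host, User, Password_timestamp
FROM mysql.password_history
WHERE User = 'app';
```

Step 5 is there to show the policy biting: the reuse check is enforced by the server, not by convention, so a runbook that "rotates back" to a known password is refused.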
- 20. SYSTEM_USER privilege
New! Two user categories: Power users and Regular users
- Allows better separation of duties
• DBAs managing instances and NOT data, e.g. uptime, backup, high-level security
• DBAs managing data
• Regular users with access to part of the data
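The three categories from this slide set up as accounts, with SYSTEM_USER drawing the line between the two DBA kinds. Added example, not from the deck; account, schema and table names are placeholders.

```sql
-- Added example: instance administrators vs data administrators, separated
-- by the SYSTEM_USER privilege (8.0.16+). Names are placeholders.

-- Instance DBA: uptime, backups, server-level security; no rights on
-- application data.
CREATE USER 'ops_dba'@'localhost' IDENTIFIED BY 'placeholder-ops';
GRANT SYSTEM_USER, SYSTEM_VARIABLES_ADMIN, PERSIST_RO_VARIABLES_ADMIN,
      BACKUP_ADMIN, CONNECTION_ADMIN, CREATE USER, RELOAD, PROCESS
  ON *.* TO 'ops_dba'@'localhost';

-- Data DBA: full control of the application schema and of regular
-- accounts, but no SYSTEM_USER.
CREATE USER 'data_dba'@'localhost' IDENTIFIED BY 'placeholder-data';
GRANT ALL PRIVILEGES ON appdb.* TO 'data_dba'@'localhost';
GRANT CREATE USER ON *.* TO 'data_dba'@'localhost';

-- Regular user: part of the data only.
CREATE USER 'report'@'%' IDENTIFIED BY 'placeholder-report';
GRANT SELECT ON appdb.sales_summary TO 'report'@'%';

-- What the split enforces, from a data_dba session:
--   ALTER USER 'report'@'%' ACCOUNT LOCK;            -- allowed: regular account
--   ALTER USER 'ops_dba'@'localhost' ACCOUNT LOCK;   -- refused: target holds SYSTEM_USER
--   KILL <connection id of an ops_dba session>;      -- refused for the same reason
-- Modifying, dropping or killing a SYSTEM_USER account requires SYSTEM_USER,
-- so a compromised data DBA cannot turn itself into an instance DBA.

-- Inventory of the "power user" category.
SELECT USER, HOST
FROM mysql.global_grants
WHERE PRIV = 'SYSTEM_USER';
```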
- 21. Partial Revokes
Allows creating exceptions to global grants (everything except ‘this’ and ‘that’)
- Execute GRANT at global level followed by REVOKE at schema level
GRANT SELECT ON *.* TO `developer`;
REVOKE SELECT ON `hrdb`.* FROM `developer`;
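The two statements above only work once the server allows partial revokes, which the slide does not mention. The sequence below, an added example rather than the deck's, carries the slide's `developer` / `hrdb` case through enabling the feature, checking the result and undoing it; `appdb.orders` and `hrdb.salaries` are placeholder tables.

```sql
-- Added example: a schema-level exception to a global SELECT grant.
-- `developer` and `hrdb` come from the slide; the other names are placeholders.

-- Off by default. Until enabled, REVOKE at schema level of a privilege held
-- globally is rejected because there is nothing at that level to revoke.
SET PERSIST partial_revokes = ON;

CREATE USER `developer`@'%' IDENTIFIED BY 'placeholder';
GRANT SELECT ON *.* TO `developer`@'%';
REVOKE SELECT ON `hrdb`.* FROM `developer`@'%';

-- The exception is stored as a restriction and shows up as a REVOKE line:
SHOW GRANTS FOR `developer`@'%';
--   GRANT SELECT ON *.* TO `developer`@`%`
--   REVOKE SELECT ON `hrdb`.* FROM `developer`@`%`

-- From the developer's session: the first works, the second is denied.
SELECT COUNT(*) FROM appdb.orders;
SELECT COUNT(*) FROM hrdb.salaries;

-- If developer (with GRANT OPTION) grants SELECT ON *.* to someone else,
-- the grantee inherits the same hrdb restriction; delegation cannot widen
-- what the grantor holds.

-- Lift the exception by granting the privilege back at schema level.
GRANT SELECT ON `hrdb`.* TO `developer`@'%';
```

Once any account carries a restriction, partial_revokes cannot be switched back off, so enable it deliberately and persist it.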
- 22. SQL Roles
New! Improved access control using roles
- Groups privileges
- Facilitates easier privilege propagation
- Easier to maintain
- Reduces complexity
- 24. SQL Roles
CREATE ROLE <role>
GRANT <role> TO <user>
REVOKE <role> FROM <user>
SET ROLE instance_admin
SET ROLE security_admin
GRANT <privs> … TO <role>
REVOKE <privs> … FROM <role>
- 25. SQL Roles
Universal Grants through mandatory_roles
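The role statements from the two slides above assembled into one working setup, including a universal grant through mandatory_roles. Added example, not the deck's; the role names instance_admin and security_admin are the slide's, everything else is a placeholder.

```sql
-- Added example: privileges on roles, roles on people, plus a mandatory
-- role. instance_admin / security_admin are from the slide; the rest are
-- placeholders.

CREATE ROLE 'instance_admin', 'security_admin', 'app_read';

-- Privileges are granted to roles, never directly to individual accounts.
GRANT SYSTEM_VARIABLES_ADMIN, BACKUP_ADMIN, RELOAD ON *.* TO 'instance_admin';
GRANT CREATE USER, ROLE_ADMIN, AUDIT_ADMIN ON *.* TO 'security_admin';
GRANT SELECT ON appdb.* TO 'app_read';

-- A DBA holds both admin roles; only one is active by default.
CREATE USER 'alice'@'localhost' IDENTIFIED BY 'placeholder';
GRANT 'instance_admin', 'security_admin' TO 'alice'@'localhost';
SET DEFAULT ROLE 'instance_admin' TO 'alice'@'localhost';

-- In alice's session: switch roles explicitly for security work, and check
-- what the active role set actually grants.
SET ROLE 'security_admin';
SELECT CURRENT_ROLE();
SHOW GRANTS FOR 'alice'@'localhost' USING 'security_admin';

-- Universal grant: every account holds app_read without an explicit GRANT.
-- A mandatory role still has to be active to take effect, so turn on
-- activation at login as well.
SET PERSIST mandatory_roles = 'app_read';
SET PERSIST activate_all_roles_on_login = ON;

-- Propagation in the other direction: one REVOKE on the role removes the
-- privilege from every account that has it ...
REVOKE SELECT ON appdb.* FROM 'app_read';
-- ... and a role can be withdrawn from one account without touching others.
REVOKE 'security_admin' FROM 'alice'@'localhost';
```

A role listed in mandatory_roles cannot be dropped or revoked from accounts while it is mandatory; change the variable first.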
- 26. Communication Security
New! OpenSSL 1.1.1 support
- Latest edition of OpenSSL library
New! TLSv1.3 support
New! Dynamic TLS options
- --ssl-* options can be changed at run time
- ALTER INSTANCE RELOAD TLS
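A certificate rotation that uses the dynamic --ssl-* options and ALTER INSTANCE RELOAD TLS from this slide, with the checks that confirm the new context is live. Added example, not from the deck; the file paths and the 'app' account are placeholders.

```sql
-- Added example: rotate the server certificate and restrict TLS versions
-- without a restart. Paths and account are placeholders.

-- The ssl_* variables are dynamic (8.0.16+), but new values are not used
-- until the TLS context is reloaded.
SET PERSIST ssl_ca   = '/etc/mysql/tls/ca.pem';
SET PERSIST ssl_cert = '/etc/mysql/tls/server-cert-2019.pem';
SET PERSIST ssl_key  = '/etc/mysql/tls/server-key-2019.pem';

-- Offer only TLS 1.2 and 1.3 (1.3 requires the server to be built against
-- OpenSSL 1.1.1).
SET PERSIST tls_version = 'TLSv1.2,TLSv1.3';

-- Reload. By default a failed reload (unreadable file, key/cert mismatch)
-- reports an error and keeps the previous context, so a botched rotation
-- does not break encrypted connections.
ALTER INSTANCE RELOAD TLS;

-- What the server is now using, and what a fresh session negotiated.
SHOW GLOBAL STATUS LIKE 'Current_tls_%';
SHOW SESSION STATUS LIKE 'Ssl_version';
SHOW SESSION STATUS LIKE 'Ssl_cipher';

-- Make encryption mandatory: per account, and for every client.
ALTER USER 'app'@'10.0.0.%' REQUIRE SSL;
SET PERSIST require_secure_transport = ON;
```

Existing connections keep the context they were established with; only sessions opened after the reload pick up the new certificate, which is why the check runs from a new session.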
- 27. Communication Security
New! Dynamic OpenSSL linking
- Allows usage of platform specific enhancements (AES-NI)
- Facilitates TLS library upgrade
- Allows usage of
- FIPS object module
- OpenSSL engines
- 28. Transparent Data Encryption
What?
- Data at Rest Encryption
- Tablespaces, Audit logs
- New! Binary logs, undo/redo logs
Transparent to applications and users
- No application code or data type changes
Transparent to DBAs
- Keys are hidden from DBAs, no configuration changes
Requires Key Management
- Protection, rotation, storage, recovery
- 29. Transparent Data Encryption
How?
(Diagram: inside the MySQL Server, InnoDB, Binary Log and Audit Log reach the Keyring Plugin through a Plugin Service; the Keyring Plugin holds an in-memory store and an API interface to the Key Backend.)
- 30. Transparent Data Encryption
The journey so far…
- Introduced in MySQL 5.7
  - TDE of file-per-table tablespaces in InnoDB
  - Audit log encryption
- New! in MySQL 8.0
  - Undo/Redo log encryption
  - Binary log encryption
  - Data dictionary encryption
  - General tablespace encryption
  - Policy to enforce table encryption
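The encryption features listed on slides 28 to 30 switched on in one pass, ending with master key rotation and an inventory query. Added example, not the deck's; it assumes a keyring plugin is already loaded at server start (the deck does not show that step), and the schema, table and tablespace names are placeholders.

```sql
-- Added example: enabling MySQL 8.0 data-at-rest encryption end to end.
-- Assumes a keyring plugin (e.g. keyring_file or a KMIP/Vault keyring) is
-- configured at startup; object names are placeholders.

-- 0. No keyring, no encryption: every ENCRYPTION='Y' below would fail.
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM information_schema.PLUGINS
WHERE PLUGIN_NAME LIKE 'keyring%';

-- 1. File-per-table tablespaces (the 5.7 feature): new and existing tables.
CREATE TABLE appdb.customers (
  id    BIGINT PRIMARY KEY,
  email VARCHAR(255) NOT NULL
) ENCRYPTION='Y';
ALTER TABLE appdb.orders ENCRYPTION='Y';   -- rebuilds the table

-- 2. 8.0: general tablespaces and the data dictionary (mysql tablespace).
CREATE TABLESPACE ts_sensitive ADD DATAFILE 'ts_sensitive.ibd' ENCRYPTION='Y';
ALTER TABLESPACE mysql ENCRYPTION='Y';

-- 3. 8.0: redo/undo logs and the binary log, all dynamic.
SET PERSIST innodb_redo_log_encrypt = ON;
SET PERSIST innodb_undo_log_encrypt = ON;
SET PERSIST binlog_encryption = ON;

-- 4. 8.0.16 policy: schemas and general tablespaces default to encrypted,
--    tables inherit the schema default, and only TABLE_ENCRYPTION_ADMIN may
--    override it with ENCRYPTION='N'.
SET PERSIST default_table_encryption = ON;
SET PERSIST table_encryption_privilege_check = ON;
ALTER DATABASE appdb DEFAULT ENCRYPTION='Y';

-- 5. Key management: rotating the master key re-wraps the per-tablespace
--    keys, the data files are not rewritten; then list what is encrypted.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
ALTER INSTANCE ROTATE BINLOG MASTER KEY;
SELECT NAME, ENCRYPTION
FROM information_schema.INNODB_TABLESPACES
WHERE ENCRYPTION = 'Y';
```

The master key lives in the keyring backend, not in the data directory, which is what makes the scheme transparent to DBAs: they rotate it, they never see it.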
- 31. Transparent Data Encryption
Supported backends
- KMIP compliant
  - Oracle Key Vault, Gemalto KeySecure, Thales Vormetric Key Management Server, Fornetix Key Orchestration
- Encrypted File
- 32. Transparent Data Encryption
Supported backends
- New! HashiCorp Vault
- Scalable and available
- Stores, manages and generates secrets
- Accessed through REST APIs over a TLS connection
- 33. Data masking and De-Identification
Wikipedia - “Data masking is the process of hiding original data with random characters or data”
New! Data Masking
- String masking
- Dictionary based replacement
- Payment card : Strict/Relaxed
New! Random Data Generators
- Random number within a range
- Email
- Payment card (Luhn check compliant)
- Dictionary based generation
- 34. Data masking and De-Identification
String
- Mask within a string: ArthXXXXnt
- Mask at the beginning and the end: XXthurDeXX
Payment Card
- Strict: XXXXXXXXXXXXXXX7395
- Relaxed: 493812XXXXXXXXX7395
Dictionary based masking
- gen_blacklist("007", "00designations", "Cover_identity") => Universal Exports
- 35. Data masking and De-Identification
Random Data Generation
- Random data within range
- gen_range(10000, 20000) => 12503
- Email : kajsm.hamskdk@example.com
- Payment card : 7389026626032990
- Configurable length : 12 to 19 digits
- 36. Data masking and De-Identification
Dictionary based data generation & blacklists
- Load multiple dictionaries
  - Maps dictionary file => dictionary name
  - In-memory data for faster retrieval
- Generation based on dictionary data
  - gen_dictionary("periodictable") => Oxygen
- If 007 is on the blacklist then substitute
  - Blacklisted – 007 – thus randomly substituted from the Jobs dictionary
  - gen_blacklist("007", "Job_mask", "Jobs") => "Accountant"
  - Not blacklisted – Administrator – thus passes through
  - gen_blacklist("Administrator", "Job_mask", "Jobs") => "Administrator"
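The masking, generation and dictionary functions from slides 33 to 36 combined into a de-identified view that analysts query instead of the raw table. Added example, not the deck's; it assumes the data_masking plugin and its functions are installed (the deck does not show the install step), and the table, columns, dictionary file paths and the 'analyst' account are placeholders. The Job_mask and Jobs dictionary names are the slide's.

```sql
-- Added example: de-identified access through a view. Assumes the
-- Enterprise Data Masking functions are installed; table, column, path and
-- account names are placeholders.

-- Dictionaries live in memory and are gone after a restart, so load them
-- from a startup routine: one to match against, one to draw replacements from.
SELECT gen_dictionary_load('/usr/share/masking/job_mask.txt', 'Job_mask');
SELECT gen_dictionary_load('/usr/share/masking/jobs.txt',     'Jobs');

-- The view runs with the definer's rights, so the analyst never needs
-- SELECT on the underlying table.
CREATE OR REPLACE SQL SECURITY DEFINER VIEW appdb.customers_masked AS
SELECT
  id,
  mask_inner(full_name, 4, 2)                  AS name_inner,    -- 'ArthurDent' -> 'ArthXXXXnt'
  mask_outer(full_name, 2, 2)                  AS name_outer,    -- 'ArthurDent' -> 'XXthurDeXX'
  mask_pan(card_number)                        AS card_strict,   -- all but the last 4 digits
  mask_pan_relaxed(card_number)                AS card_relaxed,  -- keeps first 6 and last 4
  gen_blacklist(job_title, 'Job_mask', 'Jobs') AS job_title,     -- listed titles are swapped,
                                                                 -- others pass through
  gen_rnd_email()                              AS email,         -- synthetic, not derived
  gen_range(18, 90)                            AS age            -- random in range
FROM appdb.customers;

GRANT SELECT ON appdb.customers_masked TO 'analyst'@'%';

-- Test data for non-production copies: Luhn-valid card numbers of a chosen
-- length (12 to 19 digits) and values drawn from a loaded dictionary.
SELECT gen_rnd_pan(16), gen_rnd_pan(19), gen_dictionary('Jobs');
```

mask_pan and mask_pan_relaxed preserve the Luhn-checkable shape of a card number while removing the identifying digits; gen_rnd_email and gen_range produce values with no relation to the source row, which is the right choice for columns that must not be re-linkable.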
- 37. MySQL Enterprise Audit
What?
- Out-of-the-box logging of connections, logins and queries
- Highly configurable – user defined filters and log rotation
- New! SQL Access to audit events
- New! Multiple file options
Log file options:
- Format: JSON ({ }) or XML (</>)
- Compression: GZIP
- Encryption: AES-256-CBC, uses keyring
- 39. MySQL Enterprise Audit
New! Ability to abort queries – Use filter abort
- Configurable – Abort based on
- Query type
- Object
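One filter that covers both audit slides: full logging plus a filter abort on reads of a single sensitive table, assigned to one account, followed by reading the log back over SQL. Added example, not the deck's; it assumes the audit_log plugin and its filter functions are installed, and `hrdb.salaries`, the account `analyst@localhost` and the password string are placeholders.

```sql
-- Added example: audit filter with an abort rule, plus SQL access to the
-- log. Assumes the audit_log plugin is installed; names are placeholders.

-- "log": true at the top keeps every event class logged. The table_access
-- item adds an abort condition to "read" events: a statement reading
-- hrdb.salaries is refused before it executes.
SELECT audit_log_filter_set_filter('log_all_block_salaries', '{
  "filter": {
    "log": true,
    "class": {
      "name": "table_access",
      "event": {
        "name": "read",
        "abort": {
          "and": [
            { "field": { "name": "table_database.str", "value": "hrdb" } },
            { "field": { "name": "table_name.str",     "value": "salaries" } }
          ]
        }
      }
    }
  }
}');

-- Bind the filter to an account ('%' would make it the default for all).
-- Assignments apply to sessions opened after the call.
SELECT audit_log_filter_set_user('analyst@localhost', 'log_all_block_salaries');

-- Which filter each account is on.
SELECT USER, HOST, FILTERNAME FROM mysql.audit_log_user;

-- Read events with SQL instead of parsing files (requires JSON format):
-- position at the current end of the log, fetch batches until an empty
-- array is returned, then close the read session.
SELECT audit_log_read(audit_log_read_bookmark());
SELECT audit_log_read();
SELECT audit_log_read('null');

-- Format, compression and encryption are startup options (my.cnf):
--   audit_log_format      = JSON
--   audit_log_compression = GZIP
--   audit_log_encryption  = AES
-- The AES log password is kept in the keyring:
SELECT audit_log_encryption_password_set('placeholder-audit-password');
```

The abort rule is a coarse control, not a replacement for privileges: it is useful for a table that must never be read through this path (a dump account, for instance) while ordinary GRANTs still do the fine-grained work.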
- 40. MySQL Enterprise Firewall
Statement digest based firewall
- Protects against SQL injection
- Configurable
- Per user
- Operation: LEARN->DETECT->PROTECT
- 45. MySQL Enterprise Firewall: PROTECT
SELECT * FROM app2_data1 WHERE id = 10;
SELECT * FROM app1_data1 WHERE id = 10 OR 1 = 1;
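The LEARN->DETECT->PROTECT operation from slide 40 written out with the firewall's stored procedures, ending in the PROTECT situation pictured on slide 45. Added example, not the deck's; it assumes the Enterprise Firewall plugin is installed, and the account `app1@%` is a placeholder (the table names are the slide's).

```sql
-- Added example: taking one application account through the three firewall
-- modes. Assumes the firewall plugin is installed; 'app1@%' is a placeholder.

-- 1. LEARN: record the digest of every statement the application issues
--    during a representative run. Digests normalise literals, so
--    "SELECT * FROM app1_data1 WHERE id = ?" is one entry whatever the id.
CALL mysql.sp_set_firewall_mode('app1@%', 'RECORDING');
-- ... exercise the application ...
SELECT RULE
FROM information_schema.MYSQL_FIREWALL_WHITELIST
WHERE USERHOST = 'app1@%';

-- 2. DETECT: keep serving every statement but count and log the ones that
--    match no recorded digest. Run this in production long enough to catch
--    code paths the test run missed.
CALL mysql.sp_set_firewall_mode('app1@%', 'DETECTING');
SHOW GLOBAL STATUS LIKE 'Firewall_access_suspicious';

-- 3. PROTECT: statements with an unknown digest are rejected.
CALL mysql.sp_set_firewall_mode('app1@%', 'PROTECTING');
-- From app1's session:
SELECT * FROM app1_data1 WHERE id = 10;            -- recorded digest: allowed
SELECT * FROM app1_data1 WHERE id = 10 OR 1 = 1;   -- different digest: blocked
SHOW GLOBAL STATUS LIKE 'Firewall_access_denied';

-- Pause enforcement without discarding the learned rules.
CALL mysql.sp_set_firewall_mode('app1@%', 'OFF');
```

The injected clause is blocked because it changes the statement's structure, not because of its literal: the same protection applies to any appended predicate, comment or UNION that the application never issued during the learning phase.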
- 46. MySQL Enterprise Encryption
SQL Interface to OpenSSL Functions
- Supports RSA/DSA/DH algorithms
- Configurable Key Size
Key Generation
- CREATE_ASYMMETRIC_PRIV_KEY & CREATE_ASYMMETRIC_PUB_KEY
- CREATE_DH_PARAMETERS & ASYMMETRIC_DERIVE
Asymmetric Encryption/Decryption
- ASYMMETRIC_ENCRYPT
- ASYMMETRIC_DECRYPT
Digest Creation: CREATE_DIGEST
Sign & Verify
- ASYMMETRIC_SIGN
- ASYMMETRIC_VERIFY
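The functions on this slide in three round trips: sign and verify (with a tampered message), encrypt and decrypt, and a Diffie-Hellman key agreement. Added example, not the deck's; it assumes the Enterprise Encryption functions are installed, and the message text is constructed.

```sql
-- Added example: round trips with the Enterprise Encryption functions.
-- Assumes the openssl_udf functions are installed; the message is constructed.

-- Key generation: a 2048-bit RSA private key and its public half.
SET @priv = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 2048);
SET @pub  = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv);

-- Sign: these functions sign a digest, not the message itself, so hash
-- first and name the same digest type on both sides.
SET @msg = 'order:1001;amount:42.00';
SET @dig = CREATE_DIGEST('SHA256', @msg);
SET @sig = ASYMMETRIC_SIGN('RSA', @dig, @priv, 'SHA256');

-- Verify with the public key: 1 for a valid signature.
SELECT ASYMMETRIC_VERIFY('RSA', @dig, @sig, @pub, 'SHA256') AS valid;

-- A modified message hashes differently, so the same signature fails (0).
SELECT ASYMMETRIC_VERIFY('RSA',
                         CREATE_DIGEST('SHA256', 'order:1001;amount:4200.00'),
                         @sig, @pub, 'SHA256') AS valid_after_tamper;

-- Encrypt to the key holder and decrypt again. RSA only encrypts inputs
-- shorter than the key size minus padding, so this suits small secrets
-- such as a symmetric key, not bulk data.
SET @ct = ASYMMETRIC_ENCRYPT('RSA', @msg, @pub);
SELECT ASYMMETRIC_DECRYPT('RSA', @ct, @priv) = @msg AS roundtrip_ok;

-- Diffie-Hellman: both parties use the same parameters; each derives the
-- shared secret from its own private key and the other's public key.
SET @dhp    = CREATE_DH_PARAMETERS(2048);
SET @a_priv = CREATE_ASYMMETRIC_PRIV_KEY('DH', @dhp);
SET @a_pub  = CREATE_ASYMMETRIC_PUB_KEY('DH', @a_priv);
SET @b_priv = CREATE_ASYMMETRIC_PRIV_KEY('DH', @dhp);
SET @b_pub  = CREATE_ASYMMETRIC_PUB_KEY('DH', @b_priv);
SELECT ASYMMETRIC_DERIVE(@b_pub, @a_priv) = ASYMMETRIC_DERIVE(@a_pub, @b_priv) AS dh_agree;
```

Private keys generated this way exist only in the session variable; storing them in a table defeats the purpose unless that table is itself encrypted and access-controlled, so in practice the private key stays with the application or in the keyring and only public keys and signatures land in the database.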
- 47. Security Resources
• MUST READ https://dev.mysql.com/doc/mysql-secure-deployment-guide/8.0/en/
• http://mysqlserverteam.com/
• http://insidemysql.com/
• https://blogs.oracle.com/mysql
• https://www.mysql.com/why-mysql/#en-0-40
• https://www.mysql.com/why-mysql/presentations/#en-17-40
• https://www.mysql.com/news-and-events/on-demand-webinars/#en-20-40
• https://www.mysql.com/news-and-events/health-check/