MariaDB has the most comprehensive set of security features available in an enterprise open source database, rivaling those of proprietary databases. In this session, MariaDB's Anders Karlsson explores some advanced security capabilities, including the built-in database firewall and data masking, both needed to fully protect personally identifiable and/or sensitive personal information (PII/SPI). He then takes a look at the new security features in MariaDB Server 10.4, from client-side encryption to password-crack detection.
Using advanced security and data-protection features
1. Advanced Security Features in MariaDB
Anders Karlsson
Principal Sales Engineer
MariaDB Corporation
Prepared by
Ulrich Moser
Senior Trainer & Consultant
MariaDB Corporation
2. Agenda
• Introduction to security?
• MariaDB Server Security features
• MariaDB MaxScale Security features
• Security Best Practices
• Questions and Answers
8. SQL Injection – How a 20-year-old boy could break into some very big companies
● Heartland Payment Systems
○ 130 million Card Numbers lost
● Carrefour
○ 2 million Card Numbers lost
● Discover
○ 800.000 Diners Card Numbers lost
The above hacker attacks caused damage both in financial terms and in terms of goodwill and reputation.
Do you want to avoid being the next company on this list?
Albert Gonzalez
10. MariaDB Server - Secure configuration
# Do not follow symbolic links
symbolic_links = 0
# Reject LOAD DATA LOCAL INFILE
local_infile = 0
# Explicitly define an exchange directory for LOAD DATA and
# SELECT … INTO OUTFILE
secure_file_priv = /path/to/secure/dir
# Use only IP addresses and do not resolve hostnames
skip_name_resolve = 1
11. MariaDB Server – Roles and Privileges
Features
• Roles bundle privileges based on the duties of the user
• Roles may be hierarchical
• Privileges can be restricted: REVOKE individual privileges
Best Practices
• Define roles by the need-to-know principle
• GRANT roles instead of privileges
• Always set a DEFAULT ROLE
• Provision just one role to a user
• Use separate application roles for upgrade and normal operation
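The practices on this slide, worked through as an added example (not part of the deck): a read-only base role, a writer role that inherits it, a REVOKE that narrows it, a separate upgrade role, and one default role per account. The shop database, role names, accounts and passwords are assumptions.

```sql
-- Added example, not from the slides. Schema, roles, hosts and passwords
-- are constructed placeholders; adapt them to your deployment.
CREATE DATABASE IF NOT EXISTS shop;

-- Base role: the need-to-know minimum, read-only.
CREATE ROLE shop_reader;
GRANT SELECT ON shop.* TO shop_reader;

-- Hierarchical role: writers inherit everything shop_reader can do.
CREATE ROLE shop_writer;
GRANT shop_reader TO shop_writer;
GRANT INSERT, UPDATE, DELETE ON shop.* TO shop_writer;

-- Restrict a single privilege later without rebuilding the role:
-- the application turned out never to need DELETE.
REVOKE DELETE ON shop.* FROM shop_writer;

-- Separate role for schema upgrades; never granted to the runtime account.
CREATE ROLE shop_upgrade;
GRANT shop_writer TO shop_upgrade;
GRANT CREATE, ALTER, DROP, INDEX ON shop.* TO shop_upgrade;

-- Grant roles, not privileges, and give each account exactly one role
-- that is activated automatically at login (SET DEFAULT ROLE).
CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY 'App-Runtime-1!';
GRANT shop_writer TO 'app'@'10.0.0.%';
SET DEFAULT ROLE shop_writer FOR 'app'@'10.0.0.%';

CREATE USER 'deploy'@'10.0.0.%' IDENTIFIED BY 'Schema-Upgrade-1!';
GRANT shop_upgrade TO 'deploy'@'10.0.0.%';
SET DEFAULT ROLE shop_upgrade FOR 'deploy'@'10.0.0.%';

-- Review what each role and account really holds.
SHOW GRANTS FOR shop_writer;
SHOW GRANTS FOR 'app'@'10.0.0.%';
SELECT User, Host, Role FROM mysql.roles_mapping ORDER BY User;
```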
12. MariaDB Server - Password policy
MariaDB supports password quality checks through plugins
Simple Password Check
Cracklib Password Check
Password Expiration (new in 10.4)
simple_password_check_minimal_length = 8
simple_password_check_digits = 1
simple_password_check_letters_same_case = 1
simple_password_check_other_characters = 1
13. MariaDB Server - Audit log
• Log Activities on the MariaDB Server
• Analyse AUDIT events with standard logfile analyzers
• Include AUDIT Log into SIEM
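Enabling the MariaDB Audit Plugin so its log can be fed to a SIEM, as an added example (not from the deck). The log path, rotation sizes and the excluded monitoring account are assumptions.

```sql
-- Added example, not from the slides. Paths and user names are constructed.
-- In my.cnf, `plugin_load_add = server_audit` together with
-- `server_audit = FORCE_PLUS_PERMANENT` keeps the plugin from being
-- uninstalled at runtime; the statements below configure it live.
INSTALL SONAME 'server_audit';

-- Write to a dedicated file that the SIEM forwarder tails.
SET GLOBAL server_audit_output_type = 'file';
SET GLOBAL server_audit_file_path = '/var/log/mysql/server_audit.log';
SET GLOBAL server_audit_file_rotate_size = 100000000;   -- bytes
SET GLOBAL server_audit_file_rotations = 9;

-- CONNECT covers successful, failed and closed connections; QUERY_DDL and
-- QUERY_DCL capture schema and privilege changes. Plain QUERY would log
-- every statement, which is rarely manageable.
SET GLOBAL server_audit_events = 'CONNECT,QUERY_DDL,QUERY_DCL';

-- Drop a noisy monitoring account from the trail; never exclude admins.
SET GLOBAL server_audit_excl_users = 'monitor';

SET GLOBAL server_audit_logging = ON;

-- Confirm the effective settings.
SHOW GLOBAL VARIABLES LIKE 'server_audit%';
```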
14. MariaDB Server - Data At Rest Encryption
• Encrypting data on disk
• Tablespace
• Binary Logs
• Backups
15. MariaDB Server - Data at Rest Encryption
• Open Source Encryption Solution
• Developed by eperi in cooperation with the Federal Office for Information Security
• Easy to setup
• Key Management with
• Local Key Files
• AWS Key Management
• eperi Key Management and Gateway
16. MariaDB Platform - Encrypted Connections
• Encryption can be enabled for
• Client Connections
• Backend Connections
• Master-Slave Connections
• Clients can be authenticated by X.509 certificates (TLS authentication)
• Encrypted client connections can be required per user – host combination
Diagram: Client → MaxScale → MariaDB Server (Master/Slave), MariaDB Cluster, ColumnStore
17. MariaDB Platform - Authentication
Secure authentication methods
• PAM authentication using any PAM-configurable method, such as
  • RADIUS
  • SecurID
  • One-time password
• Kerberos through GSSAPI
• Stronger password hash using the ed25519 Elliptic Curve Digital Signature Algorithm (ECDSA)
Diagram: authentication plugins ed25519, GSSAPI, PAM
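One account-hardening script that ties together the password policy (slide 12), per-user encrypted connections and X.509 client authentication (slide 16), and the ed25519 and PAM plugins from this slide; it is an added example, not from the deck. Hosts, account names, the PAM service name, the certificate subject and all passwords are constructed placeholders.

```sql
-- Added example, not from the slides. Every name and secret is constructed.

-- Password policy from slide 12, enforced from now on for every
-- CREATE USER, ALTER USER and SET PASSWORD.
INSTALL SONAME 'simple_password_check';
SET GLOBAL simple_password_check_minimal_length = 8;
SET GLOBAL simple_password_check_digits = 1;
SET GLOBAL simple_password_check_letters_same_case = 1;
SET GLOBAL simple_password_check_other_characters = 1;

-- Stronger hash: ed25519 instead of mysql_native_password.
-- USING PASSWORD('...') hashes the clear text server-side (10.4 syntax).
INSTALL SONAME 'auth_ed25519';
CREATE USER 'analyst'@'10.0.1.%'
  IDENTIFIED VIA ed25519 USING PASSWORD('An4lyst-Pw!')
  REQUIRE SSL;                 -- TLS mandatory for this user@host only

-- TLS client authentication: batch may only log in with a certificate
-- issued by the server's CA and carrying exactly this subject.
CREATE USER 'batch'@'10.0.2.%'
  IDENTIFIED VIA ed25519 USING PASSWORD('B4tch-Jobs!')
  REQUIRE SUBJECT '/CN=batch.example.internal/O=Example Corp';

-- PAM: the second argument is the PAM service name, i.e. the file
-- /etc/pam.d/mariadb that chains to RADIUS, SecurID or an OTP module.
INSTALL SONAME 'auth_pam';
CREATE USER 'ops'@'10.0.3.%' IDENTIFIED VIA pam USING 'mariadb';

-- Password expiration (new in 10.4): rotate every 90 days by default,
-- and expire one account immediately, e.g. after an incident.
SET GLOBAL default_password_lifetime = 90;
ALTER USER 'analyst'@'10.0.1.%' PASSWORD EXPIRE;

-- Rejected by the policy (ER_NOT_VALID_PASSWORD): no digit, no symbol.
CREATE USER 'tmp'@'localhost' IDENTIFIED BY 'password';

-- Verify plugin, TLS requirement and expiry state per account.
SELECT user, host, plugin, ssl_type, password_expired
  FROM mysql.user WHERE user IN ('analyst', 'batch', 'ops');
```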
19. MariaDB MaxScale - Database firewall
• Blacklist and whitelist support
• Multiple rules may match
• The first matching rule will be applied
• Rules are defined in a simple text file
• Rules can use wildcards and regular expressions
Diagram: a rules file that blocks deletes without WHERE, rejecting a statement such as DELETE FROM t1;
20. MariaDB MaxScale - Data Masking and Obfuscation
• Masking of sensitive data
• Obfuscating data, e.g. when using data from production for testing
• Masking and obfuscation rules are defined in a rules file
• Rules are in JSON syntax
22. Common Vulnerabilities and Exposures
● Follow CVEs closely
● Update software and hardware accordingly
● Subscribe to relevant notifications
○ MariaDB Notifications
● Understand the issues
○ Not all issues might be relevant to you
○ Knowledge is the best way to prevent panic!
● The MITRE Corporation keeps track of CVEs
○ https://cve.mitre.org/
23. The server environment
● Typically you do not want access to MariaDB directly from the internet
○ Use a "jump box" if outside access is necessary
● Configure your network appropriately
● Listen only on the network interface that is relevant
● Use a firewall
● Be careful with the design of the physical network
● Encrypt traffic
○ Use ssh, ssh tunnels, ssl / tls connections (preferably 1.2) etc.
○ Don't use unencrypted means of communication such as telnet
24. Auditing – Keep track of who is doing what
● Audit on as many levels as possible
● Audit internal as well as external users
● Save audit trails
● Make sure that audit data can be managed
○ Ensure that it can be searched
○ Ensure that you can extract relevant data
25. Protection from excessive trust
● Give users access on an as needed basis
● Do NOT grant users higher levels of access than necessary
○ No root level access
● Do not give users access to data they don't need
○ Mistakes can happen!
● Encrypt data wherever possible
○ Manage encryption keys in a safe, responsible way
26. Conclusion
• IT security is very important and all aspects of IT need security
• Follow best practices and security standards
• MariaDB Platform provides a full range of security features
• Data at rest encryption
• Data in motion encryption
• Certificate based authentication
• Database Firewall and Data Masking
• And more