MySQL Day Paris 2016 - MySQL Enterprise Edition

MySQL Enterprise Edition
Achieve the Highest Levels of Security
Olivier Dasini
MySQL Principal Solutions Architect
olivier.dasini@oracle.com
@freshdaz

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The following is intended to outline our general product direction. It is
intended for information purposes only, and may not be incorporated
into any contract. It is not a commitment to deliver any material, code,
or functionality, and should not be relied upon in making purchasing
decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole
discretion of Oracle.

MySQL Security
3

Data Breaches
429 Million identities exposed in 2015.
75%
Web sites with vulnerabilities. 15% of all
websites had a critical vulnerability.
9
In 2015, a record of nine mega-
breaches were reported.
One worlds largest 191M.
(Mega-breach = more than 10 million records.)
Mobile Vulnerabilities on the rise – up 214%
Infection by SQL Injection still strong.
Malware attacks on databases
Oracle Confidential – Internal/Restricted/Highly
Restricted
4
Source: Internet Security Threat Report 2016, Symantec

DBAs are responsible for Database Security
• Ensure only users who should get access, can get access
• Limit what users and applications can do
• Limit from where users and applications can access data
• Watch what is happening, and when it happened
• Make sure to back things up securely
• Minimize attack surface
• Ensure encryption keys are protected and managed

DBAs must meet
Security and Regulatory Compliance
• Regulations
– PCI – DSS: Payment Card Data
– HIPAA: Privacy of Health Data
– Sarbanes Oxley: Accuracy of Financial Data
– EU Data Protection Directive: Protection of Personal Data
●
General Data Protection Regulation (GDPR)
●
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
– Data Protection Act (UK): Protection of Personal Data
• Requirements
– Continuous Monitoring (Users, Schema, Backups, etc)
– Data Protection (Encryption, Privilege Management, etc.)
– Data Retention (Backups, User Activity, etc.)
– Data Auditing (User activity, etc.)
6

• MySQL Enterprise TDE
– Data-at-Rest Encryption
– Key Management / Security
• MySQL Enterprise Encryption
– Public/Private Key Cryptography
– Asymmetric Encryption
– Digital Signatures, Data Validation
• MySQL Enterprise Firewall
– Block SQL Injection Attacks
– Intrusion Detection
• MySQL Enterprise Audit
– User Activity Auditing, Regulatory Compliance
7
• MySQL Enterprise Monitor
– Changes in Database Configurations, Users
Permissions, Database Schema, Passwords
• MySQL Enterprise Backup
– Securing Backups, AES 256 encryption
• MySQL Enterprise Authentication
– External Authentication Modules
– Microsoft AD, Linux PAMs
https://www.youtube.com/watch?v=ypQh9H9Rf9w

MySQL Enterprise Transparent Data Encryption
• Improves Security
– Added Layer– enforces access controls
– Simple to use and manage
• Meets Security and Regulatory Requirements
– Fit for cases where encryption is required
• Healthcare, FiServ, Government, etc.
• Secures and Manages Keys
– Supports Standard KMIP 1.2 protocols
– Supports Oracle Key Vault and other Key Stores

MySQL Enterprise Transparent Data Encryption
Goals
9
• Data at Rest Encryption
– Tablespaces, Disks, Storage, OS File system
• Transparent to applications and users
– No application code, schema or data type changes
• Transparent to DBAs
– Keys are hidden from DBAs, no configuration changes
• Requires Key Management
– Protection, rotation, storage, recovery

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. | 10
MySQL Transparent Data Encryption
Encrypted
Tablespace Files
Tablespace Key
Malicious OS User / Hacker
Accesses Files Directly
Information Access Blocked
By Encryption
Master Key

MySQL Enterprise Audit
• Auditing for Security & Compliance
– FIPS, HIPAA, PCI-DSS, SOX, DISA STIG, …
• MySQL built-in logging infrastructure:
– general log, error log
– Granularity made for auditing
– Can be modified live
– Contains additional details
– Compatible with Oracle Audit Vault.
https://dev.mysql.com/doc/refman/5.7/en/audit-log.html
Adds regulatory compliance to
MySQL applications (HIPAA,
Sarbanes-Oxley, PCI, etc.)
Adds regulatory compliance to
MySQL applications (HIPAA,
Sarbanes-Oxley, PCI, etc.)

MySQL Enterprise Audit Work Flow
12

MySQL Enterprise Firewall
• Real Time Protection
– Queries analyzed and matched against White List
• Blocks SQL Injection Attacks
– Positive Security Model
• Block Suspicious Traffic
– Out of Policy Transactions detected & blocked
• Learns White List
– Automated creation of approved list of SQL command patterns on a per user basis
• Transparent
– No changes to application required
13
MySQL Enterprise Firewall monitoring
Protection from SQL Injection Attacks
- #1 Web Application Vulnerability
- 77% of Web Sites had vulnerabilities
https://dev.mysql.com/doc/refman/5.7/en/firewall.html

MySQL Enterprise Firewall: Operating Modes
14
ALLOW
In Whitelist
Blocks SQL Attacks
Allows “Matching” SQL
Table
Table
Table
BLOCK
NOT In Whitelist
BLOCK and ALERT
DETECT (IDS)
NOT In Whitelist
ALLOW and ALERT
Table
Table
Table
ALLOW – Execute SQL
- SQL Matches Whitelist
BLOCK – Block the request
- Not in Whitelist
DETECT – Execute SQL & Alert
- Not in Whitelist
11
22
33
Table
Table
Table
Allows SQL & Alerts

MySQL Enterprise Backup
• Online, non-locking backup and recovery
– Complete MySQL instance backup (data and config)
– Partial backup and restore
• Direct Cloud storage backups (S3, etc.)
• Incremental backups
• Point-in-time recovery
• Advanced compressed and encryption
• Backup to tape (SBT)
• Backup validation
• Optimistic backups
• Cross-Platform (Windows, Linux, Unix)

MySQL Enterprise Monitor
• Start monitoring MySQL in 10 minutes
• Real-time MySQL performance and
availability monitoring
• Visually find & fix problem queries
• Disk monitoring for capacity planning
• Cloud friendly architecture
– No agents required
• Role based access controls
16

MySQL Enterprise Monitor: Backup
• Monitor backup usage and health
– Across your entire datacenter
• Drill into backup job details
– Allowing for easy backup recovery
• Supports all backup types
• Alerting on significant events
– Poor backup performance
– Backup job failures
– Out of date backups

MySQL Enterprise Monitor: Security
• Enforce MySQL Security Best Practices
– Identifies vulnerabilities
– Assesses current setup against security hardening
policies
• Monitoring and Alerting
– User accounts and passwords
– Firewall usage, effectiveness, and red flags
– Backups and data loss security
– Schema changes and tracking
– Configuration changes and tuning advice
• Centralized Secure User Management
18

MySQL Enterprise Encryption
• MySQL encryption functions
– Symmetric encryption AES256 (All Editions)
– Public-key / asymmetric cryptography – RSA
• Key management functions
– Generate public and private keys
– Key exchange methods: DH
• Sign and verify data functions
– Cryptographic hashing for digital signing, verification, & validation – RSA,DSA
19
http://dev.mysql.com/doc/refman/5.7/en/enterprise-encryption.html

Encryption/Decryption within MySQL
Sensitive Data Sensitive Data
Private / Public Key Pairs
- Generate using MySQL Enterprise Encryption Functions
- Use externally generated (e.g. OpenSSL)
Encryption
Public Key
Decryption
Private Key
Encrypted
Data

App Encrypts/MySQL Decrypts
21
Encryption
Public Key
Decryption
Private Key
Encrypted
Data
Sensitive Data
Applications
Sensitive Data

App Encrypts / MySQL Stores / MySQL Decrypts
22
Encryption
Public Key
Decryption
Private Key
Encrypted
Data
Sensitive Data Sensitive Data
ApplicationsApplications

MySQL Enterprise Authentication
• Built in Authentication
– user table stores users and encrypted passwords
• X.509
– Server authenticates client certificates
• MySQL Native, SHA 256 Password plugin
– Native uses SHA1 or plugin with SHA-256 hashing and per user salting for user account passwords.
– Microsoft Active Directory
– Linux PAMs (Pluggable Authentication Modules)
• Support LDAP and more
• Custom Authentication
Integrates MySQL with
existing security
infrastructures and SOPs
Integrates MySQL with
existing security
infrastructures and SOPs

MySQL Enterprise Authentication
• PAM (Pluggable Authentication Modules)
– Access external authentication methods
– Standard interface (Unix, LDAP, Kerberos, others)
– Proxied and non-proxied users
• Windows
– Access native Windows services
– Authenticate users already logged into Windows
(Windows Active Directory)
• Pluggable Authentication API

• MySQL Enterprise TDE
– Data-at-Rest Encryption
– Key Management / Security
• MySQL Enterprise Encryption
– Public/Private Key Cryptography
– Asymmetric Encryption
– Digital Signatures, Data Validation
• MySQL Enterprise Firewall
– Block SQL Injection Attacks
– Intrusion Detection
– User Activity Auditing, Regulatory Compliance
25
• MySQL Enterprise Monitor
– Changes in Database Configurations, Users
Permissions, Database Schema, Passwords
• MySQL Enterprise Backup
– Securing Backups, AES 256 encryption
– External Authentication Modules
– Microsoft AD, Linux PAMs

Thank you!

MySQL Day Paris 2016 - MySQL Enterprise Edition

MySQL Day Paris 2016 - MySQL Enterprise Edition

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to MySQL Day Paris 2016 - MySQL Enterprise Edition (20)

More from Olivier DASINI (15)

Recently uploaded (20)

MySQL Day Paris 2016 - MySQL Enterprise Edition