MariaDB Roadshow 2016: Secure Data Management - Threats and Best Practices
TRANSCRIPT
Common Threats to Your Data
1. The Internet
2. Applications
3. Excessive Trust
4. Outdated MariaDB packages
5. Lack of Visibility
The Internet
• Database driven Web pages are commodity now
• Started as a small hosted Web application, now business critical
• ...
Defense
● Do not allow TCP connections to MariaDB from the Internet at large.
● Configure MariaDB to listen on a network interface that is only accessible from the host where your application runs.
● Design your physical network to connect the app to MariaDB
● Use bind-address to bind to a specific network interface
● Use your OS's firewall
Best Practice: Encrypt sensitive data
● Encrypt some data in the application
  ○ Non-key data
  ○ Credit card numbers
● Encrypt data in transit using SSL
  ○ From clients to MaxScale
  ○ From clients to MariaDB
  ○ Between MariaDB replication nodes
● Encrypt data at rest using advanced tablespace encryption functionality in MariaDB 10.1
  ○ InnoDB tablespace encryption
  ○ InnoDB redo log encryption
  ○ Binary log encryption
Threats from Applications
• Denial of Service attacks created by overloading the application
• SQL query injection attacks
• …
Defense
● Do not run your application on your MariaDB Server.
● Do not install unnecessary packages on your MariaDB Server.
● An overloaded application can use so much memory that MariaDB could slow or even be killed by the OS. This is an effective DDoS attack vector.
● A compromised application or service can have many serious side effects
  ○ Discovery of MariaDB credentials
  ○ Direct access to data
  ○ Privilege escalation
Best Practice: Use a Gateway
● Create a Database Firewall
● Restrict the operations that clients (applications) are allowed to perform
● Identify and flag potentially dangerous queries
● Customize rules about what's allowed and what's not
● Implementing connection pooling capabilities can protect against DDoS attacks
Excessive Trust
• Disgruntled employees
• Mistakes and human error
● Do not use the MariaDB "root" user for application access.
● Grant only the privileges required by your application.
● Minimize the privileges granted to the MariaDB user accounts used by your applications
  ○ Don't grant CREATE or DROP privileges.
  ○ Don't grant the FILE privilege.
  ○ Don't grant the SUPER privilege.
  ○ Don't grant access to the mysql database
● Limit users who have:
  ○ SSH access to your MariaDB server.
  ○ Sudo privileges on your MariaDB server.
● Set the secure_file_priv option to ensure that users with the FILE privilege cannot write or read MariaDB data or important system files.
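The account layout the slide asks for, as an added example in MariaDB 10.1 SQL (not from the slides): one host-restricted account per application, DML only on its own schema, a review query for the dangerous global privileges named above, and the secure_file_priv check. The account name, schema name and address (shop_app, shopdb, 10.0.0.5, legacy_app) are constructed placeholders.

```sql
-- Added example, not from the slides. Names and addresses are placeholders.

-- One account per application, restricted to the host the application runs on.
CREATE USER 'shop_app'@'10.0.0.5' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- Only the DML the application needs, only on its own schema:
-- no CREATE, DROP, FILE or SUPER, and nothing on the mysql schema.
GRANT SELECT, INSERT, UPDATE, DELETE ON shopdb.* TO 'shop_app'@'10.0.0.5';

-- Resource limits cap the damage a runaway or compromised application can do.
GRANT USAGE ON *.* TO 'shop_app'@'10.0.0.5'
  WITH MAX_USER_CONNECTIONS 50 MAX_QUERIES_PER_HOUR 100000;

-- Review: exactly the grants above should be listed, nothing global.
SHOW GRANTS FOR 'shop_app'@'10.0.0.5';

-- Audit existing accounts for the global privileges the slide says not to grant.
SELECT User, Host, File_priv, Super_priv, Create_priv, Drop_priv
  FROM mysql.user
 WHERE File_priv = 'Y' OR Super_priv = 'Y' OR Create_priv = 'Y' OR Drop_priv = 'Y';

-- Accounts with direct schema-level access to the mysql database.
SELECT User, Host FROM mysql.db WHERE Db = 'mysql';

-- Take back a privilege that was granted too broadly (here: FILE on a legacy account).
REVOKE FILE ON *.* FROM 'legacy_app'@'%';

-- secure_file_priv is read-only at runtime; set it in my.cnf under [mysqld]
-- (secure_file_priv = /var/lib/mysql-files) and confirm it here. An empty value
-- means LOAD DATA INFILE and SELECT ... INTO OUTFILE may use any path the
-- server process can reach, including the datadir itself.
SHOW VARIABLES LIKE 'secure_file_priv';
```

The review queries are the part to run on an existing server first: accounts that already hold FILE or SUPER, or that can write the mysql schema, are the ones a compromised application would turn into privilege escalation.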
Best Practice: Manage MariaDB user accounts carefully
● Use OS permissions to restrict access to MariaDB data and backups.
● Allow root access to MariaDB only from local clients—no administrative access over the network.
● Use the unix_socket authentication plugin so that only the OS root user can connect as the MariaDB root user.
● Use strong passwords.
  ○ Enable the cracklib_password_check plugin.
● Use a separate MariaDB user account for each of your applications.
● Allow access from a minimal set of IP addresses.
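Putting the root and DBA account rules into practice, as an added example in MariaDB 10.1 SQL (not from the slides): root is bound to the OS root user via unix_socket, remote root and anonymous accounts are removed, and administrators get named accounts limited to the admin network. The network 10.0.1.% and the account dba_alice are constructed placeholders; the password check plugin is covered in the Password Validation section of this deck.

```sql
-- Added example, not from the slides. Addresses and account names are placeholders.

-- 1. unix_socket: the MariaDB root account accepts connections only from the OS
--    root user over the local socket. No password is stored or transmitted.
INSTALL SONAME 'auth_socket';
GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED VIA unix_socket
  WITH GRANT OPTION;

-- 2. No administrative access over the network: find and drop every root
--    account whose host is not local.
SELECT User, Host FROM mysql.user
 WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
DROP USER 'root'@'%';            -- repeat for each remote root row returned

-- 3. Anonymous and passwordless accounts are exactly the untraceable access
--    the "Lack of Visibility" slide warns about. unix_socket accounts have an
--    empty Password column by design, hence the check on plugin.
SELECT User, Host FROM mysql.user
 WHERE User = '' OR (Password = '' AND plugin = '');
DROP USER ''@'localhost';

-- 4. Named DBA accounts, one per person, only from the administration network.
CREATE USER 'dba_alice'@'10.0.1.%' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';
GRANT ALL PRIVILEGES ON *.* TO 'dba_alice'@'10.0.1.%' WITH GRANT OPTION;

-- 5. Verify: every remaining account should have a specific host and a
--    recognisable owner (application or person).
SELECT User, Host, plugin FROM mysql.user ORDER BY User, Host;
```

With unix_socket in place the usual "mysql -u root -p" from a remote host cannot succeed at all, and a local "sudo mysql" is both the only way in and an action the OS already logs.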
Outdated MariaDB Packages
● Linux vendors often distribute outdated versions of MariaDB which lack the most up-to-date security fixes and features:
  ○ MariaDB 10.0 in Debian 8 (Jessie)
  ○ MariaDB 5.5 in RHEL 7
● Use MariaDB Enterprise packages:
  ○ Updated with the most-recent security fixes and features
  ○ Critical security features enabled by default
Best Practice: Update MariaDB and other packages
● Stay on top of the most recent security fixes by keeping your MariaDB packages updated
● Apply security updates distributed by your OS vendor, as highlighted by recent problems in glibc and openssl.
Lack of Visibility
• Applications share the same user for database connections
• No visibility at the database backend about which application is accessing the data
• Scripts do not use specific users or even use the root user
• No chance to evaluate which tool is causing issues
• Direct access to the database without using named DBA users
• No way to track which DBA/DevOp did access data
• The requirement to audit access to data is increasing
• We need to know who is accessing what and when
Best Practice: Named Users and Audit
● Use named users whenever possible
  ○ Distinguish between technical users (applications) and direct access (tools, DBA, ..)
● Ensure regulatory compliance with robust logging
● Record connections, query executions, and tables accessed
● Activate auditing using the MariaDB Audit Plugin
  ○ Use logs for forensic analysis after an incident
  ○ Enable ediscovery
  ○ Log either to a file or to syslog
MariaDB Enterprise Security
(Overview diagram: MariaDB 10.1 with the InnoDB/XtraDB and Aria storage engines, surrounded by five security areas)
● Detect and Prevent Attacks - Unauthorized Access - Denial of Service - SQL Injections
● Protect Data with Encryption: Native Mode Encryption protects data at rest
● SSL Encryption protects data in motion
● Audit for Forensics and Compliance
● Benefit from Community Protection
MariaDB Enterprise Security
Detect and Prevent Attacks
• Role Based Access Control
• Password management and validation plugin
• Key Management Services - AWS or Eperi KMS
• Blacklist firewall filtering in MaxScale
• Authentication plugins
  1. LDAP
  2. ssh passphrases
  3. One-time passwords (even with SMS confirmation)
  4. System authentication
  5. Combinations of authentication modules
Protect Data with encryption: Native Mode Encryption protects data at rest
• Everything—all tablespaces and all tables
• Individual tables
• Everything, excluding individual tables
• Support for rolling keys
• XtraDB/InnoDB log files
• Binary log
Audit for Forensics and Compliance
• Log database connections, queries and table access
SSL Encryption protects data in motion
Benefit from Community Protection
• Faster detection of vulnerabilities
• Better threat response
• Security features
Authentication
Password Validation
■ Simple_password_check plugin: enforce a minimum password length and the type/number of characters to be used
■ Cracklib_password_check plugin
  ■ Stop users from choosing easy to guess passwords.
  ■ Prohibit weak passwords based on the username or a dictionary word
External Authentication
Single Sign On is becoming mandatory in most Enterprises.
■ PAM Authentication Plugin allows using /etc/shadow and any PAM based authentication like LDAP
■ Kerberos Authentication, as a standardized network authentication protocol, is provided GSSAPI-based on UNIX and SSPI-based on Windows
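The two password plugins and the external authentication plugins from this slide, enabled at runtime, as an added example in MariaDB 10.1 SQL (not from the slides). The policy values, the PAM service name "mariadb", the Kerberos realm EXAMPLE.COM and the accounts reporting, alice and bob are constructed; the gssapi plugin is assumed to be present in the build.

```sql
-- Added example, not from the slides. Policy values and names are placeholders.

-- simple_password_check: length and character-class rules, enforced server-side.
INSTALL SONAME 'simple_password_check';
SET GLOBAL simple_password_check_minimal_length      = 12; -- default is 8
SET GLOBAL simple_password_check_digits              = 1;
SET GLOBAL simple_password_check_letters_same_case   = 1;  -- 1 upper AND 1 lower
SET GLOBAL simple_password_check_other_characters    = 1;

-- cracklib_password_check: rejects dictionary words and passwords derived from
-- the user name, using the system cracklib dictionary
-- (cracklib_password_check_dictionary, set in my.cnf if not the default).
INSTALL SONAME 'cracklib_password_check';

-- Both plugins are consulted on CREATE USER, GRANT ... IDENTIFIED BY and
-- SET PASSWORD. A weak choice is refused:
SET PASSWORD FOR 'reporting'@'10.0.0.%' = PASSWORD('password1');
-- ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

-- Keep the default: a pre-hashed password (SET PASSWORD = '*HASH') bypasses the
-- plugins unless strict validation is on.
SET GLOBAL strict_password_validation = ON;

-- External authentication through PAM: /etc/shadow or LDAP decides, MariaDB
-- stores no password for the account. 'mariadb' names /etc/pam.d/mariadb.
INSTALL SONAME 'auth_pam';
CREATE USER 'alice'@'%' IDENTIFIED VIA pam USING 'mariadb';
GRANT SELECT ON reports.* TO 'alice'@'%';

-- Kerberos: GSSAPI on Unix, SSPI on Windows. The plugin checks the ticket for
-- the given principal; again no password lives in MariaDB.
INSTALL SONAME 'auth_gssapi';
CREATE USER 'bob'@'%' IDENTIFIED VIA gssapi USING 'bob@EXAMPLE.COM';

-- Verify which mechanism each account really uses.
SELECT User, Host, plugin, authentication_string FROM mysql.user
 ORDER BY plugin, User;
```

The last query is the control a reviewer wants: accounts still on the built-in password plugin are the ones subject to the two password checks, and every other row should map to a PAM service or a Kerberos principal that the identity team recognises.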
Threat Protection with the Database Firewall
How it Works
§ Block or Allow queries that
  • match a set of rules
  • match rules for specified users
  • match certain patterns
§ Multiple ordered rules
§ Match on
  • date/time
  • a WHERE clause
  • Query type
  • Column match
  • a wildcard or regular expression
Protect against SQL injection
Prevent unauthorized data access
Prevent data damage
(Diagram: (1) the Client sends a Query to MaxScale, (2) the Firewall Filter forwards permitted SQL to the server, (3) a rejected query returns an Error to the client. Examples shown: "Select from customer Where id=5" and "SELECT * FROM CUSTOMERS;", the latter rejected with "Query failed: 1141 Error: Required WHERE/HAVING clause is missing".)
Denial of Service attack protection
■ MariaDB MaxScale Persistent Connections
■ Connection pooling protects against connection surges
■ Cache the connections from MaxScale to the database server
■ Rate limitation
■ Client multiplexing
Encryption for Data in Motion
Secured Connections
■ SSL Connections based on the TLS v1.2 Protocol
■ Between MariaDB Connectors and Server
■ Between MariaDB Connectors and MaxScale
■ SSL can also be enabled for the replication channel
Encryption Functions
■ Selective Data-In-Use Encryption
■ Application control of data encryption
■ Based on the AES (Advanced Encryption Standard) or DES (Data Encryption Standard) algorithm
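Enforcing TLS per account and on the replication channel, followed by selective column encryption with the AES functions, as an added example in MariaDB 10.1 SQL (not from the slides). It assumes the server already has ssl-ca, ssl-cert and ssl-key configured under [mysqld]; certificate paths, account names and the card table are constructed. The DES functions named on the slide are left out on purpose: DES is obsolete and AES is the one to use.

```sql
-- Added example, not from the slides. Paths, accounts and table are placeholders.

-- Did the server load its certificates? 'have_ssl' must be YES.
SHOW VARIABLES LIKE 'have_ssl';
SHOW VARIABLES LIKE 'ssl_%';

-- Require an encrypted channel for the application account: a plaintext
-- connection is refused even with the correct password.
GRANT USAGE ON *.* TO 'shop_app'@'10.0.0.5' REQUIRE SSL;

-- Stronger for administrators: the client certificate subject must match too.
GRANT USAGE ON *.* TO 'dba_alice'@'10.0.1.%'
  REQUIRE SUBJECT '/CN=dba_alice/O=Example Corp';

-- From inside a session: is it really encrypted, and with what?
SHOW STATUS LIKE 'Ssl_cipher';    -- empty string means plaintext
SHOW STATUS LIKE 'Ssl_version';   -- expect TLSv1.2

-- Replication channel with server certificate verification on the slave.
STOP SLAVE;
CHANGE MASTER TO
  MASTER_SSL = 1,
  MASTER_SSL_CA   = '/etc/mysql/ssl/ca.pem',
  MASTER_SSL_CERT = '/etc/mysql/ssl/slave-cert.pem',
  MASTER_SSL_KEY  = '/etc/mysql/ssl/slave-key.pem',
  MASTER_SSL_VERIFY_SERVER_CERT = 1;
START SLAVE;

-- Data in use: the application encrypts one sensitive column and keeps the
-- rest searchable. AES_ENCRYPT in MariaDB 10.1 is AES-128 in ECB mode, so the
-- key is cut to exactly 16 bytes and equal plaintexts give equal ciphertexts.
-- The key never goes into a table; the application supplies it per session.
CREATE TABLE card (
  id        INT PRIMARY KEY,
  holder    VARCHAR(100),
  pan_enc   VARBINARY(32) NOT NULL,   -- 16-digit PAN pads to 32 bytes
  pan_last4 CHAR(4) NOT NULL          -- the non-sensitive, searchable part
) ENGINE=InnoDB;

SET @key = SUBSTRING(UNHEX(SHA2('REPLACE_WITH_APPLICATION_SECRET', 256)), 1, 16);
INSERT INTO card VALUES
  (1, 'A. Example', AES_ENCRYPT('4111111111111111', @key), '1111');

-- Only a session holding the key gets the PAN back; a dump of the table or a
-- SELECT without @key returns ciphertext bytes.
SELECT id, holder, pan_last4,
       CAST(AES_DECRYPT(pan_enc, @key) AS CHAR) AS pan
  FROM card WHERE id = 1;
```

REQUIRE SSL is what turns the slide's "between connectors and server" into something verifiable: the grant fails closed, and Ssl_cipher in the session shows whether a given connector really negotiated TLS or silently fell back.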
Encryption for Data at Rest
Data-at-Rest Encryption
■ Tables or tablespaces
■ Log files
■ Independent of the encryption capabilities of applications
■ Based on encryption keys, key ids, key rotation and key versioning
Key Management Services
■ Encryption plugin API offers choice
  o Plugin to implement the data encryption
  o Manage encryption keys
■ MariaDB Enterprise options
  o Simple Key Management included
  o Amazon AWS KMS Plugin included
  o Eperi KMS for on-premise key management - optional
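Tablespace, redo log and binary log encryption with the bundled file_key_management plugin, as an added example in MariaDB 10.1 SQL (not from the slides). The my.cnf settings are shown in a leading comment because they need a restart; key file paths, table names and key ids are constructed. This also covers the "Encrypt data at rest" items on the Encrypt sensitive data slide earlier in the deck.

```sql
-- Added example, not from the slides. Paths, tables and key ids are placeholders.
--
-- Server side, in my.cnf under [mysqld] (restart required):
--   plugin-load-add = file_key_management
--   file-key-management-filename  = /etc/mysql/encryption/keyfile.enc
--   file-key-management-filekey   = FILE:/etc/mysql/encryption/keyfile.key
--   file-key-management-encryption-algorithm = AES_CTR
--   innodb-encrypt-tables  = ON     -- every InnoDB/XtraDB table unless ENCRYPTED=NO
--   innodb-encrypt-log     = ON     -- redo log
--   encrypt-binlog         = ON     -- binary and relay logs
--   encrypt-tmp-disk-tables = ON
--   encrypt-tmp-files      = ON
--   aria-encrypt-tables    = ON
--   innodb-encryption-threads = 4   -- background (re-)encryption
--
-- keyfile.enc holds one "<key_id>;<hex key>" line per key id; key 1 is the
-- default. file_key_management has no key versioning, so rotation needs a
-- plugin that supports it (the AWS KMS plugin does). The SQL below is the same
-- whichever plugin supplies the keys.

-- Is an encryption plugin active, and is encryption really switched on?
SELECT PLUGIN_NAME, PLUGIN_STATUS FROM information_schema.PLUGINS
 WHERE PLUGIN_TYPE = 'ENCRYPTION';
SHOW GLOBAL VARIABLES WHERE Variable_name IN
  ('innodb_encrypt_tables', 'innodb_encrypt_log', 'encrypt_binlog');

-- Per-table control: sensitive data under its own key id, so it can be
-- rotated or revoked independently of the default key.
CREATE TABLE customer_pii (
  id   INT PRIMARY KEY,
  ssn  CHAR(11),
  name VARCHAR(100)
) ENGINE=InnoDB ENCRYPTED=YES ENCRYPTION_KEY_ID=2;

-- Encrypt an existing table in place (this rebuilds it), or exclude one that is
-- known to hold nothing sensitive from the global default.
ALTER TABLE orders ENCRYPTED=YES;
ALTER TABLE public_catalog ENCRYPTED=NO;

-- Verify: ENCRYPTION_SCHEME 0 and MIN_KEY_VERSION 0 mean plaintext on disk.
SELECT NAME, ENCRYPTION_SCHEME, MIN_KEY_VERSION, CURRENT_KEY_VERSION
  FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
 ORDER BY NAME;

-- With a rotating key plugin: tablespaces still holding pages under an old key
-- version, i.e. rotation in progress. Empty means every page is on the current key.
SELECT NAME, MIN_KEY_VERSION, CURRENT_KEY_VERSION
  FROM information_schema.INNODB_TABLESPACES_ENCRYPTION
 WHERE MIN_KEY_VERSION <> CURRENT_KEY_VERSION;
```

The two information_schema queries are the audit evidence for "data at rest is encrypted": they show, per tablespace, whether pages are encrypted and with which key version, rather than relying on the my.cnf setting alone.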
Auditing for Security and Compliance
■ Logs server activity
  o Who connected to the server
  o Source of connection
  o Queries executed
  o Tables touched
■ File based or syslog based logging
MariaDB Audit Plugin (diagram of recorded events and fields)
  Connection: Connect, Disconnect, Failed Connect
  Query: DDL, DML+TCL, DCL
  Object: Database, Tables
  Recorded with every event: Timestamp, Host, User, Session
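Enabling the MariaDB Audit Plugin and reading what it writes, as an added example in MariaDB 10.1 SQL (not from the slides); it serves both this slide and the Named Users and Audit best practice earlier in the deck. The log path, the excluded account shop_app and the sample log lines are constructed to show the format.

```sql
-- Added example, not from the slides. Path and account names are placeholders.

INSTALL SONAME 'server_audit';

-- What to record: connections, every query, and the tables each query touched.
-- (QUERY covers QUERY_DDL, QUERY_DML and QUERY_DCL; TABLE adds the object access.)
SET GLOBAL server_audit_events = 'CONNECT,QUERY,TABLE';

-- File output with rotation...
SET GLOBAL server_audit_output_type = 'file';
SET GLOBAL server_audit_file_path = '/var/log/mysql/server_audit.log';
SET GLOBAL server_audit_file_rotate_size = 1000000;
SET GLOBAL server_audit_file_rotations = 9;
-- ...or syslog, which moves the evidence off the box; this matters when the
-- database server itself is the compromised host.
-- SET GLOBAL server_audit_output_type = 'syslog';
-- SET GLOBAL server_audit_syslog_facility = 'LOG_LOCAL6';

-- Named users are what make the log useful: exclude only the high-volume
-- technical account, so every person and every tool is recorded.
SET GLOBAL server_audit_excl_users = 'shop_app';

SET GLOBAL server_audit_logging = ON;

-- Runtime check: is it active, how many events were written, any write error?
SHOW GLOBAL STATUS LIKE 'server_audit%';

-- Put the same settings in my.cnf so they survive a restart:
--   server_audit_logging = ON
--   server_audit_events  = CONNECT,QUERY,TABLE
--   server_audit_file_path = /var/log/mysql/server_audit.log

-- Sample file output (constructed). Fields:
-- timestamp, server host, user, client host, connection id, query id,
-- operation, database, object or query, return code
--
-- 20160526 10:02:11,db1,dba_alice,10.0.1.7,42,0,CONNECT,shopdb,,0
-- 20160526 10:02:19,db1,dba_alice,10.0.1.7,42,117,QUERY,shopdb,'SELECT * FROM customer_pii',0
-- 20160526 10:02:19,db1,dba_alice,10.0.1.7,42,117,READ,shopdb,customer_pii,
-- 20160526 10:05:03,db1,root,10.0.0.99,43,0,FAILED_CONNECT,,,1045
--
-- Lines 2 and 3 answer "who read the PII table, from where, and when"; line 4
-- (return code 1045, access denied) is a remote root login attempt, which the
-- "Manage MariaDB user accounts carefully" slide says should not be possible
-- at all, and is therefore worth an alert in whatever consumes the log.
```

Connection id and query id are the join keys for forensics: every READ/WRITE object line shares the query id of the QUERY line that caused it, so a table-level question ("who touched customer_pii last week") resolves to the exact statement and session.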
MariaDB Security Gets Stronger All the Time
MariaDB User Community
▪ Quickly identifies new threats
▪ Reports vulnerabilities
▪ Creates solutions
▪ Contributes features
GET STARTED: MariaDB Security Audit
Evaluate and address database security policies, technologies, and practices
■ Review of your database security needs and requirements
■ Access control assessment
■ Automated attack protection review
■ Encryption tools and practices
■ Forensic capabilities review
■ Ongoing compliance and security planning
Fully leverage MariaDB's security capabilities
Reduce legal, financial, and brand reputation risk