mysql day paris 2016 - mysql enterprise edition

MySQL Enterprise Edition: Achieve the Highest Levels of Security. Olivier Dasini, MySQL Principal Solutions Architect, @freshdaz


MySQL Enterprise Edition

Achieve the Highest Levels of Security

Olivier Dasini

MySQL Principal Solutions Architect

@freshdaz

Copyright © 2016, Oracle and/or its affiliates. All rights reserved. |

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


MySQL Security


Data Breaches

429 million identities were exposed in 2015. 75% of web sites had vulnerabilities; 15% of all web sites had a critical vulnerability.

In 2015, a record nine mega-breaches were reported.

One of the world's largest exposed 191 million records.

(Mega-breach = more than 10 million records.)

Mobile vulnerabilities on the rise: up 214%.

Infection via SQL injection is still strong.

Malware attacks on databases


Source: Internet Security Threat Report 2016, Symantec


DBAs are responsible for Database Security

• Ensure only users who should get access, can get access

• Limit what users and applications can do

• Limit from where users and applications can access data

• Watch what is happening, and when it happened

• Make sure to back things up securely

• Minimize attack surface

• Ensure encryption keys are protected and managed


DBAs must meet Security and Regulatory Compliance

• Regulations

– PCI – DSS: Payment Card Data

– HIPAA: Privacy of Health Data

– Sarbanes Oxley: Accuracy of Financial Data

– EU Data Protection Directive: Protection of Personal Data

● General Data Protection Regulation (GDPR)

● https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

– Data Protection Act (UK): Protection of Personal Data

• Requirements

– Continuous Monitoring (Users, Schema, Backups, etc.)

– Data Protection (Encryption, Privilege Management, etc.)

– Data Retention (Backups, User Activity, etc.)

– Data Auditing (User activity, etc.)


MySQL Enterprise Edition

• MySQL Enterprise TDE

– Data-at-Rest Encryption

– Key Management / Security

• MySQL Enterprise Encryption

– Public/Private Key Cryptography

– Asymmetric Encryption

– Digital Signatures, Data Validation

• MySQL Enterprise Firewall

– Block SQL Injection Attacks

– Intrusion Detection

• MySQL Enterprise Audit

– User Activity Auditing, Regulatory Compliance


• MySQL Enterprise Monitor

– Changes in Database Configurations, Users Permissions, Database Schema, Passwords

• MySQL Enterprise Backup

– Securing Backups, AES 256 encryption

• MySQL Enterprise Authentication

– External Authentication Modules

– Microsoft AD, Linux PAMs

https://www.youtube.com/watch?v=ypQh9H9Rf9w


MySQL Enterprise Transparent Data Encryption

• Improves Security

– Added layer that enforces access controls

– Simple to use and manage

• Meets Security and Regulatory Requirements

– Fit for cases where encryption is required

● Healthcare, FiServ, Government, etc.

• Secures and Manages Keys

– Supports the standard KMIP 1.2 protocol

– Supports Oracle Key Vault and other Key Stores


MySQL Enterprise Transparent Data Encryption: Goals


• Data at Rest Encryption – Tablespaces, Disks, Storage, OS File system

• Transparent to applications and users

– No application code, schema or data type changes

• Transparent to DBAs

– Keys are hidden from DBAs, no configuration changes

• Requires Key Management – Protection, rotation, storage, recovery


MySQL Transparent Data Encryption

(Diagram: encrypted tablespace files are protected by a tablespace key, which is in turn protected by the master key. A malicious OS user or hacker who accesses the files directly is blocked by the encryption.)
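As an added example that is not part of the deck, the MySQL 5.7 statements that put a table under InnoDB tablespace encryption once a keyring plugin is loaded; the my.cnf fragment, schema and table names are assumptions:

```sql
-- Assumed my.cnf fragment: the keyring must load before InnoDB initialises.
-- [mysqld]
-- early-plugin-load=keyring_okv.so
-- keyring_okv_conf_dir=/usr/local/mysql/mysql-keyring-okv
-- keyring_okv is the KMIP 1.2 client (Oracle Key Vault or another KMIP key
-- store); keyring_file.so also works but keeps the master key on the same disk
-- as the data it protects, so it suits testing only.

-- 1. Confirm the keyring plugin is active and file-per-table tablespaces are
--    in use (5.7 encrypts only file-per-table tablespaces).
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';
SHOW VARIABLES LIKE 'innodb_file_per_table';

-- 2. Encrypt a new table and an existing one (hypothetical hr schema).
CREATE TABLE hr.payroll (
  id   INT PRIMARY KEY,
  iban VARBINARY(64)
) ENGINE=InnoDB ENCRYPTION='Y';

ALTER TABLE hr.contracts ENCRYPTION='Y';   -- rebuilds the tablespace encrypted

-- 3. Inventory: which tables are encrypted at rest?
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
  FROM INFORMATION_SCHEMA.TABLES
 WHERE CREATE_OPTIONS LIKE '%ENCRYPTION="Y"%';

-- 4. Rotate the master key (SUPER privilege in 5.7). Only the tablespace keys
--    are re-encrypted under the new master key; data files are not rewritten,
--    so rotation is cheap and can be scheduled as policy requires.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
```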


MySQL Enterprise Audit

• Auditing for Security & Compliance

– FIPS, HIPAA, PCI-DSS, SOX, DISA STIG, …

• MySQL built-in logging infrastructure:

– general log, error log

• MySQL Enterprise Audit

– Granularity made for auditing

– Can be modified live

– Contains additional details

– Compatible with Oracle Audit Vault

https://dev.mysql.com/doc/refman/5.7/en/audit-log.html

Adds regulatory compliance to MySQL applications (HIPAA, Sarbanes-Oxley, PCI, etc.)



MySQL Enterprise Audit Work Flow
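As an added example, not taken from the deck, the rule-based audit filtering (MySQL 5.7.13 and later) behind the "granularity" and "can be modified live" bullets; the filter name and the account are assumptions:

```sql
-- Assumes the plugin and its UDFs were installed with the bundled
-- audit_log_filter_linux_install.sql script, which also creates the
-- mysql.audit_log_filter and mysql.audit_log_user tables.
SELECT PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME = 'audit_log';

-- A filter that records logins/logouts plus writes to tables, but not reads,
-- which keeps the log small while still answering "who changed what, when".
SELECT audit_log_filter_set_filter('logins_and_writes', '{
  "filter": {
    "class": [
      { "name": "connection" },
      { "name": "table_access",
        "event": { "name": [ "insert", "update", "delete" ] } }
    ]
  }
}');

-- Assign it to one application account. Using '%' as the account would make
-- it the default filter for every account without an explicit assignment.
SELECT audit_log_filter_set_user('app_user@localhost', 'logins_and_writes');

-- Changing policy needs no restart: drop the filter (this unassigns its
-- users), define the replacement, and reassign.
SELECT audit_log_filter_remove_filter('logins_and_writes');
SELECT audit_log_filter_set_filter('logins_and_writes',
                                   '{ "filter": { "log": true } }');
SELECT audit_log_filter_set_user('app_user@localhost', 'logins_and_writes');

-- Review the current assignments.
SELECT USER, HOST, FILTERNAME FROM mysql.audit_log_user;
```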


MySQL Enterprise Firewall

• Real Time Protection

– Queries analyzed and matched against White List

• Blocks SQL Injection Attacks

– Positive Security Model

• Blocks Suspicious Traffic

– Out-of-policy transactions detected & blocked

• Learns White List

– Automated creation of approved list of SQL command patterns on a per user basis

• Transparent

– No changes to application required

MySQL Enterprise Firewall monitoring

Protection from SQL Injection Attacks - #1 Web Application Vulnerability - 77% of Web Sites had vulnerabilities

https://dev.mysql.com/doc/refman/5.7/en/firewall.html


MySQL Enterprise Firewall: Operating Modes

• ALLOW – SQL matches the whitelist: execute the SQL (allows "matching" SQL, blocks SQL attacks)

• BLOCK – SQL not in the whitelist: block the request (BLOCK and ALERT)

• DETECT (IDS) – SQL not in the whitelist: execute the SQL and alert (ALLOW and ALERT)
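The three modes as they are driven from SQL in MySQL 5.7, as an added example that is not from the deck; the protected account app_user@localhost is an assumption:

```sql
-- Assumes the firewall was installed with the bundled script:
--   mysql -u root -p mysql < linux_install_firewall.sql
SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode';   -- ON once installed

-- 1. RECORDING: run the application's normal workload as app_user while the
--    firewall learns the normalized shape of every statement it issues.
CALL mysql.sp_set_firewall_mode('app_user@localhost', 'RECORDING');

-- What was learned: literals are replaced by ?, so only statement structure
-- is whitelisted, e.g.  SELECT * FROM `accounts` WHERE `id` = ?
-- Review this list before leaving RECORDING; anything captured here is
-- permanently allowed for that account.
SELECT RULE FROM mysql.firewall_whitelist
 WHERE USERHOST = 'app_user@localhost';

-- 2. PROTECTING (the BLOCK mode on the slide): statements whose normalized
--    form is not in the whitelist are rejected. An injected tautology such as
--    WHERE id = 1 OR TRUE normalizes to a pattern that was never recorded, so
--    the client sees "Statement was blocked by Firewall" and nothing runs.
CALL mysql.sp_set_firewall_mode('app_user@localhost', 'PROTECTING');

-- 3. DETECTING (IDS mode): same matching, but out-of-whitelist statements are
--    executed and reported in the error log instead of being blocked. Useful
--    to validate the whitelist against production traffic before blocking.
CALL mysql.sp_set_firewall_mode('app_user@localhost', 'DETECTING');

-- Counters for the three outcomes: granted, denied, suspicious (DETECTING).
SHOW GLOBAL STATUS LIKE 'Firewall_access_%';
```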


MySQL Enterprise Backup

• Online, non-locking backup and recovery

– Complete MySQL instance backup (data and config)

– Partial backup and restore

• Direct Cloud storage backups (S3, etc.)

• Incremental backups

• Point-in-time recovery

• Advanced compression and encryption

• Backup to tape (SBT)

• Backup validation

• Optimistic backups

• Cross-Platform (Windows, Linux, Unix)


MySQL Enterprise Monitor

• Start monitoring MySQL in 10 minutes

• Real-time MySQL performance and availability monitoring

• Visually find & fix problem queries

• Disk monitoring for capacity planning

• Cloud friendly architecture

– No agents required

• Role based access controls


MySQL Enterprise Monitor: Backup

• Monitor backup usage and health

– Across your entire datacenter

• Drill into backup job details

– Allowing for easy backup recovery

• Supports all backup types

• Alerting on significant events

– Poor backup performance

– Backup job failures

– Out of date backups


MySQL Enterprise Monitor: Security

• Enforce MySQL Security Best Practices

– Identifies vulnerabilities

– Assesses current setup against security hardening policies

• Monitoring and Alerting

– User accounts and passwords

– Firewall usage, effectiveness, and red flags

– Backups and data loss security

– Schema changes and tracking

– Configuration changes and tuning advice

• Centralized Secure User Management


MySQL Enterprise Encryption

• MySQL encryption functions

– Symmetric encryption AES256 (All Editions)

– Public-key / asymmetric cryptography – RSA

• Key management functions

– Generate public and private keys

– Key exchange methods: DH

• Sign and verify data functions

– Cryptographic hashing for digital signing, verification, & validation – RSA, DSA


http://dev.mysql.com/doc/refman/5.7/en/enterprise-encryption.html


MySQL Enterprise Encryption: Encryption/Decryption within MySQL

(Diagram: sensitive data is encrypted with the public key and held as encrypted data; decryption with the private key returns the sensitive data.)

Private / Public Key Pairs

– Generate using MySQL Enterprise Encryption Functions

– Use externally generated (e.g. OpenSSL)


MySQL Enterprise Encryption: App Encrypts / MySQL Decrypts

(Diagram: applications encrypt sensitive data with the public key and send the encrypted data to MySQL, which decrypts it with the private key.)


MySQL Enterprise Encryption: App Encrypts / MySQL Stores / MySQL Decrypts

(Diagram: applications encrypt sensitive data with the public key; MySQL stores the encrypted data and later decrypts it with the private key, returning the sensitive data to applications.)
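The three encryption flows above (encrypt/decrypt inside MySQL, app encrypts / MySQL decrypts, app encrypts / MySQL stores / MySQL decrypts) written out with the MySQL 5.7 Enterprise Encryption functions, as an added example that is not from the deck; the vault table and the sample values are constructed:

```sql
-- Assumes the Enterprise Encryption UDFs are installed from openssl_udf.so
-- and a hypothetical table vault(id INT PRIMARY KEY, secret BLOB).

-- Key pair. Generated in-session for the demo; in production the private
-- key stays with the decrypting side (or an external key store, as the
-- "Use externally generated" bullet allows) and only the public key is
-- handed to the application.
SET @priv = create_asymmetric_priv_key('RSA', 2048);
SET @pub  = create_asymmetric_pub_key('RSA', @priv);

-- Application side ("App Encrypts"): only the public key is needed.
-- RSA with PKCS#1 padding: the plaintext must be shorter than the key length
-- minus 11 bytes (245 bytes for 2048-bit); wrap a symmetric key for anything
-- larger rather than splitting the payload.
SET @ct = asymmetric_encrypt('RSA', 'FR76 0000 0000 0000 0000 (constructed)', @pub);

-- "MySQL Stores": the ciphertext is all the table ever holds.
INSERT INTO vault (id, secret) VALUES (1, @ct);

-- "MySQL Decrypts": only a session holding the private key can read it back.
SELECT CAST(asymmetric_decrypt('RSA', secret, @priv) AS CHAR) AS plaintext
  FROM vault WHERE id = 1;

-- Digital signature / data validation: hash, sign with the private key,
-- verify with the public key. asymmetric_verify() returns 1 for a valid
-- signature over the given digest and 0 otherwise, so a changed amount
-- fails verification.
SET @digest = create_digest('SHA256', 'invoice-2016-0042;amount=1250.00');
SET @sig    = asymmetric_sign('RSA', @digest, @priv, 'SHA256');
SELECT asymmetric_verify('RSA', @digest, @sig, @pub, 'SHA256') AS signature_ok;
SELECT asymmetric_verify('RSA',
         create_digest('SHA256', 'invoice-2016-0042;amount=9999.00'),
         @sig, @pub, 'SHA256') AS tampered_signature_ok;
```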


MySQL Enterprise Authentication

• Built-in Authentication

– user table stores users and encrypted passwords

• X.509

– Server authenticates client certificates

• MySQL Native, SHA-256 Password plugin

– Native uses SHA-1; the plugin uses SHA-256 hashing with per-user salting for user account passwords.

• MySQL Enterprise Authentication

– Microsoft Active Directory

– Linux PAMs (Pluggable Authentication Modules)

● Support LDAP and more

• Custom Authentication

Integrates MySQL with existing security infrastructures and SOPs


MySQL Enterprise Authentication

• PAM (Pluggable Authentication Modules)

– Access external authentication methods

– Standard interface (Unix, LDAP, Kerberos, others)

– Proxied and non-proxied users

• Windows

– Access native Windows services

– Authenticate users already logged into Windows (Windows Active Directory)

• Pluggable Authentication API
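Non-proxied and proxied PAM users set up in MySQL 5.7, as an added example that is not from the deck; the PAM service name mysql-unix, the Unix groups, the accounts and the schema are assumptions:

```sql
-- Assumes /etc/pam.d/mysql-unix exists and validates local Unix accounts.
INSTALL PLUGIN authentication_pam SONAME 'authentication_pam.so';

-- Non-proxied: one MySQL account per OS login; the password is checked by
-- PAM, so no hash is stored in mysql.user for this account.
CREATE USER 'jdoe'@'localhost' IDENTIFIED WITH authentication_pam AS 'mysql-unix';
GRANT SELECT ON reporting.* TO 'jdoe'@'localhost';

-- Proxied: privileges live on role-like accounts that nobody logs into
-- directly (locked), and one anonymous PAM account maps Unix groups onto them.
CREATE USER 'dba_role'@'localhost' IDENTIFIED BY '<unused-random-password>' ACCOUNT LOCK;
CREATE USER 'ops_role'@'localhost' IDENTIFIED BY '<unused-random-password>' ACCOUNT LOCK;
GRANT ALL    ON hr.* TO 'dba_role'@'localhost';
GRANT SELECT ON hr.* TO 'ops_role'@'localhost';

-- Members of Unix group "dba" become dba_role, members of "ops" become ops_role.
CREATE USER ''@'' IDENTIFIED WITH authentication_pam
  AS 'mysql-unix, dba=dba_role, ops=ops_role';
GRANT PROXY ON 'dba_role'@'localhost' TO ''@'';
GRANT PROXY ON 'ops_role'@'localhost' TO ''@'';

-- PAM needs the password in clear text from the client
-- (mysql --enable-cleartext-plugin ...), so require TLS for these accounts.
ALTER USER ''@'' REQUIRE SSL;
ALTER USER 'jdoe'@'localhost' REQUIRE SSL;

-- Inside a proxied session: USER() is the OS login, CURRENT_USER() is the
-- proxied account whose privileges apply, @@proxy_user is the ''@'' account.
SELECT USER(), CURRENT_USER(), @@proxy_user;
```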



Thank you!