
DevTalks.ro 2019 What's New in MySQL 8.0 Security

A 2019 version of the talk.



  1. Copyright © 2019, Oracle and/or its affiliates. All rights reserved.
     MySQL 8.0: What's New in Security?
     Georgi "Joro" Kodinov, MySQL Server General (SrvGen) Team Lead
  2. Safe Harbor Statement
     The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle's products may change and remains at the sole discretion of Oracle Corporation.
  3. Georgi "Joro" Kodinov, MySQL @ Oracle
     • Server General Team Lead
     • Works on MySQL since 2006
     • Specializes in: security, client/server protocol, performance monitoring, component infrastructure
     • Loves history, diverse world cultures, gardening
     • A devoted Formula 1 fan (Go, Vettel!)
  4. Program Agenda
     1 Security Challenges
     2 New Security Features in MySQL 8
     3 New Security Features in MySQL Enterprise Edition
     4 MySQL Security Architecture
  6. Cost of Data Breaches (Source: Ponemon Institute, 2018)
     [Bar charts; recovered values: records compromised, average cost]
     Small to Medium Breaches
       Less than 10,000       $1.9M
       10,000 to 25,000       $2.8M
       25,001 to 50,000       $4.6M
       Greater than 50,000    $6.3M
     Mega Breaches
       20 Million records     $199M
       30 Million records     $279M
       40 Million records     $325M
       50 Million records     $350M
  7. Regulatory Compliance
     • Regulations
       – PCI-DSS: payment card data
       – HIPAA: privacy of health data
       – Sarbanes-Oxley, GLBA, The USA PATRIOT Act: financial data, NPI ("personally identifiable financial information")
       – FERPA: student data
       – EU General Data Protection Directive (GDPR): protection of personal data
       – Data Protection Act (UK): protection of personal data
     • Requirements
       – Continuous monitoring (users, schema, backups, etc.)
       – Data protection (encryption, privilege management, etc.)
       – Data retention (backups, user activity, etc.)
       – Data auditing (user activity, etc.)
  8. How to Secure your Databases
     • Assess: locate risks and vulnerabilities; ensure that necessary security controls are
     • Prevent: using cryptography, user controls, access controls, etc.
     • Detect: a breach is still possible, so audit, monitor, alert
     • Recover: ensure service is not interrupted as a result of a security incident, even through the outage of a primary database; forensics (post mortem) and fix the vulnerability
  9. New Security Features in MySQL 8.0
  10. MySQL Security Overview
     • Authentication
     • Authorization
     • Encryption
     • Firewall
     • Auditing
     • New! Masking/De-Identification: available in 5.7.24 & 8.0.13; will be in MySQLaaS as well
  11. New! MySQL Roles: Improving MySQL Access Controls (feature request from DBAs)
     • Introduced in the 8.0.0 DMR
     • Easier to manage user and application rights
     • As standards compliant as practically possible
     • Multiple default roles
     • Can export the role graph in GraphML
     [Diagram: a user's effective set of ACLs is obtained either directly or indirectly through Set Role(s) / Default Role(s)]
  12. SQL Roles Implementation: MySQL Extras
     • Roles can have an optional host part (not currently used)
     • Pre-roles ACL code is used when there is no active role
     • Users can be assigned several roles
     • Users can have zero or more default roles
     • Active roles can be changed from among the various assigned roles, for example to escalate or change privileges from within an application for certain operations
  13. Role Examples
     [Slide content not captured in the transcript]
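The "Role Examples" slide did not survive extraction, so the following is an added example (not the presenter's code) of the role mechanics described on slides 11 and 12: a role graph, several assigned roles with a subset active by default, in-session escalation, and the GraphML export. All role, account and schema names (app_read, app_write, app_admin, svc_app, shop) are constructed.

```sql
-- Added example; not code from the slides. All role/user/schema names are constructed.
CREATE ROLE IF NOT EXISTS 'app_read', 'app_write', 'app_admin';

GRANT SELECT ON shop.* TO 'app_read';
GRANT INSERT, UPDATE, DELETE ON shop.* TO 'app_write';
GRANT ALL PRIVILEGES ON shop.* TO 'app_admin';

-- Roles can be granted to roles: app_write inherits app_read (this is the role graph)
GRANT 'app_read' TO 'app_write';

-- One service account, several assigned roles
CREATE USER IF NOT EXISTS 'svc_app'@'10.0.0.%' IDENTIFIED BY 'placeholder-change-me';
GRANT 'app_read', 'app_write', 'app_admin' TO 'svc_app'@'10.0.0.%';

-- Multiple default roles: these become active at login; app_admin stays assigned but dormant
SET DEFAULT ROLE 'app_read', 'app_write' TO 'svc_app'@'10.0.0.%';

-- Inside the application session: escalate for one administrative step, then drop back.
-- With no active role at all (SET ROLE NONE) the pre-roles ACL path is used.
SET ROLE 'app_admin';
ALTER TABLE shop.orders ADD COLUMN note VARCHAR(255);
SET ROLE DEFAULT;

-- Inspection: what is active now, what the account gets through given roles, and the edge list
SELECT CURRENT_ROLE();
SHOW GRANTS FOR 'svc_app'@'10.0.0.%' USING 'app_read', 'app_write';
SELECT FROM_USER, FROM_HOST, TO_USER, TO_HOST FROM mysql.role_edges;

-- Export the whole role graph as GraphML (needs the ROLE_ADMIN dynamic privilege)
SELECT roles_graphml();
```

Keeping the administrative role assigned but not in the default set is the point of the "multiple default roles" feature: the application runs with read/write rights and only widens its privileges for the duration of an explicit `SET ROLE`, which is also what shows up in the audit trail.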
  14. MySQL Enterprise Masking and De-Identification: New in MySQL 8.0.13 AND 5.7.24!
     • Data de-identification helps database customers improve security
     • Accelerates compliance for
       – Government: GDPR, CHHS
       – Financial: PCI
       – Healthcare: HIPAA, clinical trials data
     • Reduces IT costs by simplifying the sanitizing of production data
       – Transforming sensitive data for use in analytics, testing, development, and more
  15. NEW! MySQL Enterprise Masking and De-Identification: De-identify, Anonymize Sensitive Data
     Employee Table
       ID   | Last      | First   | SSN
       1111 | Smith     | John    | 555-12-5555
       1112 | Templeton | Richard | 444-12-4444
     Masked View (random data generation for the ID column)
       ID   | Last      | First   | SSN
       2874 | Smith     | John    | XXX-XX-5555
       3281 | Templeton | Richard | XXX-XX-4444
     "Data Masking is a method to hide sensitive information by replacing real values with substitutes."
  16. MySQL Enterprise Masking and De-Identification: Data Masking and Random Data Generation
     • Data Masking
       – String masking
       – Dictionary based replacement
       – Specific masking
         • SSN
         • Payment card: strict/relaxed
     • Random Data Generators
       – Random number within a range
       – Email
       – Payment card (Luhn check compliant)
       – SSN
       – Dictionary based generation
  17. Data Masking Examples
     [Slide content not captured in the transcript]
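The "Data Masking Examples" slide was not captured either, so here is an added example (not the presenter's code) that builds the employee table and masked view of slide 15 and exercises the masking and random-data functions listed on slide 16. It assumes MySQL Enterprise Edition with the data_masking plugin installed and its UDFs created; the schema, table, column and account names, the sample rows and the dictionary file path are all constructed.

```sql
-- Added example; not code from the slides. Assumes MySQL Enterprise Edition with the
-- data_masking plugin installed and its UDFs created (INSTALL PLUGIN data_masking
-- SONAME 'data_masking.so', then CREATE FUNCTION ... for each UDF). Schema, table,
-- column, account names, sample rows and the dictionary path are constructed.
CREATE TABLE hr.employee (
  id    INT PRIMARY KEY,
  last  VARCHAR(64),
  first VARCHAR(64),
  ssn   CHAR(11),
  pan   CHAR(16),
  email VARCHAR(128)
);
INSERT INTO hr.employee VALUES
  (1111, 'Smith',     'John',    '555-12-5555', '4532015112830366', 'john.smith@example.com'),
  (1112, 'Templeton', 'Richard', '444-12-4444', '5105105105105100', 'richard.t@example.com');

-- Masked view, as on the "Masked View" slide: analysts query this, never the base table
CREATE OR REPLACE SQL SECURITY DEFINER VIEW hr.employee_masked AS
SELECT gen_range(1000, 9999)      AS id,     -- random surrogate id instead of the real one
       last,
       first,
       mask_ssn(ssn)              AS ssn,    -- specific masking: keeps only the last four digits
       mask_pan(pan)              AS pan,    -- strict card masking; mask_pan_relaxed keeps the BIN too
       mask_inner(email, 1, 12)   AS email   -- generic string masking: keeps 1 leading char and the 12-char domain
FROM hr.employee;

GRANT SELECT ON hr.employee_masked TO 'analyst'@'%';

-- Random data generation for test/dev copies: no real identifiers leave production
CREATE TABLE hr.employee_test LIKE hr.employee;
INSERT INTO hr.employee_test (id, last, first, ssn, pan, email)
SELECT gen_range(1000, 9999), last, first,
       gen_rnd_ssn(),            -- format-valid SSN from an unassigned range
       gen_rnd_pan(),            -- Luhn-check compliant card number
       gen_rnd_email()
FROM hr.employee;

-- Dictionary-based replacement and generation (path is constructed; must be under secure_file_priv)
SELECT gen_dictionary_load('/var/lib/mysql-files/surnames.txt', 'surnames');
UPDATE hr.employee_test SET last = gen_dictionary('surnames');
-- Replace any value found in the 'banned_terms' dictionary with one drawn from 'replacements'
-- (both assumed to have been loaded the same way)
SELECT gen_blacklist('Smith', 'banned_terms', 'replacements');
```

The view is `SQL SECURITY DEFINER` so the analyst account needs no privilege on `hr.employee` at all; the masking happens on the way out and the only grant the analyst holds is on the view. For the test copy, the random generators keep the format (a Luhn-valid PAN, a well-formed SSN) so application validation still passes while no production value is present.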
  18. MySQL Enterprise Authentication: Integrates MySQL with existing security infrastructures
     • Integrate with centralized authentication infrastructure
       – Centralized account management
       – Password policy management
       – Groups & roles
     • Supports
       – Windows Active Directory (for Windows MySQL servers)
       – Linux PAM (Pluggable Authentication Modules)
       – New Native LDAP
         • Ultra fast and flexible
         • Works with Windows AD (even on non-Windows MySQL servers)
  19. MySQL Enterprise Authentication: Native LDAP
     • Direct connection over LDAP protocol/ports
     • Authentication with
       – User and password
       – or SASL
     • Customizable for users and groups
     [Diagram: the MySQL Native LDAP Plugin connects to the LDAP service directory tree on port 389, authenticating with (1) user/password or (2) SASL through the SASL daemon (SASLD)]
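As an added example (not from the slides) of the native LDAP plugin on slides 18 and 19, the following configures SASL authentication against a directory and shows both binding styles the slide mentions: one MySQL account pinned to a directory entry, and group-based mapping through proxy users. It assumes MySQL Enterprise Edition with the authentication_ldap_sasl and mysql_no_login plugins available; the host names, DNs, schema and account names are constructed.

```sql
-- Added example; not code from the slides. Assumes MySQL Enterprise Edition with the
-- native LDAP SASL plugin and the mysql_no_login plugin available. Host names, DNs,
-- schema and account names are constructed.
INSTALL PLUGIN authentication_ldap_sasl SONAME 'authentication_ldap_sasl.so';
INSTALL PLUGIN mysql_no_login SONAME 'mysql_no_login.so';

SET PERSIST authentication_ldap_sasl_server_host   = 'ldap.corp.example';
SET PERSIST authentication_ldap_sasl_server_port   = 389;
SET PERSIST authentication_ldap_sasl_bind_base_dn  = 'ou=People,dc=example,dc=com';
-- Service identity the plugin binds with when it has to search the directory for the user
SET PERSIST authentication_ldap_sasl_bind_root_dn  = 'cn=mysql-bind,ou=Services,dc=example,dc=com';
SET PERSIST authentication_ldap_sasl_bind_root_pwd = 'placeholder-change-me';

-- 1) One MySQL account pinned to one directory entry
CREATE USER 'betsy'@'%' IDENTIFIED WITH authentication_ldap_sasl
  AS 'uid=betsy,ou=People,dc=example,dc=com';
GRANT SELECT ON shop.* TO 'betsy'@'%';

-- 2) Group-based mapping: an anonymous-name account accepts anyone under the subtree
--    (the leading '+' marks a group search), and PROXY grants map LDAP group names to
--    locked-down local accounts that nobody can log in to directly.
CREATE USER ''@'%' IDENTIFIED WITH authentication_ldap_sasl
  AS '+ou=People,dc=example,dc=com';
CREATE USER 'developer'@'localhost'  IDENTIFIED WITH mysql_no_login;
CREATE USER 'accounting'@'localhost' IDENTIFIED WITH mysql_no_login;
GRANT SELECT, INSERT, UPDATE ON shop.*  TO 'developer'@'localhost';
GRANT SELECT                 ON finances.* TO 'accounting'@'localhost';
GRANT PROXY ON 'developer'@'localhost'  TO ''@'%';
GRANT PROXY ON 'accounting'@'localhost' TO ''@'%';

-- Verification after a login: USER() is the directory identity, CURRENT_USER() the proxied one
SELECT USER(), CURRENT_USER(), @@proxy_user;
```

The proxied accounts use `mysql_no_login` on purpose: they carry the privileges of a group but have no credential of their own, so the only way to obtain them is to authenticate against the directory and be mapped. Group membership changes in the directory then take effect without touching MySQL grants.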
  20. New! Atomic ACL Statements (feature request from DBAs)
     • Long standing MySQL issue, for replication, HA, backups, etc.
     • Possible now: ACL tables reside in the 8.0 InnoDB data dictionary
     • Not just a table operation: memory caches need updating too
     • Applies to statements performing multiple logical operations, e.g.
       – CREATE USER u1, u2
       – GRANT SELECT ON *.* TO u1, u2
     • Uses a custom MDL lock to block ACL related activity while altering the ACL caches and tables
  21. New! Dynamic Privileges: finer grained administrative level access controls (feature request from DBAs)
     • Too often SUPER is required for tasks when less privilege is really needed
       – Support the concept of "least privilege"
     • Needed to allow adding administrative access controls
       – Now can come with new components
       – Examples: replication, HA, backup
     • Give us your ideas
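An added example (not from the slides) covering both slide 20 and slide 21: operational accounts that get a dynamic privilege instead of SUPER, a review query for who still holds SUPER, and a demonstration that a multi-account `CREATE USER` is all-or-nothing. Account names and passwords are constructed.

```sql
-- Added example; not code from the slides. Account names and passwords are constructed.

-- Least privilege with dynamic privileges: a backup job needs BACKUP_ADMIN, not SUPER
CREATE USER IF NOT EXISTS 'backup_op'@'localhost' IDENTIFIED BY 'placeholder-change-me';
GRANT BACKUP_ADMIN ON *.* TO 'backup_op'@'localhost';
GRANT SELECT, RELOAD, PROCESS, LOCK TABLES, REPLICATION CLIENT ON *.* TO 'backup_op'@'localhost';

-- A replication / HA operator gets only the replication-related dynamic privileges
CREATE USER IF NOT EXISTS 'repl_op'@'localhost' IDENTIFIED BY 'placeholder-change-me';
GRANT REPLICATION_SLAVE_ADMIN, GROUP_REPLICATION_ADMIN, BINLOG_ADMIN ON *.* TO 'repl_op'@'localhost';

-- Review: who still holds the catch-all SUPER, and which dynamic privileges are granted to whom
SELECT user, host FROM mysql.user WHERE Super_priv = 'Y';
SELECT USER, HOST, PRIV, WITH_GRANT_OPTION FROM mysql.global_grants ORDER BY USER, HOST, PRIV;

-- Atomic ACL statements: a multi-account statement either fully succeeds or changes nothing
CREATE USER 'u2'@'localhost' IDENTIFIED BY 'placeholder-change-me';
-- u2 already exists, so the whole statement fails (ER_CANNOT_USER) and u1 is not created
CREATE USER 'u1'@'localhost', 'u2'@'localhost' IDENTIFIED BY 'placeholder-change-me';
SELECT user, host FROM mysql.user WHERE user IN ('u1', 'u2');
-- The same holds for GRANT to several accounts: there are no partially applied grants,
-- and the binary log (hence every replica) records either the whole statement or nothing.
```

The two review queries are worth running on a schedule: `Super_priv = 'Y'` should shrink to a handful of break-glass accounts as tasks move to dynamic privileges, and `mysql.global_grants` is the single place where the dynamic ones are recorded.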
  22. MySQL Password Features
     • New! Password management
       – Require new passwords, not reuse of old ones, by number of changes and/or time
       – Password reuse (aka password history)
         • Policy can be set globally as well as on a per-account basis
       – New in 8.0.13: can require the old password when changing too
     • New! SHA2 with caching, now default!
       – Strong (when storing) and fast (when connecting)
         • Strong: SHA-256 password hashing (many rounds, random salt, …)
         • Fast: caching greatly reduces latency
     • New! Seamless RSA password-exchange capabilities (lowers SSL costs)
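An added example (not from the slides) that applies the password features on slide 22: the global history/reuse/require-current policy, a per-account override, the self-service password change that must present the current password, and a check that every account has moved to caching_sha2_password. Account names and passwords are constructed.

```sql
-- Added example; not code from the slides. Account names and passwords are constructed.

-- Server-wide policy (8.0.3+ for history/reuse, 8.0.13+ for require-current)
SET PERSIST password_history         = 5;    -- cannot reuse any of the last 5 passwords
SET PERSIST password_reuse_interval  = 365;  -- nor any password used in the last 365 days
SET PERSIST password_require_current = ON;   -- self-service changes must present the old password
-- caching_sha2_password is already the 8.0 default; pin it so config drift cannot undo it
SET PERSIST_ONLY default_authentication_plugin = 'caching_sha2_password';

-- Per-account policy overrides the global one
CREATE USER 'app'@'10.0.0.%' IDENTIFIED WITH caching_sha2_password BY 'placeholder-change-me'
  PASSWORD HISTORY 10
  PASSWORD REUSE INTERVAL 730 DAY
  PASSWORD REQUIRE CURRENT
  PASSWORD EXPIRE INTERVAL 90 DAY;

-- The account rotating its own password: the REPLACE clause carries the current one
ALTER USER USER() IDENTIFIED BY 'new-placeholder' REPLACE 'placeholder-change-me';

-- Migration check: anything still on mysql_native_password is a candidate to move
SELECT user, host, plugin FROM mysql.user WHERE plugin = 'mysql_native_password';
ALTER USER 'legacy'@'%' IDENTIFIED WITH caching_sha2_password BY 'placeholder-change-me';

-- The in-memory hash cache is what makes repeat logins fast; FLUSH PRIVILEGES empties it,
-- so the next login of every account runs the full SHA-256 exchange again.
FLUSH PRIVILEGES;

-- RSA key pair used for the password exchange when the connection is not TLS
SHOW STATUS LIKE 'Caching_sha2_password_rsa_public_key';
SHOW VARIABLES LIKE 'caching_sha2_password_%_key_path';
```

`PASSWORD REQUIRE CURRENT` matters when an application session is hijacked: without it, anyone holding an authenticated session can lock the legitimate owner out by changing the password; with it, the change needs the secret the attacker does not have.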
  23. MySQL 8.0 TDE
     • New! AES 256 encryption of UNDO and REDO logs
       – Super simple to manage: set innodb_undo_log_encrypt=ON/OFF, innodb_redo_log_encrypt=ON/OFF
       – ON: pages written after setting are encrypted; OFF: pages written after setting are not
     • New in 8.0.13! Support for encryption in shared tablespaces
  24. New! Security Model For The Cloud: Why? How?
     • Requirements
       – Allow end users to administer their instances without allowing them to "cut the branch they're sitting on"
     • Problems
       – Single "super-user" that is allowed to do everything
       – Some privileges are not granular enough (e.g. CREATE USER is a global privilege)
     • Solution: create two classes of users, "internal" and "external"
       – Internal "super-user" can handle all users (backward compatible)
       – External "super-user" can only handle external users
  25. New! Security Model For the Cloud: The Tools
     • SYSTEM_USER global privilege
       – When granted to an account, allows it to handle all other accounts it is granted on
       – Checked in addition to existing privilege checks
     • Partial revokes
       – Problem: one can elevate their own privileges by updating the ACL tables
       – Problem: we want global level grants to work for external super-users
       – Solution: allow sticky "exceptions" to global grants:
         • GRANT SELECT ON *.* TO foo;
         • REVOKE SELECT ON mysql.* FROM foo;
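An added example (not from the slides) that builds the two-class model of slides 24 and 25 with the two tools named there: an internal administrator holding SYSTEM_USER, and an external tenant administrator with broad global grants plus a partial revoke that keeps the ACL tables in the mysql schema out of reach. Account names and passwords are constructed.

```sql
-- Added example; not code from the slides. Account names and passwords are constructed.
-- Partial revokes must be enabled before a schema-level subset of a global grant can be revoked.
SET PERSIST partial_revokes = ON;

-- Internal super-user (the provider's). SYSTEM_USER lets it act on every account,
-- including other SYSTEM_USER accounts; it is checked on top of the regular privilege checks.
CREATE USER 'cloud_admin'@'localhost' IDENTIFIED BY 'placeholder-change-me';
GRANT ALL PRIVILEGES ON *.* TO 'cloud_admin'@'localhost' WITH GRANT OPTION;
GRANT SYSTEM_USER ON *.* TO 'cloud_admin'@'localhost';

-- External super-user handed to the tenant: broad global grants ...
CREATE USER 'tenant_admin'@'%' IDENTIFIED BY 'placeholder-change-me';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, CREATE VIEW, SHOW VIEW,
      CREATE ROUTINE, ALTER ROUTINE, EXECUTE, TRIGGER, EVENT, CREATE USER, RELOAD, PROCESS
  ON *.* TO 'tenant_admin'@'%' WITH GRANT OPTION;
-- ... with a sticky exception: the mysql schema (the ACL tables) stays out of reach, so the
-- tenant cannot read password hashes or rewrite mysql.user / mysql.global_grants to escalate,
-- yet can still run CREATE USER / GRANT for its own accounts through the normal ACL statements.
REVOKE SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX ON mysql.* FROM 'tenant_admin'@'%';

-- Because tenant_admin lacks SYSTEM_USER, statements such as
--   ALTER USER 'cloud_admin'@'localhost' ...   or   DROP USER 'cloud_admin'@'localhost'
-- are rejected: the branch it is sitting on cannot be cut.

-- SHOW GRANTS lists the global grant followed by the partial REVOKE on mysql.*
SHOW GRANTS FOR 'tenant_admin'@'%';
-- Which accounts are "internal"?
SELECT USER, HOST FROM mysql.global_grants WHERE PRIV = 'SYSTEM_USER';
```

The partial revoke is also inherited by anything `tenant_admin` grants onward: with `WITH GRANT OPTION` it can hand out its global privileges, but not the part that was revoked on `mysql.*`, so the exception cannot be laundered through a second account.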
  26. MySQL Security Architecture
  27. MySQL Enterprise Edition - SECURITY
     • MySQL Enterprise TDE
       – Data-at-rest encryption
       – Key management/security
     • MySQL Enterprise Authentication
       – External authentication modules: Microsoft AD, Linux PAMs, LDAP
     • MySQL Enterprise Encryption
       – Public/private key cryptography
       – Asymmetric encryption
       – Digital signatures, data validation
       – User activity auditing, regulatory compliance
     • MySQL Data Masking
     • MySQL Enterprise Firewall
       – Block SQL injection attacks
       – Intrusion detection
     • MySQL Enterprise Audit
       – User activity auditing, regulatory compliance
     • MySQL Enterprise Monitor
       – Changes in database configurations, user permissions, database schema, passwords
     • MySQL Enterprise Backup
       – Securing backups, AES 256 encryption
     • MySQL Enterprise Thread Pool
       – Attack hardening
  28. Enterprise Security Architecture
     [Diagram of the components arranged around the Assess / Prevent / Detect / Recover model; recovered labels:]
     • Workbench: model, data, audit data, user management
     • Enterprise Monitor: identifies vulnerabilities, security hardening policies, monitoring & alerting, user monitoring, password monitoring, schema change monitoring, backup monitoring
     • Data Encryption: TDE, encryption, PKI
     • Firewall
     • Enterprise Authentication: SSO - LDAP, AD, PAM
     • Network Encryption
     • Enterprise Audit: powerful rules engine; Audit Vault
     • Strong Authentication; Access Controls
     • Enterprise Backup: encrypted
     • HA: InnoDB Cluster
     • Thread Pool: attack minimization
     • Key Vault: protect keys
     • Enterprise Masking & De-Identification: masking, substitute/subset, random formatted data, blacklisted data
  29. What is Transparent Data Encryption?
     • Data at rest encryption
       – Tablespaces, disks, storage, OS file system
     • Transparent to applications and users
       – No application code, schema or data type changes
     • Transparent to DBAs
       – Keys are hidden from DBAs, no configuration changes
     • Requires key management
       – Protection, rotation, storage, recovery
  30. Using MySQL Transparent Data Encryption is EASY
     • SQL
       – New option in CREATE TABLE: ENCRYPTION="Y"
       – New SQL: ALTER INSTANCE ROTATE INNODB MASTER KEY
     • Plugin infrastructure
       – New plugin type: keyring
       – Ability to load a plugin before InnoDB initialization: --early-plugin-load
     • Keyring plugin
       – Used to retrieve keys from key stores
       – Over the standardized KMIP protocol
     • InnoDB
       – Support for encrypted tables
       – IMPORT/EXPORT of encrypted tables
       – Support for master key rotation
       – New! undo/redo log encryption
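An added example (not from the slides) that walks through the TDE pieces from slides 23, 29 and 30 in the order a DBA applies them: keyring loaded early, an encrypted table and an encrypted shared tablespace, redo/undo log encryption, master key rotation, and a query to verify what is actually encrypted. File paths, schema and table names are constructed.

```sql
-- Added example; not code from the slides. Paths, schema and table names are constructed.
--
-- 0. The keyring has to be up before InnoDB initialises, so it is a startup option, not SQL:
--      [mysqld]
--      early-plugin-load = keyring_file.so
--      keyring_file_data = /var/lib/mysql-keyring/keyring
--    Community: keyring_file (plaintext file on disk; protect it with OS permissions).
--    Enterprise: keyring_encrypted_file, or keyring_okv for a KMIP server such as Oracle Key Vault.

-- Confirm the plugin is loaded before creating anything encrypted
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';

-- 1. Encrypted file-per-table tablespace: one CREATE TABLE option, no schema or app change
CREATE TABLE shop.cardholder (
  id        INT PRIMARY KEY,
  pan_token VARBINARY(64)
) ENCRYPTION = 'Y';

-- Existing table: ALTER rebuilds the tablespace with encrypted pages
ALTER TABLE shop.legacy_cardholder ENCRYPTION = 'Y';

-- 8.0.13+: encrypted shared (general) tablespace; tables placed in it inherit the setting
CREATE TABLESPACE ts_secure ADD DATAFILE 'ts_secure.ibd' ENCRYPTION = 'Y';
CREATE TABLE shop.ledger (id INT PRIMARY KEY, amount DECIMAL(12,2)) TABLESPACE ts_secure;

-- 2. Redo/undo log encryption: pages written after the switch are encrypted, earlier ones are not
SET PERSIST innodb_redo_log_encrypt = ON;
SET PERSIST innodb_undo_log_encrypt = ON;

-- 3. Master key rotation re-wraps each tablespace key with a fresh master key.
--    Data pages are not rewritten, so this is cheap and can be scheduled regularly.
ALTER INSTANCE ROTATE INNODB MASTER KEY;

-- 4. Audit what is and is not encrypted at rest
SELECT NAME, ENCRYPTION
  FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
 WHERE NAME LIKE 'shop/%' OR NAME = 'ts_secure';
SHOW GLOBAL VARIABLES LIKE 'innodb_%_log_encrypt';
```

Two caveats follow directly from the slides: the redo/undo switches only affect pages written afterwards, so old log content stays in clear until it is overwritten, and a master key rotation is only as good as the keyring backend it talks to; with `keyring_file` the master key lives on the same host as the data, which is why the Enterprise KMIP backends exist.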
  31. MySQL Enterprise TDE: KMIP Compliant
     • KMIP: Key Management Interoperability Protocol (OASIS standard)
     • Keys are protected and secure
     • Enables customers to meet regulatory requirements
     • KMIP mode tested with the following products
       – Oracle Key Vault (OKV)
       – Gemalto SafeNet KeySecure
       – Fornetix Key Orchestration Appliance
       – Thales Vormetric
  32. The Keyring API: The Big Picture
     [Diagram: the MySQL server and its plugins (consumers) obtain keys through the Keyring API / Keyring Plugin Service; a keyring plugin (backend) implementing the Keyring Plugin API stores and retrieves the keys in key storage. Each key has a name and an ACL.]
  33. What is the Keyring API?
     • A uniform infrastructure for handling keys
     • Usable by both the server and plugins
     • Available in MySQL 5.7 and up as a plugin API and a plugin service
     • Fully extensible
     • Can be initialized before InnoDB at startup
     • Minimum effort to add new backends and consumers
     • New! A keyring migration tool to facilitate moving keys across back-ends!
  34. Keyring plugins: The Inventory
     • Current consumers
       – InnoDB tablespace encryption
       – SQL user defined functions (UDF) plugin
       – Enterprise Audit
     • Current backends
       – Flat file backend (in EE can be encrypted)
       – KMIP compliant clients
         • Oracle Key Vault
         • Gemalto SafeNet KeySecure
         • Probably more if they support KMIP standards; give it a try
  35. MySQL Enterprise Encryption
     • MySQL encryption functions
       – Symmetric encryption: AES256 (all editions)
       – Public-key / asymmetric cryptography: RSA
     • Key management functions
       – Generate public and private keys
       – Key exchange methods: DH
     • Sign and verify data functions
       – Cryptographic hashing for digital signing, verification & validation: RSA, DSA
     • New since 8.0.11: MySQL can work in FIPS mode
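An added example (not from the slides) exercising each function family on slide 35: AES-256 with an explicit mode and per-record IV, RSA key generation and encryption of a data key, a signature over a SHA-256 digest with a tamper check, and a Diffie-Hellman agreement. It assumes the MySQL Enterprise Encryption UDFs are installed; every plaintext and the key-derivation string are constructed placeholders.

```sql
-- Added example; not code from the slides. Assumes the MySQL Enterprise Encryption UDFs
-- (openssl_udf.so) are installed; all plaintexts and key material are constructed.

-- Symmetric AES-256 (all editions). The mode is a session variable and must match on decrypt.
SET SESSION block_encryption_mode = 'aes-256-cbc';
SET @key = UNHEX(SHA2('placeholder: fetch the real key from the keyring, never hard-code it', 256));
SET @iv  = RANDOM_BYTES(16);                       -- fresh IV per record; store it next to the ciphertext
SET @ct  = AES_ENCRYPT('4532015112830366', @key, @iv);
SELECT AES_DECRYPT(@ct, @key, @iv) AS plaintext;

-- Asymmetric RSA (Enterprise Encryption UDFs)
SET @priv = create_asymmetric_priv_key('RSA', 2048);
SET @pub  = create_asymmetric_pub_key('RSA', @priv);

-- Public-key encryption: RSA only fits short payloads, so wrap a per-record data key, not the data
SET @dek     = RANDOM_BYTES(32);
SET @wrapped = asymmetric_encrypt('RSA', @dek, @pub);
SELECT asymmetric_decrypt('RSA', @wrapped, @priv) = @dek AS dek_roundtrip_ok;

-- Digital signature: hash first, sign the digest, verify with the public key
SET @digest = create_digest('SHA256', 'contract body v1');
SET @sig    = asymmetric_sign('RSA', @digest, @priv, 'SHA256');
SELECT asymmetric_verify('RSA', @digest, @sig, @pub, 'SHA256') AS signature_valid;
-- A modified document yields a different digest, so the same signature no longer verifies
SELECT asymmetric_verify('RSA', create_digest('SHA256', 'contract body v2'), @sig, @pub, 'SHA256') AS tampered_doc;

-- Diffie-Hellman: parameters are slow to generate, so create them once and store them
SET @dh_params = create_dh_parameters(2048);
SET @dh_priv_a = create_asymmetric_priv_key('DH', @dh_params);
SET @dh_pub_a  = create_asymmetric_pub_key('DH', @dh_priv_a);
SET @dh_priv_b = create_asymmetric_priv_key('DH', @dh_params);
SET @dh_pub_b  = create_asymmetric_pub_key('DH', @dh_priv_b);
-- Each side derives the shared secret from its own private key and the peer's public key
SELECT asymmetric_derive(@dh_pub_b, @dh_priv_a) = asymmetric_derive(@dh_pub_a, @dh_priv_b) AS dh_agree;

-- FIPS mode (8.0.11+): restricts OpenSSL to FIPS-approved algorithms
SHOW VARIABLES LIKE 'ssl_fips_mode';
```

The round-trip, signature and agreement selects each return 1 when the corresponding operation is consistent and 0 otherwise; `tampered_doc` is the one that should come back 0. Keys generated with `create_asymmetric_priv_key` are returned to the session in PEM form, so the private key has to be handed to the keyring or a KMS rather than stored in a table next to the data it protects.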
  36. MySQL Enterprise Audit: adds regulatory compliance to MySQL applications (HIPAA, Sarbanes-Oxley, PCI, etc.)
     • Out-of-the-box logging of connections, logins, and queries
     • User defined policies for filtering, and log rotation
     • Dynamically enabled/disabled: no server restart
     • XML-based audit stream per Oracle Audit Vault spec
     • New! Features in 5.7.21 and in 8.0
       – JSON
       – Compression
       – Encryption
  37. MySQL Enterprise Firewall (MySQL Enterprise Firewall monitoring)
     • Real time protection
       – Queries analyzed and matched against a white list
     • Blocks SQL injection attacks
       – Block out-of-policy transactions
     • Intrusion detection
       – Detect and alert on out-of-policy transactions
     • Learns the white list
       – Automated creation of an approved list of SQL command patterns on a per-user basis
     • Transparent
       – No changes to the application required
     • New! Feature in 5.7.20/8.0: combined firewall/audit rules
       – Create more general allow/deny firewall rules using JSON syntax, using abort=on
  38. MySQL Enterprise Firewall
     • New! Feature in 5.7.20: combined firewall/audit rules
       – Create more general allow/deny firewall rules using JSON syntax, using abort=on
     • Example: block execution of specific
       – SQL statements (insert, update, delete)
       – for a specific table (finances.bank_account)
     • Test rules
       – By writing to the audit log
       – If the data is as expected, change to firewall: add "abort"
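An added example (not from the slides) that implements the workflow of slides 36 to 38: a baseline audit filter, the combined rule for writes to finances.bank_account first in log-only form for testing and then with "abort", and the firewall's record-then-protect cycle. It assumes MySQL Enterprise Audit with rule-based filtering and MySQL Enterprise Firewall are installed; the account name is constructed (the schema and table are the ones named on slide 38).

```sql
-- Added example; not code from the slides. Assumes MySQL Enterprise Audit (audit_log plugin
-- with rule-based filtering) and MySQL Enterprise Firewall are installed. The account name
-- is constructed; finances.bank_account is the table named on the slide.
--
-- Audit output options from the 5.7.21/8.0 slide are startup settings:
--   [mysqld]
--   audit_log_format      = JSON
--   audit_log_compression = GZIP
--   audit_log_encryption  = AES     (password set via audit_log_encryption_password_set())

-- Baseline: log everything for every account
SELECT audit_log_filter_set_filter('log_all', '{ "filter": { "log": true } }');
SELECT audit_log_filter_set_user('%', 'log_all');

-- Combined firewall/audit rule for writes to finances.bank_account.
-- Step 1: test it by LOGGING the matching events only.
SET @rule_log = '{
  "filter": {
    "class": {
      "name": "table_access",
      "event": {
        "name": [ "insert", "update", "delete" ],
        "log": {
          "and": [
            { "field": { "name": "table_database", "value": "finances" } },
            { "field": { "name": "table_name",     "value": "bank_account" } }
          ]
        }
      }
    }
  }
}';
SELECT audit_log_filter_set_filter('watch_bank_account', @rule_log);
SELECT audit_log_filter_set_user('reporting@%', 'watch_bank_account');
-- ... inspect the audit log: are exactly the intended statements matched, and nothing else?

-- Step 2: once the matches look right, the same condition under "abort" blocks the statement
SET @rule_abort = REPLACE(@rule_log, '"log":', '"abort":');
SELECT audit_log_filter_set_filter('block_bank_account', @rule_abort);
SELECT audit_log_filter_set_user('reporting@%', 'block_bank_account');

-- Firewall: learn the application's statement patterns, then enforce them
CALL mysql.sp_set_firewall_mode('reporting@%', 'RECORDING');
-- ... drive the application through its normal workload ...
SELECT USERHOST, RULE FROM mysql.firewall_whitelist WHERE USERHOST = 'reporting@%';
CALL mysql.sp_set_firewall_mode('reporting@%', 'PROTECTING');   -- or 'DETECTING' to alert only
SHOW GLOBAL STATUS LIKE 'Firewall_access_%';
```

The log-first step is not just caution: an over-broad `abort` rule is a self-inflicted denial of service, so the audit log is the cheap way to see which statements a rule would have blocked. For the firewall, the recorded whitelist should be reviewed before switching to PROTECTING, since anything executed during RECORDING, including an injection that happened to occur then, becomes an approved pattern.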
  39. Security Direction
     • Continuing to focus a great deal on security
     • New things are in the works, especially in these areas:
       – TDE / encryption / key management
       – Masking, obfuscation, de-identification, tokenization
       – Audit
       – Firewall
       – Authentication
       – Integration with various Oracle Cloud services
       – Data masking
     • Customer feedback and requirements drive our priorities: tell us what you want, need, etc.; give us problematic use cases
  42. Security Resources
     • http://mysqlserverteam.com/
     • http://insidemysql.com/
     • https://blogs.oracle.com/mysql
     • https://www.mysql.com/why-mysql/#en-0-40
     • https://www.mysql.com/why-mysql/presentations/#en-17-40
     • https://www.mysql.com/news-and-events/on-demand-webinars/#en-20-40
     • https://www.mysql.com/news-and-events/health-check/
  43. Thank you!
