Post on 21-Jan-2018
Copyright © 2017, Oracle and/or its affiliates. All rights reserved.
MySQL 8.0: What's New in Security
Mike Frank, PM Director
Georgi "Joro" Kodinov, MySQL Server Manager
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Program Agenda
1. Security Challenges
2. MySQL Security Solutions
3. The Details
4. New Security Features in MySQL 8
5. New Security Features in MySQL Enterprise Edition
Confidential – Oracle Internal/Restricted/Highly Restricted

89% of organizations experienced data breaches, according to new Ponemon report. Source: Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, conducted by Ponemon Institute.
66% of the largest businesses in the UK have suffered a cyber attack or data breach within the past twelve months. Source: UK government's Cyber Security Breaches Survey 2016.
25% experience a repeated breach at least once a month. Source: UK government's Cyber Security Breaches Survey 2016.

Mega Breaches
• 429 million identities exposed in 2015.
• 75% of websites had vulnerabilities; 15% of all websites had a critical vulnerability.
• 9: in 2015, a record of nine mega-breaches were reported. One of the world's largest: 191M. (Mega-breach = more than 10 million records.)
• Mobile vulnerabilities on the rise – up 214%
• Infection by SQL injection still strong.
• Malware attacks on databases
Source: Internet Security Threat Report 2016, Symantec

Regulatory Compliance
• Regulations
– PCI-DSS: Payment Card Data
– HIPAA: Privacy of Health Data
– Sarbanes Oxley, GLBA, The USA Patriot Act: Financial Data, NPI "personally identifiable financial information"
– FERPA: Student Data
– EU General Data Protection Directive: Protection of Personal Data (GDPR)
– Data Protection Act (UK): Protection of Personal Data
• Requirements
– Continuous Monitoring (Users, Schema, Backups, etc.)
– Data Protection (Encryption, Privilege Management, etc.)
– Data Retention (Backups, User Activity, etc.)
– Data Auditing (User activity, etc.)

Caught Out of Regulatory Compliance -> Large Fines; Data Breach -> Large Losses
• GDPR – the greater of 20,000,000 Euros or 4% of annual revenue
• PCI – range from $5,000 to $500,000, levied by banks/credit card institutions.
– Banks fine based on forensic research to remediate noncompliance. Credit card institutions fine as punishment.
• HIPAA – fines from $400 up to $50k per violation (or per record)
• $3.62 Million – average cost of a breach*
• WW $141 per stolen record* – the average per capita cost of a data breach was $225 in the United States and $190 in Canada.
• The faster the data breach can be identified and contained, the lower the costs.
* Ponemon Institute's 2017 Cost of Data Breach Study: Global Overview

How to Secure your Databases
• Assess
– Locate risks and vulnerabilities; ensure that necessary security controls are
• Prevent
– Using cryptography, user controls, access controls, etc.
• Detect
– Still a possibility of a breach – so audit, monitor, alert
• Recover
– Ensure service is not interrupted as a result of a security incident
– Even through the outage of a primary database
– Forensics – post mortem – fix vulnerability

MySQL Security Overview (diagram, "MySQL Security" at the centre)
• Authentication
• Authorization
• Encryption
• Firewall
• Auditing
• Monitoring
• Availability

MySQL Enterprise Edition - SECURITY
• MySQL Enterprise TDE
– Data-at-Rest Encryption
– Key Management/Security
• MySQL Enterprise Authentication
– External Authentication Modules
• Microsoft AD, Linux PAMs, LDAP
• MySQL Enterprise Encryption
– Public/Private Key Cryptography
– Asymmetric Encryption
– Digital Signatures, Data Validation
– User Activity Auditing, Regulatory Compliance
• MySQL Enterprise Firewall
– Block SQL Injection Attacks
– Intrusion Detection
• MySQL Enterprise Audit
– User Activity Auditing, Regulatory Compliance
• MySQL Enterprise Monitor
– Changes in Database Configurations, Users Permissions, Database Schema, Passwords
• MySQL Enterprise Backup
– Securing Backups, AES 256 encryption
• MySQL Enterprise Thread pool
– Attack Hardening

MySQL Security Architecture (diagram: Assess / Prevent / Detect / Recover)
• Workbench: Model, Data, Audit Data, User Management
• Enterprise Monitor: Identifies Vulnerabilities, Security hardening policies, Monitoring & Alerting, User Monitoring, Password Monitoring, Schema Change Monitoring, Backup Monitoring
• Data Encryption: TDE, Encryption, PKI
• Firewall
• Key Vault
• Enterprise Authentication: SSO - LDAP, AD, PAM
• Network Encryption
• Enterprise Audit: Powerful Rules Engine
• Audit Vault
• Strong Authentication
• Access Controls: Grants, Roles, Dynamic Priv
• Enterprise Backup: Encrypted
• HA: InnoDB Cluster
• Thread Pool: Attack minimization

What is Transparent Data Encryption?
• Data at Rest Encryption
– Tablespaces, Disks, Storage, OS Filesystem
• Transparent to applications and users
– No application code, schema or data type changes
• Transparent to DBAs
– Keys are hidden from DBAs, no configuration changes
• Requires Key Management
– Protection, rotation, storage, recovery

MySQL Transparent Data Encryption (diagram: Encrypted Database Files, Tablespace Key, Master Key; a Malicious OS User/Hacker accesses files directly; Information Access Blocked By Encryption)

Using MySQL Transparent Data Encryption is EASY
SQL
• New option in CREATE TABLE: ENCRYPTION="Y"
• New SQL: ALTER INSTANCE ROTATE INNODB MASTER KEY
Plugin Infrastructure
• New plugin type: keyring
• Ability to load plugin before InnoDB initialization: --early-plugin-load
Keyring plugin
• Used to retrieve keys from Key Stores
• Over standardized KMIP protocol
InnoDB
• Support for encrypted tables
• IMPORT/EXPORT of encrypted tables
• Support for master key rotation
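The TDE workflow from this slide end to end, as an added example (not from the deck): the keyring is loaded before InnoDB, a table is created encrypted, an existing table is converted, the result is verified and the master key is rotated. The schema, table names and keyring file path are constructed for the example; `keyring_okv` would replace `keyring_file` for a KMIP backend.

```sql
-- my.cnf (server side): the keyring must be loaded before InnoDB initialises.
-- keyring_file is the flat-file backend; the path is an assumed example value.
-- [mysqld]
-- early-plugin-load=keyring_file.so
-- keyring_file_data=/var/lib/mysql-keyring/keyring

-- Confirm the keyring plugin is ACTIVE before creating encrypted tables
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';

-- Constructed schema: account data encrypted at rest from the start
CREATE DATABASE IF NOT EXISTS finances;
CREATE TABLE finances.bank_account (
  id    INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
  owner VARCHAR(100) NOT NULL,
  iban  VARCHAR(34)  NOT NULL
) ENGINE=InnoDB ENCRYPTION='Y';

-- An existing plaintext table is converted with a table option only:
-- no application code, schema or data type change (constructed table)
CREATE TABLE finances.ledger (id INT PRIMARY KEY, amount DECIMAL(12,2)) ENGINE=InnoDB;
ALTER TABLE finances.ledger ENCRYPTION='Y';

-- Verify which tables carry the encryption option
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
  FROM INFORMATION_SCHEMA.TABLES
 WHERE CREATE_OPTIONS LIKE '%ENCRYPTION%';

-- Rotate the master key: only the tablespace keys are re-encrypted,
-- table data is not rewritten (8.0: needs ENCRYPTION_KEY_ADMIN or SUPER)
ALTER INSTANCE ROTATE INNODB MASTER KEY;
```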

MySQL Enterprise TDE: KMIP Compliant
• KMIP – Key Management Interoperability Protocol (OASIS Standard)
• Keys are protected and secure
• Enables customers to meet regulatory requirements
• KMIP mode tested with the following products
– Oracle Key Vault (OKV)
– Gemalto SafeNet KeySecure
– Fornetix Key Orchestration Appliance
– More in the works

The Keyring API: The Big Picture (diagram: inside The MySQL Server, Plugins (Consumers) obtain Keys through the Keyring Plugin Service / Keyring Plugin API; the Keyring Plugin (backend) reads and writes Keys in the Key Storage; each Key has a Name/ACL)

What is the Keyring API?
• A uniform infrastructure for handling keys
• Usable by both the server and plugins
• Available in MySQL 5.7 and up as a plugin API and a plugin service
• Fully extensible
• Can be initialized before InnoDB at startup
• Minimum effort to add new backends and consumers

Keyring plugins: The Inventory
• Current Consumers
– InnoDB tablespace encryption
– SQL user defined functions (UDF) plugin
• Current Backends
– Flat file backend
– KMIP compliant clients
• Oracle Key Vault
• Gemalto SafeNet KeySecure
• Probably more if they support KMIP standards – give it a try.

MySQL Enterprise Authentication
• Integrate with Centralized Authentication Infrastructure
– Centralized Account Management
– Password Policy Management
– Groups & Roles Support
– Windows Active Directory
– Linux PAM (Pluggable Authentication Modules)
– New Native LDAP
• Ultra Fast and Flexible
Integrates MySQL with existing security infrastructures

MySQL Enterprise Encryption
• MySQL encryption functions
– Symmetric encryption AES 256 (All Editions)
– Public-key/asymmetric cryptography – RSA
• Key management functions
– Generate public and private keys
– Key exchange methods: DH
• Sign and verify data functions
– Cryptographic hashing for digital signing, verification, & validation – RSA, DSA
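The three function groups on this slide exercised in one session, as an added example (not from the deck): AES-256 with an explicit mode and IV, RSA encrypt/decrypt, sign/verify of a digest, and a DH exchange. It assumes the Enterprise `openssl_udf` functions are installed; the passphrase and messages are constructed.

```sql
-- Symmetric AES-256 (all editions). The default block_encryption_mode is
-- aes-128-ecb, which takes no IV and leaks equal plaintext blocks, so set it.
SET block_encryption_mode = 'aes-256-cbc';
SET @key = UNHEX(SHA2('constructed demo passphrase', 256));  -- 32-byte key
SET @iv  = RANDOM_BYTES(16);                                  -- fresh IV per value
SET @ct  = AES_ENCRYPT('4111 1111 1111 1111', @key, @iv);
SELECT AES_DECRYPT(@ct, @key, @iv) AS plaintext;

-- Key management: RSA key pair (Enterprise Encryption UDFs)
SET @priv = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 2048);
SET @pub  = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv);

-- Asymmetric encryption: anyone with @pub can encrypt, only @priv decrypts
SET @enc = ASYMMETRIC_ENCRYPT('RSA', 'short secret', @pub);
SELECT ASYMMETRIC_DECRYPT('RSA', @enc, @priv) AS decrypted;

-- Sign and verify: hash first, sign the digest, verify against the public key.
-- A different message yields a different digest, so the signature must not verify.
SET @digest = CREATE_DIGEST('SHA256', 'transfer 100 EUR to account 42');
SET @sig    = ASYMMETRIC_SIGN('RSA', @digest, @priv, 'SHA256');
SELECT ASYMMETRIC_VERIFY('RSA', @digest, @sig, @pub, 'SHA256') AS original_ok;
SET @tampered = CREATE_DIGEST('SHA256', 'transfer 900 EUR to account 42');
SELECT ASYMMETRIC_VERIFY('RSA', @tampered, @sig, @pub, 'SHA256') AS tampered_ok;

-- Key exchange (DH): both parties share the parameters, keep their private
-- key, exchange public keys and derive the same shared secret
SET @dhp    = CREATE_DH_PARAMETERS(2048);
SET @a_priv = CREATE_ASYMMETRIC_PRIV_KEY('DH', @dhp);
SET @a_pub  = CREATE_ASYMMETRIC_PUB_KEY('DH', @a_priv);
SET @b_priv = CREATE_ASYMMETRIC_PRIV_KEY('DH', @dhp);
SET @b_pub  = CREATE_ASYMMETRIC_PUB_KEY('DH', @b_priv);
SELECT ASYMMETRIC_DERIVE(@b_pub, @a_priv) = ASYMMETRIC_DERIVE(@a_pub, @b_priv) AS same_secret;
```

`original_ok` and `same_secret` evaluate to 1 and `tampered_ok` to 0; RSA encryption is limited to inputs shorter than the key size, which is why it wraps a short secret rather than bulk data.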

MySQL Enterprise Audit
• Out-of-the-box logging of connections, logins, and queries
• User defined policies for filtering, and log rotation
• Dynamically enabled, disabled: no server restart
• XML-based audit stream per Oracle Audit Vault spec
• New! Features in 5.7.21
– JSON
– Compression
– Encryption
Adds regulatory compliance to MySQL applications (HIPAA, Sarbanes-Oxley, PCI, etc.)

MySQL Enterprise Firewall
• Real Time Protection
– Queries analyzed and matched against White List
• Blocks SQL Injection Attacks
– Block Out of Policy Transactions
• Intrusion Detection
– Detect and Alert on Out of Policy Transactions
• Learns White List
– Automated creation of approved list of SQL command patterns on a per user basis
• Transparent
– No changes to application required
(Screenshot: MySQL Enterprise Firewall monitoring)
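The learn / detect / protect cycle described above, as an added example that is not part of the deck. It assumes the Enterprise Firewall plugin and its stored procedures are installed; the account `app@localhost` is constructed.

```sql
-- 1. Learn: record the normalised digest of every statement the application sends
CALL mysql.sp_set_firewall_mode('app@localhost', 'RECORDING');
-- ... run the application through its normal workload here ...

-- 2. Review the learned whitelist before enforcing it. Literals are replaced
--    by '?', so one rule covers every parameter value of the same statement shape.
SELECT USERHOST, RULE
  FROM mysql.firewall_whitelist
 WHERE USERHOST = 'app@localhost';

-- 3a. Intrusion detection: out-of-policy statements are logged but still run
CALL mysql.sp_set_firewall_mode('app@localhost', 'DETECTING');

-- 3b. Protection: a statement whose digest was never recorded is rejected.
--     An injected tail (an appended condition such as OR 1=1) changes the
--     digest, so the statement fails even though its literals are irrelevant.
CALL mysql.sp_set_firewall_mode('app@localhost', 'PROTECTING');

-- 4. Monitor: granted, suspicious (DETECTING) and denied (PROTECTING) counters
SHOW GLOBAL STATUS LIKE 'Firewall_%';

-- Whitelist rules persist in mysql.firewall_whitelist and are reloaded at restart;
-- to retrain after an application change, go back to RECORDING for that account.
```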

MySQL Enterprise Firewall
• New! Feature in 5.7.20 – Combined Firewall/Audit Rules
– Create more general allow/deny firewall rules using JSON syntax – using abort=on
Example – block execution of specific
• SQL statements (insert, update, delete)
• For a specific table (finances.bank_account)
Test rules
• By writing to audit log
• If data as expected change to firewall
– add "abort"
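The two-step procedure of this slide (log first, then abort) written out with the Enterprise Audit filter functions, as an added example that is not from the deck; it also serves the Enterprise Audit slide above. The filter names and the `app@localhost` account are constructed; the audit_log plugin is assumed installed.

```sql
-- Step 1: observe only. Log insert/update/delete on finances.bank_account and
-- check the audit log shows exactly the events you meant to catch.
SELECT audit_log_filter_set_filter('finances_watch', '{
  "filter": { "class": { "name": "table_access", "event": {
    "name": [ "insert", "update", "delete" ],
    "log": { "and": [
      { "field": { "name": "table_database.str", "value": "finances" } },
      { "field": { "name": "table_name.str",     "value": "bank_account" } }
    ] }
  } } }
}');
SELECT audit_log_filter_set_user('app@localhost', 'finances_watch');

-- Step 2: once the match is confirmed, swap "log" for "abort": the same
-- predicate now rejects the statement (5.7.20+ combined firewall/audit rule).
SELECT audit_log_filter_set_filter('finances_block', '{
  "filter": { "class": { "name": "table_access", "event": {
    "name": [ "insert", "update", "delete" ],
    "abort": { "and": [
      { "field": { "name": "table_database.str", "value": "finances" } },
      { "field": { "name": "table_name.str",     "value": "bank_account" } }
    ] }
  } } }
}');
SELECT audit_log_filter_set_user('app@localhost', 'finances_block');

-- Everyone else keeps plain logging
SELECT audit_log_filter_set_filter('log_all', '{ "filter": { "log": true } }');
SELECT audit_log_filter_set_user('%', 'log_all');

-- Review the assignments; a changed filter applies to new connections
SELECT NAME, FILTER FROM mysql.audit_log_filter;
SELECT USER, HOST, FILTERNAME FROM mysql.audit_log_user;
```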

New Security Features in MySQL 8.0

New! MySQL Roles – Improving MySQL Access Controls
• Introduced in the 8.0.0 DMR
• Easier to manage user and applications rights
• As standards compliant as practically possible
• Multiple default roles
• Can export the role graph in GraphML
Feature Request from DBAs
(Diagram: a user obtains a set of ACLs directly, or indirectly through set role(s) and default role(s).)

SQL Roles Implementation Details - 1
• A role is basically a user account with login disabled.
• A memory based hash of flattened privilege sets for each active role
• 2 new tables: mysql.role_edges and mysql.default_roles
• 2 new SQL functions: CURRENT_ROLE() and ROLE_GRAPHML()
• 3 new global privileges: CREATE ROLE, DROP ROLE and ROLE_ADMIN
• Extensions to: ALTER USER, GRANT/REVOKE, SET [DEFAULT] ROLE and SHOW GRANTS

SQL Roles Implementation Details - 2
• Roles can have an optional host part (not currently used)
• Pre-roles ACL code is used when there's no active role(s)
• Users can be assigned several roles
• Users can have zero or more default roles
• Active Roles can be changed – from various assigned roles
– For example just escalate or change privileges from within an application for certain operations
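The role mechanics of the two slides above in working SQL, as an added example (not from the deck): two roles, an account with one default role that escalates only for a specific operation, and the new tables and functions used to audit the graph. Role names, the `app@localhost` account and the `finances` schema are constructed.

```sql
-- Two roles for the constructed finances schema: read-only reporting and a
-- writer role used only while posting transactions
CREATE ROLE 'finance_reader', 'finance_writer';
GRANT SELECT ON finances.* TO 'finance_reader';
GRANT INSERT, UPDATE ON finances.bank_account TO 'finance_writer';

-- The application account is granted both, but only the reader is active by
-- default, so everyday queries run with least privilege
CREATE USER 'app'@'localhost' IDENTIFIED BY 'constructed-demo-password';
GRANT 'finance_reader', 'finance_writer' TO 'app'@'localhost';
SET DEFAULT ROLE 'finance_reader' TO 'app'@'localhost';

-- SHOW GRANTS lists the role grants; USING expands them to the effective ACLs
SHOW GRANTS FOR 'app'@'localhost';
SHOW GRANTS FOR 'app'@'localhost' USING 'finance_reader', 'finance_writer';

-- In the application's own session (connected as app@localhost):
-- SELECT CURRENT_ROLE();        -- shows the default role only
-- SET ROLE ALL;                 -- escalate: activate every granted role
-- INSERT INTO finances.bank_account (owner, iban) VALUES ('A. Example', 'DE00-constructed');
-- SET ROLE DEFAULT;             -- drop back to read-only for the rest of the session

-- Auditing the graph with the new tables and function
SELECT FROM_USER, FROM_HOST, TO_USER, TO_HOST, WITH_ADMIN_OPTION FROM mysql.role_edges;
SELECT USER, HOST, DEFAULT_ROLE_USER, DEFAULT_ROLE_HOST FROM mysql.default_roles;
SELECT ROLE_GRAPHML();           -- full graph requires ROLE_ADMIN
```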

New! Atomic ACL Statements
• Long standing MySQL issue!
– For Replication, HA, Backups, etc.
• Possible now - ACL tables reside in the 8.0 InnoDB Data Dictionary
• Not just a table operation: memory caches need update too
• Applies to statements performing multiple logical operations, e.g.
– CREATE USER u1, u2
– GRANT SELECT ON *.* TO u1, u2
• Uses a custom MDL lock to block ACL related activity
– While altering the ACL caches and tables
Feature Request from DBAs

New! Dynamic Privileges
Provides finer grained administrative level access controls
• Too often SUPER is required for tasks when less privilege is really needed
– Support concept of "least privilege"
• Needed to allow adding administrative access controls
– Now can come with new components
– Examples
• Replication
• HA
• Backup
• Give us your ideas

Why Dynamic Global Privileges?
• How to add a new global privilege (the 5.7 version)
– Add a column in mysql.user
– Extend the parser
– Amend ACL cache code: reading, caching, writing, upgrade, ...
– Add checks for the new privilege
• Not possible from a plugin!
• Abuse of existing privileges (SUPER)!
• The SUPER-potent SUPER!
Feature Request from DBAs

How Do Dynamic Privileges Work?
• Provides new component service
– Can add, remove and check global privileges
• Only GRANTs are persisted
– Stored in mysql.global_grants
• Uses the familiar
– GRANT <dynamic_acl> ON *.* TO ... syntax
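Replacing SUPER with task-specific dynamic privileges for the replication and backup examples named on the previous slides, as an added example that is not from the deck. The operator accounts are constructed; the privilege names are MySQL 8.0 dynamic privileges.

```sql
-- Before (the 5.7 habit): one blanket privilege for every administrative task
-- GRANT SUPER ON *.* TO 'backup_op'@'localhost';

-- After (8.0): each task gets only the dynamic privilege it needs
CREATE USER 'backup_op'@'localhost' IDENTIFIED BY 'constructed-demo-password';
CREATE USER 'repl_op'@'localhost'   IDENTIFIED BY 'constructed-demo-password';
CREATE USER 'ops'@'localhost'       IDENTIFIED BY 'constructed-demo-password';

-- Backup: LOCK INSTANCE FOR BACKUP and friends
GRANT BACKUP_ADMIN ON *.* TO 'backup_op'@'localhost';
-- Replication/HA: manage replica channels and purge binary logs
GRANT REPLICATION_SLAVE_ADMIN, BINLOG_ADMIN ON *.* TO 'repl_op'@'localhost';
-- Operations: KILL other sessions without any other SUPER capability
GRANT CONNECTION_ADMIN ON *.* TO 'ops'@'localhost';
-- Key rotation for TDE (ALTER INSTANCE ROTATE INNODB MASTER KEY)
GRANT ENCRYPTION_KEY_ADMIN ON *.* TO 'backup_op'@'localhost';

-- Dynamic grants live in their own table, not in mysql.user columns
SELECT USER, HOST, PRIV, WITH_GRANT_OPTION
  FROM mysql.global_grants
 ORDER BY USER, PRIV;

-- Find accounts that still hold the static SUPER privilege and narrow them
SELECT User, Host FROM mysql.user WHERE Super_priv = 'Y';
REVOKE SUPER ON *.* FROM 'backup_op'@'localhost';

-- The same GRANT syntax works for roles, so a 'backup_operators' role could
-- carry BACKUP_ADMIN and be granted to several accounts
```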

MySQL Password Features
• New! Password history - provides DBAs more password management
– Require new passwords not reuse old ones - by number of changes and/or time.
– Establish password-reuse policy globally as well as on a per-account basis.
• New! SHA2 with Caching – Strong and Fast
– Strong - SHA-256 password hashing (many rounds, seeds, ...)
– Fast - Caching
• Greatly reduces latency
• New! Support for more connection protocols
• New! Seamless RSA password-exchange capabilities (No linking OpenSSL)
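Password history and caching SHA-2 configured globally and per account, as an added example (not from the deck). Account names, passwords and the policy numbers are constructed values.

```sql
-- Global policy: a password may not repeat any of the last 6, nor any used in
-- the last 365 days (SET PERSIST also writes the value to mysqld-auto.cnf)
SET PERSIST password_history = 6;
SET PERSIST password_reuse_interval = 365;

-- Per-account override: a stricter history for a high-privilege operator,
-- authenticating with the cached SHA-2 plugin
CREATE USER 'dba'@'localhost'
  IDENTIFIED WITH caching_sha2_password BY 'constructed-demo-password-1'
  PASSWORD HISTORY 10
  PASSWORD REUSE INTERVAL 730 DAY;

-- A service account that simply follows the global policy
CREATE USER 'svc'@'localhost' IDENTIFIED BY 'constructed-demo-password-2'
  PASSWORD HISTORY DEFAULT PASSWORD REUSE INTERVAL DEFAULT;

-- Rotating to a new value succeeds...
ALTER USER 'dba'@'localhost' IDENTIFIED BY 'constructed-demo-password-3';
-- ...but setting a password still inside the history window is rejected
-- because it contradicts the password history policy
ALTER USER 'dba'@'localhost' IDENTIFIED BY 'constructed-demo-password-1';

-- The hashes the policy compares against are kept per account
SELECT User, Host, Password_timestamp FROM mysql.password_history;

-- Find accounts not yet on caching_sha2_password and migrate one
SELECT user, host, plugin FROM mysql.user WHERE plugin <> 'caching_sha2_password';
ALTER USER 'svc'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'constructed-demo-password-4';
```

Clients on a non-TLS connection complete the caching_sha2_password exchange with the server's RSA public key (mysql client option --get-server-public-key), which is the "RSA password exchange" item on the slide.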

MySQL 8.0 File Encryption
• New! AES 256 encryption of UNDO and REDO Logs
• Super simple to manage - set
– innodb_undo_log_encrypt=ON/OFF
– innodb_redo_log_encrypt=ON/OFF
• And
– ON - pages written after setting are encrypted
– OFF - pages written after setting are not.

Security Direction
Continuing to focus a great deal on security. New things are in the works, especially in these areas:
• TDE/Encryption/Key Management
• Audit
• Firewall
• Authentication
• Integration to various Oracle Cloud Services
Customer feedback and requirements drive our priorities. Tell us what you want, need, etc. Give us problematic use cases.

Security Resources
• http://mysqlserverteam.com/
• http://insidemysql.com/
• https://blogs.oracle.com/mysql
• https://www.mysql.com/why-mysql/#en-0-40
• https://www.mysql.com/why-mysql/presentations/#en-17-40
• https://www.mysql.com/news-and-events/on-demand-webinars/#en-20-40
• https://www.mysql.com/news-and-events/health-check/