Modern Data Security with MySQL · MySQL Enterprise Transparent Data Encryption 2 Tier Architecture...
Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |Sensitivity: Internal
Modern Data Security with MySQL
Vittorio Cioe, MySQL Sr. Sales, [email protected]
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Agenda
• Modern data security
• MySQL Security Capabilities
• MySQL and GDPR
• Conclusion
Modern Data Security
Some time ago: trust-based data security
...and the future came... data are everywhere
Now: need for embedded data security
Complexity grows -> Risk Grows
Data Security Cycle
ASSESS, PREVENT, DETECT
MySQL Security Capabilities
Assess Security Risks
• Discover Personal Data
• Scan Security Configuration
• Privilege Analysis
MySQL Enterprise Monitor
• Enforce MySQL Security Best Practices
– Identifies Vulnerabilities
– Assesses current setup against security hardening policies
• Monitoring & Alerting
– User Monitoring
– Password Monitoring
– Schema Change Monitoring
– Backup Monitoring
– Configuration Management
– Configuration Tuning Advice
• Centralized User Management
"I definitely recommend the MySQL Enterprise Monitor to DBAs who don't have a ton of MySQL experience. It makes monitoring MySQL security, performance and availability very easy to understand and to act on."
Sandi Barr, Sr. Software Engineer, Schneider Electric
Assess MySQL Authorization
• Administrative Privileges
• Database Privileges
• Session Limits and Object Privileges
• User privileges
– Creating, altering and deleting databases
– Creating, altering and deleting tables
– Execute INSERT, SELECT, UPDATE, DELETE queries
– Create, execute, or delete stored procedures and with what rights
– Create or delete indexes
Security Privilege Management in MySQL Workbench
MySQL Enterprise Authentication
• Integrate with Centralized Authentication Infrastructure
– Centralized Account Management
– Password Policy Management
– Groups & Roles
• PAM (Pluggable Authentication Modules)
– Standard interface (Unix, LDAP, Kerberos, others)
– Windows: access native Windows services; authenticate users via Windows Active Directory or the native host
Integrates MySQL with existing security infrastructures
MySQL Enterprise Authentication: PAM
• Standard Interface: Unix/Linux
• Proxy Users
MySQL Enterprise Authentication: Windows
• Windows Active Directory
• Windows Native Services
MySQL Enterprise Authentication: LDAP (new!!)
• Standard Interface: LDAP Authentication
• Proxy Users
Assess your data and data model using MySQL Workbench
Protect from live threats
Protect from SQL injection
Store Data Encrypted
Enforce security roles
MySQL Enterprise Firewall: Overview
[Diagram: web applications on the Internet send inbound SQL traffic to the MySQL instance through MySQL Enterprise Firewall, which can (1) ALLOW, (2) BLOCK or (3) DETECT a SQL injection attack arriving via the browser.]
MySQL Enterprise Firewall
• Block SQL Injection Attacks
– Allow: SQL Statements that match Whitelist
– Block: SQL statements that are not on Whitelist
• Intrusion Detection System
– Detect: SQL statements that are not on Whitelist; SQL statements execute and alert administrators
Select * from employee where id=22 -> Allow ✔ (matches the applications' White List)
Select * from employee where id=22 or 1=1 -> Block ✖ (or Detect & Alert, in Intrusion Detection mode)
MySQL Enterprise Firewall
• Real Time Protection
– Queries analyzed and matched against White List
• Blocks SQL Injection Attacks
– Positive Security Model
• Block Suspicious Traffic
– Out of Policy Transactions detected & blocked
• Learns White List
– Automated creation of approved list of SQL command patterns on a per user basis
• Transparent
– No changes to application required
MySQL Enterprise Firewall monitoring
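As an added illustration of the positive security model described on the two firewall slides above (example code, not MySQL Enterprise Firewall's own implementation), the sketch below learns a per-account allowlist of statement digests and then enforces it. The mode names follow the product's; the regex-based digest and the `Firewall` class are simplifications assumed for this example.

```python
import re
from dataclasses import dataclass, field
from enum import Enum

_STRING = re.compile(r"'(?:[^'\\]|\\.)*'" + r'|"(?:[^"\\]|\\.)*"')  # quoted literals
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")                         # numeric literals
_OPERATOR = re.compile(r"\s*([=<>!,()])\s*")
_SPACE = re.compile(r"\s+")


def digest(statement: str) -> str:
    """Reduce a statement to its shape: literals become '?', operator spacing and
    case are canonicalised. 'id=22' and 'id = 7' share a digest; 'id=22 or 1=1' does not."""
    s = _STRING.sub("?", statement)
    s = _NUMBER.sub("?", s)
    s = _OPERATOR.sub(r" \1 ", s)
    return _SPACE.sub(" ", s).strip().upper()


class Mode(Enum):
    OFF = "OFF"                # account not registered with the firewall: everything runs
    RECORDING = "RECORDING"    # learn: every digest seen is added to the account's allowlist
    PROTECTING = "PROTECTING"  # block statements whose digest is not on the allowlist
    DETECTING = "DETECTING"    # execute them, but raise an alert for the administrator


@dataclass
class Firewall:
    modes: dict = field(default_factory=dict)      # account -> Mode
    allowlist: dict = field(default_factory=dict)  # account -> set of digests
    alerts: list = field(default_factory=list)     # what an IDS hook would forward

    def set_mode(self, account: str, mode: Mode) -> None:
        self.modes[account] = mode
        self.allowlist.setdefault(account, set())

    def check(self, account: str, statement: str) -> bool:
        """Return True if the statement may execute for this account."""
        mode = self.modes.get(account, Mode.OFF)
        if mode is Mode.OFF:
            return True
        d = digest(statement)
        allowed = self.allowlist[account]
        if mode is Mode.RECORDING:
            allowed.add(d)
            return True
        if d in allowed:
            return True
        if mode is Mode.DETECTING:
            self.alerts.append(f"{account}: {d}")
            return True
        return False  # PROTECTING: shape was never learned, so block it
```

The `or 1=1` statement from the slide is blocked only because its shape was never recorded; a RECORDING phase driven by untrusted traffic would allowlist it, so recording must run against known-good application use.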
MySQL TDE – Protects against Attacks on Database Files
[Diagram: the MySQL database's tablespace files are encrypted and the key is protected; a hacker or dishonest OS user who accesses the files directly gets nothing, because information access is blocked by encryption.]
MySQL Enterprise Transparent Data Encryption: 2 Tier Architecture
[Diagram: inside the MySQL Server, InnoDB holds the tablespace keys and the keyring plugins (on the plugin & services infrastructure) act as client to an external Key Vault holding the Master Key. Plain text data is encrypted under the tablespace key (Encrypted 1); the tablespace key is itself encrypted under the master key (Encrypted 2).]
• Master Key
– Stored outside the database
– Oracle Key Vault, SafeNet KeySecure, KMIP Compliant Key Vault
• Tablespace Key
– Protected by master key
Key Vault High-Level Architecture
[Diagram: a Key Vault with a Standby node, an Administration Console with Alerts and Reports, and Secure Backups, serving Databases, Servers and Middleware. Legend of stored items: Credential Files/Other, Wallets, Password/phrases, Keystores, Certificates.]
MySQL 8.0: Atomicity in Privileges
• Privilege Tables now 100% InnoDB
• User Management DDLs Atomic
– CREATE USER
– ALTER USER
– RENAME USER
– DROP USER
– GRANT
– REVOKE
MySQL 8.0: Security Roles
• Fully Functional, Flexible, Properly Architected Roles
• Create and Drop Roles, Grant to Roles
• Grant Roles to Roles, Grant Roles to Users
• Limit Hosts that can use roles, Define Default Roles
• Decide what roles are applicable during a session
• And even visualize Roles with SQL function ROLES_GRAPHML()
Detect suspicious events
Audit live events
Watch live queries
Disaster Recovery
MySQL Enterprise Audit - Work Flow
Focus on MySQL EE Audit
• GDPR
– Mandates recording or auditing of the activities on the Personal Data
– Recommends that records be maintained centrally, under the responsibility of the Controller
– Processors and third parties must not be able to tamper with or destroy the audit records
– In addition to book-keeping, auditing helps in forensic analysis in case of a breach
• MySQL Enterprise Audit: audit data can be
– Maintained in Oracle Audit Vault (certified)
– Output as standard XML or JSON that easily integrates with various 3rd party solutions
– Encrypted (encryption is supported)
– Directed, as security logs, to write-once storage
Review Audit Data With Workbench EE
Enterprise Query Analyzer
• Real-time query performance
• Visual correlation graphs
• Find & fix expensive queries
• Detailed query statistics
• Query Response Time index (QRTi)
“With the MySQL Query Analyzer, we were able to identify and analyze problematic SQL code, and triple our database performance. More importantly, we were able to accomplish this in three days, rather than taking weeks.”
Keith Souhrada, Software Development Engineer, Big Fish Games
MySQL Enterprise Backup
• Online, non-locking backup and recovery
– Complete MySQL instance backup (data and config)
– Partial backup and restore
• Direct Cloud storage backups
– Oracle Storage Cloud, S3, etc.
• Incremental backups
• Point-in-time recovery
• Advanced compression and encryption
• Backup to tape (SBT)
• Optimistic backups
• Cross-Platform (Windows, Linux, Unix)
InnoDB Cluster
[Diagram: App Servers with MySQL Router in front of a MySQL Group Replication cluster; MySQL Shell is used to set up, manage and orchestrate it.]
“High Availability becomes a core, first class feature of MySQL!”
Additional Security Controls
• Hashing, Signing, Encryption Functions
– Symmetric Encryption – AES
– Hashing – SHA-2, SHA-1
– Asymmetric Public Key Encryption (RSA)
– Asymmetric Private Key Decryption (RSA)
– Generate Public/Private Key (RSA, DSA, DH)
– Derive Symmetric Keys from Public and Private Key pairs (DH)
– Digitally Sign Data (RSA, DSA)
– Verify Data Signature (RSA, DSA)
– Validate Data Authenticity (RSA, DSA)
MySQL and GDPR
EU General Data Protection Regulation (GDPR)
• Data privacy as a fundamental right
• Defines Data protection responsibilities, baselines, principles
• Provides Enforcement Powers
Focus is on 3 Areas
• Assessment – Processes, Profiles, Data Sensitivity, Risks
• Prevention – Encryption, Anonymization, Access Controls, Separation of Duties
• Detection – Auditing, Activity monitoring, Alerting, Reporting
GDPR and MySQL
• We can’t be entirely prescriptive
• We have many things that can be applied towards attaining compliance
– Assessment: MySQL Enterprise Monitor, MySQL Workbench EE, MySQL Security Best Practices Guidelines
– Prevention: MySQL Transparent Data Encryption, MySQL Enterprise Firewall, DBA configurable IP whitelisting, Connection Limits, In transit data encryption, Granular access controls
– Detection: MySQL Enterprise Firewall, MySQL Enterprise Audit, MySQL Workbench EE, MySQL Enterprise Monitor
Conclusion
Takeaway: MySQL Enterprise Security Architecture
Assess, Prevent, Detect, Recover
• Workbench: Model, Data, Audit Data, User Management
• Enterprise Monitor: Identifies Vulnerabilities, Security hardening policies, Monitoring & Alerting, User Monitoring, Password Monitoring, Schema Change Monitoring, Backup Monitoring
• Data Encryption: TDE, Encryption, PKI
• Firewall
• Key Vault
• Enterprise Authentication: SSO - LDAP, AD, PAM
• Network Encryption
• Enterprise Audit: Powerful Rules Engine
• Audit Vault
• Strong Authentication
• Access Controls
• Enterprise Backup: Encrypted
• HA: InnoDB Cluster
• Thread Pool: Attack minimization
References
• Home page EU GDPR
– http://www.eugdpr.org/
• MySQL Enterprise
– https://www.mysql.com/products/enterprise/
• MySQL PCI DSS
– https://www.mysql.com/it/why-mysql/white-papers/mysql-pci-data-security-compliance/
• MySQL Security Best Practices
– https://www.mysql.com/it/why-mysql/presentations/mysql-security-best-practices/