MySQL + GDPR

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | MySQL Security and GDPR, Mark Swarbrick, MySQL Principal Sales Consultant, Mark.swarbrick@oracle.com

Transcript of MySQL + GDPR

Page 1: MySQL + GDPR


Page 2: MySQL + GDPR


Safe Harbor Statement: The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Page 3: MySQL + GDPR


Page 4: MySQL + GDPR


Introduction

• The E.U. General Data Protection Regulation (GDPR) comes into effect in May 2018
• GDPR is a European Union ("EU")-wide framework
  – Protection of personal data of EU-based individuals
  – Restrictions to movement of that data
• Published May 2016, enforceable by May 2018
• Fines for GDPR violations are
  – Up to the greater of 20,000,000 Euros or 4% of total worldwide annual turnover (R150, A83)

Confidential – Oracle Internal

Page 5: MySQL + GDPR


GDPR: Who and What
• Who does the GDPR affect?
  – The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location.
• What constitutes personal data?
  – Any information related to a natural person or "Data Subject", that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.


http://www.eugdpr.org/gdpr-faqs.html

Page 6: MySQL + GDPR


Appropriate Security Controls
• Data must be processed with controls that provide "appropriate security and confidentiality" (Recitals of note: R74-78, R81, R83, R87, R90; Articles A5, A24-25, A28, A32, A35)
• Exact security controls are not specified in the GDPR: it says WHAT to do, not HOW to do it


Page 7: MySQL + GDPR


EU General Data Protection Regulation (GDPR)
• Data privacy as a fundamental right
• Defines data protection responsibilities, baselines, principles
• Provides enforcement powers
Focus is on 3 areas:
• Assessment – Processes, Profiles, Data Sensitivity, Risks
• Prevention – Encryption, Anonymization, Access Controls, Separation of Duties
• Detection – Auditing, Activity Monitoring, Alerting, Reporting


Page 8: MySQL + GDPR


Complexity grows, Risk grows

Page 9: MySQL + GDPR


GDPR and MySQL
• We can't be entirely prescriptive
• We have many things that can be applied towards attaining compliance
  – Products
  – Features
  – Best Practices
  – Documents
  – Integrations

Page 10: MySQL + GDPR


Enterprise Security Architecture
(diagram: MySQL Enterprise components grouped under Assess, Prevent, Detect and Recover)
• Workbench: Model, Data, Audit Data, User Management
• Enterprise Monitor: Identifies Vulnerabilities, Security hardening policies, Monitoring & Alerting, User Monitoring, Password Monitoring, Schema Change Monitoring, Backup Monitoring
• Data Encryption: TDE, Encryption, PKI
• Firewall
• Key Vault
• Enterprise Authentication: SSO - LDAP, AD, PAM
• Network Encryption
• Enterprise Audit: Powerful Rules Engine
• Audit Vault
• Strong Authentication
• Access Controls
• Enterprise Backup: Encrypted
• HA: InnoDB Cluster
• Thread Pool: Attack minimization

Page 11: MySQL + GDPR


Assess Security Risks
(diagram: Discover Personal Data; Scan Security Configuration; Privilege Analysis)

Page 12: MySQL + GDPR


Assess – MySQL Enterprise Features and GDPR
• Assess Risks (Articles 35, 90, 91)
  – MySQL Enterprise Monitor
    • Account assessment and reporting
    • Identifies security vulnerabilities – discovers security holes, advises remediating actions
    • Advisors provide rules designed to enforce security best practices and alert upon discovering vulnerabilities
  – MySQL Workbench EE
    • Discover tables and columns containing "Personal Data"
    • Data Modeling tool – reverse engineering of the data model to review data stored in the database
    • Schema Inspector, Table Inspectors – for schema assessment, grant inspection
  – MySQL Security Best Practices Guidelines

Page 13: MySQL + GDPR


MySQL Enterprise Monitor
• Enforce MySQL Security Best Practices
  – Identifies vulnerabilities
  – Assesses current setup against security hardening policies
• Monitoring & Alerting
  – User Monitoring
  – Password Monitoring
  – Schema Change Monitoring
  – Backup Monitoring
  – Configuration Management
  – Configuration Tuning Advice
• Centralized User Management

"I definitely recommend the MySQL Enterprise Monitor to DBAs who don't have a ton of MySQL experience. It makes monitoring MySQL security, performance and availability very easy to understand and to act on."

Sandi Barr, Sr. Software Engineer, Schneider Electric

Page 14: MySQL + GDPR


Assess MySQL Authorization
• Administrative Privileges
• Database Privileges
• Session Limits and Object Privileges
• User privileges
  – Creating, altering and deleting databases
  – Creating, altering and deleting tables
  – Execute INSERT, SELECT, UPDATE, DELETE queries
  – Create, execute, or delete stored procedures, and with what rights
  – Create or delete indexes

Security Privilege Management in MySQL Workbench
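Two of the assessment steps described above (discovering the columns that hold personal data on page 12, and reviewing who holds which privileges on this page) can be scripted directly against the server catalog rather than only clicked through in Workbench. The queries below are an added example, not part of the original deck and not Workbench's own code. They target MySQL 5.7 (the release current when the deck was given); the schema `hr`, the table `employee` and the column-name patterns are assumptions to adapt to your own databases, and on 8.0 privileges granted through roles are not shown by these views and must be checked separately in `mysql.role_edges`.

```sql
-- 1. Discover candidate personal-data columns by name or column comment.
--    The pattern list is a constructed starting point, not an exhaustive test.
SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, DATA_TYPE
FROM   INFORMATION_SCHEMA.COLUMNS
WHERE  TABLE_SCHEMA NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys')
  AND (   COLUMN_NAME REGEXP 'email|phone|mobile|birth|dob|address|postcode|zip|passport|ssn|national_id|iban|salary|ip_addr'
       OR COLUMN_COMMENT LIKE '%personal%')
ORDER BY TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME;

-- 2. Account hygiene: anonymous users, wildcard hosts and accounts with no
--    credential (an empty authentication_string is only a finding for
--    password plugins; check the plugin column before acting on it).
SELECT user, host, plugin, account_locked, password_expired
FROM   mysql.user
WHERE  user = '' OR host = '%' OR authentication_string = ''
ORDER BY user, host;

-- 3. Administrative privileges: global rights that bypass table-level
--    controls (FILE reads and writes server-side files; SUPER, PROCESS,
--    RELOAD and SHUTDOWN act on the instance) and anyone who may re-grant.
SELECT GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE
FROM   INFORMATION_SCHEMA.USER_PRIVILEGES
WHERE  PRIVILEGE_TYPE IN ('SUPER', 'FILE', 'PROCESS', 'RELOAD', 'SHUTDOWN', 'CREATE USER')
   OR  IS_GRANTABLE = 'YES'
ORDER BY GRANTEE, PRIVILEGE_TYPE;

-- 4. Every grant path that reaches hr.employee: global, schema, table and
--    column level. Schema grants may be LIKE patterns, hence 'hr' LIKE ... .
SELECT 'global' AS scope, GRANTEE, PRIVILEGE_TYPE
FROM   INFORMATION_SCHEMA.USER_PRIVILEGES
WHERE  PRIVILEGE_TYPE IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE')
UNION ALL
SELECT 'schema', GRANTEE, PRIVILEGE_TYPE
FROM   INFORMATION_SCHEMA.SCHEMA_PRIVILEGES
WHERE  'hr' LIKE TABLE_SCHEMA
UNION ALL
SELECT 'table', GRANTEE, PRIVILEGE_TYPE
FROM   INFORMATION_SCHEMA.TABLE_PRIVILEGES
WHERE  TABLE_SCHEMA = 'hr' AND TABLE_NAME = 'employee'
UNION ALL
SELECT CONCAT('column:', COLUMN_NAME), GRANTEE, PRIVILEGE_TYPE
FROM   INFORMATION_SCHEMA.COLUMN_PRIVILEGES
WHERE  TABLE_SCHEMA = 'hr' AND TABLE_NAME = 'employee'
ORDER BY scope, GRANTEE;

-- 5. Stored routines: who may execute routines in hr, and which routines
--    run with their definer's rights rather than the caller's.
SELECT User, Host, Routine_name, Routine_type, Proc_priv
FROM   mysql.procs_priv
WHERE  Db = 'hr';

SELECT ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_TYPE, DEFINER, SECURITY_TYPE
FROM   INFORMATION_SCHEMA.ROUTINES
WHERE  ROUTINE_SCHEMA = 'hr' AND SECURITY_TYPE = 'DEFINER';
```

Query 4 is the one to keep as a recurring report: an account that never appears in it cannot read the table by any ordinary grant, and a DEFINER routine from query 5 that touches `hr.employee` is an extra path that query 4 does not show, because the caller only needs EXECUTE on the routine.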

Page 15: MySQL + GDPR


MySQL Enterprise Authentication
• Integrate with Centralized Authentication Infrastructure
  – Centralized Account Management
  – Password Policy Management
  – Groups & Roles
• PAM (Pluggable Authentication Modules)
  – Standard interface (Unix, LDAP, Kerberos, others)
  – Windows
• Access native Windows service – use to authenticate users using Windows Active Directory or a native host
Integrates MySQL with existing security infrastructures

Page 16: MySQL + GDPR


MySQL Enterprise Authentication: PAM
• Standard Interface
  – LDAP
  – Unix/Linux
• Proxy Users

Page 17: MySQL + GDPR


MySQL Enterprise Authentication: Windows
• Windows Active Directory
• Windows Native Services

Page 18: MySQL + GDPR


Assess your data and data model using MySQL Workbench

Page 19: MySQL + GDPR


Prevent – MySQL Enterprise Features and GDPR
• Prevent Attacks (Articles 32, 83, 28, 26, 5, 20, 27, 30, 64)
  – MySQL Enterprise Security – Transparent Data Encryption
    • Includes key management
    • Protects tablespace via encryption, keys via Key Manager/Vault integration
  – MySQL Enterprise Security – Firewall
    • MySQL Firewall statement/user/IP whitelists, rules
  – MySQL Enterprise Authentication
    • DBA-configurable IP whitelisting, connection limits, ...
    • Via server level and via per-account IP/hostname controls, account resource limits
  – In-transit data encryption
    • Full support for TLS 1.2 – X509, Certificate Authorities, exclude lists, etc.
  – Granular access controls
    • Table grants, database views, stored procedures, functions

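The authentication and network controls on this slide and on the three authentication slides before it (pages 15 to 19) are, at the server, a handful of account definitions. The statements below are an added example, not the deck's own, and assume MySQL 5.7 Enterprise Edition on Linux with the PAM authentication plugin available, an application subnet 10.0.1.0/24, a support subnet 10.0.2.0/24, a Unix group `hr_readers`, an HR schema with an `employee` table owned by an existing `'hr_owner'@'localhost'` account, and an internal CA; all of these names, the CA subject and the placeholder passwords are constructed. Settings that need a restart are given as a my.cnf fragment in comments.

```sql
-- my.cnf (restart required): TLS 1.2 only, and refuse any connection that
-- is not encrypted (local Unix-socket connections count as secure).
--   [mysqld]
--   ssl_ca   = /etc/mysql/ca.pem
--   ssl_cert = /etc/mysql/server-cert.pem
--   ssl_key  = /etc/mysql/server-key.pem
--   tls_version = TLSv1.2
--   require_secure_transport = ON

-- In-transit encryption per account: the application must present a client
-- certificate issued by our CA. REQUIRE SSL alone would accept any client that
-- merely negotiates TLS. Resource limits bound what a compromised app can do.
CREATE USER 'app'@'10.0.1.%' IDENTIFIED BY '<app-password>'
  REQUIRE ISSUER '/C=GB/O=Example Ltd/CN=Example Internal CA'
  WITH MAX_USER_CONNECTIONS 50 MAX_QUERIES_PER_HOUR 100000;

-- Human access is named and narrow: one subnet, two sessions, and a password
-- that must be changed on first login.
CREATE USER 'support'@'10.0.2.%' IDENTIFIED BY '<temporary-password>'
  REQUIRE SSL
  WITH MAX_USER_CONNECTIONS 2
  PASSWORD EXPIRE;

-- Centralized authentication through PAM with proxying: the anonymous proxy
-- account ''@'' authenticates against the PAM service /etc/pam.d/mysql and
-- maps the Unix group hr_readers onto the MySQL account that holds the
-- privileges, so privileges are managed once, per role, not per person.
INSTALL PLUGIN authentication_pam SONAME 'authentication_pam.so';
CREATE USER 'hr_reader'@'localhost' IDENTIFIED BY '<long-random-secret-nobody-uses>';
CREATE USER ''@'' IDENTIFIED WITH authentication_pam AS 'mysql, hr_readers=hr_reader';
GRANT PROXY ON 'hr_reader'@'localhost' TO ''@'';

-- Granular access: support and HR readers see contact data through a view
-- that omits the sensitive columns, and get no privilege on the base table.
-- The definer account must itself hold SELECT on hr.employee.
CREATE DEFINER = 'hr_owner'@'localhost' SQL SECURITY DEFINER
  VIEW hr.employee_contact AS
  SELECT id, name, work_email, work_phone FROM hr.employee;
GRANT SELECT ON hr.employee_contact TO 'support'@'10.0.2.%';
GRANT SELECT ON hr.employee_contact TO 'hr_reader'@'localhost';

-- Verify: the protocol this session negotiated, and the proxy mappings in force.
SHOW SESSION STATUS LIKE 'Ssl_version';        -- TLSv1.2 with the my.cnf above
SELECT User, Host, Proxied_user, Proxied_host FROM mysql.proxies_priv;
```

The per-account `REQUIRE` clause is what turns "TLS is supported" into "TLS is enforced for this account"; `require_secure_transport` closes the gap for accounts whose definition forgot it. `MAX_QUERIES_PER_HOUR` is a blunt instrument and is best used as a safety stop well above the real workload rather than as a tuning knob.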

Page 20: MySQL + GDPR


MySQL Enterprise Firewall: Overview
(diagram: inbound SQL traffic from web applications on the Internet reaches the MySQL instance through MySQL Enterprise Firewall, which can (1) ALLOW, (2) BLOCK or (3) DETECT a SQL injection attack arriving via the browser)

Page 21: MySQL + GDPR


MySQL Enterprise Firewall
• Block SQL Injection Attacks
  – Allow: SQL statements that match the whitelist
  – Block: SQL statements that are not on the whitelist
• Intrusion Detection System
  – Detect: SQL statements that are not on the whitelist
    • SQL statements execute and alert administrators
(diagram)
  Allow ✔   Select * from employee where id=22   (whitelisted application statement)
  Block ✖   Select * from employee where id=22 or 1=1
  Detect & Alert (Intrusion Detection)

Page 22: MySQL + GDPR


MySQL Enterprise Firewall
• Real-Time Protection
  – Queries analyzed and matched against the whitelist
• Blocks SQL Injection Attacks
  – Positive security model
• Block Suspicious Traffic
  – Out-of-policy transactions detected & blocked
• Learns Whitelist
  – Automated creation of an approved list of SQL command patterns on a per-user basis
• Transparent
  – No changes to the application required

MySQL Enterprise Firewall monitoring
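The Allow / Block / Detect flow of the two firewall slides, worked through with the slide's own two statements. This is an added example, not the deck's own; it assumes MySQL 5.7 Enterprise Edition with the firewall already installed from the bundled `linux_install_firewall.sql` script and `mysql_firewall_mode=ON`, and an application account `'app'@'10.0.1.%'` (constructed). On 8.0 the same user and whitelist data is exposed through Performance Schema tables rather than the `INFORMATION_SCHEMA` tables used here.

```sql
-- Confirm the firewall is loaded and enabled.
SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode';      -- ON

-- 1. RECORDING: learn the application's statement shapes from real traffic.
--    Drive the application's normal workload (its test suite is ideal)
--    through the account while it is in this mode; nothing is blocked yet.
CALL mysql.sp_set_firewall_mode('app@10.0.1.%', 'RECORDING');
--    ... as 'app':  SELECT * FROM employee WHERE id = 22;

-- What was learned: the firewall stores statement digests, so literals become ?
-- and identifiers are quoted. The rule matches any id value, but not a changed
-- predicate.
SELECT RULE
FROM   INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
WHERE  USERHOST = 'app@10.0.1.%';
--    SELECT * FROM `employee` WHERE `id` = ?

-- 2. PROTECTING: enforcement. The injected statement normalizes to a different
--    shape, so it is rejected before it executes.
CALL mysql.sp_set_firewall_mode('app@10.0.1.%', 'PROTECTING');
SELECT normalize_statement('SELECT * FROM employee WHERE id = 22 OR 1=1');
--    SELECT * FROM `employee` WHERE `id` = ? OR ? = ?
--    ... as 'app':  SELECT * FROM employee WHERE id = 22 OR 1=1;
--    ERROR 1045 (28000): Statement was blocked by Firewall

-- 3. DETECTING: intrusion-detection mode. Non-matching statements still run,
--    but each is reported as suspicious in the server error log and counted.
--    Use it to validate a whitelist against production before enforcing it.
CALL mysql.sp_set_firewall_mode('app@10.0.1.%', 'DETECTING');
SHOW GLOBAL STATUS LIKE 'Firewall_access_%';
--    Firewall_access_denied | Firewall_access_granted | Firewall_access_suspicious

-- The whitelist is ordinary data in the mysql schema: version it with the
-- application and reload it for the account after a deployment.
SELECT USERHOST, RULE FROM mysql.firewall_whitelist WHERE USERHOST = 'app@10.0.1.%';
CALL mysql.sp_reload_firewall_rules('app@10.0.1.%');
```

Recording only captures statements that actually ran, so a code path the test suite never exercised will be blocked on its first production use; that is exactly what the DETECTING step is for. Note also that the firewall matches the statement's shape, not its values: a `WHERE id = ?` rule still lets an application that was tricked into supplying someone else's id read that row, so it complements, and does not replace, the grants and views on the previous slides.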

Page 23: MySQL + GDPR


Key Vault High-Level Architecture
(diagram: the Key Vault, with a Standby instance, an Administration Console, Alerts, Reports and Secure Backups, holds Credential Files/Other, Wallets, Password/phrases, Keystores and Certificates on behalf of Databases, Servers and Middleware)

Page 24: MySQL + GDPR


MySQL TDE – Protects against Attacks on Database Files
(diagram: a hacker or dishonest OS user who accesses the MySQL database's encrypted tablespace files directly finds information access blocked by encryption; the key is protected)

Page 25: MySQL + GDPR


MySQL Enterprise Transparent Data Encryption: 2-Tier Architecture
(diagram: Key Vault; MySQL Server with its plugin & services infrastructure and client keyring plugins; InnoDB. Tablespace data goes from plain text to encrypted under the tablespace key, and the tablespace key is in turn encrypted under the master key.)
• Master Key
  – Stored outside the database
  – Oracle Key Vault
  – SafeNet KeySecure
  – KMIP 1.1-compliant key vault
• Tablespace Key
  – Protected by the master key
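What the three TDE slides describe as a two-tier key hierarchy reduces, on the server, to a keyring plugin loaded before InnoDB, one table attribute, and a master-key rotation statement. The statements below are an added example, not the deck's own, for MySQL 5.7 Enterprise Edition with the `keyring_okv` plugin talking to Oracle Key Vault; the OKV configuration directory, the `hr` schema and its tables are assumptions. `keyring_file` is shown only as the development alternative, because it keeps the master key on the same host as the data it protects.

```sql
-- my.cnf: the keyring must be loaded with early-plugin-load so that it is
-- available before InnoDB opens encrypted tablespaces.
--   [mysqld]
--   early-plugin-load      = keyring_okv.so
--   keyring_okv_conf_dir   = /usr/local/mysql/mysql-keyring-okv   # okvclient.ora + SSL material
--   # development only: master key in a local file on the database host
--   #   early-plugin-load  = keyring_file.so
--   #   keyring_file_data  = /var/lib/mysql-keyring/keyring
--   innodb_file_per_table  = ON      # 5.7 encrypts file-per-table tablespaces only

-- Tier 1 is healthy only if the keyring plugin is ACTIVE; without it InnoDB
-- cannot open an encrypted table at all.
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM   INFORMATION_SCHEMA.PLUGINS
WHERE  PLUGIN_NAME LIKE 'keyring%';

-- Tier 2: InnoDB generates a tablespace key for the table, wraps it with the
-- master key obtained from the keyring, and stores only the wrapped copy in
-- the tablespace header. The master key never touches the data file.
CREATE TABLE hr.employee (
  id        INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  name      VARCHAR(100) NOT NULL,
  email     VARCHAR(254) NOT NULL,
  birthdate DATE         NOT NULL
) ENGINE = InnoDB ENCRYPTION = 'Y';

-- Existing tables are converted in place (the table is rebuilt; plan the I/O).
ALTER TABLE hr.payroll ENCRYPTION = 'Y';

-- Personal-data tables that are still in clear text on disk.
SELECT TABLE_SCHEMA, TABLE_NAME
FROM   INFORMATION_SCHEMA.TABLES
WHERE  TABLE_SCHEMA = 'hr'
  AND  ENGINE = 'InnoDB'
  AND  CREATE_OPTIONS NOT LIKE '%ENCRYPTION="Y"%';

-- Master-key rotation re-wraps every tablespace key under a new master key
-- without rewriting table data, so it is cheap enough to schedule, and it is
-- the response to any suspected exposure of the keyring. Needs SUPER in 5.7.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
```

The scope matters for the risk assessment: TDE protects the tablespace files (and, as page 31 notes, backups taken with MySQL Enterprise Backup), which is the "dishonest OS user reads the files" case on page 24. In 5.7 the redo and undo logs and the binary log are not covered, and TDE does nothing against an account that holds SELECT on the table; those paths are what the grants, views, firewall and audit on the surrounding slides are for.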

Page 26: MySQL + GDPR


Detect – MySQL Enterprise Features and GDPR – 1 of 2
• Detect (Articles 30, 82, 33)
  – MySQL Enterprise Security – Audit
    • Policy-based auditing solution – gather an audit log of activity
    • Use to spot database misuse
    • Use to prove compliance to GDPR
  – MySQL Enterprise Security – Firewall
    • Real-time protection against database-specific attacks
    • Use to alert and/or block nefarious activity, such as personal data leakage

Page 27: MySQL + GDPR


Focus on MySQL EE Audit
• GDPR
  – Mandates recording or auditing of the activities on the personal data
  – Recommends that records be maintained centrally
    • Under the responsibility of the Controller
  – Processors and third parties must not be able to tamper with or destroy the audit records
  – In addition to book-keeping, auditing helps in forensic analysis in case of a breach
• MySQL Enterprise Audit – audit data can be
  – Maintained in Oracle Audit Vault – certified
  – Output as standard XML or JSON that easily integrates with various 3rd-party solutions
  – Encrypted (MySQL 5.7.18+)
  – Directed to write-once storage

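The requirements on this slide (record the activity on the personal data, keep the records central and tamper-resistant) map onto the rule-based filtering that MySQL Enterprise Audit gained in 5.7.13, with file encryption from 5.7.18. The configuration below is an added example, not the deck's own; it assumes the `audit_log` plugin has been installed with its bundled `audit_log_filter_linux_install.sql` script, that a keyring plugin is loaded (the encryption password is stored in the keyring), and an application account `'app'@'10.0.1.%'`, a DBA account `'dba'@'localhost'` and HR tables `employee` and `payroll`, all of which are constructed.

```sql
-- my.cnf: audit_log_format and audit_log_encryption are read-only, so they are
-- set at startup.
--   [mysqld]
--   plugin-load-add          = audit_log.so
--   audit_log_format         = JSON        # one JSON object per event, easy to ship to a SIEM
--   audit_log_encryption     = AES         # files are written encrypted (5.7.18+)
--   audit_log_rotate_on_size = 104857600   # rotate at 100 MiB; ship closed files off-host

-- Password under which the audit files are encrypted. Keep a copy in the
-- secrets store: without it a rotated file cannot be read for forensics.
SELECT audit_log_encryption_password_set('<audit-file-passphrase>');

-- Filter 1: every read and write against the personal-data tables, plus all
-- connect/disconnect events so that each access can be tied to a login.
SELECT audit_log_filter_set_filter('gdpr_personal_data', '{
  "filter": {
    "class": [
      { "name": "connection" },
      { "name": "table_access",
        "event": {
          "name": ["read", "insert", "update", "delete"],
          "log": {
            "or": [
              { "field": { "name": "table_name.str", "value": "employee" } },
              { "field": { "name": "table_name.str", "value": "payroll"  } }
            ]
          }
        }
      }
    ]
  }
}');

-- Filter 2: privileged humans get everything they do recorded.
SELECT audit_log_filter_set_filter('log_all', '{ "filter": { "log": true } }');

-- Bind filters to accounts. '%' is the default for any account without an
-- explicit assignment, so a newly created account is audited from day one.
SELECT audit_log_filter_set_user('app@10.0.1.%', 'gdpr_personal_data');
SELECT audit_log_filter_set_user('dba@localhost', 'log_all');
SELECT audit_log_filter_set_user('%',             'gdpr_personal_data');

-- Review assignments and definitions (both live in the mysql schema) and
-- confirm the plugin is writing rather than dropping events.
SELECT * FROM mysql.audit_log_user;
SELECT * FROM mysql.audit_log_filter;
SHOW GLOBAL STATUS LIKE 'Audit_log_events%';
--    Audit_log_events | Audit_log_events_filtered | Audit_log_events_lost | Audit_log_events_written
```

Filter assignments are applied when a session connects, so an existing connection keeps the filter it started with until it reconnects. `Audit_log_events_lost` is the counter to alert on: a non-zero value means the record the slide says the Controller is responsible for has a gap. The "not tamperable by processors" requirement is not met by the database alone: the encrypted files still sit on a host the DBA administers, which is why the slide pairs this with central collection (Audit Vault or a SIEM) and write-once storage.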

Page 28: MySQL + GDPR


MySQL Enterprise Audit – Workflow (diagram)

Page 29: MySQL + GDPR


Detect – MySQL Enterprise Features and GDPR – 2 of 2
  – MySQL Workbench EE
    • Security related
      – Inspect audit data
      – Configure firewall
      – Manage users
  – MySQL Enterprise Monitor
    • Monitor/alert on firewall, audit, backups and more
    • Detect configuration changes

Page 30: MySQL + GDPR


Additional Security Controls: Hashing, Signing, Encryption Functions
  – Symmetric encryption – AES
  – Hashing – SHA-2, SHA-1
  – Asymmetric public key encryption (RSA)
  – Asymmetric private key decryption (RSA)
  – Generate public/private key (RSA, DSA, DH)
  – Derive symmetric keys from public and private key pairs (DH)
  – Digitally sign data (RSA, DSA)
  – Verify data signature (RSA, DSA)
  – Validate data authenticity (RSA, DSA)

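The list above mixes the built-in SQL functions (`AES_ENCRYPT`, `SHA2`, `RANDOM_BYTES`) with the MySQL Enterprise Encryption UDFs loaded from `openssl_udf.so`. The session below is an added example, not the deck's own, that uses each group on a personal-data field and on an export; the table, passphrase and pepper are constructed. Only SHA-2 is used: SHA-1 is on the slide because the function exists, not because it should appear in a new integrity or pseudonymisation design.

```sql
-- The Enterprise Encryption functions are UDFs; register the ones used here.
CREATE FUNCTION create_asymmetric_priv_key RETURNS STRING  SONAME 'openssl_udf.so';
CREATE FUNCTION create_asymmetric_pub_key  RETURNS STRING  SONAME 'openssl_udf.so';
CREATE FUNCTION create_digest              RETURNS STRING  SONAME 'openssl_udf.so';
CREATE FUNCTION asymmetric_sign            RETURNS STRING  SONAME 'openssl_udf.so';
CREATE FUNCTION asymmetric_verify          RETURNS INTEGER SONAME 'openssl_udf.so';
CREATE FUNCTION create_dh_parameters       RETURNS STRING  SONAME 'openssl_udf.so';
CREATE FUNCTION asymmetric_derive          RETURNS STRING  SONAME 'openssl_udf.so';

-- 1. Symmetric, column-level encryption of one personal-data field.
--    AES-256 in CBC mode with a fresh random IV per row, so two people with
--    the same e-mail do not produce the same ciphertext. The key is exactly
--    32 bytes; longer keys would be folded by MySQL, which weakens them.
SET block_encryption_mode = 'aes-256-cbc';
SET @key = UNHEX(SHA2('<passphrase held by the application, not in SQL>', 256));

CREATE TABLE hr.contact_secret (
  id        INT UNSIGNED   PRIMARY KEY,
  email_iv  BINARY(16)     NOT NULL,
  email_enc VARBINARY(272) NOT NULL,   -- 254-char e-mail padded to 16-byte blocks
  email_tag CHAR(64)       NOT NULL    -- pseudonymous lookup token, see step 2
) ENGINE = InnoDB;

SET @iv = RANDOM_BYTES(16);
INSERT INTO hr.contact_secret VALUES
  (22, @iv, AES_ENCRYPT('alice@example.com', @key, @iv),
   SHA2(CONCAT('<pepper, separate from @key>', LOWER('alice@example.com')), 256));

SELECT CAST(AES_DECRYPT(email_enc, @key, email_iv) AS CHAR) AS email
FROM   hr.contact_secret WHERE id = 22;                       -- alice@example.com

-- 2. Pseudonymisation: look a person up by a keyed hash of the identifier.
--    A bare SHA2 of an e-mail is trivially inverted by enumeration; the
--    secret pepper is what makes the token useless outside the system.
SELECT id FROM hr.contact_secret
WHERE  email_tag = SHA2(CONCAT('<pepper, separate from @key>', LOWER('alice@example.com')), 256);

-- 3. Integrity of an export (for example a subject-access-request bundle):
--    sign a SHA-256 digest with an RSA private key, verify with the public key.
SET @priv = create_asymmetric_priv_key('RSA', 2048);
SET @pub  = create_asymmetric_pub_key('RSA', @priv);
SET @dig  = create_digest('SHA256', 'contents of export-2018-05-25.csv');
SET @sig  = asymmetric_sign('RSA', @dig, @priv, 'SHA256');
SELECT asymmetric_verify('RSA', @dig, @sig, @pub, 'SHA256') AS signature_ok;    -- 1
SELECT asymmetric_verify('RSA', create_digest('SHA256', 'tampered'), @sig, @pub, 'SHA256')
       AS tampered_ok;                                                         -- 0

-- 4. Deriving a shared symmetric key from two DH key pairs: each side combines
--    its own private key with the other's public key and gets the same secret.
SET @dh    = create_dh_parameters(2048);      -- slow; generate once and reuse
SET @a_prv = create_asymmetric_priv_key('DH', @dh);
SET @a_pub = create_asymmetric_pub_key('DH', @a_prv);
SET @b_prv = create_asymmetric_priv_key('DH', @dh);
SET @b_pub = create_asymmetric_pub_key('DH', @b_prv);
SELECT asymmetric_derive(@b_pub, @a_prv) = asymmetric_derive(@a_pub, @b_prv) AS same_secret;  -- 1
```

Two operational caveats. A key or pepper written as a literal in a statement is visible in the general log, the audit log from the previous slides, and `SHOW PROCESSLIST` while it runs; pass it from the application as a bound parameter, or better, do the encryption in the application and store only ciphertext. And a key derived from a passphrase inside SQL, as above, is for illustration: in production the key belongs in the application's or Key Vault's custody, with TDE covering the files underneath.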

Page 31: MySQL + GDPR


Additional Security Controls
• HA
  – Traditional Replication
  – MySQL InnoDB Cluster
• Disaster Recovery
  – Traditional Replication
  – MySQL InnoDB Cluster
• Backup
  – MySQL Enterprise Backup
    • Includes encryption
    • Support for MySQL TDE

Page 32: MySQL + GDPR


MySQL Cloud Service + MySQL Enterprise Edition
• Designed for security
• MySQL Enterprise Features
• Backup & Recovery
  – Based on MySQL Enterprise Backup
• Support (with consultative support)

Page 33: MySQL + GDPR


References


• Homepage EU GDPR – http://www.eugdpr.org/
• MySQL Enterprise – https://www.mysql.com/products/enterprise/
• MySQL PCI DSS – https://www.mysql.com/it/why-mysql/white-papers/mysql-pci-data-security-compliance/
• MySQL Security Best Practices – https://www.mysql.com/it/why-mysql/presentations/mysql-security-best-practices/

Page 34: MySQL + GDPR