MySQL Enterprise Security

Similar documents
What s New in MySQL 5.7 Geir Høydalsvik, Sr. Director, MySQL Engineering. Copyright 2015, Oracle and/or its affiliates. All rights reserved.

Oracle Database 11g: Security Release 2

Oracle Database 11g: Security Release 2

MySQL ENTERPRISE EDITION

State of the Dolphin Developing new Apps in MySQL 8

Projectplace: A Secure Project Collaboration Solution

IT Services IT LOGGING POLICY

What's New in MySQL 5.7?

Key Drivers for Data Security

Oracle Security Products and Their Relationship to EBS. Presented By: Christopher Carriero

Database Centric Information Security. Speaker Name / Title

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

MySQL CLOUD SERVICE. Propel Innovation and Time-to-Market

VMware, SQL Server and Encrypting Private Data Townsend Security

Db2 for z/os Early experiences using Transparent Data Set Encryption

VMware, SQL Server and Encrypting Private Data Townsend Security

CoreMax Consulting s Cyber Security Roadmap

the SWIFT Customer Security

Compliance of Panda Products with General Data Protection Regulation (GDPR) Panda Security

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Oracle Database Vault and Applications Unlimited Certification Overview

Oracle Audit Vault. Trust-but-Verify for Enterprise Databases. Tammy Bednar Sr. Principal Product Manager Oracle Database Security

Data Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle

ITS. MySQL for Database Administrators (40 Hours) (Exam code 1z0-883) (OCP My SQL DBA)

CS 356 Operating System Security. Fall 2013

Security Architecture

A company built on security

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Oracle Database Vault

Oracle Database 18c and Autonomous Database

Google Identity Services for work

Choosing the level that works for you!

MySQL for Database Administrators Ed 3.1

MySQL for Database Administrators Ed 4

CO MySQL for Database Administrators

Vendor: Oracle. Exam Code: 1Z Exam Name: Oracle Database 11g Security Essentials. Version: Demo

Vormetric Data Security

Cybersecurity The Evolving Landscape

PCI DSS and VNC Connect

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Oracle Database 11g for Experienced 9i Database Administrators

Layer Security White Paper


The Nasuni Security Model

Transparent Solutions for Security and Compliance with Oracle Database 11g. An Oracle White Paper September 2008

Virtual Machine Encryption Security & Compliance in the Cloud

PCI DSS Compliance. White Paper Parallels Remote Application Server

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

Oracle Database Vault

SDR Guide to Complete the SDR

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Data Protection. Plugging the gap. Gary Comiskey 26 February 2010

Solutions Business Manager Web Application Security Assessment

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Complete document security

Security Information & Policies

Oracle Database Security Assessment Tool (DBSAT) Overview

McAfee Database Security

TRACKVIA SECURITY OVERVIEW

A Security Admin's Survival Guide to the GDPR.

Oracle Advanced Security Transparent Data Encryption (TDE)

Is your privacy secure? HIPAA Compliance Workshop September Presented by: Andrés Castañeda, Senior Manager Steve Nouss, Partner

Secure Access & SWIFT Customer Security Controls Framework

mhealth SECURITY: STATS AND SOLUTIONS

IT Security Training MS-500: Microsoft 365 Security Administration. Upcoming Dates. Course Description. Course Outline $2,

Compliance and Privileged Password Management

1 Copyright 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 7

MySQL Enterprise Edition

SQL Security Whitepaper SECURITY AND COMPLIANCE SOLUTIONS FOR PCI DSS PAYMENT CARD INDUSTRY DATA SECURITY STANDARD

Oracle Database Auditing

MySQL Port Reference

QuickBooks Online Security White Paper July 2017

Security Principles for Stratos. Part no. 667/UE/31701/004

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

HIPAA Technical Safeguards and (a)(7)(ii) Administrative Safeguards

Managing and Auditing Organizational Migration to the Cloud TELASA SECURITY

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Cassandra Database Security

HOW SNOWFLAKE SETS THE STANDARD WHITEPAPER

Security Policies and Procedures Principles and Practices

Security+ SY0-501 Study Guide Table of Contents

Top Reasons To Audit An IAM Program. Bryan Cook Focal Point Data Risk

hcloud Deployment Models

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Oracle Database Security Assessment Tool

Security Fundamentals for your Privileged Account Security Deployment

CipherCloud CASB+ Connector for ServiceNow

Administration and Data Retention. Best Practices for Systems Management

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Private Clouds: Opportunity to Improve Data Security and Lower Costs. InfoTRAMS Fusion Tematyczny, Bazy Danych, Kariera I Prywatny Sprzęt t W Pracy

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

Who s Protecting Your Keys? August 2018

SYMANTEC DATA CENTER SECURITY

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Security Readiness Assessment

HIPAA Regulatory Compliance

An Oracle White Paper June Oracle Audit Vault and Database Firewall

Database Security Service. Service Overview. Issue 16 Date HUAWEI TECHNOLOGIES CO., LTD.

SafeNet ProtectApp APPLICATION-LEVEL ENCRYPTION

Protect Your End-of-Life Windows Server 2003 Operating System

Transcription:

MySQL Enterprise Security Mike Frank Product Management Director

Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle.

Program Agenda 1 2 3 4 Security Challenges MySQL Security Solutions The Details New in MySQL 8 Confidential Oracle Internal/Restricted/Highly Restricted 3

89% of 66% of 25% experience Organizations Experienced Data Breaches, According to New Ponemon Report Source: Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, conducted by Ponemon Institute the largest businesses in the UK have suffered a cyberattack or data breach within the past twelve months Source: UK government's Cyber Security Breaches Survey 2016 a repeated breach at least one a month Source: UK government's Cyber Security Breaches Survey 2016 Oracle Confidential Internal/Restricted/Highly Restricted 4

Mega Breaches 429 Million identities exposed in 2015. 75% Web sites with vulnerabilities. 15% of all websites had a critical vulnerability. 9 In 2015, a record of nine mega-breaches were reported. One worlds largest 191M. (Mega-breach = more than 10 million records.) Mobile Vulnerabilities on the rise up 214% Infection by SQL Injection still strong. Malware attacks on databases Source: Internet Security Threat Report 2016, Symantec Oracle Confidential Internal/Restricted/Highly Restricted 5

Complexity grows Risk Grows 6

Regulatory Compliance Regulations PCI DSS: Payment Card Data HIPAA: Privacy of Health Data Sarbanes Oxley, GLBA, The USA Patriot Act: Financial Data, NPI "personally identifiable financial information" FERPA Student Data EU General Data Protection Directive: Protection of Personal Data (GDPR) Data Protection Act (UK): Protection of Personal Data Requirements Continuous Monitoring (Users, Schema, Backups, etc) Data Protection (Encryption, Privilege Management, etc.) Data Retention (Backups, User Activity, etc.) Data Auditing (User activity, etc.) 7

Principles of Securing Databases Assess Locate Risks and Vulnerabilities, Ensure that necessary security controls are Prevent Using Cryptography, User Controls, Access Controls, etc Detect Still a possibility of a breach so Audit, Monitor, Alert Recover Ensure service is not interrupted as a result of a security incident Even through the outage of a primary database Forensics post mortem fix vulnerability Confidential Oracle Internal/Restricted/Highly Restricted 8

MySQL Security Overview Authentication Authorization Encryption MySQL Security Firewall Auditing Monitoring Availability Oracle Confidential Internal 9

MySQL Enterprise Edition MySQL Enterprise TDE Data-at-Rest Encryption Key Management/Security MySQL Enterprise Authentication External Authentication Modules Microsoft AD, Linux PAMs MySQL Enterprise Encryption Public/Private Key Cryptography Asymmetric Encryption Digital Signatures, Data Validation User Activity Auditing, Regulatory Compliance MySQL Enterprise Firewall Block SQL Injection Attacks Intrusion Detection MySQL Enterprise Audit User Activity Auditing, Regulatory Compliance MySQL Enterprise Monitor Changes in Database Configurations, Users Permissions, Database Schema, Passwords MySQL Enterprise Backup Securing Backups, AES 256 encryption MySQL Enterprise Thread pool Attack Hardening 10

MySQL Security Architecture Enterprise Authentication SSO - LDAP, AD, PAM Workbench Model Data Audit Data User Management Network Encryption Strong Authentication Firewall Thread Pool Attack minimization Access Controls Enterprise Monitor Identifies Vulnerabilities Security hardening policies Monitoring & Alerting User Monitoring Password Monitoring Schema Change Monitoring Backup Monitoring Enterprise Audit Powerful Rules Engine Audit Vault Enterprise Backup Encrypted HA Innodb Cluster Key Vault Data Encryption TDE Encryption PKI Assess Prevent Detect Recover 11

What is Transparent Data Encryption? Data at Rest Encryption Tablespaces, Disks, Storage, OS File system Transparent to applications and users No application code, schema or data type changes Transparent to DBAs Keys are hidden from DBAs, no configuration changes Requires Key Management Protection, rotation, storage, recovery Confidential Oracle Internal/Restricted/Highly Restricted 12

Biggest Challenge: Encryption Key Management Management Proliferation of encryption wallets and keys Authorized sharing of keys Key availability, retention, and recovery Custody of keys and key storage files Regulations Physical separation of keys from encrypted data Periodic key rotations Monitoring and auditing of keys Long-term retention of keys and encrypted data 13

MySQL Enterprise TDE: Goals Data at Rest Encryption Tablespace Encryption Key Protection Most Important and Difficult Strong Encryption AES 256 Simple to Manage One master key for whole MySQL instance High Performance & Low Overhead Simple Key Rotation without massive decrypt/encryption costs High Quality Infrastructure Expand and support more security capabilities - encryption, keys, certs,

MySQL Transparent Data Encryption Tablespace Key Accesses Files Directly Encrypted Database Files Master Key Information Access Blocked By Encryption Malicious OS User / Hacker Confidential Oracle Internal/Restricted/Highly Restricted 15

Using MySQL Transparent Data Encryption is EASY Plugin Infrastructure New plugin type : keyring Ability to load plugin before InnoDB initialization : --early-plugin-load Keyring plugin Used to retrieve keys from Key Stores Over Standardized KMIP protocol SQL New option in CREATE TABLE ENCRYPTION= Y New SQL : ALTER INSTANCE ROTATE INNODB MASTER KEY InnoDB Support for encrypted tables IMPORT/EXPORT of encrypted tables Support for master key rotation Confidential Oracle Internal/Restricted/Highly Restricted 18

Example Commands Installation Set configuration for MySQL to talk to Oracle Key Vault Connect to MySQL install plugin okv_kmip_keyring_file soname okv_kmip_keyring.dll'; Encrypt a table CREATE TABLE `<table>` ( `ID` int(11) NOT NULL AUTO_INCREMENT, `Name` char(35) NOT NULL DEFAULT '', ) ENGINE=InnoDB ENCRYPTION="Y" Rotate Master Key ALTER INSTANCE ROTATE INNODB MASTER KEY; Confidential Oracle Internal/Restricted/Highly Restricted 19

PCI DSS PCI DSS v3.0 November 2013 3.5 Store cryptographic keys in a secure form (3.5.2), in the fewest possible locations (3.5.3) and with access restricted to the fewest possible custodians (3.5.1) 3.6 Verify that key-management procedures are implemented for periodic key changes (3.6.4) And more! 20

Key Vaults and Key Stores: General Purpose Middleware Standby Databases Administration Console, Alerts, Reports Servers Secure Backups Wallets Keystores = Certificates = Password/phrases = Credential Files/Other 21

Oracle Key Vault Turnkey solution based on hardened stack Includes Oracle Database and security options Open x86-64 hardware to choose from Easy to install, configure, deploy, and patch Separation of duties for administrative users Full auditing, preconfigured reports, and alerts 22

MySQL Enterprise TDE: KMIP Compliant DBA never knows the Master Key Only a Key Vault Admin(s) have Master Key access Keys are protected and secure Enables customers to meet regulatory requirements

MySQL Enterprise Firewall Real Time Protection Queries analyzed and matched against White List Blocks SQL Injection Attacks Block Out of Policy Transactions Intrusion Detection Detect and Alert on Out of Policy Transactions Learns White List Automated creation of approved list of SQL command patterns on a per user basis Transparent No changes to application required MySQL Enterprise Firewall monitoring 24

MySQL Enterprise Authentication Integrates MySQL with existing security infrastructures Integrate with Centralized Authentication Infrastructure Centralized Account Management Password Policy Management Groups & Roles Supports Linux PAM (Pluggable Authentication Modules) Windows Active Directory LDAP 25

MySQL Enterprise Encryption MySQL encryption functions Symmetric encryption AES256 (All Editions) Public-key / asymmetric cryptography RSA Key management functions Generate public and private keys Key exchange methods: DH Sign and verify data functions Cryptographic hashing for digital signing, verification, & validation RSA,DSA 26

MySQL Enterprise Audit Out-of-the-box logging of connections, logins, and query User defined policies for filtering, and log rotation Dynamically enabled, disabled: no server restart XML-based audit stream per Oracle Audit Vault spec New Features Coming Soon Adds regulatory compliance to MySQL applications (HIPAA, Sarbanes-Oxley, PCI, etc.) 27

Enterprise Security Architecture Enterprise Authentication SSO - LDAP, AD, PAM Workbench Model Data Audit Data User Management Network Encryption Strong Authentication Firewall Thread Pool Attack minimization Access Controls Enterprise Monitor Identifies Vulnerabilities Security hardening policies Monitoring & Alerting User Monitoring Password Monitoring Schema Change Monitoring Backup Monitoring Enterprise Audit Powerful Rules Engine Audit Vault Enterprise Backup Encrypted HA Innodb Cluster Key Vault Data Encryption TDE Encryption PKI Assess Prevent Detect Recover 28

New Security Features in MySQL 8.0 Confidential Oracle Internal/Restricted/Highly Restricted 29

New! MySQL Roles Improving MySQL Access Controls Introduced in the 8.0.0 DMR Easier to manage user and applications rights As standards compliant as practically possible Multiple default roles Can export the role graph in GraphML Directly In directly Default Role(s) Set Role(s) Set of ACLS Set of ACLS Feature Request from DBAs 30

Role Examples 33

New! Atomic ACL Statements Long standing MySQL issue! For Replication, HA, Backups, etc. Possible now - ACL tables reside in 8.0 InnoDB Data Dictionary Not just a table operation: memory caches need update too Applies to statements performing multiple logical operations, e.g. CREATE USER u1, u2 GRANT SELECT ON *.* TO u1, u2 Uses a custom MDL lock to block ACL related activity While altering the ACL caches and tables Feature Request from DBAs 34

New! Dynamic Privileges Provides finer grained administrative level access controls Too often super is required for tasks when less privilege is really needed Support concept of least privilege Needed to allow adding administrative access controls Now can come with new components Examples Replication HA Backup Give us your ideas 35

Why Dynamic Global Privileges? How to add a new global privilege (the 5.7 version) Add a column in mysql.user Extend the parser Amend ACL cache code: reading, caching, writing, upgrade, Add checks for the new privilege Not possible from a plugin! Abuse of existing privileges (SUPER)! The SUPER-potent SUPER! Feature Request from DBAs 36

Dynamic Privileges at Work SUPER privilege split into a set of dynamic privileges, e.g. SYSTEM_VARIABLES_ADMIN ROLE_ADMIN CONNECTION_ADMIN, etc. Each plugin can now register and use their own unique privileges All existing MySQL plugins currently using SUPER are updated to add specific privileges, e.g. FIREWALL_ADMIN AUDIT_ADMIN VERSION_TOKEN_ADMIN Feature Request from DBAs 37

Security Direction Continuing to focus a great deal on security New things are in the works Especially in these areas TDE / Encryption Audit Firewall Authentication Customer feedback and requirements drive our priorities Tell us what you want, need, etc. Tell us problem uses cases to solve Confidential Oracle Internal/Restricted/Highly Restricted 38

Enterprise Security Architecture Enterprise Authentication SSO - LDAP, AD, PAM Workbench Model Data Audit Data User Management Network Encryption Strong Authentication Firewall Thread Pool Attack minimization Access Controls Enterprise Monitor Identifies Vulnerabilities Security hardening policies Monitoring & Alerting User Monitoring Password Monitoring Schema Change Monitoring Backup Monitoring Enterprise Audit Powerful Rules Engine Audit Vault Enterprise Backup Encrypted HA Innodb Cluster Key Vault Data Encryption TDE Encryption PKI Assess Prevent Detect Recover 39

Safe Harbor Statement The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remains at the sole discretion of Oracle. Confidential Oracle Internal/Restricted/Highly Restricted 40

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback