Copyright © 2014 Oracle and/or its affiliates. All rights reserved.

MySQL Security and GDPR
Mark Swarbrick, MySQL Principal Sales Consultant
Mark.swarbrick@oracle.com
Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Introduction

• The E.U. General Data Protection Regulation (GDPR) comes into effect in May 2018
• GDPR is a European Union ("EU")-wide framework
  – Protection of personal data of EU-based individuals
  – Restrictions on movement of that data
• Published May 2016, enforceable by May 2018
• Fines for GDPR violations are the greater of 20,000,000 Euros or 4% of total worldwide annual turnover (R150, A83)
GDPR: Who and What

• Who does the GDPR affect?
  – The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company's location.
• What constitutes personal data?
  – Any information related to a natural person or "Data Subject" that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

Source: http://www.eugdpr.org/gdpr-faqs.html
Appropriate Security Controls

• Data must be processed with controls that provide "appropriate security and confidentiality"
  – Recitals and Articles of note: R74-78, R81, R83, R87, R90, A5, A24-25, A28, A32, A35
• Exact security controls are not specified in the GDPR
  – It says WHAT to do, not HOW to do it
EU General Data Protection Regulation (GDPR)

• Data privacy as a fundamental right
• Defines data protection responsibilities, baselines, principles
• Provides enforcement powers

Focus is on 3 areas:
• Assessment – Processes, Profiles, Data Sensitivity, Risks
• Prevention – Encryption, Anonymization, Access Controls, Separation of Duties
• Detection – Auditing, Activity Monitoring, Alerting, Reporting
Complexity Grows, Risk Grows
GDPR and MySQL

• We can't be entirely prescriptive
• We have many things that can be applied towards attaining compliance
  – Products
  – Features
  – Best Practices
  – Documents
  – Integrations
Enterprise Security Architecture (Assess, Prevent, Detect, Recover)

• Workbench: Model, Data, Audit Data, User Management
• Enterprise Monitor: Identifies Vulnerabilities, Security Hardening Policies, Monitoring & Alerting, User Monitoring, Password Monitoring, Schema Change Monitoring, Backup Monitoring
• Data Encryption: TDE, Encryption, PKI
• Firewall
• Key Vault
• Enterprise Authentication: SSO - LDAP, AD, PAM
• Network Encryption
• Enterprise Audit: Powerful Rules Engine
• Audit Vault
• Strong Authentication
• Access Controls
• Enterprise Backup: Encrypted
• HA: InnoDB Cluster
• Thread Pool: Attack Minimization
Assess Security Risks

• Discover Personal Data
• Scan Security Configuration
• Privilege Analysis
Assess – MySQL Enterprise Features and GDPR

• Assess Risks (Articles 35, 90, 91)
  – MySQL Enterprise Monitor
    • Account assessment and reporting
    • Identifies security vulnerabilities: discovers security holes, advises remediating actions
    • Advisors provide rules designed to enforce security best practices and alert upon discovering vulnerabilities
  – MySQL Workbench EE
    • Discover tables and columns containing "Personal Data"
    • Data modeling tool: reverse engineering of the data model to review data stored in the database
    • Schema Inspector, Table Inspectors for schema assessment and grant inspection
  – MySQL Security Best Practices Guidelines
MySQL Enterprise Monitor

• Enforce MySQL Security Best Practices
  – Identifies vulnerabilities
  – Assesses current setup against security hardening policies
• Monitoring & Alerting
  – User Monitoring
  – Password Monitoring
  – Schema Change Monitoring
  – Backup Monitoring
  – Configuration Management
  – Configuration Tuning Advice
• Centralized User Management
"I definitely recommend the MySQL Enterprise Monitor to DBAs who don't have a ton of MySQL experience. It makes monitoring MySQL security, performance and availability very easy to understand and to act on."
– Sandi Barr, Sr. Software Engineer, Schneider Electric
Assess MySQL Authorization

• Administrative Privileges
• Database Privileges
• Session Limits and Object Privileges
• User Privileges
  – Creating, altering and deleting databases
  – Creating, altering and deleting tables
  – Executing INSERT, SELECT, UPDATE, DELETE queries
  – Creating, executing, or deleting stored procedures, and with what rights
  – Creating or deleting indexes

(Screenshot: Security Privilege Management in MySQL Workbench)
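The "Discover Personal Data" and "Privilege Analysis" assessment steps above can also be approximated by hand on MySQL 5.7 with queries against the data dictionary and the grant tables. The following is an added example, not code from the slides or from Oracle; the `hr` schema, the `hr.employees` table and the `'app'@'10.0.1.%'` account are assumed names, and the column-name pattern in the first query is a heuristic to be tuned to your own naming conventions.

```sql
-- Added example (not from the slides). Assumed names: hr schema, hr.employees,
-- 'app'@'10.0.1.%'. Run as an account with SELECT on mysql.* and the
-- information_schema views.

-- 1. Discover candidate personal-data columns by name across all user schemas.
--    Name matching is a heuristic: review every hit and extend the pattern.
SELECT table_schema, table_name, column_name, data_type
FROM   information_schema.columns
WHERE  table_schema NOT IN ('mysql', 'information_schema', 'performance_schema', 'sys')
  AND  column_name REGEXP 'email|phone|mobile|birth|dob|ssn|national_id|passport|iban|address|salary|ip_addr'
ORDER BY table_schema, table_name;

-- 2. Accounts reachable from any host, or with no password set (5.7 stores the
--    hash in authentication_string).
SELECT user, host
FROM   mysql.user
WHERE  host = '%' OR authentication_string = '';

-- 3. Accounts holding administrative (global) privileges. A GDPR reviewer should
--    be able to justify each of these individually.
SELECT user, host, Super_priv, File_priv, Grant_priv, Process_priv, Shutdown_priv
FROM   mysql.user
WHERE  Super_priv = 'Y' OR File_priv = 'Y' OR Grant_priv = 'Y';

-- 4. Accounts that are not required to connect over TLS and whose passwords
--    never expire.
SELECT user, host, ssl_type, password_lifetime, password_expired
FROM   mysql.user
WHERE  ssl_type = '' AND password_lifetime IS NULL;

-- 5. Who can read or change a table that holds personal data (hr.employees):
--    direct table grants, plus schema-wide and global rights that also reach it.
SELECT grantee, privilege_type, 'table' AS scope
FROM   information_schema.table_privileges
WHERE  table_schema = 'hr' AND table_name = 'employees'
UNION ALL
SELECT grantee, privilege_type, 'schema'
FROM   information_schema.schema_privileges
WHERE  table_schema = 'hr'
UNION ALL
SELECT grantee, privilege_type, 'global'
FROM   information_schema.user_privileges
WHERE  privilege_type IN ('SELECT', 'INSERT', 'UPDATE', 'DELETE', 'FILE', 'SUPER')
ORDER BY grantee, scope;

-- 6. Full grant set for one application account, for the assessment report.
SHOW GRANTS FOR 'app'@'10.0.1.%';
```

Query 5 is the one most often skipped: a schema-level `GRANT SELECT ON hr.*` or a global `SELECT` reaches the personal-data table just as a table-level grant does, and only shows up in the schema and global privilege views. `FILE` and `SUPER` are included because they allow reading tablespace files or changing server state, which bypasses the table grants entirely.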
MySQL Enterprise Authentication

• Integrate with Centralized Authentication Infrastructure
  – Centralized Account Management
  – Password Policy Management
  – Groups & Roles
• PAM (Pluggable Authentication Modules)
  – Standard interface (Unix, LDAP, Kerberos, others)
• Windows
  – Access native Windows services: use to authenticate users against Windows Active Directory or a native host account

Integrates MySQL with existing security infrastructures
MySQL Enterprise Authentication: PAM

• Standard Interface
  – LDAP
  – Unix/Linux
• Proxy Users
MySQL Enterprise Authentication: Windows

• Windows Active Directory
• Windows Native Services
Assess your data and data model using MySQL Workbench
Prevent – MySQL Enterprise Features and GDPR

• Prevent Attacks (Articles 32, 83, 28, 26, 5, 20, 27, 30, 64)
  – MySQL Enterprise Security – Transparent Data Encryption
    • Includes key management
    • Protects tablespaces via encryption, and keys via Key Manager/Vault integration
  – MySQL Enterprise Security – Firewall
    • MySQL Firewall statement/user/IP whitelists, rules
  – MySQL Enterprise Authentication
    • DBA-configurable IP whitelisting, connection limits, …
    • Via server-level and per-account IP/hostname controls, account resource limits
  – In-transit data encryption
    • Full support for TLS 1.2: X509, Certificate Authorities, exclude lists, etc.
  – Granular access controls
    • Table grants, database views, stored procedures, functions
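The account-level controls listed under "Prevent" translate directly into MySQL 5.7 statements. The block below is an added example, not code from the slides or from Oracle: it assumes an `hr` schema with an `employees` table, an application account `'app'@'10.0.1.%'` on a 10.0.1.0/24 application subnet, and an internal CA whose subject is made up for the example.

```sql
-- Added example (not from the slides). Assumed names: hr.employees,
-- 'app'@'10.0.1.%', the CA subject string, and the passphrase placeholder.

-- Server-wide: refuse unencrypted connections (5.7.8+). Clients must use TLS.
SET GLOBAL require_secure_transport = ON;

-- Password policy for every password set from now on (validate_password plugin).
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password_policy = STRONG;
SET GLOBAL validate_password_length = 14;

-- Application account: host-restricted to the app subnet, must present a client
-- certificate issued by our CA, resource-limited, password rotated every 90 days.
CREATE USER 'app'@'10.0.1.%' IDENTIFIED BY 'Replace-With-A-Strong-Passphrase-1!'
  REQUIRE ISSUER '/C=GB/O=Example Ltd/CN=Example Internal CA'
  WITH MAX_USER_CONNECTIONS 25 MAX_QUERIES_PER_HOUR 50000
  PASSWORD EXPIRE INTERVAL 90 DAY;

-- Granular access: the application never touches the base table directly.
CREATE TABLE hr.employees (
  id      INT PRIMARY KEY,
  name    VARCHAR(100)  NOT NULL,
  dept    VARCHAR(50)   NOT NULL,
  email   VARCHAR(255)  NOT NULL,
  dob     DATE          NOT NULL,
  salary  DECIMAL(10,2) NOT NULL
);

-- A DEFINER view exposes only the non-sensitive columns; the app needs SELECT
-- on the view, not on hr.employees, so dob and salary are unreachable.
CREATE SQL SECURITY DEFINER VIEW hr.employee_directory AS
  SELECT id, name, dept FROM hr.employees;

-- A DEFINER procedure allows exactly one controlled write path.
DELIMITER //
CREATE PROCEDURE hr.update_contact_email(IN p_id INT, IN p_email VARCHAR(255))
  SQL SECURITY DEFINER
BEGIN
  UPDATE hr.employees SET email = p_email WHERE id = p_id;
END //
DELIMITER ;

GRANT SELECT  ON hr.employee_directory               TO 'app'@'10.0.1.%';
GRANT EXECUTE ON PROCEDURE hr.update_contact_email  TO 'app'@'10.0.1.%';
-- Deliberately no GRANT on hr.employees itself.

-- Verify the resulting grant set.
SHOW GRANTS FOR 'app'@'10.0.1.%';
```

`REQUIRE ISSUER` is stricter than `REQUIRE SSL`: it ties the account to certificates from one CA, so a stolen password alone is not enough to connect. `require_secure_transport` is the server-side backstop for accounts created without any `REQUIRE` clause. The view and procedure are `SQL SECURITY DEFINER`, so they run with the privileges of the administrator who created them; keep that creator a dedicated schema-owner account rather than root.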
MySQL Enterprise Firewall: Overview

(Diagram: inbound SQL traffic from web applications on the Internet, including a SQL injection attack via browser, passes through MySQL Enterprise Firewall in front of the MySQL instance; each statement is either (1) allowed, (2) blocked, or (3) detected.)
MySQL Enterprise Firewall

• Block SQL Injection Attacks
  – Allow: SQL statements that match the whitelist
  – Block: SQL statements that are not on the whitelist
• Intrusion Detection System
  – Detect: SQL statements that are not on the whitelist
  – SQL statements execute and alert administrators

Example (whitelist learned from the application):
  Select * from employee where id=22              Allow ✔
  Select * from employee where id=22 or 1=1       Block ✖ (or Detect & Alert in intrusion-detection mode)
MySQL Enterprise Firewall

• Real-time protection
  – Queries analyzed and matched against the whitelist
• Blocks SQL injection attacks
  – Positive security model
• Blocks suspicious traffic
  – Out-of-policy transactions detected & blocked
• Learns the whitelist
  – Automated creation of an approved list of SQL command patterns on a per-user basis
• Transparent
  – No changes to the application required

(Screenshot: MySQL Enterprise Firewall monitoring)
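The learn-then-enforce cycle described on the two firewall slides, including the `id=22` / `id=22 or 1=1` pair, looks like this in practice on MySQL 5.7 Enterprise Edition. This is an added example, not code from the slides or from Oracle; the `'app'@'10.0.1.%'` account and the `employee` table are assumed, and the stored procedure and whitelist view used are the ones the 5.7 firewall installer script creates.

```sql
-- Added example (not from the slides). Assumed names: 'app'@'10.0.1.%', employee.
-- Prerequisite: the EE installer script (linux_install_firewall.sql) has been
-- run, which loads the plugin and creates mysql.sp_set_firewall_mode().

SET GLOBAL mysql_firewall_mode = ON;

-- 1. Learn. Put the application account into RECORDING mode, then drive a full,
--    representative workload through the application (every code path, batch
--    job and report). Anything not exercised now will be blocked later.
CALL mysql.sp_set_firewall_mode('app@10.0.1.%', 'RECORDING');

-- (executed as 'app' during the training run)
SELECT * FROM employee WHERE id = 22;

-- Inspect what was learned. Literals are normalized to ?, so the statement
-- above is stored as one pattern of the form  SELECT * FROM `employee` WHERE `id` = ?
SELECT rule
FROM   information_schema.mysql_firewall_whitelist
WHERE  userhost = 'app@10.0.1.%';

-- 2. Enforce. Only statements whose normalized form is in the whitelist run.
CALL mysql.sp_set_firewall_mode('app@10.0.1.%', 'PROTECTING');

-- (executed as 'app' in production)
SELECT * FROM employee WHERE id = 22;               -- same pattern as learned: allowed
SELECT * FROM employee WHERE id = 22 OR 1 = 1;      -- normalizes to ... `id` = ? OR ? = ? : blocked
-- The injected "OR 1=1" changes the statement's structure, not just a literal,
-- which is why literal normalization does not let it through.

-- 3. Monitor the counters that the slide's monitoring screenshot is built on.
SHOW GLOBAL STATUS LIKE 'Firewall%';

-- 4. For accounts where blocking is too risky at first, use detection only:
--    out-of-whitelist statements execute but are written to the error log.
CALL mysql.sp_set_firewall_mode('app@10.0.1.%', 'DETECTING');
```

Two practical caveats: the whitelist is per account, so an application that shares one MySQL account between services needs a training run that covers all of them; and a statement that legitimately varies in shape (dynamic `IN (...)` lists of different lengths, optional `ORDER BY` clauses built at runtime) produces several patterns, each of which must be recorded or it will be blocked in `PROTECTING` mode. Run `DETECTING` for a while after training and review the error log before switching to `PROTECTING`.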
Key Vault High-Level Architecture

(Diagram: Oracle Key Vault deployed as a primary with a standby, with an administration console, alerts, reports and secure backups. It holds wallets, keystores, certificates, passwords/phrases, credential files and other secrets on behalf of databases, servers and middleware.)
MySQL TDE – Protects against Attacks on Database Files

(Diagram: a hacker or dishonest OS user who accesses the MySQL database's tablespace files directly finds only encrypted data; information access is blocked by encryption because the key is protected outside the files.)
MySQL Enterprise Transparent Data Encryption: 2-Tier Architecture

• Master Key
  – Stored outside the database, in a key vault: Oracle Key Vault, SafeNet KeySecure, or any KMIP 1.1 compliant key vault
  – Retrieved by the MySQL Server through the plugin & services infrastructure (client keyring plugins)
• Tablespace Key
  – Protected by the master key
  – Used by InnoDB to encrypt the tablespace data

(Diagram: plain text data is encrypted with the tablespace key (Encrypted 1); the tablespace key is itself encrypted with the master key held in the Key Vault (Encrypted 2).)
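Putting the two-tier design to work on MySQL 5.7.11 or later takes a keyring plugin in `my.cnf` and a handful of statements. The block below is an added example, not code from the slides or from Oracle; the keyring configuration directory, the `hr` schema and the `hr.employees` / `hr.payroll` tables are assumed names.

```sql
-- Added example (not from the slides). Assumed names: the keyring_okv
-- configuration directory path, hr.employees, hr.payroll.
--
-- The keyring must be loaded before InnoDB initializes, so it is configured in
-- my.cnf rather than in SQL (keyring_okv for Oracle Key Vault / KMIP 1.1):
--
--   [mysqld]
--   early-plugin-load   = keyring_okv.so
--   keyring_okv_conf_dir = /usr/local/mysql/mysql-keyring-okv
--
-- keyring_okv_conf_dir holds okvclient.ora and the client certificate and key
-- issued by the vault; keep that directory readable by the mysqld user only.
-- keyring_file.so also works for a lab, but it keeps the master key on the same
-- host as the data, which defeats the two-tier design the slide describes.

-- 1. Confirm the keyring plugin is active before encrypting anything.
SELECT plugin_name, plugin_status
FROM   information_schema.plugins
WHERE  plugin_name LIKE 'keyring%';

-- 2. Encrypt a new table. TDE needs file-per-table tablespaces
--    (innodb_file_per_table=ON, the 5.7 default).
CREATE TABLE hr.employees (
  id     INT PRIMARY KEY,
  name   VARCHAR(100) NOT NULL,
  email  VARCHAR(255) NOT NULL,
  dob    DATE         NOT NULL
) ENCRYPTION = 'Y';

-- 3. Encrypt an existing table in place (rebuilds its tablespace).
ALTER TABLE hr.payroll ENCRYPTION = 'Y';

-- 4. Verify which tables are encrypted.
SELECT table_schema, table_name
FROM   information_schema.tables
WHERE  create_options LIKE '%ENCRYPTION="Y"%';

-- 5. Rotate the master key. Only the tablespace keys are re-encrypted under the
--    new master key; the data itself is not rewritten, so this is cheap and
--    should be scheduled, and run immediately after any suspected key exposure.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
```

What 5.7 TDE does not cover, and what therefore still needs other controls: the redo and undo logs, the binary log, the general and slow query logs and temporary tables are written in clear, and any account with `SELECT` on the table reads decrypted rows, so TDE protects against the file-level attacker in the diagram, not against a compromised database account. Backups taken with MySQL Enterprise Backup carry the encrypted tablespaces as-is and need the same keyring to restore.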
Detect – MySQL Enterprise Features and GDPR – 1 of 2

• Detect (Articles 30, 82, 33)
  – MySQL Enterprise Security – Audit
    • Policy-based auditing solution: gathers an audit log of activity
    • Use to spot database misuse
    • Use to prove compliance with GDPR
  – MySQL Enterprise Security – Firewall
    • Real-time protection against database-specific attacks
    • Use to alert on and/or block nefarious activity, such as personal data leakage
Focus on MySQL EE Audit

• GDPR
  – Mandates recording or auditing of the activities on the personal data
  – Recommends that records be maintained centrally, under the responsibility of the Controller
  – Processors and third parties must not be able to tamper with or destroy the audit records
  – In addition to book-keeping, auditing helps in forensic analysis in case of a breach
• MySQL Enterprise Audit: audit data can be
  – Maintained in Oracle Audit Vault (certified)
  – Output as standard XML or JSON that easily integrates with various 3rd-party solutions
  – Encrypted (MySQL 5.7.18+)
  – Directed as security logs to write-once storage
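A concrete MySQL Enterprise Audit configuration that meets the bullets above on 5.7 (filter-based logging, JSON output, encrypted log, rotation for shipping to write-once storage) is shown below. It is an added example, not code from the slides or from Oracle; the `hr.employees` table, the `'app'@'10.0.1.%'` account, the log path and the passphrase placeholder are assumed.

```sql
-- Added example (not from the slides). Assumed names: hr.employees,
-- 'app'@'10.0.1.%', /var/lib/mysql-audit/audit.log, the passphrase placeholder.
-- Prerequisite: the audit_log installer script shipped with EE
-- (audit_log_filter_linux_install.sql) has been run; it loads the plugin and
-- creates the mysql.audit_log_filter / mysql.audit_log_user tables and the
-- audit_log_filter_* functions used here.
--
-- Server options (my.cnf):
--   [mysqld]
--   audit_log_format          = JSON
--   audit_log_file            = /var/lib/mysql-audit/audit.log
--   audit_log_encryption      = AES      -- 5.7.18+
--   audit_log_rotate_on_size  = 0        -- rotate manually (below), so each closed
--                                        -- file can be shipped to write-once storage

-- Password from which the log encryption key is derived; it is kept in the keyring.
SELECT audit_log_encryption_password_set('replace-with-a-strong-passphrase');

-- 1. Filter: every connection event, plus read/insert/update/delete on hr.employees.
SELECT audit_log_filter_set_filter('gdpr_personal_data', '{
  "filter": {
    "class": [
      { "name": "connection" },
      { "name": "table_access",
        "event": {
          "name": ["read", "insert", "update", "delete"],
          "log": {
            "and": [
              { "field": { "name": "table_database.str", "value": "hr" } },
              { "field": { "name": "table_name.str",     "value": "employees" } }
            ]
          }
        }
      }
    ]
  }
}');

-- 2. Assign it to the application account, and as the default ("%") for every
--    account that has no filter of its own, so no new account goes unaudited.
SELECT audit_log_filter_set_user('app@10.0.1.%', 'gdpr_personal_data');
SELECT audit_log_filter_set_user('%', 'gdpr_personal_data');

-- 3. Review what is in force.
SELECT * FROM mysql.audit_log_filter;
SELECT * FROM mysql.audit_log_user;

-- 4. Close the current log file and start a new one (run on a schedule); the
--    closed file is then copied off-host to write-once storage.
SET GLOBAL audit_log_flush = ON;
```

Two points follow from the slide's tamper-resistance requirement: the DBA accounts are the ones most able to suppress auditing, so the `%` default filter and the filter tables themselves should be covered by the audit too (the `general` class catches the `audit_log_filter_*` calls), and the off-host copy, not the file on the database server, is the record you show to a regulator.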
MySQL Enterprise Audit – Workflow
Detect – MySQL Enterprise Features and GDPR – 2 of 2

• MySQL Workbench EE
  – Security related: inspect audit data, configure Firewall, manage users
• MySQL Enterprise Monitor
  – Monitor/alert on Firewall, Audit, Backups and more
  – Detect configuration changes
Additional Security Controls: Hashing, Signing, Encryption Functions

• Symmetric Encryption – AES
• Hashing – SHA-2, SHA-1
• Asymmetric Public Key Encryption (RSA)
• Asymmetric Private Key Decryption (RSA)
• Generate Public/Private Key (RSA, DSA, DH)
• Derive Symmetric Keys from Public and Private Key Pairs (DH)
• Digitally Sign Data (RSA, DSA)
• Verify Data Signature (RSA, DSA)
• Validate Data Authenticity (RSA, DSA)
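The functions listed above are the built-in `AES_*` / `SHA2` functions plus the MySQL Enterprise Encryption UDFs. The block below is an added example, not code from the slides or from Oracle, showing each of them used with the settings a practitioner would actually want (CBC with a random IV rather than the ECB default, a 256-bit key, salted hashing, sign-then-verify). The `hr.bank_details` table, the IBAN value, the key bytes and the salt are constructed for the example.

```sql
-- Added example (not from the slides). Assumed/constructed: hr.bank_details,
-- the IBAN, the 32-byte key, the salt string, the signed text.

-- Symmetric encryption. The default block_encryption_mode is aes-128-ecb,
-- which maps equal plaintexts to equal ciphertexts. Use CBC with a random IV
-- stored beside the ciphertext and a 32-byte key. The key is passed in from the
-- application for the session; do not store it in a table, and remember that a
-- SET of a session variable is visible in the general and audit logs.
SET SESSION block_encryption_mode = 'aes-256-cbc';
SET @key = UNHEX('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef');
SET @iv  = RANDOM_BYTES(16);

CREATE TABLE hr.bank_details (
  employee_id INT PRIMARY KEY,
  iban_iv     BINARY(16)    NOT NULL,
  iban_enc    VARBINARY(64) NOT NULL
);
INSERT INTO hr.bank_details
VALUES (22, @iv, AES_ENCRYPT('GB33BUKB20201555555555', @key, @iv));

SELECT employee_id, CAST(AES_DECRYPT(iban_enc, @key, iban_iv) AS CHAR) AS iban
FROM   hr.bank_details
WHERE  employee_id = 22;

-- Hashing. SHA-2 for integrity and pseudonymous lookup keys; SHA-1 is on the
-- slide for completeness but should not be chosen for new designs. A bare hash
-- of a low-entropy value (e-mail, phone) is reversible by enumeration, so mix in
-- a secret the database does not hold.
SELECT SHA2(CONCAT('secret-salt-from-app', 'alice@example.com'), 256) AS email_lookup_key;

-- Asymmetric signing (Enterprise Encryption UDFs): sign a deletion record with a
-- private key held by the controller; anyone with the public key can verify it.
SET @priv = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 2048);
SET @pub  = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv);
SET @dig  = CREATE_DIGEST('SHA256', 'id=22,erased=2018-05-25,by=dpo');
SET @sig  = ASYMMETRIC_SIGN('RSA', @dig, @priv, 'SHA256');
SELECT ASYMMETRIC_VERIFY('RSA', @dig, @sig, @pub, 'SHA256') AS signature_ok;

-- RSA encryption of a small secret, e.g. wrapping the AES key for another party.
SET @wrapped = ASYMMETRIC_ENCRYPT('RSA', @key, @pub);
SELECT ASYMMETRIC_DECRYPT('RSA', @wrapped, @priv) = @key AS unwrapped_ok;

-- Diffie-Hellman: both sides derive the same symmetric key from their own
-- private key and the other side's public key.
SET @dhp    = CREATE_DH_PARAMETERS(2048);
SET @a_priv = CREATE_ASYMMETRIC_PRIV_KEY('DH', @dhp);
SET @a_pub  = CREATE_ASYMMETRIC_PUB_KEY('DH', @a_priv);
SET @b_priv = CREATE_ASYMMETRIC_PRIV_KEY('DH', @dhp);
SET @b_pub  = CREATE_ASYMMETRIC_PUB_KEY('DH', @b_priv);
SELECT ASYMMETRIC_DERIVE(@b_pub, @a_priv) = ASYMMETRIC_DERIVE(@a_pub, @b_priv) AS shared_secret_matches;
```

`ASYMMETRIC_VERIFY` returns 1 for a valid signature and 0 otherwise, so `signature_ok` and the two equality checks are the assertions to look at. `CREATE_DH_PARAMETERS(2048)` is slow (it searches for a safe prime) and is normally run once and the result stored, not generated per session. For column-level encryption at scale the keyring-backed TDE on the earlier slides is the better tool; the functions here are for the cases TDE does not cover, such as a field that must stay encrypted even for accounts that can read the table.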
Additional Security Controls

• HA
  – Traditional Replication
  – MySQL InnoDB Cluster
• Disaster Recovery
  – Traditional Replication
  – MySQL InnoDB Cluster
• Backup
  – MySQL Enterprise Backup
    • Includes encryption
    • Support for MySQL TDE
MySQL Cloud Service (+ MySQL Enterprise Edition)

• Designed for security
• MySQL Enterprise features
• Backup & Recovery
  – Based on MySQL Enterprise Backup
• Support (with consultative support)
References

• Homepage EU GDPR: http://www.eugdpr.org/
• MySQL Enterprise: https://www.mysql.com/products/enterprise/
• MySQL PCI DSS: https://www.mysql.com/it/why-mysql/white-papers/mysql-pci-data-security-compliance/
• MySQL Security Best Practices: https://www.mysql.com/it/why-mysql/presentations/mysql-security-best-practices/