Oow MySQL Whats new in security overview sept 2017 v1

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.|

MySQL8.0:What’sNewinSecurityMikeFrank PMDirectorGeorgi“Joro”Kodinov MySQLServerManager

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.


SafeHarborStatementThefollowingisintendedtooutlineourgeneralproductdirecXon.ItisintendedforinformaXonpurposesonly,andmaynotbeincorporatedintoanycontract.Itisnotacommitmenttodeliveranymaterial,code,orfuncXonality,andshouldnotberelieduponinmakingpurchasingdecisions.Thedevelopment,release,andXmingofanyfeaturesorfuncXonalitydescribedforOracle’sproductsremainsatthesolediscreXonofOracle.

2


ProgramAgenda

SecurityChallenges

MySQLSecuritySoluXons

TheDetails

NewSecurityFeaturesinMySQL8

NewSecurityFeaturesinMySQLEnterpriseEdiXon

1

2

3

4

ConfidenXal–OracleInternal/Restricted/HighlyRestricted 3

5


89%ofOrganizaXonsExperiencedDataBreaches,AccordingtoNewPonemonReportSource:SixthAnnualBenchmarkStudyonPrivacy&SecurityofHealthcareData,conductedbyPonemonInsXtute

OracleConfidenXal–Internal/Restricted/HighlyRestricted 4

66%ofthelargestbusinessesintheUKhavesufferedacyberafackordatabreachwithinthepasttwelvemonthsSource:UKgovernment'sCyberSecurityBreachesSurvey2016

25%experiencearepeatedbreachatleastoneamonthSource:UKgovernment'sCyberSecurityBreachesSurvey2016


MegaBreaches

429MillionidenXXesexposedin2015.

75%WebsiteswithvulnerabiliXes.15%ofallwebsiteshadacriXcalvulnerability.

9In2015,arecordofninemega-breacheswerereported.

Oneworldslargest191M.(Mega-breach=morethan10millionrecords.)

MobileVulnerabiliXesontherise–up214%

InfecXonbySQLInjecXonsXllstrong.

Malwareafacksondatabases

OracleConfidenXal–Internal/Restricted/HighlyRestricted 5

Source:InternetSecurityThreatReport2016,Symantec


ComplexitygrowsRiskGrows

6


RegulatoryCompliance•  RegulaXons

–  PCI–DSS:PaymentCardData–  HIPAA:PrivacyofHealthData–  SarbanesOxley,GLBA,TheUSAPatriotAct:

FinancialData,NPI"personallyidenXfiablefinancialinformaXon"–  FERPA–StudentData–  EUGeneralDataProtecXonDirecXve:ProtecXonofPersonalData(GDPR)–  DataProtecXonAct(UK):ProtecXonofPersonalData

•  Requirements–  ConXnuousMonitoring(Users,Schema,Backups,etc)–  DataProtecXon(EncrypXon,PrivilegeManagement,etc.)–  DataRetenXon(Backups,UserAcXvity,etc.)–  DataAudiXng(UseracXvity,etc.)

7


• GDPR– Thegreaterof20,000,000Eurosor4%ofannualrevenue

• PCI– Rangefrom$5,000to$500,000,leviedbybanks/creditcardinsXtuXons.

– Banksfinebasedonforensicresearchtoremediatenoncompliance.CreditcardinsXtuXonsfinetopunishment

• HIPAA– Finesupto$400to$50kperviolaXon(orperrecord)

•  $3.62Million–Averagecostofabreach

• WW$141perstolenrecord– Theaveragepercapitacostofdatabreachwas$225intheUnitedStatesand$190inCanada.

•  ThefasterthedatabreachcanbeidenXfiedandcontained,thelowerthecosts.

8

CaughtOutofRegulatoryCompliance->LargeFinesDataBreach->LargeLosses

*PonemonInsXtute’s2017CostofDataBreachStudy:GlobalOverview


HowtoSecureyourDatabases¡ Assess¡ LocateRisksandVulnerabiliXes,Ensurethatnecessarysecuritycontrolsare

¡ Prevent¡ UsingCryptography,UserControls,AccessControls,etc

¡ Detect¡ SXllapossibilityofabreach–soAudit,Monitor,Alert

¡ Recover¡ Ensureserviceisnotinterruptedasaresultofasecurityincident¡ Eventhroughtheoutageofaprimarydatabase¡ Forensics–postmortem–fixvulnerability


Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.| OracleConfidenXal–Internal 10

MySQLSecurityOverviewAuthenXcaXon

AuthorizaXon

EncrypXon

FirewallMySQLSecurity

AudiXng

Monitoring

Availability


MySQLEnterpriseEdiXon-SECURITY•  MySQLEnterpriseTDE

–  Data-at-RestEncrypXon–  KeyManagement/Security

•  MySQLEnterpriseAuthenXcaXon–  ExternalAuthenXcaXonModules

•  MicrosovAD,LinuxPAMs,LDAP

•  MySQLEnterpriseEncrypXon–  Public/PrivateKeyCryptography–  AsymmetricEncrypXon–  DigitalSignatures,DataValidaXon–  UserAcXvityAudiXng,RegulatoryCompliance

11

•  MySQLEnterpriseFirewall–  BlockSQLInjecXonAfacks–  IntrusionDetecXon

•  MySQLEnterpriseAudit–  UserAcXvityAudiXng,RegulatoryCompliance

•  MySQLEnterpriseMonitor–  ChangesinDatabaseConfiguraXons,UsersPermissions,DatabaseSchema,Passwords

•  MySQLEnterpriseBackup–  SecuringBackups,AES256encrypXon

•  MySQLEnterpriseThreadpool–  AfackHardening

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.| 12

MySQLSecurityArchitecture ¡Workbench

• Model• Data• AuditData• UserManagement

¡¡EnterpriseMonitor• IdenXfiesVulnerabiliXes• Securityhardeningpolicies• Monitoring&AlerXng• UserMonitoring• PasswordMonitoring• SchemaChangeMonitoring• BackupMonitoring

¡ DataEncrypXon• TDE• EncrypXon• PKI

¡Firewall

¡KeyVault

¡EnterpriseAuthen@ca@on• SSO-LDAP,AD,PAM

¡NetworkEncryp@on

¡EnterpriseAudit• PowerfulRulesEngine

¡AuditVault

¡StrongAuthen@ca@on

¡AccessControls• Grants,• Roles,• DynamicPriv

¡Assess¡Prevent¡Detect¡Recover

¡EnterpriseBackup• Encrypted ¡HA

• InnodbCluster

¡ ThreadPool• AfackminimizaXon


WhatisTransparentDataEncrypXon?• DataatRestEncrypXon

– Tablespaces,Disks,Storage,OSFilesystem

•  TransparenttoapplicaXonsandusers– NoapplicaXoncode,schemaordatatypechanges

•  TransparenttoDBAs– KeysarehiddenfromDBAs,noconfiguraXonchanges

• RequiresKeyManagement– ProtecXon,rotaXon,storage,recovery


Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.| ConfidenXal–OracleInternal/Restricted/HighlyRestricted 14

MySQLTransparentDataEncrypXon

EncryptedDatabaseFiles

TablespaceKey

MaliciousOSUser/Hacker

AccessesFilesDirectly

InformaXonAccessBlockedByEncrypXon

MasterKey


UsingMySQLTransparentDataEncrypXonisEASYSQL•  NewopXoninCREATETABLE

ENCRYPTION=“Y”

•  NewSQL:ALTERINSTANCEROTATEINNODBMASTERKEY

PluginInfrastructure•  Newplugintype:keyring•  AbilitytoloadpluginbeforeInnoDB

iniXalizaXon:--early-plugin-load

Keyringplugin•  UsedtoretrievekeysfromKeyStores

•  OverStandardizedKMIPprotocol

InnoDB•  Supportforencryptedtables•  IMPORT/EXPORTofencryptedtables

•  SupportformasterkeyrotaXon



MySQLEnterpriseTDE:KMIPCompliant

• KMIP–KeyManagementInteroperabilityProtocol(OasisStandard)

• Keysareprotectedandsecure

•  Enablescustomerstomeetregulatoryrequirements

• KMIPmodetestedwiththefollowingproducts–  OracleKeyVault(OKV)

–  GemaltoSafenetKeySecure

–  ForneXxKeyOrchestraXonAppliance

– Moreintheworks


TheKeyringAPI:TheBigPicture

17

TheMySQLServer

Plugins(Consumers) Keys

KeyringPlugin(backend)

KeyStorage

Keys

KeyringPluginService

KeyringPluginAPI

KeysKeyRingAPI EachKey

HasaName/ACL


WhatistheKeyringAPI?• Auniforminfrastructureforhandlingkeys• Usablebyboththeserverandplugins• AvailableinMySQL5.7andupasapluginAPIandapluginservice•  Fullyextensible• CanbeiniXalizedbeforeInnoDBatstartup• Minimumefforttoaddnewbackendsandconsumers

18


Keyringplugins:TheInventory

19

• CurrentConsumers– InnoDBtablespaceencrypXon– SQLuserdefinedfuncXons(UDF)plugin

• CurrentBackends– Flatfilebackend– KMIPcompliantclients

•  OracleKeyVault•  GemaltoSafenetKeySecure•  ProbablymoreiftheysupportKMIPstandards–giveitatry.


MySQLEnterpriseAuthenXcaXon

20

•  IntegratewithCentralizedAuthenXcaXonInfrastructure– CentralizedAccountManagement– PasswordPolicyManagement– Groups&RolesSupports– WindowsAcXveDirectory– LinuxPAM(PluggableAuthenXcaXonModules)– NewNaXveLDAP

•  UltraFastandFlexible

IntegratesMySQLwithexisXngsecurityinfrastructures


MySQLEnterpriseEncrypXon• MySQLencrypXonfuncXons

– SymmetricencrypXonAES256(AllEdiXons)– Public-key/asymmetriccryptography–RSA

• KeymanagementfuncXons– Generatepublicandprivatekeys– Keyexchangemethods:DH

•  SignandverifydatafuncXons– Cryptographichashingfordigitalsigning,verificaXon,&validaXon–RSA,DSA

21


MySQLEnterpriseAudit• Out-of-the-boxloggingofconnecXons,logins,andquery• Userdefinedpoliciesforfiltering,andlogrotaXon• Dynamicallyenabled,disabled:noserverrestart• XML-basedauditstreamperOracleAuditVaultspec• New!Featuresin5.7.21

– JSON– Compression– EncrypXon

22

Addsregulatorycomplianceto

MySQLapplicaXons(HIPAA,Sarbanes-Oxley,PCI,etc.)


MySQLEnterpriseFirewall•  RealTimeProtecXon

–  QueriesanalyzedandmatchedagainstWhiteList

•  BlocksSQLInjecXonAfacks–  BlockOutofPolicyTransacXons

•  IntrusionDetecXon–  DetectandAlertonOutofPolicyTransacXons

•  LearnsWhiteList–  AutomatedcreaXonofapprovedlistofSQLcommandpafernsonaperuserbasis

•  Transparent–  NochangestoapplicaXonrequired

23

MySQLEnterpriseFirewallmonitoring


MySQLEnterpriseFirewall•  New!Featurein5.7.20–CombinedFirewall/AuditRules

–  Createmoregeneralallow/denyfirewallrulesusingJSONsyntax–usingabort=on

Example-blockexecuXonofspecific

•  SQLstatements(insert,update,delete)

•  Foraspecifictable(finances.bank_account)

Testrules

•  BywriXngtoauditlog•  Ifdataasexpectedchangetofirewall

–  add“abort”

24


NewSecurityFeaturesinMySQL8.0



New!MySQLRolesImprovingMySQLAccessControls•  Introducedinthe8.0.0DMR•  EasiertomanageuserandapplicaXonsrights• AsstandardscompliantaspracXcallypossible• MulXpledefaultroles• CanexporttherolegraphinGraphML

26

FeatureRequestfromDBAs

Directly

IndirectlySetRole(s)

DefaultRole(s)SetofACLS

SetofACLS


SQLRolesImplementaXonDetails-1• Aroleisbasicallyauseraccountwithlogindisabled.• AmemorybasedhashofflafenedprivilegesetsforeachacXverole•  2newtables:mysql.role_edgesandmysql.default_roles•  2newSQLfuncXons:CURRENT_ROLE()andROLE_GRAPHML()•  3newglobalprivileges:CREATEROLE,DROPROLEandROLE_ADMIN•  Extensionsto:ALTERUSER,GRANT/REVOKE,SET[DEFAULT]ROLEandSHOWGRANTS

27


SQLRolesImplementaXonDetails-2• RolescanhaveanopXonalhostpart(notcurrentlyused)• Pre-rolesACLcodeisusedwhenthere’snoacXverole(s)• Userscanbeassignedseveralroles• Userscanhavezeroormoredefaultroles• AcXveRolescanbechanged–fromvariousassignedroles

– ForexamplejustescalateorchangeprivilegesfromwithinanapplicaXonforcertainoperaXons

28


RoleExamples

29


New!AtomicACLStatements•  LongstandingMySQLissue!

– ForReplicaXon,HA,Backups,etc.• Possiblenow-ACLtablesresidein8.0InnoDBDataDicXonary• NotjustatableoperaXon:memorycachesneedupdatetoo• AppliestostatementsperformingmulXplelogicaloperaXons,e.g.

– CREATEUSERu1,u2– GRANTSELECTON*.*TOu1,u2

• UsesacustomMDLlocktoblockACLrelatedacXvity– WhilealteringtheACLcachesandtables

30



New!DynamicPrivilegesProvidesfinergrainedadministraXvelevelaccesscontrols•  Tooovensuperisrequiredfortaskswhenlessprivilegeisreallyneeded

– Supportconceptof“leastprivilege”• NeededtoallowaddingadministraXveaccesscontrols

– Nowcancomewithnewcomponents– Examples

•  ReplicaXon•  HA•  Backup

• Giveusyourideas

31


WhyDynamicGlobalPrivileges?• Howtoaddanewglobalprivilege(the5.7version)

– Addacolumninmysql.user– Extendtheparser– AmendACLcachecode:reading,caching,wriXng,upgrade,…– Addchecksforthenewprivilege

• Notpossiblefromaplugin!• AbuseofexisXngprivileges(SUPER)!•  TheSUPER-potentSUPER!

32



HowDoDynamicPrivilegesWork?• Providesnewcomponentservice

– Canadd,removeandcheckglobalprivileges

• OnlyGRANTsarepersisted– Storedinmysql.global_grants

• Usesthefamiliar– GRANT<dynamic_acl>ON*.*TO…syntax

33


MySQLPasswordFeatures• New!Passwordhistory-providesDBAsmorepasswordmanagement

– Requirenewpasswordsnotreuseoldones-Bynumberofchangesand/orXme.– Establishpassword-reusepolicygloballyaswellasonaper-accountbasis.

• New!SHA2withCaching– StrongandFast– Strong-SHA-256passwordhashing(manyrounds,seeds,…)– Fast-Caching

•  Greatlyreduceslatency

• New!SupportsformoreconnecXonprotocols• New!SeamlessRSApassword-exchangecapabiliXes(NolinkingOpenSSL)

34


MySQL8.0FileEncrypXon• New!AES256encrypXonofUNDOandREDOLogsSuperSimpletomanage-Set•  innodb_undo_log_encrypt=ON/OFF•  innodb_redo_log_encrypt=ON/OFFAnd– ON-Pageswrifenaverse~ngareencrypted

– OFF-Pageswrifenaverse~ngarenot.

35


SecurityDirecXonConXnuingtofocusagreatdealonsecurityNewthingsareintheworksEspeciallyintheseareas•  TDE/EncrypXon/KeyManagement• Audit•  Firewall• AuthenXcaXon•  IntegraXontovariousOracleCloudServices


Customerfeedbackandrequirementsdriveour

prioriXes

Telluswhatyouwant,need,etc.

GiveusproblemaXc

usecases

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.| 37

EnterpriseSecurityArchitecture ¡Workbench

• Model• Data• AuditData• UserManagement

¡¡EnterpriseMonitor• IdenXfiesVulnerabiliXes• Securityhardeningpolicies• Monitoring&AlerXng• UserMonitoring• PasswordMonitoring• SchemaChangeMonitoring• BackupMonitoring

¡ DataEncrypXon• TDE• EncrypXon• PKI

¡Firewall

¡KeyVault

¡EnterpriseAuthen@ca@on• SSO-LDAP,AD,PAM

¡NetworkEncryp@on

¡EnterpriseAudit• PowerfulRulesEngine

¡AuditVault

¡StrongAuthen@ca@on

¡AccessControls

¡Assess¡Prevent¡Detect¡Recover

¡EnterpriseBackup• Encrypted ¡HA

• InnodbCluster

¡ ThreadPool• AfackminimizaXon


MySQLEnterpriseEdiXon•  MySQLEnterpriseTDE

–  Data-at-RestEncrypXon–  KeyManagement/Security

•  MySQLEnterpriseAuthenXcaXon–  ExternalAuthenXcaXonModules

•  MicrosovAD,LinuxPAMs

•  MySQLEnterpriseEncrypXon–  Public/PrivateKeyCryptography–  AsymmetricEncrypXon–  DigitalSignatures,DataValidaXon–  UserAcXvityAudiXng,RegulatoryCompliance

38

•  MySQLEnterpriseFirewall–  BlockSQLInjecXonAfacks–  IntrusionDetecXon

•  MySQLEnterpriseAudit–  UserAcXvityAudiXng,RegulatoryCompliance

•  MySQLEnterpriseMonitor–  ChangesinDatabaseConfiguraXons,UsersPermissions,DatabaseSchema,Passwords

•  MySQLEnterpriseBackup–  SecuringBackups,AES256encrypXon

•  MySQLEnterpriseThreadpool–  AfackHardening


SecurityResources• hfp://mysqlserverteam.com/• hfp://insidemysql.com/• hfps://blogs.oracle.com/mysql• hfps://www.mysql.com/why-mysql/#en-0-40• hfps://www.mysql.com/why-mysql/presentaXons/#en-17-40• hfps://www.mysql.com/news-and-events/on-demand-webinars/#en-20-40

• hfps://www.mysql.com/news-and-events/health-check/

39


SafeHarborStatementTheprecedingisintendedtooutlineourgeneralproductdirecXon.ItisintendedforinformaXonpurposesonly,andmaynotbeincorporatedintoanycontract.Itisnotacommitmenttodeliveranymaterial,code,orfuncXonality,andshouldnotberelieduponinmakingpurchasingdecisions.Thedevelopment,release,andXmingofanyfeaturesorfuncXonalitydescribedforOracle’sproductsremainsatthesolediscreXonofOracle.



Thankyou!

41

Technology

Oow MySQL Whats new in security overview sept 2017 v1