MySQL Security
Mark Swarbrick, MySQL Sales Consultant UK&I
Mark.Swarbrick@oracle.com
Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

43% of companies have experienced a data breach in the past year.
Source: Ponemon Institute, 2014

Mega Breaches
• 552 million identities exposed in 2013, a 493% increase over the previous year.
• 77% of web sites had vulnerabilities; 1-in-8 of all websites had a critical vulnerability.
• 8 breaches that exposed more than 10 million records in 2013.
• Total breaches increased 62% in 2013.
Source: Internet Security Threat Report 2014, Symantec

Target Breach, 2013, $270 million
The hackers who committed the Target breach took 40 million credit and debit card numbers and 70 million records, including names and addresses of shoppers.
Source: Fortune.com, 2014

Cybercrime cost the global economy $575 billion/year.
Source: paymetric.com, 2014

One major data breach discovered every month. Those breaches include Michaels Stores, Sally Beauty Supply, Neiman Marcus, AOL, eBay and P.F. Chang’s Chinese Bistro.
Source: paymetric.com, 2014

Database Vulnerabilities
• Poor Configurations
  – Set controls and change default settings
• Over Privileged Accounts
  – Privilege Policies
• Weak Access Control
  – Dedicated Administrative Accounts
• Weak Authentication
  – Strong Password Enforcement
• Weak Auditing
  – Compliance & Audit Policies
• Lack of Encryption
  – Data, Backup & Network Encryption
• Proper Credential or Key Management
  – Use mysql_config_editor, Key Vaults
• Unsecured Backups
  – Encrypted Backups
• No Monitoring
  – Security Monitoring, Users, Objects
• Poorly Coded Applications
  – Database Firewall

Database Attacks
• SQL Injection
  – Prevention: DB Firewall, White List, Input Validation
• Buffer Overflow
  – Prevention: Frequently apply Database Software updates, DB Firewall, White List, Input Validation
• Brute Force Attack
  – Prevention: lock out accounts after a defined number of incorrect attempts.
• Network Eavesdropping
  – Prevention: Require SSL/TLS for all Connections and Transport
• Malware
  – Prevention: Tight Access Controls, Limited Network IP access, Change default settings

Database Malicious Actions
• Information Disclosure: Obtain credit card and other personal information
  – Defense: Encryption – Data and Network, Tighter Access Controls
• Denial of Service: Run resource intensive queries
  – Defense: Resource Usage Limits – Set various limits – Max Connections, Sessions, Timeouts, …
• Elevation of Privilege: Retrieve and use administrator credentials
  – Defense: Stronger authentication, Access Controls, Auditing
• Spoofing: Retrieve and use other credentials
  – Defense: Stronger account and password policies
• Tampering: Change data in the database, Delete transaction records
  – Defense: Tighter Access Controls, Auditing, Monitoring, Backups

Regulatory Compliance
• Regulations
  – PCI-DSS: Payment Card Data
  – HIPAA: Privacy of Health Data
  – Sarbanes-Oxley: Accuracy of Financial Data
  – EU Data Protection Directive: Protection of Personal Data
  – Data Protection Act (UK): Protection of Personal Data
• Requirements
  – Continuous Monitoring (Users, Schema, Backups, etc.)
  – Data Protection (Encryption, Privilege Management, etc.)
  – Data Retention (Backups, User Activity, etc.)
  – Data Auditing (User activity, etc.)
https://www.mysql.com/why-mysql/white-papers/mysql-pci-data-security-compliance/

DBA Responsibilities
• Ensure only users who should get access can get access
• Limit what users and applications can do
• Limit from where users and applications can access data
• Watch what is happening, and when it happened
• Make sure to back things up securely
• Minimize attack surface

MySQL Security Overview
(Diagram: MySQL Security at the centre, surrounded by Authentication, Authorization, Encryption, Firewall and Auditing.)

MySQL Security Overview
(Diagram of the five areas and what each covers:)
• Authentication – MySQL, Linux / LDAP, Windows AD, Custom
• Authorization – Privilege Management, Administration, Database & Objects, Proxy Users
• Encryption – SSL/TLS, Public Key, Private Key, Digital Signatures
• Firewall & Auditing – Block Threats, Auditing, Regulatory Compliance, Login and Query Activities

MySQL Authorization
• Administrative Privileges
• Database Privileges
• Session Limits and Object Privileges
• Fine grained controls over user privileges
  – Creating, altering and deleting databases
  – Creating, altering and deleting tables
  – Execute INSERT, SELECT, UPDATE, DELETE queries
  – Create, execute, or delete stored procedures and with what rights
  – Create or delete indexes
(Screenshot: Security Privilege Management in MySQL Workbench)

MySQL Privilege Management
• user: user accounts, global privileges columns
• db: database-level privileges
• tables_priv: Contains table-level privileges
• columns_priv: Contains column-level privileges
• procs_priv: Contains stored procedure and function privileges
• proxies_priv: Contains proxy-user privileges

MySQL Privilege Management Grant Tables
(Diagram of the grant tables in the mysql schema:)
• user – User Accounts; Global Privileges
• db – Database Level Privileges; Database, Tables, Objects; User and host
• tables_priv – Table level privileges; Table and columns
• columns_priv – Specific columns
• procs_priv – Stored Procedures; Functions; Single function privilege
• proxies_priv – Proxy Users; Proxy Privileges
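As an added example (not from the deck), the SQL below creates an application account that holds only the privileges the Authorization slide lists, then reads the grant tables named above to verify what was stored. The schema `shop`, its tables, the procedure `place_order`, the account `shop_app` and the app-tier network are assumed.

```sql
-- Added example, not from the deck. Assumed: schema `shop` with tables
-- orders, order_items, products, customers and procedure place_order;
-- application account 'shop_app' connecting from the 10.0.0.0/24 app tier.

-- 1. Create the account with a host restriction. GRANT USAGE ... WITH sets
--    the "Session Limits" from the slide and works on both 5.6 and 5.7.
CREATE USER 'shop_app'@'10.0.0.%' IDENTIFIED BY 'CHANGE-ME-strong-passphrase';
GRANT USAGE ON *.* TO 'shop_app'@'10.0.0.%'
  WITH MAX_USER_CONNECTIONS 50 MAX_QUERIES_PER_HOUR 100000;

-- 2. Grant only what the application needs, at the narrowest level:
--    DML on its own tables, nothing global, no GRANT OPTION.
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.orders      TO 'shop_app'@'10.0.0.%';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.order_items TO 'shop_app'@'10.0.0.%';
GRANT SELECT                         ON shop.products    TO 'shop_app'@'10.0.0.%';
-- Column-level grant: the app may read customer id and e-mail, nothing else.
GRANT SELECT (customer_id, email)    ON shop.customers   TO 'shop_app'@'10.0.0.%';
-- Execute one stored procedure; it runs with its definer's rights.
GRANT EXECUTE ON PROCEDURE shop.place_order TO 'shop_app'@'10.0.0.%';

-- 3. Review what the account holds, and where MySQL stores it.
SHOW GRANTS FOR 'shop_app'@'10.0.0.%';

-- Global privileges live in mysql.user: every *_priv column should be 'N'
-- for an application account. FILE, SUPER and PROCESS are the dangerous ones.
SELECT User, Host, Super_priv, File_priv, Process_priv, Grant_priv
FROM   mysql.user
WHERE  User = 'shop_app';

-- Table- and column-level grants are in tables_priv / columns_priv.
SELECT Db, Table_name, Table_priv, Column_priv
FROM   mysql.tables_priv
WHERE  User = 'shop_app';

SELECT Db, Table_name, Column_name, Column_priv
FROM   mysql.columns_priv
WHERE  User = 'shop_app';

-- Routine grants are in procs_priv.
SELECT Db, Routine_name, Routine_type, Proc_priv
FROM   mysql.procs_priv
WHERE  User = 'shop_app';

-- 4. A quick audit across ALL accounts: global SUPER or FILE, or a
--    wildcard host, on anything other than a DBA account deserves a look.
SELECT User, Host, Super_priv, File_priv
FROM   mysql.user
WHERE  Super_priv = 'Y' OR File_priv = 'Y' OR Host = '%';
```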

MySQL Authentication
• Built in Authentication
  – user table stores users and encrypted passwords
• X.509
  – Server authenticates client certificates
• MySQL Native, SHA 256 Password plugin
  – Native uses SHA1 or plugin with SHA-256 hashing and per user salting for user account passwords.
• MySQL Enterprise Authentication
  – Microsoft Active Directory
  – Linux PAMs (Pluggable Authentication Modules)
    • Support LDAP and more

MySQL Password Policies
• Accounts without Passwords
  – Assign passwords to all accounts to prevent unauthorized use
• Password Validation Plugin
  – Enforce Strong Passwords
• Password Expiration/Rotation
  – Require users to reset their password
• Account lockout (in v. 5.7)
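An added example (not from the deck) that puts the four policy points above into practice on a MySQL 5.7 server: it assumes the validate_password plugin library is available and uses assumed account names.

```sql
-- Added example, not from the deck. Assumes MySQL 5.7 and that the
-- validate_password plugin library is present in the plugin directory.

-- 1. Password Validation Plugin: load it and set the policy.
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password_policy = MEDIUM;   -- length, mixed case, digits, special
SET GLOBAL validate_password_length = 14;
SET GLOBAL validate_password_mixed_case_count = 1;
SET GLOBAL validate_password_number_count = 1;
SET GLOBAL validate_password_special_char_count = 1;
SHOW VARIABLES LIKE 'validate_password%';
-- From now on a weak password is rejected at CREATE USER / ALTER USER time:
--   ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

-- 2. Accounts without passwords. 5.7 keeps the hash in
--    authentication_string; on 5.6 check the Password column instead.
SELECT User, Host, plugin
FROM   mysql.user
WHERE  authentication_string = '' OR authentication_string IS NULL;

-- 3. Expiration / rotation: a server-wide default plus a stricter
--    per-account interval, and an immediate forced reset.
SET GLOBAL default_password_lifetime = 90;                 -- days, all accounts
ALTER USER 'shop_app'@'10.0.0.%' PASSWORD EXPIRE INTERVAL 30 DAY;
ALTER USER 'dba_mark'@'localhost' PASSWORD EXPIRE;         -- must change at next login

-- 4. Account lockout (5.7): lock accounts that are not in use instead of
--    leaving them live with a known password.
ALTER USER 'batch_report'@'localhost' ACCOUNT LOCK;
-- ALTER USER 'batch_report'@'localhost' ACCOUNT UNLOCK;   -- when needed again

-- 5. New accounts: use the SHA-256 plugin, which salts per user.
CREATE USER 'analyst'@'localhost'
  IDENTIFIED WITH sha256_password BY 'CHANGE-ME-strong-passphrase';

-- 6. Review hashing plugin, lock and expiry state for every account.
SELECT User, Host, plugin, account_locked, password_expired, password_lifetime
FROM   mysql.user
ORDER  BY User, Host;
```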

MySQL Encryption
• SSL/TLS Encryption
  – Between MySQL clients and Server
  – Replication: Between Master & Slave
• Data Encryption
  – AES Encrypt/Decrypt
• MySQL Enterprise Encryption
  – Asymmetric Encrypt/Decrypt
  – Generate Public Key and Private Keys
  – Derive Session Keys
  – Digital Signatures
• MySQL Enterprise Backup
  – AES Encrypt/Decrypt

SSL/TLS
• Encrypted connections
  – Between MySQL Client and Server
  – Replication: Between Master & Slave
• MySQL enables encryption on a per-connection basis
  – Identity verification using the X509 standard
• Specify the appropriate SSL certificate and key files
• Will work with trusted CAs (Certificate Authorities)
• Supports CRLs – Certificate Revocation Lists
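An added example (not from the deck) showing how the per-connection encryption above is made mandatory rather than optional: TLS is required per account, checked from a session, and applied to the replication link. It assumes MySQL 5.7, certificate files already in place, and assumed account names, certificate subjects and file paths.

```sql
-- Added example, not from the deck. Assumes MySQL 5.7 with certificate
-- and key files already present (see the 5.7 packaging slide later on).

-- 1. Confirm the server actually has TLS available and which files it loaded.
SHOW GLOBAL VARIABLES WHERE Variable_name IN
  ('have_ssl', 'ssl_ca', 'ssl_cert', 'ssl_key', 'ssl_crl', 'ssl_cipher');
-- have_ssl must be YES; DISABLED means the files were missing or unreadable.

-- 2. Make encryption a property of the account so a client cannot forget it.
--    REQUIRE SSL: any TLS connection. REQUIRE X509: the client must also
--    present a certificate signed by the CA in ssl_ca.
ALTER USER 'shop_app'@'10.0.0.%' REQUIRE SSL;
ALTER USER 'dba_mark'@'%'        REQUIRE X509;
-- Pin the administrative account to one specific client certificate
-- (assumed subject and issuer strings).
ALTER USER 'dba_mark'@'%'
  REQUIRE SUBJECT '/C=GB/O=Example Ltd/CN=dba-mark'
      AND ISSUER  '/C=GB/O=Example Ltd/CN=Example Internal CA';

-- 3. Server-wide backstop (5.7.8+): refuse every non-TLS TCP connection.
SET GLOBAL require_secure_transport = ON;

-- 4. Verify from a client session: an empty Ssl_cipher means plaintext.
SHOW SESSION STATUS LIKE 'Ssl_cipher';
-- Which accounts still carry no TLS requirement at all?
SELECT User, Host, ssl_type
FROM   mysql.user
WHERE  ssl_type = '';

-- 5. Replication ("Between Master & Slave"), run on the slave. Verifying
--    the master's certificate stops a substitute master on the path.
STOP SLAVE;
CHANGE MASTER TO
  MASTER_SSL      = 1,
  MASTER_SSL_CA   = '/etc/mysql/ssl/ca.pem',          -- assumed paths
  MASTER_SSL_CERT = '/etc/mysql/ssl/slave-cert.pem',
  MASTER_SSL_KEY  = '/etc/mysql/ssl/slave-key.pem',
  MASTER_SSL_VERIFY_SERVER_CERT = 1;
START SLAVE;
```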

Database Auditing
• Auditing for Security & Compliance
  – FIPS, HIPAA, PCI-DSS, SOX, DISA STIG, …
• MySQL built-in logging infrastructure:
  – general log, error log
• MySQL Enterprise Audit
  – Granularity made for auditing
  – Can be modified live
  – Contains additional details
  – Compatible with Oracle Audit Vault.

Database Firewall
• SQL Injection: #1 Web Application Vulnerability
  – 77% of Web Sites had vulnerabilities
  – 1 in 8 critical vulnerabilities
• MySQL Enterprise Firewall
  – Monitor database statements in real-time
  – Automatic White List “rules” generation for any application
  – Out of policy database transactions detected and blocked

MySQL Database Hardening
User Management
• Remove Extra Accounts
• Grant Minimal Privileges
• Audit users and privileges
Configuration
• Firewall
• Auditing and Logging
• Limit Network Access
• Monitor changes
Installation
• mysql_secure_installation
• Keep MySQL up to date
  − MySQL Installer for Windows
  − Yum/Apt Repository
Backups
• Monitor Backups
• Encrypt Backups
Encryption
• SSL/TLS for Secure Connections
• Data Encryption (AES, RSA)
Passwords
• Strong Password Policy
• Hashing, Expiration
• Password Validation Plugin

MySQL 5.7 Linux Packages - Security Improvements
• Test/Demo database has been removed
  – Now in separate packages (prod/dev)
• Anonymous account creation is removed.
• Creation of single root account – local host only
• Default installation ensures encrypted communication by default
  – Automatic generation of SSL/RSA Certs/Keys
    • For EE: At server startup if the Certs/Keys options were not set
    • For CE: Through new mysql_ssl_rsa_setup utility
  – Automatic detection of SSL Certs/Keys
  – Client attempts secure TLS connection by default
MySQL Installer for Windows includes various Security Setup and Hardening Steps

MySQL Database Hardening: Installation
• mysql_secure_installation / MySQL Installer for Windows
  – Set a strong password for root account
  – Remove root accounts that are accessible from outside the local host
  – Remove anonymous-user accounts
  – Remove the test database
    • Which by default can be accessed by all users
    • Including Anonymous Users
• Keep MySQL up to date
  – Repos – YUM/APT/SUSE
  – MySQL Installer for Windows
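An added example (not from the deck) with the same four clean-up steps written as SQL, so they can be checked and re-applied by hand on a server that was installed without running the script; the hostname in the DROP USER and the 5.7 column name are assumptions.

```sql
-- Added example, not from the deck: the checks mysql_secure_installation
-- makes, as plain SQL. Run as an administrative account.

-- 1. Anonymous accounts: an empty User means anyone can log in as that row.
SELECT User, Host FROM mysql.user WHERE User = '';
DROP USER ''@'localhost';
DROP USER ''@'db1.example.internal';       -- assumed hostname; drop each row found

-- 2. root accounts reachable from anywhere but the local host.
SELECT User, Host
FROM   mysql.user
WHERE  User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
DROP USER 'root'@'%';                      -- repeat for every remote Host listed

-- 3. The test database, and the mysql.db rows that open 'test' and 'test\_%'
--    to every account. These rows are what gives anonymous users access,
--    so they must go even if the database itself is already gone.
SELECT Db, User, Host FROM mysql.db WHERE Db = 'test' OR Db = 'test\_%';
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\_%';

-- 4. Make sure the remaining root account carries a password
--    (5.7 column shown; on 5.6 the column is Password).
SELECT User, Host
FROM   mysql.user
WHERE  User = 'root' AND (authentication_string = '' OR authentication_string IS NULL);
ALTER USER 'root'@'localhost' IDENTIFIED BY 'CHANGE-ME-strong-passphrase';

-- 5. Direct edits to mysql.db are not live until the grant tables are reloaded.
FLUSH PRIVILEGES;

-- Re-run steps 1 to 3 as a check: all three SELECTs should return no rows.
```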

Software Updates - Database and OS Maintenance
• Maintaining security requires keeping Operating System and MySQL security patches up to date.
  – May require a restart (mysql or operating system) to take effect.
• To enable seamless upgrades consider MySQL Replication
  – Allows for changes to be performed in a rolling fashion
    • Best practice to upgrade slaves first
  – MySQL 5.6 and above supports GTID-based replication
    • Provides for simple rolling upgrades
• Follow OS vendor specific hardening Guidelines
  – For example
    • http://www.oracle.com/technetwork/articles/servers-storage-admin/tips-harden-oracle-linux-1695888.html

MySQL Database Hardening: Configuration
• Audit Activity
  – Use Enterprise Audit
  – Alt. Transiently enable Query Logging
  – Monitor and Inspect regularly
• Disable or Limit Remote Access
  – If local: “skip-networking” or bind-address=127.0.0.1
  – If Remote access then limit hosts/IP
• Change root username
• Disable unauthorized reading from local files
  – Disable LOAD DATA LOCAL INFILE
• Run MySQL on non default port
  – More difficult to find database
• Limit MySQL OS User
• Ensure secure-auth is enabled (do not allow old passwords format)

MySQL Database Hardening: Best Practices

Parameter | Recommended Value | Why
Secure_file_priv | A designated leaf directory for data loads | Only allows files to be loaded from a specific location. Limits use of MySQL to get data from across the OS
Symbolic_links | Boolean – NO | Prevents redirection into less secure filesystem directories
Default-storage_engine | InnoDB | Ensures transactions commit, data safety!
General-log | Boolean – OFF | Should only be used for debugging – off otherwise
Log-raw | Default – OFF | Should only be used for debugging – off otherwise
Skip-networking or bind-address | ON / 127.0.0.1 | If all local, then block network connections or limit to the local host.
SSL options | Set valid values | Should encrypt network communication
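As an added example (not from the deck), one query that compares a running server against the table above plus the LOAD DATA LOCAL, secure-auth and port points from the configuration slide, giving a verdict per setting. It assumes MySQL 5.7 for performance_schema.global_variables; the plain SHOW at the end is the 5.6 fallback.

```sql
-- Added example, not from the deck. Assumes MySQL 5.7 with
-- performance_schema enabled (show_compatibility_56 = OFF).

SELECT
  VARIABLE_NAME,
  VARIABLE_VALUE,
  CASE VARIABLE_NAME
    WHEN 'secure_file_priv'       THEN IF(VARIABLE_VALUE = '',         'FAIL: file I/O anywhere on the OS', 'ok')
    WHEN 'have_symlink'           THEN IF(VARIABLE_VALUE = 'DISABLED', 'ok', 'FAIL: symbolic-links enabled')
    WHEN 'default_storage_engine' THEN IF(VARIABLE_VALUE = 'InnoDB',   'ok', 'FAIL: not InnoDB')
    WHEN 'general_log'            THEN IF(VARIABLE_VALUE = 'OFF',      'ok', 'WARN: general log on (debug only)')
    WHEN 'log_raw'                THEN IF(VARIABLE_VALUE = 'OFF',      'ok', 'FAIL: passwords logged in clear')
    WHEN 'skip_networking'        THEN IF(VARIABLE_VALUE = 'ON',       'ok (local only)', 'see bind_address')
    WHEN 'bind_address'           THEN IF(VARIABLE_VALUE IN ('127.0.0.1', '::1'),
                                         'ok (local only)',
                                         CONCAT('check: listening on ', VARIABLE_VALUE))
    WHEN 'have_ssl'               THEN IF(VARIABLE_VALUE = 'YES',      'ok', 'FAIL: TLS not available')
    WHEN 'local_infile'           THEN IF(VARIABLE_VALUE = 'OFF',      'ok', 'FAIL: LOAD DATA LOCAL allowed')
    WHEN 'secure_auth'            THEN IF(VARIABLE_VALUE = 'ON',       'ok', 'FAIL: old password format accepted')
    WHEN 'port'                   THEN IF(VARIABLE_VALUE = '3306',     'WARN: default port', 'ok')
  END AS verdict
FROM performance_schema.global_variables
WHERE VARIABLE_NAME IN
  ('secure_file_priv', 'have_symlink', 'default_storage_engine', 'general_log',
   'log_raw', 'skip_networking', 'bind_address', 'have_ssl', 'local_infile',
   'secure_auth', 'port')
ORDER BY VARIABLE_NAME;

-- 5.6 equivalent (no verdict column; compare by eye against the table above).
SHOW GLOBAL VARIABLES WHERE Variable_name IN
  ('secure_file_priv', 'have_symlink', 'default_storage_engine', 'general_log',
   'log_raw', 'skip_networking', 'bind_address', 'have_ssl', 'local_infile',
   'secure_auth', 'port');
```

None of the FAIL items except general_log and local_infile can be changed with SET GLOBAL; the rest are my.cnf settings that take effect on restart.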

MySQL Database Hardening: Password Policies
• Enforce Strong Password Policies
• Password Hashing
• Password Expiration
• Password Validation Plugin
• Authentication Plugin
  – Inherits the password policies from the component
  – LDAP, Windows Active Directory, etc.
• Disable accounts when not in use
  – Account lockout (5.7+)

MySQL Database Hardening: Backups
• Backups are Business Critical
  – Used to restore after attack
  – Migrate, move or clone server
  – Part of Audit Trail
• Regularly Scheduled Backups
• Monitor Backups
• Encrypt Backups

Applications and Credentials - Best Practices
• Applications – minimize sharing credentials (username/password)
  – Finer grained the better – don’t overload across many applications/servers
• Should enable support for credential rotation
  – Do not require all passwords to be changed in synchronization.
  – Facilitates better troubleshooting and root-cause analysis.
• Steps to changing credentials should be secure and straightforward
  – Not embedded in your code
    • Can be changed without redeploying an application
    • Should never be stored in version control and must differ between environments.
    • Applications should get credentials using a secure configuration methodology.

MySQL Enterprise Edition
• MySQL Enterprise Authentication
  – External Authentication Modules
    • Microsoft AD, Linux PAMs
• MySQL Enterprise Encryption
  – Public/Private Key Cryptography
  – Asymmetric Encryption
  – Digital Signatures, Data Validation
• MySQL Enterprise Firewall
  – Query Monitoring, White List Matching
• MySQL Enterprise Audit
  – User Activity Auditing, Regulatory Compliance
• MySQL Enterprise Monitor
  – Changes in Database Configurations, Users Permissions, Database Schema, Passwords
• MySQL Enterprise Backup
  – Securing Backups, AES 256 encryption

MySQL Enterprise Monitor
• Enforce MySQL Security Best Practices
  – Identifies Vulnerabilities
  – Assesses current setup against security hardening policies
• Monitoring & Alerting
  – User Monitoring
  – Password Monitoring
  – Schema Change Monitoring
  – Backup Monitoring
  – Firewall Monitoring? for 3.1 – ML is Checking
• Configuration Management
  – Configuration Tuning Advice
• Centralized User Management

“I definitely recommend the MySQL Enterprise Monitor to DBAs who don't have a ton of MySQL experience. It makes monitoring MySQL security, performance and availability very easy to understand and to act on.”
Sandi Barr, Sr. Software Engineer, Schneider Electric

Oracle Enterprise Manager for MySQL
(Diagram: Performance, Security, Availability)
• Availability monitoring
• Performance monitoring
• Configuration monitoring
• All available metrics collected
  – Allowing for custom threshold based incident reports
• MySQL auto-detection

MySQL Enterprise Firewall
• Real Time Protection
  – Queries analyzed and matched against White List
• Blocks SQL Injection Attacks
  – Positive Security Model
• Block Suspicious Traffic
  – Out of Policy Transactions detected & blocked
• Learns White List
  – Automated creation of approved list of SQL command patterns on a per user basis
• Transparent
  – No changes to application required
(Screenshot: MySQL Enterprise Firewall monitoring)

MySQL Enterprise Firewall
• SQL Injection Protection with Positive Security Model
• Out of policy database transactions detected and blocked
• Logging & Analysis
(Diagram: statements from Applications are matched against the White List.)
  Select *.* from employee where id=22            → Allow & Log ✔
  Select *.* from employee where id=22 or 1=1     → Block & Log ✖

Firewall Overview
(Diagram: Inbound SQL traffic from Web Applications on the Internet passes through the Firewall before it reaches the MySQL Instance. Statements In Whitelist → ALLOW: normal SQL reaches the tables and returns results. Statements Not In Whitelist → BLOCK: a SQL Injection Attack via browser is blocked.)

Firewall Workflow
(Diagram only.)

MySQL Enterprise Firewall Details
• Firewall operation is turned on at a per user level
• Per User States are
  – RECORDING
  – PROTECTING
  – OFF

Per User Firewall White Lists
(Screenshot.)

What happens when SQL is blocked?
• The client application gets an ERROR
mysql> SELECT first_name, last_name FROM customer WHERE customer_id = 1 OR TRUE;
ERROR 1045 (28000): Statement was blocked by Firewall
mysql> SHOW DATABASES;
ERROR 1045 (28000): Statement was blocked by Firewall
mysql> TRUNCATE TABLE mysql.user;
ERROR 1045 (28000): Statement was blocked by Firewall
• Reported to the Error Log
• Increment Counter

Monitoring the Firewall
Firewall Status Counters
mysql> SHOW STATUS LIKE 'Firewall%';
+-------------------------+-------+
| Variable_name           | Value |
+-------------------------+-------+
| Firewall_access_denied  | 32    |
| Firewall_access_granted | 138   |
| Firewall_cached_entries | 39    |
+-------------------------+-------+
3 rows in set (0,00 sec)

What’s the whitelist look like?
mysql> SELECT userhost, substr(rule,1,80) FROM mysql.firewall_whitelist WHERE userhost='wpuser@localhost';
+------------------+----------------------------------------------------------------------------------+
| userhost         | substr(rule,1,80)                                                                |
+------------------+----------------------------------------------------------------------------------+
| wpuser@localhost | SELECT * FROM `wp_posts` WHERE `ID` = ? LIMIT ?                                  |
| wpuser@localhost | SELECT `option_value` FROM `wp_options` WHERE `option_name` = ? LIMIT ?          |
| wpuser@localhost | SELECT `wp_posts` . * FROM `wp_posts` WHERE ? = ? AND `wp_posts` . `ID` = ? AND  |
...
| wpuser@localhost | UPDATE `wp_posts` SET `comment_count` = ? WHERE `ID` = ?                         |
| wpuser@localhost | SELECT `t` . * , `tt` . * FROM `wp_terms` AS `t` INNER JOIN `wp_term_taxonomy` A |
| wpuser@localhost | SELECT `t` . * , `tt` . * FROM `wp_terms` AS `t` INNER JOIN `wp_term_taxonomy` A |
+------------------+----------------------------------------------------------------------------------+
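An added example (not from the deck) tying the last five slides together: the per-user RECORDING / PROTECTING lifecycle, the whitelist table and the status counters, using the stored procedures the firewall installs. It assumes the firewall is already installed (the install script and the mode names are from the documentation linked below) and the application account `wpuser@localhost` from the slide.

```sql
-- Added example, not from the deck. Assumes the MySQL Enterprise Firewall
-- is installed (linux_install_firewall.sql) and an application account
-- 'wpuser'@'localhost' whose traffic we want to whitelist.

-- 0. Is the firewall loaded and switched on?
SHOW GLOBAL VARIABLES LIKE 'mysql_firewall_mode';   -- expect ON

-- 1. RECORDING: every distinct statement pattern wpuser sends is learned.
CALL mysql.sp_set_firewall_mode('wpuser@localhost', 'RECORDING');
-- ... now drive the application through ALL of its normal code paths
-- (a full regression run, not just the home page). Literals are replaced
-- by ? so one rule covers every value of the same statement shape.
SELECT userhost, rule
FROM   mysql.firewall_whitelist
WHERE  userhost = 'wpuser@localhost';

-- 2. PROTECTING: a statement whose pattern is not in the list is refused
--    with "ERROR 1045 (28000): Statement was blocked by Firewall", so an
--    injected "... OR 1=1" never reaches the tables.
CALL mysql.sp_set_firewall_mode('wpuser@localhost', 'PROTECTING');
SELECT userhost, mode FROM mysql.firewall_users;

-- 3. Monitoring: the counters from the previous slide. Firewall_access_denied
--    rising for an account whose application has not changed is the cue to
--    read the error log, where each blocked statement is reported.
SHOW GLOBAL STATUS LIKE 'Firewall%';

-- 4. Application release with new queries: record again rather than
--    switch to OFF. RECORDING keeps the existing rules and adds new ones;
--    'RESET' is the mode that empties the list if a rebuild is wanted.
CALL mysql.sp_set_firewall_mode('wpuser@localhost', 'RECORDING');
CALL mysql.sp_set_firewall_mode('wpuser@localhost', 'PROTECTING');

-- 5. Rules edited directly in mysql.firewall_whitelist are not live until
--    they are reloaded into the in-memory cache for that account.
CALL mysql.sp_reload_firewall_rules('wpuser@localhost');
```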

MySQL Enterprise Firewall Documentation
• http://dev.mysql.com/doc/refman/5.6/en/firewall.html
• http://mysqlserverteam.com/new-mysql-enterprise-firewall-prevent-sql-injection-attacks/

MySQL Enterprise Authentication
• Integrate with Centralized Authentication Infrastructure
  – Centralized Account Management
  – Password Policy Management
  – Groups & Roles
• PAM (Pluggable Authentication Modules)
  – Standard interface (Unix, LDAP, Kerberos, others)
  – Windows
    • Access native Windows service - Use to Authenticate users using Windows Active Directory or to a native host
Integrates MySQL with existing security infrastructures

MySQL Enterprise Authentication: PAM
• Standard Interface
  – LDAP
  – Unix/Linux
• Proxy Users
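An added example (not from the deck) of the PAM plus proxy-user arrangement named above, following the pattern in the MySQL Enterprise Authentication manual: OS users authenticate through PAM, and their OS group decides which MySQL account's privileges they receive. It assumes Linux, the Enterprise Edition PAM plugin, a PAM service file /etc/pam.d/mysql that uses the system password stack, and assumed group and account names.

```sql
-- Added example, not from the deck. Assumes Linux with authentication_pam.so
-- in the plugin directory, /etc/pam.d/mysql configured (for example
-- "auth required pam_unix.so" and "account required pam_unix.so"),
-- and OS groups named 'dba' and 'webops'.

INSTALL PLUGIN authentication_pam SONAME 'authentication_pam.so';

-- 1. The MySQL accounts that actually carry privileges. Nobody logs in as
--    these directly; their passwords are set only so they are not empty.
CREATE USER 'dba_role'@'localhost'    IDENTIFIED BY 'CHANGE-ME-never-used';
CREATE USER 'webops_role'@'localhost' IDENTIFIED BY 'CHANGE-ME-never-used';
GRANT ALL PRIVILEGES ON *.* TO 'dba_role'@'localhost' WITH GRANT OPTION;
GRANT SELECT, PROCESS ON *.* TO 'webops_role'@'localhost';

-- 2. One anonymous PAM-authenticated account. The AS string names the PAM
--    service ('mysql') and maps OS group -> MySQL account to proxy as.
CREATE USER ''@'' IDENTIFIED WITH authentication_pam
  AS 'mysql, dba=dba_role, webops=webops_role';

-- 3. Allow the anonymous account to act as each privileged account. This
--    is what lands in mysql.proxies_priv (the grant-table slide).
GRANT PROXY ON 'dba_role'@'localhost'    TO ''@'';
GRANT PROXY ON 'webops_role'@'localhost' TO ''@'';

-- 4. Verify. A Linux user 'alice' in group 'webops' connects with
--      mysql --user=alice --password --enable-cleartext-plugin
--    (PAM needs the cleartext password) and runs:
SELECT USER(), CURRENT_USER(), @@proxy_user;
--   USER()         alice@localhost          who authenticated
--   CURRENT_USER() webops_role@localhost    whose privileges apply
--   @@proxy_user   ''@''                    the proxying account

-- 5. Audit the mapping that is in force; anything beyond the two expected
--    rows means someone has widened the proxy grants.
SELECT Host, User, Proxied_host, Proxied_user FROM mysql.proxies_priv;
```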

MySQL Enterprise Authentication: Windows
• Windows Active Directory
• Windows Native Services

MySQL Enterprise Encryption
• MySQL encryption functions
  – Symmetric encryption AES256 (All Editions)
  – Public-key / asymmetric cryptography – RSA
• Key management functions
  – Generate public and private keys
  – Key exchange methods: DH
• Sign and verify data functions
  – Cryptographic hashing for digital signing, verification, & validation – RSA, DSA

MySQL Enterprise Encryption Functions
(Diagram 1: “This is a secret” → Encryption with the Public Key (it only encrypts) → #@%@&# → Decryption with the Private Key (it can decrypt) → “This is a secret”. The encryption step could be from a client app or within MySQL (function call). MySQL Enterprise Encryption Functions can generate Public/Private Key Pairs, or use those generated externally – say by OpenSSL. All within MySQL.)

MySQL Enterprise Encryption Functions
(Diagram 2, same flow: the App encrypts with the Public Key (it only encrypts); MySQL stores #@%@&# and decrypts with the Private Key (it can decrypt). Key pairs generated by MySQL or externally – say by OpenSSL.)

MySQL Enterprise Encryption Functions
(Diagram 3, same flow: the App encrypts with the Public Key; MySQL only stores #@%@&#; the App decrypts with the Private Key. Key pairs generated by MySQL or externally – say by OpenSSL.)

MySQL Enterprise Encryption Functions
(Diagram 4: an Oracle (or other) Key Vault generates the keys; the App encrypts with the Public Key, which is all it holds; MySQL stores #@%@&# and decrypts with the Private Key to recover “This is a secret”.)

MySQL Enterprise Audit
• Out-of-the-box logging of connections, logins, and query
• User defined policies for filtering, and log rotation
• Dynamically enabled, disabled: no server restart
• XML-based audit stream per Oracle Audit Vault spec
Adds regulatory compliance to MySQL applications (HIPAA, Sarbanes-Oxley, PCI, etc.)

MySQL Enterprise Audit
(Diagram:)
1. DBA enables Audit plugin
2. User Joe connects and runs a query
3. Joe’s connection & query logged

MySQL Enterprise Backup
• Online Backup for InnoDB (scriptable interface)
• Full, Incremental, Partial Backups (with compression)
• Strong Encryption (AES 256)
• Point in Time, Full, Partial Recovery options
• Metadata on status, progress, history
• Scales – High Performance/Unlimited Database Size
• Windows, Linux, Unix
• Certified with Oracle Secure Backup, NetBackup, Tivoli, others
MySQL Enterprise Oracle Certifications
• Oracle Enterprise Manager for MySQL
• Oracle Linux (w/DRBD stack)
• Oracle VM
• Oracle Solaris
• Oracle Solaris Clustering
• Oracle Clusterware
• Oracle Audit Vault and Database Firewall
• Oracle Secure Backup
• Oracle Fusion Middleware
• Oracle GoldenGate
• My Oracle Support
MySQL integrates into your Oracle environment
Oracle Audit Vault and Database Firewall
• Oracle DB Firewall
  – Oracle, MySQL, SQL Server, IBM DB2, Sybase
  – Activity Monitoring & Logging
  – White List, Black List, Exception List
• Audit Vault
  – Built-in Compliance Reports
  – External storage for audit archive
Thank You

Mysql security 5.7

1. MySQL Security
Mark Swarbrick, MySQL Sales Consultant UK&I
[email protected]
2. 43% of companies have experienced a data breach in the past year.
Source: Ponemon Institute, 2014
3. Mega Breaches
• 552 million identities exposed in 2013, a 493% increase over the previous year
• 77% of web sites had vulnerabilities; 1-in-8 of all websites had a critical vulnerability
• 8 breaches exposed more than 10 million records in 2013
• Total breaches increased 62% in 2013
Source: Internet Security Threat Report 2014, Symantec
4. Target Breach, 2013, $270 million
The hackers who committed the Target breach took 40 million credit and debit card numbers and 70 million records, including names and addresses of shoppers.
Source: Fortune.com, 2014
Cybercrime cost the global economy $575 billion/year
Source: paymetric.com, 2014
One major data breach discovered every month
Those breaches include Michaels Stores, Sally Beauty Supply, Neiman Marcus, AOL, eBay and P.F. Chang’s Chinese Bistro.
Source: paymetric.com, 2014
5. Database Vulnerabilities
• Poor Configurations
  – Set controls and change default settings
• Over Privileged Accounts
  – Privilege Policies
• Weak Access Control
  – Dedicated Administrative Accounts
• Weak Authentication
  – Strong Password Enforcement
• Weak Auditing
  – Compliance & Audit Policies
• Lack of Encryption
  – Data, Backup & Network Encryption
• Proper Credential or Key Management
  – Use mysql_config_editor, Key Vaults
• Unsecured Backups
  – Encrypted Backups
• No Monitoring
  – Security Monitoring, Users, Objects
• Poorly Coded Applications
  – Database Firewall
6. Database Attacks
• SQL Injection
  – Prevention: DB Firewall, White List, Input Validation
• Buffer Overflow
  – Prevention: Frequently apply Database Software updates, DB Firewall, White List, Input Validation
• Brute Force Attack
  – Prevention: lock out accounts after a defined number of incorrect attempts.
• Network Eavesdropping
  – Prevention: Require SSL/TLS for all Connections and Transport
• Malware
  – Prevention: Tight Access Controls, Limited Network IP access, Change default settings
7. Database Malicious Actions
• Information Disclosure: Obtain credit card and other personal information
  – Defense: Encryption – Data and Network, Tighter Access Controls
• Denial of Service: Run resource intensive queries
  – Defense: Resource Usage Limits – Set various limits – Max Connections, Sessions, Timeouts, …
• Elevation of Privilege: Retrieve and use administrator credentials
  – Defense: Stronger authentication, Access Controls, Auditing
• Spoofing: Retrieve and use other credentials
  – Defense: Stronger account and password policies
• Tampering: Change data in the database, Delete transaction records
  – Defense: Tighter Access Controls, Auditing, Monitoring, Backups
8. Regulatory Compliance
• Regulations
  – PCI – DSS: Payment Card Data
  – HIPAA: Privacy of Health Data
  – Sarbanes Oxley: Accuracy of Financial Data
  – EU Data Protection Directive: Protection of Personal Data
  – Data Protection Act (UK): Protection of Personal Data
• Requirements
  – Continuous Monitoring (Users, Schema, Backups, etc.)
  – Data Protection (Encryption, Privilege Management, etc.)
  – Data Retention (Backups, User Activity, etc.)
  – Data Auditing (User activity, etc.)
https://www.mysql.com/why-mysql/white-papers/mysql-pci-data-security-compliance/
9. DBA Responsibilities
• Ensure only users who should get access, can get access
• Limit what users and applications can do
• Limit from where users and applications can access data
• Watch what is happening, and when it happened
• Make sure to back things up securely
• Minimize attack surface
10. MySQL Security Overview
Authentication, Authorization, Encryption, Firewall, Auditing
11. MySQL Security Overview
• Authorization: Privilege Management, Administration, Database & Objects, Proxy Users
• Authentication: MySQL, Linux / LDAP, Windows AD, Custom
• Firewall & Auditing: Block Threats, Auditing, Regulatory Compliance, Login and Query Activities
• Encryption: SSL/TLS, Public Key, Private Key, Digital Signatures
12. MySQL Authorization
• Administrative Privileges
• Database Privileges
• Session Limits and Object Privileges
• Fine grained controls over user privileges
  – Creating, altering and deleting databases
  – Creating, altering and deleting tables
  – Execute INSERT, SELECT, UPDATE, DELETE queries
  – Create, execute, or delete stored procedures and with what rights
  – Create or delete indexes
Security Privilege Management in MySQL Workbench
13. MySQL Privilege Management
• user: user accounts, global privileges columns
• db: database-level privileges
• tables_priv: Contains table-level privileges
• columns_priv: Contains column-level privileges
• procs_priv: Contains stored procedure and function privileges
• proxies_priv: Contains proxy-user
14. MySQL Privilege Management Grant Tables
• user: User Accounts; Global Privileges
• db: Database Level Privileges; Database, Tables, Objects; User and host
• tables_priv: Table level privileges; Table and columns
• columns_priv: Specific columns
• procs_priv: Stored Procedures; Functions; Single function privilege
• proxies_priv: Proxy Users; Proxy Privileges
15. MySQL Authentication
• Built in Authentication
  – user table stores users and encrypted passwords
• X.509
  – Server authenticates client certificates
• MySQL Native, SHA 256 Password plugin
  – Native uses SHA1 or plugin with SHA-256 hashing and per user salting for user account passwords.
• MySQL Enterprise Authentication
  – Microsoft Active Directory
  – Linux PAMs (Pluggable Authentication Modules)
    • Support LDAP and more
16. MySQL Password Policies
• Accounts without Passwords
  – Assign passwords to all accounts to prevent unauthorized use
• Password Validation Plugin
  – Enforce Strong Passwords
• Password Expiration/Rotation
  – Require users to reset their password
• Account lockout (in v. 5.7)
17. MySQL Encryption
• SSL/TLS Encryption
  – Between MySQL clients and Server
  – Replication: Between Master & Slave
• Data Encryption
  – AES Encrypt/Decrypt
• MySQL Enterprise Encryption
  – Asymmetric Encrypt/Decrypt
  – Generate Public Key and Private Keys
  – Derive Session Keys
  – Digital Signatures
• MySQL Enterprise Backup
  – AES Encrypt/Decrypt
18. SSL/TLS
• Encrypted connections
  – Between MySQL Client and Server
  – Replication: Between Master & Slave
• MySQL enables encryption on a per-connection basis
  – Identity verification using the X509 standard
• Specify the appropriate SSL certificate and key files
• Will work with trusted CAs (Certificate Authorities)
• Supports CRLs – Certificate Revocation Lists
19. Database Auditing
• Auditing for Security & Compliance
  – FIPS, HIPAA, PCI-DSS, SOX, DISA STIG, …
• MySQL built-in logging infrastructure:
  – general log, error log
• MySQL Enterprise Audit
  – Granularity made for auditing
  – Can be modified live
  – Contains additional details
  – Compatible with Oracle Audit Vault.
20. Database Firewall
• SQL Injection: #1 Web Application Vulnerability
  – 77% of Web Sites had vulnerabilities
  – 1 in 8 critical vulnerabilities
• MySQL Enterprise Firewall
  – Monitor database statements in real-time
  – Automatic White List “rules” generation for any application
  – Out of policy database transactions detected and blocked
21. MySQL Database Hardening
• User Management: Remove Extra Accounts; Grant Minimal Privileges; Audit users and privileges
• Configuration: Firewall; Auditing and Logging; Limit Network Access; Monitor changes
• Installation: mysql_secure_installation; Keep MySQL up to date (MySQL Installer for Windows, Yum/Apt Repository)
• Backups: Monitor Backups; Encrypt Backups
• Encryption: SSL/TLS for Secure Connections; Data Encryption (AES, RSA)
• Passwords: Strong Password Policy; Hashing, Expiration; Password Validation Plugin
22. MySQL 5.7 Linux Packages - Security Improvements
• Test/Demo database has been removed
  – Now in separate packages (prod/dev)
• Anonymous account creation is removed.
• Creation of single root account – local host only
• Default installation ensures encrypted communication by default
  – Automatic generation of SSL/RSA Certs/Keys
    • For EE: At server startup if options Certs/Keys were not set
    • For CE: Through new mysql_ssl_rsa_setup utility
  – Automatic detection of SSL Certs/Keys
  – Client attempts secure TLS connection by default
MySQL Installer for Windows includes various Security Setup and Hardening Steps
23. MySQL Database Hardening: Installation
• mysql_secure_installation / MySQL Installer for Windows
  – Set a strong password for root account
  – Remove root accounts that are accessible from outside the local host
  – Remove anonymous-user accounts
  – Remove the test database
    • Which by default can be accessed by all users
    • Including Anonymous Users
• Keep MySQL up to date
  – Repos – YUM/APT/SUSE
  – MySQL Installer for Windows
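The account checks above (remote root, anonymous users, accounts without a password, and the old password format that secure-auth rejects) can be run against a dump of mysql.user; the script below is an added example, not Oracle's code, and its rows and hash strings are constructed placeholders shaped like 5.7's User, Host, plugin and authentication_string columns.

```python
"""Audit a dump of mysql.user against the installation checklist and emit the
fix for each finding. Added example for this deck, not Oracle code."""
import re
from collections import namedtuple

UserRow = namedtuple("UserRow", "user host plugin auth")

# Pre-4.1 hashes are 16 hex characters; 4.1+ native hashes are '*' plus 40.
OLD_HASH = re.compile(r"[0-9A-Fa-f]{16}")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample rows; the hash strings are placeholders, not credentials.
SAMPLE_USERS = [
    UserRow("root", "localhost", "mysql_native_password", "*" + "A" * 40),
    UserRow("root", "%", "mysql_native_password", "*" + "A" * 40),
    UserRow("", "localhost", "mysql_native_password", ""),
    UserRow("legacy", "10.0.0.%", "mysql_old_password", "B" * 16),
    UserRow("app", "10.0.0.5", "mysql_native_password", ""),
    UserRow("app", "10.0.0.6", "sha256_password", "$5$placeholder"),
]


def audit_users(rows):
    """Return (account, issue, remediation SQL) for each problem found."""
    findings = []
    for r in rows:
        acct = f"'{r.user}'@'{r.host}'"
        if r.user == "":
            # Anonymous accounts match any user name that has no exact entry.
            findings.append((acct, "anonymous account", f"DROP USER {acct};"))
            continue
        if r.user == "root" and r.host not in LOCAL_HOSTS:
            findings.append((acct, "root reachable from outside localhost",
                             f"DROP USER {acct};"))
        elif "%" in r.host:
            findings.append((acct, "wildcard host",
                             f"-- recreate {acct} limited to the hosts that need it"))
        if r.auth == "":
            findings.append((acct, "no password set",
                             f"ALTER USER {acct} IDENTIFIED BY '<strong password>';"))
        elif r.plugin == "mysql_old_password" or OLD_HASH.fullmatch(r.auth):
            findings.append((acct, "pre-4.1 hash; rejected once secure-auth is enforced",
                             f"ALTER USER {acct} IDENTIFIED WITH mysql_native_password "
                             f"BY '<strong password>';"))
    return findings


if __name__ == "__main__":
    for acct, issue, fix in audit_users(SAMPLE_USERS):
        print(f"{acct:<22} {issue}\n    {fix}")
```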
24. Software Updates - Database and OS Maintenance
• Maintaining security requires keeping Operating System and MySQL security patches up to date.
  – May require a restart (mysql or operating system) to take effect.
• To enable seamless upgrades consider MySQL Replication
  – Allows for changes to be performed in a rolling fashion
    • Best practice to upgrade slaves first
  – MySQL 5.6 and above supports GTID-based replication
    • Provides for simple rolling upgrades
• Follow OS vendor specific hardening Guidelines
  – For example
    • http://www.oracle.com/technetwork/articles/servers-storage-admin/tips-harden-oracle-linux-1695888.html
25. MySQL Database Hardening: Configuration
• Audit Activity
  – Use Enterprise Audit
  – Alt. Transiently enable Query Logging
  – Monitor and Inspect regularly
• Disable or Limit Remote Access
  – If local, “skip-networking” or bind-address=127.0.0.1
  – If Remote access then limit hosts/IP
• Change root username
• Disable unauthorized reading from local files
  – Disable LOAD DATA LOCAL INFILE
• Run MySQL on non default port
  – More difficult to find database
• Limit MySQL OS User
• Ensure secure-auth is enabled (do not allow old passwords format)
26. MySQL Database Hardening: Best Practices

Parameter                       | Recommended Value                          | Why
Secure_file_priv                | A designated leaf directory for data loads | Only allows files to be loaded from a specific location. Limits use of MySQL to get data from across the OS
Symbolic_links                  | Boolean – NO                               | Prevents redirection into less secure filesystem directories
Default-storage_engine          | InnoDB                                     | Ensures transaction commits, data safety!
General-log                     | Boolean – OFF                              | Should only be used for debugging – off otherwise
Log-raw                         | Default - OFF                              | Should only be used for debugging – off otherwise
Skip-networking or bind-address | ON / 127.0.0.1                             | If all local, then block network connections or limit to the local host.
SSL options                     | Set valid values                           | Should encrypt network communication
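The table above can be turned into a check that runs over a my.cnf before a server goes live. The script below is an added example, not Oracle tooling; the two configuration fragments are constructed, one permissive and one tightened to the table's recommended values, and the option names are the ones the table lists.

```python
"""Check a my.cnf [mysqld] section against the hardening table.
Added example for this deck, not Oracle code."""
import configparser

# Constructed sample: a permissive fragment of the kind found on dev boxes.
WEAK_CNF = """
[mysqld]
secure_file_priv =
symbolic-links = 1
default-storage-engine = MyISAM
general-log = ON
log-raw = ON
bind-address = 0.0.0.0
"""

# Constructed sample: the same server tightened to the table's recommendations.
HARDENED_CNF = """
[mysqld]
secure_file_priv = /var/lib/mysql-files
symbolic-links = 0
default-storage-engine = InnoDB
general-log = OFF
log-raw = OFF
skip-networking
ssl-ca = /etc/mysql/ca.pem
ssl-cert = /etc/mysql/server-cert.pem
ssl-key = /etc/mysql/server-key.pem
"""

LOCAL_ONLY = {"127.0.0.1", "::1", "localhost"}


def parse_mysqld(text):
    """Return [mysqld] options as {name: value}. MySQL treats '-' and '_' in
    option names as equivalent, so names are normalised to '_'; a bare flag
    such as skip-networking maps to None."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    return {k.replace("-", "_"): v for k, v in cp.items("mysqld")}


def is_off(value):
    return value is not None and value.strip().lower() in {"0", "off", "false"}


def check_hardening(text):
    """Return (option, recommended value) pairs for every deviation from the table."""
    o = parse_mysqld(text)
    findings = []
    # Empty or unset secure_file_priv lets LOAD DATA / SELECT ... INTO OUTFILE touch any path.
    if not (o.get("secure_file_priv") or "").strip():
        findings.append(("secure_file_priv", "a designated leaf directory for data loads"))
    # Unset is reported too: the table asks for symlink following to be explicitly disabled.
    if not is_off(o.get("symbolic_links")):
        findings.append(("symbolic_links", "0 (NO)"))
    # InnoDB has been the default since MySQL 5.5, so only an explicit other engine is flagged.
    engine = o.get("default_storage_engine")
    if engine is not None and engine.strip().lower() != "innodb":
        findings.append(("default_storage_engine", "InnoDB"))
    # Both logs default to OFF; flag only when switched on (a bare flag means ON).
    for log in ("general_log", "log_raw"):
        if log in o and not is_off(o[log]):
            findings.append((log, "OFF"))
    # Either block networking entirely or bind to the loopback address.
    bind = (o.get("bind_address") or "").strip()
    if "skip_networking" not in o and bind not in LOCAL_ONLY:
        findings.append(("skip_networking / bind_address", "ON / 127.0.0.1"))
    # SSL needs a CA, a server certificate and its key to be configured.
    if not all((o.get(k) or "").strip() for k in ("ssl_ca", "ssl_cert", "ssl_key")):
        findings.append(("ssl_ca / ssl_cert / ssl_key", "valid certificate and key paths"))
    return findings


if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        found = check_hardening(cnf)
        print(f"{label}: {len(found)} finding(s)")
        for opt, rec in found:
            print(f"  {opt}: recommended {rec}")
```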
27. MySQL Database Hardening: Password Policies
• Enforce Strong Password Policies
• Password Hashing
• Password Expiration
• Password Validation Plugin
• Authentication Plugin
  – Inherits the password policies from the component
  – LDAP, Windows Active Directory, etc.
• Disable accounts when not in use
  – Account lockout (5.7+)
28. MySQL Database Hardening: Backups
• Backups are Business Critical
  – Used to restore after attack
  – Migrate, move or clone server
  – Part of Audit Trail
• Regularly Scheduled Backups
• Monitor Backups
• Encrypt Backups
29. Applications and Credentials - Best Practices
• Applications – minimize sharing credentials (username/password)
  – Finer grained the better – don’t overload across many applications/servers
• Should enable support for credential rotation
  – Do not require all passwords to be changed in synchronization.
  – Facilitates better troubleshooting and root-cause analysis.
• Steps to changing credentials should be secure and straightforward
  – Not embedded in your code
    • Can be changed without redeploying an application
• Should never be stored in version control and must differ between environments.
• Applications should get credentials using a secure configuration methodology.
30. MySQL Enterprise Edition
• MySQL Enterprise Authentication
  – External Authentication Modules
    • Microsoft AD, Linux PAMs
• MySQL Enterprise Encryption
  – Public/Private Key Cryptography
  – Asymmetric Encryption
  – Digital Signatures, Data Validation
• MySQL Enterprise Firewall
  – Query Monitoring, White List Matching
• MySQL Enterprise Audit
  – User Activity Auditing, Regulatory Compliance
• MySQL Enterprise Monitor
  – Changes in Database Configurations, Users Permissions, Database Schema, Passwords
• MySQL Enterprise Backup
  – Securing Backups, AES 256 encryption
31. MySQL Enterprise Monitor
• Enforce MySQL Security Best Practices
  – Identifies Vulnerabilities
  – Assesses current setup against security hardening policies
• Monitoring & Alerting
  – User Monitoring
  – Password Monitoring
  – Schema Change Monitoring
  – Backup Monitoring
  – Firewall Monitoring? for 3.1 - ML is Checking
• Configuration Management
  – Configuration Tuning Advice
• Centralized User Management
"I definitely recommend the MySQL Enterprise Monitor to DBAs who don't have a ton of MySQL experience. It makes monitoring MySQL security, performance and availability very easy to understand and to act on.”
Sandi Barr, Sr. Software Engineer, Schneider Electric
32. Oracle Enterprise Manager for MySQL
Performance, Security, Availability
• Availability monitoring
• Performance monitoring
• Configuration monitoring
• All available metrics collected
  – Allowing for custom threshold based incident reports
• MySQL auto-detection
33. MySQL Enterprise Firewall
• Real Time Protection
  – Queries analyzed and matched against White List
• Blocks SQL Injection Attacks
  – Positive Security Model
• Block Suspicious Traffic
  – Out of Policy Transactions detected & blocked
• Learns White List
  – Automated creation of approved list of SQL command patterns on a per user basis
• Transparent
  – No changes to application required
MySQL Enterprise Firewall monitoring
34. MySQL Enterprise Firewall
• SQL Injection Protection with Positive Security Model
• Out of policy database transactions detected and blocked
• Logging & Analysis
Applications → White List:
    Select *.* from employee where id=22            → Allow & Log ✔
    Select *.* from employee where id=22 or 1=1     → Block & Log ✖
35. Firewall Overview
Inbound SQL traffic from Web Applications on the Internet passes through the Firewall before it reaches the MySQL Instance:
• In Whitelist → ALLOW: allows normal SQL, and the results come back from the tables
• Not In Whitelist → BLOCK: blocks SQL injection attacks via browser
36. Firewall Workflow
• 37. MySQL Enterprise Firewall Details
  • Firewall operation is turned on at a per user level
  • Per User States are
    – RECORDING
    – PROTECTING
    – OFF
• 38. Per User Firewall White Lists (screenshot)
• 39. What happens when SQL is blocked?
  • The client application gets an ERROR

    mysql> SELECT first_name, last_name FROM customer WHERE customer_id = 1 OR TRUE;
    ERROR 1045 (28000): Statement was blocked by Firewall
    mysql> SHOW DATABASES;
    ERROR 1045 (28000): Statement was blocked by Firewall
    mysql> TRUNCATE TABLE mysql.user;
    ERROR 1045 (28000): Statement was blocked by Firewall

  • Reported to the Error Log
  • Increment Counter
• 40. Monitoring the Firewall
  Firewall Status Counters

    mysql> SHOW STATUS LIKE 'Firewall%';
    +-------------------------+-------+
    | Variable_name           | Value |
    +-------------------------+-------+
    | Firewall_access_denied  | 32    |
    | Firewall_access_granted | 138   |
    | Firewall_cached_entries | 39    |
    +-------------------------+-------+
    3 rows in set (0,00 sec)
• 41. What's the whitelist look like?

    mysql> SELECT userhost, substr(rule,1,80) FROM mysql.firewall_whitelist WHERE userhost= 'wpuser@localhost';
    +------------------+----------------------------------------------------------------------------------+
    | userhost         | substr(rule,1,80)                                                                |
    +------------------+----------------------------------------------------------------------------------+
    | wpuser@localhost | SELECT * FROM `wp_posts` WHERE `ID` = ? LIMIT ?                                  |
    | wpuser@localhost | SELECT `option_value` FROM `wp_options` WHERE `option_name` = ? LIMIT ?          |
    | wpuser@localhost | SELECT `wp_posts` . * FROM `wp_posts` WHERE ? = ? AND `wp_posts` . `ID` = ? AND  |
    ...
    | wpuser@localhost | UPDATE `wp_posts` SET `comment_count` = ? WHERE `ID` = ?                         |
    | wpuser@localhost | SELECT `t` . * , `tt` . * FROM `wp_terms` AS `t` INNER JOIN `wp_term_taxonomy` A |
    | wpuser@localhost | SELECT `t` . * , `tt` . * FROM `wp_terms` AS `t` INNER JOIN `wp_term_taxonomy` A |
    +------------------+----------------------------------------------------------------------------------+
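The per-user workflow behind slides 37 to 41 (RECORDING, then PROTECTING, then checking the whitelist and the counters), as an added SQL example that is not part of the deck. It uses the MySQL Enterprise Firewall stored procedure and tables of MySQL 5.6/5.7 Enterprise; the account name wpuser@localhost is the one on the slide, and the application statements are constructed sample traffic.

```sql
-- Added example, not from the slides. Requires MySQL Enterprise Edition with
-- the firewall plugin installed. wpuser@localhost is the account from slide 41;
-- the application statements below are constructed sample traffic.

-- 1. Put the account into RECORDING so that its normal statements are learned.
CALL mysql.sp_set_firewall_mode('wpuser@localhost', 'RECORDING');

-- 2. Run the application's normal workload as wpuser. Each statement is kept as
--    a normalized digest with literals replaced by ?, which is why the rules on
--    slide 41 read "WHERE `ID` = ?" rather than a concrete ID.
--    As wpuser:  SELECT * FROM wp_posts WHERE ID = 42 LIMIT 1;

-- 3. Switch to PROTECTING. From now on only statements whose digest is in the
--    account's whitelist are executed.
CALL mysql.sp_set_firewall_mode('wpuser@localhost', 'PROTECTING');

-- 4. Review what was learned before trusting it: anything that ran during
--    RECORDING, including mistakes or a stray admin query, is now whitelisted.
SELECT userhost, rule
  FROM mysql.firewall_whitelist
 WHERE userhost = 'wpuser@localhost';

-- As wpuser, the same query with a different literal still matches its digest:
--   SELECT * FROM wp_posts WHERE ID = 7 LIMIT 1;
-- A tautology appended by an injection changes the digest, so the server
-- answers with the error shown on slide 39 and the denied counter increments:
--   SELECT * FROM wp_posts WHERE ID = 7 OR 1 = 1 LIMIT 1;

-- 5. Confirm each account's state and watch the counters from slide 40.
SELECT userhost, mode FROM mysql.firewall_users;
SHOW STATUS LIKE 'Firewall%';

-- To retire the protection for an account (not recommended for app accounts):
-- CALL mysql.sp_set_firewall_mode('wpuser@localhost', 'OFF');
```

Keep the RECORDING window short and run only the application's own regression suite during it; the whitelist review in step 4 is the place to delete rules that should never have been learned.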
• 42. MySQL Enterprise Firewall Documentation
  • http://dev.mysql.com/doc/refman/5.6/en/firewall.html
  • http://mysqlserverteam.com/new-mysql-enterprise-firewall-prevent-sql-injection-attacks/
• 43. MySQL Enterprise Authentication
  Integrates MySQL with existing security infrastructures
  • Integrate with Centralized Authentication Infrastructure
    – Centralized Account Management
    – Password Policy Management
    – Groups & Roles
  • PAM (Pluggable Authentication Modules)
    – Standard interface (Unix, LDAP, Kerberos, others)
    – Windows
      • Access native Windows service - Use to Authenticate users using Windows Active Directory or to a native host
• 44. MySQL Enterprise Authentication: PAM
  • Standard Interface
    – LDAP
    – Unix/Linux
  • Proxy Users
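How the PAM plugin and proxy users on slides 43 and 44 are wired together, as an added SQL example that is not part of the deck. The plugin name authentication_pam is the real MySQL Enterprise plugin; the PAM service name 'mysql' refers to a PAM configuration file (for example /etc/pam.d/mysql) that the OS administrator has to create, and the account names, group names and passwords are constructed for the example.

```sql
-- Added example, not from the slides. MySQL 5.6 syntax for MySQL Enterprise
-- PAM authentication. Assumes a PAM service named 'mysql' exists on the host.
-- The OS users/groups (alice, dba, developers) are constructed for the example.

INSTALL PLUGIN authentication_pam SONAME 'authentication_pam.so';

-- Direct mapping: MySQL account 'alice' is authenticated by PAM against the
-- OS user 'alice'. No password is stored in MySQL for this account.
CREATE USER 'alice'@'localhost' IDENTIFIED WITH authentication_pam AS 'mysql';
GRANT SELECT ON app.* TO 'alice'@'localhost';

-- Group-based mapping via proxy users. The privilege-bearing accounts below
-- are never logged into directly; their passwords are placeholders that
-- should be long random values known to nobody.
CREATE USER 'dba_role'@'localhost' IDENTIFIED BY '<generated-random-password-1>';
CREATE USER 'dev_role'@'localhost' IDENTIFIED BY '<generated-random-password-2>';
GRANT ALL ON app.* TO 'dba_role'@'localhost';
GRANT SELECT, INSERT, UPDATE ON app.* TO 'dev_role'@'localhost';

-- Anyone PAM accepts logs in through the anonymous account; their Unix group
-- selects which MySQL account they act as (group=proxied_account pairs).
CREATE USER ''@'' IDENTIFIED WITH authentication_pam
  AS 'mysql, dba=dba_role, developers=dev_role';
GRANT PROXY ON 'dba_role'@'localhost' TO ''@'';
GRANT PROXY ON 'dev_role'@'localhost' TO ''@'';

-- After a PAM login, check who the session really is: USER() is the OS
-- identity presented, CURRENT_USER() is the account whose privileges apply,
-- and @@proxy_user shows the proxy account that performed the mapping.
SELECT USER(), CURRENT_USER(), @@proxy_user;
```

The client must send the password in clear text to the server for PAM to check it (mysql --enable-cleartext-plugin), so this setup only makes sense over TLS or a local socket.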
• 45. MySQL Enterprise Authentication: Windows
  • Windows Active Directory
  • Windows Native Services
• 46. MySQL Enterprise Encryption
  • MySQL encryption functions
    – Symmetric encryption AES256 (All Editions)
    – Public-key / asymmetric cryptography – RSA
  • Key management functions
    – Generate public and private keys
    – Key exchange methods: DH
  • Sign and verify data functions
    – Cryptographic hashing for digital signing, verification, & validation – RSA, DSA
• 47. MySQL Enterprise Encryption Functions: all within MySQL
  (Diagram: "This is a secret" → Encryption with Public Key (it only encrypts) → #@%@&# → Decryption with Private Key (it can decrypt) → "This is a secret")
  – Could be from client app or within MySQL (function call)
  – Can generate public/private key pairs (or use those generated externally, say by OpenSSL)
• 48. MySQL Enterprise Encryption Functions: app encrypts, MySQL stores and decrypts
  (Diagram: "This is a secret" → Encryption with Public Key (it only encrypts) → #@%@&# → Decryption with Private Key (it can decrypt) → "This is a secret")
  – Can generate public/private key pairs (or use those generated externally, say by OpenSSL)
• 49. MySQL Enterprise Encryption Functions: app encrypts, MySQL stores, app decrypts
  (Diagram: "This is a secret" → Encryption with Public Key (it only encrypts) → #@%@&# → Decryption with Private Key (it can decrypt) → "This is a secret")
  – Can generate public/private key pairs (or use those generated externally, say by OpenSSL)
• 50. Oracle (or other) Key Vault generates keys; app encrypts (only has public key); MySQL stores and decrypts
  (Diagram: "This is a secret" → Encryption with Public Key (it only encrypts) → #@%@&# → Decryption with Private Key (it can decrypt) → "This is a secret")
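The function calls behind slides 46 to 50, as an added SQL example that is not part of the deck: AES-256 (available in all editions), then the Enterprise asymmetric functions for the public-key flow on the diagrams, signing and verification, and a DH key exchange. The plaintext "This is a secret" is the one from the slides; the passphrase used to derive the AES key is a constructed placeholder, and in practice the key would come from a key vault as slide 50 shows.

```sql
-- Added example, not from the slides. Needs MySQL 5.6.17+ for the AES IV
-- support and MySQL Enterprise Edition (openssl_udf) for the ASYMMETRIC_*
-- and CREATE_* functions. Key material here is generated in-session for
-- illustration; production keys belong in a vault, as slide 50 shows.

-- Symmetric AES-256 (all editions). The default block_encryption_mode is
-- aes-128-ecb, so select a 256-bit CBC mode and supply a random IV, which
-- must be stored next to the ciphertext.
SET block_encryption_mode = 'aes-256-cbc';
SET @key = UNHEX(SHA2('constructed passphrase - replace with vault key', 256));
SET @iv  = RANDOM_BYTES(16);
SET @ct  = AES_ENCRYPT('This is a secret', @key, @iv);
SELECT CAST(AES_DECRYPT(@ct, @key, @iv) AS CHAR) AS plaintext;

-- Asymmetric RSA (Enterprise). Slide 47 variant: the key pair is generated
-- inside MySQL; it could equally be imported from OpenSSL PEM strings.
SET @priv = CREATE_ASYMMETRIC_PRIV_KEY('RSA', 2048);
SET @pub  = CREATE_ASYMMETRIC_PUB_KEY('RSA', @priv);

-- Slide 48/50 flow: the side holding only @pub encrypts; only the holder of
-- @priv can decrypt. Handing an application @pub alone limits what a
-- compromise of that application can read.
SET @ct_rsa = ASYMMETRIC_ENCRYPT('RSA', 'This is a secret', @pub);
SELECT CAST(ASYMMETRIC_DECRYPT('RSA', @ct_rsa, @priv) AS CHAR) AS plaintext;

-- Sign and verify (slide 46): hash the data, sign the digest with the private
-- key, verify with the public key. The second check uses a different message
-- against the same signature, so ASYMMETRIC_VERIFY reports it as invalid.
SET @digest = CREATE_DIGEST('sha256', 'This is a secret');
SET @sig    = ASYMMETRIC_SIGN('RSA', @digest, @priv, 'sha256');
SELECT ASYMMETRIC_VERIFY('RSA', @digest, @sig, @pub, 'sha256') AS genuine_ok;
SELECT ASYMMETRIC_VERIFY('RSA', CREATE_DIGEST('sha256', 'This is a forgery'),
                         @sig, @pub, 'sha256') AS forgery_ok;

-- Diffie-Hellman key exchange (slide 46, "Key exchange methods: DH"): both
-- parties derive the same shared secret from their own private key and the
-- peer's public key. Parameter generation is slow; cache the result.
SET @dhp       = CREATE_DH_PARAMETERS(1024);
SET @dh_priv_a = CREATE_ASYMMETRIC_PRIV_KEY('DH', @dhp);
SET @dh_pub_a  = CREATE_ASYMMETRIC_PUB_KEY('DH', @dh_priv_a);
SET @dh_priv_b = CREATE_ASYMMETRIC_PRIV_KEY('DH', @dhp);
SET @dh_pub_b  = CREATE_ASYMMETRIC_PUB_KEY('DH', @dh_priv_b);
SELECT ASYMMETRIC_DERIVE(@dh_pub_b, @dh_priv_a)
       = ASYMMETRIC_DERIVE(@dh_pub_a, @dh_priv_b) AS shared_secret_matches;
```

Session variables such as @priv live in server memory only for the duration of the session; the private key never needs to be written to a table for the decrypt-in-MySQL flow, which is the property the diagrams are relying on.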
• 51. MySQL Enterprise Audit
  Adds regulatory compliance to MySQL applications (HIPAA, Sarbanes-Oxley, PCI, etc.)
  • Out-of-the-box logging of connections, logins, and query
  • User defined policies for filtering, and log rotation
  • Dynamically enabled, disabled: no server restart
  • XML-based audit stream per Oracle Audit Vault spec
• 52. MySQL Enterprise Audit
  1. DBA enables Audit plugin
  2. User Joe connects and runs a query
  3. Joe's connection & query logged
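The three steps of slide 52 as a DBA would actually type them, as an added SQL example that is not part of the deck. It uses the real audit_log plugin and its MySQL 5.6 variables; the user joe is the one on the slide, the query he runs and the log record shapes are constructed.

```sql
-- Added example, not from the slides. MySQL Enterprise Audit on MySQL 5.6.
-- Step 1: the DBA loads the plugin at runtime (no restart, as slide 51 says).
INSTALL PLUGIN audit_log SONAME 'audit_log.so';

-- Policy: log connections and queries. 5.6 values: ALL, LOGINS, QUERIES, NONE.
SET GLOBAL audit_log_policy = 'ALL';

-- Rotate automatically when the file reaches 100 MB instead of only on demand.
SET GLOBAL audit_log_rotate_on_size = 100 * 1024 * 1024;

-- Make the plugin and policy survive a restart and resist UNINSTALL PLUGIN:
-- add to my.cnf under [mysqld]
--   plugin-load = audit_log.so
--   audit-log = FORCE_PLUS_PERMANENT
--   audit_log_policy = ALL
--   audit_log_rotate_on_size = 104857600

-- Step 2: joe connects and runs a query (constructed example statement).
--   (as joe)  SELECT COUNT(*) FROM app.orders;

-- Step 3: the plugin appends XML records to audit.log in the datadir, one for
-- the Connect event and one for the Query event. Shape only (values
-- constructed, attributes abbreviated):
--   <AUDIT_RECORD TIMESTAMP="2014-..." NAME="Connect" CONNECTION_ID="7"
--                 STATUS="0" USER="joe" HOST="localhost" .../>
--   <AUDIT_RECORD TIMESTAMP="2014-..." NAME="Query" CONNECTION_ID="7"
--                 STATUS="0" SQLTEXT="SELECT COUNT(*) FROM app.orders"/>

-- Verify the plugin is active and that events are being written, not dropped.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME = 'audit_log';
SHOW STATUS LIKE 'Audit_log_events%';
```

Audit_log_events_lost is the counter to alert on: a non-zero value means records were dropped because the log could not keep up, which is exactly the gap an auditor will ask about.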
• 53. MySQL Enterprise Backup
  • Online Backup for InnoDB (scriptable interface)
  • Full, Incremental, Partial Backups (with compression)
  • Strong Encryption (AES 256)
  • Point in Time, Full, Partial Recovery options
  • Metadata on status, progress, history
  • Scales – High Performance/Unlimited Database Size
  • Windows, Linux, Unix
  • Certified with Oracle Secure Backup, NetBackup, Tivoli, others
• 54. MySQL Enterprise Oracle Certifications
  MySQL integrates into your Oracle environment
  • Oracle Enterprise Manager for MySQL
  • Oracle Linux (w/DRBD stack)
  • Oracle VM
  • Oracle Solaris
  • Oracle Solaris Clustering
  • Oracle Clusterware
  • Oracle Audit Vault and Database Firewall
  • Oracle Secure Backup
  • Oracle Fusion Middleware
  • Oracle GoldenGate
  • My Oracle Support
• 55. Oracle Audit Vault and Database Firewall
  • Oracle DB Firewall
    – Oracle, MySQL, SQL Server, IBM DB2, Sybase
    – Activity Monitoring & Logging
    – White List, Black List, Exception List
  • Audit Vault
    – Built-in Compliance Reports
    – External storage for audit archive
• 56. Thank You