Percona Live Europe 2018: What's New in MySQL 8.0 Security

Copyright © 2018, Oracle and/or its affiliates. All rights reserved. |
MySQL 8.0
What’s New in Security ?
Georgi “Joro” Kodinov
MySQL SrvGen Team Lead

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied upon
in making purchasing decisions. The development, release, timing, and pricing of any
features or functionality described for Oracle’s products may change and remains at the
sole discretion of Oracle Corporation.

Program Agenda
Security Challenges
New Security Features in MySQL 8
New Security Features in MySQL Enterprise Edition
MySQL Security Architecture
1
2
3
4
3

Cost of Data Breaches
5
Source: Ponemon Institute, 2018
$1.9M
$2.8M
$4.6M
$6.3M
$0
$1,000,000
$2,000,000
$3,000,000
$4,000,000
$5,000,000
$6,000,000
$7,000,000
Less than 10,000 10,000 to 25,000 25,001 to 50,000 Greater than
50,000
Records
Small to Medium Breaches
$199M
$279M
$325M
$350M
$0
$50,000,000
$100,000,000
$150,000,000
$200,000,000
$250,000,000
$300,000,000
$350,000,000
$400,000,000
20 Million 30 Million 40 Million 50 Million
Records
Mega Breaches

Regulatory Compliance
• Regulations
– PCI – DSS: Payment Card Data
– HIPAA: Privacy of Health Data
– Sarbanes Oxley, GLBA, The USA Patriot Act:
Financial Data, NPI "personally identifiable financial information"
– FERPA – Student Data
– EU General Data Protection Directive: Protection of Personal Data (GDPR)
– Data Protection Act (UK): Protection of Personal Data
• Requirements
– Continuous Monitoring (Users, Schema, Backups, etc.)
– Data Protection (Encryption, Privilege Management, etc.)
– Data Retention (Backups, User Activity, etc.)
– Data Auditing (User activity, etc.)
6

How to Secure your Databases
Assess
 Locate Risks and Vulnerabilities, Ensure that necessary security controls are
Prevent
 Using Cryptography, User Controls, Access Controls, etc
Detect
 Still a possibility of a breach – so Audit, Monitor, Alert
Recover
 Ensure service is not interrupted as a result of a security incident
 Even through the outage of a primary database
 Forensics – post mortem – fix vulnerability
7

New Security Features in MySQL 8.0
8

MySQL Security Overview Authentication
Authorization
Encryption
Firewall
MySQL Security
Auditing
New! Masking/De-Identification
• Available in 5.7.24 & 8.0.13
• Will be in MySQLaaS as well

New! MySQL Roles
Improving MySQL Access Controls
• Introduced in the 8.0.0 DMR
• Easier to manage user and applications rights
• As standards compliant as practically possible
• Multiple default roles
• Can export the role graph in GraphML
10
Feature Request
from DBAs
Directly
Indirectly
Set Role(s)
Default Role(s)
Set of
ACLS
Set of
ACLS

SQL Roles Implementation In a Nutshell
• A role is a user account with login disabled.
• A memory based hash of flattened privilege sets for each active role
• 2 new tables: mysql.role_edges and mysql.default_roles
• 2 new SQL functions: CURRENT_ROLE() and ROLE_GRAPHML()
• 3 new global privileges: CREATE ROLE, DROP ROLE and ROLE_ADMIN
• Extensions to: ALTER USER, GRANT/REVOKE, SET and SHOW GRANTS
11

SQL Roles Implementation: MySQL Extras
• Roles can have an optional host part (not currently used)
• Pre-roles ACL code is used when there’s no active role(s)
• Users can be assigned several roles
• Users can have zero or more default roles
• Active Roles can be changed – from various assigned roles
– For example just escalate or change privileges from within an application for certain
operations
12

Role Examples
13

MySQL Enterprise Masking and De-Identification
New in MySQL 8.0.13 AND 5.7.24!
• Data De-identification helps database customers improve security
• Accelerates compliance for
– Government – GDPR, CHHS
– Financial - PCI
– Healthcare – HIPAA, Clinic Trials Data
• Reduce IT costs by simplifying sanitizing production data
– Transforming sensitive data for use in analytics, testing, development, and more
14

NEW! MySQL Enterprise Masking and De-Identification
15
De-identify, Anonymize Sensitive Data
ID Last First SSN
1111 Smith John 555-12-5555
1112 Templeton Richard 444-12-4444
ID Last First SSN
2874 Smith John XXX-XX-
5555
3281 Templeton Richard XXX-XX-
4444
Employee Table
Masked View
"Data Masking is a method to hide
sensitive information by replacing
real values with substitutes.”
Random Data Generation

• Data Masking
– String masking
– Dictionary based replacement
– Specific masking
• SSN
• Payment card : Strict/Relaxed
• Random Data Generators
– Random number within a range
– Email
– Payment card (Luhn check compliant)
– SSN
– Dictionary based generation
16
Data Masking and Random Data Generation

• String data masking
– Mask a substring within a string : ArthXXXXnt
– Mask substrings at the beginning and at the end :
• XXthurDeXX
• SSN masking : XXXX-XX-1234
• Payment Card masking
– Strict: XXXXXXXXXXXXXXX7395, Relaxed: 493812XXXXXXXXX7395
• Dictionary based masking
– gen_blacklist(“007”, “00designations”, “Cover_identity”) => Universal Exports
17
Data Masking

• Random data within range
– gen_range(10000, 20000) => 12503
• Email : kajsm.hamskdk@example.com
• Payment card : 7389026626032990
– Configurable length : 12 to 19 digits
• SSN : 915-63-3858
• US Phone number : 1-555-3456-332
18
Random Data Generation

• Load multiple dictionaries
– Maps dictionary file => dictionary name
– In memory data for faster retrieval
• Generation based on dictionary data
– gen_dictionary(“periodictable”) => Oxygen
– If 007 on the blacklist then substitute otherwise provide random value
• Blacklisted – 007 – thus randomly substituted from Jobs Dictionary
– gen_blacklist(“007”, “Job_mask", “Jobs") => “Accountant”
• Not blacklisted – Administrator – thus passes through
– gen_blacklist(“Administrator”, “Job_mask", “Jobs") => “Administrator”
19
Dictionary based data generation, data blacklists

Data Masking Examples

MySQL Enterprise Authentication
21
• Integrate with Centralized Authentication Infrastructure
– Centralized Account Management
– Password Policy Management
– Groups & Roles
Supports
– Windows Active Directory (for windows MySQL servers)
– Linux PAM (Pluggable Authentication Modules)
– New Native LDAP
• Ultra Fast and Flexible
• Works with Windows AD (even on non-windows MySQL servers)
Integrates MySQL with existing
security infrastructures

MySQL Enterprise Authentication: Native LDAP
• Direct Connection over
LDAP Protocol/Ports
• Authentication with
– User and Password
– or SASL
• Customizable for users
and groups
22
Connector
LDAP
Service
Dir
Tree
Port:389
MySQL Native LDAP
Plugin
1) User/Password
Or
2) SASL
2) SASL
SASLD

New! Atomic ACL Statements
• Long standing MySQL issue!
– For Replication, HA, Backups, etc.
• Possible now - ACL tables reside in 8.0 InnoDB Data Dictionary
• Not just a table operation: memory caches need update too
• Applies to statements performing multiple logical operations, e.g.
– CREATE USER u1, u2
– GRANT SELECT ON *.* TO u1, u2
• Uses a custom MDL lock to block ACL related activity
– While altering the ACL caches and tables
23
Feature Request
from DBAs

New! Dynamic Privileges
Provides finer grained administrative level access controls
• Too often SUPER is required for tasks when less privilege is really needed
– Support concept of “least privilege”
• Needed to allow adding administrative access controls
– Now can come with new components
– Examples
• Replication
• HA
• Backup
• Give us your ideas
24
Feature Request
from DBAs

Why Dynamic Global Privileges?
• How to add a new global privilege (the 5.7 version)
– Add a column in mysql.user
– Extend the parser
– Amend ACL cache code: reading, caching, writing, upgrade, …
– Add checks for the new privilege
• Not possible from a plugin !
• Abuse of existing privileges (SUPER) !
• The SUPER-potent SUPER !
25

How Do Dynamic Privileges Work ?
• Provides new component service
– Can add, remove and check global privileges
• Only GRANTs are persisted
– Stored in mysql.global_grants
• Uses the familiar
– GRANT <dynamic_acl> ON *.* TO … syntax
26

MySQL Password Features
• New! Password Management
– Require new passwords not reuse old ones - By number of changes and/or time.
– Password-reuse (aka Password History)
• Policy can be set globally as well as on a per-account basis.
– New in 8.0.13: Can require old password when changing too
• New! SHA2 with Caching. Now Default !
– Strong (when storing) and Fast (when connecting)
• Strong - SHA-256 password hashing (many rounds, random salt, …)
• Fast – Caching: Greatly reduces latency
• New! Seamless RSA password-exchange capabilities (Lowers SSL Costs)
27

MySQL Password Policies – Review
• Accounts without Passwords
– Assign passwords to all accounts to prevent unauthorized use
• Password Validation Plugin
– Enforce Strong Passwords
• Password Expiration/Rotation
– Require users to reset their password
• Account lockout (in v. 5.7)
• Password Retry Rules (in v. 5.7.16+)
• New! Password History (in v. 8.0)
28

New! OpenSSL Dynamically Linked / FIPS Module Support
• Dynamically Linked in 8.0 CAN
– Use optimized OpenSSL Libraries (use AES-NI acceleration)
– Be patched without MySQL Upgrade
– Run with OpenSSL FIPS Object Module
• Meeting US Federal Requirements
• Provides confidentiality, integrity and message digest services.
– Leverage OpenSSL engines (HSMs etc.)
• Moves cryptography off CPU - dedicated cryptography devices
• Meeting more stringent security requirements
• May improve performance
29

MySQL 8.0 TDE
• New! AES 256 encryption of UNDO and REDO Logs
Super Simple to manage - Set
innodb_undo_log_encrypt=ON/OFF
innodb_redo_log_encrypt=ON/OFF
And
ON - Pages written after setting are encrypted
OFF - Pages written after setting are not.
 New in 8.0.13 ! Support for encryption in shared table-spaces
30

MySQL Security Architecture

MySQL Enterprise Edition - SECURITY
• MySQL Enterprise TDE
– Data-at-Rest Encryption
– Key Management/Security
• MySQL Enterprise Authentication
– External Authentication Modules
• Microsoft AD, Linux PAMs, LDAP
• MySQL Enterprise Encryption
– Public/Private Key Cryptography
– Asymmetric Encryption
– Digital Signatures, Data Validation
– User Activity Auditing, Regulatory Compliance
• MySQL Data Masking
32
• MySQL Enterprise Firewall
– Block SQL Injection Attacks
– Intrusion Detection
• MySQL Enterprise Audit
• MySQL Enterprise Monitor
– Changes in Database Configurations, Users
Permissions, Database Schema, Passwords
• MySQL Enterprise Backup
– Securing Backups, AES 256 encryption
• MySQL Enterprise Thread pool
– Attack Hardening

33
Enterprise
Security Architecture
 Workbench
•Model
•Data
•Audit Data
•User Management
  Enterprise Monitor
•Identifies Vulnerabilities
•Security hardening policies
•Monitoring & Alerting
•User Monitoring
•Password Monitoring
•Schema Change Monitoring
•Backup Monitoring
Data Encryption
•TDE
•Encryption
•PKI
 Firewall
 Enterprise Authentication
•SSO - LDAP, AD, PAM
 Network Encryption
 Enterprise Audit
•Powerful Rules Engine
 Audit Vault
 Strong Authentication
 Access Controls
 Assess
 Prevent
 Detect
 Recover
 Enterprise Backup
•Encrypted
 HA
•Innodb Cluster
Thread Pool
•Attack minimization
 Key Vault
•Protect Keys
 Enterprise
Masking & De-Identification
•Masking
•Substitute/Subset
•Random Formatted Data
•Blacklisted Data

What is Transparent Data Encryption?
• Data at Rest Encryption
– Tablespaces, Disks, Storage, OS File system
• Transparent to applications and users
– No application code, schema or data type changes
• Transparent to DBAs
– Keys are hidden from DBAs, no configuration changes
• Requires Key Management
– Protection, rotation, storage, recovery
34

MySQL Transparent Data Encryption
Encrypted
Database Files
Tablespace Key
Malicious OS User / Hacker
Accesses Files Directly
Information Access Blocked
By Encryption
Master Key

Using MySQL Transparent Data Encryption is EASY
SQL
• New option in CREATE TABLE
ENCRYPTION=“Y”
• New SQL: ALTER INSTANCE ROTATE
INNODB MASTER KEY
Plugin Infrastructure
• New plugin type: keyring
• Ability to load plugin before InnoDB
initialization: --early-plugin-load
Keyring plugin
• Used to retrieve keys from Key Stores
• Over Standardized KMIP protocol
InnoDB
• Support for encrypted tables
• IMPORT/EXPORT of encrypted tables
• Support for master key rotation
• New! undo/redo log encryption
36

MySQL Enterprise TDE: KMIP Compliant
• KMIP – Key Management Interoperability Protocol (Oasis Standard)
• Keys are protected and secure
• Enables customers to meet regulatory requirements
• KMIP mode tested with the following products
– Oracle Key Vault (OKV)
– Gemalto Safenet KeySecure
– Fornetix Key Orchestration Appliance
– Thales Vormetric
37

The Keyring API: The Big Picture
38
The MySQL ServerPlugins
(Consumers) Keys
Keyring Plugin
(backend)
Key Storage
Keys
Keyring
Plugin
Service
Keyring
Plugin API
Keys
Key
Ring
API Each Key
Has a
Name/ACL

What is the Keyring API ?
• A uniform infrastructure for handling keys
• Usable by both the server and plugins
• Available in MySQL 5.7 and up as a plugin API and a plugin service
• Fully extensible
• Can be initialized before InnoDB at startup
• Minimum effort to add new backends and consumers
• New! A keyring migration tool to facilitate moving keys across back-ends !
39

Keyring plugins: The Inventory
• Current Consumers
– InnoDB tablespace encryption
– SQL user defined functions (UDF) plugin
– Enterprise Audit
• Current Backends
– Flat file backend (In EE can be encrypted)
– KMIP compliant clients
• Oracle KeyVault
• Gemalto Safenet KeySecure
• Probably more if they support KMIP standards – give it a try.
40

MySQL Enterprise Encryption
• MySQL encryption functions
– Symmetric encryption AES256 (All Editions)
– Public-key / asymmetric cryptography – RSA
• Key management functions
– Generate public and private keys
– Key exchange methods: DH
• Sign and verify data functions
– Cryptographic hashing for digital signing, verification, & validation – RSA,DSA
• New since 8.0.11: MySQL can work in FIPs mode
41

MySQL Enterprise Audit
• Out-of-the-box logging of connections, logins, and query
• User defined policies for filtering, and log rotation
• Dynamically enabled, disabled: no server restart
• XML-based audit stream per Oracle Audit Vault spec
• New! Features in 5.7.21 and in 8.0
– JSON
– Compression
– Encryption
42
Adds regulatory compliance to
MySQL applications
(HIPAA, Sarbanes-Oxley, PCI, etc.)

MySQL Enterprise Firewall
• Real Time Protection
– Queries analyzed and matched against White List
• Blocks SQL Injection Attacks
– Block Out of Policy Transactions
• Intrusion Detection
– Detect and Alert on Out of Policy Transactions
• Learns White List
– Automated creation of approved list of SQL command patterns on a per user basis
• Transparent
– No changes to application required
• New! Feature in 5.7.20/8.0 – Combined Firewall/Audit Rules
– Create more general allow/deny firewall rules using JSON syntax – using abort=on
43
MySQL Enterprise Firewall monitoring

MySQL Enterprise Firewall
• New! Feature in 5.7.20 – Combined Firewall/Audit Rules
– Create more general allow/deny firewall rules using JSON syntax – using abort=on
Example - block execution of specific
• SQL statements (insert, update, delete)
• For a specific table (finances.bank_account)
Test rules
• By writing to audit log
• If data as expected change to firewall
– add “abort”
44

Security Direction
• Continuing to focus a great deal on security
• New things are in the works, especially in
these areas:
– TDE / Encryption / Key management
– Masking, Obfuscation, De-identification, Tokenization
– Audit
– Firewall
– Authentication
– Integration to various Oracle Cloud services
– Data masking
45
Customer feedback
and requirements
drive our priorities
Tell us what you want,
need, etc.
Give us problematic
use cases

46
Enterprise
Security Architecture
 Workbench
•Model
•Data
•Audit Data
•User Management
  Enterprise Monitor
•Identifies Vulnerabilities
•Security hardening policies
•Monitoring & Alerting
•User Monitoring
•Password Monitoring
•Schema Change Monitoring
•Backup Monitoring
Data Encryption
•TDE
•Encryption
•PKI
 Firewall
 Enterprise Authentication
•SSO - LDAP, AD, PAM
 Network Encryption
 Enterprise Audit
•Powerful Rules Engine
 Audit Vault
 Strong Authentication
 Access Controls
 Assess
 Prevent
 Detect
 Recover
 Enterprise Backup
•Encrypted
 HA
•Innodb Cluster
Thread Pool
•Attack minimization
 Key Vault
•Protect Keys
 Enterprise
Masking & De-Identification
•Masking
•Substitute/Subset
•Random Formatted Data
•Blacklisted Data

MySQL Enterprise Edition - SECURITY
• MySQL Enterprise TDE
– Data-at-Rest Encryption
– Key Management/Security
• MySQL Enterprise Authentication
– External Authentication Modules
• Microsoft AD, Linux PAMs, LDAP
• MySQL Enterprise Encryption
– Public/Private Key Cryptography
– Asymmetric Encryption
– Digital Signatures, Data Validation
• MySQL Data Masking
47
• MySQL Enterprise Firewall
– Block SQL Injection Attacks
– Intrusion Detection
• MySQL Enterprise Audit
• MySQL Enterprise Monitor
– Changes in Database Configurations, Users
Permissions, Database Schema, Passwords
• MySQL Enterprise Backup
– Securing Backups, AES 256 encryption
• MySQL Enterprise Thread pool
– Attack Hardening

Security Resources
• http://mysqlserverteam.com/
• http://insidemysql.com/
• https://blogs.oracle.com/mysql
• https://www.mysql.com/why-mysql/#en-0-40
• https://www.mysql.com/why-mysql/presentations/#en-17-40
• https://www.mysql.com/news-and-events/on-demand-webinars/#en-20-
40
• https://www.mysql.com/news-and-events/health-check/
48

Thank you!
49

Percona Live Europe 2018: What's New in MySQL 8.0 Security

Percona Live Europe 2018: What's New in MySQL 8.0 Security

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Percona Live Europe 2018: What's New in MySQL 8.0 Security

Ähnlich wie Percona Live Europe 2018: What's New in MySQL 8.0 Security (20)

Mehr von Georgi Kodinov

Mehr von Georgi Kodinov (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Percona Live Europe 2018: What's New in MySQL 8.0 Security

Hinweis der Redaktion