mysql manchester tt - security
TRANSCRIPT
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
MySQL Security: Best Practices

43% of companies have experienced a data breach in the past year. Source: Ponemon Institute, 2014
Oracle Confidential – Internal/Restricted/Highly Restricted
Mega Breaches
• 552 million identities exposed in 2013, a 493% increase over the previous year
• 77% of web sites had vulnerabilities
• 1 in 8 of all websites had a critical vulnerability
• 8 breaches exposed more than 10 million records in 2013
• Total breaches increased 62% in 2013
Source: Internet Security Threat Report 2014, Symantec
Database Vulnerabilities
• Poor Configurations – Set controls and change default settings
• Over Privileged Accounts – Privilege Policies
• Weak Access Control – Dedicated Administrative Accounts
• Weak Authentication – Strong Password Enforcement
• Weak Auditing – Compliance & Audit Policies
• Lack of Encryption – Data, Backup, & Network Encryption
• Proper Credential or Key Management – Use mysql_config_editor, Key Vaults
• Unsecured Backups – Encrypted Backups
• No Monitoring – Security Monitoring, Users, Objects
• Poorly Coded Applications – Database Firewall
Database Attacks
• SQL Injection – Prevention: DB Firewall, White List, Input Validation
• Buffer Overflow – Prevention: Frequently apply database software updates, DB Firewall, White List, Input Validation
• Brute Force Attack – Prevention: lock out accounts after a defined number of incorrect attempts.
• Network Eavesdropping – Prevention: Require SSL/TLS for all connections and transport
• Malware – Prevention: Tight access controls, limited network IP access, change default settings
Database Malicious Actions
• Information Disclosure: Obtain credit card and other personal information – Defense: Encryption (data and network), tighter access controls
• Denial of Service: Run resource intensive queries – Defense: Resource usage limits – set various limits: max connections, sessions, timeouts, …
• Elevation of Privilege: Retrieve and use administrator credentials – Defense: Stronger authentication, access controls, auditing
• Spoofing: Retrieve and use other credentials – Defense: Stronger account and password policies
• Tampering: Change data in the database, delete transaction records – Defense: Tighter access controls, auditing, monitoring, backups
Regulatory Compliance
• Regulations
  – PCI-DSS: Payment Card Data
  – HIPAA: Privacy of Health Data
  – Sarbanes-Oxley: Accuracy of Financial Data
  – EU Data Protection Directive: Protection of Personal Data
  – Data Protection Act (UK): Protection of Personal Data
• Requirements
  – Continuous Monitoring (Users, Schema, Backups, etc.)
  – Data Protection (Encryption, Privilege Management, etc.)
  – Data Retention (Backups, User Activity, etc.)
  – Data Auditing (User activity, etc.)
PCI-DSS
• Requirement 2: Secure Configurations, Security Settings & Patching – Not using vendor default passwords and security settings
• Requirement 3: Protecting Cardholder Data – Strong cryptography – Protect stored cardholder data
• Requirement 6: Up to Date Patching and Secure Systems – Develop and maintain secure systems and applications
• Requirement 7: User Access and Authorization – Restrict access to cardholder data by need to know
• Requirement 8: Identity and Access Management – Identify and authenticate access to system components
• Requirement 10: Monitoring, Tracking and Auditing – Track and monitor access to cardholder data
White Paper: A Guide to MySQL and PCI Compliance
HIPAA
• Access Controls – Access only to those persons or software programs that have been granted access rights – Unique user identification, emergency access procedure, automatic logoff, encryption and decryption
• Authentication – Verify that a person or entity seeking electronic health information is the one claimed
• Integrity – Protect electronic protected health information from improper alteration or destruction
• Transmission Security – Guard against unauthorized access to electronic protected health information that is being transmitted over a network
• Encryption – Encrypt electronic protected health information
• Audit Control – Record and examine activity in systems that contain or use electronic protected health information
Sarbanes-Oxley
• Accurate and factual business and financial reports – Verify that the records are protected from tampering and modification
• Protect data accuracy and integrity – Minimal permissions on data for each employee – Deny any privileges above minimal – Audit all activity
Data Protection Act – UK 1998
• Personal data shall be processed fairly and lawfully
• Personal data shall be obtained only for one or more specified and lawful purposes
• Personal data shall be adequate, relevant and not excessive
• Personal data shall be accurate and, where necessary, kept up to date
• Personal data processed for any purpose shall not be kept for longer than is necessary
• Personal data shall be processed in accordance with the rights of data subjects
• Measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
• Personal data shall not be transferred to a country or territory outside the European Economic Area
DBA Responsibilities
• Ensure only users who should get access, can get access
• Limit what users and applications can do
• Limit from where users and applications can access data
• Watch what is happening, and when it happened
• Make sure to back things up securely
• Minimize attack surface
MySQL Security Overview (diagram)
• Authentication – MySQL, Linux / LDAP, Windows AD, Custom; Proxy Users
• Authorization – Privilege Management, Administration, Database & Objects
• Encryption – SSL/TLS, Public Key, Private Key, Digital Signatures
• Firewall – Block Threats
• Auditing – Regulatory Compliance, Login and Query Activities

MySQL Security Overview (diagram): Authorization, Authentication, Firewall & Auditing, Encryption around MySQL Security
MySQL Authorization
• Administrative Privileges
• Database Privileges
• Session Limits and Object Privileges
• Fine grained controls over user privileges
  – Creating, altering and deleting databases
  – Creating, altering and deleting tables
  – Execute INSERT, SELECT, UPDATE, DELETE queries
  – Create, execute, or delete stored procedures and with what rights
  – Create or delete indexes
(Screenshot: Security Privilege Management in MySQL Workbench)
MySQL Privilege Management
• user: user accounts, global privilege columns
• db: database-level privileges
• tables_priv: table-level privileges
• columns_priv: column-level privileges
• procs_priv: stored procedure and function privileges
• proxies_priv: proxy-user privileges
MySQL Privilege Management: Grant Tables (diagram)
• user – User accounts, global privileges
• db – Database-level privileges: database, tables, objects; user and host
• tables_priv – Table-level privileges: table and columns
• columns_priv – Specific columns
• procs_priv – Stored procedures, functions; single function privilege
• proxies_priv – Proxy users, proxy privileges
MySQL Privilege Management
• Continuous assessment – Configuration – Users – Permissions and Rights
• Audit & review activity
  – Who – does the activity match expectation?
  – What – is it limited as expected?
  – When – attacks often occur at odd / off-peak times
  – Where – connections should be from expected hosts
• MySQL has simple to use controls and privileges to set secure limits
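An added example, not from the deck, of how the grant tables above are used in practice: a least-privilege application account, a column-restricted reporting account, session limits, and the review queries for the "Who / What / Where" assessment. The schema name shop, the table shop.orders, the account names and the network ranges are constructed; MySQL 5.6/5.7 syntax is assumed.

```sql
-- Scoped application account: host-restricted, database-level privileges only
-- (a row in mysql.db); the global privilege columns in mysql.user stay 'N'.
CREATE USER 'app'@'10.0.1.%' IDENTIFIED BY 'CHANGE_ME_strong_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'app'@'10.0.1.%';

-- Reporting account limited to one table and a subset of its columns
-- (rows in mysql.tables_priv and mysql.columns_priv).
CREATE USER 'report'@'10.0.2.%' IDENTIFIED BY 'CHANGE_ME_another_password';
GRANT SELECT (order_id, order_date, total) ON shop.orders TO 'report'@'10.0.2.%';

-- Session limits: cap concurrent connections and query rate per account
-- (defends against the "run resource intensive queries" DoS case).
GRANT USAGE ON *.* TO 'app'@'10.0.1.%'
  WITH MAX_USER_CONNECTIONS 50 MAX_QUERIES_PER_HOUR 100000;

-- Who: accounts holding dangerous global privileges. Expect only dedicated admin accounts here.
SELECT user, host
FROM mysql.user
WHERE Super_priv = 'Y' OR File_priv = 'Y' OR Grant_priv = 'Y' OR Process_priv = 'Y';

-- Where: accounts reachable from any host, and anonymous accounts. Expect an empty set.
SELECT user, host FROM mysql.user WHERE host = '%' OR user = '';

-- What: everything one account can do, consolidated across all grant tables.
SHOW GRANTS FOR 'app'@'10.0.1.%';

-- Database-level rows, to compare against the expected application-to-schema mapping.
SELECT host, db, user, Select_priv, Insert_priv, Update_priv, Delete_priv, Drop_priv
FROM mysql.db
ORDER BY db, user;
```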
MySQL Authentication
• Built in Authentication – user table stores users and encrypted passwords
• X.509 – Server authenticates client certificates
• MySQL Native, SHA-256 Password plugin – Native uses SHA1, or plugin with SHA-256 hashing and per-user salting for user account passwords.
• MySQL Enterprise Authentication – Microsoft Active Directory – Linux PAMs (Pluggable Authentication Modules) – Support LDAP and more
• Custom Authentication
MySQL Password Policies
• Accounts without Passwords – Assign passwords to all accounts to prevent unauthorized use
• Password Validation Plugin – Enforce strong passwords
• Password Expiration/Rotation – Require users to reset their password
• Account lockout (in v. 5.7)
MySQL Encryption
• SSL/TLS Encryption – Between MySQL clients and server – Replication: between master & slave
• Data Encryption – AES Encrypt/Decrypt
• MySQL Enterprise Encryption – Asymmetric Encrypt/Decrypt – Generate public and private keys – Derive session keys – Digital signatures
• MySQL Enterprise Backup – AES Encrypt/Decrypt
SSL/TLS
• Encrypted connections – Between MySQL client and server – Replication: between master & slave
• MySQL enables encryption on a per-connection basis – Identity verification using the X.509 standard
• Specify the appropriate SSL certificate and key files
• Will work with trusted CAs (Certificate Authorities)
• Supports CRLs – Certificate Revocation Lists
Database Firewall
• SQL Injection Attacks – #1 web application vulnerability – 77% of web sites had vulnerabilities
• MySQL Enterprise Firewall – Monitor database statements in real-time – Automatic white list "rules" generation for any application – Block SQL injection attacks – Intrusion detection system
Database Auditing
• Auditing for Security & Compliance – FIPS, HIPAA, PCI-DSS, SOX, DISA STIG, …
• MySQL built-in logging infrastructure: general log, error log
• MySQL Enterprise Audit – Granularity made for auditing – Can be modified live – Contains additional details – Compatible with Oracle Audit Vault.
MySQL Database Hardening
• User Management – Remove extra accounts – Grant minimal privileges – Audit users and privileges
• Configuration – Firewall – Auditing and logging – Limit network access – Monitor changes
• Installation – mysql_secure_installation – Keep MySQL up to date – MySQL Installer for Windows – Yum/Apt repository
• Backups – Monitor backups – Encrypt backups
• Encryption – SSL/TLS for secure connections – Data encryption (AES, RSA)
• Passwords – Strong password policy – Hashing, expiration – Password Validation Plugin
MySQL 5.7 Linux Packages - Security Improvements
• Test/demo database has been removed – Now in separate packages
• Anonymous account creation is removed.
• Creation of single root account – local host only
• Default installation ensures encrypted communication by default – Automatic generation of SSL/RSA certs/keys
  – For EE: at server startup, if the certs/keys options were not set
  – For CE: through the new mysql_ssl_rsa_setup utility
  – Automatic detection of SSL certs/keys
• Client attempts secure TLS connection by default
• Compile time restriction over location used for data import/export operations
  – Ensures location has restricted access – only mysql user and group
  – Supports disabling data import/export – set secure-file-priv to empty string
MySQL Installer for Windows includes various security setup and hardening steps
MySQL Database Hardening: Installation
• mysql_secure_installation / MySQL Installer for Windows
  – Set a strong password for root account
  – Remove root accounts that are accessible from outside the local host
  – Remove anonymous-user accounts
  – Remove the test database, which by default can be accessed by all users, including anonymous users
• Keep MySQL up to date – Repos – YUM/APT/SUSE – MySQL Installer for Windows
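An added example, not from the deck, showing the SQL equivalent of the four mysql_secure_installation steps above together with checks that each one took effect, for hosts where the interactive tool cannot be run (automated builds, Windows images). MySQL 5.7 syntax is assumed; the password value is a placeholder.

```sql
-- 1. Strong root password (if validate_password is loaded, the policy is enforced here).
ALTER USER 'root'@'localhost' IDENTIFIED BY 'CHANGE_ME_strong_root_password';

-- 2. Remove root accounts reachable from outside the local host.
DELETE FROM mysql.user
WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- 3. Remove anonymous accounts (empty user name).
DELETE FROM mysql.user WHERE user = '';

-- 4. Remove the test database and the grant-table rows that opened it to every account.
--    The default row in mysql.db has db = 'test\_%' (a literal backslash, since the
--    db column is a pattern), which is why both forms are deleted.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE db = 'test' OR db = 'test\_%';
FLUSH PRIVILEGES;

-- Verification: each query must return an empty set.
SELECT user, host FROM mysql.user WHERE user = '';
SELECT user, host FROM mysql.user
WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');
SELECT db, user, host FROM mysql.db WHERE db LIKE 'test%';
```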
Software Updates - Database and OS Maintenance
• Maintaining security requires keeping operating system and MySQL security patches up to date. – May require a restart (mysql or operating system) to take effect.
• To enable seamless upgrades consider MySQL Replication – Allows for changes to be performed in a rolling fashion
  – Best practice to upgrade slaves first – MySQL 5.6 and above supports GTID-based replication – Provides for simple rolling upgrades
• Follow OS vendor specific hardening guidelines – For example: http://www.oracle.com/technetwork/articles/servers-storage-admin/tips-harden-oracle-linux-1695888.html
MySQL Database Hardening: Configuration
• Audit activity – Use Enterprise Audit – Alt. transiently enable query logging – Monitor and inspect regularly
• Disable or limit remote access – If local: "skip-networking" or bind-address=127.0.0.1 – If remote access, then limit hosts/IP
• Consider changing default port
• Change root username
• Disable unauthorized reading from local files – Disable LOAD DATA LOCAL INFILE
• Run MySQL on non-default port – More difficult to find database
• Limit MySQL OS user
• Ensure secure-auth is enabled
MySQL Database Hardening: Best Practices

Parameter                       | Recommended Value                          | Why
secure_file_priv                | A designated leaf directory for data loads | Only allows files to be loaded from a specific location. Limits use of MySQL to get data from across the OS
symbolic_links                  | Boolean – NO                               | Prevents redirection into less secure filesystem directories
default-storage-engine          | InnoDB                                     | Ensures transaction commits, ???
general-log                     | Boolean – OFF                              | Should only be used for debugging – off otherwise
log-raw                         | Default – OFF                              | Should only be used for debugging – off otherwise
skip-networking or bind-address | ON / 127.0.0.1                             | If all local, then block network connections or limit to the local host.
SSL options                     | Set valid values                           | Should encrypt network communication
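An added my.cnf illustration, not from the deck, that puts the parameters in the table above side by side: a typical unreviewed configuration first, then the hardened values. Directory and certificate paths are constructed placeholders; require_secure_transport exists from MySQL 5.7.8.

```ini
# ---- weak: what an unreviewed development server often looks like ----
[mysqld]
secure_file_priv =            # empty: LOAD DATA INFILE / SELECT ... INTO OUTFILE may touch any readable path
symbolic_links   = 1          # a symlinked table directory can point outside the datadir
general_log      = ON
log_raw          = ON         # passwords appear unmasked in the general log
bind_address     = 0.0.0.0    # listens on every interface
# no ssl-* options: all traffic is plaintext

# ---- hardened: values from the best-practices table ----
[mysqld]
secure_file_priv        = /var/lib/mysql-files   # leaf directory owned by mysql:mysql, mode 0750
symbolic_links          = 0
default_storage_engine  = InnoDB
general_log             = OFF                    # enable transiently for debugging only
log_raw                 = OFF
bind_address            = 127.0.0.1              # local clients only; for no TCP at all use skip_networking
# skip_networking
local_infile            = 0                      # disables LOAD DATA LOCAL INFILE (previous slide)
ssl-ca                  = /etc/mysql/ssl/ca.pem
ssl-cert                = /etc/mysql/ssl/server-cert.pem
ssl-key                 = /etc/mysql/ssl/server-key.pem
require_secure_transport = ON                    # 5.7.8+: reject non-TLS TCP connections outright
```

After a restart, SHOW VARIABLES WHERE Variable_name IN ('secure_file_priv','have_symlink','general_log','bind_address','have_ssl') confirms the running values match the file.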
MySQL Database Hardening: Password Policies
• Enforce strong password policies
• Password hashing
• Password expiration
• Password Validation Plugin
• Authentication plugin – Inherits the password policies from the component – LDAP, Windows Active Directory, etc.
• Disable accounts when not in use – Account lockout (5.7+)
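An added example, not from the deck, that applies both password-policy slides (MySQL Password Policies, and this hardening slide) on MySQL 5.7: the validate_password plugin, expiration, the accounts-without-passwords check, and account lockout. Account names are constructed.

```sql
-- Load the validation plugin and set a policy. MEDIUM requires length, mixed case,
-- digits and special characters; STRONG additionally checks a dictionary file.
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password_policy = 'MEDIUM';
SET GLOBAL validate_password_length = 14;
SET GLOBAL validate_password_mixed_case_count = 1;
SET GLOBAL validate_password_number_count = 1;
SET GLOBAL validate_password_special_char_count = 1;

-- A weak password is now refused at creation and on change with
-- ERROR 1819 (HY000): Your password does not satisfy the current policy requirements
-- CREATE USER 'weak'@'localhost' IDENTIFIED BY 'password';

-- Expiration / rotation: a global default plus per-account overrides.
SET GLOBAL default_password_lifetime = 90;                 -- days
ALTER USER 'app'@'10.0.1.%' PASSWORD EXPIRE INTERVAL 30 DAY;
ALTER USER 'batch'@'localhost' PASSWORD EXPIRE NEVER;      -- service account rotated out of band

-- Accounts without passwords (5.7 stores the hash in authentication_string).
-- Expect an empty set; anything listed must get a password or be removed.
SELECT user, host, plugin FROM mysql.user WHERE authentication_string = '';

-- Disable an account that is not in use instead of deleting it (5.7 account lockout);
-- its grants survive, but logins fail with ERROR 3118 (HY000): Access denied ... Account is locked.
ALTER USER 'legacy_report'@'localhost' ACCOUNT LOCK;
-- Re-enable when it is needed again.
ALTER USER 'legacy_report'@'localhost' ACCOUNT UNLOCK;
```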
MySQL Database Hardening: Encryption
• Encrypted communication and more
• SSL/TLS encrypted for transport
• X.509 adds an additional "factor" – something you have – in addition to username/password or other authentication – Assures the client is validated, thus more likely trusted
• Use database and application level encryption of highly sensitive data
• Use database or application functions to mask or de-identify data – Personal IDs, credit cards, …
• Consider public keys for applications that encrypt only
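An added example, not from the deck, covering the SSL/TLS slide and the X.509 "additional factor" point above: per-account TLS and certificate requirements, and how to verify a session is actually encrypted. It assumes a MySQL 5.7 server started with valid ssl-ca/ssl-cert/ssl-key options; account names, hosts and certificate subjects are constructed.

```sql
-- Confirm TLS is available before requiring it of any account.
SHOW VARIABLES LIKE 'have_ssl';            -- YES when the ssl-* options are valid

-- Transport encryption only: the client must use TLS but need not present a certificate.
CREATE USER 'app'@'10.0.1.%' IDENTIFIED BY 'CHANGE_ME_app_password' REQUIRE SSL;

-- X.509 as the "something you have" factor: the client must present a certificate
-- that chains to the server's CA, and its subject and issuer must match exactly.
CREATE USER 'batch'@'10.0.3.%' IDENTIFIED BY 'CHANGE_ME_batch_password'
  REQUIRE SUBJECT '/C=GB/O=Example Ltd/CN=batch-runner'
      AND ISSUER  '/C=GB/O=Example Ltd/CN=Example Internal CA';

-- Tighten an existing account (e.g. the replication user) without recreating it:
-- any CA-trusted client certificate is accepted.
GRANT USAGE ON *.* TO 'replica'@'10.0.0.5' REQUIRE X509;

-- Inside a session: an empty Ssl_cipher means the connection is plaintext.
SHOW STATUS LIKE 'Ssl_cipher';
SHOW STATUS LIKE 'Ssl_version';

-- Review: which accounts still have no TLS requirement at all.
SELECT user, host, ssl_type FROM mysql.user WHERE ssl_type = '';

-- Server-wide (5.7.8+): refuse every non-TLS TCP connection regardless of account.
SET GLOBAL require_secure_transport = ON;
```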
MySQL Database Hardening: Backups
• Backups are business critical – Used to restore after attack – Migrate, move or clone server – Part of audit trail
• Regularly scheduled backups
• Monitor backups
• Encrypt backups
Applications and Credentials - Best Practices
• Applications – minimize sharing of credentials (username/password) – The finer grained the better – don't overload one credential across many applications/servers
• Should enable support for credential rotation – Do not require all passwords to be changed in synchronization. – Facilitates better troubleshooting and root-cause analysis.
• Steps to changing credentials should be secure and straightforward – Not embedded in your code – Can be changed without redeploying an application
• Should never be stored in version control and must differ between environments.
• Applications should get credentials using a secure configuration methodology.
MySQL Enterprise Edition
• MySQL Enterprise Authentication – External authentication modules: Microsoft AD, Linux PAMs
• MySQL Enterprise Encryption – Public/private key cryptography – Asymmetric encryption – Digital signatures, data validation
• MySQL Enterprise Firewall – Block SQL injection attacks – Intrusion detection
• MySQL Enterprise Audit – User activity auditing, regulatory compliance
• MySQL Enterprise Monitor – Changes in database configurations, user permissions, database schema, passwords
• MySQL Enterprise Backup – Securing backups, AES 256 encryption
MySQL Enterprise Monitor
• Enforce MySQL security best practices – Identifies vulnerabilities – Assesses current setup against security hardening policies
• Monitoring & alerting – User monitoring – Password monitoring – Schema change monitoring – Backup monitoring – Configuration management – Configuration tuning advice
• Centralized user management

"I definitely recommend the MySQL Enterprise Monitor to DBAs who don't have a ton of MySQL experience. It makes monitoring MySQL security, performance and availability very easy to understand and to act on."
Sandi Barr, Sr. Software Engineer, Schneider Electric
Oracle Enterprise Manager for MySQL (Performance, Security, Availability)
• Availability monitoring
• Performance monitoring
• Configuration monitoring
• All available metrics collected – Allowing for custom threshold based incident reports
• MySQL auto-detection
MySQL Enterprise Firewall
• Real time protection – Queries analyzed and matched against white list
• Blocks SQL injection attacks – Block out of policy transactions
• Intrusion detection – Detect and alert on out of policy transactions
• Learns white list – Automated creation of approved list of SQL command patterns on a per user basis
• Transparent – No changes to application required
(Screenshot: MySQL Enterprise Firewall monitoring)
MySQL Enterprise Firewall
• Block SQL injection attacks – Allow: SQL statements that match whitelist – Block: SQL statements that are not on whitelist
• Intrusion detection system – Detect: SQL statements that are not on whitelist – SQL statements execute and alert administrators
(Diagram: applications send SQL through the white list. "Select *.* from employee where id=22" is allowed ✔; "Select *.* from employee where id=22 or 1=1" is blocked ✖, or in intrusion detection mode, detected with an alert.)
MySQL Enterprise Firewall: Overview (diagram)
Inbound SQL traffic from web applications on the Internet, including SQL injection attacks via browser, passes through MySQL Enterprise Firewall in front of the instance, where it is (1) allowed, (2) blocked, or (3) detected.
MySQL Enterprise Firewall: Operating Modes (diagram)
1. ALLOW – In whitelist – Execute SQL – SQL matches whitelist (allows "matching" SQL)
2. BLOCK – Not in whitelist – Block the request – Block and alert (blocks SQL attacks)
3. DETECT (IDS) – Not in whitelist – Execute SQL & alert – Allow and alert (allows SQL & alerts)
MySQL Enterprise Firewall Workflow (flowchart)
1. Receive SQL from client.
2. Digest into parser tokens.
3. Check user Firewall mode: Off – execute SQL; Recording – store SQL digest in Firewall whitelist, then execute SQL; Protect or Detect – check whether the digest is in the whitelist.
4. In whitelist? Yes – execute SQL. No – in Detect mode, send Firewall alert to error log and execute SQL; in Protect mode, send Firewall alert to error log and reject SQL.
MySQL Enterprise Firewall Details
• Firewall operation is turned on at a per user level
• Per user states are – RECORDING – PROTECTING – DETECTING – OFF
(Screenshot: MySQL Workbench: Firewall Status)
(Screenshot: MySQL Enterprise Firewall: Per User Whitelists)
MySQL Enterprise Firewall: What happens when SQL is blocked in Protect Mode?
• The client application gets an ERROR:
mysql> SELECT first_name, last_name FROM customer WHERE customer_id = 1 OR TRUE;
ERROR 1045 (28000): Statement was blocked by Firewall
mysql> SHOW DATABASES;
ERROR 1045 (28000): Statement was blocked by Firewall
mysql> TRUNCATE TABLE mysql.user;
ERROR 1045 (28000): Statement was blocked by Firewall
• Reported to the error log
• Increment counter
MySQL Enterprise Firewall: Monitoring (screenshot: Firewall status counters)
MySQL Enterprise Firewall: Whitelist Example
mysql> SELECT userhost, substr(rule,1,80) FROM mysql.firewall_whitelist WHERE userhost='wpuser@localhost';
+------------------+----------------------------------------------------------------------------------+
| userhost | substr(rule,1,80) |
+------------------+----------------------------------------------------------------------------------+
| wpuser@localhost | SELECT * FROM `wp_posts` WHERE `ID` = ? LIMIT ? |
| wpuser@localhost | SELECT `option_value` FROM `wp_options` WHERE `option_name` = ? LIMIT ? |
| wpuser@localhost | SELECT `wp_posts` . * FROM `wp_posts` WHERE ? = ? AND `wp_posts` . `ID` = ? AND |
...
| wpuser@localhost | UPDATE `wp_posts` SET `comment_count` = ? WHERE `ID` = ? |
| wpuser@localhost | SELECT `t` . * , `tt` . * FROM `wp_terms` AS `t` INNER JOIN `wp_term_taxonomy` A |
| wpuser@localhost | SELECT `t` . * , `tt` . * FROM `wp_terms` AS `t` INNER JOIN `wp_term_taxonomy` A |
+------------------+----------------------------------------------------------------------------------+
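An added example, not from the deck, tying together the per-user states, the workflow and the whitelist listing above: the RECORDING to PROTECTING lifecycle for the wpuser@localhost account, with the review and monitoring steps in between. It assumes MySQL Enterprise Firewall is already installed (the stored procedures and mysql.firewall_* tables it creates are used as documented).

```sql
-- 1. Learn: every distinct statement digest this account sends is stored.
CALL mysql.sp_set_firewall_mode('wpuser@localhost', 'RECORDING');
-- ... drive the application through its full workload: every page, admin action and cron job,
--     otherwise legitimate but rarely used statements will be blocked later.

-- 2. Review before enforcing. Rules are normalised digests, so "WHERE ID = 1" and
--    "WHERE ID = 99" collapse into the single rule "WHERE `ID` = ?" shown above.
SELECT userhost, rule FROM mysql.firewall_whitelist WHERE userhost = 'wpuser@localhost';

-- 3. Trial run: out-of-whitelist statements still execute but are reported to the error log.
CALL mysql.sp_set_firewall_mode('wpuser@localhost', 'DETECTING');

-- 4. Enforce: anything outside the whitelist is rejected with
--    ERROR 1045 (28000): Statement was blocked by Firewall
CALL mysql.sp_set_firewall_mode('wpuser@localhost', 'PROTECTING');

-- Current mode of every firewalled account.
SELECT userhost, mode FROM mysql.firewall_users;

-- Monitoring: the "increment counter" step. A rising Firewall_access_denied for an
-- account in PROTECTING (or Firewall_access_suspicious in DETECTING) is the signal to
-- investigate in the error log.
SHOW GLOBAL STATUS LIKE 'Firewall_%';
-- Firewall_access_denied | Firewall_access_granted | Firewall_access_suspicious | Firewall_cached_entries

-- Switch the firewall off for the account; its rules are kept for re-enabling later.
CALL mysql.sp_set_firewall_mode('wpuser@localhost', 'OFF');
```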
MySQL Enterprise Authentication
• Integrate with centralized authentication infrastructure – Centralized account management – Password policy management – Groups & roles
• PAM (Pluggable Authentication Modules) – Standard interface (Unix, LDAP, Kerberos, others)
• Windows – Access native Windows service – Use to authenticate users using Windows Active Directory or to a native host
Integrates MySQL with existing security infrastructures
MySQL Enterprise Authentication: PAM
• Standard interface – LDAP – Unix/Linux
• Proxy users

MySQL Enterprise Authentication: Windows
• Windows Active Directory
• Windows Native Services
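An added example, not from the deck, of the PAM plus proxy-users setup the PAM slide refers to: OS or LDAP groups are mapped onto MySQL accounts that hold the privileges, so account management stays centralized. The PAM service name mysql, the groups dba and dev, the schema shop and the account names are constructed; /etc/pam.d/mysql must exist on the server host.

```sql
INSTALL PLUGIN authentication_pam SONAME 'authentication_pam.so';

-- Proxied accounts carry the privileges. Nobody logs in to them directly, so their
-- passwords are only there to satisfy the password policy.
CREATE USER 'dbadmin'@'localhost' IDENTIFIED BY 'CHANGE_ME_no_direct_login_1';
GRANT ALL PRIVILEGES ON *.* TO 'dbadmin'@'localhost' WITH GRANT OPTION;
CREATE USER 'developer'@'localhost' IDENTIFIED BY 'CHANGE_ME_no_direct_login_2';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'developer'@'localhost';

-- One anonymous PAM-authenticated account. The auth string names the PAM service and
-- maps PAM group -> proxied MySQL user; the first group that matches wins.
CREATE USER ''@'' IDENTIFIED WITH authentication_pam AS 'mysql, dba=dbadmin, dev=developer';
GRANT PROXY ON 'dbadmin'@'localhost'   TO ''@'';
GRANT PROXY ON 'developer'@'localhost' TO ''@'';

-- Inside a session: USER() is the OS identity that authenticated, CURRENT_USER() the
-- proxied account whose privileges apply; both appear in the audit log.
SELECT USER(), CURRENT_USER(), @@proxy_user;

-- Review: which proxy mappings exist (rows in the proxies_priv grant table).
SELECT host, user, proxied_host, proxied_user FROM mysql.proxies_priv;
```

PAM authentication needs the cleartext client plugin (mysql --enable-cleartext-plugin), so it should be combined with a REQUIRE SSL account restriction so the password never crosses the network unencrypted.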
MySQL Enterprise Encryption
• MySQL encryption functions – Symmetric encryption AES256 (all editions) – Public-key / asymmetric cryptography – RSA
• Key management functions – Generate public and private keys – Key exchange methods: DH
• Sign and verify data functions – Cryptographic hashing for digital signing, verification, & validation – RSA, DSA
MySQL Enterprise Encryption (diagrams)
• Encryption/Decryption within MySQL: sensitive data is encrypted with the public key and decrypted with the private key inside MySQL. Private/public key pairs are generated using MySQL Enterprise Encryption functions, or externally generated (e.g. OpenSSL).
• App Encrypts / MySQL Decrypts: applications encrypt sensitive data with the public key; MySQL decrypts the encrypted data with the private key.
• App Encrypts / MySQL Stores / MySQL Decrypts: applications encrypt with the public key, MySQL stores the encrypted data and decrypts it with the private key for applications.
• Oracle Key Vault Generates Keys (or externally generated, e.g. OpenSSL): keys are generated using Oracle Key Vault; applications encrypt with the public key and MySQL decrypts with the private key.
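An added example, not from the deck, walking through the function list and the "Encryption/Decryption within MySQL" diagrams above with the MySQL Enterprise Encryption functions (openssl_udf.so): key generation, public-key encryption of a sensitive field, private-key decryption, and signing/verification. The table card_vault and the data values are constructed; the function names and signatures are the documented ones.

```sql
-- Register the functions once per server.
CREATE FUNCTION create_asymmetric_priv_key RETURNS STRING  SONAME 'openssl_udf.so';
CREATE FUNCTION create_asymmetric_pub_key  RETURNS STRING  SONAME 'openssl_udf.so';
CREATE FUNCTION asymmetric_encrypt         RETURNS STRING  SONAME 'openssl_udf.so';
CREATE FUNCTION asymmetric_decrypt         RETURNS STRING  SONAME 'openssl_udf.so';
CREATE FUNCTION create_digest              RETURNS STRING  SONAME 'openssl_udf.so';
CREATE FUNCTION asymmetric_sign            RETURNS STRING  SONAME 'openssl_udf.so';
CREATE FUNCTION asymmetric_verify          RETURNS INTEGER SONAME 'openssl_udf.so';

-- Key pair, generated in MySQL. PEM text from OpenSSL or Oracle Key Vault can be
-- used in exactly the same way (the "externally generated" path in the diagrams).
SET @priv = create_asymmetric_priv_key('RSA', 2048);
SET @pub  = create_asymmetric_pub_key('RSA', @priv);
-- Only @pub is distributed to hosts that encrypt; @priv stays with whoever decrypts.

-- Encrypt a sensitive field with the public key. RSA-2048 with PKCS#1 padding limits
-- the plaintext to a few hundred bytes, which suits PAN-sized values, not documents.
SET @pan = '4111111111111111';                    -- constructed test card number
SET @enc = asymmetric_encrypt('RSA', @pan, @pub);  -- 256 bytes of ciphertext for a 2048-bit key

CREATE TABLE card_vault (id INT PRIMARY KEY, pan_enc VARBINARY(256) NOT NULL);
INSERT INTO card_vault VALUES (1, @enc);
-- In the "App Encrypts" variants, the application performs this asymmetric_encrypt step
-- itself (e.g. with OpenSSL and the same public key) and only the ciphertext reaches MySQL.

-- Decrypt only where the private key is present.
SELECT id, asymmetric_decrypt('RSA', pan_enc, @priv) AS pan FROM card_vault WHERE id = 1;

-- Digital signature over a digest (data validation): verify returns 1 for the original
-- data and 0 once the data or the signature has been altered.
SET @dig = create_digest('SHA256', @pan);
SET @sig = asymmetric_sign('RSA', @dig, @priv, 'SHA256');
SELECT asymmetric_verify('RSA', @dig, @sig, @pub, 'SHA256')                               AS signature_ok; -- 1
SELECT asymmetric_verify('RSA', create_digest('SHA256', 'tampered'), @sig, @pub, 'SHA256') AS tampered_ok;  -- 0
```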
MySQL Enterprise Audit
• Out-of-the-box logging of connections, logins, and queries
• User defined policies for filtering, and log rotation
• Dynamically enabled, disabled: no server restart
• XML-based audit stream per Oracle Audit Vault spec
Adds regulatory compliance to MySQL applications (HIPAA, Sarbanes-Oxley, PCI, etc.)
(Diagram: 1. DBA enables Audit plugin; 2. User Joe connects and runs a query; 3. Joe's connection & query logged)
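An added example, not from the deck, of the three steps in the diagram above on MySQL 5.7: the DBA enables the audit plugin without a restart, sets filtering and rotation policy, and can then see Joe's connection and query in the XML stream. The user joe is constructed; the record lines are abridged from the documented NEW audit log format.

```sql
-- 1. DBA enables the plugin: dynamically, no server restart.
INSTALL PLUGIN audit_log SONAME 'audit_log.so';

-- Filtering policy (5.7, dynamic): log all connection events and all statements.
-- Use 'ERRORS' to keep only failed logins / failed statements, 'NONE' to drop a class.
-- (5.6 uses the single audit_log_policy = ALL | LOGINS | QUERIES | NONE instead.)
SET GLOBAL audit_log_connection_policy = 'ALL';
SET GLOBAL audit_log_statement_policy  = 'ALL';

-- Rotation: start a new file once the current one reaches 1 GiB (0 = manual rotation).
SET GLOBAL audit_log_rotate_on_size = 1073741824;
-- Manual rotation when rotate_on_size is 0: rename the file on disk, then
SET GLOBAL audit_log_flush = ON;

-- Check the running configuration (audit_log_file, audit_log_format, audit_log_strategy ...).
SHOW VARIABLES LIKE 'audit_log_%';

-- 2./3. After "User Joe connects and runs a query", the XML stream contains, abridged:
-- <AUDIT_RECORD NAME="Connect" CONNECTION_ID="9" STATUS="0" USER="joe" HOST="localhost" .../>
-- <AUDIT_RECORD NAME="Query"   CONNECTION_ID="9" STATUS="0" USER="joe[joe] @ localhost []"
--               COMMAND_CLASS="select" SQLTEXT="SELECT ..." .../>
-- A failed login appears as NAME="Connect" with a non-zero STATUS, which is what a
-- brute-force detection rule should count per USER and HOST.
```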
MySQL Enterprise Backup
• Online backup for InnoDB (scriptable interface)
• Full, incremental, partial backups (with compression)
• Strong encryption (AES 256)
• Point in time, full, partial recovery options
• Metadata on status, progress, history
• Scales – High performance/unlimited database size
• Windows, Linux, Unix
• Certified with Oracle Secure Backup, NetBackup, Tivoli, others
MySQL Enterprise Oracle Certifications
• Oracle Enterprise Manager for MySQL
• Oracle Linux (w/DRBD stack)
• Oracle VM
• Oracle Solaris
• Oracle Solaris Clustering
• Oracle Clusterware
• Oracle Audit Vault and Database Firewall
• Oracle Secure Backup
• Oracle Fusion Middleware
• Oracle GoldenGate
• My Oracle Support
MySQL integrates into your Oracle environment
Oracle Audit Vault and Database Firewall
• Oracle DB Firewall – Oracle, MySQL, SQL Server, IBM DB2, Sybase – Activity monitoring & logging – White list, black list, exception list
• Audit Vault – Built-in compliance reports – External storage for audit archive

Thank You