What's new in MySQL 8.0 security

在本课程中,我们将概述MySQL8.0中的所有新安全特性,以及它们如何结合在一起以应对现代安全挑战。MySQL8在加强MySQL安装的安全性方面迈出了新的一步,提供了新的灵活工具,包括全新的默认身份验证方法、SQL角色、透明磁盘加密的增强功能,以及有关密码重用、复杂性和暴力破解密码的现代密码控制。猜剑。

展开查看详情

1.MySQL 8.0 What’s New in Security ? Georgi “Joro” Kodinov MySQL SrvGen Team Lead Copyright © 2018, Oracle and/or its affiliates. All rights reserved. |

2.Safe Harbor Statement The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, timing, and pricing of any features or functionality described for Oracle’s products may change and remains at the sole discretion of Oracle Corporation. Copyright © 2018, Oracle and/or its affiliates. All rights reserved. |

3.Program Agenda 1 Security Challenges 2 New Security Features in MySQL 8 3 New Security Features in MySQL Enterprise Edition 4 MySQL Security Architecture Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 3

4.Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 4

5.Cost of Data Breaches Small to Medium Breaches Mega Breaches $7.000.000 $400.000.000 $6.3M $350M $350.000.000 $325M $6.000.000 $300.000.000 $279M $5.000.000 $4.6M $250.000.000 $4.000.000 $199M $200.000.000 $3.000.000 $2.8M $150.000.000 $1.9M $2.000.000 $100.000.000 $1.000.000 $50.000.000 $0 $0 Less than 10,000 10,000 to 25,000 25,001 to 50,000 Greater than 20 Million 30 Million 40 Million 50 Million 50,000 Records Records Source: Ponemon Institute, 2018 Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 5

6.Regulatory Compliance • Regulations – PCI – DSS: Payment Card Data – HIPAA: Privacy of Health Data – Sarbanes Oxley, GLBA, The USA Patriot Act: Financial Data, NPI "personally identifiable financial information" – FERPA – Student Data – EU General Data Protection Directive: Protection of Personal Data (GDPR) – Data Protection Act (UK): Protection of Personal Data • Requirements – Continuous Monitoring (Users, Schema, Backups, etc.) – Data Protection (Encryption, Privilege Management, etc.) – Data Retention (Backups, User Activity, etc.) – Data Auditing (User activity, etc.) Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 6

7.How to Secure your Databases Assess  Locate Risks and Vulnerabilities, Ensure that necessary security controls are Prevent  Using Cryptography, User Controls, Access Controls, etc Detect  Still a possibility of a breach – so Audit, Monitor, Alert Recover  Ensure service is not interrupted as a result of a security incident  Even through the outage of a primary database  Forensics – post mortem – fix vulnerability Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 7

8.New Security Features in MySQL 8.0 Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 8

9.MySQL Security Overview Authentication Authorization Encryption MySQL Security Firewall Auditing New! Masking/De-Identification • Available in 5.7.24 & 8.0.13 • Will be in MySQLaaS as well Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 9

10.New! MySQL Roles Improving MySQL Access Controls Feature Request • Introduced in the 8.0.0 DMR from DBAs • Easier to manage user and applications rights • As standards compliant as practically possible • Multiple default roles Directly Default Role(s) • Can export the role graph in GraphML Set of ACLS Indirectly Set Role(s) Set of ACLS Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 10

11.SQL Roles Implementation In a Nutshell • A role is a user account with login disabled. • A memory based hash of flattened privilege sets for each active role • 2 new tables: mysql.role_edges and mysql.default_roles • 2 new SQL functions: CURRENT_ROLE() and ROLE_GRAPHML() • 3 new global privileges: CREATE ROLE, DROP ROLE and ROLE_ADMIN • Extensions to: ALTER USER, GRANT/REVOKE, SET and SHOW GRANTS Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 11

12.SQL Roles Implementation: MySQL Extras • Roles can have an optional host part (not currently used) • Pre-roles ACL code is used when there’s no active role(s) • Users can be assigned several roles • Users can have zero or more default roles • Active Roles can be changed – from various assigned roles – For example just escalate or change privileges from within an application for certain operations Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 12

13.Role Examples Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 13

14.MySQL Enterprise Masking and De-Identification New in MySQL 8.0.13 AND 5.7.24! • Data De-identification helps database customers improve security • Accelerates compliance for – Government – GDPR, CHHS – Financial - PCI – Healthcare – HIPAA, Clinic Trials Data • Reduce IT costs by simplifying sanitizing production data – Transforming sensitive data for use in analytics, testing, development, and more Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 14

15.NEW! MySQL Enterprise Masking and De-Identification De-identify, Anonymize Sensitive Data Employee Table ID Last First SSN "Data Masking is a method to hide 1111 Smith John 555-12-5555 1112 Templeton Richard 444-12-4444 sensitive information by replacing real values with substitutes.” Random Data Generation Masked View ID Last First SSN 2874 Smith John XXX-XX- 5555 3281 Templeton Richard XXX-XX- 4444 Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 15

16.MySQL Enterprise Masking and De-Identification Data Masking and Random Data Generation • Data Masking • Random Data Generators – String masking – Random number within a range – Dictionary based replacement – Email – Specific masking – Payment card (Luhn check compliant) • SSN – SSN • Payment card : Strict/Relaxed – Dictionary based generation Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 16

17.MySQL Enterprise Masking and De-Identification Data Masking • String data masking – Mask a substring within a string : ArthXXXXnt – Mask substrings at the beginning and at the end : • XXthurDeXX • SSN masking : XXXX-XX-1234 • Payment Card masking – Strict: XXXXXXXXXXXXXXX7395, Relaxed: 493812XXXXXXXXX7395 • Dictionary based masking – gen_blacklist(“007”, “00designations”, “Cover_identity”) => Universal Exports Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 17

18.MySQL Enterprise Masking and De-Identification Random Data Generation • Random data within range – gen_range(10000, 20000) => 12503 • Email : kajsm.hamskdk@example.com • Payment card : 7389026626032990 – Configurable length : 12 to 19 digits • SSN : 915-63-3858 • US Phone number : 1-555-3456-332 Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 18

19.MySQL Enterprise Masking and De-Identification Dictionary based data generation, data blacklists • Load multiple dictionaries – Maps dictionary file => dictionary name – In memory data for faster retrieval • Generation based on dictionary data – gen_dictionary(“periodictable”) => Oxygen – If 007 on the blacklist then substitute otherwise provide random value • Blacklisted – 007 – thus randomly substituted from Jobs Dictionary – gen_blacklist(“007”, “Job_mask", “Jobs") => “Accountant” • Not blacklisted – Administrator – thus passes through – gen_blacklist(“Administrator”, “Job_mask", “Jobs") => “Administrator” Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 19

20.Data Masking Examples Copyright © 2018, Oracle and/or its affiliates. All rights reserved. |

21. Integrates MySQL with existing MySQL Enterprise Authentication security infrastructures • Integrate with Centralized Authentication Infrastructure – Centralized Account Management – Password Policy Management – Groups & Roles Supports – Windows Active Directory (for windows MySQL servers) – Linux PAM (Pluggable Authentication Modules) – New Native LDAP • Ultra Fast and Flexible • Works with Windows AD (even on non-windows MySQL servers) Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 21

22.MySQL Enterprise Authentication: Native LDAP • Direct Connection over LDAP Protocol/Ports • Authentication with Connector – User and Password 2) SASL – or SASL 1) User/Password Or • Customizable for users 2) SASL SASLD and groups Port:389 LDAP Tree Dir MySQL Native LDAP Service Plugin Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 22

23.New! Atomic ACL Statements • Long standing MySQL issue! Feature Request – For Replication, HA, Backups, etc. from DBAs • Possible now - ACL tables reside in 8.0 InnoDB Data Dictionary • Not just a table operation: memory caches need update too • Applies to statements performing multiple logical operations, e.g. – CREATE USER u1, u2 – GRANT SELECT ON *.* TO u1, u2 • Uses a custom MDL lock to block ACL related activity – While altering the ACL caches and tables Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 23

24.New! Dynamic Privileges Provides finer grained administrative level access controls • Too often SUPER is required for tasks when less privilege is really needed – Support concept of “least privilege” • Needed to allow adding administrative access controls – Now can come with new components – Examples • Replication • HA • Backup Feature Request • Give us your ideas from DBAs Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 24

25.Why Dynamic Global Privileges? • How to add a new global privilege (the 5.7 version) – Add a column in mysql.user – Extend the parser – Amend ACL cache code: reading, caching, writing, upgrade, … – Add checks for the new privilege • Not possible from a plugin ! • Abuse of existing privileges (SUPER) ! • The SUPER-potent SUPER ! Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 25

26.How Do Dynamic Privileges Work ? • Provides new component service – Can add, remove and check global privileges • Only GRANTs are persisted – Stored in mysql.global_grants • Uses the familiar – GRANT <dynamic_acl> ON *.* TO … syntax Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 26

27.MySQL Password Features • New! Password Management – Require new passwords not reuse old ones - By number of changes and/or time. – Password-reuse (aka Password History) • Policy can be set globally as well as on a per-account basis. – New in 8.0.13: Can require old password when changing too • New! SHA2 with Caching. Now Default ! – Strong (when storing) and Fast (when connecting) • Strong - SHA-256 password hashing (many rounds, random salt, …) • Fast – Caching: Greatly reduces latency • New! Seamless RSA password-exchange capabilities (Lowers SSL Costs) Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 27

28.MySQL Password Policies – Review • Accounts without Passwords – Assign passwords to all accounts to prevent unauthorized use • Password Validation Plugin – Enforce Strong Passwords • Password Expiration/Rotation – Require users to reset their password • Account lockout (in v. 5.7) • Password Retry Rules (in v. 5.7.16+) • New! Password History (in v. 8.0) Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 28

29.New! OpenSSL Dynamically Linked / FIPS Module Support • Dynamically Linked in 8.0 CAN – Use optimized OpenSSL Libraries (use AES-NI acceleration) – Be patched without MySQL Upgrade – Run with OpenSSL FIPS Object Module • Meeting US Federal Requirements • Provides confidentiality, integrity and message digest services. – Leverage OpenSSL engines (HSMs etc.) • Moves cryptography off CPU - dedicated cryptography devices • Meeting more stringent security requirements • May improve performance Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | 29