SlideShare a Scribd company logo

Enhancing MySQL Security

V
Vinicius M Grippa

Security is always a challenge when its comes to data. Moreso, regulations like GDPR add a whole new layer on top of it, with rules more and more restrictive to access and manipulate data. Join us in this presentation to check security best practices as well as traditional and new features available for MySQL, including features coming with the new MySQL 8. In this talk, DBAs and sysadmins will walk through the security features available on the OS and MySQL. These features include: SO security SSL ACL TDE Audit Plugin MySQL 8 features (undo, redo, and binlog encryption) New caching_sha2_password Roles Password Management FIPS mode

Technology
1 of 65
Download to read offline
© 2019 Percona1 Enhancing MySQL Security Vinicius M. Grippa Senior Support Engineer for MySQL/MongoDB vinicius.grippa@percona.com
© 2019 Percona2 ▪ Support Engineer at Percona since 2017 ▪ Working with MySQL for over six years ▪ Working with databases for over nine years ▪ Speaker at PL 2018 and meetups about MySQL/MongoDB About Me
© 2019 Percona3 Basic Principles • Minimum access • Isolate • Audit • Avoid spying • Default firewall
© 2019 Percona4 Agenda ▪ SO/Cloud security ▪ SSL ▪ Password management ▪ Audit plugin ▪ Percona Server encryption features ▪ MySQL 8 features (undo, redo encryption) ▪ TDE ▪ New caching_sha2_password ▪ FIPS mode ▪ Roles
© 2019 Percona5 OS/Cloud Security
© 2019 Percona6 OS/Cloud Security • Uninstall services that are not used • Do not run compilers • Firewalls • Block internet access • Disable remote root login • Use of SSH Key
© 2019 Percona7 OS/Cloud Security • Use of Amazon Virtual Private Cloud (VPC) • Use AWS Identity and Access Management (IAM) policies • Use security groups
© 2019 Percona8 OS/Cloud Security
© 2019 Percona9 OS/Cloud Security
© 2019 Percona10 OS/Cloud Security
© 2019 Percona11 SSL
© 2019 Percona12 SSL • Move information over a network in a secure fashion • SSL provides an way to cryptograph the data • Default for MySQL 5.7 or higher • Certificates ▪ MySQL 5.7 • mysql_ssl_rsa_setup ▪ MySQL 5.6 • openssl
© 2019 Percona13 mysql > show global variables like '%ssl%'; +---------------+-----------------+ | Variable_name | Value | +---------------+-----------------+ | have_openssl | YES | | have_ssl | YES | | ssl_ca | ca.pem | | ssl_capath | | | ssl_cert | server-cert.pem | | ssl_cipher | | | ssl_crl | | | ssl_crlpath | | | ssl_key | server-key.pem | +---------------+-----------------+ 9 rows in set (0.03 sec) SSL
© 2019 Percona14 SSL mysql: root@localhost ((none)) GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'%' IDENTIFIED BY 'sekret' REQUIRE SSL; Query OK, 0 rows affected, 1 warning (0.00 sec) Query OK, 0 rows affected (0.01 sec) [root@node1 ~]# mysql -ussluser -psekret --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem --ssl-ca=/var/lib/mysql/ca.pem -h 127.0.0.1 -P 3306 -e "s"| grep SSL mysql: [Warning] Using a password on the command line interface can be insecure. SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
© 2019 Percona15 It is also possible to set ssl-mode to ensure that all connections use SSL. This option is available only for client programs, not the server. [client] ssl-mode=required SSL
© 2019 Percona16 SSL
© 2019 Percona17 Password Management
© 2019 Percona18 Password Management • Password expiration • validate_password plugin
© 2019 Percona19 Password Expiration • MySQL enables database administrators to expire account passwords manually, and to establish a policy for automatic password expiration. Expiration policy can be established globally, and individual accounts can be set to either defer to the global policy or override the global policy with specific per-account behavior.
© 2019 Percona20 Password Expiration Individual Accounts mysql> create user test_expired_user@localhost identified by 'Sekr$K1et' PASSWORD EXPIRE INTERVAL 1 day; Query OK, 0 rows affected (0.01 sec) Globally mysql> SET GLOBAL default_password_lifetime = 1;
© 2019 Percona21 Password Expiration mysql: test_expired_user@localhost ((none)) > show databases; ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
© 2019 Percona22 validate_plugin Its main purpose is to test passwords and improve security. It is possible to ensure the strength, length and required characters of the password.
© 2019 Percona23 validate_plugin - Installing # Runtime mysql: root@localhost ((none)) > INSTALL PLUGIN validate_password SONAME 'validate_password.so'; Query OK, 0 rows affected (0.07 sec) # my.cnf [mysqld] plugin-load-add=validate_password.so
© 2019 Percona24 validate_plugin - Validate mysql: root@localhost ((none)) > show global variables like '%plugin%'; +-------------------------------+--------------------------+ | Variable_name | Value | +-------------------------------+--------------------------+ | default_authentication_plugin | mysql_native_password | | plugin_dir | /usr/lib64/mysql/plugin/ | +-------------------------------+--------------------------+ 2 rows in set (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'validate%'; +-------------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------------+---------------+ | validate_password | ACTIVE | +-------------------+---------------+ 1 row in set (0.00 sec)
© 2019 Percona25 validate_plugin - Example mysql: root@localhost ((none)) > set global validate_password_length = 6; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > set global validate_password_policy=2; Query OK, 0 rows affected (0.00 sec)
© 2019 Percona26 validate_plugin - Example mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd12@'; Query OK, 0 rows affected (0.00 sec)
© 2019 Percona27 Audit Plugin
© 2019 Percona28 Audit Plugin ▪ MySQL Enterprise – Paid ▪ Percona Server (works with community version) – Free ▪ It is different from general log ▪ Filter by command / user / database
© 2019 Percona29 Audit Plugin - Installing mysql > INSTALL PLUGIN audit_log SONAME 'audit_log.so'; Query OK, 0 rows affected (0.05 sec) mysql > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'audit%'; +-------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------+---------------+ | audit_log | ACTIVE | +-------------+---------------+
© 2019 Percona30 Audit Plugin [mysqld] ## Audit Logging ## audit_log_policy=ALL audit_log_format=JSON audit_log_file=/var/log/mysql/audit.log audit_log_rotate_on_size=1024M audit_log_rotations=10
© 2019 Percona31 Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_buffer_size | 1048576 | | audit_log_exclude_accounts | | | audit_log_exclude_commands | | | audit_log_exclude_databases | | | audit_log_file | /var/log/mysql/audit.log | | audit_log_flush | OFF | | audit_log_format | JSON | | audit_log_handler | FILE | | audit_log_include_accounts | | | audit_log_include_commands | | | audit_log_include_databases | |
© 2019 Percona32 Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_policy | ALL | | audit_log_rotate_on_size | 1073741824 | | audit_log_rotations | 10 | | audit_log_strategy | ASYNCHRONOUS | | audit_log_syslog_facility | LOG_USER | | audit_log_syslog_ident | percona-audit | | audit_log_syslog_priority | LOG_INFO | +-----------------------------+--------------------------+ 18 rows in set (0.02 sec)
© 2019 Percona33 Percona Server Encryption Features
© 2019 Percona34 Percona Server Encryption Percona server provides extra encryption: • encrypt_binlog • encrypt_tmp_files • innodb_encrypt_online_alter_logs • innodb_encrypt_tables – BETA quality • innodb_parallel_dblwr_encrypt – ALPHA quality • innodb_sys_tablespace_encrypt – ALPHA quality • innodb_temp_tablespace_encrypt – BETA quality
© 2019 Percona35 Percona Server Encryption [mysqld] # Binary Log Encryption encrypt_binlog master_verify_checksum = 1 binlog_checksum = 1 mysql: root@localhost ((none)) > show global variables like '%encrypt_binlog%'; +----------------+-------+ | Variable_name | Value | +----------------+-------+ | encrypt_binlog | ON | +----------------+-------+ 1 row in set (0.00 sec)
© 2019 Percona36 Percona Server Encryption mysql: root@localhost ((none)) > show global variables like '%encrypt%'; +----------------------------------+-------------+ | Variable_name | Value | +----------------------------------+-------------+ | block_encryption_mode | aes-128-ecb | | encrypt_binlog | ON | | encrypt_tmp_files | OFF | | innodb_encrypt_online_alter_logs | OFF | | innodb_encrypt_tables | OFF | | innodb_parallel_dblwr_encrypt | OFF | | innodb_sys_tablespace_encrypt | OFF | | innodb_temp_tablespace_encrypt | OFF | +----------------------------------+-------------+ 8 rows in set (0.00 sec)
© 2019 Percona37 MySQL 8 Features (undo, redo encryption)
© 2019 Percona38 MySQL 8 - (undo, redo encryption) ▪ MySQL 8 extends tablespace encryption feature to redo log and undo log ▪ It is necessary using one of the Keyring plugins
© 2019 Percona39 MySQL 8 - (undo, redo encryption) The process is very straightforward, to enable the encryption on the redo log and the undo log: mysql> set global innodb_undo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> set global innodb_redo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> show global variables like '%log_encrypt%'; +-------------------------+-------+ | Variable_name | Value | +-------------------------+-------+ | innodb_redo_log_encrypt | ON | | innodb_undo_log_encrypt | ON | +-------------------------+-------+ 2 rows in set (0.00 sec)
© 2019 Percona40 Transparent Data Encryption(TDE)
© 2019 Percona41 Transparent Data Encryption (TDE) • Enables data-at-rest encryption in the database • Encryption and decryption occurs without any additional coding, data type or schema modifications
© 2019 Percona42 Transparent Data Encryption (TDE) [mysqld] # TDE early-plugin-load=keyring_file.so keyring-file-data=/var/lib/mysql-keyring/keyring mysql: root@localhost ((none)) > INSTALL PLUGIN keyring_udf SONAME 'keyring_udf.so'; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'keyring%'; +--------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +--------------+---------------+ | keyring_file | ACTIVE | | keyring_udf | ACTIVE | +--------------+---------
© 2019 Percona43 Transparent Data Encryption (TDE) mysql: root@localhost ((none)) > SELECT keyring_key_generate('MyKey', 'AES', 32); +------------------------------------------+ | keyring_key_generate('MyKey', 'AES', 32) | +------------------------------------------+ | 1 | +------------------------------------------+ 1 row in set (0.00 sec) mysql> CREATE TABLESPACE `amer_meeting1` ADD DATAFILE 'amer_meeting1.ibd' ENCRYPTION = 'Y' Engine=InnoDB; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='N'; ERROR 1478 (HY000): InnoDB: Tablespace `vgrippa` can contain only an ENCRYPTED tables. mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='Y'; Query OK, 0 rows affected (0.02 sec)
© 2019 Percona44 Transparent Data Encryption (TDE) A flag field in the INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES has bit number 13 set if tablespace is encrypted. mysql: root@localhost (test) > SELECT space, name, flag, (flag & 8192) != 0 AS encrypted FROM INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES WHERE name in ('vgrippa'); +-------+---------+-------+-----------+ | space | name | flag | encrypted | +-------+---------+-------+-----------+ | 156 | vgrippa | 10240 | 1 | +-------+---------+-------+-----------+ 1 row in set (0.00 sec)
© 2019 Percona45 caching_sha2_password
© 2019 Percona46 caching_sha2_password MySQL provides two authentication plugins that implement SHA-256 hashing for user account passwords: • sha256_password: Implements basic SHA-256 authentication • caching_sha2_password: Implements SHA-256 authentication (like sha256_password), but uses caching on the server side for better performance and has additional features for wider applicability. (In MySQL 5.7, caching_sha2_password is implemented only on the client)
© 2019 Percona47 caching_sha2_password mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec) mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec)
© 2019 Percona48 caching_sha2_password mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+----------------------------- --------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+----------------------------- --------------+ | vgrippa | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | | vgrippa1 | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | +----------+-----------+-----------------------+----------------------------- --------------+ 2 rows in set (0.00 sec)
© 2019 Percona49 Example # MySQL 8 [mysqld] default_authentication_plugin=caching_sha2_password mysql> CREATE USER 'sha2user'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'password'; Query OK, 0 rows affected (0.06 sec) mysql> select user,host, plugin from mysql.user where user like 'sha2user%'; +----------+-----------+-----------------------+ | user | host | plugin | +----------+-----------+-----------------------+ | sha2user | localhost | caching_sha2_password | +----------+-----------+-----------------------+ 1 row in set (0.00 sec)
© 2019 Percona50 Example mysql: root@localhost ((none)) > create user vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost ((none)) > create user vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec)
© 2019 Percona51 Example mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+--------------------------------------------- ---------------------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+--------------------------------------------- ---------------------------+ | vgrippa | localhost | caching_sha2_password | $A$005$)8?=V_"J75FFq |jUVMUZmnZ1t8aSybB4AISoj1MXdlseI0rQay6bGGlne8 | | vgrippa1 | localhost | caching_sha2_password | $A$005$zEZ;bEmj[hq1T!LFtqZzAB0hacxgwNfHM/gL6gBFHqY1wuozW2NO4Gj9958 | +----------+-----------+-----------------------+--------------------------------------------- ---------------------------+ 2 rows in set (0.01 sec)
© 2019 Percona52 FIPS Mode
© 2019 Percona53 FIPS • MySQL supports FIPS mode, if compiled using OpenSSL, and an OpenSSL library and FIPS Object Module are available at runtime • FIPS mode on the server side applies to cryptographic operations performed by the server. This includes replication (master/slave and Group Replication) and X Plugin, which run within the server. FIPS mode also applies to attempts by clients to connect to the server
© 2019 Percona54 Example mysql> show global variables like '%fips%'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | ssl_fips_mode | ON | +---------------+-------+ 1 row in set (0.01 sec) mysql> set global ssl_fips_mode=1; Query OK, 0 rows affected (0.06 sec)
© 2019 Percona55 Example mysql> select md5('a'); +----------------------------------+ | md5('a') | +----------------------------------+ | 00000000000000000000000000000000 | +----------------------------------+ 1 row in set, 1 warning (0.00 sec)
© 2019 Percona56 Example mysql> show warnings; +---------+-------+------------------------------------------------------------------- -----+ | Level | Code | Message | +---------+-------+------------------------------------------------------------------- -----+ | Warning | 11272 | SSL fips mode error: FIPS mode ON/STRICT: MD5 digest is not supported. | +---------+-------+------------------------------------------------------------------- -----+ 1 row in set (0.00 sec)
© 2019 Percona57 Example mysql> select sha2('a', 256); +------------------------------------------------------------------+ | sha2('a', 256) | +------------------------------------------------------------------+ | ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb | +------------------------------------------------------------------+ 1 row in set (0.00 sec)
© 2019 Percona58 Roles
© 2019 Percona59 Roles ● MySQL 8 comes with Roles feature. A role is a named collection of privileges. Like user accounts, roles can have privileges granted to and revoked from them. 59
© 2019 Percona60 Roles mysql> create role app_read; Query OK, 0 rows affected (0.03 sec) mysql> grant select on *.* to app_read; Query OK, 0 rows affected (0.04 sec) 60
© 2019 Percona61 Roles mysql> select * from app_db.joinit; ERROR 1142 (42000): SELECT command denied to user 'test_role'@'localhost' for table 'joinit' mysql> SELECT CURRENT_ROLE(); +----------------+ | CURRENT_ROLE() | +----------------+ | NONE | +----------------+ 1 row in set (0.00 sec) 61
© 2019 Percona62 Roles mysql> SET ROLE all; Query OK, 0 rows affected (0.00 sec) mysql> SELECT CURRENT_ROLE(); +-------------------------------------------------------+ | CURRENT_ROLE() | +-------------------------------------------------------+ | `app_read`@`%`,`app_write`@`%`,`app_read`@`localhost` | +-------------------------------------------------------+ 1 row in set (0.00 sec) mysql> select * from app_db.joinit; 62
© 2019 Percona63 Roles It is possible to use activate_all_roles_on_login to activate all roles granted to each account at login time. 63
© 2019 Percona64 References # SO/Cloud security https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html # Audit log https://www.percona.com/blog/2015/09/10/percona-server-audit-log-plugin-best-practices/ #caching_sha2_password https://dev.mysql.com/doc/refman/5.7/en/caching-sha2-pluggable-authentication.html # SSL https://www.percona.com/blog/2013/06/22/setting-up-mysql-ssl-and-secure-connections/#setup https://www.percona.com/blog/2013/10/10/mysql-ssl-performance-overhead/ # TDE https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html#usage https://dev.mysql.com/doc/refman/5.7/en/keyring-file-plugin.html # Roles https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_activate_all_roles_on _login https://dev.mysql.com/doc/refman/8.0/en/roles.html # Password management https://dev.mysql.com/doc/refman/5.7/en/password-management.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-installation.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-options-variables.html # FIPS https://dev.mysql.com/doc/refman/8.0/en/fips-mode.html # Percona Server 8.0 Alpha release https://www.percona.com/blog/2018/09/27/announcement-alpha-build-of-percona-server-8-0/ # MySQL 8 redo and undo encryption https://dev.mysql.com/doc/refman/8.0/en/innodb-tablespace-encryption.html#innodb-tablespace-encr yption-about 64
© 2019 Percona65 Questions?

Recommended

Query Optimization with MySQL 5.6: Old and New Tricks - Percona Live London 2013
Query Optimization with MySQL 5.6: Old and New Tricks - Percona Live London 2013Query Optimization with MySQL 5.6: Old and New Tricks - Percona Live London 2013
Query Optimization with MySQL 5.6: Old and New Tricks - Percona Live London 2013
Jaime Crespo
 
DerbyCon 8 - Attacking Azure Environments with PowerShell
DerbyCon 8 - Attacking Azure Environments with PowerShellDerbyCon 8 - Attacking Azure Environments with PowerShell
DerbyCon 8 - Attacking Azure Environments with PowerShell
Karl Fosaaen
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp Vault
Mayank Patel
 
How to upgrade like a boss to MySQL 8.0 - PLE19
How to upgrade like a boss to MySQL 8.0 - PLE19How to upgrade like a boss to MySQL 8.0 - PLE19
How to upgrade like a boss to MySQL 8.0 - PLE19
Alkin Tezuysal
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
Michael Boelen
 
23.06.15 NSX ALB and vCD integration deepdive_webinar0615.pptx
23.06.15 NSX ALB and vCD integration deepdive_webinar0615.pptx23.06.15 NSX ALB and vCD integration deepdive_webinar0615.pptx
23.06.15 NSX ALB and vCD integration deepdive_webinar0615.pptx
Avi Networks
 
MariaDB Performance Tuning Crash Course
MariaDB Performance Tuning Crash CourseMariaDB Performance Tuning Crash Course
MariaDB Performance Tuning Crash Course
Severalnines
 
Modern query optimisation features in MySQL 8.
Modern query optimisation features in MySQL 8.Modern query optimisation features in MySQL 8.
Modern query optimisation features in MySQL 8.
Mydbops
 

Recommended

Query Optimization with MySQL 5.6: Old and New Tricks - Percona Live London 2013
Query Optimization with MySQL 5.6: Old and New Tricks - Percona Live London 2013Query Optimization with MySQL 5.6: Old and New Tricks - Percona Live London 2013
Query Optimization with MySQL 5.6: Old and New Tricks - Percona Live London 2013
Jaime Crespo
 
DerbyCon 8 - Attacking Azure Environments with PowerShell
DerbyCon 8 - Attacking Azure Environments with PowerShellDerbyCon 8 - Attacking Azure Environments with PowerShell
DerbyCon 8 - Attacking Azure Environments with PowerShell
Karl Fosaaen
 
Credential store using HashiCorp Vault
Credential store using HashiCorp VaultCredential store using HashiCorp Vault
Credential store using HashiCorp Vault
Mayank Patel
 
How to upgrade like a boss to MySQL 8.0 - PLE19
How to upgrade like a boss to MySQL 8.0 - PLE19How to upgrade like a boss to MySQL 8.0 - PLE19
How to upgrade like a boss to MySQL 8.0 - PLE19
Alkin Tezuysal
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
Michael Boelen
 
23.06.15 NSX ALB and vCD integration deepdive_webinar0615.pptx
23.06.15 NSX ALB and vCD integration deepdive_webinar0615.pptx23.06.15 NSX ALB and vCD integration deepdive_webinar0615.pptx
23.06.15 NSX ALB and vCD integration deepdive_webinar0615.pptx
Avi Networks
 
MariaDB Performance Tuning Crash Course
MariaDB Performance Tuning Crash CourseMariaDB Performance Tuning Crash Course
MariaDB Performance Tuning Crash Course
Severalnines
 
Modern query optimisation features in MySQL 8.
Modern query optimisation features in MySQL 8.Modern query optimisation features in MySQL 8.
Modern query optimisation features in MySQL 8.
Mydbops
 
Reducing Risk When Upgrading MySQL
Reducing Risk When Upgrading MySQLReducing Risk When Upgrading MySQL
Reducing Risk When Upgrading MySQL
Kenny Gryp
 
Secret Management Architectures
Secret Management Architectures Secret Management Architectures
Secret Management Architectures
Stenio Ferreira
 
Keeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultKeeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp Vault
Mitchell Pronschinske
 
AWS Connectivity, VPC Design and Security Pro Tips
AWS Connectivity, VPC Design and Security Pro TipsAWS Connectivity, VPC Design and Security Pro Tips
AWS Connectivity, VPC Design and Security Pro Tips
Shiva Narayanaswamy
 
Networking deep dive
Networking deep diveNetworking deep dive
Networking deep dive
Jeroen Niesen
 
Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...
Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...
Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...
Neeraj Kumar
 
BSides Portland - Attacking Azure Environments with PowerShell
BSides Portland - Attacking Azure Environments with PowerShellBSides Portland - Attacking Azure Environments with PowerShell
BSides Portland - Attacking Azure Environments with PowerShell
Karl Fosaaen
 
HandsOn ProxySQL Tutorial - PLSC18
HandsOn ProxySQL Tutorial - PLSC18HandsOn ProxySQL Tutorial - PLSC18
HandsOn ProxySQL Tutorial - PLSC18
Derek Downey
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
n|u - The Open Security Community
 
MySQL/MariaDB Proxy Software Test
MySQL/MariaDB Proxy Software TestMySQL/MariaDB Proxy Software Test
MySQL/MariaDB Proxy Software Test
I Goo Lee
 
Percona Live 2022 - MySQL Shell for Visual Studio Code
Percona Live 2022 - MySQL Shell for Visual Studio CodePercona Live 2022 - MySQL Shell for Visual Studio Code
Percona Live 2022 - MySQL Shell for Visual Studio Code
Frederic Descamps
 
MySQL_MariaDB로의_전환_기술요소-202212.pptx
MySQL_MariaDB로의_전환_기술요소-202212.pptxMySQL_MariaDB로의_전환_기술요소-202212.pptx
MySQL_MariaDB로의_전환_기술요소-202212.pptx
NeoClova
 
How to operate MySQL InnoDB Cluster with MySQL Shell
How to operate MySQL InnoDB Cluster with MySQL ShellHow to operate MySQL InnoDB Cluster with MySQL Shell
How to operate MySQL InnoDB Cluster with MySQL Shell
Frederic Descamps
 
Disaster Recovery Options with AWS
Disaster Recovery Options with AWSDisaster Recovery Options with AWS
Disaster Recovery Options with AWS
Amazon Web Services
 
MySQL Indexing - Best practices for MySQL 5.6
MySQL Indexing - Best practices for MySQL 5.6MySQL Indexing - Best practices for MySQL 5.6
MySQL Indexing - Best practices for MySQL 5.6
MYXPLAIN
 
MySQL 8.0 EXPLAIN ANALYZE
MySQL 8.0 EXPLAIN ANALYZEMySQL 8.0 EXPLAIN ANALYZE
MySQL 8.0 EXPLAIN ANALYZE
Norvald Ryeng
 
Automate the operation of your Oracle Cloud infrastructure v2.0
Automate the operation of your Oracle Cloud infrastructure v2.0Automate the operation of your Oracle Cloud infrastructure v2.0
Automate the operation of your Oracle Cloud infrastructure v2.0
Nelson Calero
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWS
Amazon Web Services
 
Azure SQL Database & Azure SQL Data Warehouse
Azure SQL Database & Azure SQL Data WarehouseAzure SQL Database & Azure SQL Data Warehouse
Azure SQL Database & Azure SQL Data Warehouse
Mohamed Tawfik
 
MySQL InnoDB Cluster and Group Replication in a nutshell hands-on tutorial
MySQL InnoDB Cluster and Group Replication in a nutshell hands-on tutorialMySQL InnoDB Cluster and Group Replication in a nutshell hands-on tutorial
MySQL InnoDB Cluster and Group Replication in a nutshell hands-on tutorial
Frederic Descamps
 
Guob - MySQL e LGPD
Guob - MySQL e LGPDGuob - MySQL e LGPD
Guob - MySQL e LGPD
Vinicius M Grippa
 
MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019
Yashada Jadhav
 

More Related Content

What's hot

Reducing Risk When Upgrading MySQL
Reducing Risk When Upgrading MySQLReducing Risk When Upgrading MySQL
Reducing Risk When Upgrading MySQL
Kenny Gryp
 
BSides Portland - Attacking Azure Environments with PowerShell
BSides Portland - Attacking Azure Environments with PowerShellBSides Portland - Attacking Azure Environments with PowerShell
BSides Portland - Attacking Azure Environments with PowerShell
Karl Fosaaen
 
MySQL Indexing - Best practices for MySQL 5.6
MySQL Indexing - Best practices for MySQL 5.6MySQL Indexing - Best practices for MySQL 5.6
MySQL Indexing - Best practices for MySQL 5.6
MYXPLAIN
 
Automate the operation of your Oracle Cloud infrastructure v2.0
Automate the operation of your Oracle Cloud infrastructure v2.0Automate the operation of your Oracle Cloud infrastructure v2.0
Automate the operation of your Oracle Cloud infrastructure v2.0
Nelson Calero
 

What's hot (20)

Reducing Risk When Upgrading MySQL
Reducing Risk When Upgrading MySQLReducing Risk When Upgrading MySQL
Reducing Risk When Upgrading MySQL
 
Secret Management Architectures
Secret Management Architectures Secret Management Architectures
Secret Management Architectures
 
Keeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultKeeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp Vault
 
AWS Connectivity, VPC Design and Security Pro Tips
AWS Connectivity, VPC Design and Security Pro TipsAWS Connectivity, VPC Design and Security Pro Tips
AWS Connectivity, VPC Design and Security Pro Tips
 
Networking deep dive
Networking deep diveNetworking deep dive
Networking deep dive
 
Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...
Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...
Part 03: Azure Virtual Networks – Understanding and Creating Point-to-Site VP...
 
BSides Portland - Attacking Azure Environments with PowerShell
BSides Portland - Attacking Azure Environments with PowerShellBSides Portland - Attacking Azure Environments with PowerShell
BSides Portland - Attacking Azure Environments with PowerShell
 
HandsOn ProxySQL Tutorial - PLSC18
HandsOn ProxySQL Tutorial - PLSC18HandsOn ProxySQL Tutorial - PLSC18
HandsOn ProxySQL Tutorial - PLSC18
 
Linux Hardening - nullhyd
Linux Hardening - nullhydLinux Hardening - nullhyd
Linux Hardening - nullhyd
 
MySQL/MariaDB Proxy Software Test
MySQL/MariaDB Proxy Software TestMySQL/MariaDB Proxy Software Test
MySQL/MariaDB Proxy Software Test
 
Percona Live 2022 - MySQL Shell for Visual Studio Code
Percona Live 2022 - MySQL Shell for Visual Studio CodePercona Live 2022 - MySQL Shell for Visual Studio Code
Percona Live 2022 - MySQL Shell for Visual Studio Code
 
MySQL_MariaDB로의_전환_기술요소-202212.pptx
MySQL_MariaDB로의_전환_기술요소-202212.pptxMySQL_MariaDB로의_전환_기술요소-202212.pptx
MySQL_MariaDB로의_전환_기술요소-202212.pptx
 
How to operate MySQL InnoDB Cluster with MySQL Shell
How to operate MySQL InnoDB Cluster with MySQL ShellHow to operate MySQL InnoDB Cluster with MySQL Shell
How to operate MySQL InnoDB Cluster with MySQL Shell
 
Disaster Recovery Options with AWS
Disaster Recovery Options with AWSDisaster Recovery Options with AWS
Disaster Recovery Options with AWS
 
MySQL Indexing - Best practices for MySQL 5.6
MySQL Indexing - Best practices for MySQL 5.6MySQL Indexing - Best practices for MySQL 5.6
MySQL Indexing - Best practices for MySQL 5.6
 
MySQL 8.0 EXPLAIN ANALYZE
MySQL 8.0 EXPLAIN ANALYZEMySQL 8.0 EXPLAIN ANALYZE
MySQL 8.0 EXPLAIN ANALYZE
 
Automate the operation of your Oracle Cloud infrastructure v2.0
Automate the operation of your Oracle Cloud infrastructure v2.0Automate the operation of your Oracle Cloud infrastructure v2.0
Automate the operation of your Oracle Cloud infrastructure v2.0
 
Encryption and Key Management in AWS
Encryption and Key Management in AWSEncryption and Key Management in AWS
Encryption and Key Management in AWS
 
Azure SQL Database & Azure SQL Data Warehouse
Azure SQL Database & Azure SQL Data WarehouseAzure SQL Database & Azure SQL Data Warehouse
Azure SQL Database & Azure SQL Data Warehouse
 
MySQL InnoDB Cluster and Group Replication in a nutshell hands-on tutorial
MySQL InnoDB Cluster and Group Replication in a nutshell hands-on tutorialMySQL InnoDB Cluster and Group Replication in a nutshell hands-on tutorial
MySQL InnoDB Cluster and Group Replication in a nutshell hands-on tutorial
 

Similar to Enhancing MySQL Security

Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Big Data Spain
 
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
Geir Høydalsvik
 
Chapter 2 overview
Chapter 2 overviewChapter 2 overview
Chapter 2 overview
ali raza
 

Similar to Enhancing MySQL Security (20)

Guob - MySQL e LGPD
Guob - MySQL e LGPDGuob - MySQL e LGPD
Guob - MySQL e LGPD
 
MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019
 
Percona Live 2019 - MySQL Security
Percona Live 2019 - MySQL SecurityPercona Live 2019 - MySQL Security
Percona Live 2019 - MySQL Security
 
Percona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQLPercona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQL
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
 
Enhancing MySQL Security
Enhancing MySQL SecurityEnhancing MySQL Security
Enhancing MySQL Security
 
Proxy SQL 2.0 with PXC
Proxy SQL 2.0 with PXCProxy SQL 2.0 with PXC
Proxy SQL 2.0 with PXC
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
 
Curso de MySQL 5.7
Curso de MySQL 5.7Curso de MySQL 5.7
Curso de MySQL 5.7
 
DB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQLDB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQL
 
MysQL melhores práticas de seguranca
MysQL melhores práticas de segurancaMysQL melhores práticas de seguranca
MysQL melhores práticas de seguranca
 
Securing your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server dataSecuring your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server data
 
ProxySQL para mysql
ProxySQL para mysqlProxySQL para mysql
ProxySQL para mysql
 
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
OSMC 2019 | Use Cloud services & features in your redundant Icinga2 Environme...
 
How to upgrade like a boss to my sql 8.0?
How to upgrade like a boss to my sql 8.0?How to upgrade like a boss to my sql 8.0?
How to upgrade like a boss to my sql 8.0?
 
2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server
 
Mysql 8 vs Mariadb 10.4 Webinar 2020 Feb
Mysql 8 vs Mariadb 10.4 Webinar 2020 FebMysql 8 vs Mariadb 10.4 Webinar 2020 Feb
Mysql 8 vs Mariadb 10.4 Webinar 2020 Feb
 
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
 
MySQL NoSQL APIs
MySQL NoSQL APIsMySQL NoSQL APIs
MySQL NoSQL APIs
 
Chapter 2 overview
Chapter 2 overviewChapter 2 overview
Chapter 2 overview
 

More from Vinicius M Grippa

More from Vinicius M Grippa (6)

MySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdfMySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdf
 
PL22 - Backup and Restore Performance.pptx
PL22 - Backup and Restore Performance.pptxPL22 - Backup and Restore Performance.pptx
PL22 - Backup and Restore Performance.pptx
 
MySQL backup and restore performance
MySQL backup and restore performanceMySQL backup and restore performance
MySQL backup and restore performance
 
Moving mongo db to the cloud strategies and points to consider
Moving mongo db to the cloud strategies and points to considerMoving mongo db to the cloud strategies and points to consider
Moving mongo db to the cloud strategies and points to consider
 
Cpu analysis with flamegraphs
Cpu analysis with flamegraphsCpu analysis with flamegraphs
Cpu analysis with flamegraphs
 
K8s - Setting up minikube
K8s - Setting up minikubeK8s - Setting up minikube
K8s - Setting up minikube
 

Recently uploaded

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 

Recently uploaded (20)

Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 

Enhancing MySQL Security

  • 1. © 2019 Percona1 Enhancing MySQL Security Vinicius M. Grippa Senior Support Engineer for MySQL/MongoDB vinicius.grippa@percona.com
  • 2. © 2019 Percona2 ▪ Support Engineer at Percona since 2017 ▪ Working with MySQL for over six years ▪ Working with databases for over nine years ▪ Speaker at PL 2018 and meetups about MySQL/MongoDB About Me
  • 3. © 2019 Percona3 Basic Principles • Minimum access • Isolate • Audit • Avoid spying • Default firewall
  • 4. © 2019 Percona4 Agenda ▪ SO/Cloud security ▪ SSL ▪ Password management ▪ Audit plugin ▪ Percona Server encryption features ▪ MySQL 8 features (undo, redo encryption) ▪ TDE ▪ New caching_sha2_password ▪ FIPS mode ▪ Roles
  • 6. © 2019 Percona6 OS/Cloud Security • Uninstall services that are not used • Do not run compilers • Firewalls • Block internet access • Disable remote root login • Use of SSH Key
  • 7. © 2019 Percona7 OS/Cloud Security • Use of Amazon Virtual Private Cloud (VPC) • Use AWS Identity and Access Management (IAM) policies • Use security groups
  • 12. © 2019 Percona12 SSL • Move information over a network in a secure fashion • SSL provides an way to cryptograph the data • Default for MySQL 5.7 or higher • Certificates ▪ MySQL 5.7 • mysql_ssl_rsa_setup ▪ MySQL 5.6 • openssl
  • 13. © 2019 Percona13 mysql > show global variables like '%ssl%'; +---------------+-----------------+ | Variable_name | Value | +---------------+-----------------+ | have_openssl | YES | | have_ssl | YES | | ssl_ca | ca.pem | | ssl_capath | | | ssl_cert | server-cert.pem | | ssl_cipher | | | ssl_crl | | | ssl_crlpath | | | ssl_key | server-key.pem | +---------------+-----------------+ 9 rows in set (0.03 sec) SSL
  • 14. © 2019 Percona14 SSL mysql: root@localhost ((none)) GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'%' IDENTIFIED BY 'sekret' REQUIRE SSL; Query OK, 0 rows affected, 1 warning (0.00 sec) Query OK, 0 rows affected (0.01 sec) [root@node1 ~]# mysql -ussluser -psekret --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem --ssl-ca=/var/lib/mysql/ca.pem -h 127.0.0.1 -P 3306 -e "s"| grep SSL mysql: [Warning] Using a password on the command line interface can be insecure. SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
  • 15. © 2019 Percona15 It is also possible to set ssl-mode to ensure that all connections use SSL. This option is available only for client programs, not the server. [client] ssl-mode=required SSL
  • 18. © 2019 Percona18 Password Management • Password expiration • validate_password plugin
  • 19. © 2019 Percona19 Password Expiration • MySQL enables database administrators to expire account passwords manually, and to establish a policy for automatic password expiration. Expiration policy can be established globally, and individual accounts can be set to either defer to the global policy or override the global policy with specific per-account behavior.
  • 20. © 2019 Percona20 Password Expiration Individual Accounts mysql> create user test_expired_user@localhost identified by 'Sekr$K1et' PASSWORD EXPIRE INTERVAL 1 day; Query OK, 0 rows affected (0.01 sec) Globally mysql> SET GLOBAL default_password_lifetime = 1;
  • 21. © 2019 Percona21 Password Expiration mysql: test_expired_user@localhost ((none)) > show databases; ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
  • 22. © 2019 Percona22 validate_plugin Its main purpose is to test passwords and improve security. It is possible to ensure the strength, length and required characters of the password.
  • 23. © 2019 Percona23 validate_plugin - Installing # Runtime mysql: root@localhost ((none)) > INSTALL PLUGIN validate_password SONAME 'validate_password.so'; Query OK, 0 rows affected (0.07 sec) # my.cnf [mysqld] plugin-load-add=validate_password.so
  • 24. © 2019 Percona24 validate_plugin - Validate mysql: root@localhost ((none)) > show global variables like '%plugin%'; +-------------------------------+--------------------------+ | Variable_name | Value | +-------------------------------+--------------------------+ | default_authentication_plugin | mysql_native_password | | plugin_dir | /usr/lib64/mysql/plugin/ | +-------------------------------+--------------------------+ 2 rows in set (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'validate%'; +-------------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------------+---------------+ | validate_password | ACTIVE | +-------------------+---------------+ 1 row in set (0.00 sec)
  • 25. © 2019 Percona25 validate_plugin - Example mysql: root@localhost ((none)) > set global validate_password_length = 6; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > set global validate_password_policy=2; Query OK, 0 rows affected (0.00 sec)
  • 26. © 2019 Percona26 validate_plugin - Example mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd12@'; Query OK, 0 rows affected (0.00 sec)
  • 28. © 2019 Percona28 Audit Plugin ▪ MySQL Enterprise – Paid ▪ Percona Server (works with community version) – Free ▪ It is different from general log ▪ Filter by command / user / database
  • 29. © 2019 Percona29 Audit Plugin - Installing mysql > INSTALL PLUGIN audit_log SONAME 'audit_log.so'; Query OK, 0 rows affected (0.05 sec) mysql > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'audit%'; +-------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------+---------------+ | audit_log | ACTIVE | +-------------+---------------+
  • 30. © 2019 Percona30 Audit Plugin [mysqld] ## Audit Logging ## audit_log_policy=ALL audit_log_format=JSON audit_log_file=/var/log/mysql/audit.log audit_log_rotate_on_size=1024M audit_log_rotations=10
  • 31. © 2019 Percona31 Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_buffer_size | 1048576 | | audit_log_exclude_accounts | | | audit_log_exclude_commands | | | audit_log_exclude_databases | | | audit_log_file | /var/log/mysql/audit.log | | audit_log_flush | OFF | | audit_log_format | JSON | | audit_log_handler | FILE | | audit_log_include_accounts | | | audit_log_include_commands | | | audit_log_include_databases | |
  • 32. © 2019 Percona32 Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_policy | ALL | | audit_log_rotate_on_size | 1073741824 | | audit_log_rotations | 10 | | audit_log_strategy | ASYNCHRONOUS | | audit_log_syslog_facility | LOG_USER | | audit_log_syslog_ident | percona-audit | | audit_log_syslog_priority | LOG_INFO | +-----------------------------+--------------------------+ 18 rows in set (0.02 sec)
  • 33. © 2019 Percona33 Percona Server Encryption Features
  • 34. © 2019 Percona34 Percona Server Encryption Percona server provides extra encryption: • encrypt_binlog • encrypt_tmp_files • innodb_encrypt_online_alter_logs • innodb_encrypt_tables – BETA quality • innodb_parallel_dblwr_encrypt – ALPHA quality • innodb_sys_tablespace_encrypt – ALPHA quality • innodb_temp_tablespace_encrypt – BETA quality
  • 35. © 2019 Percona35 Percona Server Encryption [mysqld] # Binary Log Encryption encrypt_binlog master_verify_checksum = 1 binlog_checksum = 1 mysql: root@localhost ((none)) > show global variables like '%encrypt_binlog%'; +----------------+-------+ | Variable_name | Value | +----------------+-------+ | encrypt_binlog | ON | +----------------+-------+ 1 row in set (0.00 sec)
  • 36. © 2019 Percona36 Percona Server Encryption mysql: root@localhost ((none)) > show global variables like '%encrypt%'; +----------------------------------+-------------+ | Variable_name | Value | +----------------------------------+-------------+ | block_encryption_mode | aes-128-ecb | | encrypt_binlog | ON | | encrypt_tmp_files | OFF | | innodb_encrypt_online_alter_logs | OFF | | innodb_encrypt_tables | OFF | | innodb_parallel_dblwr_encrypt | OFF | | innodb_sys_tablespace_encrypt | OFF | | innodb_temp_tablespace_encrypt | OFF | +----------------------------------+-------------+ 8 rows in set (0.00 sec)
  • 37. © 2019 Percona37 MySQL 8 Features (undo, redo encryption)
  • 38. © 2019 Percona38 MySQL 8 - (undo, redo encryption) ▪ MySQL 8 extends tablespace encryption feature to redo log and undo log ▪ It is necessary using one of the Keyring plugins
  • 39. © 2019 Percona39 MySQL 8 - (undo, redo encryption) The process is very straightforward, to enable the encryption on the redo log and the undo log: mysql> set global innodb_undo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> set global innodb_redo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> show global variables like '%log_encrypt%'; +-------------------------+-------+ | Variable_name | Value | +-------------------------+-------+ | innodb_redo_log_encrypt | ON | | innodb_undo_log_encrypt | ON | +-------------------------+-------+ 2 rows in set (0.00 sec)
  • 40. © 2019 Percona40 Transparent Data Encryption(TDE)
  • 41. © 2019 Percona41 Transparent Data Encryption (TDE) • Enables data-at-rest encryption in the database • Encryption and decryption occurs without any additional coding, data type or schema modifications
  • 42. © 2019 Percona42 Transparent Data Encryption (TDE) [mysqld] # TDE early-plugin-load=keyring_file.so keyring-file-data=/var/lib/mysql-keyring/keyring mysql: root@localhost ((none)) > INSTALL PLUGIN keyring_udf SONAME 'keyring_udf.so'; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'keyring%'; +--------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +--------------+---------------+ | keyring_file | ACTIVE | | keyring_udf | ACTIVE | +--------------+---------
  • 43. © 2019 Percona43 Transparent Data Encryption (TDE) mysql: root@localhost ((none)) > SELECT keyring_key_generate('MyKey', 'AES', 32); +------------------------------------------+ | keyring_key_generate('MyKey', 'AES', 32) | +------------------------------------------+ | 1 | +------------------------------------------+ 1 row in set (0.00 sec) mysql> CREATE TABLESPACE `amer_meeting1` ADD DATAFILE 'amer_meeting1.ibd' ENCRYPTION = 'Y' Engine=InnoDB; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='N'; ERROR 1478 (HY000): InnoDB: Tablespace `vgrippa` can contain only an ENCRYPTED tables. mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='Y'; Query OK, 0 rows affected (0.02 sec)
  • 44. © 2019 Percona44 Transparent Data Encryption (TDE) A flag field in the INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES has bit number 13 set if tablespace is encrypted. mysql: root@localhost (test) > SELECT space, name, flag, (flag & 8192) != 0 AS encrypted FROM INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES WHERE name in ('vgrippa'); +-------+---------+-------+-----------+ | space | name | flag | encrypted | +-------+---------+-------+-----------+ | 156 | vgrippa | 10240 | 1 | +-------+---------+-------+-----------+ 1 row in set (0.00 sec)
  • 46. © 2019 Percona46 caching_sha2_password MySQL provides two authentication plugins that implement SHA-256 hashing for user account passwords: • sha256_password: Implements basic SHA-256 authentication • caching_sha2_password: Implements SHA-256 authentication (like sha256_password), but uses caching on the server side for better performance and has additional features for wider applicability. (In MySQL 5.7, caching_sha2_password is implemented only on the client)
  • 47. © 2019 Percona47 caching_sha2_password mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec) mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec)
  • 48. © 2019 Percona48 caching_sha2_password mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+----------------------------- --------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+----------------------------- --------------+ | vgrippa | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | | vgrippa1 | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | +----------+-----------+-----------------------+----------------------------- --------------+ 2 rows in set (0.00 sec)
  • 49. © 2019 Percona49 Example # MySQL 8 [mysqld] default_authentication_plugin=caching_sha2_password mysql> CREATE USER 'sha2user'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'password'; Query OK, 0 rows affected (0.06 sec) mysql> select user,host, plugin from mysql.user where user like 'sha2user%'; +----------+-----------+-----------------------+ | user | host | plugin | +----------+-----------+-----------------------+ | sha2user | localhost | caching_sha2_password | +----------+-----------+-----------------------+ 1 row in set (0.00 sec)
  • 50. © 2019 Percona50 Example mysql: root@localhost ((none)) > create user vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost ((none)) > create user vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec)
  • 51. © 2019 Percona51 Example mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+--------------------------------------------- ---------------------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+--------------------------------------------- ---------------------------+ | vgrippa | localhost | caching_sha2_password | $A$005$)8?=V_"J75FFq |jUVMUZmnZ1t8aSybB4AISoj1MXdlseI0rQay6bGGlne8 | | vgrippa1 | localhost | caching_sha2_password | $A$005$zEZ;bEmj[hq1T!LFtqZzAB0hacxgwNfHM/gL6gBFHqY1wuozW2NO4Gj9958 | +----------+-----------+-----------------------+--------------------------------------------- ---------------------------+ 2 rows in set (0.01 sec)
  • 53. © 2019 Percona53 FIPS • MySQL supports FIPS mode, if compiled using OpenSSL, and an OpenSSL library and FIPS Object Module are available at runtime • FIPS mode on the server side applies to cryptographic operations performed by the server. This includes replication (master/slave and Group Replication) and X Plugin, which run within the server. FIPS mode also applies to attempts by clients to connect to the server
  • 54. © 2019 Percona54 Example mysql> show global variables like '%fips%'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | ssl_fips_mode | ON | +---------------+-------+ 1 row in set (0.01 sec) mysql> set global ssl_fips_mode=1; Query OK, 0 rows affected (0.06 sec)
  • 55. © 2019 Percona55 Example mysql> select md5('a'); +----------------------------------+ | md5('a') | +----------------------------------+ | 00000000000000000000000000000000 | +----------------------------------+ 1 row in set, 1 warning (0.00 sec)
  • 56. © 2019 Percona56 Example mysql> show warnings; +---------+-------+------------------------------------------------------------------- -----+ | Level | Code | Message | +---------+-------+------------------------------------------------------------------- -----+ | Warning | 11272 | SSL fips mode error: FIPS mode ON/STRICT: MD5 digest is not supported. | +---------+-------+------------------------------------------------------------------- -----+ 1 row in set (0.00 sec)
  • 57. © 2019 Percona57 Example mysql> select sha2('a', 256); +------------------------------------------------------------------+ | sha2('a', 256) | +------------------------------------------------------------------+ | ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb | +------------------------------------------------------------------+ 1 row in set (0.00 sec)
  • 59. © 2019 Percona59 Roles ● MySQL 8 comes with Roles feature. A role is a named collection of privileges. Like user accounts, roles can have privileges granted to and revoked from them. 59
  • 60. © 2019 Percona60 Roles mysql> create role app_read; Query OK, 0 rows affected (0.03 sec) mysql> grant select on *.* to app_read; Query OK, 0 rows affected (0.04 sec) 60
  • 61. © 2019 Percona61 Roles mysql> select * from app_db.joinit; ERROR 1142 (42000): SELECT command denied to user 'test_role'@'localhost' for table 'joinit' mysql> SELECT CURRENT_ROLE(); +----------------+ | CURRENT_ROLE() | +----------------+ | NONE | +----------------+ 1 row in set (0.00 sec) 61
  • 62. © 2019 Percona62 Roles mysql> SET ROLE all; Query OK, 0 rows affected (0.00 sec) mysql> SELECT CURRENT_ROLE(); +-------------------------------------------------------+ | CURRENT_ROLE() | +-------------------------------------------------------+ | `app_read`@`%`,`app_write`@`%`,`app_read`@`localhost` | +-------------------------------------------------------+ 1 row in set (0.00 sec) mysql> select * from app_db.joinit; 62
  • 63. © 2019 Percona63 Roles It is possible to use activate_all_roles_on_login to activate all roles granted to each account at login time. 63
  • 64. © 2019 Percona64 References # SO/Cloud security https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html # Audit log https://www.percona.com/blog/2015/09/10/percona-server-audit-log-plugin-best-practices/ #caching_sha2_password https://dev.mysql.com/doc/refman/5.7/en/caching-sha2-pluggable-authentication.html # SSL https://www.percona.com/blog/2013/06/22/setting-up-mysql-ssl-and-secure-connections/#setup https://www.percona.com/blog/2013/10/10/mysql-ssl-performance-overhead/ # TDE https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption.html#usage https://dev.mysql.com/doc/refman/5.7/en/keyring-file-plugin.html # Roles https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_activate_all_roles_on _login https://dev.mysql.com/doc/refman/8.0/en/roles.html # Password management https://dev.mysql.com/doc/refman/5.7/en/password-management.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-installation.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-options-variables.html # FIPS https://dev.mysql.com/doc/refman/8.0/en/fips-mode.html # Percona Server 8.0 Alpha release https://www.percona.com/blog/2018/09/27/announcement-alpha-build-of-percona-server-8-0/ # MySQL 8 redo and undo encryption https://dev.mysql.com/doc/refman/8.0/en/innodb-tablespace-encryption.html#innodb-tablespace-encr yption-about 64