SlideShare une entreprise Scribd logo

Percona Live 2019 - MySQL Security

V
Vinicius M Grippa

An introduction of the best practices about MySQL security. It covers data-in-motion (network) and data-at-rest (using TDE).

Technologie
1  sur  67
Télécharger pour lire hors ligne
Enhancing MySQL Security Vinicius M. Grippa Support Engineer for MySQL/MongoDB vinicius.grippa@percona.com 1
• Support Engineer at Percona since 2017 • Working with MySQL for over six years • Working with databases for over nine years • Speaker at PL 2018 and meetups about MySQL/MongoDB About Me
3 Basic Principles • Minimum access • Isolate • Audit • Avoid spying • Default firewall
4 Agenda • SO/Cloud security • SSL • Password management • Audit plugin • Percona Server encryption features • MySQL 8 features (undo, redo encryption) • TDE • New caching_sha2_password • FIPS mode • Roles
OS/Cloud Security
6 OS/Cloud Security • Uninstall services that are not used • Do not run compilers • Firewalls • Block internet access • Disable remote root login • Use of SSH Key
7 OS/Cloud Security • Use of Amazon Virtual Private Cloud (VPC) • Use AWS Identity and Access Management (IAM) policies • Use security groups
8 OS/Cloud Security
9 OS/Cloud Security
10 OS/Cloud Security
SSL
12 SSL • Move information over a network in a secure fashion • SSL provides an way to cryptograph the data • Default for MySQL 5.7 or higher • Certificates ▪ MySQL 5.7 - mysql_ssl_rsa_setup ▪ MySQL 5.6 - openssl
13 mysql > show global variables like '%ssl%'; +---------------+-----------------+ | Variable_name | Value | +---------------+-----------------+ | have_openssl | YES | | have_ssl | YES | | ssl_ca | ca.pem | | ssl_capath | | | ssl_cert | server-cert.pem | | ssl_cipher | | | ssl_crl | | | ssl_crlpath | | | ssl_key | server-key.pem | +---------------+-----------------+ 9 rows in set (0.03 sec) SSL
14 SSL mysql: root@localhost ((none)) GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'%' IDENTIFIED BY 'sekret' REQUIRE SSL; Query OK, 0 rows affected, 1 warning (0.00 sec) Query OK, 0 rows affected (0.01 sec) [root@node1 ~]# mysql -ussluser -psekret --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem --ssl-ca=/var/lib/mysql/ca.pem -h 127.0.0.1 -P 3306 -e "s"| grep SSL mysql: [Warning] Using a password on the command line interface can be insecure. SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
15 It is also possible to set ssl-mode to ensure that all connections use SSL. This option is available only for client programs, not the server. [client] ssl-mode=required SSL
16 SSL
Password Management
18 Password Management • Password expiration • validate_password plugin
19 Password Expiration • MySQL enables database administrators to expire account passwords manually, and to establish a policy for automatic password expiration. Expiration policy can be established globally, and individual accounts can be set to either defer to the global policy or override the global policy with specific per-account behavior.
20 Password Expiration Individual Accounts mysql> create user test_expired_user@localhost identified by 'Sekr$K1et' PASSWORD EXPIRE INTERVAL 1 day; Query OK, 0 rows affected (0.01 sec) Globally mysql> SET GLOBAL default_password_lifetime = 1;
21 Password Expiration mysql: test_expired_user@localhost ((none)) > show databases; ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
22 validate_plugin Its main purpose is to test passwords and improve security. It is possible to ensure the strength, length and required characters of the password.
23 validate_plugin - Installing # Runtime mysql: root@localhost ((none)) > INSTALL PLUGIN validate_password SONAME 'validate_password.so'; Query OK, 0 rows affected (0.07 sec) # my.cnf [mysqld] plugin-load-add=validate_password.so
24 validate_plugin - Validate mysql: root@localhost ((none)) > show global variables like '%plugin%'; +-------------------------------+--------------------------+ | Variable_name | Value | +-------------------------------+--------------------------+ | default_authentication_plugin | mysql_native_password | | plugin_dir | /usr/lib64/mysql/plugin/ | +-------------------------------+--------------------------+ 2 rows in set (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'validate%'; +-------------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------------+---------------+ | validate_password | ACTIVE | +-------------------+---------------+ 1 row in set (0.00 sec)
25 validate_plugin - Example mysql: root@localhost ((none)) > set global validate_password_length = 6; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > set global validate_password_policy=2; Query OK, 0 rows affected (0.00 sec)
26 validate_plugin - Example mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd12@'; Query OK, 0 rows affected (0.00 sec)
Audit Plugin
28 Audit Plugin • MySQL Enterprise – Paid • Percona Server (works with community version) – Free • It is different from general log • Filter by command / user / database
29 Audit Plugin - Installing mysql > INSTALL PLUGIN audit_log SONAME 'audit_log.so'; Query OK, 0 rows affected (0.05 sec) mysql > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'audit%'; +-------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------+---------------+ | audit_log | ACTIVE | +-------------+---------------+ 1 row in set (0.00 sec)
30 Audit Plugin [mysqld] ## Audit Logging ## audit_log_policy=ALL audit_log_format=JSON audit_log_file=/var/log/mysql/audit.log audit_log_rotate_on_size=1024M audit_log_rotations=10
31 Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_buffer_size | 1048576 | | audit_log_exclude_accounts | | | audit_log_exclude_commands | | | audit_log_exclude_databases | | | audit_log_file | /var/log/mysql/audit.log | | audit_log_flush | OFF | | audit_log_format | JSON | | audit_log_handler | FILE | | audit_log_include_accounts | | | audit_log_include_commands | | | audit_log_include_databases | |
32 Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_policy | ALL | | audit_log_rotate_on_size | 1073741824 | | audit_log_rotations | 10 | | audit_log_strategy | ASYNCHRONOUS | | audit_log_syslog_facility | LOG_USER | | audit_log_syslog_ident | percona-audit | | audit_log_syslog_priority | LOG_INFO | +-----------------------------+--------------------------+ 18 rows in set (0.02 sec)
Percona Server Encryption Features
34 Percona Server Encryption Percona server provides extra encryption: • encrypt_binlog • encrypt_tmp_files • innodb_encrypt_online_alter_logs • innodb_encrypt_tables – BETA quality • innodb_parallel_dblwr_encrypt – ALPHA quality • innodb_sys_tablespace_encrypt – ALPHA quality • innodb_temp_tablespace_encrypt – BETA quality
35 Percona Server Encryption [mysqld] # Binary Log Encryption encrypt_binlog master_verify_checksum = 1 binlog_checksum = 1 mysql: root@localhost ((none)) > show global variables like '%encrypt_binlog%'; +----------------+-------+ | Variable_name | Value | +----------------+-------+ | encrypt_binlog | ON | +----------------+-------+ 1 row in set (0.00 sec)
36 Percona Server Encryption mysql: root@localhost ((none)) > show global variables like '%encrypt%'; +----------------------------------+-------------+ | Variable_name | Value | +----------------------------------+-------------+ | block_encryption_mode | aes-128-ecb | | encrypt_binlog | ON | | encrypt_tmp_files | OFF | | innodb_encrypt_online_alter_logs | OFF | | innodb_encrypt_tables | OFF | | innodb_parallel_dblwr_encrypt | OFF | | innodb_sys_tablespace_encrypt | OFF | | innodb_temp_tablespace_encrypt | OFF | +----------------------------------+-------------+ 8 rows in set (0.00 sec)
MySQL 8 Features (undo, redo encryption)
38 MySQL 8 - (undo, redo encryption) • MySQL 8 extends tablespace encryption feature to redo log and undo log • It is necessary using one of the Keyring plugins
39 MySQL 8 - (undo, redo encryption) The process is very straightforward, to enable the encryption on the redo log and the undo log: mysql> set global innodb_undo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> set global innodb_redo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> show global variables like '%log_encrypt%'; +-------------------------+-------+ | Variable_name | Value | +-------------------------+-------+ | innodb_redo_log_encrypt | ON | | innodb_undo_log_encrypt | ON | +-------------------------+-------+ 2 rows in set (0.00 sec)
Transparent Data Encryption(TDE)
41 Transparent Data Encryption (TDE) • Enables data-at-rest encryption in the database • Encryption and decryption occurs without any additional coding, data type or schema modifications
42 Transparent Data Encryption (TDE) [mysqld] # TDE early-plugin-load=keyring_file.so keyring-file-data=/var/lib/mysql-keyring/keyring mysql: root@localhost ((none)) > INSTALL PLUGIN keyring_udf SONAME 'keyring_udf.so'; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'keyring%'; +--------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +--------------+---------------+ | keyring_file | ACTIVE | | keyring_udf | ACTIVE | +--------------+---------
43 Transparent Data Encryption (TDE) mysql: root@localhost ((none)) > SELECT keyring_key_generate('MyKey', 'AES', 32); +------------------------------------------+ | keyring_key_generate('MyKey', 'AES', 32) | +------------------------------------------+ | 1 | +------------------------------------------+ 1 row in set (0.00 sec) mysql> CREATE TABLESPACE `amer_meeting1` ADD DATAFILE 'amer_meeting1.ibd' ENCRYPTION = 'Y' Engine=InnoDB; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='N'; ERROR 1478 (HY000): InnoDB: Tablespace `vgrippa` can contain only an ENCRYPTED tables. mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='Y'; Query OK, 0 rows affected (0.02 sec)
44 Transparent Data Encryption (TDE) A flag field in the INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES has bit number 13 set if tablespace is encrypted. mysql: root@localhost (test) > SELECT space, name, flag, (flag & 8192) != 0 AS encrypted FROM INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES WHERE name in ('vgrippa'); +-------+---------+-------+-----------+ | space | name | flag | encrypted | +-------+---------+-------+-----------+ | 156 | vgrippa | 10240 | 1 | +-------+---------+-------+-----------+ 1 row in set (0.00 sec)
caching_sha2_password
46 caching_sha2_password MySQL provides two authentication plugins that implement SHA-256 hashing for user account passwords: • sha256_password: Implements basic SHA-256 authentication • caching_sha2_password: Implements SHA-256 authentication (like sha256_password), but uses caching on the server side for better performance and has additional features for wider applicability. (In MySQL 5.7, caching_sha2_password is implemented only on the client) Note: In MySQL 8.0, caching_sha2_password is the default authentication plugin rather than mysql_native_password.
47 caching_sha2_password mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec) mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec)
48 caching_sha2_password mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+------------------------- ------------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+------------------------- ------------------+ | vgrippa | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | | vgrippa1 | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | +----------+-----------+-----------------------+------------------------- ------------------+ 2 rows in set (0.00 sec)
49 Example # MySQL 8 [mysqld] default_authentication_plugin=caching_sha2_password mysql> CREATE USER 'sha2user'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'password'; Query OK, 0 rows affected (0.06 sec) mysql> select user,host, plugin from mysql.user where user like 'sha2user%'; +----------+-----------+-----------------------+ | user | host | plugin | +----------+-----------+-----------------------+ | sha2user | localhost | caching_sha2_password | +----------+-----------+-----------------------+ 1 row in set (0.00 sec)
50 Example mysql: root@localhost ((none)) > create user vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost ((none)) > create user vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec)
51 Example mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+-------------------------------------- ----------------------------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+-------------------------------------- ----------------------------------+ | vgrippa | localhost | caching_sha2_password | $A$005$)8?=V_"J75FFq |jUVMUZmnZ1t8aSybB4AISoj1MXdlseI0rQay6bGGlne8 | | vgrippa1 | localhost | caching_sha2_password | $A$005$zEZ;bEmj[hq1T!LFtqZzAB0hacxgwNfHM/gL6gBFHqY1wuozW2NO4Gj9958 | +----------+-----------+-----------------------+-------------------------------------- ----------------------------------+ 2 rows in set (0.01 sec)
FIPS Mode
53 FIPS • MySQL supports FIPS mode, if compiled using OpenSSL, and an OpenSSL library and FIPS Object Module are available at runtime • FIPS mode on the server side applies to cryptographic operations performed by the server. This includes replication (master/slave and Group Replication) and X Plugin, which run within the server. FIPS mode also applies to attempts by clients to connect to the server
54 Example mysql> show global variables like '%fips%'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | ssl_fips_mode | ON | +---------------+-------+ 1 row in set (0.01 sec) mysql> set global ssl_fips_mode=1; Query OK, 0 rows affected (0.06 sec)
55 Example mysql> select md5('a'); +----------------------------------+ | md5('a') | +----------------------------------+ | 00000000000000000000000000000000 | +----------------------------------+ 1 row in set, 1 warning (0.00 sec)
56 Example mysql> show warnings; +---------+-------+------------------------------------------------------------ ------------+ | Level | Code | Message | +---------+-------+------------------------------------------------------------ ------------+ | Warning | 11272 | SSL fips mode error: FIPS mode ON/STRICT: MD5 digest is not supported. | +---------+-------+------------------------------------------------------------ ------------+ 1 row in set (0.00 sec)
57 Example mysql> select sha2('a', 256); +------------------------------------------------------------------+ | sha2('a', 256) | +------------------------------------------------------------------+ | ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb | +------------------------------------------------------------------+ 1 row in set (0.00 sec)
Roles
59 Roles ● MySQL 8 comes with Roles feature. A role is a named collection of privileges. Like user accounts, roles can have privileges granted to and revoked from them.
60 Roles mysql> create role app_read; Query OK, 0 rows affected (0.03 sec) mysql> grant select on *.* to app_read; Query OK, 0 rows affected (0.04 sec)
61 Roles mysql> select * from app_db.joinit; ERROR 1142 (42000): SELECT command denied to user 'test_role'@'localhost' for table 'joinit' mysql> SELECT CURRENT_ROLE(); +----------------+ | CURRENT_ROLE() | +----------------+ | NONE | +----------------+ 1 row in set (0.00 sec)
62 Roles mysql> SET ROLE all; Query OK, 0 rows affected (0.00 sec) mysql> SELECT CURRENT_ROLE(); +-------------------------------------------------------+ | CURRENT_ROLE() | +-------------------------------------------------------+ | `app_read`@`%`,`app_write`@`%`,`app_read`@`localhost` | +-------------------------------------------------------+ 1 row in set (0.00 sec) mysql> select * from app_db.joinit;
63 Roles It is possible to use activate_all_roles_on_login to activate all roles granted to each account at login time.
64 References # SO/Cloud security https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html # Audit log https://www.percona.com/blog/2015/09/10/percona-server-audit-log-plugin-best-practices/ #caching_sha2_password https://dev.mysql.com/doc/refman/5.7/en/caching-sha2-pluggable-authentication.html # SSL https://www.percona.com/blog/2013/06/22/setting-up-mysql-ssl-and-secure-connections/#setu p https://www.percona.com/blog/2013/10/10/mysql-ssl-performance-overhead/ # TDE https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption. html https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption. html#usage https://dev.mysql.com/doc/refman/5.7/en/keyring-file-plugin.html # Roles https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_activate_all_roles_on _login https://dev.mysql.com/doc/refman/8.0/en/roles.html # Password management https://dev.mysql.com/doc/refman/5.7/en/password-management.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-installation.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-options-variables.html # FIPS https://dev.mysql.com/doc/refman/8.0/en/fips-mode.html # Percona Server 8.0 Alpha release https://www.percona.com/blog/2018/09/27/announcement-alpha-build-of-percona-server-8-0/ # MySQL 8 redo and undo encryption https://dev.mysql.com/doc/refman/8.0/en/innodb-tablespace-encryption.html#innodb-tablespace-encr yption-about
Questions?
Thank You to Our Sponsors
67 Rate My Session

Recommandé

Enhancing MySQL Security
Enhancing MySQL SecurityEnhancing MySQL Security
Enhancing MySQL SecurityVinicius M Grippa
 
Enhancing MySQL Security
Enhancing MySQL SecurityEnhancing MySQL Security
Enhancing MySQL SecurityVinicius M Grippa
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Curso de MySQL 5.7
Curso de MySQL 5.7Curso de MySQL 5.7
Curso de MySQL 5.7Eduardo Legatti
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)Scott Sutherland
 
MySQL Performance Schema in 20 Minutes
MySQL Performance Schema in 20 Minutes MySQL Performance Schema in 20 Minutes
MySQL Performance Schema in 20 MinutesSveta Smirnova
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012Scott Sutherland
 

Recommandé

Enhancing MySQL Security
Enhancing MySQL SecurityEnhancing MySQL Security
Enhancing MySQL SecurityVinicius M Grippa
 
Enhancing MySQL Security
Enhancing MySQL SecurityEnhancing MySQL Security
Enhancing MySQL SecurityVinicius M Grippa
 
DerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellDerbyCon2016 - Hacking SQL Server on Scale with PowerShell
DerbyCon2016 - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Curso de MySQL 5.7
Curso de MySQL 5.7Curso de MySQL 5.7
Curso de MySQL 5.7Eduardo Legatti
 
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)
2016 aRcTicCON - Hacking SQL Server on Scale with PowerShell (Slide Updates)Scott Sutherland
 
MySQL Performance Schema in 20 Minutes
MySQL Performance Schema in 20 Minutes MySQL Performance Schema in 20 Minutes
MySQL Performance Schema in 20 MinutesSveta Smirnova
 
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012
SQL Server Exploitation, Escalation, Pilfering - AppSec USA 2012Scott Sutherland
 
010 sa302 aaa+ldap
010 sa302 aaa+ldap010 sa302 aaa+ldap
010 sa302 aaa+ldapBabaa Naya
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scaleAlex Schoof
 
MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019Yashada Jadhav
 
How to Avoid Pitfalls in Schema Upgrade with Galera
How to Avoid Pitfalls in Schema Upgrade with GaleraHow to Avoid Pitfalls in Schema Upgrade with Galera
How to Avoid Pitfalls in Schema Upgrade with GaleraSveta Smirnova
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
MySQL 8.0.22 - New Features Summary
MySQL 8.0.22 - New Features SummaryMySQL 8.0.22 - New Features Summary
MySQL 8.0.22 - New Features SummaryOlivier DASINI
 
Présentation et démo ELK/SIEM/Wazuh
Présentation et démo ELK/SIEM/Wazuh Présentation et démo ELK/SIEM/Wazuh
Présentation et démo ELK/SIEM/Wazuh clevernetsystemsgeneva
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLContinuent
 
My sql 5.7-upcoming-changes-v2
My sql 5.7-upcoming-changes-v2My sql 5.7-upcoming-changes-v2
My sql 5.7-upcoming-changes-v2Morgan Tocker
 
DerbyCon 8 - Attacking Azure Environments with PowerShell
DerbyCon 8 - Attacking Azure Environments with PowerShellDerbyCon 8 - Attacking Azure Environments with PowerShell
DerbyCon 8 - Attacking Azure Environments with PowerShellKarl Fosaaen
 
Mysql tracing
Mysql tracingMysql tracing
Mysql tracingAnis Berejeb
 
Highload Perf Tuning
Highload Perf TuningHighload Perf Tuning
Highload Perf TuningHighLoad2009
 
Mysql8 advance tuning with resource group
Mysql8 advance tuning with resource groupMysql8 advance tuning with resource group
Mysql8 advance tuning with resource groupMarco Tusa
 
Oracle security 08-oracle network security
Oracle security 08-oracle network securityOracle security 08-oracle network security
Oracle security 08-oracle network securityZhaoyang Wang
 
MySQL Performance Schema in Action
MySQL Performance Schema in ActionMySQL Performance Schema in Action
MySQL Performance Schema in ActionSveta Smirnova
 
Proxy SQL 2.0 with PXC
Proxy SQL 2.0 with PXCProxy SQL 2.0 with PXC
Proxy SQL 2.0 with PXCVinicius M Grippa
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerScott Sutherland
 
ProxySQL & PXC(Query routing and Failover Test)
ProxySQL & PXC(Query routing and Failover Test)ProxySQL & PXC(Query routing and Failover Test)
ProxySQL & PXC(Query routing and Failover Test)YoungHeon (Roy) Kim
 
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...Sumit Gupta
 
Preparse Query Rewrite Plugins
Preparse Query Rewrite PluginsPreparse Query Rewrite Plugins
Preparse Query Rewrite PluginsSveta Smirnova
 
Guob - MySQL e LGPD
Guob - MySQL e LGPDGuob - MySQL e LGPD
Guob - MySQL e LGPDVinicius M Grippa
 
ProxySQL para mysql
ProxySQL para mysqlProxySQL para mysql
ProxySQL para mysqlMarcelo Altmann
 

Contenu connexe

Tendances

010 sa302 aaa+ldap
010 sa302 aaa+ldap010 sa302 aaa+ldap
010 sa302 aaa+ldapBabaa Naya
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scaleAlex Schoof
 
MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019Yashada Jadhav
 
How to Avoid Pitfalls in Schema Upgrade with Galera
How to Avoid Pitfalls in Schema Upgrade with GaleraHow to Avoid Pitfalls in Schema Upgrade with Galera
How to Avoid Pitfalls in Schema Upgrade with GaleraSveta Smirnova
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShellScott Sutherland
 
MySQL 8.0.22 - New Features Summary
MySQL 8.0.22 - New Features SummaryMySQL 8.0.22 - New Features Summary
MySQL 8.0.22 - New Features SummaryOlivier DASINI
 
Présentation et démo ELK/SIEM/Wazuh
Présentation et démo ELK/SIEM/Wazuh Présentation et démo ELK/SIEM/Wazuh
Présentation et démo ELK/SIEM/Wazuh clevernetsystemsgeneva
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLContinuent
 
My sql 5.7-upcoming-changes-v2
My sql 5.7-upcoming-changes-v2My sql 5.7-upcoming-changes-v2
My sql 5.7-upcoming-changes-v2Morgan Tocker
 
DerbyCon 8 - Attacking Azure Environments with PowerShell
DerbyCon 8 - Attacking Azure Environments with PowerShellDerbyCon 8 - Attacking Azure Environments with PowerShell
DerbyCon 8 - Attacking Azure Environments with PowerShellKarl Fosaaen
 
Highload Perf Tuning
Highload Perf TuningHighload Perf Tuning
Highload Perf TuningHighLoad2009
 
Mysql8 advance tuning with resource group
Mysql8 advance tuning with resource groupMysql8 advance tuning with resource group
Mysql8 advance tuning with resource groupMarco Tusa
 
Oracle security 08-oracle network security
Oracle security 08-oracle network securityOracle security 08-oracle network security
Oracle security 08-oracle network securityZhaoyang Wang
 
MySQL Performance Schema in Action
MySQL Performance Schema in ActionMySQL Performance Schema in Action
MySQL Performance Schema in ActionSveta Smirnova
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerScott Sutherland
 
ProxySQL & PXC(Query routing and Failover Test)
ProxySQL & PXC(Query routing and Failover Test)ProxySQL & PXC(Query routing and Failover Test)
ProxySQL & PXC(Query routing and Failover Test)YoungHeon (Roy) Kim
 
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...Sumit Gupta
 
Preparse Query Rewrite Plugins
Preparse Query Rewrite PluginsPreparse Query Rewrite Plugins
Preparse Query Rewrite PluginsSveta Smirnova
 

Tendances (20)

010 sa302 aaa+ldap
010 sa302 aaa+ldap010 sa302 aaa+ldap
010 sa302 aaa+ldap
 
Managing secrets at scale
Managing secrets at scaleManaging secrets at scale
Managing secrets at scale
 
MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019
 
How to Avoid Pitfalls in Schema Upgrade with Galera
How to Avoid Pitfalls in Schema Upgrade with GaleraHow to Avoid Pitfalls in Schema Upgrade with Galera
How to Avoid Pitfalls in Schema Upgrade with Galera
 
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell2017 Secure360 - Hacking SQL Server on Scale with PowerShell
2017 Secure360 - Hacking SQL Server on Scale with PowerShell
 
MySQL 8.0.22 - New Features Summary
MySQL 8.0.22 - New Features SummaryMySQL 8.0.22 - New Features Summary
MySQL 8.0.22 - New Features Summary
 
Présentation et démo ELK/SIEM/Wazuh
Présentation et démo ELK/SIEM/Wazuh Présentation et démo ELK/SIEM/Wazuh
Présentation et démo ELK/SIEM/Wazuh
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
 
My sql 5.7-upcoming-changes-v2
My sql 5.7-upcoming-changes-v2My sql 5.7-upcoming-changes-v2
My sql 5.7-upcoming-changes-v2
 
DerbyCon 8 - Attacking Azure Environments with PowerShell
DerbyCon 8 - Attacking Azure Environments with PowerShellDerbyCon 8 - Attacking Azure Environments with PowerShell
DerbyCon 8 - Attacking Azure Environments with PowerShell
 
Mysql tracing
Mysql tracingMysql tracing
Mysql tracing
 
Highload Perf Tuning
Highload Perf TuningHighload Perf Tuning
Highload Perf Tuning
 
Mysql8 advance tuning with resource group
Mysql8 advance tuning with resource groupMysql8 advance tuning with resource group
Mysql8 advance tuning with resource group
 
Oracle security 08-oracle network security
Oracle security 08-oracle network securityOracle security 08-oracle network security
Oracle security 08-oracle network security
 
MySQL Performance Schema in Action
MySQL Performance Schema in ActionMySQL Performance Schema in Action
MySQL Performance Schema in Action
 
Proxy SQL 2.0 with PXC
Proxy SQL 2.0 with PXCProxy SQL 2.0 with PXC
Proxy SQL 2.0 with PXC
 
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL ServerSecure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
Secure360 - Beyond xp cmdshell - Owning the Empire through SQL Server
 
ProxySQL & PXC(Query routing and Failover Test)
ProxySQL & PXC(Query routing and Failover Test)ProxySQL & PXC(Query routing and Failover Test)
ProxySQL & PXC(Query routing and Failover Test)
 
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...
Oracle Access Manager Integration with Microsoft Active Directory for Zero Si...
 
Preparse Query Rewrite Plugins
Preparse Query Rewrite PluginsPreparse Query Rewrite Plugins
Preparse Query Rewrite Plugins
 

Similaire à Percona Live 2019 - MySQL Security

OSMC 2008 | Monitoring MySQL by Geert Vanderkelen
OSMC 2008 | Monitoring MySQL by Geert VanderkelenOSMC 2008 | Monitoring MySQL by Geert Vanderkelen
OSMC 2008 | Monitoring MySQL by Geert VanderkelenNETWAYS
 
DB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQLDB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQLMarcelo Altmann
 
Performance schema and sys schema
Performance schema and sys schemaPerformance schema and sys schema
Performance schema and sys schemaMark Leith
 
Basic MySQL Troubleshooting for Oracle Database Administrators
Basic MySQL Troubleshooting for Oracle Database AdministratorsBasic MySQL Troubleshooting for Oracle Database Administrators
Basic MySQL Troubleshooting for Oracle Database AdministratorsSveta Smirnova
 
Memcached Functions For My Sql Seemless Caching In My Sql
Memcached Functions For My Sql Seemless Caching In My SqlMemcached Functions For My Sql Seemless Caching In My Sql
Memcached Functions For My Sql Seemless Caching In My SqlMySQLConference
 
MySQL server security
MySQL server securityMySQL server security
MySQL server securityDamien Seguy
 
MariaDB 10.5 new features for troubleshooting (mariadb server fest 2020)
MariaDB 10.5 new features for troubleshooting (mariadb server fest 2020)MariaDB 10.5 new features for troubleshooting (mariadb server fest 2020)
MariaDB 10.5 new features for troubleshooting (mariadb server fest 2020)Valeriy Kravchuk
 
Securing your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server dataSecuring your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server dataColin Charles
 
Confoo 2021 -- MySQL New Features
Confoo 2021 -- MySQL New FeaturesConfoo 2021 -- MySQL New Features
Confoo 2021 -- MySQL New FeaturesDave Stokes
 
MySQL Shell - The Best MySQL DBA Tool
MySQL Shell - The Best MySQL DBA ToolMySQL Shell - The Best MySQL DBA Tool
MySQL Shell - The Best MySQL DBA ToolMiguel Araújo
 
Mysql nowwhat
Mysql nowwhatMysql nowwhat
Mysql nowwhatsqlhjalp
 
Common schema my sql uc 2012
Common schema my sql uc 2012Common schema my sql uc 2012
Common schema my sql uc 2012Roland Bouman
 
Common schema my sql uc 2012
Common schema my sql uc 2012Common schema my sql uc 2012
Common schema my sql uc 2012Roland Bouman
 
How to Bulletproof Your Scylla Deployment
How to Bulletproof Your Scylla DeploymentHow to Bulletproof Your Scylla Deployment
How to Bulletproof Your Scylla DeploymentScyllaDB
 
Percona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQLPercona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQLMarcelo Altmann
 
MySQL Best Practices - OTN
MySQL Best Practices - OTNMySQL Best Practices - OTN
MySQL Best Practices - OTNRonald Bradford
 

Similaire à Percona Live 2019 - MySQL Security (20)

Guob - MySQL e LGPD
Guob - MySQL e LGPDGuob - MySQL e LGPD
Guob - MySQL e LGPD
 
ProxySQL para mysql
ProxySQL para mysqlProxySQL para mysql
ProxySQL para mysql
 
OSMC 2008 | Monitoring MySQL by Geert Vanderkelen
OSMC 2008 | Monitoring MySQL by Geert VanderkelenOSMC 2008 | Monitoring MySQL by Geert Vanderkelen
OSMC 2008 | Monitoring MySQL by Geert Vanderkelen
 
DB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQLDB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQL
 
Mysql tracing
Mysql tracingMysql tracing
Mysql tracing
 
Performance schema and sys schema
Performance schema and sys schemaPerformance schema and sys schema
Performance schema and sys schema
 
Basic MySQL Troubleshooting for Oracle Database Administrators
Basic MySQL Troubleshooting for Oracle Database AdministratorsBasic MySQL Troubleshooting for Oracle Database Administrators
Basic MySQL Troubleshooting for Oracle Database Administrators
 
Memcached Functions For My Sql Seemless Caching In My Sql
Memcached Functions For My Sql Seemless Caching In My SqlMemcached Functions For My Sql Seemless Caching In My Sql
Memcached Functions For My Sql Seemless Caching In My Sql
 
Instalar MySQL CentOS
Instalar MySQL CentOSInstalar MySQL CentOS
Instalar MySQL CentOS
 
MySQL server security
MySQL server securityMySQL server security
MySQL server security
 
MariaDB 10.5 new features for troubleshooting (mariadb server fest 2020)
MariaDB 10.5 new features for troubleshooting (mariadb server fest 2020)MariaDB 10.5 new features for troubleshooting (mariadb server fest 2020)
MariaDB 10.5 new features for troubleshooting (mariadb server fest 2020)
 
Securing your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server dataSecuring your MySQL / MariaDB Server data
Securing your MySQL / MariaDB Server data
 
Confoo 2021 -- MySQL New Features
Confoo 2021 -- MySQL New FeaturesConfoo 2021 -- MySQL New Features
Confoo 2021 -- MySQL New Features
 
MySQL Shell - The Best MySQL DBA Tool
MySQL Shell - The Best MySQL DBA ToolMySQL Shell - The Best MySQL DBA Tool
MySQL Shell - The Best MySQL DBA Tool
 
Mysql nowwhat
Mysql nowwhatMysql nowwhat
Mysql nowwhat
 
Common schema my sql uc 2012
Common schema my sql uc 2012Common schema my sql uc 2012
Common schema my sql uc 2012
 
Common schema my sql uc 2012
Common schema my sql uc 2012Common schema my sql uc 2012
Common schema my sql uc 2012
 
How to Bulletproof Your Scylla Deployment
How to Bulletproof Your Scylla DeploymentHow to Bulletproof Your Scylla Deployment
How to Bulletproof Your Scylla Deployment
 
Percona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQLPercona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQL
 
MySQL Best Practices - OTN
MySQL Best Practices - OTNMySQL Best Practices - OTN
MySQL Best Practices - OTN
 

Plus de Vinicius M Grippa

MySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdfMySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdfVinicius M Grippa
 
PL22 - Backup and Restore Performance.pptx
PL22 - Backup and Restore Performance.pptxPL22 - Backup and Restore Performance.pptx
PL22 - Backup and Restore Performance.pptxVinicius M Grippa
 
MySQL backup and restore performance
MySQL backup and restore performanceMySQL backup and restore performance
MySQL backup and restore performanceVinicius M Grippa
 
Moving mongo db to the cloud strategies and points to consider
Moving mongo db to the cloud strategies and points to considerMoving mongo db to the cloud strategies and points to consider
Moving mongo db to the cloud strategies and points to considerVinicius M Grippa
 
Cpu analysis with flamegraphs
Cpu analysis with flamegraphsCpu analysis with flamegraphs
Cpu analysis with flamegraphsVinicius M Grippa
 

Plus de Vinicius M Grippa (6)

MySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdfMySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdf
 
PL22 - Backup and Restore Performance.pptx
PL22 - Backup and Restore Performance.pptxPL22 - Backup and Restore Performance.pptx
PL22 - Backup and Restore Performance.pptx
 
MySQL backup and restore performance
MySQL backup and restore performanceMySQL backup and restore performance
MySQL backup and restore performance
 
Moving mongo db to the cloud strategies and points to consider
Moving mongo db to the cloud strategies and points to considerMoving mongo db to the cloud strategies and points to consider
Moving mongo db to the cloud strategies and points to consider
 
Cpu analysis with flamegraphs
Cpu analysis with flamegraphsCpu analysis with flamegraphs
Cpu analysis with flamegraphs
 
K8s - Setting up minikube
K8s - Setting up minikubeK8s - Setting up minikube
K8s - Setting up minikube
 

Dernier

Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 

Dernier (20)

Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 

Percona Live 2019 - MySQL Security

  • 1. Enhancing MySQL Security Vinicius M. Grippa Support Engineer for MySQL/MongoDB vinicius.grippa@percona.com 1
  • 2. • Support Engineer at Percona since 2017 • Working with MySQL for over six years • Working with databases for over nine years • Speaker at PL 2018 and meetups about MySQL/MongoDB About Me
  • 3. 3 Basic Principles • Minimum access • Isolate • Audit • Avoid spying • Default firewall
  • 4. 4 Agenda • SO/Cloud security • SSL • Password management • Audit plugin • Percona Server encryption features • MySQL 8 features (undo, redo encryption) • TDE • New caching_sha2_password • FIPS mode • Roles
  • 6. 6 OS/Cloud Security • Uninstall services that are not used • Do not run compilers • Firewalls • Block internet access • Disable remote root login • Use of SSH Key
  • 7. 7 OS/Cloud Security • Use of Amazon Virtual Private Cloud (VPC) • Use AWS Identity and Access Management (IAM) policies • Use security groups
  • 11. SSL
  • 12. 12 SSL • Move information over a network in a secure fashion • SSL provides an way to cryptograph the data • Default for MySQL 5.7 or higher • Certificates ▪ MySQL 5.7 - mysql_ssl_rsa_setup ▪ MySQL 5.6 - openssl
  • 13. 13 mysql > show global variables like '%ssl%'; +---------------+-----------------+ | Variable_name | Value | +---------------+-----------------+ | have_openssl | YES | | have_ssl | YES | | ssl_ca | ca.pem | | ssl_capath | | | ssl_cert | server-cert.pem | | ssl_cipher | | | ssl_crl | | | ssl_crlpath | | | ssl_key | server-key.pem | +---------------+-----------------+ 9 rows in set (0.03 sec) SSL
  • 14. 14 SSL mysql: root@localhost ((none)) GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'%' IDENTIFIED BY 'sekret' REQUIRE SSL; Query OK, 0 rows affected, 1 warning (0.00 sec) Query OK, 0 rows affected (0.01 sec) [root@node1 ~]# mysql -ussluser -psekret --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem --ssl-ca=/var/lib/mysql/ca.pem -h 127.0.0.1 -P 3306 -e "s"| grep SSL mysql: [Warning] Using a password on the command line interface can be insecure. SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256
  • 15. 15 It is also possible to set ssl-mode to ensure that all connections use SSL. This option is available only for client programs, not the server. [client] ssl-mode=required SSL
  • 18. 18 Password Management • Password expiration • validate_password plugin
  • 19. 19 Password Expiration • MySQL enables database administrators to expire account passwords manually, and to establish a policy for automatic password expiration. Expiration policy can be established globally, and individual accounts can be set to either defer to the global policy or override the global policy with specific per-account behavior.
  • 20. 20 Password Expiration Individual Accounts mysql> create user test_expired_user@localhost identified by 'Sekr$K1et' PASSWORD EXPIRE INTERVAL 1 day; Query OK, 0 rows affected (0.01 sec) Globally mysql> SET GLOBAL default_password_lifetime = 1;
  • 21. 21 Password Expiration mysql: test_expired_user@localhost ((none)) > show databases; ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement.
  • 22. 22 validate_plugin Its main purpose is to test passwords and improve security. It is possible to ensure the strength, length and required characters of the password.
  • 23. 23 validate_plugin - Installing # Runtime mysql: root@localhost ((none)) > INSTALL PLUGIN validate_password SONAME 'validate_password.so'; Query OK, 0 rows affected (0.07 sec) # my.cnf [mysqld] plugin-load-add=validate_password.so
  • 24. 24 validate_plugin - Validate mysql: root@localhost ((none)) > show global variables like '%plugin%'; +-------------------------------+--------------------------+ | Variable_name | Value | +-------------------------------+--------------------------+ | default_authentication_plugin | mysql_native_password | | plugin_dir | /usr/lib64/mysql/plugin/ | +-------------------------------+--------------------------+ 2 rows in set (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'validate%'; +-------------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------------+---------------+ | validate_password | ACTIVE | +-------------------+---------------+ 1 row in set (0.00 sec)
  • 25. 25 validate_plugin - Example mysql: root@localhost ((none)) > set global validate_password_length = 6; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > set global validate_password_policy=2; Query OK, 0 rows affected (0.00 sec)
  • 26. 26 validate_plugin - Example mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd12@'; Query OK, 0 rows affected (0.00 sec)
  • 28. 28 Audit Plugin • MySQL Enterprise – Paid • Percona Server (works with community version) – Free • It is different from general log • Filter by command / user / database
  • 29. 29 Audit Plugin - Installing mysql > INSTALL PLUGIN audit_log SONAME 'audit_log.so'; Query OK, 0 rows affected (0.05 sec) mysql > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'audit%'; +-------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------+---------------+ | audit_log | ACTIVE | +-------------+---------------+ 1 row in set (0.00 sec)
  • 30. 30 Audit Plugin [mysqld] ## Audit Logging ## audit_log_policy=ALL audit_log_format=JSON audit_log_file=/var/log/mysql/audit.log audit_log_rotate_on_size=1024M audit_log_rotations=10
  • 31. 31 Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_buffer_size | 1048576 | | audit_log_exclude_accounts | | | audit_log_exclude_commands | | | audit_log_exclude_databases | | | audit_log_file | /var/log/mysql/audit.log | | audit_log_flush | OFF | | audit_log_format | JSON | | audit_log_handler | FILE | | audit_log_include_accounts | | | audit_log_include_commands | | | audit_log_include_databases | |
  • 32. 32 Audit Plugin mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_policy | ALL | | audit_log_rotate_on_size | 1073741824 | | audit_log_rotations | 10 | | audit_log_strategy | ASYNCHRONOUS | | audit_log_syslog_facility | LOG_USER | | audit_log_syslog_ident | percona-audit | | audit_log_syslog_priority | LOG_INFO | +-----------------------------+--------------------------+ 18 rows in set (0.02 sec)
  • 34. 34 Percona Server Encryption Percona server provides extra encryption: • encrypt_binlog • encrypt_tmp_files • innodb_encrypt_online_alter_logs • innodb_encrypt_tables – BETA quality • innodb_parallel_dblwr_encrypt – ALPHA quality • innodb_sys_tablespace_encrypt – ALPHA quality • innodb_temp_tablespace_encrypt – BETA quality
  • 35. 35 Percona Server Encryption [mysqld] # Binary Log Encryption encrypt_binlog master_verify_checksum = 1 binlog_checksum = 1 mysql: root@localhost ((none)) > show global variables like '%encrypt_binlog%'; +----------------+-------+ | Variable_name | Value | +----------------+-------+ | encrypt_binlog | ON | +----------------+-------+ 1 row in set (0.00 sec)
  • 36. 36 Percona Server Encryption mysql: root@localhost ((none)) > show global variables like '%encrypt%'; +----------------------------------+-------------+ | Variable_name | Value | +----------------------------------+-------------+ | block_encryption_mode | aes-128-ecb | | encrypt_binlog | ON | | encrypt_tmp_files | OFF | | innodb_encrypt_online_alter_logs | OFF | | innodb_encrypt_tables | OFF | | innodb_parallel_dblwr_encrypt | OFF | | innodb_sys_tablespace_encrypt | OFF | | innodb_temp_tablespace_encrypt | OFF | +----------------------------------+-------------+ 8 rows in set (0.00 sec)
  • 37. MySQL 8 Features (undo, redo encryption)
  • 38. 38 MySQL 8 - (undo, redo encryption) • MySQL 8 extends tablespace encryption feature to redo log and undo log • It is necessary using one of the Keyring plugins
  • 39. 39 MySQL 8 - (undo, redo encryption) The process is very straightforward, to enable the encryption on the redo log and the undo log: mysql> set global innodb_undo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> set global innodb_redo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> show global variables like '%log_encrypt%'; +-------------------------+-------+ | Variable_name | Value | +-------------------------+-------+ | innodb_redo_log_encrypt | ON | | innodb_undo_log_encrypt | ON | +-------------------------+-------+ 2 rows in set (0.00 sec)
  • 41. 41 Transparent Data Encryption (TDE) • Enables data-at-rest encryption in the database • Encryption and decryption occurs without any additional coding, data type or schema modifications
  • 42. 42 Transparent Data Encryption (TDE) [mysqld] # TDE early-plugin-load=keyring_file.so keyring-file-data=/var/lib/mysql-keyring/keyring mysql: root@localhost ((none)) > INSTALL PLUGIN keyring_udf SONAME 'keyring_udf.so'; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'keyring%'; +--------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +--------------+---------------+ | keyring_file | ACTIVE | | keyring_udf | ACTIVE | +--------------+---------
  • 43. 43 Transparent Data Encryption (TDE) mysql: root@localhost ((none)) > SELECT keyring_key_generate('MyKey', 'AES', 32); +------------------------------------------+ | keyring_key_generate('MyKey', 'AES', 32) | +------------------------------------------+ | 1 | +------------------------------------------+ 1 row in set (0.00 sec) mysql> CREATE TABLESPACE `amer_meeting1` ADD DATAFILE 'amer_meeting1.ibd' ENCRYPTION = 'Y' Engine=InnoDB; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='N'; ERROR 1478 (HY000): InnoDB: Tablespace `vgrippa` can contain only an ENCRYPTED tables. mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='Y'; Query OK, 0 rows affected (0.02 sec)
  • 44. 44 Transparent Data Encryption (TDE) A flag field in the INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES has bit number 13 set if tablespace is encrypted. mysql: root@localhost (test) > SELECT space, name, flag, (flag & 8192) != 0 AS encrypted FROM INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES WHERE name in ('vgrippa'); +-------+---------+-------+-----------+ | space | name | flag | encrypted | +-------+---------+-------+-----------+ | 156 | vgrippa | 10240 | 1 | +-------+---------+-------+-----------+ 1 row in set (0.00 sec)
  • 46. 46 caching_sha2_password MySQL provides two authentication plugins that implement SHA-256 hashing for user account passwords: • sha256_password: Implements basic SHA-256 authentication • caching_sha2_password: Implements SHA-256 authentication (like sha256_password), but uses caching on the server side for better performance and has additional features for wider applicability. (In MySQL 5.7, caching_sha2_password is implemented only on the client) Note: In MySQL 8.0, caching_sha2_password is the default authentication plugin rather than mysql_native_password.
  • 47. 47 caching_sha2_password mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec) mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec)
  • 48. 48 caching_sha2_password mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+------------------------- ------------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+------------------------- ------------------+ | vgrippa | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | | vgrippa1 | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | +----------+-----------+-----------------------+------------------------- ------------------+ 2 rows in set (0.00 sec)
  • 49. 49 Example # MySQL 8 [mysqld] default_authentication_plugin=caching_sha2_password mysql> CREATE USER 'sha2user'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'password'; Query OK, 0 rows affected (0.06 sec) mysql> select user,host, plugin from mysql.user where user like 'sha2user%'; +----------+-----------+-----------------------+ | user | host | plugin | +----------+-----------+-----------------------+ | sha2user | localhost | caching_sha2_password | +----------+-----------+-----------------------+ 1 row in set (0.00 sec)
  • 50. 50 Example mysql: root@localhost ((none)) > create user vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost ((none)) > create user vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec)
  • 51. 51 Example mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+-------------------------------------- ----------------------------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+-------------------------------------- ----------------------------------+ | vgrippa | localhost | caching_sha2_password | $A$005$)8?=V_"J75FFq |jUVMUZmnZ1t8aSybB4AISoj1MXdlseI0rQay6bGGlne8 | | vgrippa1 | localhost | caching_sha2_password | $A$005$zEZ;bEmj[hq1T!LFtqZzAB0hacxgwNfHM/gL6gBFHqY1wuozW2NO4Gj9958 | +----------+-----------+-----------------------+-------------------------------------- ----------------------------------+ 2 rows in set (0.01 sec)
  • 53. 53 FIPS • MySQL supports FIPS mode, if compiled using OpenSSL, and an OpenSSL library and FIPS Object Module are available at runtime • FIPS mode on the server side applies to cryptographic operations performed by the server. This includes replication (master/slave and Group Replication) and X Plugin, which run within the server. FIPS mode also applies to attempts by clients to connect to the server
  • 54. 54 Example mysql> show global variables like '%fips%'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | ssl_fips_mode | ON | +---------------+-------+ 1 row in set (0.01 sec) mysql> set global ssl_fips_mode=1; Query OK, 0 rows affected (0.06 sec)
  • 55. 55 Example mysql> select md5('a'); +----------------------------------+ | md5('a') | +----------------------------------+ | 00000000000000000000000000000000 | +----------------------------------+ 1 row in set, 1 warning (0.00 sec)
  • 56. 56 Example mysql> show warnings; +---------+-------+------------------------------------------------------------ ------------+ | Level | Code | Message | +---------+-------+------------------------------------------------------------ ------------+ | Warning | 11272 | SSL fips mode error: FIPS mode ON/STRICT: MD5 digest is not supported. | +---------+-------+------------------------------------------------------------ ------------+ 1 row in set (0.00 sec)
  • 57. 57 Example mysql> select sha2('a', 256); +------------------------------------------------------------------+ | sha2('a', 256) | +------------------------------------------------------------------+ | ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb | +------------------------------------------------------------------+ 1 row in set (0.00 sec)
  • 58. Roles
  • 59. 59 Roles ● MySQL 8 comes with Roles feature. A role is a named collection of privileges. Like user accounts, roles can have privileges granted to and revoked from them.
  • 60. 60 Roles mysql> create role app_read; Query OK, 0 rows affected (0.03 sec) mysql> grant select on *.* to app_read; Query OK, 0 rows affected (0.04 sec)
  • 61. 61 Roles mysql> select * from app_db.joinit; ERROR 1142 (42000): SELECT command denied to user 'test_role'@'localhost' for table 'joinit' mysql> SELECT CURRENT_ROLE(); +----------------+ | CURRENT_ROLE() | +----------------+ | NONE | +----------------+ 1 row in set (0.00 sec)
  • 62. 62 Roles mysql> SET ROLE all; Query OK, 0 rows affected (0.00 sec) mysql> SELECT CURRENT_ROLE(); +-------------------------------------------------------+ | CURRENT_ROLE() | +-------------------------------------------------------+ | `app_read`@`%`,`app_write`@`%`,`app_read`@`localhost` | +-------------------------------------------------------+ 1 row in set (0.00 sec) mysql> select * from app_db.joinit;
  • 63. 63 Roles It is possible to use activate_all_roles_on_login to activate all roles granted to each account at login time.
  • 64. 64 References # SO/Cloud security https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html # Audit log https://www.percona.com/blog/2015/09/10/percona-server-audit-log-plugin-best-practices/ #caching_sha2_password https://dev.mysql.com/doc/refman/5.7/en/caching-sha2-pluggable-authentication.html # SSL https://www.percona.com/blog/2013/06/22/setting-up-mysql-ssl-and-secure-connections/#setu p https://www.percona.com/blog/2013/10/10/mysql-ssl-performance-overhead/ # TDE https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption. html https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encryption. html#usage https://dev.mysql.com/doc/refman/5.7/en/keyring-file-plugin.html # Roles https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_activate_all_roles_on _login https://dev.mysql.com/doc/refman/8.0/en/roles.html # Password management https://dev.mysql.com/doc/refman/5.7/en/password-management.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-installation.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-options-variables.html # FIPS https://dev.mysql.com/doc/refman/8.0/en/fips-mode.html # Percona Server 8.0 Alpha release https://www.percona.com/blog/2018/09/27/announcement-alpha-build-of-percona-server-8-0/ # MySQL 8 redo and undo encryption https://dev.mysql.com/doc/refman/8.0/en/innodb-tablespace-encryption.html#innodb-tablespace-encr yption-about
  • 66. Thank You to Our Sponsors