Copyright © 2018, Oracle and/or its affiliates. All rights reserved. |
MySQL & GDPR
Privacy and Security requirements
Olivier Dasini
MySQL Principal Solutions Architect EMEA
olivier.dasini@oracle.com
Twitter : @freshdaz
Blog : http://dasini.net/blog
Safe Harbor Statement
The following is intended to outline our general product direction. It is
intended for information purposes only, and may not be incorporated
into any contract. It is not a commitment to deliver any material, code,
or functionality, and should not be relied upon in making purchasing
decisions. The development, release, and timing of any features or
functionality described for Oracle’s products remains at the sole
discretion of Oracle.
Me, Myself & I
➢ MySQL Geek
✔ Addicted to MySQL for 15+ years!
✔ Playing with databases for 20+ years
➢ MySQL Writer, Blogger and Speaker
✔ Also former : DBA, Consultant, Architect, Trainer, ...
➢ MySQL Principal Solutions Architect EMEA at Oracle
➢ Stay tuned! :
✔ Twitter : @freshdaz
✔ Blog : http://dasini.net/blog
Olivier DASINI
89%
of Organizations Experienced Data
Breaches, According to New Ponemon
Report
Source: Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data,
conducted by Ponemon Institute
66%
of the largest businesses in the UK have
suffered a cyberattack or data breach
within the past twelve months
Source: UK government's Cyber Security Breaches Survey 2016
25%
experience a repeated breach at least once
a month
Source: UK government's Cyber Security Breaches Survey 2016
Mega Breaches
429 Million identities
exposed in 2015.
75%
Web sites with vulnerabilities.
15% of all websites had a
critical vulnerability.
9
In 2015, a record of nine
mega-breaches were
reported.
One of the world's largest: 191M.
(Mega-breach = more than 10 million
records.)
Mobile Vulnerabilities on
the rise – up 214%
Infection by SQL Injection
still strong.
Malware attacks on
databases
Source: Internet Security Threat Report 2016, Symantec
Cost of Data Breaches
Source: Ponemon Institute, 2018
[Figure: two bar charts of breach cost against number of records. Panel "Small to Medium Breaches": bars of $1,900,000, $2,800,000, $4,600,000 and $6,300,000. Panel "Mega Breaches": bars of $199,830,000, $279,310,000, $325,270,000 and $350,440,000. Record-axis labels: 20 Million, 30 Million, 40 Million, 50 Million.]
Database Vulnerabilities
• Poor Configurations
– Set controls and change default setting
• Over Privileged Accounts
– Privilege Policies
• Weak Access Control
– Dedicated Administrative Accounts
• Weak Authentication
– Strong Password Enforcement
• Weak Auditing
– Compliance & Audit Policies
• Lack of Encryption
– Data, Backup, & Network Encryption
• Proper Credential & Key Management
– Use mysql_config_editor , Key Vaults
• Unsecured Backups
– Encrypted Backups
• No Monitoring
– Security Monitoring, Users, Objects
• Poorly Coded Applications
– Database Firewall
Database Attacks
• SQL Injection
– Prevention: DB Firewall, White List, Input Validation
• Buffer Overflow
– Prevention: Frequently apply Database Software updates, DB Firewall, White List, Input Validation
• Insider Abuse
– Prevention: Tight Access Controls, User specific authentication, Auditing, Monitoring, Encryption
• Brute Force Attack
– Prevention: lock out accounts after a defined number of incorrect attempts.
• Network Eavesdropping
– Prevention: Require SSL/TLS for all Connections and Transport
• Malware
– Prevention: Tight Access Controls, Limited Network IP access, Change default settings, Encryption
Complexity grows, Risk Grows
MySQL Security Improvements
• Test/Demo database has been removed
– Now in separate packages
• Anonymous account creation is removed.
• Creation of single root account – local host only
• Default installation ensures encrypted communication by default
– Automatic generation of SSL/RSA Certs/Keys
• For EE : At server startup if options Certs/Keys were not set
• For CE : Through new mysql_ssl_rsa_setup utility
• Automatic detection of SSL Certs/Keys
• Client attempts secure TLS connection by default
• Compile time restriction over location used for data import/export operations
• Ensures location has restricted access
• Only mysql user and group
• Supports disabling data import/export
• Set secure-file-priv to empty string
MySQL Installer for Windows includes various Security Setup and Hardening Steps
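Added example, not from the original slides: queries a DBA can run to confirm that a running server still matches the hardened defaults listed on this slide. It assumes an account allowed to read the mysql schema and performance_schema.

```sql
-- Anonymous accounts: expected result is no rows.
SELECT user, host FROM mysql.user WHERE user = '';

-- root accounts reachable from anything other than the local host:
-- expected result is no rows.
SELECT user, host
FROM mysql.user
WHERE user = 'root'
  AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- Leftover test/demo schema and legacy grants on it: expected result is no rows.
SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME = 'test';
SELECT host, db, user FROM mysql.db WHERE db LIKE 'test%';

-- TLS material detected by the server, whether TLS is mandatory,
-- and the import/export restriction.
-- secure_file_priv per the reference manual: a directory name restricts
-- import/export to that directory, NULL disables import/export,
-- and an empty value applies no restriction.
SHOW GLOBAL VARIABLES
WHERE Variable_name IN ('ssl_ca', 'ssl_cert', 'ssl_key', 'tls_version',
                        'require_secure_transport', 'secure_file_priv');

-- Client sessions currently connected without TLS.
-- Local socket connections also show an empty cipher.
SELECT t.PROCESSLIST_USER AS user,
       t.PROCESSLIST_HOST AS host,
       sbt.VARIABLE_VALUE AS tls_cipher
FROM performance_schema.status_by_thread AS sbt
JOIN performance_schema.threads AS t ON t.THREAD_ID = sbt.THREAD_ID
WHERE sbt.VARIABLE_NAME = 'Ssl_cipher'
  AND sbt.VARIABLE_VALUE = ''
  AND t.TYPE = 'FOREGROUND';

-- Clients attempt TLS by default; this makes it mandatory for TCP connections.
SET PERSIST require_secure_transport = ON;
```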
SQL Roles
• Improving MySQL Access Controls
• Easier to manage user and applications rights
• As standards compliant as practically possible
• Multiple default roles
• Export the role graph in GraphML
– Visualize with ROLES_GRAPHML()
[Diagram labels: Directly, Indirectly, Set Role(s), Default Role(s), Set of ACLs]
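Added example, not from the original slides: the role features above applied to a least-privilege setup. The crm schema, the role names, the accounts and the passwords are hypothetical.

```sql
-- Two roles: one read-only, one for writes (hypothetical schema "crm").
CREATE ROLE 'crm_read', 'crm_write';
GRANT SELECT ON crm.* TO 'crm_read';
GRANT INSERT, UPDATE, DELETE ON crm.* TO 'crm_write';

-- A role can be granted to another role: crm_write now carries the
-- crm_read privileges indirectly.
GRANT 'crm_read' TO 'crm_write';

-- Hypothetical application accounts with constructed passwords.
CREATE USER 'report_app'@'localhost' IDENTIFIED BY 'Constructed-Passw0rd!1';
CREATE USER 'crm_app'@'localhost' IDENTIFIED BY 'Constructed-Passw0rd!2';
GRANT 'crm_read' TO 'report_app'@'localhost';
GRANT 'crm_read', 'crm_write' TO 'crm_app'@'localhost';

-- A granted role is inactive until it is a default role or the session
-- activates it with SET ROLE. Several default roles can be set at once.
SET DEFAULT ROLE 'crm_read' TO 'report_app'@'localhost';
SET DEFAULT ROLE 'crm_read', 'crm_write' TO 'crm_app'@'localhost';

-- Review the effective privileges with the roles expanded.
SHOW GRANTS FOR 'crm_app'@'localhost' USING 'crm_read', 'crm_write';

-- Inside a session: which roles are active right now?
SELECT CURRENT_ROLE();

-- Export the whole role graph as GraphML for review in a graph viewer.
SELECT ROLES_GRAPHML();
```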
Password Features
• Password history - gives DBAs more control over password management
– Require that new passwords not reuse old ones - by number of changes and/or time.
– Establish password-reuse policy globally as well as on a per-account basis.
• SHA2 with Caching
– Strong and Fast
– Strong - SHA-256 password hashing (many rounds, seeds, …)
– Fast - Caching
• Greatly reduces latency
– https://mysqlserverteam.com/upgrading-to-mysql-8-0-default-authentication-plugin-considerations/
• Support for more connection protocols
• Seamless RSA password-exchange capabilities (No linking OpenSSL)
Password Features
• New! Current password required for SET PASSWORD (8.0.13+)
– Enhances security by allowing users to change their password only if they can provide the current password
– The new behavior is controlled by the password_require_current column in the mysql.user table for every user
– https://dev.mysql.com/worklog/task/?id=11544
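Added example, not from the original slides: the password-reuse policy and the current-password requirement set globally and then overridden per account. The account name and the passwords are constructed for illustration.

```sql
-- Global policy: a new password must differ from the last 6 passwords
-- and from any password used in the past 365 days.
SET PERSIST password_history = 6;
SET PERSIST password_reuse_interval = 365;

-- 8.0.13+: require the current password for password changes, server-wide.
SET PERSIST password_require_current = ON;

-- Per-account override (hypothetical account), hashed with SHA2 with caching.
CREATE USER 'dpo_analyst'@'localhost'
  IDENTIFIED WITH caching_sha2_password BY 'Constructed-Passw0rd!1'
  PASSWORD HISTORY 10
  PASSWORD REUSE INTERVAL 730 DAY
  PASSWORD REQUIRE CURRENT;

-- Run as dpo_analyst: the change is accepted only with the current
-- password in the REPLACE clause.
ALTER USER USER()
  IDENTIFIED BY 'Constructed-Passw0rd!2'
  REPLACE 'Constructed-Passw0rd!1';

-- Accounts holding the CREATE USER privilege can still reset another
-- account's password without knowing the current one.

-- Audit which accounts carry which policy. NULL in a column means the
-- account follows the global setting.
SELECT user, host, plugin,
       Password_reuse_history,
       Password_reuse_time,
       Password_require_current
FROM mysql.user
ORDER BY user, host;
```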
8.0: File and Tablespace Encryption
• AES 256 encryption of UNDO and REDO Logs
• Super Simple to manage - Set
– innodb_undo_log_encrypt=ON/OFF 
– innodb_redo_log_encrypt=ON/OFF
• And
– ON - Pages written after setting are encrypted
– OFF - Pages written after setting are not
• New! Support Transparent Data Encryption for Shared Tablespaces (8.0.13+)
– Extends tablespace encryption to general/shared tablespaces
– Encryption ON/OFF can be specified either at create time or later with the SQL Syntax
● CREATE/ALTER TABLESPACE my_tablespace ENCRYPTION='Y'/'N'; (default is unencrypted)
• Encryption is handled at the tablespace level, so either all or none of the tables in the tablespace are encrypted
• https://dev.mysql.com/worklog/task/?id=9286
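Added example, not from the original slides: enabling the encryption settings above and then checking what is still stored unencrypted. It assumes MySQL 8.0.13 or later with a keyring plugin already loaded at startup; the tablespace name pii_ts is hypothetical.

```sql
-- A keyring must be available before InnoDB can encrypt anything.
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'keyring%';

-- Encrypt redo and undo log pages written from now on.
-- Pages written earlier stay as they were.
SET PERSIST innodb_redo_log_encrypt = ON;
SET PERSIST innodb_undo_log_encrypt = ON;

-- Create a general (shared) tablespace that is encrypted from the start.
CREATE TABLESPACE pii_ts ADD DATAFILE 'pii_ts.ibd' ENCRYPTION = 'Y';

-- An existing general tablespace can be switched later in either direction.
ALTER TABLESPACE pii_ts ENCRYPTION = 'Y';

-- Check 1: tablespaces that are not encrypted.
SELECT NAME, SPACE_TYPE, ENCRYPTION
FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
WHERE ENCRYPTION <> 'Y'
ORDER BY NAME;

-- Check 2: tables that were created or altered with an ENCRYPTION clause.
SELECT TABLE_SCHEMA, TABLE_NAME, CREATE_OPTIONS
FROM INFORMATION_SCHEMA.TABLES
WHERE CREATE_OPTIONS LIKE '%ENCRYPTION%';

-- Rotate the master key. Only the tablespace keys are re-encrypted,
-- the data pages are not rewritten.
ALTER INSTANCE ROTATE INNODB MASTER KEY;
```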
Regulatory Compliance
• Regulations
– PCI – DSS: Payment Card Data
– HIPAA: Privacy of Health Data
– Sarbanes Oxley, GLBA, The USA Patriot Act:
Financial Data, NPI "personally identifiable financial information"
– FERPA – Student Data
– General Data Protection Regulation: Protection of Personal Data (GDPR)
– Data Protection Act (UK): Protection of Personal Data
• Requirements
– Continuous Monitoring (Users, Schema, Backups, etc)
– Data Protection (Encryption, Privilege Management, etc.)
– Data Retention (Backups, User Activity, etc.)
– Data Auditing (User activity, etc.)
Introduction
https://ec.europa.eu/info/law/law-topic/data-protection_en
Appropriate Security Controls
Data must be processed with controls that provide
“Privacy by design, appropriate security & confidentiality”
– Recitals of note - R74-78, R81, R83, R87, R90, A5, A24-25, A28, A32, A35
• Exact security controls are not specified in the GDPR
– WHAT to do
– Not HOW to do it
EU General Data Protection Regulation (GDPR)
• Data privacy as a fundamental right
• Defines Data protection responsibilities, baselines, principles
• Provides Enforcement Powers
Focus is on 3 Areas (but common theme for Regulations)
• Assessment – Processes, Profiles, Data Sensitivity, Risks
• Prevention – Encryption, Anonymization, Access Controls, Separation of Duties
• Detection – Auditing, Activity monitoring, Alerting, Reporting
GDPR and MySQL
• We can’t be entirely prescriptive
• We have many things that can be applied towards attaining compliance
– Products
– Features
– Best Practices
– Documents
– Integrations
MySQL Security Overview
Authentication
Authorization
Encryption
Firewall
MySQL Security
Auditing
Masking/De-Identification
Assess Security Risks
Discover Personal Data
Scan Security Configuration
Privilege Analysis
Assess - MySQL Enterprise Features and GDPR
• Assess Risks (Articles 35, 90, 91)
– MySQL Enterprise Monitor
• Account assessment and reporting
• Identifies Security Vulnerabilities – discover security holes, advises remediating actions
– Advisors provide rules designed to enforce security best practices and alert upon discovering vulnerabilities
– MySQL Enterprise Workbench
• Discover tables and columns containing “Personal Data”
• Data Modeling tool - Reverse Engineering of Data Model to review data stored in the database
• Schema Inspector, Table Inspectors – for schema assessment, grant inspection
– MySQL Security Best Practices Guidelines
• https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/
• https://dev.mysql.com/doc/mysql-secure-deployment-guide/8.0/en/
MySQL Enterprise Monitor
• Enforce MySQL Security Best Practices
– Identifies Vulnerabilities
– Assesses current setup against security
hardening policies
• Monitoring & Alerting
– User Monitoring
– Password Monitoring
– Schema Change Monitoring
– Backup Monitoring
– Configuration Management
– Configuration Tuning Advice
• Centralized User Management
"I definitely recommend the MySQL Enterprise Monitor to DBAs
who don't have a ton of MySQL experience. It makes monitoring
MySQL security, performance and availability very easy to
understand and to act on.”
Sandi Barr
Sr. Software Engineer
Schneider Electric
Assess MySQL Authorization
• Administrative Privileges
• Database Privileges
• Session Limits and Object Privileges
• User privileges
– Creating, altering and deleting databases
– Creating, altering and deleting tables
– Execute INSERT, SELECT, UPDATE, DELETE queries
– Create, execute, or delete stored procedures and with what rights
– Create or delete indexes
Security Privilege Management in MySQL Workbench
MySQL Enterprise Monitor
Assess your data and data model using MySQL Workbench
Prevent - MySQL Enterprise Features and GDPR
• Prevent Attacks (Articles 32, 83, 28, 26, 5, 20, 27, 30, 64)
– MySQL Enterprise Security – Encrypt Data-at-rest using Transparent Data Encryption
• Includes Key Management; Protects Tablespace via Encryption, Keys via Key Manager/Vault integration
– MySQL Enterprise Security – Masking and De-identification
• Pseudonymize sensitive information (e.g. customers, billing…)
• Anonymize Personal Data before processing for development and testing
– MySQL Enterprise Security – Firewall
• MySQL Firewall Statement/User/IP Whitelists, Rules
– MySQL Enterprise Security – Authentication
• Centralized Authentication Infrastructure
– DBA configurable IP whitelisting, Connection Limits, …
• Via server level and via per Account IP/Hostname Controls, Account resource limits, ...
– In transit data encryption
• Full support for TLS 1.2 - X509, Certificate Authorities, Exclude Lists, etc.
– Granular access controls
• Table Grants, Database Views, Stored Procedures, Functions
MySQL Transparent Data Encryption
Protects against Attacks on Database Files
[Diagram: a hacker or dishonest OS user accesses the MySQL database files directly; tablespace files, undo/redo logs and shared tablespaces are encrypted with a protected key, so information access is blocked by encryption.]
Keyring plugin - used to retrieve keys from Key Stores over Standardized KMIP protocol
What is Transparent Data Encryption?
• Data at Rest Encryption
– General/Shared Tablespaces, Redo & Undo logs, Disks, Storage, OS File system
• Strong Encryption – AES 256
• Keep it simple to manage – Complexity is the enemy of security
– One master key for the whole instance
– Easy, flexible to manage encrypted tablespaces (support tablespace export/import)
• Transparent to applications and users
– No application code, schema or data type changes
• Transparent to DBAs
– Keys are hidden from DBAs, no configuration changes
• High Performance / Low Overhead
– Simple Key Rotation without massive decryption/encryption costs
• Requires Key Management
– Protection (most important thing), rotation, storage, recovery
MySQL Enterprise Transparent Data Encryption
KMIP Compliant
• KMIP – Key Management Interoperability Protocol (OASIS Standard)
– Keys are protected and secure
• KMIP mode tested with the following products
– Oracle Key Vault (OKV)
– Gemalto Safenet KeySecure
– Fornetix Key Orchestration Appliance
– Thales Vormetric Key Manager
• Enables customers to meet regulatory requirements
• Additional Options
– Key Ring File
– Encrypted Key Ring File
Also
– Cloud Key Services (AWS)
• https://dev.mysql.com/doc/refman/8.0/en/keyring.html
MySQL Enterprise Firewall: Overview
[Diagram: inbound SQL traffic from the Internet and web applications, including a SQL injection attack via browser, passes through MySQL Enterprise Firewall in front of the instance. The firewall can (1) ALLOW, (2) BLOCK or (3) DETECT.]
MySQL Enterprise Firewall: Operating Modes
1. ALLOW – Execute SQL
- SQL Matches Whitelist
- SQL Passes Rule
- Blocks SQL Attacks, Allows “Matching” SQL
2. BLOCK – Block the request (BLOCK and ALERT)
- Not in Whitelist
- SQL FAILs Rule
- In Block Mode
3. DETECT (IDS) – Execute SQL & Alert (ALLOW and ALERT)
- Not in Whitelist
- SQL FAILs Rule
- In Alert Mode
MySQL Enterprise Firewall
• Real Time Protection
– Queries checked against White List and Custom Rules
• Blocks SQL Injection Attacks
– Block Out of Policy Transactions
• Intrusion Detection
– Detect and Alert on Out of Policy Transactions
• Automated White List
– Learning mode for creation of approved list of SQL command patterns on a per user basis
• Custom Rules using JSON definition
• Transparent
– No changes to application required
MySQL Enterprise Firewall monitoring
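Added example, not from the original slides: the learning, detect and block workflow for one account, using the firewall's stored procedure and INFORMATION_SCHEMA tables as shipped with the 8.0 releases these slides cover. It assumes MySQL Enterprise Firewall is installed; the account crm_app@localhost is hypothetical.

```sql
-- 1. Learning mode: record the normalized statements the application
--    issues during a representative, trusted run.
CALL mysql.sp_set_firewall_mode('crm_app@localhost', 'RECORDING');

-- ... exercise the application against the server ...

-- 2. Review the recorded whitelist before trusting it. Anything that
--    was run during recording is treated as approved from here on.
SELECT RULE
FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
WHERE USERHOST = 'crm_app@localhost';

-- 3a. DETECT: statements outside the whitelist still execute, and are
--     reported in the server error log as suspicious.
CALL mysql.sp_set_firewall_mode('crm_app@localhost', 'DETECTING');

-- 3b. BLOCK: statements outside the whitelist are rejected.
CALL mysql.sp_set_firewall_mode('crm_app@localhost', 'PROTECTING');

-- Monitoring: current mode per account and the firewall counters
-- (granted, denied, suspicious, cached entries).
SELECT USERHOST, MODE FROM INFORMATION_SCHEMA.MYSQL_FIREWALL_USERS;
SHOW GLOBAL STATUS LIKE 'Firewall%';
```

Running in DETECTING mode for a while before switching to PROTECTING shows which legitimate statements the recording missed.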
MySQL Enterprise Masking & De-Identification
De-identify, Anonymize Sensitive Data
MySQL Enterprise Masking & De-Identification
Data Masking and Random Data Generation
• Data Masking
– String masking
– Dictionary based replacement
– Specific masking
● SSN
● Payment card : Strict/Relaxed
• Random Data Generator
– Random number within a range
– Email
– Payment card (Luhn check compliant)
– SSN
– Dictionary based generation
MySQL Enterprise Masking & De-Identification
Data Masking
• String data masking
– Mask a substring within a string : ArthXXXXnt
– Mask substrings at the beginning and at the end : XXthurDeXX
• SSN masking : XXXX-XX-1234
• Payment Card masking
– Strict: XXXXXXXXXXXXXXX7395, Relaxed: 493812XXXXXXXXX7395
• Dictionary based masking
– gen_blacklist("007", "00designations", "Cover_identity") => Universal Exports
MySQL Enterprise Masking & De-Identification
Random Data Generation
• Random data within range
– gen_rnd(10000, 20000) => 12503
• Email : kajsm.hamskdk@example.com
• Payment card : 7389026626032990
– Configurable length : 12 to 19 digits
• SSN : 915-63-3858
• US Phone number : 1-555-3456-332
MySQL Enterprise Masking & De-Identification
Dictionary based data generation, data blacklists
• Load multiple dictionaries
– Maps dictionary file => dictionary name
– In memory data for faster retrieval
• Generation based on dictionary data
– gen_dictionary("periodictable") => Oxygen
– If 007 is on the blacklist then substitute, otherwise provide random value
• Blacklisted – 007 – thus randomly substituted from Jobs Dictionary
– gen_blacklist("007", "Job_mask", "Jobs") => "Accountant"
• Not blacklisted – Administrator – thus passes through
– gen_blacklist("Administrator", "Job_mask", "Jobs") => "Administrator"
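Added example, not from the original slides: the masking functions exposed through a view so that support staff never read the raw columns, and the random generators used to de-identify a development copy. It assumes the MySQL Enterprise masking functions are installed; the crm and crm_dev schemas, the customer table and its columns, the role name and the dictionary file paths are hypothetical.

```sql
-- Load the dictionaries used by gen_blacklist(). Paths are placeholders.
SELECT gen_dictionary_load('/path/to/job_mask.txt', 'Job_mask');
SELECT gen_dictionary_load('/path/to/jobs.txt', 'Jobs');

-- Masked view over the base table. The masking functions return binary
-- strings, so each result is converted to a character set.
CREATE VIEW crm.customer_masked AS
SELECT
  id,
  CONVERT(mask_outer(last_name, 2, 2) USING utf8mb4)      AS last_name,
  CONVERT(mask_ssn(ssn) USING utf8mb4)                    AS ssn,
  CONVERT(mask_pan_relaxed(card_number) USING utf8mb4)    AS card_number,
  CONVERT(gen_blacklist(job_title, 'Job_mask', 'Jobs')
          USING utf8mb4)                                  AS job_title
FROM crm.customer;

-- Support staff get the view only, never the base table.
CREATE ROLE 'crm_support';
GRANT SELECT ON crm.customer_masked TO 'crm_support';

-- De-identify a copy of the data for development and testing.
-- Run this against the copy, not against production.
UPDATE crm_dev.customer
SET ssn         = gen_rnd_ssn(),
    email       = gen_rnd_email(),
    card_number = gen_rnd_pan(),
    phone       = gen_rnd_us_phone();
```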
MySQL Enterprise Authentication
Integrates MySQL with existing
security infrastructures
• Integrate with Centralized Authentication Infrastructure
– Centralized Account Management
– Password Policy Management
– Groups & Roles
• PAM (Pluggable Authentication Modules)
– Native LDAP
• Access native LDAP service for authentication
– Windows
• Access native Windows service - Use to Authenticate users using Windows Active Directory or to a
native host
– Linux PAM Standard interface (Unix, LDAP, Kerberos, others)
Detect - MySQL Enterprise Features and GDPR – 1 of 2
• Detect (Articles 30, 82, 33)
– MySQL Enterprise Security – Audit
• Policy-based auditing solution – gather audit log of activity
• Use to spot database misuse
• Use to prove compliance to GDPR
– MySQL Enterprise Security – Firewall
• Real-time protection against database specific attacks
• Use to alert and/or block nefarious activity – such as personal data leakage
MySQL Enterprise Audit
• Out-of-the-box logging of connections, logins, and query
• Simple to fine grained policies for filtering, and log rotation
• Dynamically enabled, disabled: no server restart
• Various options for the Audit Logs
– XML-based audit stream
– JSON
– Compression
– Encryption
– Remote Read Only SQL statement access
• Send data to a remote server / audit data vault
• Oracle Audit Vault, Splunk, etc...
Adds regulatory compliance to
MySQL applications
(GDPR, HIPAA, PCI DSS, etc.)
MySQL Enterprise Audit - Work Flow
• NEW! JSON
• NEW! SQL Views
MySQL Enterprise Audit Filtering
• Starting with MySQL Enterprise 5.7.13
• Allows DBAs to “custom” design audit process
– Use very fine grained rules
• Reduce audit log file size
• Reduce File System IO and Storage / Increases performance (fewer items logged).
• Increases audit log post processing efficiency – less data to process for immediate answers.
• Defined using JSON
– Coarse grained rules
• When you need to watch everything
• Obsolete. The new audit log filtering is recommended.
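Added example, not from the original slides: a fine-grained JSON filter that logs every connection event plus reads and writes on one schema, assigned as the default filter for all accounts. It assumes MySQL Enterprise Audit is installed with audit_log_format=JSON; the filter name pii_access and the schema name crm are hypothetical.

```sql
-- Define the filter: all connection events, and table access events
-- only when they touch the crm schema.
SELECT audit_log_filter_set_filter('pii_access', '{
  "filter": {
    "class": [
      { "name": "connection" },
      {
        "name": "table_access",
        "event": {
          "name": [ "read", "insert", "update", "delete" ],
          "log": {
            "field": { "name": "table_database.str", "value": "crm" }
          }
        }
      }
    ]
  }
}');

-- Make it the default filter for every account ('%').
SELECT audit_log_filter_set_user('%', 'pii_access');

-- Review what is configured.
SELECT NAME, FILTER FROM mysql.audit_log_filter;
SELECT USER, HOST, FILTERNAME FROM mysql.audit_log_user;

-- Read recent events over SQL, starting at the latest bookmark
-- (available with the JSON log format).
SELECT audit_log_read(audit_log_read_bookmark());
```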
Detect - MySQL Enterprise Features and GDPR – 2 of 2
– MySQL Enterprise Workbench
• Security related
– Inspect Audit Data
– Configure Firewall
– Manage Users
– MySQL Enterprise Monitor
• Monitor / Alert on Firewall, Audit, Backups and more
• Detect configuration changes
Additional Security Controls – 1 of 3
Hashing, Signing, Encryption Functions
– Symmetric Encryption – AES
– Hashing – SHA-2, SHA-1
– Asymmetric Public Key Encryption (RSA)
– Asymmetric Private Key Decryption (RSA)
– Generate Public/Private Key (RSA, DSA, DH)
– Derive Symmetric Keys from Public and Private Key pairs (DH)
– Digitally Sign Data (RSA, DSA)
– Verify Data Signature (RSA, DSA)
– Validate Data Authenticity (RSA, DSA)
Additional Security Controls – 2 of 3
Disaster Recovery - ensure availability of end-user data
• Backup
– MySQL Enterprise Backup
• Full, Incremental, Differential, Partial Online Backups
• Includes encryption (AES 256) & compression
• Support for MySQL TDE
• Point in Time, Full, Partial Recovery options
– Oracle Cloud MySQL database service includes Backup and Recovery
Additional Security Controls – 3 of 3
Disaster Recovery - ensure availability of end-user data
• High Availability
– Various options
• MySQL InnoDB Cluster
– Based on MySQL Master / Master - Group Replication
• Traditional MySQL Replication Topologies
– Asynchronous
– Semi-synchronous
MySQL Enterprise Edition
• MySQL Enterprise Authentication
– External Authentication Modules
• Microsoft AD, Linux PAMs, Native LDAP
• MySQL Enterprise Encryption
– Public/Private Key Cryptography
– Asymmetric Encryption
– Digital Signatures, Data Validation
• MySQL Enterprise Firewall
– Block SQL Injection Attacks
– Intrusion Detection
• MySQL Enterprise Audit
– User Activity Auditing, Regulatory Compliance
• MySQL Enterprise Monitor
– Changes in Database Configurations, Users Permissions, Database Schema, Passwords
• MySQL Enterprise Backup
– Securing Backups, AES 256 encryption
• MySQL Enterprise TDE
– AES 256 encryption
– Key Management
• MySQL Enterprise De-Identification
– Data Masking and Obfuscation
– Formatted Data Randomization
– Pseudonymization, Data Blacklists
– Random Data Generation
Enterprise
Masking & De-Identification
• Masking
• Substitute/Subset
• Random Formatted Data
• Blacklisted Data
References
• MySQL Enterprise Security : https://dev.mysql.com/doc/refman/8.0/en/mysql-enterprise-security.html
• Security in MySQL : https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/
• MySQL Secure Deployment Guide : https://dev.mysql.com/doc/mysql-secure-deployment-guide/8.0/en/
• MySQL Enterprise Audit : https://www.mysql.com/products/enterprise/audit.html
• MySQL Enterprise Transparent Data Encryption : https://www.mysql.com/products/enterprise/tde.html
• MySQL Enterprise Masking and De-identification : https://www.mysql.com/products/enterprise/masking.html
• MySQL Enterprise Authentication : https://www.mysql.com/products/enterprise/security.html
• MySQL Enterprise Firewall : https://www.mysql.com/products/enterprise/firewall.html
• MySQL Enterprise Backup : https://www.mysql.com/products/enterprise/backup.html
• MySQL Enterprise Monitor : https://www.mysql.com/products/enterprise/monitor.html
• MySQL Enterprise Encryption : https://www.mysql.com/products/enterprise/encryption.html
• Enterprise Encryption Functions : https://dev.mysql.com/doc/refman/8.0/en/enterprise-encryption-function-reference.html
• MySQL Enterprise Workbench : https://www.mysql.com/products/workbench/
Thank you!
MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements

 
How Partners Can Tap into a New Revenue Stream w/MySQL EE
How Partners Can Tap into a New Revenue Stream w/MySQL EEHow Partners Can Tap into a New Revenue Stream w/MySQL EE
How Partners Can Tap into a New Revenue Stream w/MySQL EENick Mader
 
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate CloudEngineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate CloudMarketingArrowECS_CZ
 
Netherlands Tech Tour 03 - MySQL Cluster
Netherlands Tech Tour 03 -   MySQL ClusterNetherlands Tech Tour 03 -   MySQL Cluster
Netherlands Tech Tour 03 - MySQL ClusterMark Swarbrick
 
Oracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and MaskingOracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and MaskingDLT Solutions
 
The Enablement of an Identity-Centric SOC in the Regulatory Rumba Era
The Enablement of an Identity-Centric SOC in the Regulatory Rumba EraThe Enablement of an Identity-Centric SOC in the Regulatory Rumba Era
The Enablement of an Identity-Centric SOC in the Regulatory Rumba EraLuca Martelli
 
Oracle Management Cloud - HybridCloud Café - May 2016
Oracle Management Cloud - HybridCloud Café - May 2016Oracle Management Cloud - HybridCloud Café - May 2016
Oracle Management Cloud - HybridCloud Café - May 2016Bastien Leblanc
 
Oracle Cloud Café hybrid Cloud 19 mai 2016
Oracle Cloud Café hybrid Cloud 19 mai 2016Oracle Cloud Café hybrid Cloud 19 mai 2016
Oracle Cloud Café hybrid Cloud 19 mai 2016Sorathaya Sirimanotham
 
What_to_expect_from_oracle_database_12c
What_to_expect_from_oracle_database_12cWhat_to_expect_from_oracle_database_12c
What_to_expect_from_oracle_database_12cMaria Colgan
 
Big data oracle_introduccion
Big data oracle_introduccionBig data oracle_introduccion
Big data oracle_introduccionFran Navarro
 
MySQL 8.0 - Security Features
MySQL 8.0 - Security FeaturesMySQL 8.0 - Security Features
MySQL 8.0 - Security FeaturesHarin Vadodaria
 
EAS-SEC Project
EAS-SEC ProjectEAS-SEC Project
EAS-SEC ProjectERPScan
 
Modern Data Security with MySQL
Modern Data Security with MySQLModern Data Security with MySQL
Modern Data Security with MySQLVittorio Cioe
 
Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Andrejs Prokopjevs
 
Solaris 11.4 launch
Solaris 11.4 launchSolaris 11.4 launch
Solaris 11.4 launchScott Lynn
 

Similaire à MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements (20)

DevTalks.ro 2019 What's New in MySQL 8.0 Security
DevTalks.ro 2019 What's New in MySQL 8.0 SecurityDevTalks.ro 2019 What's New in MySQL 8.0 Security
DevTalks.ro 2019 What's New in MySQL 8.0 Security
 
Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...Best Practices for implementing Database Security Comprehensive Database Secu...
Best Practices for implementing Database Security Comprehensive Database Secu...
 
Percona Live Europe 2018: What's New in MySQL 8.0 Security
Percona Live Europe 2018: What's New in MySQL 8.0 SecurityPercona Live Europe 2018: What's New in MySQL 8.0 Security
Percona Live Europe 2018: What's New in MySQL 8.0 Security
 
The Changing Role of a DBA in an Autonomous World
The Changing Role of a DBA in an Autonomous WorldThe Changing Role of a DBA in an Autonomous World
The Changing Role of a DBA in an Autonomous World
 
SOUG Day - autonomous what is next
SOUG Day - autonomous what is nextSOUG Day - autonomous what is next
SOUG Day - autonomous what is next
 
How Partners Can Tap into a New Revenue Stream w/MySQL EE
How Partners Can Tap into a New Revenue Stream w/MySQL EEHow Partners Can Tap into a New Revenue Stream w/MySQL EE
How Partners Can Tap into a New Revenue Stream w/MySQL EE
 
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate CloudEngineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
Engineered Systems - nejlepší cesta, jak zabezpečit váš dataAccelerate Cloud
 
MySQL cluster 7.4
MySQL cluster 7.4 MySQL cluster 7.4
MySQL cluster 7.4
 
Netherlands Tech Tour 03 - MySQL Cluster
Netherlands Tech Tour 03 -   MySQL ClusterNetherlands Tech Tour 03 -   MySQL Cluster
Netherlands Tech Tour 03 - MySQL Cluster
 
Oracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and MaskingOracle Key Vault Data Subsetting and Masking
Oracle Key Vault Data Subsetting and Masking
 
The Enablement of an Identity-Centric SOC in the Regulatory Rumba Era
The Enablement of an Identity-Centric SOC in the Regulatory Rumba EraThe Enablement of an Identity-Centric SOC in the Regulatory Rumba Era
The Enablement of an Identity-Centric SOC in the Regulatory Rumba Era
 
Oracle Management Cloud - HybridCloud Café - May 2016
Oracle Management Cloud - HybridCloud Café - May 2016Oracle Management Cloud - HybridCloud Café - May 2016
Oracle Management Cloud - HybridCloud Café - May 2016
 
Oracle Cloud Café hybrid Cloud 19 mai 2016
Oracle Cloud Café hybrid Cloud 19 mai 2016Oracle Cloud Café hybrid Cloud 19 mai 2016
Oracle Cloud Café hybrid Cloud 19 mai 2016
 
What_to_expect_from_oracle_database_12c
What_to_expect_from_oracle_database_12cWhat_to_expect_from_oracle_database_12c
What_to_expect_from_oracle_database_12c
 
Big data oracle_introduccion
Big data oracle_introduccionBig data oracle_introduccion
Big data oracle_introduccion
 
MySQL 8.0 - Security Features
MySQL 8.0 - Security FeaturesMySQL 8.0 - Security Features
MySQL 8.0 - Security Features
 
EAS-SEC Project
EAS-SEC ProjectEAS-SEC Project
EAS-SEC Project
 
Modern Data Security with MySQL
Modern Data Security with MySQLModern Data Security with MySQL
Modern Data Security with MySQL
 
Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...Password Policies in Oracle Access Manager. How to improve user authenticatio...
Password Policies in Oracle Access Manager. How to improve user authenticatio...
 
Solaris 11.4 launch
Solaris 11.4 launchSolaris 11.4 launch
Solaris 11.4 launch
 

Plus de Olivier DASINI

MySQL JSON Document Store - A Document Store with all the benefits of a Trans...
MySQL JSON Document Store - A Document Store with all the benefits of a Trans...MySQL JSON Document Store - A Document Store with all the benefits of a Trans...
MySQL JSON Document Store - A Document Store with all the benefits of a Trans...Olivier DASINI
 
MySQL Document Store - A Document Store with all the benefts of a Transactona...
MySQL Document Store - A Document Store with all the benefts of a Transactona...MySQL Document Store - A Document Store with all the benefts of a Transactona...
MySQL Document Store - A Document Store with all the benefts of a Transactona...Olivier DASINI
 
MySQL InnoDB Cluster - Meetup Oracle MySQL / AFUP Paris
MySQL InnoDB Cluster - Meetup Oracle MySQL / AFUP ParisMySQL InnoDB Cluster - Meetup Oracle MySQL / AFUP Paris
MySQL InnoDB Cluster - Meetup Oracle MySQL / AFUP ParisOlivier DASINI
 
MySQL Day Paris 2016 - MySQL as a Document Store
MySQL Day Paris 2016 - MySQL as a Document StoreMySQL Day Paris 2016 - MySQL as a Document Store
MySQL Day Paris 2016 - MySQL as a Document StoreOlivier DASINI
 
MySQL Day Paris 2016 - MySQL HA: InnoDB Cluster and NDB Cluster
MySQL Day Paris 2016 - MySQL HA: InnoDB Cluster and NDB ClusterMySQL Day Paris 2016 - MySQL HA: InnoDB Cluster and NDB Cluster
MySQL Day Paris 2016 - MySQL HA: InnoDB Cluster and NDB ClusterOlivier DASINI
 
What's New in MySQL 5.7
What's New in MySQL 5.7What's New in MySQL 5.7
What's New in MySQL 5.7Olivier DASINI
 
Upgrade to MySQL 5.6 without downtime
Upgrade to MySQL 5.6 without downtimeUpgrade to MySQL 5.6 without downtime
Upgrade to MySQL 5.6 without downtimeOlivier DASINI
 

Plus de Olivier DASINI (7)

MySQL JSON Document Store - A Document Store with all the benefits of a Trans...
MySQL JSON Document Store - A Document Store with all the benefits of a Trans...MySQL JSON Document Store - A Document Store with all the benefits of a Trans...
MySQL JSON Document Store - A Document Store with all the benefits of a Trans...
 
MySQL Document Store - A Document Store with all the benefts of a Transactona...
MySQL Document Store - A Document Store with all the benefts of a Transactona...MySQL Document Store - A Document Store with all the benefts of a Transactona...
MySQL Document Store - A Document Store with all the benefts of a Transactona...
 
MySQL InnoDB Cluster - Meetup Oracle MySQL / AFUP Paris
MySQL InnoDB Cluster - Meetup Oracle MySQL / AFUP ParisMySQL InnoDB Cluster - Meetup Oracle MySQL / AFUP Paris
MySQL InnoDB Cluster - Meetup Oracle MySQL / AFUP Paris
 
MySQL Day Paris 2016 - MySQL as a Document Store
MySQL Day Paris 2016 - MySQL as a Document StoreMySQL Day Paris 2016 - MySQL as a Document Store
MySQL Day Paris 2016 - MySQL as a Document Store
 
MySQL Day Paris 2016 - MySQL HA: InnoDB Cluster and NDB Cluster
MySQL Day Paris 2016 - MySQL HA: InnoDB Cluster and NDB ClusterMySQL Day Paris 2016 - MySQL HA: InnoDB Cluster and NDB Cluster
MySQL Day Paris 2016 - MySQL HA: InnoDB Cluster and NDB Cluster
 
What's New in MySQL 5.7
What's New in MySQL 5.7What's New in MySQL 5.7
What's New in MySQL 5.7
 
Upgrade to MySQL 5.6 without downtime
Upgrade to MySQL 5.6 without downtimeUpgrade to MySQL 5.6 without downtime
Upgrade to MySQL 5.6 without downtime
 

Dernier

presentation by faizan[1] [Read-Only].pptx
presentation by faizan[1] [Read-Only].pptxpresentation by faizan[1] [Read-Only].pptx
presentation by faizan[1] [Read-Only].pptxkhfaizan534
 
عناصر نباتية PDF.pdfbotanical elements..
عناصر نباتية PDF.pdfbotanical elements..عناصر نباتية PDF.pdfbotanical elements..
عناصر نباتية PDF.pdfbotanical elements..mennamohamed200y
 
Caltrans District 8 Update for the CalAPA Spring Asphalt Conference 2024
Caltrans District 8 Update for the CalAPA Spring Asphalt Conference 2024Caltrans District 8 Update for the CalAPA Spring Asphalt Conference 2024
Caltrans District 8 Update for the CalAPA Spring Asphalt Conference 2024California Asphalt Pavement Association
 
EJECTOR REFRIGERATION CYCLE WITH THE INJECTION OF A HIGH DENSITY FLUID INTO A...
EJECTOR REFRIGERATION CYCLE WITH THE INJECTION OF A HIGH DENSITY FLUID INTO A...EJECTOR REFRIGERATION CYCLE WITH THE INJECTION OF A HIGH DENSITY FLUID INTO A...
EJECTOR REFRIGERATION CYCLE WITH THE INJECTION OF A HIGH DENSITY FLUID INTO A...marijomiljkovic1
 
Fabrics Finishing Manual ( Arkey Knit Dyeing Mills Ltd)
Fabrics Finishing Manual ( Arkey Knit Dyeing Mills Ltd)Fabrics Finishing Manual ( Arkey Knit Dyeing Mills Ltd)
Fabrics Finishing Manual ( Arkey Knit Dyeing Mills Ltd)Mizan Rahman
 
autonomous_vehicle_working_paper_01072020-_508_compliant.pdf
autonomous_vehicle_working_paper_01072020-_508_compliant.pdfautonomous_vehicle_working_paper_01072020-_508_compliant.pdf
autonomous_vehicle_working_paper_01072020-_508_compliant.pdfPandurangGurakhe
 
Injection Power Cycle - The most efficient power cycle
Injection Power Cycle - The most efficient power cycleInjection Power Cycle - The most efficient power cycle
Injection Power Cycle - The most efficient power cyclemarijomiljkovic1
 
Advanced Additive Manufacturing by Sumanth A.pptx
Advanced Additive Manufacturing by Sumanth A.pptxAdvanced Additive Manufacturing by Sumanth A.pptx
Advanced Additive Manufacturing by Sumanth A.pptxSumanth A
 
PhD summary of Luuk Brederode, presented at 2023-10-17 to Veitch Lister Consu...
PhD summary of Luuk Brederode, presented at 2023-10-17 to Veitch Lister Consu...PhD summary of Luuk Brederode, presented at 2023-10-17 to Veitch Lister Consu...
PhD summary of Luuk Brederode, presented at 2023-10-17 to Veitch Lister Consu...Luuk Brederode
 
Searching and Sorting Algorithms
Searching and Sorting AlgorithmsSearching and Sorting Algorithms
Searching and Sorting AlgorithmsAshutosh Satapathy
 
12. Stairs by U Nyi Hla ngae from Myanmar.pdf
12. Stairs by U Nyi Hla ngae from Myanmar.pdf12. Stairs by U Nyi Hla ngae from Myanmar.pdf
12. Stairs by U Nyi Hla ngae from Myanmar.pdftpo482247
 
Investigating the Efficiency of Drinking Water Treatment Sludge and Iron-Base...
Investigating the Efficiency of Drinking Water Treatment Sludge and Iron-Base...Investigating the Efficiency of Drinking Water Treatment Sludge and Iron-Base...
Investigating the Efficiency of Drinking Water Treatment Sludge and Iron-Base...J. Agricultural Machinery
 
Research paper publications: Meaning of Q1 Q2 Q3 Q4 Journal
Research paper publications: Meaning of Q1 Q2 Q3 Q4 JournalResearch paper publications: Meaning of Q1 Q2 Q3 Q4 Journal
Research paper publications: Meaning of Q1 Q2 Q3 Q4 JournalDr. Manjunatha. P
 
NIPORT Home Economics Questions Solution 2024.pdf
NIPORT Home Economics Questions Solution 2024.pdfNIPORT Home Economics Questions Solution 2024.pdf
NIPORT Home Economics Questions Solution 2024.pdfMohonDas
 
electricity generation from food waste - based bioenergy with IOT.pptx
electricity generation from food waste - based bioenergy with IOT.pptxelectricity generation from food waste - based bioenergy with IOT.pptx
electricity generation from food waste - based bioenergy with IOT.pptxAravindhKarthik1
 
A brief about Jeypore Sub-station Presentation
A brief about Jeypore Sub-station PresentationA brief about Jeypore Sub-station Presentation
A brief about Jeypore Sub-station PresentationJeyporess2021
 
The Art of Cloud Native Defense on Kubernetes
The Art of Cloud Native Defense on KubernetesThe Art of Cloud Native Defense on Kubernetes
The Art of Cloud Native Defense on KubernetesJacopo Nardiello
 
zomato data mining datasets for quality prefernece and conntrol.pptx
zomato data mining  datasets for quality prefernece and conntrol.pptxzomato data mining  datasets for quality prefernece and conntrol.pptx
zomato data mining datasets for quality prefernece and conntrol.pptxPratikMhatre39
 
Artificial organ courses Hussein L1-C2.pptx
Artificial organ courses Hussein  L1-C2.pptxArtificial organ courses Hussein  L1-C2.pptx
Artificial organ courses Hussein L1-C2.pptxHusseinMishbak
 

Dernier (20)

presentation by faizan[1] [Read-Only].pptx
presentation by faizan[1] [Read-Only].pptxpresentation by faizan[1] [Read-Only].pptx
presentation by faizan[1] [Read-Only].pptx
 
عناصر نباتية PDF.pdfbotanical elements..
عناصر نباتية PDF.pdfbotanical elements..عناصر نباتية PDF.pdfbotanical elements..
عناصر نباتية PDF.pdfbotanical elements..
 
Caltrans District 8 Update for the CalAPA Spring Asphalt Conference 2024
Caltrans District 8 Update for the CalAPA Spring Asphalt Conference 2024Caltrans District 8 Update for the CalAPA Spring Asphalt Conference 2024
Caltrans District 8 Update for the CalAPA Spring Asphalt Conference 2024
 
EJECTOR REFRIGERATION CYCLE WITH THE INJECTION OF A HIGH DENSITY FLUID INTO A...
EJECTOR REFRIGERATION CYCLE WITH THE INJECTION OF A HIGH DENSITY FLUID INTO A...EJECTOR REFRIGERATION CYCLE WITH THE INJECTION OF A HIGH DENSITY FLUID INTO A...
EJECTOR REFRIGERATION CYCLE WITH THE INJECTION OF A HIGH DENSITY FLUID INTO A...
 
Fabrics Finishing Manual ( Arkey Knit Dyeing Mills Ltd)
Fabrics Finishing Manual ( Arkey Knit Dyeing Mills Ltd)Fabrics Finishing Manual ( Arkey Knit Dyeing Mills Ltd)
Fabrics Finishing Manual ( Arkey Knit Dyeing Mills Ltd)
 
autonomous_vehicle_working_paper_01072020-_508_compliant.pdf
autonomous_vehicle_working_paper_01072020-_508_compliant.pdfautonomous_vehicle_working_paper_01072020-_508_compliant.pdf
autonomous_vehicle_working_paper_01072020-_508_compliant.pdf
 
Injection Power Cycle - The most efficient power cycle
Injection Power Cycle - The most efficient power cycleInjection Power Cycle - The most efficient power cycle
Injection Power Cycle - The most efficient power cycle
 
Advanced Additive Manufacturing by Sumanth A.pptx
Advanced Additive Manufacturing by Sumanth A.pptxAdvanced Additive Manufacturing by Sumanth A.pptx
Advanced Additive Manufacturing by Sumanth A.pptx
 
Caltrans view on recycling of in-place asphalt pavements
Caltrans view on recycling of in-place asphalt pavementsCaltrans view on recycling of in-place asphalt pavements
Caltrans view on recycling of in-place asphalt pavements
 
PhD summary of Luuk Brederode, presented at 2023-10-17 to Veitch Lister Consu...
PhD summary of Luuk Brederode, presented at 2023-10-17 to Veitch Lister Consu...PhD summary of Luuk Brederode, presented at 2023-10-17 to Veitch Lister Consu...
PhD summary of Luuk Brederode, presented at 2023-10-17 to Veitch Lister Consu...
 
Searching and Sorting Algorithms
Searching and Sorting AlgorithmsSearching and Sorting Algorithms
Searching and Sorting Algorithms
 
12. Stairs by U Nyi Hla ngae from Myanmar.pdf
12. Stairs by U Nyi Hla ngae from Myanmar.pdf12. Stairs by U Nyi Hla ngae from Myanmar.pdf
12. Stairs by U Nyi Hla ngae from Myanmar.pdf
 
Investigating the Efficiency of Drinking Water Treatment Sludge and Iron-Base...
Investigating the Efficiency of Drinking Water Treatment Sludge and Iron-Base...Investigating the Efficiency of Drinking Water Treatment Sludge and Iron-Base...
Investigating the Efficiency of Drinking Water Treatment Sludge and Iron-Base...
 
Research paper publications: Meaning of Q1 Q2 Q3 Q4 Journal
Research paper publications: Meaning of Q1 Q2 Q3 Q4 JournalResearch paper publications: Meaning of Q1 Q2 Q3 Q4 Journal
Research paper publications: Meaning of Q1 Q2 Q3 Q4 Journal
 
NIPORT Home Economics Questions Solution 2024.pdf
NIPORT Home Economics Questions Solution 2024.pdfNIPORT Home Economics Questions Solution 2024.pdf
NIPORT Home Economics Questions Solution 2024.pdf
 
electricity generation from food waste - based bioenergy with IOT.pptx
electricity generation from food waste - based bioenergy with IOT.pptxelectricity generation from food waste - based bioenergy with IOT.pptx
electricity generation from food waste - based bioenergy with IOT.pptx
 
A brief about Jeypore Sub-station Presentation
A brief about Jeypore Sub-station PresentationA brief about Jeypore Sub-station Presentation
A brief about Jeypore Sub-station Presentation
 
The Art of Cloud Native Defense on Kubernetes
The Art of Cloud Native Defense on KubernetesThe Art of Cloud Native Defense on Kubernetes
The Art of Cloud Native Defense on Kubernetes
 
zomato data mining datasets for quality prefernece and conntrol.pptx
zomato data mining  datasets for quality prefernece and conntrol.pptxzomato data mining  datasets for quality prefernece and conntrol.pptx
zomato data mining datasets for quality prefernece and conntrol.pptx
 
Artificial organ courses Hussein L1-C2.pptx
Artificial organ courses Hussein  L1-C2.pptxArtificial organ courses Hussein  L1-C2.pptx
Artificial organ courses Hussein L1-C2.pptx
 

MySQL Day Paris 2018 - MySQL & GDPR; Privacy and Security requirements

  • 1. Copyright © 2018, Oracle and/or its affiliates. All rights reserved. | MySQL & GDPR Privacy and Security requirements Olivier Dasini MySQL Principal Solutions Architect EMEA olivier.dasini@oracle.com Twitter : @freshdaz Blog : http://dasini.net/blog
  • 2. Safe Harbor Statement: The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
  • 3. Me, Myself & I (Olivier DASINI)
      ➢ MySQL Geek
        ✔ Addicted to MySQL for 15+ years!
        ✔ Playing with databases for 20+ years
      ➢ MySQL Writer, Blogger and Speaker
        ✔ Also former : DBA, Consultant, Architect, Trainer, ...
      ➢ MySQL Principal Solutions Architect EMEA at Oracle
      ➢ Stay tuned! :
        ✔ Twitter : @freshdaz
        ✔ Blog : http://dasini.net/blog
  • 4. 89% of Organizations Experienced Data Breaches, According to New Ponemon Report (Source: Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, conducted by Ponemon Institute). 66% of the largest businesses in the UK have suffered a cyberattack or data breach within the past twelve months (Source: UK government's Cyber Security Breaches Survey 2016). 25% experience a repeated breach at least once a month (Source: UK government's Cyber Security Breaches Survey 2016).
  • 5. Mega Breaches (Source: Internet Security Threat Report 2016, Symantec)
      • 429 Million identities exposed in 2015.
      • 75% Web sites with vulnerabilities. 15% of all websites had a critical vulnerability.
      • 9: In 2015, a record of nine mega-breaches were reported. One world's largest 191M. (Mega-breach = more than 10 million records.)
      • Mobile Vulnerabilities on the rise – up 214%
      • Infection by SQL Injection still strong.
      • Malware attacks on databases
  • 6. Cost of Data Breaches (Source: Ponemon Institute, 2018)
      • [Chart] Small to Medium Breaches, cost by number of records: $1,900,000; $2,800,000; $4,600,000; $6,300,000
      • [Chart] Mega Breaches, cost by number of records (20 Million, 30 Million, 40 Million, 50 Million): $199,830,000; $279,310,000; $325,270,000; $350,440,000
  • 7. Database Vulnerabilities
      • Poor Configurations – Set controls and change default setting
      • Over Privileged Accounts – Privilege Policies
      • Weak Access Control – Dedicated Administrative Accounts
      • Weak Authentication – Strong Password Enforcement
      • Weak Auditing – Compliance & Audit Policies
      • Lack of Encryption – Data, Backup, & Network Encryption
      • Proper Credential & Key Management – Use mysql_config_editor, Key Vaults
      • Unsecured Backups – Encrypted Backups
      • No Monitoring – Security Monitoring, Users, Objects
      • Poorly Coded Applications – Database Firewall
  • 8. Database Attacks
      • SQL Injection – Prevention: DB Firewall, White List, Input Validation
      • Buffer Overflow – Prevention: Frequently apply Database Software updates, DB Firewall, White List, Input Validation
      • Insider Abuse – Prevention: Tight Access Controls, User specific authentication, Auditing, Monitoring, Encryption
      • Brute Force Attack – Prevention: lock out accounts after a defined number of incorrect attempts.
      • Network Eavesdropping – Prevention: Require SSL/TLS for all Connections and Transport
      • Malware – Prevention: Tight Access Controls, Limited Network IP access, Change default settings, Encryption
  • 9. Complexity grows, Risk Grows
  • 10. MySQL Security Improvements
      • Test/Demo database has been removed – Now in separate packages
      • Anonymous account creation is removed.
      • Creation of single root account – local host only
      • Default installation ensures encrypted communication by default
        – Automatic generation of SSL/RSA Certs/Keys
          • For EE : At server startup if options Certs/Keys were not set
          • For CE : Through new mysql_ssl_rsa_setup utility
      • Automatic detection of SSL Certs/Keys
      • Client attempts secure TLS connection by default
      • Compile time restriction over location used for data import/export operations
        • Ensures location has restricted access
        • Only mysql user and group
      • Supports disabling data import/export
        • Set secure-file-priv to empty string
      • MySQL Installer for Windows includes various Security Setup and Hardening Steps
  • 11. SQL Roles
      • Improving MySQL Access Controls
      • Easier to manage user and applications rights
      • As standards compliant as practically possible
      • Multiple default roles
      • Export the role graph in GraphML – Visualize with ROLES_GRAPHML()
      • [Diagram labels: Directly, Indirectly, Set Role(s), Default Role(s), Set of ACLS]
  • 12. Password Features
      • Password history - provides DBAs more password management
        – Require new passwords not reuse old ones - By number of changes and/or time.
        – Establish password-reuse policy globally as well as on a per-account basis.
      • SHA2 with Caching – Strong and Fast
        – Strong - SHA-256 password hashing (many rounds, seeds, …)
        – Fast - Caching
          • Greatly reduces latency
        – https://mysqlserverteam.com/upgrading-to-mysql-8-0-default-authentication-plugin-considerations/
      • Support for more connection protocols
      • Seamless RSA password-exchange capabilities (No linking OpenSSL)
  • 13. Password Features
      • New! Current password required for SET PASSWORD (8.0.13+)
        – Enhances security by allowing users to change their password only if they can provide the current password
        – The new behavior is controlled by the password_require_current column in the mysql.user table for every user
        – https://dev.mysql.com/worklog/task/?id=11544
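The role and password features on slides 11 to 13, combined in an added SQL example that is not taken from the slides. It targets MySQL 8.0.13 or later; the schema `crm`, the roles `crm_read` and `crm_write`, the account `'app_rw'@'10.0.0.%'` and the password are constructed placeholders.

```sql
-- Added example, run as an administrative account on MySQL 8.0.13+.
-- All object names and the password below are constructed placeholders.

-- 1. Roles: define privileges once, then grant the role to accounts.
CREATE ROLE IF NOT EXISTS 'crm_read', 'crm_write';
GRANT SELECT ON crm.* TO 'crm_read';
GRANT INSERT, UPDATE, DELETE ON crm.* TO 'crm_write';
GRANT 'crm_read' TO 'crm_write';   -- crm_write holds crm_read indirectly

-- 2. Global password-reuse policy (the default for every account).
SET PERSIST password_history = 5;            -- last 5 passwords cannot be reused
SET PERSIST password_reuse_interval = 365;   -- nor any password used in the last 365 days
SET PERSIST password_require_current = ON;   -- changing a password needs the current one

-- 3. Account with caching_sha2_password, TLS required, and a
--    per-account policy that overrides the global defaults.
CREATE USER IF NOT EXISTS 'app_rw'@'10.0.0.%'
  IDENTIFIED WITH caching_sha2_password BY 'Constructed-Passw0rd!'
  REQUIRE SSL
  PASSWORD HISTORY 10
  PASSWORD REUSE INTERVAL 730 DAY
  PASSWORD REQUIRE CURRENT;

GRANT 'crm_write' TO 'app_rw'@'10.0.0.%';
SET DEFAULT ROLE 'crm_write' TO 'app_rw'@'10.0.0.%';   -- active at login, no SET ROLE needed

-- With PASSWORD REQUIRE CURRENT in force, the account changes its own
-- password like this (run as app_rw, not as the administrator):
--   ALTER USER USER() IDENTIFIED BY '<new password>' REPLACE '<current password>';

-- 4. Review: effective privileges through the role.
SHOW GRANTS FOR 'app_rw'@'10.0.0.%' USING 'crm_write';

-- 5. Review: role edges (who holds which role) and default roles.
SELECT FROM_USER AS role_name, TO_USER AS granted_to, TO_HOST, WITH_ADMIN_OPTION
FROM mysql.role_edges;
SELECT USER, HOST, DEFAULT_ROLE_USER FROM mysql.default_roles;

-- The same graph as GraphML; the content is only populated for a caller
-- holding ROLE_ADMIN (or the deprecated SUPER).
SELECT ROLES_GRAPHML();

-- 6. Review: effective password policy per account. NULL in the mysql.user
--    columns means "follow the global setting".
SELECT user, host, plugin, ssl_type,
       COALESCE(Password_reuse_history, @@global.password_history)      AS effective_history,
       COALESCE(Password_reuse_time, @@global.password_reuse_interval)  AS effective_reuse_days,
       CASE WHEN Password_require_current IS NULL
            THEN IF(@@global.password_require_current, 'Y', 'N')
            ELSE Password_require_current END                           AS effective_require_current
FROM mysql.user
WHERE account_locked = 'N'     -- roles are stored as locked accounts, so this hides them
ORDER BY user, host;
```

In the last result, rows with `plugin` other than `caching_sha2_password` or an empty `ssl_type` are the accounts that do not yet benefit from the features on these slides.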
  • 14. 8.0: File and Tablespace Encryption
      • AES 256 encryption of UNDO and REDO Logs
      • Super Simple to manage - Set
        – innodb_undo_log_encrypt=ON/OFF
        – innodb_redo_log_encrypt=ON/OFF
      • And
        – ON - Pages written after setting are encrypted
        – OFF - Pages written after setting are not
      • New! Support Transparent Data Encryption for Shared Tablespaces (8.0.13+)
        – Extends tablespace encryption to general/shared tablespaces
        – Encryption ON/OFF can be specified either at create time or later with the SQL Syntax
          ● CREATE/ALTER TABLESPACE my_tablespace ENCRYPTION='Y'/'N'; (default is unencrypted)
      • Encryption is handled at the tablespace level, so either all or none of the tables in the tablespace are encrypted
      • https://dev.mysql.com/worklog/task/?id=9286
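The settings on slide 14 with the checks that confirm them, as an added SQL example that is not taken from the slides. It assumes MySQL 8.0.13 or later with a keyring plugin or component already loaded; the tablespace names `gdpr_ts` and `legacy_ts` and the schema `crm` are constructed placeholders.

```sql
-- Added example, run as an administrative account on MySQL 8.0.13+.
-- Assumption: a keyring is configured; InnoDB encryption depends on it.
SELECT PLUGIN_NAME, PLUGIN_STATUS
FROM INFORMATION_SCHEMA.PLUGINS
WHERE PLUGIN_NAME LIKE 'keyring%';

-- 1. Redo and undo log encryption. As the slide notes, only pages written
--    after the change are encrypted; older log pages stay as they were.
SET PERSIST innodb_redo_log_encrypt = ON;
SET PERSIST innodb_undo_log_encrypt = ON;
SELECT @@global.innodb_redo_log_encrypt AS redo_encrypt,
       @@global.innodb_undo_log_encrypt AS undo_encrypt;

-- 2. General (shared) tablespace encryption, at create time or later.
CREATE TABLESPACE gdpr_ts ADD DATAFILE 'gdpr_ts.ibd' ENCRYPTION = 'Y';
ALTER TABLESPACE legacy_ts ENCRYPTION = 'Y';   -- hypothetical existing tablespace

-- 3. Review: encryption state of every general tablespace.
--    The ENCRYPTION column exists from 8.0.13.
SELECT NAME, SPACE_TYPE, ENCRYPTION
FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
WHERE SPACE_TYPE = 'General'
ORDER BY NAME;

-- 4. Review: tables of one schema that still sit in an unencrypted
--    tablespace. Encryption is a property of the tablespace, so every
--    table sharing a tablespace reports the same value.
SELECT t.NAME       AS table_name,        -- formatted as schema/table
       s.NAME       AS tablespace_name,
       s.SPACE_TYPE,
       s.ENCRYPTION
FROM INFORMATION_SCHEMA.INNODB_TABLES t
JOIN INFORMATION_SCHEMA.INNODB_TABLESPACES s ON s.SPACE = t.SPACE
WHERE s.ENCRYPTION = 'N'
  AND t.NAME LIKE 'crm/%'
ORDER BY s.NAME, t.NAME;
```

An empty result from the last query means no table in `crm` is stored in an unencrypted tablespace.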
  • 15. Copyright © 2018 Oracle and/or its affiliates. All rights reserved. | Regulatory Compliance • Regulations – PCI – DSS: Payment Card Data – HIPAA: Privacy of Health Data – Sarbanes Oxley, GLBA, The USA Patriot Act: Financial Data, NPI "personally identifiable financial information" – FERPA – Student Data – General Data Protection Regulation: Protection of Personal Data (GDPR) – Data Protection Act (UK): Protection of Personal Data • Requirements – Continuous Monitoring (Users, Schema, Backups, etc) – Data Protection (Encryption, Privilege Management, etc.) – Data Retention (Backups, User Activity, etc.) – Data Auditing (User activity, etc.) 15
  • 16. Copyright © 2018 Oracle and/or its affiliates. All rights reserved. | Introduction 16 https://ec.europa.eu/info/law/law-topic/data-protection_en
  • 17. Copyright © 2018 Oracle and/or its affiliates. All rights reserved. | Appropriate Security Controls Data must be processed with controls that provide “Privacy by design, appropriate security & confidentiality“ – Recitals of note - R74-78, R81, R83, R87, R90, A5, A24-25, A28, A32, A35) • Exact security controls are not specified in the GDPR – WHAT to do – Not HOW to do it 17
  • 18. Copyright © 2018 Oracle and/or its affiliates. All rights reserved. | EU General Data Protection Regulation (GDPR) • Data privacy as a fundamental right • Defines Data protection responsibilities, baselines, principles • Provides Enforcement Powers Focus is on 3 Areas (but common them for Regulations) • Assessment – Processes, Profiles, Data Sensitivity, Risks • Prevention – Encryption, Anonymization, Access Controls, Separation of Duties • Detection – Auditing, Activity monitoring, Alerting, Reporting 18
  • 19. Copyright © 2018 Oracle and/or its affiliates. All rights reserved. | GDPR and MySQL • We can’t be entirely prescriptive • We have many things that can be applied towards attaining compliance – Products – Features – Best Practices – Documents – Integrations 19
  • 20. Copyright © 2018 Oracle and/or its affiliates. All rights reserved. | 20 MySQL Security Overview Authentication Authorization Encryption Firewall MySQL Security Auditing Masking/De-Identification
  • 21. Copyright © 2018 Oracle and/or its affiliates. All rights reserved. | Assess Security Risks 21 Discover Personal Data Scan Security Configuration Privilege Analysis
  • 22. Copyright © 2018 Oracle and/or its affiliates. All rights reserved. | Assess - MySQL Enterprise Features and GDPR • Assess Risks (Articles 35, 90, 91) – MySQL EnterpriseMySQL Enterprise MonitorMonitor • Account assessment and reporting • Identifies Security Vulnerabilities – discover security holes, advises remediating actions – Advisors provide rules designed to enforce security best practices and alert upon discovering vulnerabilities – MySQL EnterpriseMySQL Enterprise WorkbenchWorkbench • Discover tables and columns containing “Personal Data” • Data Modeling tool - Reverse Engineering of Data Model to review data stored in the database • Schema Inspector, Table Inspectors – for schema assessment, grant inspection – MySQL Security Best Practices Guidelines • https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/ • https://dev.mysql.com/doc/mysql-secure-deployment-guide/8.0/en/ 22
  • 23. MySQL Enterprise Monitor • Enforce MySQL Security Best Practices – Identifies Vulnerabilities – Assesses current setup against security hardening policies • Monitoring & Alerting – User Monitoring – Password Monitoring – Schema Change Monitoring – Backup Monitoring – Configuration Management – Configuration Tuning Advice • Centralized User Management • “I definitely recommend the MySQL Enterprise Monitor to DBAs who don't have a ton of MySQL experience. It makes monitoring MySQL security, performance and availability very easy to understand and to act on.” Sandi Barr, Sr. Software Engineer, Schneider Electric
  • 24. Assess MySQL Authorization • Security Privilege Management in MySQL Workbench • MySQL Enterprise Monitor • Administrative Privileges • Database Privileges • Session Limits and Object Privileges • User privileges – Creating, altering and deleting databases – Creating, altering and deleting tables – Execute INSERT, SELECT, UPDATE, DELETE queries – Create, execute, or delete stored procedures and with what rights – Create or delete indexes
  • 25. Assess your data and data model using MySQL Workbench
  • 26. Prevent - MySQL Enterprise Features and GDPR • Prevent Attacks (Articles 32, 83, 28, 26, 5, 20, 27, 30, 64) – MySQL Enterprise Security – Encrypt Data-at-rest using Transparent Data Encryption • Includes Key Management; Protects Tablespace via Encryption, Keys via Key Manager/Vault integration – MySQL Enterprise Security – Masking and De-identification • Pseudonymize sensitive information (e.g. customers, billing…) • Anonymize Personal Data before processing for development and testing – MySQL Enterprise Security – Firewall • MySQL Firewall Statement/User/IP Whitelists, Rules – MySQL Enterprise Security – Authentication • Centralized Authentication Infrastructure – DBA configurable IP whitelisting, Connection Limits, … • Via server level and via per Account IP/Hostname Controls, Account resource limits, ... – In transit data encryption • Full support for TLS 1.2 - X509, Certificate Authorities, Exclude Lists, etc. – Granular access controls • Table Grants, Database Views, Stored Procedures, Functions
  • 27. MySQL Transparent Data Encryption • Protects against attacks on database files • Diagram labels: MySQL Database; Encrypted Tablespace Files; Undo/Redo logs; Shared Tablespaces; Protected Key • Hacker / dishonest OS user accesses files directly: information access blocked by encryption • Keyring plugin - used to retrieve keys from Key Stores over the standardized KMIP protocol
  • 28. What is Transparent Data Encryption? • Data at Rest Encryption – General/Shared Tablespaces, Redo & Undo logs, Disks, Storage, OS File system • Strong Encryption – AES 256 • Keep it simple to manage – Complexity is the enemy of security – One master key for the whole instance – Easy, flexible to manage encrypted tablespaces (support tablespace export/import) • Transparent to applications and users – No application code, schema or data type changes • Transparent to DBAs – Keys are hidden from DBAs, no configuration changes • High Performance / Low Overhead – Simple Key Rotation without massive decryption/encryption costs • Requires Key Management – Protection (most important thing), rotation, storage, recovery
  • 29. MySQL Enterprise Transparent Data Encryption: KMIP Compliant • KMIP – Key Management Interoperability Protocol (OASIS Standard) – Keys are protected and secure • KMIP mode tested with the following products – Oracle Key Vault (OKV) – Gemalto Safenet KeySecure – Fornetix Key Orchestration Appliance – Thales Vormetric Key Manager • Enables customers to meet regulatory requirements • Additional Options – Key Ring File – Encrypted Key Ring File • Also – Cloud Key Services (AWS) • https://dev.mysql.com/doc/refman/8.0/en/keyring.html
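
The TDE slides above describe per-tablespace encryption under one instance master key held by a keyring. The statements below show that workflow end to end, plus an assessment query for tables still stored in clear text. This is an added example, not part of the original deck; it assumes MySQL 8.0 with a keyring plugin already loaded at startup, and the `crm` schema and its tables are hypothetical.

```sql
-- Hypothetical schema and tables, constructed for this example.
CREATE DATABASE IF NOT EXISTS crm;

-- New table: encrypted from the first page written.
CREATE TABLE crm.customer_pii (
  id    BIGINT PRIMARY KEY,
  email VARCHAR(255) NOT NULL
) ENGINE=InnoDB ENCRYPTION='Y';

-- Legacy table created without encryption, then encrypted in place.
-- The ALTER rebuilds the tablespace, so schedule it like any table rebuild.
CREATE TABLE crm.orders (
  id          BIGINT PRIMARY KEY,
  customer_id BIGINT NOT NULL
) ENGINE=InnoDB;
ALTER TABLE crm.orders ENCRYPTION='Y';

-- Redo and undo logs carry row images too; encrypt pages written from now on.
SET GLOBAL innodb_redo_log_encrypt = ON;
SET GLOBAL innodb_undo_log_encrypt = ON;

-- Rotate the instance master key. Only the per-tablespace keys are
-- re-encrypted under the new master key; data pages are not rewritten,
-- which is why rotation is cheap.
ALTER INSTANCE ROTATE INNODB MASTER KEY;

-- Assessment: InnoDB base tables outside the system schemas whose
-- CREATE_OPTIONS do not show ENCRYPTION='Y'. The "_" wildcards match the
-- quote character, which differs between server versions.
SELECT TABLE_SCHEMA, TABLE_NAME
FROM   INFORMATION_SCHEMA.TABLES
WHERE  TABLE_TYPE = 'BASE TABLE'
  AND  ENGINE = 'InnoDB'
  AND  TABLE_SCHEMA NOT IN
       ('mysql', 'sys', 'information_schema', 'performance_schema')
  AND  COALESCE(CREATE_OPTIONS, '') NOT LIKE '%ENCRYPTION=_Y_%';
```

Tables placed in an encrypted general tablespace inherit encryption from the tablespace, so check those through the ENCRYPTION column of INFORMATION_SCHEMA.INNODB_TABLESPACES (MySQL 8.0.13 and later) rather than through CREATE_OPTIONS.
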
  • 30. MySQL Enterprise Firewall: Overview • Diagram labels: Internet; SQL Injection Attack Via Browser; Web Applications; Inbound SQL Traffic; MySQL Enterprise Firewall with (1) ALLOW, (2) BLOCK, (3) DETECT; Instance
  • 31. MySQL Enterprise Firewall: Operating Modes • (1) ALLOW – Execute SQL - SQL matches whitelist - SQL passes rule (blocks SQL attacks, allows “matching” SQL) • (2) BLOCK – Block the request - Not in whitelist - SQL fails rule - In Block Mode (block and alert) • (3) DETECT (IDS) – Execute SQL & alert - Not in whitelist - SQL fails rule - In Alert Mode (allows SQL and alerts)
  • 32. MySQL Enterprise Firewall • Real Time Protection – Queries checked against White List and Custom Rules • Blocks SQL Injection Attacks – Block Out of Policy Transactions • Intrusion Detection – Detect and Alert on Out of Policy Transactions • Automated White List – Learning mode for creation of approved list of SQL command patterns on a per user basis • Custom Rules using JSON definition • Transparent – No changes to application required • MySQL Enterprise Firewall monitoring
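
The learning mode and the ALLOW / BLOCK / DETECT modes from the firewall slides above map onto per-account firewall modes set through a stored procedure. This is an added example, not part of the original deck; it assumes the MySQL Enterprise Firewall plugin is installed and enabled with account profiles, and `app_user@localhost` is a hypothetical application account.

```sql
-- Hypothetical account name; run these as an administrative user.

-- Learning mode: every statement the account runs is normalized
-- (literals replaced by placeholders) and recorded as a whitelist rule.
CALL mysql.sp_set_firewall_mode('app_user@localhost', 'RECORDING');

-- ... now exercise the application's normal workload as app_user ...

-- Review what was learned before enforcing it. A rule recorded while
-- someone was testing by hand would be allowed forever after.
SELECT RULE
FROM   INFORMATION_SCHEMA.MYSQL_FIREWALL_WHITELIST
WHERE  USERHOST = 'app_user@localhost';

-- Option A (slide modes 1 and 2, ALLOW / BLOCK): statements matching the
-- whitelist execute, anything else is rejected with an error.
CALL mysql.sp_set_firewall_mode('app_user@localhost', 'PROTECTING');

-- Option B (slide mode 3, DETECT): non-matching statements still execute
-- but are reported as suspicious. Useful as a trial period before blocking.
-- CALL mysql.sp_set_firewall_mode('app_user@localhost', 'DETECTING');

-- Confirm which mode each profiled account is in.
SELECT USERHOST, MODE
FROM   INFORMATION_SCHEMA.MYSQL_FIREWALL_USERS;

-- Counters to alert on: Firewall_access_denied (blocked),
-- Firewall_access_suspicious (detected), Firewall_access_granted.
SHOW GLOBAL STATUS LIKE 'Firewall%';
```
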
  • 33. MySQL Enterprise Masking & De-Identification • De-identify, Anonymize Sensitive Data
  • 34. MySQL Enterprise Masking & De-Identification: Data Masking and Random Data Generation • Data Masking – String masking – Dictionary based replacement – Specific masking ● SSN ● Payment card : Strict/Relaxed • Random Data Generator – Random number within a range – Email – Payment card (Luhn check compliant) – SSN – Dictionary based generation
  • 35. MySQL Enterprise Masking & De-Identification: Data Masking • String data masking – Mask a substring within a string : ArthXXXXnt – Mask substrings at the beginning and at the end : XXthurDeXX • SSN masking : XXXX-XX-1234 • Payment Card masking – Strict: XXXXXXXXXXXXXXX7395, Relaxed: 493812XXXXXXXXX7395 • Dictionary based masking – gen_blacklist("007", "00designations", "Cover_identity") => Universal Exports
  • 36. MySQL Enterprise Masking & De-Identification: Random Data Generation • Random data within range – gen_rnd(10000, 20000) => 12503 • Email : kajsm.hamskdk@example.com • Payment card : 7389026626032990 – Configurable length : 12 to 19 digits • SSN : 915-63-3858 • US Phone number : 1-555-3456-332
  • 37. MySQL Enterprise Masking & De-Identification: Dictionary based data generation, data blacklists • Load multiple dictionaries – Maps dictionary file => dictionary name – In memory data for faster retrieval • Generation based on dictionary data – gen_dictionary("periodictable") => Oxygen – If 007 is on the blacklist then substitute, otherwise pass the value through • Blacklisted – 007 – thus randomly substituted from Jobs Dictionary – gen_blacklist("007", "Job_mask", "Jobs") => "Accountant" • Not blacklisted – Administrator – thus passes through – gen_blacklist("Administrator", "Job_mask", "Jobs") => "Administrator"
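
The masking, random generation and blacklist calls from the three slides above, combined into a masked view for development and test use. This is an added example, not part of the original deck; it assumes the MySQL Enterprise data masking plugin and its functions are installed, uses the function names from the MySQL 8.0 plugin documentation (where the range generator is `gen_range`), and the table, rows, dictionary names and file paths are constructed for illustration.

```sql
-- Constructed sample data; table and column names are hypothetical.
CREATE TABLE customers (
  id   INT PRIMARY KEY,
  name VARCHAR(40),
  ssn  CHAR(11),
  pan  VARCHAR(19),
  job  VARCHAR(40)
);
INSERT INTO customers VALUES
  (1, 'ArthurDent',  '909-63-1234', '4938120000007395', '007'),
  (2, 'FordPrefect', '915-63-3858', '7389026626032990', 'Administrator');

-- Load the dictionaries once per server start. Job_mask lists the terms
-- to hide, Jobs supplies the replacements. Paths are hypothetical and must
-- be readable by the server.
SELECT gen_dictionary_load('/var/lib/mysql-files/job_mask.txt', 'Job_mask');
SELECT gen_dictionary_load('/var/lib/mysql-files/jobs.txt', 'Jobs');

-- Expose only masked columns; grant developers SELECT on the view,
-- never on the base table.
CREATE VIEW customers_masked AS
SELECT id,
       mask_inner(name, 4, 2)                 AS name_inner,   -- keep 4 left, 2 right
       mask_outer(name, 2, 2)                 AS name_outer,   -- mask 2 left, 2 right
       mask_ssn(ssn)                          AS ssn,          -- last 4 digits visible
       mask_pan(pan)                          AS pan_strict,   -- last 4 digits visible
       mask_pan_relaxed(pan)                  AS pan_relaxed,  -- first 6 + last 4 visible
       gen_blacklist(job, 'Job_mask', 'Jobs') AS job           -- replaced only if blacklisted
FROM customers;

-- Fully synthetic rows for test databases: no value derives from real data.
SELECT gen_range(10000, 20000) AS account_no,
       gen_rnd_email()         AS email,
       gen_rnd_pan()           AS pan,      -- passes the Luhn check
       gen_rnd_ssn()           AS ssn,
       gen_rnd_us_phone()      AS phone,
       gen_dictionary('Jobs')  AS job;
```

Relaxed card masking leaves the issuer prefix and the last four digits readable, so treat its output as pseudonymized rather than anonymized data.
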
  • 38. MySQL Enterprise Authentication • Integrates MySQL with existing security infrastructures • Integrate with Centralized Authentication Infrastructure – Centralized Account Management – Password Policy Management – Groups & Roles • PAM (Pluggable Authentication Modules) – Native LDAP • Access native LDAP service for authentication – Windows • Access native Windows service - Use to authenticate users using Windows Active Directory or to a native host – Linux PAM Standard interface (Unix, LDAP, Kerberos, others)
  • 39. Detect - MySQL Enterprise Features and GDPR – 1 of 2 • Detect (Articles 30, 82, 33) – MySQL Enterprise Security – Audit • Policy-based auditing solution – gather audit log of activity • Use to spot database misuse • Use to prove compliance to GDPR – MySQL Enterprise Security – Firewall • Real-time protection against database specific attacks • Use to alert and/or block nefarious activity – such as personal data leakage
  • 40. MySQL Enterprise Audit • Adds regulatory compliance to MySQL applications (GDPR, HIPAA, PCI DSS, etc.) • Out-of-the-box logging of connections, logins, and queries • Simple to fine grained policies for filtering, and log rotation • Dynamically enabled, disabled: no server restart • Various options for the Audit Logs – XML-based audit stream – JSON – Compression – Encryption – Remote Read Only SQL statement access • Send data to a remote server / audit data vault • Oracle Audit Vault, Splunk, etc...
  • 41. MySQL Enterprise Audit - Work Flow • NEW! JSON • NEW! SQL Views
  • 42. MySQL Enterprise Audit Filtering • Starting with MySQL Enterprise 5.7.13 • Allows DBAs to “custom” design audit process – Use very fine grained rules • Reduce audit log file size • Reduce File System IO and Storage / Increases performance (fewer items logged) • Increases audit log post processing efficiency – less data to process for immediate answers • Defined using JSON – Coarse grained rules • When you need to watch everything • Obsolete. The new audit log filtering is recommended instead.
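
A fine-grained audit rule of the kind the filtering slide above describes, defined in JSON and bound to an account, next to a log-everything rule for privileged accounts. This is an added example, not part of the original deck; it assumes the MySQL Enterprise Audit plugin is installed with its filtering functions, and the filter and account names are hypothetical.

```sql
-- Hypothetical filter and account names.

-- Fine-grained rule for the application account: record connects and
-- disconnects, plus row-changing access to tables. Reads are not logged,
-- which keeps the log small enough to review.
SELECT audit_log_filter_set_filter('app_writes', '{
  "filter": {
    "class": [
      { "name": "connection",
        "event": [ { "name": "connect" }, { "name": "disconnect" } ] },
      { "name": "table_access",
        "event": [ { "name": "insert" },
                   { "name": "update" },
                   { "name": "delete" } ] }
    ]
  }
}');
SELECT audit_log_filter_set_user('app_user@localhost', 'app_writes');

-- Privileged accounts get the opposite trade-off: log everything they do.
SELECT audit_log_filter_set_filter('log_all', '{ "filter": { "log": true } }');
SELECT audit_log_filter_set_user('dba@localhost', 'log_all');

-- '%' is the default account: it applies to every account that has no
-- filter of its own, so no login goes unrecorded.
SELECT audit_log_filter_set_filter('log_connections', '{
  "filter": { "class": { "name": "connection" } }
}');
SELECT audit_log_filter_set_user('%', 'log_connections');

-- Verify the resulting policy: which filter each account is bound to,
-- and the JSON behind each filter.
SELECT * FROM mysql.audit_log_user;
SELECT * FROM mysql.audit_log_filter;
```
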
  • 43. Detect - MySQL Enterprise Features and GDPR – 2 of 2 – MySQL Enterprise Workbench • Security related – Inspect Audit Data – Configure Firewall – Manage Users – MySQL Enterprise Monitor • Monitor / Alert on Firewall, Audit, Backups and more • Detect configuration changes
  • 44. Additional Security Controls – 1 of 3 • Hashing, Signing, Encryption Functions – Symmetric Encryption – AES – Hashing – SHA-2, SHA-1 – Asymmetric Public Key Encryption (RSA) – Asymmetric Private Key Decryption (RSA) – Generate Public/Private Key (RSA, DSA, DH) – Derive Symmetric Keys from Public and Private Key pairs (DH) – Digitally Sign Data (RSA, DSA) – Verify Data Signature (RSA, DSA) – Validate Data Authenticity (RSA, DSA)
  • 45. Additional Security Controls – 2 of 3 • Disaster Recovery - ensure availability of end-user data • Backup – MySQL Enterprise Backup • Full, Incremental, Differential, Partial Online Backups • Includes encryption (AES 256) & compression • Support for MySQL TDE • Point in Time, Full, Partial Recovery options – Oracle Cloud MySQL database service includes Backup and Recovery
  • 46. Additional Security Controls – 3 of 3 • Disaster Recovery - ensure availability of end-user data • High Availability – Various options • MySQL InnoDB Cluster – Based on MySQL Master / Master - Group Replication • Traditional MySQL Replication Topologies – Asynchronous – Semi-synchronous
  • 47. MySQL Enterprise Edition • MySQL Enterprise Authentication – External Authentication Modules • Microsoft AD, Linux PAMs, Native LDAP • MySQL Enterprise Encryption – Public/Private Key Cryptography – Asymmetric Encryption – Digital Signatures, Data Validation • MySQL Enterprise Firewall – Block SQL Injection Attacks – Intrusion Detection • MySQL Enterprise Audit – User Activity Auditing, Regulatory Compliance • MySQL Enterprise Monitor – Changes in Database Configurations, Users Permissions, Database Schema, Passwords • MySQL Enterprise Backup – Securing Backups, AES 256 encryption • MySQL Enterprise TDE – AES 256 encryption – Key Management • MySQL Enterprise De-Identification – Data Masking and Obfuscation – Formatted Data Randomization – Pseudonymization, Data Blacklists – Random Data Generation
  • 48. Enterprise Masking & De-Identification • Masking • Substitute/Subset • Random Formatted Data • Blacklisted Data
  • 49. References • MySQL Enterprise Security : https://dev.mysql.com/doc/refman/8.0/en/mysql-enterprise-security.html • Security in MySQL : https://dev.mysql.com/doc/mysql-security-excerpt/8.0/en/ • MySQL Secure Deployment Guide : https://dev.mysql.com/doc/mysql-secure-deployment-guide/8.0/en/ • MySQL Enterprise Audit : https://www.mysql.com/products/enterprise/audit.html • MySQL Enterprise Transparent Data Encryption : https://www.mysql.com/products/enterprise/tde.html • MySQL Enterprise Masking and De-identification : https://www.mysql.com/products/enterprise/masking.html • MySQL Enterprise Authentication : https://www.mysql.com/products/enterprise/security.html • MySQL Enterprise Firewall : https://www.mysql.com/products/enterprise/firewall.html • MySQL Enterprise Backup : https://www.mysql.com/products/enterprise/backup.html • MySQL Enterprise Monitor : https://www.mysql.com/products/enterprise/monitor.html • MySQL Enterprise Encryption : https://www.mysql.com/products/enterprise/encryption.html • Enterprise Encryption Functions : https://dev.mysql.com/doc/refman/8.0/en/enterprise-encryption-function-reference.html • MySQL Enterprise Workbench : https://www.mysql.com/products/workbench/
  • 50. Thank you!