OpenWorld 2017: MySQL 8.0: What’s New in Security

Mike Frank and Georgi Kodinov from Oracle gave a deep dive into security changes in MySQL 8.0. A lot of the features are only available in MySQL Enterprise and I tried to keep it clear in my notes which required Enterprise but may have gotten some confused.

  • Security Challenges
    • 89% of organizations experience data breaches, according to new Ponemon Survey
    • As complexity grows, risks grow
      • Database consolidation
      • HA
    • Regulatory compliance
      • PCI
      • HIPAA
      • GDPR
      • FERPA
      • Data Protection Act (UK)
      • ….
  • How to Secure
    • Assess
      • Locate Risk and Vulnerabilities
    • Prevent
      • Using Cryptography, User Controls, Access Controls, etc.
    • Detect
      • Audit, Monitor, Alert
    • Recover
      • Ensure service is not disrupted as a result of security incident
      • Even through the outage of a primary database
      • Forensics – post mortem – fix vulnerability
  • MySQL Security Solutions
    • Enterprise Edition
      • TDE
      • MySQL Enterprise Authentication
      • MySQL Enterprise Encryption
      • MySQL Enterprise Firewall
      • MySQL Enterprise Audit
      • MySQL Enterprise Monitor
      • MySQL Enterprise Backup
      • MySQL Enterprise Thread Pool
    • TDE
      • keyring
      • only tablespace level in 5.7
      • Enterprise Edition uses KMIP for key management
    • Keyring API
      • each key has a name/ACL
      • stored in key store
      • a uniform infrastructure for handling keys
      • usable by both server and plugins
      • Fully extensible
      • minimum effort to add new backends and consumers
      • current consumers
        • InnoDB tablespace encryption
        • SQL user defined functions (UDF) plugin
      • current backends
        • flat file backend
        • KMIP compliant clients
  • New Features
    • MySQL Roles
      • multiple default roles
      • Can export the role graph in GraphML
      • implemented as user account with login disabled
      • new tables mysql.role_edges and mysql.default_roles
    • Atomic ACL Statements
    • Dynamic Privileges
      • provides finer grained administrative level access controls
    • Password Features
      • Password History
      • SHA2 with Caching
    • File Encryption
      • innodb_undo_log_encrypt
      • innodb_redo_log_encrypt
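
The roles, dynamic privileges, password and log-encryption features above, exercised in one SQL session. This is an added example, not from the talk; the schema `appdb`, the account `alice`, the role names and the placeholder password are assumptions, and the final three statements need a keyring plugin already loaded.

```sql
-- Roles are created as accounts that cannot log in.
CREATE ROLE 'app_read', 'app_write', 'ops_backup';

-- Static privileges on a schema, plus a dynamic (fine-grained admin) privilege.
GRANT SELECT ON appdb.* TO 'app_read';
GRANT INSERT, UPDATE, DELETE ON appdb.* TO 'app_write';
GRANT BACKUP_ADMIN ON *.* TO 'ops_backup';

-- caching_sha2_password is the 8.0 default; PASSWORD HISTORY 5 forbids
-- reuse of the last five passwords for this account.
CREATE USER 'alice'@'localhost'
  IDENTIFIED WITH caching_sha2_password BY 'CHANGE-ME-placeholder'
  PASSWORD HISTORY 5;

-- Grant several roles and make more than one of them active by default.
GRANT 'app_read', 'app_write' TO 'alice'@'localhost';
SET DEFAULT ROLE 'app_read', 'app_write' TO 'alice'@'localhost';

-- Roles show up in mysql.user as locked accounts (account_locked = 'Y').
SELECT user, host, account_locked
  FROM mysql.user
 WHERE user IN ('app_read', 'app_write', 'ops_backup');

-- The role graph: mysql.role_edges holds who is granted which role,
-- mysql.default_roles holds which roles activate at login.
SELECT from_user, to_user, to_host, with_admin_option FROM mysql.role_edges;
SELECT user, host, default_role_user FROM mysql.default_roles;

-- Effective privileges through the roles, and the graph as GraphML
-- (roles_graphml() requires the ROLE_ADMIN dynamic privilege).
SHOW GRANTS FOR 'alice'@'localhost' USING 'app_read', 'app_write';
SELECT roles_graphml();

-- Redo and undo log encryption are dynamic variables; a keyring plugin
-- (for example the flat-file backend) must be loaded first.
SET GLOBAL innodb_redo_log_encrypt = ON;
SET GLOBAL innodb_undo_log_encrypt = ON;
SHOW VARIABLES LIKE 'innodb_%log_encrypt';
```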
