Mike Frank and Georgi Kodinov from Oracle gave a deep dive into security changes in MySQL 8.0. A lot of the features are only available in MySQL Enterprise, and I tried to keep it clear in my notes which ones require Enterprise, but I may have gotten some confused.
- Security Challenges
  - 89% of organizations experience data breaches, according to a new Ponemon survey
  - As complexity grows, risks grow
    - Database consolidation
    - HA
  - Regulatory compliance
    - PCI
    - HIPAA
    - GDPR
    - FERPA
    - Data Protection Act (UK)
    - …
- How to Secure
  - Assess
    - Locate risks and vulnerabilities
  - Prevent
    - Using cryptography, user controls, access controls, etc.
  - Detect
    - Audit, monitor, alert
  - Recover
    - Ensure service is not disrupted as a result of a security incident
      - Even through the outage of a primary database
    - Forensics, post mortem, fix the vulnerability
  - Assess
- MySQL Security Solutions
  - Enterprise Edition
    - TDE
    - MySQL Enterprise Authentication
    - MySQL Enterprise Encryption
    - MySQL Enterprise Firewall
    - MySQL Enterprise Audit
    - MySQL Enterprise Monitor
    - MySQL Enterprise Backup
    - MySQL Enterprise Thread Pool
- TDE
  - Keyring
  - Only tablespace level in 5.7
  - Enterprise Edition uses KMIP for key management
- Keyring API
  - Each key has a name/ACL
  - Stored in a key store
  - A uniform infrastructure for handling keys
    - Usable by both server and plugins
  - Fully extensible
    - Minimum effort to add new backends and consumers
  - Current consumers
    - InnoDB tablespace encryption
    - SQL user-defined functions (UDF) plugin
  - Current backends
    - Flat file backend
    - KMIP compliant clients
      - Enterprise Edition
- New Features
  - MySQL Roles
    - Multiple default roles
    - Can export the role graph in GraphML
    - Implemented as a user account with login disabled
    - New tables mysql.role_edges and mysql.default_roles
  - Atomic ACL statements
  - Dynamic privileges
    - Provides finer-grained administrative-level access controls
  - Password features
    - Password history
    - SHA2 with caching
  - File encryption
    - innodb_undo_log_encrypt
    - innodb_redo_log_encrypt
- MySQL Roles
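The following is an added example, not part of the talk or these notes, that exercises the 8.0 features listed under "New Features" on a scratch server: roles (including multiple default roles and the role graph in mysql.role_edges / mysql.default_roles), password history with caching_sha2_password, a dynamic privilege in place of SUPER, and the redo/undo log encryption variables. The role names app_reader and app_writer, the schema appdb, the accounts alice and backup_op, and the passwords are placeholders chosen for this example.

```sql
-- Added example (not from the talk or the notes). Run on a throwaway
-- MySQL 8.0 instance; every name below is a placeholder for this demo.

-- 1. Roles are accounts with login disabled, linked by edges in mysql.role_edges.
CREATE ROLE IF NOT EXISTS 'app_reader', 'app_writer';
GRANT SELECT ON appdb.* TO 'app_reader';
GRANT INSERT, UPDATE, DELETE ON appdb.* TO 'app_writer';
GRANT 'app_reader' TO 'app_writer';   -- role hierarchy: writer inherits reader

-- 2. Password features: caching_sha2_password is the 8.0 default plugin;
--    PASSWORD HISTORY 5 rejects reuse of the account's last five passwords.
CREATE USER 'alice'@'%'
  IDENTIFIED WITH caching_sha2_password BY 'ExamplePassw0rd!'   -- placeholder
  PASSWORD HISTORY 5;
GRANT 'app_reader', 'app_writer' TO 'alice'@'%';

-- Multiple default roles: both roles are active at login without SET ROLE.
SET DEFAULT ROLE ALL TO 'alice'@'%';

-- 3. Dynamic privilege: a narrow administrative right instead of SUPER.
CREATE USER 'backup_op'@'localhost'
  IDENTIFIED WITH caching_sha2_password BY 'ExamplePassw0rd!';   -- placeholder
GRANT BACKUP_ADMIN ON *.* TO 'backup_op'@'localhost';

-- 4. Inspect the role graph through the new system tables.
SELECT FROM_USER, FROM_HOST, TO_USER, TO_HOST, WITH_ADMIN_OPTION
  FROM mysql.role_edges;
SELECT USER, HOST, DEFAULT_ROLE_USER, DEFAULT_ROLE_HOST
  FROM mysql.default_roles;
-- Roles show up in mysql.user as locked accounts (account_locked = 'Y').
SELECT User, Host, account_locked
  FROM mysql.user
 WHERE User IN ('app_reader', 'app_writer');
-- Effective privileges alice gets through the writer role (and, via the
-- edge above, the reader role).
SHOW GRANTS FOR 'alice'@'%' USING 'app_writer';

-- 5. File encryption: turn on redo/undo log encryption. A keyring plugin
--    or component must already be loaded, otherwise the SET fails.
SET PERSIST innodb_redo_log_encrypt = ON;
SET PERSIST innodb_undo_log_encrypt = ON;
SHOW VARIABLES LIKE 'innodb_%_log_encrypt';   -- expect both ON
```

When checking such a setup, the two queries against mysql.role_edges and mysql.default_roles are the quickest way to confirm that a role inherits only what you intended and that no account received more default roles than it should; SET PERSIST writes the encryption settings to mysqld-auto.cnf so they survive a restart, but the keyring backend that holds the key still has to be available at startup.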