MySQL security solutions

This article is the illustrated write-up of the April 9th webinar, MySQL Security Solutions.

It mainly includes three aspects:

  1. The security challenges being faced.

  2. MySQL security features.

  3. Demonstrations of some of the features.

With the explosive growth of data, security has become users' top priority, and data has become their most important asset.

[slide: MySQL security solutions]

This slide covers all the risks a database faces:

Lack of configuration: the security-related settings of the database have never been changed from their defaults, or have been configured improperly. The solution is to change the default configuration and keep it under control.

Privileged accounts: the database has several privileged accounts with far more permissions than they need, so a mistaken operation has a huge impact. The solution is to formulate a privilege policy, follow the principle of least privilege, and grant each user only the privileges appropriate to it.

Weak access control: no dedicated administrative account is set up, account roles are ambiguous, and the same account performs both query work and administrative work. The solution is to create a dedicated administrative account and give the administrative and application accounts different permissions.

Weak authentication: login passwords are simple and are not changed for long periods. The solution is to enforce strong passwords and rotate them regularly.

Weak auditing: auditing does not meet regulatory requirements, or there is no audit or audit policy at all. The solution is to configure audit records and audit policies in line with compliance requirements.

Lack of encryption: data at rest, backups and network transmission are not encrypted, which results in data leakage. The solution is to use encryption at every stage of data handling and transmission.

Credential and key management: the credentials and keys used for encryption are not stored according to requirements, so keys can be lost or become unusable. The solution is to store keys and credentials in a dedicated key store.

Insecure backups: backups are not encrypted or otherwise protected, so backup data leaks. The solution is to encrypt backup data.

No monitoring: the system is not monitored, so incidents are only discovered after the fact. The solution is to deploy a proper monitoring system that watches security events, users, objects and so on.

Weak application coding: inexperienced application developers place no strict restrictions on query statements, so unexpected queries reach the database. The solution is to use a firewall to block queries outside a whitelist.
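The first four risks on the list (unchanged defaults, privileged accounts, weak access control, weak authentication) can be checked directly from the catalog. The queries below are an added example written for this write-up, not part of the webinar; they run as a DBA on MySQL 8.0, and the schema and account names they mention are constructed.

```sql
-- Added example (not from the webinar): self-assessment queries for the risks above.
-- Run as an administrative account on MySQL 8.0.

-- Lack of configuration: confirm the security-relevant defaults were changed.
SELECT @@require_secure_transport  AS tls_required,      -- want ON
       @@local_infile              AS local_infile,      -- want 0 (OFF)
       @@secure_file_priv          AS file_priv_dir,     -- want a fixed directory, not empty
       @@default_password_lifetime AS pw_lifetime_days;  -- 0 means passwords never expire

-- Weak authentication / weak access control: accounts reachable from any host,
-- accounts with no credential, accounts on the legacy password plugin, and
-- accounts that are not required to use TLS.
SELECT user, host, plugin, ssl_type, password_expired, account_locked,
       password_last_changed
FROM mysql.user
WHERE host = '%'
   OR authentication_string = ''
   OR plugin = 'mysql_native_password'
   OR ssl_type = '';

-- Privileged accounts: static global privileges that are effectively root...
SELECT grantee,
       GROUP_CONCAT(privilege_type ORDER BY privilege_type) AS global_privs
FROM information_schema.USER_PRIVILEGES
WHERE privilege_type IN ('SUPER', 'FILE', 'GRANT OPTION', 'CREATE USER', 'SHUTDOWN')
GROUP BY grantee;

-- ...and the dynamic ones, which live in mysql.global_grants, not USER_PRIVILEGES.
SELECT user, host, priv, with_grant_option
FROM mysql.global_grants
WHERE priv IN ('SYSTEM_USER', 'SYSTEM_VARIABLES_ADMIN', 'CONNECTION_ADMIN',
               'SERVICE_CONNECTION_ADMIN', 'ROLE_ADMIN');

-- Weak auditing / weak authentication: is an audit log plugin loaded, and is
-- the password-policy component installed? (validate_password is a component
-- in 8.0, so it is listed in mysql.component rather than information_schema.PLUGINS.)
SELECT plugin_name, plugin_status
FROM information_schema.PLUGINS
WHERE plugin_name = 'audit_log';

SELECT component_urn
FROM mysql.component;   -- expect 'file://component_validate_password' among the rows
```

Every row returned by the second and third queries is a finding to justify or fix; an empty result from the last two is itself a finding (no audit plugin, no password policy).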

[slide: MySQL security solutions]

In addition to the security risks of databases themselves, organizations that hold data need to respond to the ever-increasing requirements of data and information protection laws and regulations. Globally, regulatory requirements for data protection, and personal data protection in particular, have been strengthened. For example, the GDPR launched at the end of 2018; China's Cyber Information Security Law has continued to add security specifications and guidelines in recent years; and in December 2019 the Standing Committee of the National People's Congress announced that legislation on the protection and security of personal data is a priority for the next legislative year, indicating that China will introduce relevant laws in the near future.

[slide: MySQL security solutions]

This slide shows the current international compliance requirements. Organizations with international business should pay attention to the relevant legal requirements to avoid unlawful operations.

The above covers the challenges and compliance requirements a database faces; so how is the security of the database ensured?

[slide: MySQL security solutions]

The security of the database is ensured through four aspects: evaluation, prevention, detection and recovery. This is a general methodology. Evaluation means locating risks and vulnerabilities and ensuring that the necessary security controls have been installed correctly. Prevention means using encryption, user control, access control and other means to prevent attacks as far as possible. Detection means using auditing, monitoring and alerting to detect intrusions that may still get through. Recovery means that even in the event of a security incident the service is not interrupted, and that the incident can be investigated and it can be verified afterwards that the security vulnerabilities have been resolved.

In response to this methodology, MySQL provides the following security features.

[slide: MySQL security solutions]

The following figure is an overall overview of the security architecture of the enterprise version of MySQL:
[figure: overall security architecture of MySQL Enterprise Edition]

Next, we will introduce the details of this architecture one by one.
[slide: MySQL security solutions]

Starting from MySQL 8.0, both the community edition and the enterprise edition use OpenSSL. Because of licensing issues the community edition previously could not use OpenSSL; this was resolved in 8.0 (as of 8.0.18 all editions use OpenSSL). With OpenSSL, the TLS protocol versions from 1.0 to 1.3 are supported, and, based on a contribution from Facebook, the dynamic SSL options allow the certificate to be updated without restarting the server.

[slide: MySQL security solutions]
The advantages of using OpenSSL in 8.0 include: the optimized OpenSSL library, which can be patched without upgrading MySQL itself; and the OpenSSL-based FIPS object module, which provides confidentiality, integrity and message digest services to meet FIPS (Federal Information Processing Standards) requirements.
[slide: MySQL security solutions]
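The TLS points above (protocol version selection and certificate reload without a restart) translate into a short set of statements on 8.0.16 or later. This is an added example for this write-up, not code shown in the webinar; the certificate paths, account name and password are placeholders.

```sql
-- Added example (not from the webinar): TLS hardening and certificate rotation
-- on MySQL 8.0.16+. Paths, account and password are placeholders.

-- Only accept TLS 1.2 and 1.3, and refuse unencrypted connections entirely.
SET PERSIST tls_version = 'TLSv1.2,TLSv1.3';
SET PERSIST require_secure_transport = ON;

-- Certificate rotation: the renewed files are copied over the existing paths
-- (for example /etc/mysql/certs/server-cert.pem and server-key.pem, placeholders),
-- then the server re-reads them. New connections use the new certificate;
-- existing sessions are not interrupted.
ALTER INSTANCE RELOAD TLS;
-- By default the old context is kept if the new files fail to load;
-- check the error log after the reload.

-- Per-account requirements on top of the global switch: this account must
-- present a client certificate signed by the server's CA, not merely use TLS.
CREATE USER 'report'@'10.0.0.%' IDENTIFIED BY 'Placeholder-Report-Pw-1!'
  REQUIRE X509;

-- Verify from a client session.
SHOW SESSION STATUS LIKE 'Ssl_version';   -- e.g. TLSv1.3
SHOW SESSION STATUS LIKE 'Ssl_cipher';    -- empty means the session is not encrypted
SELECT user, host, ssl_type FROM mysql.user WHERE user = 'report';  -- ssl_type = X509
```

`require_secure_transport` also covers replication and the administrative interface, so test a replica reconnect after switching it on.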

TDE (transparent data encryption) originated in version 5.7, where it applied only to the encryption of tablespace files; 8.0 extends it to the encryption of the logs. Here is a demonstration of the TDE function:

[video: TDE demonstration]

[slide: MySQL security solutions]

8.0 adds a dedicated administrative port. Through this port a DBA can log in to the server to manage connections without being limited by the maximum connection count.

[slide: MySQL security solutions]

A SYSTEM_USER privilege has been added; its main purpose is to refine privileges and prevent ordinary users from holding excessive permissions. Accounts with this privilege are the ones that perform replication and administration, covering the requirements listed on the slide:

[slide: MySQL security solutions]

8.0.16 adds the ability to revoke part of a privilege (partial revokes), which allows MySQL privileges to be managed more finely.

[slide: MySQL security solutions]

The role feature improves MySQL's access control:

[slide: MySQL security solutions]
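The four access-control features just described (the administrative port, SYSTEM_USER, partial revokes and roles) fit together into one privilege layout. The statements below are an added example written for this write-up, not the webinar's own demo; the account names, schema names and passwords are constructed.

```sql
-- Added example (not from the webinar): one privilege layout using the admin
-- port, SYSTEM_USER, roles and partial revokes. Names and passwords are constructed.

-- 1. Administrative connection interface. These are startup options (my.cnf):
--      [mysqld]
--      admin_address = 127.0.0.1
--      admin_port    = 33062
--    Connections to it are not counted against max_connections and require the
--    SERVICE_CONNECTION_ADMIN privilege.
CREATE USER 'dba'@'localhost' IDENTIFIED BY 'Placeholder-Dba-Pw-1!';
GRANT ALL ON *.* TO 'dba'@'localhost' WITH GRANT OPTION;
GRANT SYSTEM_USER, SERVICE_CONNECTION_ADMIN ON *.* TO 'dba'@'localhost';
-- Because 'dba' holds SYSTEM_USER, an account without SYSTEM_USER cannot KILL
-- its sessions or ALTER/DROP it, even if that account has CONNECTION_ADMIN.

-- 2. Roles instead of per-user grants.
CREATE ROLE 'app_read', 'app_write';
GRANT SELECT                 ON shop.* TO 'app_read';
GRANT INSERT, UPDATE, DELETE ON shop.* TO 'app_write';

CREATE USER 'app'@'10.0.0.%' IDENTIFIED BY 'Placeholder-App-Pw-1!';
GRANT 'app_read', 'app_write' TO 'app'@'10.0.0.%';
SET DEFAULT ROLE ALL TO 'app'@'10.0.0.%';   -- active at login without SET ROLE

-- 3. Partial revoke: a global SELECT minus one schema. Needs partial_revokes=ON,
--    and the variable cannot be turned off again while any partial revoke exists.
SET PERSIST partial_revokes = ON;
CREATE USER 'analyst'@'10.0.0.%' IDENTIFIED BY 'Placeholder-Analyst-Pw-1!';
GRANT SELECT ON *.* TO 'analyst'@'10.0.0.%';
REVOKE SELECT ON hr.* FROM 'analyst'@'10.0.0.%';

-- Check the result. The partial revoke is listed as "REVOKE SELECT ON `hr`.*",
-- and USING shows the effective privileges with the roles applied.
SHOW GRANTS FOR 'analyst'@'10.0.0.%';
SHOW GRANTS FOR 'app'@'10.0.0.%' USING 'app_read', 'app_write';
```

The split between 'dba' (SYSTEM_USER, admin port) and 'app'/'analyst' (roles, no global privileges) is exactly the "dedicated administrative account" remedy from the risk list earlier.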

Starting from MySQL 8.0, passwords use the caching_sha2_password plugin by default, which makes connections faster.

[slide: MySQL security solutions]

In addition, to solve the problem of keeping a password change in sync with its rollout to the application layer, a dual-password feature has been added.

[slide: MySQL security solutions]

A MySQL password policy can include the following:

[slide: MySQL security solutions]
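The three password topics above (caching_sha2_password as the default plugin, dual passwords, and the password policy) can be exercised together on one account. This is an added example for this write-up, not the webinar's demo; the account name and the passwords are constructed placeholders.

```sql
-- Added example (not from the webinar): password policy, caching_sha2_password
-- and dual-password rotation on MySQL 8.0.19+. Account and passwords are placeholders.

-- Policy first. validate_password is a component in 8.0, not a plugin.
INSTALL COMPONENT 'file://component_validate_password';
SET PERSIST validate_password.policy = STRONG;   -- length, mixed case, digits, special chars, dictionary
SET PERSIST validate_password.length = 14;
SET PERSIST default_password_lifetime = 90;      -- days; 0 would mean "never expires"

-- New account on the default 8.0 plugin with history, reuse and lockout rules.
CREATE USER 'app'@'10.0.0.%'
  IDENTIFIED WITH caching_sha2_password BY 'Placeholder-App-Pw-2024!'
  PASSWORD EXPIRE INTERVAL 90 DAY
  PASSWORD HISTORY 5
  PASSWORD REUSE INTERVAL 365 DAY
  FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;   -- 8.0.19+: lock for 1 day after 5 failures

-- Dual-password rotation: the old password keeps working while the new one is
-- rolled out to every application instance, so there is no window of failed logins.
ALTER USER 'app'@'10.0.0.%' IDENTIFIED BY 'Placeholder-App-Pw-2025!' RETAIN CURRENT PASSWORD;
-- ... deploy the new secret to all application hosts, then retire the old one:
ALTER USER 'app'@'10.0.0.%' DISCARD OLD PASSWORD;

-- Checks: user_attributes carries the additional password while it exists,
-- and a candidate password can be scored against the policy without storing it.
SELECT user, host, plugin, password_expired, password_lifetime, user_attributes
FROM mysql.user
WHERE user = 'app';
SELECT VALIDATE_PASSWORD_STRENGTH('Placeholder-App-Pw-2025!');   -- 0 to 100
```

Until `DISCARD OLD PASSWORD` runs, both passwords authenticate, so that step belongs in the rotation runbook rather than being left for later.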

Next, I will introduce the Keyring API.

[slide: MySQL security solutions]

The enterprise edition's TDE feature, among others, is implemented on top of this API. Using it, keys can be stored on the host or in a dedicated key vault; the latest Keyring API supports HashiCorp Vault.

[slide: MySQL security solutions]

Keyring can be used to manage keys and is suitable for the following scenarios:

[slide: MySQL security solutions]

Keyring is used to encrypt data stored on disk, such as tablespaces and logs. The key can be saved in an encrypted file (Enterprise Edition) or in a dedicated key vault.

[slide: MySQL security solutions]
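The TDE section earlier and the keyring section here describe one mechanism: the keyring holds the master key, and InnoDB encrypts tablespaces and (in 8.0) logs under it. The statements below are an added example for this write-up, not the webinar's recorded demo; the keyring path and schema names are placeholders, and the community keyring_file plugin stands in for the Enterprise keyring plugins.

```sql
-- Added example (not from the webinar): tablespace and log encryption on top of
-- the keyring, MySQL 8.0.16+. Paths and schema names are placeholders.

-- The keyring must be loaded before InnoDB initializes, so it is configured in
-- my.cnf rather than in SQL:
--   [mysqld]
--   early-plugin-load = keyring_file.so      # community; Enterprise offers
--                                            # keyring_encrypted_file, keyring_okv,
--                                            # keyring_aws and keyring_hashicorp
--   keyring_file_data = /var/lib/mysql-keyring/keyring
-- Confirm it is active before encrypting anything; without a keyring the
-- ALTER statements below fail.
SELECT plugin_name, plugin_status
FROM information_schema.PLUGINS
WHERE plugin_name LIKE 'keyring%';

-- Encrypt an existing file-per-table table, and make new tables encrypted by default.
ALTER TABLE shop.customers ENCRYPTION = 'Y';
SET PERSIST default_table_encryption = ON;
CREATE TABLE shop.orders (
  id          BIGINT PRIMARY KEY,
  customer_id BIGINT NOT NULL,
  total       DECIMAL(10, 2) NOT NULL
);   -- inherits ENCRYPTION='Y' from the default

-- What 8.0 adds over 5.7: redo and undo logs and the mysql system tablespace.
SET PERSIST innodb_redo_log_encrypt = ON;
SET PERSIST innodb_undo_log_encrypt = ON;
ALTER TABLESPACE mysql ENCRYPTION = 'Y';   -- 8.0.16+

-- Master key rotation re-wraps the per-tablespace keys; the data itself is not
-- rewritten, so this is cheap and can be scheduled.
ALTER INSTANCE ROTATE INNODB MASTER KEY;

-- Audit: which tablespaces are still in the clear?
SELECT name, encryption
FROM information_schema.INNODB_TABLESPACES
WHERE encryption = 'N';
```

The keyring file itself is the one thing TDE cannot protect; it must be backed up separately and kept off the data volume, which is the "credential and key management" risk from the list at the start.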

The data masking and de-identification functions can mask and de-identify sensitive data, removing sensitive information to meet the requirements of laws and regulations.

[slide: MySQL security solutions]

Besides masking sensitive data, random data can also be generated for testing, and the random data generation supports custom dictionaries.

[slide: MySQL security solutions]
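Both masking for production readers and dictionary-driven generation for test data use the MySQL Enterprise Data Masking plugin. Below is an added example written for this write-up, not the webinar's slides; the customers table, its one row, the support account and the dictionary file path are all constructed.

```sql
-- Added example (not from the webinar): MySQL Enterprise Data Masking and
-- De-Identification. Table, row, account and dictionary path are constructed.

-- One-time setup: the plugin and each function it provides.
INSTALL PLUGIN data_masking SONAME 'data_masking.so';
CREATE FUNCTION mask_inner           RETURNS STRING  SONAME 'data_masking.so';
CREATE FUNCTION mask_pan             RETURNS STRING  SONAME 'data_masking.so';
CREATE FUNCTION gen_rnd_email        RETURNS STRING  SONAME 'data_masking.so';
CREATE FUNCTION gen_rnd_pan          RETURNS STRING  SONAME 'data_masking.so';
CREATE FUNCTION gen_range            RETURNS INTEGER SONAME 'data_masking.so';
CREATE FUNCTION gen_dictionary       RETURNS STRING  SONAME 'data_masking.so';
CREATE FUNCTION gen_dictionary_load  RETURNS STRING  SONAME 'data_masking.so';

-- Constructed sample data.
CREATE TABLE shop.customers (
  id        INT PRIMARY KEY,
  full_name VARCHAR(100),
  email     VARCHAR(100),
  phone     VARCHAR(20),
  card_pan  VARCHAR(19)
);
INSERT INTO shop.customers VALUES
  (1, 'Alice Example', 'alice@example.com', '555-123-4567', '4111111111111111');

-- Masking: support staff read through a view and never touch the base table.
-- mask_inner(str, left_margin, right_margin) keeps the margins and X's the middle.
CREATE VIEW shop.customers_support AS
SELECT id,
       mask_inner(full_name, 1, 0) AS full_name,   -- 'AXXXXXXXXXXXX'
       CONCAT(mask_inner(SUBSTRING_INDEX(email, '@', 1), 1, 0),
              '@', SUBSTRING_INDEX(email, '@', -1)) AS email,   -- 'aXXXX@example.com'
       mask_inner(phone, 0, 4)     AS phone,       -- 'XXXXXXXX4567'
       mask_pan(card_pan)          AS card_pan     -- 'XXXXXXXXXXXX1111'
FROM shop.customers;
GRANT SELECT ON shop.customers_support TO 'support'@'10.0.0.%';

-- De-identification for a test environment: synthetic rows with the same shape,
-- names drawn from a custom dictionary (a text file, one value per line).
SELECT gen_dictionary_load('/var/lib/mysql-files/first_names.txt', 'first_names');  -- placeholder path
INSERT INTO shop_test.customers
SELECT id,
       gen_dictionary('first_names'),
       gen_rnd_email(),
       CONCAT('555-', gen_range(100, 999), '-', gen_range(1000, 9999)),
       gen_rnd_pan()
FROM shop.customers;
```

The view is the important part: masking applied in the application can be bypassed by anyone with direct table access, whereas here the support account has no grant on `shop.customers` at all.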

The audit function of MySQL Enterprise Edition works out of the box, recording connections, logins, queries and other related events.

[slide: MySQL security solutions]
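"Out of the box" means the install script turns on a catch-all filter; a policy that records connections and writes for everyone and everything for the DBA is smaller and easier to review. This is an added example for this write-up, not the webinar's own configuration; the account names are constructed and the install script path is the usual location, which may differ per platform.

```sql
-- Added example (not from the webinar): MySQL Enterprise Audit filters.
-- Account names are constructed; the script path may differ on your platform.

-- Install once. The script loads the plugin, creates the filter functions and
-- assigns a catch-all 'log_all' filter to '%' (every account):
--   mysql -u root -p < /usr/share/mysql/audit_log_filter_linux_install.sql
SELECT plugin_name, plugin_status
FROM information_schema.PLUGINS
WHERE plugin_name = 'audit_log';

-- Filters are JSON. Connection-class events (connect, disconnect, change_user)
-- for everyone, plus data-changing table access; reads are left out.
SELECT audit_log_filter_set_filter('logins_and_writes', '{
  "filter": {
    "class": [
      { "name": "connection" },
      { "name": "table_access",
        "event": { "name": ["insert", "update", "delete"] } }
    ]
  }
}');
-- Everything, for the administrative account.
SELECT audit_log_filter_set_filter('everything', '{ "filter": { "log": true } }');

-- Assignment: '%' is the default for accounts without their own entry.
SELECT audit_log_filter_set_user('%', 'logins_and_writes');
SELECT audit_log_filter_set_user('dba@localhost', 'everything');

-- Review the assignments and the logging strategy.
SELECT * FROM mysql.audit_log_filter;
SELECT * FROM mysql.audit_log_user;
SELECT @@audit_log_strategy, @@audit_log_format, @@audit_log_file;
-- audit_log_strategy is a startup option: SYNCHRONOUS never loses an event
-- (at a throughput cost); PERFORMANCE drops events when its buffer is full,
-- which is the wrong trade-off for a compliance log.
```

Filter changes take effect for new sessions; existing sessions keep the filter they started with.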

The MySQL Enterprise Edition authentication function can centralize authentication and integrate with existing identity-management infrastructure.

[slide: MySQL security solutions]

LDAP authentication is supported.

[slide: MySQL security solutions]
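Centralized authentication in practice means the MySQL account carries no password and the directory makes the decision. The statements below are an added example for this write-up using the simple-bind LDAP plugin, not the webinar's configuration; the directory host, base DN, CA path and user DN are placeholders, and the role granted is assumed to exist.

```sql
-- Added example (not from the webinar): LDAP simple bind with MySQL Enterprise
-- authentication. Host, DNs, CA path and account are placeholders.
INSTALL PLUGIN authentication_ldap_simple SONAME 'authentication_ldap_simple.so';

SET PERSIST authentication_ldap_simple_server_host  = 'ldap.example.internal';   -- placeholder
SET PERSIST authentication_ldap_simple_bind_base_dn = 'ou=People,dc=example,dc=com';
-- A simple bind sends the user's password to the directory, so the plugin's
-- own connection to the directory must be TLS as well.
SET PERSIST authentication_ldap_simple_tls     = ON;
SET PERSIST authentication_ldap_simple_ca_path = '/etc/mysql/certs/ldap-ca.pem';  -- placeholder

-- The account has no MySQL password; the auth string is the user's DN.
CREATE USER 'alice'@'10.0.0.%' IDENTIFIED WITH authentication_ldap_simple
  AS 'uid=alice,ou=People,dc=example,dc=com';
GRANT 'app_read' TO 'alice'@'10.0.0.%';   -- assumed existing role
SET DEFAULT ROLE ALL TO 'alice'@'10.0.0.%';

-- Client side: the password also travels in clear from client to MySQL server,
-- so the client must be forced onto TLS before the cleartext plugin is enabled:
--   mysql --user=alice --password --enable-cleartext-plugin --ssl-mode=REQUIRED

-- Verify which plugin each account authenticates with.
SELECT user, host, plugin, authentication_string
FROM mysql.user
WHERE plugin LIKE 'authentication_ldap%';
```

Combined with `require_secure_transport = ON` on the server (see the TLS section), the cleartext client plugin can never be negotiated over an unencrypted connection.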

Finally, I will introduce the MySQL firewall. The firewall works as a whitelist: the statements recorded in the list are allowed and everything else is blocked at the server, which prevents SQL injection attacks. It can also be used as an intrusion detection system that inspects SQL and issues warnings.

[slide: MySQL security solutions]

Below is a demo of the firewall:

[video: firewall demonstration]
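The firewall's lifecycle for one application account, as an added example for this write-up rather than the recorded demo: the account and schema are constructed, and the `mysql.firewall_whitelist` / `mysql.firewall_users` table names are those of the plugin's per-account profile mode as assumed here.

```sql
-- Added example (not from the webinar): MySQL Enterprise Firewall lifecycle for
-- one application account. Account and schema names are constructed.

-- Install once: mysql -u root -p < /usr/share/mysql/linux_install_firewall.sql
SELECT @@mysql_firewall_mode;   -- must be ON for any profile to take effect

-- 1. RECORDING: run the application's normal workload while the firewall learns.
CALL mysql.sp_set_firewall_mode('app@10.0.0.%', 'RECORDING');
--    Statements are stored as normalized digests, so literal values do not matter:
SELECT rule FROM mysql.firewall_whitelist WHERE userhost = 'app@10.0.0.%';
--    e.g.  SELECT `id` , `total` FROM `orders` WHERE `customer_id` = ?

-- 2. PROTECTING: any statement whose digest is not on the list is rejected and
--    logged. A statement with an extra condition spliced into the WHERE clause
--    normalizes to a different digest, which is why injection is caught.
CALL mysql.sp_set_firewall_mode('app@10.0.0.%', 'PROTECTING');

-- 3. DETECTING: the "intrusion detection" use from the text; unknown statements
--    are logged as suspicious but still executed. Useful while rolling out.
CALL mysql.sp_set_firewall_mode('app@10.0.0.%', 'DETECTING');

-- Operate: which accounts are in which mode, and what the counters say.
SELECT userhost, mode FROM mysql.firewall_users;
SHOW GLOBAL STATUS LIKE 'Firewall%';
-- Firewall_access_denied      rejected statements (PROTECTING)
-- Firewall_access_suspicious  unlisted statements allowed through (DETECTING)
-- Firewall_access_granted     statements that matched the list
-- Firewall_cached_entries     digests currently held in memory

-- When the application ships a release with new queries, record again for that
-- account, review the additions in mysql.firewall_whitelist, then go back to PROTECTING.
```

A recording taken while the application is under a real workload will also capture any injection that happened during the window, so the recorded list is reviewed before switching to PROTECTING.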

[slide: MySQL security solutions]

The full set of MySQL Enterprise Edition features, including security, is shown in the figure above. Those interested can download the trial version from https://edelivery.oracle.com/.


Origin blog.51cto.com/15080016/2642083