1

MariaDBRoadshow2016MariaDBSecureDataManagement-ThreatsandBestPrac6ces

2

CommonThreatstoYourData

OutdatedMariaDBpackages

TheInternet1.

2.

3.

4.

5.

ExcessiveTrust

Applica6ons

LackofVisibility

3

TheInternet•  DatabasedrivenWebpagesarecommoditynow•  StartedasasmallhostedWebapplica?on,nowbusinesscri?cal•  ...Defense●  DonotallowTCPconnec?onstoMariaDBfromtheInternetatlarge.

●  ConfigureMariaDBtolistenonanetworkinterfacethatisonlyaccessiblefromthehostwhereyourapplica?onruns.

●  DesignyourphysicalnetworktoconnecttheapptoMariaDB

●  Usebind-addresstobindtoaspecificnetworkinterface

●  UseyourOS’sfirewall

4

BestPrac6ce:Encryptsensi6vedata●  Encryptsomedataintheapplica?on

○  Non-keydata○  Creditcardnumbers

●  EncryptdataintransitusingSSL○  FromclientstoMaxScale○  FromclientstoMariaDB○  BetweenMariaDBreplica?onnodes

●  Encryptdataatrestusingadvancedtablespaceencryp?onfunc?onalityinMariaDB10.1○  InnoDBtablespaceencryp?on○  InnoDBredologencryp?on○  Binarylogencryp?on

5

ThreatsfromApplica6ons•  DenialofServiceAUackscreatedbyoverloadingapplica?on•  SQLqueryinjec?onaUacks•  …

Defense●  Donotrunyourapplica?ononyourMariaDBServer.●  DonotinstallunnecessarypackagesonyourMariaDBServer.●  Anoverloadedapplica?oncanusesomuchmemorythatMariaDBcouldslowor

evenbekilledbytheOS.Thisisaneffec?veDDoSaUackvector.●  Acompromisedapplica?onorservicecanhavemanyserioussideeffects

○  DiscoveryofMariaDBcreden?als○  Directaccesstodata○  Privilegeescala?on

6

BestPrac6ce:UseaGateway

●  CreateaDatabaseFirewall

●  Restricttheopera?onsthatclients(applica?ons)areallowedto

perform

●  Iden?fyandflagpoten?allydangerousqueries

●  Customizerulesaboutwhat’sallowedandwhat’snot

●  Implementconnec?onpoolingcapabili?escanprotectagainst

DDoSaUacks

7

ExcessiveTrust•  Disgruntledemployees•  Mistakesandhumanerror

●  DonotusetheMariaDB“root”userforapplica?onaccess.●  Grantonlytheprivilegesrequiredbyyourapplica?on.●  MinimizetheprivilegesgrantedtotheMariaDBuseraccountsusedbyyourapplica?ons

○  Don’tgrantCREATEorDROPprivileges.○  Don’tgranttheFILEprivilege.○  Don’tgranttheSUPERprivilege.○  Don’tgrantaccesstothemysqldatabase

●  Limituserswhohave:○  SSHaccesstoyourMariaDBserver.○  SudoprivilegesonyourMariaDBserver.

●  Setthesecure_file_privop?ontoensurethatuserswiththeFILEprivilegecannotwriteorreadMariaDBdataorimportantsystemfiles.

8

BestPrac6ce:ManageMariaDBuseraccountscarefully●  Use OS permissions to restrict access to MariaDB data and backups.

●  Allow root access to MariaDB only from local clients—no administrative access over the network.

●  Use the unix_socket authentication plugin so that only the OS root user can connect as the MariaDB root user.

●  Use strong passwords.

○  Enable the cracklib_password_check plugin.

●  Use a separate MariaDB user account for each of your applications.

●  Allow access from a minimal set of IP addresses.

9

OutdatedMariaDBPackages●  LinuxvendorsofendistributeoutdatedversionsofMariaDB

whichlackthemostup-to-datesecurityfixesandfeatures:○  MariaDB10.0inDebian8(Jessie)○  MariaDB5.5inRHEL7

●  UseMariaDBEnterprisepackages:○  Updatedwiththemost-recentsecurityfixesandfeatures○  Cri?calsecurityfeaturesenabledbydefault

10

BestPrac6ce:UpdateMariaDBandotherpackages●  Stayontopofthemostrecentsecurityfixesbykeepingyour

MariaDBpackagesupdated

●  ApplysecurityupdatesdistributedbyyourOSvendor,ashighlightedbyrecentproblemsinglibcandopenssl.

11

LackofVisibility•  Applica?onssharethesameuserfordatabaseconnec?ons

•  Novisibilityatthedatabasebackendaboutwhichapplica?onisaccessingthedata

•  Scriptsdonotusespecificusersorevenusetherootuser•  Nochancetoevaluatewhichtooliscausingissues

•  DirectaccesstodatabasewithoutusingnamedDBAusers•  NowaytotrackwhichDBA/DevOppdidaccessdata

•  Requirementtoauditaccesstodataisincreasing•  Weneedtoknowwhoisaccessingwhatandwhen

12

BestPrac6ce:NamedUsersandAudit●  Usenameduserswheneverpossible

•  Dis?nguishbetweentechnicalusers(applica?ons)anddirectaccess(tools,DBA,..)

●  Ensureregulatorycompliancewithrobustlogging

●  Recordconnec?ons,queryexecu?ons,andtablesaccessed●  Ac?vateaudi?ngusingtheMariaDBAuditPlugin

o  Uselogsforforensicanalysisaferanincident

o  Enableediscovery

o  Logeithertoafileortosyslog

Detect,Protect,Audit,Improve

DetectandPreventAUacks-UnauthorizedAccess-DenialofService-SQLInjec?ons

ProtectDatawithEncryp?onNa?veModeEncryp?onprotectsdataatrest

AuditforForensicsandCompliance

MariaDB10.1

InnoDB/

XtraDB

Aria

BenefitfromCommunityProtec?on

SSLEncryp?onprotectsdatainmo?on

MariaDBEnterpriseSecurity

DetectandPreventAUacks•  RoleBasedAccessControl•  Passwordmanagementand

valida?onplugin•  KeyManagementServices-

AWSorEperiKMS•  Blacklistfirewallfilteringin

MaxScale•  Authen?ca?onplugin

1.  LDAP2.  sshpassphrases3.  One-?mepasswords(even

withSMSconfirma?on)4.  Systemauthen?ca?on5.  Combina?onsof

authen?ca?onmodules

ProtectDatawithwithencryp?onNa?veModeEncryp?onprotectsdataatrest

•  Everything—alltablespacesandalltables•  Individualtables•  Everything,excludingindividualtables•  Supportforrollingkeys•  XtraDB/InnoDBlogfiles•  Binarylog

AuditforForensicsandCompliance•  Logdatabase

connec?on,queriesandtableaccess

SSL Encryption protects data in motion

BenefitfromCommunityProtec?on•  Fasterdetec?onof

vulnerabili?es•  BeUerthreatresponse•  Securityfeatures

MariaDBEnterpriseSecurity

16

PasswordValida6on

■  Simple_password_checkpluginEnforceaminimumpasswordlengthandtype/numberofcharacterstobeused

■  Cracklib_password_checkplugin

■  Stopusersfromchoosingeasytoguesspasswords.

■  Prohibitweakpasswordsbasedonusernameordic?onaryword

ExternalAuthen6ca6on

SingleSignOnisgeqngmandatoryinmostEnterprises.

■  PAM-Authen6ca6onPluginallowsusing/etc/shadowandanyPAMbasedauthen?ca?onlikeLDAP

■  Kerberos-Authen6ca6onasastandardizednetworkauthen?ca?onprotocolisprovidedGSSAPIbasedonUNIXandSSPIbasedonWindows

Authen6ca6on

17

ThreatProtec6onwiththeDatabaseFirewall

HowitWorks§  BlockorAllowqueriesthat

•  matchasetofrules•  matchingrulesforspecifiedusers•  matchcertainpaUerns

§  Mul?pleorderedrules§  Matchon

•  date/?me•  aWHEREclause•  Querytype•  Columnmatch•  awildcardorregularexpression

ProtectagainstSQLinjec6onPreventunauthorizeddataaccessPreventdatadamage

Query

FirewallFilter

SelectfromcustomerWhereid=5:SELECT*FROMCUSTOMERS;

MaxScale

1 3

2

Client

Queryfailed:1141Error:RequiredWHERE/HAVINGclauseismissing

Error

SQL

18

DenialofServiceacackprotec6on■  MariaDBMaxScalePersistentConnec?ons■  Connec?onpoolingprotectsagainstconnec?onsurges■  Cachetheconnec?onsfromMaxScaletothedatabaseserver■  Ratelimita?on■  Clientmul?plexing

19

SecuredConnec6ons

■  SSLConnec?onsbasedontheTLSv1.2Protocol

■  BetweenMariaDBConnectorsandServer

■  BetweenMariaDBConnectorsandMaxScale

■  SSLcanalsobeenabledforthereplica?onchannel

Encryp6onFunc6ons

■  Selec?veData-In-UseEncryp?on

■  Applica?oncontrolofdataencryp?on

■  BasedontheAES(AdvancedEncryp?onStandard)orDES(DataEncryp?onStandard)algorithm

Encryp6onforDatainMo6on

20

Data-at-RestEncryp6on

■  Tableortablesspaces

■  Logfiles

■  Independentofencryp?oncapabili?esofapplica?ons

■  Basedonencryp?onkeys,keyids,keyrota?onandkeyversioning

KeyManagementServices

■  Encryp?onpluginAPIofferschoiceo  Plugintoimplementthedata

encryp?ono  Manageencryp?onKeys

■  MariaDBEnterpriseop?onso  SimleKeyManagementincludedo  AmazonAWSKMSPluginincludedo  EperiKMSforonpremisekey

management-op?onal

Encryp6onforDataatRest

21

Audi6ngforSecurityandCompliance

■  Logs server activity o  Who connected to the

server o  Source of connection o  Queries executed o  Tables touched

■  File based or syslog based logging

MariaDBAuditPlugin

Connection

Query

Object

Connect Disconnect

Failed Connect

DDL DML+TCL

DCL

Database Tables

Timestamp Host User

Session

MariaDBSecurityGetsStrongerAlltheTime

22

MariaDBUserCommunity

▪  Quicklyiden?fiesnewthreats▪  Reportsvulnerabili?es▪  Createssolu?ons▪  Contributesfeatures

23

GETSTARTED:MariaDBSecurityAudit

Evaluateandaddressdatabasesecuritypolicies,technologies,andprac6ces

■  Reviewofyourdatabasesecurityneedsandrequirements■  Accesscontrolassessment■  AutomatedaUackprotec?onreview■  Encryp?ontoolsandprac?ces■  Forensiccapabili?esreview■  Ongoingcomplianceandsecurityplanning

FullyleverageMariaDB’ssecurity

capabili6es

Reducelegal,financial,andbrand

reputa6onrisk

24

Q&A

25

ThankYou