MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL...
Transcript of MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL...
![Page 1: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/1.jpg)
Ronald BradfordPrincipal Database Reliability Engineer
MySQL Data Security Risk Assessment
June 2018
Database+Operations Conference
Barcelona, Spain
21-22 June 2018
https://dataops.barcelona/
![Page 2: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/2.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Table of contents
2
MySQL Data Security Risk Assessment
1 Why?
2 How?
3 Recommendations
4 Implementation Challenge
5 Ongoing Risk
![Page 3: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/3.jpg)
About Okta/Speaker
![Page 4: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/4.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
About speaker – Ronald Bradford
5
• Principal Database Reliability Engineer (DBRE) at Okta• 29 years of RDBMS experience• 19 years of MySQL experience
• Speakerhttp://ronaldbradford.com/presentations/
• Authorhttp://effectivemysql.com/
![Page 5: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/5.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
About Okta
6
• Leading provider of identity for the enterprise• Connects and protects employees of many of the world’s largest
enterprises• Securely connects enterprises to their partners, suppliers and customers• Okta helps customers fulfill their missions faster by making it safe and
easy to use the technologies they need to do their most significant work
![Page 6: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/6.jpg)
Why?
![Page 7: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/7.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Why data security risk assessment is important?
8
• Humans seek convenience over complexity• Humans prey on other humans• Humans are better at recognition than programmed solutions
![Page 8: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/8.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Reference example (3 years)
9
• Are any of your password 3 years old?• Have any employees left in the past 3 years?• Were any password stored in clear-text?
![Page 9: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/9.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
What is happening now on your database?
10
• Hard failures• Invalid access to any data-store (e.g. Invalid password)• How frequent/often?
• Soft attacks• SELECT email from customers;
![Page 10: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/10.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Open source failures
11
• Generational bad habits (e.g. defaults)• No default administrator password• No password strength• Open ports• Poor ACLs examples
• Continued bad habits• NoSQL products• Docker
![Page 11: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/11.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
IRL comparison
12
• Physical Security• Badge+Photo+Scan+Security Guard• Pinpad+Timed Access• Metal Detectors• Secondary Scan
• Monitoring• Security Cameras+Recording+Image Recognition
• Human Intelligence• Random Security Guard Checks• Peers
![Page 12: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/12.jpg)
How?
![Page 13: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/13.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Password-less authentication
14
• First Access • Computer Login (Password)• VPN (Password+Token/MFA)• Company Systems (Password+MFA/Token)• Other (Firewall, bastion, ssh)
• Then• $ ssh <any-db-server>• $ mysql -e "ANY COMMAND I LIKE”
![Page 14: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/14.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
No MySQL password necessary (sudo)
15
• OS ‘root’ access• $ ssh dba@server• $ sudo su –
• Compromises• $ service mysql restart --skip-grant-tables• $ strings /var/lib/mysql/mysql/user.MYD
• mysql> create user demo@localhost identified by 'SomeLongP155wd#';
• strings /ebs/var/lib/mysql/mysql/user.MYD | grep demo
• demo*294B43D3206B0B0A1670A2E606F1D5B9655906B7
![Page 15: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/15.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Password use
16
• Lack of strength• Lack of rotation• Clear-text
• my.cnf• master.info• Third party tools
• /etc/percona-toolkit/percona-toolkit.conf
• Process space• Command line
• Weaker encryption methods (e.g. SHA1 v SHA256+SALT)
![Page 16: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/16.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
MySQL privileges
17
• The GRANT ALL problem (i.e. SUPER, ALTER and everything else)• The *.* problem (i.e. not schema.table)• The % or 10.% problem (i.e. not host but network)• The DEFINER / INVOKER stored function problem• The mysql.user problem• The read-only problem
![Page 17: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/17.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
NoSQL and no security
18
• MongoDB• Cassandra• Redis• Elasticsearch• <insert other products here>
https://www.slideshare.net/wurbanski/nosql-no-security
https://speakerdeck.com/xeraa/nosql-means-no-security
![Page 18: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/18.jpg)
Recommendations
![Page 19: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/19.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Practical policies and actions
20
1. Purpose driven credentials (*)
2. Least privileged model (*)
3. Segregation of responsibility4. Environment boundaries (*)
5. No clear-text passwords (*)
6. Longer & stronger passwords7. Password rotation8. Sha256 password with salt (*)
9. Remove snowflakes10. Timeouts11. Timed access12. Logging (*)
13. Auditing (*)
14. Human Factor Authentication (HFA) (*)
15. Release cadence (*)
![Page 20: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/20.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Accounts with a purpose (1)
21
• Individually Named Accounts• By name
• johnsmith• dba_jsmith
• By Purpose• zabbix• splunk• pt• collectd• xtrabackup
![Page 21: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/21.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Know your privileges (2)
22
• If an account requires SUPER, why?• Evaluate and reevaluate regularly (e.g. each quarter)
• e.g. Percona Toolkit• GRANT ALL PRIVILEGES ON *.* to percona@localhost;
• You can alter a table with?
• pt-heartbeat requires• GRANT REPLICATION CLIENT ON *.* TO percona@localhost
• GRANT INSERT, DELETE ON heartbeat.heartbeat TO percona@localhost
• pt-slave-delay requires• GRANT SUPER ON *.* TO percona@localhost;
• Replaceable with native MySQL 5.6 delayed replication
![Page 22: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/22.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Always separate environments (4)
24
• Is an password shared• Across test/stage/prod
• Do you have tools to validate passwords across environments?
• It’s just a test environment is not an excuse
![Page 23: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/23.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Removing clear-text passwords (5)
25
• .my.cnf• Clear-text• Can have any OS permissions• Can reside in any directory• Any MySQL version
• .mylogin.cnf• Not clear-text• Restricted file privileges• Locked to a specific OS user• MySQL 5.6+
![Page 24: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/24.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
A stronger password plugin (8)
26
• mysql_native_password• SHA1(SHA1()) (20 bytes)
• sha256_password plugin (5.6)• sha256 (32 bytes)• + salt
• caching_sha2_password (5.7)
https://mysqlserverteam.com/protecting-mysql-passwords-with-the-sha256_password-plugin/
https://dev.mysql.com/doc/refman/5.7/en/sha256-pluggable-authentication.html
![Page 25: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/25.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Logging (12) / Auditing (13)
28
• Limiting accounts to exact SQL (i.e. Whitelisting)• Allowed
• SHOW PROCESSLIST
• SHOW SLAVE STATUS
• SHOW MASTER STATUS
• SHOW ENGINE INNODB STATUS
• Allowed via SUPER• KILL
• Not Allowed via SUPER• SET GLOBAL
![Page 26: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/26.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Human Factor Authentication (HFA) (14)
29
• Requiring a human (or second human)• Very destructive operations
• CHANGE MASTER TO
• ALTER TABLE DROP PARTITION
![Page 27: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/27.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Software releases (15)
30
• New releases provide new functionality• Who is running MySQL 5.0?• Who is running MySQL 5.5?
• sha256_password (5.6)• mysql_config_editor (5.6)• SUPER granularity (8.0)
![Page 28: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/28.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
New available functionality (15)
31
• Stronger encryption plugins• mysql_config_editor• Password Expiry• Password strength check• Root default password• Mysql client logging removed• Start Slave password• Default SSL connections• Active/Inactive user accounts
• Roles• Super granularity• Password history
![Page 29: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/29.jpg)
Implementation Challenges
![Page 30: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/30.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Convergence is really hard
33
• CREATE USER• user @ host
• DROP USER
• GRANT privilege• REVOKE privilege
• Individual accounts• Environment accounts• Organization accounts
![Page 31: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/31.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Changing passwords
34
• Single server – Simple• Complex topology – Hard
• To replicate or not to replicate• Configuration management v replication• Are your replicas in read only mode?• Disabled configuration management• Lag slaves
![Page 32: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/32.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Example Topologies
35
![Page 33: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/33.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
User convergence
36
• User account with multiple @hosts• Different grants per @host
• User only on some servers• DROP USER [IF EXISTS] - MySQL 5.7
![Page 34: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/34.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
GRANT convergence example
37
• Monitor user (runs something every second)• Has
• GRANT SELECT, PROCESS, SHOW DATABASES, SUPER, REPLICATION CLIENT ON *.*
• GRANT SELECT, INSERT, UPDATE ON schema1.*
• GRANT CREATE, INSERT ON mysql.*
• Should have• GRANT PROCESS, REPLICATION CLIENT ON *.*
![Page 35: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/35.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Revoking privileges
38
• REVOKE ALL works on a subset, but only per schema• GRANT SELECT ON *.*• REVOKE ALL ON *.*
• There is no REVOKE [IF EXISTS]• REVOKE ALL ON *.* does not fail when re-executed• REVOKE ALL ON schema.* does
• A user always has the USAGE privilege (can never have no schemas)• REVOKE, GRANT are atomic statements
• i.e. the time in-between• All or nothing does not apply (i.e. both work or both fail)
![Page 36: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/36.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Tools
39
• External CMDB for users/grants• Yet another language or metadata
• Is pt-show-grants a CMDB option?• Password hash’s not clear-text
• But unknown
• GRANT not CREATE USER
![Page 37: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/37.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Guidelines
40
• Center for Information Security
• National Vulnerability Database• Common Vulnerabilities and Exposures (CVE)
• FedRAMP• PCI• Other compliance bodies
https://www.cisecurity.org/benchmark/oracle_mysql/
![Page 38: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/38.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
A stronger model example
41
• AWS RDS (not allowing SUPER)
• mysql> CALL mysql.rds_skip_repl_error;• mysql> CALL mysql.rds_kill(thread-id);
https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Appendix.MySQL.CommonDBATasks.html
![Page 39: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/39.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
MySQL wish list
42
• A user should be able to have a comment• Similar to CREATE TABLE
• Be able to active/inactive an account - MySQL 5.7• Be able to expire a password – MySQL 5.7• SUPER granularity – MySQL 8.0
• SQL whitelist• SQL blacklist
• REVOKE [ANY] PRIVILEGE
![Page 40: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/40.jpg)
Conclusions
![Page 41: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/41.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
Data security not discussed
46
• Many other issues to consider in security scope• Encryption• Secure communication, e.g. SSL/ipsec• Backups• Log Files• Data integrity (read_only, sql_mode)
![Page 42: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/42.jpg)
© Okta and/or its affiliates. All rights reserved. Okta Confidential
What can you do?
47
• Data security is not convenient• Data security is not easy• Data security is not a one off task
• Be an advocate at your company
![Page 43: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/43.jpg)
Thank You
![Page 44: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/44.jpg)
![Page 45: MySQL Data Security Risk Assessment...Ronald Bradford Principal Database Reliability Engineer MySQL Data Security Risk Assessment June 2018 Database+OperationsConference Barcelona,](https://reader034.fdocuments.us/reader034/viewer/2022042220/5ec5ee77ebe3a376a50f68fe/html5/thumbnails/45.jpg)