SlideShare a Scribd company logo

Guob - MySQL e LGPD

V
Vinicius M Grippa

This document discusses various features in MySQL and Percona Server that provide data encryption and security capabilities. It begins with an introduction to the speaker and Percona company. Then it covers topics like SSL, password management using plugins, OS/cloud security, audit plugins, tablespace and log encryption in Percona Server and MySQL 8. Transparent data encryption and new password hashing algorithms are also summarized.

Technology
1 of 72
Download to read offline
© 2019 Percona1 MySQL e LGPD(Lei Geral de Proteção de Dados) Vinicius M. Grippa Senior Support Engineer for MySQL/MongoDB vinicius.grippa@percona.com
© 2019 Percona2 • Engenheiro de Support na Percona desde 2017. • Trabalhando com MySQL há 7 anos. • Trabalhando com banco de dados há 10 anos. • Speaker na PL 2018/2019, conferências e meetups sobre MySQL/MongoDB. Sobre mim 2
© 2019 Percona3 • Fundada em 2006 • +200 engenheiros ao redor do mundo • Ferramentas com +1 bilhão de downloads • Percona Live é um dos grandes eventos sobre banco de dados open-source Sobre Percona 3
© 2019 Percona4 O que é a LGPD?
© 2019 Percona5 • Lei Geral de Proteção de Dados Pessoais, a "GDPR brasileira". • Criada para proteger a liberdade e a privacidade de consumidores e cidadãos. • Estabelecer regras claras sobre coleta, armazenamento, tratamento e compartilhamento de dados pessoais. • Estabelecer punições para quem descumprir a lei. LGPD 5
© 2019 Percona6 • O titular Seria o proprietário dos dados, no caso as pessoas físicas. • O controlador É representado pelo tomador dos dados, ou seja, as pessoas jurídicas • O operador A empresa responsável pela coleta de dados e sua efetiva segurança através de soluções automatizadas • O encarregado É o profissional que responde pela proteção dos dados da empresa. Quem são os atores envolvidos na LGPD 6
© 2019 Percona7 • Peça-chave no processo de adequação das empresas à LGPD • Demanda por segurança (VPN, Criptografia, Firewall, REST) • Demanda por soluções de armazenamento (Backup) • Demanda por processamento dos dados O que muda para o profissional de TI? 7
© 2019 Percona8 Princípios Básicos • Acesso minimo • Isolamento • Audit • Proteção contra invasão • Firewall 8
© 2019 Percona9 Agenda • SO/Cloud security • SSL • Password management • Audit plugin • Percona Server encryption features • MySQL 8 features (undo, redo encryption) • TDE • New caching_sha2_password • FIPS mode • Roles 9
© 2019 Percona10 OS/Cloud Security
© 2019 Percona11 OS/Cloud Security • Remover serviços que não são usados • Não rodar compiladores • Firewalls • Acesso restrito a internet • Desabilitar root remoto • Uso de chave SSH
© 2019 Percona12 OS/Cloud Security • Uso do Amazon Virtual Private Cloud (VPC) • Uso do AWS Identity and Access Management (IAM) policies • Uso de security groups
© 2019 Percona13 OS/Cloud Security
© 2019 Percona14 OS/Cloud Security
© 2019 Percona15 OS/Cloud Security
© 2019 Percona16 SSL 16
© 2019 Percona17 SSL • Transportar a informação de forma segura • SSL provê esse meio • Default for MySQL 5.7-8.0 or higher • MySQL 8.0.16 suporta mudanças em runtime das variáveis TLS • Certificados • MySQL 5.7 • mysql_ssl_rsa_setup • MySQL 5.6 • openssl
© 2019 Percona18 | ssl_cert | server-cert.pem | | ssl_cipher | | | ssl_crl | | | ssl_crlpath | | | ssl_fips_mode | OFF | | ssl_key | server-key.pem | +--------------------+--------------- mysql > show global variables like '%ssl%'; +--------------------+-----------------+ | Variable_name | Value | +--------------------+-----------------+ | have_openssl | YES | | have_ssl | YES | | mysqlx_ssl_ca | | | mysqlx_ssl_capath | | | mysqlx_ssl_cert | | | mysqlx_ssl_cipher | | | mysqlx_ssl_crl | | | mysqlx_ssl_crlpath | | | mysqlx_ssl_key | | | ssl_ca | ca.pem | | ssl_capath | | SSL
© 2019 Percona19 mysql: root@localhost ((none)) GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'%' IDENTIFIED BY 'sekret' REQUIRE SSL; Query OK, 0 rows affected, 1 warning (0.00 sec) Query OK, 0 rows affected (0.01 sec) [root@node1 ~]# mysql -ussluser -psekret --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem --ssl-ca=/var/lib/mysql/ca.pem -h 127.0.0.1 -P 3306 -e "s"| grep SSL mysql: [Warning] Using a password on the command line interface can be insecure. SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256 SSL
© 2019 Percona20 It is also possible to set ssl-mode to ensure that all connections use SSL. This option is available only for client programs, not the server. [client] ssl-mode=required SSL
© 2019 Percona21 SSL
© 2019 Percona22 Password Management 22
© 2019 Percona23 Password Management • Password expiration • validate_password plugin • Percona LDAP plugin 23
© 2019 Percona24 Password Expiration • MySQL enables database administrators to expire account passwords manually, and to establish a policy for automatic password expiration. Expiration policy can be established globally, and individual accounts can be set to either defer to the global policy or override the global policy with specific per-account behavior.
© 2019 Percona25 Password Expiration Individual Accounts mysql> create user test_expired_user@localhost identified by 'Sekr$K1et' PASSWORD EXPIRE INTERVAL 1 day; Query OK, 0 rows affected (0.01 sec) Globally mysql> SET GLOBAL default_password_lifetime = 1;
© 2019 Percona26 mysql: test_expired_user@localhost ((none)) > show databases; ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement. Password Expiration
© 2019 Percona27 validate_plugin Its main purpose is to test passwords and improve security. It is possible to ensure the strength, length and required characters of the password.
© 2019 Percona28 validate_plugin - Instalação # Runtime mysql: root@localhost ((none)) > INSTALL PLUGIN validate_password SONAME 'validate_password.so'; Query OK, 0 rows affected (0.07 sec) # my.cnf [mysqld] plugin-load-add=validate_password.so
© 2019 Percona29 validate_plugin - Validação mysql: root@localhost ((none)) > show global variables like '%plugin%'; +-------------------------------+--------------------------+ | Variable_name | Value | +-------------------------------+--------------------------+ | default_authentication_plugin | mysql_native_password | | plugin_dir | /usr/lib64/mysql/plugin/ | +-------------------------------+--------------------------+ 2 rows in set (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'validate%'; +-------------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------------+---------------+ | validate_password | ACTIVE | +-------------------+---------------+ 1 row in set (0.00 sec)
© 2019 Percona30 validate_plugin - Exemplo mysql: root@localhost ((none)) > set global validate_password_length = 6; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > set global validate_password_policy=2; Query OK, 0 rows affected (0.00 sec)
© 2019 Percona31 mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd12@'; Query OK, 0 rows affected (0.00 sec) validate_plugin - Exemplo
© 2019 Percona32 As of MySQL 8.0.14, user accounts are permitted to have dual passwords, designated as primary and secondary passwords. Dual-password capability makes it possible to seamlessly perform credential changes in scenarios like this: ● A system has a large number of MySQL servers, possibly involving replication. ● Multiple applications connect to different MySQL servers. ● Periodic credential changes must be made to the account or accounts used by the applications to connect to the servers. Dual Password Support
© 2019 Percona33 Audit Plugin 33
© 2019 Percona34 Audit Plugin • MySQL Enterprise – Paid • Percona Server (works with community version) – Free • It is different from general log • Filter by command / user / database • MariaDB Audit Plugin
© 2019 Percona35 Audit Plugin - Installing mysql > INSTALL PLUGIN audit_log SONAME 'audit_log.so'; Query OK, 0 rows affected (0.05 sec) mysql > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'audit%'; +-------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------+---------------+ | audit_log | ACTIVE | +-------------+---------------+ 1 row in set (0.00 sec)
© 2019 Percona36 Audit Plugin [mysqld] ## Audit Logging ## audit_log_policy=ALL audit_log_format=JSON audit_log_file=/var/log/mysql/audit.log audit_log_rotate_on_size=1024M audit_log_rotations=10
© 2019 Percona37 mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_buffer_size | 1048576 | | audit_log_exclude_accounts | | | audit_log_exclude_commands | | | audit_log_exclude_databases | | | audit_log_file | /var/log/mysql/audit.log | | audit_log_flush | OFF | | audit_log_format | JSON | | audit_log_handler | FILE | | audit_log_include_accounts | | | audit_log_include_commands | | | audit_log_include_databases | | Audit Plugin
© 2019 Percona38 mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_policy | ALL | | audit_log_rotate_on_size | 1073741824 | | audit_log_rotations | 10 | | audit_log_strategy | ASYNCHRONOUS | | audit_log_syslog_facility | LOG_USER | | audit_log_syslog_ident | percona-audit | | audit_log_syslog_priority | LOG_INFO | +-----------------------------+--------------------------+ 18 rows in set (0.02 sec) Audit Plugin
© 2019 Percona39 Percona Server Encryption Features 39
© 2019 Percona40 Percona Server Encryption Percona server provides extra encryption: • encrypt_binlog • encrypt_tmp_files • innodb_encrypt_online_alter_logs • innodb_encrypt_tables innodb_parallel_dblwr_encrypt • innodb_sys_tablespace_encrypt • innodb_temp_tablespace_encrypt
© 2019 Percona41 Percona Server Encryption [mysqld] # Binary Log Encryption encrypt_binlog master_verify_checksum = 1 binlog_checksum = 1 mysql: root@localhost ((none)) > show global variables like '%encrypt_binlog%'; +----------------+-------+ | Variable_name | Value | +----------------+-------+ | encrypt_binlog | ON | +----------------+-------+ 1 row in set (0.00 sec)
© 2019 Percona42 Percona Server Encryption mysql: root@localhost ((none)) > show global variables like '%encrypt%'; +----------------------------------+-------------+ | Variable_name | Value | +----------------------------------+-------------+ | block_encryption_mode | aes-128-ecb | | encrypt_binlog | ON | | encrypt_tmp_files | OFF | | innodb_encrypt_online_alter_logs | OFF | | innodb_encrypt_tables | OFF | | innodb_parallel_dblwr_encrypt | OFF | | innodb_sys_tablespace_encrypt | OFF | | innodb_temp_tablespace_encrypt | OFF | +----------------------------------+-------------+ 8 rows in set (0.00 sec)
© 2019 Percona43 MySQL 8 Features (Undo, Redo Encryption) 43
© 2019 Percona44 MySQL 8 - (Undo, Redo Encryption) • MySQL 8 extends tablespace encryption feature to redo log and undo log. • It is necessary using one of the Keyring plugins.
© 2019 Percona45 MySQL 8 - (Undo, Redo Encryption) The process is very straightforward, to enable the encryption on the redo log and the undo log: mysql> set global innodb_undo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> set global innodb_redo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> show global variables like '%log_encrypt%'; +-------------------------+-------+ | Variable_name | Value | +-------------------------+-------+ | innodb_redo_log_encrypt | ON | | innodb_undo_log_encrypt | ON | +-------------------------+-------+ 2 rows in set (0.00 sec)
© 2019 Percona46 Transparent Data Encryption (TDE) 46
© 2019 Percona47 Transparent Data Encryption (TDE) • Enables data-at-rest encryption in the database. • Encryption and decryption occurs without any additional coding, data type or schema modifications.
© 2019 Percona48 Transparent Data Encryption (TDE) [mysqld] # TDE early-plugin-load=keyring_file.so keyring-file-data=/var/lib/mysql-keyring/keyring mysql: root@localhost ((none)) > INSTALL PLUGIN keyring_udf SONAME 'keyring_udf.so'; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'keyring%'; +--------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +--------------+---------------+ | keyring_file | ACTIVE | | keyring_udf | ACTIVE | +--------------+---------
© 2019 Percona49 Transparent Data Encryption (TDE) mysql: root@localhost ((none)) > SELECT keyring_key_generate('MyKey', 'AES', 32); +------------------------------------------+ | keyring_key_generate('MyKey', 'AES', 32) | +------------------------------------------+ | 1 | +------------------------------------------+ 1 row in set (0.00 sec) mysql> CREATE TABLESPACE `amer_meeting1` ADD DATAFILE 'amer_meeting1.ibd' ENCRYPTION = 'Y' Engine=InnoDB; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='N'; ERROR 1478 (HY000): InnoDB: Tablespace `vgrippa` can contain only an ENCRYPTED tables. mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='Y'; Query OK, 0 rows affected (0.02 sec)
© 2019 Percona50 Transparent Data Encryption (TDE) A flag field in the INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES has bit number 13 set if tablespace is encrypted. mysql: root@localhost (test) > SELECT space, name, flag, (flag & 8192) != 0 AS encrypted FROM INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES WHERE name in ('vgrippa'); +-------+---------+-------+-----------+ | space | name | flag | encrypted | +-------+---------+-------+-----------+ | 156 | vgrippa | 10240 | 1 | +-------+---------+-------+-----------+ 1 row in set (0.00 sec)
© 2019 Percona51 caching_sha2_password 51
© 2019 Percona52 caching_sha2_password MySQL provides two authentication plugins that implement SHA-256 hashing for user account passwords: • sha256_password: Implements basic SHA-256 authentication • caching_sha2_password: Implements SHA-256 authentication (like sha256_password), but uses caching on the server side for better performance and has additional features for wider applicability. (In MySQL 5.7, caching_sha2_password is implemented only on the client) Note: In MySQL 8.0, caching_sha2_password is the default authentication plugin rather than mysql_native_password.
© 2019 Percona53 caching_sha2_password mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec) mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec)
© 2019 Percona54 caching_sha2_password mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+-------------------------- -----------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+-------------------------- -----------------+ | vgrippa | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | | vgrippa1 | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | +----------+-----------+-----------------------+-------------------------- -----------------+ 2 rows in set (0.00 sec)
© 2019 Percona55 Example # MySQL 8 [mysqld] default_authentication_plugin=caching_sha2_password mysql> CREATE USER 'sha2user'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'password'; Query OK, 0 rows affected (0.06 sec) mysql> select user,host, plugin from mysql.user where user like 'sha2user%'; +----------+-----------+-----------------------+ | user | host | plugin | +----------+-----------+-----------------------+ | sha2user | localhost | caching_sha2_password | +----------+-----------+-----------------------+ 1 row in set (0.00 sec)
© 2019 Percona56 Example mysql: root@localhost ((none)) > create user vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost ((none)) > create user vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec)
© 2019 Percona57 Example mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+----------------------------------- -------------------------------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+----------------------------------- -------------------------------------+ | vgrippa | localhost | caching_sha2_password | $A$005$)8?=V_"J75FFq |jUVMUZmnZ1t8aSybB4AISoj1MXdlseI0rQay6bGGlne8 | | vgrippa1 | localhost | caching_sha2_password | $A$005$zEZ;bEmj[hq1T!LFtqZzAB0hacxgwNfHM/gL6gBFHqY1wuozW2NO4Gj9958 | +----------+-----------+-----------------------+----------------------------------- -------------------------------------+ 2 rows in set (0.01 sec)
© 2019 Percona58 FIPS Mode 58
© 2019 Percona59 FIPS • MySQL supports FIPS mode, if compiled using OpenSSL, and an OpenSSL library and FIPS Object Module are available at runtime. • FIPS mode on the server side applies to cryptographic operations performed by the server. This includes replication (master/slave and Group Replication) and X Plugin, which run within the server. FIPS mode also applies to attempts by clients to connect to the server. 59
© 2019 Percona60 Example mysql> show global variables like '%fips%'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | ssl_fips_mode | ON | +---------------+-------+ 1 row in set (0.01 sec) mysql> set global ssl_fips_mode=1; Query OK, 0 rows affected (0.06 sec)
© 2019 Percona61 Example mysql> select md5('GUOB'); +----------------------------------+ | md5('a') | +----------------------------------+ | 00000000000000000000000000000000 | +----------------------------------+ 1 row in set, 1 warning (0.00 sec)
© 2019 Percona62 Example mysql> show warnings; +---------+-------+-------------------------------------------------------------- ----------+ | Level | Code | Message | +---------+-------+-------------------------------------------------------------- ----------+ | Warning | 11272 | SSL fips mode error: FIPS mode ON/STRICT: MD5 digest is not supported. | +---------+-------+-------------------------------------------------------------- ----------+ 1 row in set (0.00 sec) 62
© 2019 Percona63 Exemplo mysql> select sha2('GUOB', 256); +------------------------------------------------------------------+ | sha2('a', 256) | +------------------------------------------------------------------+ | 3a9490e26ca5ffa08dfd34d8958cb4d145174f91a5067f6ae8af847c2f808436 | +------------------------------------------------------------------+ 1 row in set (0.00 sec)
© 2019 Percona64 Roles 64
© 2019 Percona65 Roles ● MySQL 8 comes with Roles feature. A role is a named collection of privileges. Like user accounts, roles can have privileges granted to and revoked from them.
© 2019 Percona66 Roles mysql> create role app_read; Query OK, 0 rows affected (0.03 sec) mysql> grant select on *.* to app_read; Query OK, 0 rows affected (0.04 sec)
© 2019 Percona67 Roles mysql> select * from app_db.joinit; ERROR 1142 (42000): SELECT command denied to user 'test_role'@'localhost' for table 'joinit' mysql> SELECT CURRENT_ROLE(); +----------------+ | CURRENT_ROLE() | +----------------+ | NONE | +----------------+ 1 row in set (0.00 sec)
© 2019 Percona68 Roles mysql> SET ROLE all; Query OK, 0 rows affected (0.00 sec) mysql> SELECT CURRENT_ROLE(); +---------------------------------------------- ---------+ | CURRENT_ROLE() | +---------------------------------------------- ---------+ | `app_read`@`%`,`app_write`@`%`,`app_read`@`loca lhost` | +---------------------------------------------- ---------+
© 2019 Percona69 Roles It is possible to use activate_all_roles_on_login to activate all roles granted to each account at login time.
© 2019 Percona70 References # SO/Cloud security https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html # Audit log https://www.percona.com/blog/2015/09/10/percona-server-audit-log-plugin-best-practic es/ #caching_sha2_password https://dev.mysql.com/doc/refman/5.7/en/caching-sha2-pluggable-authentication.html # SSL https://www.percona.com/blog/2013/06/22/setting-up-mysql-ssl-and-secure-connections /#setup https://www.percona.com/blog/2013/10/10/mysql-ssl-performance-overhead/ # TDE https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encry ption.html https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encry ption.html#usage https://dev.mysql.com/doc/refman/5.7/en/keyring-file-plugin.html # Roles https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_activate_all_ roles_on_login https://dev.mysql.com/doc/refman/8.0/en/roles.html # Password management https://dev.mysql.com/doc/refman/5.7/en/password-management.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-installation.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-options-variables.html # FIPS https://dev.mysql.com/doc/refman/8.0/en/fips-mode.html # Percona Server 8.0 Alpha release https://www.percona.com/blog/2018/09/27/announcement-alpha-build-of-percona-server-8- 0/ # MySQL 8 redo and undo encryption https://dev.mysql.com/doc/refman/8.0/en/innodb-tablespace-encryption.html#innodb-tables pace-encryption-about
© 2019 Percona71 Any Questions? 71
© 2019 Percona72 We’re Hiring! Percona’s open source database experts are true superheroes, improving database performance for customers across the globe. Our staff live in nearly 30 different countries around the world, and most work remotely from home. Discover what it means to have a Percona career with the smartest people in the database performance industries, solving the most challenging problems our customers come across.

Recommended

GDPR Changing Mindset
GDPR Changing MindsetGDPR Changing Mindset
GDPR Changing MindsetNetworkIQ
 
The Definitive GDPR Guide for Event Professionals
The Definitive GDPR Guide for Event ProfessionalsThe Definitive GDPR Guide for Event Professionals
The Definitive GDPR Guide for Event ProfessionalsHubilo
 
Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & P...
Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & P...Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & P...
Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & P...ARMA International
 
Building the Governance Ready Enterprise for GDPR Compliance December 2017
Building the Governance Ready Enterprise for GDPR Compliance December 2017Building the Governance Ready Enterprise for GDPR Compliance December 2017
Building the Governance Ready Enterprise for GDPR Compliance December 2017Index Engines Inc.
 
GDPR and Hadoop
GDPR and HadoopGDPR and Hadoop
GDPR and HadoopJanosch Woschitz
 
Privacy by design
Privacy by designPrivacy by design
Privacy by designMichelangelo van Dam
 
Building the Governance Ready Enterprise for GDPR Compliance
Building the Governance Ready Enterprise for GDPR ComplianceBuilding the Governance Ready Enterprise for GDPR Compliance
Building the Governance Ready Enterprise for GDPR ComplianceIndex Engines Inc.
 
Qubole on Amazon AWS: Security and Compliance
Qubole on Amazon AWS: Security and ComplianceQubole on Amazon AWS: Security and Compliance
Qubole on Amazon AWS: Security and ComplianceVasu S
 

Recommended

GDPR Changing Mindset
GDPR Changing MindsetGDPR Changing Mindset
GDPR Changing MindsetNetworkIQ
 
The Definitive GDPR Guide for Event Professionals
The Definitive GDPR Guide for Event ProfessionalsThe Definitive GDPR Guide for Event Professionals
The Definitive GDPR Guide for Event ProfessionalsHubilo
 
Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & P...
Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & P...Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & P...
Richard Hogg & Dennis Waldron - #InfoGov17 - Cognitive Unified Governance & P...ARMA International
 
Building the Governance Ready Enterprise for GDPR Compliance December 2017
Building the Governance Ready Enterprise for GDPR Compliance December 2017Building the Governance Ready Enterprise for GDPR Compliance December 2017
Building the Governance Ready Enterprise for GDPR Compliance December 2017Index Engines Inc.
 
GDPR and Hadoop
GDPR and HadoopGDPR and Hadoop
GDPR and HadoopJanosch Woschitz
 
Privacy by design
Privacy by designPrivacy by design
Privacy by designMichelangelo van Dam
 
Building the Governance Ready Enterprise for GDPR Compliance
Building the Governance Ready Enterprise for GDPR ComplianceBuilding the Governance Ready Enterprise for GDPR Compliance
Building the Governance Ready Enterprise for GDPR ComplianceIndex Engines Inc.
 
Qubole on Amazon AWS: Security and Compliance
Qubole on Amazon AWS: Security and ComplianceQubole on Amazon AWS: Security and Compliance
Qubole on Amazon AWS: Security and ComplianceVasu S
 
Digital Velocity London 2017 - Data Privacy and Sovereignty, Sheila Fitz Patrick
Digital Velocity London 2017 - Data Privacy and Sovereignty, Sheila Fitz PatrickDigital Velocity London 2017 - Data Privacy and Sovereignty, Sheila Fitz Patrick
Digital Velocity London 2017 - Data Privacy and Sovereignty, Sheila Fitz PatrickTealium
 
Data: Open for Good and Secure by Default | Eddie Garcia
Data: Open for Good and Secure by Default | Eddie GarciaData: Open for Good and Secure by Default | Eddie Garcia
Data: Open for Good and Secure by Default | Eddie GarciaCloudera, Inc.
 
GDPR Compliance
GDPR ComplianceGDPR Compliance
GDPR ComplianceMiguel Mello
 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet
 
GDPR Benefits and a Technical Overview
GDPR Benefits and a Technical OverviewGDPR Benefits and a Technical Overview
GDPR Benefits and a Technical OverviewErnest Staats
 
TrustArc Webinar: Challenges & Risks Of Data Graveyards
TrustArc Webinar: Challenges & Risks Of Data GraveyardsTrustArc Webinar: Challenges & Risks Of Data Graveyards
TrustArc Webinar: Challenges & Risks Of Data GraveyardsTrustArc
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) Karina Matos
 
Information Governance Maturity for Financial Services
Information Governance Maturity for Financial ServicesInformation Governance Maturity for Financial Services
Information Governance Maturity for Financial ServicesCraig Adams
 
The GDPR and What It Means to You
The GDPR and What It Means to YouThe GDPR and What It Means to You
The GDPR and What It Means to YouDelphix
 
TechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile ComputingTechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile ComputingAvtex
 
Why Your Approach To Data Governance Needs a Major Update
Why Your Approach To Data Governance Needs a Major UpdateWhy Your Approach To Data Governance Needs a Major Update
Why Your Approach To Data Governance Needs a Major UpdateDelphix
 
MySQL GDPR Whitepaper
MySQL GDPR WhitepaperMySQL GDPR Whitepaper
MySQL GDPR WhitepaperVlad Alexandru
 
The General data protection regulation : Salient clauses
The General data protection regulation : Salient clausesThe General data protection regulation : Salient clauses
The General data protection regulation : Salient clausesSyed Nazir Razik ACP, CSM, PMP
 
PCI Compliance Evolved
PCI Compliance EvolvedPCI Compliance Evolved
PCI Compliance EvolvedSafeNet
 
CONFIDENCIALIDAD DE LA INFORMACION
CONFIDENCIALIDAD DE LA INFORMACIONCONFIDENCIALIDAD DE LA INFORMACION
CONFIDENCIALIDAD DE LA INFORMACIONrios abogados
 
A Little Security For Big Data
A Little Security For Big DataA Little Security For Big Data
A Little Security For Big DataSaurabh Kheni
 
New york oracle users group 2013 spring general meeting ulf mattsson
New york oracle users group 2013 spring general meeting ulf mattssonNew york oracle users group 2013 spring general meeting ulf mattsson
New york oracle users group 2013 spring general meeting ulf mattssonUlf Mattsson
 
Expanded top ten_big_data_security_and_privacy_challenges
Expanded top ten_big_data_security_and_privacy_challengesExpanded top ten_big_data_security_and_privacy_challenges
Expanded top ten_big_data_security_and_privacy_challengesTom Kirby
 
Next generation storage: eliminating the guesswork and avoiding forklift upgrade
Next generation storage: eliminating the guesswork and avoiding forklift upgradeNext generation storage: eliminating the guesswork and avoiding forklift upgrade
Next generation storage: eliminating the guesswork and avoiding forklift upgradeJisc
 
Enhancing MySQL Security
Enhancing MySQL SecurityEnhancing MySQL Security
Enhancing MySQL SecurityVinicius M Grippa
 
Percona Live 2019 - MySQL Security
Percona Live 2019 - MySQL SecurityPercona Live 2019 - MySQL Security
Percona Live 2019 - MySQL SecurityVinicius M Grippa
 
Percona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQLPercona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQLMarcelo Altmann
 

More Related Content

What's hot

Digital Velocity London 2017 - Data Privacy and Sovereignty, Sheila Fitz Patrick
Digital Velocity London 2017 - Data Privacy and Sovereignty, Sheila Fitz PatrickDigital Velocity London 2017 - Data Privacy and Sovereignty, Sheila Fitz Patrick
Digital Velocity London 2017 - Data Privacy and Sovereignty, Sheila Fitz PatrickTealium
 
Data: Open for Good and Secure by Default | Eddie Garcia
Data: Open for Good and Secure by Default | Eddie GarciaData: Open for Good and Secure by Default | Eddie Garcia
Data: Open for Good and Secure by Default | Eddie GarciaCloudera, Inc.
 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet
 
GDPR Benefits and a Technical Overview
GDPR Benefits and a Technical OverviewGDPR Benefits and a Technical Overview
GDPR Benefits and a Technical OverviewErnest Staats
 
TrustArc Webinar: Challenges & Risks Of Data Graveyards
TrustArc Webinar: Challenges & Risks Of Data GraveyardsTrustArc Webinar: Challenges & Risks Of Data Graveyards
TrustArc Webinar: Challenges & Risks Of Data GraveyardsTrustArc
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) Karina Matos
 
Information Governance Maturity for Financial Services
Information Governance Maturity for Financial ServicesInformation Governance Maturity for Financial Services
Information Governance Maturity for Financial ServicesCraig Adams
 
The GDPR and What It Means to You
The GDPR and What It Means to YouThe GDPR and What It Means to You
The GDPR and What It Means to YouDelphix
 
TechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile ComputingTechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile ComputingAvtex
 
Why Your Approach To Data Governance Needs a Major Update
Why Your Approach To Data Governance Needs a Major UpdateWhy Your Approach To Data Governance Needs a Major Update
Why Your Approach To Data Governance Needs a Major UpdateDelphix
 
The General data protection regulation : Salient clauses
The General data protection regulation : Salient clausesThe General data protection regulation : Salient clauses
The General data protection regulation : Salient clausesSyed Nazir Razik ACP, CSM, PMP
 
PCI Compliance Evolved
PCI Compliance EvolvedPCI Compliance Evolved
PCI Compliance EvolvedSafeNet
 
CONFIDENCIALIDAD DE LA INFORMACION
CONFIDENCIALIDAD DE LA INFORMACIONCONFIDENCIALIDAD DE LA INFORMACION
CONFIDENCIALIDAD DE LA INFORMACIONrios abogados
 
A Little Security For Big Data
A Little Security For Big DataA Little Security For Big Data
A Little Security For Big DataSaurabh Kheni
 
New york oracle users group 2013 spring general meeting ulf mattsson
New york oracle users group 2013 spring general meeting ulf mattssonNew york oracle users group 2013 spring general meeting ulf mattsson
New york oracle users group 2013 spring general meeting ulf mattssonUlf Mattsson
 
Expanded top ten_big_data_security_and_privacy_challenges
Expanded top ten_big_data_security_and_privacy_challengesExpanded top ten_big_data_security_and_privacy_challenges
Expanded top ten_big_data_security_and_privacy_challengesTom Kirby
 
Next generation storage: eliminating the guesswork and avoiding forklift upgrade
Next generation storage: eliminating the guesswork and avoiding forklift upgradeNext generation storage: eliminating the guesswork and avoiding forklift upgrade
Next generation storage: eliminating the guesswork and avoiding forklift upgradeJisc
 

What's hot (19)

Digital Velocity London 2017 - Data Privacy and Sovereignty, Sheila Fitz Patrick
Digital Velocity London 2017 - Data Privacy and Sovereignty, Sheila Fitz PatrickDigital Velocity London 2017 - Data Privacy and Sovereignty, Sheila Fitz Patrick
Digital Velocity London 2017 - Data Privacy and Sovereignty, Sheila Fitz Patrick
 
Data: Open for Good and Secure by Default | Eddie Garcia
Data: Open for Good and Secure by Default | Eddie GarciaData: Open for Good and Secure by Default | Eddie Garcia
Data: Open for Good and Secure by Default | Eddie Garcia
 
GDPR Compliance
GDPR ComplianceGDPR Compliance
GDPR Compliance
 
SafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server EncryptionSafeNet DataSecure vs. Native SQL Server Encryption
SafeNet DataSecure vs. Native SQL Server Encryption
 
GDPR Benefits and a Technical Overview
GDPR Benefits and a Technical OverviewGDPR Benefits and a Technical Overview
GDPR Benefits and a Technical Overview
 
TrustArc Webinar: Challenges & Risks Of Data Graveyards
TrustArc Webinar: Challenges & Risks Of Data GraveyardsTrustArc Webinar: Challenges & Risks Of Data Graveyards
TrustArc Webinar: Challenges & Risks Of Data Graveyards
 
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR)
 
Information Governance Maturity for Financial Services
Information Governance Maturity for Financial ServicesInformation Governance Maturity for Financial Services
Information Governance Maturity for Financial Services
 
The GDPR and What It Means to You
The GDPR and What It Means to YouThe GDPR and What It Means to You
The GDPR and What It Means to You
 
TechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile ComputingTechFuse 2012: Cloud and Mobile Computing
TechFuse 2012: Cloud and Mobile Computing
 
Why Your Approach To Data Governance Needs a Major Update
Why Your Approach To Data Governance Needs a Major UpdateWhy Your Approach To Data Governance Needs a Major Update
Why Your Approach To Data Governance Needs a Major Update
 
MySQL GDPR Whitepaper
MySQL GDPR WhitepaperMySQL GDPR Whitepaper
MySQL GDPR Whitepaper
 
The General data protection regulation : Salient clauses
The General data protection regulation : Salient clausesThe General data protection regulation : Salient clauses
The General data protection regulation : Salient clauses
 
PCI Compliance Evolved
PCI Compliance EvolvedPCI Compliance Evolved
PCI Compliance Evolved
 
CONFIDENCIALIDAD DE LA INFORMACION
CONFIDENCIALIDAD DE LA INFORMACIONCONFIDENCIALIDAD DE LA INFORMACION
CONFIDENCIALIDAD DE LA INFORMACION
 
A Little Security For Big Data
A Little Security For Big DataA Little Security For Big Data
A Little Security For Big Data
 
New york oracle users group 2013 spring general meeting ulf mattsson
New york oracle users group 2013 spring general meeting ulf mattssonNew york oracle users group 2013 spring general meeting ulf mattsson
New york oracle users group 2013 spring general meeting ulf mattsson
 
Expanded top ten_big_data_security_and_privacy_challenges
Expanded top ten_big_data_security_and_privacy_challengesExpanded top ten_big_data_security_and_privacy_challenges
Expanded top ten_big_data_security_and_privacy_challenges
 
Next generation storage: eliminating the guesswork and avoiding forklift upgrade
Next generation storage: eliminating the guesswork and avoiding forklift upgradeNext generation storage: eliminating the guesswork and avoiding forklift upgrade
Next generation storage: eliminating the guesswork and avoiding forklift upgrade
 

Similar to Guob - MySQL e LGPD

Percona Live 2019 - MySQL Security
Percona Live 2019 - MySQL SecurityPercona Live 2019 - MySQL Security
Percona Live 2019 - MySQL SecurityVinicius M Grippa
 
Percona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQLPercona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQLMarcelo Altmann
 
MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019Yashada Jadhav
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
DB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQLDB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQLMarcelo Altmann
 
How to upgrade like a boss to MySQL 8.0 - PLE19
How to upgrade like a boss to MySQL 8.0 - PLE19How to upgrade like a boss to MySQL 8.0 - PLE19
How to upgrade like a boss to MySQL 8.0 - PLE19Alkin Tezuysal
 
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...Geir Høydalsvik
 
MysQL melhores práticas de seguranca
MysQL melhores práticas de segurancaMysQL melhores práticas de seguranca
MysQL melhores práticas de segurancaMarcelo Altmann
 
MySQL sys schema deep dive
MySQL sys schema deep diveMySQL sys schema deep dive
MySQL sys schema deep diveMark Leith
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Big Data Spain
 
How to upgrade like a boss to my sql 8.0?
How to upgrade like a boss to my sql 8.0?How to upgrade like a boss to my sql 8.0?
How to upgrade like a boss to my sql 8.0?Alkin Tezuysal
 
2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL ServerGeorgi Kodinov
 
Mysql 8 vs Mariadb 10.4 Webinar 2020 Feb
Mysql 8 vs Mariadb 10.4 Webinar 2020 FebMysql 8 vs Mariadb 10.4 Webinar 2020 Feb
Mysql 8 vs Mariadb 10.4 Webinar 2020 FebAlkin Tezuysal
 
CENTRAL MANAGEMENT OF NETWORK AND CALL SERVICES
CENTRAL MANAGEMENT OF NETWORK AND CALL SERVICESCENTRAL MANAGEMENT OF NETWORK AND CALL SERVICES
CENTRAL MANAGEMENT OF NETWORK AND CALL SERVICESNazmul Hossain Rakib
 
MySQL sys schema deep dive
MySQL sys schema deep diveMySQL sys schema deep dive
MySQL sys schema deep diveMark Leith
 

Similar to Guob - MySQL e LGPD (20)

Enhancing MySQL Security
Enhancing MySQL SecurityEnhancing MySQL Security
Enhancing MySQL Security
 
Percona Live 2019 - MySQL Security
Percona Live 2019 - MySQL SecurityPercona Live 2019 - MySQL Security
Percona Live 2019 - MySQL Security
 
Percona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQLPercona University - ProxySQL para MySQL
Percona University - ProxySQL para MySQL
 
MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019MySQL Security and Standardization at PayPal - Percona Live 2019
MySQL Security and Standardization at PayPal - Percona Live 2019
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
 
Enhancing MySQL Security
Enhancing MySQL SecurityEnhancing MySQL Security
Enhancing MySQL Security
 
DB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQLDB Floripa - ProxySQL para MySQL
DB Floripa - ProxySQL para MySQL
 
How to upgrade like a boss to MySQL 8.0 - PLE19
How to upgrade like a boss to MySQL 8.0 - PLE19How to upgrade like a boss to MySQL 8.0 - PLE19
How to upgrade like a boss to MySQL 8.0 - PLE19
 
ProxySQL para mysql
ProxySQL para mysqlProxySQL para mysql
ProxySQL para mysql
 
Curso de MySQL 5.7
Curso de MySQL 5.7Curso de MySQL 5.7
Curso de MySQL 5.7
 
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
The State of the Dolphin, MySQL Keynote at Percona Live Europe 2019, Amsterda...
 
MysQL melhores práticas de seguranca
MysQL melhores práticas de segurancaMysQL melhores práticas de seguranca
MysQL melhores práticas de seguranca
 
Proxy SQL 2.0 with PXC
Proxy SQL 2.0 with PXCProxy SQL 2.0 with PXC
Proxy SQL 2.0 with PXC
 
MySQL sys schema deep dive
MySQL sys schema deep diveMySQL sys schema deep dive
MySQL sys schema deep dive
 
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
Securing Big Data at rest with encryption for Hadoop, Cassandra and MongoDB o...
 
How to upgrade like a boss to my sql 8.0?
How to upgrade like a boss to my sql 8.0?How to upgrade like a boss to my sql 8.0?
How to upgrade like a boss to my sql 8.0?
 
2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server2014 OpenSuse Conf: Protect your MySQL Server
2014 OpenSuse Conf: Protect your MySQL Server
 
Mysql 8 vs Mariadb 10.4 Webinar 2020 Feb
Mysql 8 vs Mariadb 10.4 Webinar 2020 FebMysql 8 vs Mariadb 10.4 Webinar 2020 Feb
Mysql 8 vs Mariadb 10.4 Webinar 2020 Feb
 
CENTRAL MANAGEMENT OF NETWORK AND CALL SERVICES
CENTRAL MANAGEMENT OF NETWORK AND CALL SERVICESCENTRAL MANAGEMENT OF NETWORK AND CALL SERVICES
CENTRAL MANAGEMENT OF NETWORK AND CALL SERVICES
 
MySQL sys schema deep dive
MySQL sys schema deep diveMySQL sys schema deep dive
MySQL sys schema deep dive
 

More from Vinicius M Grippa

MySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdfMySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdfVinicius M Grippa
 
PL22 - Backup and Restore Performance.pptx
PL22 - Backup and Restore Performance.pptxPL22 - Backup and Restore Performance.pptx
PL22 - Backup and Restore Performance.pptxVinicius M Grippa
 
MySQL backup and restore performance
MySQL backup and restore performanceMySQL backup and restore performance
MySQL backup and restore performanceVinicius M Grippa
 
Moving mongo db to the cloud strategies and points to consider
Moving mongo db to the cloud strategies and points to considerMoving mongo db to the cloud strategies and points to consider
Moving mongo db to the cloud strategies and points to considerVinicius M Grippa
 
Cpu analysis with flamegraphs
Cpu analysis with flamegraphsCpu analysis with flamegraphs
Cpu analysis with flamegraphsVinicius M Grippa
 

More from Vinicius M Grippa (6)

MySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdfMySQL up and running 30 minutes.pdf
MySQL up and running 30 minutes.pdf
 
PL22 - Backup and Restore Performance.pptx
PL22 - Backup and Restore Performance.pptxPL22 - Backup and Restore Performance.pptx
PL22 - Backup and Restore Performance.pptx
 
MySQL backup and restore performance
MySQL backup and restore performanceMySQL backup and restore performance
MySQL backup and restore performance
 
Moving mongo db to the cloud strategies and points to consider
Moving mongo db to the cloud strategies and points to considerMoving mongo db to the cloud strategies and points to consider
Moving mongo db to the cloud strategies and points to consider
 
Cpu analysis with flamegraphs
Cpu analysis with flamegraphsCpu analysis with flamegraphs
Cpu analysis with flamegraphs
 
K8s - Setting up minikube
K8s - Setting up minikubeK8s - Setting up minikube
K8s - Setting up minikube
 

Recently uploaded

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 

Recently uploaded (20)

How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

Guob - MySQL e LGPD

  • 1. © 2019 Percona1 MySQL e LGPD(Lei Geral de Proteção de Dados) Vinicius M. Grippa Senior Support Engineer for MySQL/MongoDB vinicius.grippa@percona.com
  • 2. © 2019 Percona2 • Engenheiro de Support na Percona desde 2017. • Trabalhando com MySQL há 7 anos. • Trabalhando com banco de dados há 10 anos. • Speaker na PL 2018/2019, conferências e meetups sobre MySQL/MongoDB. Sobre mim 2
  • 3. © 2019 Percona3 • Fundada em 2006 • +200 engenheiros ao redor do mundo • Ferramentas com +1 bilhão de downloads • Percona Live é um dos grandes eventos sobre banco de dados open-source Sobre Percona 3
  • 4. © 2019 Percona4 O que é a LGPD?
  • 5. © 2019 Percona5 • Lei Geral de Proteção de Dados Pessoais, a "GDPR brasileira". • Criada para proteger a liberdade e a privacidade de consumidores e cidadãos. • Estabelecer regras claras sobre coleta, armazenamento, tratamento e compartilhamento de dados pessoais. • Estabelecer punições para quem descumprir a lei. LGPD 5
  • 6. © 2019 Percona6 • O titular Seria o proprietário dos dados, no caso as pessoas físicas. • O controlador É representado pelo tomador dos dados, ou seja, as pessoas jurídicas • O operador A empresa responsável pela coleta de dados e sua efetiva segurança através de soluções automatizadas • O encarregado É o profissional que responde pela proteção dos dados da empresa. Quem são os atores envolvidos na LGPD 6
  • 7. © 2019 Percona7 • Peça-chave no processo de adequação das empresas à LGPD • Demanda por segurança (VPN, Criptografia, Firewall, REST) • Demanda por soluções de armazenamento (Backup) • Demanda por processamento dos dados O que muda para o profissional de TI? 7
  • 8. © 2019 Percona8 Princípios Básicos • Acesso minimo • Isolamento • Audit • Proteção contra invasão • Firewall 8
  • 9. © 2019 Percona9 Agenda • SO/Cloud security • SSL • Password management • Audit plugin • Percona Server encryption features • MySQL 8 features (undo, redo encryption) • TDE • New caching_sha2_password • FIPS mode • Roles 9
  • 11. © 2019 Percona11 OS/Cloud Security • Remover serviços que não são usados • Não rodar compiladores • Firewalls • Acesso restrito a internet • Desabilitar root remoto • Uso de chave SSH
  • 12. © 2019 Percona12 OS/Cloud Security • Uso do Amazon Virtual Private Cloud (VPC) • Uso do AWS Identity and Access Management (IAM) policies • Uso de security groups
  • 17. © 2019 Percona17 SSL • Transportar a informação de forma segura • SSL provê esse meio • Default for MySQL 5.7-8.0 or higher • MySQL 8.0.16 suporta mudanças em runtime das variáveis TLS • Certificados • MySQL 5.7 • mysql_ssl_rsa_setup • MySQL 5.6 • openssl
  • 18. © 2019 Percona18 | ssl_cert | server-cert.pem | | ssl_cipher | | | ssl_crl | | | ssl_crlpath | | | ssl_fips_mode | OFF | | ssl_key | server-key.pem | +--------------------+--------------- mysql > show global variables like '%ssl%'; +--------------------+-----------------+ | Variable_name | Value | +--------------------+-----------------+ | have_openssl | YES | | have_ssl | YES | | mysqlx_ssl_ca | | | mysqlx_ssl_capath | | | mysqlx_ssl_cert | | | mysqlx_ssl_cipher | | | mysqlx_ssl_crl | | | mysqlx_ssl_crlpath | | | mysqlx_ssl_key | | | ssl_ca | ca.pem | | ssl_capath | | SSL
  • 19. © 2019 Percona19 mysql: root@localhost ((none)) GRANT ALL PRIVILEGES ON *.* TO 'ssluser'@'%' IDENTIFIED BY 'sekret' REQUIRE SSL; Query OK, 0 rows affected, 1 warning (0.00 sec) Query OK, 0 rows affected (0.01 sec) [root@node1 ~]# mysql -ussluser -psekret --ssl-cert=/var/lib/mysql/client-cert.pem --ssl-key=/var/lib/mysql/client-key.pem --ssl-ca=/var/lib/mysql/ca.pem -h 127.0.0.1 -P 3306 -e "s"| grep SSL mysql: [Warning] Using a password on the command line interface can be insecure. SSL: Cipher in use is ECDHE-RSA-AES128-GCM-SHA256 SSL
  • 20. © 2019 Percona20 It is also possible to set ssl-mode to ensure that all connections use SSL. This option is available only for client programs, not the server. [client] ssl-mode=required SSL
  • 22. © 2019 Percona22 Password Management 22
  • 23. © 2019 Percona23 Password Management • Password expiration • validate_password plugin • Percona LDAP plugin 23
  • 24. © 2019 Percona24 Password Expiration • MySQL enables database administrators to expire account passwords manually, and to establish a policy for automatic password expiration. Expiration policy can be established globally, and individual accounts can be set to either defer to the global policy or override the global policy with specific per-account behavior.
  • 25. © 2019 Percona25 Password Expiration Individual Accounts mysql> create user test_expired_user@localhost identified by 'Sekr$K1et' PASSWORD EXPIRE INTERVAL 1 day; Query OK, 0 rows affected (0.01 sec) Globally mysql> SET GLOBAL default_password_lifetime = 1;
  • 26. © 2019 Percona26 mysql: test_expired_user@localhost ((none)) > show databases; ERROR 1820 (HY000): You must reset your password using ALTER USER statement before executing this statement. Password Expiration
  • 27. © 2019 Percona27 validate_plugin Its main purpose is to test passwords and improve security. It is possible to ensure the strength, length and required characters of the password.
  • 28. © 2019 Percona28 validate_plugin - Instalação # Runtime mysql: root@localhost ((none)) > INSTALL PLUGIN validate_password SONAME 'validate_password.so'; Query OK, 0 rows affected (0.07 sec) # my.cnf [mysqld] plugin-load-add=validate_password.so
  • 29. © 2019 Percona29 validate_plugin - Validação mysql: root@localhost ((none)) > show global variables like '%plugin%'; +-------------------------------+--------------------------+ | Variable_name | Value | +-------------------------------+--------------------------+ | default_authentication_plugin | mysql_native_password | | plugin_dir | /usr/lib64/mysql/plugin/ | +-------------------------------+--------------------------+ 2 rows in set (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'validate%'; +-------------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------------+---------------+ | validate_password | ACTIVE | +-------------------+---------------+ 1 row in set (0.00 sec)
  • 30. © 2019 Percona30 validate_plugin - Exemplo mysql: root@localhost ((none)) > set global validate_password_length = 6; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > set global validate_password_policy=2; Query OK, 0 rows affected (0.00 sec)
  • 31. © 2019 Percona31 mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd'; ERROR 1819 (HY000): Your password does not satisfy the current policy requirements mysql: root@localhost ((none)) > create user test_password@localhost identified by 'PasSw0Rd12@'; Query OK, 0 rows affected (0.00 sec) validate_plugin - Exemplo
  • 32. © 2019 Percona32 As of MySQL 8.0.14, user accounts are permitted to have dual passwords, designated as primary and secondary passwords. Dual-password capability makes it possible to seamlessly perform credential changes in scenarios like this: ● A system has a large number of MySQL servers, possibly involving replication. ● Multiple applications connect to different MySQL servers. ● Periodic credential changes must be made to the account or accounts used by the applications to connect to the servers. Dual Password Support
  • 34. © 2019 Percona34 Audit Plugin • MySQL Enterprise – Paid • Percona Server (works with community version) – Free • It is different from general log • Filter by command / user / database • MariaDB Audit Plugin
  • 35. © 2019 Percona35 Audit Plugin - Installing mysql > INSTALL PLUGIN audit_log SONAME 'audit_log.so'; Query OK, 0 rows affected (0.05 sec) mysql > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'audit%'; +-------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +-------------+---------------+ | audit_log | ACTIVE | +-------------+---------------+ 1 row in set (0.00 sec)
  • 36. © 2019 Percona36 Audit Plugin [mysqld] ## Audit Logging ## audit_log_policy=ALL audit_log_format=JSON audit_log_file=/var/log/mysql/audit.log audit_log_rotate_on_size=1024M audit_log_rotations=10
  • 37. © 2019 Percona37 mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_buffer_size | 1048576 | | audit_log_exclude_accounts | | | audit_log_exclude_commands | | | audit_log_exclude_databases | | | audit_log_file | /var/log/mysql/audit.log | | audit_log_flush | OFF | | audit_log_format | JSON | | audit_log_handler | FILE | | audit_log_include_accounts | | | audit_log_include_commands | | | audit_log_include_databases | | Audit Plugin
  • 38. © 2019 Percona38 mysql: root@localhost ((none)) > show global variables like 'audit%'; +-----------------------------+--------------------------+ | Variable_name | Value | +-----------------------------+--------------------------+ | audit_log_policy | ALL | | audit_log_rotate_on_size | 1073741824 | | audit_log_rotations | 10 | | audit_log_strategy | ASYNCHRONOUS | | audit_log_syslog_facility | LOG_USER | | audit_log_syslog_ident | percona-audit | | audit_log_syslog_priority | LOG_INFO | +-----------------------------+--------------------------+ 18 rows in set (0.02 sec) Audit Plugin
  • 39. © 2019 Percona39 Percona Server Encryption Features 39
  • 40. © 2019 Percona40 Percona Server Encryption Percona server provides extra encryption: • encrypt_binlog • encrypt_tmp_files • innodb_encrypt_online_alter_logs • innodb_encrypt_tables innodb_parallel_dblwr_encrypt • innodb_sys_tablespace_encrypt • innodb_temp_tablespace_encrypt
  • 41. © 2019 Percona41 Percona Server Encryption [mysqld] # Binary Log Encryption encrypt_binlog master_verify_checksum = 1 binlog_checksum = 1 mysql: root@localhost ((none)) > show global variables like '%encrypt_binlog%'; +----------------+-------+ | Variable_name | Value | +----------------+-------+ | encrypt_binlog | ON | +----------------+-------+ 1 row in set (0.00 sec)
  • 42. © 2019 Percona42 Percona Server Encryption mysql: root@localhost ((none)) > show global variables like '%encrypt%'; +----------------------------------+-------------+ | Variable_name | Value | +----------------------------------+-------------+ | block_encryption_mode | aes-128-ecb | | encrypt_binlog | ON | | encrypt_tmp_files | OFF | | innodb_encrypt_online_alter_logs | OFF | | innodb_encrypt_tables | OFF | | innodb_parallel_dblwr_encrypt | OFF | | innodb_sys_tablespace_encrypt | OFF | | innodb_temp_tablespace_encrypt | OFF | +----------------------------------+-------------+ 8 rows in set (0.00 sec)
  • 43. © 2019 Percona43 MySQL 8 Features (Undo, Redo Encryption) 43
  • 44. © 2019 Percona44 MySQL 8 - (Undo, Redo Encryption) • MySQL 8 extends tablespace encryption feature to redo log and undo log. • It is necessary using one of the Keyring plugins.
  • 45. © 2019 Percona45 MySQL 8 - (Undo, Redo Encryption) The process is very straightforward, to enable the encryption on the redo log and the undo log: mysql> set global innodb_undo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> set global innodb_redo_log_encrypt = 1; Query OK, 0 rows affected (0.00 sec) mysql> show global variables like '%log_encrypt%'; +-------------------------+-------+ | Variable_name | Value | +-------------------------+-------+ | innodb_redo_log_encrypt | ON | | innodb_undo_log_encrypt | ON | +-------------------------+-------+ 2 rows in set (0.00 sec)
  • 46. © 2019 Percona46 Transparent Data Encryption (TDE) 46
  • 47. © 2019 Percona47 Transparent Data Encryption (TDE) • Enables data-at-rest encryption in the database. • Encryption and decryption occurs without any additional coding, data type or schema modifications.
  • 48. © 2019 Percona48 Transparent Data Encryption (TDE) [mysqld] # TDE early-plugin-load=keyring_file.so keyring-file-data=/var/lib/mysql-keyring/keyring mysql: root@localhost ((none)) > INSTALL PLUGIN keyring_udf SONAME 'keyring_udf.so'; Query OK, 0 rows affected (0.00 sec) mysql: root@localhost ((none)) > SELECT PLUGIN_NAME, PLUGIN_STATUS FROM INFORMATION_SCHEMA.PLUGINS WHERE PLUGIN_NAME LIKE 'keyring%'; +--------------+---------------+ | PLUGIN_NAME | PLUGIN_STATUS | +--------------+---------------+ | keyring_file | ACTIVE | | keyring_udf | ACTIVE | +--------------+---------
  • 49. © 2019 Percona49 Transparent Data Encryption (TDE) mysql: root@localhost ((none)) > SELECT keyring_key_generate('MyKey', 'AES', 32); +------------------------------------------+ | keyring_key_generate('MyKey', 'AES', 32) | +------------------------------------------+ | 1 | +------------------------------------------+ 1 row in set (0.00 sec) mysql> CREATE TABLESPACE `amer_meeting1` ADD DATAFILE 'amer_meeting1.ibd' ENCRYPTION = 'Y' Engine=InnoDB; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='N'; ERROR 1478 (HY000): InnoDB: Tablespace `vgrippa` can contain only an ENCRYPTED tables. mysql: root@localhost (test) > CREATE TABLE t1 (a INT, b TEXT) TABLESPACE vgrippa ENCRYPTION='Y'; Query OK, 0 rows affected (0.02 sec)
  • 50. © 2019 Percona50 Transparent Data Encryption (TDE) A flag field in the INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES has bit number 13 set if tablespace is encrypted. mysql: root@localhost (test) > SELECT space, name, flag, (flag & 8192) != 0 AS encrypted FROM INFORMATION_SCHEMA.INNODB_SYS_TABLESPACES WHERE name in ('vgrippa'); +-------+---------+-------+-----------+ | space | name | flag | encrypted | +-------+---------+-------+-----------+ | 156 | vgrippa | 10240 | 1 | +-------+---------+-------+-----------+ 1 row in set (0.00 sec)
  • 52. © 2019 Percona52 caching_sha2_password MySQL provides two authentication plugins that implement SHA-256 hashing for user account passwords: • sha256_password: Implements basic SHA-256 authentication • caching_sha2_password: Implements SHA-256 authentication (like sha256_password), but uses caching on the server side for better performance and has additional features for wider applicability. (In MySQL 5.7, caching_sha2_password is implemented only on the client) Note: In MySQL 8.0, caching_sha2_password is the default authentication plugin rather than mysql_native_password.
  • 53. © 2019 Percona53 caching_sha2_password mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec) mysql: root@localhost ((none)) > grant all privileges on *.* to vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected, 1 warning (0.00 sec)
  • 54. © 2019 Percona54 caching_sha2_password mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+-------------------------- -----------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+-------------------------- -----------------+ | vgrippa | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | | vgrippa1 | localhost | mysql_native_password | *A00D6EEF76EC509DB66358D2E6685F8FF7A4C3DD | +----------+-----------+-----------------------+-------------------------- -----------------+ 2 rows in set (0.00 sec)
  • 55. © 2019 Percona55 Example # MySQL 8 [mysqld] default_authentication_plugin=caching_sha2_password mysql> CREATE USER 'sha2user'@'localhost' IDENTIFIED WITH caching_sha2_password BY 'password'; Query OK, 0 rows affected (0.06 sec) mysql> select user,host, plugin from mysql.user where user like 'sha2user%'; +----------+-----------+-----------------------+ | user | host | plugin | +----------+-----------+-----------------------+ | sha2user | localhost | caching_sha2_password | +----------+-----------+-----------------------+ 1 row in set (0.00 sec)
  • 56. © 2019 Percona56 Example mysql: root@localhost ((none)) > create user vgrippa@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec) mysql: root@localhost ((none)) > create user vgrippa1@localhost identified by 'teste'; Query OK, 0 rows affected (0.01 sec)
  • 57. © 2019 Percona57 Example mysql: root@localhost ((none)) > select user, host, plugin, authentication_string from mysql.user where user like 'vgrippa%'; +----------+-----------+-----------------------+----------------------------------- -------------------------------------+ | user | host | plugin | authentication_string | +----------+-----------+-----------------------+----------------------------------- -------------------------------------+ | vgrippa | localhost | caching_sha2_password | $A$005$)8?=V_"J75FFq |jUVMUZmnZ1t8aSybB4AISoj1MXdlseI0rQay6bGGlne8 | | vgrippa1 | localhost | caching_sha2_password | $A$005$zEZ;bEmj[hq1T!LFtqZzAB0hacxgwNfHM/gL6gBFHqY1wuozW2NO4Gj9958 | +----------+-----------+-----------------------+----------------------------------- -------------------------------------+ 2 rows in set (0.01 sec)
  • 59. © 2019 Percona59 FIPS • MySQL supports FIPS mode, if compiled using OpenSSL, and an OpenSSL library and FIPS Object Module are available at runtime. • FIPS mode on the server side applies to cryptographic operations performed by the server. This includes replication (master/slave and Group Replication) and X Plugin, which run within the server. FIPS mode also applies to attempts by clients to connect to the server. 59
  • 60. © 2019 Percona60 Example mysql> show global variables like '%fips%'; +---------------+-------+ | Variable_name | Value | +---------------+-------+ | ssl_fips_mode | ON | +---------------+-------+ 1 row in set (0.01 sec) mysql> set global ssl_fips_mode=1; Query OK, 0 rows affected (0.06 sec)
  • 61. © 2019 Percona61 Example mysql> select md5('GUOB'); +----------------------------------+ | md5('a') | +----------------------------------+ | 00000000000000000000000000000000 | +----------------------------------+ 1 row in set, 1 warning (0.00 sec)
  • 62. © 2019 Percona62 Example mysql> show warnings; +---------+-------+-------------------------------------------------------------- ----------+ | Level | Code | Message | +---------+-------+-------------------------------------------------------------- ----------+ | Warning | 11272 | SSL fips mode error: FIPS mode ON/STRICT: MD5 digest is not supported. | +---------+-------+-------------------------------------------------------------- ----------+ 1 row in set (0.00 sec) 62
  • 63. © 2019 Percona63 Exemplo mysql> select sha2('GUOB', 256); +------------------------------------------------------------------+ | sha2('a', 256) | +------------------------------------------------------------------+ | 3a9490e26ca5ffa08dfd34d8958cb4d145174f91a5067f6ae8af847c2f808436 | +------------------------------------------------------------------+ 1 row in set (0.00 sec)
  • 65. © 2019 Percona65 Roles ● MySQL 8 comes with Roles feature. A role is a named collection of privileges. Like user accounts, roles can have privileges granted to and revoked from them.
  • 66. © 2019 Percona66 Roles mysql> create role app_read; Query OK, 0 rows affected (0.03 sec) mysql> grant select on *.* to app_read; Query OK, 0 rows affected (0.04 sec)
  • 67. © 2019 Percona67 Roles mysql> select * from app_db.joinit; ERROR 1142 (42000): SELECT command denied to user 'test_role'@'localhost' for table 'joinit' mysql> SELECT CURRENT_ROLE(); +----------------+ | CURRENT_ROLE() | +----------------+ | NONE | +----------------+ 1 row in set (0.00 sec)
  • 68. © 2019 Percona68 Roles mysql> SET ROLE all; Query OK, 0 rows affected (0.00 sec) mysql> SELECT CURRENT_ROLE(); +---------------------------------------------- ---------+ | CURRENT_ROLE() | +---------------------------------------------- ---------+ | `app_read`@`%`,`app_write`@`%`,`app_read`@`loca lhost` | +---------------------------------------------- ---------+
  • 69. © 2019 Percona69 Roles It is possible to use activate_all_roles_on_login to activate all roles granted to each account at login time.
  • 70. © 2019 Percona70 References # SO/Cloud security https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html # Audit log https://www.percona.com/blog/2015/09/10/percona-server-audit-log-plugin-best-practic es/ #caching_sha2_password https://dev.mysql.com/doc/refman/5.7/en/caching-sha2-pluggable-authentication.html # SSL https://www.percona.com/blog/2013/06/22/setting-up-mysql-ssl-and-secure-connections /#setup https://www.percona.com/blog/2013/10/10/mysql-ssl-performance-overhead/ # TDE https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encry ption.html https://www.percona.com/doc/percona-server/LATEST/management/data_at_rest_encry ption.html#usage https://dev.mysql.com/doc/refman/5.7/en/keyring-file-plugin.html # Roles https://dev.mysql.com/doc/refman/8.0/en/server-system-variables.html#sysvar_activate_all_ roles_on_login https://dev.mysql.com/doc/refman/8.0/en/roles.html # Password management https://dev.mysql.com/doc/refman/5.7/en/password-management.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-installation.html https://dev.mysql.com/doc/refman/5.7/en/validate-password-options-variables.html # FIPS https://dev.mysql.com/doc/refman/8.0/en/fips-mode.html # Percona Server 8.0 Alpha release https://www.percona.com/blog/2018/09/27/announcement-alpha-build-of-percona-server-8- 0/ # MySQL 8 redo and undo encryption https://dev.mysql.com/doc/refman/8.0/en/innodb-tablespace-encryption.html#innodb-tables pace-encryption-about
  • 71. © 2019 Percona71 Any Questions? 71
  • 72. © 2019 Percona72 We’re Hiring! Percona’s open source database experts are true superheroes, improving database performance for customers across the globe. Our staff live in nearly 30 different countries around the world, and most work remotely from home. Discover what it means to have a Percona career with the smartest people in the database performance industries, solving the most challenging problems our customers come across.