As a company that provides financial services, Square deals with sensitive data on a daily basis, and strong database access control is a core requirement. The task of managing database credentials for 1500+ users across 2000+ clusters manually is extremely tedious and error-prone. Thus, Square developed Lionheart as a microservice to automate much of this work, removing the need for DBAs to manually grant database access to users. Lionheart is responsible for creating and auditing user access. It automatically rotates users, certificates, and grants for both applications and developers every several days. In this talk, we will discuss how to keep your MySQL databases secure, with a discussion on the importance of using TLS encryption, as well as how we leveraged several other open-source tools to make this management easier. We'll discuss the gotchas we ran into, as well as some tips to help you manage your MySQL user access.
In this day and age, maintaining privacy throughout our electronic communications is absolutely necessary. Creating user accounts, and not exposing your MongoDB environment to the wider internet, are basic concepts that have been missed in the past. Once that has been addressed, individuals and organizations interested in becoming PCI compliant must turn to securing their data through encryption. With MongoDB, we have two options for encryption: encryption at rest (only available as an enterprise feature in MongoDB) and encryption in transit.
In this session, we will review
- MongoDB default security
- Additional layers of security
- Audit and Log reduction
- Encryption and why it's important
- Step by step for encryption at rest and in transit
- Percona for MongoDB security features
A discussion of different types of encryption as it relates to MySQL and the community, followed by a deep dive into key management with Hashicorp's Vault software and MySQL.
Real world examples, problems, and "what worked" for Empowered Benefits as they embarked on their journey to implement encryption at rest in their health care centric IT environment.
Data security plays a critical role in PayPal's database infrastructures. In this presentation, we will discuss how PayPal enforces data security. The following areas will be covered:
- SSL encrypted connections between applications and database instances, as well as between database instances
- Integration of database login with LDAP for user authentication and authorization
- Enterprise auditing for database access and metadata/object modifications
- Securing application login with custom SSL keys and password management, including password rotation
- Methods to avoid password exposure, such as using MySQL connection strings
- Challenges of standardizing MySQL on Percona XtraDB Cluster at PayPal, and how we handled:
-- different versions of MySQL on different operating systems
-- application users with super user privileges
-- incompatibilities between MySQL commercial and Percona XtraDB Cluster
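As an added example (not PayPal's code and not from the talk), the account-level controls behind the bullets above, written for MySQL 8.0 / Percona Server 8.0: the account names, host range, schema and certificate DNs are assumptions, and the dual-password rotation needs 8.0.14 or later.

```sql
-- Added example (not PayPal's code). Names, hosts, schema and certificate DNs are assumptions.

-- 1. Application account that must present a client certificate from our CA.
--    REQUIRE SUBJECT / ISSUER implies X509: the server validates the chain against ssl_ca
--    and then pins the DN, so a leaked password on its own is not enough to log in.
CREATE USER 'app_orders'@'10.20.%'
  IDENTIFIED WITH caching_sha2_password BY 'initial-secret'
  REQUIRE SUBJECT '/CN=app-orders.example.internal'
      AND ISSUER  '/CN=Example Internal CA';

-- 2. Least privilege: only what the application needs, on its own schema. No SUPER.
GRANT SELECT, INSERT, UPDATE, DELETE ON orders.* TO 'app_orders'@'10.20.%';

-- 3. Rotate the application password without an outage (8.0.14+ dual passwords):
--    both secrets authenticate until the old one is discarded, so application instances
--    can pick the new credential up from their secret store one at a time.
ALTER USER 'app_orders'@'10.20.%' IDENTIFIED BY 'next-secret' RETAIN CURRENT PASSWORD;
-- ... roll the application instances ...
ALTER USER 'app_orders'@'10.20.%' DISCARD OLD PASSWORD;

-- 4. Audit: which accounts still hold SUPER, and which may connect without TLS?
SELECT GRANTEE
  FROM INFORMATION_SCHEMA.USER_PRIVILEGES
 WHERE PRIVILEGE_TYPE = 'SUPER';

SELECT user, host, ssl_type            -- '' = no TLS requirement on the account
  FROM mysql.user
 WHERE ssl_type = ''
   AND user NOT IN ('mysql.sys', 'mysql.session', 'mysql.infoschema');

-- 5. Take SUPER away from an application user and grant back only the 8.0 dynamic
--    privilege that covers the one operation it really needed (CONNECTION_ADMIN is a
--    placeholder here; match it to whatever the application used SUPER for).
REVOKE SUPER ON *.* FROM 'app_legacy'@'%';
GRANT CONNECTION_ADMIN ON *.* TO 'app_legacy'@'%';
ALTER USER 'app_legacy'@'%' REQUIRE SSL;   -- at least encrypt; move to X509 once it has certs
```

Run the two audit queries periodically rather than once: accounts created by other teams, or restored from an old dump, tend to reappear without a TLS requirement.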
Security is always a challenge when it comes to data, and regulations like GDPR bring a new layer on top. With rules come more and more restrictions on accessing and manipulating data. Join us in this presentation to review security best practices, and the traditional and new features available for MySQL, including features arriving with the new MySQL 8.
In this talk, DBAs and sysadmins will walk through the security features available in the OS and MySQL:
- OS security
- Audit Plugin
- MySQL 8 features
- New caching_sha2_password
- Password Management
- FIPS mode
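An added example, not material from the talk, showing the MySQL 8 features in the list above as the statements a DBA would actually run; account names and log paths are assumptions, and the audit plugin shown is Percona Server's audit_log, not the MySQL Enterprise audit plugin.

```sql
-- Added example (not from the talk). Account names and paths are assumptions; the audit_log
-- plugin at the end is Percona Server's.

-- caching_sha2_password is the 8.0 default authentication plugin. Pin it explicitly. The
-- variable is read-only at runtime, so PERSIST_ONLY writes mysqld-auto.cnf for the next restart.
SET PERSIST_ONLY default_authentication_plugin = 'caching_sha2_password';

-- Find accounts still on the old SHA1-based plugin (cheap to brute force offline).
SELECT user, host, plugin FROM mysql.user WHERE plugin = 'mysql_native_password';

-- Password policy: the validate_password component (replaces the 5.7 plugin of the same name).
INSTALL COMPONENT 'file://component_validate_password';
SET PERSIST validate_password.policy = 'STRONG';   -- length, mixed case, digits, special, dictionary
SET PERSIST validate_password.length = 14;

-- Password lifecycle defaults for accounts without an explicit per-account policy.
SET PERSIST default_password_lifetime = 90;   -- days
SET PERSIST password_history = 5;            -- 8.0.3+: cannot reuse any of the last 5
SET PERSIST password_reuse_interval = 365;   -- 8.0.3+: nor any used within the last year

-- Per-account overrides for a human DBA login.
CREATE USER 'dba_alice'@'localhost'
  IDENTIFIED WITH caching_sha2_password BY 'Correct-Horse-Battery-17!'
  PASSWORD EXPIRE INTERVAL 60 DAY
  PASSWORD HISTORY 10
  PASSWORD REQUIRE CURRENT;   -- 8.0.13+: changing the password requires the current one

-- Who is expired, locked, or has not changed their password in a long time?
SELECT user, host, password_expired, account_locked, password_last_changed
  FROM mysql.user
 ORDER BY password_last_changed;

-- FIPS mode (8.0.11+) only works with an OpenSSL build that ships the FIPS module; the SET
-- fails otherwise, which is exactly the check to run before promising FIPS to an auditor.
SHOW VARIABLES LIKE 'ssl_fips_mode';   -- OFF | ON | STRICT
SET PERSIST ssl_fips_mode = 'ON';

-- Percona Server audit_log plugin: record logins (including failed ones) as JSON for the SIEM.
-- Format and file name are read-only, so they belong in my.cnf before the plugin is loaded:
--   [mysqld]
--   audit_log_format = JSON
--   audit_log_file   = /var/log/mysql/audit.log
INSTALL PLUGIN audit_log SONAME 'audit_log.so';
SET GLOBAL audit_log_policy = 'LOGINS';                      -- ALL | LOGINS | QUERIES | NONE
SET GLOBAL audit_log_exclude_accounts = 'monitor@localhost'; -- keep the monitoring noise out
```

Start with `LOGINS` and widen to `ALL` only on servers where the write volume of the audit file has been measured; the plugin is synchronous by default and a busy server can notice.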
We will share our experience of working with thousands of support customers, help the audience to become familiar with all the security concepts and methods, and give you the necessary knowledge to apply to your environment.
1) General concepts:
- what happens when the keyring plugin is loaded
- where keys are stored
- keyring initialization failures
- taking care of core dumps
- how to set up keyring_vault (separating servers on the Vault server)
- list of keys on a server (base64 encoded)
2) How InnoDB Master Key encryption works internally:
- where the encryption key is stored
- the relation between the Master Key and a tablespace's encryption key
- keyring cooperation
- keyring uninstallation
3) how key rotation works
4) can a table be re-encrypted?
5) Encryption threads:
- what encryption threads are
- key rotation
6) binlog encryption:
- communication between master and slave
- key rotation
- MySQL / PS encryption (8.0.14)
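An added example, not from this talk nor from the Vault key-management talk above, that walks the outline in order: keyring_vault setup, master key versus tablespace key, master key rotation, re-encrypting a table, and binlog encryption. Written for Percona Server 8.0 with keyring_vault; paths, the Vault mount point, schema and table names are assumptions.

```sql
-- Added example (not from the talk; not Percona's or HashiCorp's documentation). Paths, schema
-- and table names are assumptions. Percona Server 8.0 with keyring_vault; upstream MySQL 8.0
-- uses keyring_encrypted_file / keyring_okv instead, but the SQL side is identical.

-- 1. Keyring. InnoDB needs the keys before crash recovery opens encrypted tablespaces, so the
--    plugin is loaded early from my.cnf rather than with INSTALL PLUGIN:
--   [mysqld]
--   early-plugin-load    = keyring_vault.so
--   keyring_vault_config = /etc/mysql/keyring_vault.conf
--   core-file            = OFF   -- a core dump would contain the master key in plaintext
-- and /etc/mysql/keyring_vault.conf, mode 0600, owned by mysql:
--   vault_url          = https://vault.example.internal:8200
--   secret_mount_point = secret/mysql/db-01   -- one mount point (or path) per server, and a
--   token              = s.xxxxxxxxxxxx         -- token whose policy is scoped to that path only
--   vault_ca           = /etc/mysql/vault-ca.pem
-- If Vault is unreachable at startup the keyring fails to initialise and every encrypted
-- table stays unusable, so check this before anything else:
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';

-- 2. Master key vs tablespace key. Each encrypted tablespace has its own random key, stored
--    in the tablespace header wrapped with the master key; the master key lives in Vault and
--    never touches the data pages directly.
CREATE TABLE payments.card_tokens (
  id    BIGINT PRIMARY KEY,
  token VARBINARY(64) NOT NULL
) ENCRYPTION = 'Y';
ALTER TABLE payments.customers ENCRYPTION = 'Y';   -- rebuilds the table: data rewritten encrypted

-- Encrypt new tablespaces by default (8.0.16+) and require a privilege to opt out.
SET PERSIST default_table_encryption = ON;
SET PERSIST table_encryption_privilege_check = ON;   -- opting out needs TABLE_ENCRYPTION_ADMIN

SELECT NAME, ENCRYPTION
  FROM INFORMATION_SCHEMA.INNODB_TABLESPACES   -- ENCRYPTION column: 8.0.13+
 WHERE ENCRYPTION = 'Y';

-- 3. Master key rotation: a new master key is generated in the keyring and every tablespace
--    key is re-wrapped with it. The data pages are NOT rewritten, only the headers.
ALTER INSTANCE ROTATE INNODB MASTER KEY;

-- 4. Re-encrypting the data means changing the tablespace key. Upstream MySQL: remove and
--    re-add encryption (two full rebuilds). Percona Server: background encryption threads
--    (innodb_encryption_threads > 0) re-key tablespaces in place without a rebuild.
ALTER TABLE payments.customers ENCRYPTION = 'N';
ALTER TABLE payments.customers ENCRYPTION = 'Y';

-- 5. Binary log encryption (8.0.14+). Each binlog file gets its own file key, wrapped with a
--    binlog master key from the keyring. This is encryption at rest only: the replica receives
--    the decrypted event stream, so the replication connection still needs TLS.
SET PERSIST binlog_encryption = ON;         -- rotates the log; files from here on are encrypted
ALTER INSTANCE ROTATE BINLOG MASTER KEY;    -- new master key; existing files' keys re-wrapped
SHOW BINARY LOGS;                           -- Encrypted column: Yes / No per file

-- 6. What the keyring holds. Only key ids are listed, never key material. The table exists on
--    Percona Server 8.0 and on upstream MySQL from 8.0.24; 5.7 has no SQL view of the keyring.
SELECT KEY_ID, KEY_OWNER, BACKEND_KEY_ID FROM performance_schema.keyring_keys;
```

Two operational points that follow from the layout above: uninstalling the keyring plugin while encrypted tablespaces exist leaves them unreadable after the next restart, and a Vault token that can read other servers' paths turns one compromised database host into a key for all of them, which is why each server gets its own mount point or path and a correspondingly narrow policy.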
As we move into the future, data becomes worth stealing, and it is stolen often. Backups become critical not only to be safe in case of an accident, but to be safe from people and computers who should not have your data. Security compliance is here (and there will be more of it in the future), and both PCI and GDPR have requirements for backups. Plus, our data may be what thieves really want, so encryption, storage and retention policies must be reviewed and applied.
Come share your experience and learn from others on how to make databases secure and compliant.
Deploying SSL/TLS with MySQL at Booking.com on thousands of servers is not without issues.
In this session I'll tell you what steps we took, what problems we hit, and how we improved various parts of the MySQL ecosystem while doing so.
To start we go over the basics: Which TLS settings are there in MySQL and MariaDB and how does this differ from HTTPS as used in browsers. And why do we want TLS in the first place? Are TLS and SSL the same thing?
The first set of problems is inside MySQL: YaSSL vs. OpenSSL, verification issues and reloading of certificates.
The second set of problems is inside Connectors: I'll touch on DBD::mysql (Perl), Go-MySQL-Driver, libmysqlclient (C).
Not all connectors have the same options and defaults. I'll go into TLSv1.2 support.
The third set of problems is tools: Using the require_secure_transport option caused issues with Percona Toolkit and Orchestrator.
I'll also cover: RSA vs. EC, security issues I found and how I wrote a Proxy for MySQL
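As an added example, not Booking.com's configuration and not code from the talk, the server-side counterpart of the problems listed above: reloading certificates, TLSv1.2 only, `require_secure_transport` and the tools it breaks, and database-to-database TLS as in the PayPal abstract further up. Written for MySQL 8.0; file paths and the replica settings are assumptions.

```sql
-- Added example (not Booking.com's setup). Paths are assumptions. Targets MySQL 8.0, where the
-- TLS variables are dynamic and ALTER INSTANCE RELOAD TLS exists (both 8.0.16+). On 5.7 the
-- same my.cnf settings apply, but changing a certificate means a restart.

-- Certificates. RSA or EC keys both work with an OpenSSL build; YaSSL builds of older 5.7
-- servers support fewer protocols and ciphers, which is one reason to check the build first:
SHOW VARIABLES LIKE 'have_ssl';     -- YES = TLS available; DISABLED = built, not configured
--   [mysqld]
--   ssl_ca   = /etc/mysql/tls/ca.pem
--   ssl_cert = /etc/mysql/tls/server-cert.pem
--   ssl_key  = /etc/mysql/tls/server-key.pem

-- Rotate the server certificate without a restart (8.0.16+). Existing sessions keep the old
-- context; new connections get the new certificate.
SET PERSIST ssl_cert = '/etc/mysql/tls/server-cert-2020.pem';
SET PERSIST ssl_key  = '/etc/mysql/tls/server-key-2020.pem';
ALTER INSTANCE RELOAD TLS;

-- Know when the current certificate expires before the connectors tell you:
SHOW GLOBAL STATUS LIKE 'Ssl_server_not_after';

-- Protocol policy: TLSv1.2 only (add TLSv1.3 on 8.0.16+ with OpenSSL 1.1.1). Connectors that
-- cannot do TLSv1.2 now fail at the handshake instead of quietly negotiating TLSv1.0.
SET PERSIST tls_version = 'TLSv1.2';

-- Before forcing TLS, find who is still connecting in plaintext. Ssl_cipher is a session status
-- variable, so performance_schema exposes it per thread; an empty value means no TLS.
SELECT t.PROCESSLIST_USER, t.PROCESSLIST_HOST, t.PROCESSLIST_COMMAND,
       s.VARIABLE_VALUE AS ssl_cipher
  FROM performance_schema.threads t
  JOIN performance_schema.status_by_thread s ON s.THREAD_ID = t.THREAD_ID
 WHERE t.TYPE = 'FOREGROUND'
   AND s.VARIABLE_NAME = 'Ssl_cipher'
   AND s.VARIABLE_VALUE = '';

-- Then refuse plaintext TCP connections server-wide (UNIX socket connections stay allowed).
-- This is the switch that breaks tools that never enabled TLS: run pt-* and Orchestrator
-- against a replica with their --ssl options (or a TLS-capable driver version) first.
SET PERSIST require_secure_transport = ON;

-- Database-to-database: replication over TLS with the source certificate verified against the
-- CA (8.0.23+ spells this CHANGE REPLICATION SOURCE TO ... SOURCE_SSL = 1 ...).
STOP SLAVE;
CHANGE MASTER TO
  MASTER_SSL = 1,
  MASTER_SSL_CA = '/etc/mysql/tls/ca.pem',
  MASTER_SSL_VERIFY_SERVER_CERT = 1;
START SLAVE;

-- Client side, verification is not the browser default: --ssl-mode=REQUIRED only encrypts,
-- VERIFY_CA checks the chain, VERIFY_IDENTITY also matches the host name against the
-- certificate. Confirm what a session actually negotiated:
SHOW SESSION STATUS WHERE Variable_name IN ('Ssl_version', 'Ssl_cipher');
```

The plaintext-session query is the one to keep in monitoring: `require_secure_transport` protects the server, but a connector configured with `REQUIRED` and no CA will still accept any certificate, so the per-client `VERIFY_CA` / `VERIFY_IDENTITY` setting has to be audited on the application side.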