MySQL_Security_Best_Practices_0815

The document outlines the security challenges and best practices for MySQL databases, highlighting the increasing frequency of data breaches and vulnerabilities. It emphasizes the importance of strong configurations, encryption, access controls, and compliance with regulations like PCI-DSS and HIPAA. Additionally, it provides guidelines for database hardening, including user management, auditing, and backup strategies to mitigate risks and enhance security.

Uploaded by

oaldana
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
0 views

MySQL_Security_Best_Practices_0815

The document outlines the security challenges and best practices for MySQL databases, highlighting the increasing frequency of data breaches and vulnerabilities. It emphasizes the importance of strong configurations, encryption, access controls, and compliance with regulations like PCI-DSS and HIPAA. Additionally, it provides guidelines for database hardening, including user management, auditing, and backup strategies to mitigate risks and enhance security.

Uploaded by

oaldana
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 61

MySQL Security:

What’s New & Best Practices

Copyright © 2015, Oracle and/or its affiliates. All rights reserved. |


43% of companies have experienced a
data breach in the past year.
Source: Ponemon Institute, 2014



Attackers Are Moving Faster
• 5 out of 6 large companies targeted by attackers in 2014. 40% increase over 2013.
• 60% of all targeted attacks struck small and medium sized organizations.
• 24 zero-day vulnerabilities in 2014. An all time high.
• Nearly one million new threats (malware) released each day in 2014. And more sophisticated.

Source: Internet Security Threat Report 2015, Symantec


Database Vulnerabilities
• Poor Configurations
– Set controls and change default settings
• Over Privileged Accounts
– Privilege Policies
• Weak Access Control
– Dedicated Administrative Accounts
• Weak Authentication
– Strong Password Enforcement
• Weak Auditing
– Compliance & Audit Policies
• Lack of Encryption
– Data, Backup, & Network Encryption
• Poor Credential or Key Management
– Use mysql_config_editor, Key Vaults
• Unsecured Backups
– Encrypted Backups
• No Monitoring
– Security Monitoring, Users, Objects
• Poorly Coded Applications
– Database Firewall
Database Attacks
• SQL Injection
– Prevention: DB Firewall, White List, Input Validation
• Buffer Overflow
– Prevention: Frequently apply Database Software updates, DB Firewall, White List, Input Validation
• Brute Force Attack
– Prevention: lock out accounts after a defined number of incorrect attempts.
• Network Eavesdropping
– Prevention: Require SSL/TLS for all Connections and Transport
• Malware
– Prevention: Tight Access Controls, Limited Network IP access, Change default settings



Database Malicious Actions
• Information Disclosure: Obtain credit card and other personal information
– Defense: Encryption – Data and Network, Tighter Access Controls
• Denial of Service: Run resource intensive queries
– Defense: Resource Usage Limits – Set various limits – Max Connections, Sessions, Timeouts, …
• Elevation of Privilege: Retrieve and use administrator credentials
– Defense: Stronger authentication, Access Controls, Auditing
• Spoofing: Retrieve and use other credentials
– Defense: Stronger account and password policies
• Tampering: Change data in the database, Delete transaction records
– Defense: Tighter Access Controls, Auditing, Monitoring, Backups


Regulatory Compliance
• Regulations
– PCI – DSS: Payment Card Data
– HIPAA: Privacy of Health Data
– Sarbanes Oxley: Accuracy of Financial Data
– EU Data Protection Directive: Protection of Personal Data
– Data Protection Act (UK): Protection of Personal Data
• Requirements
– Continuous Monitoring (Users, Schema, Backups, etc)
– Data Protection (Encryption, Privilege Management, etc.)
– Data Retention (Backups, User Activity, etc.)
– Data Auditing (User activity, etc.)



PCI-DSS
• Requirement 2: Secure Configurations, Security Settings & Patching
– Not Using Vendor Default Passwords and Security Settings
• Requirement 3: Protecting Cardholder Data – Strong Cryptography
– Protect Stored Cardholder Data
• Requirement 6: Up to Date Patching and Secure Systems
– Develop and Maintain Secure Systems and Applications
• Requirement 7: User Access and Authorization
– Restrict Access to Cardholder Data by Need to Know
• Requirement 8: Identity and Access Management
– Identify and Authenticate Access to System Components
• Requirement 10: Monitoring, Tracking and Auditing
– Track and Monitor Access to Cardholder Data

White Paper: A Guide to MySQL and PCI Compliance


HIPAA
• Access Controls
– Access only to those persons or software programs that have been granted access rights
– Unique User Identification, Emergency Access Procedure, Automatic Logoff, Encryption and Decryption
• Authentication
– Verify that a person or entity seeking electronic protected health information is the one claimed
• Integrity
– Protect electronic protected health information from improper alteration or destruction
• Transmission Security
– Guard against unauthorized access to electronic protected health information that is being transmitted over a network
• Encryption
– Encrypt electronic protected health information
• Audit Control
– Record and examine activity in systems that contain or use electronic protected health information


Sarbanes Oxley
• Accurate and factual business and financial reports
– Verify that the records are protected from tampering and modification
• Protect data accuracy and integrity
– Minimal permissions on data for each employee
– Deny any privileges above the minimum
– Audit all activity


Data Protection Act – UK 1998
• Personal data shall be processed fairly and lawfully
• Personal data shall be obtained only for one or more specified and lawful purposes
• Personal data shall be adequate, relevant and not excessive
• Personal data shall be accurate and, where necessary, kept up to date
• Personal data processed for any purpose shall not be kept for longer than is necessary
• Personal data shall be processed in accordance with the rights of data subjects
• Appropriate measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
• Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country ensures an adequate level of protection


DBA Responsibilities
• Ensure only users who should get access, can get access
• Limit what users and applications can do
• Limit from where users and applications can access data
• Watch what is happening, and when it happened
• Make sure to back things up securely
• Minimize attack surface



MySQL Security Overview
• Authentication – Linux / LDAP, Windows AD, Custom, Proxy Users
• Authorization – MySQL Privilege Management, Administration, Database & Objects
• Encryption – SSL/TLS, Public Key, Private Key, Digital Signatures
• Firewall & Auditing – Block Threats, Auditing, Regulatory Compliance, Login and Query Activities


MySQL Authorization
• Administrative Privileges
• Database Privileges
• Session Limits and Object Privileges
• Fine grained controls over user privileges
– Creating, altering and deleting databases
– Creating, altering and deleting tables
– Execute INSERT, SELECT, UPDATE, DELETE queries
– Create, execute, or delete stored procedures and with what rights
– Create or delete indexes
(Screenshot: Security Privilege Management in MySQL Workbench)
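The authorization controls above, and the resource-limit defense against denial of service from the "Database Malicious Actions" slide, as a worked example. This is added code, not from the Oracle deck: the shop schema, the account names, the 10.0.0.% application subnet, the place_order procedure and the placeholder passwords are assumptions. Syntax is MySQL 5.6/5.7.

```sql
-- Added example (not from the Oracle deck): least-privilege accounts and resource
-- limits for an assumed "shop" schema. Account names, hosts, the shop.place_order
-- procedure (assumed to exist) and the placeholder passwords are illustrative.

-- One account per purpose, restricted to the hosts it should come from.
-- Reporting: SELECT on the one schema it needs, nothing else.
CREATE USER 'shop_ro'@'10.0.0.%' IDENTIFIED BY 'replace-with-generated-secret-1';
GRANT SELECT ON shop.* TO 'shop_ro'@'10.0.0.%';

-- Application: DML only. No DDL, and none of the global privileges (FILE,
-- PROCESS, SUPER, GRANT OPTION) that turn SQL injection into host compromise.
CREATE USER 'shop_app'@'10.0.0.%' IDENTIFIED BY 'replace-with-generated-secret-2';
GRANT SELECT, INSERT, DELETE ON shop.* TO 'shop_app'@'10.0.0.%';
-- Column-level UPDATE: the app may adjust stock, but can never rewrite prices.
GRANT UPDATE (stock, updated_at) ON shop.products TO 'shop_app'@'10.0.0.%';
GRANT UPDATE ON shop.orders TO 'shop_app'@'10.0.0.%';
-- Logic that must touch more tables lives in a SQL SECURITY DEFINER routine
-- owned by a privileged account; the application only gets EXECUTE on it.
GRANT EXECUTE ON PROCEDURE shop.place_order TO 'shop_app'@'10.0.0.%';

-- Deployments: DDL from the admin host only, never from the web tier.
CREATE USER 'shop_deploy'@'localhost' IDENTIFIED BY 'replace-with-generated-secret-3';
GRANT CREATE, ALTER, DROP, INDEX, CREATE ROUTINE, ALTER ROUTINE, CREATE VIEW
   ON shop.* TO 'shop_deploy'@'localhost';

-- Per-account resource limits (denial-of-service containment). 5.6 syntax;
-- on 5.7.6+ ALTER USER ... WITH accepts the same options.
GRANT USAGE ON *.* TO 'shop_ro'@'10.0.0.%'
  WITH MAX_QUERIES_PER_HOUR 20000 MAX_USER_CONNECTIONS 10;
GRANT USAGE ON *.* TO 'shop_app'@'10.0.0.%'
  WITH MAX_USER_CONNECTIONS 200;
-- Server-wide ceilings: cap sessions, drop idle ones, kill runaway SELECTs
-- (max_execution_time is 5.7.8+, in milliseconds).
SET GLOBAL max_connections = 500;
SET GLOBAL wait_timeout = 300;
SET GLOBAL max_execution_time = 10000;

-- Review: what did each account actually end up with?
SHOW GRANTS FOR 'shop_app'@'10.0.0.%';
-- Over-privileged accounts (global privileges an application never needs) and
-- accounts allowed to connect from any host.
SELECT user, host FROM mysql.user
 WHERE Super_priv = 'Y' OR File_priv = 'Y' OR Process_priv = 'Y'
    OR Grant_priv = 'Y' OR Shutdown_priv = 'Y' OR host = '%';
```

The last query is the one to schedule: the grant tables drift as applications are added, and an account with FILE or SUPER on a web-facing subnet is the finding that matters most.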


MySQL Privilege Management: Grant Tables
• user – User accounts, global privileges, user and host
• db – Database level privileges: database, tables, objects
• tables_priv – Table level privileges: table and columns
• columns_priv – Specific columns
• procs_priv – Stored procedures and functions, single function privilege
• proxies_priv – Proxy users, proxy privileges


MySQL Privilege Management
• Continuous assessment
– Configuration
– Users
– Permissions and Rights
• Audit & Review activity
– Who – does the activity match expectations
– What – is it limited as expected
– When – attacks often happen at odd / off-peak times
– Where – connections should be from expected hosts
• MySQL has simple to use controls and privileges to set secure limits


MySQL Authentication
• Built in Authentication
– user table stores accounts and password hashes (never plaintext passwords)
• X.509
– Server authenticates client certificates
• MySQL Native and SHA-256 Password plugins
– mysql_native_password uses SHA-1 hashing; sha256_password uses SHA-256 hashing with per-user salting for account passwords
• MySQL Enterprise Authentication
– Microsoft Active Directory
– Linux PAMs (Pluggable Authentication Modules)
• Support LDAP and more
• Custom Authentication


MySQL Password Policies
• Accounts without Passwords
– Assign passwords to all accounts to prevent unauthorized use
• Password Validation Plugin
– Enforce Strong Passwords
• Password Expiration/Rotation
– Require users to reset their password
• Account locking (ALTER USER ... ACCOUNT LOCK, in v. 5.7)


MySQL Encryption
• SSL/TLS Encryption
– Between MySQL clients and Server
– Replication: Between Master & Slave
• Data Encryption
– AES Encrypt/Decrypt
• MySQL Enterprise Encryption
– Asymmetric Encrypt/Decrypt
– Generate Public Key and Private Keys
– Derive Session Keys
– Digital Signatures
• MySQL Enterprise Backup
– AES Encrypt/Decrypt


SSL/TLS
• Encrypted connections
– Between MySQL Client and Server
– Replication: Between Master & Slave
• MySQL enables encryption on a per-connection basis
– Identity verification using the X.509 standard
• Specify the appropriate SSL certificate and key files
• Works with trusted CAs (Certificate Authorities)
• Supports CRLs – Certificate Revocation Lists


Database Firewall
• SQL Injection Attacks
– #1 Web Application Vulnerability
– 77% of Web Sites had vulnerabilities
• MySQL Enterprise Firewall
– Monitor database statements in real-time
– Automatic White List “rules” generation for any application
– Block SQL Injection Attacks
– Intrusion Detection System



Database Auditing
• Auditing for Security & Compliance
– FIPS, HIPAA, PCI-DSS, SOX, DISA STIG, …
• MySQL built-in logging infrastructure:
– general log, error log
• MySQL Enterprise Audit
– Granularity made for auditing
– Can be modified live
– Contains additional details
– Compatible with Oracle Audit Vault.



MySQL Database Hardening
• Installation – mysql_secure_installation, Keep MySQL up to date, MySQL Installer for Windows, Yum/Apt Repository
• Configuration – Firewall, Auditing and Logging, Limit Network Access, Monitor changes
• User Management – Remove Extra Accounts, Grant Minimal Privileges, Audit users and privileges
• Passwords – Strong Password Policy, Hashing, Expiration, Password Validation Plugin
• Encryption – SSL/TLS for Secure Connections, Data Encryption (AES, RSA)
• Backups – Monitor Backups, Encrypt Backups


MySQL 5.7 Linux Packages - Security Improvements
• Test/Demo database has been removed
– Now in separate packages
• Anonymous account creation is removed
• Creation of a single root account – local host only
• Default installation ensures encrypted communication by default
– Automatic generation of SSL/RSA Certs/Keys
• For EE: At server startup, if the SSL options (Certs/Keys) were not set
• For CE: Through the new mysql_ssl_rsa_setup utility
– Automatic detection of SSL Certs/Keys
• Client attempts a secure TLS connection by default
• Compile time restriction over the location used for data import/export operations (secure-file-priv)
– Ensures the location has restricted access
• Only the mysql user and group
– Supports disabling data import/export entirely
• Set secure-file-priv to NULL (note: an empty string removes the restriction rather than disabling import/export)

MySQL Installer for Windows includes various Security Setup and Hardening Steps


MySQL Database Hardening: Installation
• mysql_secure_installation / MySQL Installer for Windows
– Set a strong password for the root account
– Remove root accounts that are accessible from outside the local host
– Remove anonymous-user accounts
– Remove the test database
• Which by default can be accessed by all users
• Including Anonymous Users
• Keep MySQL up to date
– Repos – YUM/APT/SUSE
– MySQL Installer for Windows
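Re-checking from SQL what mysql_secure_installation is meant to have done, with the equivalent manual clean-up, as an added example (not part of the Oracle deck). Column names assume MySQL 5.7.6+ (the hash is in authentication_string; on 5.6 it is in the password column) and DROP USER IF EXISTS assumes 5.7.8+; the host name in the anonymous-account drop is a placeholder.

```sql
-- Added example (not from the Oracle deck): post-installation account audit.
-- Every SELECT below should return no rows on a hardened server.

-- Anonymous accounts: any row with an empty user name.
SELECT user, host FROM mysql.user WHERE user = '';

-- root reachable from anything but the local host.
SELECT user, host FROM mysql.user
 WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1');

-- Password-authenticated accounts with no password set (5.7.6+ column names).
SELECT user, host, plugin FROM mysql.user
 WHERE plugin IN ('', 'mysql_native_password', 'sha256_password')
   AND (authentication_string = '' OR authentication_string IS NULL);

-- The test database, and the mysql.db rows that grant every account
-- (anonymous ones included) full access to test and test_%.
SELECT schema_name FROM information_schema.schemata
 WHERE schema_name = 'test' OR schema_name LIKE 'test\_%';
SELECT host, db, user FROM mysql.db
 WHERE db = 'test' OR db LIKE 'test\_%';

-- Clean-up if anything above returned rows (this is what the script does).
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS ''@'db1.example.com';   -- placeholder: repeat per anonymous row found
DROP USER IF EXISTS 'root'@'%';              -- repeat per non-local root row found
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE db = 'test' OR db LIKE 'test\_%';
FLUSH PRIVILEGES;                            -- required after editing grant tables directly
-- Strong root password (5.7.6+ syntax; 5.6 uses SET PASSWORD).
ALTER USER 'root'@'localhost' IDENTIFIED BY 'replace-with-generated-secret';
```

The mysql.db check is the one most often missed: dropping the test database does not remove the wildcard grant rows, so a later CREATE DATABASE test_reports is again readable by every account.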


Software Updates - Database and OS Maintenance
• Maintaining security requires keeping Operating System and MySQL
security patches up to date.
– May require a restart (mysql or operating system) to take effect.
• To enable seamless upgrades consider MySQL Replication
– Allows for changes to be performed in a rolling fashion
• Best practice to upgrade slaves first
– MySQL 5.6 and above supports GTID-based replication
• Provides for simple rolling upgrades

• Follow OS vendor specific hardening Guidelines


– For example
• http://www.oracle.com/technetwork/articles/servers-storage-admin/tips-harden-oracle-linux-1695888.html



MySQL Database Hardening: Configuration
• Audit Activity
– Use Enterprise Audit
– Alternatively, transiently enable query logging
– Monitor and inspect regularly
• Disable or Limit Remote Access
– If local: "skip-networking" or bind-address=127.0.0.1
– If remote access is needed, limit hosts/IPs
• Run MySQL on a non-default port
– More difficult to find the database
• Change root username
• Disable unauthorized reading from local files
– Disable LOAD DATA LOCAL INFILE (local_infile=OFF)
• Limit MySQL OS User
• Ensure secure-auth is enabled


MySQL Database Hardening: Best Practices
Parameter – Recommended Value – Why
• secure_file_priv – A designated leaf directory for data loads – Only allows files to be loaded from a specific location. Limits use of MySQL to get data from across the OS
• symbolic_links – OFF – Prevents redirection into less secure filesystem directories
• default_storage_engine – InnoDB – Ensures transactional commits and crash-safe recovery
• general_log – OFF – Should only be used for debugging, off otherwise
• log_raw – OFF (default) – Should only be used for debugging, off otherwise; when ON, passwords are written unrewritten to the general log
• skip_networking / bind_address – ON / 127.0.0.1 – If all local, block network connections or limit to the local host
• SSL options – Set valid values – Should encrypt network communication
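A single query that compares a running server against the table above and the configuration slide before it, flagging drift, as an added example (not from the Oracle deck). It assumes MySQL 5.7.8+, where settings are exposed in performance_schema.global_variables (on 5.6 read information_schema.GLOBAL_VARIABLES instead); the my.cnf values in the trailing comment are assumptions to adapt.

```sql
-- Added example (not from the Oracle deck): hardening-table compliance check.
-- symbolic_links is reported through have_symlink (DISABLED when the server was
-- started with --skip-symbolic-links). log_raw is a startup option only before
-- 8.0.19, so it must be checked in my.cnf or the process arguments, not here.
SELECT variable_name,
       variable_value,
       CASE
         WHEN variable_name = 'secure_file_priv' AND variable_value = ''
           THEN 'FAIL: empty value allows import/export from anywhere on the filesystem'
         WHEN variable_name = 'have_symlink' AND variable_value <> 'DISABLED'
           THEN 'FAIL: start with symbolic_links = 0'
         WHEN variable_name = 'default_storage_engine' AND variable_value <> 'InnoDB'
           THEN 'FAIL: non-transactional default engine'
         WHEN variable_name = 'general_log' AND variable_value <> 'OFF'
           THEN 'FAIL: general log on, every statement is written to disk'
         WHEN variable_name = 'local_infile' AND variable_value <> 'OFF'
           THEN 'FAIL: LOAD DATA LOCAL INFILE allowed'
         WHEN variable_name = 'skip_networking' AND variable_value = 'OFF'
           THEN 'WARN: TCP listener enabled; check bind_address and the host firewall'
         WHEN variable_name = 'bind_address' AND variable_value IN ('*', '0.0.0.0', '::')
           THEN 'WARN: listening on all interfaces'
         WHEN variable_name = 'have_ssl' AND variable_value <> 'YES'
           THEN 'FAIL: TLS not available on this server'
         WHEN variable_name = 'require_secure_transport' AND variable_value = 'OFF'
           THEN 'WARN: plaintext client connections still accepted'
         ELSE 'OK'
       END AS finding
  FROM performance_schema.global_variables
 WHERE variable_name IN ('secure_file_priv', 'have_symlink', 'default_storage_engine',
                         'general_log', 'local_infile', 'skip_networking', 'bind_address',
                         'have_ssl', 'require_secure_transport')
 ORDER BY variable_name;

-- Dynamic settings can be corrected on the spot ...
SET GLOBAL general_log = OFF;
SET GLOBAL local_infile = OFF;
-- ... the rest belong in my.cnf [mysqld] (assumed values) and need a restart:
--   secure_file_priv       = /var/lib/mysql-files
--   symbolic_links         = 0
--   default_storage_engine = InnoDB
--   bind_address           = 127.0.0.1    # or skip_networking = ON if only local clients
--   ssl_ca = ca.pem  ssl_cert = server-cert.pem  ssl_key = server-key.pem
--   log_raw                = OFF
```

Run it from a monitoring job and alert on any row whose finding is not OK; a SET GLOBAL made by a DBA under pressure survives until the next restart and is exactly the drift this catches.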


MySQL Database Hardening: Password Policies
• Enforce Strong Password Policies
• Password Hashing
• Password Expiration
• Password Validation Plugin
• Authentication Plugin
– Inherits the password policies from the external component
– LDAP, Windows Active Directory, etc.
• Disable accounts when not in use
– Account locking (ALTER USER ... ACCOUNT LOCK, 5.7+)
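The controls from this slide and the earlier "MySQL Password Policies" slide applied on MySQL 5.7, as an added example (not from the Oracle deck). The dictionary file path, account names and passwords are assumptions; MySQL 8.0 ships the same plugin as the validate_password component with validate_password.* variable names.

```sql
-- Added example (not from the Oracle deck): password validation, hashing,
-- expiration and account locking on MySQL 5.7. Paths and accounts are assumed.

-- Validation plugin: length, character classes, and a deny-list of known-bad
-- passwords. STRONG policy = the MEDIUM rules plus the dictionary check.
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password_length = 14;
SET GLOBAL validate_password_mixed_case_count = 1;
SET GLOBAL validate_password_number_count = 1;
SET GLOBAL validate_password_special_char_count = 1;
SET GLOBAL validate_password_dictionary_file = '/etc/mysql/breached-passwords.txt';
SET GLOBAL validate_password_policy = STRONG;
-- 5.7.15+: refuse passwords that contain the account name.
SET GLOBAL validate_password_check_user_name = ON;
-- Score a candidate first (100 = passes every check). CREATE USER, ALTER USER
-- and SET PASSWORD are rejected when the plugin's checks fail.
SELECT VALIDATE_PASSWORD_STRENGTH('Correct-Horse-Battery-9!') AS score;

-- Hashing: prefer sha256_password (salted, multiple rounds) over the unsalted
-- SHA-1 of mysql_native_password for interactive accounts.
CREATE USER 'alice'@'localhost' IDENTIFIED WITH sha256_password BY 'Correct-Horse-Battery-9!';

-- Expiration: a global default in days (5.7.4+) plus per-account overrides (5.7.6+).
SET GLOBAL default_password_lifetime = 90;
ALTER USER 'alice'@'localhost' PASSWORD EXPIRE INTERVAL 60 DAY;
ALTER USER 'shop_app'@'10.0.0.%' PASSWORD EXPIRE NEVER;  -- service account: rotated by deployment, not expiry
ALTER USER 'bob'@'localhost' PASSWORD EXPIRE;            -- force a reset at next login

-- Disable accounts that are not in use rather than leaving them with a password.
ALTER USER 'old_batch'@'localhost' ACCOUNT LOCK;
-- (8.0.19+ adds the brute-force lockout from the "Database Attacks" slide:
--  ALTER USER ... FAILED_LOGIN_ATTEMPTS 5 PASSWORD_LOCK_TIME 1;)

-- Review: plugin, expiry state and lock state for every account.
SELECT user, host, plugin, password_expired, password_lifetime,
       password_last_changed, account_locked
  FROM mysql.user ORDER BY user, host;
```

sha256_password exchanges the password either over TLS or encrypted with the server's RSA key pair, so pair it with the TLS setup on the encryption slides; clients that cannot do either fall back to failing, not to plaintext.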


MySQL Database Hardening: Encryption
• Encrypted Communication and More
• SSL/TLS encryption for transport
• X.509 adds an additional "factor" – something you have – in addition to username/password or other authentication
– Assures the client is validated – thus more likely trusted
• Use database and application level encryption of highly sensitive data
• Use database or application functions to mask or de-identify data
– Personal IDs, Credit Cards, …
• Consider public keys for applications that only encrypt (the private key, and with it the ability to decrypt, stays out of the application tier)
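Requiring TLS, and X.509 client certificates as the extra factor described above and on the earlier SSL/TLS slide, as an added example (not from the Oracle deck). Account names, certificate subject and issuer DNs and file paths are assumptions; the server's own ssl_ca / ssl_cert / ssl_key must already be configured (5.7 generates them with mysql_ssl_rsa_setup).

```sql
-- Added example (not from the Oracle deck): per-account TLS and X.509 requirements
-- on MySQL 5.7 (ALTER USER ... REQUIRE is 5.7.6+; 5.6 uses GRANT USAGE ... REQUIRE).

-- Confirm the server actually has TLS available before locking accounts to it.
SHOW GLOBAL VARIABLES WHERE Variable_name IN ('have_ssl', 'ssl_ca', 'ssl_cert', 'ssl_key', 'tls_version');

-- Encrypted transport only: the account may not connect in plaintext at all.
ALTER USER 'shop_app'@'10.0.0.%' REQUIRE SSL;

-- TLS plus a client certificate: REQUIRE X509 accepts any valid certificate from
-- a CA in ssl_ca; SUBJECT and ISSUER pin it to one identity, which is what makes
-- it a "something you have" factor rather than just a trusted CA.
ALTER USER 'payments'@'10.0.0.%'
  REQUIRE SUBJECT '/C=US/ST=CA/O=Example Corp/CN=payments-service'
      AND ISSUER  '/C=US/ST=CA/O=Example Corp/CN=Example Internal CA';

-- Replication: the slave connects over TLS and verifies the master's certificate.
CHANGE MASTER TO
  MASTER_SSL = 1,
  MASTER_SSL_CA   = '/etc/mysql/ssl/ca.pem',
  MASTER_SSL_CERT = '/etc/mysql/ssl/replica-cert.pem',
  MASTER_SSL_KEY  = '/etc/mysql/ssl/replica-key.pem',
  MASTER_SSL_VERIFY_SERVER_CERT = 1;

-- Server-wide backstop (5.7.8+): refuse every unencrypted client connection,
-- so a newly created account without REQUIRE SSL is still covered.
SET GLOBAL require_secure_transport = ON;

-- Verification. From a client session, Ssl_cipher is empty on a plaintext link:
SHOW SESSION STATUS LIKE 'Ssl_cipher';
-- And the grant tables show which accounts carry which requirement:
SELECT user, host, ssl_type, ssl_cipher, x509_issuer, x509_subject
  FROM mysql.user WHERE ssl_type <> '';
```

Server-side requirements only prove the client has a certificate; the client must also verify the server (--ssl-mode=VERIFY_IDENTITY on 5.7 clients) or an on-path attacker can still present its own certificate to the client side of the connection.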


MySQL Database Hardening: Backups
• Backups are Business Critical
– Used to restore after attack
– Migrate, move or clone server
– Part of Audit Trail
• Regularly Scheduled Backups
• Monitor Backups
• Encrypt Backups



Applications and Credentials - Best Practices
• Applications – minimize sharing of credentials (username/password)
– The finer grained the better – don't reuse one credential across many applications/servers
• Enable support for credential rotation
– Do not require all passwords to be changed in synchronization
– Facilitates better troubleshooting and root-cause analysis
• Steps to changing credentials should be secure and straightforward
– Not embedded in your code
• Can be changed without redeploying an application
• Should never be stored in version control and must differ between environments
• Applications should get credentials using a secure configuration methodology (e.g. mysql_config_editor login paths or a key vault)


MySQL Enterprise Edition
• MySQL Enterprise Authentication
– External Authentication Modules
• Microsoft AD, Linux PAMs
• MySQL Enterprise Encryption
– Public/Private Key Cryptography
– Asymmetric Encryption
– Digital Signatures, Data Validation
• MySQL Enterprise Firewall
– Block SQL Injection Attacks
– Intrusion Detection
• MySQL Enterprise Audit
– User Activity Auditing, Regulatory Compliance
• MySQL Enterprise Monitor
– Changes in Database Configurations, Users Permissions, Database Schema, Passwords
• MySQL Enterprise Backup
– Securing Backups, AES 256 encryption


MySQL Enterprise Monitor
• Enforce MySQL Security Best Practices
– Identifies Vulnerabilities
– Assesses current setup against security hardening policies
• Monitoring & Alerting
– User Monitoring
– Password Monitoring
– Schema Change Monitoring
– Backup Monitoring
– Configuration Management
– Configuration Tuning Advice
• Centralized User Management

"I definitely recommend the MySQL Enterprise Monitor to DBAs who don't have a ton of MySQL experience. It makes monitoring MySQL security, performance and availability very easy to understand and to act on."
– Sandi Barr, Sr. Software Engineer, Schneider Electric


Oracle Enterprise Manager for MySQL
• Availability monitoring
• Performance monitoring
• Configuration monitoring
• All available metrics collected
– Allowing for custom threshold based incident reports
• MySQL auto-detection
(Screenshots: Performance, Security and Availability dashboards)


MySQL Enterprise Firewall
• Real Time Protection
– Queries analyzed and matched against White List
• Blocks SQL Injection Attacks
– Block Out of Policy Transactions
• Intrusion Detection
– Detect and Alert on Out of Policy Transactions
• Learns White List
– Automated creation of approved list of SQL command patterns on a per user basis
• Transparent
– No changes to application required
(Screenshot: MySQL Enterprise Firewall monitoring)

MySQL Enterprise Firewall
• Block SQL Injection Attacks
– Allow: SQL Statements that match Whitelist
– Block: SQL statements that are not on Whitelist
• Intrusion Detection System
– Detect: SQL statements that are not on Whitelist
• SQL Statements execute and alert administrators
• Example (applications → White List):
– SELECT * FROM employee WHERE id=22 → ✔ Allow
– SELECT * FROM employee WHERE id=22 OR 1=1 → ✖ Block (or Detect & Alert in Intrusion Detection mode)


MySQL Enterprise Firewall: Overview
(Diagram: SQL injection attack via browser → Internet → Web Applications → inbound SQL traffic → MySQL Enterprise Firewall in front of the instance: 1 ALLOW, 2 BLOCK, 3 DETECT)


MySQL Enterprise Firewall: Operating Modes
1. ALLOW – Execute SQL: statement matches the whitelist table → allowed
2. BLOCK – Block the request: statement not in the whitelist table → blocked and alert raised (blocks SQL attacks)
3. DETECT (IDS) – Execute SQL & alert: statement not in the whitelist table → allowed and alert raised


MySQL Enterprise Firewall Workflow
1. Receive SQL from the client
2. Digest the statement into parser tokens
3. Firewall mode for the user: Recording → store the SQL digest in the whitelist and execute; Off → execute SQL
4. Protect or Detect → check the user's whitelist in the firewall
5. In whitelist? Yes → execute SQL
6. No → send a firewall alert to the error log; Detect mode → execute SQL; Protect mode → reject SQL


MySQL Enterprise Firewall Details
• Firewall operation is turned on at a per user level
• Per User States are
–RECORDING
–PROTECTING
–DETECTING
–OFF



MySQL Workbench: Firewall Status
(Screenshot)

MySQL Enterprise Firewall: Per User Whitelists
(Screenshot)


MySQL Enterprise Firewall:
What happens when SQL is blocked in Protect Mode?
• The client application gets an ERROR
mysql> SELECT first_name, last_name FROM customer WHERE customer_id = 1 OR TRUE;
ERROR 1045 (28000): Statement was blocked by Firewall
mysql> SHOW DATABASES;
ERROR 1045 (28000): Statement was blocked by Firewall
mysql> TRUNCATE TABLE mysql.user;
ERROR 1045 (28000): Statement was blocked by Firewall

• Reported to the Error Log
• Increments the Firewall_access_denied status counter


MySQL Enterprise Firewall: Monitoring
(Screenshot: Firewall Status Counters)


MySQL Enterprise Firewall: Whitelist Example
• mysql> SELECT userhost, substr(rule,1,80) FROM mysql.firewall_whitelist WHERE userhost=
'wpuser@localhost';
+------------------+----------------------------------------------------------------------------------+
| userhost | substr(rule,1,80) |
+------------------+----------------------------------------------------------------------------------+
| wpuser@localhost | SELECT * FROM `wp_posts` WHERE `ID` = ? LIMIT ? |
| wpuser@localhost | SELECT `option_value` FROM `wp_options` WHERE `option_name` = ? LIMIT ? |
| wpuser@localhost | SELECT `wp_posts` . * FROM `wp_posts` WHERE ? = ? AND `wp_posts` . `ID` = ? AND |
...
| wpuser@localhost | UPDATE `wp_posts` SET `comment_count` = ? WHERE `ID` = ? |
| wpuser@localhost | SELECT `t` . * , `tt` . * FROM `wp_terms` AS `t` INNER JOIN `wp_term_taxonomy` A |
| wpuser@localhost | SELECT `t` . * , `tt` . * FROM `wp_terms` AS `t` INNER JOIN `wp_term_taxonomy` A |
+------------------+----------------------------------------------------------------------------------+

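Driving the firewall through its per-user states (RECORDING, DETECTING, PROTECTING) for the wpuser@localhost account shown in the whitelist above, as an added example that is not from the Oracle deck. It assumes MySQL 5.6.24+/5.7.6+ Enterprise Edition with the plugin's install script (linux_install_firewall.sql) already run; the sample statements are constructed, and the normalized forms shown in comments follow the pattern of the whitelist rows above.

```sql
-- Added example (not from the Oracle deck): MySQL Enterprise Firewall lifecycle
-- for one account. The wp_posts statements are constructed samples.

-- 1. Train: record every statement the application issues. Run the complete
--    application regression suite while recording so the whitelist is complete.
CALL mysql.sp_set_firewall_mode('wpuser@localhost', 'RECORDING');

-- 2. Inspect what was learned. Literals become ?, so one rule covers every
--    parameter value but NOT a changed statement shape.
SELECT rule FROM mysql.firewall_whitelist WHERE userhost = 'wpuser@localhost';
SELECT normalize_statement('SELECT * FROM wp_posts WHERE ID = 42 LIMIT 1') AS digest;
-- -> SELECT * FROM `wp_posts` WHERE `ID` = ? LIMIT ?
SELECT normalize_statement('SELECT * FROM wp_posts WHERE ID = 42 OR 1=1 LIMIT 1') AS injected;
-- -> ... WHERE `ID` = ? OR ? = ? LIMIT ?   (a different digest: not whitelisted)

-- 3. Shadow mode first: out-of-policy statements still run but are written to
--    the error log and counted, so whitelist gaps surface without an outage.
CALL mysql.sp_set_firewall_mode('wpuser@localhost', 'DETECTING');
SHOW GLOBAL STATUS LIKE 'Firewall_access_suspicious';

-- 4. Enforce: anything not in the whitelist now fails with
--    ERROR 1045 (28000): Statement was blocked by Firewall
CALL mysql.sp_set_firewall_mode('wpuser@localhost', 'PROTECTING');
SHOW GLOBAL STATUS LIKE 'Firewall_access_%';   -- _granted, _denied, _suspicious

-- 5. A deployment adds a new query: whitelist it by hand and reload the cache
--    rather than re-recording, which would also learn anything an attacker
--    happened to send during the recording window.
INSERT INTO mysql.firewall_whitelist (userhost, rule)
VALUES ('wpuser@localhost', 'SELECT `ID` FROM `wp_posts` WHERE `post_status` = ? LIMIT ?');
CALL mysql.sp_reload_firewall_rules('wpuser@localhost');

-- Current state of every protected account.
SELECT userhost, mode FROM mysql.firewall_users;
```

Two caveats a practitioner should keep in mind: recording learns whatever traffic arrives, so record only from a trusted source during a known-good run, and the firewall matches shape, not intent, so an injection that preserves the shape (for example one that only changes a literal) is not caught by it and still needs parameterized queries in the application.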


MySQL Enterprise Authentication
Integrates MySQL with existing security infrastructures
• Integrate with Centralized Authentication Infrastructure
– Centralized Account Management
– Password Policy Management
– Groups & Roles
• PAM (Pluggable Authentication Modules)
– Standard interface (Unix, LDAP, Kerberos, others)
• Windows
– Access native Windows services – Use to authenticate users against Windows Active Directory or a native host


MySQL Enterprise Authentication: PAM
• Standard Interface
– LDAP
– Unix/Linux
• Proxy Users



MySQL Enterprise Authentication: Windows
• Windows Active Directory
• Windows Native Services

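PAM authentication with proxy users, so that OS or LDAP group membership maps onto MySQL role accounts, as an added example (not from the Oracle deck). It assumes MySQL Enterprise Edition 5.6/5.7, a PAM service file named mysql on the server, and Unix groups dba and devs; the role account names and passwords are illustrative.

```sql
-- Added example (not from the Oracle deck): PAM with proxy users and group mapping.
-- Server side, /etc/pam.d/mysql (assumed) contains the standard two lines:
--   auth    required pam_unix.so
--   account required pam_unix.so
INSTALL PLUGIN authentication_pam SONAME 'authentication_pam.so';

-- Role accounts hold the privileges. Nobody logs in as them directly; they are
-- reached only via proxy, so their passwords are random and never distributed.
CREATE USER 'dba_role'@'localhost' IDENTIFIED BY 'random-never-used-1';
GRANT ALL PRIVILEGES ON *.* TO 'dba_role'@'localhost' WITH GRANT OPTION;
CREATE USER 'dev_role'@'localhost' IDENTIFIED BY 'random-never-used-2';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'dev_role'@'localhost';

-- The anonymous PAM account: any OS user authenticates through PAM service
-- "mysql"; Unix group membership is mapped to a role account, first match wins.
CREATE USER ''@'' IDENTIFIED WITH authentication_pam
  AS 'mysql, dba=dba_role, devs=dev_role';
GRANT PROXY ON 'dba_role'@'localhost' TO ''@'';
GRANT PROXY ON 'dev_role'@'localhost' TO ''@'';

-- Verify from a session: USER() is the OS identity that authenticated,
-- CURRENT_USER() is the role whose privileges apply, @@proxy_user links them.
SELECT USER(), CURRENT_USER(), @@proxy_user;
SELECT user, host, proxied_user, proxied_host FROM mysql.proxies_priv;
```

The audit trail keeps the individual identity (USER()) even though privileges come from the shared role, which is what the HIPAA "unique user identification" and SOX "audit all activity" requirements earlier in the deck ask for; removing someone from the dba group in the directory revokes their database access without touching MySQL.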


MySQL Enterprise Encryption
• MySQL encryption functions
– Symmetric encryption AES256 (All Editions)
– Public-key / asymmetric cryptography – RSA
• Key management functions
– Generate public and private keys
– Key exchange methods: DH
• Sign and verify data functions
– Cryptographic hashing for digital signing, verification, & validation – RSA,DSA



MySQL Enterprise Encryption: Deployment Patterns
• Encryption/Decryption within MySQL – sensitive data is encrypted with the public key and decrypted with the private key inside the server
• App Encrypts / MySQL Decrypts – the application encrypts with the public key, the server decrypts with the private key
• App Encrypts / MySQL Stores / MySQL Decrypts – the application encrypts with the public key, the server stores the encrypted data and decrypts with the private key on request
• Oracle Key Vault Generates Keys (or externally generated)
• Private / Public Key Pairs
– Generate using MySQL Enterprise Encryption Functions
– Generate using Oracle Key Vault
– Use externally generated (e.g. OpenSSL)
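The deployment patterns above carried through with the MySQL Enterprise Encryption functions (openssl_udf, EE 5.6.21+/5.7.8+) and the AES functions available in every edition, as an added example that is not from the Oracle deck. The table name, the key passphrase and the sample card number (a standard test PAN) are constructed; in production the private key is loaded per session from a key vault or the application, never stored next to the ciphertext.

```sql
-- Added example (not from the Oracle deck): asymmetric encryption, signatures
-- and AES inside MySQL. Register the Enterprise Encryption functions once.
CREATE FUNCTION create_asymmetric_priv_key RETURNS STRING SONAME 'openssl_udf.so';
CREATE FUNCTION create_asymmetric_pub_key RETURNS STRING SONAME 'openssl_udf.so';
CREATE FUNCTION asymmetric_encrypt RETURNS STRING SONAME 'openssl_udf.so';
CREATE FUNCTION asymmetric_decrypt RETURNS STRING SONAME 'openssl_udf.so';
CREATE FUNCTION create_digest RETURNS STRING SONAME 'openssl_udf.so';
CREATE FUNCTION asymmetric_sign RETURNS STRING SONAME 'openssl_udf.so';
CREATE FUNCTION asymmetric_verify RETURNS INTEGER SONAME 'openssl_udf.so';

-- Key pair generated inside MySQL. A PEM pair from OpenSSL or Oracle Key Vault
-- is passed in exactly the same way, as a string.
SET @priv = create_asymmetric_priv_key('RSA', 2048);
SET @pub  = create_asymmetric_pub_key('RSA', @priv);

-- "App encrypts / MySQL stores": the application tier gets only @pub, so a
-- compromised web server can insert card numbers but can never read them back.
-- RSA-2048 with PKCS#1 padding takes at most 245 bytes and yields 256 bytes.
CREATE TABLE card_vault (
  id      INT AUTO_INCREMENT PRIMARY KEY,
  pan_enc VARBINARY(256) NOT NULL
) ENGINE = InnoDB;
INSERT INTO card_vault (pan_enc)
VALUES (asymmetric_encrypt('RSA', '4111111111111111', @pub));

-- "MySQL decrypts": only a session holding @priv recovers the plaintext, and it
-- hands out a masked value unless the full PAN is genuinely needed.
SELECT id,
       CONCAT(REPEAT('*', 12), RIGHT(asymmetric_decrypt('RSA', pan_enc, @priv), 4)) AS pan_masked
  FROM card_vault;

-- Digital signatures for data validation: sign a digest with the private key,
-- verify with the public key. 1 = intact, 0 = the record was altered.
SET @rec = 'order 1001; total 49.90';
SET @sig = asymmetric_sign('RSA', create_digest('SHA256', @rec), @priv, 'SHA256');
SELECT asymmetric_verify('RSA', create_digest('SHA256', @rec), @sig, @pub, 'SHA256') AS intact,
       asymmetric_verify('RSA', create_digest('SHA256', 'order 1001; total 499.90'),
                         @sig, @pub, 'SHA256') AS tampered;

-- Symmetric AES (all editions) for bulk data: aes-256-cbc with a random IV per
-- value, never the aes-128-ecb default; the key stays outside the database.
SET block_encryption_mode = 'aes-256-cbc';
SET @key = UNHEX(SHA2('replace-with-a-256-bit-key-fetched-from-a-vault', 256));
SET @iv  = RANDOM_BYTES(16);                 -- 5.6.17+; store it beside the ciphertext
SET @ct  = AES_ENCRYPT('4111111111111111', @key, @iv);
SELECT AES_DECRYPT(@ct, @key, @iv) AS plaintext;
```

Session variables holding keys are visible to anyone who can read that session's statements (the general log, or the audit log with statement logging on), so the pattern where the application encrypts and only a locked-down DBA session ever loads the private key is the one that actually keeps the key out of the server's logs.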


MySQL Enterprise Audit
• Out-of-the-box logging of connections, logins, and queries
• User defined policies for filtering, and log rotation
• Dynamically enabled, disabled: no server restart
• XML-based audit stream per Oracle Audit Vault spec
Adds regulatory compliance to MySQL applications (HIPAA, Sarbanes-Oxley, PCI, etc.)

MySQL Enterprise Audit: Workflow
1. DBA enables Audit plugin
2. User Joe connects and runs a query
3. Joe's connection & query logged
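Enabling MySQL Enterprise Audit on 5.6/5.7 and changing its policy at run time without a restart, as an added example (not from the Oracle deck). The monitoring account name, log path and rotation size are assumptions; settings marked my.cnf are read at startup only.

```sql
-- Added example (not from the Oracle deck): MySQL Enterprise Audit setup.
INSTALL PLUGIN audit_log SONAME 'audit_log.so';   -- registered permanently in mysql.plugin

-- my.cnf [mysqld], startup-only (assumed values):
--   audit_log          = FORCE_PLUS_PERMANENT   # server will not start without it; cannot be unloaded
--   audit_log_format   = NEW                    # XML stream for Oracle Audit Vault (JSON: 5.7.21+)
--   audit_log_strategy = SYNC                   # no lost events, at some cost in throughput
--   audit_log_file     = /var/log/mysql/audit.log   # directory readable by the mysql user only

-- Legacy policy variables (dynamic): log all connections and all statements ...
SET GLOBAL audit_log_connection_policy = 'ALL';
SET GLOBAL audit_log_statement_policy  = 'ALL';
-- ... except the noisy monitoring account. include_accounts and exclude_accounts
-- are mutually exclusive, so clear the one you are not using first.
SET GLOBAL audit_log_include_accounts = NULL;
SET GLOBAL audit_log_exclude_accounts = 'monitor@localhost';

-- Rotation: roll the file automatically at 100 MB. (With rotate_on_size = 0 you
-- rename the file yourself and then SET GLOBAL audit_log_flush = ON to reopen it.)
SET GLOBAL audit_log_rotate_on_size = 104857600;

-- 5.7.13+ rule-based filtering, once audit_log_filter_linux_install.sql has
-- replaced the legacy variables: everything for everyone, connections only for
-- the monitoring account.
-- SELECT audit_log_filter_set_filter('log_all', '{ "filter": { "log": true } }');
-- SELECT audit_log_filter_set_user('%', 'log_all');
-- SELECT audit_log_filter_set_filter('conn_only', '{ "filter": { "class": { "name": "connection" } } }');
-- SELECT audit_log_filter_set_user('monitor@localhost', 'conn_only');

-- Verify the plugin is active and events are being written, with none lost.
SELECT plugin_name, plugin_status FROM information_schema.plugins WHERE plugin_name = 'audit_log';
SHOW GLOBAL VARIABLES LIKE 'audit_log%';
SHOW GLOBAL STATUS LIKE 'Audit_log_events%';   -- _written should climb, _lost should stay 0
```

Ship the file off the host (Audit Vault, a SIEM, or at least a log forwarder) as it rotates: an attacker who reaches the mysql OS user can truncate a local audit log, which is why the FORCE_PLUS_PERMANENT and synchronous-write settings matter only in combination with remote retention.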


MySQL Enterprise Backup
• Online Backup for InnoDB (scriptable interface)
• Full, Incremental, Partial Backups (with compression)
• Strong Encryption (AES 256)
• Point in Time, Full, Partial Recovery options
• Metadata on status, progress, history
• Scales – High Performance/Unlimited Database Size
• Windows, Linux, Unix
• Certified with Oracle Secure Backup, NetBackup, Tivoli, others



MySQL Enterprise Oracle Certifications
• Oracle Enterprise Manager for MySQL
• Oracle Linux (w/DRBD stack)
• Oracle VM
• Oracle Solaris
• Oracle Solaris Clustering
• Oracle Clusterware
• Oracle Audit Vault and Database Firewall
• Oracle Secure Backup
• Oracle Fusion Middleware
• Oracle GoldenGate
• My Oracle Support

MySQL integrates into your Oracle environment


Oracle Audit Vault and Database Firewall
• Oracle DB Firewall
– Oracle, MySQL, SQL Server, IBM DB2, Sybase
– Activity Monitoring & Logging
– White List, Black List, Exception List
• Audit Vault
– Built-in Compliance Reports
– External storage for audit archive
