Sharing keys, passphrases with applications is problematic, especially with regard to encrypting data. Too often applications are developed where “the keys are left in the door” or at best “under the mat” – hard coded, in a clear text property file… exposed and vulnerable. …
Category Archives: Security
MySQL 8.0: Making User Management DDLs Atomic
With MySQL 8.0, we are bringing in an important change in the way user management DDLs are executed.
Background
User management DDLs cover following user management actions:
- Creating user/role (CREATE USER [IF NOT EXISTS] / CREATE ROLE [IF NOT EXISTS])
- Altering user account properties (ALTER USER [IF EXISTS])
- Dropping user/role from database (DROP USER [IF EXISTS] / DROP ROLE [IF EXISTS])
- Granting/Revoking privileges to/from a user/role (GRANT/REVOKE)
Each of these administrative action can handle multiple entities as a part of single command.…
MySQL 5.7: New Audit Log Filtering Feature – Part 1
Security auditing plays important role in the process of securing a database system. Thanks to the MySQL Enterprise Audit extension, we can record all activities, such as client connections and execution of queries into a single log file, for later inspection.…
Keyring framework
Security these days is bigger than ever. This statement needs no proof. It seems like it is getting easier and easier to get access to ‘secure data’. As system grows it becomes really hard to secure all endpoints. This is why encrypting data is now the hot topic in the database world.…
Restricting Connections to Secure Transport
MySQL 5.7 makes secure connections easier with streamlined key generation for both MySQL Community and MySQL Enterprise, improves security by expanding support for TLSv1.1 and TLSv1.2, and helps administrators assess whether clients are connecting securely or not with new visibility into connection types. …
Simplified SSL/TLS Setup for MySQL Community
Transport Layer Security (TLS, also often referred to as SSL) is an important component of a secure MySQL deployment, but the complexities of properly generating the necessary key material and configuring the server dissuaded many users from completing this task. MySQL Server 5.7 simplifies this task for both Enterprise and Community users. …
An update on default_password_lifetime
With MySQL 5.7, our goal is to be secure by default. This means that without having to change configuration settings or perform any additional steps, your fresh installation should be safe for production use.
As part of this security initiative, MySQL 5.7 shipped with a new feature where user accounts will be disabled if the password has not been changed in a number of days.…
Protecting MySQL Passwords With the sha256_password Plugin
Over the years, MySQL has used three different mechanisms for securing passwords both for storage and for transmission across networks. This blog post aims to provide a brief history of the various mechanisms and highlight reasons to migrate accounts to use the sha256_password mechanism introduced in MySQL Server 5.6.…
Track and Optimize Server Connection Methods
The MySQL server supports a variety of client connection methods. To summarize: you have TCP/IP (v4 and v6) on all OSes (with or without TLS/SSL encryption), Unix Domain Sockets on Unix/Linux, and Named Pipes and/or Shared Memory on Windows.
Each of these connection methods has its own set of pros and cons: speed, security, portability, and ease-of-use.…
Identifying Insecure Connections
A key theme of the MySQL Server 5.7 release is much improved security. Earlier releases of MySQL 5.7 have introduced features supporting this initiative including automatic generation and detection of TLS key material and client-side preference for TLS connections. The recent MySQL 5.7.8 release builds upon this and provides additional monitoring and audit capabilities that make it easy to answer the question: “How secure are my client connections?”.…