MySQL 的安全性和合規性.pdf

《MySQL 的安全性和合規性.pdf》由會員分享，可在線閱讀，更多相關《MySQL 的安全性和合規性.pdf（74頁珍藏版）》請在三個皮匠報告上搜索。

1、Security and Compliance with MySQLCopyright 2024 Oracle and/or its affiliates.Mike Frank,MySQL Product Management Director|OracleAgendaCopyright 2024 Oracle and/or its affiliates.Compliance Overview How to Examples Architectural Review Latest Enhancements Security Guidelines MySQL Secure Deployment

2、Guide CIS Benchmark for MySQL 8.0 EE DISA STIG Resources Tell us what you needSecurity is Job#1Data is the Most Valuable Asset3“Keep the organization safe(cybersecurity/cyber resilience/GDPR compliance/data protection compliance)“Almost all breaches-preventable.Was#1 Security in 2019Still#1 Security

3、And on par for spending Increase with CloudGlobal Partner Summit-Munich,2019Data Security&Privacy Regulations are ProlilferatingCo DPLCl PPLAr PDPLAu APPNz PASa ECTAMx PDPLMa DPARu DPATh PDAIn PDPBSi PDPAJp APPICn GDPLHk PDPOBr GDPLGLBAHIPAAPatriot ActPIPEDACIPNY DFS500FOIPPA50 State Data Privacy La

4、wsFS-ISACNCUAFFIECDodd FrankBASEL IIIEU GDPRPCICCPAData Breaches keep increasing 2021 a record year for data breachesManufacturing&utilities48 compromises and a total of 48,294,629 victims.1,291 breaches in 2021 compared to 1,108 breaches in 2020Healthcare sector78 compromises and over 7 million vic

5、tims.https:/ require these Security StepsAssessLocate Risks and Vulnerabilities,Ensure that necessary security controls arePreventUsing Cryptography,User Controls,Access Controls,etcDetectStill a possibility of a breach so Audit,Monitor,AlertRecoverEnsure service is not interrupted as a result of a

6、security incidentEven through the outage of a primary databaseForensics postmortem fix vulnerabilityMySQL Security OverviewAuthenticationAuthorizationEncryptionFirewallMySQL SecurityAuditingMasking/De-Identificationhttps:/ Architecture Enterprise MonitorData EncryptionTDEEncryptionPKI Firewall Enter

7、prise AuthenticationSSO-LDAP,AD,PAM,Native Kerberos,FIDO2,WebAuthn,MFA Network Encryption Enterprise AuditPowerful Rules Engine Audit Vault Strong Authentication Access Controls Assess Prevent Detect Recover Enterprise BackupEncrypted HAInnodb ClusterThread PoolAttack minimization Key VaultProtect K

8、eys(KMIP,Rest APIs)EnterpriseMasking&De-IdentificationMaskingSubstitute/SubsetRandom Formatted DataBlacklisted DataUsersHow to ExamplesMuch can be done using SQL and 1.DBA does not need to SSH/Login to the OS where mysql is runningThis is common.2.All DBA actions must be auditedMySQL Auditing can ca

9、pture all statements performed by DBAs via SQL.3.OS Admins dont need to be touching MySQLOS Auditing should show little past the initial installationCommands not exposed4.DevOps Friendly Service oriented.5.Great for repeatable assessment and fix automation.First thingDid you type in the initial root

10、 passwordDepends on the installation packageWindows Installer and DEB Packages promptRPM does notIn not immediately reset the root passwordSecure the Root passwordRead the Post-Installation InstructionsReset the“root”Password$mysql-u root-password=sudo cat/root/.mysql_secret|cut c 87-SQL SELECT 1Mus

11、t fail with you must set passwordSQL ALTER USER rootlocalhost IDENTIFIED BY;SQL EXIT;$mysql-u root-passwordenter your new password at the promptSQL EXIT;Multiple roots?SELECT user,host FROM mysql.user where user=root and hostlocalhost;Multiple root accounts!Is the host name constrained or is it glob

12、al%Remove and”global”host roots.Limit access if remote is necessary.Note that only rootlocalhost is with a changed password!Password Policies In Place?SELECT component_urn,PASSWORD Policy Component Installed?as Note,if(count(component_urn)0,YES,NO)as Answer FROM ponent where component_urn=file:/comp

13、onent_validate_password group by component_urn;IS THE COMPONENT INSTALLED?Password PoliciesSELECT VARIABLE_NAME,VARIABLE_VALUE FROM performance_schema.global_variables where VARIABLE_NAME like valid%password%OR VARIABLE_NAME=default_password_lifetime;If neededINSTALL COMPONENT file:/component_valida

14、te_password;Set Password Policiesset persist validate_password.check_user_name=ON;set persist validate_password.dictionary_file=0 and VARIABLE_VALUE!=NULL,FAIL,PASS)as SecFileCheckFROM performance_schema.global_variables where variable_name=secure_file_priv;Turn off what you are using reduce the att

15、ack surfaceLOCAL Load Data INFILECheck local_infileselect if(local_infile,ON,OFF)as LOCAL_LOAD_DATA_ALLOWED;By Default in 8.0 this is offset persist local_infile=OFF;Secure by default-OFFUSERSInternal UsersInternal using X.509Externally Authenticating UsersProxy UsersWho,What Kind,Where/How do they

16、authenticateInternal Usersselect host,user,plugin,if(plugin=mysql_native_password,WEAK SHA1,STRONG SHA2)AS HASHTYPE FROM mysql.user WHERE user not in(mysql.infoschema,mysql.session)and(plugin not like auth%and plugin mysql_no_login)and length(authentication_string)0 order by plugin;Authenticated int

17、ernallyTo DosLock Accounts that are unknown then drop once sureDrop and create new user accounts with stricter host specificationUsers with native typically are from MySQL 5.7 upgrade to 8.0https:/ UsersSELECT user.Host,user.User,user.ssl_type,CAST(user.x509_issuer as CHAR)as Issuer,CAST(user.x509_s

18、ubject as CHAR)as Subject FROM mysql.user where(user not like mysql.%)AND ssl_type=X509;REQUIRING X509 CERTIFICATEExternal AuthenticationSELECT user.Host,user.User,user.plugin,user.authentication_string from mysql.user where plugin like auth%;Many companies are going to external authentication espec

19、ially for internal users DBAs and Developers Map and manage in LDAP,Actual User in Audit TrailMake sure users or mapped organizations should have MySQL Access.Globally manage map to Enterprise,Use stronger OptionsLDAP,Windows AD SSPI,Kerberos,FIDO2 Many OptionsMulti-Factor AuthenticationCreate with

20、2 CREATE USER alicelocalhost IDENTIFIED WITH caching_sha2_password BY sha2_password AND IDENTIFIED WITH authentication_ldap_sasl AS uid=u1_ldap,ou=People,dc=example,dc=com;Can add a second or here a third factor later with ALTERALTER USER alicelocalhost ADD 3 FACTOR IDENTIFIED WITH authentication_fi

21、do;“Assure that strong multi-factor authentication is pervasive to protect against common attacks against the credentials of consumers,merchants,and service providers”“The PCI DSS requires multi-factor authentication(MFA)mechanism for remote access to the Cardholder Data Environment(CDE).”Up to 3 va

22、rious regulations requiring MFA,2FA,-PCI DSS 8.3 for examplehttps:/www.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf https:/ and Proxy UsersSELECT*FROM mysql.proxies_priv where grantorboot;To inspect specific user,role or user using roleUser or for a roleSHOW GRANTS FOR app_developer%;User w

23、ith RoleSHOW GRANTS FOR u1localhost USING r1;User RightsFor example if your company policy is MAX 210SELECT VARIABLE_NAME,VARIABLE_VALUE,MUST be 210 or less as Note,IF(VARIABLE_VALUE 211,PASS,FAIL)FROM performance_schema.global_variables WHERE VARIABLE_NAME LIKE max_connections;If the result is FAIL

24、 then FIX SET PERSIST max_connections=210;Max ConnectionsMySQL Schema dbtables_priv;columns_priv;procs_priv;roles;usersInformation Schema(VIEWS)user_privilegestable_privilegesschema_privilegescolumn_privilegesUser Rights Granted Permissions MySQL Workbench Schema Inspector-GrantsMySQL Workbench Tabl

25、e Inspector-GrantsPermissions Reporting Direct GrantsWITHtableprivs AS(SELECT user,host,mysql.tables_priv as PRIV_SOURCE,DB as _db,Table_Name as _obj,as _col FROM mysql.tables_priv where Table_name like%),colprivs AS(SELECT User,Host,mysql.columns_priv as PRIV_SOURCE,DB as _db,table_name as _obj,col

26、umn_name as _col FROM mysql.columns_priv WHERE Table_name like%)SELECT user,host,PRIV_SOURCE,_db as _db,_obj,_col FROM(SELECT user,host,PRIV_SOURCE,_db,_obj,_col FROM colprivs UNIONSELECT user,host,PRIV_SOURCE,_db,_obj,_col FROM tableprivs)as tt group by user,host,PRIV_SOURCE,_db,_obj,_col;Which use

27、rs/roles have access to actoruse mysql;WITH globalprivs AS(SELECT user,host FROM mysql.user WHERE Y IN (Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,Crea

28、te_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_slave_priv,Repl_client_priv,Create_view_priv,Show_view_priv,Create_routine_priv,Alter_routine_priv,Create_user_priv,Event_priv,Trigger_priv,Create_tablespace_priv,Create_role_priv,Drop_role_priv),dbprivs AS(SELECT user,host FROM mysql.db WHERE Y I

29、N (Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Create_tmp_table_priv,Lock_tables_priv,Create_view_priv,Show_view_priv,Create_routine_priv,Alter_routine_priv,Execute_priv,Event_priv,Trigger_priv),tableprivs AS(SELECT user,host

30、 FROM tables_priv WHERE Table_name=actor),colprivs AS(SELECT User,Host FROM mysql.columns_priv WHERE Table_name=actor)SELECT user,host FROM(SELECT user,host FROM globalprivs UNION SELECT user,host FROM dbprivs UNION SELECT user,host FROM colprivs UNION SELECT user,host FROM tableprivs)as tt group by

31、 user,host;Note:There are various mysql.*users used by internal componentsmysql.informationschemamysql.session,mysql.sysUsers that can select on a tableWITH globalprivs AS(SELECT user,host FROM mysql.user WHERE Select_priv=Y ),dbprivs AS(SELECT user,host FROM mysql.db WHERE Select_priv=Y ),colprivs

32、AS(SELECT user,host FROM mysql.columns_priv WHERE Table_name=actor AND FIND_IN_SET(Select,Column_priv),tableprivs AS(SELECT User,Host FROM mysql.tables_priv WHERE Table_name=actor AND FIND_IN_SET(Select,Table_priv)SELECT user,host FROM(SELECT user,host FROM globalprivs UNION SELECT user,host FROM db

33、privs UNION SELECT user,host FROM colprivs UNION SELECT user,host FROM tableprivs)as tt group by user,host;For table actor roles who can modify dataWITH globalprivs AS(SELECT user,host FROM mysql.user WHERE Y IN (Insert_priv,Update_priv,Delete_priv,Drop_priv,Alter_priv),dbprivs AS(SELECT user,host F

34、ROM mysql.db WHERE Y IN (Insert_priv,Update_priv,Delete_priv,Drop_priv,Alter_priv),tableprivs AS(SELECT user,host FROM tables_priv WHERE table_name=actor),colprivs AS(SELECT User,Host FROM mysql.columns_priv WHERE table_name=actor)SELECT from_user,from_host FROM(SELECT user,host FROM globalprivs UNI

35、ON SELECT user,host FROM dbprivs UNION SELECT user,host FROM colprivs UNION SELECT user,host FROM tableprivs)as tt RIGHT JOIN mysql.role_edges as tr ON tr.to_user=tt.user AND tr.to_host=tt.host GROUP BY from_user,from_host;Users with administrative/global permissionsSELECT user,host,Global Priv,Sele

36、ct_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_slave_priv,Repl_client_priv,Create_view_priv,Show_view_

37、priv,Create_routine_priv,Alter_routine_priv,Create_user_priv,Event_priv,Trigger_priv,Create_tablespace_priv,Create_role_priv,Drop_role_priv FROM mysql.user WHERE(Y IN (Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,Grant_priv,Re

38、ferences_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_slave_priv,Repl_client_priv,Create_view_priv,Show_view_priv,Create_routine_priv,Alter_routine_priv,Create_user_priv,Event_priv,Trigger_priv,Create_tablespace_priv,Create_role_priv,Dro

39、p_role_priv)and(user.user not like mysql.%);Review MySQL Plugins Install if missing or uninstall if unusedSELECT PLUGINS.PLUGIN_NAME,PLUGINS.PLUGIN_VERSION,PLUGINS.PLUGIN_STATUS,PLUGINS.PLUGIN_TYPE,PLUGINS.PLUGIN_TYPE_VERSION,PLUGINS.PLUGIN_LIBRARY,PLUGINS.PLUGIN_LIBRARY_VERSION,PLUGINS.PLUGIN_DESCR

40、IPTION,PLUGINS.PLUGIN_LICENSE,PLUGINS.LOAD_OPTIONFROM information_schema.PLUGINS where plugin_library is Not null;Review User PortsSELECT VARIABLE_NAME,VARIABLE_VALUE,If the defined port is deemed prohibited,this is a FAIL.as NoteFROM performance_schema.global_variablesWHERE VARIABLE_NAME in(port,my

41、sqlx_port,admin_port);MySQL Port Reference Tableshttps:/ on where your files are storedSELECT VARIABLE_NAME,VARIABLE_VALUE FROM performance_schema.global_variablesWHERE(VARIABLE_NAME LIKE%dir or VARIABLE_NAME LIKE%file)and(VARIABLE_NAME NOT LIKE%core%AND VARIABLE_NAME local_infileAND VARIABLE_NAME r

42、elay_log_info_file)order by VARIABLE_NAME;Are your keys safe?Is keyring installed?Key manager?SELECT PLUGIN_NAME,PLUGIN_STATUS,PLUGIN_TYPE,PLUGIN_LIBRARY,PLUGIN_DESCRIPTION,LOAD_OPTION FROM information_schema.PLUGINS where PLUGIN_NAME LIKE keyring_file and plugin_status=ACTIVE;NOTE:keyring_file is n

43、ot for production.(Dev/QA only its in a Plain text file)KMIP,Encrypted Keyring,OCI Vault,Hashicorp,AWS KMS,etc.should be used in production.NOTE:Keyring installation is key manager specific.See https:/ REST Encryption ChecksInnoDB Tablespace ChecksSELECT INNODB_TABLESPACES.NAME,INNODB_TABLESPACES.EN

44、CRYPTION,IF(ENCRYPTION=Y,PASS,FAIL)as CHECK_VAL FROM information_schema.INNODB_TABLESPACES where ENCRYPTION=N;REQUIRE INNODB TDE(Are tables required to be encrypted?)SELECT VARIABLE_NAME,VARIABLE_VALUE,table_encryption_privilege_check-TABLE REQUIRE AT REST ENCRYPTION as Note,IF(VARIABLE_VALUE=ON,PAS

45、S,FAIL)as CHECK_VALFROM performance_schema.global_variables where variable_name=table_encryption_privilege_check;InnoDB REDO,UNDO,Binlog,Audit log Encrypted?SELECT VARIABLE_NAME,VARIABLE_VALUE,innodb_redo_log AT REST ENCRYPTION as Note,IF(VARIABLE_VALUE=ON,PASS,FAIL)as CHECK_VALFROM performance_sche

46、ma.global_variables where variable_name=innodb_redo_log_encrypt;-SELECT VARIABLE_NAME,VARIABLE_VALUE,innodb_undo_log AT REST ENCRYPTION as Note,IF(VARIABLE_VALUE=ON,PASS,FAIL)as CHECK_VAL FROM performance_schema.global_variables where variable_name=innodb_undo_log_encrypt;-SELECT VARIABLE_NAME,VARIA

47、BLE_VALUE,BINLOG-AT REST ENCRYPTION as Note,IF(VARIABLE_VALUE=ON,PASS,FAIL)as CHECK_VALFROM performance_schema.global_variables where variable_name=binlog_encryption;-SELECT VARIABLE_NAME,VARIABLE_VALUE,AUDIT LOG-AT REST ENCRYPTION as Note,IF(VARIABLE_VALUE=AES,PASS,FAIL)FROM performance_schema.glob

48、al_variables where variable_name=audit_log_encryption;Auditing Enabled?Is the audit plugin loadedSELECT PLUGIN_NAME,PLUGIN_STATUS,PLUGIN_TYPE,PLUGIN_LIBRARY,PLUGIN_DESCRIPTION,LOAD_OPTION FROM information_schema.PLUGINS where PLUGIN_NAME LIKE audit_log and plugin_status=ACTIVE;If not loaded then run

49、 the installations script it will add the plugin and meta tables#shell mysql-u root-p 0:print(GOOD-Connection controls are in place.)print(Showing top 50 failed login counts)r=session.run_sql(select*from information_schema.CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS order by failed_attempts desc limit

50、50)if shell.dump_rows(r)0:print()else:print(No failed logins found)else:print(RECOMMENDATION-ENABLE CONNECTION CONTROL PLUGINS)print(INSTALL PLUGIN CONNECTION_CONTROL SONAME connection_control.so;)print(INSTALL PLUGIN CONNECTION_CONTROL_FAILED_LOGIN_ATTEMPTS SONAME connection_control.so;)print(OR ad

51、d to f to force at startup)print(mysqld nplugin-load-add=connection_control.so nconnection-control=FORCE_PLUS_PERMANENT nconnection-control-failed-login-attempts=FORCE_PLUS_PERMANENT)print(Change from defaults values if desired-for example)print(SET PERSIST connection_control_failed_connections_thre

52、shold=4;)print(SET PERSIST connection_control_min_connection_delay=1500;)Upgrade,Upgrade,UpgradeStay up to dateNew LTS model makes upgrades far simpler.MySQL Security ArchitectureMySQL Enterprise Edition-SECURITYMySQL Enterprise TDEData-at-Rest EncryptionKey Management/SecurityKMIP,Hashicorp,OCI Vau

53、ltMySQL Enterprise AuthenticationExternal Authentication ModulesMicrosoft AD,Linux PAMs,LDAP,Native KerberosMySQL Enterprise EncryptionPublic/Private Key CryptographyAsymmetric EncryptionDigital Signatures,Data ValidationUser Activity Auditing,Regulatory Compliance MySQL Data MaskingMySQL Enterprise

54、 Firewall Block SQL Injection Attacks Intrusion Detection MySQL Enterprise AuditUser Activity Auditing,Regulatory ComplianceMySQL Enterprise Monitor Changes in Database Configurations,Users Permissions,Database Schema,PasswordsMySQL Enterprise Backup Securing Backups,AES 256 encryptionMySQL Enterpri

55、se Thread pool Attack HardeningEnterpriseSecurity ArchitectureData EncryptionTDEEncryptionPKI Firewall Enterprise AuthenticationSSO-LDAP,AD,PAM,Native Kerberos,FIDO2,WebAuthn,MFA Network Encryption Enterprise AuditPowerful Rules Engine Audit Vault Strong Authentication Access Controls Assess Prevent

56、 Detect Recover Enterprise BackupEncrypted HAInnodb ClusterThread PoolAttack minimization Key VaultProtect Keys(KMIP,Rest APIs)EnterpriseMasking&De-IdentificationMaskingSubstitute/SubsetRandom Formatted DataBlacklisted DataUsersAuthenticationCopyright 2024 Oracle and/or its affiliates.Plenty of opti

57、ons LDAP SASL/Kerberos Native Kerberos(8.0.26)MDS-OCI IAM/Identity Domains(8.0.26)Passwordless(FIDO U2F)For example Yubikeys MFA(up to 3 factors)(8.0.28)FIDO2 WebAuthn(8.2)Additional Authentication methods are in the works.MySQL Enterprise Authentication OptionsApplicationUsername/PasswordUsername/P

58、asswordCertificateFIDO2/U2F,WebAuthnTicketkinit-requestTicketAuth Methods(1 to 3)Challenge/ResponseLDAP/Active DirectoryX.509Fido2/WebAuthnKerberosUser/PassSASLGSSAPI/KerberosSSPI/KerberosLDAP orActive DirectoryCA CertificatesMulti-Factor up to 3KDC(Key Distribution Center)MySQL MDS AuthenticationOC

59、I SSOLDAP,Active DirectoryAzure ADOCI Identity DomainsOCIIdentity DomainsUIs/APIsOCICertificateServiceTokenCertAt Rest Encryption/TDE/KeyringCopyright 2024 Oracle and/or its affiliates.Already Complete at-restInnoDB,Redo/Undo,Binlogs,Audit Data Secure storage for sensitive system variables(8.0.29)Ex

60、tension to existing server configuration settings-determines how the SET PERSIST code will handle the backend storage of these settings.If a server variable is marked as sensitive,instead of going an OS file,it will be stored in a keyring using the keyring API.Support for more many KMIP failover ser

61、ver IPs(8.0.29)Currently 2.Expanding for up to 64.(9 was requested)FirewallCopyright 2024 Oracle and/or its affiliates.Whats added(8.0.26)Named allow list sets Turns the 1-to-1 between user accounts and Allow List rules into many-to-manyNamed group profiles can be created.A group profile can include

62、 multiple accounts as membersAn account can be a member of multiple group profiles.Define named Allow lists and then assign them to user accountsAuditCopyright 2024 Oracle and/or its affiliates.Whats AddedANALYZE TABLE statements now produce read audit eventsAudit log connect events include any conn

63、ection attributes passed by the client.audit_api_message_emit component -enables applications to add their own message events to the audit logaudit_api_message_emit_udf()user-defined function.See The Audit Message Component.Audit Log event function reading starting from specified date/time Remove an

64、d groom audit data by time and size.https:/ 2024 Oracle and/or its affiliates.Whats Added Scrub sensitive data in the audit log Epoch time format (like linux)for simplification of audit data consolation Audit log grooming by age and/or sizeDBAs that cant get on the OS to remove audit data Global Sto

65、p/Start(8.0.28)Add performance metrics to audit logs Custom Schema allows user to define use for Replication FiltersYou can replicate audit filters or now.Can switch filters using schemas as templates-change and flush.Within the filter rule you can add metricsFor exampleSELECT audit_log_filter_set_f

66、ilter(QueryStatistics,filter:class:name:general,event:name:status,print:service:implementation:mysql_server,tag:query_statistics,element:name:query_time,type:double,name:bytes_sent,type:longlong,name:bytes_received,type:longlong,name:rows_sent,type:longlong,name:rows_examined,type:longlong );https:/

67、 Log Performance StatisticsCopyright 2024,Oracle and/or its affiliates63TLSCopyright 2024 Oracle and/or its affiliates.Whats New Reload TLS certificate online Support for TLS 1.3-tls_ciphersuites system variable enables explicitly specifying which TLSv1.3 ciphersuites the server permits.TLSv1 and TL

68、Sv1.1 connection protocols now are deprecated and support for them is subject to removal in a future MySQL version.On platforms on which OpenSSL libraries are bundled The linked OpenSSL library for MySQL Server has been updated to version 1.1.1k.Issues fixed in the new OpenSSL version are described

69、athttps:/www.openssl.org/news/cl111.txt and https:/www.openssl.org/news/vulnerabilities.htmlTLSCopyright 2024 Oracle and/or its affiliates.Whats NewRouter Connection multiplexing and TLS Endpoint Moves connection creation and TLS/SSL overhead from the Server to the Router Accept connections only if

70、destinations are availableWhats next Support for OpenSSL and FIPS Object ModelMySQL Enterprise Masking and De-IdentificationData De-identification helps database customers improve securityAccelerates compliance for Government GDPR,CHHSFinancial-PCIHealthcare HIPAA,Clinic Trials DataReduce IT costs b

71、y simplifying sanitizing production dataTransforming sensitive data for use in analytics,testing,development,and moreMySQL Enterprise Masking and De-IdentificationData Masking and Random Data GenerationData MaskingString maskingDictionary based replacementSpecific maskingSSNPayment card:Strict/Relax

72、edRandom Data GeneratorsRandom number within a rangeEmailPayment card(Luhn check compliant)SSNDictionary based generationMySQL Security GuidelinesCopyright 2024 Oracle and/or its affiliates.Recommendations from ushttps:/ of Defense(DoD)approved and published Security Technical Implementation Guide(S

73、TIG)Copyright 2024 Oracle and/or its affiliates.DISA STIG for MySQL 8.0 EEhttps:/ For Internet Security BenchmarkCopyright 2024 Oracle and/or its affiliates.CIS Benchmark for MySQL 8.0 EEhttps:/www.cisecurity.org/benchmark/oracle_mysql/ResourcesCopyright 2024 Oracle and/or its affiliates.MySQL Secur

74、e Deployment Guidehttps:/ to dive into specific topics and featureshttps:/ Demand Webinarshttps:/ us with emails,requirements documentsCopyright 2024 Oracle and/or its affiliates.New features you wantWhere are your painsWhat strategies do you want to see longer termIf I can get requests in emails -r

75、equirement,use case,time frame,etc.Copyright 2024,Oracle and/or its affiliates MySQL Summit 2024Wednesday,May 1st Oracle Conference Center,Redwood Shores,CaliforniaGenerative AI and Vector StoreRegister for this free event https:/ LearningPerformance Tuning Tips and TricksHigh Availability and Disaster RecoveryAnd many more popular topicsLakehouse and AnalyticsThank You!Copyright 2024,Oracle and/or its affiliatesQ&A