
Elisa Usai

My first presentation at the DOAG – “MySQL 8.0 Community: Ready for GDPR?”

This year I took part for the first time in the DOAG, the conference that takes place every November in Nuremberg. A few key figures about this event: Oracle and other technologies, 2,000 visitors, more than 400 sessions, more than 800 abstracts submitted, exhibitors…
And for me everything started in June, when I decided to submit an abstract for a MySQL session.

Preparation

I have been working with MySQL for several years. At the beginning of this year I started testing the new 8.0 version. We live in an age where security matters more than ever; GDPR and other regulations force us to review subjects such as privacy and data policies. MySQL has introduced lots of security improvements in this latest version.
So my session proposal for the DOAG was the following:

MySQL 8.0 Community – Ready for GDPR?
One of the most topical subjects today is security.
The new MySQL 8.0 version introduces several improvements in this area, such as:
- Encryption of undo and redo logs, which complements the existing datafile encryption
- Password rotation policy, to prevent a user from always using the same passwords
- New caching_sha2_password plugin, which lets you manage authentication in a faster and more secure way
- SQL roles, to simplify user access right management
So… let’s have a look!

When I received the e-mail telling me that my abstract had been accepted, I was happy and stressed at the same time.
I immediately started testing and studying these new features in more depth, writing my slides and preparing some demos and my talk in English. I know, for most of you this is simple, but – hey – this would be my first session ever! ;)
Working at dbi services also gives you the chance to present a session to colleagues during our internal events, to test it and get some feedback before presenting the same session at external events abroad. So in September I could present my session a first time, and this helped me feel more comfortable about presenting. Time passed and suddenly November was there…

Arriving to the DOAG

So on 19th November I caught my flight and at 7pm I was in Nuremberg. The next day I arrived at the conference centre.
My session was planned for 3pm, so I had some time in the morning to visit some booths and meet the people I wanted to see (Oracle MySQL, Quest, EDB, and my colleagues on the dbi services booth).
I also got some useful tips from my colleagues to calm my nerves and better manage my session: take a few seconds before you start talking to catch the audience’s attention, breathe properly, visit the room beforehand, and so on (thank you guys for your support during the last weeks!).

My session

The expected moment came: my VMs were running for the demos, the slides were ready, and people arrived in the room.
I started my talk with a short introduction to GDPR, explaining the importance of having privacy and data policies in our hyper-connected world. This let me make the link to the fact that MySQL 8.0 came out with lots of improvements in terms of security.
So I could finally go deeper into the technical part and explain these important new features:

- SQL Roles:
Thanks to roles, user administration is faster and grant handling is managed in a centralized way. During the session I did a demo to explain how roles are created and activated in MySQL, and I used the yEd desktop application to generate a diagram of the whole role hierarchy from a graphml file.
For more details about roles, read my previous blog post and the MySQL documentation.
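A worked example of the role setup described above, written for this post and not taken from the session demo; the sales schema, the role and account names, the sample passwords and the output directory for the GraphML file are assumptions:

```sql
-- Roles bundle privileges; accounts receive roles instead of individual grants.
CREATE ROLE 'sales_read', 'sales_write';
GRANT SELECT ON sales.* TO 'sales_read';
GRANT INSERT, UPDATE, DELETE ON sales.* TO 'sales_write';

-- Accounts (names and passwords are constructed sample values)
CREATE USER 'reporting'@'localhost' IDENTIFIED BY 'Rep0rt!ng-2018';
CREATE USER 'sales_app'@'localhost' IDENTIFIED BY 'Sa1es#App-2018';
GRANT 'sales_read' TO 'reporting'@'localhost';
GRANT 'sales_read', 'sales_write' TO 'sales_app'@'localhost';

-- A granted role is inactive until activated: define which roles become
-- active at login, otherwise the user has to run SET ROLE in every session.
SET DEFAULT ROLE ALL TO 'reporting'@'localhost', 'sales_app'@'localhost';
-- Instance-wide alternative: SET PERSIST activate_all_roles_on_login = ON;

-- Verify the effective privileges without and with the roles applied
SHOW GRANTS FOR 'sales_app'@'localhost';
SHOW GRANTS FOR 'sales_app'@'localhost' USING 'sales_read', 'sales_write';
-- Inside a session of that account: SELECT CURRENT_ROLE();

-- Least privilege in practice: take one role away from one account only
REVOKE 'sales_write' FROM 'sales_app'@'localhost';

-- Export the whole role graph as GraphML (requires ROLE_ADMIN) to open it in yEd.
-- The directory must be the one allowed by secure_file_priv (assumed path).
SELECT ROLES_GRAPHML() INTO OUTFILE '/var/lib/mysql-files/roles.graphml';
```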

- Password Reuse Policy:
It prevents users from reusing previous passwords. It can be enforced by number of changes (system variable password_history) or by time elapsed (password_reuse_interval), and it does not apply to privileged accounts.

- Password Verification Policy:
If this feature is activated, attempts to change an account password first require the current password that is to be replaced.
For more details about the password verification policy, read my previous blog post and the MySQL documentation.

- Validate Password Component:
It already existed in previous versions, but it is now a component instead of a plugin. For statements such as ALTER USER, CREATE USER, GRANT and SET PASSWORD, it checks the password of a user account against the policy we defined (LOW, MEDIUM or HIGH) and rejects the password if it is weak.
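The three password policies above (reuse, verification, validate_password component) configured together, as an added example that is not the session's own demo; the account name, host pattern and sample passwords are constructed:

```sql
-- Password reuse policy: global defaults, persisted across restarts
SET PERSIST password_history = 5;           -- none of the last 5 passwords may be reused
SET PERSIST password_reuse_interval = 365;  -- nor any password used in the last 365 days

-- Per-account override of the global policy (DEFAULT would follow the globals)
CREATE USER 'hr_app'@'10.0.0.%' IDENTIFIED BY 'Initial#Pw-2018'
  PASSWORD HISTORY 3
  PASSWORD REUSE INTERVAL 90 DAY;

-- Password verification policy: the current password is needed to change it
SET PERSIST password_require_current = ON;                -- global default
ALTER USER 'hr_app'@'10.0.0.%' PASSWORD REQUIRE CURRENT;  -- explicit per account
-- When the account changes its own password it must now supply REPLACE,
-- and the new value is checked against its history of 3 passwords.
ALTER USER 'hr_app'@'10.0.0.%'
  IDENTIFIED BY 'Second#Pw-2018' REPLACE 'Initial#Pw-2018';

-- Validate password component: in 8.0 a component, no longer a plugin
INSTALL COMPONENT 'file://component_validate_password';
SET PERSIST validate_password.policy = MEDIUM;     -- LOW, MEDIUM or HIGH
SET PERSIST validate_password.length = 12;
SET PERSIST validate_password.check_user_name = ON; -- reject passwords equal to the user name
-- From now on CREATE USER, ALTER USER, GRANT ... IDENTIFIED BY and SET PASSWORD
-- fail with a policy error when the password is too weak.
-- Score a candidate (0 to 100) before handing it to one of those statements:
SELECT VALIDATE_PASSWORD_STRENGTH('Second#Pw-2018') AS strength;

-- Review the effective settings
SHOW VARIABLES LIKE 'password_%';
SHOW VARIABLES LIKE 'validate_password%';
```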

- InnoDB Tablespace Encryption:
It is a two-tier encryption architecture based on a master key and tablespace keys. When a table is encrypted, a tablespace key is encrypted and stored in the tablespace header. When a user wants to access their data, the master key is used to decrypt the tablespace key. During the session I explained how it works, what the requirements are and how to set up this feature. I also did a demo showing how clear-text data can be extracted from the datafiles without connecting to the MySQL server, whereas this is no longer possible once encryption is activated.
This feature has existed since MySQL 5.7.11, but it helped me introduce the next chapter.

- InnoDB Redo/Undo Log Encryption:
Redo log data is encrypted and decrypted with the tablespace encryption key, which is stored in the header of ib_logfile0. Through a demo I explained what the requirements are, how to set it up and what to think about before activating this option. I also showed how sensitive data can be extracted from the redo log files if encryption is turned off.
The same applies to the encryption of InnoDB undo log files, which can be activated with the system variable innodb_undo_log_encrypt.
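Tablespace encryption and redo/undo log encryption set up end to end, as an added example covering both sections above (not the session's own demo); the keyring file path, the hr schema and the table are assumptions, and the file-based keyring is used only because it is the simplest one to demonstrate:

```sql
-- Prerequisite for every InnoDB encryption feature: a keyring plugin loaded
-- early at startup. Assumed my.cnf entries:
--   [mysqld]
--   early-plugin-load = keyring_file.so
--   keyring_file_data = /var/lib/mysql-keyring/keyring
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME LIKE 'keyring%';    -- must report ACTIVE before going on

-- Tablespace encryption: per table, in its own file-per-table tablespace.
-- The tablespace key is created, encrypted with the master key and stored
-- in the tablespace header; data pages are encrypted with the tablespace key.
CREATE TABLE hr.employees (
  id   INT PRIMARY KEY,
  name VARCHAR(100),
  iban VARCHAR(34)
) ENCRYPTION = 'Y';
-- Existing table: ALTER TABLE hr.salaries ENCRYPTION = 'Y'; (rebuilds the table)

-- Which tablespaces are protected?
SELECT NAME, ENCRYPTION
  FROM INFORMATION_SCHEMA.INNODB_TABLESPACES
 WHERE NAME LIKE 'hr/%';

-- Master key rotation: only the tablespace keys are re-encrypted with the new
-- master key; the data pages themselves are not rewritten.
ALTER INSTANCE ROTATE INNODB MASTER KEY;

-- Redo and undo log encryption. Both are dynamic, but log pages written
-- before the switch stay in clear on disk until they are overwritten, so
-- plan the activation and the log rotation together.
SET PERSIST innodb_redo_log_encrypt = ON;
SET PERSIST innodb_undo_log_encrypt = ON;
SHOW VARIABLES LIKE 'innodb_%_encrypt';

-- OS-level check of the demo described above: a known value such as an IBAN
-- inserted into hr.employees must no longer show up when `strings` is run on
-- the .ibd file or on ib_logfile0 once encryption is active.
```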

- caching_sha2_password Plugin:
In MySQL 8.0 the new caching_sha2_password plugin keeps authentication as strong as its predecessor (it still uses SHA-256 password hashing) but at the same time makes it faster: a cache on the server side lets user accounts that have already connected once bypass the full authentication.
Here is the schema I used to explain the whole authentication process with RSA key pairs:
(diagram: caching_sha2_password authentication flow)
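Server-side configuration and checks for the plugin described above, as an added example rather than the session's own material; the account names, host pattern, passwords and the client host name in the comments are constructed:

```sql
-- default_authentication_plugin is read-only at runtime, so PERSIST_ONLY
-- writes it for the next restart (caching_sha2_password is already the 8.0 default).
SET PERSIST_ONLY default_authentication_plugin = 'caching_sha2_password';

-- One account on the new plugin and one still on the old one, for comparison
CREATE USER 'app'@'10.0.0.%'
  IDENTIFIED WITH caching_sha2_password BY 'Str0ng#Pw-2018';
CREATE USER 'legacy'@'10.0.0.%'
  IDENTIFIED WITH mysql_native_password BY 'Leg4cy#Pw-2018';

-- Audit: which accounts do not use caching_sha2_password yet?
SELECT user, host, plugin
  FROM mysql.user
 WHERE plugin <> 'caching_sha2_password';

-- Migrate one of them; its next connection is a full authentication, after
-- which the server-side cache lets later connections skip the expensive part.
ALTER USER 'legacy'@'10.0.0.%'
  IDENTIFIED WITH caching_sha2_password BY 'Leg4cy#Pw-2018';

-- RSA key pair used when a client connects without TLS: the server generates
-- one unless a pair is configured, and hands the public key to the client.
SHOW VARIABLES LIKE 'caching_sha2_password_%';
SHOW STATUS LIKE 'Caching_sha2_password_rsa_public_key';

-- The cache holds accounts that completed a full authentication once.
-- FLUSH PRIVILEGES empties it; a password change for an account drops its
-- entry, so that account goes through the full authentication again.
FLUSH PRIVILEGES;

-- Client side (command line, not SQL), without TLS the client needs the
-- server public key; either fetch it or point to a trusted copy:
--   mysql --user=app --host=db.example.internal --get-server-public-key
--   mysql --user=app --host=db.example.internal --server-public-key-path=/path/to/public_key.pem
```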

A little conclusion

Participating in the DOAG and presenting there has been a very important professional, human and social experience for me. I went beyond my limits, learned lots of new things thanks to the other speakers’ sessions, met new people working in IT, and had fun with colleagues sharing some spare time. This was my first participation in a conference; it will not be the last one. Why didn’t I start earlier? ;)
