Oracle Security

Mary Ann Davidson, Director, Security Product Management, Server Technologies

Upload: nirav

Post on 08-Jan-2016


TRANSCRIPT

Page 1: Oracle Security

Oracle Security

Mary Ann Davidson, Director, Security Product Management, Server Technologies

Page 2: Oracle Security

Agenda

– Internet Security Issues
– Oracle Database Security
– Oracle Advanced Security
– Oracle Military Security
– Audit and Assurance
– Summary

Page 3: Oracle Security

Internet Security Issues (1 of 2)

Privacy of Communications
– Is an order read or modified in transit?
– Network encryption

Sensitive Data Storage
– Is your credit card # stored in clear?
– Encryption of stored data

Granular Access Control
– Can a customer see only her own order?
– Virtual Private Database

Know your Users
– Who is accessing the data from the web?
– Strong authentication

Page 4: Oracle Security

Internet Security Issues (2 of 2)

Scalability
– Can you support 100,000s of users?
– Directory integration

Ease of Use
– Is it easy to use for users & administrators?
– Directory integration

Flexibility
– Can you support different security needs for employees & customers?
– Flexible configurations

Page 5: Oracle Security

Agenda

– Internet Security Issues
– Oracle Database Security
– Oracle Advanced Security
– Oracle Military Security
– Audit and Assurance
– Summary

Page 6: Oracle Security

Database Security Basics

Oracle8i Standard Edition and Enterprise Edition basic security features
– password-based authentication (pre-Oracle7)
– password management (Oracle8.0)
– table and/or view-based security (Oracle7)
  – content- and context-based security
– stored procedures (Oracle7)
  – business logic-based security
– system and object privileges (Oracle7)
– roles (Oracle7)
– granular audit options (Oracle7)
– proxy authentication (Oracle8i)
– selective data encryption (DES and triple DES) (Oracle8i)

Page 7: Oracle Security

Database Security Extras

Oracle8i Enterprise Edition adds
– row-based, fine-grained security (Virtual Private Database)

Oracle Advanced Security option to Enterprise Edition adds
– network encryption (all protocols into the database)
– strong authentication (e.g. tokens, smart cards)
– PKI-based authentication
– centralized user management

Oracle Military Security option to Enterprise Edition adds
– label-based access control

Page 8: Oracle Security

e-business problem: Data-driven Security Needed

E-commerce demands data-driven, user-based security
– Customers must see their own orders only

Cost of ownership
– Build security in one place, not many
– Web-hosting: Only invest in one deployment, not multiple expensive subnets

Application-based security is insecure!
– Ad hoc query problem: bypass the application and there is no security!

Page 9: Oracle Security

e-business problem: Security Policy Needs

Merchants
– Customers can see their own orders only

Banks
– Online banking customers can access their own accounts only

Government
– Benefits recipients can see their own Social Security information only

Page 10: Oracle Security

The solution: Virtual Private Database

Users only see data that they have access to
– Conditions can differ by users

Data access is managed at the database level
– Fine-Grained Access Control: Enforced at server
– Application Context: Determines access control condition

[Diagram: a Sales Rep and a Customer each issue SELECT * FROM ORDERS; against the ORDERS table]
– Sales rep sees orders for his own customers only
– Customer sees only their own orders

Page 11: Oracle Security


Virtual Private Database

• Associate security policies (implemented by functions) with tables or views

• Server automatically enforces security policies (no matter how data is accessed)

• Application context provides flexible access control definition

• Non-bypassable security eliminates the need to use many views to implement security

[Diagram: four clients each issue SELECT * FROM ORDERS; against the same ORDERS table]
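The mechanism on this slide, written out as an added example; it is not code from the presentation. The schema SHOP, the tables ORDERS and CUSTOMERS with their columns, the context ORDER_CTX and the package ORDER_SEC are hypothetical names chosen for illustration.

```sql
-- Added example, not from the slides. Hypothetical names: schema SHOP,
-- tables ORDERS and CUSTOMERS, context ORDER_CTX, package ORDER_SEC.
-- Application context: only the trusted package SHOP.ORDER_SEC can set it.
CREATE OR REPLACE CONTEXT order_ctx USING shop.order_sec;

CREATE OR REPLACE PACKAGE shop.order_sec AS
  PROCEDURE set_customer;
  FUNCTION own_orders (p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2;
END order_sec;
/
CREATE OR REPLACE PACKAGE BODY shop.order_sec AS
  PROCEDURE set_customer IS
    v_id shop.customers.customer_id%TYPE;
  BEGIN
    -- Map the authenticated database user to a customer id.
    SELECT customer_id INTO v_id
      FROM shop.customers
     WHERE db_username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('order_ctx', 'customer_id', TO_CHAR(v_id));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN NULL;  -- attribute stays unset: no rows visible
  END set_customer;
  FUNCTION own_orders (p_schema IN VARCHAR2, p_object IN VARCHAR2)
    RETURN VARCHAR2 IS
  BEGIN
    -- Predicate the server appends to every statement on ORDERS. An unset
    -- attribute is NULL, so the comparison is never true (fails closed).
    RETURN 'customer_id = TO_NUMBER(SYS_CONTEXT(''order_ctx'', ''customer_id''))';
  END own_orders;
END order_sec;
/
-- Attach the policy function to the table for all DML.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SHOP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_OWN_ROWS',
    function_schema => 'SHOP',
    policy_function => 'ORDER_SEC.OWN_ORDERS',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/
-- Populate the context at logon, before any application SQL runs.
CREATE OR REPLACE TRIGGER shop.set_order_ctx AFTER LOGON ON DATABASE
BEGIN
  shop.order_sec.set_customer;
END;
/
```

With the policy in place, an unmodified SELECT * FROM ORDERS returns only the rows whose CUSTOMER_ID matches the session's context value, whichever tool issues it. Connections as SYS are not subject to the policy, so that account needs its own controls.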

Page 12: Oracle Security

Virtual Private Database: Benefits to customers

Works in 2-tier or 3-tier systems

Highly scalable for Internet applications
– Rewritten queries are fully optimized and can be shared
– e.g. 1 SQL statement executes differently for 50,000 users

Application context provides flexibility
– Each application can have its own ‘security attributes’ (e.g. employee number, country code, position, etc.)
– Built-in security attributes for IP address, username, DN from certificate, etc. to use for access control

Page 13: Oracle Security

Virtual Private Database: Benefits to customers

Lower cost of ownership
– Build security once, in the data server
– Certify core security code, not multiple applications

Remove ‘application security problem’
– Enforce same security, no matter how user accesses data

Hosting opportunities
– Host multiple companies’ data in same database, instead of in different subnets
– OracleSalesOnline.com (7,000 customers, 100,000 users)

Page 14: Oracle Security

e-business problem: Storing Sensitive Information

Many businesses store sensitive financial and personal information in databases
– credit card numbers
– social security numbers

Access control the first line of defense
– does not protect against break-ins from operating system hacks

Page 15: Oracle Security

The solution: Stored Data Encryption

Oracle8i has a simple encrypt/decrypt interface (DBMS_OBFUSCATION_TOOLKIT)
– DES (8.1.6)
– Triple DES (2-key and 3-key) (8.1.7)
– MD5 cryptographic checksum

Application must provide key generation, key management, recovery
– Encryption keys must be stored somewhere (e.g., in a database file, on the OS)

Not difficult to provide secure encrypted data storage

Page 16: Oracle Security

e-business Problem: Security Challenges of Middle-Tiers

– Who is the real user?
– Does middle tier have too much privilege?
– Can I keep users from accessing data directly?
– How/who do I audit?
– Can I/should I re-authenticate the client?

[Diagram: Client A, Client B and Client C connect through an Application Server or TP Monitor to the Database, which sees only "Client A, B, or C?"]

Page 17: Oracle Security

The solution: Proxy Authentication

Who is the real user?
– Pass through identity of real user to data server

Does middle tier have too much privilege?
– Limit privilege of middle tier to connect as certain users only, using certain roles only

Can I keep the user from directly accessing data?
– Yes, using VPD (“Did user connect through APPSERVER? If not, no data access!”)

How to audit?
– Audit actions “on behalf of” real user

Can I/should I re-authenticate the client?
– Not possible for SSL, optional password-based reauthentication
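The answers on this slide expressed as database configuration, as an added example that is not part of the original presentation. The middle-tier account APPSERVER is the name used on the slide; the end user JANE, the role ORDER_CLERK, the table SHOP.ORDERS and the function VIA_APPSERVER are hypothetical, and JANE is assumed to exist already with ORDER_CLERK granted.

```sql
-- Added example, not from the slides. Hypothetical names: end user JANE,
-- role ORDER_CLERK, table SHOP.ORDERS, policy function VIA_APPSERVER.

-- The middle tier can open sessions but holds no data privileges itself.
CREATE USER appserver IDENTIFIED BY change_me_placeholder;  -- placeholder
GRANT CREATE SESSION TO appserver;

-- Limited trust: APPSERVER may connect on behalf of JANE only, and only
-- with the ORDER_CLERK role enabled (assumes the role is granted to JANE).
ALTER USER jane GRANT CONNECT THROUGH appserver WITH ROLE order_clerk;

-- Accountability: audit what the middle tier does on JANE's behalf.
AUDIT SELECT TABLE, UPDATE TABLE BY appserver ON BEHALF OF jane;

-- "Did user connect through APPSERVER? If not, no data access!"
CREATE OR REPLACE FUNCTION shop.via_appserver
  (p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  IF SYS_CONTEXT('USERENV', 'PROXY_USER') = 'APPSERVER' THEN
    RETURN '1 = 1';  -- proxied session: this policy adds no restriction
  END IF;
  RETURN '1 = 0';    -- direct connection (PROXY_USER is NULL): no rows
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SHOP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_VIA_APPSERVER',
    function_schema => 'SHOP',
    policy_function => 'VIA_APPSERVER');
END;
/
```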

Page 18: Oracle Security

Proxy Authentication (plus VPD)

1. User authenticates to middle tier
2. Middle tier proxies user identity to database
3. VPD limits access to data (optionally)

[Diagram: Users A through F connect to the Application Server, which proxies the identities of Users A through F to Oracle8i]

Page 19: Oracle Security

Proxy Authentication: Benefits to customers

Limited trust model
– No more super-privileged middle tiers

Scalability
– Supports “lightweight” user sessions
– No network overhead from re-authenticating client

Accountability
– Preserves identity of real user
– Audit actions taken “on behalf of” user

Page 20: Oracle Security

Agenda

– Internet Security Issues
– Oracle Database Security
– Oracle Advanced Security
– Oracle Military Security
– Audit and Assurance
– Summary

Page 21: Oracle Security

e-business Problem: Threats to Networks and the Internet

1. Data Theft
– I see my competitor ordering from XYZ corp.

2. Data Modification or Replay
– $500 deposit becomes $50,000, or it is sent 100 times

3. Data Disruption
– Packets can be stolen -- Order never arrives

Page 22: Oracle Security

The Solution: Oracle Advanced Security

Encrypts all communications with the database
– From clients
– From middle tiers

Secures all protocols into the database
– Net8
  – Native encryption
  – Secure Sockets Layer (SSL)
– IIOP
  – SSL
– Thin JDBC Clients
  – 100% Java version of Oracle Advanced Security

Page 23: Oracle Security


Oracle Advanced Security Encryption

ASO uses industry-standard algorithms to encrypt communications with Oracle8i

– RSA RC4 (40-, 56-, and 128-bit keys)

– DES (40-, 56-bit) and 3DES

– Diffie-Hellman key exchange

Strength of cryptosystem depends on key management

– Automatic, eliminating administrative issues associated with encryption

Now Available Worldwide

Page 24: Oracle Security

Oracle Advanced Security: Data Integrity

• Oracle Advanced Security includes a sequenced, cryptographic checksum with every packet before it is sent

– MD5

– SHA-1

• Automatically detects

– Modifications

– Replays of packets

– Missing packets

• Violations terminate the operation in progress and are logged in server log files

Page 25: Oracle Security

e-business Problem: Knowing Your Users

Users have too many passwords
– they write them down
– they make them easy to guess
– they use the same password in multiple locations

Higher value applications require stronger authentication

Page 26: Oracle Security

The Solution: Strong Authentication, Single Sign-On

Oracle Advanced Security offers strong authentication through
– Token cards (SecurID)
– Biometrics (Identix)
– RADIUS (supports multiple smart cards, fingerprints, etc.)
– PKI
  – X.509v3 certificates in Oracle Wallets
  – Entrust PKI (8.1.7)

Oracle Advanced Security supports single sign-on through
– Kerberos
– DCE
– PKI

Page 27: Oracle Security

e-business Problem: Too Many User Accounts

[Diagram: Users A, B and C connect through an Application Server or TP Monitor to the HR Database and the Mail Database. Each user has a separate account and password in each database (Connect A/pwda, Connect B/pwdb, Connect C/pwdc), and each database holds its own copy of Name, Address, Mailstop]

Page 28: Oracle Security

The Solution: Enterprise User Management

[Diagram: Users A, B and C connect to the HR Database and the Mail Database with "Connect /"; Oracle Internet Directory is shown with Name, Address, Mailstop...]

Page 29: Oracle Security

Enterprise User Management

User management in LDAP-based directory
– User definition
– User authorizations (database roles)
– Multiple enterprise users can connect to/share the same database schema

No need to create users in each database a user accesses!

SSL client authentication and single sign-on

Run-time use of Oracle Internet Directory
– LDAPv3 compliant directory service
– Leverages high scalability, reliability and security of Oracle8i

Page 30: Oracle Security

Enterprise User Management: Benefits to customers

Stronger security
– SSL-based authentication and encryption

Lower cost of ownership
– Centralized user administration
– Single enterprise user definition
– Single sign-on over SSL

Page 31: Oracle Security

Oracle Advanced Security

The value-added Internet security bundle for Oracle8i

Network Security
– Encryption (Net8 Native, SSL, Java)
– Strong Authentication (3rd Party Support)
– Single Sign-On (3rd Party, Entrust, PKI)

Enterprise User Security
– Enterprise User Management
– GUI Tools
– Directory Integration

Page 32: Oracle Security

Agenda

– Internet Security Issues
– Oracle Database Security
– Oracle Advanced Security
– Oracle Military Security
– Audit and Assurance
– Summary

Page 33: Oracle Security

e-business Problem: Labeled Data Access

Most organizations explicitly or implicitly label data
– “Company Confidential,” “Releasable under CDA”
– How to enforce security by label?

Privacy a huge consumer concern
– How to “OPT OUT” easily?
– How to “OPT IN” easily?

Page 34: Oracle Security

The Solution: Oracle Military Security

Mediation of data access based on:
– what labels user is able to access
– label of the data
– label authorizations (e.g. ability to change the label)

Markets
– Governments - for sensitive but unclassified data (e.g. Top Secret: Alpha Project)
– Healthcare (Patient/Doctor)
– Hosting (Company A only, Partner Releasable)

Built on VPD

Page 35: Oracle Security

Labels

User Label (Scott): Confidential : Financial : Org 401

Row Label on Data Rows (Levels : Compartments : Groups)
– Unclassified : Financial : Org 401
– Unclassified : Nuclear : Org 401
– Unclassified : Financial : Org 402
– Sensitive : Personnel : HR
– Confidential : Financial : Org 401
– Top Secret : Pipeline : Denver

Page 36: Oracle Security

Label Components

Component: Level
– Description: One indication of the labeled data’s ordered sensitivity ranking
– Examples: Confidential

Component: Compartments
– Description: Zero or more optional categories associated with the labeled data
– Examples: Financial, Strategic

Component: Groups
– Description: Zero or more optional identifiers of organizations owning or accessing the data.
– Examples: US, UK, COALITION

Example label (Levels : Compartments : Groups): Confidential : Financial : Chicago

Page 37: Oracle Security

Oracle Military Security: Benefits to customers

Provides VPD out-of-the-box
– no programming required

Extends VPD to include label-based access

Runs on standard commercial operating systems

Enables data privacy by default
– labels stay with data
– automatic security enforcement based on label (e.g. OPT OUT)

Page 38: Oracle Security

Agenda

– Internet Security Issues
– Oracle Database Security
– Oracle Advanced Security
– Oracle Military Security
– Audit and Assurance
– Summary

Page 39: Oracle Security

Auditing Basics

Over 180 configurable audit options in the server

Audit trail location options
– Database, where it can be analyzed via SQL
– Operating System, where it can be consolidated with OS audit records

Audit records include
– username (e.g. JSMITH)
– session and terminal identifier (e.g. 12345)
– name of object accessed (e.g. EMPLOYEES)
– operation performed/attempted (e.g. SELECT)
– completion code
– date and timestamp

Page 40: Oracle Security

Audit Details

Audit option granularity (examples)
– by user (e.g. JANE)
– by privilege use (e.g. use of SELECT)
– by object accessed (e.g. SALARY table)
– by session/by access
– WHEN SUCCESSFUL/WHEN NOT SUCCESSFUL

SYSDBA and SYSOPER audit records
– startup and shutdown of database
– connection AS SYSDBA or AS SYSOPER audited to the OS record
– no audit of actions taken as SYS

Page 41: Oracle Security

Extensible Auditing

Database triggers (INSERT, UPDATE) can provide additional granularity
– e.g. capture old and new data values when records are updated and insert into custom history table

Database event triggers can further extend audit
– e.g. create security context ON LOGON
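A trigger of the kind this slide describes, as an added example that is not part of the original presentation. The table HR.SALARY with columns EMP_ID and AMOUNT, the history table HR.SALARY_HISTORY and the trigger name are hypothetical.

```sql
-- Added example, not from the slides. Hypothetical names: HR.SALARY
-- (EMP_ID, AMOUNT), HR.SALARY_HISTORY, trigger HR.SALARY_AUDIT.

-- Custom history table: who changed what, from where, old and new value.
CREATE TABLE hr.salary_history (
  changed_at  DATE          NOT NULL,
  changed_by  VARCHAR2(30)  NOT NULL,
  proxy_user  VARCHAR2(30),            -- middle tier, if the session was proxied
  client_ip   VARCHAR2(40),
  emp_id      NUMBER        NOT NULL,
  old_amount  NUMBER,                  -- NULL for an INSERT
  new_amount  NUMBER
);

-- Row-level trigger: standard audit records that an UPDATE happened,
-- this adds the values before and after the change.
CREATE OR REPLACE TRIGGER hr.salary_audit
  AFTER INSERT OR UPDATE OF amount ON hr.salary
  FOR EACH ROW
BEGIN
  INSERT INTO hr.salary_history
    (changed_at, changed_by, proxy_user, client_ip,
     emp_id, old_amount, new_amount)
  VALUES
    (SYSDATE,
     SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'PROXY_USER'),
     SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
     :NEW.emp_id, :OLD.amount, :NEW.amount);
END;
/

-- Watch the history table itself: the trigger only ever inserts, so any
-- UPDATE or DELETE on it is worth a standard audit record (requires the
-- AUDIT_TRAIL initialization parameter to be enabled).
AUDIT UPDATE, DELETE ON hr.salary_history BY ACCESS;
```

Because the history row is written in the same transaction as the change, a rolled-back update leaves no history row, and the insert into the history table adds to the cost of every audited statement.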

Page 42: Oracle Security

Audit Performance

Oracle audit is very efficient
– Audit records are parsed once for both audit and execution
– Auditing is implemented in the database, not in an additional, add-on server
– Performance may depend on how much data is being audited (e.g. auditing all access of all types will impact performance)

Page 43: Oracle Security

Product Assurance - Security Evaluations

Only Oracle has multiple independent security evaluations of the data servers
– 12 independent security evaluations completed (Orange Book, ITSEC, Common Criteria) & first Common Criteria EAL4 of any type
– Standards-compliant (Common Criteria - ISO standard 15048)
– FIPS-140 Level 2 Certification for Oracle Advanced Security

Benefits to customers
– Evaluations ensure that security claims of the Oracle server are independently verified
– Evaluations improve product quality and security

Page 44: Oracle Security

Agenda

– Internet Security Issues
– Oracle Database Security
– Oracle Advanced Security
– Oracle Military Security
– Audit and Assurance
– Summary

Page 45: Oracle Security

Summary: Oracle Security

Oracle has a multitude of security solutions and security features, unmatched by other vendors
– Strong, standards-based security
– Security value-add options for enhanced security
– Backed up by independent security evaluations

Security solutions establish Oracle8i as the Database for Internet Computing
– Makes Oracle8i a core component of the infrastructure for leveraging the Internet