Oracle Security Mary Ann Davidson Director, Security Product Management Server Technologies.
Oracle Security
Mary Ann Davidson, Director, Security Product Management, Server Technologies
Agenda
Internet Security Issues
Oracle Database Security
Oracle Advanced Security
Oracle Military Security
Audit and Assurance
Summary
Internet Security Issues (1 of 2)
Issue                      Question                                    Answer
Privacy of Communications  Is an order read or modified in transit?    Network encryption
Sensitive Data Storage     Is your credit card # stored in clear?      Encryption of stored data
Granular Access Control    Can a customer see only her own order?      Virtual Private Database
Know your Users            Who is accessing the data from the web?     Strong authentication
Internet Security Issues (2 of 2)
Issue        Question                                                              Answer
Scalability  Can you support 100,000s of users?                                    Directory integration
Ease of Use  Is it easy to use for users & administrators?                         Directory integration
Flexibility  Can you support different security needs for employees & customers?  Flexible configurations
Database Security Basics
Oracle8i Standard Edition and Enterprise Edition basic security features
– password-based authentication (pre-Oracle7)
– password management (Oracle8.0)
– table and/or view-based security (Oracle7): content- and context-based security
– stored procedures (Oracle7): business logic-based security
– system and object privileges (Oracle7)
– roles (Oracle7)
– granular audit options (Oracle7)
– proxy authentication (Oracle8i)
– selective data encryption (DES and triple DES) (Oracle8i)
Database Security Extras
Oracle8i Enterprise Edition adds
– row-based, fine-grained security (Virtual Private Database)
Oracle Advanced Security option to Enterprise Edition adds
– network encryption (all protocols into the database)
– strong authentication (e.g. tokens, smart cards)
– PKI-based authentication
– centralized user management
Oracle Military Security option to Enterprise Edition adds
– label-based access control
e-business problem: Data-driven Security Needed
E-commerce demands data-driven, user-based security
– Customers must see their own orders only
Cost of ownership
– Build security in one place, not many
– Web-hosting: only invest in one deployment, not multiple expensive subnets
Application-based security is insecure!
– Ad hoc query problem: bypass the application and there is no security!
e-business problem: Security Policy Needs
Merchants
– Customers can see their own orders only
Banks
– Online banking customers can access their own accounts only
Government
– Benefits recipients can see their own Social Security information only
The solution: Virtual Private Database
Users only see data that they have access to
– Conditions can differ by user
Data access is managed at the database level
– Fine-Grained Access Control: enforced at the server
– Application Context: determines the access control condition
Diagram: a sales rep and a customer each issue the same statement, SELECT * FROM ORDERS, against the one ORDERS table; the sales rep sees orders for his own customers only, the customer sees only their own orders.
Virtual Private Database
• Associate security policies (implemented by functions) with tables or views
• Server automatically enforces security policies (no matter how data is accessed)
• Application context provides flexible access control definition
• Non-bypassable security eliminates the need to use many views to implement security
Diagram: four separate sessions each issue SELECT * FROM ORDERS against the single ORDERS table, and each receives only the rows its policy allows.
Virtual Private Database: Benefits to customers
Works in 2-tier or 3-tier systems
Highly scalable for Internet applications
– Rewritten queries are fully optimized and can be shared
– e.g. 1 SQL statement executes differently for 50,000 users
Application context provides flexibility
– Each application can have its own 'security attributes' (e.g. employee number, country code, position, etc.)
– Built-in security attributes for IP address, username, DN from certificate, etc. to use for access control
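A worked policy of the kind the VPD slides above describe, added here as an example; it is not code from the presentation or from Oracle. The ORDERS_APP schema, the ORDERS and APP_USERS tables, the ORD_CTX namespace and the ORD_CTX_PKG package are all assumed for illustration.

```sql
-- Added example (not from the presentation): a Virtual Private Database policy on ORDERS.
-- Schema ORDERS_APP, tables ORDERS and APP_USERS, namespace ORD_CTX and package ORD_CTX_PKG
-- are assumed for illustration.
CREATE TABLE orders_app.orders (
  order_id    NUMBER PRIMARY KEY,
  customer_id NUMBER NOT NULL,
  sales_rep   VARCHAR2(30) NOT NULL,   -- database user name of the rep who owns the account
  amount      NUMBER
);

-- Maps a database user to the security attributes the policy needs (assumed lookup table)
CREATE TABLE orders_app.app_users (
  db_user     VARCHAR2(30) PRIMARY KEY,
  app_role    VARCHAR2(10) NOT NULL,   -- 'CUSTOMER' or 'SALES_REP'
  customer_id NUMBER                   -- set for customers only
);

-- 1. Application context. Only ORD_CTX_PKG may write attributes into the ORD_CTX namespace,
--    so a user cannot promote himself by calling DBMS_SESSION.SET_CONTEXT directly.
CREATE CONTEXT ord_ctx USING orders_app.ord_ctx_pkg;

CREATE OR REPLACE PACKAGE orders_app.ord_ctx_pkg AS
  PROCEDURE set_ctx;
END ord_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY orders_app.ord_ctx_pkg AS
  PROCEDURE set_ctx IS
    v_role orders_app.app_users.app_role%TYPE;
    v_cust orders_app.app_users.customer_id%TYPE;
  BEGIN
    SELECT app_role, customer_id INTO v_role, v_cust
      FROM orders_app.app_users
     WHERE db_user = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('ord_ctx', 'role', v_role);
    DBMS_SESSION.SET_CONTEXT('ord_ctx', 'customer_id', TO_CHAR(v_cust));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      NULL;   -- unknown user: context stays empty and the policy below returns no rows
  END set_ctx;
END ord_ctx_pkg;
/

-- 2. Policy function: returns the WHERE clause the server appends to every statement on ORDERS.
CREATE OR REPLACE FUNCTION orders_app.orders_policy(p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
  v_role VARCHAR2(10) := SYS_CONTEXT('ord_ctx', 'role');
BEGIN
  IF v_role = 'CUSTOMER' THEN
    -- customer sees only their own orders
    RETURN 'customer_id = TO_NUMBER(SYS_CONTEXT(''ord_ctx'', ''customer_id''))';
  ELSIF v_role = 'SALES_REP' THEN
    -- sales rep sees orders for his own customers only
    RETURN 'sales_rep = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
  END IF;
  RETURN '1 = 0';   -- no context: fail closed, zero rows
END orders_policy;
/

-- 3. Attach the policy. From now on every SELECT, INSERT, UPDATE and DELETE on ORDERS is
--    rewritten by the server, whatever tool issued it.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'ORDERS_APP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_SEC',
    function_schema => 'ORDERS_APP',
    policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);   -- also reject INSERTs/UPDATEs that would create rows the user cannot see
END;
/

-- 4. Populate the context at logon (needs ADMINISTER DATABASE TRIGGER). An unhandled error
--    here would block the logon of ordinary users, which is why set_ctx swallows NO_DATA_FOUND.
CREATE OR REPLACE TRIGGER orders_app.orders_ctx_logon
  AFTER LOGON ON DATABASE
BEGIN
  orders_app.ord_ctx_pkg.set_ctx;
END;
/

-- A customer and a sales rep now run the identical statement and get different rows:
SELECT * FROM orders_app.orders;
```

The predicate refers to SYS_CONTEXT rather than embedding the customer number as a literal, so the rewritten statement has the same text for every user and can share one parsed cursor, which is what the scalability bullet above relies on. An empty context makes the policy return 1 = 0, so an account missing from APP_USERS gets no rows rather than all of them; the default branch is the line to check first when reviewing any policy function.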
Virtual Private Database: Benefits to customers
Lower cost of ownership
– Build security once, in the data server
– Certify core security code, not multiple applications
Remove the 'application security problem'
– Enforce the same security, no matter how the user accesses data
Hosting opportunities
– Host multiple companies' data in the same database, instead of in different subnets
– OracleSalesOnline.com (7,000 customers, 100,000 users)
e-business problem: Storing Sensitive Information
Many businesses store sensitive financial and personal information in databases
– credit card numbers
– social security numbers
Access control is the first line of defense
– it does not protect against break-ins from operating system hacks: an attacker who reaches the data files on the OS reads them without ever passing through database access control
The solution: Stored Data Encryption
Oracle8i has a simple encrypt/decrypt interface (DBMS_OBFUSCATION_TOOLKIT)
– DES (8.1.6)
– Triple DES (2-key and 3-key) (8.1.7)
– MD5 cryptographic checksum
Application must provide key generation, key management, recovery
– Encryption keys must be stored somewhere (e.g., in a database file, on the OS)
Not difficult to provide secure encrypted data storage
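An added example of the interface the slide names, not code from the presentation or from Oracle: a package that keeps card numbers encrypted with three-key triple DES from DBMS_OBFUSCATION_TOOLKIT and keeps the key out of the database. The CARD_VAULT table, the CARD_CRYPTO package and the key value in the usage call are assumed for illustration; the key shown is a constructed placeholder.

```sql
-- Added example (not from the presentation): column encryption with DBMS_OBFUSCATION_TOOLKIT.
-- CARD_VAULT, CARD_CRYPTO and the key value below are assumed for illustration.
CREATE TABLE card_vault (
  customer_id NUMBER PRIMARY KEY,
  card_enc    RAW(64)          -- ciphertext only; the clear card number is never stored
);

CREATE OR REPLACE PACKAGE card_crypto AS
  PROCEDURE load_key(p_key IN RAW);                       -- 24-byte key for 3-key triple DES
  FUNCTION  encrypt_pan(p_pan IN VARCHAR2) RETURN RAW;
  FUNCTION  decrypt_pan(p_enc IN RAW) RETURN VARCHAR2;
END card_crypto;
/
CREATE OR REPLACE PACKAGE BODY card_crypto AS
  -- Lives only in this session's package state. Nothing here writes it to a table or a file;
  -- each session must receive it from the application's own secret store (wallet, HSM, prompt).
  g_key RAW(24);

  PROCEDURE load_key(p_key IN RAW) IS
  BEGIN
    IF UTL_RAW.LENGTH(p_key) <> 24 THEN
      RAISE_APPLICATION_ERROR(-20001, 'key must be 24 bytes for 3-key triple DES');
    END IF;
    g_key := p_key;
  END load_key;

  -- DES works on 8-byte blocks and the toolkit does no padding: pad with blanks to a multiple of 8
  FUNCTION encrypt_pan(p_pan IN VARCHAR2) RETURN RAW IS
    v_plain VARCHAR2(64) := RPAD(p_pan, CEIL(LENGTH(p_pan) / 8) * 8, ' ');
    v_enc   RAW(64);
  BEGIN
    IF g_key IS NULL THEN
      RAISE_APPLICATION_ERROR(-20002, 'encryption key not loaded in this session');
    END IF;
    DBMS_OBFUSCATION_TOOLKIT.DES3Encrypt(
      input          => UTL_RAW.CAST_TO_RAW(v_plain),
      key            => g_key,
      which          => DBMS_OBFUSCATION_TOOLKIT.ThreeKeyMode,
      encrypted_data => v_enc);
    RETURN v_enc;
  END encrypt_pan;

  FUNCTION decrypt_pan(p_enc IN RAW) RETURN VARCHAR2 IS
    v_dec RAW(64);
  BEGIN
    IF g_key IS NULL THEN
      RAISE_APPLICATION_ERROR(-20002, 'encryption key not loaded in this session');
    END IF;
    DBMS_OBFUSCATION_TOOLKIT.DES3Decrypt(
      input          => p_enc,
      key            => g_key,
      which          => DBMS_OBFUSCATION_TOOLKIT.ThreeKeyMode,
      decrypted_data => v_dec);
    RETURN RTRIM(UTL_RAW.CAST_TO_VARCHAR2(v_dec));   -- strip the blank padding again
  END decrypt_pan;
END card_crypto;
/

-- Usage. The key is a constructed placeholder (48 hex digits = 24 bytes), not a real key.
BEGIN
  card_crypto.load_key(HEXTORAW('0123456789ABCDEFFEDCBA98765432100011223344556677'));
  INSERT INTO card_vault VALUES (42, card_crypto.encrypt_pan('4111111111111111'));
END;
/
SELECT card_crypto.decrypt_pan(card_enc) AS pan FROM card_vault WHERE customer_id = 42;
```

Two caveats a practitioner would want next to the slide's "not difficult". The 8i toolkit takes no initialisation vector, so equal card numbers produce equal ciphertext under the same key and anyone who can read the column can tell which customers share a card. And the toolkit's MD5 function is an unkeyed checksum, not a MAC: it does not detect tampering by someone who can also rewrite the checksum, so it is no substitute for access control on the table.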
e-business Problem: Security Challenges of Middle-Tiers
Who is the real user?
Does the middle tier have too much privilege?
Can I keep users from accessing data directly?
How/who do I audit?
Can I/should I re-authenticate the client?
Diagram: Clients A, B and C connect to an application server or TP monitor, which holds the connection to the database; the database sees only that one connection and cannot tell whether Client A, B or C is behind it.
The solution: Proxy Authentication
Who is the real user?
– Pass through the identity of the real user to the data server
Does the middle tier have too much privilege?
– Limit the privilege of the middle tier: it may connect as certain users only, using certain roles only
Can I keep the user from directly accessing data?
– Yes, using VPD ("Did the user connect through APPSERVER? If not, no data access!")
How to audit?
– Audit actions "on behalf of" the real user
Can I/should I re-authenticate the client?
– Not possible for SSL (the client's SSL session terminates at the middle tier, so the database never sees the client's certificate proof); optional password-based re-authentication
Proxy Authentication (plus VPD)
Diagram: Users A to F authenticate to the application server, which connects to Oracle8i on behalf of each of them.
1. User authenticates to middle tier
2. Middle tier proxies user identity to database
3. VPD limits access to data (optionally)
Proxy Authentication: Benefits to customers
Limited trust model
– No more super-privileged middle tiers
Scalability
– Supports "lightweight" user sessions
– No network overhead from re-authenticating the client
Accountability
– Preserves identity of the real user
– Audit actions taken "on behalf of" the user
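The set-up the three proxy-authentication slides describe, written out as an added example for the online-banking case; it is not code from the presentation or from Oracle. The APPSERVER account, the BANK_ROLE role, users ALICE and BOB, the BANK schema and its ACCOUNTS table are assumed for illustration, and the password is a placeholder.

```sql
-- Added example (not from the presentation): proxy authentication plus a VPD policy that refuses
-- direct connections. APPSERVER, BANK_ROLE, ALICE, BOB, BANK.ACCOUNTS and the password are assumed.
CREATE TABLE bank.accounts (
  account_no NUMBER PRIMARY KEY,
  owner_user VARCHAR2(30) NOT NULL,   -- database user name of the customer
  balance    NUMBER
);

-- Middle-tier account: may open sessions, holds no privileges of its own on ACCOUNTS
CREATE USER appserver IDENTIFIED BY change_me_at_install;
GRANT CREATE SESSION TO appserver;

-- Real users: APPSERVER may connect on their behalf, and in such a session only BANK_ROLE is enabled
CREATE ROLE bank_role;
GRANT SELECT, UPDATE ON bank.accounts TO bank_role;
GRANT bank_role TO alice, bob;
ALTER USER alice GRANT CONNECT THROUGH appserver WITH ROLE bank_role;
ALTER USER bob   GRANT CONNECT THROUGH appserver WITH ROLE bank_role;

-- Audit what APPSERVER does "on behalf of" any proxied user
AUDIT SELECT TABLE, UPDATE TABLE BY appserver ON BEHALF OF ANY;

-- VPD policy: rows are visible only to sessions that arrived through APPSERVER
CREATE OR REPLACE FUNCTION bank.accounts_policy(p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  -- PROXY_USER is the account that opened the session on the user's behalf; NULL on a direct connection
  IF SYS_CONTEXT('USERENV', 'PROXY_USER') = 'APPSERVER' THEN
    -- online banking customers can access their own accounts only
    RETURN 'owner_user = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
  END IF;
  RETURN '1 = 0';   -- SQL*Plus, ODBC or any other direct connection: no rows at all
END accounts_policy;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'BANK',
    object_name     => 'ACCOUNTS',
    policy_name     => 'VIA_APPSERVER_ONLY',
    function_schema => 'BANK',
    policy_function => 'ACCOUNTS_POLICY',
    update_check    => TRUE);
END;
/

-- Inside a proxied session both identities are visible, which is what the audit records carry:
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS real_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS middle_tier
  FROM dual;
```

A compromised APPSERVER account gains nothing from its own grants, because it has none on ACCOUNTS; the most it can do is act as the users it is allowed to proxy, with BANK_ROLE only, and every such action is logged against the real user. The application server opens the proxied session through the client-side proxy credentials of OCI (the 8i mechanism), so the user's password is never sent to the database by the middle tier; that client-side code is outside what the slides show.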
e-business Problem: Threats to Networks and the Internet
1. Data Theft: "I see my competitor ordering from XYZ corp."
2. Data Modification or Replay: a $500 deposit becomes $50,000, or it is sent 100 times
3. Data Disruption: packets can be stolen, so the order never arrives
The Solution: Oracle Advanced Security
Encrypts all communications with the database
– From clients
– From middle tiers
Secures all protocols into the database
– Net8: native encryption, Secure Sockets Layer (SSL)
– IIOP: SSL
– Thin JDBC clients: 100% Java version of Oracle Advanced Security
Oracle Advanced Security Encryption
ASO uses industry-standard algorithms to encrypt communications with Oracle8i
– RSA RC4 (40-, 56-, and 128-bit keys)
– DES (40-, 56-bit) and 3DES
– Diffie-Hellman key exchange
Strength of cryptosystem depends on key management
– Automatic, eliminating administrative issues associated with encryption
Now Available Worldwide
Oracle Advanced Security Data Integrity
• Oracle Advanced Security includes a sequenced, cryptographic checksum with every packet before it is sent
– MD5
– SHA-1
• Automatically detects
– Modifications
– Replays of packets
– Missing packets
• Violations terminate the operation in progress and are logged in server log files
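The server-side configuration that turns on the encryption and integrity services of the two preceding slides, added here as an example rather than taken from the presentation. The parameters are the ones Oracle Advanced Security reads from sqlnet.ora; the seed value is a constructed placeholder, and which algorithm names a given 8i patch level accepts is an assumption to check against that release's list.

```ini
# Added example (not from the presentation): sqlnet.ora on the database server.
# "required" refuses any client that cannot negotiate the service; "requested" would fall back to clear.
SQLNET.ENCRYPTION_SERVER = required
SQLNET.ENCRYPTION_TYPES_SERVER = (RC4_128, 3DES168)

# Sequenced keyed checksum on every packet: detects modification, replay and missing packets
SQLNET.CRYPTO_CHECKSUM_SERVER = required
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1, MD5)

# Seed for session key generation: 10 to 70 random characters. Placeholder value, not for use.
SQLNET.CRYPTO_SEED = "7q2m9z4c1x8v5b3n6k0l2p4w"

# Matching client-side sqlnet.ora; the algorithm lists are intersected at connect time
SQLNET.ENCRYPTION_CLIENT = required
SQLNET.ENCRYPTION_TYPES_CLIENT = (RC4_128, 3DES168)
SQLNET.CRYPTO_CHECKSUM_CLIENT = required
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA1, MD5)
```

Only the 128-bit RC4 and 168-bit 3DES entries are worth listing: the 40- and 56-bit variants on the slide exist for export-restricted deployments and fall to brute force. Setting both sides to "required" is what makes the slide's "encrypts all communications" true in practice, because "requested" or "accepted" on either end silently allows an unencrypted session. Both RC4 and DES are retired algorithms today; a current release would list AES instead.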
e-business Problem: Knowing Your Users
Users have too many passwords
– they write them down
– they make them easy to guess
– they use the same password in multiple locations
Higher value applications require stronger authentication
The Solution: Strong Authentication, Single Sign-On
Oracle Advanced Security offers strong authentication through
– Token cards (SecurID)
– Biometrics (Identix)
– RADIUS (supports multiple smart cards, fingerprints, etc.)
– PKI: X.509v3 certificates in Oracle Wallets; Entrust PKI (8.1.7)
Oracle Advanced Security supports single sign-on through
– Kerberos
– DCE
– PKI
e-business Problem: Too Many User Accounts
Diagram: Users A, B and C reach the HR database and the Mail database through an application server or TP monitor; each user holds a separate account and password on each database (connect A/pwda, B/pwdb, C/pwdc to both), and each database keeps its own copy of name, address and mailstop.
The Solution: Enterprise User Management
Diagram: Users A, B and C are defined once in Oracle Internet Directory, which holds name, address, mailstop and so on; each connects to the HR database and the Mail database with "connect /", with no per-database account or password.
Enterprise User Management
User management in LDAP-based directory
– User definition
– User authorizations (database roles)
– Multiple enterprise users can connect to/share the same database schema
No need to create users in each database a user accesses!
SSL client authentication and single sign-on
Run-time use of Oracle Internet Directory
– LDAPv3-compliant directory service
– Leverages the high scalability, reliability and security of Oracle8i
Enterprise User Management: Benefits to customers
Stronger security
– SSL-based authentication and encryption
Lower cost of ownership
– Centralized user administration
– Single enterprise user definition
– Single sign-on over SSL
Oracle Advanced Security
The value-added Internet security bundle for Oracle8i
Network Security
– Encryption (Net8 native, SSL, Java)
– Strong Authentication (3rd-party support)
– Single Sign-On (3rd party, Entrust, PKI)
Enterprise User Security
– Enterprise User Management
– GUI Tools
– Directory Integration
e-business Problem: Labeled Data Access
Most organizations explicitly or implicitly label data
– "Company Confidential," "Releasable under CDA"
– How to enforce security by label?
Privacy a huge consumer concern
– How to "OPT OUT" easily?
– How to "OPT IN" easily?
The Solution: Oracle Military Security
Mediation of data access based on:
– what labels the user is able to access
– the label of the data
– label authorizations (e.g. ability to change the label)
Markets
– Governments - for sensitive but unclassified data (e.g. Top Secret: Alpha Project)
– Healthcare (Patient/Doctor)
– Hosting (Company A only, Partner Releasable)
Built on VPD
Labels
User label: Scott holds Confidential : Financial : Org 401
Data rows (row label = Level : Compartment : Group)
Unclassified : Financial : Org 401
Unclassified : Nuclear   : Org 401
Unclassified : Financial : Org 402
Sensitive    : Personnel : HR
Confidential : Financial : Org 401
Top Secret   : Pipeline  : Denver
Columns: Levels, Compartments, Groups
Label Components
Component     Description                                                                     Examples
Level         One indication of the labeled data's ordered sensitivity ranking                Confidential
Compartments  Zero or more optional categories associated with the labeled data               Financial, Strategic
Groups        Zero or more optional identifiers of organizations owning or accessing the data  US, UK, COALITION
Example label (Levels : Compartments : Groups): Confidential : Financial : Chicago
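The read-access rule behind the Labels and Label Components slides, written out as an added example so the mediation can be checked against the six data rows shown; this is a hypothetical re-implementation for illustration, not the product's own code. The label format follows the slides (Level : Compartments : Groups); the numeric ranking of the four levels and the LABEL_DEMO package name are assumptions.

```sql
-- Added example (not from the presentation): the label dominance rule for read access.
-- Level ranks and the package name are assumed for illustration.
CREATE OR REPLACE PACKAGE label_demo AS
  -- 'Y' if a user holding user_label may read a row labelled row_label, else 'N'
  FUNCTION can_read(user_label IN VARCHAR2, row_label IN VARCHAR2) RETURN VARCHAR2;
END label_demo;
/
CREATE OR REPLACE PACKAGE BODY label_demo AS

  -- Levels are totally ordered; these ranks are the demo's assumption
  FUNCTION level_rank(p_level IN VARCHAR2) RETURN PLS_INTEGER IS
    v VARCHAR2(30) := UPPER(TRIM(p_level));
  BEGIN
    IF    v = 'UNCLASSIFIED' THEN RETURN 10;
    ELSIF v = 'SENSITIVE'    THEN RETURN 20;
    ELSIF v = 'CONFIDENTIAL' THEN RETURN 30;
    ELSIF v = 'TOP SECRET'   THEN RETURN 40;
    END IF;
    RETURN -1;                            -- unknown level: denied below
  END level_rank;

  -- n-th colon-separated component of a label, trimmed; NULL if absent
  FUNCTION part(p_label IN VARCHAR2, n IN PLS_INTEGER) RETURN VARCHAR2 IS
    v_rest VARCHAR2(4000) := p_label;
    v_pos  PLS_INTEGER;
  BEGIN
    FOR i IN 1 .. n - 1 LOOP
      v_pos := INSTR(v_rest, ':');
      IF v_pos = 0 THEN RETURN NULL; END IF;
      v_rest := SUBSTR(v_rest, v_pos + 1);
    END LOOP;
    v_pos := INSTR(v_rest, ':');
    IF v_pos > 0 THEN v_rest := SUBSTR(v_rest, 1, v_pos - 1); END IF;
    RETURN TRIM(v_rest);
  END part;

  -- Normalise a comma list to ',A,B,' (upper case, blanks removed) so membership is one INSTR
  FUNCTION norm(p_list IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    IF p_list IS NULL THEN RETURN ','; END IF;
    RETURN ',' || UPPER(REPLACE(p_list, ' ', '')) || ',';
  END norm;

  -- TRUE if every element of p_needed occurs in p_have; an empty p_needed is trivially satisfied
  FUNCTION contains_all(p_have IN VARCHAR2, p_needed IN VARCHAR2) RETURN BOOLEAN IS
    v_rest VARCHAR2(4000) := SUBSTR(p_needed, 2);    -- drop the leading comma
    v_pos  PLS_INTEGER;
  BEGIN
    WHILE v_rest IS NOT NULL LOOP
      v_pos := INSTR(v_rest, ',');
      IF INSTR(p_have, ',' || SUBSTR(v_rest, 1, v_pos - 1) || ',') = 0 THEN RETURN FALSE; END IF;
      v_rest := SUBSTR(v_rest, v_pos + 1);
    END LOOP;
    RETURN TRUE;
  END contains_all;

  -- TRUE if at least one element of p_a occurs in p_b
  FUNCTION shares_one(p_a IN VARCHAR2, p_b IN VARCHAR2) RETURN BOOLEAN IS
    v_rest VARCHAR2(4000) := SUBSTR(p_a, 2);
    v_pos  PLS_INTEGER;
  BEGIN
    WHILE v_rest IS NOT NULL LOOP
      v_pos := INSTR(v_rest, ',');
      IF INSTR(p_b, ',' || SUBSTR(v_rest, 1, v_pos - 1) || ',') > 0 THEN RETURN TRUE; END IF;
      v_rest := SUBSTR(v_rest, v_pos + 1);
    END LOOP;
    RETURN FALSE;
  END shares_one;

  FUNCTION can_read(user_label IN VARCHAR2, row_label IN VARCHAR2) RETURN VARCHAR2 IS
    u_lvl PLS_INTEGER   := level_rank(part(user_label, 1));
    r_lvl PLS_INTEGER   := level_rank(part(row_label, 1));
    r_grp VARCHAR2(4000) := norm(part(row_label, 3));
  BEGIN
    -- 1. level: the user's level must be at least the row's level
    IF u_lvl < 0 OR r_lvl < 0 OR u_lvl < r_lvl THEN RETURN 'N'; END IF;
    -- 2. compartments: the user must hold every compartment on the row
    IF NOT contains_all(norm(part(user_label, 2)), norm(part(row_label, 2))) THEN RETURN 'N'; END IF;
    -- 3. groups: if the row names groups, the user must belong to at least one of them
    IF r_grp <> ',' AND NOT shares_one(r_grp, norm(part(user_label, 3))) THEN RETURN 'N'; END IF;
    RETURN 'Y';
  END can_read;
END label_demo;
/

-- Scott's label from the Labels slide against its six data rows: Y for rows 1 and 5, N for the rest
SELECT row_label, label_demo.can_read('Confidential : Financial : Org 401', row_label) AS readable
  FROM (SELECT 'Unclassified : Financial : Org 401' AS row_label FROM dual UNION ALL
        SELECT 'Unclassified : Nuclear : Org 401'   FROM dual UNION ALL
        SELECT 'Unclassified : Financial : Org 402' FROM dual UNION ALL
        SELECT 'Sensitive : Personnel : HR'         FROM dual UNION ALL
        SELECT 'Confidential : Financial : Org 401' FROM dual UNION ALL
        SELECT 'Top Secret : Pipeline : Denver'     FROM dual);
```

Because the function returns 'Y'/'N' rather than a PL/SQL BOOLEAN, a VPD policy function can use it in the predicate it returns, which is the sense in which the next slide says the product is "built on VPD". This covers read access only; write access and the "label authorizations" bullet (who may raise or lower a row's label) are separate rules not modelled here.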
Oracle Military Security: Benefits to customers
Provides VPD out-of-the-box
– no programming required
Extends VPD to include label-based access
Runs on standard commercial operating systems
Enables data privacy by default
– labels stay with data
– automatic security enforcement based on label (e.g. OPT OUT)
Auditing Basics
Over 180 configurable audit options in the server
Audit trail location options
– Database, where it can be analyzed via SQL
– Operating System, where it can be consolidated with OS audit records
Audit records include
– username (e.g. JSMITH)
– session and terminal identifier (e.g. 12345)
– name of object accessed (e.g. EMPLOYEES)
– operation performed/attempted (e.g. SELECT)
– completion code
– date and timestamp
Audit Details
Audit option granularity (examples)
– by user (e.g. JANE)
– by privilege use (e.g. use of SELECT)
– by object accessed (e.g. SALARY table)
– by session / by access
– WHENEVER SUCCESSFUL / WHENEVER NOT SUCCESSFUL
SYSDBA and SYSOPER audit records
– startup and shutdown of database
– connection AS SYSDBA or AS SYSOPER audited to the OS record
– no audit of actions taken as SYS
Extensible Auditing
Database triggers (INSERT, UPDATE) can provide additional granularity
– e.g. capture old and new data values when records are updated and insert them into a custom history table
Database event triggers can further extend audit
– e.g. create security context ON LOGON
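The audit options and the value-capturing trigger of the three auditing slides, as an added example rather than code from the presentation. The HR.SALARY table, user JANE, the SALARY_HISTORY table and the trigger name are assumed for illustration; the audit trail queries assume the instance runs with AUDIT_TRAIL = DB.

```sql
-- Added example (not from the presentation): standard audit options plus a trigger for old/new values.
-- HR.SALARY, JANE, SALARY_HISTORY and SALARY_AUDIT are assumed; requires AUDIT_TRAIL = DB in init.ora.

-- Object audit, one record per statement, successful or not
AUDIT SELECT, UPDATE, DELETE ON hr.salary BY ACCESS;
-- Every logon and logoff
AUDIT SESSION;
-- Failed attempts by one user to read any table she has no grant on
AUDIT SELECT TABLE BY jane BY ACCESS WHENEVER NOT SUCCESSFUL;

-- The fields the Auditing Basics slide lists: user, session/terminal, object, operation, completion code, time
SELECT username, sessionid, terminal, owner, obj_name, action_name,
       returncode,             -- 0 = success, otherwise the ORA- error number of the failure
       timestamp
  FROM dba_audit_trail
 WHERE obj_name = 'SALARY'
 ORDER BY timestamp;

-- Value-level history that the standard trail does not record
CREATE TABLE salary_history (
  changed_by VARCHAR2(30),
  changed_at DATE,
  terminal   VARCHAR2(30),
  emp_id     NUMBER,
  old_salary NUMBER,
  new_salary NUMBER
);

CREATE OR REPLACE TRIGGER salary_audit
  AFTER UPDATE OF salary ON hr.salary
  FOR EACH ROW
BEGIN
  INSERT INTO salary_history
  VALUES (SYS_CONTEXT('USERENV', 'SESSION_USER'), SYSDATE,
          SYS_CONTEXT('USERENV', 'TERMINAL'),
          :OLD.emp_id, :OLD.salary, :NEW.salary);
END;
/
```

Keep SALARY_HISTORY in a schema the audited users cannot write to, or the history is only as trustworthy as the people it is meant to watch. The trigger is not a control against the DBA either: the Audit Details slide notes that actions taken as SYS are not audited, and SYS can disable or drop the trigger, so a record that must survive a privileged insider has to go to the OS audit trail or off the host.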
Audit Performance
Oracle audit is very efficient
– Each statement is parsed once, for both audit and execution
– Auditing is implemented in the database, not in an additional, add-on server
– Performance may depend on how much data is being audited (e.g. auditing all access of all types will impact performance)
Product Assurance - Security Evaluations
Only Oracle has multiple independent security evaluations of the data servers
– 12 independent security evaluations completed (Orange Book, ITSEC, Common Criteria) & first Common Criteria EAL4 of any type
– Standards-compliant (Common Criteria - ISO/IEC standard 15408)
– FIPS 140 Level 2 certification for Oracle Advanced Security
Benefits to customers
– Evaluations ensure that security claims of the Oracle server are independently verified
– Evaluations improve product quality and security
Summary: Oracle Security
Oracle has a multitude of security solutions and security features, unmatched by other vendors
– Strong, standards-based security
– Security value-add options for enhanced security
– Backed up by independent security evaluations
Security solutions establish Oracle8i as the Database for Internet Computing
– Makes Oracle8i a core component of the infrastructure for leveraging the Internet