Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Oracle Database Vault – DBA Best Practices
Kamal Tbeileh, Sr. Principal Product Manager, Database Security
Chi Ching Chui, Sr. Development Manager, Database Security
Program Agenda
• Oracle Database Vault – Overview
• Managing Database Users and Security
• Controlling Sensitive Database Operations
Oracle Database Vault
Privileged User Controls

[Diagram: Procurement, HR and Finance application schemas behind Oracle Database Vault; the Application connects normally, while an Application DBA and a DBA issue "select * from finance.customers"]

• Enforce who, where, when, and how data can be accessed using rules and factors
• Enforce least privilege and prevent privileged users from accessing apps data
• Prevent application by-pass and enforce enterprise data governance
• Restrict ad hoc database changes
Impact on Database Operations

Administration Task                            | Oracle Database Vault Control? | Comments
Startup, shutdown                              | No                             |
Creating databases                             | No                             |
Cloning databases                              | No                             |
Configuring DB network connectivity            | No                             |
Managing initialization parameters             | Yes                            | ALTER SYSTEM Command Rule protects some parameters
Scheduling database jobs on protected schemas  | Yes                            | Oracle Database Vault authorization is needed
Managing Database Users
Database Accounts Administrator
• Oracle Database Vault creates an Accounts Administrator in the database with the DV_ACCTMGR role
• Responsible for creating new users and profiles and managing existing ones
• Can grant the CONNECT role to users
• Can change the password of any user except the Security Admins
• As a best practice, customers should create personalized accounts for Accounts Admins
Managing Database Users
Database Security Administrator
• Oracle Database Vault creates a Security Administrator in the database with the DV_OWNER role
• Manages the creation of protection policies, including Realms and Command Rules
• Does not have access to data
• Manages his/her own password
• As a best practice, customers should create personalized accounts for Security Admins
Managing Database Users and Security

[Diagram of roles and their responsibilities:]
• Security Admin: create security policies to protect data
• Accounts Admin: create and manage database users
• Senior DBA: managing DBAs, tuning, recovery
• Junior DBA: backup, patch, install
• Application user
Managing Database Users
Senior DBAs and Junior DBAs
• Oracle Database Vault allows customers to control DBA actions
  – Distinguish between Senior and Junior DBAs
  – Distinguish between in-house DBAs and outsourced or off-shored DBAs
• A Senior DBA is a user who:
  – Has been granted system privileges and roles WITH ADMIN OPTION
  – Has been authorized as OWNER of the Oracle Data Dictionary realm
  – Can grant system privileges to new users
• A Junior DBA, outsourced DBA, or off-shored DBA can be restricted in what he/she can and cannot do
Managing Database Users and Security
For Small IT Organizations
• In a small organization where the customer has a single DBA
  – The same person will be handling multiple tasks
• As a best practice, customers should
  – Create separate dedicated accounts for the different responsibilities, for example:
    DBA_DEBRA, ACCTS_ADMIN_DEBRA, SEC_ADMIN_DEBRA
  – Lock default accounts, including the Database Vault default accounts
• This allows customers to:
  – Prevent compromised privileged accounts from accessing application data
  – Track each account’s actions for auditing and compliance
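The account layout on this slide, together with the Senior DBA definition on the earlier "Senior DBAs and Junior DBAs" slide, as an added SQL*Plus example (not part of the deck). The account names are the slide's own; the passwords and the names of the default Database Vault accounts are placeholders, and each step notes which administrator runs it, since under Database Vault no single account is meant to do all of them:

```sql
-- Added example (not from the slides): one person (Debra) with three
-- responsibilities gets three personalized accounts, following the slide's naming.
-- Passwords are placeholders; run each part as the account indicated in its comment.

-- 1. As the Database Vault account manager (DV_ACCTMGR): create the accounts.
--    Under Database Vault, CREATE USER is reserved to DV_ACCTMGR holders.
CREATE USER dba_debra         IDENTIFIED BY "<placeholder-password-1>";
CREATE USER accts_admin_debra IDENTIFIED BY "<placeholder-password-2>";
CREATE USER sec_admin_debra   IDENTIFIED BY "<placeholder-password-3>";
GRANT CONNECT TO dba_debra, accts_admin_debra, sec_admin_debra;

-- 2. Still as the account manager: hand accounts administration to the
--    personalized account (ADMIN OPTION so it can manage the role in turn).
GRANT DV_ACCTMGR TO accts_admin_debra WITH ADMIN OPTION;

-- 3. As the Database Vault owner (DV_OWNER): hand over security administration.
GRANT DV_OWNER TO sec_admin_debra WITH ADMIN OPTION;

-- 4. As an owner of the Oracle Data Dictionary realm (SYS by default):
--    a Senior DBA holds system privileges and roles WITH ADMIN OPTION ...
GRANT DBA TO dba_debra WITH ADMIN OPTION;

-- 5. As the Database Vault owner: ... and is authorized as OWNER of the
--    Oracle Data Dictionary realm, which is what lets the Senior DBA grant
--    system privileges to new users.
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Oracle Data Dictionary',
    grantee       => 'DBA_DEBRA',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- 6. As the account manager: lock the default accounts created when Database
--    Vault was configured (placeholder names; use the ones chosen at install).
ALTER USER "<default DV owner account>" ACCOUNT LOCK;
ALTER USER "<default DV account manager account>" ACCOUNT LOCK;

-- 7. Verify that each sensitive role now maps to a personalized grantee and
--    that the default accounts are locked (something an auditor can re-run).
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('DV_OWNER', 'DV_ACCTMGR', 'DBA')
 ORDER BY granted_role, grantee;

SELECT username, account_status
  FROM dba_users
 WHERE username LIKE '%DEBRA'
    OR username IN ('<default DV owner account>', '<default DV account manager account>');
```

Steps 1 to 3 and 6 run as the Database Vault account manager and owner because Database Vault deliberately splits those duties; the point of the last two queries is that the split stays visible in the catalog, not only in a policy document.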
Managing Database Users and Security
For Medium Size IT Organizations
• In a medium size organization with a handful of DBAs
  – DBAs will be multi-tasking, and one senior DBA will also be the database Security Admin
  – The customer might be outsourcing some IT operations
• As a best practice, customers should
  – Create separate dedicated accounts for the different responsibilities
  – Lock default accounts
• This allows customers to:
  – Prevent compromised privileged accounts from accessing application data
  – Outsource some IT operations while controlling the outsourced DBAs’ actions
  – Protect the database from unauthorized changes
Managing Database Users and Security
For Large IT Organizations
• For large customers
  – Dedicated staff can be assigned to database security
  – The customer has contractors and may be doing some outsourcing / off-shoring
• As a best practice, customers should
  – Create separate dedicated accounts
  – Lock default accounts
• This helps customers:
  – Prevent hackers from accessing application data
  – Control what junior DBAs, outsourced DBAs, or off-shored DBAs can do
  – Protect the database from unauthorized changes
Managing Database Users and Security
For SaaS and Cloud Services Providers
• A cloud services provider
  – Can delegate Security Administration and Accounts Administration to customers, so they manage who can access their data
  – Can give its own security staff access in an emergency
• As a best practice, cloud services providers should
  – Create separate dedicated accounts for customers and for their own staff
  – Lock default accounts
• This helps cloud services providers:
  – Improve the SLA when it comes to security
  – Empower end customers and give them the final say on who can access their data
Managing Database Users and Security
IT Organization Separation of Duty

[Organization chart: Company CIO, with the following groups reporting in]

Database Administration
• Backup
• Tuning
• Patching and upgrade
• Replication and High Availability
• Work with security and data owners for emergency access

Information Security Management
• Develop and communicate security policies
• Conduct internal audits with the security group
• Work with external auditors
• Work with the security team to remedy any audit finding

User Provisioning
• Provision new users
• Assign roles and responsibilities
• De-provision users who leave the company
• Manage Database accounts
• Manage passwords for default accounts

Development
• Develop new applications
• Maintain existing applications
• Provide patches to DBAs to apply on production

QA
• Test applications and patches with Oracle Database Vault

Database Security
• Manage Oracle Database Vault Realms and Command rules
• Review security reports
• Work with business owners to authorize exceptions and monitoring
• Work with Information Security on internal audits
Program Agenda
• Oracle Database Vault – Overview
• Managing Database Users and Security
• Controlling Sensitive Database Operations
  – Changing Init Parameters
  – Job Scheduling
  – Oracle Data Pump
  – Oracle Streams
  – Oracle Data Guard
  – Explain Plan, Analyze Table
  – Database Patching
Controlling Changes to DB Init Parameters
ALTER SYSTEM Command Rule
• Created by default when Oracle Database Vault is installed
• Prevents changes to DB parameters related to security, audit, and file locations
  – This tightens the security of the database
• As a best practice, users or roles who should be authorized to change these init parameters need to be:
  – Granted the ALTER SYSTEM privilege
  – Added to the “Allow Fine Grained Control of System Parameters” Rule Set
Controlling Changes to DB Init Parameters
Authorizing a DBA to Change Parameters Example
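The two-step authorization from the previous slide, as an added SQL*Plus example (not the screenshot the slide carried). It assumes the account DBA_DEBRA from the small-organization slide, a rule name chosen here ("Is DBA_DEBRA"), and that the rule set keeps its "Any True" evaluation, which step 2 checks before anything is changed. The DBMS_MACADM calls run as the Database Vault owner; the GRANT needs a grantor of ALTER SYSTEM:

```sql
-- Added example, not from the slides: let one named DBA change the init
-- parameters guarded by the default ALTER SYSTEM command rule, then remove
-- the authorization again. DBA_DEBRA is the slide's example account; the
-- rule name "Is DBA_DEBRA" is chosen here.

-- 1. The ordinary system privilege is still required; Database Vault only adds a gate.
GRANT ALTER SYSTEM TO dba_debra;

-- 2. Read the rule set before touching it: its evaluation option decides
--    whether one more TRUE rule is sufficient (this example assumes "Any True").
SELECT rule_set_name, enabled, eval_options_meaning
  FROM dvsys.dba_dv_rule_set
 WHERE rule_set_name = 'Allow Fine Grained Control of System Parameters';

-- 3. Add a rule that is TRUE only for the named login user and attach it to
--    the rule set referenced by the ALTER SYSTEM command rule.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is DBA_DEBRA',
    rule_expr => 'DVSYS.DV_LOGIN_USER = ''DBA_DEBRA''');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Allow Fine Grained Control of System Parameters',
    rule_name     => 'Is DBA_DEBRA');
END;
/

-- 4. Confirm the rule/rule-set pairing (this is also what to review later
--    when checking for authorizations that were never removed).
SELECT rule_set_name, rule_name, enabled
  FROM dvsys.dba_dv_rule_set_rule
 WHERE rule_set_name = 'Allow Fine Grained Control of System Parameters';

-- 5. When the change window closes, detach and drop the rule (least privilege).
BEGIN
  DBMS_MACADM.DELETE_RULE_FROM_RULE_SET(
    rule_set_name => 'Allow Fine Grained Control of System Parameters',
    rule_name     => 'Is DBA_DEBRA');
  DBMS_MACADM.DELETE_RULE(rule_name => 'Is DBA_DEBRA');
END;
/
```

Scoping the rule to a login user rather than granting a broad role keeps the authorization tied to one auditable account, and step 5 returns the rule set to its shipped state once the work is done.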
Controlling Database Job Scheduling
• To schedule database jobs, the DBA needs privileges such as:
  – CREATE JOB, CREATE ANY JOB, MANAGE SCHEDULER
• The Security Administrator needs to authorize the DBA to schedule jobs on realm-protected schemas
• Authorization can be granted on the entire database or at the schema or table level
• Authorization can be revoked from the user once the work is done
Controlling Database Job Scheduling
Best Practice Example
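The authorize / verify / revoke cycle described on the previous slide, as an added SQL*Plus example (not the screenshot the slide carried). It assumes DBA_DEBRA from the small-organization slide and the HR schema from the overview slide as the realm-protected target; the DBMS_MACADM calls run as the Database Vault owner and the role grants need a grantor of those privileges:

```sql
-- Added example, not from the slides: authorize DBA_DEBRA (the slide's example
-- account) to run scheduler jobs against the realm-protected HR schema, check
-- the outstanding authorizations, and revoke once the job is in place.

-- 1. Ordinary scheduler privileges first; Database Vault does not replace them.
GRANT CREATE JOB, CREATE ANY JOB TO dba_debra;

-- 2. Schema-level authorization: scheduler jobs owned by DBA_DEBRA may act
--    inside HR. Prefer this over the database-wide form below.
BEGIN
  DBMS_MACADM.AUTHORIZE_SCHEDULER_USER(uname => 'DBA_DEBRA', sname => 'HR');
END;
/

-- Database-wide alternative (omit sname); broader, so use only when needed:
-- BEGIN DBMS_MACADM.AUTHORIZE_SCHEDULER_USER(uname => 'DBA_DEBRA'); END;
-- /

-- 3. Review who is currently authorized and for which schema. Every row here
--    is a standing exception to the realm and belongs on a periodic review list.
SELECT grantee, schema
  FROM dvsys.dba_dv_job_auth
 ORDER BY grantee, schema;

-- 4. Revoke as soon as the scheduling work is finished.
BEGIN
  DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER(uname => 'DBA_DEBRA', sname => 'HR');
END;
/
```

Running the review query both before and after the revoke turns the slide's "revoke once done" advice into a check that can be repeated by someone other than the DBA who asked for the access.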
Controlling Oracle Data Pump
Best Practices
• The DBA needs to be granted the EXP_FULL_DATABASE / IMP_FULL_DATABASE roles
• For realm-protected data, additional authorization is needed:
  – The Security Administrator can grant authorization on a specific database object, a whole schema, or the entire database
  – To export / import the whole database, the user needs to be granted the DV_OWNER role for the duration of the operation
• Data Pump authorization should be revoked once the export / import is done
Controlling Oracle Data Pump
Best Practices Example
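The three authorization scopes and the temporary DV_OWNER grant from the previous slide, as an added SQL*Plus example (not the screenshot the slide carried). It assumes DBA_DEBRA from the small-organization slide and the FINANCE.CUSTOMERS table shown on the overview slide; the DBMS_MACADM calls run as the Database Vault owner, and the role grants need a grantor of those roles:

```sql
-- Added example, not from the slides: Data Pump authorization for DBA_DEBRA
-- (the slide's example account), starting at the narrowest scope, plus the
-- short-lived DV_OWNER grant a full-database export needs, then everything revoked.

-- 1. Standard Data Pump roles; still required with Database Vault.
GRANT EXP_FULL_DATABASE, IMP_FULL_DATABASE TO dba_debra;

-- 2. Narrowest scope: a single realm-protected table.
BEGIN
  DBMS_MACADM.AUTHORIZE_DATAPUMP_USER(
    uname => 'DBA_DEBRA', sname => 'FINANCE', tname => 'CUSTOMERS');
END;
/

-- Whole-schema scope (omit tname) and database-wide scope (omit sname and tname):
-- BEGIN DBMS_MACADM.AUTHORIZE_DATAPUMP_USER(uname => 'DBA_DEBRA', sname => 'FINANCE'); END;
-- /
-- BEGIN DBMS_MACADM.AUTHORIZE_DATAPUMP_USER(uname => 'DBA_DEBRA'); END;
-- /

-- 3. A FULL export/import additionally needs DV_OWNER for its duration (as the
--    slide states). Grant immediately before the run and revoke right after it.
GRANT DV_OWNER TO dba_debra;
-- ... the expdp / impdp FULL=Y run happens here, outside SQL*Plus ...
REVOKE DV_OWNER FROM dba_debra;

-- 4. Revoke the Data Pump authorization once the export/import is done.
BEGIN
  DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER(
    uname => 'DBA_DEBRA', sname => 'FINANCE', tname => 'CUSTOMERS');
END;
/

-- 5. Anything still listed here is a standing bypass of the realm and should
--    be justified or removed.
SELECT grantee, schema, object
  FROM dvsys.dba_dv_datapump_auth
 ORDER BY grantee, schema, object;
```

Starting at table scope and widening only when the job requires it keeps the exception proportional to the task, and the final query is the control that catches authorizations left behind after a one-off export.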
Controlling Oracle Streams
Best Practices
• To replicate realm-protected data using Oracle Streams, grant the DV_STREAMS_ADMIN role to the user who manages the replication
Oracle Data Guard
Best Practices
• For Oracle Active Data Guard and Oracle Data Guard Physical Standby:
  – Install the Oracle Database Vault software on the primary database and on all standby databases
  – Follow the instructions in Oracle Support note 754065.1
• Oracle Data Guard Logical Standby is not currently supported with Oracle Database Vault
Running EXPLAIN PLAN
Best Practice
• A DBA can run EXPLAIN PLAN on realm-protected tables without Realm authorization or access to the apps data
• PLAN_TABLE should be created in
  – The DBA’s own schema
  – Or in a schema where the DBA has INSERT and SELECT privileges on the table
Running EXPLAIN PLAN
Best Practice Example
Running ANALYZE TABLE
Best Practice
• A DBA can run ANALYZE TABLE on realm-protected tables without Realm authorization or access to the apps data
• The CHAINED_ROWS table should be created in
  – The DBA’s own schema
  – Or in a schema where the DBA has INSERT and SELECT privileges on the table
Running ANALYZE TABLE
Best Practice Example
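One SQL*Plus script covering both the EXPLAIN PLAN slide and the ANALYZE TABLE slide, added here as an example and not part of the deck. It runs as DBA_DEBRA (account name from the small-organization slide) against FINANCE.CUSTOMERS from the overview slide; the column names CUSTOMER_ID and REGION are assumed for the sake of the example, and the output tables are created in the DBA's own schema with the scripts that ship in $ORACLE_HOME/rdbms/admin, so no realm authorization is requested:

```sql
-- Added example, not from the slides: EXPLAIN PLAN and ANALYZE TABLE on the
-- realm-protected FINANCE.CUSTOMERS table with the result tables in the DBA's
-- own schema. Run as DBA_DEBRA. Column names CUSTOMER_ID and REGION are assumed.

-- 1. Create PLAN_TABLE and CHAINED_ROWS in the current schema with the scripts
--    shipped with the database ("?" expands to $ORACLE_HOME in SQL*Plus).
@?/rdbms/admin/utlxplan.sql
@?/rdbms/admin/utlchain.sql

-- 2. Explain into the DBA's own PLAN_TABLE. The statement is parsed and
--    optimized, but no rows of FINANCE.CUSTOMERS are read, so the realm is
--    not violated.
EXPLAIN PLAN SET STATEMENT_ID = 'cust_by_region' INTO dba_debra.plan_table FOR
  SELECT customer_id, region
    FROM finance.customers
   WHERE region = 'WEST';

SELECT plan_table_output
  FROM TABLE(DBMS_XPLAN.DISPLAY('PLAN_TABLE', 'cust_by_region'));

-- 3. Analyze into the DBA's own CHAINED_ROWS table. Only row identifiers of
--    chained rows are recorded, not application data.
ANALYZE TABLE finance.customers LIST CHAINED ROWS INTO dba_debra.chained_rows;

SELECT owner_name, table_name, COUNT(*) AS chained_rows
  FROM dba_debra.chained_rows
 GROUP BY owner_name, table_name;

-- 4. Control check: reading the data itself is still blocked by the realm
--    (expect ORA-01031: insufficient privileges), which is the property the
--    two best-practice slides rely on.
SELECT COUNT(*) FROM finance.customers;
```

Keeping both output tables in the DBA's schema means the tuning work leaves no objects, and no grants, inside the protected application schema.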
Database Patching
Best Practices
• Grant the DV_PATCH_ADMIN role to the user doing the database patching – typically the SYS user
• Protection of the apps data remains in effect during patching
• Revoke the DV_PATCH_ADMIN role once patching is done
Database Patching
Best Practices Example
Oracle Database Vault – DBA Best Practices
Additional Resources
• Oracle Technology Network link
oracle.com/technetwork/database/options/database-vault/index.html
– Download white papers and watch demos
– Download protection policies for Applications
• PeopleSoft, Siebel, JD Edwards EnterpriseOne and more
– Download information on SAP certification
Oracle Open World – Thursday, October 6

TIME                | TITLE                                                                                                                                              | LOCATION
9:00 am – 10:00 am  | Hands-On Lab: Oracle Audit Vault (29964); Tammy Bednar, Sr. Principal Product Manager, Oracle                                                       | Marriott Marquis, Room: Salon 12/13
9:00 am – 10:00 am  | Session: Improving Your Security Posture (13220); Bruce Lowenthal, Director of Security Alerts, Oracle; Eric Maurice, Director of Software Security Assurance, Oracle | Moscone South, Room: 300
10:30 am – 11:30 am | Oracle Exadata: Enabling Research at Merck (9687); Michael Tucker, Database Administrator, Merck, Inc; Vinoy Lanjwal, Database Administrator, Merck, Inc | Moscone South, Room: 302
12:00 pm – 1:00 pm  | Hands-On Lab: Oracle Database Vault (29962); Kamal Tbeileh, Sr. Principal Product Manager, Oracle; Ken Zeng, Sr. Business Development Director, Oracle | Marriott Marquis, Room: Salon 12/13
1:30 pm – 2:30 pm   | Session: All About Oracle Database Security (14123); Thomas Kyte, Architect, Oracle                                                                  | Moscone South, Room: 103
3:00 am – 4:00 pm   | Session: Oracle Database Security Performance: Best Practices (13600); Kurt Lysy, Principal Product Manager, Oracle                                 | Moscone South, Room: 104
Q&A
Latin America 2011
December 6–8, 2011
Tokyo 2012
April 4–6, 2012
Oracle OpenWorld Bookstore
• Visit the Oracle OpenWorld Bookstore for a fabulous
selection of books on many of the conference topics
and more!
• Bookstore located at Moscone West, Level 2
• All Books at 20% Discount
Oracle Products Available Online
Oracle Store
Buy Oracle license and support
online today at
oracle.com/store