Oracle Security
Mary Ann Davidson
Director, Security Product Management
Server Technologies
Agenda
2

Internet Security Issues

Oracle Database Security

Oracle Advanced Security

Oracle Military Security

Audit and Assurance

Summary
Internet Security Issues (1 of 2)

Privacy of
Communications
Is an order read or
modified in transit?
Network encryption

Sensitive Data
Storage
Is your credit card #
stored in clear?
Encryption of stored data

Granular Access
Control

Know your Users
Can a customer see only
her own order?
Virtual Private Database
Who is accessing the data
from the web?
Strong authentication
Internet Security Issues (2 of 2)
4

Scalability
Can you support 100,000s of
users?
Directory integration

Ease of Use
Is it easy to use for users &
administrators?
Directory integration

Flexibility
Can you support different
security needs for
employees & customers?
Flexible configurations
Agenda
5

Internet Security Issues

Oracle Database Security

Oracle Advanced Security

Oracle Military Security

Audit and Assurance

Summary
Database Security Basics

Oracle8i Standard Edition and Enterprise Edition basic security
features
–
–
–
password-based authentication (pre-Oracle7)
password management (Oracle8.0)
table and/or view-based security (Oracle7)
l
–
stored procedures (Oracle7)
l
–
–
–
–
–
6
content- and context-based security
business logic-based security
system and object privileges (Oracle 7)
roles (Oracle7)
granular audit options (Oracle7)
proxy authentication (Oracle8i)
selective data encryption (DES and triple DES) (Oracle8i)
Database Security Extras

Oracle8i Enterprise Edition adds
–


Oracle Advanced Security option to Enterprise
Edition adds
–
network encryption (all protocols into the database)
–
strong authentication (e.g. tokens, smart cards)
–
PKI-based authentication
–
centralized user management
Oracle Military Security option to Enterprise Edition
adds
–
7
row-based, fine-grained security (Virtual Private
Database)
label-based access control
e-business problem:
Data-driven Security Needed

E-commerce demands data-driven, user-based
security
–


Cost of ownership
–
Build security in one place, not many
–
Web-hosting: Only invest in one deployment, not multiple
expensive subnets
Application-based security is insecure!
–
8
Customers must see their own orders only
Ad hoc query problem: bypass the application and there
is no security!
e-business problem:
Security Policy Needs

Merchants
–

Banks
–

Online banking customers can access their own accounts
only
Government
–
9
Customers can see their own orders only
Benefits recipients can see their own Social Security
information only
The solution:
Virtual Private Database

Users only see data that they have access to
–

Conditions can differ by users
Data access is managed at the database level
–
Fine-Grained Access Control: Enforced at server
–
Application Context: Determines access control condition
Sales
Rep
Sales rep sees orders for his
own customers only
SELECT *
FROM ORDERS;
Customer
10
Customer sees only their own orders
Virtual Private Database
SELECT *
FROM ORDERS;
SELECT *
FROM ORDERS;
11
•
Associate security policies
(implemented by functions)
with tables or views
•
Server automatically enforces
security policies (no matter
how data is accessed)
•
Application context provides
flexible access control
definition
•
Non-bypassable security
eliminates the need of using
many views to implement
security
Virtual Private Database
Benefits to customers

Works in 2-tier or 3-tier systems

Highly scalable for Internet applications

12
–
Rewritten queries are fully optimized and can be shared
–
e.g. 1 SQL statement executes differently for 50,000 users
Application context provides flexibility
–
Each application can have its own ‘security attributes’ (e.g.
employee number, country code, position, etc.)
–
Built-in security attributes for IP address, username, DN from
certificate, etc. to use for access control
Virtual Private Database
Benefits to customers


Lower cost of ownership
–
Build security once, in the data server
–
Certify core security code, not multiple applications
Remove ‘application security problem’
–

13
Enforce same security, no matter how user accesses
data
Hosting opportunities
–
Host multiple companies’ data in same database,
instead of in different subnets
–
OracleSalesOnline.com (7,000 customers, 100,000
users)
e-business problem:
Storing Sensitive Information


Many businesses store sensitive financial and
personal information in databases
–
credit card numbers
–
social security numbers
Access control the first line of defense
–
14
does not protect against break-ins from operating system
hacks
The solution:
Stored Data Encryption


Oracle8i has a simple encrypt/decrypt interface
(DBMS_OBFUSCATION_TOOLKIT)
–
DES (8.1.6)
–
Triple DES (2-key and 3-key) (8.1.7)
–
MD5 cryptographic checksum
Application must provide key generation, key
management, recovery
–

15
Encryption keys must be stored somewhere (e.g., in a
database file, on the OS)
Not difficult to provide secure encrypted data
storage
e-business Problem:
Security Challenges of Middle-Tiers
Client A
Application
Server or TP
Client B
Client A, B, or C?
Monitor
Database
Client C
16

Who is the real user?

Does middle tier have too much privilege?

Can I keep users from accessing data directly?

How/who do I audit?

Can I/should I re-authenticate the client?
The solution:
Proxy Authentication

Who is the real user?
–

Does middle tier have too much privilege?
–

17
Yes, using VPD (“Did user connect through APPSERVER? If
not, no data access!”)
How to audit?
–

Limit privilege of middle tier to connect as certain users only,
using certain roles only
Can I keep the user from directly accessing data?
–

Pass through identity of real user to data server
Audit actions “on behalf of” real user
Can I/should I re-authenticate the client?
–
Not possible for SSL, optional password-based reauthentication
Proxy Authentication (plus VPD)
User A
User B
1. User authenticates
to middle tier
2. Middle tier
proxies user
identity to database
User C
User D
Application
Server
User A
User B
User C
User D
User E
User F
Oracle8i
User E
User F
18
3. VPD limits
access to data
(optionally)
Proxy Authentication
Benefits to customers

Limited trust model
–


19
No more super-privileged middle tiers
Scalability
–
Supports “lightweight” user sessions
–
No network overhead from re-authenticating client
Accountability
–
Preserves identity of real user
–
Audit actions taken “on behalf of” user
Agenda
20

Internet Security Issues

Oracle Database Security

Oracle Advanced Security

Oracle Military Security

Audit and Assurance

Summary
e-business Problem:
Threats to Networks and the Internet
2. Data Modification or Replay
1. Data Theft
I see my
competitor
ordering from
XYZ corp.
3. Data Disruption
21
x
x
Packets can be
stolen -- Order
never arrives
$500 deposit
becomes
$50,000, or it is
sent 100 times
The Solution:
Oracle Advanced Security


Encrypts all communications with the database
–
From clients
–
From middle tiers
Secures all protocols into the database
–
–
Net8
l
Native encryption
l
Secure Sockets Layer (SSL)
IIOP
l
–
Thin JDBC Clients
l
22
SSL
100% Java version of Oracle Advanced Security
Oracle Advanced Security
Encryption


ASO uses industry-standard algorithms to encrypt
communications with Oracle8i
–
RSA RC4 (40-, 56-, and 128-bit keys)
–
DES (40-, 56-bit) and 3DES
–
Diffie-Hellman key exchange
Strength of cryptosystem depends on key
management
–
23
Now
Available
Worldwide
Automatic, eliminating administrative issues associated
with encryption
Oracle Advanced Security
Data Integrity
• Oracle Advanced Security includes a sequenced,
cryptographic checksum with every packet before it
is sent
–
MD5
–
SHA-1
• Automatically detects
– Modifications
– Replays of packets
– Missing packets
• Violations terminate the operation in progress and
are logged in server log files
24
e-business Problem:
Knowing Your Users


25
Users have too many passwords
–
they write them down
–
they make them easy to guess
–
they use the same password in multiple locations
Higher value applications require stronger
authentication
The Solution:
Strong Authentication, Single SignOn


26
Oracle Advanced Security offers strong authentication
through
–
Token cards (SecurID)
–
Biometrics (Identix)
–
RADIUS (supports multiple smart cards, fingerprints, etc.)
–
PKI
l
X.509v3 certificates in Oracle Wallets
l
Entrust PKI (8.1.7)
Oracle Advanced Security supports single sign-on through
–
Kerberos
–
DCE
–
PKI
e-business Problem:
Too Many User Accounts
Name, Address, Mailstop
User A
Application
Server or
TP Monitor
Mail
Database
User B
Name, Address, Mailstop
User C
27
HR
Database
The Solution:
Enterprise User Management
Name, Address, Mailstop...
Oracle
Internet
Directory
User A
Connect /
Mail
Database
User B
User C
28
Connect /
HR
Database
Enterprise User Management

User management in LDAP-based directory
–
User definition
–
User authorizations (database roles)
–
Multiple enterprise users can connect to/share the same
database schema
l
29
No need to create users in each database user accesses!

SSL client authentication and single sign-on

Run-time use of Oracle Internet Directory
–
LDAPv3 compliant directory service
–
Leverages high scalability, reliability and security of
Oracle8i
Enterprise User Management
Benefits to customers

Stronger security
–

30
SSL-based authentication and encryption
Lower cost of ownership
–
Centralized user administration
–
Single enterprise user definition
–
Single sign-on over SSL
Oracle Advanced Security

The value-added Internet security bundle for Oracle8i

Network Security

31
–
Encryption (Net8 Native, SSL, Java)
–
Strong Authentication (3rd Party Support)
–
Single Sign-On (3rd Party, Entrust, PKI)
Enterprise User Security
–
Enterprise User Management
–
GUI Tools
–
Directory Integration
Agenda
32

Internet Security Issues

Oracle Database Security

Oracle Advanced Security

Oracle Military Security

Audit and Assurance

Summary
e-business Problem:
Labeled Data Access


33
Most organizations explicitly or implicitly label data
–
“Company Confidential,” “Releaseable under CDA”
–
How to enforce security by label?
Privacy a huge consumer concern
–
How to “OPT OUT” easily?
–
How to “OPT IN” easily?
The Solution:
Oracle Military Security



34
Mediation of data access based on:
–
what labels user is able to access
–
label of the data
–
label authorizations (e.g. ability to change the label)
Markets
–
Governments - for sensitive but unclassified data (e.g.
Top Secret: Alpha Project)
–
Healthcare (Patient/Doctor)
–
Hosting (Company A only, Partner Releaseable)
Built on VPD
Labels
User
Scott
Label
Confidential : Financial : Org 401
Row Label
Data Rows
Unclassified : Financial : Org 401
Unclassified : Nuclear
: Org 401
Unclassified : Financial : Org 402
Sensitive
: Personnel: HR
Confidential : Financial : Org 401
Top Secret
Levels
: Pipeline : Denver
Groups
Compartments
Label Components
Confidential
Levels
Component
: Financial
Compartments
: Chicago
Groups
Description
Examples
Level
One indication of the
labeled data’s ordered
sensitivity ranking
Confidential
Compartments
Zero or more optional
categories associated with
the labeled data
Financial, Strategic
Groups
Zero or more optional
identifiers of
organizations owning or
accessing the data.
US, UK, COALITION
Oracle Military Security
Benefits to customers

Provides VPD out-of-the-box
–
37
no programming required

Extends VPD to include label-based access

Runs on standard commercial operating systems

Enables data privacy by default
–
labels stay with data
–
automatic security enforcement based on label (e.g. OPT
OUT)
Agenda
38

Internet Security Issues

Oracle Database Security

Oracle Advanced Security

Oracle Military Security

Audit and Assurance

Summary
Auditing Basics

Over 180 configurable audit options in the server

Audit trail location options

39
–
Database, where it can be analyzed via SQL
–
Operating System, where it can be consolidated with OS
audit records
Audit records include
–
username (e.g. JSMITH)
–
session and terminal identifier (e.g. 12345)
–
name of object accessed (e.g. EMPLOYEES)
–
operation performed/attempted (e.g. SELECT)
–
completion code
–
date and timestamp
Audit Details


40
Audit option granularity (examples)
–
by user (e.g. JANE)
–
by privilege use (e.g. use of SELECT)
–
by object accessed (e.g. SALARY table)
–
by session/by access
–
WHEN SUCCESSFUL/WHEN NOT SUCCESSFUL
SYSDBA and SYSOPER audit records
–
startup and shutdown of database
–
connection AS SYDBA or AS SYSOPER audited to the
OS record
–
no audit of actions taken as SYS
Extensible Auditing

Database triggers (INSERT, UPDATE) can provide
additional granularity
–

Database event triggers can further extend audit
–
41
e.g. capture old and new data values when records are
updated and insert into custom history table
e.g. create security context ON LOGON
Audit Performance

42
Oracle audit is very efficient
–
Audit records are parsed once for both audit and
execution
–
Auditing is implemented in the database, not in an
additional, add-on server
–
Performance may depend on how much data is being
audited (e.g. auditing all access of all types will impact
performance)
Product Assurance - Security
Evaluations


43
Only Oracle has multiple independent security
evaluations of the data servers
–
12 independent security evaluations completed (Orange
Book, ITSEC, Common Criteria) & first Common Criteria
EAL4 of any type
–
Standards-compliant (Common Criteria - ISO standard
15048)
–
FIPS-140 Level 2 Certification for Oracle Advanced
Security
Benefits to customers
–
Evaluations ensure that security claims of the Oracle
server are independently verified
–
Evaluations improve product quality and security
Agenda
44

Internet Security Issues

Oracle Database Security

Oracle Advanced Security

Oracle Military Security

Audit and Assurance

Summary
Summary: Oracle Security


Oracle has a multitude of security solutions and
security features, unmatched by other vendors
–
Strong, standards-based security
–
Security value-add options for enhanced security
–
Backed up by independent security evaluations
Security solutions establish Oracle8i as the
Database for Internet Computing
–
45
Makes Oracle8i a core component of the
infrastructure for leveraging the Internet