Oracle Security

Mary Ann Davidson
Director, Security Product Management
Server Technologies

Agenda
• Internet Security Issues
• Oracle Database Security
• Oracle Advanced Security
• Oracle Military Security
• Audit and Assurance
• Summary

Internet Security Issues (1 of 2)
• Privacy of Communications
  – Is an order read or modified in transit?
  – Network encryption
• Sensitive Data Storage
  – Is your credit card # stored in clear?
  – Encryption of stored data
• Granular Access Control
  – Can a customer see only her own order?
  – Virtual Private Database
• Know your Users
  – Who is accessing the data from the web?
  – Strong authentication

Internet Security Issues (2 of 2)
• Scalability
  – Can you support 100,000s of users?
  – Directory integration
• Ease of Use
  – Is it easy to use for users & administrators?
  – Directory integration
• Flexibility
  – Can you support different security needs for employees & customers?
  – Flexible configurations

Database Security Basics
• Oracle8i Standard Edition and Enterprise Edition basic security features
  – password-based authentication (pre-Oracle7)
  – password management (Oracle8.0)
  – table and/or view-based security (Oracle7)
    · content- and context-based security
  – stored procedures (Oracle7)
    · business logic-based security
  – system and object privileges (Oracle7)
  – roles (Oracle7)
  – granular audit options (Oracle7)
  – proxy authentication (Oracle8i)
  – selective data encryption (DES and triple DES) (Oracle8i)

Database Security Extras
• Oracle8i Enterprise Edition adds
  – row-based, fine-grained security (Virtual Private Database)
• Oracle Advanced Security option to Enterprise Edition adds
  – network encryption (all protocols into the database)
  – strong authentication (e.g. tokens, smart cards)
  – PKI-based authentication
  – centralized user management
• Oracle Military Security option to Enterprise Edition adds
  – label-based access control

e-business problem: Data-driven Security Needed
• E-commerce demands data-driven, user-based security
  – Customers must see their own orders only
• Cost of ownership
  – Build security in one place, not many
  – Web-hosting: Only invest in one deployment, not multiple expensive subnets
• Application-based security is insecure!
  – Ad hoc query problem: bypass the application and there is no security!

e-business problem: Security Policy Needs
• Merchants
  – Customers can see their own orders only
• Banks
  – Online banking customers can access their own accounts only
• Government
  – Benefits recipients can see their own Social Security information only

The solution: Virtual Private Database
• Users only see data that they have access to
  – Conditions can differ by users
• Data access is managed at the database level
  – Fine-Grained Access Control: Enforced at server
  – Application Context: Determines access control condition
[Diagram: a sales rep and a customer each issue SELECT * FROM ORDERS; the sales rep sees orders for his own customers only, and the customer sees only their own orders]

Virtual Private Database
[Diagram: the same query, SELECT * FROM ORDERS;, shown twice]
• Associate security policies (implemented by functions) with tables or views
• Server automatically enforces security policies (no matter how data is accessed)
• Application context provides flexible access control definition
• Non-bypassable security eliminates the need to use many views to implement security

Virtual Private Database: Benefits to customers
• Works in 2-tier or 3-tier systems
• Highly scalable for Internet applications
  – Rewritten queries are fully optimized and can be shared
  – e.g. 1 SQL statement executes differently for 50,000 users
• Application context provides flexibility
  – Each application can have its own ‘security attributes’ (e.g. employee number, country code, position, etc.)
  – Built-in security attributes for IP address, username, DN from certificate, etc. to use for access control

Virtual Private Database: Benefits to customers
• Lower cost of ownership
  – Build security once, in the data server
  – Certify core security code, not multiple applications
• Remove ‘application security problem’
  – Enforce same security, no matter how user accesses data
• Hosting opportunities
  – Host multiple companies’ data in same database, instead of in different subnets
  – OracleSalesOnline.com (7,000 customers, 100,000 users)

e-business problem: Storing Sensitive Information
• Many businesses store sensitive financial and personal information in databases
  – credit card numbers
  – social security numbers
• Access control the first line of defense
  – does not protect against break-ins from operating system hacks

The solution: Stored Data Encryption
• Oracle8i has a simple encrypt/decrypt interface (DBMS_OBFUSCATION_TOOLKIT)
  – DES (8.1.6)
  – Triple DES (2-key and 3-key) (8.1.7)
  – MD5 cryptographic checksum
• Application must provide key generation, key management, recovery
  – Encryption keys must be stored somewhere (e.g., in a database file, on the OS)
• Not difficult to provide secure encrypted data storage

e-business Problem: Security Challenges of Middle-Tiers
[Diagram: Client A, Client B and Client C connect through an Application Server or TP Monitor to the Database, which sees "Client A, B, or C?"]
• Who is the real user?
• Does middle tier have too much privilege?
• Can I keep users from accessing data directly?
• How/who do I audit?
• Can I/should I re-authenticate the client?

The solution: Proxy Authentication
• Who is the real user?
  – Pass through identity of real user to data server
• Does middle tier have too much privilege?
  – Limit privilege of middle tier to connect as certain users only, using certain roles only
• Can I keep the user from directly accessing data?
  – Yes, using VPD (“Did user connect through APPSERVER? If not, no data access!”)
• How to audit?
  – Audit actions “on behalf of” real user
• Can I/should I re-authenticate the client?
  – Not possible for SSL, optional password-based reauthentication

Proxy Authentication (plus VPD)
[Diagram: Users A through F connect to the Application Server, which connects to Oracle8i on behalf of Users A through F]
1. User authenticates to middle tier
2. Middle tier proxies user identity to database
3. VPD limits access to data (optionally)

Proxy Authentication: Benefits to customers
• Limited trust model
  – No more super-privileged middle tiers
• Scalability
  – Supports “lightweight” user sessions
  – No network overhead from re-authenticating client
• Accountability
  – Preserves identity of real user
  – Audit actions taken “on behalf of” user

e-business Problem: Threats to Networks and the Internet
1. Data Theft
  – I see my competitor ordering from XYZ corp.
2. Data Modification or Replay
  – $500 deposit becomes $50,000, or it is sent 100 times
3. Data Disruption
  – Packets can be stolen -- order never arrives

The Solution: Oracle Advanced Security
• Encrypts all communications with the database
  – From clients
  – From middle tiers
• Secures all protocols into the database
  – Net8
    · Native encryption
    · Secure Sockets Layer (SSL)
  – IIOP
    · SSL
  – Thin JDBC Clients
    · 100% Java version of Oracle Advanced Security

Oracle Advanced Security Encryption
• ASO uses industry-standard algorithms to encrypt communications with Oracle8i
  – RSA RC4 (40-, 56-, and 128-bit keys)
  – DES (40-, 56-bit) and 3DES
  – Diffie-Hellman key exchange
• Strength of cryptosystem depends on key management
  – Automatic, eliminating administrative issues associated with encryption
Now Available Worldwide

Oracle Advanced Security Data Integrity
• Oracle Advanced Security includes a sequenced, cryptographic checksum with every packet before it is sent
  – MD5
  – SHA-1
• Automatically detects
  – Modifications
  – Replays of packets
  – Missing packets
• Violations terminate the operation in progress and are logged in server log files

e-business Problem: Knowing Your Users
• Users have too many passwords
  – they write them down
  – they make them easy to guess
  – they use the same password in multiple locations
• Higher value applications require stronger authentication

The Solution: Strong Authentication, Single Sign-On
• Oracle Advanced Security offers strong authentication through
  – Token cards (SecurID)
  – Biometrics (Identix)
  – RADIUS (supports multiple smart cards, fingerprints, etc.)
  – PKI
    · X.509v3 certificates in Oracle Wallets
    · Entrust PKI (8.1.7)
• Oracle Advanced Security supports single sign-on through
  – Kerberos
  – DCE
  – PKI

e-business Problem: Too Many User Accounts
[Diagram: Users A, B and C connect through an Application Server or TP Monitor to a Mail Database and an HR Database, each holding its own copy of Name, Address, Mailstop]

The Solution: Enterprise User Management
[Diagram: Users A, B and C connect to the Mail Database and the HR Database; Name, Address, Mailstop... are held once in Oracle Internet Directory]

Enterprise User Management
• User management in LDAP-based directory
  – User definition
  – User authorizations (database roles)
  – Multiple enterprise users can connect to/share the same database schema
    · No need to create users in each database user accesses!
• SSL client authentication and single sign-on
• Run-time use of Oracle Internet Directory
  – LDAPv3 compliant directory service
  – Leverages high scalability, reliability and security of Oracle8i

Enterprise User Management: Benefits to customers
• Stronger security
  – SSL-based authentication and encryption
• Lower cost of ownership
  – Centralized user administration
  – Single enterprise user definition
  – Single sign-on over SSL

Oracle Advanced Security
The value-added Internet security bundle for Oracle8i
• Network Security
  – Encryption (Net8 Native, SSL, Java)
  – Strong Authentication (3rd Party Support)
  – Single Sign-On (3rd Party, Entrust, PKI)
• Enterprise User Security
  – Enterprise User Management
  – GUI Tools
  – Directory Integration

e-business Problem: Labeled Data Access
• Most organizations explicitly or implicitly label data
  – “Company Confidential,” “Releasable under CDA”
  – How to enforce security by label?
• Privacy a huge consumer concern
  – How to “OPT OUT” easily?
  – How to “OPT IN” easily?

The Solution: Oracle Military Security
• Mediation of data access based on:
  – what labels user is able to access
  – label of the data
  – label authorizations (e.g. ability to change the label)
• Markets
  – Governments - for sensitive but unclassified data (e.g. Top Secret: Alpha Project)
  – Healthcare (Patient/Doctor)
  – Hosting (Company A only, Partner Releasable)
• Built on VPD

Labels
• User label (user Scott): Confidential : Financial : Org 401
• Row labels on the data rows:
  – Unclassified : Financial : Org 401
  – Unclassified : Nuclear : Org 401
  – Unclassified : Financial : Org 402
  – Sensitive : Personnel : HR
  – Confidential : Financial : Org 401

Label Components
[Diagram: example labels "Top Secret : Pipeline : Denver" and "Confidential : Financial : Chicago", each read as Levels : Compartments : Groups]
Component, description and examples:
• Level
  – Description: One indication of the labeled data’s ordered sensitivity ranking
  – Examples: Confidential
• Compartments
  – Description: Zero or more optional categories associated with the labeled data
  – Examples: Financial, Strategic
• Groups
  – Description: Zero or more optional identifiers of organizations owning or accessing the data
  – Examples: US, UK, COALITION

Oracle Military Security: Benefits to customers
• Provides VPD out-of-the-box
  – no programming required
• Extends VPD to include label-based access
• Runs on standard commercial operating systems
• Enables data privacy by default
  – labels stay with data
  – automatic security enforcement based on label (e.g. OPT OUT)

Auditing Basics
• Over 180 configurable audit options in the server
• Audit trail location options
  – Database, where it can be analyzed via SQL
  – Operating System, where it can be consolidated with OS audit records
• Audit records include
  – username (e.g. JSMITH)
  – session and terminal identifier (e.g. 12345)
  – name of object accessed (e.g. EMPLOYEES)
  – operation performed/attempted (e.g. SELECT)
  – completion code
  – date and timestamp

Audit Details
• Audit option granularity (examples)
  – by user (e.g. JANE)
  – by privilege use (e.g. use of SELECT)
  – by object accessed (e.g. SALARY table)
  – by session/by access
  – WHEN SUCCESSFUL/WHEN NOT SUCCESSFUL
• SYSDBA and SYSOPER audit records
  – startup and shutdown of database
  – connection AS SYSDBA or AS SYSOPER audited to the OS record
  – no audit of actions taken as SYS

Extensible Auditing
• Database triggers (INSERT, UPDATE) can provide additional granularity
  – e.g. capture old and new data values when records are updated and insert into custom history table
• Database event triggers can further extend audit
  – e.g. create security context ON LOGON

Audit Performance
• Oracle audit is very efficient
  – Audit records are parsed once for both audit and execution
  – Auditing is implemented in the database, not in an additional, add-on server
  – Performance may depend on how much data is being audited (e.g. auditing all access of all types will impact performance)

Product Assurance - Security Evaluations
• Only Oracle has multiple independent security evaluations of the data servers
  – 12 independent security evaluations completed (Orange Book, ITSEC, Common Criteria) & first Common Criteria EAL4 of any type
  – Standards-compliant (Common Criteria - ISO standard 15048)
  – FIPS-140 Level 2 Certification for Oracle Advanced Security
• Benefits to customers
  – Evaluations ensure that security claims of the Oracle server are independently verified
  – Evaluations improve product quality and security

Summary: Oracle Security
• Oracle has a multitude of security solutions and security features, unmatched by other vendors
  – Strong, standards-based security
  – Security value-add options for enhanced security
  – Backed up by independent security evaluations
• Security solutions establish Oracle8i as the Database for Internet Computing
  – Makes Oracle8i a core component of the infrastructure for leveraging the Internet
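
The Virtual Private Database slides describe security policies implemented by functions, attached to tables, with an application context supplying the access-control condition. The sketch below shows that wiring in Oracle SQL and PL/SQL; it is an added illustration, not code from the presentation, and the APP schema, ORDERS and CUSTOMERS tables, ORDER_CTX context and ORDER_SEC package are assumed names.

```sql
-- Added illustration. Assumed names (not from the slides): schema APP, tables
-- APP.ORDERS and APP.CUSTOMERS, context ORDER_CTX, package APP.ORDER_SEC.

-- Application context: only the named package may set its attributes.
CREATE OR REPLACE CONTEXT order_ctx USING app.order_sec;

CREATE OR REPLACE PACKAGE app.order_sec AS
  PROCEDURE set_customer;
  FUNCTION own_orders(p_schema VARCHAR2, p_object VARCHAR2) RETURN VARCHAR2;
END order_sec;
/
CREATE OR REPLACE PACKAGE BODY app.order_sec AS
  -- Called at session start (for example from a logon trigger): map the
  -- database user to a customer number and store it as a session attribute.
  PROCEDURE set_customer IS
    v_id app.customers.customer_id%TYPE;
  BEGIN
    SELECT customer_id INTO v_id
      FROM app.customers
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('order_ctx', 'customer_id', v_id);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      NULL;  -- attribute stays unset, so the predicate below matches no rows
  END set_customer;

  -- Policy function: the server appends the returned predicate to every
  -- statement on the protected table, however the statement arrives.
  FUNCTION own_orders(p_schema VARCHAR2, p_object VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN 'customer_id = SYS_CONTEXT(''order_ctx'', ''customer_id'')';
  END own_orders;
END order_sec;
/
-- Attach the policy to the table. update_check makes inserted and updated
-- rows satisfy the predicate too, so a user cannot write rows for others.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_OWN_ROWS',
    function_schema => 'APP',
    policy_function => 'ORDER_SEC.OWN_ORDERS',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/
-- With the policy in place, SELECT * FROM app.orders; returns only the rows
-- whose customer_id matches the session's ORDER_CTX attribute.
```

Because the predicate reads the context through SYS_CONTEXT rather than embedding a literal customer number, every session runs the same rewritten statement text, which is what lets the rewritten queries be shared as the benefits slide states.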