Database Vault

Welcome, today I'd like to present an overview of the latest security product from Oracle: Database Vault. We announced this new product in late April at the huge Oracle user group conference called Collaborate 06 in Nashville, TN. You may have seen some press releases from Oracle and our partners around this exciting new product.

Why Database Vault? Protecting Access to Application Data

- "Legal says our DBA should not be able to read financial records, but the DBA needs to access the database to do her job. What do we do?"
- "Our auditors require that we separate account creation from granting privileges to accounts."
- "No user should be able to bypass our application to access information in the database directly."
- "New DBAs should not be able to make database changes without a senior DBA being present."

Why Database Vault?

- Regulations such as Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA) and Basel II require strong internal controls and separation of duty
- Internal threats are a much bigger concern today and require enforcement of operational security policies: who, when and where can data be accessed?
- A database consolidation strategy requires preventive measures against access to application data by powerful (DBA) users

Database Vault is designed to address what customers have told us are some of their most pressing security-related business problems. At Oracle Headquarters in California, we frequently get the opportunity to talk to customers from around the world and from virtually every industry imaginable, and these business problems seem to resonate with virtually every customer. I'm sure you've all heard the phrase "regulatory compliance"; who hasn't, it's certainly being used a lot. I think one of the biggest benefits of regulatory compliance has been awareness: it's really forced customers to take a long hard look at their business practices. Two of the common themes in many regulations are strong internal controls and separation of duty. Database Vault provides the technology to address these two security problems. In addition, customers are much more concerned about the internal threat today. I don't mean to say that everyone's DBA is up to no good, but rather that customers are looking for preventative measures to put in place. They want the ability to enforce operational policies on who, when and where data can be accessed. Another common security problem is the powerful DBA. Most applications out there today were not designed with the principle of least privilege, meaning that the application owner only has the minimum privileges necessary. In fact, it's exactly the opposite. Database Vault provides the ability to restrict the powerful application owners and DBAs which reside in a consolidated database environment.

Common Security Problems On Financial Data

- I have requirements around SOX and PCI; how can I prevent my DBA from looking at the application data, including credit cards and personal information?
- How can I prevent unauthorized modifications to my application and database?

Oracle Database Vault Feature Overview

- Controls on privileged users: restrict privileged users from accessing application data; enforces separation of duty
- Real-time access controls: controls access based on IP address, authentication method, time of day, ...
- Transparency: no changes to applications required

Database Vault: True "Separation of Duty"

- Protect any database object from any user (realm): function, job, package, synonym, trigger, view, table
  - Prevent users from viewing application data
  - Prevent DBA users from creating powerful users
- Prevent any user from executing a command (command rule): alter table, drop user, insert, create index, analyze
  - Protect objects from the schema owner: the HR user cannot modify HR objects
- Leverage sys_context (multi-factor authorization)
  - Only modify database structure from a local IP
  - Only accept DML statements based on date or time
- Leverage built-in or user-defined factors: machine, user, domain, language, protocol, etc.

Oracle Database Vault provides 6 key pieces of security functionality. The concept of a REALM is the most important. You can think of a REALM as a protection boundary or firewall you define inside the database. Realms are easy to define and, once in place, they prevent powerful users such as the DBA from getting at application data. Multi-Factor Authorization is another extremely important addition provided by Database Vault. Some of you may be familiar with the term multi-factor authentication. Multi-factor authorization is similar in that it enables a series of security checks prior to giving access to a database, application or application table. For example, you can tell Database Vault to check things like IP address and time of day before giving access to the database, application or a specific Realm; it's very flexible. The security behind Database Vault is managed by a security account and not the Oracle DBA or SYSDBA. This provides separation of duty, meaning the DBA isn't the one who controls the REALMS, FACTORS and so forth. Command rules are another important addition: they enable rules to be associated with database commands, and the rule is evaluated prior to allowing the command to execute, a powerful feature.
Oracle Database Vault also provides auditing, so that you can track when a REALM has blocked someone from attempting to access an application. In addition, over 3 dozen security-related reports are provided out of the box.

Command Rule Flexibility

Commands that can have rules associated with them:

- ALTER: Alter Database, Alter Function, Alter Package Body, Alter Procedure, Alter Profile, Alter Session, Alter Synonym, Alter System, Alter Table, Alter Tablespace, Alter Trigger, Alter User Password, Alter View
- CREATE: Create Database Link, Create Function, Create Index, Create Package, Create Package Body, Create Procedure, Create Role, Create Table, Create Tablespace, Create Trigger, Create User, Create View
- DML and query: Delete, Execute, Insert, Lock Table, Select, Truncate Table, Update
- Other: Audit, Change Password, Comment, Connect, Grant, Noaudit, Rename

Earlier we showed how a command rule can be associated with the Alter System command. Here's a list of some of the other commands which can have rules associated. As you can see, the list is quite extensive.

Built-In Factors

Authentication Method, Session User, Client IP, Database Name, Domain, Machine, Database Domain, Database Instance, Network Protocol, Database IP, Enterprise Identity, Proxy Enterprise Identity, Language, Database Hostname, Date Time

Here's a list of the built-in Database Vault factors that can be used in conjunction with Database Vault Realms and Command Rules. You can also add your own factors through the GUI.

Authentication Method: Returns the method of authentication. A password-authenticated enterprise user, a local database user, SYSDBA or SYSOPER using the password file, or a proxy with username using a password returns PASSWORD. A Kerberos-authenticated enterprise or external user returns KERBEROS. An SSL-authenticated enterprise or external user returns SSL. A Radius-authenticated external user returns RADIUS. An OS-authenticated external user, SYSDBA or SYSOPER returns OS. A DCE-authenticated external user returns DCE. A proxy with certificate, DN, or username without using a password returns NONE. You can use IDENTIFICATION_TYPE to distinguish between external and enterprise users when the authentication method is Password, Kerberos, or SSL.

Session User: For enterprise users, returns the schema. Otherwise, the database user name by which the current user is authenticated. This value remains the same throughout the duration of the session.

Database Domain: Domain of the database as specified in the DB_DOMAIN initialization parameter.

Machine: Provides the machine name for the current session.

Enterprise Identity: The user's enterprise-wide identity. For enterprise users this returns the Oracle Internet Directory DN. For external users this returns the external identity (Kerberos principal name, Radius and DCE schema names, OS user name, certificate DN). For local users and SYSDBA and SYSOPER logins it returns NULL. The value of the attribute differs by proxy method. For a proxy with DN, the Oracle Internet Directory DN of the client. For a proxy with certificate, the certificate DN of the client for external users; the Oracle Internet Directory DN for global users. For a proxy with username, the Oracle Internet Directory DN if the client is an enterprise user; NULL if the client is a local database user.

Proxy Enterprise Identity: Returns the Oracle Internet Directory DN when the proxy user is an enterprise user.

* Additional factors can be defined
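The factors above are exposed to rules as functions in the DVF schema (F$ followed by the factor name), and user-defined factors are created with DBMS_MACADM.CREATE_FACTOR. The following block is an added example, not from the presentation: it first shows how a session can inspect what a few built-in factors resolve to, then defines a hypothetical time-based factor named Maintenance_Window that a rule could test with DVF.F$MAINTENANCE_WINDOW = 'Y'. It assumes it is run as the Database Vault owner account and that the 10gR2/11g DBMS_MACADM and DBMS_MACUTL names apply; check them against your release.

```sql
-- Added example (not from the presentation). Run as the Database Vault owner.
-- 1. What do the built-in factors resolve to for this session?
--    Factor functions are DVF.F$<FACTOR_NAME>; names here follow the slide's
--    built-in factor list.
SELECT DVF.F$AUTHENTICATION_METHOD AS auth_method,   -- PASSWORD, OS, KERBEROS, ...
       DVF.F$SESSION_USER          AS session_user,
       DVF.F$CLIENT_IP             AS client_ip,     -- NULL for a local (bequeath) connection
       DVF.F$MACHINE               AS machine,
       DVF.F$NETWORK_PROTOCOL      AS protocol
FROM   dual;

-- 2. A user-defined factor (hypothetical name Maintenance_Window) that is 'Y'
--    on Saturday/Sunday and 'N' otherwise. Because the value depends on the
--    clock, it is evaluated on every access rather than once per session.
BEGIN
  DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'Maintenance_Window',
    factor_type_name => 'Time',
    description      => 'Y during the approved weekend change window, else N',
    rule_set_name    => NULL,                              -- no assignment rule set
    get_expr         => 'CASE WHEN TO_CHAR(SYSDATE, ''DY'', ''NLS_DATE_LANGUAGE=AMERICAN'') '
                     || 'IN (''SAT'', ''SUN'') THEN ''Y'' ELSE ''N'' END',
    validate_expr    => NULL,                              -- no extra validation
    identify_by      => DBMS_MACUTL.G_IDENTIFY_BY_METHOD,  -- identity comes from get_expr
    labeled_by       => DBMS_MACUTL.G_LABELED_BY_SELF,
    eval_options     => DBMS_MACUTL.G_EVAL_ON_ACCESS,      -- re-evaluate each time it is used
    audit_options    => DBMS_MACUTL.G_AUDIT_OFF,
    fail_options     => DBMS_MACUTL.G_FAIL_SILENTLY);
END;
/

-- 3. Confirm the factor is visible and what it returns right now.
SELECT DVF.F$MAINTENANCE_WINDOW AS in_window FROM dual;
```

The NLS_DATE_LANGUAGE argument matters: without it, TO_CHAR(SYSDATE, 'DY') returns a localized abbreviation in sessions whose language is not English, and the comparison silently becomes 'N' for every day. Choosing evaluate-on-access over evaluate-on-session is the other point to watch for any factor whose value can change while a connection stays open.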

Web Based Administrative Interface

- Web-based management: Realms, Rules, Factors, Reports, Dashboard

This is the web-based administration console. Please note that the product name is "Database Vault" and not "Data Vault"; the screen shots were taken before the final product name was determined. From here you can manage Realms, Factors, Rule Sets and Command Rules, as well as integration points with Oracle Label Security. You also have access to more than 3 dozen security-related reports via the two report tabs. The Monitor tab provides some graphs as well as direct access to some reports. This tab will be enhanced as we move forward with future releases.

Oracle Database Vault Reports

- Over 3 dozen security reports for compliance
- Audit violation attempts
- Realm, Rule and Factor reports
- System and Public privileges

Here's a more detailed look at the Database Vault-specific reports tab. You can see a Realm Audit report selection toward the bottom. This report will display audit records where the Realm has blocked an action.

Oracle Database Vault Realms

[Diagram: a consolidated database holding an HR application and a Financial application. Without realms, the DBA views HR data ("select * from HR.emp") and the HR DBA views Financial data. With an HR Realm and a Fin Realm in place, both accesses are blocked: compliance and protection from insiders; eliminates security risks from server consolidation.]

- Realms can be easily applied to existing applications with minimal performance impact

Let's first take a look at Database Vault Realms. Here we have a database; let's assume that this is a consolidated database. As you would expect, you have the DBA as well as several other applications; here we've included an HR and a Financial application. One of the problems faced in this type of situation is that the DBA can, if he or she wished to do so, use their powerful privileges to take a look at application data. Even the possibility of this happening can be prevented using Database Vault Realms. Simply place a Realm around the HR application and the DBA will no longer be able to use his powerful privileges to access the application. The other situation is one I alluded to earlier. Application owners tend to have very powerful privileges. In a consolidated environment, it's very likely that you'll have more than one application and thus several powerful users in the database above and beyond the DBA. In this example, it's possible for the HR DBA to look at the Financial application data. Obviously this wouldn't be a good situation, especially if it was during the financial reporting quiet period. Using a Database Vault Realm, the Financial application can be protected from powerful application owners. In summary, Realms can be easily applied to existing applications and with minimal performance impact.
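The HR Realm from the diagram, expressed as an added example (not code from the presentation): it creates a realm, places every HR object inside it, and authorizes only the HR schema itself. It assumes it is run as the Database Vault owner account, that the realm name "HR Application Realm" is free to use, and that the DBMS_MACADM/DBMS_MACUTL names match the 10gR2/11g release documented for the product.

```sql
-- Added example (not from the presentation). Run as the Database Vault owner.
BEGIN
  -- 1. Define the protection boundary. Auditing failures records every
  --    attempt the realm blocks, which feeds the Realm Audit report.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Application Realm',
    description   => 'Keeps HR data away from DBA and other application owners',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Put every object of every type owned by HR inside the boundary.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Application Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- 3. Authorize the application owner as a participant. Anyone not listed
  --    (the DBA included) can no longer reach HR objects through system
  --    privileges such as SELECT ANY TABLE.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Application Realm',
    grantee       => 'HR',
    rule_set_name => NULL,   -- unconditional authorization
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 4. Verify what the realm covers.
SELECT realm_name, owner, object_name, object_type
FROM   DVSYS.DBA_DV_REALM_OBJECT
WHERE  realm_name = 'HR Application Realm';

-- 5. As the DBA (not the HR user), the query from the diagram is now refused
--    with ORA-01031: insufficient privileges, and the attempt is audited:
--    SELECT * FROM HR.emp;
```

One caveat a reviewer would raise: in this release a realm stops access that relies on system privileges (SELECT ANY TABLE, ALTER ANY TABLE and the like). A direct object grant such as GRANT SELECT ON HR.emp TO someone still works, so the realm should be paired with a review of existing object grants on the protected schema.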

Oracle Database Vault Rules & Multi-factor Authorization

[Diagram: a DBA attempts a remote "alter system ..."; a rule based on IP address blocks the action. An HR DBA attempts "create ..." inside the HR Realm at 3pm on a Monday, during production; a rule based on date and time blocks the action.]

- Factors and Command Rules provide flexible and adaptable security controls

In addition to Realms, Database Vault also delivers Command Rules and Multi-Factor Authorization. Command Rules provide the ability to instruct the database to evaluate conditions prior to allowing a database command to execute. Combined with Multi-Factor Authorization, this provides an extremely powerful tool to limit and restrict access to databases and applications. Let's take another example. Here I'm showing a database with a single application and the DBA. One of the common problems customers have faced from a compliance perspective is unauthorized activity in the database. This may mean that additional database accounts or application tables have been created. This can raise alarms with auditors because it can point toward lax internal controls. Using a command rule, Database Vault gives the ability to control the conditions under which a command is allowed to execute. For example, a command rule can be associated with the database "Alter System ..." command. Perhaps your policy states that all 'alter system' commands have to be executed from a connection originating from the server hosting the database. The command rule can check the IP address and reject the command, so the rule based on IP address blocks the action. Perhaps a powerful application DBA creates a new table; command rules combined with multi-factor authorization can block this action. In summary, command rules and multi-factor authorization provide the flexibility to meet operational security requirements.
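Both rules from the diagram, written out as an added example (not code from the presentation): an ALTER SYSTEM command rule tied to the built-in Client_IP factor, and a CREATE TABLE command rule on the HR schema tied to date and time. It assumes it is run as the Database Vault owner, that 192.0.2.10 is a placeholder for the database host's own address, that the rule and rule set names used are free, and that the DBMS_MACADM/DBMS_MACUTL names match the 10gR2/11g release.

```sql
-- Added example (not from the presentation). Run as the Database Vault owner.
-- 192.0.2.10 is a placeholder for the database server's address.
BEGIN
  -- Rule 1: the session must originate on the database host. DVF.F$CLIENT_IP
  -- is NULL for a local bequeath connection and 127.0.0.1 for a loopback
  -- TCP connection, so both are accepted alongside the host's address.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Connection From Database Server',
    rule_expr => 'DVF.F$CLIENT_IP IS NULL OR '
              || 'DVF.F$CLIENT_IP IN (''127.0.0.1'', ''192.0.2.10'')');

  -- Rule 2: outside production hours (weekday 08:00-17:59 is production).
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Outside Production Hours',
    rule_expr => 'TO_CHAR(SYSDATE, ''DY'', ''NLS_DATE_LANGUAGE=AMERICAN'') IN (''SAT'', ''SUN'') '
              || 'OR TO_NUMBER(TO_CHAR(SYSDATE, ''HH24'')) NOT BETWEEN 8 AND 17');

  -- Rule set A: local administration only. Failures are audited and the
  -- caller sees the fail message; no custom handler.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Local Administration Only',
    description     => 'Passes only when the session originates on the DB host',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'ALTER SYSTEM is only permitted from the database host',
    fail_code       => 20461,                          -- any code in the 20000-20999 range
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Local Administration Only',
    rule_name     => 'Connection From Database Server');

  -- Rule set B: HR schema changes only in the maintenance window.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR Maintenance Window',
    description     => 'Passes only outside production hours',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'HR schema changes are not permitted during production hours',
    fail_code       => 20462,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'HR Maintenance Window',
    rule_name     => 'Outside Production Hours');

  -- Command rule 1: ALTER SYSTEM, regardless of user, must pass rule set A.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER SYSTEM',
    rule_set_name => 'Local Administration Only',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);

  -- Command rule 2: CREATE TABLE in the HR schema must pass rule set B.
  -- This applies to the HR owner itself, which is the "protect object from
  -- schema owner" case on the separation-of-duty slide.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CREATE TABLE',
    rule_set_name => 'HR Maintenance Window',
    object_owner  => 'HR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- A remote "ALTER SYSTEM ..." or a Monday-3pm "CREATE TABLE HR...." now fails
-- with the rule set's fail message, and the attempt is written to the
-- Database Vault audit trail for the violation reports.
```

Two design points: the rules are evaluated in the database, so they cannot be bypassed by connecting with a different client tool, and each rule set audits on failure, which is what makes the blocked attempts visible in the reports described earlier rather than silently disappearing.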

Oracle System User Blocked

Database Vault Rules and Factors Block(Remote Intranet Connection)

Oracle secured DB environment

Hands-on Resources

- Oracle Database Vault: http://www.oracle.com/technetwork/database/options/database-vault/index.html
- Oracle Security Overview: http://www.oracle.com/technology/deploy/security/database-security/index.html
- Lab 3-1: Protect Application Data from DBA and Privileged Users (no submission): http://st-curriculum.oracle.com/obe/db/11g/r1/prod/security/datavault/datavault.htm
- Lab 3-2: Restrict DBA commands based on IP address (no submission): http://st-curriculum.oracle.com/obe/db/11g/r1/prod/security/datavault/datavault2.htm

Oracle Database Vault Secured Installation

- Disallows connections with SYSDBA. This will affect:
  - Oracle Data Guard and Data Guard Broker command line utilities
  - Oracle Recovery Manager command line utility
  - Oracle Real Application Clusters srvctl utility
  - Oracle ASM command line utilities
  - Custom DBA scripts
  - Can be re-enabled with the orapwd utility
- Enables the password file and turns off OS authentication (e.g. sqlplus "/" as SYSDBA)

Oracle Database Vault Secured Installation

- Requires Oracle Label Security version 10.2.0.2
- Requires one of the following: Enterprise Manager 10.2.0.2, or 10g Application Server Containers for J2EE (OC4J)
- Cannot be installed into an Oracle home that contains an ASM instance
- Best practice is to create a Database Vault owner and a Database Vault manager
- Requires 270 MB of disk space for the DB Vault software
- Requires 400 MB of /tmp disk space
- OS authentication is turned off for all databases in the Oracle home
- Database Vault can be enabled for each database in the Oracle home (optional)