Copyright © 2014, Oracle and/or its affiliates. All rights reserved.
Oracle Database Vault with Oracle Database 12c
Chi Ching Chui, Senior Development Manager, Oracle Database Security
October 1, 2014
Agenda
- Oracle Database Vault Controls Overview
- Enhancements in Oracle Database 12c
- Deployment Guidelines for Oracle Database Vault
- Privilege Analysis
- Summary
- Q&A
Applications Bypass and Configuration Drift
(Diagram) A user with powerful system privileges bypasses the HR application and reads the data directly (select * from hr.salary); the same privileges allow ANALYZE TABLE and TRUNCATE TABLE against the HR, Finance and Procurement schemas.
Restrict Access to Application Data
- Secure data against unauthorized access
- Secure an entire schema or individual objects
- Support conditional authorization (for example, access allowed only between 1 and 5am)
- Allow authorized operational tasks (tuning, Data Pump, jobs)
(Diagram) An HR Realm around the HR schema and a Fin Realm around the Fin schema: the HR App and the Fin App reach their own data, while a privileged user holding SELECT ANY is stopped at the realm boundary.
Database Command Controls
(Diagram) Factors feed rules, rules are combined into a rule set, and the rule set governs command rules:
- Current Time factor -> rule "Current Time between 1 to 5am"
- IP Address factor -> rule "IP Address = ' '"
- Both rules combined with AND into the "Limit Maintenance Window" rule set
- Command rules on ANALYZE TABLE, ALTER TABLE, ... evaluate that rule set
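The maintenance-window control on this slide written out with the DBMS_MACADM API. This is an added example, not code from the deck: the HR schema, the hours 01:00 to 04:59 and the client address 192.0.2.10 are assumptions, and the slide's "Current Time" factor is expressed directly as a SQL expression inside the rule rather than as a custom factor.

```sql
-- Added example: the "Limit Maintenance Window" control as DBMS_MACADM calls.
-- Run as the Database Vault owner (DV_OWNER role). Assumed: protected schema HR,
-- trusted maintenance host 192.0.2.10 (a documentation address, not a real host).
BEGIN
  -- Rule 1: hour of day between 01 and 04, i.e. 01:00:00 to 04:59:59. The slide
  -- models this as a "Current Time" factor; here it is a plain SQL expression.
  -- Inner quotes are doubled because the expression is stored as a string.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Maintenance Window',
    rule_expr => 'TO_NUMBER(TO_CHAR(SYSDATE, ''HH24'')) BETWEEN 1 AND 4');

  -- Rule 2: client address, read through the built-in Client_IP factor function.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Maintenance Host',
    rule_expr => 'DVF.F$CLIENT_IP = ''192.0.2.10''');

  -- Rule set: ALL rules must be true (the AND on the slide). Failures are audited
  -- and the rejected session sees the message, not only a bare command rule error.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Limit Maintenance Window',
    description     => 'DDL on HR only from the maintenance host, 01:00 to 05:00',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'DDL on HR allowed only from the maintenance host, 01:00-05:00',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Limit Maintenance Window', rule_name => 'Is Maintenance Window');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Limit Maintenance Window', rule_name => 'Is Maintenance Host');

  -- Command rules: one per statement type, over every object in HR ('%').
  -- Further DDL (TRUNCATE TABLE, DROP TABLE, ...) is added to the list the same way.
  FOR cmd IN (SELECT column_value AS name
                FROM TABLE(SYS.ODCIVARCHAR2LIST('ANALYZE TABLE', 'ALTER TABLE')))
  LOOP
    DBMS_MACADM.CREATE_COMMAND_RULE(
      command       => cmd.name,
      rule_set_name => 'Limit Maintenance Window',
      object_owner  => 'HR',
      object_name   => '%',
      enabled       => DBMS_MACUTL.G_YES);
  END LOOP;
END;
/

-- Check what is in force. An ANALYZE TABLE on HR outside the window now fails with
-- the message above and leaves an audit record carrying the rule set name.
SELECT command, rule_set_name, object_owner, object_name, enabled
  FROM DBA_DV_COMMAND_RULE
 WHERE rule_set_name = 'Limit Maintenance Window';
```

The rule set is evaluated at statement time, so a session that connected at 03:00 still loses the right to run ALTER TABLE on HR at 05:01; that is the difference between this control and a plain logon trigger.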
Oracle Database Vault Reports
Enhancements in Oracle Database Vault 12c
- Installed by default
  - Run two PL/SQL procedures (configure_dv, enable_dv) to enable Oracle Database Vault
  - No Oracle binary dependency
- Mandatory realm
  - Restricts all types of access, including object owners and users with object privileges
- Integrated with the new unified auditing
  - Writes to the database audit trail
  - Create and manage using the unified audit policy syntax
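The two enablement procedures named on this slide, followed by the unified-auditing integration, as a SQL*Plus session. This is an added example, not the deck's own script: the account names dbv_owner and dbv_acctmgr, the passwords, the realm name "HR Realm" (assumed to exist already, as in the deployment example later in the deck) and the audit policy name are assumptions. In a multitenant CDB the common accounts need the C## prefix.

```sql
-- Added example: register and enable Database Vault in 12c, then audit realm
-- violations with a unified audit policy. Names and passwords are assumptions.

-- 1. As SYS (SYSDBA): two separate administrative accounts. The owner manages
--    policy (realms, rules); the account manager manages users. Keeping them
--    apart is the separation of duties that Database Vault enforces later.
CREATE USER dbv_owner IDENTIFIED BY "Str0ng-Owner-Pw#1";
CREATE USER dbv_acctmgr IDENTIFIED BY "Str0ng-AcctMgr-Pw#1";
GRANT CREATE SESSION TO dbv_owner, dbv_acctmgr;

-- 2. Still as SYS: configure_dv binds the accounts to DV_OWNER and DV_ACCTMGR.
--    Recompile afterwards; DVSYS objects are invalid until utlrp has run.
BEGIN
  CONFIGURE_DV(dvowner_uname => 'DBV_OWNER', dvacctmgr_uname => 'DBV_ACCTMGR');
END;
/
@?/rdbms/admin/utlrp.sql

-- 3. As the new Database Vault owner: enable_dv, then restart the instance.
CONNECT dbv_owner
BEGIN
  DBMS_MACADM.ENABLE_DV;
END;
/
CONNECT / AS SYSDBA
SHUTDOWN IMMEDIATE
STARTUP

-- 4. Check before relying on any realm or command rule: both rows,
--    DV_CONFIGURE_STATUS and DV_ENABLE_STATUS, must report TRUE.
SELECT name, status FROM DBA_DV_STATUS;

-- 5. Unified auditing integration: realm violations and successes for the
--    (assumed, pre-existing) HR Realm, written in the unified audit policy
--    syntax. Needs the AUDIT_ADMIN role.
CREATE AUDIT POLICY dv_hr_realm_pol
  ACTIONS COMPONENT = DV REALM VIOLATION ON "HR Realm",
                      REALM SUCCESS   ON "HR Realm";
AUDIT POLICY dv_hr_realm_pol;

-- 6. Records land in the unified audit trail, alongside the rest of the database
--    audit data, instead of the separate DVSYS.AUDIT_TRAIL$ table.
SELECT event_timestamp, dbusername, dv_action_name, dv_action_object_name,
       dv_return_code, dv_comment
  FROM UNIFIED_AUDIT_TRAIL
 WHERE audit_type = 'Database Vault'
   AND unified_audit_policies LIKE '%DV_HR_REALM_POL%'
 ORDER BY event_timestamp DESC;
```

After step 3, SYS and accounts holding the DBA role lose user-management commands (CREATE USER, ALTER USER, GRANT on DV roles) to the account manager; plan who holds dbv_acctmgr before the restart, not after.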
Deployment Guidelines for Oracle Database Vault
1. Separation of Duties: decide who is responsible for account management, security administration and operations
2. Design the Protection: what to secure, who to authorize, how data should be accessed
3. Implement Database Vault: create realms and command rules, authorize users based on their responsibility, document the security policies
4. Verify & Deploy: functional testing; confirm the protection works as designed
Example - Secure an Application
- Secure the application data
- Only the trusted application and users can connect to the database
- DBA_DEBRA maintains the database hosting the application
(Diagram) The "HR" application connects as APPS to the HR schema inside the HR Realm; DBA_DEBRA administers the database; a Connection Control decides who may connect.
Realm: Secure HR schema
Rule – Trusted Application
Rule – Trusted Administrators
Rule Set – Trusted Database Connections
- Added two rules: Is Trusted Administrators, Is Trusted Application
- Evaluation options for the rules can be 'Any True' or 'All True'
- Audit options: Audit on Failure, Audit on Success, Always Audit
Command Rule – Control Database Connection
Example – Operational Task Authorizations
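The whole "Secure an Application" walk-through of the preceding slides (realm over HR, the two trusted-connection rules, the "Any True" rule set, the CONNECT command rule, and the operational task authorizations for DBA_DEBRA) as one script. This is an added example, not the deck's own code: the slides show only the rule names, so the rule expressions, the client addresses 192.0.2.20 and 192.0.2.30 and the Database Vault owner name DBV_OWNER are assumptions.

```sql
-- Added example: "Secure an Application" as DBMS_MACADM calls, run as the Database
-- Vault owner (DV_OWNER role). Assumed: app schema HR, app account APPS, admin
-- DBA_DEBRA, DV owner DBV_OWNER, app server 192.0.2.20, admin jump host 192.0.2.30.
BEGIN
  -- 1. Realm over the whole HR schema. realm_type 0 is a regular realm; 1 would be
  --    a 12c mandatory realm, which also blocks HR itself and direct object grantees.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Data of the HR application',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    realm_type    => 0);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name => 'HR Realm', object_owner => 'HR',
    object_name => '%', object_type => '%');
  -- Only APPS may exercise its privileges inside the realm. SELECT ANY TABLE and
  -- other system privileges no longer reach HR data for anyone else, DBA_DEBRA included.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name => 'HR Realm', grantee => 'APPS',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- 2. Rules: session user plus the built-in Client_IP factor. SYS and the DV owner
  --    stay in the administrators rule so that a typo here cannot lock out the
  --    people who would have to repair it.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Trusted Application',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''APPS'' '
              || 'AND DVF.F$CLIENT_IP = ''192.0.2.20''');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Trusted Administrators',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') IN (''SYS'',''DBV_OWNER'') '
              || 'OR (SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''DBA_DEBRA'' '
              || 'AND DVF.F$CLIENT_IP = ''192.0.2.30'')');

  -- 3. Rule set "Trusted Database Connections": Any True, audit on failure.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Trusted Database Connections',
    description     => 'Only the application and trusted administrators may connect',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ANY,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Connection not permitted from this account or host',
    fail_code       => 20002,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Trusted Database Connections', rule_name => 'Is Trusted Application');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Trusted Database Connections', rule_name => 'Is Trusted Administrators');

  -- 4. CONNECT command rule, created disabled on purpose: it is switched on in
  --    step 7, after the rule set has been checked from a real administrator session.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'Trusted Database Connections',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_NO);

  -- 5. Operational tasks: DBA_DEBRA may run Data Pump and Scheduler jobs against
  --    HR without becoming a realm participant (no standing read access to HR data).
  DBMS_MACADM.AUTHORIZE_DATAPUMP_USER(user_name => 'DBA_DEBRA', schema_name => 'HR');
  DBMS_MACADM.AUTHORIZE_SCHEDULER_USER(user_name => 'DBA_DEBRA', schema_name => 'HR');
END;
/

-- 6. Functional test, run from a DBA_DEBRA session on the jump host (and the same
--    idea from the application server): the values the rules look at, and the
--    administrators rule evaluated in place. FALSE means the CONNECT rule would
--    reject this very session once enabled, and the two columns say which term fails.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS sess_user,
       DVF.F$CLIENT_IP                         AS client_ip,
       CASE WHEN SYS_CONTEXT('USERENV', 'SESSION_USER') = 'DBA_DEBRA'
             AND DVF.F$CLIENT_IP = '192.0.2.30' THEN 'TRUE' ELSE 'FALSE' END
                                               AS is_trusted_administrators
  FROM DUAL;

-- 7. Only after each trusted session evaluates TRUE: enable the connection control.
BEGIN
  DBMS_MACADM.UPDATE_COMMAND_RULE(
    command => 'CONNECT', rule_set_name => 'Trusted Database Connections',
    object_owner => '%', object_name => '%', enabled => DBMS_MACUTL.G_YES);
END;
/
```

Step 4 and 7 are split deliberately: a CONNECT command rule applies to every new session, so an expression that is wrong about an address or a username locks out the administrators along with the attackers. Creating it disabled, testing the rule expressions from the sessions that must keep working, and only then enabling it is the "Verify & Deploy" step of the deployment guidelines in concrete form.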
Privilege Analysis – New to Oracle Database Vault 12c
- Runtime analysis of roles and privileges
- Identifies unused privileges and roles
- Helps reduce attack surface
(Diagram) DBA_DEBRA and custom applications exercise privileges (Select ..., Update ..., Drop ..., DBA role ...) during a runtime capture, which produces used/unused reports.
Privilege Analysis Features
- Capture types
  - Database wide
  - Condition based (example: login user is DBA_DEBRA)
  - Enabled database role (example: DBA role is enabled)
- Runs inside the database authorization engine
- Lists used/unused privileges and roles and how they were granted
- Less than 5% overhead on runtime capture
Steps for Analyzing Privileges in Oracle Database
1. Create Capture Policy: decide the capture type (database-wide, condition based, enabled DB roles)
2. Start Capture: enable the capture policy, then run full application tests to capture all use cases
3. Generate Reports: disable the runtime capture and generate the capture reports
4. Analyze & Take Actions: identify and remove unnecessary privileges, audit unused privileges, replace them with less powerful privileges
Create Capture Policy
  BEGIN
    DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
      name        => 'HR Analysis Policy',
      description => 'Analyze privilege usage in the HR applications',
      type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,   -- 3: condition-based capture
      condition   => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''APPS''');
  END;
  /
The condition is passed by name: positionally, the fourth argument of CREATE_CAPTURE is the role list, not the condition. The quotes inside the condition are doubled because the condition is itself a string literal.
Start Runtime Capture
  EXEC DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('HR Analysis Policy');
Stop Runtime Capture & Generate Report
  EXEC DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('HR Analysis Policy');
  EXEC DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('HR Analysis Policy');
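The four steps of the preceding slides (create, capture, report, act) as one session, with the condition-based policy from the deck and, in addition, an enabled-role policy for DBA_DEBRA and the queries behind the used/unused reports. This is an added example, not the deck's own script: the second policy, the report queries and the final revoke/grant are the editor's; SELECT ANY TABLE as the privilege found unused for APPS, and hr.salary as the table it actually reads, are assumptions about what the report would show.

```sql
-- Added example: the full privilege-analysis cycle. Run as a user holding the
-- CAPTURE_ADMIN role. The accounts APPS and DBA_DEBRA are the deck's; the
-- privilege revoked at the end is an assumed report finding, not a given.
BEGIN
  -- Condition based (type 3 on the slide). Named notation matters: passed by
  -- position, the condition string would land in the ROLES parameter.
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'HR Analysis Policy',
    description => 'Analyze privilege usage in the HR applications',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''APPS''');

  -- Enabled-role capture narrowed to one administrator: what DBA_DEBRA really
  -- uses out of the DBA role (the slide's third capture type plus a condition).
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'DBA Role Usage',
    description => 'Privileges DBA_DEBRA exercises through the DBA role',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE_AND_CONTEXT,
    roles       => ROLE_NAME_LIST('DBA'),
    condition   => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''DBA_DEBRA''');
END;
/

-- Both policies exist and are still disabled.
SELECT name, type, enabled, roles, context FROM DBA_PRIV_CAPTURES;

-- Start the capture, then run the complete application test suite so every code
-- path (batch jobs, month-end, admin screens) exercises the privileges it needs.
-- A privilege the tests never touch is reported as unused even if production uses it.
EXEC DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE('HR Analysis Policy');

-- ... full application tests run here ...

-- Stop the capture and materialize the results into the DBA_USED_* / DBA_UNUSED_* views.
EXEC DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE('HR Analysis Policy');
EXEC DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT('HR Analysis Policy');

-- Used privileges, with the role they came through (NULL = granted directly).
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
  FROM DBA_USED_PRIVS
 WHERE capture = 'HR Analysis Policy'
 ORDER BY username, used_role, sys_priv, obj_priv;

-- Unused privileges: the revocation candidates. Unused system privileges of the
-- SELECT ANY / ALTER ANY kind are the attack surface the slides refer to.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
  FROM DBA_UNUSED_PRIVS
 WHERE capture = 'HR Analysis Policy'
 ORDER BY username, used_role, sys_priv, obj_priv;

-- How an unused system privilege was granted (directly, or via which role chain);
-- that decides whether to REVOKE from the user or to trim the role instead.
SELECT username, sys_priv, path
  FROM DBA_UNUSED_SYSPRIVS_PATH
 WHERE capture = 'HR Analysis Policy';

-- Take action, in the order the slide gives. First audit the privilege the report
-- calls unused, so that an untested code path shows up in the trail rather than
-- as an outage; then revoke it and replace it with the narrowest grant that
-- covers what the used-privileges report listed (assumed here: hr.salary).
CREATE AUDIT POLICY apps_unused_privs PRIVILEGES SELECT ANY TABLE;
AUDIT POLICY apps_unused_privs BY apps;
-- ... after the observation period, if UNIFIED_AUDIT_TRAIL stays empty for the policy:
REVOKE SELECT ANY TABLE FROM apps;
GRANT SELECT ON hr.salary TO apps;
NOAUDIT POLICY apps_unused_privs BY apps;
```

The enabled-role policy is run the same way (enable, exercise DBA_DEBRA's routine tasks, disable, GENERATE_RESULT) and its DBA_UNUSED_PRIVS rows with used_role = 'DBA' are the argument for replacing the DBA role with a purpose-built role holding only the privileges that appeared in DBA_USED_PRIVS.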
Privilege Analysis Reports
Unused Privileges Report
Used Privileges Report
Summary of Oracle Database Vault
- Control the default power of privileges
  - Realms restrict access by privileged users
  - Multi-factor authorization and database command controls
  - Prevents configuration drift and accidental DDL (drop table etc.)
- Ease of deployment
  - Installed by default
  - No application changes required
  - Certified policies for major applications
- Privilege Analysis
  - Runtime analysis of roles and privileges
  - Helps reduce attack surface
Oracle Database Security at OpenWorld 2014
Time                    | Session Title                                                                              | Location
Monday 2:45 – 3:30      | Oracle Database Security Innovations in the Year of the Megabreaches (CON8204)             | Moscone South 303
Monday 5:15 – 6:00      | Introducing Oracle Key Vault: Centralized Keys, Wallets, and Java Keystores (CON8189)      | Moscone South 305
Tuesday 10:45 – 11:30   | Oracle Database 12c: Defense-in-Depth Security (CON8194)                                   | Moscone South 306
Tuesday 3:45 – 4:30     | Oracle Audit Vault and Database Firewall: What’s New and Best Practices (CON8180)          | Moscone South 306
Tuesday 5:00 – 5:45     | Oracle Database 12c’s Real Application Security: Next-Generation VPD (CON8182)             | Moscone South 206
Wednesday 10:15 – 11:00 | Oracle Advanced Security: Best Practices for Database Encryption and Redaction (CON8166)   | Moscone South 306
Wednesday 12:45 – 1:30  | Oracle Database Security Strategy and Best Practices: Customer Case Study Panel (CON8192)  | Moscone South 306
Wednesday 3:30 – 4:15   | Oracle Database Vault with Oracle Database 12c (CON8197)                                   | Moscone South 306
Thursday 9:30 – 10:15   | What’s New and Best Practices for Oracle Data Masking and Subsetting                       | Moscone South
Plus: Visit the Oracle Database Security pods at the Demo Grounds for one-on-one discussions and demonstrations!
Connect With Us
oracle.com/database/security
oracle.com/technetwork/database/security
/OracleDatabase
/OracleSecurity
blogs.oracle.com/SecurityInsideOut
blogs.oracle.com/KeyManagement
Oracle Database Insider
/Oracle/database
/OracleLearning