
2 Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

3 Oracle Real Application Security: Oracle Database 12c Next Generation Data Security
Vikram Pesati, Senior Director Database Security, Oracle
Manish Kakade, Director, Enterprise Solutions Architect, NUBO Technologies

4 Program Agenda
1. Oracle Real Application Security
2. Demo: Human Resource Application
3. RAS Features and Benefits
4. RAS with Oracle APEX and Fusion Middleware
5. Customer Case Study

5 Typical Application Architecture
(diagram: Web User, Application Servers running HCM_APP and CRM_APP, Database, Database Administrator, Logs/Audit Trail)

6 Application Data Access Control Today
Users and Roles
– Managed by the application and not the database
– Executes under privileged db user
Custom Security Models
– Each application handles authorization
– Programmatically sets security context
– Limited use of the database access control
(diagram: Application-Driven Fragmented Security; CRM and HCM in the Middle Tier connect as One Big Privileged User; PL/SQL package and metadata for custom security)

7 Introducing Oracle Real Application Security
(diagram, Application Security Today: HCM Application and CRM Application each carry their own Business Logic, Security Policy, Users and Roles; a Shared, All-Powerful Connection to the database; Direct, Uncontrolled Access)
(diagram, with RAS: Light-weight User Sessions; Security enforced on direct connections; Identity/Policy Store in the database)

8 Oracle Real Application Security: Key Features Provided in the Database
Support Application Users and Sessions
– Schema-less user, Security and application context in DB
Support Application Privileges and Roles
– E.g., ViewSalary, RequestLeave, ApproveLeave privileges
– E.g., Manager, HR_Rep, Approver roles
Support fine-grained data access control on rows and columns
– Based on user operation execution context
– Enforce security close to data

9 Example Application Security Requirements: HR
Employees table as seen by a regular employee (SSN and Salary hidden):
Name    Manager  Phone Number
Adam    Steven   515.123.4567
Neena   Steven   515.123.4568
Nancy   Neena    515.124.4569
Luis    Nancy    515.124.4567
John    Nancy    515.124.4269
Daniel  Nancy    515.124.4469
Manager view for Nancy: her own row shows SSN 108-51-4569, Salary 12030 and Phone 650.111.3300, and the salaries of her reports (6900, 8200, 9000) are visible.
- Employees can view public information
- An employee can view own record, update contact information
- Manager can view salary of his/her reports

10 Real Application Security Concepts
Data Realms: a group of rows representing a business object
– All employees
– My own employee record
– All employees under my report
Assign privileges to columns
– viewSSN for SSN column
– viewSalary for Salary column
(diagram: Employee table with realms All records, My own, My reports; viewSSN and viewSalary column privileges)

11 Real Application Security Data Security Policy Components
Data Realm – Employees under my report
Access Control List (ACL) – Grant select to Manager; Grant viewSalary to Manager
Application Role – Manager
Application Privilege – select, viewSalary
– Each Data Realm has an associated ACL with grants
– Data Security policy is a collection of Data Realms and ACLs
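Added example, not code from the presentation: a small Python model of how the data realms, column privileges, application roles and ACLs on slides 10 and 11 combine over the HR table of slide 9. The realm predicates, the ACL grants, the HR_Rep user "Pat" and the SSN/salary values are constructed assumptions; unauthorized protected columns are modelled as reading None.

```python
# Constructed model of the preceding slides' policy (data realms, ACLs, roles,
# column privileges) for the slide 9 HR table; not Oracle's RAS implementation.

# Constructed sample rows: SSNs and most salaries are placeholders.
EMPLOYEES = [
    {"name": "Adam",   "manager": "Steven", "ssn": "000-00-0001", "salary": 7000,  "phone": "515.123.4567"},
    {"name": "Neena",  "manager": "Steven", "ssn": "000-00-0002", "salary": 13000, "phone": "515.123.4568"},
    {"name": "Nancy",  "manager": "Neena",  "ssn": "000-00-0003", "salary": 12030, "phone": "515.124.4569"},
    {"name": "Luis",   "manager": "Nancy",  "ssn": "000-00-0004", "salary": 6900,  "phone": "515.124.4567"},
    {"name": "John",   "manager": "Nancy",  "ssn": "000-00-0005", "salary": 8200,  "phone": "515.124.4269"},
    {"name": "Daniel", "manager": "Nancy",  "ssn": "000-00-0006", "salary": 9000,  "phone": "515.124.4469"},
]

# Protected columns and the application privilege each one requires.
COLUMN_PRIVS = {"ssn": "viewSSN", "salary": "viewSalary"}

# A data realm is a row predicate plus an ACL (application role -> privileges).
REALMS = [
    ("All records", lambda me, r: True,
     {"Employee": {"select"}, "HR_Rep": {"select", "viewSSN"}}),
    ("My own record", lambda me, r: r["name"] == me,
     {"Employee": {"select", "viewSSN", "viewSalary", "updateContact"}}),
    ("My reports", lambda me, r: r["manager"] == me,
     {"Manager": {"select", "viewSalary"}}),
]

def privileges(me, roles, row):
    """Union of the ACL grants of every data realm the row belongs to."""
    privs = set()
    for _, predicate, acl in REALMS:
        if predicate(me, row):
            for role in roles:
                privs |= acl.get(role, set())
    return privs

def query(me, roles):
    """Rows the user may select; an unauthorized protected column reads as None."""
    result = []
    for row in EMPLOYEES:
        privs = privileges(me, roles, row)
        if "select" not in privs:
            continue   # row is outside every realm that grants select
        result.append({col: None if col in COLUMN_PRIVS and COLUMN_PRIVS[col] not in privs
                       else val for col, val in row.items()})
    return result

def can_update_contact(me, roles, target):
    """True when the user holds updateContact on the target employee's row."""
    row = next(r for r in EMPLOYEES if r["name"] == target)
    return "updateContact" in privileges(me, roles, row)
```

Running query("Nancy", {"Employee", "Manager"}) reproduces the manager view of slide 9: salaries of Luis, John and Daniel visible, SSN visible only on her own row.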

12 RAS Administration Tool: Data Security
(screenshot: data realms on the Employees Table – 1. All records, 2. My record, 3. My reports; Restricted Salary & SSN Columns; Privilege Grants)

13 RAS Administration Tool: ACLs
(screenshot: Grants on all records; Grants on my record; Grants on my reports)

14 RAS Administration Tool: Application Roles
– HR Representatives can view SSN
– Employees can view and update their own records
– Managers can view salaries of their reports

15 Sample HR Application secured with RAS
(screenshot: Regular Employee ‘Luis’ can update certain columns)

16 Sample HR Application secured with RAS
(screenshot: Manager ‘Nancy’ views salaries of her reports)

17 Sample HR Application secured with RAS: Uniform Authorization on All Access Paths
(screenshot: direct connect to DB with SQL*Plus as Manager Nancy)

18 RAS Administration Tool: Policy Creation
(screenshot: Protected Object Policy Wizard)

19 RAS Administration Tool: Policy Creation
(screenshot: defining a data realm using the Predicate Builder)

20 RAS Administration Tool: Policy Creation
(screenshot: defining an ACL by granting privileges to users or roles)

21 Data Security Patterns
Session attribute based – VP can view employee salaries of his organization
Master/Detail – An Employee record and its Job History line items are protected as a single logical record
Parameterized Grant – Managers in each region, e.g., East and West, access employee records, striped based on region
Conditionally related – HR representative can change job designation, if the employee is assigned to him
Exceptions – A contract worker needs temporary access to certain employee records

22 Real Application Security: Rich Application Security Features
Controlled Delegation – VP delegating calendar management function to an Assistant
Effective-date support – Contractor getting access for a specific duration
Negative grants – Access to certain reports allowed only on intranet
Code-based security – Batch programs with elevated privileges to summarize data
Function Security – Conditional rendering of User Interface
Auditing – Application users, privileges, roles are known to database

23 Architecture
(diagram: Applications (Web users, APEX apps, SQL*Plus, JDBC) use Connection Pool Sessions, DB Sessions and RAS Sessions; the database holds the Data Security Policy and exposes Authorization Service Interfaces; external components shown: Auth Access Server, Identity Manager, Entitlement Server, Policy Manager)

24 Integration with APEX and Fusion Middleware: Runtime Integration
Application users continue to be provisioned in identity stores
– User authentication remains in Application Server
RAS session contains application user, its roles, and session context
– Based on authenticated user’s security context
Application code executes within RAS session
– Attached and detached to a db session
(diagram: within an Application Session, a Page Request leads to Attach RAS Session, Application code, Detach RAS Session, then Page Display)

25 RAS with Fusion Middleware 12.1.3
Integrated with Oracle Platform Security Service (OPSS)
RAS Session Service module transparently manages RAS sessions
– RAS Servlet Filter sets up RAS sessions based on OPSS JpsSubject
Application attaches a RAS Session to a JDBC connection:
    ApplicationSessionService.attachSession(conn);
    …
    stmt = conn.createStatement();     // application
    rs = stmt.executeQuery(query);     // code

26 Integration with Oracle APEX 5.0: Native and Transparent Session Integration
APEX can use RAS users, roles, and data security policy
– Instead of custom authorization using VPD
RAS Session is transparently created based on APEX session
For APEX authorization schemes, use RAS ACL check operators

27 Copyright © 2014 NUBO All Rights Reserved. NUBO: Oracle Real Application Security Case Study

28 NUBO Technologies
– Established in 2010; offices in Mexico, India and USA
– Utility-centric vertical solutions
– Enterprise customers such as CFE, one of the largest utility companies in the world

29 What is NUBO Application?
– Centralized Data Management and Storage Platform
– Centralized Integration Point
– Centralized Data Analysis and Analytics: Data Validation, Profiling, Energy Settlement, Line Loss, Data presentation
– Load Research System

30 Centralized Integration Point
(diagram: Extraction, Transformation, Loading; NUBO between Upstream Systems, Downstream Systems and Other Systems; systems shown: CIS System, Billing Support, Load Research System, Distribution Planning, Outage Mgmt System, GIS System, Meter Reading Devices, Meter Reading System)

31 Project Requirements
Consolidate data security
– Many application modules and reports using the same data repository
Fine-grained data access control
– Row/column based on factors such as location, group
Scalable, flexible multi-tier architecture
– Terabytes of data, thousands of users
User and hierarchy based authorization

32 Security Requirements
Access control on multi-dimensional data
– Regional and Organizational Hierarchy data
– Electrical locations
Access control on service delivery points
– Tariff based (Residential, Industrial)
– Virtual Groups: transformers, circuits, and their hierarchy
Rich access control requirements
– Billing data based on routes
– Real time operations: meter connect/disconnect
– Location-based
– Controlled delegation

33 Why Oracle RAS?
Data-level authorizations
– Data realms based on service delivery points
– Parameterized grants based on data dimensions such as Regions and organizations
– Inheritance of data security policy from parent to child tables, e.g., from CUSTOMER to DEVICE, from DEVICE to READING
Operational-level authorizations
– RAS function privileges
User group hierarchy based authorizations
– RAS application roles

34 Our Approach
– Define application authorization requirements
– Create design and ER diagram for authorization
– Identify and define data realms based on requirements
– For Master-Detail data realms, start at parent and inherit them to other child and grand-child tables: able to specify policies on all parent child relations without any table schema changes
– Validate policies and results

35 Conclusion
– With Oracle RAS, we are able to deploy reliable data security solutions that do not require any changes to existing Application Modules, saving time and money
– With rich and flexible set of functionalities of Oracle RAS, we are able to meet a wide range of application security requirements
– Data-centric security makes it easy to demonstrate compliance with security requirements even for new applications

36 Oracle Real Application Security: Benefits for Application Developers
Stronger security
– Enforced regardless of entry points: direct, APEX, or middleware
– Audit end-user activity in database audit trail
Simpler development
– Declarative policy, relieves writing authorization code
– Native support for application roles, application privileges, application users
High Performance Access Control
– Optimized for typical data access patterns within core database
Simpler administration
– Centralized management, end-to-end uniform security across mid-tier and database

37 Oracle Real Application Security: Highlights
Features
– Declarative security in the database
– Supports master-detail, hierarchies, and session based context for authorized rows/columns
– Supports real-world authorization requirements
– Provides data, function, and code security for applications
– Supports new & existing applications
Tools and Integration
– In Oracle Database 12c Enterprise Edition
– Transparent session creation with Oracle FMW 12.1.3 and APEX 5.0
– PL/SQL and Java APIs
– Policy Administration tool (RASADM) preview coming soon

38 Oracle Real Application Security: Resources
– Oracle RAS Developer Guide: docs.oracle.com/database/121
– Oracle RAS Papers: www.oracle.com/technetwork/database/security/real-application-security
– Demogrounds: Moscone South, # SLD-147

39 Oracle Database Security at OpenWorld 2014
Time             | Session Title                                                                                      | Location
Mon 2:45 – 3:30  | Oracle Database Security Innovations in the Year of Megabreaches (CON8204)                         | Moscone South 303
Mon 5:15 – 6:00  | Introducing Oracle Key Vault: Centralize Keys, Wallets, and Java Keystores (CON8189)               | Moscone South 305
Tues 10:45 – 11:30 | Oracle Database 12c: Defense-in-Depth Security (CON8194)                                         | Moscone South 306
Tues 3:45 – 4:30 | Oracle Audit Vault and Database Firewall: What’s New and Best Practices (CON8180)                  | Moscone South 306
Tues 5:00 – 5:45 | Oracle Real Application Security – Next Generation VPD (CON8182)                                   | Moscone South 308
Wed 10:15 – 11:00 | Oracle Advanced Security: Best Practices for Database Encryption and Redaction (CON8186)          | Moscone South 306
Wed 12:45 – 1:30 | Oracle Database Security Strategy and Best Practices: Customer Case Study Panel (CON8192)          | Moscone South 310
Wed 3:30 – 4:15  | Oracle Database Vault with Oracle Database 12c (CON8197)                                           | Moscone South 306
Thur 9:30 – 10:15 | What’s New and Best Practices for Oracle Data Masking and Subsetting (CON8184)                    | Moscone South 306
Plus: Visit the Oracle Database Security pods at the Demo Grounds for discussions and demonstrations!
