Oracle Database Security …from the application perspective.


1 Oracle Database Security …from the application perspective

2 Agenda
• Oracle architecture
  - System architecture
  - Network architecture
• Common Oracle objects
• Schema/object security
• Java security
• Application integration techniques

3 Authentication & credentials (Oracle architecture)
• Can be…
  - OS authentication
  - Userid/password
  - X.509 certificates
  - Smart card
  - Etc.
• Stored in Oracle
  - As MD5 hash

4 Authentication & credentials (cont.)
• Transport encryption
  - DES encryption of db-selected random number w/user's password hash
  - OS-integrated authentication available too
  - Password changes travel unencrypted
• Password management features available
  - Aging & expiration
  - History (e.g., can prohibit reuse of last 3 passwords)
  - Composition & complexity (e.g., require letters + numbers)
  - Account lockout
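The password management features listed on slide 4 map onto an Oracle profile plus a password verify function. The following is an added example, not part of the presentation: the profile name, function name, minimum length and all limit values are assumptions, and ASOK is the sample user from slide 5.

```sql
-- Added example (not from the presentation). Names and limits are assumptions.
-- Run as SYS: a password verify function must be owned by SYS.
CREATE OR REPLACE FUNCTION verify_letters_digits (
  username     VARCHAR2,
  password     VARCHAR2,
  old_password VARCHAR2
) RETURN BOOLEAN IS
BEGIN
  -- Composition & complexity: reject short or trivially guessable passwords
  IF LENGTH(password) < 12 THEN
    RAISE_APPLICATION_ERROR(-20001, 'Password must be at least 12 characters');
  END IF;
  IF UPPER(password) = UPPER(username) THEN
    RAISE_APPLICATION_ERROR(-20002, 'Password must differ from the user name');
  END IF;
  -- Require letters + numbers, as in the slide's example
  IF NOT REGEXP_LIKE(password, '[[:alpha:]]')
     OR NOT REGEXP_LIKE(password, '[[:digit:]]') THEN
    RAISE_APPLICATION_ERROR(-20003, 'Password must contain letters and numbers');
  END IF;
  RETURN TRUE;
END;
/

CREATE PROFILE app_users LIMIT
  PASSWORD_LIFE_TIME       90    -- aging: password expires after 90 days
  PASSWORD_GRACE_TIME      7     -- expiration: 7 days of warned logins, then forced change
  PASSWORD_REUSE_MAX       3     -- history: 3 password changes before an old one is reusable
  PASSWORD_REUSE_TIME      1     -- history: and at least 1 day must have passed
  PASSWORD_VERIFY_FUNCTION verify_letters_digits
  FAILED_LOGIN_ATTEMPTS    5     -- lockout after 5 consecutive failed logins
  PASSWORD_LOCK_TIME       1/24  -- locked account reopens after 1 hour
;

-- Limits apply only to accounts assigned to the profile
ALTER USER asok PROFILE app_users;

-- Verify what is actually enforced
SELECT resource_name, limit
  FROM dba_profiles
 WHERE profile = 'APP_USERS'
   AND resource_type = 'PASSWORD';
```

PASSWORD_REUSE_MAX and PASSWORD_REUSE_TIME work as a pair: if one is an integer and the other is UNLIMITED, a password can never be reused.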

5 Oracle object security
[Diagram: alice's schema (employees, candidates); asok's schema (orders, customers); public objects (all_users)]
grant select on EMPLOYEES to ASOK;

6 Oracle role-based security
[Diagram: hrdata schema (employees, candidates); role hr_steward; DBA]
grant all privileges on EMPLOYEES to HR_STEWARD;
grant HR_STEWARD to CATBERT;

7 Auditing
• Obviously impacts database performance
• Writes high-level info to a common table
  - Database user
  - Object (table, role, etc.)
  - Action (select, insert, etc.)
  - Date/time
• Currently enabled on request to the DBA team
• Difficult to trace actions to a live human
  - Can correlate with IP address

8 Typical modern application
[Diagram: application; application schema (orders, customers)]

9 Shared schemas
[Diagram: Application #1 and Application #2; application #2's schema (orders, customers); arrow labels: select, insert, update; insert, update, delete; select; grant select]

10 Summary
Oracle provides a variety of security features including:
• Identification/Authentication
• Authorization via privileges, roles, and fine-grained security
• Encryption
• Audit trails

11 SQL Security Background
• Windows Live Security Mission
  - Analyze Threats and Risks
  - Define Policy
  - Assess and Audit Compliance
  - Monitor and Operate

12 Platform Security
• SQL Server
  - Follow best practices for application and database configuration
  - Roles and permissions
  - Authentication
  - Validation
  - Administration
  - Server structure
  - Propagation
  - Encryption

