Title: Oracle9i Security
1Oracle Security Identity Management July 20,
2005
Gary Quarles Sr. Solutions Architect Columbus,
OH 614-280-6500 gary.quarles_at_oracle.com
Rafael Torres Sr. Solutions Architect Cincinnati,
OH 513-768-6856 rafael.torres_at_oracle.com
2Agenda
- 9am-1015am
- Identity Management
- OID, User Provisioning, Directory Integration,
Proxy Authentication - Virtual Private Database
- Securing Data Access
- Secure Application Roles
- BREAK (15 mins)
3Agenda (cont)
- 1030am-1145am
- Label Security
- Fine Grained Auditing
- Stored Data Encryption
- Detecting Security Breaches
- Data Privacy Compliance
- Network Encryption
- User Security
- Oblix Roadmap
- 1145am-1pm Buffet Luncheon
- 1pm-115pm Raffle
4Security Legislation
- Sarbanes-Oxley
- Everyone
- Financial statements contain no errors
- Gramm-Leach-Bliley
- Fin Services, Healthcare
- Ensure privacy, security, confidentiality
- Californias Breach Disclosure Law
- Anyone with customers in California
- Audit breach of PII, notify those affected
- Safe Harbor
- Anyone doing business in Europe
- Reasonable steps to secure from unauthorized
access
5Data Privacy Concerns
- Customer information
- protecting customer personally identifiable
information (PII) - Employee information
- majority of privacy regulations provide equal or
greater rights of privacy to employees - Third Party information
- protecting PII of third persons provided to you
by customers or employees
6Data Privacy Compliance
- 25 technical
- 75 policy and procedures
www.oracle.com/consulting
7The Expert View
90 detected computer security breaches in the
past year. 80 acknowledged financial losses
due to computer breaches.
- CSI/FBI Computer Crime and Security Survey
8If you spend more on coffee than on IT security,
then you will be hackedwhat's more, you deserve
to be hacked!Richard ClarkeSpecial Advisor
to the President, Cyberspace Security
9State of Security United States
- 90 of respondents detected computer security
breaches within the last twelve months. - 80 of respondents acknowledged financial losses
due to computer breaches. - 455,848,000 in quantifiable losses
- 170,827,000 theft of proprietary information
- 115,753,000 in financial fraud
- 74 cited their Internet connection as a frequent
point of attack - 33 cited internal systems as a frequent point of
attack
Source CSI/FBI Computer Crime and Security
Survey
10Why Oracle for Security and Identity Management?
- 25 year history
- First Oracle customer was a government customer
- Information Assurance
- 17 independent security evaluations over past
decade - Substantial financial commitment to independent
security evaluations - More evaluations than any other major database
vendor - Culture of security at Oracle
- Robust security features and Identity Management
Infrastructure - Row level security
- Fine Grained Auditing
- Integrated database security and identity
management - Web Single Sign-on, Oracle Internet Directory
- Strong authentication
11Oracle Database 25 years of security leadership
Label Sec ID Mgmt
Column Sec Policies
Security
Evaluation 17
Identity Mgmt Release
Fine Grained
Auditing
Common Criteria (EAL4)
Oracle9iAS JAAS
Oracle9iAS Single Sign-On
Oracle Label Security (2000)
Virtual Private Database (1998)
Enterprise User Security
Oracle Internet Directory
Database Encryption
API
Kerberos framework
Support for
PKI
Radius Authentication
Network Encryption
Oracle Advanced
Security introduced
First Orange Book B1 evaluation (1993)
Trusted Oracle7 Multilevel Secure
Database (1992) Government
customer
1977
2004
12Oracle Application Server 10g
13Identity Management
14Identity Management
- process by which the complete security lifecycle
for users and other entities is managed for an
organization or community of organizations. - management of an organization's application
users, where steps in the security lifecycle
include account creation, suspension, privilege
modification, and account deletion.
15Identity Management Components
16The Identity Challenge
- Redundant, silod application development
- Non-uniform access policies
- Orphan accounts
- Audit/Log information fragmented
17Bring Order to Chaos with Identity
- Centralized, policy-based management of access
authorization - Faster development and deployment
- Centralized audit and logging
18Oracle ID Mgmt Typical Deployments
- Enterprise provisioning
- Heterogeneous integration
- Telco provisioning
- Scalability HA
- Enterprise Portal
- Single Sign-on, administrative delegation
- Government RD Organization, Corporate
Conglomerates - Centralized Identities with autonomous
administration of departmental applications - Multi-hosting with delegated subscriber admin
- Multiple identity realms in one physical
infrastructure HA
19Platform Security Architecture
BPEL Prcs Mgr, BI, Portal, ADF
E-Business Suite
Collaboration Suite
ISV Custom Applications
Application Security
Oracle Application Server
Oracle Application Server
Oracle Application Server
Oracle Database
Oracle Database
Oracle Database
External Security Services
Oracle Platform Security
Oracle Identity Management
Public Key Infrastructure
RBAC Web Authorization
Provisioning Delegated Administration
Directory Integration
SSO Identity Federation
Access Management
Provisioning Services
Directory Services
Oracle Internet Directory
20Internet Directory
- Scalability
- Millions of users
- 1000s of simultaneous clients
- High availability
- Multimaster Fan-out replication
- Hot backup/recovery, RAC, etc.
- Manageability
- Grid Control multi-node monitoring
- Security
- Comprehensive password policies
- Role policy based access control
- Auditability
- Extensibility Virtualization
- Plug-in Framework
- Attribute and namespace virtualization
- External authentication
- Custom password policies
LDAP Clients
OID Server
Directory Admin Console
Oracle Database
21Directory Integration
External Directories
DirectoryIntegrationService
SunOne
Active Directory
OracleInternet Directory
Oracle HR
Oracle DB
OpenLDAP
eDirectory
Connectors
22Provisioning Integration
Corporate HR (Employee Enrollment)
Portal
eMail
ERP,CRM,
OID
Helpdesk Admin
Event Notification Engine
Policy Workflow Engine
Portal Admin
Partner Provisioning System
eMail Admin
Oracle Provisioning Integration Service
Self-service (Pswds, preferences)
23Single Sign-On
OracleAS Enabled Environment
ERP, CRM,
OracleAS Single Sign-on
Portal
PKI, pwd, Win2K Native Auth
Partner SSO (Netegrity, RSA, Oblix)
SecureID, Biokey,
- Integrates Oracle and partner-SSO enabled apps
- Transparent access to DB Tier, 3rd party web apps
- Multiple AuthN options
- Different auth modes to match application
security levels
Federation / Liberty
Partner SSO Enabled Environment
Extranet
24Demonstration
25SSO Benefits
- 1) Tightly integrated with the Oracle product
stack - 2) Easy to deploy, part of Oracle Identity
Management - 3) Supports PKI authentication with industry
standard X.509V3 certificates - 4) Accepts Microsoft Kerberos tokens for easy
authentication in a windows environment - 5) Integrated with Oracle Certificate Authority
(OCA) for easy provisioning of X.509V3
certificates using OCA
26Certificate Authority
Oracle Internet Directory
- Solution for strong authentication / PKI
- Easy provisioning of X.509v3 digital certificates
for end users - Web Based certificate management and
administration - Seamless integration with Oracle Application
Server Single Sign-On OID
User
Oracle Single Sign-On
Metadata Repository
Oracle Certificate Authority
Secure IT Facility
27Future support
- SAML (Security Assertions Meta Language)
- facilitates interoperation and federation among
security services. - SPML (Service Provisioning Meta Language)
- XML standard that facilitates integration among
provisioning environments by defining the
protocol for interaction between provisioning
service components and agents representing
provisioned services. - DSML
- XML standard for exchanging directory data as
well as invoke directory operations over the
Internet.
28Future support (cont)
- XKMS
- XML Key Management Specification. It is intended
to simplify deployment of PKI in a web services
environment. - WS-Security
- defines a set of SOAP extensions that can be used
to provide message confidentiality, message
integrity, and secure token propagation between
Web Services and their clients - Liberty Alliance standards define the framework
and protocol for network identity based
interactions among users and services within a
federated identity management environment.
29Delegated Administration Services
- Admin console w/ role-based customization
- User / group management
- End-user vs Admin views
- Admin delegation
- End-user self-service
- Self service provisioning
- Set preferences, Org-chart
- Pswd reset
- Embeddable admin components
- For integration with Apps
- Extensively configurable
- Accommodate new applications
- Customize UI views
30Demonstration
31Delegated Admin Benefits
- 1) Enables self service administration of
passwords and password resets - 2) Enables administrative granularity of Identity
Management components - 3) Centralized provisioning for web SSO and
enterprise user database access - 4) Supports password or PKI based authentication
- 5) Self Service password management without the
intervention of an administrator - 6) Delegated administrators, such as
non-technical managers, to create and manage both
users and groups - 7) Allows users to search parts of the directory
to which they have access
32Grid ComputingEnd-to-End Security
Data Grid
Application Grid
Securely Proxies User Identity to RDBMS
- Retrieve Authorizations for Users
- Connect users to Application Schema
Authenticate user
Client Authenticates To App Server
OID Identities, Roles Authorizations
33AS10g r2 New 3-tier features
- Via proxy authentication, including credential
proxy of X.509 certificates or Distinguished
Names (DN) to the Oracle Database - Support for Type 2 JDBC driver, connection
pooling for application users (Type 2 and Type
4 JDBC Drivers, OCI) - Integration with Oracle Identity Management for
Enterprise Users (EUS).
34Demonstration
35User Security Benefits
- 1) Enables centralized management of traditional
application users in Oracle Identity Management - 2) Oracle Identity Management directory
integration services can be used for
bi-directional synchronization with existing
Identity Management infrastructures (AD,
SunOne/iPlanet, Netscape) - 3) Optionally map users to shared schemes or
retain individual account mappings in database
for complete application transparency - 4) Optionally manage database roles in Oracle
Identity Management infrastructure - 5) Optionally can be used with Oracle Label
Security to maintain security clearances in
Oracle Identity Management
36Oracle IT Before ID Mgmt
IDs, passwords, profiles, prefs
HR
Oracle Files
IDs, passwords, profiles, prefs
IDs, passwords, profiles, prefs
Employees
E-Business Apps
Oracle Technology Network
IDs, passwords, profiles, prefs
My.oracle.com
IDs, passwords, profiles, prefs
Web Conferencing
Self-registered TechNet users
Web Mail / Calendar
IDs, passwords, profiles, prefs
Numerous Ids / Passwords Sign-On
Global Mail
IDs, passwords, profiles, prefs
Partners / Suppliers
Calendar
DMZ
Corporate Network
Extranet
37Oracle IT After ID Mgmt
HR
Oracle Files
Employees
E-Business Apps
Oracle Technology Network
My.oracle.com
Oracle IdM Infrastructure
Web Conferencing
Self-registered TechNet users
Web Mail / Calendar
Global Mail
Single ID/Pswd SSO
Partners / Suppliers
Calendar
DMZ
Extranet
Corporate Network
38Oracle IdM Summary
- Oracle Identity Management is a complete
infrastructure providing - directory services
- directory synchronization
- user provisioning
- delegated administration
- web single sign-on
- and an X.509v3 certificate authority.
- Oracle Identity Management is designed to provide
ready, out-of-the-box deployment for Oracle
applications, as well as serve as a
general-purpose identity management
infrastructure for the enterprise and beyond.
39Break
40Privacy Access Control
41Oracle9i/10g Secure Application Role
CREATE ROLE SAR identified using
SCHEMA_USER.PACKAGE_NAME
JDBC / Net8 / ODBC
User A, HR Application
User A, Financials Application
Oracle9i 10g
User A, Ad-Hoc Reports
- Secure application role is a role enabled by
security code - Application asks database to enable role (can be
called transparently) - Security code performs desired validation before
setting role (privileges)
42Secure Application Role Benefits
- Security policy can check anything
- time of day
- day of week
- IP address/domain
- Local or remote connection
- user connected through application
- X.509 data, etc.
- Database controls whether privileges are enabled
- Multiple applications can access database
securely - Allows secure handshake between applications and
database
43Demonstration
44Oracle Database 10g Virtual Private Database
- Column Relevant Policies
- Policy enforced only if specific columns are
referenced - Increases row level security granularity
45Oracle Database 10g Virtual Private Database
- Column Filtering
- Optional VPD configuration to return all rows but
filter out column values in rows which dont meet
criteria
46Demonstration
47Object Access Control
DATA TABLE
48Oracle9i/10g Label Security
- Out-of-the-box, customizable row level security
- Design based on stringent commercial and
government requirements for row level security
Sensitivity Label Public Sensitive Highly
Sensitive Confidential Europe
Project AX703 B789C JFS845 SF78SD
Location Chicago Dallas Chicago Miami
Department Corporate Affairs Engineering
Legal Human Resource
49Components of Label Security
Label Components are the encoding within data
labels and user labels that determine access.
- Levels
- Sensitivity Level (e.g., Top Secret, Secret,
Unclassified) - Compartments
- (X,Y,Z), User must possess all
- Groups for Need to Know
- Hierarchical
- Supports Organization Infrastructure
50Oracle Label Security
Oracle9i OLS
Oracle Label Security Authorizations Confidential
Partners
Application Table
Sensitivity Label Public Confidential
Partners Company Confidential Company
Confidential
Project AX703 B789C JFS845 SF78SD
Location Boston Denver Boston Miami
Department Finance Engineering Legal HR
OK
OK
51Demonstration
52Fine-grained Auditing
53The Expert View
Companies that properly maintain the security
of their systems will eliminate 90 percent of all
potential exploits. Companies that fail to take
these precautions should prepare for breaches at
an increasing rate.
- Giga Information
54Stored Data Encryption
- DBMS_OBFUSCATION (9i)
- DBMS_CRYPTO (10g)
55Supported Encryption Standards
- AES (128, 192 and 256 Key)
- RC4 (40, 56, 128, 256 Key)
- 3DES (2 Key and 3 Key)
- MD5
- SHA1
56Demonstration
57Advanced Security Option
- Encryption for data in motion
- RSA RC4 Public Key Encryption
- 40, 56 and 128 bit key lengths
- Support for Data Encryption Standard (DES)
algorithm - Support for Message Digest 5 (MD5) checksumming
algorithm
58Advanced Security Option
- Authentication device support
- RADIUS device
- Token cards (securID for example)
- Biometric devices
- Secure Socket Layer
- With X.509 V3 certificate support
- Support for Open Software Foundations
Distributed Computing Environment (DCE)
59Threats to Networks and Internet
500 becomes 50,000
60Demonstration
61Oblix
- Brief Overview and Roadmap
62Oblix Pure-Play Product Leader
Ability To Execute
Source Gartner Research (June 2004)
63Oblix COREid
COREid Access
- Web Single Sign-On
- Flexible Authentication Methods
- Policy-based Authorization
COREid Identity
- User, Group, and Organization Management
- Delegated Administration
- Self Service and Self Registration
- Unified Workflow
- Identity Web Services Controls
- Password Management
COREid Reporting
- Centralized auditing
- Pre-built identity and security reports
- Global View user access
- Robust logging framework
64Oracle / Oblix IdM Integration Roadmap
Current Portfolios
Integration Roadmap
10g / 10.1.3
Oblix
Federation (Liberty / SAML-2.0)
SHAREid
OracleAS SSO
COREid Access
Web Authorization
Provisioning connectors
COREid Provisioning
Provisioning Integration (DIP)
Delegated Admin Service
COREid Identity
Cert. Authority / PKI (OCA)
Virtual Directory
Meta Directory (DIP)
COREsv Web Services Management
Directory (OID)
Identity Grid Control
65IdM What does Oracle offer today?
Privacy Compliance Management
Enterprise Provisioning Automation
Security Monitoring Audit Services
Web Authorizations
Identity Federation
SSO
Identity Access Mgmt
PKI Certificate Services
Delegated Admin
Policy Based Access Ctrl
Role Based Access Ctrl
Non-web 3rd party SSO
Password Management
Virtual Directory
Meta-Directory
Yes
Identity Integration
Directory
Oracle - Full Functionality
Partner Offering
Planned Functionality
Oracle - Limited Functionality
66Current offering with Oblix today
Privacy Compliance Management
Enterprise Provisioning Automation
Security Monitoring Audit Services
Web Authorizations
Identity Federation
SSO
Identity Access Mgmt
PKI Certificate Services
Delegated Admin
Policy Based Access Ctrl
Role Based Access Ctrl
Non-web 3rd party SSO
Password Management
Virtual Directory
Meta-Directory
Yes
Identity Integration
Directory
Partner Offering
Oracle - Full Functionality
Planned Functionality
Oracle - Limited Functionality
67Thursday, August 11, 2005800 am - 1100
am(Breakfast Registration at 800am) Oracle
Office - Cincinnati 312 Elm StreetSuite
1525Cincinnati, OH 45202
- Oracle COREid Access Identity
- Oracle COREid Federation
- Oracle COREid Provisioning
- Oracle Single Sign On/Oracle Internet Directory
- Oracle Application Server, Enterprise Edition
- Oracle Web Services Manager
http//www.oracle.com/webapps/events/EventsDetail.
jsp?p_eventId42000src3830746src3830746Act41
68A
69Additional Slides
70Security Tips 101
- Oracle Security Step-by-step
- By Pete Finnigan
- SANS Press
71Security Tips 101
- Keep up with security patches!
- Security alerts from Oracle Technology Network
site - Security Issues Website
72Security Tips 101
- Check your file system privileges
- If on Windows, use NTFS not FAT or FAT32
- Prevent seeing passwords with UNIX ps command
- Note 136480.1 or 1009091.6
- Check privileges on export files in OS
73Security Tips 101
- If a full export is done to populate a test
database, immediately change all passwords
- No database user except SYS must have
- ALTER SYSTEM
- ALTER SESSION
74Security Tips 101
- Change default passwords
- List of default users and passwords
- Where to get this list
- SYS should not be CHANGE_ON_INSTALL !!!!
- SYSTEM should not be MANAGER !!!!
75Security Tips 101
- Check scripts that are in the file system that
have embedded passwords!
- Make sure REMOTE_OS_AUTHENT FALSE
- (Allows login without password)
- REMOTE_OS_ROLES FALSE also
- Check for all users with DBA role
- Check for users or roles with an ANY privilege
- UPDATE ANY TABLE
- DROP ANY TABLE
76Security Tips 101
- Revoke RESOURCE role from normal users
- No users or roles should have access to
- dba_users
- Sys.link
- Sys.user
- Sys.user_history
- These have clear text passwords!
77Security Tips 101
- Make sure your listener has a password
- Use Current User database links if possible
- CONNECT TO CURRENT USER
- Check database links from Test, Dev and QA
- instances. Remove any that are not absolutely
necessary
- Avoid plain text passwords in batch files. Use
an - encryption utility
- Avoid external accounts for batch processes
78Security Tips 101
- Use the Oracle Security Checklists
- 9i R2 Security Checklist
- 9iAS Security Checklist
- Or third party utilities to check your security
- Oracle Enterprise Manager 10g includes Security
Checking
79Security Tips 101
- 1. Only two highly trusted DBAs have sys
privileges - 2. All other DBAs log in using unique user IDs
and those IDs be granted ONLY the privileges
needed to do their job. - 3. Partition responsibilities as much as possible
between the DBAs - 4. Security administration, not DBAs, have the
ability to grant or change access privileges - 5. Employ strong password policies
- 6. Audit ALL activities the DBAs do
- 7. Audit ALL activities the two trusted DBAs do
both in their regular login and when connected as
sys. (9iR2 and higher)
80Security Tips 101
- 8. Audit logs are locked out of DBAs reach and
monitored and reviewed by security
administration, possibly stored on a separate
system - 9. Replicate the logs to help identify if a log
has been tampered with - 10. Audit ALL DML on the audit logs
- 11. Set up fine grained auditing alerts on key
information when there is attempted access by
unauthorized persons. These alerts are sent to
the security administrator. - 12. If offshore DBA services are employed, track
everything they do very closely and restrict what
they can see or do.