Oracle OpenWorld 1999 Template

1
Oracle Security
Mary Ann Davidson Director, Security Product
Management Server Technologies
2
Agenda

• Internet Security Issues
• Oracle Database Security
• Oracle Advanced Security
• Oracle Military Security
• Audit and Assurance
• Summary

3
Internet Security Issues (1 of 2)

• Privacy of Communications
• Sensitive Data Storage
• Granular Access Control
• Know your Users

Is an order read or modified in transit?
Network encryption
Is your credit card stored in clear?
Encryption of stored data
Can a customer see only her own order?
Virtual Private Database
Who is accessing the data from the web?
Strong authentication
4
Internet Security Issues (2 of 2)

• Scalability
• Ease of Use
• Flexibility

Can you support 100,000s of users?
Directory integration
Is it easy to use for users administrators?
Directory integration
Can you support different security needs for
employees customers?
Flexible configurations
5
Agenda

• Internet Security Issues
• Oracle Database Security
• Oracle Advanced Security
• Oracle Military Security
• Audit and Assurance
• Summary

6
Database Security Basics

• Oracle8i Standard Edition and Enterprise Edition
  basic security features
• password-based authentication (pre-Oracle7)
• password management (Oracle8.0)
• table and/or view-based security (Oracle7)
• content- and context-based security
• stored procedures (Oracle7)
• business logic-based security
• system and object privileges (Oracle 7)
• roles (Oracle7)
• granular audit options (Oracle7)
• proxy authentication (Oracle8i)
• selective data encryption (DES and triple DES)
  (Oracle8i)

7
Database Security Extras

• Oracle8i Enterprise Edition adds
• row-based, fine-grained security (Virtual Private
  Database)
• Oracle Advanced Security option to Enterprise
  Edition adds
• network encryption (all protocols into the
  database)
• strong authentication (e.g. tokens, smart cards)
• PKI-based authentication
• centralized user management
• Oracle Military Security option to Enterprise
  Edition adds
• label-based access control

8
e-business problemData-driven Security Needed

• E-commerce demands data-driven, user-based
  security
• Customers must see their own orders only
• Cost of ownership
• Build security in one place, not many
• Web-hosting Only invest in one deployment, not
  multiple expensive subnets
• Application-based security is insecure!
• Ad hoc query problem bypass the application and
  there is no security!

9
e-business problemSecurity Policy Needs

• Merchants
• Customers can see their own orders only
• Banks
• Online banking customers can access their own
  accounts only
• Government
• Benefits recipients can see their own Social
  Security information only

10
The solution Virtual Private Database

• Users only see data that they have access to
• Conditions can differ by users
• Data access is managed at the database level
• Fine-Grained Access Control Enforced at server
• Application Context Determines access control
  condition

ORDERS
Sales rep sees orders for his own customers only
Sales Rep
SELECT FROM ORDERS
Customer
Customer sees only their own orders
11
Virtual Private Database

• Associate security policies (implemented by
  functions) with tables or views
• Server automatically enforces security policies
  (no matter how data is accessed)
• Application context provides flexible access
  control definition
• Non-bypassable security eliminates the need of
  using many views to implement security

SELECT FROM ORDERS
ORDERS
SELECT FROM ORDERS
12
Virtual Private Database Benefits to customers

• Works in 2-tier or 3-tier systems
• Highly scalable for Internet applications
• Rewritten queries are fully optimized and can be
  shared
• e.g. 1 SQL statement executes differently for
  50,000 users
• Application context provides flexibility
• Each application can have its own security
  attributes (e.g. employee number, country code,
  position, etc.)
• Built-in security attributes for IP address,
  username, DN from certificate, etc. to use for
  access control

13
Virtual Private Database Benefits to customers

• Lower cost of ownership
• Build security once, in the data server
• Certify core security code, not multiple
  applications
• Remove application security problem
• Enforce same security, no matter how user
  accesses data
• Hosting opportunities
• Host multiple companies data in same database,
  instead of in different subnets
• OracleSalesOnline.com (7,000 customers, 100,000
  users)

14
e-business problemStoring Sensitive Information

• Many businesses store sensitive financial and
  personal information in databases
• credit card numbers
• social security numbers
• Access control the first line of defense
• does not protect against break-ins from operating
  system hacks

15
The solutionStored Data Encryption

• Oracle8i has a simple encrypt/decrypt interface
  (DBMS_OBFUSCATION_TOOLKIT)
• DES (8.1.6)
• Triple DES (2-key and 3-key) (8.1.7)
• MD5 cryptographic checksum
• Application must provide key generation, key
  management, recovery
• Encryption keys must be stored somewhere (e.g.,
  in a database file, on the OS)
• Not difficult to provide secure encrypted data
  storage

16
e-business ProblemSecurity Challenges of
Middle-Tiers
Client A
Application Server or TP Monitor
Database
Client A, B, or C?
Client B
Client C

• Who is the real user?
• Does middle tier have too much privilege?
• Can I keep users from accessing data directly?
• How/who do I audit?
• Can I/should I re-authenticate the client?

17
The solutionProxy Authentication

• Who is the real user?
• Pass through identity of real user to data server
• Does middle tier have too much privilege?
• Limit privilege of middle tier to connect as
  certain users only, using certain roles only
• Can I keep the user from directly accessing data?
  
• Yes, using VPD (Did user connect through
  APPSERVER? If not, no data access!)
• How to audit?
• Audit actions on behalf of real user
• Can I/should I re-authenticate the client?
• Not possible for SSL, optional password-based
  reauthentication

18
Proxy Authentication (plus VPD)
2. Middle tier proxies user identity to database
1. User authenticates to middle tier
User A
User B
User A
User C
User B
User C
Application Server
User D
Oracle8i
User D
User E
User F
User E
3. VPD limits access to data (optionally)
User F
19
Proxy AuthenticationBenefits to customers

• Limited trust model
• No more super-privileged middle tiers
• Scalability
• Supports lightweight user sessions
• No network overhead from re-authenticating client
• Accountability
• Preserves identity of real user
• Audit actions taken on behalf of user

20
Agenda

• Internet Security Issues
• Oracle Database Security
• Oracle Advanced Security
• Oracle Military Security
• Audit and Assurance
• Summary

21
e-business ProblemThreats to Networks and the
Internet
22
The SolutionOracle Advanced Security

• Encrypts all communications with the database
• From clients
• From middle tiers
• Secures all protocols into the database
• Net8
• Native encryption
• Secure Sockets Layer (SSL)
• IIOP
• SSL
• Thin JDBC Clients
• 100 Java version of Oracle Advanced Security

23
Oracle Advanced Security Encryption
Now Available Worldwide

• ASO uses industry-standard algorithms to encrypt
  communications with Oracle8i
• RSA RC4 (40-, 56-, and 128-bit keys)
• DES (40-, 56-bit) and 3DES
• Diffie-Hellman key exchange
• Strength of cryptosystem depends on key
  management
• Automatic, eliminating administrative issues
  associated with encryption

24
Oracle Advanced Security Data Integrity

• Oracle Advanced Security includes a sequenced,
  cryptographic checksum with every packet before
  it is sent
• MD5
• SHA-1
• Automatically detects
• Modifications
• Replays of packets
• Missing packets
• Violations terminate the operation in progress
  and are logged in server log files

25
e-business ProblemKnowing Your Users

• Users have too many passwords
• they write them down
• they make them easy to guess
• they use the same password in multiple locations
• Higher value applications require stronger
  authentication

26
The Solution Strong Authentication, Single
Sign-On

• Oracle Advanced Security offers strong
  authentication through
• Token cards (SecurID)
• Biometrics (Identix)
• RADIUS (supports multiple smart cards,
  fingerprints, etc.)
• PKI
• X.509v3 certificates in Oracle Wallets
• Entrust PKI (8.1.7)
• Oracle Advanced Security supports single sign-on
  through
• Kerberos
• DCE
• PKI

27
e-business ProblemToo Many User Accounts
Name, Address, Mailstop
Connect A/pwda
User A
Application Server or TP Monitor
Connect B/pwdb
Mail Database
Connect C/pwdc
User B
Connect A/pwda
Connect B/pwdb
Name, Address, Mailstop
Connect C/pwdc
User C
HR Database
28
The SolutionEnterprise User Management
Name, Address, Mailstop...
Oracle Internet Directory
Connect /
Mail Database
Connect /
User A
Connect /
Connect /
User B
Connect /
HR Database
Connect /
User C
29
Enterprise User Management

• User management in LDAP-based directory
• User definition
• User authorizations (database roles)
• Multiple enterprise users can connect to/share
  the same database schema
• No need to create users in each database user
  accesses!
• SSL client authentication and single sign-on
• Run-time use of Oracle Internet Directory
• LDAPv3 compliant directory service
• Leverages high scalability, reliability and
  security of Oracle8i

30
Enterprise User Management Benefits to customers

• Stronger security
• SSL-based authentication and encryption
• Lower cost of ownership
• Centralized user administration
• Single enterprise user definition
• Single sign-on over SSL

31
Oracle Advanced Security

• The value-added Internet security bundle for
  Oracle8i
• Network Security
• Encryption (Net8 Native, SSL, Java)
• Strong Authentication (3rd Party Support)
• Single Sign-On (3rd Party, Entrust, PKI)
• Enterprise User Security
• Enterprise User Management
• GUI Tools
• Directory Integration

32
Agenda

• Internet Security Issues
• Oracle Database Security
• Oracle Advanced Security
• Oracle Military Security
• Audit and Assurance
• Summary

33
e-business ProblemLabeled Data Access

• Most organizations explicitly or implicitly label
  data
• Company Confidential, Releaseable under CDA
• How to enforce security by label?
• Privacy a huge consumer concern
• How to OPT OUT easily?
• How to OPT IN easily?

34
The Solution Oracle Military Security

• Mediation of data access based on
• what labels user is able to access
• label of the data
• label authorizations (e.g. ability to change the
  label)
• Markets
• Governments - for sensitive but unclassified data
  (e.g. Top Secret Alpha Project)
• Healthcare (Patient/Doctor)
• Hosting (Company A only, Partner Releaseable)
• Built on VPD

35
Labels
User Label Scott Confidential
Financial Org 401
Row Label
Unclassified Unclassified Unclassified Sensitive C
onfidential Top Secret
Financial Nuclear Financial Personnel
Financial Pipeline
Org 401 Org 401 Org 402 HR Org 401
Denver
Data Rows
Levels
Groups
Compartments
36
Label Components
Confidential Financial Chicago
Compartments
Levels
Groups
Component Description
Examples
Confidential Financial, Strategic US, UK,
COALITION
One indication of the labeled datas
ordered sensitivity ranking Zero or more
optional categories associated with the labeled
data Zero or more optional identifiers
of organizations owning or accessing the data.
Level Compartments Groups
37
Oracle Military SecurityBenefits to customers

• Provides VPD out-of-the-box
• no programming required
• Extends VPD to include label-based access
• Runs on standard commercial operating systems
• Enables data privacy by default
• labels stay with data
• automatic security enforcement based on label
  (e.g. OPT OUT)

38
Agenda

• Internet Security Issues
• Oracle Database Security
• Oracle Advanced Security
• Oracle Military Security
• Audit and Assurance
• Summary

39
Auditing Basics

• Over 180 configurable audit options in the server
• Audit trail location options
• Database, where it can be analyzed via SQL
• Operating System, where it can be consolidated
  with OS audit records
• Audit records include
• username (e.g. JSMITH)
• session and terminal identifier (e.g. 12345)
• name of object accessed (e.g. EMPLOYEES)
• operation performed/attempted (e.g. SELECT)
• completion code
• date and timestamp

40
Audit Details

• Audit option granularity (examples)
• by user (e.g. JANE)
• by privilege use (e.g. use of SELECT)
• by object accessed (e.g. SALARY table)
• by session/by access
• WHEN SUCCESSFUL/WHEN NOT SUCCESSFUL
• SYSDBA and SYSOPER audit records
• startup and shutdown of database
• connection AS SYDBA or AS SYSOPER audited to the
  OS record
• no audit of actions taken as SYS

41
Extensible Auditing

• Database triggers (INSERT, UPDATE) can provide
  additional granularity
• e.g. capture old and new data values when records
  are updated and insert into custom history table
• Database event triggers can further extend audit
• e.g. create security context ON LOGON

42

Audit Performance

• Oracle audit is very efficient
• Audit records are parsed once for both audit and
  execution
• Auditing is implemented in the database, not in
  an additional, add-on server
• Performance may depend on how much data is being
  audited (e.g. auditing all access of all types
  will impact performance)

43
Product Assurance - Security Evaluations

• Only Oracle has multiple independent security
  evaluations of the data servers
• 12 independent security evaluations completed
  (Orange Book, ITSEC, Common Criteria) first
  Common Criteria EAL4 of any type
• Standards-compliant (Common Criteria - ISO
  standard 15048)
• FIPS-140 Level 2 Certification for Oracle
  Advanced Security
• Benefits to customers
• Evaluations ensure that security claims of the
  Oracle server are independently verified
• Evaluations improve product quality and security

44
Agenda

• Internet Security Issues
• Oracle Database Security
• Oracle Advanced Security
• Oracle Military Security
• Audit and Assurance
• Summary

45
Summary Oracle Security

• Oracle has a multitude of security solutions and
  security features, unmatched by other vendors
• Strong, standards-based security
• Security value-add options for enhanced security
• Backed up by independent security evaluations
• Security solutions establish Oracle8i as the
  Database for Internet Computing
• Makes Oracle8i a core component of the
  infrastructure for leveraging the Internet