IOUG SAP SIG: Oracle Database Vault for SAP
Kamal Tbeileh, Principal Product Manager, Oracle Database Security
Andreas Becker, Principal Member, Oracle/SAP Development
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Agenda
• Database Vault Overview
• Realms, Command Rules, and Separation Of Duty
• Database Vault Certification for SAP – Project Details
• Overview
• Technical Details
• Best Practices and more
• Database Vault Best Practices
• Database Vault Performance Numbers
• Feedback and Questions
Oracle Database Security: Continuous Innovation
(Timeline figure spanning Oracle7, Oracle8i, Oracle Database 9i, 10g and 11g, with these features placed along it: Database Auditing, Native Network Encryption, Strong Authentication, Database Encryption API, Virtual Private Database (VPD), Enterprise User Security, Proxy authentication, Oracle Label Security, Fine Grained Auditing, Client Identity Propagation, EM Secure Config Scanning, VPD Column Relevant, VPD Column Masking, TDE Column Encryption, Secure Backup (Tape), Oracle Database Vault, Oracle Audit Vault, TDE Tablespace Encryption, EM Data Masking; one entry is annotated "Government customer".)
Data Security Business Drivers
• Regulatory and Privacy Requirements
• Sarbanes-Oxley (SOX), GLBA, HIPAA, PCI
• Japan, Korea have similar versions of SOX
• Regulations continue to expand in global economy
• Privacy breach disclosure laws
• 40+ US States have such laws
• EU Data Privacy
• Strong IT / Internal Security Controls
• Customers looking for real-time preventive controls
• Separation of duty
• Strong security in outsourcing and off-shoring environments
• COSO, ITIL, COBIT frameworks
Customer Security Requirements
• Restrict full access of privileged users
• Restrict access to application data stored in the database
• Separation of duty controls
• Easily implement environment based access control
• User parameters
• Network parameters
• Database parameters
• Applying on existing and legacy applications
• Highly transparent
• Minimal performance impact
• Less than 5%
Oracle Database Security: Solutions for Privacy and Compliance
(Figure: product overview showing Database Vault, Data Masking, Advanced Security, Label Security, Secure Backup, Audit Vault, Configuration Management and Total Recall.)
Oracle Database Vault
• Controls on privileged users
• Restrict highly privileged users from application data
• Provide Separation of Duty
• Security for database and information consolidation
• Real time access controls
• Control who, when, where and how data is accessed
• Make decision based on IP address, time, auth…
(Figure: Database Vault building blocks: Protection Realms, Command Rules, Multi-Factor Authorization, Separation of Duty, Reports.)
Oracle Database Vault Realms
(Figure: an HR Realm around the HR schema and a Fin Realm around the Fin schema; an HR DBA and a FIN DBA are shown beside their respective realms, and a general DBA outside both.)
• Database DBA views HR data (select * from HR.emp): compliance and protection from insiders
• HR DBA views Fin. data: eliminates security risks from server consolidation
Realms can be easily applied to existing applications with minimal performance impact
Oracle Database Vault: Transparent Multi-factor Authorization
(Figure: an HR account and a FIN DBA issue SELECT… and CREATE… against the HR and FIN schemas; the authorization decision takes factors such as business hours and an unexpected IP address into account.)
Database Vault Certification for SAP: Project Details
• Project Overview
• Technical Requirements
• DBV Software and Documentation
• DBV Installation Preparation
• DBV Installation Steps
• DBV Configuration Steps
• DBV Best practices
• DBV Overview of Changes
• More advanced configurations
• Summary
Database Vault Certification for SAP: Project Overview
• December 2007 - started
• First Database Vault Integration and Evaluation Tests started
• Oracle Release 10.2.0.4 Beta
• DBV 10.2.0.4 Beta Shiphome
• SAP NetWeaver (ABAP+Java) on Linux 32bit
• May 2008 - continued
• Oracle Release 10.2.0.4 Beta/DBV 10.2.0.4 Beta Shiphome
• SAP NetWeaver (ABAP+Java) on Linux 32bit
• SAP NetWeaver (ABAP+Java) on Windows 32bit
• August 2008 – continued
• Oracle Release 10.2.0.4 + DBV 10.2.0.4 (Production)
• SAP NetWeaver (ABAP+Java) on AIX 64Bit
Database Vault Certification for SAP: Project Overview (cont’d)
• August/September 2008 – Today
• Start of Pilot program
Plan:
• Pilot program with ~5 pilot customers until end of 2008
• 2009: DBV Certification for SAP Generally Available
Database Vault Certification for SAP: Technical Prerequisites and Requirements
• Oracle Database Release 10.2.0.4
• Oracle database is installed and configured according to joint Oracle/SAP recommendations
• Database patches: see SAP note 1137346
• Database parameters: see SAP note 830576
• SAP NetWeaver with SAP Kernel Release 7.00+
• SAP BR*Tools Release 7.00 Patchlevel 36+
Database Vault Certification for SAP: DBV software and documentation
• Oracle software for RDBMS and Database Vault can be downloaded from SAP Service Marketplace
• http://service.sap.com/oracle-download
• Oracle 10.2.0.4: RDBMS 10.2.0.4 Patchset, RDBMS Patches
• DBV 10.2.0.4 Software, DBV Patches
• DBV scripts
• Documentation about Oracle Database Vault for SAP
• SAP note 1241462 (accessible for Pilot customers only)
• Planned: Oracle whitepaper about SAP on Oracle with DV
• Oracle documentation (Install Guides, Admin Guide, Release notes, White papers on OTN)
Database Vault Certification for SAP: DBV Installation Preparation Steps
Installation of DBV will affect
• Database Software (ORACLE_HOME)
• Database (Installation of new db components)
• Database Parameters
1. Backup ORACLE_HOME and Oracle Inventory
2. Backup your database (brbackup)
3. Backup your database configuration files (OH/dbs, OH/network/admin: init.ora, sqlnet.ora, tnsnames.ora, listener.ora)
Database Vault Certification for SAP: DBV Installation Preparation Steps (2)
Preparation Steps:
• Create a working directory for the installation (spool output, install logs, software, patches, stages, …)
• Ensure that all database connections are working as expected
• Check database connections (as the ora<sid> and <sid>adm users, before DBV is installed)
• Verify database connection via R3trans –d
• Turn off database auditing
• Can be turned on again after DBV installation
• Rename temporary tablespace
• SQL> ALTER TABLESPACE PSAPTEMP RENAME TO TEMP;
Database Vault Certification for SAP: DBV Installation Preparation Steps (3)
Preparation Steps:
• Configure Oracle Enterprise Manager DB Control
• EM DB Control is per default not configured in SAP envs.
• Prerequisite for Database Vault Administrator (DVA) GUI
• DVA uses same OC4J configuration as DB Control
• Run Database Configuration Assistant DBCA to install EM DB Control
• % dbca
Database Vault Certification for SAP: DBV Installation Preparation Steps (4)
Preparation Steps:
• Download and extract Database Vault Policy Scripts for SAP
• Run the prerequisite script before installing DV; it creates the new database accounts:
sqlplus / as sysdba
SQL> @dbv_sap_prerequisite_script.sql
Database Vault Certification for SAP: DBV Installation Preparation Steps (5)
Last preparation Steps:
• Download Database Vault Software from SAP Service Marketplace and extract to a staging area
• Stop SAP Application
• Shutdown Oracle Instance and all Oracle processes running from the ORACLE_HOME
Database Vault Certification for SAP: DBV Installation Steps (1)
• Start runInstaller from DBV stage: ./runInstaller (interactive or silent install)
Database Vault Certification for SAP: DBV Installation Steps (1, cont’d)
Database Vault Administrator URL:
https://<hostname>:1158/dva
Enterprise Manager Database Control URL:
https://<hostname>:1158/em
Database Vault Certification for SAP: DBV Installation Steps (2)
Post-Installation Steps
• Rename temporary tablespace back
• SQL> ALTER TABLESPACE …
• Adapt certain database parameters that were changed during DBV installation
• os_authent_prefix, remote_os_authent
• Start EM DB Control
• % emctl start dbconsole
• Run DBV Post-Install Scripts for SAP
• post_dbv_install_secadmin.sql
• post_dbv_install_secacctmgr.sql
• Logon to DBV Administrator
Database Vault Certification for SAP: DBV Installation Steps (3)
Logon to DBV Administrator as SECADMIN
Database Vault Certification for SAP: DBV Configuration Steps (1)
Run DBV configuration scripts for SAP
sqlplus /nolog
SQL> connect SECADMIN/<pwd>
SQL> spool create_dbv_sap_policies.log
SQL> @create_dbv_sap_policies.sql
SQL> spool off
Database Vault Certification for SAP: DBV Configuration Steps (2)
Run tests
• Basic Database connection tests
• SAP Application
• Start/stop
• Database Administration Tasks
• SAP BR*Tools
• Backup/Recovery
• Daily Database Administration Tasks
• SAP Administration Tasks
• ...
Database Vault Certification for SAP: DBV Best Practices
• Configure glogin.sql for sqlplus
• cd $ORACLE_HOME/sqlplus/admin
• Add the following lines to glogin.sql:
-- Set SQL prompt
SET sqlprompt "_user _privilege '@' _connect_identifier>"
Result:
sqlplus / as sysdba
SYS AS SYSDBA @ QO1> connect / as sysoper
PUBLIC AS SYSOPER @ QO1> connect /
OPS$ORAQO1 @ QO1>
Database Vault Certification for SAP: Overview of changes
Installation of DBV changes and affects:
• New software component
• New database components and database users
Database Vault Certification for SAP: Overview of changes
• New database schemas for Database Vault
• SYSMAN schema (EM Repository)
• DVSYS/DVF schema (DBV Repository)
• New Database Vault Accounts
• SECADMIN: DBV Security Administrator, manages DBV security policy
• SECACCTMGR: DBV Account Manager, creates/drops/alters database users
Database Vault Certification for SAP: Overview of changes
• New database accounts for SAP
• ABAP_CRED_MGR: account to manage SAP account password
• SUPPORT_USER: Login account for Oracle/SAP Support
• locked by default
• EMERGENCY_USER: Login account in an emergency / support situation
• Same privileges as SUPPORT_USER
Database Vault Certification for SAP: Overview of changes
• New database accounts for SAP
• BR_DBA: DBA account (instead of Oracle default account SYSTEM)
• Account with DBA privilege for database administration with SAP BR*Tools
• Replaces Oracle Default DBA account SYSTEM
Database Vault Certification for SAP: GOAL
• GOAL: Protection of SAP Application Data
• DBA/SYSDBA account can not see/access SAP data any more:
sqlplus / as SYSDBA
SQL> select * from SAPSR3.T100;
ORA-01031: insufficient privileges
Database Vault Certification for SAP: Defined Realms
• Default Realms
• Oracle Database Vault Account Management
• Oracle Database Vault
• Oracle Data Dictionary
• Oracle Enterprise Manager
• SAP Realms
• SAP Protection Realm for ABAP Stack
• SAP Protection Realm for Java Stack
• SAP Application Administration Realm for SAP BRTools
• SAP Application Credential Protection Realm
• SAP Application Protection Realm for SAP Admin Roles
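The realm and multi-factor behaviour sketched in the earlier Realms and Multi-factor Authorization figures, and the ORA-01031 shown on the GOAL slide, come down to a handful of DBMS_MACADM calls. The block below is an added illustration written for this page, not the contents of Oracle/SAP's create_dbv_sap_policies.sql or of the realms listed above; SAPSR3 and SECADMIN come from the deck, while the realm, rule and rule-set names, the EXAMPLE_SAP_SUPPORT account and the 10.0.0.% subnet are constructed placeholders.

```sql
-- Illustrative Database Vault policy for a SAP schema, run as the DBV security
-- administrator (SECADMIN on this page). Realm, rule, rule-set and account names
-- and the 10.0.0.% subnet are constructed for this example; this is NOT the
-- content of create_dbv_sap_policies.sql.
BEGIN
  -- 1. Realm around the SAP ABAP schema SAPSR3 (the schema on the GOAL slide).
  --    A realm blocks access that relies on system privileges such as SELECT ANY
  --    TABLE, also when connected AS SYSDBA, which is why "select * from
  --    SAPSR3.T100" fails with ORA-01031; SAPSR3 still reaches its own tables
  --    as object owner.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Example SAP ABAP Protection Realm',
    description   => 'Example: protects all SAPSR3 objects',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- audit every violation
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Example SAP ABAP Protection Realm',
    object_owner => 'SAPSR3',
    object_name  => '%',      -- all objects ...
    object_type  => '%');     -- ... of all types
  -- 2. Multi-factor rule set: business hours AND an expected client address.
  --    DVF.F$CLIENT_IP is one of Database Vault's default factor functions.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Example Business Hours',
    rule_expr => 'TO_NUMBER(TO_CHAR(SYSDATE, ''HH24'')) BETWEEN 8 AND 17');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Example Expected Client Subnet',
    rule_expr => 'DVF.F$CLIENT_IP LIKE ''10.0.0.%''');   -- constructed subnet
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Example SAP Support Access',
    description     => 'Example: all rules must pass',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,     -- AND, not OR
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,    -- show the message
    fail_message    => 'Outside business hours or unexpected IP address',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Example SAP Support Access',
                                   'Example Business Hours');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Example SAP Support Access',
                                   'Example Expected Client Subnet');
  -- 3. Realm authorization: a named support account (constructed name) may use
  --    its privileges inside the realm only while the rule set evaluates TRUE.
  --    Accounts without an authorization, SYSDBA included, stay blocked.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Example SAP ABAP Protection Realm',
    grantee       => 'EXAMPLE_SAP_SUPPORT',
    rule_set_name => 'Example SAP Support Access',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
  -- 4. Command rule: DROP TABLE on SAPSR3 objects is gated by the same factors
  --    for everyone, including accounts that are authorized in the realm.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DROP TABLE',
    rule_set_name => 'Example SAP Support Access',
    object_owner  => 'SAPSR3',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
-- Check what was created (DVSYS-owned data dictionary view).
SELECT name, enabled FROM DVSYS.DBA_DV_REALM WHERE name LIKE 'Example%';
```

Every blocked attempt is recorded because the realm and rule set use the AUDIT_FAIL options, so the Database Vault reports mentioned on the Separation of Duty slides show who tried what and when.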
Database Vault Certification for SAP: More advanced configurations
• Real Application Clusters / RAC
• Transparent for DBV
• Data Guard Physical Standby
• Transparent for DBV
• MCOD
• Customer input is needed
• 3rd-party application installed
• Generic guidelines
Database Vault Certification for SAP: Summary – Current Status – Plans
• Initial evaluation tests with DBV and SAP started December 2007
• Internal Integration tests with SAP and DBV still ongoing (2008) during pilot phase
• Pilot tests started in September 2008
Database Vault Separation of Duty
• Database Vault defines three main responsibilities
• Account Management responsibility
• Security Administration responsibility
• Traditional DBA responsibility
• These responsibilities can be further subdivided
• Security Administration responsibility:
• Security Administration
• Security Reporting
• Traditional DBA responsibility: with rule sets and command rules, it can be subdivided to any required level.
• Optionally can be consolidated to:
• Security and Account Management responsibility
• Resource Management responsibility
Separation of Duty Best Practice
• SOD is important for companies Big and Small
• Have separate accounts:
• Named accounts for database account management
• Named accounts for Database Security Administration
• Named accounts for DBAs
• Create at least two named accounts for each responsibility
• Auditors look for:
• Separate database accounts for different responsibilities
• Being able to track the actions of each account
• Less important is the Number of people doing the tasks
• Database Vault audit events are protected
• Reports show any attempted violations
Best Practices For Deploying Database Vault: Main Stages and their Steps
• Strategy Analysis and Design Stage
• Build and Document Stage
• Recommendations for
• Pre-Installation
• Installation
• Post Installation
• Naming Convention
• Transition and Production Stages
• Deployment Recommendations
Identifying Your Security Requirements: What to protect and who to authorize
• What databases and applications need to be protected?
• Oracle Applications
• Partner Applications
• Custom Applications
• Who needs to be authorized to access business data?
• Application Owners through middle tier processes
• Business Users through Application interface
• Who needs to manage the system without accessing business data?
• Back end users for:
• Backup
• Patching
• Tuning and Monitoring
Identifying Your Security Requirements How to implement Separation of Duty?
• Who will be setting up new database accounts?
• Who will be running security audit reports?
• Who will be doing security administration of the database?
• Creating Realms and Command Rules
• Setting security policies for database users’ access
• Authorizing database users to what they are allowed to do
• Who are the Alternate accounts for management and security?
Identifying Your Security Requirements What is the current access structure?
• Who are all the users currently having access?
• What kind of access do they need?
• Application Owners -> data access
• Patching DBAs -> temporary access during patching time only
• Backup DBAs -> predefined time to do backup using predefined tools
• Tuning DBAs -> on-going performance monitoring and analysis
• Developers -> access to development instances only
• Data Masking or Scrambling is required
• Create a separation of duty matrix of who will be doing what, when, and how
• Create an Application Protection Matrix
Build and Document Stage
• Build your Security Policies using API scripts
• Document the Application Security policies with:
• The Separation of Duty Matrix
• The Application Protection Matrix
• Document processes and procedures for daily use cases:
• Backup
• Patching
• Tuning and Monitoring
• Document production database accounts
• The responsibilities of each
• Which should be locked by default
• When to use sys or system logins
• Document Emergency or “Break the Glass” Scenarios
• Reporting in production environment:
• Define which reports to run and who runs them
• Identify the needed frequency for each report
• Identify the parties these reports need to go to
Transition and Production Stages
• Run a Full Test of Your Application
• Monitor Performance and tune your rule expressions
• Apply Your DBV API scripts to production environment
• Hand responsibilities to the production support and security groups
• Hand Security responsibility to the Database Security Admin
• Hand Account Management to the Database Account Manager
• Hand Resource Management to the DBAs
• Backup Your DBV API scripts in a Secure Server
Database Vault Performance Numbers
Database Vault Performance Numbers: Test Profile
• Performed OLTP tests on ALL versions of DB Vault
• 9.2.0.8
• 10.2.0.3
• 11.1
• Each test had 6 different measure points:
• Vanilla Database without DB Vault
• DB Vault enabled
• Setup Realm by itself
• Setup Command Rules without Realm
• Setup Realms and Command Rules
• Setup Command Rules, Realms, plus a CONNECT command rule
• 10.2.0.3 and 11.1:
• Hardware profile:
• Linux 64 bit on Em64t Dell server
• 4 CPUs with 3.40 GHz
• 4 GB of RAM
• Number of users:
• 20 dedicated users with multiple connections each
• Ramp up to over 400 concurrent database connections
• 9.2.0.8:
• Hardware profile:
• Sun Solaris 9 Sparc, 64 bit on Sun4800-6 Sun-Fire server
• 8 CPUs
• 4 GB of RAM
• Number of users:
• 20 dedicated users with multiple connections each
• Ramp up to over 400 concurrent database connections
Database Vault Performance Numbers: Results
• 10.2.0.3 numbers:
• Vanilla Database without DB Vault - Base
• DB Vault enabled
• zero overhead (within the margin of error 0.25 %)
• Setup a Realm by itself
• 1% overhead
• Setup Command Rules without Realm
• 1% overhead or less
• Setup Realms and Command Rules
• 1% to 1.5 % overhead
• Setup Command Rules, Realms, plus a CONNECT command rule
• 1% to 2% overhead
Database Vault Performance Numbers: Results (cont’d)
• 9.2.0.8 and 11.1 numbers are comparable
• This is consistent with the fact that DB Vault 9i is a back port of 11g
• 9.2.0.8 and 11.1 numbers:
• Vanilla Database without DB Vault - Base
• DB Vault enabled
• zero overhead (within a margin of error 0.25 %)
• Setup Realm by itself
• less than 1% overhead
• Setup Command Rules without Realm
• 1% overhead or less
• Setup Realms and Command Rules
• 1% to 1.5% overhead
• Setup Command Rules, Realms, plus a CONNECT command rule
• 1% to 1.5% overhead
Database Vault Performance Numbers: Conclusion and Best Practice
• The numbers are great!
• There is still room for improvement – we are working on it
• Customers deploying DB Vault in production:
• Should apply typical DB tuning if they face performance issues
• Should tune their rule expressions
• Should simplify their security policies
• Performance depends on many factors like:
• Network, Hardware, Operating System, etc.
• These need to be tuned as well
• Should budget no or an extra 5% HW resources at max for DB Vault
Database Vault certification with SAP
• Work has started
• Customer Pilot kick-off in June 2008
• Pilot Customers should have the following profile:
• Existing production customers with SAP on Oracle database
• Customers have to be on 10.2 database
• Customers have to be on SAP ERP 2005 (SAP 6.1) or higher
• Send your nominations to me: ([email protected])
Learn More
SAP Service Marketplace site
• Visit: http://service.sap.com/oracle-download
Oracle Technical Information, Demos, Software
• Visit OTN: otn.oracle.com -> products -> database -> security and compliance