Oracle Database Security …from the application perspective


Upload: garey-parsons

Post on 21-Jan-2016


TRANSCRIPT

Page 1: Oracle Database Security …from the application perspective

Oracle Database Security

…from the application perspective

Page 2: Oracle Database Security …from the application perspective

Agenda

• Oracle architecture
• System architecture
• Network architecture
• Common Oracle objects
• Schema/object security
• Java security
• Application integration techniques

Page 3: Oracle Database Security …from the application perspective

Authentication & credentials

• Can be…
    • OS authentication
    • Userid/password
    • X.509 certificates
    • Smart card
    • Etc.
• Stored in Oracle
    • As MD5 hash

Oracle architecture

Page 4: Oracle Database Security …from the application perspective

Authentication & credentials (cont.)

• Transport encryption
    • DES encryption of db-selected random number w/user’s password hash
    • OS-integrated authentication available too
    • Password changes travel unencrypted
• Password management features available
    • Aging & expiration
    • History (e.g., can prohibit reuse of last 3 passwords)
    • Composition & complexity (e.g., require letters + numbers)
    • Account lockout

Page 5: Oracle Database Security …from the application perspective

Oracle object security

grant select on EMPLOYEES to ASOK;

[Diagram: alice’s schema (employees, candidates); asok’s schema (orders, customers); Public objects (all_users)]

Page 6: Oracle Database Security …from the application perspective

Oracle role-based security

grant all privileges on EMPLOYEES to HR_STEWARD;
grant HR_STEWARD to CATBERT;

[Diagram: hrdata schema (employees, candidates); role hr_steward; DBA]

Page 7: Oracle Database Security …from the application perspective

Auditing

• Obviously impacts database performance
• Writes high-level info to a common table
    • Database user
    • Object (table, role, etc.)
    • Action (select, insert, etc.)
    • Date/time
• Currently enabled on-request to DBA team
• Difficult to trace actions to a live human
    • Can correlate with IP address

Page 8: Oracle Database Security …from the application perspective

Typical modern application

[Diagram: application; application schema (orders, customers)]

Page 9: Oracle Database Security …from the application perspective

Shared schemas

[Diagram: Application #1; Application #2; application #2’s schema (orders, customers). Privilege sets shown: "select, insert, update"; "insert, update, delete, select, grant"; "select"]
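An added example (not from the original slides) of the shared-schema arrangement, using roles as on the role-based security slide so that a second application gets only the privileges it needs, followed by dictionary queries to review the result. The schema owner APP2, the login APP1_SVC and the role names are hypothetical; the syntax is Oracle SQL, run as a DBA.

```sql
-- Added example; APP2 (schema owner), APP1_SVC (Application #1's login)
-- and the role names are hypothetical.

-- One role per access pattern instead of direct, per-user grants.
CREATE ROLE app2_orders_rw;
CREATE ROLE app2_customers_ro;

-- Application #1 may read and change orders but never delete them,
-- and may only read customers.
GRANT SELECT, INSERT, UPDATE ON app2.orders TO app2_orders_rw;
GRANT SELECT ON app2.customers TO app2_customers_ro;

-- No WITH ADMIN OPTION: the consuming account cannot pass the roles on.
GRANT app2_orders_rw, app2_customers_ro TO app1_svc;

-- Review: everything granted on APP2's objects, and to whom.
SELECT grantee, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'APP2'
 ORDER BY grantee, table_name, privilege;

-- Findings worth fixing: grants to PUBLIC, or grants the grantee can re-grant.
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'APP2'
   AND (grantee = 'PUBLIC' OR grantable = 'YES');

-- Which accounts hold the roles, and whether they can administer them.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role IN ('APP2_ORDERS_RW', 'APP2_CUSTOMERS_RO');
```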

Page 10: Oracle Database Security …from the application perspective

Summary

Oracle provides a variety of security features including:

• Identification/Authentication
• Authorization via privileges, roles, and fine grained security
• Encryption
• Audit trails

Page 11: Oracle Database Security …from the application perspective

SQL Security Background

● Windows Live Security Mission

Page 12: Oracle Database Security …from the application perspective

Platform Security

SQL Server
Follow best practices for application and database configuration
• Roles and permissions
• Authentication
• Validation
• Administration
• Server structure
• Propagation
• Encryption