Oracle Database Security
…from the application perspective
Agenda
- Oracle architecture
  - System architecture
  - Network architecture
- Common Oracle objects
  - Schema/object security
  - Java security
  - Application integration techniques
Authentication & credentials
- Can be…
  - OS authentication
  - Userid/password
  - X.509 certificates
  - Smart card
  - Etc.
- Stored in Oracle as MD5 hash

Oracle architecture (diagram slide)
Authentication & credentials (cont.)
- Transport encryption
  - DES encryption of a db-selected random number with the user's password hash
  - OS-integrated authentication available too
  - Password changes travel unencrypted
- Password management features available
  - Aging & expiration
  - History (e.g., can prohibit reuse of last 3 passwords)
  - Composition & complexity (e.g., require letters + numbers)
  - Account lockout
Oracle object security (diagram slide)
- alice's schema: employees, candidates
- asok's schema: orders, customers
- Public objects: all_users
- Example grant shown: grant select on EMPLOYEES to ASOK;
Oracle role-based security (diagram slide)
- hrdata schema: employees, candidates
- hr_steward role, granted by the DBA:
  - grant all privileges on EMPLOYEES to HR_STEWARD;
  - grant HR_STEWARD to CATBERT;
Auditing
- Obviously impacts database performance
- Writes high-level info to a common table
  - Database user
  - Object (table, role, etc.)
  - Action (select, insert, etc.)
  - Date/time
- Currently enabled on-request to DBA team
- Difficult to trace actions to a live human
  - Can correlate with IP address
Typical modern application (diagram slide)
- application schema: orders, customers
- application (connects to its own schema)
Shared schemas (diagram slide)
- application #2's schema: orders, customers
- Application#1 and Application#2 both access it
- Privilege sets shown on the diagram arrows: select/insert/update; insert/update/delete/select/grant; select
Summary
- Oracle provides a variety of security features including:
  - Identification/Authentication
  - Authorization via privileges, roles, and fine-grained security
  - Encryption
  - Audit trails
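The password-management, role-based, shared-schema and auditing controls from the slides above, as one added worked example (not from the original deck). It assumes Oracle with traditional auditing enabled (audit_trail=DB), schema HRDATA with table EMPLOYEES, role HR_STEWARD, user CATBERT, application accounts APP1 and APP2 (APP2 owning ORDERS and CUSTOMERS), and a profile named APP_PROFILE; the role APP2_READER and the privilege choices are the example's own, chosen to show least privilege instead of ALL PRIVILEGES.

```sql
-- Assumed names: HRDATA.EMPLOYEES, roles HR_STEWARD / APP2_READER,
-- users CATBERT, APP1, APP2, profile APP_PROFILE (all illustrative).

-- 1. Password management (slide "Authentication & credentials (cont.)"):
--    aging, history of the last 3 passwords, lockout after failed logins.
CREATE PROFILE app_profile LIMIT
  PASSWORD_LIFE_TIME     90
  PASSWORD_GRACE_TIME    7
  PASSWORD_REUSE_MAX     3
  PASSWORD_REUSE_TIME    UNLIMITED   -- needed for PASSWORD_REUSE_MAX to apply
  FAILED_LOGIN_ATTEMPTS  5
  PASSWORD_LOCK_TIME     1/24;       -- lock for one hour (fraction of a day)
ALTER USER app1 PROFILE app_profile;
ALTER USER app2 PROFILE app_profile;

-- 2. Role-based access (slide "Oracle role-based security"):
--    grant only the privileges the steward needs, not ALL PRIVILEGES.
CREATE ROLE hr_steward;
GRANT SELECT, INSERT, UPDATE, DELETE ON hrdata.employees TO hr_steward;
GRANT hr_steward TO catbert;

-- 3. Shared schema (slide "Shared schemas"): application #1 reads
--    application #2's tables through a read-only role; nothing is
--    granted WITH GRANT OPTION, so APP1 cannot re-grant access.
CREATE ROLE app2_reader;
GRANT SELECT ON app2.orders    TO app2_reader;
GRANT SELECT ON app2.customers TO app2_reader;
GRANT app2_reader TO app1;

-- 4. Audit trail (slide "Auditing"): record user, object, action, time.
AUDIT SELECT, INSERT, UPDATE, DELETE ON hrdata.employees BY ACCESS;

-- 5. Checks to run afterwards.
-- Who holds which privilege on EMPLOYEES, and whether it is re-grantable:
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'HRDATA' AND table_name = 'EMPLOYEES';
-- Object privileges granted directly to application accounts (expect none):
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee IN ('APP1', 'APP2');
-- Recent audited actions on EMPLOYEES, correlated with the client host:
SELECT username, os_username, userhost, obj_name, action_name, timestamp
  FROM dba_audit_trail
 WHERE obj_name = 'EMPLOYEES'
 ORDER BY timestamp DESC;
```

The second check is the one that catches direct grants to application accounts that bypass the roles; the third shows the user/object/action/time/host fields the Auditing slide lists.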