Slide 1: Database Vault

Welcome, today I’d like to present an overview of the latest security product from Oracle – Database Vault. We announced this new product in late April at the huge Oracle user group conference called Collaborate 06 in Nashville, TN. You may have seen some press releases from Oracle and our partners around this exciting new product.
Slide 2: Why Database Vault? Protecting Access to Application Data

- “Legal says our DBA should not be able to read financial records, but the DBA needs to access the database to do her job. What do we do?”
- “Our auditors require that we separate account creation from granting privileges to accounts.”
- “No user should be able to bypass our application to access information in the database directly.”
- “New DBAs should not be able to make database changes without a senior DBA being present.”
Slide 3: Why Database Vault?

- Regulations such as Sarbanes-Oxley (SOX), the Gramm-Leach-Bliley Act (GLBA) and Basel II require strong internal controls and separation of duty
- Internal threats are a much bigger concern today and require enforcement of operational security policies: who, when and where can data be accessed?
- A database consolidation strategy requires preventive measures against access to application data by powerful (DBA) users

Database Vault is designed to address what customers have told us are some of their most pressing security-related business problems. At Oracle headquarters in California we frequently get the opportunity to talk to customers from around the world and from virtually every industry imaginable, and these business problems seem to resonate with virtually every customer.

I’m sure you’ve all heard the phrase “regulatory compliance”; who hasn’t, it’s certainly being used a lot. I think one of the biggest benefits of regulatory compliance has been awareness: it has really forced customers to take a long hard look at their business practices. Two of the common themes in many regulations are strong internal controls and separation of duty. Database Vault provides the technology to address these two security problems.

In addition, customers are much more concerned about the internal threat today. I don’t mean to say that everyone’s DBA is up to no good, but rather that customers are looking for preventive measures to put in place. They want the ability to enforce operational policies on who, when and where data can be accessed.

Another common security problem is the powerful DBA. Most applications out there today were not designed with the principle of least privilege, meaning that the application owner has only the minimum privileges necessary. In fact, it’s exactly the opposite. Database Vault provides the ability to restrict the powerful application owners and DBAs which reside in a consolidated database environment.
Slide 4: Common Security Problems on Financial Data

- I have requirements around SOX and PCI; how can I prevent my DBA from looking at the application data, including credit cards and personal information?
- How can I prevent unauthorized modifications to my application and database?
Slide 5: Oracle Database Vault Feature Overview

- Controls on privileged users: restricts privileged users from accessing application data; enforces separation of duty
- Real-time access controls: controls access based on IP address, authentication method, time of day, ...
- Transparency: no changes to applications required
Slide 6: Database Vault True “Separation of Duty”

- Protect any database object from any user (realm): function, job, package, synonym, trigger, view, table
  - Prevent users from viewing application data
  - Prevent DBA users from creating powerful users
- Prevent any user from executing a command (command rule): alter table, drop user, insert, create index, analyze
- Protect an object from its schema owner: the HR user cannot modify HR objects
- Leverage sys_context (multi-factor authorization): only modify database structure from a local IP; only accept DML statements based on date or time
- Leverage built-in or user-defined factors: machine, user, domain, language, protocol, etc.

Oracle Database Vault provides 6 key pieces of security functionality. The concept of a REALM is the most important. You can think of a REALM as a protection boundary or firewall you define inside the database. Realms are easy to define and, once in place, they prevent powerful users such as the DBA from getting at application data.

Multi-factor authorization is another extremely important addition provided by Database Vault. Some of you may be familiar with the term multi-factor authentication. Multi-factor authorization is similar in that it enables a series of security checks prior to giving access to a database, application or application table. For example, you can tell Database Vault to check things like IP address and time of day before giving access to the database, application or a specific realm; it’s very flexible.

The security behind Database Vault is managed by a security account and not by the Oracle DBA or SYSDBA. This provides separation of duty, meaning the DBA isn’t the one who controls the realms, factors and so forth.

Command rules are another important addition. They enable rules to be associated with database commands; the rule is evaluated prior to allowing the command to execute, a powerful feature.

Oracle Database Vault also provides auditing, so that you can track when a realm has blocked someone attempting to access an application. In addition, over 3 dozen security-related reports are provided out of the box.
Slide 7: Command Rule Flexibility

Alter Database, Alter Table, Alter Function, Audit, Alter Tablespace, Alter Package Body, Alter Procedure, Alter Profile, Alter Session, Alter System, Alter Synonym, Alter Trigger, Alter User, Password, Alter View, Change Password, Connect, Comment, Create Function, Create Index, Create Package, Create Database Link, Create Procedure, Create Role, Create Package Body, Create User, Create View, Create Table, Grant, Insert, Noaudit, Rename, Lock Table, Create Tablespace, Create Trigger, Truncate Table, Update, Delete, Execute, Select

Earlier we showed how a command rule can be associated with the Alter System command. Here’s a list of some of the other commands which can have rules associated. As you can see, the list is quite extensive.
Slide 8: Built-In Factors

Authentication Method, Session User, Client IP, Database Name, Domain, Machine, Database Domain, Database Instance, Network Protocol, Database IP, Enterprise Identity, Proxy Enterprise Identity, Language, Database Hostname, Date Time

Here’s a list of the built-in Database Vault factors that can be used in conjunction with Database Vault Realms and Command Rules. You can also add your own factors through the GUI.

Authentication Method: Returns the method of authentication. A password-authenticated enterprise user, a local database user, SYSDBA or SYSOPER using the password file, or a proxy with username using a password returns PASSWORD. A Kerberos-authenticated enterprise or external user returns KERBEROS. An SSL-authenticated enterprise or external user returns SSL. A Radius-authenticated external user returns RADIUS. An OS-authenticated external user or SYSDBA or SYSOPER returns OS. A DCE-authenticated external user returns DCE. A proxy with certificate, DN, or username without using a password returns NONE. You can use IDENTIFICATION_TYPE to distinguish between external and enterprise users when the authentication method is Password, Kerberos, or SSL.

Session User: For enterprise users, returns the schema. Database user name by which the current user is authenticated. This value remains the same throughout the duration of the session.

Database Domain: Domain of the database as specified in the DB_DOMAIN initialization parameter.

Machine: Provides the machine name for the current session.

Enterprise Identity: The user's enterprise-wide identity. For enterprise users this returns the Oracle Internet Directory DN. For external users this returns the external identity (Kerberos principal name, Radius and DCE schema names, OS user name, certificate DN). For local users and SYSDBA and SYSOPER logins it returns NULL. The value of the attribute differs by proxy method. For a proxy with DN, the Oracle Internet Directory DN of the client. For a proxy with certificate, the certificate DN of the client for external users; the Oracle Internet Directory DN for global users. For a proxy with username, the Oracle Internet Directory DN if the client is an enterprise user; NULL if the client is a local database user.

Proxy Enterprise Identity: Returns the Oracle Internet Directory DN when the proxy user is an enterprise user.

* Additional factors can be defined
Slide 9: Web Based Administrative Interface

- Web based management: Realms, Rules, Factors, Reports, Dashboard

This is the web based administration console. Please note that the product name is “Database Vault” and not “Data Vault”; the screen shots were taken before the final product name was determined. From here you can manage Realms, Factors, Rule Sets and Command Rules as well as integration points with Oracle Label Security. You also have access to more than 3 dozen security-related reports via the two report tabs. The monitor tab provides some graphs as well as direct access to some reports; this tab will be enhanced as we move forward with future releases.
Slide 10: Oracle Database Vault Reports

- Database Vault reporting: over 3 dozen security reports for compliance
- Audit violation attempts
- Realm, Rule and Factor reports
- System and Public privileges

Here’s a more detailed look at the Database Vault specific reports tab. You can see a Realm Audit report selection toward the bottom. This report will display audit records where the realm has blocked an action.
Slide 11: Oracle Database Vault Realms

[Diagram: one consolidated database holding the DBA account, an HR schema inside an “HR Realm” and a Fin schema inside a “Fin Realm”. The DBA’s “select * from HR.emp” is stopped at the HR Realm (compliance and protection from insiders); the HR DBA’s attempt to view Fin data is stopped at the Fin Realm (eliminates security risks from server consolidation).]

- Realms can be easily applied to existing applications with minimal performance impact

Let’s first take a look at Database Vault Realms. Here we have a database; let’s assume that this is a consolidated database. As you would expect, you have the DBA as well as several other applications; here we’ve included an HR and a Financial application. One of the problems faced in this type of situation is that the DBA can, if he or she wished to do so, use their powerful privileges to take a look at application data. Even the possibility of this happening can be prevented using Database Vault Realms. Simply place a Realm around the HR application and the DBA will no longer be able to use his powerful privileges to access the application.

The other situation is one I alluded to earlier. Application owners tend to have very powerful privileges. In a consolidated environment it’s very likely that you’ll have more than one application and thus several powerful users in the database above and beyond the DBA. In this example, it’s possible for the HR DBA to look at the Financial application data. Obviously this wouldn’t be a good situation, especially if it was during the financial reporting quiet period. Using a Database Vault Realm, the Financial application can be protected from powerful application owners.

In summary, Realms can be easily applied to existing applications and with minimal performance impact.
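As an added example that is not part of the presentation, this is how the HR Realm on this slide is built with the DBMS_MACADM API, run as the Database Vault owner account rather than as SYS or the DBA. The realm name, the message text, and the assumption that realm audit rows carry the realm name in ACTION_OBJECT_NAME of DVSYS.AUDIT_TRAIL$ are mine.

```sql
-- Run as the Database Vault owner (the security account the talk refers to),
-- not as SYS or the DBA: that is the separation of duty in action.
BEGIN
  -- 1. The realm itself. G_REALM_AUDIT_FAIL writes an audit record every
  --    time the realm blocks an access attempt.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects HR application data from DBAs and other schema owners',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Everything in the HR schema goes behind the realm ('%' = wildcard).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- 3. The application owner is a realm participant, so the application
  --    keeps working. Leave this call out and HR itself can no longer run
  --    DDL on its own objects ("HR user cannot modify HR objects").
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- A DBA relying on SELECT ANY TABLE now gets ORA-01031 on
--   select * from HR.emp
-- Detection: which accounts did the realm block in the last 24 hours?
-- (Assumption: realm audit rows carry the realm name in ACTION_OBJECT_NAME.)
SELECT username, action_name, action_command, returncode, extended_timestamp
  FROM DVSYS.AUDIT_TRAIL$
 WHERE action_object_name = 'HR Realm'
   AND extended_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY extended_timestamp DESC;
```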
Slide 12: Oracle Database Vault Rules & Multi-factor Authorization

[Diagram: the DBA attempts a remote “alter system ...” and a rule based on IP address blocks the action; the HR DBA runs “create ...” against the HR Realm during production (3pm Monday) and a rule based on date and time blocks the action.]

- Factors and Command Rules provide flexible and adaptable security controls

In addition to Realms, Database Vault also delivers Command Rules and Multi-Factor Authorization. Command Rules provide the ability to instruct the database to evaluate conditions prior to allowing a database command to execute. Combined with Multi-Factor Authorization, this provides an extremely powerful tool to limit and restrict access to databases and applications.

Let’s take another example. Here I’m showing a database with a single application and the DBA. One of the common problems customers have faced from a compliance perspective is unauthorized activity in the database. This may mean that additional database accounts or application tables have been created. This can raise alarms with auditors because it can point toward lax internal controls. Using a command rule, Database Vault gives the ability to control the conditions under which a command is allowed to execute. For example, a command rule can be associated with the database “Alter System ...” command. Perhaps your policy states that all ‘alter system’ commands have to be executed from a connection originating from the server hosting the database. The command rule can check the IP address and reject the command, so the rule based on IP address blocks the action. Perhaps a powerful application DBA creates a new table; command rules combined with multi-factor authorization can block this action.

In summary, command rules and multi-factor authorization provide the flexibility to meet operational security requirements.
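Both scenarios on this slide, written as an added example with the DBMS_MACADM API (not the presentation’s own code): the rule and rule set names, the Monday to Friday 08:00 to 17:59 business-hours window, the error code 20001 and the address 192.0.2.10 standing in for the database server are assumptions.

```sql
-- Run as the Database Vault owner. DVF.F$CLIENT_IP is the function Database
-- Vault generates for the built-in Client_IP factor.
BEGIN
  -- Rule 1: session originates on the database host. Client_IP is NULL for a
  -- local bequeath connection (no listener) and the client address otherwise;
  -- 192.0.2.10 is a placeholder for the server's own address.
  DBMS_MACADM.CREATE_RULE('From Database Host',
    q'[NVL(DVF.F$CLIENT_IP, 'LOCAL') IN ('LOCAL', '127.0.0.1', '192.0.2.10')]');

  -- Rule 2: outside business hours (Mon-Fri 08:00-17:59), with an explicit
  -- date language so session NLS settings cannot change the outcome.
  DBMS_MACADM.CREATE_RULE('Outside Business Hours',
    q'[TO_CHAR(SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=AMERICAN') IN ('SAT', 'SUN')
       OR TO_NUMBER(TO_CHAR(SYSDATE, 'HH24')) NOT BETWEEN 8 AND 17]');

  -- One rule set per policy: evaluate all rules, audit failures, show the
  -- message to the blocked user with user-defined error code 20001, no handler.
  DBMS_MACADM.CREATE_RULE_SET('Local ALTER SYSTEM Only',
    'ALTER SYSTEM only from the database host', DBMS_MACUTL.G_YES,
    DBMS_MACUTL.G_RULESET_EVAL_ALL, DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    'ALTER SYSTEM is allowed only from the database host', 20001,
    DBMS_MACUTL.G_RULESET_HANDLER_OFF, NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Local ALTER SYSTEM Only', 'From Database Host');

  DBMS_MACADM.CREATE_RULE_SET('Outside Business Hours Only',
    'Schema changes only outside business hours', DBMS_MACUTL.G_YES,
    DBMS_MACUTL.G_RULESET_EVAL_ALL, DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    'Schema changes are allowed only outside business hours', 20001,
    DBMS_MACUTL.G_RULESET_HANDLER_OFF, NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Outside Business Hours Only', 'Outside Business Hours');

  -- Command rule 1: the DBA's remote "alter system" is rejected.
  DBMS_MACADM.CREATE_COMMAND_RULE('ALTER SYSTEM', 'Local ALTER SYSTEM Only',
                                  '%', '%', DBMS_MACUTL.G_YES);

  -- Command rule 2: the HR DBA's "create ..." at 3pm on a Monday is rejected.
  DBMS_MACADM.CREATE_COMMAND_RULE('CREATE TABLE', 'Outside Business Hours Only',
                                  'HR', '%', DBMS_MACUTL.G_YES);
END;
/
```

Because the rule sets audit on failure, every rejected ALTER SYSTEM or CREATE TABLE also lands in the Database Vault audit trail for the reports shown on the earlier slides.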
Slide 16: Hands-on Resources

- Oracle Database Vault:
- Oracle Security Overview:
- Lab 3-1: Protect Application Data from DBA and Privileged Users (no submission)
- Lab 3-2: Restrict DBA commands based on IP address (no submission)
Slide 17: Oracle Database Vault Secured Installation

- Disallows connections with SYSDBA
- Will affect:
  - Oracle Data Guard and Data Guard Broker command line utilities
  - Oracle Recovery Manager command line utility
  - Oracle Real Application Clusters srvctl utility
  - Oracle ASM command line utilities
  - Custom DBA scripts
- Can be re-enabled with the orapwd utility
- Enables the password file and turns off OS authentication (e.g. sqlplus “/” as SYSDBA)
Slide 18: Oracle Database Vault Secured Installation

- Requires Oracle Label Security version
- Requires one of the following: Enterprise Manager 10g; Application Server Containers for J2EE (OC4J)
- Cannot be installed into an Oracle home that contains an ASM instance
- Best practice is to create a Database Vault owner and a Database Vault manager
- Requires 270 MB of disk space for the DB Vault software
- Requires 400 MB of /tmp disk space
- OS authentication is turned off for all databases in the Oracle home
- Database Vault can be enabled for each database in the Oracle home (optional)