Presentation transcript: "Database Vault", Marco Alamanni
Slide 1: Database Vault (Marco Alamanni)

Notes: Welcome, today I'd like to present an overview of the latest security product from Oracle: Database Vault. We announced this new product in late April at the huge Oracle user group conference called Collaborate 06 in Nashville, TN. You may have seen some press releases from Oracle and our partners around this exciting new product.
Slide 2: Why Database Vault?
- Compliance with regulations such as Sarbanes-Oxley (SOX), the European Data Protection Directive (95/46/EC) and the Health Insurance Portability and Accountability Act (HIPAA) requires strong internal controls and separation of duty
- Internal threats are a much bigger concern today and require enforcement of operational security policies: who, when and where can data be accessed?
- A database consolidation strategy requires preventive measures against access to application data by powerful (DBA) users

Notes: Database Vault is designed to address what customers have told us are some of their most pressing security-related business problems. At Oracle Headquarters in California, we frequently get the opportunity to talk to customers from around the world and from virtually every industry imaginable, and these business problems seem to resonate with virtually every customer. I'm sure you've all heard the phrase "regulatory compliance"; who hasn't, it's certainly being used a lot. I think one of the biggest benefits of regulatory compliance has been awareness: it has really forced customers to take a long hard look at their business practices. Two of the common themes in many regulations are strong internal controls and separation of duty. Database Vault provides the technology to address these two security problems. In addition, customers are much more concerned about the internal threat today. I don't mean to say that everyone's DBA is up to no good, but rather that customers are looking for preventive measures to put in place. They want the ability to enforce operational policies on who, when and where data can be accessed. Another common security problem is the powerful DBA. Most applications out there today were not designed with the principle of least privilege, meaning that the application owner has only the minimum privileges necessary. In fact, it's exactly the opposite. Database Vault provides the ability to restrict the powerful application owners and DBAs that reside in a consolidated database environment.
Slide 3: Common Security Problems
"I have requirements around SOX and PCI; how can I prevent my DBA from looking at the application data, including credit cards and personal information?"
- No protection from users with DBA privileges: the DBA role has full access to user and business data
- Only a few applications are built with a least-privilege model; various utilities require powerful administrator privileges
- Cannot meet new compliance requirements: separation of duty is not enforced, and user creation, role assignment, etc. cannot be controlled
Slide 4: Oracle Database Vault Goals
- Integrated security framework to provide full control: network, users, DBA, data, roles, SQL
- Multi-factor authorization and policies across various checks
- Compliance requirements: built-in separation of duty; prevent misuse of powerful privileges
- Support database consolidation
Slide 5: Database Vault Versus VPD and OLS
- Virtual Private Database (VPD): restricts access to certain rows for a user by modifying the WHERE clause
- Oracle Label Security (OLS): mediates access to a given row, based on the label on the row and the security level of the user
- VPD and OLS restrict access at the row level, whereas Database Vault restricts access at the object and command levels
- DBV can be integrated with both VPD and OLS
Slide 6: DBV Administration Model
DV administrative roles:
- DV_SECANALYST: reporting only
- DV_ACCTMGR: maintains database accounts and profiles (but no roles)
- DV_OWNER: the "big boss", but cannot grant any direct access rights
DV realm roles:
- DV_REALM_OWNER: manages the realm and its associated roles
Security:
- Provides separation of duties with different administrative roles
- SYS, SYSTEM, SYSDBA and SYSOPER cannot grant the DV_OWNER and DV_ADMIN roles
Slide 9: Realms
- Collections of schemas, objects and roles to be secured
- Control SELECT, DML, DDL and EXECUTE on protected objects
- Prevent super-user (ANY privilege) access to security-sensitive data
- Do not impact direct object privileges
- The realm owner determines who can access the realm using system privileges, and grants/revokes the applicable roles
- Authorization is enforced at every data object access during SQL execution
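As an added example (not part of the presentation), the following script puts an application schema under a realm with the Database Vault PL/SQL API and then reads the realm back from the DVSYS dictionary views. The schema name HR, the realm name "HR Realm" and the application account HR_APP are assumed; the DBMS_MACADM procedures, DBMS_MACUTL constants and DBA_DV_* views are the documented Database Vault interfaces.

```sql
-- Added example: protect the HR schema with a realm (run as DV_OWNER).
-- Assumed names: schema HR, realm "HR Realm", application account HR_APP.
BEGIN
  -- 1. Create the realm. Audit failed access so that blocked ANY-privilege
  --    access by a DBA is recorded in the Database Vault audit trail.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects HR application data from ANY-privilege users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Secure every object in the HR schema ('%' matches all names/types).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- 3. Authorise the application account as a realm participant: it may use
  --    its system privileges inside the realm but cannot manage realm
  --    membership (that is reserved for a realm owner).
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR_APP',
    rule_set_name => NULL,   -- unconditional authorisation
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Verification: realm definition, protected objects and authorised grantees.
SELECT name, enabled, audit_options
  FROM DVSYS.DBA_DV_REALM
 WHERE name = 'HR Realm';

SELECT owner, object_name, object_type
  FROM DVSYS.DBA_DV_REALM_OBJECT
 WHERE realm_name = 'HR Realm';

SELECT grantee, auth_rule_set_name, auth_options
  FROM DVSYS.DBA_DV_REALM_AUTH
 WHERE realm_name = 'HR Realm';
```

After this runs, a session that relies on SELECT ANY TABLE (the typical DBA) gets ORA-01031 on HR tables, while a user holding a direct grant on an HR table keeps working, which is the "does not impact direct object privileges" point on the slide. The failed attempts appear in the Database Vault audit trail because of the G_REALM_AUDIT_FAIL setting.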
Slide 10: Default Realms
- Database Vault Account Management: protects user accounts/profiles and the account management role
- Data Dictionary: protects all DBMS metadata
- Enterprise Manager: protects all objects required by Enterprise Manager
- Database Vault: protects all Database Vault metadata, all objects owned by the Database Vault schemas, all objects owned by LBACSYS, and all security administration roles
Slide 11: Benefits of Data Protection with Realms
- Ability to restrict access by privileged users based upon a collection of objects
- Separation of duty regarding user administration and role management
- Ability to define additional realm authorization rules based upon requirements
- Limits damage even if privileges escalate to DBA
- Minimizes the risks associated with an army of DBAs for 24x7 operation, whether in-house or outsourced
- No changes required to applications
Slide 14: Command Rules Mechanics
- Work very similarly to DDL event triggers
- Built into the SQL engine for optimization and security
- Cover all basic DDL and DML commands
Slide 15: Command Rule Flexibility
Commands that can have rules associated: ALTER DATABASE, ALTER FUNCTION, ALTER PACKAGE BODY, ALTER PROCEDURE, ALTER PROFILE, ALTER SESSION, ALTER SYNONYM, ALTER SYSTEM, ALTER TABLE, ALTER TABLESPACE, ALTER TRIGGER, ALTER USER, ALTER VIEW, AUDIT, CHANGE PASSWORD, COMMENT, CONNECT, CREATE DATABASE LINK, CREATE FUNCTION, CREATE INDEX, CREATE PACKAGE, CREATE PACKAGE BODY, CREATE PROCEDURE, CREATE ROLE, CREATE TABLE, CREATE TABLESPACE, CREATE TRIGGER, CREATE USER, CREATE VIEW, DELETE, EXECUTE, GRANT, INSERT, LOCK TABLE, NOAUDIT, PASSWORD, RENAME, SELECT, TRUNCATE TABLE, UPDATE

Notes: Earlier we showed how a command rule can be associated with the ALTER SYSTEM command. Here's a list of some of the other commands which can have rules associated. As you can see, the list is quite extensive.
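As an added example (not from the presentation), here is the ALTER SYSTEM command rule the notes refer to, written against the DBMS_MACADM API: a rule expression, a rule set that carries the failure message and audit setting, and the command rule that binds the set to the command. The rule and rule-set names are assumed; DVF.F$CLIENT_IP and DVF.F$DATABASE_IP are the retrieval functions of the built-in Client_IP and Database_IP factors.

```sql
-- Added example: allow ALTER SYSTEM only from a session connected on the
-- database server itself (run as DV_OWNER). Names are assumed.
BEGIN
  -- A rule is one boolean SQL expression evaluated when the command runs.
  -- Local (bequeath) connections carry no client IP, so NULL is accepted
  -- alongside a client IP equal to the database server's own IP.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Local Connection',
    rule_expr => 'DVF.F$CLIENT_IP IS NULL OR DVF.F$CLIENT_IP = DVF.F$DATABASE_IP');

  -- The rule set decides how rules combine (EVAL_ALL: every rule must pass),
  -- what is audited, and what the failing session sees.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Local Admin Only',
    description     => 'Administrative commands only from the database host',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'ALTER SYSTEM is permitted only from the database server',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Local Admin Only',
    rule_name     => 'Is Local Connection');

  -- Bind the rule set to the command. ALTER SYSTEM is not object-specific,
  -- so owner and object name are the '%' wildcard.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER SYSTEM',
    rule_set_name => 'Local Admin Only',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Verification: the command rule and the rules in its rule set.
SELECT command, rule_set_name, enabled
  FROM DVSYS.DBA_DV_COMMAND_RULE
 WHERE command = 'ALTER SYSTEM';

SELECT rule_set_name, rule_name
  FROM DVSYS.DBA_DV_RULE_SET_RULE
 WHERE rule_set_name = 'Local Admin Only';
```

A DBA who issues ALTER SYSTEM over a network connection now receives the configured message instead of a generic error, and because audit_options is G_RULESET_AUDIT_FAIL each rejected attempt is written to the Database Vault audit trail, which is what an auditor asking about internal controls will want to see. Test a rule like this on a non-production instance first: a rule expression that raises an error evaluates as false and blocks the command for everyone, including the local administrator.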
Slide 17: Factors
A factor:
- Is an attribute of a database session
- Can have a value, which can be labeled as an identity
- Can easily be referenced in other Database Vault components to decide access
- Can be combined with other factors to provide multi-factor authentication
Slide 18: Factor's Identity
An identity:
- Is a value
- Is associated with a factor
- Has a trust level
- Can have a label
- Can be resolved from other factors
- Can be retrieved with the PL/SQL functions associated with the factor
Slide 19: Built-In Factors
- User factors: name, authentication type, session user
- Network factors: machine name, client IP, network protocol
- Database factors: database IP, database instance, database hostname
- Runtime factors: language, date, time
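The following script is an added example (not from the presentation) that ties slides 17 to 19 together: a custom factor whose value is derived from the built-in Client_IP factor, identities for that factor with trust levels, and a rule that consults the trust level rather than the raw value. The factor name Client_Zone, the identity names, the 10.x address ranges and the rule name are assumed; DVF.F$CLIENT_IP, DVSYS.GET_TRUST_LEVEL and the DBMS_MACADM/DBMS_MACUTL calls are the documented Database Vault interfaces.

```sql
-- Added example: a custom factor with identities and trust levels
-- (run as DV_OWNER). Factor/identity names and IP ranges are assumed.
BEGIN
  -- The factor value is computed by get_expr once per session
  -- (G_EVAL_ON_SESSION). It is "resolved from another factor": the
  -- built-in Client_IP, read through its retrieval function DVF.F$CLIENT_IP.
  DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'Client_Zone',
    factor_type_name => 'Network',
    description      => 'Coarse network zone derived from Client_IP',
    rule_set_name    => NULL,            -- no assignment rule set
    get_expr         => 'CASE ' ||
                        ' WHEN DVF.F$CLIENT_IP IS NULL THEN ''LOCAL'' ' ||
                        ' WHEN DVF.F$CLIENT_IP LIKE ''10.0.5.%'' THEN ''APP_TIER'' ' ||
                        ' WHEN DVF.F$CLIENT_IP LIKE ''10.%'' THEN ''INTRANET'' ' ||
                        ' ELSE ''EXTERNAL'' END',
    validate_expr    => NULL,
    identify_by      => DBMS_MACUTL.G_IDENTIFY_BY_METHOD,
    labeled_by       => DBMS_MACUTL.G_LABELED_BY_SELF,
    eval_options     => DBMS_MACUTL.G_EVAL_ON_SESSION,
    audit_options    => DBMS_MACUTL.G_AUDIT_ON_GET_ERROR,
    fail_options     => DBMS_MACUTL.G_FAIL_SILENTLY);

  -- Identities: each known value gets a trust level (1..10 trusted,
  -- 0 untrusted). A value with no identity has trust level -1 (unknown).
  DBMS_MACADM.CREATE_IDENTITY(factor_name => 'Client_Zone', value => 'LOCAL',    trust_level => 10);
  DBMS_MACADM.CREATE_IDENTITY(factor_name => 'Client_Zone', value => 'APP_TIER', trust_level => 10);
  DBMS_MACADM.CREATE_IDENTITY(factor_name => 'Client_Zone', value => 'INTRANET', trust_level => 5);
  DBMS_MACADM.CREATE_IDENTITY(factor_name => 'Client_Zone', value => 'EXTERNAL', trust_level => 0);

  -- A rule written against the trust level, not the value: when the zone
  -- mapping changes only the identities change, not every rule set.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Trusted Client Zone',
    rule_expr => 'DVSYS.GET_TRUST_LEVEL(''Client_Zone'') >= 5');
END;
/

-- Verification from any session: the resolved value and its trust level.
SELECT DVF.F$CLIENT_ZONE               AS zone,
       DVSYS.GET_TRUST_LEVEL('Client_Zone') AS trust_level
  FROM DUAL;

-- Verification from the dictionary: the identities and their trust levels.
SELECT value, trust_level
  FROM DVSYS.DBA_DV_IDENTITY
 WHERE factor_name = 'Client_Zone';
```

Because identify_by is G_IDENTIFY_BY_METHOD, Database Vault creates the retrieval function DVF.F$CLIENT_ZONE from the factor name, so the factor can be referenced from rule expressions, VPD policy functions and other factors in exactly the way the built-in factors are.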
Slide 20: Examples of Security Policies
IP address based policies:
- Allow access from intranet IP addresses
- Allow access only from application servers
DBA policies:
- Allow updates to the database structure only on the weekend
- Allow DBA access only with PKI/Kerberos authentication
- Allow DDL, but only with strong authentication
- Permit DDL (CREATE INDEX) but not SELECT
- Implement a different set of policies for different types of DBAs
Other policies:
- Time/date based policies
- Disallow access from ad-hoc tools (SQL*Plus)
Slide 21: Oracle Database Vault Rules & Multi-factor Authorization
Diagram scenarios:
- A database DBA attempts a remote "alter system"; a rule based on IP address blocks the action
- An HR DBA performs unauthorized actions (create ...) against the HR realm during production, at 3pm on a Monday; a rule based on date and time blocks the action
Factors and command rules provide flexible and adaptable security controls.

Notes: In addition to realms, Database Vault also delivers command rules and multi-factor authorization. Command rules provide the ability to instruct the database to evaluate conditions prior to allowing a database command to execute. Combined with multi-factor authorization, this provides an extremely powerful tool to limit and restrict access to databases and applications. Let's take another example. Here I'm showing a database with a single application and the DBA. One of the common problems customers have faced from a compliance perspective is unauthorized activity in the database. This may mean that additional database accounts or application tables have been created. This can raise alarms with auditors because it can point toward lax internal controls. Using a command rule, Database Vault gives the ability to control the conditions under which a command is allowed to execute. For example, a command rule can be associated with the database "Alter System ..." command. Perhaps your policy states that all "alter system" commands have to be executed from a connection originating from the server hosting the database. The command rule can check the IP address and reject the command, so the rule based on IP address blocks the action. Perhaps a powerful application DBA creates a new table; command rules combined with multi-factor authorization can block this action. In summary, command rules and multi-factor authorization provide the flexibility to meet operational security requirements.
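The second diagram scenario, as an added example that is not part of the presentation: an HR DBA is authorized in the HR realm, and a CREATE TABLE command rule is enforced, only when several factors hold at once (weekend maintenance window, a named administration host, and Kerberos or SSL authentication). It assumes a realm named "HR Realm" already protects the HR schema, an account HR_DBA, and an administration host named adm01; the rule and rule-set names are assumed as well. DVF.F$MACHINE and DVF.F$AUTHENTICATION_METHOD are the retrieval functions of the built-in Machine and Authentication_Method factors, and the authentication values are those returned by SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD').

```sql
-- Added example: multi-factor authorization for DDL in the HR realm
-- (run as DV_OWNER). Assumes realm "HR Realm" exists; names are assumed.
BEGIN
  -- Factor 1: time. SYSDATE is the database server's clock, so the window
  -- follows the server's time zone. The explicit NLS date language keeps
  -- the day abbreviation stable regardless of session settings.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Weekend',
    rule_expr => 'TO_CHAR(SYSDATE, ''DY'', ''NLS_DATE_LANGUAGE=ENGLISH'') IN (''SAT'', ''SUN'')');

  -- Factor 2: network. Only the designated administration host.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From Admin Host',
    rule_expr => 'UPPER(DVF.F$MACHINE) = ''ADM01''');

  -- Factor 3: user. Strong authentication only, no password logins.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Strong Authentication',
    rule_expr => 'DVF.F$AUTHENTICATION_METHOD IN (''KERBEROS'', ''SSL'')');

  -- EVAL_ALL makes this multi-factor: every rule must be true.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR Maintenance Window',
    description     => 'Weekend DDL from the admin host with strong authentication',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'HR schema changes are allowed only in the weekend maintenance window',
    fail_code       => 20002,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR Maintenance Window', 'Is Weekend');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR Maintenance Window', 'From Admin Host');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR Maintenance Window', 'Strong Authentication');

  -- Layer 1: realm authorization. HR_DBA may use system privileges
  -- (CREATE ANY TABLE, etc.) inside the realm only while the rule set passes.
  -- On a Monday at 3pm the rule set fails and the realm blocks the DDL.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR_DBA',
    rule_set_name => 'HR Maintenance Window',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- Layer 2: a command rule on CREATE TABLE in the HR schema. Unlike the
  -- realm, this also binds the schema owner HR, whose direct privileges
  -- on its own schema are not subject to realm checks.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CREATE TABLE',
    rule_set_name => 'HR Maintenance Window',
    object_owner  => 'HR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Verification: which rule set gates HR_DBA's realm authorization.
SELECT grantee, auth_rule_set_name, auth_options
  FROM DVSYS.DBA_DV_REALM_AUTH
 WHERE realm_name = 'HR Realm';
```

The two layers are deliberately different: the realm authorization answers "may this account use its system privileges on these objects right now", while the command rule answers "may this statement run against this object right now", and the schema owner is only caught by the second.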
Slide 24: Integration with OLS and VPD
- Oracle Label Security: association of factor identities with OLS labels to enforce row-level security policies
- Virtual Private Database: factors can be used in the PL/SQL functions that implement VPD policies
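As an added example (not from the presentation) of the VPD integration: a policy function that reads the built-in Client_IP factor through DVF.F$CLIENT_IP and returns a row-restricting predicate for every session that does not come from the application tier. The table HR.EMPLOYEES with an EMAIL column, the 10.0.5.x application-tier range and the policy name are assumed; DBMS_RLS.ADD_POLICY is Oracle's standard VPD API, and HR needs EXECUTE on DBMS_RLS (granted by SYS) to run the second block.

```sql
-- Added example: a VPD policy driven by a Database Vault factor.
-- Assumed: table HR.EMPLOYEES(EMAIL, ...), app tier on 10.0.5.x.
CREATE OR REPLACE FUNCTION hr.emp_zone_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2) RETURN VARCHAR2
AS
BEGIN
  -- Sessions from the application tier see every row: an empty predicate
  -- means "no restriction". The DVF retrieval functions are callable from
  -- any schema, so the policy function needs no extra Database Vault grant.
  IF DVF.F$CLIENT_IP LIKE '10.0.5.%' THEN
    RETURN NULL;
  END IF;

  -- Everyone else (including a DBA using an ad-hoc tool from a desktop)
  -- is limited to the row whose EMAIL matches the logged-in user.
  RETURN 'UPPER(email) = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END emp_zone_policy;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_ZONE_POLICY',
    function_schema => 'HR',
    policy_function => 'EMP_ZONE_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);   -- also reject writes that would create rows
                                -- the session could not read back
END;
/

-- Verification: confirm the policy is attached and enabled.
SELECT policy_name, function, enable
  FROM DBA_POLICIES
 WHERE object_owner = 'HR' AND object_name = 'EMPLOYEES';
```

This is the division of labour from slide 5 in practice: the realm decides whether the session may touch HR.EMPLOYEES at all, and the VPD predicate decides which rows it sees once it is allowed in. Remember that a user with EXEMPT ACCESS POLICY bypasses VPD, so that privilege belongs inside a realm as well.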
Slide 25: PL/SQL API to Database Vault
PL/SQL interface for scriptable administration and tools. The API includes:
- Create, modify and delete Database Vault components
- Allow a session to define its security environment
- Query the state and values of components
- Administer and configure system-wide Database Vault parameters
Slide 26: Oracle Database Vault Summary
Integrated security framework to provide full control:
- Control access based upon network, users, DBA, data, roles and SQL access
- Multi-factor authorization and policies across various checks
- Baked-in security controls
Compliance requirements:
- Built-in separation of duty (user management, data management, application management)
- Prevent misuse of powerful privileges
Operational requirements:
- No application changes required
- Minimal performance impact
- Easy to use, plus customization flexibility
- Support database consolidation
Slide 27: Credits and references
- Oracle Database Vault: Under the Covers, Vipin Samar, Oracle
- Dividing the Keys to the Kingdom: Separation of Duties with Oracle 10g Database Vault, Eric Siglin, Oracle
- Patricia Huey, Oracle Database Vault Administrator's Guide 11g Release 2 (11.2), Oracle, 2010