Presentation is loading. Please wait.

Presentation is loading. Please wait.

Oracle Database Vault – DBA Best Practices

Published byJanice Kenfield Modified over 9 years ago

Similar presentations

Presentation on theme: "Oracle Database Vault – DBA Best Practices"— Presentation transcript:

1

2 Oracle Database Vault – DBA Best Practices
Kamal Tbeileh, Sr. Principal Product Manager, Database Security Chi Ching Chui, Sr. Development Manager, Database Security

3

4 Program Agenda Oracle Database Vault – Overview
Managing Database Users and Security Controlling Sensitive Database Operations

5 Program Agenda Oracle Database Vault – Overview
Managing Database Users and Security Controlling Sensitive Database Operations

6 Oracle Database Vault Privileged User Controls
Application Application DBA Procurement HR select * from finance.customers DBA Finance Enforce who, where, when, and how data can be accessed using rules and factors Enforce least privilege and prevent privileged users from accessing apps data Prevent application by-pass and enforce enterprise data governance Restrict ad hoc database changes

7 Impact on Database Operations
Administration Task Oracle Database Vault Control? Comments Startup, shutdown No Creating databases Cloning databases Configuring DB network connectivity Managing initialization parameters Yes ALTER SYSTEM Command Rule protects some parameters Scheduling database jobs on protected schemas Oracle Database Vault authorization is needed

8 Program Agenda Oracle Database Vault – Overview
Managing Database Users and Security Controlling Sensitive Database Operations

9 Managing Database Users
Database Accounts Administrator Oracle Database Vault Creates an Accounts Administrator in the database with the DV_ACCTMGR role Responsible for creating new users and profiles and managing existing ones Can grant the CONNECT role to users Can change password for all users except for Security Admins As a best practice, customer should create personalized accounts for Accounts Admins

10 Managing Database Users
Database Security Administrator Oracle Database Vault creates a Security Administrator in the database with the DV_OWNER role Manages creation of protection policies including Realms and Command Rules Does not have access to data Manages his/her own password As a best practice, customer should create personalized accounts for Security Admins

11 Managing Database Users and Security
Tuning Recovery Managing DBAs Create Security Policies to protect data Security Admin Senior DBA Application user Accounts Admin Junior DBA Create and manage Database Users Backup Patch Install

12 Managing Database Users
Senior DBAs and Junior DBAs Oracle Database Vault allows customers to control DBA actions Distinguish between Senior and Junior DBAs Distinguish between in-house DBA and outsourced or off-shored DBA Senior DBA is a user who: Has been granted system privileges and roles with ADMIN OPTION Has been authorized as OWNER to the Oracle Data Dictionary realm Can grant system privileges to new users Junior DBA, outsourced DBA, or off-shored DBA can be controlled on what he/she can or cannot do

13 Managing Database Users and Security
For Small IT Organization In a small organization where customers have a single DBA The same person will be handling multiple tasks As a best practice, customer should Create separate dedicated accounts for different responsibilities like: DBA_DEBRA, ACCTS_ADMIN_DEBRA, SEC_ADMIN_DEBRA Lock default accounts including Database Vault default accounts This allows customer to: Prevent compromised privileged accounts from accessing application data Track each account’s actions for auditing and compliance

14 Managing Database Users and Security
For Medium Size IT Organizations In a medium size organization with a handful of DBAs DBAs will be multi-tasking and one senior DBA will be a db Security Admin Customer might be outsourcing some IT operations As a best practice, customer should Create separate dedicated accounts for different responsibilities Lock default accounts This allows customer to: Prevent compromised privileged accounts from accessing application data Outsource some IT operations and control outsourced DBAs actions Protect the database from unauthorized changes

15 Managing Database Users and Security
For Large IT Organizations For large customers Dedicated staff can be assigned to database security Customer has contractors and may be doing some outsourcing / off-shoring As a best practice, customer should Create separate dedicated accounts Lock default accounts This helps customer: Prevent hackers from accessing application data Control what junior DBAs, outsourced DBAs, or off-shored DBAs can do Protect the database from unauthorized changes

16 Managing Database Users and Security
For SAAS and Cloud Services Providers Cloud services provider Can delegate Security Administration and Accounts Administration to customers so they manage who can access their data Provider’s own security staff can be given access in emergency As a best practice, cloud services provider should Create separate dedicated accounts for customers and own staff Lock default accounts This helps cloud services provider: Improve SLA when it comes to security Empower end customers and give them final say on who can access data

17 Managing Database Users and Security
IT Organization Separation of Duty Company CIO Database Administration Information Security Management User Provisioning Development QA Database Security Develop and communicate security policies Conduct internal audits with the security group Work with external auditors Work with the security team to remedy any audit finding Provision new users Assign roles and responsibilities De-provision users who leave the company Manage Database accounts Manage passwords for default accounts Develop new applications Maintain existing applications Provide patches to DBAs to apply on production Test applications and patches with Oracle Database Vault Manage Oracle Database Vault Realms and Command rules Review security reports Work with business owners to authorize exceptions and monitoring Work with Information Security on internal audits Backup Tuning Patching and upgrade Replication and High Availability Work with security and data owners for emergency access

18 Program Agenda Oracle Database Vault – Overview
Managing Database Users and Security Controlling Sensitive Database Operations Changing Init Parameters Job Scheduling Oracle Data Pump Oracle Streams Oracle Data Guard Explain Plan, Analyze Table Database Patching

19 Controlling Changes to DB Init Parameters
ALTER SYSTEM Command Rule Created by default when Oracle Database Vault is installed Prevents changes to DB parameters related to security, audit, and file locations This tightens the security of the database As a best Practice, Users or roles who should be authorized to change these init parameters, need to be: Granted the ALTER SYSTEM privilege Added to the “Allow Fine Grained Control of System Parameters” Rule Set

20 Controlling Changes to DB Init Parameters
Authorizing a DBA to Change Parameters Example

21 Controlling Database Job Scheduling
To schedule database jobs, DBA needs privileges like: CREATE JOB, CREATE ANY JOB, MANAGE SCHEDULER Security Administrator needs to authorize DBA to be able to schedule jobs on realm protected schemas Authorization can be granted on the entire database or on a schema or table level Authorization can be revoked from the user once done

22 Controlling Database Job Scheduling
Best Practice Example

23 Controlling Database Job Scheduling
Best Practice Example

24 Controlling Oracle Data Pump
Best Practices DBA needs to be granted EXP_FULL_DATABASE / IMP_FULL_DATABASE roles For realm-protected data, more authorization is needed: Security Administrator can give authorization on a specific database object, a whole schema, or on the entire database To export / import the whole database, user needs to be granted DV_OWNER role for the duration of the operation Data Pump authorization should be revoked once export / import is done

25 Controlling Oracle Data Pump
Best Practices Example

26 Controlling Oracle Data Pump
Best Practices Example

27 Controlling Oracle Streams
Best Practices To replicate realm-protected data using Oracle Streams grant DV_STREAMS_ADMIN role to the user who manages it

28 Oracle Data Guard Best Practices
For Oracle Active Data Guard and Oracle Data Guard Physical Standby: install Oracle Database Vault software on primary database and all standby databases Follow Oracle support note instructions Oracle Data Guard Logical Standby is not currently supported with Oracle Database Vault

29 Running EXPLAIN PLAN Best Practice
DBA can run EXPLAIN PLAN on realm-protected tables without having Realm authorization or access to apps data PLAN_TABLE should be created in DBA’s own schema Or in a schema where the DBA has INSERT and SELECT privileges to the table

30 Running EXPLAIN PLAN Best Practice Example

31 Running ANALYZE TABLE Best Practice
DBA can run ANALYZE TABLE on realm-protected tables without having Realm authorization or access to apps data CHAINED_ROWS table should be created in DBA’s own schema Or in a schema where the DBA has INSERT and SELECT privileges to the table

32 Running ANALYZE TABLE Best Practice Example

33 Database Patching Best Practices
Grant DV_PATCH_ADMIN role to user doing database patching – SYS user typically Protection for apps data remains in effect during patching Revoke DV_PATCH_ADMIN role once patching is done

34 Database Patching Best Practices Example

35 Oracle Database Vault – DBA Best Practices
Additional Resources Oracle Technology Network link oracle.com/technetwork/database/options/database-vault/index.html Download white papers and watch demos Download protection policies for Applications PeopleSoft, Siebel, JD Edwards EnterpriseOne and more Download information on SAP certification

36 Oracle Open World – Thursday, October 6
TIME TITLE LOCATION 9:00 am – 10:00 am Hands-On Lab: Oracle Audit Vault (29964) Tammy Bednar, Sr. Principal Product Manager, Oracle Marriott Marquis Room: Salon 12/13 Session: Improving Your Security Posture (13220) Bruce Lowenthal, Director of Security Alerts, Oracle Eric Maurice, Director of Software Security Assurance, Oracle Moscone South Room: 300 10:30 am – 11:30 am Oracle Exadata: Enabling Research at Merck (9687) Michael Tucker Database Administrator, Merck, Inc Vinoy Lanjwal Database Administrator, Merck, Inc Room: 302 12:00 pm – 1:00 pm Hands-On Lab: Oracle Database Vault (29962) Kamal Tbeileh, Sr. Principal Product Manager, Oracle Ken Zeng, Sr. Business Development Director, Oracle 1:30 pm – 2:30 pm Session: All About Oracle Database Security (14123) Thomas Kyte, Architect, Oracle Room: 103 3:00 am – 4:00 pm Session: Oracle Database Security Performance: Best Practices (13600) Kurt Lysy, Principal Product Manager, Oracle Room: 104

37 Q&A

38 Latin America 2011 December 6–8, 2011 Tokyo 2012 April 4–6, 2012

39 Oracle OpenWorld Bookstore
Visit the Oracle OpenWorld Bookstore for a fabulous selection of books on many of the conference topics and more! Bookstore located at Moscone West, Level 2 All Books at 20% Discount

40 Oracle Products Available Online
Oracle Store Buy Oracle license and support online today at oracle.com/store

41

42

Download ppt "Oracle Database Vault – DBA Best Practices"

Similar presentations

ITEC474 INTRODUCTION.

ITEC474 INTRODUCTION.
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
Database Vault Welcome, today I’d like to present an overview of the latest security product from Oracle – Database Vault. We announced this new product.

Database Vault Welcome, today I’d like to present an overview of the latest security product from Oracle – Database Vault. We announced this new product.
1. Real-World Deployment and Best Practices with Oracle Database Vault at Customers: Ross Stores Covidien Kamal Tbeileh Sr. Principal Product Manager,

1. Real-World Deployment and Best Practices with Oracle Database Vault at Customers: Ross Stores Covidien Kamal Tbeileh Sr. Principal Product Manager,
A First look at Database Vault David Bergmeier.  Overview  Installation  Limitations  Securing Data  Backups  A trigger problem Agenda.

A First look at Database Vault David Bergmeier.  Overview  Installation  Limitations  Securing Data  Backups  A trigger problem Agenda.
Self-Validation Tech Guide

Self-Validation Tech Guide
Database Vault Marco Alamanni

Database Vault Marco Alamanni
Oracle9i Database Administrator: Implementation and Administration 1 Chapter 12 System and Object Privileges.

Oracle9i Database Administrator: Implementation and Administration 1 Chapter 12 System and Object Privileges.
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Database Vault with Oracle Database 12c Chi Ching Chui Senior Development.

Copyright © 2014, Oracle and/or its affiliates. All rights reserved. | Oracle Database Vault with Oracle Database 12c Chi Ching Chui Senior Development.
Securing Oracle Databases CSS-DSG JTrumbo. Audit Recommendations -Make sure databases are current with patches. -Ensure all current default accounts &

Securing Oracle Databases CSS-DSG JTrumbo. Audit Recommendations -Make sure databases are current with patches. -Ensure all current default accounts &
Database Management System

Database Management System
Database Administration ISQA 436 Fall 2006 Mark Freeman

Database Administration ISQA 436 Fall 2006 Mark Freeman
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Advanced Databases Basic Database Administration Guide to Oracle 10g 1.

Advanced Databases Basic Database Administration Guide to Oracle 10g 1.
Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Oracle SQL Developer For the DBA Jeff Smith

Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Oracle SQL Developer For the DBA Jeff Smith
Administering User Security

Administering User Security
Oracle Database Administration. Rana Almurshed 2 course objective After completing this course you should be able to: install, create and administrate.

Oracle Database Administration. Rana Almurshed 2 course objective After completing this course you should be able to: install, create and administrate.
ORACLE DATABASE SECURITY

ORACLE DATABASE SECURITY
1. Oracle Database 11g Release 2 Security Update and Plans Defense-in-Depth Vipin Samar Vice President, Oracle Database Security.

1. Oracle Database 11g Release 2 Security Update and Plans Defense-in-Depth Vipin Samar Vice President, Oracle Database Security.
Presented By: Matthew Garrison. Basics of Role Based Access Control  Roles are determined based on job functions within a given organization  Users.

Presented By: Matthew Garrison. Basics of Role Based Access Control  Roles are determined based on job functions within a given organization  Users.

Similar presentations

Ads by Google