
O Possessor of security and safety. Virtual Private Database. Mohammad Amin Sabbaghian.


1 O Possessor of security and safety

2 Virtual Private Database Mohammad Amin Sabbaghian

3 Agenda
- What is VPD?
- Why use VPD?
- History of VPD
- Overview of Virtual Private Databases
- VPD components
- Benefits of using VPD
- Drawbacks of using VPD
- Summary
Winter 2015, Database Security – Virtual Private Database

4 What is VPD?

5 What is VPD?
- Acronym for Virtual Private Database
- VPD enables you to enforce security directly on tables, views or synonyms
- Sometimes referred to as Oracle Row-Level Security (RLS) or Fine-Grained Access Control (FGAC)

6 What is VPD?
- Allows you to define which rows users may access
- Dynamically returns a predicate against a target table
- This activity is transparent to the user executing the SQL

7 Why use VPD?

8 Why use VPD?
- Protect confidential and secret information
- Regulations such as HIPAA and SOX
- You can have one database and control the delivery of the data to the right people

9 History of VPD

10 History of VPD
- Oracle VPD was introduced in Oracle 8i (version 8.1.5) as a new solution to enforce granular access control of data at the server level
- In Oracle8i, VPD provided the following key features:
  - Fine-grained access control
  - Application context
  - Row-level security
  - VPD support for tables and views

11 History of VPD
- Oracle9i expanded the Virtual Private Database features as follows:
  - Oracle Policy Manager
  - Partitioned fine-grained access control
  - Global application context
  - VPD support for synonyms

12 History of VPD
Oracle 10g makes the following three major enhancements in Virtual Private Database:
- Column-Level Privacy: increases performance by limiting the number of queries that the database rewrites. Rewrites occur only when the statement references relevant columns. This feature also leads to more privacy.
- Customization: with the introduction of four new types of policies, you can customize VPD to always enforce the same predicate with a static policy, or have VPD predicates that change dynamically with a non-static policy.
- Shared Policies: you can apply a single VPD policy to multiple objects, and therefore reduce administration costs.
11g provides integration with Enterprise Manager for Row-Level Security policies.
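The three 10g enhancements on this slide map directly onto parameters of DBMS_RLS.ADD_POLICY. The following is an added example, not code from the presentation: it declares one static and one context-sensitive policy function, shares the static policy across two tables, and enables column-level privacy with masking. The schema SALES_SEC, the tables ORDERS and INVOICES and the function names are hypothetical; the DBMS_RLS constants and the SEC_RELEVANT_COLS / SEC_RELEVANT_COLS_OPT parameters are the real Oracle API.

```sql
-- Added example (hypothetical schema SALES_SEC, tables and functions).
-- Constructed sample tables; card_no is the sensitive column.
CREATE TABLE sales_sec.orders (
  order_id   NUMBER,
  region     VARCHAR2(8),
  owner_user VARCHAR2(128),
  amount     NUMBER,
  card_no    VARCHAR2(19)
);
CREATE TABLE sales_sec.invoices (
  inv_id     NUMBER,
  region     VARCHAR2(8),
  owner_user VARCHAR2(128),
  amount     NUMBER
);

-- Static policy function: the predicate text never changes, so with
-- policy_type STATIC / SHARED_STATIC Oracle evaluates it once and caches it.
CREATE OR REPLACE FUNCTION sales_sec.eu_only (p_schema VARCHAR2, p_object VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN 'region = ''EU''';
END eu_only;
/

-- Context-sensitive policy function: the predicate depends on a session
-- attribute (the login name), so Oracle re-evaluates it when context changes.
-- The attribute is referenced inside the predicate rather than concatenated
-- into it, so the predicate text itself stays constant.
CREATE OR REPLACE FUNCTION sales_sec.own_rows (p_schema VARCHAR2, p_object VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN 'owner_user = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END own_rows;
/

BEGIN
  -- Shared static policy: the same function and policy name on two objects,
  -- which is the "Shared Policies" enhancement.
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SALES_SEC',
    object_name     => 'ORDERS',
    policy_name     => 'EU_ONLY',
    function_schema => 'SALES_SEC',
    policy_function => 'EU_ONLY',
    statement_types => 'SELECT',
    policy_type     => DBMS_RLS.SHARED_STATIC);
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'SALES_SEC',
    object_name     => 'INVOICES',
    policy_name     => 'EU_ONLY',
    function_schema => 'SALES_SEC',
    policy_function => 'EU_ONLY',
    statement_types => 'SELECT',
    policy_type     => DBMS_RLS.SHARED_STATIC);

  -- Column-level privacy: this policy is enforced only when a statement
  -- references CARD_NO; statements that do not touch it are not rewritten.
  -- With SEC_RELEVANT_COLS_OPT => DBMS_RLS.ALL_ROWS every row is returned,
  -- but CARD_NO is shown as NULL in rows the predicate does not admit.
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'SALES_SEC',
    object_name           => 'ORDERS',
    policy_name           => 'CARD_MASK',
    function_schema       => 'SALES_SEC',
    policy_function       => 'OWN_ROWS',
    statement_types       => 'SELECT',
    policy_type           => DBMS_RLS.CONTEXT_SENSITIVE,
    sec_relevant_cols     => 'CARD_NO',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Not rewritten by CARD_MASK (no reference to CARD_NO); EU_ONLY still applies.
SELECT order_id, amount FROM sales_sec.orders;
-- Rewritten by both policies: all EU rows come back, CARD_NO is NULL unless
-- owner_user matches the connected user.
SELECT order_id, card_no FROM sales_sec.orders;
```

Omitting SEC_RELEVANT_COLS_OPT would instead filter out the rows the predicate excludes whenever CARD_NO is referenced; ALL_ROWS is the masking variant, and it is only valid for SELECT policies.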

13 Overview of Virtual Private Databases

14 Overview of Virtual Private Databases
- A VPD deals with data access
- VPD controls data access at the row or column level
- Oracle 10g/11g:
  - Fine-grained access control: associate security policies with database objects
  - Application context: define and access application or session attributes
- Combining these two features, VPD enables administrators to define and enforce row-level access control policies based on session attributes.

15 Overview of Virtual Private Databases (continued)

16 Overview of Virtual Private Databases (continued)
Step 0. The owner defines the policy and its policy function.
Step 1. The user sends SQL to the database server.
Step 2. The associated table triggers a pre-defined policy function.
Step 3. The policy function returns a predicate, based on session attributes or database contents.
Step 4. The server dynamically rewrites the submitted query by appending the returned predicate to the WHERE clause.
Step 5. The modified SQL query is executed.

17 Example
BEGIN
  -- Attach policy function f_retiree_01 to table retiree; the policy is
  -- enforced on SELECT statements that reference the ssn or sal columns.
  dbms_rls.add_policy(
    object_schema     => 'ret_schema',
    object_name       => 'retiree',
    policy_name       => 'retiree_policy',
    function_schema   => 'retiree',
    policy_function   => 'f_retiree_01',
    statement_types   => 'select',
    sec_relevant_cols => 'ssn, sal');
END;
/

18 VPD Components

19 VPD Components
- Application Context
- PL/SQL Function
- Security Policies

20 Application Context
- Holds environmental variables
  - Application name
  - Username
- Gathers information using DBMS_SESSION.SET_CONTEXT

21 PL/SQL Function
- Functions are used to construct and return the predicates that enforce row-level security
- The function must be declared with the standard signature, to ensure that the policy can call it correctly
- The function returns a value: the predicate
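The three components just listed (application context, PL/SQL function, security policy) and the six-step flow on slide 16 fit together as follows. This is an added, end-to-end example and not code from the presentation: the schema HR_SEC, the tables EMP_DATA and USER_DEPT, the context EMP_CTX, the trusted package EMP_CTX_PKG and the policy function EMP_DEPT_POLICY are all hypothetical names; DBMS_SESSION.SET_CONTEXT, SYS_CONTEXT, DBMS_RLS.ADD_POLICY and the policy-function signature are the real Oracle interfaces.

```sql
-- Added example (hypothetical schema HR_SEC and object names).
-- Step 0a: the protected table plus a mapping of users to departments,
-- with constructed sample rows.
CREATE TABLE hr_sec.emp_data (
  emp_id  NUMBER PRIMARY KEY,
  dept_id NUMBER NOT NULL,
  ssn     VARCHAR2(11),
  sal     NUMBER
);
CREATE TABLE hr_sec.user_dept (
  username VARCHAR2(128) PRIMARY KEY,
  dept_id  NUMBER NOT NULL
);
INSERT INTO hr_sec.emp_data  VALUES (1, 10, '123-45-6789', 5000);
INSERT INTO hr_sec.emp_data  VALUES (2, 20, '987-65-4321', 6000);
INSERT INTO hr_sec.user_dept VALUES ('ALICE', 10);
COMMIT;

-- Step 0b: the application context. The USING clause names the only package
-- allowed to set attributes in this namespace, so a session cannot set its
-- own department directly.
CREATE OR REPLACE CONTEXT emp_ctx USING hr_sec.emp_ctx_pkg;

CREATE OR REPLACE PACKAGE hr_sec.emp_ctx_pkg AS
  PROCEDURE set_dept;
END emp_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY hr_sec.emp_ctx_pkg AS
  -- Looks up the connected user's department and stores it in the session
  -- context. DBMS_SESSION.SET_CONTEXT only succeeds from this package.
  PROCEDURE set_dept IS
    v_dept NUMBER;
  BEGIN
    SELECT dept_id INTO v_dept
      FROM hr_sec.user_dept
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('emp_ctx', 'dept_id', TO_CHAR(v_dept));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      NULL;  -- unknown user: attribute stays unset, so the policy admits no rows
  END set_dept;
END emp_ctx_pkg;
/

-- Step 0c: the policy function. DBMS_RLS fixes the signature: two VARCHAR2
-- inputs (object schema and object name) and a VARCHAR2 return value that
-- holds the predicate text.
CREATE OR REPLACE FUNCTION hr_sec.emp_dept_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  -- Step 3: build the predicate from the session attribute. SYS_CONTEXT is
  -- referenced inside the predicate instead of concatenating its value, so the
  -- predicate text is constant (shareable cursor, no injection surface) and an
  -- unset attribute yields "dept_id = NULL", which matches nothing.
  RETURN 'dept_id = TO_NUMBER(SYS_CONTEXT(''emp_ctx'', ''dept_id''))';
END emp_dept_policy;
/

-- Step 0d: the security policy ties the function to the table.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR_SEC',
    object_name     => 'EMP_DATA',
    policy_name     => 'EMP_DEPT_POLICY',
    function_schema => 'HR_SEC',
    policy_function => 'EMP_DEPT_POLICY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);  -- new and changed rows must satisfy the predicate too
END;
/

-- At session start (logon trigger or application code) the trusted setter
-- runs once:
--   BEGIN hr_sec.emp_ctx_pkg.set_dept; END;
-- Steps 1, 2, 4, 5: the user submits the statement below; the server calls
-- EMP_DEPT_POLICY, appends its predicate, and executes
--   SELECT emp_id, sal FROM hr_sec.emp_data
--    WHERE dept_id = TO_NUMBER(SYS_CONTEXT('emp_ctx', 'dept_id'))
-- without any change to the SQL the user typed.
SELECT emp_id, sal FROM hr_sec.emp_data;
```

The same mechanism is why the slide on "No backdoors" holds: the predicate is applied by the server to every statement against EMP_DATA, including ad-hoc SQL from a tool, not only to the application's own queries.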

22 Benefits of using VPD

23 Benefits of using VPD
- Dynamic security: no need to maintain complex roles and grants
- Multiple security: you can place more than one policy on each object, as well as stack them on other base policies
- Simplicity
- No backdoors: users can no longer bypass security policies embedded in applications, as the policies are attached to the data

24 Drawbacks of using VPD

25 Drawbacks of using VPD
- Requires Oracle user ID: VPD requires that an Oracle user ID be defined for every person who connects to the database. This adds maintenance and overhead.
- Hard to audit: it is hard to write an audit script that defines the exact access for each user.

26 VPD Summary

27 Summary
- A virtual private database allows or prevents data access at the row or column level; implemented using the VIEW database object
- VPDs are also referred to as row-level security (RLS) or fine-grained access (FGA)
- SQL Server does not support VPDs

28 Summary (continued)
- Oracle application context:
  - Allows settings of a database application to be retrieved by database sessions
  - SYS_CONTEXT function
  - PL/SQL package DBMS_SESSION, SET_CONTEXT procedure
- Use the Oracle-supplied package DBMS_RLS to add the VPD policy
- Oracle data dictionary views
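The data dictionary views mentioned in the last bullet are also the starting point for the "hard to audit" drawback on slide 25. The queries below are an added example, not part of the presentation: DBA_POLICIES, DBA_SEC_RELEVANT_COLS and V$VPD_POLICY are real Oracle views, while the schema filter HR_SEC is a hypothetical name. They show what an audit script can and cannot recover about VPD.

```sql
-- Added example: inventory VPD policies from the data dictionary.
-- Hypothetical schema HR_SEC; requires SELECT on the DBA_ / V$ views.

-- Which policies are attached to which objects, for which statement types,
-- whether they are enabled, their type, and whether updates are checked.
-- This is the part of "who can see what" that is recorded statically.
SELECT object_owner, object_name, policy_name, policy_group,
       pf_owner || '.' || NVL2(package, package || '.', '') || function AS policy_fn,
       sel, ins, upd, del, enable, policy_type, chk_option
  FROM dba_policies
 WHERE object_owner = 'HR_SEC'
 ORDER BY object_name, policy_name;

-- Columns that trigger column-level policies, and whether the policy filters
-- rows or masks the column (COLUMN_OPTION) when those columns are referenced.
SELECT object_name, policy_name, sec_rel_column, column_option
  FROM dba_sec_relevant_cols
 WHERE object_owner = 'HR_SEC'
 ORDER BY object_name, policy_name;

-- The predicate text exists only in the function body and at run time, so the
-- dictionary cannot answer "what exactly can user X read". V$VPD_POLICY lists
-- the predicate actually appended to each cursor still in the shared pool,
-- which is the closest available evidence of effective access.
SELECT sql_id, object_owner, object_name, policy, predicate
  FROM v$vpd_policy
 WHERE object_owner = 'HR_SEC'
 ORDER BY object_name, policy;
```

Because the predicate is computed per session from context attributes, a complete per-user audit has to combine the policy inventory above with the logic of each policy function and the source of its context values (the trusted package that calls DBMS_SESSION.SET_CONTEXT); reviewing those functions is the audit step the dictionary views alone cannot replace.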

29 VPD Summary
- Security: by attaching security policies to tables, views, or synonyms, fine-grained access control ensures that the same security is in force, no matter how a user accesses the data.
- Simplicity: adding the security policy to the table, view, or synonym means that you make the addition only once, rather than repeatedly adding it to each of your table-, view-, or synonym-based applications.
- Flexibility: you can have one security policy for SELECT statements, another for INSERT statements, and still others for UPDATE and DELETE statements.

30 Q&A

31 Resources
- http://en.wikipedia.org/wiki/Virtual_private_database
- http://docs.oracle.com/cd/B28359_01/network.111/b28531/vpd.htm
- http://www.utc.edu/center-information-security-assurance/course-listing/4670-lecture8-vpd.ppt
- http://theoicllc.com/R12_GL/VPD_Sparks_Ver2.0.ppt

32 O Allah, free every captive; O Allah, set right every corrupt matter in the affairs of the Muslims; O Allah, heal every sick person.
