Session 17

Download Report

Transcript Session 17 

Oracle Database
Security
…from the application perspective
Agenda
 Oracle


architecture
System architecture
Network architecture
 Common
Oracle objects
 Schema/object security
 Java security
 Application integration techniques
Authentication & credentials
 Can





be…
OS authentication
Userid/password
X.509 certificates
Smart card
Etc.
 Stored

in Oracle
As MD5 hash
Oracle architecture
Authentication & credentials (cont.)

Transport encryption




DES encryption of db-selected random number
w/user’s password hash
OS-integrated authentication available too
Password changes travel unencrypted
Password management features available




Aging & expiration
History (e.g., can prohibit reuse of last 3 passwords)
Composition & complexity (e.g., require letters +
numbers)
Account lockout
Oracle object security
grant select on
EMPLOYEES to ASOK;
orders
candidates
customers
employees
asok’s schema
alice’s schema
all_users
Public objects
Oracle role-based security
grant all privileges
on EMPLOYEES to role
HR_STEWARD;
hr_steward
grant HR_STEWARD to
CATBERT;
DBA
candidates
employees
hrdata schema
Auditing
 Obviously
impacts database performance
 Writes high-level info to a common table




Database user
Object (table, role, etc.)
Action (select, insert, etc.)
Date/time
 Currently
enabled on-request to DBA team
 Difficult to trace actions to a live human

Can correlate with IP address
Typical modern application
application
orders
application schema
customers
Shared schemas
Application
#1
select
insert
update
Application
#2
select
orders
customers
application #2’s schema
insert
update
delete
select
grant
Summary
Oracle provides a variety of security features
including:
 Identification/Authentication
 Authorization via privileges, roles, and fine
grained security
 Encryption
 Audit trails
SQL Security Background
●
Windows Live Security Mission
Analyze
Threats and
Risks
Define
Policy
Monitor and
Operate
Asses and
Audit
Compliance
Platform Security

SQL Server
 Follow best practices for application and
database configuration
•
•
•
•
•
•
•
Roles and permissions
Authentication
Validation
Administration
Server structure
Propagation
Encryption