Transcript Session 17
Oracle Database
Security
…from the application perspective
Agenda
Oracle
architecture
System architecture
Network architecture
Common
Oracle objects
Schema/object security
Java security
Application integration techniques
Authentication & credentials
Can
be…
OS authentication
Userid/password
X.509 certificates
Smart card
Etc.
Stored
in Oracle
As MD5 hash
Oracle architecture
Authentication & credentials (cont.)
Transport encryption
DES encryption of db-selected random number
w/user’s password hash
OS-integrated authentication available too
Password changes travel unencrypted
Password management features available
Aging & expiration
History (e.g., can prohibit reuse of last 3 passwords)
Composition & complexity (e.g., require letters +
numbers)
Account lockout
Oracle object security
grant select on
EMPLOYEES to ASOK;
orders
candidates
customers
employees
asok’s schema
alice’s schema
all_users
Public objects
Oracle role-based security
grant all privileges
on EMPLOYEES to role
HR_STEWARD;
hr_steward
grant HR_STEWARD to
CATBERT;
DBA
candidates
employees
hrdata schema
Auditing
Obviously
impacts database performance
Writes high-level info to a common table
Database user
Object (table, role, etc.)
Action (select, insert, etc.)
Date/time
Currently
enabled on-request to DBA team
Difficult to trace actions to a live human
Can correlate with IP address
Typical modern application
application
orders
application schema
customers
Shared schemas
Application
#1
select
insert
update
Application
#2
select
orders
customers
application #2’s schema
insert
update
delete
select
grant
Summary
Oracle provides a variety of security features
including:
Identification/Authentication
Authorization via privileges, roles, and fine
grained security
Encryption
Audit trails
SQL Security Background
●
Windows Live Security Mission
Analyze
Threats and
Risks
Define
Policy
Monitor and
Operate
Asses and
Audit
Compliance
Platform Security
SQL Server
Follow best practices for application and
database configuration
•
•
•
•
•
•
•
Roles and permissions
Authentication
Validation
Administration
Server structure
Propagation
Encryption