Restricted © Business & Decision Life Sciences 2014 All rights reserved.
Business & Decision Life Sciences
Creating a personal view on the data via using a Virtual Private Database
Sébastien Roland
13 October
Content
Introduction
Security issues
Securing via Views
Securing via Virtual Private Database
Advantages and disadvantages
Introduction
• Applications are viewed as a monolithic block
[Figure: application stack: User Interface, Controllers layer, Services layer, Data Layer, DB. Labels: Threat!, Spy]
Security issues
- Relational database
- 52 tables
- Data & metadata
- Clinical studies
- Users & groups

[Figure: schema tables STUDY, CODEVAL, VLMVAL, TRIALARM, XMLDOC, DOMAIN, EPOCH, CDASH, VLMNAM, CODELIST, ...]

STUDY table:
STUDY_ID  STUDY_NAME  ...                  GROUP
201       ST_CRO_B1   Confidential data !  DM1
202       ST_CRO_B2   Confidential data !  DM1
207       ST_CRO_ZA   Confidential data !  DM2
245       ST_CRO_KU   Confidential data !  DM3
[Figure: the same schema and STUDY table, with a CUSTOM APPLICATION login form. Logged in as: DM1]
Security issues
• There are 2 major security issues
  – Security is handled by the application
  – Doesn’t take into account third-party accesses
Issue 1: Application’s security
[Figure: STUDY table with its GROUP column; CUSTOM APPLICATION, logged in as: DM1. Labels: Login, ST_CRO_B1]
SELECT * FROM STUDY JOIN ... WHERE STUDY_NAME LIKE 'ST_CRO_B1'
[Figure: the same screen; CUSTOM APPLICATION, logged in as: DM1. Login field: ' or 1=1--]
SELECT * FROM STUDY JOIN ... WHERE STUDY_NAME LIKE '' or 1=1--'
• The injected input makes the WHERE clause always true and comments out the trailing quote, so the application's filter on STUDY_NAME no longer applies
Issue 2: Third party access
[Figure: File server; PROGRAMS (SAS, PERL, ...); starts]
- User has access to the password
- Hash it? E.g. PROC PWENCODE - Not safe
Securing via views
• What is a view and how to secure?
CREATE VIEW staff AS
  SELECT employee_id, last_name, job_id, manager_id, department_id
  FROM employees;
• To solve our practical example
[Figure: STUDY table (rows tagged with GROUP DM1, DM1, DM2, DM3) with a view STUDY_VIEW_DM1; GRANT select, update…]
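The view-based approach applied to the STUDY table, as an added example that is not taken from the slides. It assumes a schema APP that owns STUDY, a column GROUP_NAME standing in for the slides' GROUP column (GROUP is a reserved word), and database accounts DM1 and DM2; all of these names are hypothetical.

```sql
-- Added example, not from the slides. Hypothetical names: schema APP,
-- column GROUP_NAME (the slides' GROUP column), accounts DM1 and DM2.

-- One view per group, restricted to that group's rows.
CREATE VIEW app.study_view_dm1 AS
  SELECT study_id, study_name, group_name
  FROM   app.study
  WHERE  group_name = 'DM1'
  WITH CHECK OPTION;  -- rejects an UPDATE that would move a row out of the view

GRANT SELECT, UPDATE ON app.study_view_dm1 TO dm1;

-- The same pair of statements has to be repeated for every other group.
CREATE VIEW app.study_view_dm2 AS
  SELECT study_id, study_name, group_name
  FROM   app.study
  WHERE  group_name = 'DM2'
  WITH CHECK OPTION;

GRANT SELECT, UPDATE ON app.study_view_dm2 TO dm2;

-- No group account receives a grant on app.study itself: a direct grant
-- on the base table would let queries bypass the views.
```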
Securing via Virtual Private Database
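• What is a Virtual Private Database?
  – Dynamic WHERE clause
  – The query as issued by the user:
SELECT * FROM EMPLOYEES;
  – The query as executed once the policy has added its predicate:
SELECT * FROM EMPLOYEES WHERE EMPLOYEE_ID = 203;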
• Policies can be added to tables, views or synonyms
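-- Policy function: returns the predicate that is appended to the query.
CREATE OR REPLACE FUNCTION check_updates(
  schema_var IN VARCHAR2,
  table_var  IN VARCHAR2
) RETURN VARCHAR2 IS
  return_val VARCHAR2(400);
BEGIN
  IF UPPER(SYS_CONTEXT('USERENV', 'SESSION_USER')) = UPPER(SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA')) THEN
    -- The schema owner is not restricted: a NULL predicate means no filter.
    return_val := NULL;
  ELSE
    -- Other users see only the row whose EMPLOYEE_ID equals their session
    -- user name (the comparison assumes user names are the employee ids).
    return_val := 'EMPLOYEE_ID = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
  END IF;
  RETURN return_val;
END check_updates;
/

-- Attach the policy function to hr.employees for SELECT statements.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'hr',
    object_name     => 'employees',
    policy_name     => 'secure_update',
    policy_function => 'check_updates',
    statement_types => 'SELECT');
END;
/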
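The same mechanism applied to the STUDY table from the practical example, as an added example that is not taken from the slides. It assumes a schema APP that owns STUDY, a column GROUP_NAME standing in for the slides' GROUP column, and one database account per group (DM1, DM2, DM3); the policy and function names are hypothetical.

```sql
-- Added example, not from the slides. Hypothetical names: schema APP,
-- column GROUP_NAME (the slides' GROUP column; GROUP is a reserved word),
-- and one database account per group: DM1, DM2, DM3.
CREATE OR REPLACE FUNCTION app.study_group_policy(
  schema_var IN VARCHAR2,
  table_var  IN VARCHAR2
) RETURN VARCHAR2 IS
BEGIN
  -- The schema owner keeps full access: a NULL predicate means no filter.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP' THEN
    RETURN NULL;
  END IF;
  -- Every other account sees only the rows of its own group. The account
  -- name is read from the session context, not from anything the user typed.
  RETURN 'group_name = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END study_group_policy;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'app',
    object_name     => 'study',
    policy_name     => 'study_by_group',
    function_schema => 'app',
    policy_function => 'study_group_policy',
    statement_types => 'SELECT,UPDATE',
    update_check    => TRUE);  -- an UPDATE may not move a row to another group
END;
/

-- One policy covers every group; the grants go on the table itself.
GRANT SELECT, UPDATE ON app.study TO dm1, dm2, dm3;
```

Because the policy predicate is combined with the query's own conditions using AND, a DM1 session that submits the always-true WHERE clause from the injection slide is still evaluated only over rows whose GROUP_NAME is DM1. The same holds for third-party programs that connect directly with a group account.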
Advantages and disadvantages
• Views
  – Provide row level protection
  – Maintainability: number of views to create
  – Security based on an extra layer
• Virtual Private Database
  – Provide row level protection
  – Maintainability: policies defined once
  – Security in the kernel
  – Complete range of motion
Thank you for your attention. Join us for a coffee at our stand. London, United Kingdom, 13 OCT 2014
Business & Decision Life Sciences Sint-Lambertusstraat 141 rue Saint-Lambert
B-1200 Brussels T: +32 2 774 11 00 F: +32 2 774 11 99
[email protected] http://www.businessdecision-lifesciences.com/
Sébastien Roland | Software Architect | [email protected]