Page 1: Oracle Database Vault

Database Vault

Marco Alamanni

Page 2: Oracle Database Vault

Why Database Vault?

• Compliance with regulations such as Sarbanes-Oxley (SOX), the European Data Protection Directive (95/46/EC) and the Health Insurance Portability and Accountability Act (HIPAA) requires strong internal controls and separation of duty

• Internal threats are a much bigger concern today and require enforcement of operational security policies: who, when and where can data be accessed?

• A database consolidation strategy requires preventive measures against access to application data by powerful (DBA) users

Page 3: Oracle Database Vault

Common Security Problems

• I have requirements around SOX and PCI: how can I prevent my DBA from looking at the application data, including credit cards and personal information?

• No protection from users with DBA privileges
  - DBA role with full access to user and business data

• Only few apps built with a least-privilege model:
  - various utilities require powerful administrator privileges

• Cannot meet new compliance requirements:
  - separation of duty not enforced

• Cannot control user creation, role assignment, etc.

Page 4: Oracle Database Vault

Oracle Database Vault Goals

• Integrated security framework to provide full control:
  - Network, users, DBA, data, roles, SQL
  - Multi-factor authorization and policies across various checks

• Compliance requirements:
  - Built-in separation of duty
  - Prevent misuse of powerful privileges
  - Support database consolidation

Page 5: Oracle Database Vault

Database Vault versus VPD and OLS

• Virtual Private Database (VPD): restricts access to certain rows for a user by modifying the WHERE clause

• Oracle Label Security (OLS): mediates access to a given row, based on the label on the row and the security level of the user

• VPD and OLS restrict access at the row level, whereas Database Vault restricts access at the object and command levels.

• DBV can be integrated with both VPD and OLS

Page 6: Oracle Database Vault

DBV Administration Model

• DV administrative roles:
  - DV_SECANALYST: reporting only
  - DV_ACCTMGR: maintain database accounts/profiles (but no roles)
  - DV_OWNER: big boss, but cannot grant any direct access rights

• DV realm roles:
  - DV_REALM_OWNER: manages the realm and associated roles

• Security:
  - Provides separation of duties with different admin roles
  - SYS, SYSTEM, SYSDBA and SYSOPER cannot grant the DV_OWNER and DV_ADMIN roles

Page 7: Oracle Database Vault

Separation of Duty

Page 8: Oracle Database Vault

Key Components

• Realms

• Command rules

• Rule sets

• Factors

• Secure application roles

Page 9: Oracle Database Vault

Realms

• Collections of schemas, objects and roles to be secured

• Controls SELECT, DML, DDL, EXECUTE on protected objects

• Prevents super user (ANY) access to security-sensitive data

• Does not impact direct object privileges

• Realm owner determines:
  - Who can access the realm using system privileges
  - Grants/revokes applicable roles

• Authorization enforced at every data object access during SQL execution

Page 10: Oracle Database Vault

Default Realms

• Database Vault Account Management: protects user accounts/profiles and the account management role

• Data Dictionary: protects all DBMS metadata

• Enterprise Manager: protects all objects required by Enterprise Manager

• Database Vault: protects all Database Vault metadata
  - All objects owned by Database Vault schemas
  - All objects owned by LBACSYS
  - All security administration roles

Page 11: Oracle Database Vault

Benefits of Data Protection with Realms

• Ability to restrict access by privileged users based upon a collection of objects

• Separation of duty regarding user administration and role management

• Ability to define additional realm authorization rules based upon requirements

• Limit damage even if privileges escalate to DBA

• Minimize risks associated with an army of DBAs for 7 x 24 operation, whether in-house or outsourced

• No changes required to applications

Page 12: Oracle Database Vault
Page 13: Oracle Database Vault

Command rules

Page 14: Oracle Database Vault

Command Rules Mechanics

• Works very similarly to DDL event triggers

• Built into the SQL engine for optimization and security

• Covers all basic DDL and DML commands

Page 15: Oracle Database Vault

Command Rule Flexibility

Command rules can be defined for commands including: Alter Database, Alter Table, Alter Function, Audit, Alter Tablespace, Alter Package Body, Alter Procedure, Alter Profile, Alter Session, Alter System, Alter Synonym, Alter Trigger, Alter User, Password, Alter View, Change Password, Connect, Comment, Create Function, Create Index, Create Package, Create Database Link, Create Procedure, Create Role, Create Package Body, Create User, Create View, Create Table, Grant, Insert, Noaudit, Rename, Lock Table, Create Tablespace, Create Trigger, Truncate Table, Update, Delete, Execute, Select

Page 16: Oracle Database Vault

Rules and Rule Set

Page 17: Oracle Database Vault

Factors

• A factor:
  - Is an attribute of a database session
  - Can have a value, which can be labeled as an identity

• Can easily be referenced in other Database Vault components to decide access

• Can be combined with other factors to provide multi-factor authorization

Page 18: Oracle Database Vault

Factor’s Identity

• An identity:
  - Is a value
  - Is associated with a factor
  - Has a trust level
  - Can have a label

• Can be resolved from other factors

• Can be retrieved with the PL/SQL functions associated with the factor

Page 19: Oracle Database Vault

Built-In Factors

• User factors: Name, Authentication type, Session user

• Network factors: Machine name, Client IP, Network protocols

• Database factors: Database IP, Database instance, Database hostname

• Runtime factors: Language, Date, Time
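The factor, identity and trust-level concepts from the last three slides, as an added worked example that is not code from the slides: a custom factor derived from the built-in Client_IP factor, three labelled identities with trust levels, and a rule that other components can reuse. It uses the DBMS_MACADM and DBMS_MACUTL PL/SQL packages as documented for 11g Release 2 and must be run by a user holding the DV_OWNER or DV_ADMIN role. The factor name Network_Zone, the identity names and the 10.1.x.x address ranges are assumptions for illustration.

```sql
-- Added example (not from the slides): a custom Database Vault factor with
-- labelled identities and trust levels.  Factor name, identity names and
-- IP ranges are assumptions; run as a DV_OWNER / DV_ADMIN user.
BEGIN
  -- The factor's value is computed once per session by a method (get_expr).
  -- It classifies the built-in Client_IP factor, reachable as the generated
  -- function DVF.F$CLIENT_IP, into a named network zone.
  DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'Network_Zone',
    factor_type_name => 'Network',
    description      => 'Origin of the session, derived from Client_IP',
    rule_set_name    => NULL,
    get_expr         => 'CASE'
                     || ' WHEN DVF.F$CLIENT_IP LIKE ''10.1.2.%'' THEN ''App_Tier'''
                     || ' WHEN DVF.F$CLIENT_IP LIKE ''10.1.%''   THEN ''Corp_LAN'''
                     || ' ELSE ''Unknown'' END',
    validate_expr    => NULL,
    identify_by      => DBMS_MACUTL.G_IDENTIFY_BY_METHOD,
    labeled_by       => DBMS_MACUTL.G_LABELED_BY_SELF,
    eval_options     => DBMS_MACUTL.G_EVAL_ON_SESSION,
    audit_options    => DBMS_MACUTL.G_AUDIT_ON_GET_ERROR,
    fail_options     => DBMS_MACUTL.G_FAIL_SILENTLY);

  -- Identities: every value the factor can take gets a trust level.
  -- Higher is more trusted; a negative level marks an untrusted origin.
  DBMS_MACADM.CREATE_IDENTITY(factor_name => 'Network_Zone', value => 'App_Tier', trust_level => 10);
  DBMS_MACADM.CREATE_IDENTITY(factor_name => 'Network_Zone', value => 'Corp_LAN', trust_level => 5);
  DBMS_MACADM.CREATE_IDENTITY(factor_name => 'Network_Zone', value => 'Unknown',  trust_level => -1);

  -- A rule that rule sets and realm authorizations can reference: true only
  -- when the identity resolved for this session is trusted enough.  A NULL
  -- Client_IP (for example a local bequeath connection) resolves to
  -- 'Unknown' and therefore fails the rule, i.e. the policy fails closed.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Trusted Network Zone',
    rule_expr => 'DVSYS.GET_TRUST_LEVEL(''Network_Zone'') >= 5');
END;
/

-- Session-side check: the factor's value and trust level for the current
-- session.  DVF.F$NETWORK_ZONE is the function Database Vault generates
-- for the new factor.
SELECT DVF.F$NETWORK_ZONE                   AS zone,
       DVSYS.GET_TRUST_LEVEL('Network_Zone') AS trust
FROM   DUAL;
```

The CASE expression's ELSE branch is what makes the design defensible: every session resolves to some identity, and the only identity with a negative trust level is the one reached when the client address is missing or outside the known ranges.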

Page 20: Oracle Database Vault

Examples of Security Policies

• IP address based policies:
  - Allow access from intranet IP addresses
  - Allow access only from application servers

• DBA policies:
  - Allow updates to the database structure only on the weekend
  - Allow DBA access only with PKI/Kerberos authentication
  - Allow DDL, but only with strong authentication
  - Permit DDL (CREATE INDEX) but not SELECT
  - Implement a different set of policies for different types of DBAs

• Time/date based policies

• Disallow access from ad-hoc tools (SQL*Plus)
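Two of the policies listed above ("allow updates to the database structure only on the weekend" and "allow access only from application servers"), as an added worked example that is not code from the slides: two rules, a rule set that requires both, command rules binding the rule set to DDL on an application schema, and a realm around that schema. It uses the DBMS_MACADM and DBMS_MACUTL PL/SQL packages as documented for 11g Release 2 and must be run by a user holding the DV_OWNER or DV_ADMIN role. The HR schema, the HR_DBA and HR_APP accounts, the 10.1.2.x address range and all rule, rule set and realm names are assumptions.

```sql
-- Added example (not from the slides): weekend-only DDL from application
-- servers, plus a realm around the HR schema.  Schema and account names,
-- the IP range and all component names are assumptions; run as a
-- DV_OWNER / DV_ADMIN user.
BEGIN
  -- 1. Rules are Boolean SQL expressions evaluated when a command runs.
  --    Built-in factors are exposed as DVF.F$<FACTOR_NAME> functions.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Weekend',
    rule_expr => 'TO_CHAR(SYSDATE, ''DY'', ''NLS_DATE_LANGUAGE=AMERICAN'') IN (''SAT'', ''SUN'')');

  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is App Server',
    rule_expr => 'DVF.F$CLIENT_IP LIKE ''10.1.2.%''');

  -- 2. A rule set combines rules.  EVAL_ALL means every rule must be true;
  --    failures are audited and the message below is returned to the caller.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR DDL Window',
    description     => 'Structural changes to HR only at weekends and only from app servers',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'DDL on HR objects is permitted only at weekends from application servers',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'HR DDL Window', rule_name => 'Is Weekend');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'HR DDL Window', rule_name => 'Is App Server');

  -- 3. Command rules bind the rule set to specific commands on HR objects
  --    ('%' = any object).  A DBA holding ALTER ANY TABLE still hits them.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER TABLE',
    rule_set_name => 'HR DDL Window',
    object_owner  => 'HR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);

  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CREATE INDEX',
    rule_set_name => 'HR DDL Window',
    object_owner  => 'HR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);

  -- 4. A realm blocks ANY-style system privileges (SELECT ANY TABLE, ...)
  --    on HR data.  Direct object grants are unaffected, as the Realms
  --    slide notes, so the application's own grants keep working.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Employee and payroll data',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- Realm authorizations: HR_DBA owns the realm and may manage its roles;
  -- HR_APP may use its system privileges inside the realm but not manage it.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR_DBA',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);

  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Verify what was defined through the Database Vault data dictionary views.
SELECT command, object_owner, object_name, rule_set_name, enabled
FROM   DVSYS.DBA_DV_COMMAND_RULE
WHERE  object_owner = 'HR';

SELECT realm_name, grantee, auth_options
FROM   DVSYS.DBA_DV_REALM_AUTH
WHERE  realm_name = 'HR Realm';
```

Note the failure mode of the IP rule: for a session whose client address cannot be determined, DVF.F$CLIENT_IP is NULL, the LIKE comparison evaluates to NULL rather than true, and the rule set fails, so the DDL is refused and audited instead of slipping through.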

Page 21: Oracle Database Vault

Oracle Database Vault Rules and Multi-factor Authorization

[Figure: a Database DBA and an HR DBA acting against the HR realm; both attempts are blocked]

• Database DBA attempts a remote "alter system…": a rule based on IP address blocks the action

• HR DBA performs unauthorized actions ("create …") during production, at 3pm on a Monday: a rule based on date and time blocks the action

Factors and command rules provide flexible and adaptable security controls

Page 22: Oracle Database Vault

Deployment Flow

Page 23: Oracle Database Vault

Database Vault Access Algorithm

Page 24: Oracle Database Vault

Integration with OLS and VPD

• Oracle Label Security: association of factor identities with OLS labels to enforce row-level security policies

• Virtual Private Database: factors can be used in the PL/SQL functions that implement VPD policies
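The VPD integration just described, as an added worked example that is not code from the slides: a VPD policy function whose predicate depends on the built-in Client_IP factor, attached to a table with DBMS_RLS.ADD_POLICY. The HR.EMPLOYEES table with its EMAIL and SALARY columns, the 10.1.2.x application-tier address range and the convention that EMAIL matches the session user name are assumptions; the function owner is also assumed to be allowed to execute the DVF factor functions.

```sql
-- Added example (not from the slides): a VPD policy driven by a Database
-- Vault factor.  Table and column names, the IP range and the
-- "EMAIL equals session user" convention are assumptions for illustration.
CREATE OR REPLACE FUNCTION hr.employees_by_origin (
  p_schema IN VARCHAR2,   -- VPD passes the object schema ...
  p_object IN VARCHAR2)   -- ... and the object name; unused here
RETURN VARCHAR2
IS
BEGIN
  -- DVF.F$CLIENT_IP is the function Database Vault generates for the
  -- built-in Client_IP factor.  Sessions from the application tier see
  -- every row; any other origin, a DBA at a workstation included, is
  -- limited to the caller's own record.
  IF DVF.F$CLIENT_IP LIKE '10.1.2.%' THEN
    RETURN NULL;   -- NULL predicate: VPD applies no additional restriction
  END IF;

  -- Fail closed: a NULL or unexpected factor value also ends up here.
  RETURN 'UPPER(email) = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END employees_by_origin;
/

BEGIN
  -- Attach the function as a row-level policy.  SALARY is the sensitive
  -- column, so only statements that reference it are filtered.
  DBMS_RLS.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMPLOYEES',
    policy_name       => 'EMP_BY_ORIGIN',
    function_schema   => 'HR',
    policy_function   => 'EMPLOYEES_BY_ORIGIN',
    statement_types   => 'SELECT,UPDATE',
    update_check      => TRUE,
    sec_relevant_cols => 'SALARY');
END;
/

-- Check from a session outside the application tier: only the caller's
-- own row (or no row, if the EMAIL convention does not match) comes back.
SELECT employee_id, email, salary
FROM   hr.employees;
```

Because the branch that grants unrestricted access is the only one that requires a positive match on the factor, a session whose client address cannot be resolved falls through to the restrictive predicate rather than to the permissive one.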

Page 25: Oracle Database Vault

PL/SQL API to Database Vault

• PL/SQL interface for scriptable administration and tools

• The API includes:
  - Create, modify and delete Database Vault components
  - Allow a session to define its security environment
  - Query the state and values of components
  - Administer and configure system-wide Database Vault parameters

Page 26: Oracle Database Vault

Oracle Database Vault Summary

• Integrated security framework to provide full control:
  - Control access based upon network, users, DBA, data, roles and SQL access
  - Multi-factor authorization and policies across various checks
  - Baked-in security controls

• Compliance requirements:
  - Built-in separation of duty (user management, data management, application management)
  - Prevent misuse of powerful privileges

• Operational requirements:
  - No application changes required
  - Minimal performance impact
  - Easy to use, plus customization flexibility
  - Support database consolidation

Page 27: Oracle Database Vault

Credits and references

• Vipin Samar, Oracle Database Vault: Under the Covers, Oracle

• Eric Siglin, Dividing the Keys to the Kingdom: Separation of Duties with Oracle 10g Database Vault, Oracle

• Patricia Huey, Oracle Database Vault Administrator's Guide 11g Release 2 (11.2), Oracle, 2010