building secure database applicaons - rainfocus...copyright © 2017, oracle and/or its affiliates....
TRANSCRIPT
![Page 1: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/1.jpg)
![Page 2: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/2.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
BuildingSecureDatabaseApplicaCons
ScoDRotondoOracleDatabaseSecurityOctober4,2017
![Page 3: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/3.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
SafeHarborStatementThefollowingisintendedtooutlineourgeneralproductdirecCon.ItisintendedforinformaConpurposesonly,andmaynotbeincorporatedintoanycontract.Itisnotacommitmenttodeliveranymaterial,code,orfuncConality,andshouldnotberelieduponinmakingpurchasingdecisions.Thedevelopment,release,andCmingofanyfeaturesorfuncConalitydescribedforOracle’sproductsremainsatthesolediscreConofOracle.
3
![Page 4: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/4.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
CryptoToolkitforApplicaCons
RowLevelSecurityKeyManagement
DataEncrypCon
EVALUATE PREVENT DETECT DATADRIVENSECURITY
SecurityConfiguraCon
SensiCveDataDiscovery
PrivilegeAnalysis
DBA&OperaConControls
DatabaseAudiCng
Database/SQLFirewall
RealApplicaConSecurity
LabelbasedSecurity
CentralizedMonitoring
SecurityAssessment AlerCng&ReporCng
DataRedacCon
DataMaskingandSubseZng
Defense-in-DepthSecurityforDatabases
4
![Page 5: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/5.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
TypicalApplicaConArchitectureLDAP
User
ApplicaConServers
5
![Page 6: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/6.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
ProblemswithTypicalImplementaCons• Alldataistreatedthesame
– RegardlessofsensiCvityorimportance
• ApplicaConalwaysrunswithalltheprivilegesitwilleverneed– Independentofend-useroroperaConbeingperformed
• DatabasesecurityprotecConsdon’tmatchtheapplicaCon– Needricher,applicaCon-specificpolicies
• InsufficientaudiCng– TomonitorapplicaConusersandthosewhobypassit
6
![Page 7: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/7.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
FiveAreastoConsider
SensiCveData
LeastPrivilege
BasicAccessControl
ApplicaCon-SpecificProtecCon
AudiCng
1
2
3
4
5
7
![Page 8: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/8.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
FiveAreastoConsider
SensiCveData
LeastPrivilege
BasicAccessControl
ApplicaCon-SpecificProtecCon
AudiCng
1
2
3
4
5
8
![Page 9: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/9.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
DealingwithSensiCveData• ExamplesofsensiCvedata
– PersonallyidenCfiableinformaCon(e.g.name,phone,naConalid)– Privaterecords(e.g.medical,academic)– High-valueinformaCon(e.g.corporatefinancials,intellectualproperty)
• Keyissues– DiscoveringwhichinformaConinthedatabaseissensiCve– ExposingsensiCvedataonlyincontrolledways
9
![Page 10: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/10.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
DiscoveringSensiCveData
• IdenCfyandcatalogsensiCvedata– EnterpriseManager– DBSecurityAssessmentTool(DBSAT)
• ApplicaConDataModeldescribessensiCvetypesandrelaConships
10
![Page 11: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/11.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
Real-CmeredacConofsensiCvedatabasedoncontext
TransparenttoapplicaCons.Nocodechangesrequired
Consistentenforcementwithinthedatabase
NochangesinregulardatabaseoperaCons
OracleDataRedacCon
CallCenter
CreditCardProcessing
CreditCardNumbers4451-2172-9841-43685106-8395-2095-59387830-0032-0294-1827
4451-2172-9841-4368
xxxx-xxxx-xxxx-4368
11
![Page 12: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/12.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
052-51-2147 XXX-XX-2147
SupportedTransformaConsStoredData RedactedResults
10/09/1992
[email protected] [hidden]@acme.com
4451-2172-9841-4368 4943-6344-0547-0110
Full
ParIal
RegExp
Random
01/01/2001
12
![Page 13: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/13.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
FiveAreastoConsider
SensiCveData
LeastPrivilege
BasicAccessControl
ApplicaCon-SpecificProtecCon
AudiCng
1
2
3
4
5
13
![Page 14: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/14.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
PrincipleofLeastPrivilege• RuneachprogramwiththeminimumprivilegesneededtoperformitsintendedfuncCon
• Limitspossibledamageif– Theprogramcontainsabug– AvulnerabilityisexploitedbyanaDacker
• Soundsobvious,butthisprincipleisviolatedalltheCme
14
![Page 15: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/15.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
ReviewofDatabasePrivilegesandRoles• TheOracledatabasesupportstwotypesofprivilege• ObjectprivilegesallowanoperaCononaspecificobject
– grantSELECTonHR.EMPLOYEEStoSCOTT
• Systemprivilegesapplytoanyobjectortothedatabaseasawhole– grantDROPANYTABLEtoSCOTT– grantALTERDATABASEtoSCOTT
• Canassignprivilegesdirectlytousersorindirectlyviaroles• PL/SQLcodecanuseeitherowner’sorcaller’sprivileges
– Definer’svs.invoker’srights
15
![Page 16: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/16.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
SchemaSeparaCon• Less powerful runtime account
– No system privileges or DDL
• Sensitive tables protected from runtime user – VPD, Label Security, RAS
• PL/SQL packages called by RUNTIME – Invoker’s rights
• Administrative packages run with HR privileges – Definer’s rights
User
HR Admin
App Server
RUNTIME
HR
DBA
Update Employee
Query Employee
Proxy
EMP Table
16
![Page 17: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/17.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
Code-BasedAccessControl• StarCngwithOracle12c,awaytoassociateprivilegeswithcodeinsteadofusers
• GrantrolestoaPL/SQLprocedureorfuncCon– PrivilegesareacCveonlywhileexecuCngthisblockofcode
• Similarineffecttodefiner’srights,except– NormalDRprocedureusesonlyprivilegesdirectlygrantedtoowner,notroles– Differentprocedureswiththesameownercanhavedifferentroles– Workswithbothdefiner’sandinvoker’srightsprocedures
17
![Page 18: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/18.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
WhichPrivilegesDoINeed?• Wewanttograntspecificprivilegestoeachuserorschema• Buthowdoweknowwhichprivilegestogrant?• Startwithanalysisoftheprogram,but…
– Wanttoconfirmthatanalysisempirically– WhataboutexisCngprograms?
18
![Page 19: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/19.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
DatabaseVaultPrivilegeAnalysis• CaptureandreportondatabaseprivilegeusageatrunCme
– Forusers,sessions,androles(incl.PUBLIC)– ShowusedSystem,Object,andPublicprivileges– Showhowtheusergottheprivilege
• Showunusedsystemandobjectprivileges• Administratorcanmodifyprivilegegrantsbasedonresults
19
![Page 20: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/20.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
UnusedPrivilegesReport
20
![Page 21: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/21.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
UsedPrivilegesReport
21
![Page 22: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/22.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
FiveAreastoConsider
SensiCveData
LeastPrivilege
BasicAccessControl
ApplicaCon-SpecificProtecCon
AudiCng
1
2
3
4
5
22
![Page 23: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/23.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
VirtualPrivateDatabase
• Restrictaccesstosubsetofdata– Rowfiltering– Columnmasking
• Customizablepolicies– ApplicaConcontextvalue– Currentsystemstate– Currentandforeigntables
DatabaseEnforcedRowLevelSecurity
VPDPolicySelect*fromOrders
WhereRegion='EU'
WhereRegion='US'
Select*fromOrders
ORDERSSalesRep
USRegion
EURegion
23
![Page 24: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/24.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
OracleLabelSecurity
• ClassifydatabasedonapplicaCon• Level,Compartment,Group
• AuthorizaConstoapplicaConordatabaseusers
• AuthorizaConscanbemanagedindirectory
LabelBasedAccessControl
OracleLabelSecurityPolicySelect*fromOrders
Select*fromOrders
ORDERS LabelSalesRep
USRegion
EURegion
CA
CA
USEU
EU
EUUS
24
![Page 25: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/25.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
WhoIsTryingtoAccessData?
• EnduseridenCtymustbeknowntothedatabase– Databasecanmanageusersforclient-serverapplicaCons– Three-CerapplicaConmustpropagateuseridenCtytodatabase
• AllowsdatabasetoenforceaccesscontrolbasedonuseridenCty• AllowsaudiCngtotrackwhoactuallyperformedtheoperaCon
AccessControlRequiresAuthenIcaIon
25
![Page 26: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/26.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
ApplicaConContext
• InformaConaboutcurrentsession• MostpredefinedaDributescannotbemodified
USERENVFixedADributes
• SetbyDBMS_APPLICATION_INFO,JDBC,OCI• Recordedinaudittrail
USERENVModifiableADributes
• Key-valuepairssetbydesignatedPL/SQLpackage• EachapplicaConhasitsownnamespace
ApplicaConNamespace
26
![Page 27: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/27.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
AuthenCcaCngtheApplicaCon
• Securedatabase-externallocaContostoreapplicaConanduserpasswords– LeveragestheOracleWallet– Passwordsneverintheclearonfilesystem– AccessiblefromOCI,SQL*Plus,JDBC
• SupportsusingdifferentpasswordcredenCalsfordifferentdatabases
SecureExternalPasswordStore
OracleWallet
27
![Page 28: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/28.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
FiveAreastoConsider
SensiCveData
LeastPrivilege
BasicAccessControl
ApplicaCon-SpecificProtecCon
AudiCng
1
2
3
4
5
28
![Page 29: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/29.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
• SupportApplicaConUsersandSessions– Schema-lessuser,SecurityandapplicaConcontextinDB
• SupportApplicaConPrivilegesandRoles– E.g.,ViewSalary,RequestLeave,ApproveLeaveprivileges– E.g.,Manager,HR_Rep,Approverroles
• Supportfine-graineddataaccesscontrolonrowsandcolumns– BasedonuseroperaConexecuConcontext– Enforcesecurityclosetodata
OracleRealApplicaConSecurity(RAS)
29
![Page 30: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/30.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
ApplicaCons
AuthorizaConServiceInterface
RASSessions
ConnecConPoolSessions
RASArchitecture
Auth
JDBC
Webusers
APEXapps
SQL*Plus
IdenCtyManager
DBSessions
RASSessions
DataSecurityPolicy
30
![Page 31: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/31.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
Example:AccessControlRequirements• EmployeescanviewpublicinformaCon• Anemployeecanviewownrecord,updatecontactinformaCon• Managercanviewsalaryofhis/herreports
31
Name Manager SSN Salary PhoneNumber
Adam Steven 515.123.4567
Neena Steven 515.123.4568
Nancy Neena 515.124.4569
Luis Nancy 515.124.4567
John Nancy 515.124.4269
Daniel Nancy 515.124.4469
Nancy Neena 108-51-4569 12030 650.111.3300 6900
8200
9000
![Page 32: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/32.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
RealApplicaConSecurityConcepts
• AgroupofrowsrepresenCngabusinessobject– Allemployees– Myownemployeerecord– AllemployeesreporCngtome
• Assignprivilegestocolumns– viewSSNforSSNcolumn– viewSalaryforSalarycolumn
DataRealms
EMPLOYEEtable
Myown
Myreports
viewSSN viewSalary
Allrecords
32
![Page 33: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/33.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
AccessControlList(ACL)
-GrantselecttoManager
-GrantviewSalarytoManager ApplicaIonPrivilege
-select,viewSalary
ApplicaIonPrivilege
-select,viewSalary
ApplicaIonRole
-Manager
ApplicaIonRole
-Manager DataRealm
- Employees under my report
DataRealm
- Employees under my report
RealApplicaConSecurityDataSecurityPolicyComponents
AccessControlList(ACL)
-GrantselecttoManager
-GrantviewSalarytoManager
DataRealm
- Employees under my report
§ EachDataRealmhasanassociatedACLwithgrants§ DataSecuritypolicyisacollecConofDataRealmsandACLs
ApplicaIonRole
-Manager
ApplicaIonPrivilege
-select,viewSalary
33
![Page 34: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/34.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
ManagerRASAPEXHRApplicaCon
Canviewsalariesofmyreports
34
![Page 35: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/35.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
OracleRealApplicaConSecurityUniformAuthorizaIononAllAccessPaths
DirectconnecttoDBwithSQLPLUS
Manager‘Nancy’
35
![Page 36: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/36.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
RASAdministraConTool
1.Allrecords2.Myrecord3.Myreports
EmployeesTable
RestrictedSalary&SSNColumns
PrivilegeGrants
36
![Page 37: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/37.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
DataSecurityPaDerns
• VPcanviewemployeesalariesofhisorganizaConSessionaDributebased
• AnEmployeerecordanditsJobHistorylineitemsareprotectedasasinglelogicalrecordMaster/Detail
• Managersineachregion,e.g.,EastandWest,accessemployeerecords,stripedbasedonregionParameterizedGrant
• HRrepresentaCvecanchangejobdesignaCon,iftheemployeeisassignedtohimCondiConallyrelated
• AcontractworkerneedstemporaryaccesstocertainemployeerecordsExcepCons
37
![Page 38: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/38.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
FiveAreastoConsider
SensiCveData
LeastPrivilege
BasicAccessControl
ApplicaCon-SpecificProtecCon
AudiCng
1
2
3
4
5
38
![Page 39: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/39.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
WhatActuallyHappened?AudiIngtheApplicaIonfromtheDatabase
• Monitorprivilegeduseraccountsfornon-compliantacCvity– Auditnon-applicaConaccesstosensiCvedata(creditcard,financialdata,personallyidenCfiableinformaCon,etc.)
• VerifythatnooneistryingtobypasstheapplicaConcontrols/security• AuditapplicaConacCvityselecCvely
– PerhapsauditchangestothemostsensiCvedataevenfromwithintheapplicaCon
39
![Page 40: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/40.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
CatchAnomalieswithCondiIonalAudiIngOracleDatabaseAudiCng
PolicyBased
CondiConal
ExtensibleSyntax
UserExcepCons
UnifiedAuditSecure,Performant
Setofprivileges,objects,acConsaudiCngmanagedasagroup
MulC-factoraudiCngtoeasilycatchanomalies
Auditallaccessexceptwhenconnectedby….
Addcontextdata:realms,labels,appcontext,etc.
40
![Page 41: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/41.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
AuditPolicyExample
• CREATEAUDITPOLICYhr_app_policyACTIONSALLONHR.EMPLOYEESWHEN'UPPER(SYS_CONTEXT(''USERENV'',''MODULE''))!=''HR_APP'')'EVALUATEPERSESSION;
• AUDITPOLICYhr_app_policyEXCEPThr;
AuditAccessesthatBypassApplicaIonCode
41
![Page 42: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/42.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
Bringingitalltogether…
42
![Page 43: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/43.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
Summary• Thinksecurityfromthebeginning• IdenCfyandcatalogsensiCvedata• MinimizeprivilegebasedonuserandacCon• UseDatabaseSecuritytocontrolaccesstodata
– Consistentenforcement– Easytoextendandadapt– Closetodataandnotbypassable
• AuditchangestoapplicaConanddata
43
![Page 44: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/44.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.
VisitUsintheOracleDatabaseSecurityDemoGroundsDemoBoothTitle FeaturedSoluIons
AuthenIcaIon&AuthorizaIon CentrallyManagedUsers,DatabaseVault,RealApplicaIonSecurity,LabelSecurity
EncrypIon&KeyManagement TransparentDataEncrypIon,KeyVault,DataRedacIon
AudiIngandAcIvityMonitoring DatabaseAudiIng,AuditVaultandDatabaseFirewall,DataSecurityCloudService-AudiIng
DatabaseSecurityforApplicaIonDevelopers DatabaseSecurityAssessmentTool,DataMaskingandSubse]ng,DataDiscoveryandDataSecurityCloudService-Masking
44
![Page 45: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/45.jpg)
Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved. 45
![Page 46: Building Secure Database Applicaons - RainFocus...Copyright © 2017, Oracle and/or its affiliates. All rights reserved. Access Control List (ACL) -Grant select to Manager -Grant viewSalary](https://reader033.vdocuments.mx/reader033/viewer/2022041800/5e50c0d77e3c414020099e66/html5/thumbnails/46.jpg)