building secure database applicaons - rainfocus...copyright © 2017, oracle and/or its aﬃliates....

Copyright©2017,Oracleand/oritsaffiliates.Allrightsreserved.

BuildingSecureDatabaseApplicaCons

ScoDRotondoOracleDatabaseSecurityOctober4,2017


SafeHarborStatementThefollowingisintendedtooutlineourgeneralproductdirecCon.ItisintendedforinformaConpurposesonly,andmaynotbeincorporatedintoanycontract.Itisnotacommitmenttodeliveranymaterial,code,orfuncConality,andshouldnotberelieduponinmakingpurchasingdecisions.Thedevelopment,release,andCmingofanyfeaturesorfuncConalitydescribedforOracle’sproductsremainsatthesolediscreConofOracle.

3


CryptoToolkitforApplicaCons

RowLevelSecurityKeyManagement

DataEncrypCon

EVALUATE PREVENT DETECT DATADRIVENSECURITY

SecurityConfiguraCon

SensiCveDataDiscovery

PrivilegeAnalysis

DBA&OperaConControls

DatabaseAudiCng

Database/SQLFirewall

RealApplicaConSecurity

LabelbasedSecurity

CentralizedMonitoring

SecurityAssessment AlerCng&ReporCng

DataRedacCon

DataMaskingandSubseZng

Defense-in-DepthSecurityforDatabases

4


TypicalApplicaConArchitectureLDAP

User

ApplicaConServers

5


ProblemswithTypicalImplementaCons• Alldataistreatedthesame

– RegardlessofsensiCvityorimportance

• ApplicaConalwaysrunswithalltheprivilegesitwilleverneed– Independentofend-useroroperaConbeingperformed

• DatabasesecurityprotecConsdon’tmatchtheapplicaCon– Needricher,applicaCon-specificpolicies

•  InsufficientaudiCng– TomonitorapplicaConusersandthosewhobypassit

6


FiveAreastoConsider

SensiCveData

LeastPrivilege

BasicAccessControl

ApplicaCon-SpecificProtecCon

AudiCng

1

2

3

4

5

7


FiveAreastoConsider

SensiCveData

LeastPrivilege

BasicAccessControl


AudiCng

1

2

3

4

5

8


DealingwithSensiCveData•  ExamplesofsensiCvedata

– PersonallyidenCfiableinformaCon(e.g.name,phone,naConalid)– Privaterecords(e.g.medical,academic)– High-valueinformaCon(e.g.corporatefinancials,intellectualproperty)

• Keyissues– DiscoveringwhichinformaConinthedatabaseissensiCve– ExposingsensiCvedataonlyincontrolledways

9


DiscoveringSensiCveData

•  IdenCfyandcatalogsensiCvedata– EnterpriseManager– DBSecurityAssessmentTool(DBSAT)

•  ApplicaConDataModeldescribessensiCvetypesandrelaConships

10


Real-CmeredacConofsensiCvedatabasedoncontext

TransparenttoapplicaCons.Nocodechangesrequired

Consistentenforcementwithinthedatabase

NochangesinregulardatabaseoperaCons

OracleDataRedacCon

CallCenter

CreditCardProcessing

CreditCardNumbers4451-2172-9841-43685106-8395-2095-59387830-0032-0294-1827

4451-2172-9841-4368

xxxx-xxxx-xxxx-4368

11


052-51-2147 XXX-XX-2147

SupportedTransformaConsStoredData RedactedResults

10/09/1992

[email protected] [hidden]@acme.com

4451-2172-9841-4368 4943-6344-0547-0110

Full

ParIal

RegExp

Random

01/01/2001

12


FiveAreastoConsider

SensiCveData

LeastPrivilege

BasicAccessControl


AudiCng

1

2

3

4

5

13


PrincipleofLeastPrivilege• RuneachprogramwiththeminimumprivilegesneededtoperformitsintendedfuncCon

•  Limitspossibledamageif– Theprogramcontainsabug– AvulnerabilityisexploitedbyanaDacker

•  Soundsobvious,butthisprincipleisviolatedalltheCme

14


ReviewofDatabasePrivilegesandRoles•  TheOracledatabasesupportstwotypesofprivilege• ObjectprivilegesallowanoperaCononaspecificobject

– grantSELECTonHR.EMPLOYEEStoSCOTT

•  Systemprivilegesapplytoanyobjectortothedatabaseasawhole– grantDROPANYTABLEtoSCOTT– grantALTERDATABASEtoSCOTT

• Canassignprivilegesdirectlytousersorindirectlyviaroles• PL/SQLcodecanuseeitherowner’sorcaller’sprivileges

– Definer’svs.invoker’srights

15


SchemaSeparaCon•  Less powerful runtime account

– No system privileges or DDL

•  Sensitive tables protected from runtime user –  VPD, Label Security, RAS

•  PL/SQL packages called by RUNTIME –  Invoker’s rights

•  Administrative packages run with HR privileges – Definer’s rights

User

HR Admin

App Server

RUNTIME

HR

DBA

Update Employee

Query Employee

Proxy

EMP Table

16


Code-BasedAccessControl•  StarCngwithOracle12c,awaytoassociateprivilegeswithcodeinsteadofusers

• GrantrolestoaPL/SQLprocedureorfuncCon– PrivilegesareacCveonlywhileexecuCngthisblockofcode

•  Similarineffecttodefiner’srights,except– NormalDRprocedureusesonlyprivilegesdirectlygrantedtoowner,notroles– Differentprocedureswiththesameownercanhavedifferentroles– Workswithbothdefiner’sandinvoker’srightsprocedures

17


WhichPrivilegesDoINeed?• Wewanttograntspecificprivilegestoeachuserorschema• Buthowdoweknowwhichprivilegestogrant?•  Startwithanalysisoftheprogram,but…

– Wanttoconfirmthatanalysisempirically– WhataboutexisCngprograms?

18


DatabaseVaultPrivilegeAnalysis• CaptureandreportondatabaseprivilegeusageatrunCme

– Forusers,sessions,androles(incl.PUBLIC)– ShowusedSystem,Object,andPublicprivileges– Showhowtheusergottheprivilege

•  Showunusedsystemandobjectprivileges• Administratorcanmodifyprivilegegrantsbasedonresults

19


UnusedPrivilegesReport

20


UsedPrivilegesReport

21


FiveAreastoConsider

SensiCveData

LeastPrivilege

BasicAccessControl


AudiCng

1

2

3

4

5

22


VirtualPrivateDatabase

•  Restrictaccesstosubsetofdata–  Rowfiltering–  Columnmasking

•  Customizablepolicies–  ApplicaConcontextvalue–  Currentsystemstate–  Currentandforeigntables

DatabaseEnforcedRowLevelSecurity

VPDPolicySelect*fromOrders

WhereRegion='EU'

WhereRegion='US'

Select*fromOrders

ORDERSSalesRep

USRegion

EURegion

23


OracleLabelSecurity

•  ClassifydatabasedonapplicaCon•  Level,Compartment,Group

•  AuthorizaConstoapplicaConordatabaseusers

•  AuthorizaConscanbemanagedindirectory

LabelBasedAccessControl

OracleLabelSecurityPolicySelect*fromOrders

Select*fromOrders

ORDERS LabelSalesRep

USRegion

EURegion

CA

CA

USEU

EU

EUUS

24


WhoIsTryingtoAccessData?

•  EnduseridenCtymustbeknowntothedatabase– Databasecanmanageusersforclient-serverapplicaCons– Three-CerapplicaConmustpropagateuseridenCtytodatabase

• AllowsdatabasetoenforceaccesscontrolbasedonuseridenCty• AllowsaudiCngtotrackwhoactuallyperformedtheoperaCon

AccessControlRequiresAuthenIcaIon

25


ApplicaConContext

•  InformaConaboutcurrentsession• MostpredefinedaDributescannotbemodified

USERENVFixedADributes

• SetbyDBMS_APPLICATION_INFO,JDBC,OCI• Recordedinaudittrail

USERENVModifiableADributes

• Key-valuepairssetbydesignatedPL/SQLpackage• EachapplicaConhasitsownnamespace

ApplicaConNamespace

26


AuthenCcaCngtheApplicaCon

•  Securedatabase-externallocaContostoreapplicaConanduserpasswords– LeveragestheOracleWallet– Passwordsneverintheclearonfilesystem– AccessiblefromOCI,SQL*Plus,JDBC

•  SupportsusingdifferentpasswordcredenCalsfordifferentdatabases

SecureExternalPasswordStore

OracleWallet

27


FiveAreastoConsider

SensiCveData

LeastPrivilege

BasicAccessControl


AudiCng

1

2

3

4

5

28


•  SupportApplicaConUsersandSessions– Schema-lessuser,SecurityandapplicaConcontextinDB

•  SupportApplicaConPrivilegesandRoles– E.g.,ViewSalary,RequestLeave,ApproveLeaveprivileges– E.g.,Manager,HR_Rep,Approverroles

•  Supportfine-graineddataaccesscontrolonrowsandcolumns– BasedonuseroperaConexecuConcontext– Enforcesecurityclosetodata

OracleRealApplicaConSecurity(RAS)

29


ApplicaCons

AuthorizaConServiceInterface

RASSessions

ConnecConPoolSessions

RASArchitecture

Auth

JDBC

Webusers

APEXapps

SQL*Plus

IdenCtyManager

DBSessions

RASSessions

DataSecurityPolicy

30


Example:AccessControlRequirements•  EmployeescanviewpublicinformaCon• Anemployeecanviewownrecord,updatecontactinformaCon• Managercanviewsalaryofhis/herreports

31

Name Manager SSN Salary PhoneNumber

Adam Steven 515.123.4567

Neena Steven 515.123.4568

Nancy Neena 515.124.4569

Luis Nancy 515.124.4567

John Nancy 515.124.4269

Daniel Nancy 515.124.4469

Nancy Neena 108-51-4569 12030 650.111.3300 6900

8200

9000


RealApplicaConSecurityConcepts

• AgroupofrowsrepresenCngabusinessobject– Allemployees– Myownemployeerecord– AllemployeesreporCngtome

• Assignprivilegestocolumns– viewSSNforSSNcolumn– viewSalaryforSalarycolumn

DataRealms

EMPLOYEEtable

Myown

Myreports

viewSSN viewSalary

Allrecords

32


AccessControlList(ACL)

-GrantselecttoManager

-GrantviewSalarytoManager ApplicaIonPrivilege

-select,viewSalary

ApplicaIonPrivilege

-select,viewSalary

ApplicaIonRole

-Manager

ApplicaIonRole

-Manager DataRealm

- Employees under my report

DataRealm


RealApplicaConSecurityDataSecurityPolicyComponents

AccessControlList(ACL)

-GrantselecttoManager

-GrantviewSalarytoManager

DataRealm


§ EachDataRealmhasanassociatedACLwithgrants§ DataSecuritypolicyisacollecConofDataRealmsandACLs

ApplicaIonRole

-Manager

ApplicaIonPrivilege

-select,viewSalary

33


ManagerRASAPEXHRApplicaCon

Canviewsalariesofmyreports

34


OracleRealApplicaConSecurityUniformAuthorizaIononAllAccessPaths

DirectconnecttoDBwithSQLPLUS

Manager‘Nancy’

35


RASAdministraConTool

1.Allrecords2.Myrecord3.Myreports

EmployeesTable

RestrictedSalary&SSNColumns

PrivilegeGrants

36


DataSecurityPaDerns

• VPcanviewemployeesalariesofhisorganizaConSessionaDributebased

• AnEmployeerecordanditsJobHistorylineitemsareprotectedasasinglelogicalrecordMaster/Detail

• Managersineachregion,e.g.,EastandWest,accessemployeerecords,stripedbasedonregionParameterizedGrant

• HRrepresentaCvecanchangejobdesignaCon,iftheemployeeisassignedtohimCondiConallyrelated

• AcontractworkerneedstemporaryaccesstocertainemployeerecordsExcepCons

37


FiveAreastoConsider

SensiCveData

LeastPrivilege

BasicAccessControl


AudiCng

1

2

3

4

5

38


WhatActuallyHappened?AudiIngtheApplicaIonfromtheDatabase

• Monitorprivilegeduseraccountsfornon-compliantacCvity– Auditnon-applicaConaccesstosensiCvedata(creditcard,financialdata,personallyidenCfiableinformaCon,etc.)

• VerifythatnooneistryingtobypasstheapplicaConcontrols/security• AuditapplicaConacCvityselecCvely

– PerhapsauditchangestothemostsensiCvedataevenfromwithintheapplicaCon

39


CatchAnomalieswithCondiIonalAudiIngOracleDatabaseAudiCng

PolicyBased

CondiConal

ExtensibleSyntax

UserExcepCons

UnifiedAuditSecure,Performant

Setofprivileges,objects,acConsaudiCngmanagedasagroup

MulC-factoraudiCngtoeasilycatchanomalies

Auditallaccessexceptwhenconnectedby….

Addcontextdata:realms,labels,appcontext,etc.

40


AuditPolicyExample

• CREATEAUDITPOLICYhr_app_policyACTIONSALLONHR.EMPLOYEESWHEN'UPPER(SYS_CONTEXT(''USERENV'',''MODULE''))!=''HR_APP'')'EVALUATEPERSESSION;

• AUDITPOLICYhr_app_policyEXCEPThr;

AuditAccessesthatBypassApplicaIonCode

41


Summary•  Thinksecurityfromthebeginning•  IdenCfyandcatalogsensiCvedata• MinimizeprivilegebasedonuserandacCon• UseDatabaseSecuritytocontrolaccesstodata

– Consistentenforcement– Easytoextendandadapt– Closetodataandnotbypassable

• AuditchangestoapplicaConanddata

43


VisitUsintheOracleDatabaseSecurityDemoGroundsDemoBoothTitle FeaturedSoluIons

AuthenIcaIon&AuthorizaIon CentrallyManagedUsers,DatabaseVault,RealApplicaIonSecurity,LabelSecurity

EncrypIon&KeyManagement TransparentDataEncrypIon,KeyVault,DataRedacIon

AudiIngandAcIvityMonitoring DatabaseAudiIng,AuditVaultandDatabaseFirewall,DataSecurityCloudService-AudiIng

DatabaseSecurityforApplicaIonDevelopers DatabaseSecurityAssessmentTool,DataMaskingandSubse]ng,DataDiscoveryandDataSecurityCloudService-Masking

44

building secure database applicaons - rainfocus...copyright © 2017, oracle and/or its aﬃliates....

Documents