
Oracle Database 10g Release 2

Defense-In-Depth Security
An Oracle White Paper
August 2005
Oracle Database 10g Release 2 Security
Defense-In-Depth Security

INTRODUCTION
Information theft is big business in the 21st century. The battle between those who work to protect data and those who wish to steal it is intensifying, and the stakes have never been higher. Over the past ten years numerous regulations have emerged which attempt to address internal controls and the protection of personally identifiable information (PII). Examples of such regulations in the United States include Sarbanes-Oxley, HIPAA and California SB 1386, and in Europe the EU Directive on Privacy and Electronic Communications. Organizations today realize the internal threat can be just as great or greater than the external threat. Worse yet, gaining access to a cache of personal data such as social security numbers is like breaking into Fort Knox for an identity thief. Recent crimes have targeted organizations whose business model is to collect and maintain personal information. Preventing and detecting unauthorized usage of data requires far more security than just good authentication and authorization management. To the extent possible, administration and maintenance must be delegated, and behavior outside an area of responsibility must be monitored. However, the problem of abuse within a role or responsibility can be challenging to detect and prevent as well. While there is no easy answer, applications can be built based upon industry standard security principles such as defense-in-depth, least privilege and trust but verify.

DEFENSE-IN-DEPTH
Over the past 25 plus years Oracle has built powerful security solutions into the Oracle database, enabling customers to deploy a defense-in-depth strategy and enforce the principle of least privilege. There is no single security solution that will provide absolute protection. Security must be part of the planning process from day one of the application development process. Security must be taken into consideration from the web client to the middle tier to the backend database. In addition, it's important to remember that threats to data security from within should be taken just as seriously as those coming from the outside.

Oracle Database 10g Release 2 Defense-In-Depth Security Page 2


Twelve Security Questions When Designing an Application
Too often the application development process skips over the phases of strategy and analysis and goes straight to the design phase. However, the strategy and analysis phases are critical to the overall security of an application. Security has to be part of the design process from the start and not bolted on at the end. While not comprehensive, here are twelve questions that should be asked during the application development process. Most of these questions should be answered during the strategy, analysis and design phases before any application development work takes place.
1. Can we audit the activities of the real user?
2. How do we efficiently provision and de-provision user accounts?
3. If necessary, how will we store and protect authentication credentials for
batch jobs?
4. What is our plan for tracking backup media and protecting sensitive data
shipped to our secure storage site?
5. What audit requirements do we have for regulatory compliance?
6. Do we have especially sensitive information that requires targeted
auditing?
7. Have we recorded what tables and columns within the application contain
sensitive information such as credit card numbers and PINs?
8. Have we designated DBA accounts other than the Oracle SYS and
SYSTEM accounts?
9. Do we plan to use stronger forms of authentication such as PKI or
Kerberos?
10. Do we have context-based security access control requirements such as
not allowing access in off hours or on weekends?
11. What if a user connects to the database and bypasses the application, how
do we enforce security?
12. Is the network protected?
The security features built into Oracle Database 10g Release 2 deliver the capability
to create and deploy secure applications with a defense-in-depth approach. Robust
privilege management, row level security, transparent data encryption, network
encryption, enterprise user security, integration with identity management, fine-
grained auditing, data classification, proxy authentication, strong
authentication/PKI, secure application roles and Virtual Private Database are just a
few of the technologies available with Oracle Database 10g Release 2 enabling
applications to be built and deployed securely. These technologies in sum form the
basis of Oracle's approach to security.



THE PRINCIPLE OF LEAST PRIVILEGE
The principle of least privilege has long been neglected due to software delivery and development schedules. Enforcing least privilege can complicate things like application installation and testing methodologies as well as application patching. However, the security benefits of enforcing a least privilege principle during application development will pay off in the long run.

Oracle DBA Accounts


By default, the Oracle database provides two database administration accounts with each installation. The first is an account called SYS. The SYS account holds the Oracle data dictionary, containing metadata about the tables, views, stored procedures, triggers, privileges and roles that comprise applications running in the Oracle database. The second account is called SYSTEM. The SYSTEM account can be considered the default DBA account. Historically these two accounts have been heavily relied upon for application development and database administration. The problem with this approach is that these two accounts are highly privileged, and if two or more administrators share the SYSTEM password then it's impossible to track which administrator did what and when.

Oracle Database Roles


Oracle7 introduced robust support for database roles in the early 1990's. Database roles, combined with Oracle's robust object and system privileges, can be used to help enforce separation of duty within an application. While this may prove challenging for legacy applications, it should be a key consideration for new application development. For example, let's say your organization is building the new WIDGET application. As part of the initial application security design it is decided to have two administrative roles for the WIDGET application. The first role, called WIDGET_DBA, will maintain the application objects such as tables, views, triggers and so forth. The second role, called WIDGET_SECURITY_DBA, will manage any security-relevant objects or stored procedures associated with, say, Oracle Virtual Private Database (discussed later) and perhaps manage audit settings on the overall WIDGET application. Using this approach the actions of individual administrators can be more closely monitored.
Oracle9i introduced secure application roles. Secure application roles are standard database roles that have a policy specified during role definition. In order to activate the role, a user must execute the associated policy. For example, a role called WIDGET_USER might have a policy associated with it called WIDGET_USER_POLICY. The policy, written in Oracle PL/SQL, might check the IP address of the user session and then execute an Oracle SET ROLE command invoking the role for the user.
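The following is an added example, not code from the white paper, that puts the preceding three passages into Oracle SQL and PL/SQL: individual administrator accounts in place of a shared SYSTEM password, the WIDGET_DBA / WIDGET_SECURITY_DBA split, and the WIDGET_USER secure application role whose policy checks the session's IP address. The WIDGET schema, the ORDERS table, every user name, password placeholder and the 10.1.20.0/24 address block are constructed for illustration.

```sql
-- Added example (not from the white paper). Run as a user with DBA
-- privileges; the WIDGET schema and WIDGET.ORDERS table are assumed to exist.

-- 1. Individual administrator accounts instead of a shared SYSTEM password,
--    so the audit trail names a person rather than "SYSTEM".
CREATE USER alice_dba  IDENTIFIED BY "Placeholder_Pw_1";
CREATE USER bob_secdba IDENTIFIED BY "Placeholder_Pw_2";
GRANT CREATE SESSION TO alice_dba, bob_secdba;

-- 2. Separation of duty: object maintenance versus security administration.
CREATE ROLE widget_dba;
CREATE ROLE widget_security_dba;

-- WIDGET_DBA maintains application objects only (object privileges shown
-- for one table; no ANY privileges, so it cannot reach other schemas).
GRANT SELECT, INSERT, UPDATE, DELETE, ALTER, INDEX ON widget.orders TO widget_dba;

-- WIDGET_SECURITY_DBA manages VPD policies and audit settings, nothing else.
GRANT EXECUTE ON dbms_rls TO widget_security_dba;
GRANT EXECUTE ON dbms_fga TO widget_security_dba;
GRANT AUDIT ANY TO widget_security_dba;

GRANT widget_dba          TO alice_dba;
GRANT widget_security_dba TO bob_secdba;

-- 3. Secure application role: WIDGET_USER can only be enabled from inside
--    the package WIDGET.WIDGET_USER_POLICY, never with a plain SET ROLE.
CREATE ROLE widget_user IDENTIFIED USING widget.widget_user_policy;
GRANT SELECT ON widget.orders TO widget_user;

-- Invoker's rights (AUTHID CURRENT_USER) so that DBMS_SESSION.SET_ROLE
-- acts on the calling user's session.
CREATE OR REPLACE PACKAGE widget.widget_user_policy AUTHID CURRENT_USER AS
  PROCEDURE enable_role;
END widget_user_policy;
/
CREATE OR REPLACE PACKAGE BODY widget.widget_user_policy AS
  PROCEDURE enable_role IS
    -- NULL for local (bequeath) connections, which are therefore refused.
    v_ip VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  BEGIN
    -- Constructed address block: only sessions from the application servers.
    IF v_ip LIKE '10.1.20.%' THEN
      DBMS_SESSION.SET_ROLE('WIDGET_USER');
    ELSE
      RAISE_APPLICATION_ERROR(-20001,
        'WIDGET_USER is not available from ' || NVL(v_ip, 'a local connection'));
    END IF;
  END enable_role;
END widget_user_policy;
/

-- An application user holds the role but not as a default role, so nothing
-- is enabled at login; the application calls the package instead.
CREATE USER carol IDENTIFIED BY "Placeholder_Pw_3";
GRANT CREATE SESSION TO carol;
GRANT widget_user TO carol;
ALTER USER carol DEFAULT ROLE ALL EXCEPT widget_user;
GRANT EXECUTE ON widget.widget_user_policy TO carol;
-- As carol:  EXEC widget.widget_user_policy.enable_role;
--            SELECT COUNT(*) FROM widget.orders;
```

Two points worth knowing when adapting this: DBMS_SESSION.SET_ROLE replaces the session's whole set of enabled roles, so a production package lists every role the session should keep; and a secure application role should not be one of the user's default roles, otherwise it is enabled at login without the policy ever running.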



Enterprise User Security
Oracle enterprise user security provides the ability to manage database users and associated authorizations within Oracle Identity Management. Oracle Identity Management provides the ability to centrally manage database users' accounts and authorizations within a central enterprise-wide LDAP v3 compliant directory. This technology has progressed since its first introduction in Oracle8i. The setup and administration has been simplified, and the desire to reduce the cost of provisioning users within the enterprise has placed enterprise user security on the strategic roadmap for many organizations. Oracle Identity Management now delivers web access/single sign-on, identity administration, user provisioning, federated identity management, and Web services access control across heterogeneous environments.

Proxy Authentication
Oracle proxy authentication was introduced in Oracle8i to address the "one big user" problem in n-tier application models. Traditionally n-tier applications have authenticated end users to the middle tier and then connected to the backend database as one big user. The problem with this approach is that accountability is lost at the middle tier. Proxy authentication enables a middle tier or client application to authenticate and then proxy to another account within the database without re-authenticating.
Oracle Database 10g Release 2 provides significant enhancements to the Oracle proxy capability by integrating proxy technology with command line tools such as SQL*Plus and integrating proxy authorization with Oracle enterprise user security. Using the WIDGET application as an example, application DBAs could be managed within Oracle Identity Management and given the authorization to proxy to an account within the database that has been assigned the WIDGET_DBA role, while still authenticating with their own credentials to the Oracle database.
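As an added example (not from the white paper), the statements below set up the WIDGET_DBA proxy arrangement just described for both a locally authenticated administrator and an enterprise user, and show how the real user remains visible for auditing (question 1 of the twelve). The WIDGET_DBA role is assumed to exist; the users, passwords, directory DN and service name are constructed.

```sql
-- Added example (not from the white paper). Run as a DBA.

-- Target schema that carries the application privileges. Nobody connects to
-- it directly, so its own password is never handed out.
CREATE USER widget_admin IDENTIFIED BY "Placeholder_Unused_Pw";
GRANT CREATE SESSION TO widget_admin;
GRANT widget_dba TO widget_admin;

-- Locally authenticated administrator who may proxy into WIDGET_ADMIN,
-- limited to the WIDGET_DBA role while doing so.
CREATE USER alice IDENTIFIED BY "Placeholder_Pw_1";
GRANT CREATE SESSION TO alice;
ALTER USER widget_admin GRANT CONNECT THROUGH alice WITH ROLE widget_dba;

-- Enterprise user: authenticated against Oracle Internet Directory and mapped
-- to this database user by the DN (constructed value).
CREATE USER bob IDENTIFIED GLOBALLY AS 'cn=bob,ou=staff,o=example,c=us';
GRANT CREATE SESSION TO bob;
-- 10g Release 2: let the proxy permission itself be managed in the directory
-- for enterprise users, instead of per database user.
ALTER USER widget_admin GRANT CONNECT THROUGH ENTERPRISE USERS;

-- In SQL*Plus (10g Release 2 syntax) alice types her own password and the
-- session runs as WIDGET_ADMIN:
--   SQL> CONNECT alice[widget_admin]/Placeholder_Pw_1@widgetdb

-- Inside that session both identities are available, so triggers, VPD
-- policies and audit records can name the real person:
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS acting_as,  -- WIDGET_ADMIN
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS real_user   -- ALICE
  FROM dual;

-- Standard auditing can target exactly the proxied activity:
AUDIT SELECT TABLE, UPDATE TABLE BY alice ON BEHALF OF widget_admin;
```

The practical effect is that WIDGET_ADMIN's password can be long, random and unknown to the administrators; revoking one person's access is a single ALTER USER ... REVOKE CONNECT THROUGH (or a directory change for enterprise users) rather than a password rotation that every other administrator has to learn.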

Row Level Security


A significant part of enforcing least privilege means making sure only those functional job roles with a requirement to see data can access the data. When developing a new application it can be useful to create a matrix on paper of job roles against application tables. This can help determine exactly what object privileges specific users need. The need to enforce access control beyond the object level, say down to a specific row within a table, can be achieved using technologies such as Oracle Virtual Private Database (VPD) and Oracle Label Security. These are extremely powerful technologies which can be used for enforcing row level security and/or context based access control. For example, using Oracle VPD a policy could be attached to an application table which states that access is restricted on weekends or in off hours. Another example might be restricting access to tables based on the IP address of the current session. This could be used to help enforce access through a middle tier or specific application server. Oracle VPD works by dynamically modifying information requests within the Oracle database server based on an associated policy stored within the database. Oracle VPD addresses the application bypass problem by tightly binding security with the data, so that security is enforced regardless of whether the information request comes through the application or not.
Oracle Label Security provides the ability to define data classification/sensitivity labels within the Oracle database and associate the sensitivity labels with individual rows within an application table. Application users can then be assigned security clearances such as sensitive or confidential. Subsequent information requests compare the user's security clearance with the data classification label associated with the data.
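Here is an added example, not from the white paper, of a VPD policy implementing both restrictions mentioned above (no access on weekends or in off hours, and only from the application server's address) on a constructed WIDGET.ORDERS table. The schema, table, working hours and the 10.1.20.0/24 address block are assumptions.

```sql
-- Added example (not from the white paper). Run as the WIDGET_SECURITY_DBA
-- from the earlier example or any user with EXECUTE on DBMS_RLS.

-- A VPD policy function receives the schema and object name and returns a
-- WHERE-clause predicate that the server appends to every statement.
CREATE OR REPLACE FUNCTION widget.orders_access_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2) RETURN VARCHAR2
IS
  v_day  VARCHAR2(9);
  v_hour PLS_INTEGER;
  v_ip   VARCHAR2(64);
BEGIN
  -- Fixed English day names so the check is independent of session NLS settings.
  v_day  := TRIM(TO_CHAR(SYSDATE, 'DAY', 'NLS_DATE_LANGUAGE=ENGLISH'));
  v_hour := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
  v_ip   := SYS_CONTEXT('USERENV', 'IP_ADDRESS');

  -- Weekend, or outside 07:00-19:00 (constructed hours): hide every row.
  IF v_day IN ('SATURDAY', 'SUNDAY') OR v_hour < 7 OR v_hour >= 19 THEN
    RETURN '1=0';
  END IF;

  -- Not arriving from the middle tier (10.1.20.0/24 is constructed), including
  -- local connections where IP_ADDRESS is NULL: hide every row.
  IF v_ip IS NULL OR v_ip NOT LIKE '10.1.20.%' THEN
    RETURN '1=0';
  END IF;

  -- Otherwise the statement runs unchanged.
  RETURN '1=1';
END orders_access_policy;
/

-- Attach the policy. It is evaluated inside the server for SELECT and DML,
-- whether the statement comes from the application or from SQL*Plus.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'WIDGET',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_HOURS_AND_HOST',
    function_schema => 'WIDGET',
    policy_function => 'ORDERS_ACCESS_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE,                 -- rows written must also pass the predicate
    policy_type     => DBMS_RLS.DYNAMIC);    -- re-evaluated per statement, so the clock matters
END;
/

-- Outside the window, or from the wrong host, an application user sees:
--   SELECT COUNT(*) FROM widget.orders;   -- 0 rows, no error
```

Two caveats a reviewer would raise: SYS and any user holding the EXEMPT ACCESS POLICY system privilege bypass VPD entirely, so that privilege deserves the same scrutiny as DBA; and a policy that returns '1=0' fails quietly (zero rows), which is the intended behaviour for bypass attempts but means the application should not treat an empty result as "no data exists".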

Encryption
Over the past few years a great deal of attention has been given to encryption as a solution to the problem of identity theft and protection of personally identifiable information (PII). Encryption is an important tool in the arsenal to protect sensitive information. However, it's not a magic bullet and shouldn't be used in place of strong access controls and the principle of least privilege. Oracle provides robust enterprise-wide authorization management capabilities with Oracle Identity Management and strong enforcement within the Oracle database. Remember, just because it's encrypted doesn't mean access should be granted. When talking about encryption it's important to distinguish between network encryption and database encryption. Network encryption refers to the encryption of data traveling between computers. Database encryption refers to the encryption of information stored within the database and stored on disk. Oracle Database 10g Release 2 introduces a powerful new feature for database encryption called Transparent Data Encryption to protect sensitive information on backup media and disk drives.



Network Encryption
Oracle Advanced Security can protect all communications to and from the Oracle Database as well as all communications between databases. Businesses have a choice between using Oracle Advanced Security's native encryption/data integrity algorithms and SSL to protect data over the network. Some of the typical scenarios requiring network level encryption include:
• Database Server is behind a firewall and users access the server via client server applications
• Communication between the application server in a DMZ and the Database which is behind a second firewall must be encrypted
Native Encryption and Data Integrity algorithms in Oracle Advanced Security require no PKI deployment. With each subsequent release of the database, newer encryption algorithms are included as they gain industry approval. The latest addition is the Advanced Encryption Standard (AES). SSL based encryption is available for businesses that have elected to provide Public Key Infrastructure to their IT deployments.
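The sqlnet.ora fragment below is an added example, not from the white paper, of turning on native encryption and integrity checking for the DMZ-to-database scenario above with no PKI. The parameter names are Oracle's documented ones; the choice of REQUIRED on both ends and of AES and SHA1 is ours.

```ini
# Added example (not from the white paper).
# --- sqlnet.ora on the database server ---
# REQUIRED: refuse any connection whose client cannot negotiate encryption.
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, AES192, AES128)
# Integrity checking catches modification and replay of packets in transit.
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)

# --- sqlnet.ora on the application server in the DMZ ---
SQLNET.ENCRYPTION_CLIENT = REQUIRED
SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA1)
```

With REQUIRED on the server alone, a client left at the default (ACCEPTED) is still encrypted; setting REQUIRED on the client as well makes a misconfigured server fail loudly instead of silently falling back to clear text. A session can confirm what was negotiated by reading the NETWORK_SERVICE_BANNER column of V$SESSION_CONNECT_INFO for its own SID.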

Database Encryption
Perhaps the most important new feature in Oracle Database 10g Release 2 is the addition of Transparent Data Encryption (TDE) to the Oracle Advanced Security option. Oracle can now transparently encrypt data on the network and inside the database. TDE sets the standard for database encryption by tightly coupling encryption with the database to provide a highly transparent encryption solution to protect sensitive data written to disk or backup media. Social security numbers, credit card numbers and other personally identifiable information (PII) can be easily encrypted without breaking the existing application. Most encryption solutions require specific calls to encryption functions within the application code plus the creation of additional views inside the database. This is expensive and time consuming because it requires extensive understanding of an application as well as the ability to write and maintain software. Most organizations don't have the time or expertise to modify existing applications to make calls to encryption routines. In addition, the task of retrofitting an existing application with encryption is manual and error prone. With TDE existing applications and backup routines will continue to work, with the added assurance that sensitive data is encrypted on the backup tapes.
In addition, it's possible with TDE to have the database up and running for maintenance and disable access to sensitive data from a DBA. This can be done because the master key used to encrypt and decrypt information is stored outside the Oracle database in an object known as an Oracle Wallet. The Wallet contains the master key and must be opened before encrypted data can be accessed. The password for the Wallet can be separate from the system or DBA password. Therefore the regular DBA may be able to start up the database, but without the password protecting the Oracle Wallet the database will not be able to decrypt any information stored inside the database, and an error will be returned if the DBA attempts to access encrypted data. Once maintenance personnel depart the facility, the Wallet can be opened and the application will transparently see the data decrypted.
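As an added example (not from the white paper), the following 10g Release 2 statements encrypt the PII columns of a constructed WIDGET.CUSTOMERS table and walk through the maintenance scenario above, where the instance is up but the wallet is closed. The wallet directory and password are placeholders; the split of duties between security officer and DBA is the one the text describes.

```sql
-- Added example (not from the white paper).

-- Prerequisite in the server's sqlnet.ora (placeholder path), shown as a comment:
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = /etc/oracle/wallet)))

-- Security officer, once: create the wallet and the master key. Only the
-- security officer knows this password; it is not the SYS or SYSTEM password.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPw_Placeholder";

-- Application owner: encrypt just the sensitive columns. Other columns and
-- the application's SQL are untouched.
CREATE TABLE widget.customers (
  customer_id NUMBER PRIMARY KEY,
  name        VARCHAR2(100),
  ssn         VARCHAR2(11) ENCRYPT USING 'AES256' NO SALT,  -- NO SALT allows an index on SSN
  card_no     VARCHAR2(19) ENCRYPT USING 'AES256'
);
-- An existing application's column can be encrypted in place the same way:
-- ALTER TABLE widget.customers MODIFY (card_no ENCRYPT);

-- Maintenance window. After the DBA restarts the instance the wallet is
-- closed: ordinary objects work, but any access to an encrypted column fails
-- (ORA-28365: wallet is not open) until the security officer opens it.
--   SELECT ssn FROM widget.customers WHERE customer_id = 1;   -- ORA-28365
--   SELECT name FROM widget.customers WHERE customer_id = 1;  -- works
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WalletPw_Placeholder";

-- Inventory of what is protected, and current wallet state.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;
```

TDE protects the data file and its backups; it does not change who may read the column once the wallet is open, which is exactly the point made earlier that encryption is no substitute for access control. The same VPD and auditing controls still apply to the decrypted rows.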

TRUST BUT VERIFY


Intrusion prevention is an important part of the overall enterprise security architecture. However, the only bullet-proof intrusion prevention solution in the world today is to lock the computer away, don't connect a network and don't give anyone the key. Of course that's not a practical solution. The reality must be faced that someone will get in, and it probably will be either an employee, someone posing as a legitimate customer/business partner, or a hacker. Intrusion detection is an imperfect science, but it's safe to say that the easiest attack to catch will probably be the hacker because, like an enemy trying to invade across the border, IT Security is on guard and watching for this type of attack. The other types of attacks will typically be very subtle. Intrusion detection will require, among other things, auditing, and this boils down to the principle of trust but verify.
Since the passage of the United States Sarbanes-Oxley Act in 2002, auditing has become an important tool in the implementation of the internal controls necessary to comply with section 404 of the Sarbanes-Oxley Act. However, the benefit of auditing goes well beyond the original intentions of Sarbanes-Oxley. Auditing can be used to detect usage anomalies, which can tip off internal security personnel and lead to the early detection of illegal activity.
Oracle has provided robust audit capabilities since Oracle7 was introduced in the early 1990's, and auditing has never been more important than it is today. Oracle9i introduced a significant new audit feature called Fine Grained Auditing. Fine Grained Auditing allows audit policies to be associated with application tables, and the policy determines when to generate an audit record. For example, an audit record might be generated only when someone attempts to access information after midnight or attempts to access a specific bank account. Fine Grained Auditing can be used to reduce the amount of audit information generated and restrict auditing to especially sensitive information. Fine Grained Auditing was enhanced in Oracle Database 10g Release 1 to work with DML operations. Oracle Database 10g Release 2 auditing enhancements include the ability to write audit information outside the database to the operating system syslog.
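The block below is an added example, not from the white paper, of a Fine Grained Auditing policy that records exactly the two cases just mentioned (access after midnight, and access to one specific account) on a constructed WIDGET.ACCOUNTS table, followed by the 10g Release 2 setting that sends standard audit records to syslog. The table, its columns, the account number and the syslog facility are constructed values.

```sql
-- Added example (not from the white paper). Run as a user with EXECUTE on
-- DBMS_FGA (the WIDGET_SECURITY_DBA role from the earlier example).

-- Audit only rows for which the condition holds and only statements that
-- touch the BALANCE column; 10g applies FGA to DML as well as SELECT.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'WIDGET',
    object_name     => 'ACCOUNTS',
    policy_name     => 'ACCOUNTS_SENSITIVE_ACCESS',
    -- after midnight (00:00-05:59), or the one account under watch (constructed)
    audit_condition => 'TO_CHAR(SYSDATE, ''HH24'') < ''06'' OR ACCOUNT_NO = ''4000-0001''',
    audit_column    => 'BALANCE',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    audit_trail     => DBMS_FGA.DB_EXTENDED,   -- keep the SQL text and bind values
    enable          => TRUE);
END;
/

-- Review what the policy captured. DB_USER plus PROXY_SESSIONID let an
-- investigator tie a proxied session back to the real person.
SELECT timestamp, db_user, proxy_sessionid, object_name, sql_text, sql_bind
  FROM dba_fga_audit_trail
 WHERE policy_name = 'ACCOUNTS_SENSITIVE_ACCESS'
 ORDER BY timestamp;

-- 10g Release 2: route standard audit records to the OS syslog, where a DBA
-- with SQL access cannot alter or delete them. Takes effect after a restart.
ALTER SYSTEM SET audit_trail = OS SCOPE = SPFILE;
ALTER SYSTEM SET audit_syslog_level = 'LOCAL1.WARNING' SCOPE = SPFILE;
```

Note that AUDIT_SYSLOG_LEVEL applies to standard and mandatory auditing; the FGA records above remain in the database (the FGA_LOG$ table behind DBA_FGA_AUDIT_TRAIL) unless the policy's audit_trail parameter is set to write XML files instead. A narrow audit_condition like this one is what keeps the audit volume small enough that someone actually reads it.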



INFORMATION ASSURANCE
There is no equivalent of a TPC benchmark for security. There are, however, international standards, such as the International Common Criteria (CC) evaluation and FIPS. Oracle has completed 17 independent security evaluations over the past decade. The evaluation process lasts up to a full year, and sometimes longer, for an independent, licensed and accredited organization to complete. Oracle completed its first evaluation in 1994. Evaluators examine coding standards and development practices. Organizations that have undergone evaluations learn to improve upon their coding, testing and shipping processes as a result of undergoing the demanding process. No other database vendor can match Oracle's long term commitment to information assurance. Security evaluations are perhaps the most effective way to qualify a vendor's assertions about its security implementations. Assurance afforded by independent security evaluations is a significant part of Oracle's approach to security. Oracle Database 10g Release 1 is currently in evaluation under the International Common Criteria at EAL4.

CONCLUSION - DEFENSE-IN-DEPTH
Historically security has been focused on the perimeter and keeping the bad guys out. However, over the past few years the focus has shifted to the Intranet and internal security. While the vast majority of employees are trustworthy and strive to contribute to the overall success of an organization, one employee can wreak havoc on corporate strategy and image. In addition, there are individuals and companies who seek personal gain by exploiting the information they gain through seemingly legitimate partnerships or business relationships. Oracle Database 10g Release 2 raises database security technology to a new level. Oracle's decade-long commitment to independent security evaluations, coupled with Oracle's 25 plus years working with security conscious customers, has enabled Oracle to establish itself as the database security leader. Oracle Transparent Data Encryption makes the practical application of encryption within a database cost effective. Robust support for row level security, integrated identity management capabilities, fine-grained auditing, data classification/label security, proxy authentication, PKI support and Virtual Private Database are just a few of the technologies available with Oracle Database 10g Release 2. In addition, the capabilities in Oracle Database 10g Release 2 are ideally suited for meeting the privacy and compliance challenges in today's global economy. Oracle Database 10g Release 2 has robust identity management integration capabilities, providing huge cost savings by dramatically reducing the complexity of managing application users. Oracle is an ideal platform on which to build and deploy secure applications for today's complex, Internet-connected world.



Oracle Database 10g Release 2 Defense-In-Depth Security
August 2005
Author: Paul Needham
Contributing Authors:

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2005, Oracle. All rights reserved.


This document is provided for information purposes only and the
contents hereof are subject to change without notice.
This document is not warranted to be error-free, nor subject to any
other warranties or conditions, whether expressed orally or implied
in law, including implied warranties and conditions of merchantability
or fitness for a particular purpose. We specifically disclaim any
liability with respect to this document and no contractual obligations
are formed either directly or indirectly by this document. This document
may not be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without our prior written permission.
Oracle, JD Edwards, PeopleSoft, and Retek are registered trademarks of
Oracle Corporation and/or its affiliates. Other names may be trademarks
of their respective owners.
