Oracle Database 10g Release 2 Defense-In-Depth Security

An Oracle White Paper August 2005


INTRODUCTION


Information theft is big business in the 21st century. The battle between those who work to protect data and those who wish to steal it is intensifying, and the stakes have never been higher. Over the past ten years numerous regulations have emerged which attempt to address internal controls and the protection of personally identifiable information (PII). Examples include Sarbanes-Oxley, HIPAA and California SB 1386 in the United States, and the EU Directive on Privacy and Electronic Communications in Europe. Organizations today realize the internal threat can be just as great or greater than the external threat. Worse yet, gaining access to a cache of personal data such as social security numbers is like breaking into Fort Knox for an identity thief. Recent crimes have targeted organizations whose business model is to collect and maintain personal information. Preventing and detecting unauthorized usage of data requires far more security than just good authentication and authorization management. To the extent possible, administration and maintenance must be delegated, and behavior outside an area of responsibility must be monitored. However, abuse within a role or responsibility can be challenging to detect and prevent as well. While there is no easy answer, applications can be built on industry standard security principles such as defense-in-depth, least privilege and "trust but verify".
DEFENSE-IN-DEPTH


Over the past 25 plus years Oracle has built powerful security solutions into the Oracle database, enabling customers to deploy a defense-in-depth strategy and enforce the principle of least privilege. There is no single security solution that will provide absolute protection. Security must be part of the planning process from day one of the application development process, and must be taken into consideration from the web client to the middle tier to the backend database. In addition, it's important to remember that threats to data security from within should be taken just as seriously as those coming from the outside.


Twelve Security Questions When Designing an Application


Too often the application development process skips over the phases of strategy and analysis and goes straight to the design phase. However, the strategy and analysis phases are critical to the overall security of an application. Security has to be part of the design process from the start and not bolted on at the end. While not comprehensive, here are twelve questions that should be asked during the application development process. Most of these questions should be answered during the strategy, analysis and design phases, before any application development work takes place.

1. Can we audit the activities of the real user?
2. How do we efficiently provision and de-provision user accounts?
3. If necessary, how will we store and protect authentication credentials for batch jobs?
4. What is our plan for tracking backup media and protecting sensitive data shipped to our secure storage site?
5. What audit requirements do we have for regulatory compliance?
6. Do we have especially sensitive information that requires targeted auditing?
7. Have we recorded what tables and columns within the application contain sensitive information such as credit card numbers and PINs?
8. Have we designated DBA accounts other than the Oracle SYS and SYSTEM accounts?
9. Do we plan to use stronger forms of authentication such as PKI or Kerberos?
10. Do we have context-based access control requirements, such as not allowing access in off hours or on weekends?
11. If a user connects to the database and bypasses the application, how do we enforce security?
12. Is the network protected?

The security features built into Oracle Database 10g Release 2 deliver the capability to create and deploy secure applications with a defense-in-depth approach. Robust privilege management, row level security, transparent data encryption, network encryption, enterprise user security, integration with identity management, fine-grained auditing, data classification, proxy authentication, strong authentication/PKI, secure application roles and Virtual Private Database are just a few of the technologies available with Oracle Database 10g Release 2 enabling applications to be built and deployed securely. These technologies in sum form the basis of Oracle's approach to security.


THE PRINCIPLE OF LEAST PRIVILEGE

The principle of least privilege has long been neglected due to software delivery and development schedules. Enforcing least privilege can complicate things like application installation and testing methodologies as well as application patching. However, the security benefits of enforcing a least privilege principle during application development will pay off in the long run.
Oracle DBA Accounts

By default, the Oracle database provides two database administration accounts with each installation. The first is an account called SYS. The SYS account holds the Oracle data dictionary, containing metadata about the tables, views, stored procedures, triggers, privileges and roles that comprise the applications running in the Oracle database. The second account is called SYSTEM. The SYSTEM account can be considered the default DBA account. Historically these two accounts have been heavily relied upon for application development and database administration. The problem with this approach is that these two accounts are highly privileged, and if two or more administrators share the SYSTEM password then it's impossible to track which administrator did what and when.
Oracle Database Roles

Oracle7 introduced robust support for database roles in the early 1990s. Database roles, combined with Oracle's robust object and system privileges, can be used to help enforce separation of duty within an application. While this may prove challenging for legacy applications, it should be a key consideration for new application development. For example, let's say your organization is building the new WIDGET application. As part of the initial application security design it is decided to have two administrative roles for the WIDGET application. The first role, called WIDGET_DBA, will maintain the application objects such as tables, views, triggers and so forth. The second role, called WIDGET_SECURITY_DBA, will manage any security relevant objects or stored procedures associated with, say, Oracle Virtual Private Database (discussed later) and perhaps manage audit settings on the overall WIDGET application. Using this approach the actions of individual administrators can be more closely monitored.

Oracle9i introduced secure application roles. Secure application roles are standard database roles that have a policy specified during role definition. In order to activate the role, a user must execute the associated policy. For example, a role called WIDGET_USER might have a policy associated with it called WIDGET_USER_POLICY. The policy, written in Oracle PL/SQL, might check the IP address of the user session and then execute an Oracle SET ROLE command invoking the role for the user.
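The WIDGET_USER role and its WIDGET_USER_POLICY package as just described, written out as an added example (not code from the white paper). Assumed: the package is owned by a schema called WIDGET_SEC, the application tier connects from the 10.1.1.0/24 subnet, and JSMITH is an end-user account.

```sql
-- Added example, not from the paper. WIDGET_SEC, 10.1.1.0/24 and JSMITH are assumptions.

-- 1. A secure application role can only be enabled by the named package:
--    no password, and a plain SET ROLE from the session is rejected.
--    The package does not have to exist yet when the role is created.
CREATE ROLE widget_user IDENTIFIED USING widget_sec.widget_user_policy;

-- 2. The policy package. Invoker's rights (AUTHID CURRENT_USER) is required
--    so that DBMS_SESSION.SET_ROLE acts on the calling user's own session.
CREATE OR REPLACE PACKAGE widget_sec.widget_user_policy AUTHID CURRENT_USER AS
  PROCEDURE enable_role;
END widget_user_policy;
/
CREATE OR REPLACE PACKAGE BODY widget_sec.widget_user_policy AS
  PROCEDURE enable_role IS
    v_ip VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  BEGIN
    -- Local (bequeath) sessions report no IP address. Treat "unknown"
    -- as "not the application tier" instead of letting it through.
    IF v_ip IS NULL OR v_ip NOT LIKE '10.1.1.%' THEN
      RAISE_APPLICATION_ERROR(-20001,
        'WIDGET_USER may only be enabled from the application tier');
    END IF;
    DBMS_SESSION.SET_ROLE('widget_user');
  END enable_role;
END widget_user_policy;
/

-- 3. Grant the role and the right to run its policy. Keep the role out of the
--    default role set so it is never active at logon without the check.
GRANT widget_user TO jsmith;
GRANT EXECUTE ON widget_sec.widget_user_policy TO jsmith;
ALTER USER jsmith DEFAULT ROLE ALL EXCEPT widget_user;

-- 4. At run time the application, connected as JSMITH, enables the role.
--    From a session off the application subnet this raises ORA-20001 and
--    the role stays disabled.
EXEC widget_sec.widget_user_policy.enable_role;

-- Check what is active in the current session: WIDGET_USER appears only
-- when the policy check passed.
SELECT role FROM session_roles;
```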


Enterprise User Security


Oracle enterprise user security provides the ability to manage database users and associated authorizations within Oracle Identity Management. Oracle Identity Management provides the ability to centrally manage database users’ accounts and authorizations within a central enterprise-wide LDAP v3 compliant directory. This technology has progressed since its first introduction in Oracle8i. The setup and administration has been simplified and the desire to reduce the cost of provisioning users within the enterprise has placed enterprise user security on the strategic roadmap for many organizations. Oracle Identity Management now delivers web access/single sign on, identity administration, user provisioning, federated identity management, and Web services access control across heterogeneous environments.
Proxy Authentication


Oracle proxy authentication was introduced in Oracle8i to address the "one big user" problem in n-tier application models. Traditionally n-tier applications have authenticated end users to the middle tier and then connected to the backend database as one big user. The problem with this approach is that accountability is lost at the middle tier. Proxy authentication enables a middle tier or client application to authenticate and then proxy to another account within the database without re-authenticating. Oracle Database 10g Release 2 provides significant enhancements to the Oracle proxy capability by integrating proxy technology with command line tools such as SQL*Plus and integrating proxy authorization with Oracle enterprise user security. Returning to the WIDGET application, application DBAs could be managed within Oracle Identity Management and given the authorization to proxy to an account within the database that has been assigned the WIDGET_DBA role, while still authenticating with their own credentials to the Oracle database.
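The WIDGET_DBA and WIDGET_SECURITY_DBA roles from the roles section, combined with the proxy arrangement just described, as an added example that is not code from the white paper. Assumed: schema WIDGET owns the application tables CUSTOMERS and ORDERS, WIDGET_ADMIN is the proxy target account, and JSMITH is a named administrator; all passwords are placeholders.

```sql
-- Added example, not from the paper. WIDGET, WIDGET_ADMIN, JSMITH and the
-- passwords are assumptions/placeholders.

-- Separation of duty: object maintenance vs. security administration.
CREATE ROLE widget_dba;
CREATE ROLE widget_security_dba;

-- WIDGET_DBA maintains application objects. Grants are per object rather
-- than *ANY* system privileges, so the role cannot reach other schemas.
GRANT ALTER, INDEX, SELECT ON widget.customers TO widget_dba;
GRANT ALTER, INDEX, SELECT ON widget.orders    TO widget_dba;

-- WIDGET_SECURITY_DBA manages VPD and fine-grained audit policies only.
GRANT EXECUTE ON sys.dbms_rls TO widget_security_dba;
GRANT EXECUTE ON sys.dbms_fga TO widget_security_dba;

-- Target account that holds the role. Nobody logs in to it directly, so its
-- password is never handed out to the administrators (the SYSTEM problem).
CREATE USER widget_admin IDENTIFIED BY "placeholder_pw_never_shared";
GRANT CREATE SESSION, widget_dba TO widget_admin;

-- Named administrator authenticating with personal credentials.
CREATE USER jsmith IDENTIFIED BY "placeholder_pw";
GRANT CREATE SESSION TO jsmith;

-- JSMITH may proxy to WIDGET_ADMIN. WITH ROLE limits the proxied session to
-- WIDGET_DBA even if WIDGET_ADMIN later accumulates further roles.
ALTER USER widget_admin GRANT CONNECT THROUGH jsmith WITH ROLE widget_dba;

-- Standard audit of DDL done through the proxy, attributed to JSMITH.
AUDIT ALTER TABLE, INDEX BY jsmith ON BEHALF OF widget_admin;

-- 10gR2 SQL*Plus proxy login: JSMITH authenticates, the session runs as
-- WIDGET_ADMIN, and both identities remain visible to the database.
CONNECT jsmith[widget_admin]/placeholder_pw
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS authenticated_as,  -- JSMITH
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS running_as         -- WIDGET_ADMIN
  FROM dual;
SELECT role FROM session_roles;   -- WIDGET_DBA only
```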
Row Level Security


A significant part of enforcing least privilege means making sure only those functional job roles with a requirement to see data can access the data. When developing a new application it can be useful to create a matrix on paper of job roles against application tables. This can help determine exactly what object privileges specific users need. Enforcing access control beyond the object level, say down to a specific row within a table, can be achieved using technologies such as Oracle Virtual Private Database (VPD) and Oracle Label Security. These are extremely powerful technologies which can be used for enforcing row level security and/or context based access control. For example, using Oracle VPD a policy could be attached to an application table which states that access is restricted on weekends or in off hours. Another example might be restricting access to tables based on the IP address of the current session. This could be used to help enforce access through a middle tier or specific application server. Oracle VPD works by dynamically modifying information requests within the Oracle database server based on an associated policy stored within the database. Oracle VPD addresses the application bypass problem by tightly binding security with the data, so that security is enforced regardless of whether the information request comes through the application or not. Oracle Label Security provides the ability to define data classification/sensitivity labels within the Oracle database and associate the sensitivity labels with individual rows within an application table. Application users can then be assigned security clearances such as sensitive or confidential. Subsequent information requests compare the user's security clearance with the data classification label associated with the data.
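A VPD policy on the WIDGET customer table that combines the two cases described above, off-hours denial and a check that the session arrives through the application tier, as an added example that is not code from the white paper. Assumed: WIDGET owns CUSTOMERS, WIDGET_SEC owns the policy function, and the application servers sit on 10.1.1.0/24.

```sql
-- Added example, not from the paper. WIDGET, WIDGET_SEC and 10.1.1.0/24 are assumptions.

-- The policy function signature is fixed by DBMS_RLS: (schema, object) -> predicate.
-- The server appends the returned predicate to every statement on the table.
CREATE OR REPLACE FUNCTION widget_sec.customers_access (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2) RETURN VARCHAR2 AS
  v_ip  VARCHAR2(64) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_day VARCHAR2(3)  := TO_CHAR(SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH');
  v_hr  NUMBER       := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
BEGIN
  -- Weekend or off hours (before 08:00, from 18:00): no rows, on any path.
  IF v_day IN ('SAT', 'SUN') OR v_hr < 8 OR v_hr >= 18 THEN
    RETURN '1=0';
  END IF;
  -- Not from the application tier. Local bequeath sessions have a NULL
  -- IP_ADDRESS and are deliberately treated the same way.
  IF v_ip IS NULL OR v_ip NOT LIKE '10.1.1.%' THEN
    RETURN '1=0';
  END IF;
  -- Otherwise ordinary object privileges decide; add no restriction.
  RETURN '1=1';
END customers_access;
/

-- Attach the policy for every DML type. The default policy type (DYNAMIC)
-- re-evaluates the function per statement, which this policy needs because
-- the predicate depends on SYSDATE; do not mark it STATIC.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'WIDGET',
    object_name     => 'CUSTOMERS',
    policy_name     => 'CUSTOMERS_CONTEXT_ACCESS',
    function_schema => 'WIDGET_SEC',
    policy_function => 'CUSTOMERS_ACCESS',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);   -- reject writes that would create rows the writer cannot see
END;
/

-- The security DBA can review what is attached to the application tables.
SELECT object_name, policy_name, function, enable
  FROM dba_policies
 WHERE object_owner = 'WIDGET';
```

A session that bypasses the application and queries WIDGET.CUSTOMERS at 23:00 receives no rows because the server rewrote the query with the `1=0` predicate. Note that SYS and any user holding the EXEMPT ACCESS POLICY privilege bypass VPD entirely, so that privilege should be granted to no application account.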
Encryption


Over the past few years a great deal of attention has been given to encryption as a solution to the problem of identity theft and protection of personally identifiable information (PII). Encryption is an important tool in the arsenal to protect sensitive information. However, it's not a magic bullet and shouldn't be used in place of strong access controls and the principle of least privilege. Oracle provides robust enterprise wide authorization management capabilities with Oracle Identity Management and strong enforcement within the Oracle database. Remember, just because it's encrypted doesn't mean access should be granted. When talking about encryption it's important to distinguish between network encryption and database encryption. Network encryption refers to the encryption of data traveling between computers. Database encryption refers to the encryption of information stored within the database and stored on disk. Oracle Database 10g Release 2 introduces a powerful new feature for database encryption called Transparent Data Encryption to protect sensitive information on backup media and disk drives.


Network Encryption

Oracle Advanced Security can protect all communications to and from the Oracle Database as well as all communications between databases. Businesses have a choice between using Oracle Advanced Security’s native encryption/data integrity algorithms and SSL to protect data over the network. Some of the typical scenarios requiring network level encryption include:

• The database server is behind a firewall and users access the server via client server applications.
• Communication between the application server in a DMZ and the database, which is behind a second firewall, must be encrypted.

Native Encryption and Data Integrity algorithms in Oracle Advanced Security require no PKI deployment. With each subsequent release of the database, newer encryption algorithms are included as they gain industry approval. The latest addition is the Advanced Encryption Standard (AES). SSL based encryption is available for businesses that have elected to provide Public Key Infrastructure to their IT deployments.
Database Encryption

Perhaps the most important new feature in Oracle Database 10g Release 2 is the addition of Transparent Data Encryption (TDE) to the Oracle Advanced Security option. Oracle can now transparently encrypt data on the network and inside the database. TDE sets the standard for database encryption by tightly coupling encryption with the database to provide a highly transparent encryption solution to protect sensitive data written to disk or backup media. Social security numbers, credit card numbers and other personally identifiable information (PII) can be easily encrypted without breaking the existing application. Most encryption solutions require specific calls to encryption functions within the application code plus the creation of additional views inside the database. This is expensive and time consuming because it requires extensive understanding of an application as well as the ability to write and maintain software. Most organizations don't have the time or expertise to modify existing applications to make calls to encryption routines. In addition, the task of retrofitting an existing application with encryption is manual and error prone. With TDE, existing applications and backup routines will continue to work with the added assurance that sensitive data is encrypted on the backup tapes. In addition, it's possible with TDE to have the database up and running for maintenance and disable access to sensitive data from a DBA. This can be done because the master key used to encrypt and decrypt information is stored outside the Oracle database in an object known as an Oracle Wallet. The Wallet contains the master key and must be opened before encrypted data can be accessed. The password for the Wallet can be separate from the system or DBA password. Therefore the regular DBA may be able to start up the database, but without the password protecting the Oracle Wallet the database will not be able to decrypt any information stored inside the database, and an error will be returned if the DBA attempts to access encrypted data. Once maintenance personnel depart the facility, the Wallet can be opened and the application will transparently see the data decrypted.
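The 10g Release 2 TDE lifecycle described above, master key in a wallet outside the database, column encryption with no application change, and a closed wallet during maintenance, as an added example that is not code from the white paper. Assumed: the wallet directory and password are placeholders, schema WIDGET owns CUSTOMERS (with an indexed SSN column and a primary key), and a security DBA distinct from the regular DBA runs the wallet commands.

```sql
-- Added example, not from the paper. Wallet path, password and WIDGET schema are assumptions.

-- sqlnet.ora on the database server tells the instance where the wallet lives:
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE)
--       (METHOD_DATA = (DIRECTORY = /etc/ORACLE/WALLETS/widget)))

-- Security DBA creates the master key; in 10gR2 this also creates and opens
-- the wallet. The wallet password is distinct from the SYS/SYSTEM passwords.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WALLET_PASSWORD_PLACEHOLDER";

-- Encrypt a column in an existing table. NO SALT is required because the
-- column is indexed; name, datatype and application SQL stay unchanged.
ALTER TABLE widget.customers MODIFY (ssn ENCRYPT NO SALT);

-- New table with an explicit algorithm; salted (the default) is preferable
-- wherever the column does not need an index.
CREATE TABLE widget.payment_cards (
  card_id   NUMBER        PRIMARY KEY,
  cust_id   NUMBER        NOT NULL REFERENCES widget.customers,
  card_no   VARCHAR2(19)  ENCRYPT USING 'AES256',
  expires   DATE);

-- Verify which columns are protected, with which algorithm, and whether salted.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

-- Maintenance window: close the wallet. The instance stays open and the
-- regular DBA can work on everything except encrypted columns, which now
-- fail with ORA-28365 (wallet is not open) on any read or write.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;

-- After maintenance staff leave, the security DBA reopens the wallet and the
-- application sees cleartext again with no change on its side.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WALLET_PASSWORD_PLACEHOLDER";
```

Two operational points follow from the design: the wallet must be backed up separately from the database (without it the encrypted columns are unrecoverable), and a user holding SELECT on the table reads cleartext whenever the wallet is open, which is why the paper pairs TDE with access control and auditing rather than treating it as a substitute.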
TRUST BUT VERIFY

Intrusion prevention is an important part of the overall enterprise security architecture. However, the only bullet-proof intrusion prevention solution in the world today is to lock the computer away, don't connect a network and don't give anyone the key. Of course that's not a practical solution. The reality must be faced that someone will get in, and it probably will be either an employee, someone posing as a legitimate customer/business partner or a hacker. Intrusion detection is an imperfect science, but it's safe to say that the easiest attack to catch will probably be the hacker, because like an enemy trying to invade across the border, IT Security is on guard and watching for this type of attack. The other types of attacks will typically be very subtle. Intrusion detection will require, among other things, auditing, and this boils down to the principle of trust but verify. Since the passage of the United States Sarbanes-Oxley Act in 2002, auditing has become an important tool in the implementation of the internal controls necessary to comply with section 404 of the Sarbanes-Oxley Act. However, the benefit of auditing goes well beyond the original intentions of Sarbanes-Oxley. Auditing can be used to detect usage anomalies, which can tip off internal security personnel and lead to the early detection of illegal activity. Oracle has provided robust audit capabilities since Oracle7 was introduced in the early 1990s, and auditing has never been more important than it is today. Oracle9i introduced a significant new audit feature called Fine Grained Auditing. Fine Grained Auditing allows audit policies to be associated with application tables, and the policy determines when to generate an audit record. For example, an audit record might be generated only when someone attempts to access information after midnight or attempts to access a specific bank account.
Fine Grained Auditing can be used to reduce the amount of audit information generated and restrict auditing to especially sensitive information. Fine Grained Auditing was enhanced in Oracle Database 10g Release 1 to work with DML operations. Oracle Database 10g Release 2 auditing enhancements include the ability to write audit information outside the database to the operating system syslog.
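A Fine Grained Auditing policy that records exactly the two cases mentioned above, access after midnight and access to one specific bank account, as an added example that is not code from the white paper. Assumed: schema WIDGET owns ACCOUNTS with columns ACCOUNT_NO and BALANCE, and 123456789 is a constructed account number used here as the sensitive one.

```sql
-- Added example, not from the paper. WIDGET.ACCOUNTS and the account number are assumptions.

BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'WIDGET',
    object_name     => 'ACCOUNTS',
    policy_name     => 'ACCOUNTS_SENSITIVE_ACCESS',
    -- Evaluated against the rows a statement touches; only a matching row
    -- produces an audit record. Before 06:00 counts as "after midnight".
    audit_condition => 'ACCOUNT_NO = ''123456789'' '
                    || 'OR TO_NUMBER(TO_CHAR(SYSDATE, ''HH24'')) < 6',
    -- Only statements referencing these columns are candidates at all.
    audit_column    => 'ACCOUNT_NO, BALANCE',
    -- DML statement types are supported from 10g Release 1 onward.
    statement_types => 'SELECT, UPDATE, DELETE',
    -- DB_EXTENDED keeps the SQL text and bind values with each record.
    audit_trail     => DBMS_FGA.DB_EXTENDED,
    enable          => TRUE);
END;
/

-- Review: who touched the sensitive rows, from where, and with what statement.
-- A lookup of a different account at 14:00 produces nothing, so the trail
-- stays small and focused on the cases the policy names.
SELECT timestamp, db_user, os_user, userhost, policy_name, sql_text
  FROM dba_fga_audit_trail
 WHERE object_schema = 'WIDGET'
   AND object_name   = 'ACCOUNTS'
 ORDER BY timestamp DESC;

-- 10gR2 addition for the standard audit trail: write records to the OS
-- syslog so they leave the database and cannot be edited by a DBA.
-- Instance parameters (facility/level are assumptions); restart to apply:
--   AUDIT_TRAIL        = OS
--   AUDIT_SYSLOG_LEVEL = LOCAL1.WARNING
```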



INFORMATION ASSURANCE


There is no equivalent of a TPC benchmark for security. There are, however, international standards, such as the International Common Criteria (CC) evaluation and FIPS. Oracle has completed 17 independent security evaluations over the past decade. The evaluation process takes an independent, licensed and accredited organization up to a full year, and sometimes longer, to complete. Oracle completed its first evaluation in 1994. Evaluators examine coding standards and development practices. Organizations who have undergone evaluations learn to improve their coding, testing and shipping processes as a result of the demanding process. No other database vendor can match Oracle's long term commitment to information assurance. Security evaluations are perhaps the most effective way to qualify a vendor’s assertions about its security implementations. Assurance afforded by independent security evaluations is a significant part of Oracle’s approach to security. Oracle Database 10g Release 1 is currently in evaluation under the International Common Criteria at EAL4.
CONCLUSION - DEFENSE-IN-DEPTH


Historically security has been focused on the perimeter and keeping the bad guys out. However, over the past few years the focus has shifted to the Intranet and internal security. While the vast majority of employees are trustworthy and strive to contribute to the overall success of an organization, one employee can wreak havoc on corporate strategy and image. In addition, there are individuals and companies who seek personal gain by exploiting the information they gain through seemingly legitimate partnerships or business relationships. Oracle Database 10g Release 2 raises database security technology to a new level. Oracle's decade long commitment to independent security evaluations, coupled with Oracle's 25 plus years working with security conscious customers, has enabled Oracle to establish itself as the database security leader. Oracle Transparent Data Encryption makes the practical application of encryption within a database cost effective. Robust support for row level security, integrated identity management capabilities, fine-grained auditing, data classification/label security, proxy authentication, PKI support and Virtual Private Database are just a few of the technologies available with Oracle Database 10g Release 2. In addition, the capabilities in Oracle Database 10g Release 2 are ideally suited for meeting the privacy and compliance challenges in today's global economy. Oracle Database 10g Release 2 has robust identity management integration capabilities, providing huge cost savings by dramatically reducing the complexity of managing application users. Oracle is an ideal platform on which to build and deploy secure applications for today's complex, Internet-connected world.


Oracle Database 10g Release 2 Defense-In-Depth Security
August 2005
Author: Paul Needham
Contributing Authors:

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2005, Oracle. All rights reserved. This document is provided for information purposes only and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission. Oracle, JD Edwards, PeopleSoft, and Retek are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.