Oracle Database 10g Release 2

Defense-In-Depth Security
An Oracle White Paper
August 2005
 Oracle Database 10g Release 2 Security
Defense-In-Depth Security

INTRODUCTION
Information theft is big business in the 21st century and the battle between those
who work to protect data and those who wish to steal it is intensifying and the
stakes have never been higher. Over the past ten years numerous regulations have
emerged which attempt to address internal controls and the protection of
personally identifiable information (PII). Examples of such regulations in the
Organizations today
United States include Sarbanes-Oxley, HIPAA and California SB 1386 and the EU
realize the internal threat
can be just as great or
Directive on Privacy and Electronic Communications in Europe. Organizations
greater than the external today realize the internal threat can be just as great or greater than the external
threat. threat. Worse yet, gaining access to a cache of personal data such as social security
numbers is like breaking into Fort Knox for an identity thief. Recent crimes have
targeted organizations whose business model is to collect and maintain personal
information. Preventing and detecting unauthorized usage of data requires far
more security than just good authentication and authorization management. To the
extent possible, administration and maintenance must be delegated and behavior
outside an area of responsibility must be monitored. However, the problem of
abuse within a role or responsibility can be challenging to detect and prevent as
well. While there is no easy answer, applications can be built based upon industry
standard security principles such as defense-in-depth, least privilege and trust but
verify.

DEFENSE-IN-DEPTH
Over the past 25 plus years Oracle has built powerful security solutions into the
Security must be part of the Oracle database enabling customers to deploy a defense in depth strategy and
planning process from day one of enforce the principle of least privilege. There is no single security solution that will
the application development provide absolute protection. Security must be part of the planning process from
process.
day one of the application development process. Security must be taken into
consideration from the web client to middle tier to the backend database. In
addition, it's important to remember that threats to data security from within
should be taken just as seriously as those coming from the outside.

Oracle Database 10g Release 2 Defense-In-Depth Security Page 2

 Twelve Security Questions When Designing an Application
Too often the application development process skips over the phases of strategy
Too often the application
and analysis and goes straight to the design phase. However, the strategy and
development process skips analysis phases are critical to the overall security of an application. Security has to
over the phases of strategy be part of the design process from the start and not bolted on at the end. While
and analysis and goes not comprehensive, here are twelve questions that should be asked during the
straight to the design phase. application development process. Most of these questions should be answered
during the strategy, analysis and design phases before any application development
work takes place.
1. Can we audit the activities of the real user?
2. How do we efficiently provision and de-provision user accounts?
3. If necessary, how will we store and protect authentication credentials for
batch jobs?
4. What is our plan for tracking backup media and protecting sensitive data
shipped to our secure storage site?
5. What audit requirements do we have for regulatory compliance?
6. Do we have especially sensitive information that requires targeted
auditing?
7. Have we recorded what tables and columns within the application contain
sensitive information such as credit card numbers and PINS?
8. Have we designated DBA accounts other than the Oracle SYS and
SYSTEM accounts?
9. Do we plan to use stronger forms of authentication such as PKI or
Kerberos?
10. Do we have context-based security access control requirements such as
not allowing access in off hours or on weekends?
11. What if a user connects to the database and bypasses the application, how
do we enforce security?
12. Is the network protected?
The security features built into Oracle Database 10g Release 2 deliver the capability
to create and deploy secure applications with a defense-in-depth approach. Robust
privilege management, row level security, transparent data encryption, network
encryption, enterprise user security, integration with identity management, fine-
grained auditing, data classification, proxy authentication, strong
authentication/PKI, secure application roles and Virtual Private Database are just a
few of the technologies available with Oracle Database 10g Release 2 enabling
applications to be built and deployed securely. These technologies in sum form the
basis of Oracle's approach to security.

Oracle Database 10g Release 2 Defense-In-Depth Security Page 3

 THE PRINCIPLE OF LEAST PRIVILEGE
The principle of least privilege has long been neglected due to software delivery and
The principal of least
privilege has long been
development schedules. Enforcing least privilege can complicate things like
neglected due to application installation and testing methodologies as well as application patching.
software delivery and However, the security benefits of enforcing a least privilege principle during
development schedules application development will pay off in the long run.

Oracle DBA Accounts

By default, the Oracle database provides two database administration accounts with
each installation. The first is an account called SYS. The SYS account holds the
Oracle data dictionary containing metadata about the tables, views, stored
procedures, triggers, privileges, roles that comprise applications running in the
Oracle database. The second account is called SYSTEM. The SYSTEM account
can be considered the default DBA account. Historically these two accounts have
been heavily relied upon for application development and database administration.
The problem with this approach is that these two accounts are highly privileged and
if two or more administrator's share the SYSTEM password then it's impossible to
track which administrator did what and when.

Oracle Database Roles

Oracle7 introduced robust support for database roles in the early 1990's. Database
roles, combined with Oracle's robust object and system privileges, can be used to
help enforce separation of duty within an application. While this may prove
challenging for legacy applications, it should be a key consideration for new
application development. For example, let's say your organization is building the
new WIDGET application. As part of the initial application security design it is
decided to have two administrative roles for the WIDGET application. The first
role called WIDGET_DBA will maintain the application objects such as tables,
views, triggers and so forth. The second role called WIDGET_SECURITY_DBA
will manage any security relevant objects or stored procedures associated with say
Oracle Virtual Private Database (discussed later) and perhaps manage audit settings
on the overall WIDGET application. Using this approach the actions of individual
administrator's can be more closely monitored.
Oracle9i introduced secure application roles. Secure application roles are standard
Secure application roles are
standard database roles that
database roles that have a policy specified during role definition. In order to
have a policy specified during activate the role, a user must execute the associated policy. For example, a role
role definition called WIDGET_USER might have a policy associated with it called
WIDGET_USER_POLICY. The policy, written in Oracle PL/SQL, might check
the IP address of the user session and then execute an Oracle SET ROLE
command invoking the role for the user.

Oracle Database 10g Release 2 Defense-In-Depth Security Page 4

 Enterprise User Security
Oracle enterprise user security provides the ability to manage database users and
associated authorizations within Oracle Identity Management. Oracle Identity
Oracle Identity Management Management provides the ability to centrally manage database users’ accounts and
provides the ability to centrally authorizations within a central enterprise-wide LDAP v3 compliant directory. This
manage database users’ accounts
technology has progressed since its first introduction in Oracle8i. The setup and
and authorizations within a central
enterprise-wide LDAP v3
administration has been simplified and the desire to reduce the cost of provisioning
compliant directory. users within the enterprise has placed enterprise user security on the strategic
roadmap for many organizations. Oracle Identity Management now delivers web
access/single sign on, identity administration, user provisioning, federated identity
management, and Web services access control across heterogeneous environments.

Proxy Authentication
Oracle proxy authentication was introduced in Oracle8i to address the one big user
Traditionally n-tier applications problem in n-tier application models. Traditionally n-tier applications have
have authenticated end users to authenticated end users to the middle tier and then connected to the backend
the middle tier and then connected database as one big user. The problem with this approach is that accountability is
to the backend database as one
lost at the middle tier. Proxy authentication enables a middle tier or client
big user
application to authenticate and then proxy to another account within the database
without re-authenticating.
Oracle Database 10g Release 2 provides significant enhancements to the Oracle
proxy capability by integrating proxy technology with command line tools such as
SQL*Plus and integrating proxy authorization with Oracle enterprise user security.
For example, using the WIDGET application as an example, application DBA's
could be managed within Oracle Identity Management and given the authorization
to proxy to an account within the database that has been assigned the
WIDGET_DBA role while still authenticating with their own credentials to the
Oracle database.

Row Level Security

A significant part of enforcing least privilege means making sure only those
functional job roles with a requirement to see data can access the data. When
A significant part of enforcing developing a new application it can be useful to create a matrix on paper of job
least privilege means making roles against application tables. This can help determine exactly what object
sure only those functional job
privileges specific users need. The need to enforce access control beyond the
roles with a requirement to see
data can access the data.
object level, say down to a specific row within a table can be achieved using
technologies such as Oracle Virtual Private Database (VPD)and Oracle Label
Security. These are extremely powerful technologies which can be used for
enforcing row level security and/or context based access control. For example,
using Oracle VPD a policy could be attached to an application table which states
that access is restricted on weekends or in off hours. Another example, might be
restricting access to tables based on IP address of the current session. This could

Oracle Database 10g Release 2 Defense-In-Depth Security Page 5

 be used to help enforce access through a middle tier or specific application server.
Oracle VPD works by dynamically modifying information requests within the
Oracle database server based on an associated policy stored within the database.
Oracle VPD addresses the application bypass problem by tightly binding security
with the data so that security is enforced regardless of whether the information
request comes through the application or not.
Oracle Label Security provides the ability to define data classification/sensitivity
labels within the Oracle database and associate the sensitivity labels with individual
rows within an application table. Application users can then be assigned security
clearances such as sensitive or confidential. Subsequent information requests compare
the users security clearance with the data classification label associated with the
data.

Encryption
Over the past few years a great deal of attention has been given to encryption as a
solution to the problem of identity theft and protection of personally identifiable
Encryption is an important tool
information (PII). Encryption is an important tool in the arsenal to protect
in the arsenal to protect
sensitive information.
sensitive information. However, its not a magic bullet and shouldn't be used in
place of strong access controls and the principle of least privilege. Oracle provides
robust enterprise wide authorization management capabilities with Oracle Identity
Management and strong enforcement within the Oracle database. Remember, just
because it's encrypted doesn't mean access should be granted. When talking about
encryption it's important to distinguish between network encryption and database
Remember, just because encryption. Network encryption refers to the encryption of data traveling between
it's encrypted doesn't computers. Database encryption refers to the encryption of information stored
mean access should be within the database and stored on disk. Oracle Database 10g Release 2 introduces
granted a powerful new feature for database encryption called Transparent Data Encryption
to protect sensitive information on backup media and disk drives.

Oracle Database 10g Release 2 Defense-In-Depth Security Page 6

 Network Encryption
Oracle Advanced Security can protect all communications to and from the Oracle
Oracle Advanced Security Database as well as all communications between databases. Businesses have a
can protect all choice between using Oracle Advanced Security’s native encryption/data integrity
communications to and
algorithms and SSL to protect data over the network. Some of the typical scenarios
from the Oracle Database
requiring network level encryption include:
as well as all
communications between • Database Server is behind a firewall and users access the server via
databases.
client server applications
• Communication between the application server in a DMZ and the
Database which is behind a second firewall must be encrypted
Native Encryption and Data Integrity algorithms in Oracle Advanced Security
require no PKI deployment. With each subsequent release of the database, newer
encryption algorithms are included as they gain industry approval. The latest
addition is the Advanced Encryption Standard (AES). SSL based encryption is
available for businesses that have elected to provide Public Key Infrastructure to
their IT deployments.

Database Encryption
Perhaps the most important new feature in Oracle Database 10g Release 2 is the
Transparent data encryption addition of Transparent Data Encryption (TDE) to the Oracle Advanced Security
sets the standard for database option. Oracle can now transparently encrypt data on the network and inside the
encryption by tightly coupling
database. TDE sets the standard for database encryption by tightly coupling
encryption with the database
encryption with the database to provide a highly transparent encryption solution to
to provide a highly
transparent encryption
protect sensitive data written to disk or backup media. Social security numbers,
solution to protect sensitive credit card numbers and other personally identifiable information (PII) can be
data written to disk or backup easily encrypted without breaking the existing application. Most encryption
media. solutions require specific calls to encryption functions within the application code
plus the creation of addition views inside the database. This is expensive and time
consuming because it requires extensive understanding of an application as well as
the ability to write and maintain software. Most organizations don't have the time
or expertise to modify existing applications to make calls to encryption routines. In
addition, the task of retrofitting an existing application with encryption is manual
and error prone. With TDE existing applications and backup routines will
continue to work with the added assurance that sensitive data is encrypted on the
backup tapes.
In addition, it's possible with TDE to have the database up and running for
maintenance and disable access to sensitive data from a DBA. This can be done
In addition, it's possible with
because the master key used to encrypt and decrypt information is stored outside
TDE to have the database up and
running for maintenance and
the Oracle database in an object known as an Oracle Wallet. The Wallet contains
disable access to sensitive data the master key and must be opened before encrypted data can be accessed. The
from a DBA. password for the Wallet can be separate from the system or DBA password.
Therefore the regular DBA may be able to startup the database, but without the

Oracle Database 10g Release 2 Defense-In-Depth Security Page 7

 password protecting the Oracle Wallet the database will not be able to decrypt any
information stored inside the database and an error will be returned if the DBA
attempts to access encrypted data. Once maintenance personnel depart the facility,
the Wallet can be opened and the application will transparently see the data
decrypted.

TRUST BUT VERIFY

The only bullet-proof Intrusion prevention is an important part of the overall enterprise security
intrusion prevention architecture. However, the only bullet-proof intrusion prevention solution in the
solution in the world world today is to lock the computer away, don't connect a network and don't give
today is to lock the
anyone the key. Of course that's not a practical solution. The reality must be faced
computer away, don't
that someone will get in and it probably will be either an employee, someone
connect a network and
don't give anyone the key.
posing as a legitimate customer/business partner or a hacker. Intrusion detection is
an imperfect science but it's safe to say that the easiest attack to catch will probably
be the hacker because like an enemy trying to invade across the border IT Security
is on guard and watching for this type of attack. The other types of attacks will
typically be very subtle. Intrusion detection will require, among other things,
auditing and this boils down to the principle of trust but verify.
Since the passage of the United States Sarbanes-Oxley Act in 2002, auditing has
Auditing can be used to
become an important tool in the implementation of the internal controls necessary
detect usage anomalies,
which can tip off to internal to comply with section 404 of the Sarbanes-Oxley Act. However, the benefit of
security personnel and lead auditing goes well beyond the original intentions of Sarbanes-Oxley. Auditing can
to the early detection of be used to detect usage anomalies, which can tip off internal security personnel and
illegal activity. lead to the early detection of illegal activity.
Oracle has provided robust audit capabilities since Oracle7 was introduced in the
early 1990's and auditing has never been more important than it is today. Oracle9i
introduced a significant new audit feature called Fine Grained Auditing. Fine
Grained Auditing allows audit policies to be associated with application tables and
the policy determines when to generate an audit record. For example, an audit
record might only when someone attempts to access information after midnight or
attempts to access a specific bank account. Fine Grained Auditing can be used to
reduce the amount of audit information generated and restrict auditing to especially
sensitive information. Fine Grained Auditing was enhanced in Oracle Database 10g
Release 1 to work with DML operations. Oracle Database 10g Release 2 auditing
enhancements include the ability to write audit information outside the database to
the operating system sys log.

Oracle Database 10g Release 2 Defense-In-Depth Security Page 8

 INFORMATION ASSURANCE
There is no equivalent of a TPC benchmark for security. There are, however,
international standards, such as the International Common Criteria (CC) evaluation
There is no equivalent of a TPC
and FIPS. Oracle has completed 17 independent security evaluations over the past
benchmark for security. There
are, however, international
decade. The evaluation process lasts up to a full year—and sometimes longer—for
standards, such as the an independent, licensed and accredited organization to complete. Oracle
International Common Criteria completed its first evaluation in 1994. Evaluators examine coding standards and
(CC) evaluation and FIPS. development practices. Organizations who have undergone evaluations learn to
improve upon their coding, testing and shipping processes as a result of undergoing
the demanding process. No other database vendor can match Oracle's long term
commitment to information assurance. Security evaluations are perhaps the most
effective way to qualify a vendor’s assertions about its security implementations.
Assurance afforded by independent security evaluations is a significant part of
Oracle’s approach to security. Oracle Database 10g Release 1 is currently in
evaluation under the International Common Criteria at EAL4.

CONCLUSION - DEFENSE-IN-DEPTH
Historically security has been focused on the perimeter and keeping the bad guys
out. However, over the past few years the focus has shifted to the Intranet and
While the vast majority of internal security. While the vast majority of employees are trustworthy and strive to
employees are trustworthy and
contribute to the overall success of an organization, one employee can wreak havoc
strive to contribute to the overall
success of an organization, one
on corporate strategy and image. In addition, there are individuals and companies
employee can wreak havoc on who seek personal gain by to exploiting the information they gain through
corporate strategy and image seemingly legitimate partnerships or business relationships. Oracle Database 10g
Release 2 raises database security technology to a new level. Oracle's decade long
commitment to independent security evaluations, coupled with Oracle's 25 plus
years working with security conscious customers has enabled Oracle to establish
itself as the database security leader. Oracle Transparent Data Encryption makes
the practical application of encryption within a database cost effective. Robust
support for row level security, integrated identity management capabilities, fine-
grained auditing, data classification/label security, proxy authentication, PKI
support, Virtual Private Database are just a few of the technologies available with
Oracle Database 10g Release 2. In addition, the capabilities in the Oracle Database
10g Release 2 are ideally suited for meeting the privacy and compliance challenges
in today's global economy. Oracle Database 10g Release 2 has robust identity
management integration capabilities providing huge cost savings by dramatically
reducing the complexity of managing application users. Oracle is an ideal platform
on which to build and deploy secure applications for today's complex, Internet-
connected world.

Oracle Database 10g Release 2 Defense-In-Depth Security Page 9

Oracle Database 10g Release 2 Defenese-In-Depth Security
August 2005
Author: Paul Needham
Contributing Authors:

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright © 2005, Oracle. All rights reserved.

This document is provided for information purposes only and the
contents hereof are subject to change without notice.
This document is not warranted to be error-free, nor subject to any
other warranties or conditions, whether expressed orally or implied
in law, including implied warranties and conditions of merchantability
or fitness for a particular purpose. We specifically disclaim any
liability with respect to this document and no contractual obligations
are formed either directly or indirectly by this document. This document
may not be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without our prior written permission.
Oracle, JD Edwards, PeopleSoft, and Retek are registered trademarks of
Oracle Corporation and/or its affiliates. Other names may be trademarks
of their respective owners.