Building Secure Database Applications

Scott Rotondo, Oracle Database Security, October 4, 2017

Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
Defense-in-Depth Security for Databases
Data-driven security: Evaluate, Prevent, Detect

Capabilities shown on the slide:
• Security Configuration
• Sensitive Data Discovery
• Privilege Analysis
• Security Assessment
• Data Encryption
• Key Management
• Crypto Toolkit for Applications
• Row Level Security
• Real Application Security
• Label-based Security
• Data Redaction
• Data Masking and Subsetting
• DBA & Operations Controls
• Database/SQL Firewall
• Database Auditing
• Centralized Monitoring
• Alerting & Reporting
Typical Application Architecture
(Diagram labels: User, Application Servers, LDAP.)
Problems with Typical Implementations
• All data is treated the same
  – Regardless of sensitivity or importance
• Application always runs with all the privileges it will ever need
  – Independent of end user or operation being performed
• Database security protections don't match the application
  – Need richer, application-specific policies
• Insufficient auditing
  – To monitor application users and those who bypass it
Five Areas to Consider
1. Sensitive Data
2. Least Privilege
3. Basic Access Control
4. Application-Specific Protection
5. Auditing
Area 1: Sensitive Data
Dealing with Sensitive Data
• Examples of sensitive data
  – Personally identifiable information (e.g. name, phone, national id)
  – Private records (e.g. medical, academic)
  – High-value information (e.g. corporate financials, intellectual property)
• Key issues
  – Discovering which information in the database is sensitive
  – Exposing sensitive data only in controlled ways
Discovering Sensitive Data
• Identify and catalog sensitive data
  – Enterprise Manager
  – DB Security Assessment Tool (DBSAT)
• Application Data Model describes sensitive types and relationships
Oracle Data Redaction
• Real-time redaction of sensitive data based on context
• Transparent to applications. No code changes required
• Consistent enforcement within the database
• No changes in regular database operations

(Diagram: credit card numbers 4451-2172-9841-4368, 5106-8395-2095-5938 and 7830-0032-0294-1827 are stored in the database. Credit Card Processing sees 4451-2172-9841-4368; the Call Center sees xxxx-xxxx-xxxx-4368.)

Supported Transformations

Transformation   Stored Data           Redacted Results
Full             10/09/1992            01/01/2001
Partial          052-51-2147           XXX-XX-2147
RegExp           [email protected]     [hidden]@acme.com
Random           4451-2172-9841-4368   4943-6344-0547-0110
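The call-center versus card-processing scenario above, written out as Data Redaction policies. This is an added example, not code from the deck or from Oracle; the SALES.CUSTOMERS table, its rows, the policy name and the module name CC_PROCESSING are constructed for illustration. It shows one policy covering all four transformation types (partial, partial with a different mask, regular expression, full) and a context expression that decides per query whether redaction applies.

```sql
-- Added example (not from the slides): Oracle Data Redaction policy for the
-- call-center / card-processing scenario. Schema SALES, table CUSTOMERS and the
-- module name CC_PROCESSING are assumptions; run as a user with EXECUTE on DBMS_REDACT.

-- Constructed sample table and row
CREATE TABLE sales.customers (
  cust_id NUMBER PRIMARY KEY,
  card_no VARCHAR2(19),
  ssn     VARCHAR2(11),
  email   VARCHAR2(100),
  dob     DATE);
INSERT INTO sales.customers
  VALUES (1, '4451-2172-9841-4368', '052-51-2147', 'jane.doe@acme.com', DATE '1992-10-09');
COMMIT;

-- Partial redaction of the card number: positions 1-12 of the digits become 'x',
-- the last four stay. The expression is evaluated for every query: only sessions
-- that identify as the card-processing module see the stored value; every other
-- session (the call center) gets xxxx-xxxx-xxxx-4368.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'SALES',
    object_name         => 'CUSTOMERS',
    column_name         => 'CARD_NO',
    policy_name         => 'redact_customers',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last digit to mask
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,x,1,12',
    expression          => 'SYS_CONTEXT(''USERENV'',''MODULE'') != ''CC_PROCESSING''');
END;
/

-- Further columns join the same policy (same expression), each with its own
-- transformation.
BEGIN
  -- Partial: SSN is shown as XXX-XX-2147
  DBMS_REDACT.ALTER_POLICY(
    object_schema       => 'SALES', object_name => 'CUSTOMERS',
    policy_name         => 'redact_customers',
    action              => DBMS_REDACT.ADD_COLUMN,
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,X,1,5');

  -- Regular expression: keep the domain, replace the local part with [hidden]
  DBMS_REDACT.ALTER_POLICY(
    object_schema         => 'SALES', object_name => 'CUSTOMERS',
    policy_name           => 'redact_customers',
    action                => DBMS_REDACT.ADD_COLUMN,
    column_name           => 'EMAIL',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => '^([^@]+)@(.+)$',
    regexp_replace_string => '[hidden]@\2',
    regexp_position       => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence     => DBMS_REDACT.RE_FIRST);

  -- Full: a DATE column is replaced by the fixed default date (01/01/2001)
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'SALES', object_name => 'CUSTOMERS',
    policy_name   => 'redact_customers',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'DOB',
    function_type => DBMS_REDACT.FULL);
END;
/

-- Check from two sessions. The stored data never changes; only the result set does.
EXEC DBMS_APPLICATION_INFO.SET_MODULE('CALL_CENTER', NULL);
SELECT card_no, ssn, email, dob FROM sales.customers;   -- all four columns redacted

EXEC DBMS_APPLICATION_INFO.SET_MODULE('CC_PROCESSING', NULL);
SELECT card_no FROM sales.customers;                     -- stored card number
```

Two caveats a practitioner should keep in mind. MODULE is one of the modifiable USERENV attributes (it is set by the client through DBMS_APPLICATION_INFO, JDBC or OCI), so an expression keyed on it only distinguishes cooperating applications; tie the expression to SESSION_USER, PROXY_USER or the client address when the redaction boundary matters. And redaction changes what a query returns, not who may run it; it complements the access-control features later in the deck rather than replacing them.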
Area 2: Least Privilege
Principle of Least Privilege
• Run each program with the minimum privileges needed to perform its intended function
• Limits possible damage if
  – The program contains a bug
  – A vulnerability is exploited by an attacker
• Sounds obvious, but this principle is violated all the time
Review of Database Privileges and Roles
• The Oracle database supports two types of privilege
• Object privileges allow an operation on a specific object
  – grant SELECT on HR.EMPLOYEES to SCOTT
• System privileges apply to any object or to the database as a whole
  – grant DROP ANY TABLE to SCOTT
  – grant ALTER DATABASE to SCOTT
• Can assign privileges directly to users or indirectly via roles
• PL/SQL code can use either owner's or caller's privileges
  – Definer's vs. invoker's rights
Schema Separation
• Less powerful runtime account
  – No system privileges or DDL
• Sensitive tables protected from runtime user
  – VPD, Label Security, RAS
• PL/SQL packages called by RUNTIME
  – Invoker's rights
• Administrative packages run with HR privileges
  – Definer's rights

(Diagram labels: User, App Server, Proxy, RUNTIME, HR, HR Admin, DBA; the operations Query Employee and Update Employee on the EMP Table.)
Code-Based Access Control
• Starting with Oracle 12c, a way to associate privileges with code instead of users
• Grant roles to a PL/SQL procedure or function
  – Privileges are active only while executing this block of code
• Similar in effect to definer's rights, except
  – Normal DR procedure uses only privileges directly granted to owner, not roles
  – Different procedures with the same owner can have different roles
  – Works with both definer's and invoker's rights procedures
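The schema-separation diagram and the two preceding slides (definer's versus invoker's rights, code-based access control) as one worked setup. This is an added example, not code from the deck or from Oracle; the HR, RUNTIME, APPSRV, HR_ADMIN and ARCH accounts, HR_ADMIN_ROLE, the table layout and the placeholder passwords are all assumptions. It shows a runtime account that owns nothing, an invoker's-rights API that cannot do more than its caller, a definer's-rights administrative procedure, and a role granted to that procedure rather than to any user.

```sql
-- Added example (not from the slides): schema separation, definer's vs.
-- invoker's rights, and code-based access control. All account names, the
-- role name and the passwords are placeholders; run as a DBA.

-- 1. Data owner; a runtime account with no DDL and no system privileges;
--    an application-server account that proxies to RUNTIME so the database
--    still sees RUNTIME (and records the proxy chain in the audit trail).
CREATE USER hr IDENTIFIED BY "placeholder#1" QUOTA UNLIMITED ON users;
GRANT CREATE SESSION, CREATE TABLE, CREATE PROCEDURE TO hr;
CREATE USER runtime IDENTIFIED BY "placeholder#2";
GRANT CREATE SESSION TO runtime;                       -- nothing else
CREATE USER appsrv IDENTIFIED BY "placeholder#3";
GRANT CREATE SESSION TO appsrv;
ALTER USER runtime GRANT CONNECT THROUGH appsrv;
CREATE USER hr_admin IDENTIFIED BY "placeholder#4";
GRANT CREATE SESSION TO hr_admin;

-- 2. The sensitive table lives in HR. RUNTIME gets only what the application
--    needs: read access, and UPDATE restricted to the contact column.
CREATE TABLE hr.employees (
  emp_id NUMBER PRIMARY KEY, name VARCHAR2(40), phone VARCHAR2(20),
  salary NUMBER, manager_id NUMBER);
GRANT SELECT ON hr.employees TO runtime;
GRANT UPDATE (phone) ON hr.employees TO runtime;

-- 3. Invoker's rights package called by RUNTIME: it runs with the caller's
--    privileges, so going through the package gains RUNTIME nothing extra.
CREATE OR REPLACE PACKAGE hr.emp_api AUTHID CURRENT_USER AS
  PROCEDURE update_phone(p_emp_id NUMBER, p_phone VARCHAR2);
  FUNCTION  get_name(p_emp_id NUMBER) RETURN VARCHAR2;
END emp_api;
/
CREATE OR REPLACE PACKAGE BODY hr.emp_api AS
  PROCEDURE update_phone(p_emp_id NUMBER, p_phone VARCHAR2) IS
  BEGIN
    UPDATE hr.employees SET phone = p_phone WHERE emp_id = p_emp_id;
  END update_phone;
  FUNCTION get_name(p_emp_id NUMBER) RETURN VARCHAR2 IS
    v_name hr.employees.name%TYPE;
  BEGIN
    SELECT name INTO v_name FROM hr.employees WHERE emp_id = p_emp_id;
    RETURN v_name;
  END get_name;
END emp_api;
/
GRANT EXECUTE ON hr.emp_api TO runtime;

-- 4. Administrative procedure with definer's rights: it runs with HR's own
--    privileges, so a caller needs no privilege on the table, only EXECUTE.
--    It also logs the change into ARCH, a schema HR itself cannot write to.
CREATE USER arch IDENTIFIED BY "placeholder#5" QUOTA UNLIMITED ON users;
CREATE TABLE arch.salary_log (
  emp_id NUMBER, old_salary NUMBER, new_salary NUMBER,
  changed_by VARCHAR2(128), changed_at TIMESTAMP);

CREATE OR REPLACE PROCEDURE hr.set_salary(p_emp_id NUMBER, p_salary NUMBER)
  AUTHID DEFINER AS
  v_old hr.employees.salary%TYPE;
BEGIN
  SELECT salary INTO v_old FROM hr.employees WHERE emp_id = p_emp_id FOR UPDATE;
  UPDATE hr.employees SET salary = p_salary WHERE emp_id = p_emp_id;
  INSERT INTO arch.salary_log
    VALUES (p_emp_id, v_old, p_salary, SYS_CONTEXT('USERENV','SESSION_USER'), SYSTIMESTAMP);
END set_salary;
/
-- At this point the procedure is invalid: HR holds no privilege on
-- ARCH.SALARY_LOG, and a definer's-rights unit ignores roles granted to HR.

-- 5. Code-based access control: grant the role to the procedure itself. The
--    role is active only while HR.SET_SALARY runs, not in HR's sessions and
--    not in any other procedure HR owns.
CREATE ROLE hr_admin_role;
GRANT INSERT ON arch.salary_log TO hr_admin_role;
GRANT hr_admin_role TO PROCEDURE hr.set_salary;
ALTER PROCEDURE hr.set_salary COMPILE;                 -- now resolves ARCH.SALARY_LOG

-- Only the HR administrator may call it; RUNTIME is never granted EXECUTE.
GRANT EXECUTE ON hr.set_salary TO hr_admin;
```

The split to check afterwards: RUNTIME can read EMPLOYEES and change phone numbers, through the package or directly, and nothing more; HR_ADMIN can change salaries only through SET_SALARY; and the INSERT privilege on the log table is held by no user at all, only by the procedure.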
Which Privileges Do I Need?
• We want to grant specific privileges to each user or schema
• But how do we know which privileges to grant?
• Start with analysis of the program, but…
  – Want to confirm that analysis empirically
  – What about existing programs?
Database Vault Privilege Analysis
• Capture and report on database privilege usage at runtime
  – For users, sessions, and roles (incl. PUBLIC)
  – Show used System, Object, and Public privileges
  – Show how the user got the privilege
• Show unused system and object privileges
• Administrator can modify privilege grants based on results

Unused Privileges Report
(Screenshot of the report.)

Used Privileges Report
(Screenshot of the report.)
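The capture-and-report cycle behind the two report screenshots, as an added example (not code from the deck or from Oracle). It uses the DBMS_PRIVILEGE_CAPTURE package and the DBA_USED_PRIVS / DBA_UNUSED_PRIVS views; the capture name, the RUNTIME account and the privilege revoked at the end are assumptions. The capture is scoped with a condition so that only the application account's activity is recorded.

```sql
-- Added example (not from the slides): privilege analysis for one application
-- account. Capture name and the RUNTIME account are assumptions; run as a user
-- with the CAPTURE_ADMIN role.

-- 1. Define a context-based capture: record only privileges exercised by
--    sessions whose database user is RUNTIME, then switch it on.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'app_runtime_capture',
    description => 'Privileges RUNTIME actually uses during a regression run',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''RUNTIME''');
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'app_runtime_capture');
END;
/

-- 2. Exercise the application through a complete business cycle (month-end,
--    batch jobs, administrative screens), then stop and materialise results.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'app_runtime_capture');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'app_runtime_capture');
END;
/

-- 3. Used privileges, with the grant path (direct grant or which role)
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name, path
FROM   dba_used_privs
WHERE  capture = 'app_runtime_capture'
ORDER  BY username, sys_priv NULLS LAST, object_name;

-- 4. Unused privileges: the revocation candidates
SELECT username, rolename, sys_priv, obj_priv, object_owner, object_name
FROM   dba_unused_privs
WHERE  capture = 'app_runtime_capture'
ORDER  BY sys_priv NULLS LAST, object_name;

-- 5. Act on the findings (illustration: a system privilege never exercised)
REVOKE DROP ANY TABLE FROM runtime;
```

Two practical points: a capture only sees what ran while it was enabled, so the run has to cover rare paths (year-end jobs, failover procedures) or those privileges will show up as "unused"; and grants reached through roles appear with the role in USED_ROLE and the chain in PATH, which is what tells you whether to revoke from the user or trim the role.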
Area 3: Basic Access Control
Virtual Private Database
Database Enforced Row Level Security
• Restrict access to subset of data
  – Row filtering
  – Column masking
• Customizable policies
  – Application context value
  – Current system state
  – Current and foreign tables

(Diagram: two sales reps each issue "Select * from Orders"; the VPD policy appends "Where Region='EU'" for one and "Where Region='US'" for the other, so each sees only the EU Region or US Region rows of the ORDERS table.)
Oracle Label Security
Label Based Access Control
• Classify data based on application
• Level, Compartment, Group
• Authorizations to application or database users
• Authorizations can be managed in directory

(Diagram: two sales reps each issue "Select * from Orders"; the Oracle Label Security policy compares each ORDERS row's label (values such as CA, US, EU, US EU, EU US) with the user's authorization, so one rep sees the US Region rows and the other the EU Region rows.)
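The label-based version of the ORDERS diagram, as an added example (not code from the deck or from Oracle). Policy name REGION_POL, the SALES.ORDERS table with its REGION column, and the SREP_US, SREP_EU, SALES_MGR and SALES_LOADER accounts are assumptions. Each row carries a label built from one level and one or more region compartments; a user reads a row only when the user's label dominates the row's label (at least the same level and all of the row's compartments), which is what makes a two-region row visible to the manager but to neither single-region rep.

```sql
-- Added example (not from the slides): Oracle Label Security policy that
-- labels ORDERS rows by region. Names are assumptions; run as a label security
-- administrator (LBAC_DBA role, e.g. LBACSYS).

-- 1. Policy: READ_CONTROL/WRITE_CONTROL enforce on reads and writes; HIDE keeps
--    the label column out of SELECT *, so the application needs no change.
BEGIN
  SA_SYSDBA.CREATE_POLICY(policy_name     => 'region_pol',
                          column_name     => 'region_label',
                          default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');
END;
/
-- 2. Label components: a single level (all rows are "Internal") and one
--    compartment per region.
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('region_pol', 1000, 'INT', 'Internal');
  SA_COMPONENTS.CREATE_COMPARTMENT('region_pol', 10, 'US', 'US Region');
  SA_COMPONENTS.CREATE_COMPARTMENT('region_pol', 20, 'EU', 'EU Region');
  SA_COMPONENTS.CREATE_COMPARTMENT('region_pol', 30, 'CA', 'Canada');
END;
/
-- 3. Data labels rows may carry; INT:US,EU is a row shared by two regions.
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL('region_pol', 1010, 'INT:US');
  SA_LABEL_ADMIN.CREATE_LABEL('region_pol', 1020, 'INT:EU');
  SA_LABEL_ADMIN.CREATE_LABEL('region_pol', 1030, 'INT:CA');
  SA_LABEL_ADMIN.CREATE_LABEL('region_pol', 1040, 'INT:US,EU');
END;
/
-- 4. Protect the table; the hidden REGION_LABEL column is added automatically.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(policy_name => 'region_pol',
                                     schema_name => 'SALES',
                                     table_name  => 'ORDERS');
END;
/
-- 5. Authorizations. A user reads a row when the user's maximum read label
--    dominates the row label, so SREP_US sees INT:US rows only, SREP_EU sees
--    INT:EU rows only, and SALES_MGR (INT:US,EU) sees US, EU and US,EU rows.
--    The loader gets the FULL privilege so it can label rows it cannot yet read.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS('region_pol', 'SREP_US',   'INT:US');
  SA_USER_ADMIN.SET_USER_LABELS('region_pol', 'SREP_EU',   'INT:EU');
  SA_USER_ADMIN.SET_USER_LABELS('region_pol', 'SALES_MGR', 'INT:US,EU');
  SA_USER_ADMIN.SET_USER_PRIVS('region_pol', 'SALES_LOADER', 'FULL');
END;
/
-- 6. Label the existing rows from their REGION column (run as SALES_LOADER,
--    which also needs UPDATE on the table).
UPDATE sales.orders
   SET region_label = CHAR_TO_LABEL('region_pol', 'INT:' || region);
COMMIT;
```

After this, "SELECT * FROM sales.orders" issued by SREP_US returns the US rows without any WHERE clause in the application, and the label column itself stays hidden unless named explicitly. Rows whose label is NULL are invisible to everyone except holders of FULL, so the labelling step in 6 should be verified with a count before the reps are let in.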
Who Is Trying to Access Data?
Access Control Requires Authentication
• End user identity must be known to the database
  – Database can manage users for client-server applications
  – Three-tier application must propagate user identity to database
• Allows database to enforce access control based on user identity
• Allows auditing to track who actually performed the operation
Application Context
• USERENV fixed attributes
  – Information about current session
  – Most predefined attributes cannot be modified
• USERENV modifiable attributes
  – Set by DBMS_APPLICATION_INFO, JDBC, OCI
  – Recorded in audit trail
• Application namespace
  – Key-value pairs set by designated PL/SQL package
  – Each application has its own namespace
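The application namespace just described and the Virtual Private Database slide before it fit together: the namespace holds the session's region, and VPD policies turn it into the "Where Region='US'" predicate from the diagram. The following is an added example, not code from the deck or from Oracle; the SALES schema, the SALES_REPS mapping table, the ORDERS_CTX namespace and the policy names are assumptions. It goes slightly beyond the slide by showing both policy kinds, row filtering and column masking, on the same table.

```sql
-- Added example (not from the slides): a trusted application context plus two
-- VPD policies on ORDERS (row filtering by region, column masking of DISCOUNT).
-- SALES schema, SALES_REPS table, ORDERS_CTX and policy names are assumptions;
-- run as a DBA (CREATE CONTEXT and DBMS_RLS need elevated privileges).

-- Constructed sample data
CREATE TABLE sales.sales_reps (
  db_user VARCHAR2(128) PRIMARY KEY, region VARCHAR2(2), sees_discount CHAR(1));
INSERT INTO sales.sales_reps VALUES ('SREP_US', 'US', 'N');
INSERT INTO sales.sales_reps VALUES ('MGR_EU',  'EU', 'Y');
CREATE TABLE sales.orders (
  order_id NUMBER PRIMARY KEY, region VARCHAR2(2), customer VARCHAR2(40),
  amount NUMBER, discount NUMBER);
INSERT INTO sales.orders VALUES (1, 'US', 'Acme', 100, 5);
INSERT INTO sales.orders VALUES (2, 'EU', 'Beta', 250, 10);
COMMIT;

-- 1. Application namespace bound to one package: only SALES.ORDERS_CTX_PKG can
--    write attributes into ORDERS_CTX; any code may read them with SYS_CONTEXT.
CREATE CONTEXT orders_ctx USING sales.orders_ctx_pkg;

CREATE OR REPLACE PACKAGE sales.orders_ctx_pkg AS
  PROCEDURE init;
END orders_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY sales.orders_ctx_pkg AS
  PROCEDURE init IS
    v_rep sales.sales_reps%ROWTYPE;
  BEGIN
    -- Values are derived from the authenticated database user, never taken
    -- from a parameter the client could choose.
    SELECT * INTO v_rep FROM sales.sales_reps
     WHERE db_user = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('ORDERS_CTX', 'REGION',        v_rep.region);
    DBMS_SESSION.SET_CONTEXT('ORDERS_CTX', 'SEES_DISCOUNT', v_rep.sees_discount);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN  -- unknown user: a region that matches no row
      DBMS_SESSION.SET_CONTEXT('ORDERS_CTX', 'REGION',        'NONE');
      DBMS_SESSION.SET_CONTEXT('ORDERS_CTX', 'SEES_DISCOUNT', 'N');
  END init;
END orders_ctx_pkg;
/
GRANT EXECUTE ON sales.orders_ctx_pkg TO PUBLIC;   -- it only reads SALES_REPS

-- 2. Policy functions return the predicate the database appends. Referencing
--    SYS_CONTEXT keeps the SQL text constant across sessions (shared cursors);
--    the value is read when the statement executes.
CREATE OR REPLACE FUNCTION sales.orders_region_pred(p_schema VARCHAR2, p_object VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN 'region = SYS_CONTEXT(''ORDERS_CTX'', ''REGION'')';
END;
/
CREATE OR REPLACE FUNCTION sales.orders_discount_pred(p_schema VARCHAR2, p_object VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  RETURN 'SYS_CONTEXT(''ORDERS_CTX'', ''SEES_DISCOUNT'') = ''Y''';
END;
/

-- 3. Row filtering: a rep can only see, update or delete own-region rows.
BEGIN
  DBMS_RLS.ADD_POLICY(object_schema => 'SALES', object_name => 'ORDERS',
    policy_name     => 'orders_by_region',
    function_schema => 'SALES', policy_function => 'ORDERS_REGION_PRED',
    statement_types => 'SELECT, UPDATE, DELETE',
    policy_type     => DBMS_RLS.CONTEXT_SENSITIVE);
END;
/
-- 4. Column masking: rows are still returned, but DISCOUNT reads as NULL when
--    the predicate is false, instead of the row disappearing.
BEGIN
  DBMS_RLS.ADD_POLICY(object_schema => 'SALES', object_name => 'ORDERS',
    policy_name           => 'orders_mask_discount',
    function_schema       => 'SALES', policy_function => 'ORDERS_DISCOUNT_PRED',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'DISCOUNT',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS,
    policy_type           => DBMS_RLS.CONTEXT_SENSITIVE);
END;
/

-- 5. Each session initialises the context (here explicitly; a logon trigger
--    is the usual place) and then queries with no WHERE clause of its own.
EXEC sales.orders_ctx_pkg.init
SELECT order_id, region, customer, amount, discount FROM sales.orders;
```

With this in place SREP_US gets order 1 with a NULL discount and MGR_EU gets order 2 with its discount, and neither can change the outcome by adding its own predicates. The security-relevant choice is in step 1: because the namespace is bound to the package and the package derives its values from SESSION_USER, a client cannot set REGION to a value of its choosing, which is the property the "designated PL/SQL package" bullet is about.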
Authenticating the Application
Secure External Password Store
• Secure database-external location to store application and user passwords
  – Leverages the Oracle Wallet
  – Passwords never in the clear on file system
  – Accessible from OCI, SQL*Plus, JDBC
• Supports using different password credentials for different databases
Area 4: Application-Specific Protection
Oracle Real Application Security (RAS)
• Support Application Users and Sessions
  – Schema-less user, Security and application context in DB
• Support Application Privileges and Roles
  – E.g., ViewSalary, RequestLeave, ApproveLeave privileges
  – E.g., Manager, HR_Rep, Approver roles
• Support fine-grained data access control on rows and columns
  – Based on user operation execution context
  – Enforce security close to data
RAS Architecture
(Diagram labels: Applications (Web users, APEX apps, SQL*Plus), Auth, JDBC, Identity Manager, Authorization Service Interface, Connection Pool Sessions, DB Sessions, RAS Sessions, Data Security Policy.)
Example: Access Control Requirements
• Employees can view public information
• An employee can view own record, update contact information
• Manager can view salary of his/her reports

(Table: the EMPLOYEES data used in the example. SSN and Salary are blank where the viewer may not see them.)

Name    Manager  SSN          Salary  Phone Number
Adam    Steven                        515.123.4567
Neena   Steven                        515.123.4568
Nancy   Neena                         515.124.4569
Luis    Nancy                         515.124.4567
John    Nancy                         515.124.4269
Daniel  Nancy                         515.124.4469

(A second view of the table on the slide shows what the manager Nancy sees: her own row with SSN 108-51-4569, salary 12030 and phone 650.111.3300, and the salaries 6900, 8200 and 9000 of the three employees reporting to her.)
Real Application Security Concepts
Data Realms
• A group of rows representing a business object
  – All employees
  – My own employee record
  – All employees reporting to me
• Assign privileges to columns
  – viewSSN for SSN column
  – viewSalary for Salary column

(Diagram: the EMPLOYEE table with three realms, All records, My reports and My own, and the viewSSN and viewSalary column privileges.)
Real Application Security Data Security Policy Components
• Each Data Realm has an associated ACL with grants
• Data Security policy is a collection of Data Realms and ACLs

(Diagram:)
Data Realm: Employees under my report
Access Control List (ACL): Grant select to Manager; Grant viewSalary to Manager
Application Role: Manager
Application Privilege: select, viewSalary
Manager: RAS APEX HR Application
(Screenshot: logged in as a manager, "Can view salaries of my reports".)

Oracle Real Application Security: Uniform Authorization on All Access Paths
(Screenshot: direct connect to the DB with SQL*Plus as manager 'Nancy'.)
RAS Administration Tool
(Screenshot: Employees Table with the data realms 1. All records, 2. My record, 3. My reports; restricted Salary & SSN columns; privilege grants.)
Data Security Patterns
• Session attribute based: VP can view employee salaries of his organization
• Master/Detail: An Employee record and its Job History line items are protected as a single logical record
• Parameterized Grant: Managers in each region, e.g., East and West, access employee records, striped based on region
• Conditionally related: HR representative can change job designation, if the employee is assigned to him
• Exceptions: A contract worker needs temporary access to certain employee records
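The RAS slides from "Example: Access Control Requirements" through "Data Security Policy Components" describe one policy; here it is written out end to end as an added example (not code from the deck or from Oracle). Assumed: an HR.EMPLOYEES table with EMP_ID, MANAGER_ID, SSN and SALARY columns, the security class HR_PRIVS, the application roles EMPLOYEE_ROLE and MANAGER_ROLE, the namespace HR_NS, the application user NANCY and her employee id. The three realms map to "All records", "My own" and "My reports"; the column constraints are the viewSSN and viewSalary privileges from the slide; the last step is the runtime side, where the mid-tier attaches a RAS session for the authenticated user to a pooled database session.

```sql
-- Added example (not from the slides): Real Application Security policy for
-- HR.EMPLOYEES. All names are assumptions; run the setup as a RAS
-- administrator and step 6 as the mid-tier account (needs XS_SESSION_ADMIN).

-- 1. Application roles and a schema-less application user in the RAS store
BEGIN
  XS_PRINCIPAL.CREATE_ROLE(name => 'employee_role', enabled => TRUE);
  XS_PRINCIPAL.CREATE_ROLE(name => 'manager_role',  enabled => TRUE);
  XS_PRINCIPAL.CREATE_USER(name => 'nancy');
  XS_PRINCIPAL.GRANT_ROLES('nancy', 'employee_role');
  XS_PRINCIPAL.GRANT_ROLES('nancy', 'manager_role');
END;
/
-- 2. Application privileges VIEW_SALARY and VIEW_SSN, in a security class that
--    inherits SELECT/INSERT/UPDATE/DELETE from SYS.DML
BEGIN
  XS_SECURITY_CLASS.CREATE_SECURITY_CLASS(
    name        => 'hr_privs',
    parent_list => XS$NAME_LIST('sys.dml'),
    priv_list   => XS$PRIVILEGE_LIST(XS$PRIVILEGE(name => 'view_salary'),
                                     XS$PRIVILEGE(name => 'view_ssn')));
END;
/
-- 3. Session namespace carrying the caller's employee id (set by the mid-tier)
BEGIN
  XS_NAMESPACE.CREATE_TEMPLATE(
    name      => 'hr_ns',
    attr_list => XS$NS_ATTRIBUTE_LIST(XS$NS_ATTRIBUTE(name => 'emp_id')));
END;
/
-- 4. One ACL per data realm, granting application privileges to application roles
BEGIN
  XS_ACL.CREATE_ACL(name => 'all_emps_acl', sec_class => 'hr_privs',    -- public info
    ace_list => XS$ACE_LIST(XS$ACE_TYPE(principal_name => 'employee_role',
                  privilege_list => XS$NAME_LIST('select'))));
  XS_ACL.CREATE_ACL(name => 'own_rec_acl', sec_class => 'hr_privs',     -- my own record
    ace_list => XS$ACE_LIST(XS$ACE_TYPE(principal_name => 'employee_role',
                  privilege_list => XS$NAME_LIST('select','update','view_salary','view_ssn'))));
  XS_ACL.CREATE_ACL(name => 'my_reports_acl', sec_class => 'hr_privs',  -- my reports
    ace_list => XS$ACE_LIST(XS$ACE_TYPE(principal_name => 'manager_role',
                  privilege_list => XS$NAME_LIST('select','view_salary'))));
END;
/
-- 5. Data security policy: realms (row predicates) paired with ACLs, plus
--    column constraints that bind SSN and SALARY to the application privileges.
--    A row that falls into several realms is accessible if any of their ACLs grants it.
DECLARE
  realms XS$REALM_CONSTRAINT_LIST;
  cols   XS$COLUMN_CONSTRAINT_LIST;
BEGIN
  realms := XS$REALM_CONSTRAINT_LIST(
    XS$REALM_CONSTRAINT_TYPE(realm => '1 = 1',
                             acl_list => XS$NAME_LIST('all_emps_acl')),
    XS$REALM_CONSTRAINT_TYPE(realm => 'emp_id = XS_SYS_CONTEXT(''hr_ns'',''emp_id'')',
                             acl_list => XS$NAME_LIST('own_rec_acl')),
    XS$REALM_CONSTRAINT_TYPE(realm => 'manager_id = XS_SYS_CONTEXT(''hr_ns'',''emp_id'')',
                             acl_list => XS$NAME_LIST('my_reports_acl')));
  cols := XS$COLUMN_CONSTRAINT_LIST(
    XS$COLUMN_CONSTRAINT_TYPE(column_list => XS$LIST('salary'), privilege => 'view_salary'),
    XS$COLUMN_CONSTRAINT_TYPE(column_list => XS$LIST('ssn'),    privilege => 'view_ssn'));
  XS_DATA_SECURITY.CREATE_POLICY(name => 'emp_policy',
    realm_constraint_list => realms, column_constraint_list => cols);
  XS_DATA_SECURITY.APPLY_OBJECT_POLICY(policy => 'emp_policy',
    schema => 'HR', object => 'EMPLOYEES');
END;
/
-- 6. Runtime: the mid-tier creates a lightweight RAS session for the
--    authenticated application user, attaches it to the pooled database
--    session and sets the namespace attribute. Every statement is now
--    authorized as NANCY, the same way from SQL*Plus as from APEX.
DECLARE
  v_sid RAW(16);
BEGIN
  DBMS_XS_SESSIONS.CREATE_SESSION(username => 'nancy', sessionid => v_sid);
  DBMS_XS_SESSIONS.ATTACH_SESSION(sessionid => v_sid);
  DBMS_XS_SESSIONS.CREATE_NAMESPACE(namespace => 'hr_ns');
  DBMS_XS_SESSIONS.SET_ATTRIBUTE(namespace => 'hr_ns', attribute => 'emp_id',
                                 value => '103');   -- constructed id for Nancy
END;
/
SELECT name, manager_id, ssn, salary FROM hr.employees;  -- rows and columns per EMP_POLICY
```

The point the deck makes with "uniform authorization on all access paths" follows from the shape of this setup: the ACLs and realms are attached to the table, not to the APEX application, so a manager querying through SQL*Plus gets exactly the rows and columns the policy grants, and the SSN and SALARY columns come back NULL wherever the matching privilege is missing.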
Area 5: Auditing
What Actually Happened?
Auditing the Application from the Database
• Monitor privileged user accounts for non-compliant activity
  – Audit non-application access to sensitive data (credit card, financial data, personally identifiable information, etc.)
• Verify that no one is trying to bypass the application controls/security
• Audit application activity selectively
  – Perhaps audit changes to the most sensitive data even from within the application
Catch Anomalies with Conditional Auditing
Oracle Database Auditing
• Policy based: set of privileges, objects, actions audited and managed as a group
• Conditional: multi-factor auditing to easily catch anomalies
• User exceptions: audit all access except when connected by…
• Extensible syntax: add context data: realms, labels, app context, etc.
• Unified Audit: secure, performant
Audit Policy Example
Audit Accesses that Bypass Application Code
• CREATE AUDIT POLICY hr_app_policy ACTIONS ALL ON HR.EMPLOYEES WHEN 'UPPER(SYS_CONTEXT(''USERENV'',''MODULE'')) != ''HR_APP''' EVALUATE PER SESSION;
• AUDIT POLICY hr_app_policy EXCEPT hr;
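The policy on the slide covers the bypass case; the three goals listed under "What Actually Happened?" need two more, and an audit policy is only useful if someone reads the trail. The following is an added example, not code from the deck or from Oracle; the policy names, the module name HR_APP and the OPS_DBA account are assumptions. It shows a privileged-account policy without a module condition, a selective per-statement policy for changes made from inside the application, and the query an analyst runs over UNIFIED_AUDIT_TRAIL afterwards.

```sql
-- Added example (not from the slides): unified audit policies for bypass
-- detection, privileged-account monitoring and selective in-application
-- auditing, plus the review query. Names are assumptions; run as a user with
-- the AUDIT_ADMIN role (AUDIT_VIEWER suffices for the final SELECT).

-- 1. Bypass detection: anything on HR.EMPLOYEES from a session that does not
--    identify itself as the application. The condition is checked once per
--    session, so a session that later changes its module is still covered
--    by the verdict reached at first use.
CREATE AUDIT POLICY hr_bypass_pol
  ACTIONS ALL ON hr.employees
  WHEN 'UPPER(SYS_CONTEXT(''USERENV'',''MODULE'')) != ''HR_APP'''
  EVALUATE PER SESSION;
AUDIT POLICY hr_bypass_pol EXCEPT hr;

-- 2. Privileged account: record use of broad system privileges and every
--    action on the sensitive table, whatever the module claims to be.
CREATE AUDIT POLICY dba_activity_pol
  PRIVILEGES SELECT ANY TABLE, ALTER ANY TABLE, DROP ANY TABLE,
             ALTER USER, GRANT ANY PRIVILEGE
  ACTIONS ALL ON hr.employees;
AUDIT POLICY dba_activity_pol BY ops_dba;

-- 3. Selective auditing inside the application: updates to EMPLOYEES made
--    through the application module, decided statement by statement.
CREATE AUDIT POLICY hr_app_update_pol
  ACTIONS UPDATE ON hr.employees
  WHEN 'UPPER(SYS_CONTEXT(''USERENV'',''MODULE'')) = ''HR_APP'''
  EVALUATE PER STATEMENT;
AUDIT POLICY hr_app_update_pol;

-- 4. What actually happened: the last day's bypass events, with who, from
--    where, with which program, and the statement text.
SELECT event_timestamp, dbusername, os_username, userhost, client_program_name,
       action_name, object_name, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%HR_BYPASS_POL%'
AND    event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
ORDER  BY event_timestamp DESC;
```

Because MODULE is a modifiable USERENV attribute set by the client, policy 1 records sessions that do not pose as the application; it does not prove that a session claiming HR_APP is the application. That is why policy 2 deliberately has no module condition and why the review query pulls OS user, host and program name: those fixed attributes are what an analyst correlates when a row in the trail looks out of place.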
Bringing it all together…
Summary
• Think security from the beginning
• Identify and catalog sensitive data
• Minimize privilege based on user and action
• Use Database Security to control access to data
  – Consistent enforcement
  – Easy to extend and adapt
  – Close to data and not bypassable
• Audit changes to application and data
Visit Us in the Oracle Database Security Demo Grounds

Demo Booth Title                                Featured Solutions
Authentication & Authorization                  Centrally Managed Users, Database Vault, Real Application Security, Label Security
Encryption & Key Management                     Transparent Data Encryption, Key Vault, Data Redaction
Auditing and Activity Monitoring                Database Auditing, Audit Vault and Database Firewall, Data Security Cloud Service - Auditing
Database Security for Application Developers    Database Security Assessment Tool, Data Masking and Subsetting, Data Discovery and Data Security Cloud Service - Masking