Business & Decision Life Sciences - Lex Jansen

Restricted © Business & Decision Life Sciences 2014 All rights reserved.

Page 1

Business & Decision Life Sciences

Creating a personal view on the data by using a Virtual Private Database

Sébastien Roland, 13 October

Page 2

Content

Introduction
Security issues
Securing via Views
Securing via Virtual Private Database
Advantages and disadvantages

Page 3

Content (section divider, same list as Page 2)

Page 4

Introduction

[Figure: application stack, top to bottom: User Interface, Controllers layer, Services layer, Data Layer, DB; a "Spy" figure labelled "Threat!" stands beside the stack]

•  Applications are viewed as a monolithic block

Page 5

Content (section divider, same list as Page 2)

Page 6

Security issues

-  Relational database
-  52 tables
-  Data & metadata
-  Clinical studies
-  Users & groups

[Figure: schema of the 52 tables, among them STUDY, CODEVAL, VLMVAL, TRIAL, ARM, XMLDOC, ..., DOMAIN, EPOCH, CDASH, VLMNAM and CODELIST; the STUDY table is shown with sample rows:]

    STUDY_ID  STUDY_NAME  ...                  GROUP
    201       ST_CRO_B1   Confidential data !  DM1
    202       ST_CRO_B2   Confidential data !  DM1
    207       ST_CRO_ZA   Confidential data !  DM2
    245       ST_CRO_KU   Confidential data !  DM3

Page 7

Security issues

-  Relational database
-  52 tables
-  Data & metadata
-  Clinical studies
-  Users & groups

[Figure: same schema and STUDY table as Page 6; a CUSTOM APPLICATION box, "Logged in as: DM1", with a Login field, connects to the database]

Page 8

Security issues

•  There are 2 major security issues
   –  Security is handled by the application
   –  Doesn't take into account third-party accesses

Page 9

Issue 1: Application's security

[Figure: same schema and STUDY table as Page 6; the CUSTOM APPLICATION, "Logged in as: DM1", sends the query below to the database]

Login input: ST_CRO_B1

    SELECT * FROM STUDY JOIN ... WHERE STUDY_NAME LIKE 'ST_CRO_B1'

Page 10

Issue 1: Application's security

[Figure: same schema and STUDY table as Page 6; the CUSTOM APPLICATION, "Logged in as: DM1", sends the query below to the database]

Login input: ' or 1=1--

    SELECT * FROM STUDY JOIN ... WHERE STUDY_NAME LIKE '' or 1=1--'

Page 11

Issue 2: Third party access

[Figure: a file server holding programs (SAS, Perl, ...) that start and connect directly to the database]

-  User has access to the password
-  Hash it? E.g. PROC PWENCODE
   –  Not safe

Page 12

Content (section divider, same list as Page 2)

Page 13

Securing via views

•  What is a view and how to secure?

    CREATE VIEW staff AS
        SELECT employee_id, last_name, job_id, manager_id, department_id
        FROM   employees;

[Figure: an "access" arrow pointing at the view]

Page 14

Securing via views

[Figure: same schema and STUDY table as Page 6; a view STUDY_VIEW_DM1 sits between the application and the STUDY table, with "GRANT select, update…" on the view]

•  To solve our practical example
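The view-based solution sketched on this slide and the previous one, written out for the deck's STUDY table as an added example; this is not code from the slides or from Business & Decision. It assumes Oracle, a schema APP_OWNER that owns STUDY, a group column named STUDY_GROUP (the slide labels it GROUP, which is a reserved word in Oracle) and database accounts DM1 and DM2 named after the groups, as on the "Logged in as: DM1" slide; all of these names are assumptions, and the sample rows are constructed from the slide.

```sql
-- Added example, not from the slides. Assumed names: schema APP_OWNER,
-- column STUDY_GROUP, accounts DM1 / DM2. Run as APP_OWNER.

-- Constructed sample data matching the STUDY rows shown on the slides.
CREATE TABLE app_owner.study (
    study_id    NUMBER        PRIMARY KEY,
    study_name  VARCHAR2(30)  NOT NULL,
    study_group VARCHAR2(10)  NOT NULL
);
INSERT INTO app_owner.study VALUES (201, 'ST_CRO_B1', 'DM1');
INSERT INTO app_owner.study VALUES (202, 'ST_CRO_B2', 'DM1');
INSERT INTO app_owner.study VALUES (207, 'ST_CRO_ZA', 'DM2');
INSERT INTO app_owner.study VALUES (245, 'ST_CRO_KU', 'DM3');
COMMIT;

-- One view per group. The hard-coded predicate is all the view exposes, so a
-- query assembled by the application can never reach another group's rows.
-- WITH CHECK OPTION also rejects INSERT/UPDATE through the view that would
-- move a row outside the DM1 partition.
CREATE OR REPLACE VIEW app_owner.study_view_dm1 AS
    SELECT study_id, study_name, study_group
    FROM   app_owner.study
    WHERE  study_group = 'DM1'
    WITH CHECK OPTION;

CREATE OR REPLACE VIEW app_owner.study_view_dm2 AS
    SELECT study_id, study_name, study_group
    FROM   app_owner.study
    WHERE  study_group = 'DM2'
    WITH CHECK OPTION;

-- Grant the view only; the group accounts get no privilege on the base table.
GRANT SELECT, UPDATE ON app_owner.study_view_dm1 TO dm1;
GRANT SELECT, UPDATE ON app_owner.study_view_dm2 TO dm2;

-- Checks, to be run connected as DM1.
-- 1. The widened WHERE clause from the "Issue 1" slide is applied on top of
--    the view's own predicate, so it cannot widen the result past DM1's rows.
SELECT study_id, study_name
FROM   app_owner.study_view_dm1
WHERE  study_name LIKE '' OR 1=1;

-- 2. Re-assigning a DM1 study to DM2 through the view is rejected by the
--    check option, so a DM1 session cannot push data into another group.
UPDATE app_owner.study_view_dm1
SET    study_group = 'DM2'
WHERE  study_id = 201;

-- 3. Direct access to the base table is not granted and fails for DM1.
SELECT * FROM app_owner.study;
```

Connected as DM1, check 1 returns only studies 201 and 202, check 2 fails with the WITH CHECK OPTION violation, and check 3 fails for lack of privilege. The cost the next slides describe is visible here: each group needs its own view and its own grant, and every view has to be revised when STUDY gains a column.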

Page 15

Content (section divider, same list as Page 2)

Page 16

Securing via Virtual Private Database

•  What is a Virtual Private Database?
   –  Dynamic WHERE clause

    SELECT * FROM EMPLOYEES;

becomes

    SELECT * FROM EMPLOYEES WHERE EMPLOYEE_ID = 203;

Page 17

Securing via Virtual Private Database

•  Policies can be added to tables, views or synonyms

    CREATE OR REPLACE FUNCTION check_updates (
        schema_var IN VARCHAR2,
        table_var  IN VARCHAR2
    ) RETURN VARCHAR2
    IS
        return_val VARCHAR2(400);
    BEGIN
        IF UPPER(SYS_CONTEXT('USERENV', 'SESSION_USER')) = UPPER(SYS_CONTEXT('USERENV', 'CURRENT_SCHEMA')) THEN
            return_val := NULL;
        ELSE
            return_val := 'EMPLOYEE_ID = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
        END IF;
        RETURN return_val;
    END check_updates;
    /

    BEGIN
        DBMS_RLS.ADD_POLICY(
            object_schema   => 'hr',
            object_name     => 'employees',
            policy_name     => 'secure_update',
            policy_function => 'check_updates',
            statement_types => 'SELECT');
    END;
    /
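The same mechanism applied to the deck's own STUDY table, as an added example that is not code from the slides or from Business & Decision: one policy function supplies the dynamic WHERE clause for every statement, which replaces the per-group views. It assumes Oracle, a schema APP_OWNER owning a STUDY table with a STUDY_GROUP column (the slide labels it GROUP), database accounts DM1, DM2 and DM3 named after the groups so that SESSION_USER is the group name, and that the account running it has EXECUTE on DBMS_RLS; all of these are assumptions.

```sql
-- Added example, not from the slides. Assumed names: schema APP_OWNER, table
-- STUDY with column STUDY_GROUP, accounts DM1 / DM2 / DM3. Run as APP_OWNER
-- after GRANT EXECUTE ON DBMS_RLS TO app_owner.

-- Policy function. The kernel calls it with the object's schema and name and
-- appends the string it returns as a WHERE clause to every statement
-- against STUDY, whatever client issued the statement.
CREATE OR REPLACE FUNCTION app_owner.study_group_policy (
    schema_var IN VARCHAR2,
    table_var  IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
    -- The schema that owns STUDY sees every row (empty predicate); every other
    -- session is restricted to the rows of the group it is logged in as.
    IF UPPER(SYS_CONTEXT('USERENV', 'SESSION_USER')) = UPPER(schema_var) THEN
        RETURN NULL;
    END IF;
    -- The predicate is a fixed string that reads the session user inside the
    -- kernel; nothing from the client's SQL text is concatenated into it.
    RETURN 'STUDY_GROUP = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END study_group_policy;
/

BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'APP_OWNER',
        object_name     => 'STUDY',
        policy_name     => 'STUDY_GROUP_ROWS',
        function_schema => 'APP_OWNER',
        policy_function => 'STUDY_GROUP_POLICY',
        -- Enforce on writes as well, unlike the SELECT-only slide example;
        -- otherwise a job on the file server could still UPDATE other groups.
        statement_types => 'SELECT, INSERT, UPDATE, DELETE',
        -- Reject INSERT/UPDATE whose resulting rows fall outside the predicate,
        -- the VPD counterpart of a view's WITH CHECK OPTION.
        update_check    => TRUE);
END;
/

-- With the policy in place the group accounts can be granted the table
-- itself; the kernel, not a view, decides which rows they see.
GRANT SELECT, INSERT, UPDATE, DELETE ON app_owner.study TO dm1, dm2, dm3;

-- Verify the policy is enabled for all four statement types.
SELECT policy_name, sel, ins, upd, del, chk_option, enable
FROM   all_policies
WHERE  object_owner = 'APP_OWNER' AND object_name = 'STUDY';

-- Checks, to be run connected as DM1. Both statements are rewritten by the
-- kernel, so the application's WHERE clause, injected or not, cannot widen
-- the result, and a SAS or Perl job using DM1's credentials is bound by the
-- same predicate.
SELECT study_id, study_name
FROM   app_owner.study
WHERE  study_name LIKE '' OR 1=1;

UPDATE app_owner.study
SET    study_group = 'DM2'
WHERE  study_id = 201;
```

Connected as DM1, the SELECT returns only DM1's studies and the UPDATE fails with the policy check-option violation. Two caveats belong with this: the predicate is applied to every session except SYS and accounts holding the EXEMPT ACCESS POLICY system privilege, so who holds that privilege (DBA_SYS_PRIVS) is part of the control; and VPD bounds what an injected query can reach, it does not remove the injection in the application, so the application's own query building still needs fixing.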

Page 18

Content (section divider, same list as Page 2)

Page 19

Advantages and disadvantages

•  Views
   –  Provide row level protection
   –  Maintainability: number of views to create
   –  Security based on an extra layer

•  Virtual Private Database
   –  Provide row level protection
   –  Maintainability: policies defined once
   –  Security in the kernel
   –  Complete range of motion

Page 20

Thank you for your attention. Join us for a coffee at our stand.

London, United Kingdom, 13 OCT 2014

Page 21

Business & Decision Life Sciences
Sint-Lambertusstraat 141 rue Saint-Lambert
B-1200 Brussels
T: +32 2 774 11 00
F: +32 2 774 11 99
[email protected]
http://www.businessdecision-lifesciences.com/

Sébastien Roland | Software Architect | [email protected]