Providing Security in Oracle Database

1. Database Security Course
Tarbiat Modares Universisty
Atousa Ahsani, Hanie Zolfi
Professor: Dr.Sadegh Dorri Nogoorani
Fall 2019
2019/12/30
Video Link: https://www.aparat.com/v/AP2NS
SECURITY IN ORACLE

2. 2
OVERVIEW
 Introduction
 PL/SQL
 Pluggable Database
Password Protection
Virtual Private Database
Access Control
 DAC
 MAC (OLS)
Transparent Data Encryption

3. INTRODUCTION
3

4. INTRODUCTION
PL/SQL is an extension of Structured Query Language (SQL)
that is used in Oracle.
PL/SQL allows the programmer to write code in a procedural
format.
Similar to other database languages, it gives more control to
the programmers by the use of loops, conditions and object-
oriented concepts.
4

5. PDB
One or more PDBs together are called
a container database (CDB).
They are completely transparent to the
users and applications.
5
A Pluggable Database (PDB) is a portable collection of schemas, schema objects, and non
schema objects that appear to an Oracle Net client as a separate database.

6. PASSWORD PROTECTION
6

7.  In a default installation,
Oracle Database provides
tow password verification
functions to ensure that new
or changed passwords are
sufficiently complex.
 You must manually enable
password complexity
checking.
 You can further customize
the complexity of your
users' passwords
 Passwords are case
sensitive. For example, the
password hPP5620qr fails if
it is entered as hpp5620QR
or hPp5620Qr
 To verify the user's
password and enforce case
sensitivity in password
creation, Oracle Database
uses the 12C password
version, which is based on a
de-optimized algorithm that
involves Password-Based
Key Derivation Function
(PBKDF2) and the SHA-
512 cryptographic hash
functions
7
PASSWORD PROTECTION
Password
encryption
Password
complexity
checking
Enforced case
sensitivity
Password
hashed using
the 12C password
version.
 Oracle Database
automatically and
transparently encrypts
passwords during network
connections using AES.
 You can enabled Advanced
Security Option native
network encryption or
configure Secure Sockets
Layer (SSL) encryption.

8. VIRTUAL PRIVATE DATABASE
8

9. Oracle Virtual Private Database (VPD) enables you to dynamically
add a WHERE clause in any SQL statement that a user executes. The
WHERE clause filters the data the user is allowed to access, based on
the identity of a user.
This feature restricts row and column level data access by creating a
policy that enforces a WHERE clause for all SQL statements that
query the database.
9
VIRTUAL PRIVATE DATABASE

10. ACCESS CONTROL
10

11. ACCESS CONTROL
 discretionary access control
 Implementations With owner
 GRANT privileges ON object TO
user;
 REVOKE privileges ON object
FROM user;
 Oracle Label Security (OLS) provides
row-level security for your database
tables.
 Can be accomplished by assigning
security labels
 you can use OLS to assign specific users
authorization for specific rows, based on
these labels.
 OLS compares the label of the data row
with the security clearance of the user to
determine whether the user is allowed
access to the data in the row.
11
MAC(OLS)DAC

12. EMPLOYEESTABLE
Id first_name last_name department salary ols_label
101 Harry Hill IT 600 S
102 Vik Reeves STAFF 300 UC
103 Bob Mortimer SEC 1000 TS
104 Paul Whitehouse EDU 500 C
105 Harry Enfield Staff 350 UC
9
Bill
Security level = S
John
Security level = C

13. 13
OLS VS VPD
Use case: Web based systems or any
application needs to allow user based
access to content
OLS Row Level Security, based on user credentials
VPD Similar to Row Level Security
Without adding extra column to table
Use case
Web based systems or any application needs to allow user based access to content

14. TRANSPARENT DATA ENCRYPTION
14

15. 15
TRANSPARENT DATA ENCRYPTION
Encrypting data includes the following components:
 An algorithm to encrypt the data
 A key to encrypt and decrypt data
Transparent Data Encryption enables you to encrypt individual table
columns or an entire tablespace.
When a user inserts data into an encrypted column, Transparent Data
Encryption automatically encrypts the data. When authorized users
select the column, then the data is automatically decrypted.

16. IMPLEMENTATION
16
 PASSWORD PROTECTION
 VIRTUAL PRIVATE DATABASE
 ORACLE LABEL SECURITY(OLS)
 TRANSPARENT DATA ENCRYPTION

17. RESOURCES AND REFERENCES
17
https://docs.oracle.com/database/121/TDPSG/toc.htm
https://oracle-base.com/articles/9i/oracle-label-security-9i
https://oracle-base.com/articles/8i/virtual-private-databases
https://oracle-base.com/articles/12c/multitenant-transparent-data-encryption-tde-12cr1