Vault_KT.pptx

AGENDA
 Introduction
 Oracle Database Vault in a Nutshell
 Latest Database Vault Features
 Conceptual Considerations
 Good Practice
 Further Measures
 Alternatives to Database Vault
 Conclusion
Thief
Snake
Cheetah

PROTECT FROM WHOM?
Snake
Cheetah
 Privileges escalation
 Improper use of rights
 Vulnerabilities and
misconfiguration
 Excessive and unnecessary
user authorizations
 Denial of Service
 Unmonitored sensitive data
 Input Injection / SQL Injection
Thief
 Theft of backups
 Disclosure / access to
the storage medium
 Datafile (modification,access)

THE PROBLEM
 Database with classified data
o Individual Objects
o Schemas or whole database
 High privileges users are not allowed to read / modify data
o User with ANY privileges
o User with administrative privileges e.g., SYSDBA
o OS user oracle
o OS super user like root
 No segregation of duties enforced
Highly privileged users can basically read everything or
assign themselves the appropriate rights.

ORACLE DATABASE VAULT…
 …provides advanced controls for sensitive data
o Basic security concept is still necessary respectively even mandatory
 …integrated with existing security measures and features
o Transparent Data Encryption
o Oracle Multitenant architecture
o Enterprise User Security
o Secure Application Roles, Data Redaction, Virtual Private Database and other security features
 …implements a few basic security measures by just switching it on.
o Update existing database roles
o Modify some commands by adding command rules
o Change some init.ora parameter

DATABASE VAULT BASIC FEATURES
 Controls for privileged accounts
 Controls for database configuration
 Enforce separation of duty out of the box
 Operation Control and Manageability
o Day to day DB Administration ”as usual”
under the premise of separation of duties
 Integration through a change of binaries
 Database Vault is based on the existing access and protection
 Rule sets for four eyes principle possible
 Only data in a realm is protected
o A realm is a functional group of schemas and roles
o A realm must be set up after activation of Database Vault

ACCESS WORKFLOW
 Verify if object is protected by a REALM
 Verify if a ANY or system privilege is used
 Check if REALM is mandatory
 User must be part of the REALM
 Is there a RULE SET defined?
 How does the RULE SET evaluate?
 Is there a COMMAND RULE defined?
 Command is either executed or not

MAJOR ENHANCEMENTS OVER THE PAST RELEASES
 Oracle Database12c Release 1 and 2
o Introduction of the Oracle Database Vault Simulation Mode
o Vault Mandatory Realms e.g., to control access to own objects
 Oracle Database19c
o Enhanced support for Unified Audit Policies
o Database Vault Operations Control for Infrastructure Database Administrators in Oracle Multitenant
o Enhancements to Oracle Database Vault Simulation Mode
o Ability to Grant Data Pump-Database Vault Authorizations to Roles
o Oracle Database Vault Support for Oracle Database Replay
 Oracle Database21c (innovation release)
o Operational Improvements e.g., no Need to Disable Oracle Database Vault Before Upgrades
o Better support for Oracle Multitenant
o Uninstalling and Installing Oracle Label Security and Oracle Database Vault Now Supported

RECOMMENDED PREREQUISITES FOR DATABASE VAULT
 Existing Database Security Concept covering Users and Roles
 Moderate Database Hardening
o Database Vault for a DB with holes like a Swiss Emmental makes no sense
 Have an idea about Operation and Administration Use Cases
o What has to be done by a DB operator?
o What activities are performed by a DBA?
o =>Get an idea of where additional costs might be generated
 Have an idea about Application Use Cases
o Who is doing what?
 Propre data classification or be sure what requires protection
 Review what is available
o Pre-Defined Oracle Database Vault configuration / guidelines for SAP, People Soft and more

DATABASE VAULT ADMINISTRATION USE CASES
Administration Task Oracle Database Vault operational
controls required?
Comments
Starting up and shutting down the
database
No
Managing database initialization
parameters
Yes Some parameters are protected by the
ALTER SYSTEM command rule.
Managing users and roles Yes
Oracle Data Pump Yes Proper Oracle Database Vault
authorization should be granted
before doing this task.
EXPLAIN PLAN Yes PLAN_TABLE should be accessible to
DBA.

 Not everything what is possible should be done
o REALMS
o COMMAND RULES
o RULES / RULE SET
o FACTORES
 Use a simple as possible concept
 The more complex the configuration, the more vulnerable
to vulnerabilities
 Plan enough time to application and functional tests
 Database Simulation Mode does help
KEEP THE CONFIGURATION SIMPLE

OBJECT TYPES
 Object types that can be protected by realms. Use them all?
CLUSTER LIBRARY ROLE
DIMENSION MATERIALIZED VIEW SEQUENCE
FUNCTION MATERIALIZED VIEW LOG SYNONYM
INDEX OPERATOR TABLE
INDEX PARTITION PACKAGE TRIGGER
INDEXTYPE PROCEDURE TYPE
JOB PROGRAM VIEW

PL/SQL API
BEGIN
DVSYS.DBMS_MACADM.CREATE_REALM(
realm_name => 'TVD_SCOTT',
description => 'Protect highly sensitive SCOTT schema',
enabled => 'Y',
audit_options => 3,
realm_type =>'0' );
END;
/
 Database Vault is configured using the PL/SQL API
 Not that simple for engineering but easy reproducible (script)

ORACLE ENTERPRISE MANAGER THE DATABASE VAULT GUI

GOOD PRACTICE AND WHITE PAPERS
 Check the security configuration of your database
o Oracle Database Security Assessment Tool (DBSAT) and Support Note 2484219.1
o Oracle Data Safe - unified control center for your Oracle databases
o CIS Assessor Tool CIS Cat Pro
 Do the security audit initially as well on a regular basis
o Configuration may change
 Consider the Oracle White Papers regarding Oracle Database Vault
o Oracle Database Vault DBA Administrative Best Practices
o Does provide information about different administration tasks and the impact
o Oracle Database Vault Best Practices
o General information and best practices for implementing Oracle Database Vault protections

 Verify Database Vault configuration using simulation Mode
 Configured when creating REALMS or COMMAND RULES
 Protection is enabled but not enforces
 Violations are reported in DBA_DV_SIMULATION_LOG
 Database Vault use either traditional or unified audit
 Traditional Audit use DVSYS.AUDIT_TRAIL$ table
 Unified Audit does support policy based auditing
 All goes to the unified audit train
AUDIT AND SIMULATION

MANDATORY REALMS
 User with object privileges can always access an
object
 Consider using Mandatory REALMS
Mandatory REALMS …
 …can block object owners and object privileged users
 …provide more flexible configurations for access control
 …add a layer of protection during patch upgrades
 ... secure tables during runtime
 …freeze security settings by preventing changes to
configured roles

BACKUP ACCOUNTS
 DBA or SYSDBA can no longer do everything
o Segregation of duties
 DV_OWNER is the schema owner
o Configure / control Database Vault
 DV_ACCMGR is the account manager
o Only user who can maintain accounts
Loss of passwords for DV_
OWNER/DV_
ACCMGR
means loss of control over Database Vault
 Make sure you do have backup accounts with DV_OWNER
and DV_ACCMGR
o =>Also,a risk for a backdoor

ORACLE TRANSPARENT DATA ENCRYPTION
 Database Vault provides advanced controls only within the
database
o REALMS,RULES,FACTORS,COMMAND RULES
 No measures for external access
o Theft of backups
o Disclosure / access to the storage medium
o Datafile manipulations e.g., hexedit,strings etc.
 OracleAdvanced Security and Transparent Data Encryption is a
mandatory companion
o Protect data at REST
o Secure Backup Thief

USE CENTRAL MANAGED USERS /ROLES
 Database Vault enforce segregation of duties
o DBA is no longer maintaining accounts
o Task is handed over e.g., Service Desk, Sec
Operation,IAM etc.
 Increased effort for decentralized account
management
 Consider using
o Oracle Centrally Managed Users (CMU)
o Oracle EnterpriseUser Security (EUS)
 Account Management is done centrally
 Ideally integrated with an IAM solution

NETWORK ENCRYPTION
 By default SQL*Net Traffic is not encrypted
 Everybody on the network can read the TCP packets
 Encryption on transportation is recommended
 Oracle Native SQL*Net encryption using
SQLNET
.ENCRYPTION_CLIENTor
SQLNET.ENCRYPTION_SERVER
o Simple and transparent
o Does work for any OracleClient
 SSL Network Encryption using Secure Listener TCPS
o Requires Certificate
o Can be combined with Authentication

PDB ISOLATION
A multitenant container database provides the following
features beyond regular security measures:
 PATH_PREFIX and CREATE_FILE_DEST clause to limit data
files and directory objects to certain paths.
 PDB_OS_CREDENTIAL parameter assigning a dedicated user
account for OS interactions
 Lockdown profiles to restrict certain operations or
functionalities in a PDBs

 Third party tools to “monitor” the database access
 McAfee Database Activity Monitoring
o Running on the Database Server / SGA
 Imperva SecureSphare
o Network Appliance; Some kind of an application firewall
 IBM Guardian
o Database / Application firewall
 Oracle Database Firewall and Audit Vault Server
o Software Appliance
 All tools must learn the access rules / firewall rules
o More or less;predefined rules are available
 Residual risk that the tools can be bypassed
ACTIVITY MONITORING /DATABASE FIREWALL

CONCLUSION
 Oracle Database Vault has matured
o Shortcomings such as those in Oracle 9i,10g are pass
 Advanced controls for a robust protection of sensitive data
o On-premises and especially in cloud environments
 A clear security concept is a mandatory prerequisite
o E.g., user and role concept, hardening, data classification
 Accompanying measures such as TDE, CMU, etc. are required
 The additional effort is to be verified
o E.g., License costs,operating expenses,etc.
The question remains whether data is
so important that it is worth the effort

Vault_KT.pptx

More Related Content

Similar to Vault_KT.pptx

Recently uploaded

Vault_KT.pptx