Applied Oracle Security

Book Description

Cutting-edge techniques from leading Oracle security experts

This Oracle Press guide demonstrates practical applications of the most compelling methods for developing secure Oracle database and middleware environments. You will find full coverage of the latest and most popular Oracle products, including Oracle Database Vault and Audit Vault, Oracle Application Express, and secure Business Intelligence applications.

Applied Oracle Security demonstrates how to build and assemble the various Oracle technologies required to create the sophisticated applications demanded in today's IT world. Most technical references discuss only a single product or product suite, so there is no roadmap explaining how to get one product, product family, or suite to work with another. This book fills that void for Oracle Middleware and Database products in the area of security.

Table of Contents

  1. Cover Page
  2. Applied Oracle Security
  3. Copyright Page
  4. Dedication
  5. About the Authors
  6. Contents
  7. Foreword
  8. Acknowledgments
  9. PART I Oracle Database Security New Features
    1. 1 Security Blueprints and New Thinking
      1. About This Book
        1. Background Information
        2. Organization
      2. Database Security Today
        1. Evolving Technologies
      3. Security Motivators
        1. Sensitive Data Categorization
        2. Principles
      4. Modeling Secure Schemas
        1. Schema Profiles
        2. Object Owner Accounts
        3. User Access Accounts
      5. Getting Started
        1. User Profiles
        2. Schema Naming
        3. Security Architecture Checklist
      6. Summary
    2. 2 Transparent Data Encryption
      1. Encryption 101
        1. Goal of Encryption
        2. The Basics
        3. Encryption Choices
        4. The Algorithm and the Key
      2. Encrypting Data Stored in the Database
        1. Where the Data “Sleeps”
        2. Protecting the Data
        3. Viewing the Data
        4. Applied Example
        5. Encrypting in the Database
      3. The Transparent Data Encryption Solution
        1. TDE as Part of the Advanced Security Option
        2. TDE Setup: Oracle 10g
        3. The Oracle Wallet
        4. TDE’s Key Management
        5. Creating an Encrypted Column in a New Table
        6. Viewing Encrypted Columns
        7. Encrypting an Existing Column
        8. TDE Caveats
      4. Tablespace Encryption: New with Oracle 11g
      5. Oracle 11g Configuration
        1. TDE to Address PCI-DSS
        2. Operational Concerns
        3. Exporting and Importing Encrypted Data
        4. Integration with Hardware Security Modules
      6. Summary
    3. 3 Applied Auditing and Audit Vault
      1. An Era of Governance
      2. Auditing for Nonsecurity Reasons
      3. The Audit Data Warehouse
        1. Audit Warehouse Objectives
      4. What to Audit and When to Audit
        1. Guiding Principles
        2. Audit Patterns
        3. Other Audit Action Best Practices
      5. The Audit Warehouse Becomes the Audit Vault
        1. Audit Vault Architecture
      6. Installation Options
        1. Installing Audit Vault Server
        2. Installing Audit Vault Collection Agent
        3. Installation Caveats
        4. Reporting
        5. Alerts
        6. Managing Audit Policy for Source Databases
        7. Audit Maintenance Operations
      7. Summary
  10. PART II Oracle Database Vault
    1. 4 Database Vault Introduction
      1. The Security Gap
        1. History of Privileged Accounts
        2. The Security Remedy
        3. Security Should-haves
      2. Database Vault Components
        1. Factors
        2. Rules
        3. Realms
        4. Command Rules
      3. Installing Oracle Database Vault
        1. Installed DBV Administration Roles
        2. Managing Oracle DBV Configuration
        3. Default Separation of Duty
        4. Default Audit Policy
        5. Default Security-relevant DBV Factors
      4. Summary: Database Vault Is Differentiating Security
    2. 5 Database Vault Fundamentals
      1. Realms
        1. Realm Protection Patterns
        2. Creating Your First Realm
        3. Realm Components
      2. Command Rules
        1. Command Rule Components
        2. Commands Supported in Command Rules
        3. DBV CONNECT Command Rule
      3. Rule Sets
        1. Rule Set Evaluation Mode
        2. Rule Set Auditing
        3. Custom Event Handlers
        4. Rule Configuration
        5. DBV Rule Set Event Functions
        6. DBV Factors Used in Rule Set Expressions
      4. Factors
        1. Creating Factors
        2. Factor Identities
        3. DBV Factor Integration with OLS
      5. DBV Secure Application Roles
      6. Summary
    3. 6 Applied Database Vault for Custom Applications
      1. Notional Database Applications Environment
      2. From Requirements to Security Profile Design
      3. Requirements Technique: Use Cases and Scenarios
        1. Analyzing Requirements: Example Use Case
      4. Identify Coarse-Grained Security Profile
      5. Identify Fine-Grained Security Profile
      6. Identify DBV Factors Based on Business or System Conditions
        1. Centralizing PL/SQL Routines for DBV Factors and Rules
        2. Factors Based on Compliance
        3. Factors Based on Conflict of Interest or Separation of Duty
        4. Factors Based on Organizational Policy
        5. Factors Based on Identity Management
        6. Factors Based on Access Path or Operational Context
        7. Factors Based on Time or Sequential Conditions
        8. Factors Based on Data or Events Stored Externally
        9. Incorporating DBV Factors in Your Application
      7. Identify DBV Realms and Realm Objects Based on Objects
        1. Configure Standard Object-level Auditing for Realm-protected Objects
        2. Configure RLS on Realm-protected Objects
      8. Identify Accounts, Roles, and DBV Realm Authorizations from Use Case Actors
        1. Secure Schemas Under DBV
        2. User Access Accounts
        3. Example Implementation of Secure Schemas with DBV
        4. Post-configuration Account Provisioning
      9. Establish DBV Command Rules from Conditions
        1. Configure System-level Auditing
      10. Establish DBV Secure Application Roles from Conditions
      11. Summary
    4. 7 Applied Database Vault for Existing Applications
      1. Audit Capture Preparation
      2. Capturing Audits
      3. Analyzing the Audit Trail
        1. DBV Realms from Object-Owner Accounts
        2. DBV Realm Secured Objects
        3. DBV Realm Authorizations
        4. Identify End User Access Accounts and Roles for DBV SARs
        5. Identifying DBV Command Rules from Conditions
        6. Identifying DBV Factors Based on Business or System Conditions
        7. Refining the DBV Policy Design
        8. Deploying and Validating the DBV Policy
      4. Integrating DBV with Oracle Database Features
        1. Oracle Text
        2. Oracle Spatial
        3. Expression Filters
        4. Oracle Streams Advanced Queuing
        5. Transparent Data Encryption
        6. Oracle Recovery Manager
        7. Gathering Statistics on Realm-protected Schemas
        8. EXPLAIN PLAN on Realm-protected Schemas
      5. Advanced Monitoring and Alerting with a DBV Database
        1. Monitoring and Alerting on DBV with OEM GC
        2. Extending the DBV Rule Set Custom Event Handler
      6. Summary
  11. PART III Identity Management
    1. 8 Architecting Identity Management
      1. Understanding the Problem with Identity Management
        1. Central Issuance Authority
        2. Identity Verification
        3. Identity Propagation
      2. Architecting Identity Management
        1. Identity Management Discovery
        2. Identity Management Patterns
      3. Oracle Identity Management Solutions
        1. User Provisioning
        2. Directory Management
        3. Authentication Management
        4. Authorization Management
        5. Role Mining and Management
      4. Summary
    2. 9 Oracle Identity Manager
      1. The User Provisioning Challenge
      2. Oracle Identity Manager Overview
        1. User
        2. User Group
        3. Organization
        4. Access Policy
        5. Resource Object
        6. IT Resource
      3. User Provisioning Processes
        1. Discretionary Account Provisioning
        2. Self-Service Provisioning
        3. Workflow-based Provisioning
        4. Access Policy–driven Provisioning
      4. User Provisioning Integrations
        1. Prebuilt Connectors
        2. Generic Technology Connector
      5. Reconciliation Integrations
      6. Compliance Solutions
        1. Attestation
        2. Access Reporting
      7. OIM Deployment
      8. Summary
    3. 10 Oracle Directory Services
      1. Identity Management and the LDAP Directory
      2. Oracle Internet Directory
        1. OID Architecture
        2. OID Synchronizations
      3. Directory Virtualization and Oracle Virtual Directory
        1. OVD 101
        2. OVD Architecture
      4. OVD Applied
        1. OVD Installation
        2. Creating a New OVD Server
        3. Initializing the Virtual LDAP Tree Using a Local Store Adapter
        4. Integrating OVD with an Active Directory LDAP Server
        5. Integrating OVD with an Oracle Database
        6. Joining Information in OVD
      5. Summary
  12. PART IV Applied Security for Oracle APEX and Oracle Business Intelligence
    1. 11 Web-centric Security in APEX
      1. Introduction to the APEX Environment
        1. Components and Configurations
        2. Architecture
        3. APEX and Database Roles
        4. APEX Sessions
      2. Securing an APEX Instance
        1. APEX Security Settings
        2. Securing the Application Server Tier
        3. Prevent Web-based Attacks with mod_security
        4. SSL/TLS Techniques
      3. Protecting the APEX Database Schemas
        1. Database Vault and APEX
      4. Summary
    2. 12 Secure Coding Practices in APEX
      1. Authentication and Authorization
        1. Authentication Schemes
        2. Custom Table of Usernames and Passwords
        3. Authorization Schemes
      2. SQL Injection
        1. Example 1: The Wrong Way
        2. Example 2: The Right Way
      3. Cross-site Scripting
        1. URL Tampering
      4. Leveraging Database Security Features
        1. Virtual Private Database
        2. Fine-grained Auditing
      5. Summary
    3. 13 Securing Access to Oracle BI
      1. The Challenge in Securing BI
        1. System Users
        2. Security in the Warehouse vs. the Transactional System
      2. What Needs To Be Secured
      3. Mechanics of Accessing Data with Oracle BI
        1. Architecture
        2. Connection Pools
        3. Variables
      4. Authentication and Authorization
        1. Authentication Options
        2. Authorization
      5. Single Sign-On
        1. SSO Options
        2. SSO Setup Cautions
        3. SSO Using Oracle Access Manager
      6. Deploying in a Secure Environment
        1. SSL Everywhere
        2. Encrypted Outward Connections
      7. Securing the BI Cache
      8. Public-facing Applications
        1. Firewalls and DMZs
        2. Public User
      9. Summary
    4. 14 Securing Oracle BI Content and Data
      1. Securing Web Catalog Content
        1. Web Catalog Groups
        2. Folder-based Security
        3. iBot Security
        4. Securing BI Publisher Catalog Content
      2. Conveying Identity to the Database
        1. Setting Client Identifiers
      3. Securing Data Presented by Oracle BI
        1. Security Policies Within the BI Server
        2. Integrating Oracle BI with Database Security Policies
        3. Deciding When to Use VPD or Oracle BI Row-level Security
      4. Oracle BI and Database Vault
        1. Factors and Oracle BI
        2. Realms and Oracle BI
      5. Auditing
        1. Usage Tracking
        2. Database Auditing
        3. Combining Usage Tracking and Database Auditing
      6. BI Features with Security Implications
        1. Default Privileges
        2. Act as Proxy
        3. Direct Database Requests
        4. Advanced Tab
        5. Direct Access to the BI Server
        6. Web Services Access
      7. Summary
  13. A Using the Oracle BI Examples
    1. Users and Groups
    2. Database Preparations
      1. Database Auditing
      2. Database Scripts
    3. Oracle BI Setup
      1. Credential Store
      2. BI Publisher Superuser
      3. Other BI Publisher Configuration Steps
      4. Sample BI Publisher Report
      5. Scheduler Configuration
      6. Usage Tracking
    4. Recommended Testing
      1. Oracle BI Tests
      2. BI Publisher Tests
      3. Oracle Delivers Tests
    5. Sample Web Catalog Description
      1. SH Dashboard
      2. Utilities Dashboard
      3. Other Dashboards
    6. Sample RPD Descriptions
      1. Common to All RPDs
      2. Internal Authentication
      3. Internal Authentication with Act as Proxy Enabled
      4. Column-based Security
      5. Table-based Authentication
      6. Database Authentication
      7. LDAP Authentication
      8. SSO Integration
    7. Summary
  14. Index