You are previewing Oracle Database 12c Security.
O'Reilly logo
Oracle Database 12c Security

Book Description

Best Practices for Comprehensive Oracle Database Security

Written by renowned experts from Oracle's National Security Group, Oracle Database 12c Security provides proven techniques for designing, implementing, and certifying secure Oracle Database systems in a multitenant architecture. The strategies are also applicable to standalone databases. This Oracle Press guide addresses everything from infrastructure to audit lifecycle and describes how to apply security measures in a holistic manner. The latest security features of Oracle Database 12c are explored in detail with practical and easy-to-understand examples.

  • Connect users to databases in a secure manner
  • Manage identity, authentication, and access control
  • Implement database application security
  • Provide security policies across enterprise applications using Real Application Security
  • Control data access with Oracle Virtual Private Database
  • Control sensitive data using data redaction and transparent sensitive data protection
  • Control data access with Oracle Label Security
  • Use Oracle Database Vault and Transparent Data Encryption for compliance, cybersecurity, and insider threats
  • Implement auditing technologies, including Unified Audit Trail
  • Manage security policies and monitor a secure database environment with Oracle Enterprise Manager Cloud Control

Table of Contents

  1. Cover
  2. Title Page
  3. Copyright Page
  4. Dedication
  5. About the Author
  6. Contents
  7. Foreword
  8. Acknowledgments
  9. Introduction
  10. Part I: Essential Database Security
    1. Chapter 1: Security for Today’s World
      1. The Security Landscape
        1. Base Assumptions
      2. Database Security Today
        1. Evolving Security Technologies
      3. Security Motivators
        1. Sensitive Data Categorization
        2. Principles
      4. Summary
    2. Chapter 2: Essential Elements of User Security
      1. Understanding Identification and Authentication
        1. Identification Methods
        2. Authentication
      2. Understanding Database Account Types
        1. Database Account Types in Oracle Database 12c Multitenant Architecture
      3. Privileged Database Account Management in Oracle Database 12c
        1. Administrative Privileges for Separation of Duty
        2. Methods for Privileged Database Account Management
      4. Account Management in Multitenant Oracle Database 12c
        1. Creating Common Database Accounts
        2. Managing Accounts in a Pluggable Database
      5. Managing Database Account Passwords and Profiles
        1. Managing Passwords for Local Database Accounts
        2. Managing Database Account Profiles
      6. Summary
    3. Chapter 3: Connection Pools and Enterprise Users
      1. External Identification and Authentication Challenges
        1. Connection Challenges
        2. Performance
        3. Connection Pools
        4. Security Risks
      2. External Identification and Authentication in Oracle Database 12c
        1. Oracle Proxy Authentication
        2. Oracle Enterprise User Security
        3. Oracle Kerberos Authentication
        4. Oracle RADIUS Authentication
      3. Summary
    4. Chapter 4: Foundational Elements for a Secure Database
      1. Access Control, Authorization, and Privilege
        1. Access Control
        2. Authorization
        3. Privilege
        4. Object Privileges
        5. Column Privileges
        6. Synonyms
        7. System and Object Privileges Together
        8. Privilege Conveyance and Retraction
      2. Roles
        1. Role and Privilege Immediacy
        2. Roles and Container Databases
        3. Public and Default Database Roles
        4. Role Hierarchies
        5. Object Privileges Through Roles and PL/SQL
      3. Selective Privilege Enablement
        1. Selective Privilege Use Cases
      4. Password-Protected Roles
        1. Password-Protected Role Example
        2. Password-Protected Roles and Proxy Authentication
        3. Challenges to Securing the Password
      5. Secure Application Roles
        1. Secure Application Role Example
      6. Global Roles and Enterprise Roles
        1. Creating and Assigning Global and Enterprise Roles
        2. Combining Standard and Global Roles
      7. Using Roles Wisely
        1. Too Many Roles
        2. Naming
        3. Dependencies
      8. Summary
    5. Chapter 5: Foundational Elements of Database Application Security
      1. Application Context
      2. Default Application Context (USERENV)
        1. Auditing with USERENV
      3. Database Session-Based Application Context
        1. Creating a Database Session-Based Application Context
        2. Setting Context Attributes and Values
        3. Applying the Application Context to Security
        4. Secure Use
        5. Common Mistakes
      4. Global Application Context
        1. GAC Uses
        2. GAC Example
        3. Global Context Memory Usage
      5. External and Initialized Globally
      6. Using Views in Security
        1. Views for Column- and Cell-Level Security
        2. Views for Row-Level Security
      7. Definer’s vs. Invoker’s Privileges/Rights for PL/SQL
        1. Definer’s Rights Invocation on PL/SQL Programs
        2. Invoker’s Rights Invocation for PL/SQL
      8. Definer’s vs. Invoker’s Privileges/Rights on Java Stored Procedures
        1. Java Stored Procedure and Definer’s Rights
        2. Java Stored Procedure and Invoker’s Rights
      9. Code-Based Security
        1. Granting Roles and Privileges to PL/SQL
      10. Entitlement Analytics
        1. Profile Application Use
        2. Privilege Reduction
        3. Oracle Enterprise Manager Cloud Control (OEMCC) 12c
      11. Sharing Application Code
        1. Managing Common Application Code with Pluggable Databases
      12. Managing Common Application Code with Database Links
      13. Summary
    6. Chapter 6: Real Application Security
      1. Account Management in Oracle RAS
        1. Configuring DLAU Accounts
        2. Configuring Simple Application User Accounts
      2. Oracle RAS Roles
        1. Integration of Standard Database Roles with Oracle RAS Roles
        2. Role Management Procedures in Package XS_PRINCIPAL
        3. Out-of-the-Box Roles in Oracle RAS
      3. Lightweight Sessions in Oracle RAS
        1. Setting Privileges for Direct Login Application User Accounts
        2. Lightweight Session Management in Java
        3. Namespaces in Oracle RAS
        4. Server-Side Event Handling and Namespaces in Oracle RAS
        5. Session Performance in Oracle RAS
      4. Privilege Management and Data Security in Oracle RAS
        1. Security Classes, Application Privileges, and ACLs
        2. Data Security Policies
        3. Protecting Namespaces with ACLs
      5. Auditing in Oracle RAS
        1. Default Audit Policies for Oracle RAS
        2. Reporting on Audit Events and Audit Policies in RAS
      6. Validating Policies and Tracing in Oracle RAS
        1. Validating Policy Components
        2. Tracing Sessions and Data Security Policies
      7. Summary
  11. Part II: Advanced Database Security
    1. Chapter 7: Controlled Data Access with Virtual Private Database
      1. Introduction to Virtual Private Database
        1. How VPD Works
        2. Benefits
        3. VPD Components
        4. Types of Control
        5. How to Use VPD
        6. Which Type of VPD Is Right for Me?
      2. Row-Level Security
        1. Table Fire with Row Filter
        2. Column Fire with Row Filter
        3. VPD and INSERT Statements
        4. VPD and INDEX Statements
      3. Column-Level Security
        1. Column Fire with Column Filter
      4. VPD Exemptions
        1. Audit EXEMPT ACCESS POLICY Privilege
        2. Verify EXEMPT ACCESS POLICY Privilege
        3. Verify Audit Trail
      5. Debugging and Troubleshooting VPD Policies
        1. Invalid Policy Functions
        2. Verifying and Validating Predicates
      6. VPD Performance
        1. Application Context and Logon Trigger
        2. Bind Variables
        3. VPD Caching
      7. Summary
    2. Chapter 8: Essential Elements of Sensitive Data Control
      1. Sensitive Data Protection Challenges
      2. Oracle Database 12c Transparent Sensitive Data Protection
        1. Discover Sensitive Information with Enterprise Manager
        2. Configuring a TSDP Administrator
        3. Defining Sensitive Information Types
        4. Mapping Sensitive Information Types to Columns
        5. Creating Sensitive Information Policies
        6. Mapping Sensitive Information Policies to Sensitive Types
        7. Enabling Sensitive Information Redaction
        8. Redacting Sensitive Information in the Database Audit Trail
      3. Summary
    3. Chapter 9: Access Controls with Oracle Label Security
      1. About Oracle Label Security
        1. History
        2. OLS Functional Overview
        3. OLS vs. VPD
        4. Label-Based Access Control
        5. OLS Label Types
      2. OLS Installation
        1. Installing OLS
        2. Register and Enable OLS in the Root Container
        3. Register and Enable OLS in a Pluggable Database
      3. Administering OLS
        1. OLS Role LBAC_DBA
      4. OLS Example
        1. Create a Policy
        2. Create Label Components
        3. Create OLS Labels
        4. Apply OLS Policy to a Table
        5. Authorize OLS Access
        6. Insert Data Using OLS Functions
        7. Querying Data from an OLS Protected Table
        8. OLS and the Connection Pool
        9. Auditing OLS Privileges and Use
        10. Trusted Stored Procedures
        11. Integrating OLS and Oracle Internet Directory
        12. Performance with OLS
      5. Summary
    4. Chapter 10: Oracle Database Vault: Securing for the Compliance Regulations, Cybersecurity, and Insider Threats
      1. History of Privileged Accounts
        1. SYS as SYSDBA (Super User 0)
      2. Security Should Haves
        1. Multifactored Security
        2. Conditional Security
      3. DBV Components
        1. Factors
        2. Rules
        3. Realms
        4. Command Rules
        5. DBV Secure Application Roles
      4. Configuring and Enabling DBV
        1. DBV Administration Using Common Accounts
        2. DBV Administration Using Delegated Accounts
        3. Manually Configuring DBV in a PDB
      5. Managing DBV Configuration
        1. DBV Administration PL/SQL Package and Configuration Views
      6. DBV Security Policies in Action
        1. Installed DBV Roles
        2. SoD with Roles, Realms, and Command Rules
        3. Default Audit Policies
        4. General Database Maintenance and Operations Authorizations
        5. Creating Custom DBV Policies
      7. Summary
    5. Chapter 11: Oracle Transparent Data Encryption: Securing for the Compliance Regulations, Cybersecurity, and Insider Threats
      1. Encryption 101
        1. Goal of Encryption
        2. The Basics
        3. Encryption Choices
        4. The Algorithm and the Key
      2. Encrypting Data Stored in the Database
        1. Where the Data “Rests”
        2. Protecting the Data
        3. Applied Example
        4. Encrypting in the Database
      3. The Transparent Data Encryption Solution
        1. Key Management Facilities
        2. Key Management Roles
        3. Creating Keystores and a Master Key in the Root Container
        4. Creating Master Keys in Pluggable Databases
        5. Creating an Encrypted Column in a New Table
        6. Determining TDE Encrypted Columns
        7. Encrypting an Existing Column
        8. Caveats to Column-Level TDE
        9. Tablespace Encryption
      4. TDE and Oracle Database Tools Interoperability
      5. Performance
      6. Advanced Encryption Protection Support
        1. Configuring FIPS 140-2 Support
      7. Summary
  12. Part III: Security and Auditing for the Cloud
    1. Chapter 12: Audit for Accountability
      1. The Security Cycle
        1. Auditing for Accountability
        2. Auditing Provides the Feedback Loop
        3. Auditing Is Not Overhead
      2. Audit Methods
        1. Infrastructure and Application Server Logs
        2. Application Auditing
        3. Trigger Auditing
        4. Database Auditing
      3. Enabling Auditing in the Database
        1. Audit Destination for Standard Auditing and FGA
        2. Enable Oracle Unified Auditing in Oracle Database 12c
      4. Who Conducts the Audit Policy and Audit Reporting?
        1. Audit Administrator Role
        2. Audit Reporting Role
      5. What Should be Audited? Creating the Audit Policy
        1. Best Practices for Audit Polices
        2. OUA Audit Policy Configuration
        3. Traditional Audit Policy Configuration
      6. Fine-Grained Auditing
        1. Enabling FGA
        2. Acting on the Audit
      7. Audit Storage, Audit Retention, and Reporting
        1. Oracle Audit Vault
        2. Audit Trail Retention Under OUA
        3. Audit Trail Retention Under Traditional Auditing
        4. Reporting on Database History
      8. Summary
    2. Chapter 13: An Applied Approach to Multitenancy and Cloud Security
      1. System Baseline and Configuration
        1. Facility and Infrastructure Security
        2. Personnel Security
        3. Configuration Management
        4. Equipment
        5. Secure Virtualization
        6. Operating System
        7. Jobs, Users, Groups/Roles, and Privileges
      2. Oracle Database 12c Multitenancy and Cloud Computing
        1. Cloud Computing
      3. Oracle 12c Software Installation
        1. Security-Related Installation Prerequisites and Installation Options
        2. Choosing the Number of Oracle Homes
        3. Securing the Oracle Home
        4. Are You Still Secure?
        5. Securing the Listener
        6. Managing Passwords
        7. Secure Database Initialization Parameters
      4. Installing and Securing Your Application
        1. Sensitive Data Discovery
        2. Account Management
        3. Privilege Management
        4. Least Privilege
        5. Data Access Controls
        6. Protecting Your Company Intellectual Property
        7. Database Firewall
      5. Data Encryption
        1. Network Data Encryption and Integrity
        2. Encryption of Data at Rest
        3. Encryption of Backup Data
      6. Auditing
        1. Oracle Auditing
        2. Oracle Audit Vault
        3. Audit Life Cycle Management
      7. Locking Down Your System
        1. Standards for Lockdown
        2. Secure Patching
      8. Monitoring and Alerting
        1. Monitoring Audit Events
        2. System Monitoring Using OEMCC
      9. Availability, Backup and Recovery, and Continuity of Operations
        1. Availability
        2. Backup and Recovery
      10. Summary
  13. Appendix: Sample Preparation Scripts
    1. Sample Pluggable Databases
      1. SALES Pluggable Database
      2. Human Resources (HR) Pluggable Database
    2. Sample Security Manager Account Creation
      1. Root Container
      2. Pluggable Databases
  14. Index