Oracle9i Security (PowerPoint presentation transcript)
Source: http://www.gcoug.org

Transcript and Presenter's Notes
1
Oracle Security & Identity Management, July 20, 2005
Gary Quarles, Sr. Solutions Architect, Columbus, OH, 614-280-6500, gary.quarles_at_oracle.com
Rafael Torres, Sr. Solutions Architect, Cincinnati, OH, 513-768-6856, rafael.torres_at_oracle.com
2
Agenda
  • 9:00-10:15 am
    • Identity Management: OID, user provisioning, directory integration, proxy authentication
    • Virtual Private Database
    • Securing Data Access
    • Secure Application Roles
  • BREAK (15 mins)

3
Agenda (cont)
  • 10:30-11:45 am
    • Label Security
    • Fine Grained Auditing
    • Stored Data Encryption
    • Detecting Security Breaches
    • Data Privacy Compliance
    • Network Encryption
    • User Security
    • Oblix Roadmap
  • 11:45 am-1:00 pm Buffet Luncheon
  • 1:00-1:15 pm Raffle

4
Security Legislation
  • Sarbanes-Oxley
    • Who: everyone
    • What: financial statements contain no errors
  • Gramm-Leach-Bliley
    • Who: financial services, healthcare
    • What: ensure privacy, security, confidentiality
  • California's Breach Disclosure Law
    • Who: anyone with customers in California
    • What: audit breaches of PII, notify those affected
  • Safe Harbor
    • Who: anyone doing business in Europe
    • What: reasonable steps to secure data from unauthorized access

5
Data Privacy Concerns
  • Customer information
    • protecting customer personally identifiable information (PII)
  • Employee information
    • the majority of privacy regulations provide equal or greater rights of privacy to employees
  • Third party information
    • protecting PII of third persons provided to you by customers or employees

6
Data Privacy Compliance
  • 25% technical
  • 75% policy and procedures

www.oracle.com/consulting
7
The Expert View
"90% detected computer security breaches in the past year. 80% acknowledged financial losses due to computer breaches."
- CSI/FBI Computer Crime and Security Survey
8
"If you spend more on coffee than on IT security, then you will be hacked. What's more, you deserve to be hacked!"
- Richard Clarke, Special Advisor to the President, Cyberspace Security
9
State of Security: United States
  • 90% of respondents detected computer security breaches within the last twelve months.
  • 80% of respondents acknowledged financial losses due to computer breaches.
  • $455,848,000 in quantifiable losses
    • $170,827,000 theft of proprietary information
    • $115,753,000 in financial fraud
  • 74% cited their Internet connection as a frequent point of attack
  • 33% cited internal systems as a frequent point of attack

Source: CSI/FBI Computer Crime and Security Survey
10
Why Oracle for Security and Identity Management?
  • 25 year history
    • First Oracle customer was a government customer
  • Information Assurance
    • 17 independent security evaluations over the past decade
    • Substantial financial commitment to independent security evaluations
    • More evaluations than any other major database vendor
    • Culture of security at Oracle
  • Robust security features and Identity Management infrastructure
    • Row level security
    • Fine Grained Auditing
    • Integrated database security and identity management
    • Web Single Sign-on, Oracle Internet Directory
    • Strong authentication

11
Oracle Database: 25 years of security leadership (1977-2004)
(Timeline slide; milestones in the order shown, with the dates the slide gives)
  • 1977: first customer was a government customer
  • 1992: Trusted Oracle7 Multilevel Secure Database
  • 1993: first Orange Book B1 evaluation
  • Oracle Advanced Security introduced: network encryption, RADIUS authentication, support for PKI, Kerberos framework
  • 1998: Virtual Private Database
  • Database Encryption API
  • Oracle Internet Directory
  • Enterprise User Security
  • 2000: Oracle Label Security
  • Oracle9iAS Single Sign-On, Oracle9iAS JAAS
  • Common Criteria (EAL4)
  • Fine Grained Auditing
  • Identity Management release
  • Security evaluation #17
  • Column security policies
  • Label Security & Identity Management integration
12
Oracle Application Server 10g
13
Identity Management
14
Identity Management
  • process by which the complete security lifecycle
    for users and other entities is managed for an
    organization or community of organizations.
  • management of an organization's application
    users, where steps in the security lifecycle
    include account creation, suspension, privilege
    modification, and account deletion.

15
Identity Management Components
16
The Identity Challenge
  • Redundant, siloed application development
  • Non-uniform access policies
  • Orphan accounts
  • Audit/Log information fragmented

17
Bring Order to Chaos with Identity
  • Centralized, policy-based management of access
    authorization
  • Faster development and deployment
  • Centralized audit and logging

18
Oracle ID Mgmt: Typical Deployments
  • Enterprise provisioning: heterogeneous integration
  • Telco provisioning: scalability & HA
  • Enterprise Portal: single sign-on, administrative delegation
  • Government R&D organizations, corporate conglomerates: centralized identities with autonomous administration of departmental applications
  • Multi-hosting with delegated subscriber admin: multiple identity realms in one physical infrastructure, HA

19
Platform Security Architecture
(Diagram. Top: applications (BPEL Process Manager, BI, Portal, ADF; E-Business Suite; Collaboration Suite; ISV and custom applications) with Application Security on Oracle Application Server and Oracle Database. Below: Oracle Platform Security and Oracle Identity Management, covering Public Key Infrastructure, RBAC & Web Authorization, Provisioning & Delegated Administration, Directory Integration, SSO & Identity Federation, grouped as Access Management, Provisioning Services and Directory Services on Oracle Internet Directory. Side: External Security Services.)
20
Internet Directory
  • Scalability
    • Millions of users
    • 1000s of simultaneous clients
  • High availability
    • Multimaster & fan-out replication
    • Hot backup/recovery, RAC, etc.
  • Manageability
    • Grid Control multi-node monitoring
  • Security
    • Comprehensive password policies
    • Role/policy based access control
    • Auditability
  • Extensibility & Virtualization
    • Plug-in framework
    • Attribute and namespace virtualization
    • External authentication
    • Custom password policies

(Diagram: LDAP clients and the Directory Admin Console connect to the OID server, which stores the directory in an Oracle Database.)
21
Directory Integration
(Diagram: the Directory Integration Service synchronizes Oracle Internet Directory, through connectors, with external directories and data sources: SunONE, Active Directory, OpenLDAP, eDirectory, Oracle HR, Oracle DB.)
22
Provisioning Integration
(Diagram: the Oracle Provisioning Integration Service, built on an event notification engine and a policy/workflow engine, propagates Corporate HR employee enrollment held in OID to Portal, eMail, ERP/CRM and a partner provisioning system; Helpdesk, Portal and eMail admins, plus end-user self-service for passwords and preferences, feed into the same service.)
23
Single Sign-On
(Diagram: OracleAS Single Sign-On fronts an OracleAS-enabled environment of Portal, ERP, CRM and other applications; authentication options shown are PKI, password, Win2K native authentication, SecurID, Biokey and others; partner SSO products (Netegrity, RSA, Oblix) and Federation/Liberty link a partner-SSO-enabled extranet environment.)
  • Integrates Oracle and partner-SSO enabled apps
  • Transparent access to DB tier, 3rd party web apps
  • Multiple AuthN options
  • Different auth modes to match application security levels
24
Demonstration
  • IdM SSO

25
SSO Benefits
  • 1) Tightly integrated with the Oracle product stack
  • 2) Easy to deploy, part of Oracle Identity Management
  • 3) Supports PKI authentication with industry standard X.509v3 certificates
  • 4) Accepts Microsoft Kerberos tokens for easy authentication in a Windows environment
  • 5) Integrated with Oracle Certificate Authority (OCA) for easy provisioning of X.509v3 certificates using OCA

26
Certificate Authority
  • Solution for strong authentication / PKI
  • Easy provisioning of X.509v3 digital certificates for end users
  • Web based certificate management and administration
  • Seamless integration with Oracle Application Server Single Sign-On & OID

(Diagram: User -> Oracle Single Sign-On -> Oracle Certificate Authority, backed by Oracle Internet Directory and the Metadata Repository, hosted in a secure IT facility.)
27
Future support
  • SAML (Security Assertion Markup Language)
    • facilitates interoperation and federation among security services.
  • SPML (Service Provisioning Markup Language)
    • XML standard that facilitates integration among provisioning environments by defining the protocol for interaction between provisioning service components and agents representing provisioned services.
  • DSML (Directory Services Markup Language)
    • XML standard for exchanging directory data as well as invoking directory operations over the Internet.

28
Future support (cont)
  • XKMS
  • XML Key Management Specification. It is intended
    to simplify deployment of PKI in a web services
    environment.
  • WS-Security
  • defines a set of SOAP extensions that can be used
    to provide message confidentiality, message
    integrity, and secure token propagation between
    Web Services and their clients
  • Liberty Alliance standards define the framework
    and protocol for network identity based
    interactions among users and services within a
    federated identity management environment.

29
Delegated Administration Services
  • Admin console w/ role-based customization
    • User / group management
    • End-user vs Admin views
    • Admin delegation
  • End-user self-service
    • Self service provisioning
    • Set preferences, org chart
    • Password reset
  • Embeddable admin components
    • For integration with apps
  • Extensively configurable
    • Accommodate new applications
    • Customize UI views

30
Demonstration
  • IdM Delegated Admin Svs

31
Delegated Admin Benefits
  • 1) Enables self service administration of passwords and password resets
  • 2) Enables administrative granularity of Identity Management components
  • 3) Centralized provisioning for web SSO and enterprise user database access
  • 4) Supports password or PKI based authentication
  • 5) Self service password management without the intervention of an administrator
  • 6) Allows delegated administrators, such as non-technical managers, to create and manage both users and groups
  • 7) Allows users to search the parts of the directory to which they have access

32
Grid Computing: End-to-End Security
(Diagram: the client authenticates to the application server (Application Grid); the application server securely proxies the user identity to the RDBMS (Data Grid), retrieves the user's authorizations and connects the user to the application schema; identities, roles and authorizations are held in OID.)
33
AS10g R2: New 3-tier features
  • Proxy authentication, including credential proxy of X.509 certificates or Distinguished Names (DN) to the Oracle Database
  • Connection pooling for application users with both the Type 2 (OCI) and Type 4 (thin) JDBC drivers
  • Integration with Oracle Identity Management for Enterprise User Security (EUS)
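The proxy-authentication setup behind the first bullet, as an added example that is not part of the presentation: the middle-tier account is granted the right to open sessions as an end user, with the roles it may enable pinned down, and the database records both identities. Account and role names (appsrv, hr_user, hr_app_role) are hypothetical.

```sql
-- Added example (not from the presentation): proxy authentication for a
-- 3-tier application on Oracle9i/10g. The account names (appsrv, hr_user,
-- hr_app_role) are hypothetical.

-- 1. The middle-tier account authenticates to the database itself, but owns
--    nothing and holds nothing beyond CREATE SESSION.
CREATE USER appsrv IDENTIFIED BY middle_tier_s3cret;
GRANT CREATE SESSION TO appsrv;

-- 2. The end user whose identity is proxied. Privileges live on the end
--    user's role, never on the middle-tier account.
CREATE USER hr_user IDENTIFIED BY hr_user_s3cret;
CREATE ROLE hr_app_role;
GRANT CREATE SESSION, hr_app_role TO hr_user;

-- 3. Let appsrv open sessions as hr_user, restricted to one role.
--    WITH ROLE limits which of hr_user's roles a proxied session can enable.
ALTER USER hr_user GRANT CONNECT THROUGH appsrv WITH ROLE hr_app_role;

--    9i/10g variant for "credential proxy of X.509 certificates or DNs":
--    the middle tier presents the DN (or certificate) it verified instead of
--    a password for hr_user.
-- ALTER USER hr_user GRANT CONNECT THROUGH appsrv
--   WITH ROLE hr_app_role AUTHENTICATED USING DISTINGUISHED NAME;

-- 4. Inside a proxied session the database knows both identities, so a
--    policy function, FGA handler or audit query can tell a direct login of
--    hr_user from one opened through appsrv.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user,  -- HR_USER
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user     -- APPSRV, NULL if direct
FROM   dual;

-- 5. Audit only what the middle tier does on behalf of this user.
AUDIT SELECT TABLE, UPDATE TABLE BY appsrv ON BEHALF OF hr_user;

-- 6. Periodic review: who may connect through whom, and with which roles.
SELECT proxy, client, authentication, authorization_constraint, role
FROM   proxy_users
ORDER  BY proxy, client;
```

The point of WITH ROLE is that a compromised middle tier cannot borrow every role the end user holds; the PROXY_USER context value is what lets the secure application role and fine-grained auditing examples later in the deck insist that a session actually came through the application.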

34
Demonstration
  • User Security

35
User Security Benefits
  • 1) Enables centralized management of traditional application users in Oracle Identity Management
  • 2) Oracle Identity Management directory integration services can be used for bi-directional synchronization with existing Identity Management infrastructures (AD, SunOne/iPlanet, Netscape)
  • 3) Optionally map users to shared schemas or retain individual account mappings in the database for complete application transparency
  • 4) Optionally manage database roles in the Oracle Identity Management infrastructure
  • 5) Optionally can be used with Oracle Label Security to maintain security clearances in Oracle Identity Management

36
Oracle IT Before ID Mgmt
(Diagram: each system (HR, Oracle Files, E-Business Apps, Oracle Technology Network, My.oracle.com, Web Conferencing, Web Mail / Calendar, Global Mail, Calendar) keeps its own IDs, passwords, profiles and preferences across the corporate network, DMZ and extranet; employees, partners/suppliers and self-registered TechNet users juggle numerous IDs, passwords and sign-ons.)
37
Oracle IT After ID Mgmt
(Diagram: the same systems (HR, Oracle Files, E-Business Apps, Oracle Technology Network, My.oracle.com, Web Conferencing, Web Mail / Calendar, Global Mail, Calendar) now authenticate against one Oracle IdM infrastructure; employees, partners/suppliers and self-registered TechNet users get a single ID/password with SSO across the corporate network, DMZ and extranet.)
38
Oracle IdM Summary
  • Oracle Identity Management is a complete
    infrastructure providing
  • directory services
  • directory synchronization
  • user provisioning
  • delegated administration
  • web single sign-on
  • and an X.509v3 certificate authority.
  • Oracle Identity Management is designed to provide
    ready, out-of-the-box deployment for Oracle
    applications, as well as serve as a
    general-purpose identity management
    infrastructure for the enterprise and beyond.

39
Break
  • 15 minutes

40
Privacy & Access Control
41
Oracle9i/10g Secure Application Role
CREATE ROLE sar IDENTIFIED USING schema_user.package_name;
(Diagram: User A reaches Oracle9i/10g over JDBC / Net8 / ODBC from the HR application, from the Financials application, and from ad-hoc reports.)
  • Secure application role is a role enabled by security code
  • Application asks database to enable role (can be called transparently)
  • Security code performs desired validation before setting role (privileges)

42
Secure Application Role Benefits
  • Security policy can check anything
  • time of day
  • day of week
  • IP address/domain
  • Local or remote connection
  • user connected through application
  • X.509 data, etc.
  • Database controls whether privileges are enabled
  • Multiple applications can access database
    securely
  • Allows secure handshake between applications and
    database
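A complete secure application role, as an added example that is not part of the presentation, covering the mechanism on the previous slide and the checks listed above (network address, local vs remote, proxy user, time of day and day of week). Schema, role, table and user names (sec_admin, hr_app_role, hr.employees, hr_user, appsrv) and the 10.x.x.x address range are hypothetical.

```sql
-- Added example (not from the presentation): a secure application role whose
-- enabling package checks the connection before any privilege is granted.
-- Schema, role, table and user names (sec_admin, hr_app_role, hr.employees,
-- hr_user, appsrv) and the 10.x.x.x address range are hypothetical.

-- Owner of the security code. Nothing else lives in this schema.
CREATE USER sec_admin IDENTIFIED BY sec_admin_s3cret;
GRANT CREATE SESSION, CREATE PROCEDURE, CREATE ROLE TO sec_admin;

-- Invoker's rights (AUTHID CURRENT_USER) is mandatory: DBMS_SESSION.SET_ROLE
-- must run in the calling user's session, not as sec_admin.
CREATE OR REPLACE PACKAGE sec_admin.hr_role_pkg AUTHID CURRENT_USER AS
  PROCEDURE enable_hr_role;
END hr_role_pkg;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.hr_role_pkg AS
  PROCEDURE enable_hr_role IS
    -- IP_ADDRESS is NULL for a local (bequeath) connection, so the first test
    -- also covers the slide's "local or remote connection" check.
    l_ip    VARCHAR2(64)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
    l_proxy VARCHAR2(128) := SYS_CONTEXT('USERENV', 'PROXY_USER');
    l_hour  PLS_INTEGER   := TO_NUMBER(TO_CHAR(SYSDATE, 'HH24'));
    l_dow   VARCHAR2(3)   := TO_CHAR(SYSDATE, 'DY', 'NLS_DATE_LANGUAGE=ENGLISH');
  BEGIN
    IF l_ip IS NULL OR l_ip NOT LIKE '10.%' THEN
      RAISE_APPLICATION_ERROR(-20001, 'HR role: internal network only');
    END IF;
    -- "user connected through application": require the proxy session.
    IF l_proxy IS NULL OR l_proxy <> 'APPSRV' THEN
      RAISE_APPLICATION_ERROR(-20002, 'HR role: application server only');
    END IF;
    IF l_dow IN ('SAT', 'SUN') OR l_hour NOT BETWEEN 7 AND 18 THEN
      RAISE_APPLICATION_ERROR(-20003, 'HR role: business hours only');
    END IF;
    -- All checks passed: enable the role for this session only. SET_ROLE
    -- replaces the session's enabled roles, so list any others that must stay.
    DBMS_SESSION.SET_ROLE('hr_app_role');
  END enable_hr_role;
END hr_role_pkg;
/

-- The role can be enabled ONLY by the package named here; a plain SET ROLE
-- from SQL fails with ORA-28201.
CREATE ROLE hr_app_role IDENTIFIED USING sec_admin.hr_role_pkg;
GRANT SELECT, UPDATE ON hr.employees TO hr_app_role;

-- The user must hold the role and be able to run the package; keeping the
-- role out of the default set means the package is the only path to it.
GRANT hr_app_role TO hr_user;
ALTER USER hr_user DEFAULT ROLE ALL EXCEPT hr_app_role;
GRANT EXECUTE ON sec_admin.hr_role_pkg TO hr_user;

-- From the application, after connecting as hr_user through appsrv:
BEGIN
  sec_admin.hr_role_pkg.enable_hr_role;
END;
/
SELECT role FROM session_roles;   -- HR_APP_ROLE appears only if every check passed
```

Because the checks run inside the database, an ad-hoc tool connecting as hr_user directly (no proxy user, or from outside 10.x.x.x) never gets the role, even though it knows the password.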

43
Demonstration
  • Secure Application Role

44
Oracle Database 10g Virtual Private Database
  • Column Relevant Policies
  • Policy enforced only if specific columns are
    referenced
  • Increases row level security granularity

45
Oracle Database 10g Virtual Private Database
  • Column Filtering
  • Optional VPD configuration to return all rows but filter out column values in rows which don't meet the criteria
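Both 10g options from the last two slides on one table, as an added example that is not part of the presentation: the same policy function is attached first as a column-relevant policy and then with column masking, so the difference in results is visible. The table hr.employees (ename, deptno, salary), the users and the policy names are hypothetical; DBMS_RLS.ADD_POLICY requires EXECUTE on DBMS_RLS, so the PL/SQL blocks run as a DBA.

```sql
-- Added example (not from the presentation): a 10g VPD policy on a
-- hypothetical hr.employees(empno, ename, deptno, salary) table, first as a
-- column-relevant policy and then as a column-masking ("column filtering") one.
-- Policy, function and user names are illustrative.

-- Policy function: fixed signature (schema, object) -> predicate string.
-- Everyone may see their own row's salary; HR_MANAGER is unrestricted.
CREATE OR REPLACE FUNCTION hr.own_row_only (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 AS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'HR_MANAGER' THEN
    RETURN NULL;   -- empty predicate: no restriction
  END IF;
  RETURN 'UPPER(ename) = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END own_row_only;
/

-- 1. Column-relevant policy: the predicate is added only when SALARY is referenced.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMPLOYEES',
    policy_name       => 'SALARY_OWN_ROW',
    function_schema   => 'HR',
    policy_function   => 'OWN_ROW_ONLY',
    statement_types   => 'SELECT',
    sec_relevant_cols => 'SALARY');
END;
/
-- As SCOTT (SELECT granted on hr.employees):
--   SELECT ename, deptno FROM hr.employees;              -> all rows (SALARY not referenced)
--   SELECT ename, salary FROM hr.employees;              -> only SCOTT's row
--   SELECT ename FROM hr.employees WHERE salary > 5000;  -> also restricted: a column
--   in the WHERE clause counts as referenced, so salaries cannot be probed either.

-- 2. Column masking: every row comes back, but SALARY is NULL where the
--    predicate is false. SELECT only; the query is rewritten, the data untouched.
BEGIN
  DBMS_RLS.DROP_POLICY('HR', 'EMPLOYEES', 'SALARY_OWN_ROW');
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'HR',
    object_name           => 'EMPLOYEES',
    policy_name           => 'SALARY_MASK',
    function_schema       => 'HR',
    policy_function       => 'OWN_ROW_ONLY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SALARY',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
-- As SCOTT:
--   SELECT ename, salary FROM hr.employees;   -> every row, SALARY NULL except SCOTT's

-- Verify what is in force.
SELECT policy_name, sec_rel_column, column_option
FROM   dba_sec_relevant_cols
WHERE  object_owner = 'HR' AND object_name = 'EMPLOYEES';
```

Column masking is the option to reach for when reports must still count or list every employee; the column-relevant form is the one to use when the existence of the other rows is itself sensitive.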

46
Demonstration
  • Virtual Private Database

47
Object Access Control
(Diagram: data table)
48
Oracle9i/10g Label Security
  • Out-of-the-box, customizable row level security
  • Design based on stringent commercial and government requirements for row level security

(Example table from the slide; Sensitivity Label is the OLS label carried by each row)
  Sensitivity Label     Project   Location   Department
  Public                AX703     Chicago    Corporate Affairs
  Sensitive             B789C     Dallas     Engineering
  Highly Sensitive      JFS845    Chicago    Legal
  Confidential Europe   SF78SD    Miami      Human Resource
49
Components of Label Security
Label components are the encoding within data labels and user labels that determine access.
  • Levels
    • Sensitivity level (e.g., Top Secret, Secret, Unclassified)
  • Compartments
    • (X, Y, Z); the user must possess all of them
  • Groups, for need to know
    • Hierarchical
    • Supports the organization's infrastructure

50
Oracle Label Security
(Example from the slide: a user whose Oracle Label Security authorization is "Confidential Partners" queries the application table below; the rows marked OK are the ones returned.)
  Sensitivity Label       Project   Location   Department    Returned
  Public                  AX703     Boston     Finance       OK
  Confidential Partners   B789C     Denver     Engineering   OK
  Company Confidential    JFS845    Boston     Legal
  Company Confidential    SF78SD    Miami      HR
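The three label components from the "Components of Label Security" slide built into one working policy, as an added example that is not part of the presentation. It uses the slide's level names, adds two compartments and a group hierarchy, and shows a row that a user is denied on compartment alone even though her level and group would allow it. The policy name HR_POL, the table hr.projects and the users HR and ALICE are hypothetical; the PL/SQL block runs as LBACSYS.

```sql
-- Added example (not from the presentation): a minimal Oracle Label Security
-- policy that uses all three label components. Policy name HR_POL, the table
-- hr.projects, and users HR and ALICE are hypothetical. Run the PL/SQL block
-- as LBACSYS (or a user holding the policy's _DBA role).

CREATE TABLE hr.projects (
  project    VARCHAR2(10),
  location   VARCHAR2(20),
  department VARCHAR2(20)
);
CREATE USER alice IDENTIFIED BY alice_s3cret;
GRANT CREATE SESSION TO alice;
GRANT SELECT ON hr.projects TO alice;

BEGIN
  -- The policy adds a hidden NUMBER column PROJ_LABEL to every protected table.
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'hr_pol',
    column_name     => 'proj_label',
    default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');

  -- Levels (hierarchical): a reader sees rows at or below their level.
  SA_COMPONENTS.CREATE_LEVEL('hr_pol', 10, 'PUB', 'Public');
  SA_COMPONENTS.CREATE_LEVEL('hr_pol', 20, 'CP',  'Confidential Partners');
  SA_COMPONENTS.CREATE_LEVEL('hr_pol', 30, 'CC',  'Company Confidential');

  -- Compartments: the reader must hold EVERY compartment in the row label.
  SA_COMPONENTS.CREATE_COMPARTMENT('hr_pol', 100, 'ENG', 'Engineering');
  SA_COMPONENTS.CREATE_COMPARTMENT('hr_pol', 200, 'LEG', 'Legal');

  -- Groups (need to know, hierarchical): holding US also grants child BOS.
  SA_COMPONENTS.CREATE_GROUP('hr_pol', 1000, 'US',  'US Region');
  SA_COMPONENTS.CREATE_GROUP('hr_pol', 1100, 'BOS', 'Boston', 'US');

  -- Data labels rows may carry: 'LEVEL:COMPARTMENT,...:GROUP,...'
  SA_LABEL_ADMIN.CREATE_LABEL('hr_pol', 1, 'PUB');
  SA_LABEL_ADMIN.CREATE_LABEL('hr_pol', 2, 'CP:ENG:BOS');
  SA_LABEL_ADMIN.CREATE_LABEL('hr_pol', 3, 'CC:ENG,LEG:US');

  SA_POLICY_ADMIN.APPLY_TABLE_POLICY('hr_pol', 'HR', 'PROJECTS');

  -- Schema owner loads data unrestricted; ALICE gets a bounded authorization.
  SA_USER_ADMIN.SET_USER_PRIVS('hr_pol', 'HR', 'FULL');
  SA_USER_ADMIN.SET_USER_LABELS(
    policy_name     => 'hr_pol',
    user_name       => 'ALICE',
    max_read_label  => 'CC:ENG:US',
    max_write_label => 'CC:ENG:US',
    min_write_label => 'PUB',
    def_label       => 'CP:ENG:BOS',
    row_label       => 'CP:ENG:BOS');
END;
/

-- As HR: label each row explicitly (CHAR_TO_LABEL turns the string into the tag).
INSERT INTO hr.projects (project, location, department, proj_label)
VALUES ('AX703',  'Boston', 'Finance',     CHAR_TO_LABEL('hr_pol', 'PUB'));
INSERT INTO hr.projects (project, location, department, proj_label)
VALUES ('B789C',  'Denver', 'Engineering', CHAR_TO_LABEL('hr_pol', 'CP:ENG:BOS'));
INSERT INTO hr.projects (project, location, department, proj_label)
VALUES ('JFS845', 'Boston', 'Legal',       CHAR_TO_LABEL('hr_pol', 'CC:ENG,LEG:US'));
COMMIT;

-- As ALICE (max read CC:ENG:US): rows 1 and 2 are returned. Row 3 is not,
-- although its level (CC) and group (US) are within her authorization,
-- because she lacks the LEG compartment. The hidden label column appears
-- only when named explicitly.
SELECT project, location, LABEL_TO_CHAR(proj_label) AS label
FROM   hr.projects;
```

WRITE_CONTROL in the policy options is what stops ALICE from relabelling a row to something she could then read; with READ_CONTROL alone the policy would filter queries but not inserts and updates.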
51
Demonstration
  • Oracle Label Security

52
Fine-grained Auditing
53
The Expert View
Companies that properly maintain the security
of their systems will eliminate 90 percent of all
potential exploits. Companies that fail to take
these precautions should prepare for breaches at
an increasing rate.
- Giga Information
54
Stored Data Encryption
  • DBMS_OBFUSCATION_TOOLKIT (9i)
  • DBMS_CRYPTO (10g)

55
Supported Encryption Standards
  • Encryption: AES (128-, 192- and 256-bit keys), RC4 (40-, 56-, 128- and 256-bit keys), 3DES (2-key and 3-key)
  • Hashing: MD5, SHA-1
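Column encryption with DBMS_CRYPTO, as an added example that is not part of the presentation. It picks AES-256 from the list above rather than RC4 or 3DES, generates a fresh IV per value, and adds an HMAC so that a tampered or truncated ciphertext is rejected instead of being decrypted into garbage (DBMS_CRYPTO alone gives confidentiality, not integrity). The package name, the sample value and the inline key are hypothetical; a real key must be kept outside the table.

```sql
-- Added example (not from the presentation): column encryption with
-- DBMS_CRYPTO (10g): AES-256 in CBC mode with a random IV, plus an HMAC so
-- that a tampered or truncated value is rejected instead of decrypting to
-- garbage. RC4 and MD5 from the list above are kept in the package for
-- compatibility and should not be chosen for new data. The package name and
-- the inline key are hypothetical; in practice the key lives outside the
-- table (separate schema, wallet or HSM), never beside the ciphertext.

CREATE OR REPLACE PACKAGE crypto_demo AS
  FUNCTION encrypt_text(p_clear IN VARCHAR2, p_key IN RAW) RETURN RAW;
  FUNCTION decrypt_text(p_data  IN RAW,      p_key IN RAW) RETURN VARCHAR2;
END crypto_demo;
/
CREATE OR REPLACE PACKAGE BODY crypto_demo AS
  c_alg    CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                                 + DBMS_CRYPTO.CHAIN_CBC
                                 + DBMS_CRYPTO.PAD_PKCS5;
  c_ivlen  CONSTANT PLS_INTEGER := 16;   -- AES block size
  c_maclen CONSTANT PLS_INTEGER := 20;   -- HMAC-SHA1 output size

  -- Derive a separate MAC key from the data key rather than reusing it.
  FUNCTION mac_key(p_key IN RAW) RETURN RAW IS
  BEGIN
    RETURN DBMS_CRYPTO.MAC(UTL_RAW.CAST_TO_RAW('crypto_demo/mac'),
                           DBMS_CRYPTO.HMAC_SH1, p_key);
  END mac_key;

  -- Stored layout: IV(16) || ciphertext || HMAC-SHA1(IV || ciphertext)(20)
  FUNCTION encrypt_text(p_clear IN VARCHAR2, p_key IN RAW) RETURN RAW IS
    l_iv  RAW(16) := DBMS_CRYPTO.RANDOMBYTES(c_ivlen);   -- fresh per value
    l_ct  RAW(4000);
    l_mac RAW(20);
  BEGIN
    l_ct  := DBMS_CRYPTO.ENCRYPT(
               src => UTL_I18N.STRING_TO_RAW(p_clear, 'AL32UTF8'),
               typ => c_alg, key => p_key, iv => l_iv);
    l_mac := DBMS_CRYPTO.MAC(UTL_RAW.CONCAT(l_iv, l_ct),
                             DBMS_CRYPTO.HMAC_SH1, mac_key(p_key));
    RETURN UTL_RAW.CONCAT(l_iv, l_ct, l_mac);
  END encrypt_text;

  FUNCTION decrypt_text(p_data IN RAW, p_key IN RAW) RETURN VARCHAR2 IS
    l_len PLS_INTEGER := UTL_RAW.LENGTH(p_data);
    l_iv  RAW(16);
    l_ct  RAW(4000);
    l_mac RAW(20);
  BEGIN
    -- Shortest valid value: IV + one AES block + MAC.
    IF l_len IS NULL OR l_len < c_ivlen + 16 + c_maclen THEN
      RAISE_APPLICATION_ERROR(-20010, 'ciphertext too short');
    END IF;
    l_iv  := UTL_RAW.SUBSTR(p_data, 1, c_ivlen);
    l_ct  := UTL_RAW.SUBSTR(p_data, c_ivlen + 1, l_len - c_ivlen - c_maclen);
    l_mac := UTL_RAW.SUBSTR(p_data, l_len - c_maclen + 1, c_maclen);
    -- Verify before decrypting (encrypt-then-MAC).
    IF UTL_RAW.COMPARE(l_mac,
                       DBMS_CRYPTO.MAC(UTL_RAW.CONCAT(l_iv, l_ct),
                                       DBMS_CRYPTO.HMAC_SH1, mac_key(p_key))) <> 0
    THEN
      RAISE_APPLICATION_ERROR(-20011, 'integrity check failed');
    END IF;
    RETURN UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(src => l_ct, typ => c_alg, key => p_key, iv => l_iv),
             'AL32UTF8');
  END decrypt_text;
END crypto_demo;
/

-- Round trip, then flip one ciphertext byte to show the MAC catching it.
DECLARE
  l_key RAW(32) := DBMS_CRYPTO.RANDOMBYTES(32);   -- demo only: never store beside the data
  l_enc RAW(4000);
  l_bad RAW(4000);
BEGIN
  l_enc := crypto_demo.encrypt_text('4111-1111-1111-1111', l_key);
  DBMS_OUTPUT.PUT_LINE(crypto_demo.decrypt_text(l_enc, l_key));   -- 4111-1111-1111-1111
  l_bad := UTL_RAW.CONCAT(UTL_RAW.SUBSTR(l_enc, 1, 16),
                          UTL_RAW.BIT_XOR(UTL_RAW.SUBSTR(l_enc, 17, 1), HEXTORAW('01')),
                          UTL_RAW.SUBSTR(l_enc, 18));
  BEGIN
    DBMS_OUTPUT.PUT_LINE(crypto_demo.decrypt_text(l_bad, l_key));
  EXCEPTION
    WHEN OTHERS THEN DBMS_OUTPUT.PUT_LINE(SQLERRM);   -- ORA-20011: integrity check failed
  END;
END;
/
```

The MAC is checked before DBMS_CRYPTO.DECRYPT is ever called, so a modified value fails closed with a clear error rather than with a padding error or silently wrong plaintext; the IV is stored with the value because it is not secret, only unique.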

56
Demonstration
  • Data Encryption

57
Advanced Security Option
  • Encryption for data in motion
    • RSA RC4 (a symmetric stream cipher, not public-key encryption) with 40, 56 and 128 bit key lengths
    • Support for the Data Encryption Standard (DES) algorithm
    • Support for the Message Digest 5 (MD5) checksumming algorithm

58
Advanced Security Option
  • Authentication device support
    • RADIUS devices
    • Token cards (SecurID, for example)
    • Biometric devices
  • Secure Sockets Layer
    • With X.509 v3 certificate support
  • Support for the Open Software Foundation's Distributed Computing Environment (DCE)
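Verifying that Advanced Security network encryption is actually in force, as an added example that is not part of the presentation. The sqlnet.ora parameter values quoted in the comments are the assumed server-side configuration; the queries are what a DBA runs to confirm a given session negotiated encryption and to find sessions that did not.

```sql
-- Added example (not from the presentation): confirming Oracle Advanced
-- Security network encryption and integrity checking are in use. Assumed
-- server-side sqlnet.ora (hypothetical values):
--
--   SQLNET.ENCRYPTION_SERVER            = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256, 3DES168)
--   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA1)
--
-- REQUIRED (rather than REQUESTED or ACCEPTED) makes the server refuse a
-- client that cannot negotiate a matching algorithm (ORA-12660); ACCEPTED on
-- both ends negotiates silently down to clear text.

-- What the current session negotiated. Each row is one banner line; with
-- encryption active an "... encryption service adapter" line names the
-- algorithm, and a "... crypto-checksumming service adapter" line names the digest.
SELECT network_service_banner
FROM   v$session_connect_info
WHERE  sid = (SELECT sid FROM v$mystat WHERE ROWNUM = 1);

-- User sessions that connected WITHOUT an encryption adapter, with the
-- sid/serial# needed to terminate them.
SELECT s.sid, s.serial#, s.username, s.osuser, s.machine, s.program
FROM   v$session s
WHERE  s.type = 'USER'
AND    NOT EXISTS (
         SELECT 1
         FROM   v$session_connect_info c
         WHERE  c.sid = s.sid
         AND    LOWER(c.network_service_banner) LIKE '%encryption service adapter%')
ORDER  BY s.username, s.sid;
```

Run the first query from every client type in use (thin JDBC, OCI, SQL*Plus) before switching the server to REQUIRED, since a client without Advanced Security configured will simply be refused at that point.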

59
Threats to Networks and Internet
500 becomes 50,000
60
Demonstration
  • Network Encryption

61
Oblix
  • Brief Overview and Roadmap

62
Oblix: Pure-Play Product Leader
(Chart: Gartner Research, June 2004; vendors plotted by Ability To Execute.)
63
Oblix COREid
COREid Access
  • Web Single Sign-On
  • Flexible Authentication Methods
  • Policy-based Authorization

COREid Identity
  • User, Group, and Organization Management
  • Delegated Administration
  • Self Service and Self Registration
  • Unified Workflow
  • Identity Web Services Controls
  • Password Management

COREid Reporting
  • Centralized auditing
  • Pre-built identity and security reports
  • Global View user access
  • Robust logging framework

64
Oracle / Oblix IdM Integration Roadmap
(Chart: current portfolios and the integration roadmap)
  • Oracle 10g / 10.1.3: OracleAS SSO, Web Authorization, Provisioning Integration (DIP), Delegated Admin Service, Cert. Authority / PKI (OCA), Meta Directory (DIP), Directory (OID), Identity Grid Control
  • Oblix: SHAREid (Federation: Liberty / SAML 2.0), COREid Access, COREid Provisioning (provisioning connectors), COREid Identity, COREsv Web Services Management
  • Also on the roadmap: Virtual Directory
65
IdM: What does Oracle offer today?
(Chart: capability matrix. Capabilities: Privacy Compliance Management, Enterprise Provisioning Automation, Security Monitoring & Audit Services, Web Authorizations, Identity Federation, SSO, Identity & Access Mgmt, PKI Certificate Services, Delegated Admin, Policy Based Access Ctrl, Role Based Access Ctrl, Non-web 3rd party SSO, Password Management, Virtual Directory, Meta-Directory, Identity Integration, Directory. Legend: Oracle - Full Functionality; Oracle - Limited Functionality; Partner Offering; Planned Functionality. Ratings were colour-coded on the slide.)
66
Current offering with Oblix today
(Chart: the same capability matrix and legend as the previous slide, now including the Oblix products.)
67
Thursday, August 11, 2005, 8:00 am - 11:00 am (Breakfast & Registration at 8:00 am)
Oracle Office - Cincinnati, 312 Elm Street, Suite 1525, Cincinnati, OH 45202
  • Oracle COREid Access & Identity
  • Oracle COREid Federation
  • Oracle COREid Provisioning
  • Oracle Single Sign On / Oracle Internet Directory
  • Oracle Application Server, Enterprise Edition
  • Oracle Web Services Manager

http://www.oracle.com/webapps/events/EventsDetail.jsp?p_eventId42000src3830746src3830746Act41
68
69
Additional Slides
70
Security Tips 101
  • Oracle Security Step-by-step
  • By Pete Finnigan
  • SANS Press

71
Security Tips 101
  • Keep up with security patches!
  • Security alerts from Oracle Technology Network
    site
  • Security Issues Website

72
Security Tips 101
  • Check your file system privileges
  • If on Windows, use NTFS not FAT or FAT32
  • Prevent seeing passwords with UNIX ps command
  • Note 136480.1 or 1009091.6
  • Check privileges on export files in OS

73
Security Tips 101
  • If a full export is done to populate a test
    database, immediately change all passwords
  • No database user except SYS should have ALTER SYSTEM or ALTER SESSION (note that the 9i CONNECT role itself carries ALTER SESSION)

74
Security Tips 101
  • Change default passwords
  • List of default users and passwords
  • Where to get this list
  • SYS should not be CHANGE_ON_INSTALL !!!!
  • SYSTEM should not be MANAGER !!!!

75
Security Tips 101
  • Check scripts that are in the file system that
    have embedded passwords!
  • Make sure REMOTE_OS_AUTHENT = FALSE (TRUE allows login without a password, trusting the OS user name the client claims)
  • REMOTE_OS_ROLES = FALSE also
  • Check for all users with DBA role
  • Check for users or roles with an ANY privilege
  • UPDATE ANY TABLE
  • DROP ANY TABLE

76
Security Tips 101
  • Revoke RESOURCE role from normal users
  • No users or roles should have access to
    • DBA_USERS
    • SYS.LINK$
    • SYS.USER$
    • SYS.USER_HISTORY$
  • SYS.LINK$ holds database-link passwords in clear text (9i); the others expose password hashes

77
Security Tips 101
  • Make sure your listener has a password
  • Use current-user database links if possible (CONNECT TO CURRENT_USER)
  • Check database links from Test, Dev and QA instances; remove any that are not absolutely necessary
  • Avoid plain text passwords in batch files; use an encryption utility
  • Avoid external accounts for batch processes

78
Security Tips 101
  • Use the Oracle Security Checklists
  • 9i R2 Security Checklist
  • 9iAS Security Checklist
  • Or third party utilities to check your security
  • Oracle Enterprise Manager 10g includes Security
    Checking

79
Security Tips 101
  • 1. Only two highly trusted DBAs have SYS privileges
  • 2. All other DBAs log in using unique user IDs, and those IDs are granted ONLY the privileges needed to do their job
  • 3. Partition responsibilities as much as possible between the DBAs
  • 4. Security administration, not the DBAs, has the ability to grant or change access privileges
  • 5. Employ strong password policies
  • 6. Audit ALL activities the DBAs do
  • 7. Audit ALL activities the two trusted DBAs do, both in their regular login and when connected as SYS (9iR2 and higher)

80
Security Tips 101
  • 8. Audit logs are locked out of the DBAs' reach and monitored and reviewed by security administration, possibly stored on a separate system
  • 9. Replicate the logs to help identify if a log has been tampered with
  • 10. Audit ALL DML on the audit logs
  • 11. Set up fine grained auditing alerts on key information when there is attempted access by unauthorized persons. These alerts are sent to the security administrator.
  • 12. If offshore DBA services are employed, track everything they do very closely and restrict what they can see or do.
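Tip 11 implemented, as an added example that is not part of the presentation: a fine-grained auditing policy that fires only when someone reads or changes a salary other than their own, with a handler that records the event for the security administrator in a table separate from the main audit trail. The table hr.employees, the sec_admin schema and the alert table are hypothetical, and the handler only writes to a table here (a mail call is assumed, not shown). The parameter set is 10g Release 2.

```sql
-- Added example (not from the presentation): a fine-grained auditing policy
-- (10g Release 2 parameter set) that records reads or updates of other
-- people's salaries and fires a handler for the security administrator.
-- Table hr.employees, schema sec_admin and the alert table are hypothetical;
-- the handler only writes to a table here (a mail call would be assumed).

CREATE TABLE sec_admin.fga_alerts (
  alert_time  TIMESTAMP DEFAULT SYSTIMESTAMP,
  db_user     VARCHAR2(30),
  os_user     VARCHAR2(100),
  client_ip   VARCHAR2(64),
  policy_name VARCHAR2(30),
  sql_text    VARCHAR2(4000)
);

-- DBMS_FGA calls the handler with exactly this signature. It is autonomous so
-- the alert is kept even if the audited statement's transaction is rolled back.
CREATE OR REPLACE PROCEDURE sec_admin.fga_handler (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2,
  p_policy IN VARCHAR2)
AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec_admin.fga_alerts
    (db_user, os_user, client_ip, policy_name, sql_text)
  VALUES
    (SYS_CONTEXT('USERENV', 'SESSION_USER'),
     SYS_CONTEXT('USERENV', 'OS_USER'),
     SYS_CONTEXT('USERENV', 'IP_ADDRESS'),
     p_policy,
     SYS_CONTEXT('USERENV', 'CURRENT_SQL'));   -- the statement that tripped the policy
  COMMIT;
END fga_handler;
/

BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'HR',
    object_name       => 'EMPLOYEES',
    policy_name       => 'SALARY_ACCESS',
    -- audit only rows that are not the reader's own
    audit_condition   => 'UPPER(ename) <> SYS_CONTEXT(''USERENV'', ''SESSION_USER'')',
    audit_column      => 'SALARY',
    handler_schema    => 'SEC_ADMIN',
    handler_module    => 'FGA_HANDLER',
    enable            => TRUE,
    statement_types   => 'SELECT,UPDATE',
    audit_trail       => DBMS_FGA.DB_EXTENDED,   -- keep SQL text and bind values
    audit_column_opts => DBMS_FGA.ANY_COLUMNS);
END;
/

-- SELECT ename, deptno FROM hr.employees;   -> not audited (SALARY untouched)
-- SELECT ename, salary FROM hr.employees;   -> one FGA record and one alert for the
--                                              statement, because it touched others' rows

-- Review: the built-in trail ...
SELECT timestamp, db_user, os_user, object_name, policy_name, sql_text
FROM   dba_fga_audit_trail
WHERE  policy_name = 'SALARY_ACCESS'
ORDER  BY timestamp DESC;

-- ... and the handler's own table, which can be protected and replicated
-- independently of the database audit trail (tips 8 and 9).
SELECT alert_time, db_user, os_user, client_ip, sql_text
FROM   sec_admin.fga_alerts
ORDER  BY alert_time DESC;
```

Unlike standard AUDIT, which records every SELECT on the table, this policy produces a record only when the condition holds and the named column is involved, so the trail stays small enough for the security administrator to read every entry.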