Data Warehouse Security

1
Data WarehouseSecurity

• Jim McGinnis
• Kris Williams
• Charl Welman
• Erin Bader

2
Data WarehouseSecurity

• Definition of Security
• Security is keeping anyone from doing things you
  do not want them to do, with, on, or from your
  computers or any peripheral devices
• William Cheswick and Steven Bellovin,
  Firewalls and Internet Security - Repelling the
  Wily Hacker

3
What is Security?

• Security Organization
• Risk Assessment
• Vulnerability Reduction
• Risk Management
• Policy-Based Management
• Access Control Management
• Security Awareness and Training

• Contingency Planning
• Disaster Recovery
• Workstation use
• Workstation Security
• Device and Media Controls
• Security Incident Procedures

4
What is Security?Cont.

• Intrusion Detection Systems
• Network Configurations
• Virus Protection
• Remote Access

• Facilities Access
• Audits/Reviews

5
How Much Security Is Needed?

• The strength of ones computer security
  defenses should be proportional to the threat
  from that arena
• William Cheswick and Steven Bellovin,
  Firewalls and Internet Security - Repelling the
  Wily Hacker

6
Who is Secure?
Source Cisco Secure Consulting Engagements
7

• Security is a business process requiring
  continuous improvement and automation...

2) Secure
3) Monitor and Respond
5) Manage and Improve
1) Security Policy
4) Test/Assess
8
Identifying the Threats?

• Hackers
• Denial of Service Attacks
• Corporate Espionage
• Former Employees
• SPAM and Junk E-Mail
• Viruses, Trojan Horses, Worms
• Java, ActiveX and Script Vandals
• Current Employees!
• Bad or no Policies
• Lack of Training
• Lack of enforcement

9
Data WarehouseSecurity

• Implementing Security
• Policies and Procedures
• Users
• Names
• Profiles
• Groups
• Education

10
Passwords

• How secure are our passwords
• How many passwords do users need to remember
• How often are passwords changed
• Are password lengths enforced
• Required alphanumeric
• Can users log in without passwords

11
Data WarehouseSecurity

• Security Privileges
• System Administrators
• Database Administrators
• Power Users

12
Data WarehouseSecurity

• Default Roles and Responsibilities
• The DBA
• Typical user
• Ready Only User
• Backup Operator
• Remote User

13
The DBA

• A database administrator (DBA) directs or
  performs all activities related to maintaining a
  successful database environment.

14
DBA Responsibilities

• The DBA has several groups of responsibilities.
  These include
• Database Architecture Duties
• Backup and Recovery Duties
• Maintenance and Daily Tasks
• Methodology and Business Process
• Education and Training
• Communication
• Documentation

15
Database Architecture Duties

• Planning for the databases future storage
  requirements
• Constructing the database
• Installing upgrades the database
• Evaluating/Researching new hardware and software
  purchases
• Provide database design and implementation

16
Backup and Recovery

• Establishing and maintaining sound backup and
  recovery policies and procedures
• Performing cold backups when the database is shut
  down to ensure consistency of the data
• Performing hot backups while the database is
  operational
• Performing import/export as a method of
  recovering data or individual objects
• Providing retention of data to satisfy legal
  responsibilities of the company
• Restoring database services for disaster recovery
• Recovering the database in the event of a
  hardware or software failure

17
Maintenance and Daily Tasks

• Adjusting extent size of rapidly growing tables
  and indexes
• Administering database-management software and
  related utilities
• Automating database startup and shutdown
• Automating repetitive operations
• Enrolling new users while maintaining system
  security
• Filtering database alarm and alert information
• Maintaining archived Oracle data
• Managing contractual agreements with providers of
  database-management software
• Managing service level agreements with Oracle
  consultants or vendors
• Performing correlation of database errors,
  alerts, and events
• Performing ongoing Oracle security management
• Performing routine audits of user and developer
  accounts

18
Methodology and Business Process

• Coordinating and executing database upgrades
• Creating error and alert processes and procedures
• Defining and maintaining database standards for
  the organization to ensure consistency in
  database creation
• Developing database test plans
• Providing database problem reporting, management,
  and resolution

19
Education and Training

• Attending training classes and user group
  conferences
• Understanding Oracle data integrity
• Staying abreast of the most current release of
  Oracle software and compatibility issues
• Providing in-house technical consulting and
  training

20
Communication

• Disseminating Oracle information to the
  developers, users, and staff
• Interfacing with vendors
• Training interim DBAs and junior-level DBAs

21
Documentation

• Creating and maintaining a database operations
  handbook for frequently performed tasks
• Defining standards for database documentation
• Creating documentation of the database environment

22
Auditing Security

• What is auditing security?
• It is a chronological record of system resource
  usage. This includes user logins, file access,
  and other various activities. By using various
  auditing tools, an administrator can tell
  whether any actual or attempted security
  violations occurred, legitimate or unauthorized.
• Another form of auditing in IT terms, is
  searching through a computer system or database
  to look for vulnerabilities or any other security
  problems.

23
Auditing Software

• Most database manufacturers include a security
  auditing program with their software. For one,
  Oracle includes its Fine-Grained Auditing program
  with most versions of its programs. However,
  second-party software can be purchased from other
  vendors.

24
THE PROBLEMThe compromise between enabling
appropriate database access and maintaining tight
security against unauthorized access is the
enduring dilemma of the database administrator
25
Fine-grain Access Control

• ensure that each user is only allowed access to
  the appropriate files, applications or services
• Groups or roles associated with each of the
  different types of users can be established, then
  their authorization can be checked upon access

26
FGAC Continued

• Fine-Grained Access Control is built on virtual
  private database technology and utilizes its
  application context functionality
• FGAC enables administrative users to dynamically
  attach a fully optimized and sharable WHERE
  predicate to any and all queries issued against a
  database table or view. FGAC uses security
  policies to define predicates and assign them to
  users and DML statements. Each table or view to
  be protected is associated with a function, which
  determines the proper predicate to be appended to
  the users queries.

27
Oracle Label Security

• Oracle Label Security is based on data element
  labeling concepts to protect sensitive
  information and provide data separation
• Labels are composed of a hierarchy with multiple
  categories or compartments
• Two methods to grant or deny database access
  Discretionary Access Control (DAC) and Mandatory
  Access Control (MAC).

28
DAC and MAC

• DAC was the level of access that all Oracle
  database users must pass. This level uses object
  grants to differentiate access level on a
  table-by-table basis.
• MAC is the control level that allows Trusted
  Oracle to be a multilevel security system

29
OLS

• Oracle Label Security controls access to rows in
  a table based on labels contained in the rows and
  labels and object grants assigned to each user.
  Label-Based Access Control (LBAC) is Oracles new
  implementation of the older MAC later. It
  utilizes the application context functionality of
  the VPD (virtual private database) product and
  provides a functional, out-of-the-box VPD policy
  that enables row-level security and supplies an
  infrastructure for specifying labels for users
  and data.

30
Bypassing Security

• The system privilege EXEMPT ACCESS POLICY allows
  a user to be exempted from all fine-grained
  access control policies on any DML operation such
  as SELECT, INSERT, UPDATE, and DELETE. If a user
  is granted the EXEMPT ACCESS POLICY privilege,
  then the user is exempt from FGAC and Oracle
  Label Security policy enforcement. Obviously,
  this privilege should be tightly controlled in
  environments implementing VPD.

31
AUTHENTICATION

• Asked these questions
• Who are you?
• To what community do you belong? Are you still a
  trusted member?
• How can you prove your identity?
• Four important componentsestablish identity,
  present a credential, credentials must be
  managed, must be accessible via some sort of
  directory.

32
IDENTITY

• process that verifies that an organization or
  individual exists
• has a name, and is entitled to use that name
• process may also establish other identification
  attributes
• Trusted third parties or delegated authorities
  play a key role in identity attributes of
  participants

33
Credential Management

• issue a credential that can be used to prove
  identity
• most robust form of credential is the digital
  certificate
• Digital certificates provide the standards-based
  technological beachhead required for securing
  communications
• also establish a technical framework for
  nonrepudiable transactions

34
Identity Validation Directory Services

• prove its identity, that is, authenticate
• this process requires the application to ask the
  user for the credential, and to verify the
  credential's validity before granting access
• directory should support both public and private
  attributes, and allow users to securely
  manipulate their own information
• aspects of customer acquisition, risk management,
  security, scalability and reliability
  requirements are addressed by effective
  implementation of secure directory services

35
Typical Authentication Environments

• private intranets
• B2B extranets
• B2B net marketplace
• Data warehouses

36
WEB SERVICES and APPLICATION SECURITY

• Each Web services application must be able to
  validate in real-time the identity of the
  machines it interacts with
• ensure that data remains confidential and intact
  as it crosses the network
• control access, and provide a mechanism for
  auditing, tracking, and substantiating data
  exchanges

37
Continued

• To enable the secure exchange of confidential
  data, application security should include the
  following mechanisms
• Authentication, Encryption, Digital signing,
  Access control, Non-repudiation, SOAP-based
  security, Malicious attack prevention, alerting,
  and isolation

38
Additional Concerns

• PKI deployment, Partner, customer, and supplier
  requirements and capabilities, Regulatory
  compliance
• Extensibility
• Scalability

39
TRUST GATEWAY

• Routes incoming and outgoing messages based on
  match pattern or XML content
• Establishes secure connections with business
  partners and back-end applications
• Validates credentials in real time using the
  VeriSign public key infrastructure
• Encrypts and decrypts requests and responses
• Applies and verifies digital signatures
• Authorizes access based on digital certificates

40
Distributed Database and Multi-tier Security
41

• Multi-tiered means that it integrates the
  protection of files and objects both inside and
  outside the database
• The Oracle Security Model is multi-layered
• When using layers you can hide files and data
  from the general users view
• It also allows you to better determine how much
  security is enough to protect your system.

42
Layers of Security

• Protecting the operating system files
• Protecting the application code
• Controlling connections to the database
• Controlling access to the database tables
• Ensuring recoverability of your corporate data
• Enabling more complex forms of security
• Supporting web site structures and database access

43
Examples of More Complex Forms of Security

• Data encryption
• Digital signatures
• Single sign-on

44
Oracle Advanced Security Option
45

• The Oracle Advanced Security Option (ASO),
  formerly known as the Advanced Networking Option
  (ANO) is used in distributed environments in
  which there are concerns regarding secure access
  and transmission of data.

46
ASO

• Provides data encryption during transmission to
  protect data
• Provides support for several identity
  authentication methods to accurately identify
  users

47
ASO Extra Security Functionality in 3 Main Areas

• Network Security
• Includes encrypting messages going over Oracle
  Net Services, implementing Secure Sockets Layer
  (SSL) encryption and support for RADIUS,
  Kerberos, smart Cards, token cards, and biometric
  authentication.

48
ASO Extra Security Functionality in 3 Main Areas

• Enterprise security
• Includes the use of a wide variety of third-party
  directory support, such as LDAP directories,
  which can be used to implement single signon
  capability. Oracle Internet Directory (OID) is
  also included

49
ASO Extra Security Functionality in 3 Main Areas

• Public key infrastructure security
• Includes support for standard X.509 Version 3
  certificates. Oracle works with major PKI
  service vendors, such as Baltimore Technologies
  and VeriSign, to ensure coordination with their
  trusted roots

50
ASO Supports 3 Types of Authentication Methods

• RADIUS (Remote Authentication Dial-In User
  Service) support
• Provides synchronous-mode support of passwords,
  SecureID token cards, smart cards, and
  challenge-response asynchronous authentication

51
ASO Supports 3 Types of Authentication Methods

• Biometic support using the Identix Biometric
  Authentication Adapter
• Includes a repository of stored fingerprint
  templates that are compared to templates
  transmitted from a fingerprint reader for
  authentication 

52
ASO Supports 3 Types of Authentication Methods

• X.509 v3 digital certificates issued by a
  certificate authority
• Contains a created public key and entity name,
  serial number, and certificate expiration date.
•  

53
Data Warehouse Security

• Data warehouse security is a combination of all
  the aspects that we have discussed. An important
  feature to remember is that one aspect of
  security can undue all the others. The strongest
  security is only as strong as the weakest area.

54
Questions
55
Jims Question

• What components makeup security?

56
Kris Question

• What are some of the main responsibilities of the
  DBA?

57
Charls Question

• What is a major concern for the DBA concerning
  security?

58
Erins Question

• What is the definition of Multi-tiered security?