Contents at a Glance
PART I
Oracle Database Security New Features
1 Security Blueprints and New Thinking 3
2 Transparent Data Encryption 21
3 Applied Auditing and Audit Vault 57
PART II
Oracle Database Vault
4 Database Vault Introduction 93
5 Database Vault Fundamentals 117
6 Applied Database Vault for Custom Applications 199
7 Applied Database Vault for Existing Applications 287
PART III
Identity Management
8 Architecting Identity Management 357
9 Oracle Identity Manager 385
10 Oracle Directory Services 405
PART IV
Applied Security for Oracle APEX and Oracle Business Intelligence
11 Web-centric Security in APEX 433
12 Secure Coding Practices in APEX 461
xi
xii Applied Oracle Security
13 Securing Access to Oracle BI 497
14 Securing Oracle BI Content and Data 535
A Using the Oracle BI Examples 579
Foreword xxi
Acknowledgments xxiii
PART I
Oracle Database Security New Features
1 Security Blueprints and New Thinking 3
About This Book 4
Background Information 4
Organization 5
Database Security Today 6
Evolving Technologies 6
Security Motivators 8
Sensitive Data Categorization 9
Principles 10
Modeling Secure Schemas 12
Schema Profiles 12
Object Owner Accounts 13
User Access Accounts 14
Getting Started 16
User Profiles 16
Schema Naming 18
Security Architecture Checklist 19
Summary 20
2 Transparent Data Encryption 21
Encryption 101 23
Goal of Encryption 23
The Basics 23
Encryption Choices 24
The Algorithm and the Key 24
Encrypting Data Stored in the Database 28
Where the Data “Sleeps” 28
Protecting the Data 29
Viewing the Data 30
Applied Example 31
Encrypting in the Database 32
The Transparent Data Encryption Solution 33
TDE as Part of the Advanced Security Option 33
TDE Setup: Oracle 10g 34
The Oracle Wallet 35
TDE’s Key Management 37
Creating an Encrypted Column in a New Table 38
Viewing Encrypted Columns 41
Encrypting an Existing Column 41
TDE Caveats 44
Tablespace Encryption: New with Oracle 11g 44
Oracle 11g Configuration 45
TDE to Address PCI-DSS 47
Operational Concerns 49
Exporting and Importing Encrypted Data 52
Integration with Hardware Security Modules 53
Summary 55
3 Applied Auditing and Audit Vault 57
An Era of Governance 58
Auditing for Nonsecurity Reasons 59
The Audit Data Warehouse 59
Audit Warehouse Objectives 60
What to Audit and When to Audit 63
Guiding Principles 63
Audit Patterns 64
Other Audit Action Best Practices 67
The Audit Warehouse Becomes the Audit Vault 68
Audit Vault Architecture 69
Installation Options 70
Installing Audit Vault Server 70
Installing Audit Vault Collection Agent 71
Installation Caveats 75
Reporting 79
Alerts 80
Managing Audit Policy for Source Databases 84
Audit Maintenance Operations 86
Summary 88
PART II
Oracle Database Vault
4 Database Vault Introduction 93
The Security Gap 94
History of Privileged Accounts 94
Database Vault Components 100
Factors 101
Rules 101
Realms 102
Command Rules 104
Installing Oracle Database Vault 105
Installed DBV Administration Roles 105
Managing Oracle DBV Configuration 106
Default Separation of Duty 110
Default Audit Policy 115
Default Security-relevant DBV Factors 115
Summary: Database Vault Is Differentiating Security 116
5 Database Vault Fundamentals 117
Realms 118
Realm Protection Patterns 122
Creating Your First Realm 124
Realm Components 127
Command Rules 136
Command Rule Components 139
Commands Supported in Command Rules 143
DBV CONNECT Command Rule 144
Rule Sets 147
Rule Set Evaluation Mode 147
Rule Set Auditing 148
Custom Event Handlers 150
Rule Configuration 151
DBV Rule Set Event Functions 154
DBV Factors Used in Rule Set Expressions 156
Factors 157
Creating Factors 158
Factor Identities 163
DBV Factor Integration with OLS 174
DBV Secure Application Roles 194
Summary 198
6 Applied Database Vault for Custom Applications 199
Notional Database Applications Environment 200
From Requirements to Security Profile Design 202
Requirements Technique: Use Cases and Scenarios 202
Analyzing Requirements: Example Use Case 203
Identify Coarse-Grained Security Profile 205
Identify Fine-Grained Security Profile 208
Identify DBV Factors Based on Business or System Conditions 209
Centralizing PL/SQL Routines for DBV Factors and Rules 211
Factors Based on Compliance 215
Factors Based on Conflict of Interest or Separation of Duty 216
Factors Based on Organizational Policy 217
Factors Based on Identity Management 217
Factors Based on Access Path or Operational Context 218
Factors Based on Time or Sequential Conditions 219
Factors Based on Data or Events Stored Externally 220
Incorporating DBV Factors in Your Application 220
Identify DBV Realms and Realm Objects Based on Objects 224
Configure Standard Object-level Auditing for Realm-protected Objects 226
Configure RLS on Realm-protected Objects 227
Identify Accounts, Roles, and DBV Realm Authorizations from Use Case Actors 228
Secure Schemas Under DBV 228
User Access Accounts 231
Example Implementation of Secure Schemas with DBV 239
Post-configuration Account Provisioning 267
Establish DBV Command Rules from Conditions 267
Configure System-level Auditing 280
Establish DBV Secure Application Roles from Conditions 281
Summary 284
7 Applied Database Vault for Existing Applications 287
Audit Capture Preparation 288
Capturing Audits 289
Analyzing the Audit Trail 290
DBV Realms from Object-Owner Accounts 292
DBV Realm Secured Objects 292
DBV Realm Authorizations 296
Identify End User Access Accounts and Roles for DBV SARs 310
Identifying DBV Command Rules from Conditions 311
Identifying DBV Factors Based on Business or System Conditions 318
Refining the DBV Policy Design 327
Deploying and Validating the DBV Policy 327
Integrating DBV with Oracle Database Features 329
Oracle Text 329
Oracle Spatial 332
Expression Filters 333
Oracle Streams Advanced Queuing 336
Transparent Data Encryption 341
Oracle Recovery Manager 342
Gathering Statistics on Realm-protected Schemas 343
EXPLAIN PLAN on Realm-protected Schemas 343
Advanced Monitoring and Alerting with a DBV Database 344
Monitoring and Alerting on DBV with OEM GC 345
Extending the DBV Rule Set Custom Event Handler 348
Summary 352
PART III
Identity Management
8 Architecting Identity Management 357
Understanding the Problem with Identity Management 358
Central Issuance Authority 359
Architecting Identity Management 360
Identity Management Discovery 361
Identity Management Patterns 366
Oracle Identity Management Solutions 372
User Provisioning 372
Directory Management 373
Authentication Management 374
Authorization Management 378
Role Mining and Management 381
Summary 383
9 Oracle Identity Manager 385
The User Provisioning Challenge 386
Oracle Identity Manager Overview 386
User 387
User Group 387
Organization 388
Access Policy 389
Resource Object 390
IT Resource 390
User Provisioning Processes 390
Discretionary Account Provisioning 391
Self-Service Provisioning 392
Workflow-based Provisioning 393
Access Policy–driven Provisioning 394
User Provisioning Integrations 397
Prebuilt Connectors 397
Generic Technology Connector 397
Reconciliation Integrations 398
Compliance Solutions 399
Attestation 399
Access Reporting 401
OIM Deployment 402
Summary 403
10 Oracle Directory Services 405
Identity Management and the LDAP Directory 406
Oracle Internet Directory 406
OID Architecture 407
OID Synchronizations 408
Directory Virtualization and Oracle Virtual Directory 409
OVD 101 410
OVD Architecture 410
OVD Applied 413
OVD Installation 413
Creating a New OVD Server 413
Initializing the Virtual LDAP Tree Using a Local Store Adapter 414
Integrating OVD with an Active Directory LDAP Server 415
Integrating OVD with an Oracle Database 419
Joining Information in OVD 424
Summary 430
PART IV Applied Security for Oracle APEX and Oracle Business Intelligence
11 Web-centric Security in APEX 433
Introduction to the APEX Environment 434
Components and Configurations 434
Architecture 435
APEX and Database Roles 437
APEX Sessions 438
Securing an APEX Instance 439
APEX Security Settings 439
Securing the Application Server Tier 443
Prevent Web-based Attacks with mod_security 449
SSL/TLS Techniques 451
Protecting the APEX Database Schemas 456
Database Vault and APEX 457
Summary 459
12 Secure Coding Practices in APEX 461
Authentication and Authorization 462
Authentication Schemes 462
Custom Table of Usernames and Passwords 463
Authorization Schemes 468
SQL Injection 472
Example 1: The Wrong Way 473
Example 2: The Right Way 475
Cross-site Scripting 476
URL Tampering 478
Leveraging Database Security Features 483
Virtual Private Database 484
Fine-grained Auditing 489
Summary 496
13 Securing Access to Oracle BI 497
The Challenge in Securing BI 499
System Users 499
Security in the Warehouse vs the Transactional System 499
What Needs To Be Secured 501
Mechanics of Accessing Data with Oracle BI 502
Architecture 502
Connection Pools 504
Variables 506
Authentication and Authorization 510
Authentication Options 510
Authorization 516
Single Sign-On 524
SSO Options 524
Deploying in a Secure Environment 530
SSL Everywhere 530
Encrypted Outward Connections 530
Securing the BI Cache 531
Public-facing Applications 532
Firewalls and DMZs 532
Public User 533
Summary 533
14 Securing Oracle BI Content and Data 535
Securing Web Catalog Content 536
Web Catalog Groups 537
Folder-based Security 537
iBot Security 538
Securing BI Publisher Catalog Content 539
Conveying Identity to the Database 540
Setting Client Identifiers 540
Securing Data Presented by Oracle BI 541
Security Policies Within the BI Server 542
Integrating Oracle BI with Database Security Policies 551
Deciding When to Use VPD or Oracle BI Row-level Security 559
Oracle BI and Database Vault 561
Factors and Oracle BI 561
Realms and Oracle BI 563
Auditing 563
Usage Tracking 564
Database Auditing 565
Combining Usage Tracking and Database Auditing 566
BI Features with Security Implications 567
Default Privileges 567
Act as Proxy 568
Direct Database Requests 571
Advanced Tab 574
Direct Access to the BI Server 575
Web Services Access 576
Summary 576
A Using the Oracle BI Examples 579
Users and Groups 580
Database Preparations 581
Database Auditing 582
Database Scripts 582
Oracle BI Setup 583
Credential Store 583
BI Publisher Superuser 584
Other BI Publisher Configuration Steps 584
Sample BI Publisher Report 585
Scheduler Configuration 585
Usage Tracking 585