Security and Compliance with Oracle Database 12cPosted: December 5, 2014
Oracle Key Vault
Master Key in Vault – Transparent Data Encryption.
– Validate encryption keys
– Create encrypted tablespace
– Move data into encrypted tablespace
– Verify encryption
– Drop unencrypted tablespace without dropping database files
– Securely delete unencrypted database files
– Separate instance
– Audit data sent to this instance
– Only allow certain sql statements
– Can use unique so predicate values do not result in duplicate entries
– Can first capture and login data
– Can select whitelist policy (Pass,Logging Level Unique)
– Does not pickup local connections as these are not over the network
– New SQL Statements go to default rule and can be blocked.
– Default rule can also substitute the statement.
– Assigned Firewall Policy to secured target.
– Create dba user set
– Add exception to policy for dba user set
Database Firewall works at OSI Application (SQL*Net) layer.
Multiple Database Firewalls can connect to 1 Audit Server.
Privileged Account Management – proxy server bob->oracle
– Realms, transparently Block DBA privileges from accessing data
– Command Rules – grant with admin option – can filter
– Installed by default with 12c, just need to enable.
– DBA, Account Administrator, Security Administrator (Database Vault,Realms,Command Rules)
– Oracle 12c adds Mandatory Realm, even table owner cannot access table unless part of the realm.
– Oracle 12c adds privilege analysis, run db in training mode.
– Realm Audit Report shows attempted violations
– Need to enable OLS (Oracle Label Security) to use Database Vault
– Still need traditional object privileges access as well.
– Can specify that a user can only access a realm during business hours
– Can use PL/SQL procedure to apply restrictions
– User can be in multiple realms and all realms must allow access.
– PL/SQL function DVSYS.SQL_TEXT is parsed sql text without comments.
Dask Masking and Subsetting
– Change but keep checksum the same
– Keep primary/foreign keys in sync.
Oracle Internet Directory, Oracle Virtual Directory, Now Oracle Unified Directory consume user/group information from Active Directory, do not need to change AD schema. Roles for users done via groups in AD.