As part of Quest Experience Week 2019, Richard Evans, of database security product management at Oracle, spoke about the top 10 security features you might not be using. The starting point is to assess your company’s state in terms of the sensitivity of its data, its users and privileges, and its general configuration. The goal is to be able to detect improper access to data, conduct audits, and identify anomalies, and to implement preventive data controls, encrypt data at rest and in motion, and improve key management practices.
10 Database Security Features
Security Feature 1: Transparent Sensitive Data Protection (TSDP)
TSDP offers a way to find and classify table columns that hold sensitive information. You tag a column with a sensitive type, define a protection policy once for that type, and the policy follows the tag to every column of that type throughout your organization; TSDP can drive Data Redaction, Virtual Private Database, TDE column encryption, and unified audit policies in this way. TSDP is now included in Enterprise Edition.
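The tag-then-protect flow described above, as an added example (not code from the talk or from Oracle's own material): a sensitive type is created, one column is classified with it, a partial Data Redaction policy is defined once and associated with the type, and protection is switched on for the whole type. Schema HR, table EMPLOYEES, column CC_NUMBER, the role PAYMENT_ADMIN and the policy names are assumed.

```sql
-- Added example, not from the talk. HR.EMPLOYEES.CC_NUMBER, PAYMENT_ADMIN and
-- all policy/type names are assumptions.

-- 1. Define a sensitive type: the "tag" that columns will carry.
BEGIN
  DBMS_TSDP_MANAGE.ADD_SENSITIVE_TYPE(
    sensitive_type => 'credit_card_num_type',
    user_comment   => 'Payment card numbers (PCI scope)');
END;
/

-- 2. Classify a column. In practice discovery results are imported in bulk
--    (DBMS_TSDP_MANAGE.IMPORT_DISCOVERY_RESULT); here one column is tagged by hand.
BEGIN
  DBMS_TSDP_MANAGE.ADD_SENSITIVE_COLUMN(
    schema_name    => 'HR',
    table_name     => 'EMPLOYEES',
    column_name    => 'CC_NUMBER',
    sensitive_type => 'credit_card_num_type');
END;
/

-- 3. Define the protection once: partial redaction that keeps the last four
--    digits for every session that does not have the PAYMENT_ADMIN role enabled.
DECLARE
  redact_options   DBMS_TSDP_PROTECT.FEATURE_OPTIONS;
  apply_conditions DBMS_TSDP_PROTECT.POLICY_CONDITIONS;
BEGIN
  redact_options('expression')          :=
      'SYS_CONTEXT(''SYS_SESSION_ROLES'', ''PAYMENT_ADMIN'') = ''FALSE''';
  redact_options('function_type')       := 'DBMS_REDACT.PARTIAL';
  redact_options('function_parameters') :=
      'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,*,1,12';
  apply_conditions(DBMS_TSDP_PROTECT.DATATYPE) := 'VARCHAR2';

  DBMS_TSDP_PROTECT.ADD_POLICY('redact_card_numbers',
                               DBMS_TSDP_PROTECT.REDACT,
                               redact_options,
                               apply_conditions);
END;
/

-- 4. Bind the policy to the type and enable it. Every column tagged
--    credit_card_num_type, in any schema, is now redacted by this one step.
BEGIN
  DBMS_TSDP_PROTECT.ASSOCIATE_POLICY('redact_card_numbers',
                                     'credit_card_num_type',
                                     TRUE);
  DBMS_TSDP_PROTECT.ENABLE_PROTECTION_TYPE('credit_card_num_type');
END;
/

-- 5. Review what is tagged and what is actually protected.
SELECT * FROM dba_sensitive_data;
SELECT * FROM dba_tsdp_policy_protection;
```

The check in step 5 is the one worth repeating after every schema change: a column that appears in DBA_SENSITIVE_DATA but not in DBA_TSDP_POLICY_PROTECTION is tagged but unprotected.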
Security Feature 2: Connection Manager (CMAN)
CMAN enables large numbers of users to connect to a single server by acting as a connection concentrator to “funnel” multiple client database sessions across a single network connection. It reduces operating system resource requirements by minimizing the number of network connections made to a server. System scalability significantly increases so that thousands of users can access a single database.
“Rather than opening up your firewall to other RAC IP addresses, set up a CMAN server in front and have CMAN proxy all those connections to the database,” said Evans. This is a classic security feature that is regularly updated and has new features being added.
When CMAN runs in the newer Traffic Director mode, in addition to the above it acts as a full database proxy and, configured through its cman.ora parameters, hides both planned and unplanned outages from the application to improve availability and performance. It also supports connection multiplexing and load balancing.
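The "CMAN in front, firewall only opened to CMAN" arrangement Evans describes comes down to the RULE_LIST in cman.ora. The configuration below is an added example, not from the talk; host names, IP addresses and the service name are placeholders. Only two named application servers may reach the database service, CMAN administration is allowed from the CMAN host itself, and everything else is rejected by a final catch-all rule.

```text
# cman.ora -- added example, not from the talk. Hosts, addresses and the
# service name are placeholders. Rules are evaluated in order, so the
# reject-all rule must stay last. MIT is the idle timeout in seconds.
cman_edge =
  (CONFIGURATION =
    (ADDRESS = (PROTOCOL = tcp)(HOST = cman01.example.com)(PORT = 1521))
    (RULE_LIST =
      (RULE = (SRC = cman01.example.com)(DST = 127.0.0.1)(SRV = cmon)(ACT = accept))
      (RULE = (SRC = 192.0.2.10)(DST = rac-scan.example.com)(SRV = sales.example.com)(ACT = accept)
              (ACTION_LIST = (MIT = 600)))
      (RULE = (SRC = 192.0.2.11)(DST = rac-scan.example.com)(SRV = sales.example.com)(ACT = accept)
              (ACTION_LIST = (MIT = 600)))
      (RULE = (SRC = *)(DST = *)(SRV = *)(ACT = reject)))
    (PARAMETER_LIST =
      (MAX_GATEWAY_PROCESSES = 8)
      (MIN_GATEWAY_PROCESSES = 2)
      (LOG_LEVEL = admin)))
```

With this in place the network firewall needs only two holes: application tier to cman01 on 1521, and cman01 to the RAC nodes. Clients point their connect descriptor at CMAN (with SOURCE_ROUTE=yes) and never learn or reach the RAC addresses directly; the first rule is what lets cmctl administer CMAN locally, and without it the administrative connection is rejected along with everything else.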
Security Feature 3: Real Application Security (RAS)
RAS is considered the “next generation” Virtual Private Database. It is an actively maintained database authorization model that does the following:
- Supports declarative security policies
- Enables end-to-end security for multitier applications
- Provides an integrated solution to secure database and application resources
- Advances the security architecture of Oracle Database to meet existing and emerging demands of applications developed for the internet
- Manages application security for application users rather than database users
- Enables developers to manage security for application-level tasks
- Enables an application user’s identity to be known during security enforcement
- Enables developers to return security to the database layer, either incrementally or all at once
The power of RAS is its ability to enforce, inside the database, the business logic that typically lives in the application tier. According to Evans, the same controls are then available to all applications without having to rewrite them for each custom application.
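A concrete RAS policy, as an added example that is not from the talk: application users and roles are RAS principals rather than database schemas, an ACL ties privileges to those roles, and a data security policy on HR.EMPLOYEES decides which rows a session sees and who may see the SALARY column. Every role, ACL, security class and user name, the password, and the department filter are assumed.

```sql
-- Added example, not from the talk. All principal, ACL, class and policy names
-- and the department_id = 60 realm are assumptions.

-- 1. Application roles and a lightweight application user (not a DB schema).
BEGIN
  SYS.XS_PRINCIPAL.CREATE_ROLE(name => 'hr_manager', enabled => TRUE);
  SYS.XS_PRINCIPAL.CREATE_ROLE(name => 'hr_clerk',   enabled => TRUE);
  SYS.XS_PRINCIPAL.CREATE_USER(name => 'amaris');
  SYS.XS_PRINCIPAL.SET_PASSWORD('amaris', 'Ch4ngeMe_Now');   -- assumed value
  SYS.XS_PRINCIPAL.GRANT_ROLES('amaris', 'hr_clerk');
END;
/

-- 2. A security class that adds an application privilege, VIEW_SALARY, on top
--    of the built-in DML privileges (SELECT, INSERT, UPDATE, DELETE).
BEGIN
  SYS.XS_SECURITY_CLASS.CREATE_SECURITY_CLASS(
    name           => 'hr_privileges',
    parent_list    => XS$NAME_LIST('sys.dml'),
    privilege_list => XS$PRIVILEGE_LIST(XS$PRIVILEGE(name => 'view_salary')));
END;
/

-- 3. An ACL: clerks may SELECT rows; managers may additionally see SALARY.
DECLARE
  aces XS$ACE_LIST := XS$ACE_LIST();
BEGIN
  aces.extend(2);
  aces(1) := XS$ACE_TYPE(privilege_list => XS$NAME_LIST('select'),
                         principal_name => 'hr_clerk');
  aces(2) := XS$ACE_TYPE(privilege_list => XS$NAME_LIST('select', 'view_salary'),
                         principal_name => 'hr_manager');
  SYS.XS_ACL.CREATE_ACL(name      => 'hr_emp_acl',
                        ace_list  => aces,
                        sec_class => 'hr_privileges');
END;
/

-- 4. The data security policy: a realm (which rows the ACL governs) and a
--    column constraint (which privilege unlocks SALARY), applied to the table.
DECLARE
  realms XS$REALM_CONSTRAINT_LIST  := XS$REALM_CONSTRAINT_LIST();
  cols   XS$COLUMN_CONSTRAINT_LIST := XS$COLUMN_CONSTRAINT_LIST();
BEGIN
  realms.extend(1);
  realms(1) := XS$REALM_CONSTRAINT_TYPE(realm    => 'department_id = 60',
                                        acl_list => XS$NAME_LIST('hr_emp_acl'));
  cols.extend(1);
  cols(1) := XS$COLUMN_CONSTRAINT_TYPE(column_list => XS$LIST('salary'),
                                       privilege   => 'view_salary');
  SYS.XS_DATA_SECURITY.CREATE_POLICY(name                   => 'employees_ds',
                                     realm_constraint_list  => realms,
                                     column_constraint_list => cols);
  SYS.XS_DATA_SECURITY.APPLY_OBJECT_POLICY(policy => 'employees_ds',
                                           schema => 'hr',
                                           object => 'employees');
END;
/

-- 5. Verify the policy is attached. In an hr_clerk session for 'amaris' only
--    department 60 rows are returned and SALARY reads as NULL; an hr_manager
--    session sees the salary values; a plain database session with no
--    matching ACL sees no rows at all.
SELECT * FROM dba_xs_applied_policies;
```

The point to notice is where the rule lives: nothing in the application has to know about department 60 or about who may read salaries. A second application, a reporting tool, or an ad-hoc SQL session all hit the same realm and column constraints, which is the "same controls available to all applications" benefit Evans refers to.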
Security Feature 4: Unified Audit
Unified audit earns its name by consolidating the separate audit trails (standard audit, fine-grained audit, Database Vault, Label Security, and the rest) into a single trail exposed through one view, UNIFIED_AUDIT_TRAIL. Unified audit will be the default mode for all databases in Database 21c. Users have time to adapt but, in the interim, should take advantage of the capabilities.
So, what are the mechanics behind the security of unified audit? Access to the audit data is restricted. Any attempt to directly delete or update the trail’s contents fails and itself generates an audit record; purging is possible only through the DBMS_AUDIT_MGMT package. The audit data tablespace can be encrypted with Transparent Data Encryption. Access is also role-based: users with the AUDIT_ADMIN role can create and modify unified audit policies and view the audit trail, while users with only the AUDIT_VIEWER role can view the audit trail but not change policies.
Unified audit also has predefined audit policies that can be enabled. Audits can be based on client conditions, the component used, role membership, and exceptions. Audit trails can also be extended with information from default and custom application contexts.
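The capabilities in the two paragraphs above, as an added example (not from the talk): enabling predefined policies, a conditional policy on a table that exempts one account, a policy scoped by role membership, attaching application-context values to each record, the AUDIT_ADMIN/AUDIT_VIEWER split, and a purge that goes through the management API because direct DML on the trail is refused. Table, account, role, policy and context names are assumed.

```sql
-- Added example, not from the talk. HR.EMPLOYEES, hr_batch, hr_app, sec_admin,
-- soc_analyst, orders_ctx and the policy names are assumptions.

-- Predefined policies ship with the database; enable the ones worth having.
AUDIT POLICY ora_secureconfig;                            -- security-relevant DDL/admin
AUDIT POLICY ora_logon_failures WHENEVER NOT SUCCESSFUL;  -- failed logons only

-- Client condition: salary data touched by anything other than the payroll
-- application. Evaluated once per session (cheap), applied to everyone
-- except the nightly batch account.
CREATE AUDIT POLICY hr_salary_access
  ACTIONS SELECT ON hr.employees, UPDATE ON hr.employees, DELETE ON hr.employees
  WHEN 'SYS_CONTEXT(''USERENV'', ''CLIENT_PROGRAM_NAME'') <> ''payroll_app.exe'''
  EVALUATE PER SESSION;
AUDIT POLICY hr_salary_access EXCEPT hr_batch;

-- Role membership: account and privilege management by anyone holding DBA.
CREATE AUDIT POLICY dba_account_mgmt
  ACTIONS GRANT, REVOKE, CREATE USER, ALTER USER, DROP USER;
AUDIT POLICY dba_account_mgmt BY USERS WITH GRANTED ROLES dba;

-- Extend each record with application context (e.g. the real end user behind
-- a pooled connection). The namespace orders_ctx is assumed to exist.
AUDIT CONTEXT NAMESPACE orders_ctx ATTRIBUTES order_id, end_user BY hr_app;

-- Separation of duties: one role manages policies, the other can only read.
GRANT AUDIT_ADMIN  TO sec_admin;
GRANT AUDIT_VIEWER TO soc_analyst;

-- Review. UNIFIED_AUDIT_POLICIES names every policy that matched the record.
SELECT event_timestamp, dbusername, client_program_name, action_name,
       object_schema, object_name, unified_audit_policies, application_contexts
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%HR_SALARY_ACCESS%'
 ORDER BY event_timestamp DESC;

-- The trail is append-only: DELETE or UPDATE against it fails and is itself
-- audited. Purge only through the API, and only records older than the
-- archive timestamp you recorded after exporting them to the SIEM.
BEGIN
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    use_last_arch_timestamp => TRUE);
END;
/
```

Two practical notes: EVALUATE PER STATEMENT is the right choice when the condition depends on something that can change within a session (for example a context attribute set per request), and the EXCEPT list is worth reviewing as carefully as the policy itself, since an exempted account is exactly where an attacker would want to land.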
Security Feature 5: Network Access Control Lists
Network access control lists control the outgoing access of the database to external network services. Authorizations are based on host (IP address or name), port range, user or role, and privilege (connect or resolve). Rather than revoking execute privileges on the network packages outright, which breaks legitimate use, the strategy of this security feature is to lock down and control exactly which hosts and ports the database is allowed to reach.
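An added example (not from the talk) of the weak setting beside the corrected one, using the DBMS_NETWORK_ACL_ADMIN API: a wildcard host entry that lets an application account reach anything, removed and replaced by a single host and port. The principal APP_MAILER and the host smtp.example.com are assumed.

```sql
-- Added example, not from the talk. APP_MAILER and smtp.example.com are assumptions.

-- Weak form found in many databases: every host, every port, for an
-- application account. Together with UTL_HTTP/UTL_TCP this makes the
-- database an exfiltration channel and a pivot into the internal network.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
    host => '*',
    ace  => XS$ACE_TYPE(privilege_list => XS$NAME_LIST('connect', 'resolve'),
                        principal_name => 'APP_MAILER',
                        principal_type => XS_ACL.PTYPE_DB));
END;
/

-- Take the wildcard away again (same host, port range and ACE as granted).
BEGIN
  DBMS_NETWORK_ACL_ADMIN.REMOVE_HOST_ACE(
    host => '*',
    ace  => XS$ACE_TYPE(privilege_list => XS$NAME_LIST('connect', 'resolve'),
                        principal_name => 'APP_MAILER',
                        principal_type => XS_ACL.PTYPE_DB));
END;
/

-- Corrected form: one principal, one host, one port (SMTP submission).
-- 'resolve' is only needed if the code itself resolves names via UTL_INADDR.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
    host       => 'smtp.example.com',
    lower_port => 587,
    upper_port => 587,
    ace        => XS$ACE_TYPE(privilege_list => XS$NAME_LIST('connect'),
                              principal_name => 'APP_MAILER',
                              principal_type => XS_ACL.PTYPE_DB));
END;
/

-- Review everything that is allowed out. Any row with HOST = '*' or a wide
-- port range deserves a question, as does any principal that is PUBLIC.
SELECT host, lower_port, upper_port, principal, principal_type,
       privilege, grant_type
  FROM dba_host_aces
 ORDER BY host, lower_port, principal;
```

Note that the ACE must be removed with exactly the same host and port range it was granted with; a tighter APPEND does not replace a wider existing entry, it sits beside it, and the wildcard keeps winning.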
Security Feature 6: Network Encryption
Network encryption was introduced in Oracle Database 7.2, so it has been in circulation for a long time. However, it has been continuously improved. It has two options:
- Native network encryption
- Transport layer security
Both are available in the standard edition and enterprise edition.
Native network encryption offers ease of configuration: usually no client changes or certificates are required. Set the server parameter to “requested” first, and when you are ready switch it to “required” so that every client has to use it. Evans noted that this option is vulnerable to sophisticated attacks, but said it is nevertheless what most of his clients use.
Comparing the two, transport layer security is the stronger option and the industry standard, because the server (and optionally the client) is authenticated with certificates rather than the traffic merely being encrypted. The cost is that businesses have to manage certificates and their expirations.
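The “requested, then required” roll-out for native network encryption, as an added example that is not from the talk. This is a server-side sqlnet.ora fragment; the algorithm lists are my choice and are deliberately limited to current ciphers and checksums so that a client offering only legacy algorithms negotiates nothing and shows up in the check described below.

```text
# sqlnet.ora on the database server -- added example, not from the talk.
# Phase 1: ask for encryption and integrity, but do not yet refuse clients
# that cannot do it. A client set to "rejected" still connects in clear.
SQLNET.ENCRYPTION_SERVER            = requested
SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256, AES192, AES128)
SQLNET.CRYPTO_CHECKSUM_SERVER       = requested
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA512, SHA384, SHA256)

# Phase 2, once every client has been seen negotiating encryption: enforce.
# Clients that cannot comply now fail to connect instead of silently
# falling back to clear text.
# SQLNET.ENCRYPTION_SERVER            = required
# SQLNET.CRYPTO_CHECKSUM_SERVER       = required
```

To find out which sessions actually negotiated encryption during phase 1, query V$SESSION_CONNECT_INFO: the NETWORK_SERVICE_BANNER column carries an “Encryption service adapter” line naming the algorithm for sessions that did, and lacks it for sessions that are still in clear. Only move to “required” once that query returns no clear-text sessions over a full business cycle.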
Security Feature 7: Proxy Authentication
Proxy authentication allows an authorized user to connect on behalf of another user without knowing that user’s password. When the application account connects on behalf of another user, it still authenticates with its own password; the target user’s password is never needed. Proxy authentication is available in Standard and Enterprise Edition.
Proxy authentication is helpful when there is a need to export a schema, to connect as an application user without holding that user’s credentials, or to connect as a user that has no password at all.
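The three cases just listed, as an added example (not from the talk): a proxy account is allowed to connect as HR with only one role enabled, a password-less schema-only account is made reachable only through the proxy, and both identities are checked from inside the session. APP_PROXY, HR, BILLING, HR_REPORTING and the service name are assumed.

```sql
-- Added example, not from the talk. APP_PROXY, HR, BILLING, HR_REPORTING and
-- orclpdb1 are assumptions.

-- Let APP_PROXY connect as HR, but with only HR_REPORTING enabled rather than
-- all of HR's default roles. AUTHENTICATION REQUIRED means the proxy must
-- present its own password; HR's password is never needed or disclosed.
ALTER USER hr GRANT CONNECT THROUGH app_proxy
  WITH ROLE hr_reporting
  AUTHENTICATION REQUIRED;

-- A schema-only account (NO AUTHENTICATION, 18c and later) has no password at
-- all, so proxying is the only way anyone gets a session as it, e.g. for a
-- Data Pump export of that schema.
CREATE USER billing NO AUTHENTICATION;
ALTER USER billing GRANT CONNECT THROUGH app_proxy;

-- Client side (SQL*Plus syntax): proxy credentials, target user in brackets.
--   sqlplus app_proxy[hr]/app_proxy_password@orclpdb1
-- Inside that session both identities are visible, and unified audit records
-- carry the proxy in DBPROXY_USERNAME next to DBUSERNAME.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user
  FROM dual;

-- Who may proxy as whom, and with which roles. Review this regularly: a
-- forgotten GRANT CONNECT THROUGH is a standing path into another account.
SELECT proxy, client, authentication, role
  FROM proxy_users
 ORDER BY proxy, client;

-- Revoke when the integration is retired.
ALTER USER hr REVOKE CONNECT THROUGH app_proxy;
```

The WITH ROLE clause is the detail that matters for least privilege: without it, a compromised proxy account gets everything the target user has.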
Evans suggested that those who would like to learn more should go to “Ask TOM” at https://asktom.oracle.com on the second Thursday of every month. The site offers sessions on various products and includes a session on Database Vault and proxy users.
Security Feature 8: Kerberos Authentication
Kerberos authentication is a trusted third-party authentication system that relies on shared secrets. Tickets and symmetric-key cryptography are used to eliminate the need to transmit passwords across the network. Kerberos suits organizations that need only authentication (not directory-managed authorization) and want the simplest form of Microsoft Active Directory integration.
One benefit of Kerberos authentication is single sign-on between the Windows desktop and the Oracle Database. Authentication is performed by the Kerberos Key Distribution Center (KDC). It requires no schema changes to, or plug-ins on, the domain controller.
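The database side of that single sign-on, as an added example that is not from the talk: a user is identified by its Kerberos principal instead of a password, and the session is checked to confirm a ticket, not a password, was used. It assumes the server’s sqlnet.ora already lists KERBEROS5 in SQLNET.AUTHENTICATION_SERVICES and points SQLNET.KERBEROS5_CONF and SQLNET.KERBEROS5_KEYTAB at a keytab for the database’s service principal; the realm EXAMPLE.COM, user alice and service name are assumed.

```sql
-- Added example, not from the talk. alice, EXAMPLE.COM and orclpdb1 are
-- assumptions; the server is assumed to be configured for KERBEROS5 already.

-- The database user carries no password: it is identified by the Kerberos
-- principal name, which is case-sensitive and includes the realm.
CREATE USER alice IDENTIFIED EXTERNALLY AS 'alice@EXAMPLE.COM';
GRANT CREATE SESSION TO alice;

-- A client holding a valid ticket (kinit, or the Windows logon ticket)
-- connects with no password at all:   sqlplus /@orclpdb1

-- Inside the session, confirm how it was authenticated. Anything other than
-- KERBEROS here means the ticket was not used and another path is open.
SELECT SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD') AS auth_method,
       SYS_CONTEXT('USERENV', 'EXTERNAL_NAME')          AS external_name
  FROM dual;

-- Accounts that still have a database password bypass single sign-on and its
-- lockout and expiry policy; list them so they can be converted or justified.
SELECT username, authentication_type, external_name
  FROM dba_users
 WHERE oracle_maintained = 'N'
 ORDER BY authentication_type, username;
```

The second query is the useful recurring check: once SSO is in place, a non-Oracle-maintained account whose AUTHENTICATION_TYPE is still PASSWORD is either a service account that should be documented or a backdoor that should not exist.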
Security Feature 9: Pluggable Database (PDB) Lockdown Profiles
PDB lockdown profiles are available in Standard and Enterprise Edition. A lockdown profile is a mechanism to restrict certain operations or functionalities in a pluggable database (PDB). This multitenant feature is created and managed by a common user in the container database (CDB) root and is attached to a PDB through the PDB_LOCKDOWN parameter, restricting what users in that PDB can do regardless of the privileges they hold. Lockdown profiles complement, rather than replace, limiting the privileges granted to users.
A lockdown profile can prevent PDB users from:
- Executing certain SQL statements, such as ALTER SYSTEM and ALTER SESSION
- Running procedures that access the network (e.g., UTL_SMTP, UTL_HTTP)
- Accessing a common user’s objects
- Interacting with the OS (in addition to the capabilities covered by PDB_OS_CREDENTIAL)
- Making unrestricted cross-PDB connections in a CDB
- Taking Automatic Workload Repository [AWR] snapshots
- Using Java partially or as a whole
- Using certain database options such as Advanced Queuing and Partitioning
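A lockdown profile covering most of the items in the list above, as an added example that is not from the talk. It is created in CDB$ROOT, attached to one tenant PDB, and then read back; the profile name TENANT_STD, the PDB name tenant01 and the two parameters left tunable are assumed.

```sql
-- Added example, not from the talk. TENANT_STD and tenant01 are assumptions.
-- Run in CDB$ROOT as a common user holding CREATE LOCKDOWN PROFILE.
CREATE LOCKDOWN PROFILE tenant_std;

-- ALTER SYSTEM is disabled outright, then re-enabled only for a small
-- allow-list of SET clauses the tenant may legitimately tune.
ALTER LOCKDOWN PROFILE tenant_std DISABLE STATEMENT = ('ALTER SYSTEM');
ALTER LOCKDOWN PROFILE tenant_std ENABLE  STATEMENT = ('ALTER SYSTEM')
  CLAUSE = ('SET') OPTION = ('OPEN_CURSORS', 'CURSOR_SHARING');

-- No outbound network (UTL_HTTP, UTL_TCP, UTL_SMTP, DBMS_LDAP, ...), no OS
-- interaction, no AWR snapshots, no Java, and no cross-PDB connections by
-- common users from inside this PDB.
ALTER LOCKDOWN PROFILE tenant_std DISABLE FEATURE = ('NETWORK_ACCESS');
ALTER LOCKDOWN PROFILE tenant_std DISABLE FEATURE = ('OS_ACCESS');
ALTER LOCKDOWN PROFILE tenant_std DISABLE FEATURE = ('AWR_ACCESS');
ALTER LOCKDOWN PROFILE tenant_std DISABLE FEATURE = ('JAVA');
ALTER LOCKDOWN PROFILE tenant_std DISABLE FEATURE = ('COMMON_USER_CONNECT');

-- Options the tenant is not licensed or not allowed to use.
ALTER LOCKDOWN PROFILE tenant_std DISABLE OPTION = ('PARTITIONING');
ALTER LOCKDOWN PROFILE tenant_std DISABLE OPTION = ('DATABASE QUEUING');

-- Attach the profile to the PDB. Because ALTER SYSTEM is itself locked down
-- inside the PDB, a local DBA there cannot simply reset PDB_LOCKDOWN.
ALTER SESSION SET CONTAINER = tenant01;
ALTER SYSTEM SET pdb_lockdown = tenant_std;

-- Read back the rules that now apply.
SELECT profile_name, rule_type, rule, clause, clause_option, status
  FROM dba_lockdown_profiles
 WHERE profile_name = 'TENANT_STD'
 ORDER BY rule_type, rule, clause, clause_option;
```

The DISABLE-everything-then-ENABLE-a-list pattern is the one to copy: a profile that only disables specific options is an allow-list written backwards, and every new parameter Oracle adds is permitted by default.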
Security Feature 10: Privilege Analysis
Privilege analysis can be used to build purpose-specific roles instead of handing out the default, broadly privileged ones. It tracks privilege and role usage by a database user for a period of time, and administrators can then view which roles and privileges were used and which were not. This helps determine the right limits on privileges for roles and users. It can also be used to compare the privileges exercised against the privileges granted, to enforce separation of duties, and to reduce the damage an account can do in the event that it is abused or its credentials are stolen.
Other benefits of privilege analysis include:
- Reducing the impact of a compromised DBA account
- Working toward a least privilege model
- Causing minimal performance impact during capture
- Running in individual CDBs or PDBs, not globally
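A complete privilege-analysis cycle with DBMS_PRIVILEGE_CAPTURE, as an added example that is not from the talk: capture what an application account actually uses out of the DBA role, report used and unused privileges, and only then replace DBA with a minimal role. The capture name, the account APP_SVC and the role APP_SVC_MIN are assumed.

```sql
-- Added example, not from the talk. app_svc_dba_usage, APP_SVC and
-- APP_SVC_MIN are assumptions.

-- 1. Capture only while the DBA role is active (type G_ROLE) rather than for
--    the whole database, to keep both the overhead and the result focused.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'app_svc_dba_usage',
    description => 'What does APP_SVC really use out of DBA?',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => ROLE_NAME_LIST('DBA'));
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'app_svc_dba_usage');
END;
/

-- 2. Let the real workload run for a full business cycle (month-end, batch
--    windows, a release deployment), then stop and materialise the results.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'app_svc_dba_usage');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'app_svc_dba_usage');
END;
/

-- 3. System privileges used, and the role path each one was exercised through.
SELECT username, sys_priv, used_role, path
  FROM dba_used_sysprivs_path
 WHERE capture = 'app_svc_dba_usage' AND username = 'APP_SVC'
 ORDER BY sys_priv;

-- 4. Object privileges actually exercised.
SELECT username, obj_priv, object_owner, object_name
  FROM dba_used_objprivs
 WHERE capture = 'app_svc_dba_usage' AND username = 'APP_SVC'
 ORDER BY object_owner, object_name;

-- 5. Granted but never used: the candidates to drop.
SELECT username, sys_priv
  FROM dba_unused_sysprivs
 WHERE capture = 'app_svc_dba_usage' AND username = 'APP_SVC'
 ORDER BY sys_priv;

-- 6. Build the minimal role from steps 3 and 4 (one GRANT per returned row,
--    reviewed by a human), grant it, and only then take DBA away.
CREATE ROLE app_svc_min;
GRANT app_svc_min TO app_svc;
REVOKE dba FROM app_svc;

-- 7. Housekeeping.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DROP_CAPTURE(name => 'app_svc_dba_usage');
END;
/
```

The ordering in step 6 is deliberate: grant the new role, verify the application over at least one more cycle, and revoke DBA last, so that a privilege the capture window happened to miss fails loudly with the old grant still one command away.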