Dear Readers,
My name is Franz Devantier, creator of this blog. I am an Oracle Certified Professional (OCP DBA 11g) Security DBA.
I will be sharing with you the basic duties of an Oracle DBA, and also some of the undocumented and not-so-well-known tasks.
Security, Policies and Tips - Part 2
What Information Security Policies Can Include
First, all the requirements that are appropriate for the specific environment must be addressed. In addition, there are technical measures you can implement to address generic or already documented issues.
Issues that Security Policies should address
Security Issue | Recommended Actions
--- | ---
Establishing and maintaining application-level security | Use privileges and roles designed for the specific application and attach them to the application. Ensure that these roles and privileges cannot be abused by users who are not logged in through the application. The roles and privileges can be granted to specified users connecting from a certain IP address or address range, or through a particular middle tier.
Manage system, object and user privileges and attributes | Only certain users should be permitted to access, process or alter data. Only certain users should be allowed to execute a certain type of SQL statement, or to access another schema's objects. Limits should be applied to a user's access to actions on schemas, tables, table rows and columns, and to resources such as CPU time, connect time and idle time.
Create, manage and control roles | Create roles, consisting of groups of privileges and other roles, that can be granted to users and, preferably, enabled dynamically only when the user is authorized and actually needs them.
Fine-grained access control | You can securely store user-based attributes such as username and employee number that can be retrieved in a user session to enable fine-grained access control. You can then create security policies and attach them to the tables containing sensitive data that are used by an application. Queries and DML statements on such objects are then rewritten dynamically and transparently to the user, which prevents inappropriate access to the data. You can enforce fine-grained or label-based access to data with policy functions, or with data and user labels. This configuration can quickly limit access to sensitive data with minimal programming.
Establishing and managing encryption | Use SSL connections, preferably with PKI certificates, for critical or sensitive data transmissions and application communications.
Setting up and maintaining security in 3-tier applications | Preserve the identity of the user through the middle tier to the database. Avoid the overhead of separate database connections per user, for example by proxying user identities and credentials (password, certificate, etc.) through the middle tier to the database.
Controlling select/query access and the misuse of data; controlling intrusions | You can monitor query access based on specific content or rows in order to detect data misuse or intrusions. Use proxy authentication so that proxied user connections can be audited under the real user's identity. Use regular auditing, plus fine-grained auditing, to detect inappropriate access to the data or inappropriate actions.
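The first three rows of the table (application-level security, privileges and resource limits, and roles) and the 3-tier row all come together in one Oracle construct: a secure application role that is enabled only by a package, which in turn checks how the session arrived. The script below is an added example, not code from the original post. The HR schema, the JSMITH and APP_SERVER accounts, the HR_APP_ROLE role, the HR_SEC package, the 10.1.5.x subnet and the placeholder passwords are all assumptions for illustration.

```sql
-- Added example; not from the original post. All names (HR schema, JSMITH,
-- APP_SERVER, HR_APP_ROLE, HR_SEC, the 10.1.5.x subnet, placeholder passwords)
-- are assumptions for illustration.

-- 1. Resource limits (CPU, connect time, idle time) belong in a profile, and
--    are only enforced when RESOURCE_LIMIT is TRUE.
ALTER SYSTEM SET RESOURCE_LIMIT = TRUE;
CREATE PROFILE hr_app_profile LIMIT
  SESSIONS_PER_USER      3
  CPU_PER_SESSION        60000    -- hundredths of a second
  CONNECT_TIME           480      -- minutes
  IDLE_TIME              15       -- minutes
  FAILED_LOGIN_ATTEMPTS  5
  PASSWORD_LIFE_TIME     90;

-- 2. The end user gets only CREATE SESSION directly; all data access is via the role.
CREATE USER jsmith IDENTIFIED BY "Placeholder_Pw1" PROFILE hr_app_profile;
GRANT CREATE SESSION TO jsmith;

-- 3. The middle-tier account that proxies for end users. It has no privileges
--    of its own on HR data; it may only connect "as" jsmith.
CREATE USER app_server IDENTIFIED BY "Placeholder_Pw2";
GRANT CREATE SESSION TO app_server;
ALTER USER jsmith GRANT CONNECT THROUGH app_server;

-- 4. The package that decides whether the role may be enabled. A secure
--    application role's package must use invoker's rights (AUTHID CURRENT_USER).
CREATE OR REPLACE PACKAGE hr.hr_sec AUTHID CURRENT_USER AS
  PROCEDURE enable_app_role;
END hr_sec;
/
CREATE OR REPLACE PACKAGE BODY hr.hr_sec AS
  PROCEDURE enable_app_role IS
  BEGIN
    -- Enable the role only for sessions that (a) came through the application's
    -- proxy account, (b) from the application-server subnet, and (c) over TCPS,
    -- i.e. an SSL-protected connection. In a proxied session IP_ADDRESS is the
    -- middle tier's address, which is exactly what we want to pin here.
    IF SYS_CONTEXT('USERENV', 'PROXY_USER') = 'APP_SERVER'
       AND SYS_CONTEXT('USERENV', 'IP_ADDRESS') LIKE '10.1.5.%'
       AND UPPER(SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL')) = 'TCPS'
    THEN
      DBMS_SESSION.SET_ROLE('hr_app_role');
    ELSE
      RAISE_APPLICATION_ERROR(-20001,
        'hr_app_role may only be enabled through the HR application');
    END IF;
  END enable_app_role;
END hr_sec;
/

-- 5. The role itself: "IDENTIFIED USING" means a plain SET ROLE by the user
--    is refused; only the named package can enable it.
CREATE ROLE hr_app_role IDENTIFIED USING hr.hr_sec;
GRANT SELECT, UPDATE ON hr.employees TO hr_app_role;
GRANT hr_app_role TO jsmith;
-- Keep it out of the default roles, so jsmith logging in directly with
-- SQL*Plus has no access to hr.employees at all.
ALTER USER jsmith DEFAULT ROLE ALL EXCEPT hr_app_role;

-- 6. What the middle tier does: connect as app_server on behalf of jsmith
--    (SQL*Plus proxy syntax shown as a comment; JDBC uses openProxySession),
--    then ask the package for the role.
--      CONNECT app_server[jsmith]/Placeholder_Pw2@hrdb
BEGIN
  hr.hr_sec.enable_app_role;
END;
/
-- Confirm who the database thinks we are, how we got here, and that only the
-- application role is active.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')      AS db_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')        AS proxied_by,
       SYS_CONTEXT('USERENV', 'IP_ADDRESS')        AS client_ip,
       SYS_CONTEXT('USERENV', 'NETWORK_PROTOCOL')  AS protocol
  FROM dual;
SELECT role FROM session_roles;
```

The point of the combination is that the same user account is worthless outside the application: from a desktop SQL client, jsmith can connect but has no role, SET ROLE hr_app_role is refused, and calling the package fails the PROXY_USER and network checks. Auditing still records JSMITH as the acting user because proxy authentication preserves the end-user identity through the middle tier.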
All of the security practices and recommended actions above can be implemented using Oracle features, facilities and products.
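The fine-grained access control row and the auditing row of the table map onto three more Oracle features: a secure application context holding the per-user attributes, a Virtual Private Database policy (DBMS_RLS) that rewrites statements with a predicate built from those attributes, and fine-grained auditing (DBMS_FGA) plus standard auditing of the proxy account. The script below is an added example, not code from the original post. The HR schema, the EMPLOYEES table with EMPLOYEE_ID, MANAGER_ID and SALARY columns, the APP_USERS mapping table, the HR_CTX context, the HR_SEC_CTX package, the APP_SERVER proxy account and the sample row are all assumptions.

```sql
-- Added example; not from the original post. Names (HR schema, EMPLOYEES with
-- EMPLOYEE_ID / MANAGER_ID / SALARY, APP_USERS, HR_CTX, HR_SEC_CTX, APP_SERVER)
-- and the sample mapping row are assumptions for illustration.

-- 1. Store the user attribute (employee number) in a table that is NOT covered
--    by the access policy, otherwise the lookup below would be filtered too.
CREATE TABLE hr.app_users (
  db_username  VARCHAR2(128) PRIMARY KEY,
  employee_id  NUMBER        NOT NULL);
INSERT INTO hr.app_users VALUES ('JSMITH', 107);   -- constructed sample mapping
COMMIT;

-- 2. A secure application context: only HR_SEC_CTX may set its attributes,
--    so users cannot forge their own employee number.
CREATE CONTEXT hr_ctx USING hr.hr_sec_ctx;

CREATE OR REPLACE PACKAGE hr.hr_sec_ctx AS
  PROCEDURE set_emp_id;
END hr_sec_ctx;
/
CREATE OR REPLACE PACKAGE BODY hr.hr_sec_ctx AS
  PROCEDURE set_emp_id IS
    v_emp_id hr.app_users.employee_id%TYPE;
  BEGIN
    -- SESSION_USER is the real end user even in a proxied session.
    SELECT employee_id INTO v_emp_id
      FROM hr.app_users
     WHERE db_username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('hr_ctx', 'emp_id', TO_CHAR(v_emp_id));
  EXCEPTION
    WHEN NO_DATA_FOUND OR TOO_MANY_ROWS THEN
      -- Unknown user: fail closed with a value that matches no row, rather
      -- than leaving the attribute NULL or breaking the logon trigger.
      DBMS_SESSION.SET_CONTEXT('hr_ctx', 'emp_id', '-1');
  END set_emp_id;
END hr_sec_ctx;
/
-- Populate the context once, at logon.
CREATE OR REPLACE TRIGGER hr.hr_set_ctx AFTER LOGON ON DATABASE
BEGIN
  hr.hr_sec_ctx.set_emp_id;
END;
/

-- 3. The VPD policy function returns a predicate that Oracle appends to every
--    statement on the table: a user sees their own row and their direct reports.
--    Referencing SYS_CONTEXT in the predicate (rather than pasting the value in)
--    keeps the rewritten statement shareable in the cursor cache. The function
--    must not query the protected table itself.
CREATE OR REPLACE FUNCTION hr.emp_visibility (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 AS
BEGIN
  RETURN 'employee_id = SYS_CONTEXT(''hr_ctx'', ''emp_id'')'
      || ' OR manager_id = SYS_CONTEXT(''hr_ctx'', ''emp_id'')';
END emp_visibility;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'EMP_VISIBILITY',
    function_schema => 'HR',
    policy_function => 'EMP_VISIBILITY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);   -- also reject writes whose new values escape the predicate
END;
/

-- 4. Fine-grained auditing: record only SELECTs that actually touch SALARY for
--    high earners, together with the SQL text, instead of every read of the table.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'AUDIT_HIGH_SALARY_READS',
    audit_condition => 'salary > 150000',
    audit_column    => 'SALARY',
    statement_types => 'SELECT',
    audit_trail     => DBMS_FGA.DB_EXTENDED);
END;
/
-- Standard auditing of everything the middle tier does on behalf of any user.
AUDIT SELECT TABLE, UPDATE TABLE, DELETE TABLE BY app_server ON BEHALF OF ANY;

-- 5. Review: FGA records carry the real user and the proxy session separately.
SELECT timestamp, db_user, proxy_sessionid, object_name, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'AUDIT_HIGH_SALARY_READS'
 ORDER BY timestamp DESC;
```

Two checks worth doing after installing this: query hr.employees as a mapped user and as an unmapped user (the latter should see zero rows, not an error), and make sure the policy's owner, or any account with EXEMPT ACCESS POLICY, is not one that applications connect as, since those bypass the rewrite entirely.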
Franz Devantier,
Need a database health check, or a security audit?
devantierf@gmail.com