Friday, March 22, 2013

Security, Policies and Tips - Part 3

Dear Readers,

My name is Franz Devantier, creator of this blog.  I am an Oracle Certified Professional (OCP DBA 11g) Security DBA.  I will be sharing with you the basic duties of an Oracle DBA, and also some of the undocumented, and not so well known tasks. 

Reference Terms:

Term: Description
Application Context
Application context is useful for:
· Enforcing fine-grained access control
· Preserving user identity across multitier environments
· Serving as a secure data cache for attributes needed by an application

There are three different types of application context:
· Secure session-based application contexts, where data is stored in the database user session (UGA), in a namespace specified by CREATE CONTEXT
· Client session-based application contexts, using only the CLIENTCONTEXT namespace.  No privilege or package security check is done
· Nonsession-based application contexts, where data is stored in the SGA
Data Encryption
You can also encrypt your data to reduce security risks.  Data encryption is not an infallible solution, but it does have its place.  Compressing data is also a form of data encryption.
Fine-Grained Access Control
Fine-grained access control is based on dynamically modified statements:
· Create a function that adds a predicate to a DML statement
· The user enters a statement, and the database server calls the function you used to implement the security policy
· The defined predicate is appended to the statement; the predicate typically includes SYS_CONTEXT values
· Oracle runs the dynamically modified statement
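The four steps above, as an added example that is not part of the original post: a secure session-based application context set by a trusted package, a policy function that returns a predicate built from SYS_CONTEXT, and DBMS_RLS.ADD_POLICY attaching it.  The schema and object names (HR, ORDERS, APP_USERS, orders_ctx, orders_ctx_pkg, orders_vpd) are assumed.

```sql
-- Added example; names are assumed, not from the original post.
-- 1. Secure session-based context: only orders_ctx_pkg may set its attributes.
CREATE OR REPLACE CONTEXT orders_ctx USING orders_ctx_pkg;

CREATE OR REPLACE PACKAGE orders_ctx_pkg AS
  PROCEDURE set_region;   -- call from a logon trigger or the application
END;
/

CREATE OR REPLACE PACKAGE BODY orders_ctx_pkg AS
  PROCEDURE set_region IS
    v_region app_users.region%TYPE;
  BEGIN
    -- Derive the attribute from a trusted table keyed on the authenticated
    -- session user, never from a value the client supplies.
    SELECT region INTO v_region
      FROM app_users
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('orders_ctx', 'region', v_region);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      NULL;   -- attribute stays unset, so the predicate below matches no rows
  END;
END;
/

-- 2. Policy function: returns the predicate Oracle appends to each statement.
CREATE OR REPLACE FUNCTION orders_vpd (p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
BEGIN
  -- An unset attribute yields NULL, and "region = NULL" is never true: fail closed.
  RETURN 'region = SYS_CONTEXT(''orders_ctx'', ''region'')';
END;
/

-- 3. Attach the policy.  All four statement types are rewritten, and
--    UPDATE_CHECK also blocks writes that would land outside the caller's region.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_REGION_POLICY',
    function_schema => 'HR',
    policy_function => 'ORDERS_VPD',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/
```

After this, a session that has not had orders_ctx_pkg.set_region run sees no rows in HR.ORDERS, and the predicate cannot be bypassed by setting the context directly because CREATE CONTEXT binds it to that package.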
Fine-Grained Auditing
Fine-Grained Auditing (FGA) enables you to monitor data access based on content.  A built-in mechanism in the database prevents users from bypassing the audit.

Oracle database triggers can monitor DML actions, although SELECT statements are costly to monitor.  A trigger will simply insert a record into an audit trail.

FGA provides an extensible interface for creating policies to audit SELECT and other DML statements on tables and views.  Typically you would use the DBMS_FGA.ADD_POLICY procedure.
Oracle Label Security
· Enables a comprehensive set of access authorizations, contained in the row itself
· Provides flexible policy enforcement: enforcement can be limited to one type of DML, applied to label creation, or set to supply default labels
· Policies can protect individual application tables
· Special labelling functions can be added to a policy
· Multiple policies, each protecting a different area, can be created and function together
· A single policy can be applied to multiple application tables
Proxy Authentication
Oracle database server supports the following ways of preserving user identity through the middle tier of an application:
· Proxy Authentication: in OCI or thick JDBC, for database or enterprise users.  Enterprise users are managed in Oracle Internet Directory
· Client Identifiers: the CLIENT_IDENTIFIER attribute in the USERENV application context namespace, for application users.  These users are known to the application, but not to the database
End-User Identity Propagation
Oracle STS can be configured to support scenarios that include both identity propagation and token translation between web services deployed in the same security domain.  SOAP messages are used to transfer the security tokens and to communicate between web service clients and providers.

STS => Security Token Service, a WS-Trust-based token service that allows for policy-driven trust brokering, secure identity propagation and token exchange between web services.

SOAP => Simple Object Access Protocol is a lightweight, XML-based protocol for exchanging information in a decentralized, distributed environment.
Secure Application Roles
Oracle Database provides secure application roles, which are roles that can only be enabled by authorized PL/SQL packages. This mechanism restricts the enabling of such roles to the invoking application.

Franz Devantier,
Need a database health check, or a security audit?
devantierf@gmail.com


