Oracle Database Vault – DBA Best Practices

Kamal Tbeileh, Sr. Principal Product Manager, Database Security

Chi Ching Chui, Sr. Development Manager, Database Security

Program Agenda
  • Oracle Database Vault – Overview
  • Managing Database Users and Security
  • Controlling Sensitive Database Operations
Oracle Database Vault

[Diagram: a DBA issuing "select * from finance.customers" against the Finance, HR and Procurement application schemas is stopped by Privileged User Controls; the Application and Application DBA path is unaffected.]
  • Enforce who, where, when, and how data can be accessed using rules and factors
  • Enforce least privilege and prevent privileged users from accessing apps data
  • Prevent application by-pass and enforce enterprise data governance
  • Restrict ad hoc database changes
Managing Database Users
Database Accounts Administrator
  • Oracle Database Vault creates an Accounts Administrator in the database with the DV_ACCTMGR role
  • Responsible for creating new users and profiles and managing existing ones
  • Can grant the CONNECT role to users
  • Can change the password for all users except for Security Admins
  • As a best practice, customers should create personalized accounts for Accounts Admins
Managing Database Users
Database Security Administrator
  • Oracle Database Vault creates a Security Administrator in the database with the DV_OWNER role
  • Manages creation of protection policies, including Realms and Command Rules
  • Does not have access to data
  • Manages his/her own password
  • As a best practice, customers should create personalized accounts for Security Admins
Managing Database Users and Security
Managing DBAs
[Diagram: the Security Admin creates security policies to protect data; the Accounts Admin creates and manages database users; the Senior DBA and Junior DBA handle backup, patching, installation, tuning and recovery, alongside the Application user.]
Managing Database Users
Senior DBAs and Junior DBAs
  • Oracle Database Vault allows customers to control DBA actions
    • Distinguish between Senior and Junior DBAs
    • Distinguish between in-house DBAs and outsourced or off-shored DBAs
  • A Senior DBA is a user who:
    • Has been granted system privileges and roles WITH ADMIN OPTION
    • Has been authorized as OWNER of the Oracle Data Dictionary realm
    • Can grant system privileges to new users
  • A Junior DBA, outsourced DBA, or off-shored DBA can be restricted in what he/she can or cannot do
Managing Database Users and Security
For Small IT Organizations
  • In a small organization where the customer has a single DBA
    • The same person will be handling multiple tasks
  • As a best practice, the customer should
    • Create separate dedicated accounts for different responsibilities, for example: DBA_DEBRA, ACCTS_ADMIN_DEBRA, SEC_ADMIN_DEBRA
    • Lock default accounts, including the Database Vault default accounts
  • This allows the customer to:
    • Prevent compromised privileged accounts from accessing application data
    • Track each account's actions for auditing and compliance
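The account split above and the Senior DBA definition from the previous slide, worked as an added SQL example that is not part of the deck: each step runs in the session that holds the matching Database Vault role. The account names come from the slide; the passwords and the default account-manager name are placeholders.

```sql
-- Added example: three personalized accounts, one per responsibility.
-- Each step runs in the session that holds the required role.

-- Session 1: the default Database Vault Account Manager (DV_ACCTMGR)
CREATE USER dba_debra         IDENTIFIED BY "<placeholder-password>";
CREATE USER accts_admin_debra IDENTIFIED BY "<placeholder-password>";
CREATE USER sec_admin_debra   IDENTIFIED BY "<placeholder-password>";
GRANT CONNECT TO dba_debra, accts_admin_debra, sec_admin_debra;
-- Hand account administration to the personalized account; ADMIN OPTION lets it
-- delegate further without the default account ever being unlocked again
GRANT DV_ACCTMGR TO accts_admin_debra WITH ADMIN OPTION;

-- Session 2: the default Database Vault Owner (DV_OWNER)
GRANT DV_OWNER TO sec_admin_debra WITH ADMIN OPTION;
-- Make DBA_DEBRA a Senior DBA: owner of the Oracle Data Dictionary realm
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Oracle Data Dictionary',
    grantee       => 'DBA_DEBRA',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Session 3: SYS, as owner of the Oracle Data Dictionary realm, grants the
-- DBA role with ADMIN OPTION (the slide's definition of a Senior DBA)
GRANT DBA TO dba_debra WITH ADMIN OPTION;

-- Session 4: ACCTS_ADMIN_DEBRA locks the default account-manager account
-- now that a personalized one exists (<default_acctmgr> is a placeholder)
ALTER USER <default_acctmgr> ACCOUNT LOCK;

-- Verification: each personalized account holds only its intended role
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee IN ('DBA_DEBRA', 'ACCTS_ADMIN_DEBRA', 'SEC_ADMIN_DEBRA')
 ORDER BY grantee, granted_role;
```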
Managing Database Users and Security
For Medium Size IT Organizations
  • In a medium size organization with a handful of DBAs
    • DBAs will be multi-tasking, and one senior DBA will be the database Security Admin
    • The customer might be outsourcing some IT operations
  • As a best practice, the customer should
    • Create separate dedicated accounts for different responsibilities
    • Lock default accounts
  • This allows the customer to:
    • Prevent compromised privileged accounts from accessing application data
    • Outsource some IT operations and control the outsourced DBAs' actions
    • Protect the database from unauthorized changes
Managing Database Users and Security
For Large IT Organizations
  • For large customers
    • Dedicated staff can be assigned to database security
    • The customer has contractors and may be doing some outsourcing / off-shoring
  • As a best practice, the customer should
    • Create separate dedicated accounts
    • Lock default accounts
  • This helps the customer:
    • Prevent hackers from accessing application data
    • Control what junior DBAs, outsourced DBAs, or off-shored DBAs can do
    • Protect the database from unauthorized changes
Managing Database Users and Security
For SaaS and Cloud Services Providers
  • A cloud services provider
    • Can delegate Security Administration and Accounts Administration to customers so they manage who can access their data
    • The provider's own security staff can be given access in an emergency
  • As a best practice, the cloud services provider should
    • Create separate dedicated accounts for customers and its own staff
    • Lock default accounts
  • This helps the cloud services provider:
    • Improve the SLA when it comes to security
    • Empower end customers and give them the final say on who can access data
Managing Database Users and Security
IT Organization Separation of Duty
[Org chart: the Company CIO oversees Database Administration, User Provisioning, Information Security Management, Development, QA, and Database Security; the responsibilities of these groups are listed below.]
  • Provision new users
  • Assign roles and responsibilities
  • De-provision users who leave the company
  • Manage Database accounts
  • Manage passwords for default accounts
  • Develop and communicate security policies
  • Conduct internal audits with the security group
  • Work with external auditors
  • Work with the security team to remedy any audit finding
  • Develop new applications
  • Maintain existing applications
  • Provide patches to DBAs to apply on production
  • Test applications and patches with Oracle Database Vault
  • Manage Oracle Database Vault Realms and Command rules
  • Review security reports
  • Work with business owners to authorize exceptions and monitoring
  • Work with Information Security on internal audits
  • Backup
  • Tuning
  • Patching and upgrade
  • Replication and High Availability
  • Work with security and data owners for emergency access
Program Agenda
  • Oracle Database Vault – Overview
  • Managing Database Users and Security
  • Controlling Sensitive Database Operations
    • Changing Init Parameters
    • Job Scheduling
    • Oracle Data Pump
    • Oracle Streams
    • Oracle Data Guard
    • Explain Plan, Analyze Table
    • Database Patching
Controlling Changes to DB Init Parameters
ALTER SYSTEM Command Rule
  • Created by default when Oracle Database Vault is installed
  • Prevents changes to DB parameters related to security, audit, and file locations
    • This tightens the security of the database
  • As a best practice, users or roles who should be authorized to change these init parameters need to be:
    • Granted the ALTER SYSTEM privilege
    • Added to the “Allow Fine Grained Control of System Parameters” Rule Set
Controlling Changes to DB Init Parameters
Authorizing a DBA to Change Parameters Example
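The two-part authorization from the previous slide (the ALTER SYSTEM privilege plus membership in the default rule set), as an added SQL example that is not the deck's own screenshot. DBA_DEBRA is the personalized account named earlier; the rule name and the sample parameter change are assumptions, and the rule expression uses the DVSYS.DV_LOGIN_USER function.

```sql
-- Added example. Steps 1 and 3-5 run as the Security Administrator (DV_OWNER);
-- step 2 runs as a Senior DBA who can grant ALTER SYSTEM.

-- 1. Check how the default rule set is evaluated (Any True vs. All True)
--    before adding a rule to it; a single allow-rule only works under Any True
SELECT rule_set_name, eval_options_meaning, enabled
  FROM dvsys.dba_dv_rule_set
 WHERE rule_set_name = 'Allow Fine Grained Control of System Parameters';

-- 2. The privilege itself (Senior DBA session)
GRANT ALTER SYSTEM TO dba_debra;

-- 3. A rule that is true only when DBA_DEBRA is the login user
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Allow DBA_DEBRA to change init parameters',
    rule_expr => 'DVSYS.DV_LOGIN_USER = ''DBA_DEBRA''');
END;
/

-- 4. Attach the rule to the rule set used by the default ALTER SYSTEM command rule
BEGIN
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Allow Fine Grained Control of System Parameters',
    rule_name     => 'Allow DBA_DEBRA to change init parameters',
    rule_order    => 1,
    enabled       => DBMS_MACUTL.G_YES);
END;
/
-- DBA_DEBRA can now change the protected parameters, for example
--   ALTER SYSTEM SET audit_trail = 'DB' SCOPE = SPFILE;

-- 5. Take the authorization away again once the change window closes
BEGIN
  DBMS_MACADM.DELETE_RULE_FROM_RULE_SET(
    rule_set_name => 'Allow Fine Grained Control of System Parameters',
    rule_name     => 'Allow DBA_DEBRA to change init parameters');
  DBMS_MACADM.DELETE_RULE(rule_name => 'Allow DBA_DEBRA to change init parameters');
END;
/
REVOKE ALTER SYSTEM FROM dba_debra;

-- Verify that no ad hoc rule is left behind in the rule set
SELECT rule_name, enabled
  FROM dvsys.dba_dv_rule_set_rule
 WHERE rule_set_name = 'Allow Fine Grained Control of System Parameters';
```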
Controlling Database Job Scheduling
  • To schedule database jobs, a DBA needs privileges like:
    • CREATE JOB, CREATE ANY JOB, MANAGE SCHEDULER
  • The Security Administrator needs to authorize the DBA to schedule jobs on realm-protected schemas
  • Authorization can be granted for the entire database or at the schema or table level
  • Authorization can be revoked from the user once the work is done
Controlling Oracle Data Pump
Best Practices
  • The DBA needs to be granted the EXP_FULL_DATABASE / IMP_FULL_DATABASE roles
  • For realm-protected data, more authorization is needed:
    • The Security Administrator can give authorization on a specific database object, a whole schema, or the entire database
    • To export / import the whole database, the user needs to be granted the DV_OWNER role for the duration of the operation
  • Data Pump authorization should be revoked once the export / import is done
Controlling Oracle Data Pump
Best Practices Example
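The authorize-then-revoke pattern from the job scheduling slide and the Data Pump slides, as one added SQL example that is not the deck's own screenshot. DBA_DEBRA is the personalized account named earlier, FINANCE and CUSTOMERS come from the overview slide, and the directory object and dump file names are assumptions.

```sql
-- Added example. Runs as the Security Administrator (DV_OWNER), e.g. SEC_ADMIN_DEBRA.
-- The privileges themselves are granted separately by a DBA with the admin option:
--   GRANT CREATE JOB, MANAGE SCHEDULER TO dba_debra;
--   GRANT EXP_FULL_DATABASE, IMP_FULL_DATABASE TO dba_debra;

-- 1. Job scheduling: let DBA_DEBRA schedule jobs that run in the realm-protected
--    FINANCE schema only (leave out the schema to authorize the whole database)
BEGIN
  DBMS_MACADM.AUTHORIZE_SCHEDULER_USER('DBA_DEBRA', 'FINANCE');
END;
/

-- 2. Data Pump: authorize export / import of a single realm-protected table
--    (schema-level: omit the table; database-level: omit both)
BEGIN
  DBMS_MACADM.AUTHORIZE_DATAPUMP_USER('DBA_DEBRA', 'FINANCE', 'CUSTOMERS');
END;
/
-- DBA_DEBRA now runs the export at the OS prompt, for example
--   expdp dba_debra TABLES=finance.customers DIRECTORY=dp_dir DUMPFILE=customers.dmp
-- For a full-database export the call is AUTHORIZE_DATAPUMP_USER('DBA_DEBRA') and,
-- per the slide, DV_OWNER is granted for the duration: GRANT DV_OWNER TO dba_debra;

-- 3. Revoke both authorizations as soon as the work is done
BEGIN
  DBMS_MACADM.UNAUTHORIZE_DATAPUMP_USER('DBA_DEBRA', 'FINANCE', 'CUSTOMERS');
  DBMS_MACADM.UNAUTHORIZE_SCHEDULER_USER('DBA_DEBRA', 'FINANCE');
END;
/
-- REVOKE DV_OWNER FROM dba_debra;   -- only if it was granted for a full export

-- 4. Verification: no standing authorization remains for this account
SELECT * FROM dvsys.dba_dv_datapump_auth WHERE grantee = 'DBA_DEBRA';
SELECT * FROM dvsys.dba_dv_job_auth      WHERE grantee = 'DBA_DEBRA';
```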
Controlling Oracle Streams
Best Practices
  • To replicate realm-protected data using Oracle Streams, grant the DV_STREAMS_ADMIN role to the user who manages it
Oracle Data Guard
Best Practices
  • For Oracle Active Data Guard and Oracle Data Guard Physical Standby:
    • Install the Oracle Database Vault software on the primary database and all standby databases
    • Follow the instructions in Oracle support note 754065.1
  • Oracle Data Guard Logical Standby is not currently supported with Oracle Database Vault
Running EXPLAIN PLAN
Best Practice
  • A DBA can run EXPLAIN PLAN on realm-protected tables without Realm authorization or access to application data
  • PLAN_TABLE should be created in
    • The DBA's own schema
    • Or in a schema where the DBA has INSERT and SELECT privileges on the table
Running EXPLAIN PLAN
Best Practice Example
Running ANALYZE TABLE
Best Practice
  • A DBA can run ANALYZE TABLE on realm-protected tables without Realm authorization or access to application data
  • The CHAINED_ROWS table should be created in
    • The DBA's own schema
    • Or in a schema where the DBA has INSERT and SELECT privileges on the table
Running ANALYZE TABLE
Best Practice Example
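The EXPLAIN PLAN and ANALYZE TABLE practices from the last four slides, as one added SQL*Plus example that is not the deck's own screenshot. It runs as DBA_DEBRA; FINANCE.CUSTOMERS comes from the overview slide, while the REGION column, the statement id and the TOOLS schema are assumptions.

```sql
-- Added example, run as DBA_DEBRA connected to the DBA's own schema. The DBA holds
-- no authorization on the realm protecting FINANCE, so a direct
--   SELECT * FROM finance.customers
-- is still refused by Database Vault; the two statements below only write a plan
-- and row identifiers into tables the DBA owns, so they are allowed.

-- 1. Create PLAN_TABLE and CHAINED_ROWS in the DBA's own schema using the scripts
--    shipped with the database (SQL*Plus expands "?" to ORACLE_HOME)
@?/rdbms/admin/utlxplan.sql
@?/rdbms/admin/utlchain.sql

-- 2. Explain a query against the realm-protected table: the statement is parsed
--    and its plan stored, but no customer rows are read
EXPLAIN PLAN SET STATEMENT_ID = 'cust_by_region' INTO plan_table FOR
  SELECT * FROM finance.customers WHERE region = 'EMEA';

SELECT * FROM TABLE(DBMS_XPLAN.DISPLAY('PLAN_TABLE', 'cust_by_region'));

-- 3. Look for chained rows: only owner, table name and head ROWIDs land in
--    CHAINED_ROWS, never column data
ANALYZE TABLE finance.customers LIST CHAINED ROWS INTO chained_rows;

SELECT owner_name, table_name, COUNT(*) AS chained_rows
  FROM chained_rows
 GROUP BY owner_name, table_name;

-- Variant from the slides: a shared PLAN_TABLE in another schema works only after
-- that schema's owner grants INSERT and SELECT on it
--   GRANT INSERT, SELECT ON tools.plan_table TO dba_debra;   -- run by TOOLS
--   EXPLAIN PLAN INTO tools.plan_table FOR SELECT ...;        -- run by DBA_DEBRA
```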
Database Patching
Best Practices
  • Grant the DV_PATCH_ADMIN role to the user doing database patching – typically the SYS user
  • Protection for application data remains in effect during patching
  • Revoke the DV_PATCH_ADMIN role once patching is done
Database Patching
Best Practices Example
Oracle Database Vault – DBA Best Practices
Additional Resources
  • Oracle Technology Network link: oracle.com/technetwork/database/options/database-vault/index.html
    • Download white papers and watch demos
    • Download protection policies for Applications
      • PeopleSoft, Siebel, JD Edwards EnterpriseOne and more
    • Download information on SAP certification
Latin America 2011: December 6–8, 2011
Tokyo 2012: April 4–6, 2012
Oracle OpenWorld Bookstore
  • Visit the Oracle OpenWorld Bookstore for a fabulous selection of books on many of the conference topics and more!
  • Bookstore located at Moscone West, Level 2
  • All Books at 20% Discount
Oracle Products Available Online
Oracle Store
Buy Oracle licenses and support online today at oracle.com/store