Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle

Protect Sensitive Data:
Implementing Fine-Grained
Access Control
Nelson Calero
Pythian

•Database Consultant at Pythian
•Working with Oracle tools and Linux environments since 1996
•DBA Oracle (2001) & MySQL (2005)
•Co-founder and President of the Oracle user Group of Uruguay (2009)
•LAOUC Director of events (2013)
•Computer Engineer
•Oracle ACE (2014)
•Oracle Certified Professional DBA 10g/11g (2008)
•Amazon Solutions Architect – Associate since (2016)
•Oracle University Instructor (2011)
•Blogger and speaker: Oracle Open World, Collaborate, OTN Tour, Regional conferences
About me
4 © 2014 Pythian Confidential
http://www.linkedin.com/in/ncalero @ncalerouy

Pythian overview
© 2015 Pythian Confidential5
• 19 Years of data infrastructure management consulting
• 250+ Top brands
• 11700+ Systems under management
• Over 400 DBAs in 35 countries
• Top 5% of DBA work force, 10 Oracle ACEs, 4 ACED,
3 OakTable members, 2 OCM, 6 Microsoft MVPs,
1 Cloudera Champion of Big Data,
AWS Certified Solutions Architect – 2 Professional, 12 Associate
• Oracle, Microsoft, MySQL, Hadoop, Cassandra, MongoDB, and more
• Infrastructure, Cloud, DevOps, and application expertise

Today’s topics
• What is Fine Grain Access control?
• Functionalities available with Oracle
• Implementing row level security
– With standard edition
– Using OLS
– Using VPD
– Using RAS
• Complex scenarios

Fine Grain Access control?
What
– Ability to restrict access to objects applying small granularity
• row level instead of table level
• network services instead of all network access
Why
– Access to data comply with security regulations
– Industry regulations: health care (HIPAA), Defense (security clearances), Personal
information protection (several).
• database side implementation => no code on the application side
– Several functionalities available (next slide)
• We will discuss implementation and management from database point of view

Oracle functionalities for FG control
• auditing
• DBMS_FGA package (only in EE)
• external network services and wallets
• DBMS_NETWORK_ACL_ADMIN package
• data – several ways:
• Application context – available in SE
• Virtual Private Database (VPD) – 8i
– Only with EE, no extra cost
• Oracle Label Security (OLS) – 8i
– Only with EE, Extra cost option
• Oracle Real Application Security – new in 12c
– Next generation VPD, only with EE, no extra cost

Simple example
Policy
rules
SMAVRIS
user
JDANIEL
Manager 103
Select * From
HR.EMPLOYEES

Simple example
What do I need to implement it?
– It depends on your requirements
Functionalities available out of the box for free?
– limited, needs maintenance, will explore them next
Many functionalities with EE with no extra cost
– Only OLS have extra cost

Simple example - demo
Implementing a simple VPD on SE
– Schema owner of data not allowed to connect from app
– Views for each table including a where condition
– Nominated users granted access to views only
– Usage of application context
script: fga-se.sql

Application contexts
• session variables to store information
• useful to implement FGAC with Standard Edition
• session (local) or global (shared)
– select sys_context(namespace, attribute) from dual;
– dbms_session.set_context(namespace, attribute, value, client_id)
• built-in application context namespace: USERENV
– select sys_context('USERENV', 'SESSION_USER')from dual;
• Dictionary views
– V$CONTEXT / V$GLOBALCONTEXT
• Memory footprint
– select * from v$sgastat where name like 'Global Context%';
https://docs.oracle.com/database/121/DBSEG/app_context.htm#DBSEG173

Poor man VPD problems
• Users with different privileges over the same data?
– More views per privilege set / coding logic into function / intermediate
table/...
– It is up to your coding abilities
• Different policies for insert/update/deletes?
– More views per policies / coding logic into functions /…
• Modified data will match the condition?
– Triggers to validate after data modifications / manual controls

Other implications
• Changes in query performance?
– Review indexes to cover all new conditions
• Connection pools at middle tier
– Proxy user and client_identifier usage
ALTER USER john GRANT CONNECT THROUGH appsrv;
oracle.jdbc.OracleConnection.setClientIdentifier()  from JDBC
exec dbms_session.set_identifier ('ABCD')  same from PL/SQL

General implementation principles
Before coding, design your policies:
– Identify tables that requires security
– Evaluate its data and define level of security and groups
– Categorize users (privileged / typical / etc.)
As part of the coding:
– Lock down access to configuration – least privilege principle
– Audit operations

Today’s topics
– Using VPD
– Using OLS
– Using RAS

Virtual Private Database (VPD)
“interface to associate PL/SQL packages with application tables
to compute and append a predicate (where clause) that is
automatically appended to incoming SQL statements, restricting
access to rows and columns within the table”
http://www.oracle.com/technetwork/database/security/real-application-security/overview/index.html
• Package DBMS_RLS to manage policies
• View DBA_POLICIES to view existing policies
• View V$VPD_POLICY to see predicates generated for SQL_IDs
• Different policies can be used for SELECT/INSERT/UPDATE/DELETE
• Multiple policies allowed per table

Virtual Private Database (VPD) - example
script: fga-vpd.sql
Summary:
• Policy function using static and dynamic predicates
• Errors when querying base table on some cases
• Adding extra code to allow privileged user access
• Testing SELECT/UPDATE

Policies evaluation
• Defined by the policy type:
– Dynamic – evaluated every time is used
– Static – executed only once and cached
– Context_sensitive – evaluated if context change (useful on connection pooling)
– Shared_static – cache over multiple objects
– Shared_context_sensitive – combine previous two
• policy exemptions:
– direct path export
– cannot be applied to objects in schema SYS
– EXEMPT ACCESS POLICY privilege
• MERGE INTO statements supported on tables using VPD since 11gR2
• ORA_ROWSCN usage has problems

Policy function
• No validation on the code we create – it fails at runtime if wrong
• Code can use whatever we want to produce the string
– Performance overhead depending on the policy type when evaluating
– Execution plans may change because of the new condition in use
• String returned may be different for different tables (FK relationships, etc.)
• It can be applied to columns, not entire table
– Column masking vs row masking
• Access to policy function definition should be protected

VPD - Column masking
BEGIN
DBMS_RLS.ADD_POLICY(object_schema=>’HR’,
object_name=>'EMPLOYEES',
policy_name=>'SEC_SALARY',
function_schema=>‘HR',
policy_function=>'f_protect_salary',
sec_relevant_cols=>'SALARY',
sec_relevant_cols_opt=>dbms_rls.ALL_ROWS);
END;
create or replace function f_protect_salary (p_owner in varchar2, p_name in varchar2)
return varchar2 as
begin
if sys_context('userenv', 'session_user') = 'MANAGER'
then return ‘1=1’; /* value is displayed */
else return 'salary <= 10000'; /* displayed only if match condition */
end if;
end;
policy_function is treated
as a Boolean expression to
decide if column values are
shown

VPD – update check
New in 11.2:
BEGIN
DBMS_RLS.ADD_POLICY(object_schema=>user,
object_name=>'EMPLOYEES',
policy_name=>'SEC_SALARY',
function_schema=>'LBACSYS',
policy_function=>'f_protect_salary',
update_check=>true);
END;
SQL> Update hr.employees set salary=salary*2;
ERROR at line 1:
ORA-28115: policy with check option violation
policy_function is enforced
also after updates

Policies troubleshooting
• What condition (policy) is being applied to my query?
– v$vpd_policy
• When errors, trace file is generated on user_dump_dest
• Debugging
– Trace 10730 / 10060

Today’s topics
– Using VPD
– Using OLS
– Using RAS

Oracle Label Security (OLS)
• Based on tags for data
• Hierarchical classification: levels / compartments / groups
• Access to data granted based on policies without manual coding
– Using predefined PL/SQL packages, not user created as in VPD
– policy can be applied to table or schema
• When labels are used, a (hidden) column is created when policy is applied to tables
• Administration:
– User LBACSYS to manage policies
– SA_USER_ADMIN package - to manage user labels and user privileges
– SA_SESSION package to configure Labels & Privileges
– several SA_* views
– DBA_OLS_STATUS view shows if OLS is enabled and configured

Oracle Label Security (OLS) – labels example

Oracle Label Security (OLS) - example
script: fga-ols.sql
Summary:
define label hierarchy
define policies
test policies from users with different privileges
validate predicates used

Oracle Label Security (OLS)
Not enabled by default
SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Label Security';
VALUE
--------------------------------------------
FALSE
select * from DBA_OLS_STATUS;
NAME STATUS DESCRIPTION
-------------------- ------ -------------------------------------
OLS_CONFIGURE_STATUS FALSE Determines if OLS is configured
OLS_DIRECTORY_STATUS FALSE Determines if OID is enabled with OLS
OLS_ENABLE_STATUS FALSE Determines if OLS is enabled

Oracle Label Security (OLS) - install
On 12c:
EXEC LBACSYS.CONFIGURE_OLS;
EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;
On 11g:
cd $ORACLE_HOME/rdbms/lib
make -f ins_rdbms.mk lbac_on ioracle
(same as: chopt enable lbac)
shutdown/startup
sqlplus @?/rdbms/admin/catols.sql

Oracle Label Security (OLS) - labels
label_to_char (OLS_COLUMN)
Display string label instead of internal code
sa_session.label(‘policy_name')
current user’s session label for the policy
OLS_LABEL_DOMINATES (session_tag, desired_tag)
returns 1 when first label is allowed for the second one
New in 12.1 - LBACSYS schema can be exported using full export/import
source>=11.2.0.3, target>=12.1

Oracle Label Security (OLS) - DML
Labeling column implications:
• column values set using labeling function or manually
oracle-base example
• affects initial configuration and inserts
create function f_label(..)
RETURN LBACSYS.LBAC_LABEL
..
RETURN TO_LBAC_DATA_LABEL('label', string);
end;
exec SA_POLICY_ADMIN.APPLY_TABLE_POLICY
(...label_function => 'f_label(..)')

Today’s topics
– Using VPD
– Using OLS
– Using RAS

Oracle Real Application Security (RAS)
“A database authorization model:
• Supports declarative security policies
• Enables end-to-end security for multitier applications
• Provides an integrated solution to secure database and application
resources
• Advances the security architecture of Oracle Database to meet
existing and emerging demands of applications developed for the
Internet”
https://docs.oracle.com/database/121/DBFSG/intro.htm#DBFSG10000

Oracle Real Application Security (RAS) concepts
Application users – schema-less to create application session
Application role (static/dynamic)
Application privileges
Security class – set of privileges
Access control entry (ACE)
– grant/deny application privileges to principals
Access control list (ACL)
– named list of privilege grants bound to resources
Data realm
– business object defined by SQL predicate authorized by an ACL
– Regular / parameterized / inherited
Data security policy
– protect realms associating ACLs

• Application sessions – not bounded to database schemas
• PL/SQL and Java API
• Administration Application (RASADM) in APEX to download from OTN
http://www.oracle.com/technetwork/database/security/real-application-security/downloads/index.html
• HR Demo from java
https://docs.oracle.com/database/121/DBFSG/midtierjava.htm#CBBDJDDE

Oracle Real Application Security (RAS) - example
scripts: ras-*.sql
Usage from PL/SQL
http://docs.oracle.com/database/121/DBFSG/security_hr_demo_tutorial.htm#DBFSG816
based on hrdemo*.sql scripts
Summary:
row filtering and column masking
realm with errors and troubleshooting

New hidden column to enforce policy: SYS_ACLOID
begin
xs_data_security.apply_object_policy(
policy => 'hr.employees_ds',
row_acl=> true ,
schema => 'hr',
object => 'employees');
end;
/
select column_name from dba_tab_cols
where table_name='EMPLOYEES' and hidden_column='YES';

Static policies (data realms):
XS$REALM_CONSTRAINT_TYPE(realm=> 'DEPARTMENT_ID=50',
acl_list=> XS$NAME_LIST('HRACL'),
is_static=> TRUE); -- default is FALSE
Materialized view generated automatically to keep binding between
rows and ACL
Change the ACL refresh mode to on-commit or on-demand refresh
XS_DATA_SECURITY_UTIL.ALTER_STATIC_ACL_REFRESH

ACLs evaluation order:
1) application user-managed ACLs - from grants directly on object instances
2) ACLs from static data realm constraint grants are evaluated next
3) ACLs from dynamic data realm constraint grants are evaluated last
To see realms associated with tables:
DBA_XS_REALM_CONSTRAINTS
DBA_XS_* and DBA_XDS_* views to see all related data to RAS
ras-check.sql script

Parameters in data realm rules – definition
1) rows_sec := xs$REALM_CONSTRAINT_LIST(
XS$REALM_CONSTRAINT_TYPE(
realm => 'COUNTRY_REGION = &' || 'REGION'));
2) sys.xs_data_security.create_policy(
name => 'SH.CUSTOMER_DS',
realm_constraint_list => rows_secs,
description => 'Policy to protect sh.customers table');
3) sys.xs_data_security.create_acl_parameter(
policy => 'SH.CUSTOMER_DS',
parameter => 'REGION',
param_type => XS_ACL.TYPE_VARCHAR);

Parameters in data realm rules – usage when creating ACL
DECLARE
ace_list XS$ACE_LIST;
BEGIN
ace_list := XS$ACE_LIST(
XS$ACE_TYPE(privilege_list => XS$NAME_LIST('SELECT'),
granted => true,
principal_name => 'Americas_sales'),
XS$ACE_TYPE(privilege_list => XS$NAME_LIST('SELECT', 'VIEW_SENSITIVE_INFO'),
granted => true,
principal_name => 'Business_Analyst'));
sys.xs_acl.create_acl(name => 'View_Americas_sales',
ace_list => ace_list,
sec_class => 'SH.CUST_SEC_CLASS',
description => 'Authorize read access for the Americas region');
sys.xs_acl.add_acl_parameter(acl => 'View_Americas_sales',
policy => 'SH.CUSTOMER_DS',
parameter => 'REGION',
value => 'Americas');
END;
/

Oracle Real Application Security (RAS) - Trace
• V$VPD_POLICY works
• dump all the data realm constraint rules:
ALTER SESSION SET EVENTS 'TRACE[XSXDS] disk=high';
• dump the VPD views of the XDS-enabled table during the initial
(hard) parse
ALTER SESSION SET EVENTS 'TRACE[XSVPD] disk=high';

• Default passwords for RAS users are created with SHA2 hashes.
SQL Developer uses JDBC which does not support SHA512 hashes.
Need to specify SHA1 passwords for those cases:
exec XS_PRINCIPAL.SET_PASSWORD('john', 'john',xs_principal.XS_SALTED_SHA1);
• SA_SESSION.SET_ACCESS_PROFILE
– To implement proxy accounts with application users
– SA_SESSION.SA_USER_NAME function to see the current username

Today’s topics
– Using VPD
– Using OLS
– Using RAS

Complex scenarios?
• Combined with other functionalities
– Oracle Internet Directory
– Result cache, Materialized views, non-deterministic functions, etc.
• Mixed application usages of same data – vpd + non vpd
– Views for applying policies, base table access for non-vpd
– Grants / synonyms to control access to correct ones
• Multiple policies
– Combined condition should be valid
– Definition challenge when applied to multiple tables

Performance considerations
– Traditional tuning - considering final user + policy conditions for SQLs
• V$VPD_POLICY to start
– Optimizer does not estimate cardinality when using functions in policies
• id= SYS_CONTEXT('USERENV', 'SESSION_USER');
• Id=10 => it does

Changes in different versions
• 9i
– Multiple policies per table. Global contexts.
• 10g
– Column based policies, column masking, policy types
• 11g
– Support for MERGE INTO statement
• 12c
– RAS
– VPD context-sensitive policies – evaluated only if associated
application context attribute changes

Auditing - OLS
12c - unified auditing
• enabling and disabling of OLS policies, etc.
SELECT * FROM AUDITABLE_SYSTEM_ACTIONS WHERE COMPONENT = 'Label Security';
• example:
CREATE AUDIT POLICY audit_ols
ACTIONS SELECT ON OE.ORDERS
ACTIONS COMPONENT=OLS ALL;
• Oracle Label Security session label attributes can be audited
AUDIT CONTEXT NAMESPACE ORA_SESSION_LABELS ATTRIBUTES lsec_pol1, lsec_pol2;
• Auditing Oracle Label Security Events: https://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG454
• SYS.UNIFIED_AUDIT_TRAIL.xs_user_name for RAS db connections, XS$NULL on sys.aud$
Pre-12c auditing (OLS):
• using SA_AUDIT_ADMIN package
https://docs.oracle.com/database/121/OLSAG/packages.htm#GUID-C4FB5E20-D9B8-48A1-9DDB-1ACA4722846E

FGA options compared

Conclusions
• Several alternatives available with different functionality
• Some limitations exists, needs testing to validate it works for your
needs
• Access to packages that modify policies should be protected and
audited
• Don’t underestimate the effort needed to design the policies
• Changes in different versions
• RAS is brand new but should be used for all new developments

References - documentation
– Oracle license 12c
https://docs.oracle.com/database/121/DBLIC/editions.htm#DBLIC110
– Oracle Label Security
https://docs.oracle.com/database/121/OLSAG/toc.htm
http://www.oracle.com/technetwork/database/options/label-security/label-security-wp-12c-1896140.pdf
– Oracle VPD
https://docs.oracle.com/database/121/TDPSG/GUID-92A1A94D-319C-4FB2-AEC3-B86415D72628.htm#TDPSG94442
– Oracle Real Application Security
http://www.oracle.com/technetwork/database/security/real-application-security/overview/index.html
– Auditing Oracle Label Security Events
https://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG454
- Application context
https://docs.oracle.com/database/121/DBSEG/app_context.htm#DBSEG172
53 © 2014 Pythian Confidential

Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle

Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (6)

Ähnlich wie Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle

Ähnlich wie Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle (20)

Mehr von Nelson Calero

Mehr von Nelson Calero (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle