
IOUG SAP SIG: Oracle Database Vault for SAP

Kamal Tbeileh, Principal Product Manager, Oracle Database Security
Andreas Becker, Principal Member, Oracle/SAP Development

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Agenda

• Database Vault Overview
• Realms, Command Rules, and Separation Of Duty
• Database Vault Certification for SAP - Project Details
  • Overview
  • Technical Details
  • Best Practices and more
• Database Vault Best Practices
• Database Vault Performance Numbers
• Feedback and Questions

Oracle Database Security: Continuous Innovation

(Timeline figure from Oracle7 through Oracle8i, Oracle Database 9i, 10g and 11g, showing the security features added over time: Database Auditing, Native Network Encryption, Strong Authentication, Database Encryption API, Virtual Private Database (VPD), Enterprise User Security, Proxy authentication, Oracle Label Security, Fine Grained Auditing, Client Identity Propagation, EM Secure Config Scanning, VPD Column Relevant, VPD Column Masking, TDE Column Encryption, Secure Backup (Tape), Oracle Database Vault, Oracle Audit Vault, TDE Tablespace Encryption, EM Data Masking.)

Data Security Business Drivers

• Regulatory and Privacy Requirements
  • Sarbanes-Oxley (SOX), GLBA, HIPAA, PCI
  • Japan, Korea have similar versions of SOX
  • Regulations continue to expand in global economy
  • Privacy breach disclosure laws
    • 40+ US States have such laws
    • EU Data Privacy
• Strong IT / Internal Security Controls
  • Customers looking for real-time preventive controls
  • Separation of duty
  • Strong security in outsourcing and off-shoring environments
  • COSO, ITIL, COBIT frameworks

Customer Security Requirements

• Restrict full access of privileged users
  • Restrict access to application data stored in the database
  • Separation of duty controls
• Easily implement environment based access control
  • User parameters
  • Network parameters
  • Database parameters
• Applying on existing and legacy applications
  • Highly transparent
• Minimal performance impact
  • Less than 5%

Oracle Database Security: Solutions for Privacy and Compliance

(Product overview figure: Database Vault, Data Masking, Advanced Security, Label Security, Secure Backup, Audit Vault, Configuration Management, Total Recall.)

Oracle Database Vault

• Controls on privileged users
  • Restrict highly privileged users from application data
  • Provide Separation of Duty
  • Security for database and information consolidation
• Real time access controls
  • Control who, when, where and how data is accessed
  • Make decision based on IP address, time, auth…

(Figure: Database Vault building blocks: Protection Realms, Multi-Factor Authorization, Separation of Duty, Command Rules, Reports.)

Oracle Database Vault Realms

(Figure: a DBA, an HR DBA and a FIN DBA next to an HR Realm around the HR schema and a Fin Realm around the Fin schema.)

• Database DBA views HR data (select * from HR.emp): compliance and protection from insiders
• HR DBA views Fin. data: eliminates security risks from server consolidation
• Realms can be easily applied to existing applications with minimal performance impact

Oracle Database Vault: Transparent Multi-factor Authorization

(Figure: an HR account and a FIN DBA issuing SELECT… and CREATE… against the HR and FIN schemas; the rules evaluate factors such as business hours and an unexpected IP address.)

Example #1: Protecting application data from privileged users

(Screenshots: Database Vault Administration Page; Step 1. Defining a Realm; Step 2. Adding Protected Schema)

Example #2: Limiting connection from non-application server IP addresses

(Screenshots: Limit Access to Specific IP Addresses: Creating a Command Rule; List of Allowed IP Addresses; Connection Blocked from Other IP Addresses)
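The two DVA examples above, written as a DBMS_MACADM API script, the form the deck later recommends for building and backing up policies. This is an added example, not from the deck or from the DBV scripts SAP delivers; the realm and rule names, SAPSR3 as the protected owner and the application-server IP list are assumptions.

```sql
-- Added example (not from the slide deck or from SAP's delivered DBV scripts).
-- Run as the DBV security administrator (SECADMIN in the SAP setup).
-- Realm/rule names, the SAPSR3 owner and the IP addresses are assumptions.

-- Example #1: a realm around the application schema. Once it exists, system
-- privileges such as SELECT ANY TABLE no longer reach the schema's objects,
-- so "select * from SAPSR3.T100" as SYSDBA fails with ORA-01031.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'SAP ABAP Protection Realm (example)',
    description   => 'Shields SAPSR3 objects from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- audit every denied access

  -- '%' covers all existing and future objects of the schema.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'SAP ABAP Protection Realm (example)',
    object_owner => 'SAPSR3',
    object_name  => '%',
    object_type  => '%');

  -- Only the application account itself is authorised (as realm owner);
  -- no DBA role or DBA account is added, which is the point of the realm.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'SAP ABAP Protection Realm (example)',
    grantee       => 'SAPSR3',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Example #2: a CONNECT command rule that admits sessions only from the
-- application servers (constructed IP list). DVF.F$CLIENT_IP is the
-- Client_IP factor; it is NULL for local (bequeath) connections on the
-- database host, which stay allowed so ora<sid> is never locked out.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is SAP application server (example)',
    rule_expr => 'DVF.F$CLIENT_IP IN (''10.0.0.11'',''10.0.0.12'') ' ||
                 'OR DVF.F$CLIENT_IP IS NULL');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Allowed SAP client addresses (example)',
    description     => 'Connections must come from an application server',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,  -- audit blocked logons
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Connection from this address is not permitted',
    fail_code       => 20999,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Allowed SAP client addresses (example)',
    rule_name     => 'Is SAP application server (example)');

  -- '%'/'%' applies the rule set to every user's CONNECT.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'Allowed SAP client addresses (example)',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Check before relying on it: a logon from an unlisted address must be
-- rejected with the fail message, and the denial must show up in the
-- Database Vault audit trail (DVSYS.AUDIT_TRAIL$) and the DVA reports.
```

Test the CONNECT rule from a throw-away session on an unlisted host while a local session stays open, so a typo in the expression cannot lock the administrators out.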

Database Vault Certification for SAP: Project Details

• Project Overview

• Technical Requirements

• DBV Software and Documentation

• DBV Installation Preparation

• DBV Installation Steps

• DBV Configuration Steps

• DBV Best practices

• DBV Overview of Changes

• More advanced configurations

• Summary


Database Vault Certification for SAP: Project Overview

• December 2007 - started
  • First Database Vault Integration and Evaluation Tests started
  • Oracle Release 10.2.0.4 Beta
  • DBV 10.2.0.4 Beta Shiphome
  • SAP NetWeaver (ABAP+Java) on Linux 32bit
• May 2008 - continued
  • Oracle Release 10.2.0.4 Beta/DBV 10.2.0.4 Beta Shiphome
  • SAP NetWeaver (ABAP+Java) on Linux 32bit
  • SAP NetWeaver (ABAP+Java) on Windows 32bit
• August 2008 - continued
  • Oracle Release 10.2.0.4 + DBV 10.2.0.4 (Production)
  • SAP NetWeaver (ABAP+Java) on AIX 64Bit

Database Vault Certification for SAP: Project Overview (cont'd)

• August/September 2008 - Today
  • Start of Pilot program

Plan:
• Pilot program with ~5 pilot customers until end of 2008
• 2009: DBV Certification for SAP Generally Available


Database Vault Certification for SAP: Technical Prerequisites and Requirements

• Oracle Database Release 10.2.0.4
• Oracle database is installed and configured according to joint Oracle/SAP recommendations
  • Database patches: SAP note 1137346
  • Database parameters: SAP note 830576
• SAP NetWeaver with SAP Kernel Release 7.00+
• SAP BR*Tools Release 7.00 Patchlevel 36+


Database Vault Certification for SAP: DBV software and documentation

• Oracle software for RDBMS and Database Vault can be downloaded from SAP Service Marketplace
  • http://service.sap.com/oracle-download
    • Oracle 10.2.0.4
    • RDBMS 10.2.0.4 Patchset, RDBMS Patches
    • DBV 10.2.0.4 Software, DBV Patches
    • DBV scripts
• Documentation about Oracle Database Vault for SAP
  • SAP note 1241462 (accessible for Pilot customers only)
  • Planned: Oracle whitepaper about SAP on Oracle with DV
  • Oracle documentation (Install Guides, Admin Guide, Release notes, White papers on OTN)


Database Vault Certification for SAP: DBV Installation Preparation Steps

Installation of DBV will affect
• Database Software (ORACLE_HOME)
• Database (Installation of new db components)
• Database Parameters

1. Backup ORACLE_HOME and Oracle Inventory
2. Backup your database (brbackup)
3. Backup your database configuration files (OH/dbs, OH/network/admin: init.ora, sqlnet.ora, tnsnames.ora, listener.ora)

Database Vault Certification for SAP: DBV Installation Preparation Steps (2)

Preparation Steps:
• Create a working directory for the installation (spool output, install logs, software, patches, stages, …)
• Ensure that all database connections are working as expected
  • Check database connections (as ora<sid> and <sid>adm user, before DBV is installed)
  • Verify database connection via R3trans -d
• Turn off database auditing
  • Can be turned on again after DBV installation
• Rename temporary tablespace
  • SQL> ALTER TABLESPACE PSAPTEMP RENAME TO TEMP;

Database Vault Certification for SAP: DBV Installation Preparation Steps (3)

Preparation Steps:
• Configure Oracle Enterprise Manager DB Control
  • EM DB Control is not configured by default in SAP environments
  • Prerequisite for the Database Vault Administrator (DVA) GUI
    • DVA uses the same OC4J configuration as DB Control
  • Run the Database Configuration Assistant (DBCA) to install EM DB Control
    • % dbca

Database Vault Certification for SAP: DBV Installation Preparation Steps - EM DB Control (DBCA screenshots)


Database Vault Certification for SAP: DBV Installation Preparation Steps (4)

Preparation Steps:
• Download and extract Database Vault Policy Scripts for SAP
• Run the prerequisite script before installing DV:

sqlplus / as sysdba
SQL> @dbv_sap_prerequisite_script.sql
  -> creates the new database accounts before installing DV

Database Vault Certification for SAP: DBV Installation Preparation Steps (5)

Last preparation steps:
• Download Database Vault Software from SAP Service Marketplace and extract to a staging area
• Stop SAP Application
• Shutdown Oracle Instance and all Oracle processes running from the ORACLE_HOME


Database Vault Certification for SAP: DBV Installation Steps (1)

• Start runInstaller from DBV stage (interactive or silent install):
  ./runInstaller

(Installer screenshots)


Database Vault Administrator URL:

https://<hostname>:1158/dva

Enterprise Manager Database Control URL:

https://<hostname>:1158/em

Database Vault Certification for SAP: DBV Installation Steps (2)

Post-Installation Steps
• Rename temporary tablespace back
  • SQL> ALTER TABLESPACE …
• Adapt certain database parameters that were changed during DBV installation
  • os_authent_prefix, remote_os_authent
• Start EM DB Control:
  • % emctl start dbconsole
• Run DBV Post-Install Scripts for SAP
  • post_dbv_install_secadmin.sql
  • post_dbv_install_secacctmgr.sql
• Logon to DBV Administrator

Database Vault Certification for SAP: DBV Installation Steps (3)

Logon to DBV Administrator as SECADMIN


Database Vault Certification for SAP: DBV Configuration Steps (1)

Run DBV configuration scripts for SAP

sqlplus /nolog

SQL> connect SECADMIN/<pwd>

SQL> spool create_dbv_sap_policies.log

SQL> @create_dbv_sap_policies.sql

SQL> spool off

Database Vault Certification for SAP: DBV Configuration Steps (2)

Run tests
• Basic Database connection tests
• SAP Application
  • Start/stop
• Database Administration Tasks
  • SAP BR*Tools
  • Backup/Recovery
  • Daily Database Administration Tasks
• SAP Administration Tasks
• ...


Database Vault Certification for SAP: DBV Best Practices

• Configure glogin.sql for sqlplus
  • cd $ORACLE_HOME/sqlplus/admin
  • Add the following lines to glogin.sql:

-- Set SQL prompt
SET sqlprompt "_user _privilege '@' _connect_identifier>"

Result:

sqlplus / as sysdba
SYS AS SYSDBA @ QO1> connect / as sysoper
PUBLIC AS SYSOPER @ QO1> connect /
OPS$ORAQO1 @ QO1>


Database Vault Certification for SAP: Overview of changes

Installation of DBV changes and affects:
• New software component
• New database components and database users

• New database schemas for Database Vault
  • SYSMAN schema (EM Repository)
  • DVSYS/DVF schema (DBV Repository)
• New Database Vault Accounts
  • SECADMIN: DBV Security Administrator, manages the DBV security policy
  • SECACCTMGR: DBV Account Manager, creates/drops/alters database users

• New database accounts for SAP
  • ABAP_CRED_MGR: account to manage the SAP account password
  • SUPPORT_USER: Login account for Oracle/SAP Support
    • locked by default
  • EMERGENCY_USER: Login account in an emergency / support situation
    • Same privileges as SUPPORT_USER
  • BR_DBA: DBA account (instead of Oracle default account SYSTEM)
    • Account with DBA privilege for database administration with SAP BR*Tools
    • Replaces Oracle default DBA account SYSTEM

Database Vault Certification for SAP: GOAL

• GOAL: Protection of SAP Application Data
  • DBA/SYSDBA account can not see/access SAP data any more

sqlplus / as SYSDBA
SQL> select * from SAPSR3.T100;
ORA-01031: insufficient privileges

Database Vault Certification for SAP: Defined Realms

• Default Realms
  • Oracle Database Vault Account Management
  • Oracle Database Vault
  • Oracle Data Dictionary
  • Oracle Enterprise Manager
• SAP Realms
  • SAP Protection Realm for ABAP Stack
  • SAP Protection Realm for Java Stack
  • SAP Application Administration Realm for SAP BR*Tools
  • SAP Application Credential Protection Realm
  • SAP Application Protection Realm for SAP Admin Roles

Database Vault Certification for SAP: Delivered Security Policies (screenshot)


Database Vault Certification for SAP: More advanced configurations

• Real Application Clusters / RAC
  • Transparent for DBV
• Data Guard Physical Standby
  • Transparent for DBV
• MCOD
  • Customer input is needed
• 3rd-party application installed
  • Generic guidelines


Database Vault Certification for SAP: Summary - Current Status - Plans

• Initial evaluation tests with DBV and SAP started December 2007
• Internal Integration tests with SAP and DBV still ongoing (2008) during pilot phase
• Pilot tests started in September 2008

SAP Certification

Database Vault Application Protection Matrix (figure)

Database Vault with SAP: Delivered Security Policies (screenshots)

Best Practices Overview: Separation of Duty

Database Vault Separation of Duty

• Database Vault defines three main responsibilities
  • Account Management responsibility
  • Security Administration responsibility
  • Traditional DBA responsibility
• These responsibilities can be further subdivided
  • Security Administration responsibility
    • Security Administration
    • Security Reporting
  • Traditional DBA responsibility: with rule sets and command rules, it can be subdivided to any required level.
• Optionally can be consolidated to:
  • Security and Account Management responsibility
  • Resource Management responsibility

Separation of Duty Best Practice

• SOD is important for companies big and small
• Have separate accounts:
  • Named accounts for database account management
  • Named accounts for Database Security Administration
  • Named accounts for DBAs
  • Create at least two named accounts for each responsibility
• Auditors look for
  • Separate database accounts for different responsibilities
  • Being able to track the actions of each account
  • Less important is the number of people doing the tasks
• Database Vault audit events are protected
• Reports show any attempted violations

Best Practices For Deploying Database Vault: Main Stages and their Steps

• Strategy Analysis and Design Stage
• Build and Document Stage
  • Recommendations for
    • Pre-Installation
    • Installation
    • Post Installation
    • Naming Convention
• Transition and Production Stages
  • Deployment Recommendations

Strategy, Analysis, and Design Stage

Identifying Your Security Requirements: What to protect and who to authorize

• What databases and applications need to be protected?
  • Oracle Applications
  • Partner Applications
  • Custom Applications
• Who needs to be authorized to access business data?
  • Application Owners through middle tier processes
  • Business Users through Application interface
• Who needs to manage the system without accessing business data?
  • Back end users for:
    • Backup
    • Patching
    • Tuning and Monitoring

Identifying Your Security Requirements: How to implement Separation of Duty?

• Who will be setting up new database accounts?
• Who will be running security audit reports?
• Who will be doing security administration of the database?
  • Creating Realms and Command Rules
  • Setting security policies for database users' access
  • Authorizing database users to what they are allowed to do
• Who are the alternate accounts for management and security?

Identifying Your Security Requirements: What is the current access structure?

• Who are all the users currently having access?
• What kind of access do they need?
  • Application Owners -> data access
  • Patching DBAs -> temporary access during patching time only
  • Backup DBAs -> predefined time to do backup using predefined tools
  • Tuning DBAs -> on-going performance monitoring and analysis
  • Developers -> access to development instances only
    • Data Masking or Scrambling is required
• Create a separation of duty matrix of who will be doing what, when, and how
• Create an Application Protection Matrix

Example Separation of Duty Matrix (figure)

Build and Document Stage

• Build your Security Policies using API scripts
• Document the Application Security policies with:
  • The Separation of Duty Matrix
  • The Application Protection Matrix
• Document processes and procedures for daily use cases:
  • Backup
  • Patching
  • Tuning and Monitoring
• Document production database accounts
  • The responsibilities of each
  • Which should be locked by default
  • When to use sys or system logins
• Document Emergency or "Break the Glass" Scenarios
• Reporting in production environment:
  • Define which reports to run and who runs them
  • Identify the needed frequency for each report
  • Identify the parties these reports need to go to

Transition and Production Stages

• Run a Full Test of Your Application
• Monitor Performance and tune your rule expressions
• Apply Your DBV API scripts to production environment
• Hand responsibilities to the production support and security groups
  • Hand Security responsibility to the Database Security Admin
  • Hand Account Management to the Database Account Manager
  • Hand Resource Management to the DBAs
• Backup Your DBV API scripts in a Secure Server

Database Vault Performance Numbers

Database Vault Performance Numbers: test profile

• Performed OLTP tests on ALL versions of DB Vault
  • 9.2.0.8
  • 10.2.0.3
  • 11.1
• Each test had 6 different measure points:
  • Vanilla Database without DB Vault
  • DB Vault enabled
  • Setup Realm by itself
  • Setup Command Rules without Realm
  • Setup Realms and Command Rules
  • Setup Command Rules, Realms, plus a CONNECT command rule
• 10.2.0.3 and 11.1:
  • Hardware profile:
    • Linux 64 bit on Em64t Dell server
    • 4 CPUs with 3.40 GHz
    • 4 GB of RAM
  • Number of users:
    • 20 dedicated users with multiple connections each
    • Ramp up to over 400 concurrent database connections
• 9.2.0.8:
  • Hardware profile:
    • Sun Solaris 9 Sparc, 64 bit on Sun4800-6 Sun-Fire server
    • 8 CPUs
    • 4 GB of RAM
  • Number of users:
    • 20 dedicated users with multiple connections each
    • Ramp up to over 400 concurrent database connections

Database Vault Performance Numbers: results

• 10.2.0.3 numbers:
  • Vanilla Database without DB Vault: Base
  • DB Vault enabled: zero overhead (within the margin of error, 0.25 %)
  • Setup a Realm by itself: 1% overhead
  • Setup Command Rules without Realm: 1% overhead or less
  • Setup Realms and Command Rules: 1% to 1.5% overhead
  • Setup Command Rules, Realms, plus a CONNECT command rule: 1% to 2% overhead

Database Vault Performance Numbers: results

• 9.2.0.8 and 11.1 numbers are comparable
  • This is consistent with the fact that DB Vault 9i is a back port of 11g
• 9.2.0.8 and 11.1 numbers:
  • Vanilla Database without DB Vault: Base
  • DB Vault enabled: zero overhead (within a margin of error, 0.25 %)
  • Setup Realm by itself: less than 1% overhead
  • Setup Command Rules without Realm: 1% overhead or less
  • Setup Realms and Command Rules: 1% to 1.5% overhead
  • Setup Command Rules, Realms, plus a CONNECT command rule: 1% to 1.5% overhead

Database Vault Performance Numbers: Conclusion and Best Practice

• The numbers are great!
• There is still room for improvement; we are working on it
• Customers deploying DB Vault in production:
  • Should apply typical DB tuning if they face performance issues
  • Should tune their rule expressions
  • Should simplify their security policies
  • Performance depends on many factors like:
    • Network, Hardware, Operating System, etc.
    • These need to be tuned as well
  • Should budget no or an extra 5% HW resources at max for DB Vault

Database Vault certification with SAP

• Work has started
• Customer Pilot kick-off in June 2008
• Pilot Customers should have the following profile:
  • Existing production customers with SAP on Oracle database
  • Customers have to be on 10.2 database
  • Customers have to be on SAP ERP 2005 (SAP 6.1) or higher
• Send your nominations to me: ([email protected])

Summary

Learn More

SAP Service Marketplace site
• Visit: http://service.sap.com/oracle-download

Oracle Technical Information, Demos, Software
• Visit OTN: otn.oracle.com -> products -> database -> security and compliance

