Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle

Protect Sensitive Data: Implementing Fine-Grained

Access ControlNelson Calero

Pythian

© 2014 Pythian Confidential4

•Database Consultant at Pythian •Working with Oracle tools and Linux environments since 1996•DBA Oracle (2001) & MySQL (2005)•Co-founder and President of the Oracle user Group of Uruguay (2009)•LAOUC Director of events (2013)

•Computer Engineer•Oracle ACE (2014)•Oracle Certified Professional DBA 10g/11g (2008)•Amazon Solutions Architect – Associate since (2016)•Oracle University Instructor (2011)•Blogger and speaker: Oracle Open World, Collaborate, OTN Tour, Regional conferences

About me

http://www.linkedin.com/in/ncalero @ncalerouy


Pythian overview•19 Years of data infrastructure management consulting•250+ Top brands•11700+ Systems under management•Over 400 DBAs in 35 countries•Top 5% of DBA work force, 10 Oracle ACEs, 4 ACED, 3 OakTable members, 2 OCM, 6 Microsoft MVPs, 1 Cloudera Champion of Big Data, AWS Certified Solutions Architect – 2 Professional, 12 Associate•Oracle, Microsoft, MySQL, Hadoop, Cassandra, MongoDB, and more•Infrastructure, Cloud, DevOps, and application expertise


Today’s topics• What is Fine Grain Access control?• Functionalities available with Oracle• Implementing row level security

– With standard edition– Using OLS– Using VPD– Using RAS

• Complex scenarios


Fine Grain Access control?What

– Ability to restrict access to objects applying small granularity• row level instead of table level• network services instead of all network access

Why– Access to data comply with security regulations– Industry regulations: health care (HIPAA), Defense (security clearances), Personal

information protection (several).

• database side implementation => no code on the application side– Several functionalities available (next slide)

• We will discuss implementation and management from database point of view


Oracle functionalities for FG control• auditing

• DBMS_FGA package (only in EE)• external network services and wallets

• DBMS_NETWORK_ACL_ADMIN package• data – several ways:

• Application context – available in SE• Virtual Private Database (VPD) – 8i

– Only with EE, no extra cost• Oracle Label Security (OLS) – 8i

– Only with EE, Extra cost option• Oracle Real Application Security – new in 12c

– Next generation VPD, only with EE, no extra cost


Simple example

Policy rules

SMAVRISuser

JDANIELManager 103

Select * FromHR.EMPLOYEES


Simple exampleWhat do I need to implement it?

– It depends on your requirements

Functionalities available out of the box for free?– limited, needs maintenance, will explore them next

Many functionalities with EE with no extra cost– Only OLS have extra cost


Simple example - demoImplementing a simple VPD on SE

– Schema owner of data not allowed to connect from app– Views for each table including a where condition– Nominated users granted access to views only– Usage of application context

script: fga-se.sql


Application contexts• session variables to store information• useful to implement FGAC with Standard Edition• session (local) or global (shared)

– select sys_context(namespace, attribute) from dual;– dbms_session.set_context(namespace, attribute, value, client_id)

• built-in application context namespace: USERENV– select sys_context('USERENV', 'SESSION_USER')from dual;

• Dictionary views– V$CONTEXT / V$GLOBALCONTEXT

• Memory footprint– select * from v$sgastat where name like 'Global Context%';

https://docs.oracle.com/database/121/DBSEG/app_context.htm#DBSEG173





Poor man VPD problems• Users with different privileges over the same data?

– More views per privilege set / coding logic into function / intermediate table/...

– It is up to your coding abilities

• Different policies for insert/update/deletes?– More views per policies / coding logic into functions /…

• Modified data will match the condition?– Triggers to validate after data modifications / manual controls


Other implications• Changes in query performance?

– Review indexes to cover all new conditions

• Connection pools at middle tier– Proxy user and client_identifier usage

ALTER USER john GRANT CONNECT THROUGH appsrv;oracle.jdbc.OracleConnection.setClientIdentifier() from JDBCexec dbms_session.set_identifier ('ABCD') same from PL/SQL


General implementation principlesBefore coding, design your policies:

– Identify tables that requires security– Evaluate its data and define level of security and groups– Categorize users (privileged / typical / etc.)

As part of the coding:– Lock down access to configuration – least privilege principle– Audit operations



– With standard edition– Using VPD– Using OLS– Using RAS



Virtual Private Database (VPD)“interface to associate PL/SQL packages with application tables to compute and append a predicate (where clause) that is automatically appended to incoming SQL statements, restricting access to rows and columns within the table”http://www.oracle.com/technetwork/database/security/real-application-security/overview/index.html

• Package DBMS_RLS to manage policies• View DBA_POLICIES to view existing policies• View V$VPD_POLICY to see predicates generated for SQL_IDs• Different policies can be used for SELECT/INSERT/UPDATE/DELETE• Multiple policies allowed per table

http://www.oracle.com/technetwork/database/security/real-application-security/overview/index.html




Virtual Private Database (VPD) - examplescript: fga-vpd.sql

Summary:• Policy function using static and dynamic predicates• Errors when querying base table on some cases• Adding extra code to allow privileged user access• Testing SELECT/UPDATE


Policies evaluation• Defined by the policy type:

– Dynamic – evaluated every time is used– Static – executed only once and cached– Context_sensitive – evaluated if context change (useful on connection pooling)– Shared_static – cache over multiple objects– Shared_context_sensitive – combine previous two

• policy exemptions:– direct path export– cannot be applied to objects in schema SYS– EXEMPT ACCESS POLICY privilege

• MERGE INTO statements supported on tables using VPD since 11gR2• ORA_ROWSCN usage has problems


Policy function• No validation on the code we create – it fails at runtime if wrong• Code can use whatever we want to produce the string

– Performance overhead depending on the policy type when evaluating– Execution plans may change because of the new condition in use

• String returned may be different for different tables (FK relationships, etc.)

• It can be applied to columns, not entire table– Column masking vs row masking

• Access to policy function definition should be protected


VPD - Column maskingBEGIN DBMS_RLS.ADD_POLICY(object_schema=>’HR’, object_name=>'EMPLOYEES', policy_name=>'SEC_SALARY', function_schema=>‘HR', policy_function=>'f_protect_salary', sec_relevant_cols=>'SALARY', sec_relevant_cols_opt=>dbms_rls.ALL_ROWS);END;

create or replace function f_protect_salary (p_owner in varchar2, p_name in varchar2)return varchar2 asbegin if sys_context('userenv', 'session_user') = 'MANAGER' then return ‘1=1’; /* value is displayed */ else return 'salary <= 10000'; /* displayed only if match condition */ end if;end;

policy_function is treated as a Boolean expression to decide if column values are shown


VPD – update checkNew in 11.2: BEGIN DBMS_RLS.ADD_POLICY(object_schema=>user, object_name=>'EMPLOYEES', policy_name=>'SEC_SALARY', function_schema=>'LBACSYS', policy_function=>'f_protect_salary',

update_check=>true); END;

SQL> Update hr.employees set salary=salary*2; ERROR at line 1: ORA-28115: policy with check option violation

policy_function is enforced also after updates


Policies troubleshooting• What condition (policy) is being applied to my query?

– v$vpd_policy

• When errors, trace file is generated on user_dump_dest

• Debugging– Trace 10730 / 10060






Oracle Label Security (OLS)• Based on tags for data• Hierarchical classification: levels / compartments / groups• Access to data granted based on policies without manual coding

– Using predefined PL/SQL packages, not user created as in VPD– policy can be applied to table or schema

• When labels are used, a (hidden) column is created when policy is applied to tables

• Administration:– User LBACSYS to manage policies– SA_USER_ADMIN package - to manage user labels and user privileges– SA_SESSION package to configure Labels & Privileges – several SA_* views– DBA_OLS_STATUS view shows if OLS is enabled and configured


Oracle Label Security (OLS) – labels example


Oracle Label Security (OLS) - examplescript: fga-ols.sql

Summary:define label hierarchydefine policiestest policies from users with different privilegesvalidate predicates used


Oracle Label Security (OLS)Not enabled by default

SELECT VALUE FROM V$OPTION WHERE PARAMETER = 'Oracle Label Security';

VALUE--------------------------------------------FALSE

select * from DBA_OLS_STATUS;

NAME STATUS DESCRIPTION-------------------- ------ -------------------------------------OLS_CONFIGURE_STATUS FALSE Determines if OLS is configuredOLS_DIRECTORY_STATUS FALSE Determines if OID is enabled with OLSOLS_ENABLE_STATUS FALSE Determines if OLS is enabled


Oracle Label Security (OLS) - installOn 12c:

EXEC LBACSYS.CONFIGURE_OLS; EXEC LBACSYS.OLS_ENFORCEMENT.ENABLE_OLS;

On 11g:cd $ORACLE_HOME/rdbms/libmake -f ins_rdbms.mk lbac_on ioracle

(same as: chopt enable lbac)shutdown/startupsqlplus @?/rdbms/admin/catols.sql


Oracle Label Security (OLS) - labelslabel_to_char (OLS_COLUMN)

Display string label instead of internal code

sa_session.label(‘policy_name')current user’s session label for the policy

OLS_LABEL_DOMINATES (session_tag, desired_tag) returns 1 when first label is allowed for the second one

New in 12.1 - LBACSYS schema can be exported using full export/importsource>=11.2.0.3, target>=12.1


Oracle Label Security (OLS) - DMLLabeling column implications:• column values set using labeling function or manually

oracle-base example• affects initial configuration and inserts

create function f_label(..) RETURN LBACSYS.LBAC_LABEL .. RETURN TO_LBAC_DATA_LABEL('label', string); end; exec SA_POLICY_ADMIN.APPLY_TABLE_POLICY (...label_function => 'f_label(..)')






Oracle Real Application Security (RAS)“A database authorization model:• Supports declarative security policies• Enables end-to-end security for multitier applications• Provides an integrated solution to secure database and

application resources• Advances the security architecture of Oracle Database to meet

existing and emerging demands of applications developed for the Internet”

https://docs.oracle.com/database/121/DBFSG/intro.htm#DBFSG10000




© 2015 Pythian Confidential34https://docs.oracle.com/database/121/DBFSG/intro.htm#BABHAIFD

https://docs.oracle.com/database/121/DBFSG/intro.htm#BABHAIFD

https://docs.oracle.com/database/121/DBFSG/intro.htm#BABHAIFD


Oracle Real Application Security (RAS) conceptsApplication users – schema-less to create application sessionApplication role (static/dynamic)Application privilegesSecurity class – set of privilegesAccess control entry (ACE)

– grant/deny application privileges to principalsAccess control list (ACL)

– named list of privilege grants bound to resourcesData realm

– business object defined by SQL predicate authorized by an ACL– Regular / parameterized / inherited

Data security policy – protect realms associating ACLs


Oracle Real Application Security (RAS)• Application sessions – not bounded to database schemas

• PL/SQL and Java API

• Administration Application (RASADM) in APEX to download from OTNhttp://www.oracle.com/technetwork/database/security/real-application-security/downloads/index.html

• HR Demo from javahttps://docs.oracle.com/database/121/DBFSG/midtierjava.htm#CBBDJDDE

http://www.oracle.com/technetwork/database/security/real-application-security/downloads/index.html




https://docs.oracle.com/database/121/DBFSG/midtierjava.htm#CBBDJDDE

https://docs.oracle.com/database/121/DBFSG/midtierjava.htm#CBBDJDDE


Oracle Real Application Security (RAS) - examplescripts: ras-*.sql

Usage from PL/SQL http://docs.oracle.com/database/121/DBFSG/security_hr_demo_tutorial.htm#DBFSG816 based on hrdemo*.sql scripts

Summary: row filtering and column masking

realm with errors and troubleshooting

http://docs.oracle.com/database/121/DBFSG/security_hr_demo_tutorial.htm#DBFSG816

http://docs.oracle.com/database/121/DBFSG/security_hr_demo_tutorial.htm#DBFSG816


Oracle Real Application Security (RAS)New hidden column to enforce policy: SYS_ACLOID

begin xs_data_security.apply_object_policy( policy => 'hr.employees_ds', row_acl=> true , schema => 'hr', object => 'employees'); end; /

select column_name from dba_tab_cols where table_name='EMPLOYEES' and hidden_column='YES';


Oracle Real Application Security (RAS)Static policies (data realms):

XS$REALM_CONSTRAINT_TYPE(realm=> 'DEPARTMENT_ID=50', acl_list=> XS$NAME_LIST('HRACL'), is_static=> TRUE); -- default is FALSE

Materialized view generated automatically to keep binding between rows and ACL

Change the ACL refresh mode to on-commit or on-demand refresh XS_DATA_SECURITY_UTIL.ALTER_STATIC_ACL_REFRESH


Oracle Real Application Security (RAS)ACLs evaluation order:1) application user-managed ACLs - from grants directly on object instances2) ACLs from static data realm constraint grants are evaluated next3) ACLs from dynamic data realm constraint grants are evaluated last

To see realms associated with tables: DBA_XS_REALM_CONSTRAINTS

DBA_XS_* and DBA_XDS_* views to see all related data to RAS

ras-check.sql script


Oracle Real Application Security (RAS)Parameters in data realm rules – definition

1) rows_sec := xs$REALM_CONSTRAINT_LIST( XS$REALM_CONSTRAINT_TYPE( realm => 'COUNTRY_REGION = &' || 'REGION'));

2) sys.xs_data_security.create_policy( name => 'SH.CUSTOMER_DS', realm_constraint_list => rows_secs,

description => 'Policy to protect sh.customers table'); 3) sys.xs_data_security.create_acl_parameter( policy => 'SH.CUSTOMER_DS', parameter => 'REGION', param_type => XS_ACL.TYPE_VARCHAR);


Oracle Real Application Security (RAS)Parameters in data realm rules – usage when creating ACL

DECLARE ace_list XS$ACE_LIST;BEGIN ace_list := XS$ACE_LIST( XS$ACE_TYPE(privilege_list => XS$NAME_LIST('SELECT'), granted => true, principal_name => 'Americas_sales'), XS$ACE_TYPE(privilege_list => XS$NAME_LIST('SELECT', 'VIEW_SENSITIVE_INFO'), granted => true, principal_name => 'Business_Analyst')); sys.xs_acl.create_acl(name => 'View_Americas_sales', ace_list => ace_list, sec_class => 'SH.CUST_SEC_CLASS', description => 'Authorize read access for the Americas region'); sys.xs_acl.add_acl_parameter(acl => 'View_Americas_sales', policy => 'SH.CUSTOMER_DS', parameter => 'REGION', value => 'Americas');END;

/


Oracle Real Application Security (RAS) - Trace

• V$VPD_POLICY works

• dump all the data realm constraint rules: ALTER SESSION SET EVENTS 'TRACE[XSXDS] disk=high'; • dump the VPD views of the XDS-enabled table during the

initial (hard) parse ALTER SESSION SET EVENTS 'TRACE[XSVPD] disk=high';


Oracle Real Application Security (RAS)• Default passwords for RAS users are created with SHA2 hashes. SQL Developer uses JDBC which does not support SHA512 hashes.

Need to specify SHA1 passwords for those cases: exec XS_PRINCIPAL.SET_PASSWORD('john', 'john',xs_principal.XS_SALTED_SHA1);

• SA_SESSION.SET_ACCESS_PROFILE– To implement proxy accounts with application users– SA_SESSION.SA_USER_NAME function to see the current username






Complex scenarios?• Combined with other functionalities

– Oracle Internet Directory– Result cache, Materialized views, non-deterministic functions, etc.

• Mixed application usages of same data – vpd + non vpd– Views for applying policies, base table access for non-vpd– Grants / synonyms to control access to correct ones

• Multiple policies– Combined condition should be valid– Definition challenge when applied to multiple tables


Performance considerations– Traditional tuning - considering final user + policy conditions for

SQLs• V$VPD_POLICY to start

– Optimizer does not estimate cardinality when using functions in policies • id= SYS_CONTEXT('USERENV', 'SESSION_USER');

• Id=10 => it does


Changes in different versions• 9i

– Multiple policies per table. Global contexts.• 10g

– Column based policies, column masking, policy types• 11g

– Support for MERGE INTO statement• 12c

– RAS– VPD context-sensitive policies – evaluated only if associated

application context attribute changes


Auditing - OLS12c - unified auditing• enabling and disabling of OLS policies, etc.

SELECT * FROM AUDITABLE_SYSTEM_ACTIONS WHERE COMPONENT = 'Label Security'; • example:

CREATE AUDIT POLICY audit_olsACTIONS SELECT ON OE.ORDERSACTIONS COMPONENT=OLS ALL;

• Oracle Label Security session label attributes can be audited

AUDIT CONTEXT NAMESPACE ORA_SESSION_LABELS ATTRIBUTES lsec_pol1, lsec_pol2;

• Auditing Oracle Label Security Events: https://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG454 • SYS.UNIFIED_AUDIT_TRAIL.xs_user_name for RAS db connections, XS$NULL on sys.aud$

Pre-12c auditing (OLS):• using SA_AUDIT_ADMIN package

https://docs.oracle.com/database/121/OLSAG/packages.htm#GUID-C4FB5E20-D9B8-48A1-9DDB-1ACA4722846E

https://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG454







FGA options compared


Conclusions• Several alternatives available with different functionality• Some limitations exists, needs testing to validate it works

for your needs• Access to packages that modify policies should be

protected and audited• Don’t underestimate the effort needed to design the

policies • Changes in different versions• RAS is brand new but should be used for all new

developments


Questions?

[email protected]

@ncalerouy

http://www.linkedin.com/in/ncalero


References - documentation– Oracle license 12chttps://docs.oracle.com/database/121/DBLIC/editions.htm#DBLIC110– Oracle Label Securityhttps://docs.oracle.com/database/121/OLSAG/toc.htm http://www.oracle.com/technetwork/database/options/label-security/label-security-wp-12c-1896140.pdf– Oracle VPDhttps://docs.oracle.com/database/121/TDPSG/GUID-92A1A94D-319C-4FB2-AEC3-B86415D72628.htm#TDPSG94442

– Oracle Real Application Securityhttp://www.oracle.com/technetwork/database/security/real-application-security/overview/index.html– Auditing Oracle Label Security Eventshttps://docs.oracle.com/database/121/DBSEG/audit_config.htm#DBSEG454- Application context https://docs.oracle.com/database/121/DBSEG/app_context.htm#DBSEG172

https://docs.oracle.com/database/121/DBLIC/editions.htm#DBLIC110

http://www.oracle.com/technetwork/database/options/label-security/label-security-wp-12c-1896140.pdf

http://www.oracle.com/technetwork/database/options/label-security/label-security-wp-12c-1896140.pdf

https://docs.oracle.com/database/121/TDPSG/GUID-92A1A94D-319C-4FB2-AEC3-B86415D72628.htm#TDPSG94442

https://docs.oracle.com/database/121/TDPSG/GUID-92A1A94D-319C-4FB2-AEC3-B86415D72628.htm#TDPSG94442









Date post:	19-Jan-2017
Category:	Technology
Upload:	nelson-calero
View:	191 times
Download:	0 times

Protect Sensitive Data: Implementing Fine-Grained Access Control in Oracle

Technology