Copyright © 2014 Oracle and/or its affiliates. All rights reserved. | Securing The Extended Enterprise: Enterprise User Security Abdul Asfour | Sr. Security Consultant NAS Security Specialized Sales Consulting April 2016


Page 1

Securing The Extended Enterprise: Enterprise User Security

Abdul Asfour | Sr. Security Consultant, NAS Security Specialized Sales Consulting

April 2016

Page 2

ORACLE DATABASE SECURITY STRATEGY

• DEFENSE IN DEPTH: Layered, overlapping controls: encryption, audit, monitoring, access control, masking, redaction, …

• SECURITY INSIDE OUT: Security close to the data. Maximize performance with application transparency.

• SECURE DEPLOYMENTS: Across multiple systems: operating systems, heterogeneous databases, applications, …

• CONTINUOUS INNOVATIONS: Virtual Private Database, Transparent Data Encryption, DBA Control, Data Redaction, Privilege Analysis, Database Firewall, Real Application Security, …

Page 3

Oracle Confidential – Internal/Restricted/Highly Restricted

ORACLE SECURITY INSIDE OUT: LAYERS OF THE STACK

Security controls at each layer of the stack, top to bottom (ENTERPRISE MANAGER is shown as a vertical label spanning all layers):

• Governance, Risk & Compliance: Access & Certification Review, Anomaly Detection, User Provisioning, Entitlements Management
• Mobile Security, Privileged Users, Directory Services, Identity Governance, Entitlements Management, Access Management
• Encryption, Masking, Redaction, Key Management, Privileged User Control, Big Data Security, Secure Config
• Solaris Trusted Extensions, LDAP Host Access Control
• Secure Live Migration
• Cryptographic Acceleration, Application Data Integrity
• Secure Backup, Disk Encryption, ILM Security

Breach statistics shown alongside the stack:

• 76% – NETWORK INTRUSIONS: LOST, STOLEN & WEAK CREDENTIALS
• 80% – IMPLICATE WEB OR APPLICATION SERVERS
• 94% – BREACHED RECORDS FROM SERVERS
• 50% – PROPAGATION ENABLED BY MISCONFIGURATION

Page 4

SECURING ACCESS TO APPS & DATA

DATABASE PROTECTION: Key Management, Encryption, Redaction, Privileged User Control, Activity Monitoring, Secure Auditing, Database Firewall

IDENTITY & ACCESS: Identity Governance, Access Management, Directory Services, Mobile Security

Page 5

Understanding the Problem

Each database is basically an island. Users are managed separately in each database.

Page 6

Standard Database Users ("LOCAL")

• Admins manage database users and roles in each database

• A user potentially has multiple database login names and passwords to remember

Page 7

Authentication Options in Oracle Database 12c

Authentication Type               Description
Password Authentication           Users are authenticated using standard passwords as defined by the Password Policy.
Operating System Authentication   Some operating systems permit Oracle Database to use information they maintain to authenticate users.
Kerberos Authentication           Kerberos is a trusted third-party authentication system that relies on shared secrets.
Radius Authentication             Remote Authentication Dial-In User Service (RADIUS), a standard lightweight protocol used for user authentication, authorization, and accounting.
Public Key Infrastructure         Authentication systems based on public key infrastructure (PKI) issue digital certificates to user clients.
Enterprise User Security          Using a central directory can make authentication and its administration efficient.
Secure External Password Store    The secure external password store is a client-side wallet used to store password credentials.

Page 8

Enterprise User Security

• EUS stores user credentials and authorizations in a central location.

• It eases administration through centralization.

• It enables single-point authentication.

• Each person has one username/password for ALL databases.

• Directory identities are mapped to database schemas. Directory groups are mapped to database roles.

Page 9

Enterprise User Security: Impact of Using EUS vs Named Accounts on each Database

DB Work Item                                                   Current   EUS
Password Changes (200 Databases x 200 Users x 4, quarterly)    160,000   0
Create New Users (200 Databases x 20, 10% yearly turnover)     4,000     0
Delete Old Users (200 Databases x 20, 10% yearly turnover)     4,000     0
Assign Privileges (200 Databases x 20, 10% yearly turnover)    4,000     40
Total                                                          176,000   400

*Based on 200 Named Users for 200 Databases, 8 Normal/Forgotten Password Changes

DBAs must perform these tasks on every database:

• Set password policies

• Create users and passwords

• Reset passwords

• Manage roles and privileges

• Assign roles and privileges to users

Page 10

Enterprise User Security: Cost Savings/Operational Efficiency and Risk

Cost Savings and Operational Efficiency

• Users benefit from SSO or single-password authentication.

• Fewer password resets

• Fewer accounts to create

• Centrally manage access

• Easily manage roles and privileges through AD/LDAP groups

Reduce Risk

• Fewer passwords to remember

• A user's access can be easily removed on employment transfer or termination.

• Leverage the secure password policy and storage of the corporate directory

Page 11

Enterprise User Security: Managing Database Information

Page 12

History Lesson: Thick-client connect strings

• sqlplus 'user/pass@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=hostname.network)(Port=1521))(CONNECT_DATA=(SID=remote_SID)))'

or

• sqlplus username/password@connect_identifier

– With a tnsnames.ora file containing the connect_identifier:

    local_SID =
      (DESCRIPTION =
        (ADDRESS = (PROTOCOL = TCP)(Host = hostname.network)(Port = 1521))
        (CONNECT_DATA = (SID = remote_SID))
      )

– It becomes: sqlplus user/password@local_SID

– With the ORACLE_SID environment variable set it becomes: sqlplus user/pass

Page 13

What is Oracle Net Services: Client interaction

• Every time a new database becomes available for use, your end users need to:

– Know the connect string

– Get an updated tnsnames.ora, or

– Leverage Net Services

• i.e. an IP name/address resolution analogy:

– %SYSTEMROOT%\system32\drivers\etc\hosts ~= $ORACLE_HOME/network/admin/tnsnames.ora

– nslookup ~= $ORACLE_HOME/network/admin/ldap.ora

Database Information

Page 14

Example: Net Services in OUD, DBCA-registered DB11g

Page 15

Managing Enterprise User Privileges: Enterprise User Security

Database Roles, System Privileges, Object Privileges → Global Roles → Enterprise Roles → LDAP Groups

Page 16

Connect to Enterprise User Security: Authentication and Authorization Flow

• Client: Connect: username@database_service_name / Enter password:

• Database: LDAP search for user and group info in OUD, DSEE or AD

• Database: assign privileges and roles

Page 17

Example: Dedicated Schema Mapping in OUD

Page 18

Create New User Schema Mapping

Page 19

Create Enterprise Role Mapping

Page 20

Enterprise Roles: DBA Perspective

• Global roles within the database:

    create role ldapdba identified globally;
    grant dba to ldapdba;

• Map to enterprise roles within the directory

• Add users to the LDAP role

Page 21

How to identify a dedicated schema "globally": DBA Perspective

• Dedicated Schema

    create user ldapauser identified globally as 'CN=Andy User,ou=ad,cn=users,dc=oracle,dc=vm';

  -or-

    alter user ldapauser identified globally as 'CN=Andy User,ou=ad,cn=users,dc=oracle,dc=vm';

• Mappings maintained within the database:

    select username, password, external_name from dba_users where password='GLOBAL';

    USERNAME       PASSWORD       EXTERNAL_NAME
    -------------  -------------  --------------------------------------------
    LDAPAUSER      GLOBAL         CN=Andy User,ou=ad,cn=users,dc=oracle,dc=vm

Password = GLOBAL means the password is external to the database.

Page 22

How to identify a shared schema "globally": DBA Perspective

• Shared Schema

– Create a global schema with no DN: create user ldapuser identified globally as '';

• Mappings (entry-level, i.e. dedicated, or subtree) for shared schemas are maintained within the directory rather than in the database.

Page 23

EUS Supported Deployments

Directory                                                Oracle DB 9i    Oracle DB 10g              Oracle DB 11g              Oracle DB 12c
Oracle Internet Directory 11g
Oracle Virtual Directory
Microsoft Active Directory                               Requires OID    Requires OID, OVD or OUD   Requires OID, OVD or OUD   Requires OID, OVD or OUD
Novell eDirectory                                        Requires OID    Requires OID, OVD or OUD   Requires OID, OVD or OUD   Requires OID, OVD or OUD
Oracle Directory Server Enterprise Edition / Sun DSEE    Requires OID    Requires OID, OVD or OUD   Requires OID, OVD or OUD   Requires OID, OVD or OUD
Oracle Unified Directory 11g                             Requires min. 11.2 DB

Page 24

EUS with Oracle Unified Directory

• OUD works seamlessly with EUS. Database user information, passwords and privilege information for a database or for a database domain can be stored in OUD.

• Supported on 11.2+ databases

Page 25

EUS with Oracle Unified Directory and Active Directory

• The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Active Directory. User passwords are retrieved from the hashed password stored by the OUD Password Change Notification plug-in. EUS metadata are stored in and retrieved from OUD.

• An Active Directory schema extension is required to store the hashed passwords.

Page 26

EUS with Active Directory/Kerberos

• The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Active Directory. EUS metadata are stored in and retrieved from OUD.

• Access to the hashed user password is not required, so no schema extensions and no Password Change Notification dll have to be deployed on Active Directory.

Page 27

EUS with ODSEE

• The database establishes a connection to OUD. OUD retrieves user data (users and groups) from Oracle Directory Server Enterprise Edition (ODSEE). EUS metadata are stored in and retrieved from OUD.

• This integration does not require any changes in the database, nor for database clients that use password authentication.

Page 28

Authentication Process Flow

• User provides credentials to client application

• Client application sends credentials to database

• Database looks for username in local table

• Database looks for username in directory (the directory responds to searches from the database)

• Database looks for username-to-schema explicit mapping

• Database looks for username-to-schema implicit mapping (OU level)

• Database retrieves hashed password from directory and compares it with the provided password that has been hashed

• Database checks local system and role privileges assigned to schema

• Database checks directory for roles assigned to user

• Session is established
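As an added example, not code from the Oracle deck, the following Python model walks the steps of the Authentication Process Flow above and ties them to the dedicated/shared schema mappings and the global role shown on the "DBA Perspective" slides (Pages 20 to 22). Every table in it is constructed for illustration: the directory entries, nicknames, group DNs, the subtree mapping and the PBKDF2 hash standing in for whatever hashed password the directory stores. It does not reproduce OUD's real storage format or the exact lookup order inside the database; it shows why explicit mappings win over OU-level ones, why a GLOBAL user has no usable local password, and why the password comparison should be constant-time.

```python
"""Model of the EUS authentication flow: local lookup, directory lookup,
explicit then implicit (OU-level) schema mapping, hashed-password comparison,
local privileges, directory roles, session.  Every table below is constructed
for the example; the PBKDF2 hash is a stand-in for whatever the directory
stores, not OUD's real format."""
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed; a real store salts per entry


def hash_password(password: str) -> bytes:
    # Stand-in for the stored (hashed) password retrieved from the directory.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 20_000)


# Local user table, as in dba_users: PASSWORD='GLOBAL' means the password is
# external to the database; EXTERNAL_NAME holds a dedicated-schema mapping.
DBA_USERS = {
    "LDAPAUSER": {"password": "GLOBAL",
                  "external_name": "CN=Andy User,ou=ad,cn=users,dc=oracle,dc=vm"},
    "LDAPUSER": {"password": "GLOBAL", "external_name": None},  # shared schema
    "SCOTT": {"password": hash_password("tiger"), "external_name": None},  # local
}
# Roles granted locally to each schema (constructed).
SCHEMA_ROLES = {"LDAPAUSER": ["CONNECT", "RESOURCE"],
                "LDAPUSER": ["CONNECT"], "SCOTT": ["CONNECT"]}
# Directory entries: DN -> login nickname, hashed password, groups (constructed).
DIRECTORY = {
    "cn=Andy User,ou=ad,cn=users,dc=oracle,dc=vm": {
        "uid": "andy", "pwd_hash": hash_password("andy-pw"),
        "groups": ["cn=dba_admins,ou=groups,dc=oracle,dc=vm"]},
    "cn=Ted Turner,cn=Users,dc=example,dc=com": {
        "uid": "ted", "pwd_hash": hash_password("ted-pw"), "groups": []},
    "cn=Guest,ou=contractors,dc=example,dc=com": {  # mapped to no schema
        "uid": "guest", "pwd_hash": hash_password("guest-pw"), "groups": []},
}
# Subtree (implicit, OU-level) mappings kept in the directory: parent DN -> shared schema.
SUBTREE_MAPPINGS = {"cn=Users,dc=example,dc=com": "LDAPUSER"}
# Enterprise role (an LDAP group) -> global role created with IDENTIFIED GLOBALLY.
ENTERPRISE_ROLES = {"cn=dba_admins,ou=groups,dc=oracle,dc=vm": "LDAPDBA"}


def normalize_dn(dn: str) -> str:
    # DNs compare case-insensitively and tools differ in RDN spacing.
    return ",".join(part.strip().lower() for part in dn.split(","))


def find_directory_user(username: str):
    """Step 'database looks for username in directory': search by nickname."""
    for dn, entry in DIRECTORY.items():
        if entry["uid"].lower() == username.lower():
            return dn, entry
    return None, None


def resolve_schema(dn: str):
    """Explicit (dedicated) mapping first, then implicit mapping by subtree."""
    ndn = normalize_dn(dn)
    for schema, row in DBA_USERS.items():
        if row["external_name"] and normalize_dn(row["external_name"]) == ndn:
            return schema, "explicit"
    for parent, schema in SUBTREE_MAPPINGS.items():
        if ndn.endswith("," + normalize_dn(parent)):
            return schema, "implicit"
    return None, None


def authenticate(username: str, password: str):
    """Return a session dict on success, None on any failed step."""
    local = DBA_USERS.get(username.upper())
    if local and local["password"] != "GLOBAL":
        # Locally authenticated user: the directory is never consulted.
        if hmac.compare_digest(local["password"], hash_password(password)):
            return {"schema": username.upper(), "auth": "LOCAL PASSWORD",
                    "mapping": None, "roles": list(SCHEMA_ROLES[username.upper()])}
        return None
    dn, entry = find_directory_user(username)
    if entry is None:
        return None
    schema, how = resolve_schema(dn)
    if schema is None:
        return None  # known to the directory but mapped to no schema here
    # Hash the supplied password and compare it with the stored hash in
    # constant time, so a mismatch does not leak timing information.
    if not hmac.compare_digest(entry["pwd_hash"], hash_password(password)):
        return None
    roles = list(SCHEMA_ROLES.get(schema, []))
    roles += [ENTERPRISE_ROLES[g] for g in entry["groups"] if g in ENTERPRISE_ROLES]
    return {"schema": schema, "auth": "DIRECTORY PASSWORD", "mapping": how,
            "external_name": dn, "roles": roles}


if __name__ == "__main__":
    for user, pw in [("andy", "andy-pw"), ("ted", "ted-pw"),
                     ("scott", "tiger"), ("guest", "guest-pw"), ("andy", "bad")]:
        print(user, "->", authenticate(user, pw))
```

Running the module shows andy landing in the dedicated LDAPAUSER schema with the LDAPDBA global role added from his group, ted landing in the shared LDAPUSER schema via the OU-level mapping, scott authenticated locally without touching the directory, and guest rejected because no mapping exists even though the directory knows the entry.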

Page 29

Auditing

Auditing Type: Standard / DB_EXTENDED. View: DBA_AUDIT_TRAIL

Column Name    Value
USERNAME       GLOBAL_USER
ACTION_NAME    LOGON
COMMENT_TEXT   Authenticated by: DIRECTORY PASSWORD;EXTERNAL NAME: cn=Ted Turner,cn=Users,dc=example,dc=com; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.56.2)(PORT=59912))
PRIV_USED      CREATE SESSION

Page 30

Auditing

Auditing Type: Unified Auditing (12c). View: UNIFIED_AUDIT_TRAIL

Column Name           Value
DBUSERNAME            GLOBAL_USER
EXTERNAL_USERID       cn=Ted Turner,cn=Users,dc=example,dc=com
GLOBAL_USERID         11dfef187d1045ab8ed9f04991e539d1
AUTHENTICATION_TYPE   (TYPE=(DIRECTORY PASSWORD))
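The standard audit trail packs the enterprise-user details into the free-text COMMENT_TEXT column shown on the Auditing slide (Page 29), so a detection pipeline has to parse it before it can ask the questions the unified trail answers with dedicated columns. The following Python is an added example, not code from the deck: it parses COMMENT_TEXT into method, external name and client address, then reviews LOGON rows for two conditions a defender cares about with EUS: a schema that should only ever be reached through the directory (PASSWORD = GLOBAL) being authenticated some other way, and a logon from outside the expected client network. All rows, the "DATABASE" method string in the anomaly row, the network 203.0.113.0/24 and the allowed-network list are constructed for the example.

```python
"""Parse the COMMENT_TEXT of standard audit trail LOGON rows into structured
fields and flag anomalies in enterprise-user logons.  The regex follows the
record layout shown on the 'Auditing' slide; every row below is constructed."""
import ipaddress
import re

COMMENT_RE = re.compile(
    r"Authenticated by:\s*(?P<method>[^;]+);"
    r"(?:\s*EXTERNAL NAME:\s*(?P<ext>[^;]+);)?"
    r"\s*Client address:\s*(?P<addr>\(ADDRESS=.*\))",
    re.IGNORECASE | re.DOTALL,
)
# Matches the innermost (KEY=value) pairs of an Oracle Net address descriptor.
ADDR_PART_RE = re.compile(r"\((?P<key>[A-Za-z_]+)=(?P<val>[^()]*)\)")


def parse_comment_text(text: str):
    """Return method, external name and client host/port, or None if the
    text is not a logon comment in the expected shape."""
    m = COMMENT_RE.search(text)
    if not m:
        return None
    parts = {k.upper(): v.strip() for k, v in ADDR_PART_RE.findall(m.group("addr"))}
    port = parts.get("PORT", "")
    return {
        "method": m.group("method").strip().upper(),
        "external_name": (m.group("ext") or "").strip() or None,
        "protocol": parts.get("PROTOCOL"),
        "host": parts.get("HOST"),
        "port": int(port) if port.isdigit() else None,
    }


# Constructed rows shaped like the audit trail record on the slide.
SAMPLE_ROWS = [
    {"USERNAME": "GLOBAL_USER", "ACTION_NAME": "LOGON", "PRIV_USED": "CREATE SESSION",
     "COMMENT_TEXT": "Authenticated by: DIRECTORY PASSWORD;EXTERNAL NAME: "
                     "cn=Ted Turner,cn=Users,dc=example,dc=com; Client address: "
                     "(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.56.2)(PORT=59912))"},
    # Constructed anomaly: a global schema logged on without the directory,
    # from an address outside the expected client network (203.0.113.0/24 is
    # a documentation range).
    {"USERNAME": "GLOBAL_USER", "ACTION_NAME": "LOGON", "PRIV_USED": "CREATE SESSION",
     "COMMENT_TEXT": "Authenticated by: DATABASE; Client address: "
                     "(ADDRESS=(PROTOCOL=tcp)(HOST=203.0.113.9)(PORT=40001))"},
    {"USERNAME": "SCOTT", "ACTION_NAME": "LOGON", "PRIV_USED": "CREATE SESSION",
     "COMMENT_TEXT": "Authenticated by: DATABASE; Client address: "
                     "(ADDRESS=(PROTOCOL=tcp)(HOST=192.168.56.10)(PORT=40002))"},
    {"USERNAME": "GLOBAL_USER", "ACTION_NAME": "LOGOFF", "PRIV_USED": None,
     "COMMENT_TEXT": None},
]


def review_logons(rows, global_schemas, allowed_networks):
    """Return (username, reason) findings for LOGON rows where a global
    schema was not authenticated by the directory, or where the client
    address is outside the allowed networks."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for row in rows:
        if row["ACTION_NAME"] != "LOGON" or not row["COMMENT_TEXT"]:
            continue
        parsed = parse_comment_text(row["COMMENT_TEXT"])
        if parsed is None:
            findings.append((row["USERNAME"], "unparseable COMMENT_TEXT"))
            continue
        if row["USERNAME"] in global_schemas and parsed["method"] != "DIRECTORY PASSWORD":
            findings.append((row["USERNAME"],
                             f"global schema authenticated by {parsed['method']}"))
        if parsed["host"]:
            try:
                addr = ipaddress.ip_address(parsed["host"])
            except ValueError:
                findings.append((row["USERNAME"], f"non-IP client host {parsed['host']}"))
                continue
            if not any(addr in net for net in nets):
                findings.append((row["USERNAME"], f"client {addr} outside allowed networks"))
    return findings


if __name__ == "__main__":
    for finding in review_logons(SAMPLE_ROWS, {"GLOBAL_USER"}, ["192.168.56.0/24"]):
        print(*finding)
```

On the sample rows the first logon is clean, the second raises two findings (directory bypassed, unexpected client network), SCOTT is a local account and is not held to the directory rule, and the LOGOFF row is skipped. The same two checks map directly onto the unified trail's AUTHENTICATION_TYPE and EXTERNAL_USERID columns on 12c, without the regex.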

Page 31

Using EUS Attributes with Fine Grained Auditing

Page 32

Using EUS Attributes with Database Vault

Page 33

Using EUS Attributes with Database Redaction

Page 34

Using EUS Attributes with Virtual Private Database

    select * from EMPLOYEESEARCH.demo_hr_employees

Page 35

Questions