Chapter 17. Using Extra-Cost Options

The goal of this book has been to provide you with the background and examples to implement a reasonable degree of security within your Oracle database, based on the software Oracle delivers by default. For example, it describes how you can use roles and views to control user access to different areas of the database, limit access to your operating system files, and implement auditing to further protect your data and database.

The topics discussed in this chapter go beyond the basic security available in the standard Oracle database. Oracle Corporation provides several products that offer additional security at an additional cost. Here we provide a brief discussion of these Oracle products so you will have an idea of other options available to protect your databases:

  • Trusted Oracle (TO)

  • The Advanced Networking Option (ANO)

  • The Oracle Application Server (OAS)

Our hope is that we can supply you with enough information so you’ll be able to recognize the terms and concepts pertaining to each of the products described. You can get a great deal more information from Oracle Corporation.

Trusted Oracle

Trusted Oracle is a multi-level security (MLS) product used primarily within government agencies where data access is based on security clearance levels. The government security levels are (in increasing degree of security):

  • Unclassified

  • Confidential

  • Secret

  • Top secret

Normally, in highly secure government agencies, information is restricted on a “need to know” basis. Trusted Oracle is intended to allow you to access only the information at the level your security clearance allows. For example, if you have been granted a clearance level of secret, you can view information that has been classified at the confidential and secret levels, but you will not be able to view information at a higher level.

There is one more component to a clearance. You may hold a secret clearance but not be permitted to view specific areas of confidential or secret information because you do not have a need to know that information. In other words, you might be cleared to see information for the ABC program because you are working on that program but not be able to see information for the XYZ program.

There are, therefore, two potential levels of access at play within a single security level:

  • The actual security clearance you hold

  • The programs you have a need to access

Restrictions on data access are enforced by the Trusted Oracle engine and by stored PL/SQL programs.

We stress the use of Trusted Oracle in conjunction with security clearances because that is how the product is most often implemented. However, there are many organizations that could benefit by using this product to ensure the protection of very sensitive data. For example, a company whose profits depend on keeping formulas protected might implement Trusted Oracle using various company-defined levels of privilege. A pharmaceutical company could set up its database with different levels of access to the formulas that it views as top secret.

How Trusted Oracle Works

At its simplest level, Trusted Oracle adds a classification column to each table. The information this column contains is called a label. Each label is divided into two parts: the information label and the sensitivity label. Both labels include a classification such as unclassified, confidential, secret, and top secret. The information label also includes a marking section that allows a distinction to be made between different categories of the classification. Each row within the table contains an entry made for the classification level of that particular row.

Each user within the system has a label designation. The user’s label identifies exactly what information he or she is permitted to view. A security scheme that matches table and column labels against user labels is called mandatory access control (MAC). Mandatory access control is implemented above any user-defined data restrictions. Full implementation of Trusted Oracle relies on the use of an approved trusted operating system that has been certified at a specific level of trust by the National Computer Security Center (NCSC), generally B1 or B2.
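The read rule described above (clearance level plus need to know, checked row by row against a label) can be modeled in a few lines. This is an added example, not Trusted Oracle code or syntax: the names Level, RowLabel, UserLabel, can_read and visible_rows are hypothetical, the sample rows are constructed, and each label is simplified to a classification plus a set of program names.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Ordered as in the text: increasing degree of security.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class RowLabel:
    level: Level
    programs: frozenset  # programs a reader must belong to (empty = none)


@dataclass(frozen=True)
class UserLabel:
    clearance: Level
    programs: frozenset  # programs the user has a need to know


def can_read(user: UserLabel, row: RowLabel) -> bool:
    """Mandatory check: clearance covers the row's level AND the user
    holds every program the row is marked with."""
    return user.clearance >= row.level and row.programs <= user.programs


def visible_rows(user, table, has_select_grant=True):
    """Rows the user may see. The ordinary (user-defined) grant is
    necessary but not sufficient: the label check still filters every row."""
    if not has_select_grant:
        return []
    return [data for data, label in table if can_read(user, label)]


# Constructed sample table: (row data, row label).
TABLE = [
    ("cafeteria menu", RowLabel(Level.UNCLASSIFIED, frozenset())),
    ("ABC schedule", RowLabel(Level.CONFIDENTIAL, frozenset({"ABC"}))),
    ("ABC design", RowLabel(Level.SECRET, frozenset({"ABC"}))),
    ("XYZ budget", RowLabel(Level.CONFIDENTIAL, frozenset({"XYZ"}))),
    ("ABC test results", RowLabel(Level.TOP_SECRET, frozenset({"ABC"}))),
]

if __name__ == "__main__":
    analyst = UserLabel(Level.SECRET, frozenset({"ABC"}))
    print(visible_rows(analyst, TABLE))
```

The secret-cleared ABC analyst is refused the XYZ row even though it is only confidential, and a top secret clearance with no program membership sees nothing beyond the unmarked row.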

Accessing a Trusted Oracle Database

Access to a Trusted Oracle database can be enforced in one of two ways:

  • From the database level

  • From the operating system level

If access is implemented from the database, you have to present a username and password to log on to the operating system and another (or the same) username and password to connect to the database. If access is controlled from the operating system, you just have to enter a username and password to log on to the system. By default, Trusted Oracle will accept the operating system validation as enough proof that you are okay, and you will be granted access to the database. This approach is very similar to the approach taken by the “identified externally” accounts we described in Chapter 8.

Certifications

Trusted Oracle (version 7) has been subjected to several U.S. and foreign government certification tests and has been certified as secure according to those tests. Among these are:

  1. U.S. National Computer Security Center (NCSC) Trusted Computer System Evaluation Criteria (TCSEC) or “Orange Book,” class B1.

  2. European Information Technology Security Evaluation Criteria (ITSEC) at assurance E3.

The trusted version of Oracle8 is also being subjected to these tests.

Note

You must remember that the full functionality of Trusted Oracle is only available provided that the computer on which the product is installed is also running a trusted version of the operating system.
