Oracle9i Security Overview
Release 2 (9.2)

Part Number A96582-01

1 Data Security Challenges

This chapter presents an overview of data security requirements, and examines the full spectrum of data security risks that must be countered. It then provides a matrix relating security risks to the kinds of technology now available to protect your data. This chapter contains the following sections:

Top Security Myths

The field of data security is rife with mistaken beliefs which cause people to design ineffective security solutions. Here are some of the most prevalent security myths:

To design a security solution that truly protects your data, you must understand the security requirements relevant to your site, and the scope of current threats to your data.

Understanding the Many Dimensions of System Security

In an Internet environment, the risks to valuable and sensitive data are greater than ever before. Figure 1-1 presents an overview of the complex computing environment which your data security plan must encompass.

Figure 1-1 Scope of Data Security Needs



You must protect databases and the servers on which they reside; you must administer and protect the rights of internal database users; and you must guarantee the confidentiality of ecommerce customers as they access your database. With the Internet continually growing, the threat to data traveling over the network increases exponentially.

To protect all the elements of complex computing systems, you must address security issues in many dimensions, as outlined in Table 1-1:

Table 1-1 Dimensions of Data Security
Dimension Security Issues

Physical

Your computers must be physically inaccessible to unauthorized users. This means that you must keep them in a secure physical environment.

Personnel

The people responsible for system administration and data security at your site must be reliable. You may need to perform background checks on DBAs before making hiring decisions.

Procedural

The procedures used in the operation of your system must assure reliable data. For example, one person might be responsible for database backups. Her only role is to be sure the database is up and running. Another person might be responsible for generating application reports involving payroll or sales data. His role is to examine the data and verify its integrity. It may be wise to separate out users' functional roles in data management.

Technical

Storage, access, manipulation, and transmission of data must be safeguarded by technology that enforces your particular information control policies.



Think carefully about the specific security risks to your data, and make sure the solutions you adopt actually fit the problems. In some instances, a technical solution may be inappropriate. For example, employees must occasionally leave their desks. A technical solution cannot solve this physical problem: the work environment must be secure.

Fundamental Data Security Requirements

The following sections describe the basic security standards which technology must ensure:

Confidentiality

A secure system ensures the confidentiality of data. This means that it allows individuals to see only the data which they are supposed to see. Confidentiality has several different aspects, discussed in these sections:

Privacy of Communications

How can you ensure the privacy of data communications? Privacy is a very broad concept. For the individual, it involves the ability to control the spread of confidential information such as health, employment, and credit records. In the business world, privacy may involve trade secrets, proprietary information about products and processes, competitive analyses, as well as marketing and sales plans. For governments, privacy involves such issues as the ability to collect and analyze demographic information, while protecting the confidentiality of millions of individual citizens. It also involves the ability to keep secrets that affect the country's interests.

Secure Storage of Sensitive Data

How can you ensure that data remains private, once it has been collected? Once confidential data has been entered, its integrity and privacy must be protected on the databases and servers where it resides.

Authenticated Users

How can you designate the persons and organizations who have the right to see data? Authentication is a way of implementing decisions about whom to trust. Authentication methods seek to guarantee the identity of system users: that a person is who he says he is, and not an impostor.

Granular Access Control

How much data should a particular user see? Access control is the ability to cordon off portions of the database, so that access to the data does not become an all-or-nothing proposition. A clerk in the Human Relations department might need some access to the emp table--but he should not be permitted to access salary information for the entire company. The granularity of access control is the degree to which data access can be differentiated for particular tables, views, rows, and columns of a database.

Note the distinction between authentication, authorization, and access control. Authentication is the process by which a user's identity is checked. When a user is authenticated, he is verified as an authorized user of an application. Authorization is the process by which the user's privileges are ascertained. Access control is the process by which the user's access to physical data in the application is limited, based on his privileges. These are critical issues in distributed systems. For example, if JAUSTEN is trying to access the database, authentication would identify her as a valid user. Authorization would verify her right to connect to the database with Product Manager privileges. Access control would enforce the Product Manager privileges upon her user session.
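The three steps above, worked through in SQL as an added example (not from the manual): an emp table whose sal column is confidential, a clerk who can read it only through a view that omits sal, and JAUSTEN, who reaches the whole table through a Product Manager role. The schema name APP, the user names, the role names and the passwords are assumptions made for the illustration.

```sql
-- Added example: authentication (accounts), authorization (role grants) and
-- access control (what a session can actually touch) on a constructed emp table.
-- Schema APP, user names, role names and passwords are assumptions, not from the manual.

CREATE TABLE app.emp (
  empno  NUMBER PRIMARY KEY,
  ename  VARCHAR2(30),
  deptno NUMBER,
  sal    NUMBER(10,2)   -- confidential column
);

-- Column-level confidentiality: a view that leaves sal out
CREATE VIEW app.emp_public AS
  SELECT empno, ename, deptno FROM app.emp;

-- Authentication: accounts that must prove their identity with a password
CREATE USER hr_clerk IDENTIFIED BY "Cl3rk_initial#1";
CREATE USER jausten  IDENTIFIED BY "Pm_initial#1";

-- Authorization: privileges are bundled into roles and the roles granted to users
CREATE ROLE hr_clerk_role;
CREATE ROLE product_manager;
GRANT CREATE SESSION TO hr_clerk_role, product_manager;
GRANT SELECT ON app.emp_public TO hr_clerk_role;    -- no path to sal
GRANT SELECT ON app.emp        TO product_manager;  -- whole table
GRANT hr_clerk_role   TO hr_clerk;
GRANT product_manager TO jausten;

-- Access control, as seen from the clerk's session:
--   SELECT ename, deptno FROM app.emp_public;  -- allowed
--   SELECT sal FROM app.emp;                   -- ORA-00942: table or view does not exist
-- The same query on app.emp succeeds in JAUSTEN's session.

-- Verify which object privileges each role actually carries
SELECT grantee, table_name, privilege
  FROM dba_tab_privs
 WHERE owner = 'APP'
 ORDER BY grantee, table_name;
```

The clerk is never told that sal exists: a table the session has no privilege on is reported as nonexistent (ORA-00942), so the column-level restriction is enforced by the server rather than by application code.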

Integrity

A secure system ensures that the data it contains is valid. Data integrity means that data is protected from deletion and corruption, both while it resides within the database, and while it is being transmitted over the network. Integrity has several aspects:

Availability

A secure system makes data available to authorized users, without delay. Denial-of-service attacks are attempts to block authorized users' ability to access and use the system when needed. System availability has a number of aspects:

Table 1-2 System Availability Aspects
Availability Aspect Description

Resistance

A secure system must be designed to fend off situations, or deliberate attacks, which might put it out of commission. For example, there must be facilities within the database to prohibit runaway queries. User profiles must be in place to define and limit the resources any given user may consume. In this way the system can be protected against users consuming too much memory or too many processes (whether maliciously or innocently), lest others be prevented from doing their work.

Scalability

System performance must remain adequate regardless of the number of users or processes demanding service.

Flexibility

Administrators must have adequate means of managing the user population. They might do this by using a directory, for example.

Ease of Use

The security implementation itself must not diminish the ability of valid users to get their work done.

Security Requirements in the Internet Environment

The Internet environment expands the realm of data security in several ways, as discussed in these sections:

Promises and Problems of the Internet

Information is the cornerstone of e-business. The Internet allows businesses to use information more effectively, by allowing customers, suppliers, employees, and partners to get access to the business information they need, when they need it. Customers can use the Web to place orders which can be fulfilled more quickly and with less error, suppliers and fulfillment houses can be engaged as orders are placed, reducing or eliminating the need for inventory, and employees can obtain timely information about business operations. The Internet also makes possible new, innovative pricing mechanisms, such as online competitive bidding for suppliers, and online auctions for customers. These Internet-enabled services all translate to reduced cost: there is less overhead, greater economies of scale, and increased efficiency. The greatest promise of e-business is more timely, more valuable information accessible to more people, at reduced cost of information access.

The promise of e-business is offset by the security challenges associated with the disintermediation of data access. Cutting out the middleman--removing the distributors, wholesalers and retailers from the trading chain--too often cuts out the information security the middleman provides. Likewise, the user community expands from a small group of known, reliable users accessing data from the intranet, to thousands of users accessing data from the Internet. Application hosting providers and exchanges offer especially stringent--and sometimes contradictory--requirements of security by user and by customer, while allowing secure data sharing among communities of interest.

While putting business systems on the Internet offers potentially unlimited opportunities for increasing efficiency and reducing cost, it also offers potentially unlimited risk. The Internet provides much greater access to data, and to more valuable data, not only to legitimate users, but also to hackers, disgruntled employees, criminals, and corporate spies.

Increased Data Access

One of the chief e-business benefits of the Internet is disintermediation. The intermediate information processing steps which employees typically perform in traditional businesses, such as typing in an order received over the phone or by mail, are removed from the e-business process. Users who are not employees and are thus outside the traditional corporate boundary (including customers, suppliers, and partners) can have direct and immediate online access to business information which pertains to them.

In a traditional office environment, any access to sensitive business information is through employees. Although employees are not always reliable, at least they are known, their access to sensitive data is limited by their job function, and access is enforced by physical and procedural controls. Employees who pass sensitive information outside the company contrary to policy may be subject to disciplinary action. The threat of punishment thus helps prevent unauthorized access.

Making business information accessible by means of the Internet vastly increases the number of users who may be able to access that information. When business is moved to the Internet, the environment is drastically changed. Companies may know little or nothing about the users (including, in many cases, employees) who are accessing their systems. Even if they know who their users are, it may be very difficult for companies to deter users from accessing information contrary to company policy. It is therefore important that companies manage access to sensitive information, and prevent unauthorized access to that information before it occurs.

Much More Valuable Data

E-business relies not only on making business information accessible outside the traditional company, it also depends on making the best, most up-to-date information available to users when they need it. For example, companies can streamline their operations and reduce overhead by allowing suppliers to have direct access to consolidated order information. This allows companies to reduce inventory by obtaining exactly what they need from suppliers when they need it. Companies can also take advantage of new pricing technology, such as online competitive bidding by means of exchanges, to obtain the best price from suppliers, or offer the best price to consumers.

Streamlining information flow through the business system allows users to obtain better information from the system. In the past, data from external partners, suppliers, or customers was often entered into the system through inefficient mechanisms that were prone to error and delay. For example, many companies accepted the bulk of their orders by phone, letter, or fax, and this information was typed in by clerks or sales people. Even when electronic data interchange mechanisms existed, they were typically proprietary and difficult to integrate with companies' internal data infrastructure. Now, businesses that allow other businesses and consumers to submit and receive business information directly through the Internet can expect to get more timely, accurate, and valuable information, at less expense than if traditional data channels were used.

Formerly, when information was entered into a business system, it was often compartmentalized. Information maintained by each internal department, such as sales, manufacturing, distribution, and finance, was kept separate, and was often processed by physically separate and incompatible databases and applications--so-called "islands of information". This prevented businesses from taking full advantage of the information they already had, since it was difficult for different departments to exchange information when it was needed, or for executives to determine the latest and most accurate status of the business. Companies have found that linking islands of information and consolidating them where possible, allows users to obtain better information, and to get more benefit from that information. This makes the information more valuable.

Improving the value of data available to legitimate users generally improves its value to intruders as well. This increases the potential rewards to be gained from unauthorized access to that data, and the potential damage that can be done to the business if the data were corrupted. In other words, the more effective an e-business system is, the greater the need to protect it against unauthorized access.

Larger User Communities

The sheer size of the user communities which can access business systems by way of the Internet not only increases the risk to those systems, but also constrains the solutions which can be deployed to address that risk. The Internet creates challenges in terms of scalability of security mechanisms, management of those mechanisms, and the need to make them standard and interoperable.

Scalability

Security mechanisms for Internet-enabled systems must support much larger communities of users than systems which are not Internet-enabled. Whereas the largest traditional enterprise systems typically supported thousands of users, many Internet-enabled systems have millions of users.

Manageability

Traditional mechanisms for identifying users and managing their access, such as granting each user an account and password on each system she accesses, may not be practical in an Internet environment. It rapidly becomes too difficult and expensive for system administrators to manage separate accounts for each user on every system.

Interoperability

Unlike traditional enterprise systems, where a company owns and controls all components of the system, Internet-enabled e-business systems must exchange data with systems owned and controlled by others: by customers, suppliers, partners, and so on. Security mechanisms deployed in e-business systems must therefore be standards-based, flexible, and interoperable, to ensure that they work with others' systems. They must support thin clients, and work in multitier architectures.

Hosted Systems and Exchanges

The principal security challenge of hosting is keeping data from different hosted user communities separate. The simplest way of doing this is to create physically separate systems for each hosted community. The disadvantage of this approach is that it requires a separate computer, with separately installed, managed, and configured software, for each hosted user community. This provides little in the way of economies of scale to a hosting company.

Several factors can greatly reduce costs to hosting service providers. These factors include mechanisms which allow multiple user communities to share a single hardware and software instance; mechanisms which separate data for different user communities; and ways to provide a single administrative interface for the hosting provider.

Exchanges have requirements for both data separation and data sharing. For example, an exchange may ensure that a supplier's bid remains unviewable by other suppliers, yet allow all bids to be evaluated by the entity requesting the bid. Furthermore, exchanges may also support communities of interest in which groups of organizations can share data selectively, or work together to provide such things as joint bids.

A World of Data Security Risks

The integrity and privacy of data are at risk from unauthorized users, external sources listening in on the network, and internal users giving away the store. This section explains the risky situations and potential attacks that could compromise your data.

Data Tampering

Privacy of communications is essential to ensure that data cannot be modified or viewed in transit. Distributed environments bring with them the possibility that a malicious third party can perpetrate a computer crime by tampering with data as it moves between sites.

In a data modification attack, an unauthorized party on the network intercepts data in transit and changes parts of that data before retransmitting it. An example of this is changing the dollar amount of a banking transaction from $100 to $10,000.

In a replay attack, an entire set of valid data is repeatedly interjected onto the network. An example would be to repeat, one thousand times, a valid $100 bank account transfer transaction.

Eavesdropping and Data Theft

Data must be stored and transmitted securely, so that information such as credit card numbers cannot be stolen.

Over the Internet and in Wide Area Network (WAN) environments, both public carriers and private network owners often route portions of their network through insecure land lines, extremely vulnerable microwave and satellite links, or a number of servers. This situation leaves valuable data open to view by any interested party. In Local Area Network (LAN) environments within a building or campus, insiders with access to the physical wiring can potentially view data not intended for them. Network sniffers can easily be installed to eavesdrop on network traffic. Packet sniffers can be designed to find and steal user names and passwords.

Falsifying User Identities

You need to know your users. In a distributed environment, it becomes more feasible for a user to falsify an identity to gain access to sensitive and important information. How can you be sure that user Pat connecting to Server A from Client B really is user Pat?

In addition, malefactors can hijack connections. How can you be sure that Client B and Server A are what they claim to be? A transaction that should go from the Personnel system on Server A to the Payroll system on Server B could be intercepted in transit and routed instead to a terminal masquerading as Server B.

Identity theft is becoming one of the greatest threats to individuals in the Internet environment. Criminals attempt to steal users' credit card numbers, and then make purchases against the accounts. Or they steal other personal data, such as checking account numbers and driver's license numbers, and set up bogus credit accounts in someone else's name.

Nonrepudiation is another identity concern: how can a person's digital signature be protected? If hackers steal someone's digital signature, that person may be held responsible for any actions performed using their private signing key.

Password-Related Threats

In large systems, users must remember multiple passwords for the different applications and services that they use. For example, a developer can have access to a development application on a workstation, a PC for sending e-mail, and several computers or intranet sites for testing, reporting bugs, and managing configurations.

Users typically respond to the problem of managing multiple passwords in several ways:

All of these strategies compromise password secrecy and service availability. Moreover, administration of multiple user accounts and passwords is complex, time-consuming, and expensive.
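A single Oracle profile addresses both the resistance requirement discussed under Table 1-2 (runaway queries and resource hogs) and the password problems described in this section. The following is an added example, not code from the manual; the profile name, the user name and every limit value are assumptions chosen for illustration.

```sql
-- Added example: one profile that caps per-session resource use (resistance
-- to runaway queries) and enforces password hygiene (password management).
-- Profile name, user name and all limit values are constructed for illustration.

-- Resource limits in profiles are enforced only while RESOURCE_LIMIT is TRUE
ALTER SYSTEM SET resource_limit = TRUE;

CREATE PROFILE app_user_profile LIMIT
  sessions_per_user        3          -- concurrent sessions per account
  cpu_per_call             30000      -- hundredths of a second of CPU per SQL call
  logical_reads_per_call   100000     -- blocks read per call; stops runaway queries
  connect_time             480        -- minutes per session
  idle_time                30         -- minutes idle before the session is killed
  failed_login_attempts    5          -- lock the account after five bad passwords
  password_lock_time       1/24       -- days; 1/24 is one hour
  password_life_time       90         -- days before the password must change
  password_grace_time      7          -- days of warnings after expiry
  password_reuse_max       10         -- changes before an old password may return
  password_reuse_time      365;       -- days before an old password may return

-- Assign the profile; accounts not altered keep the DEFAULT profile
ALTER USER jausten PROFILE app_user_profile;

-- Confirm what is now enforced for the profile
SELECT resource_name, resource_type, limit
  FROM dba_profiles
 WHERE profile = 'APP_USER_PROFILE'
 ORDER BY resource_type, resource_name;
```

A call that exceeds cpu_per_call or logical_reads_per_call is aborted with an error while the session survives, so one badly written query cannot monopolise the instance; the password limits make guessing slow (lockout) and bound the lifetime of any password that does leak.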

Unauthorized Access to Tables and Columns

The database may contain confidential tables, or confidential columns in a table, which should not be available indiscriminately to all users authorized to access the database. It should be possible to protect data on a column level.

Unauthorized Access to Data Rows

Certain data rows may contain confidential information which should not be available indiscriminately to users authorized to access the table.

You need granular access control--a way to enforce confidentiality on the data itself. For example, in a shared environment businesses should only have access to their own data; customers should only be able to see their own orders. If the necessary compartmentalization is enforced upon the data, rather than added by the application, then it cannot be bypassed by users.

Systems must therefore be flexible: able to support different security policies depending on whether you are dealing with customers or employees. For example, you may require stronger authentication for employees (who can see more data) than you do for customers. Or, you may allow employees to see all customer records, while customers can only see their own records.
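The "customers see only their own orders, employees see everything" policy above, enforced on the data rather than in the application, is what the Virtual Private Database feature in Table 1-3 provides. The following is an added example, not the manual's own code: the APP schema, the orders and staff_users tables and the user names are assumptions, and the policy is attached with the DBMS_RLS.ADD_POLICY procedure.

```sql
-- Added example: row-level compartmentalization enforced by the database kernel.
-- Schema APP, the two tables, the policy name and the user names are constructed.

CREATE TABLE app.orders (
  order_id    NUMBER PRIMARY KEY,
  customer_id VARCHAR2(30) NOT NULL,   -- equals the customer's database user name
  amount      NUMBER(12,2)
);

-- Database users that are employees; any user not listed is treated as a customer
CREATE TABLE app.staff_users (username VARCHAR2(30) PRIMARY KEY);
INSERT INTO app.staff_users VALUES ('JAUSTEN');
INSERT INTO app.orders VALUES (1, 'ACME',   250.00);
INSERT INTO app.orders VALUES (2, 'GLOBEX',  99.50);
COMMIT;

-- Policy function: returns the WHERE predicate the server appends to every
-- statement against app.orders issued by the current session
CREATE OR REPLACE FUNCTION app.orders_policy (
  schema_name IN VARCHAR2,
  object_name IN VARCHAR2)
RETURN VARCHAR2
IS
  n_staff NUMBER;
BEGIN
  SELECT COUNT(*) INTO n_staff
    FROM app.staff_users
   WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
  IF n_staff > 0 THEN
    RETURN '1=1';   -- employees: every row
  END IF;
  -- customers: only rows keyed by their own session user name
  RETURN 'customer_id = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_OWN_ROWS',
    function_schema => 'APP',
    policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);   -- rows written must also satisfy the predicate
END;
/

-- Connected as database user ACME (assumed to exist with SELECT on app.orders):
--   SELECT * FROM app.orders;   -- returns order 1 only, whatever SQL the client sends
-- Connected as JAUSTEN: the same statement returns both rows.
```

Because the predicate is added inside the server, a customer who bypasses the application and connects with an ad hoc SQL tool still sees only his own rows; update_check => TRUE also stops him from inserting or re-keying a row to another customer's name.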

Lack of Accountability

If the system administrator is unable to track users' activities, then users cannot be held responsible for their actions. There must be some reliable way to monitor who is performing what operations on the data.
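Standard auditing and fine-grained auditing, the two Oracle mechanisms Table 1-3 lists for accountability, shown together as an added example that is not from the manual. The payroll table, the policy name and the salary threshold are constructed; DBMS_FGA.ADD_POLICY is used with the arguments available in Oracle9i, where fine-grained auditing covers SELECT statements.

```sql
-- Added example: who read which salary rows, and which statement did it.
-- Table, policy name and threshold are constructed for illustration.

-- Standard audit records are written to SYS.AUD$ only when AUDIT_TRAIL = DB
-- (static parameter: takes effect after the instance is restarted)
ALTER SYSTEM SET audit_trail = DB SCOPE = SPFILE;

CREATE TABLE app.payroll (
  empno NUMBER PRIMARY KEY,
  sal   NUMBER(10,2)
);

-- Standard auditing: one record for every successful statement on the table
AUDIT SELECT, UPDATE, DELETE ON app.payroll BY ACCESS WHENEVER SUCCESSFUL;

-- Fine-grained auditing (Oracle9i Enterprise Edition): record a SELECT only
-- when it actually touches a high salary, and capture the SQL text
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'PAYROLL',
    policy_name     => 'PAYROLL_HIGH_SAL',
    audit_condition => 'SAL > 100000',
    audit_column    => 'SAL');
END;
/

-- Review: which user, from which OS account, ran what against high salaries
SELECT db_user, os_user, timestamp, sql_text
  FROM dba_fga_audit_trail
 WHERE policy_name = 'PAYROLL_HIGH_SAL'
 ORDER BY timestamp;

-- Review: every audited statement on the table, regardless of rows returned
SELECT username, obj_name, action_name, timestamp
  FROM dba_audit_trail
 WHERE owner = 'APP' AND obj_name = 'PAYROLL'
 ORDER BY timestamp;
```

Standard auditing answers "who touched the table"; fine-grained auditing answers "who saw the sensitive rows", with the statement text preserved, which is what an investigator needs when a user disputes responsibility for an action.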

Complex User Management Requirements

Systems must often support thousands of users, or hundreds of thousands of users: thus they must be scalable. In such large-scale environments, the burden of managing user accounts and passwords makes your system vulnerable to error and attack. You need to know who the user really is--across all tiers of the application--to have reliable security.

Multitier Systems

This problem becomes particularly complex in multitier systems. Here, and in most packaged applications, the typical security model is that of One Big Application User. The user connects to the application, and the application (or application server) logs on and provides complete access for everyone, with no auditing and unlimited privileges. This model places your data at risk--especially in the Internet, where your Web server or application server depends upon a firewall. Firewalls are commonly vulnerable to break-ins.

Scaling the Security Administration of Multiple Systems

Administration of hundreds of thousands of users is difficult enough on a single system. This burden is compounded when security must be administered on multiple systems.

To meet the challenges of scale in security administration, you should be able to centrally manage users and privileges across multiple applications and databases by using a directory based on industry standards. This can reduce system management costs and increase business efficiency.

Further, creating and building separate databases for multiple application subscribers is not a cost-efficient model for an application service provider. While technically possible, the separate database model would quickly become unmanageable. To be successful, a single application installation should be able to host multiple companies--and be administered centrally.

A Matrix of Security Risks and Solutions

Table 1-3 relates security risks to the technologies which address them, and to the corresponding Oracle products.

Table 1-3 Matrix of Security Risks and Solutions

Problem: Unauthorized users
    Solution: Know your users
    Security technology: Authentication
    Oracle products and features: Oracle9i Standard Edition and Oracle9i Enterprise Edition: Passwords, Password management; Oracle Advanced Security: Tokens, smart cards, Kerberos, and so on; PKI: X.509 Certificates

Problem: Unauthorized access to data
    Solution: Limit access to data
    Security technology: Access control
    Oracle products and features: Oracle9i Standard Edition; Oracle9i Enterprise Edition: Virtual Private Database feature

    Solution: Dynamic query modification
    Security technology: Fine-grained access control
    Oracle products and features: Oracle9i Enterprise Edition: Virtual Private Database feature

    Solution: Limit access to data rows and columns
    Security technology: Label-based access control
    Oracle products and features: Oracle Label Security

    Solution: Encrypt data
    Security technology: Data encryption
    Oracle products and features: Oracle9i Standard Edition and Oracle9i Enterprise Edition

    Solution: Limit privileges
    Security technology: Privilege management
    Oracle products and features: Oracle9i Standard Edition: Roles, Privileges; Oracle9i Enterprise Edition: Secure Application Roles; Oracle Advanced Security: Enterprise Roles

Problem: Eavesdropping on communications
    Solution: Protect the network
    Security technology: Network encryption
    Oracle products and features: Oracle Advanced Security: Encryption; Secure Sockets Layer

Problem: Corruption of data
    Solution: Protect the network
    Security technology: Data integrity
    Oracle products and features: Oracle Advanced Security: Checksumming; PKI: Checksumming (as part of SSL)

Problem: Denial of service
    Solution: Control access to resources
    Security technology: Availability
    Oracle products and features: Oracle9i Standard Edition and Oracle9i Enterprise Edition: User Profiles

Problem: Complexity to user
    Solution: Limit number of passwords
    Security technology: Single signon
    Oracle products and features: Oracle Advanced Security: Kerberos, DCE, Enterprise User Security; Login Server: Web-Based SSO

Problem: Complexity to administrator
    Solution: Centralize management
    Security technology: Enterprise user security
    Oracle products and features: Oracle Advanced Security: Directory Integration; Oracle Internet Directory

Problem: Lack of accountability
    Solution: Monitor users' actions
    Security technology: Auditing
    Oracle products and features: Oracle9i Standard Edition: Auditing; Oracle9i Enterprise Edition: Standard Auditing, Fine-Grained Auditing

Problem: Overly broad access to data
    Solution: Dynamic query modification
    Security technology: Fine-grained access control
    Oracle products and features: Oracle9i Enterprise Edition: Virtual Private Database; Oracle Label Security

Problem: Too many accounts
    Solution: Centralize management
    Security technology: Directory services, LDAP-compliant directory services
    Oracle products and features: Oracle Internet Directory

Problem: Operating system break-in
    Solution: Encrypt sensitive data
    Security technology: Stored data encryption
    Oracle products and features: Oracle9i Standard Edition and Oracle9i Enterprise Edition: Data encryption

The System Security Team

Complex data security systems require a team of people to ensure security at a particular site. Table 1-4 introduces the types of administrators who may be involved.

Table 1-4 The System Security Team
Person Responsibilities

User

Responsible for using the system for legitimate purposes, protecting sensitive data to which she has access, and managing her passwords securely.

Database Administrator

Responsible for creating and administering database users, granting system and object privileges, and assigning local roles to users.

Operating System Administrator

Responsible for maintaining the underlying security of the operating system.

Network Administrator

Responsible for ensuring the security of data in transmission.

Application Administrators

Responsible for deploying applications in such a way as to ensure security.

Trusted Application Administrator

Responsible for creating and administering users of trusted applications, and their associated privileges.

Enterprise Security Manager

Responsible for maintaining the security of the directory, and for implementing centralized enterprise user security.

Copyright © 2001, 2002 Oracle Corporation.

All Rights Reserved.