Geek Sync | Understanding Oracle Database Security
Download as PPTX, PDF1 like667 views
This document discusses security options in Oracle Database. It covers topics like database architecture and how it impacts security options, users, roles and grants for authorization, advanced user options like profiles, resource groups for managing resource usage, auditing, and virtual private databases for fine-grained access control. The presenter demonstrates some of these security features using the DBArtisan tool from IDERA.
Geek Sync | Understanding Oracle Database Security
- 2. Released Aug 2015 About the Presenter
- 3. Agenda / Topics Advanced User Options Architecture = Options Users, Roles & Grants Resource Groups 3 1 2 4 Auditing & Virtual Private DBs5
- 4. Architecture = Options The basic database architecture may well define options & limits
- 5. Database #1 Schema #1 Database #2 Processes Memory Instance #1 Processes Memory Instance #2 Database #1 Database #2 Single Instance / Server Processes Memory Instance #1 Processes Memory Instance #2 Schema #2 Schema #1 Schema #2 Multi Instances / Server Processes Memory Instance #1 Database #1 Schema #1 Schema #2 Single Instance / Multi Schemas Traditional Choices
- 6. Processes Memory Instance #1 Pluggable DBs + VPN Modern Choices Processes Memory Instance #1 Database #1 Virtual Private Database (VPD) Schema Database #1 Database #2 Schema #1 Processes Memory Instance #1 Multi-Tenant / Pluggable DBs Database #1 Database #2 Schema #1 Schema #2 Schema
- 7. Virtualization No Different You may think VMs complicate things, but… • VM vs. physical server, really just same diagrams • VM flexible resource allocation & higher utilization • OS and DB security remains essentially unchanged • OS and DB monitoring slightly different (need tools) • Becoming more common, and almost the standard • SQL Server DBAs virtualized much sooner and more prolifically in the past, we’re just now catching up
- 8. Users, Roles & Grants Similar to diamonds, security has many facets; start first at Authorization
- 9. Authorization is Paramount Oracle offers numerous security options. The key and first line of defense is controlling data access
- 10. Roles Offer Manageability Authorization is a simple concept, but also complex…
- 11. Role Hierarchies No real limit, but one level probably too simplistic
- 12. Make Your Own Roles! Oracle Docs: https://stage.toadworld.com/platforms/oracle/b/weblog/archive/2013/08/12/common-oracle-security-connection-mistakes Pet peeve: quit being lazy and using 3 old roles
- 13. Advanced User Options There’s more to an Oracle database user than meets the eye
- 14. Create Role & Grants
- 16. Create Profile Often overlooked, profiles have a lot to offer…
- 17. Create User & Grants Now bring it all together. But there’s lots more…
- 18. Resource Groups Not security per se, however, managing resource usage is always a good idea
- 19. Allocate Resources Fairly Development Resource Plan Production Resource Plan 1st Dev Proj Resource Group Bus Users Resource Group 2nd Dev Proj Resource Group Developers Resource Group 50% CPU 50% CPU 70% CPU 30% CPU Prevent or minimize the effects of certain DoS (Denial of Service) type attacks against your DB
- 20. Hierarchies Once Again Development Resource Plan 1st Dev Proj Resource Plan 2nd Dev Proj Resource Group 50% CPU 50% CPU Proj 1 Senior PLSQL Dev Group Proj 1 Junior PLSQL Dev Group 70% CPU 30% CPU
- 21. Complex To Define (Not SQL)
- 22. Auditing & VPDs Tracking access and limiting access based upon user criteria
- 23. Old Style Auditing (pre-12c) Must bounce database to enable!
- 24. Unified Auditing (new 12c)
- 26. Fine Grain Access Control Yet another example of how features aren’t SQL commands but calls to complex PL/SQL APIs (called by OEM for you)
- 27. There’s much more! Oracle offers numerous security options. Many are $$ enterprise edition options in price list
- 28. Demo Time I will demonstrate some of these security topics using IDERA’s DBArtisan multi-platform DBA tool
- 29. Thank You Slides will be posted on the IDERA community My Contact Info [email protected] [email protected] My Web Sites www.bertscalzo.com http://www.toadworld.com/members/bert_5f00_scalzo/blogs https://www.linkedin.com/in/bertscalzo
- 30. Download DBArtisan 14-day free trial on IDERA.com