Chapter 12
Privileged Access Control Foundations
The next three chapters are about privileged access control (PAC) applied to Oracle RDBMS. This chapter outlines
the theoretical foundations underpinning PAC, as well as the business drivers justifying PAC projects. Practical
implementations are described in Chapter 13, which also demonstrates generic security weaknesses of
privileged access control implementations. Chapter 14 then moves on to solutions for securing PAC installs.
Privileged Access Control Fundamentals
The roots of privileged access control in IT systems can be traced back to the origins of Multics (at MIT) and the NSA's
requirements for security controls to be added to that new OS. These requirements were documented by Bernard
Peters in “Security Considerations in a Multi-Programmed Computer System,” published in 1967 but still surprisingly
relevant today (http://www.computer.org/csdl/proceedings/afips/1967/5069/00/50690283.pdf). The paper
emphasizes the need for monitoring partly due to the difficulty of controlling the highest system privilege. This innate
difficulty has been de-emphasized by subsequent data security models, which follow.
Multi-Layer Security
Originating in military secrecy requirements, the first published data security model was by Bell and LaPadula
(BLP) and is available at http://csrc.nist.gov/publications/history/bell76.pdf. BLP emphasizes secrecy
by disallowing visibility up a hierarchy. This is good for military secrecy, but tends towards low integrity and high
inaccuracy due to lack of peer review. This failing was recognized by the subsequent data security models proposed by
Biba (1977) and Clark-Wilson (1987), which emphasized upward visibility of data in hierarchies, thus enabling greater
integrity at the cost of secrecy. These later models have been more applicable to civilian commerce than to the military.
It is interesting to note that this movement away from secrecy towards integrity regressed after 2001, as evidenced
by the increased military presence within corporate security leadership, resulting in greater secrecy but also lower
integrity (where integrity is a measure of accuracy). The author has experienced firsthand the negative effect of
over-secretive security controls on the integrity of critical systems, and is proud to have been part of a recent movement back
towards greater transparency in the vein of Clark-Wilson (1987). Figure 12-1 is a simple visual representation of how
data secrecy models evolved, where the arrows represent the direction of data visibility.
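The direction-of-visibility contrast above can be made concrete with a small reference monitor. This is an added example, not code from the book: the four level names, the function names and the sample subject are all assumptions, and it goes beyond the text by including the standard write rules of BLP and Biba alongside the read rules the paragraph describes.

```python
from enum import IntEnum

class Level(IntEnum):
    # Constructed four-step hierarchy; the page names no specific levels.
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2
    TOP_SECRET = 3

def blp_allows(op, subject, obj):
    """Bell-LaPadula: protects secrecy."""
    if op == "read":    # simple security property: no read up
        return subject >= obj
    if op == "write":   # *-property: no write down
        return subject <= obj
    raise ValueError(f"unknown operation: {op}")

def biba_allows(op, subject, obj):
    """Biba strict integrity: the dual of BLP."""
    if op == "read":    # simple integrity property: no read down
        return subject <= obj
    if op == "write":   # *-integrity property: no write up
        return subject >= obj
    raise ValueError(f"unknown operation: {op}")

def visible(policy, op, subject):
    """Levels the subject may apply `op` to under `policy`."""
    return [lvl for lvl in Level if policy(op, subject, lvl)]

def blind_writes(policy, subject):
    """Levels the subject may modify but cannot read back to verify."""
    return [lvl for lvl in Level
            if policy("write", subject, lvl) and not policy("read", subject, lvl)]

if __name__ == "__main__":
    analyst = Level.INTERNAL  # constructed sample subject
    for name, policy in (("BLP", blp_allows), ("Biba", biba_allows)):
        print(name, "read :", [l.name for l in visible(policy, "read", analyst)])
        print(name, "write:", [l.name for l in visible(policy, "write", analyst)])
        print(name, "blind:", [l.name for l in blind_writes(policy, analyst)])
```

Under BLP the INTERNAL subject can write into SECRET and TOP_SECRET data it can never read back, which is the integrity cost the paragraph attributes to secrecy-first models; under Biba the same subject reads upward and can only write at or below its own level.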