An example of DAC in Oracle is an object privilege, such as SELECT, on a user's schema object. That user can
grant the privilege to others and, by specifying "with grant option" in the original grant, can also delegate
the ability to pass the grant on.
Oracle Label Security (OLS) is a physical implementation of a hierarchical multi-layer data security model (MLS),
which attempts to enforce levels of secrecy, but, given its configurability, can be deployed in an openly documented
manner, thus maintaining higher integrity levels. Interestingly, one of the original initiators of OLS recently and
intelligently stated that the purpose of “security” is to enable information sharing. Agreed. (Patrick Sack 0:35
http://www.youtube.com/watch?v=GNcYEs_2XUg 2013).
Access control in databases has been discussed in publications going back to 1994
(http://profsandhu.com/articles/auerbach/a94dac.pdf), but mainly from a perspective internal to the DB. Data control
language (DCL) does provide user management features, but DCL does not accept bind variables, so statements that
include user input have to be built by string concatenation, which makes DCL a classic source of SQL injection.
Grep'ing PL/SQL and Java source code for "ALTER USER" statements is often the first step of a source code review
(the solution is to use DBMS_ASSERT to validate input).
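
The review step described above, as an added example that is not from the book: a Python scanner that finds "ALTER USER" statements built by string concatenation in PL/SQL or Java source and reports the operands that are not wrapped in a DBMS_ASSERT call. The sample sources, file names and procedure names are constructed for illustration.

```python
import re

# Constructed sample sources (file and procedure names are illustrative).
SAMPLES = {
    "reset_pw.sql": """
PROCEDURE reset_pw(p_user VARCHAR2, p_pw VARCHAR2) IS
BEGIN
  EXECUTE IMMEDIATE 'ALTER USER ' || p_user || ' IDENTIFIED BY ' || p_pw;
END;
""",
    "reset_pw_checked.sql": """
PROCEDURE reset_pw(p_user VARCHAR2, p_pw VARCHAR2) IS
BEGIN
  EXECUTE IMMEDIATE 'ALTER USER ' || DBMS_ASSERT.ENQUOTE_NAME(p_user, FALSE)
    || ' IDENTIFIED BY ' || DBMS_ASSERT.ENQUOTE_NAME(p_pw, FALSE);
END;
""",
    "UserAdmin.java": """
String sql = "ALTER USER " + userName + " ACCOUNT UNLOCK";
""",
    "lock.sql": "BEGIN EXECUTE IMMEDIATE 'ALTER USER scott ACCOUNT LOCK'; END;",
}

# From the quote that opens an ALTER USER literal to the end of the statement.
DCL = re.compile(r"['\"]\s*ALTER\s+USER\b.*?;", re.I | re.S)
LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")
# DBMS_ASSERT.NOOP performs no check, so it does not count as validation.
VALIDATED = re.compile(r"DBMS_ASSERT\.(?!NOOP\b)\w+\s*\(", re.I)

def unvalidated_operands(expr):
    """Operands concatenated into expr that are not wrapped in DBMS_ASSERT."""
    code = LITERAL.sub("", expr)              # keep only the non-literal parts
    parts = [p.strip(" \t\r\n;") for p in re.split(r"\|\||\+", code)]
    return [p for p in parts if p and not VALIDATED.match(p)]

def scan(sources):
    """Return (file, line, operands) for each ALTER USER built from unchecked input."""
    findings = []
    for name, text in sources.items():
        for m in DCL.finditer(text):
            bad = unvalidated_operands(m.group(0))
            if bad:
                line = text.count("\n", 0, m.start()) + 1
                findings.append((name, line, bad))
    return findings

if __name__ == "__main__":
    for name, line, bad in scan(SAMPLES):
        print(f"{name}:{line}: ALTER USER concatenates unchecked {', '.join(bad)}")
```

The scanner only produces candidates for manual review: a value that was validated into a variable on an earlier line and then concatenated is still reported.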
Privileged access control sits within “Identity Management,” which includes provisioning (creating) and
reconciliation of many low-privileged accounts, largely by using automated software packages such as OAM. To
me this aspect is largely solved, in that its main challenge has been scaling up to address the sheer number of these
accounts. Oracle controls lower privilege better than it used to, so the technical challenge has moved to the higher
privileged accounts.
OLS and ODV security do still depend on underlying system security, so administrative "oracle" Unix access
is outside of OLS/ODV control, and thus represents a “trusted component.” The word trust will raise alarm bells for
experienced security folks as it implies a lack of actual control. The need for trust should be avoided. Where there is
no trust, there can be no mistrust. Thus the ongoing focus on bringing the administrative accounts under control so
that they no longer have to be trusted. This is the challenge of privileged access control, which has risen to the top of
many CISO agendas partly due to the successful reduction of other issues such as software security bugs. In the past
there has been less benefit to controlling high privileges when an attacker can break in without a password through an
SQL injection or buffer overflow. Thanks to secure software techniques such as static analysis, many of the software
security issues are solved, so attention now moves naturally to controlling the higher privileges.
Business Drivers for Focus on Privileged Access Control
A major reason for the refocus on privileged access control has been the highly publicized insider attacks, such as
those by Terry Childs, Bradley Manning, and Edward Snowden. These insider attacks were not financially motivated.
Financially motivated insider attacks normally take place when a disgruntled employee has missed out on a raise
associated with a promotion or with an impending redundancy. HR has long been able to deal with these threats by
making it known that good-standing employees that are asked to leave an organization will be recompensed with
a large, tax-free payment subject to a contracted NDA. The pay-off may well be staggered until months after the
termination date of the employee, such that the privileges of an employee are removed before the end of the pay-off
period. This is a human defense to financially motivated attacks. But Terry Childs's motivation for not giving up the
administrative password for San Francisco's network was mainly that he had been involved in the original building of
the network and thus regarded it as his; his motivation was therefore not addressed by pure financial incentives.
Bradley Manning's and Edward Snowden's insider attacks appear to be largely motivated by an anti-secrecy and
anti-war ethical position as a reaction to a post-9/11 increase in military secrecy, in line with the resurgence of the
Bell-LaPadula secrecy model discussed earlier (though this is debatable, my point being their motivations are not
purely financial). Post-employment pay-offs have not been effective in these circumstances where personal emotions
and belief systems override financial concerns. What is needed is greater physical control of the administrative
privilege, so that organizations are not relying on financial gain to keep control.
 