Additionally, system privileges like CREATE ANY DIRECTORY are needed for an application account to write
to new OS locations, which means that the main problem isn't so much unknown "spare" privileges as big, chunky
privileges that can't be subdivided; more about that in the next chapter.
Transparent Sensitive-Data Protection
Transparent Sensitive Data Protection (TSDP) is an Enterprise Manager (EM) feature that searches application data in
a database to identify sensitive information and then, again automatically, creates security configurations that are
implemented as controls in the database. Those controls are redaction, encryption, and auditing aimed at protecting
the sensitive data it has found. The discovery rules consist of regexes that search for phone numbers, email addresses,
and credit card data. This feature will save some time but cost more money. A cheaper and more interesting option is
to familiarize yourself with Oracle's free, inbuilt regex query language and create queries like this to identify
potentially sensitive information, in this case a simple credit card number format (four groups of four digits
separated by whitespace):
select REGEXP_SUBSTR( column_name,'(([0-9]{4})([[:space:]])){3}[0-9]{4}')
from table_name
where REGEXP_LIKE( column_name,'(([0-9]{4})([[:space:]])){3}[0-9]{4}');
Take care with testing regexes, as they can cause a loss of availability, so definitely test in dev first.
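The single-column query above can be extended into a schema-wide sweep. The following PL/SQL block is an added example, not the book's own code: it reads column names from ALL_TAB_COLUMNS, applies the same card-number regex to a bounded sample of each text column, and reports only match counts, never the matched values. The schema name APP_OWNER and the 10,000-row sample cap are assumptions; the cap is there so a single wide table cannot consume the CPU the availability warning above refers to.

```sql
-- Added example (not from the book): count rows in each text column of one
-- schema that match the 16-digit, space-separated card layout. Schema name,
-- sample cap and output format are assumptions; run it in dev first.
SET SERVEROUTPUT ON
DECLARE
  v_schema   CONSTANT VARCHAR2(30)  := 'APP_OWNER';   -- assumed schema name
  v_pattern  CONSTANT VARCHAR2(100) := '(([0-9]{4})([[:space:]])){3}[0-9]{4}';
  v_cap      CONSTANT PLS_INTEGER   := 10000;          -- rows sampled per table
  v_sql      VARCHAR2(4000);
  v_hits     PLS_INTEGER;
BEGIN
  FOR c IN (SELECT table_name, column_name
              FROM all_tab_columns
             WHERE owner = v_schema
               AND data_type IN ('VARCHAR2', 'NVARCHAR2', 'CHAR', 'CLOB')
             ORDER BY table_name, column_name)
  LOOP
    -- Identifiers come from the data dictionary, but they are still quoted
    -- through DBMS_ASSERT rather than concatenated raw into the dynamic SQL.
    -- ROWNUM bounds the scan so one large table cannot monopolise the CPU.
    v_sql := 'SELECT COUNT(*) FROM (SELECT '
          || DBMS_ASSERT.ENQUOTE_NAME(c.column_name, FALSE) || ' AS v FROM '
          || DBMS_ASSERT.ENQUOTE_NAME(v_schema, FALSE) || '.'
          || DBMS_ASSERT.ENQUOTE_NAME(c.table_name, FALSE)
          || ' WHERE ROWNUM <= :cap) WHERE REGEXP_LIKE(v, :pat)';
    BEGIN
      EXECUTE IMMEDIATE v_sql INTO v_hits USING v_cap, v_pattern;
    EXCEPTION
      WHEN OTHERS THEN
        v_hits := -1;   -- e.g. no SELECT privilege on this table; reported as -1
    END;
    IF v_hits <> 0 THEN
      DBMS_OUTPUT.PUT_LINE(RPAD(c.table_name || '.' || c.column_name, 62) || v_hits);
    END IF;
  END LOOP;
END;
/
```

Columns that print a non-zero count are candidates for the redaction, encryption, or auditing controls discussed above; a count of -1 means the scanning account could not read that table.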
Transparent Data Encryption
Transparent Data Encryption (TDE) is a well-used method of encrypting the data files so that backups and direct OS
access do not allow access to the plain-text data file. (Access to the file might be possible, but its contents won't be
plain text). TDE does depend on a key kept in the wallet on the OS.
12c enables greater mobility of databases as they are consolidated, and therefore a formal method of transferring
the key from machine to machine with the consolidated DB is needed. TDE 12c includes import and export
functionality to enable the encryption key to move with the consolidated pluggable databases.
Unfortunately, with mobility comes danger. The wallet can be copied and taken to a new location. I write about
how to do that in my blog entry at the following URL:
http://www.oracleforensics.com/wordpress/index.php/2010/04/11/oracle-wallet-auto-login-common-misconception-corrected/
The point is that a user can copy the wallet with the datafile and then escape with the data. Therefore OS
privileges on the wallet are crucial, and unfortunately they are limited by the very basic file permissions provided by
Unix and Linux file systems. (Look at KEoN as a potential enterprise solution to Unix file system security issues. KEoN
was renamed BOKS, is now known as FoxT ServerControl, and can be found at this URL:
http://en.wikipedia.org/wiki/FoxT_ServerControl_(software))
Database Vault
Data Realms in Database Vault (DBV) are designed to protect application data from DBA privileges, whether such
access is from an actual DBA or from someone else who has gained a DBA's privileges. A protected schema named
DVSYS is compiled into the kernel and is immune to SYS privilege, thus providing a way to control DB users and data
without SYS interfering.