Applied Oracle Security

Recommend Testing 586
Oracle BI Tests 586
BI Publisher Tests 587
Oracle Delivers Tests 587
Sample Web Catalog Description 587
SH Dashboard 587
Utilities Dashboard 588
Other Dashboards 588
Sample RPD Descriptions 588
Common to All RPDs 588
Internal Authentication 589
Internal Authentication with Act as Proxy Enabled 590
Column-based Security 590
Table-based Authentication 590
Database Authentication 590
LDAP Authentication 591
SSO Integration 592
Summary 592
Index 593

Foreword

Oracle's business is information: managing it, making it useful, and securing it. As Oracle's Chief Architect, I have always had to ensure that our technologies not only provide business value but also do so in a robust manner. Security is a topic that comes up in practically every Customer Executive Visit and it's no wonder why. Today, security, privacy, and governance are top issues for everyone. These are no longer "nice to have" issues but rather "must have" requirements. As such, people are looking for ways to ensure they have done what they need to do to meet these strenuous requirements.

This book provides the architectural and design scenarios as well as code to help Oracle customers to create and lock down their information security systems. What's most impressive about the book is that it is written by the hands-on experts in Oracle. The authors are the top engineers working with customers every day to bring together security solutions. Many of Oracle's products and technologies have been borne directly from the customer experiences of these very authors.

You will undoubtedly find useful and insightful information in this book. I encourage you to read it cover-to-cover, bookmark items of interest, and most importantly, implement the suggestions presented herein.

—Edward Screven, Chief Corporate Architect, Oracle Corporation

Acknowledgments

I would like to thank the collective team of authors who produced this book. The knowledge they possess in their areas of specialty cannot be surpassed.
While I could have written an update on Oracle security, I believe this book is truly the culmination of best practices, topics, ideas, and suggestions from the world's best on the topic of security as it relates to Oracle technologies. I recognize that saying "I am writing a book" and actually writing a book are two vastly different things, and I appreciate the team hanging in until the end and getting the content not only written, but also written very well. Thank you Richard, Pat, Scott, Hamza, Tyler, and Bryan for your hard, hard work and perseverance.

I would also like to thank my peers and management within Oracle. As writing books is not why I was hired, I appreciate their support and encouragement to allow me to capture the knowledge so it can be used by the entire Oracle community. Mark Tatum and Glen Dodson have been especially supportive, and without Edward Screven's support, the book could not have been produced. I would also like to thank my teammates—Ed Montes, Fred Justice, Joe Mazzafro, and Mark Lunny—for tolerating me during the production time for this book. I would also like to acknowledge Vipin Samar and Paul Needham's team for their constant support over the years. Tammy Bednar in particular played a key role in the production of this book.

Lastly, I would like to thank my wife, Sandy, and the Knox boys. Sandy, you once again gave me the time and space to do something I said I would never do again (write a book!). I recognize your sacrifice and know that I could not have done it without your support. For the Knox boys, it gave me great pains to tell you that I could not play with you while writing this book. I hope you understand that sometimes daddy has to work but that you are truly the most important thing to me. I love you very much. Now, let's go play! You hide and I'll count. 1-2-3… Ready or not!
—David Knox

Patrick Sack would like to thank Glen Dodson and Ray Prescott for providing an innovative environment, where ideas can materialize, as well as a culture that drives these ideas into solutions that create business value. Thanks Glen and Ray.

Scott Gaetjen would like to recognize that Patrick Sack's strategic vision of what database security should be and his keen awareness of customer security requirements are the primary reasons Database Vault exists today. I want to thank Pat for extending the invitation to work with him on Database Vault and for challenging me every day to reach a higher level of assurance in all that I do.

Patrick Sack would like to offer a special thanks to Scott Gaetjen and William (Bill) Maroulis for their diligence, positive attitude, and professionalism. Scott and William have developed some key solutions around Database Vault concepts that inspired many examples and concepts presented in this book. Special thanks to Scott and Bill.

We would also like to acknowledge the following people for inspiring the idea, clearing the way, or getting the job done to make Database Vault a product: Glen Dodson, Raymond Prescott, Jay Gladney, Jon Bakke, Wendy Delmolino, David Knox, Rusty Austin, Gail Wright, Jack Brinson, Chi Ching Chui (and his team!), Chon Lei, Ben Chang, Vipin Samar, Paul Needham, Daniel Wong, Kamal Tbeileh, Aravind Yalamanchi, Timothy Chorma, Frank Lee, Nina Lewis, Maria Chen, Cindy Li, Matthew Mckerley, Xiaofang Wang, Martin Widjaja, Sumit Jeloka, Patricia Huey, Ernest Chen, James Spiller, Tom Best, Duncan Harris, Howard Smith, Andy Webber, and Jeff Schaumuller.

We would like to recognize the sales and consulting teams of the Oracle National Security Group (NSG) and the Oracle Database Security development teams. These Oracle groups work together to deliver the industry's best security products and solutions to some of the most demanding customers in the information technology field.
—Patrick Sack and Scott Gaetjen

I want to acknowledge all my peer writers for all their hard work and dedication in making this book happen. I would especially like to thank David Knox for his mentorship and friendship at Oracle. I would also like to thank Richard Wark, Pat Davies, Al Kiessel, Matt Piermarini, and Colin Nurse for their help and valuable support in many forms, including long, tasty lunches. Finally, I would like to thank my two older siblings, Javed and Tabassum, for being a constant force in my life to reach for bigger and better things. I am very grateful for their love, guidance, and friendship.

—Hamza Jahangir

I would like to thank David Knox and Scott Spadafore for their leadership in the Oracle Security community. Their work has directly influenced the security awareness of Oracle professionals, both inside and outside of Oracle, and consequently countless applications and products. I would like to express appreciation to Tim Ryan, Ken Currie, and Peter Doolan for fostering an environment of creativity and innovation. I would also like to thank members of the Application Express development team including Mike Hichwa and Joel Kallman, whose pragmatic philosophy, emphasis on performance, and strong work ethic provided an ideal environment for me to hone my skills. I would especially like to thank Tom Kyte for his years of mentoring, encouragement, and lessons in critical thinking. These individuals are some of the best and brightest in the industry and were a major influence in my professional development.

—Tyler Muth

I would like to thank Peter Wahl, product manager for Advanced Security, for his time, friendship, and contributions to the transparent data encryption chapter. For their help, I would like to acknowledge David Knox, Tammy Bednar, Al Kiessel, Hamza Jahangir, Matt Piermarini, Pat Davies, Tom Kyte, and others who have corrected, educated, and debated the finer points of electronic security along the way.
I would like to thank my Mum, family, friends, and co-workers for their support, encouragement, love, and friendship—I am indebted to you all. Special thanks to Melanie Valdez for her editing assistance and to Bridget, Jeff, Brice, Guy, and Joel for helping me blow off steam along the way.

—Richard Wark

Most importantly, I would like to thank Jennifer, my wife, for all of her wonderful support and for the long nights and weekends where she ended up managing the family solo while I typed away. Jennifer was also a tremendous help in developing my illustrations. I would like to thank Alysia, Samantha, and Matthew for putting up with "Dad being in the workshop."

The technical editors, Ben Ault, Robert Lindsley, and Derrick Cameron, have been incredibly helpful, and I owe them a great deal of gratitude. They provided excellent feedback on the material and examples. In addition to his technical feedback, Derrick also did some of the earliest work in integrating Oracle BI with Oracle Database security. This whole process would have been much harder without his work.

The rest of my team here at Oracle have also been very helpful. They provided an excellent sounding board and helped me better understand the material presented. In particular, Jerry Conrad provided a great deal of feedback on the initial development of the concepts I presented. I would also like to thank Michael Yeganeh, Ken Currie, and Peter Doolan for the opportunities they have provided at Oracle over the years. Their encouragement to innovate and integrate as part of my daily job has helped shape both me as a person and the content of this book. I deeply appreciate their support on this project.

Finally, I would like to thank David Knox for inviting me to work on this project and work with this amazing group of people. I also want to thank him for all that he added to the material I contributed to this book.
I often learned more from the feedback he provided than I did from researching or writing the subject.

—Bryan Wise

PART I
Oracle Database Security New Features

CHAPTER 1
Security Blueprints and New Thinking