By Greg Jensen on Aug 23, 2013
As organized cyber-attacks become sophisticated and targeted, organizations, particularly those in the financial and health sectors, have come under strict regulations. The growing security risks from internal and external sources have brought focus on both preventive and detective controls working together to protect data. In this edition of the Oracle IAM blog series, we will take a look at how an organization can leverage Oracle’s Identity and Access Management technologies in conjunction with Oracle’s database security offerings.
Traditionally, encryption has been considered as the required approach to protect information. However, complex information systems have led to implementation of a defense-in-depth approach to database security that includes stronger preventive and detective controls. In addition to encryption, preventive measures should also include restricting access to data within the organization. Compliance requirements on the other hand, have driven adoption of detective controls such as database activity monitoring and auditing. Detective controls complement preventive controls by filtering attempts to connect to the information system, generating activity reports, and help investigations of potential breaches.
A common concern identified in several organizations is the lack of insight about the access users have. This usually stems from multiple points to manually create users and ad-hoc processes, such as a phone call, to grant access to applications. By relying on incoherent manual processes to provide, monitor and audit user access, the organization risks drastic implications on the privacy and integrity of their information. Deloitte approaches this problem by leveraging solutions like Oracle’s IAM stack to pro-actively restrict database access by defining user profiles and centrally managing user life cycle. This, coupled with preventive and detective controls, can offer a holistic approach to securing information.
Separation of Duties
Separation of duties is an important component to managing user access because it separates the responsibility of sensitive tasks into multiple people, so that no one person has all power. Oracle Database Vault, an add-on to Oracle database, protects against insider threats by restricting read/write access to sensitive data. For example, an administrator can be allowed to increase or decrease the size of a table, but given the role, they will be denied read/write access to the contents of the table. By securing access to the data based on multi-factor policies such as application, IP address, and other pre-determined factors, organizations have granular control over what, when, where, and how users can access sensitive data.
Deloitte’s strategy lets the client manage access to its data layer by separating approach vectors, such as internal or external clients, or type of access such as web and mobile applications. Oracle Access Manager helps to control user’s access to web applications, and Oracle Entitlement Server allows administrators to control what a user can see within an application.
The first step in this direction is to have a least-privilege approach to endeavor to provide that each user has a base profile giving them minimum access to the database. These profiles can be configured through Oracle Identity Manager (OIM). If a user’s business function requires elevated access, it can be requested. Requests access can be made through a central portal and provisioned automatically through OIM. The requirement for approvals adds a layer of control for the client over what a user can view or modify.
In order to have granular access control, the information stored within the database should be ranked based on sensitivity; this can be achieved by deploying Oracle Label Security (OLS). With OLS in place, only the users with read/write access to sensitive information will be able to interact with the data. By comparing a user’s profile and the level assigned to the data, level based access to data is determined. These data ranks are defined according to the organization’s requirements with the highest level assigned to the most sensitive information. Adding finer security controls, data is put in “compartments” that can have their own levels. For example, the financial compartment can have the highest level ranking.
As mentioned above, Oracle Database Vault provides security by preventing access. There is a lot that can be done to secure information above the data level. Database defense-in-depth also includes database activity monitoring and auditing. Oracle Audit Vault and Database Firewall monitor database traffic to detect and block threats. The tools help improve compliance reporting by consolidating audit data from databases, operating systems, directories, and other sources. The following illustration shows how the two can work together:
Logs from the Database Firewall and other systems in the network, can be fed into the Audit Vault. Then, custom and template-driven database activity reports can be generated to help address compliance and regulations.
Deloitte suggests organizations establish a database defense-in-depth strategy that includes multiple layers of both preventive and detective security controls. By logging the entire process of user account creation, granting access, changing roles, and user account termination, the organization has a 360-degree approach to access governance. Detective controls add valuable context for investigations and provide a critical layer of security during a security breach incident. If network firewalls are by-passed, or in the case of an insider threat, preventive controls can offer a strong defense. Since these security controls are granular, they can be effectively configured to limit employees to their day-to-day activities. Identity and access management helps setup work flows for provisioning and defining roles to limit access; this coupled with encryption, activity monitoring and reporting, form a holistic defense-in-depth approach to security and compliance.