Oracle Database 12c Security

Contents

PART I  Essential Database Security

1  Security for Today's World  3
    The Security Landscape  4
        Base Assumptions  4
        Database Security Today  5
        Evolving Security Technologies  6
        Security Motivators  8
        Sensitive Data Categorization  9
        Principles  10
    Summary  11

2  Essential Elements of User Security  13
    Understanding Identification and Authentication  14
        Identification Methods  15
        Authentication  17
    Understanding Database Account Types  18
        Database Account Types in Oracle Database 12c Multitenant Architecture  21
    Privileged Database Account Management in Oracle Database 12c  22
        Administrative Privileges for Separation of Duty  22
        Methods for Privileged Database Account Management  24
    Account Management in Multitenant Oracle Database 12c  33
        Creating Common Database Accounts  34
        Managing Accounts in a Pluggable Database  34
    Managing Database Account Passwords and Profiles  39
        Managing Passwords for Local Database Accounts  40
        Managing Database Account Profiles  42
    Summary  51

3  Connection Pools and Enterprise Users  53
    External Identification and Authentication Challenges  54
        Connection Challenges  54
        Performance  55
        Connection Pools  55
        Security Risks  56
    External Identification and Authentication in Oracle Database 12c  56
        Oracle Proxy Authentication  57
        Oracle Enterprise User Security  63
        Oracle Kerberos Authentication  90
        Oracle RADIUS Authentication  91
    Summary  91

4  Foundational Elements for a Secure Database  93
    Access Control, Authorization, and Privilege  94
        Access Control  94
        Authorization  94
        Privilege  94
        Object Privileges  99
        Column Privileges  100
        Synonyms  102
        System and Object Privileges Together  105
        Privilege Conveyance and Retraction  106
    Roles  109
        Role and Privilege Immediacy  111
        Roles and Container Databases  112
        Public and Default Database Roles  113
        Role Hierarchies  115
        Object Privileges Through Roles and PL/SQL  115
    Selective Privilege Enablement  117
        Selective Privilege Use Cases  120
    Password-Protected Roles  122
        Password-Protected Role Example  123
        Password-Protected Roles and Proxy Authentication  124
        Challenges to Securing the Password  124
    Secure Application Roles  125
        Secure Application Role Example  126
    Global Roles and Enterprise Roles  130
        Creating and Assigning Global and Enterprise Roles  131
        Combining Standard and Global Roles  134
    Using Roles Wisely  135
        Too Many Roles  135
        Naming  135
        Dependencies  135
    Summary  136

5  Foundational Elements of Database Application Security  137
    Application Context  138
        Default Application Context (USERENV)  140
        Auditing with USERENV  141
    Database Session-Based Application Context  143
        Creating a Database Session-Based Application Context  144
        Setting Context Attributes and Values  145
        Applying the Application Context to Security  149
        Secure Use  153
        Common Mistakes  153
    Global Application Context  156
        GAC Uses  156
        GAC Example  156
        Global Context Memory Usage  161
        External and Initialized Globally  161
    Using Views in Security  163
        Views for Column- and Cell-Level Security  164
        Views for Row-Level Security  171
    Definer's vs. Invoker's Privileges/Rights for PL/SQL  175
        Definer's Rights Invocation on PL/SQL Programs  175
        Invoker's Rights Invocation for PL/SQL  177
    Definer's vs. Invoker's Privileges/Rights on Java Stored Procedures  180
        Java Stored Procedure and Definer's Rights  180
        Java Stored Procedure and Invoker's Rights  182
    Code-Based Security  183
        Granting Roles and Privileges to PL/SQL  183
    Entitlement Analytics  184
        Profile Application Use  185
        Privilege Reduction  187
        Oracle Enterprise Manager Cloud Control (OEMCC) 12c  188
    Sharing Application Code  191
        Managing Common Application Code with Pluggable Databases  192
        Managing Common Application Code with Database Links  192
    Summary  193

6  Real Application Security  195
    Account Management in Oracle RAS  197
        Configuring DLAU Accounts  197
        Configuring Simple Application User Accounts  201
    Oracle RAS Roles  202
        Integration of Standard Database Roles with Oracle RAS Roles  202
        Role Management Procedures in Package XS_PRINCIPAL  204
        Out-of-the-Box Roles in Oracle RAS  205
    Lightweight Sessions in Oracle RAS  206
        Setting Privileges for Direct Login Application User Accounts  207
        Lightweight Session Management in Java  208
    Namespaces in Oracle RAS  212
        Server-Side Event Handling and Namespaces in Oracle RAS  217
        Session Performance in Oracle RAS  223
    Privilege Management and Data Security in Oracle RAS  224
        Security Classes, Application Privileges, and ACLs  226
        Data Security Policies  229
        Protecting Namespaces with ACLs  234
    Auditing in Oracle RAS  236
        Default Audit Policies for Oracle RAS  236
        Reporting on Audit Events and Audit Policies in RAS  237
    Validating Policies and Tracing in Oracle RAS  237
        Validating Policy Components  237
        Tracing Sessions and Data Security Policies  238
    Summary  240

PART II  Advanced Database Security

7  Controlled Data Access with Virtual Private Database  243
    Introduction to Virtual Private Database  244
        How VPD Works  244
        Benefits  245
        VPD Components  246
        Types of Control  246
    How to Use VPD  247
        Which Type of VPD Is Right for Me?  247
    Row-Level Security  248
        Table Fire with Row Filter  248
        Column Fire with Row Filter  255
        VPD and INSERT Statements  258
        VPD and INDEX Statements  260
    Column-Level Security  260
        Column Fire with Column Filter  260
    VPD Exemptions  263
        Audit EXEMPT ACCESS POLICY Privilege  263
        Verify EXEMPT ACCESS POLICY Privilege  264
        Verify Audit Trail  265
    Debugging and Troubleshooting VPD Policies  265
        Invalid Policy Functions  265
        Verifying and Validating Predicates  269
    VPD Performance  273
        Application Context and Logon Trigger  273
        Bind Variables  275
        VPD Caching  275
    Summary  286

8  Essential Elements of Sensitive Data Control  287
    Sensitive Data Protection Challenges  288
    Oracle Database 12c Transparent Sensitive Data Protection  289
        Discover Sensitive Information with Enterprise Manager  290
        Configuring a TSDP Administrator  296
        Defining Sensitive Information Types  296
        Mapping Sensitive Information Types to Columns  297
        Creating Sensitive Information Policies  297
        Mapping Sensitive Information Policies to Sensitive Types  299
        Enabling Sensitive Information Redaction  299
        Redacting Sensitive Information in the Database Audit Trail  301
    Summary  302

9  Access Controls with Oracle Label Security  305
    About Oracle Label Security  306
        History  306
        OLS Functional Overview  306
        OLS vs. VPD  306
        Label-Based Access Control  307
        OLS Label Types  310
    OLS Installation  311
        Installing OLS  311
        Register and Enable OLS in the Root Container  314
        Register and Enable OLS in a Pluggable Database  315
    Administering OLS  316
        OLS Role LBAC_DBA  316
    OLS Example  318
        Create a Policy  318
        Create Label Components  319
        Create OLS Labels  325
        Apply OLS Policy to a Table  332
        Authorize OLS Access  334
        Insert Data Using OLS Functions  336
        Querying Data from an OLS Protected Table  339
        OLS and the Connection Pool  340
    Auditing OLS Privileges and Use  341
    Trusted Stored Procedures  343
    Integrating OLS and Oracle Internet Directory  344
    Performance with OLS  344
    Summary  344

10  Oracle Database Vault: Securing for the Compliance Regulations, Cybersecurity, and Insider Threats  345
    History of Privileged Accounts  346
        SYS as SYSDBA (Super User 0)  347
    Security Should Haves  347
        Multifactored Security  347
        Conditional Security  348
    DBV Components  348
        Factors  349
        Rules  350
        Realms  351
        Command Rules  351
        DBV Secure Application Roles  352
    Configuring and Enabling DBV  352
        DBV Administration Using Common Accounts  352
        DBV Administration Using Delegated Accounts  354
        Manually Configuring DBV in a PDB  355
    Managing DBV Configuration  357
        DBV Administration PL/SQL Package and Configuration Views  357
    DBV Security Policies in Action  360
        Installed DBV Roles  360
        SoD with Roles, Realms, and Command Rules  362
        Default Audit Policies  367
        General Database Maintenance and Operations Authorizations  368
        Creating Custom DBV Policies  368
    Summary  387

11  Oracle Transparent Data Encryption: Securing for the Compliance Regulations, Cybersecurity, and Insider Threats  389
    Encryption 101  390
        Goal of Encryption  390
        The Basics  391
        Encryption Choices  391
        The Algorithm and the Key  392
    Encrypting Data Stored in the Database  394
        Where the Data "Rests"  395
        Protecting the Data  396
        Applied Example  398
        Encrypting in the Database  398
    The Transparent Data Encryption Solution  399
        Key Management Facilities  400
        Key Management Roles  401
        Creating Keystores and a Master Key in the Root Container  402
        Creating Master Keys in Pluggable Databases  406
        Creating an Encrypted Column in a New Table  407
        Determining TDE Encrypted Columns  411
        Encrypting an Existing Column  412
        Caveats to Column-Level TDE  413
        Tablespace Encryption  414
        TDE and Oracle Database Tools Interoperability  415
        Performance  416
    Advanced Encryption Protection Support  418
        Configuring FIPS 140-2 Support  418
    Summary  419

PART III  Security and Auditing for the Cloud

12  Audit for Accountability  423
    The Security Cycle  424
    Auditing for Accountability  425
        Auditing Provides the Feedback Loop  425
        Auditing Is Not Overhead  425
    Audit Methods  425
        Infrastructure and Application Server Logs  425
        Application Auditing  426
        Trigger Auditing  427
        Database Auditing  428
    Enabling Auditing in the Database  429
        Audit Destination for Standard Auditing and FGA  429
        Enable Oracle Unified Auditing in Oracle Database 12c  430
    Who Conducts the Audit Policy and Audit Reporting?  432
        Audit Administrator Role  432
        Audit Reporting Role  433
    What Should Be Audited? Creating the Audit Policy  434
        Best Practices for Audit Policies  435
        OUA Audit Policy Configuration  437
        Traditional Audit Policy Configuration  448
    Fine-Grained Auditing  453
        Enabling FGA  453
        Acting on the Audit  454
    Audit Storage, Audit Retention, and Reporting  455
        Oracle Audit Vault  455
        Audit Trail Retention Under OUA  456
        Audit Trail Retention Under Traditional Auditing  458
        Reporting on Database History  459
    Summary  460

13  An Applied Approach to Multitenancy and Cloud Security  461
    System Baseline and Configuration  462
        Facility and Infrastructure Security  462
        Personnel Security  464
        Configuration Management  465
        Equipment  465
        Secure Virtualization  466
        Operating System  467
        Jobs, Users, Groups/Roles, and Privileges  468
    Oracle Database 12c Multitenancy and Cloud Computing  471
        Cloud Computing  472
    Oracle 12c Software Installation  472
        Security-Related Installation Prerequisites and Installation Options  472
        Choosing the Number of Oracle Homes  473
        Securing the Oracle Home  473
        Are You Still Secure?  474
        Securing the Listener  474
        Managing Passwords  474
        Secure Database Initialization Parameters  475
    Installing and Securing Your Application  475
        Sensitive Data Discovery  475
        Account Management  476
        Privilege Management  477
        Least Privilege  477
        Data Access Controls  478
        Protecting Your Company Intellectual Property  478
        Database Firewall  479
    Data Encryption  480
        Network Data Encryption and Integrity  480
        Encryption of Data at Rest  481
        Encryption of Backup Data  482
    Auditing  484
        Oracle Auditing  484
        Oracle Audit Vault  485
        Audit Life Cycle Management  485
    Locking Down Your System  488
        Standards for Lockdown  488
        Secure Patching  490
    Monitoring and Alerting  492
        Monitoring Audit Events  492
        System Monitoring Using OEMCC  492
    Availability, Backup and Recovery, and Continuity of Operations  494
        Availability  495
        Backup and Recovery  496
    Summary  496

A  Sample Preparation Scripts  499
    Sample Pluggable Databases  500
        SALES Pluggable Database  500
        Human Resources (HR) Pluggable Database  500
    Sample Security Manager Account Creation  501
        Root Container  501
        Pluggable Databases  503

Index  505