Secure Your Oracle Database: Authentication and Access Controls
Corporate information is a critical differentiator for organizations and their customers. Financial intelligence, personally identifiable information (PII), trade secrets and other proprietary information are common forms of data stored in databases.
In order to protect this information from internal and external misuse or attack, businesses must implement security measures as close to the data as possible. This means protection at the database layer.
Four Database Risk Management Basics
There are four (4) basic areas that must be addressed to protect databases and the sensitive information they contain:
- Authentication
- Access Controls
- Secure Configuration
- Database Auditing
This post will focus on the first two areas: Authentication and Access Controls.
Default (Preset) User Accounts
Make sure unused default Oracle accounts are locked and expired.
Default User Passwords
Change the Oracle default user passwords to strong, complex, mixed-character phrases.
Modify the Default profile to restrict usage.
Secure Password Policy
Create and implement a hardened password management policy for non-application users that complies with your corporate password policy. The password policy function should be implemented for database users through Virtual Private Database (VPD).
Password Strength and Complexity
Tying in with the previous tip, password profile attributes should be updated to meet the password recommendations from the Center for Internet Security (CIS) guidelines.
Roles and Permissions
Assign and manage permissions based on roles rather than authorizing individual users. This will simplify your security administration efforts as you continue to fine-tune access levels based on job duties.
For example, perhaps the “operations manager” role can approve transactions but never access the accounts payable application; or only developers and their direct reports are able to access the development environment.
Principle of Least Privilege
This is a good place to start for setting access controls. Only grant as much access to an employee as they need to fulfill their job-specific tasks. One set of roles and permissions to examine closely is that of your IT personnel – especially those who administer the access controls, since they usually have the access levels needed to do maximum damage.
Identify and Reduce the Number of Privileged Accounts
Creating an inventory of these accounts is essential. Once this list is established, unnecessary accounts should be deleted. Standard users should only be given privileged access on an as-needed basis.
Revocation of Rights
The provisioning and de-provisioning of privileged access is essential to effective data security. Take measures to ensure immediate removal of access to privileged accounts and changing of shared credentials, as well as automatic termination of accounts once an employee leaves the organization.
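The role-based grants, privileged-account inventory and revocation steps described above, sketched as Oracle SQL. This is an added example, not part of the original post: the schema, table, column, role and user names (app.transactions, approval_status, approved_by, ops_manager, jsmith) are hypothetical, and the ORACLE_MAINTAINED filter assumes Oracle 12c or later.

```sql
-- Added example; all object, role and user names are hypothetical.

-- 1. Role-based access: the role may read transactions and update only the
--    approval columns. It receives no grants on the accounts payable schema.
CREATE ROLE ops_manager;
GRANT SELECT ON app.transactions TO ops_manager;
GRANT UPDATE (approval_status, approved_by) ON app.transactions TO ops_manager;
GRANT ops_manager TO jsmith;

-- 2a. Inventory: every user who holds DBA, directly or through nested roles.
--     The hierarchical query walks role-to-role grants upward from DBA.
SELECT u.username, u.account_status
FROM   dba_users u
WHERE  u.username IN (
         SELECT grantee
         FROM   dba_role_privs
         START  WITH granted_role = 'DBA'
         CONNECT BY PRIOR grantee = granted_role)
ORDER  BY u.username;

-- 2b. Inventory: broad system privileges granted straight to non-Oracle
--     users instead of through a role ("... ANY ..." or WITH ADMIN OPTION).
SELECT p.grantee, p.privilege, p.admin_option
FROM   dba_sys_privs p
JOIN   dba_users u ON u.username = p.grantee
WHERE  u.oracle_maintained = 'N'
AND    (p.privilege LIKE '% ANY %' OR p.admin_option = 'YES')
ORDER  BY p.grantee, p.privilege;

-- 2c. Inventory: object privileges granted to individual users rather than
--     roles, which bypasses the role model from step 1.
SELECT t.grantee, t.owner, t.table_name, t.privilege
FROM   dba_tab_privs t
JOIN   dba_users u ON u.username = t.grantee
WHERE  u.oracle_maintained = 'N'
ORDER  BY t.grantee, t.owner, t.table_name;

-- 3. Revocation when the employee changes duties or leaves: remove the role,
--    then lock the account so no new sessions can be opened with it.
REVOKE ops_manager FROM jsmith;
ALTER USER jsmith ACCOUNT LOCK;
```

Locking an account does not end sessions that are already connected, so check V$SESSION for the user as part of the same de-provisioning step.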
Part II: Secure Configuration and Database Auditing
Learn even more about how to protect your Oracle database with the next post in this series: Best Practices for Secure Oracle Configuration and Database Auditing