Summary

One of the beneficial outcomes of the explorations into MAC security was that the solutions became repeatable and well understood. The concept of providing fine-grained access control based on labels was validated and proven secure. Independent tests were conducted by the NSA. OLS uses the lessons learned from over ten years of building MAC solutions based on labels and applies them to today’s Oracle database. The result is a secure, easy-to-manage capability that has a proven track record and heritage.

The intention of OLS is to provide a technical implementation that reflects a defined security policy. Creating an accurate labeling scheme may be the most important step in the entire process, and it’s certainly the most challenging. However, unlike most security implementations, once the security policy has been translated into labels, the hard part is done.

There are many benefits to using OLS. The security can easily be made transparent. Not only is the security code written for you, it has also been evaluated. OLS is flexible, allowing you to change your policy enforcements on the fly. Most importantly, the system security is maintainable. One of the greatest challenges of any application implementation is supportability and maintenance of the code into the future. The Policy Manager provides an easy way to inspect, audit, review, and change the security policies.

Where OLS alone falls short, it can easily be augmented with VPD. These two tools are complementary and not exclusionary. Together, these two technologies fight the evil forces of full-table access, bringing row-level security to all.

Chapter 13 delves even deeper into data protection with element-level protections provided by a new database encryption tool. Hint: this one is a lot easier to pronounce than its predecessor.



Effective Oracle Database 10g Security by Design
ISBN: 0072231300
EAN: 2147483647
Year: 2003
Pages: 111
