Security Features


Oracle Corporation has improved the security features in Oracle Database 10g over previous versions to provide better data security, integrity, authentication, auditing, and access control based on industry standards. Oracle Advanced Security provides these features along with strong authentication methods such as Kerberos, smart cards, and digital certificates.

Fine-grained auditing (FGA) has been extended so that granular auditing covers INSERT, UPDATE, and DELETE operations as well as queries. Also, bind variable information is now captured in both DBA_AUDIT_TRAIL and DBA_FGA_AUDIT_TRAIL via the new SQL_BIND column.

Sensitive enterprise data should always be encrypted to prevent unauthorized viewing or tampering by malicious insiders and external attackers, and corporate databases should be configured to detect, block, and log attempts to reach that data. Oracle protects sensitive data traveling over enterprise networks and the Internet using encryption algorithms such as RC4, DES and Triple-DES (3DES), and the Advanced Encryption Standard (AES). For RC4, the encryption module generates a secret random key that is unique to each session, with key lengths of 40, 56, 128, or 256 bits. Oracle Advanced Security implements the U.S. Data Encryption Standard (DES) with a standard 56-bit key and also provides DES40 with 40-bit keys for backward compatibility with older applications. Triple-DES encrypts data with three passes of the DES algorithm, giving higher security at a performance cost; 3DES is available in two-key (112-bit) and three-key (168-bit) forms. For more details on Oracle security packages, refer to the Oracle Database 10g Security Guide.

Oracle Advanced Security ensures data integrity over the network by computing a cryptographically secure message digest with the Message Digest 5 (MD5) algorithm or the Secure Hash Algorithm (SHA-1) and sending it along with the data (message). The integrity algorithm protects against data modification, data deletion, and replay attacks on a network.

User authentication in distributed environments is usually provided by means of passwords. Oracle Advanced Security also supports various third-party authentication services, including Secure Sockets Layer (SSL with digital certificates), DCE (Distributed Computing Environment), Kerberos (authentication server), RADIUS (Remote Authentication Dial-In User Service), and Entrust/PKI. Oracle Connection Manager enables secure data transfer across network protocols such as LU6.2, TCP/IP, and DECnet by passing already-encrypted data between protocols, avoiding the cost of repeated encryption and decryption.

Access Control Features

Now that you have reviewed the encryption, integrity, and authentication parts of database security, let's focus on access control features for the enterprise. Oracle Internet Directory (OID) is an LDAP-compliant directory service that manages users' security privileges in a database down to the attribute level. Other database-security features are Virtual Private Database (VPD) and Oracle Label Security.

Virtual Private Database enforces security at a finer level of granularity, directly on database tables, views, and synonyms, so that the policy cannot be bypassed by reaching the object through another path. When a user accesses a database object protected by a VPD policy, the server dynamically appends predicates to the user's SQL statement in accordance with the security policy. VPD policies therefore restrict access to the database tables, can be changed easily as necessary, and require no modifications to application code. This is especially useful in enterprise resource planning (ERP) applications, where database objects are highly customized for a variety of users.
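The predicate rewriting described above, as an added example that is not from the book: a policy function plus an application context that restricts an assumed APP.ORDERS table (with a DEPARTMENT_ID column) to the connected user's department, where APP.USER_DEPARTMENTS is an assumed lookup table.

```sql
-- Added example, not from the book: a VPD policy on an assumed APP.ORDERS
-- table (columns ORDER_ID, DEPARTMENT_ID) that shows each user only the
-- rows of their own department. APP.USER_DEPARTMENTS is an assumed lookup table.
-- Application context: only the trusted package APP.SEC_CTX may set its
-- attributes, so a user cannot forge a department id with SET_CONTEXT.
CREATE CONTEXT order_ctx USING app.sec_ctx;

CREATE OR REPLACE PACKAGE app.sec_ctx AS
  PROCEDURE set_dept;   -- call from an AFTER LOGON trigger
END sec_ctx;
/
CREATE OR REPLACE PACKAGE BODY app.sec_ctx AS
  PROCEDURE set_dept IS
    v_dept app.user_departments.department_id%TYPE;
  BEGIN
    SELECT department_id INTO v_dept
      FROM app.user_departments
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('order_ctx', 'dept_id', v_dept);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      NULL;   -- unmapped user: attribute stays NULL and the predicate matches no rows
  END set_dept;
END sec_ctx;
/

-- Policy function: returns the predicate the server appends to each statement.
CREATE OR REPLACE FUNCTION app.orders_policy (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  RETURN 'department_id = SYS_CONTEXT(''order_ctx'', ''dept_id'')';
END orders_policy;
/

-- Attach the policy to all four statement types; UPDATE_CHECK => TRUE also
-- rejects INSERTs and UPDATEs that would create a row the user could not see.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_DEPT_POLICY',
    function_schema => 'APP',
    policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);
END;
/
-- SELECT * FROM app.orders is now executed as
-- SELECT * FROM app.orders WHERE department_id = SYS_CONTEXT('order_ctx','dept_id')
```

Because the context can only be populated by the trusted package, a session for which SET_DEPT found no mapping sees no rows at all rather than falling open.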

Oracle Label Security controls user access to a data record (row) by comparing that row's label with the user's label and privileges. Database administrators can easily add selective row-restrictive policies to existing databases through the Oracle Policy Manager GUI and fortify their existing applications without changing any application code.

The Oracle Java Virtual Machine (OracleJVM) can run Java objects inside the database in tandem with the database-security features. The Oracle Advanced Security User Migration utility helps to migrate users from existing databases to OID. For existing applications with several hundred users, the users can be ported over with the migration utility and then authenticated through OID for new applications.



    Oracle Database 10g Insider Solutions
    ISBN: 672327910
    Year: 2006