17.1 Trusted Oracle
Trusted Oracle is a multi-level security (MLS) product used primarily within government agencies where data access is based on security clearance levels. The government security levels are (in increasing degree of security):
Normally, in highly secure government agencies, information is restricted on a "need to know" basis. Trusted Oracle is intended to allow you to access only the information at the level your security clearance allows. For example, if you have been granted a clearance level of secret, you can view information that has been classified at the confidential and secret levels, but you will not be able to view information at a higher level.
There is one more component to a clearance. You may hold a secret clearance but not be permitted to view specific areas of confidential or secret information because you do not have a need to know that information. In other words, you might be cleared to see information for the ABC program because you are working on that program but not be able to see information for the XYZ program.
There are, therefore, two potential levels of access at play within a single security level:
Restriction to data access is enforced by the Trusted Oracle engine and by stored PL/SQL programs.
We stress the use of Trusted Oracle in conjunction with security clearances because that is how the product is most often implemented. However, there are many organizations that could benefit by using this product to ensure the protection of very sensitive data. For example, a company whose profits depend on keeping formulas protected might implement Trusted Oracle using various company-defined levels of privilege. A pharmaceutical company could set up its database with different levels of access to the formulas that it views as top secret.
17.1.1 How Trusted Oracle Works
At its simplest level, Trusted Oracle adds a classification column to each table. The information this column contains is called a label. Each label is divided into two parts: the information label and the sensitivity label. Both labels include a classification such as unclassified, confidential, secret, and top secret. The information label also includes a marking section that allows a distinction to be made between different categories of the classification. Each row within the table contains an entry made for the classification level of that particular row.
Each user within the system has a label designation. The user's label identifies exactly what information he or she is permitted to view. A security scheme that matches table and column labels against user labels is called mandatory access control (MAC). Mandatory access control is implemented above any user-defined data restrictions. Full implementation of Trusted Oracle relies on the use of an approved trusted operating system that has been certified at a specific level of trust by the National Computer Security Center (NCSC), generally B1 or B2.
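The label comparison described above can be modeled in a few lines. The following is an added example, not code from the book or from Trusted Oracle itself: it assumes the conventional MAC read rule (the reader's classification must be at least the row's, and the reader must hold every category marked on the row), and the names Label, label, visible_rows, visible_ids, row_label and the sample rows are all constructed for illustration.

```python
from dataclasses import dataclass

# Classification levels named in this section, in increasing order of sensitivity.
LEVELS = ["unclassified", "confidential", "secret", "top secret"]


@dataclass(frozen=True)
class Label:
    """Simplified label: a classification plus need-to-know categories."""
    classification: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Read is allowed only if the level is at least as high AND every
        # category on the data is also held by the reader (need to know).
        return (LEVELS.index(self.classification) >= LEVELS.index(other.classification)
                and other.categories <= self.categories)


def label(classification, *categories):
    if classification not in LEVELS:
        raise ValueError(f"unknown classification: {classification!r}")
    return Label(classification, frozenset(categories))


def visible_rows(user_label, rows, dac_filter=lambda row: True):
    """Rows the user may read: the MAC check always applies, and any
    user-defined (discretionary) filter can only narrow the result further."""
    return [r for r in rows
            if user_label.dominates(r["row_label"]) and dac_filter(r)]


# Constructed sample table: each row carries its own label column.
ROWS = [
    {"id": 1, "name": "press release",  "row_label": label("unclassified")},
    {"id": 2, "name": "ABC schedule",   "row_label": label("confidential", "ABC")},
    {"id": 3, "name": "XYZ schedule",   "row_label": label("confidential", "XYZ")},
    {"id": 4, "name": "ABC design",     "row_label": label("secret", "ABC")},
    {"id": 5, "name": "ABC source doc", "row_label": label("top secret", "ABC")},
]


def visible_ids(user_label, rows=ROWS, dac_filter=lambda row: True):
    return [r["id"] for r in visible_rows(user_label, rows, dac_filter)]


if __name__ == "__main__":
    analyst = label("secret", "ABC")   # cleared secret, working on ABC only
    print(visible_ids(analyst))        # [1, 2, 4]
```

A user with a high classification but no categories sees only uncategorized rows, which is the "need to know" restriction in action: clearance level alone is not sufficient.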
17.1.2 Accessing a Trusted Oracle Database
Access to a Trusted Oracle database can be enforced in one of two ways:
If access is implemented from the database, you have to present a username and password to log on to the operating system and another (or the same) username and password to connect to the database. If access is controlled from the operating system, you just have to enter a username and password to log on to the system. By default, Trusted Oracle will accept the operating system validation as enough proof that you are okay, and you will be granted access to the database. This approach is very similar to the approach taken by the "identified externally" accounts we described in Chapter 8.
Trusted Oracle (version 7) has been subjected to several U.S. and foreign government certification tests and has been certified as secure according to those tests. Among these are:
U.S. National Computer Security Center (NCSC) Trusted Computer System Evaluation Criteria (TCSEC) or "Orange Book," class B1.
European Information Technology Security Evaluation Criteria (ITSEC) at assurance E3.
The trusted version of Oracle8 is also being subjected to these tests.
You must remember that the full functionality of Trusted Oracle is only available provided that the computer on which the product is installed is also running a trusted version of the operating system.