Feature
Oracle Database 10g Security and Identity Management
By Michael Miley
Oracle Database 10g provides a secure, scalable foundation for Oracle Identity Management. Oracle Internet Directory (OID) is implemented as an application running on Oracle Database 10g, allowing OID to support terabytes of directory information on a single server or across nodes in a grid. Oracle Database 10g protects the raw data with strong features such as Virtual Private Database. Key database security features include:
Enterprise User Security. Oracle Database 10g's enterprise user security feature, consisting of enterprise privilege administration and shared schemas, allows per-user access to data while enabling centralized user management in Oracle Internet Directory. User privileges, represented as roles, and object constraints, represented as Access Control Lists (ACLs), can be stored in the OID database.
Virtual Private Database. Virtual Private Database (VPD) lets developers attach a security policy to an application table, view, or synonym. Secure Application Context can be used with the security policy to determine how to apply the policy. Oracle Database 10g introduces column-relevant security policy enforcement and optional column masking in VPD.
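As an added illustration of the VPD mechanism described above (example code written for this page, not taken from the article or from Oracle's documentation), the following attaches a policy that uses a Secure Application Context and the 10g column-masking option; the APP schema, the ORDERS and REP_REGIONS tables, and the ORDERS_CTX context are assumed:

```sql
-- Constructed example: a sales rep may see credit-card data only for
-- orders in their own region. Schema APP, tables ORDERS (REGION,
-- CREDIT_CARD, ...) and REP_REGIONS (USERNAME, REGION) are assumed.

-- 1. Application context, settable only through the trusted package
CREATE OR REPLACE CONTEXT orders_ctx USING app.orders_ctx_pkg;

CREATE OR REPLACE PACKAGE app.orders_ctx_pkg AS
  PROCEDURE set_region;
END;
/
CREATE OR REPLACE PACKAGE BODY app.orders_ctx_pkg AS
  PROCEDURE set_region IS
    v_region VARCHAR2(30);
  BEGIN
    -- Region of the logged-in database user, from a trusted mapping table
    SELECT region INTO v_region FROM app.rep_regions
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('orders_ctx', 'region', v_region);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown user: a value that matches no row, so everything is masked
      DBMS_SESSION.SET_CONTEXT('orders_ctx', 'region', 'NONE');
  END;
END;
/
-- 2. Policy function: returns the predicate the kernel appends to queries
CREATE OR REPLACE FUNCTION app.orders_region_policy
  (p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  -- The value is read from the context at run time, never concatenated in
  RETURN 'region = SYS_CONTEXT(''orders_ctx'', ''region'')';
END;
/
-- 3. Attach the policy. Without sec_relevant_cols the predicate would
--    filter rows on every SELECT; with it plus ALL_ROWS (new in 10g) the
--    predicate applies only when CREDIT_CARD is referenced, all rows are
--    still returned, and CREDIT_CARD reads as NULL where the predicate fails.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP',
    object_name           => 'ORDERS',
    policy_name           => 'ORDERS_REGION_MASK',
    function_schema       => 'APP',
    policy_function       => 'ORDERS_REGION_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'CREDIT_CARD',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
```

In practice `app.orders_ctx_pkg.set_region` is called from an AFTER LOGON trigger so the context is populated before any query runs; because the context can be set only through that package, a session cannot grant itself another region.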
Oracle Label Security. Oracle Database 10g allows Oracle Label Security policies to be created centrally in the Oracle Identity Management infrastructure. Storing the policies in Oracle Internet Directory simplifies provisioning and administration of security across all databases in the enterprise or grid: organizational sensitivity labels and application user security clearances can be managed in one location.
Fine-Grained Auditing. A critical aspect of any effective security policy is maintaining a record of system activity to ensure that users are held accountable for their actions. Oracle builds on the existing robust, comprehensive auditing capabilities of the database to include fine-grained auditing that can serve as an organization's early warning system if users misuse data access privileges and as an intrusion detection system for the database itself.
Proxy Authentication. Oracle Database 10g supports proxy authentication, providing three-tier security by enabling an SSL credential (an X.509 certificate or DN) to be passed to the database to identify (but not authenticate) users. The database uses the DN or certificate to look up a user in Oracle Internet Directory or another LDAP-based directory. Integration of proxy authentication with Enterprise User Security enables the user identity to be maintained throughout all tiers of an application, yet the user need be created only once in the directory.
Oracle Advanced Security. Oracle Advanced Security provides strong authentication solutions leveraging a business's existing security framework, including Kerberos, public key cryptography, RADIUS, and Distributed Computing Environment (DCE) for Oracle Database 10g. New in this release is the ability to check X.509v3 certificate revocation by using Certificate Revocation Lists stored in the file system, in Oracle Internet Directory, or at CRL Distribution Points.
Michael Miley (mmiley@pacbell.net) is a freelance writer living in Sonoma, California.