
IOUG SAP SIG: Oracle Database Vault for SAP

Kamal Tbeileh, Principal Product Manager, Oracle Database Security
Andreas Becker, Principal Member, Oracle/SAP Development

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Agenda
- Database Vault Overview: Realms, Command Rules, and Separation of Duty
- Database Vault Certification for SAP, Project Details: Overview, Technical Details, Best Practices and more
- Database Vault Best Practices
- Database Vault Performance Numbers
- Feedback and Questions

Oracle Database Security: Continuous Innovation

[Figure: timeline of Oracle Database security features from Oracle7 through Oracle8i, Oracle Database 9i, 10g and 11g. Features shown: Government customer, Database Auditing, Native Network Encryption, Database Encryption API, Strong Authentication, Virtual Private Database (VPD), Enterprise User Security, Proxy authentication, Oracle Label Security, Fine Grained Auditing, Client Identity Propagation, EM Secure Config Scanning, VPD Column Relevant, VPD Column Masking, TDE Column Encryption, Secure Backup (Tape), Oracle Database Vault, Oracle Audit Vault, TDE Tablespace Encryption, EM Data Masking.]

Data Security Business Drivers

Regulatory and Privacy Requirements
- Sarbanes-Oxley (SOX), GLBA, HIPAA, PCI
- Japan and Korea have similar versions of SOX
- Regulations continue to expand in the global economy
- Privacy breach disclosure laws: 40+ US states have such laws; EU Data Privacy

Strong IT / Internal Security Controls
- Customers looking for real-time preventive controls
- Separation of duty
- Strong security in outsourcing and off-shoring environments
- COSO, ITIL, COBIT frameworks

Customer Security Requirements
- Restrict full access of privileged users: restrict access to application data stored in the database; separation of duty controls
- Easily implement environment-based access control: user parameters, network parameters, database parameters
- Applicable to existing and legacy applications: highly transparent
- Minimal performance impact: less than 5%

Oracle Database Security: Solutions for Privacy and Compliance
- Database Vault
- Advanced Security
- Audit Vault
- Configuration Management
- Total Recall
- Secure Backup
- Label Security
- Data Masking

Oracle Database Vault
- Controls on privileged users: restrict highly privileged users from application data; provide Separation of Duty; security for database and information consolidation; reports
- Protection Realms
- Multi-Factor Authorization
- Real-time access controls: control who, when, where and how data is accessed; make decisions based on IP address, time, authentication
- Command Rules
- Separation of Duty

Oracle Database Vault: Realms

[Figure: two realms in one database. The HR DBA administers the HR schema inside the HR Realm; the FIN DBA administers the Fin schema inside the Fin Realm. A generic DBA issuing "select * from HR.emp" is stopped at the HR Realm boundary.]
- Scenario: the database DBA views HR data. Realm benefit: compliance and protection from insiders.
- Scenario: the HR DBA views Fin. data. Realm benefit: eliminates security risks from server consolidation.
- Realms can be easily applied to existing applications with minimal performance impact.

Oracle Database Vault: Transparent Multi-factor Authorization

[Figure: a SELECT against HR by the HR account, evaluated against the client IP address (unexpected IP address); a CREATE against FIN by the FIN DBA, evaluated against business hours.]

Example #1: Protecting application data from privileged users

Screens shown:
- Database Vault Administration Page
- Step 1. Defining a Realm
- Step 2. Adding the Protected Schema

Example #2: Limiting connections from non-application-server IP addresses

Screens shown:
- Limit Access to Specific IP Addresses
- Creating a Command Rule
- List of Allowed IP Addresses
- Connection Blocked from Other IP Addresses
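As an added example (not from the deck and not from the SAP-delivered DBV policy scripts), the two examples above expressed through the Database Vault administration API, DBMS_MACADM: a realm that keeps DBA and SYSDBA accounts out of an application schema, and a CONNECT command rule that lets the application account log in only from the application servers' IP addresses. The schema name APPOWNER, the IP addresses and the realm/rule names are constructed placeholders; the procedures and DBMS_MACUTL constants are the Database Vault 10.2/11g API, and the block is run as the DBV security administrator (SECADMIN in the SAP setup).

```sql
-- Added example: realm plus CONNECT command rule via DBMS_MACADM.
-- APPOWNER, the IP addresses and the object names are constructed placeholders.
BEGIN
  -- Example #1: protect application data from privileged users.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'APP Protection Realm (example)',
    description   => 'Protects the APPOWNER schema from DBA/SYSDBA access',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- audit violations

  -- Every object of every type in the schema is covered by the realm.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'APP Protection Realm (example)',
    object_owner => 'APPOWNER',
    object_name  => '%',
    object_type  => '%');

  -- Only the schema owner is authorised; SELECT ANY TABLE, DBA or SYSDBA
  -- no longer get through (the caller sees ORA-01031).
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'APP Protection Realm (example)',
    grantee       => 'APPOWNER',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);

  -- Example #2: restrict where the application account may connect from.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'APP Client IP Allowed (example)',
    rule_expr => q'[DVF.F$CLIENT_IP IN ('10.0.1.11','10.0.1.12')]');

  -- Every other account is unaffected by the IP restriction.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Not APP Account (example)',
    rule_expr => q'[DVF.F$SESSION_USER <> 'APPOWNER']');

  -- EVAL_ANY: the rule set passes when either rule is true, i.e. the session
  -- is not the application account, or it comes from an allowed address.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'APP Connect From App Servers (example)',
    description     => 'Application account may connect from app servers only',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ANY,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Connection not allowed from this address',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'APP Connect From App Servers (example)',
    rule_name     => 'APP Client IP Allowed (example)');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'APP Connect From App Servers (example)',
    rule_name     => 'Not APP Account (example)');

  -- CONNECT command rule: every logon is evaluated against the rule set.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'APP Connect From App Servers (example)',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

Because a CONNECT command rule is evaluated for every logon, the rule set deliberately passes for every account other than APPOWNER, so a mistake in the IP list cannot lock the security administrator out; the failed attempts still appear in the Database Vault audit reports.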

Database Vault Certification for SAP: Project Details
- Project Overview
- Technical Requirements
- DBV Software and Documentation
- DBV Installation Preparation
- DBV Installation Steps
- DBV Configuration Steps
- DBV Best Practices
- DBV Overview of Changes
- More Advanced Configurations
- Summary


Database Vault Certification for SAP: Project Overview
- December 2007, started: first Database Vault integration and evaluation tests started; Oracle Release 10.2.0.4 Beta, DBV 10.2.0.4 Beta Shiphome; SAP NetWeaver (ABAP+Java) on Linux 32-bit
- May 2008, continued: Oracle Release 10.2.0.4 Beta / DBV 10.2.0.4 Beta Shiphome; SAP NetWeaver (ABAP+Java) on Linux 32-bit and on Windows 32-bit
- August 2008, continued: Oracle Release 10.2.0.4 + DBV 10.2.0.4 (Production); SAP NetWeaver (ABAP+Java) on AIX 64-bit
- August/September 2008 to today: start of the pilot program
- Plan: pilot program with ~5 pilot customers until the end of 2008; 2009: DBV Certification for SAP generally available


Database Vault Certification for SAP: Technical Prerequisites and Requirements
- Oracle Database Release 10.2.0.4
- Oracle database installed and configured according to the joint Oracle/SAP recommendations: database patches (SAP note 1137346), database parameters (SAP note 830576)
- SAP NetWeaver with SAP Kernel Release 7.00+
- SAP BR*Tools Release 7.00 Patchlevel 36+


Database Vault Certification for SAP: DBV Software and Documentation
- Oracle software for RDBMS and Database Vault can be downloaded from SAP Service Marketplace: http://service.sap.com/oracle-download
  - Oracle 10.2.0.4 RDBMS, 10.2.0.4 Patchset, RDBMS Patches
  - DBV 10.2.0.4 Software, DBV Patches
  - DBV scripts
- Documentation about Oracle Database Vault for SAP:
  - SAP note 1241462 (accessible for Pilot customers only)
  - Planned: Oracle whitepaper about SAP on Oracle with DV
  - Oracle documentation (Install Guides, Admin Guide, Release notes, White papers on OTN)


Database Vault Certification for SAP: DBV Installation Preparation Steps

Installation of DBV will affect: the database software (ORACLE_HOME), the database (installation of new db components), and database parameters.
1. Backup ORACLE_HOME and the Oracle Inventory
2. Backup your database (brbackup)
3. Backup your database configuration files (OH/dbs, OH/network/admin): init.ora, sqlnet.ora, tnsnames.ora, listener.ora

DBV Installation Preparation Steps (2)

Preparation steps:
- Create a working directory for the installation (spool output, install logs, software, patches, stages, ...)
- Ensure that all database connections are working as expected: check database connections (as the ora<sid> and <sid>adm users, before DBV is installed); verify the database connection via R3trans -d
- Turn off database auditing (it can be turned on again after the DBV installation)
- Rename the temporary tablespace:
  SQL> ALTER TABLESPACE PSAPTEMP RENAME TO TEMP;

DBV Installation Preparation Steps (3)

Preparation steps: configure Oracle Enterprise Manager DB Control
- EM DB Control is by default not configured in SAP environments
- Prerequisite for the Database Vault Administrator (DVA) GUI; DVA uses the same OC4J configuration as DB Control
- Run the Database Configuration Assistant (DBCA) to install EM DB Control:
  % dbca

DBV Installation Preparation Steps: EM DB Control (DBCA screenshots)

DBV Installation Preparation Steps (4)

Preparation steps: download and extract the Database Vault Policy Scripts for SAP, then run the prerequisite script, which creates the new database accounts before DV is installed:
  sqlplus / as sysdba
  SQL> @dbv_sap_prerequisite_script.sql

DBV Installation Preparation Steps (5)

Last preparation steps:
- Download the Database Vault software from SAP Service Marketplace and extract it to a staging area
- Stop the SAP application
- Shut down the Oracle instance and all Oracle processes running from the ORACLE_HOME


Database Vault Certification for SAP: DBV Installation Steps (1)
- Start runInstaller from the DBV stage (interactive or silent install):
  ./runInstaller
- (Installer screenshots)
- Database Vault Administrator URL: https://<hostname>:1158/dva
- Enterprise Manager Database Control URL: https://<hostname>:1158/em

DBV Installation Steps (2): Post-Installation Steps
- Rename the temporary tablespace back:
  SQL> ALTER TABLESPACE TEMP RENAME TO PSAPTEMP;
- Adapt certain database parameters that were changed during the DBV installation: os_authent_prefix, remote_os_authent
- Start EM DB Control:
  % emctl start dbconsole
- Run the DBV post-install scripts for SAP: post_dbv_install_secadmin.sql, post_dbv_install_secacctmgr.sql
- Log on to DBV Administrator

DBV Installation Steps (3): Log on to DBV Administrator as SECADMIN (screenshots)


Database Vault Certification for SAP: DBV Configuration Steps (1)

Run the DBV configuration scripts for SAP:
  sqlplus /nolog
  SQL> connect SECADMIN/<pwd>
  SQL> spool create_dbv_sap_policies.log
  SQL> @create_dbv_sap_policies.sql
  SQL> spool off

DBV Configuration Steps (2): Run tests
- Basic database connection tests
- SAP application: start/stop
- Database administration tasks: SAP BR*Tools backup/recovery; daily database administration tasks
- SAP administration tasks
- ...


Database Vault Certification for SAP: DBV Best Practices

Configure glogin.sql for sqlplus:
- cd $ORACLE_HOME/sqlplus/admin
- Add the following lines to glogin.sql:
  -- Set SQL prompt
  SET sqlprompt "_user _privilege '@' _connect_identifier> "
- Result:
  sqlplus / as sysdba
  SYS AS SYSDBA @ QO1> connect / as sysoper
  PUBLIC AS SYSOPER @ QO1> connect /
  OPS$ORAQO1 @ QO1>


Database Vault Certification for SAP: Overview of Changes

Installation of DBV changes and affects:
- New software component
- New database components and database users

Overview of changes: new database schemas for Database Vault
- SYSMAN schema (EM Repository)
- DVSYS/DVF schemas (DBV Repository)

New Database Vault accounts
- SECADMIN: DBV Security Administrator, manages the DBV security policy
- SECACCTMGR: DBV Account Manager, creates/drops/alters database users

Overview of changes: new database accounts for SAP
- ABAP_CRED_MGR: account to manage the SAP account password
- SUPPORT_USER: login account for Oracle/SAP Support, locked by default
- EMERGENCY_USER: login account in an emergency / support situation, with the same privileges as SUPPORT_USER

Overview of changes: new database accounts for SAP (continued)
- BR_DBA: DBA account (instead of the Oracle default account SYSTEM); account with DBA privilege for database administration with SAP BR*Tools; replaces the Oracle default DBA account SYSTEM

Database Vault Certification for SAP: Goal

GOAL: protection of SAP application data. The DBA/SYSDBA account can no longer see or access SAP data:
  sqlplus / as SYSDBA
  SQL> select * from SAPSR3.T100;
  ORA-01031: insufficient privileges

Database Vault Certification for SAP: Defined Realms

Default realms
- Oracle Database Vault Account Management
- Oracle Database Vault
- Oracle Data Dictionary
- Oracle Enterprise Manager

SAP realms
- SAP Protection Realm for ABAP Stack
- SAP Protection Realm for Java Stack
- SAP Application Administration Realm for SAP BR*Tools
- SAP Application Credential Protection Realm
- SAP Application Protection Realm for SAP Admin Roles

Database Vault Certification for SAP


Delivered Security Policies


Database Vault Certification for SAP: More Advanced Configurations
- Real Application Clusters (RAC): transparent for DBV
- Data Guard Physical Standby: transparent for DBV
- MCOD: customer input is needed
- 3rd-party application installed: generic guidelines


Database Vault Certification for SAP: Summary, Current Status and Plans
- Initial evaluation tests with DBV and SAP started in December 2007
- Internal integration tests with SAP and DBV still ongoing (2008) during the pilot phase
- Pilot tests started in September 2008


SAP Certification Database Vault Application Protection Matrix

Database Vault with SAP: Delivered Security Policies

Best Practices Overview: Separation of Duty

Database Vault defines three main responsibilities:
- Account Management responsibility
- Security Administration responsibility
- Traditional DBA responsibility

These responsibilities can be further subdivided:
- Security Administration responsibility: Security Administration; Security Reporting
- Traditional DBA responsibility: with rule sets and command rules, it can be subdivided to any required level

Optionally they can be consolidated to:
- Security and Account Management responsibility
- Resource Management responsibility

Separation of Duty Best Practice
- SOD is important for companies big and small
- Have separate accounts: named accounts for database account management; named accounts for database security administration; named accounts for DBAs; create at least two named accounts for each responsibility
- Auditors look for: separate database accounts for different responsibilities; being able to track the actions of each account; less important is the number of people doing the tasks
- Database Vault audit events are protected; reports show any attempted violations

Best Practices for Deploying Database Vault

Main stages and their steps:
- Strategy, Analysis and Design Stage
- Build and Document Stage: recommendations for pre-installation, installation and post-installation; naming convention
- Transition and Production Stages: deployment recommendations

Strategy, Analysis, and Design Stage

Identifying Your Security Requirements: what to protect and who to authorize
- What databases and applications need to be protected? Oracle Applications, partner applications, custom applications
- Who needs to be authorized to access business data? Application owners through middle-tier processes; business users through the application interface
- Who needs to manage the system without accessing business data? Back-end users for backup, patching, tuning and monitoring

Identifying Your Security Requirements: how to implement Separation of Duty
- Who will be setting up new database accounts?
- Who will be running security audit reports?
- Who will be doing security administration of the database? Creating realms and command rules; setting security policies for database user access; authorizing database users to what they are allowed to do
- Who are the alternate accounts for management and security?

Identifying Your Security Requirements: what is the current access structure?
- Who are all the users currently having access? What kind of access do they need?
  - Application owners -> data access
  - Patching DBAs -> temporary access during patching time only
  - Backup DBAs -> predefined time to do backups using predefined tools
  - Tuning DBAs -> ongoing performance monitoring and analysis
  - Developers -> access to development instances only; data masking or scrambling is required
- Create a separation of duty matrix of who will be doing what, when, and how
- Create an Application Protection Matrix

Example Separation of Duty Matrix

Build and Document Stage
- Build your security policies using API scripts
- Document the application security policies with the Separation of Duty Matrix and the Application Protection Matrix
- Document processes and procedures for daily use cases: backup, patching, tuning and monitoring
- Document production database accounts: the responsibilities of each; which should be locked by default; when to use sys or system logins
- Document emergency or "break the glass" scenarios
- Reporting in the production environment: define which reports to run and who runs them; identify the needed frequency for each report; identify the parties these reports need to go to

Transition and Production Stages
- Run a full test of your application
- Monitor performance and tune your rule expressions
- Apply your DBV API scripts to the production environment
- Hand responsibilities to the production support and security groups: hand Security responsibility to the Database Security Admin; hand Account Management to the Database Account Manager; hand Resource Management to the DBAs
- Back up your DBV API scripts on a secure server

Database Vault Performance Numbers
- Performed OLTP tests on all versions of DB Vault: 9.2.0.8, 10.2.0.3, 11.1
- Each test had 6 different measure points:
  1. Vanilla database without DB Vault
  2. DB Vault enabled
  3. Setup realm by itself
  4. Setup command rules without realm
  5. Setup realms and command rules
  6. Setup command rules, realms, plus a CONNECT command rule

Database Vault Performance Numbers: test profile
- 10.2.0.3 and 11.1: hardware profile: Linux 64-bit on an Em64t Dell server, 4 CPUs at 3.40 GHz, 4 GB of RAM. Number of users: 20 dedicated users with multiple connections each, ramping up to over 400 concurrent database connections.
- 9.2.0.8: hardware profile: Sun Solaris 9 SPARC, 64-bit on a Sun4800-6 Sun-Fire server, 8 CPUs, 4 GB of RAM. Number of users: 20 dedicated users with multiple connections each, ramping up to over 400 concurrent database connections.

Database Vault Performance Numbers: results

10.2.0.3 numbers:
- Vanilla database without DB Vault: base
- DB Vault enabled: zero overhead (within the margin of error, 0.25%)
- Setup a realm by itself: 1% overhead
- Setup command rules without realm: 1% overhead or less
- Setup realms and command rules: 1% to 1.5% overhead
- Setup command rules, realms, plus a CONNECT command rule: 1% to 2% overhead

Database Vault Performance Numbers: results (continued)

9.2.0.8 and 11.1 numbers are comparable. This is consistent with the fact that DB Vault 9i is a back port of 11g.

9.2.0.8 and 11.1 numbers:
- Vanilla database without DB Vault: base
- DB Vault enabled: zero overhead (within a margin of error of 0.25%)
- Setup realm by itself: less than 1% overhead
- Setup command rules without realm: 1% overhead or less
- Setup realms and command rules: 1% to 1.5% overhead
- Setup command rules, realms, plus a CONNECT command rule: 1% to 1.5% overhead

Database Vault Performance Numbers: Conclusion and Best Practice
- The numbers are great! There is still room for improvement, and we are working on it.
- Customers deploying DB Vault in production:
  - should apply typical DB tuning if they face performance issues
  - should tune their rule expressions
  - should simplify their security policies
  - performance depends on many factors such as network, hardware and operating system; these need to be tuned as well
  - should budget no extra hardware, or at most an extra 5% of hardware resources, for DB Vault

Database Vault Certification with SAP
- Work has started
- Customer pilot kick-off in June 2008
- Pilot customers should have the following profile: existing production customers with SAP on Oracle database; customers have to be on the 10.2 database; customers have to be on SAP ERP 2005 (SAP 6.1) or higher
- Send your nominations to me: Kamal.Tbeileh@oracle.com

Summary: Learn More
- SAP Service Marketplace site: http://service.sap.com/oracle-download
- Oracle technical information, demos, software: visit OTN: otn.oracle.com -> products -> database -> security and compliance