The need for more sophisticated controls on access to sensitive data is becoming increasingly important as organizations address emerging security requirements around data consolidation, privacy and compliance. There are many examples of data breaches perpetrated with stolen credentials, through SQL injection, or by insiders who are authorized to access the system and its data. A current hot topic in the Danish news is a case in which a popular weekly magazine received sensitive information about famous people from a highly trusted person working for the Nordic provider of payment card transactions. Unfortunately this incident is not unique; it happens far too often. Securing data requires a defense-in-depth approach, and both technical and administrative staff need to be involved in preventing and monitoring unauthorized access to sensitive data.
This blog post discusses an Oracle Database security feature, Fine Grained Auditing (FGA), which, with the right setup, can help discover unauthorized access to confidential data.
With FGA you create audit policies that record when a user views (selects) data from a specific table or table column. Audit records include information about the operation that was audited, the user who performed it, and the time of the operation. A policy can be limited to particular columns and to rows matching a condition, so it records access to the protected data rather than every read of the table: a SELECT that references none of the audited columns, or that touches no row satisfying the condition, produces no record. Audit trail records created by FGA can be captured and analyzed in Oracle Audit Vault and Database Firewall, which can automatically alert the security team about possible malicious activity. Forwarding the records also matters because the trail itself lives inside the database (the DBA_FGA_AUDIT_TRAIL view over SYS.FGA_LOG$), where a privileged insider could purge it.
The following simple example shows how FGA can help monitor unauthorized access to confidential data:
Fine Grained Audit example

1. Create user schema XXBANK:

sqlplus sys/xxx as sysdba

2. Create table XXBANK.TRANSACTIONS and insert some rows:

sqlplus sys/xxx as sysdba
SQL> insert into XXBANK.TRANSACTIONS values (1, to_timestamp('02-APR-2014 10:45', 'DD-MON-YYYY HH24:MI'), 'MC Donalds, Slagelse, DK', '4599123466991234', 'Prins Henrik', 55.50);

3. Create an FGA policy on table XXBANK.TRANSACTIONS:

sqlplus sys/xxx as sysdba

4. Run some SQL queries against the sensitive data:

User APPS is looking at transactions done by members of the royal family:

sqlplus apps/xxx

TRANSACTION_ID TRANSACTION_TIME
5 03-APR-14 08.30.00.000000 AM
7 03-APR-14 04.39.00.000000 PM

SQL> exit

User EMPLOYEE_1 is looking at transactions done by Bubber:

sqlplus employee_1/xxx

Time TRANSACTION_PLACE

SQL> exit

5. Check who has viewed sensitive information in the TRANSACTIONS table:

sqlplus sys/xxx as sysdba

TS DB_USER OS_USER OBJECT_S
01-MAY-2014 08:08 EMPLOYEE_1 oracle XXBANK
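The five steps above carried through as one SQL*Plus script. This is an added example, not the blog's own script: the column names CARD_NUMBER, CARD_HOLDER and AMOUNT, the user passwords, the USERS tablespace, the policy name XXBANK_TRX_VIP_ACCESS and the audit condition are assumptions made here, and the second and third rows are constructed. The comments state, from the way FGA combines AUDIT_COLUMN and AUDIT_CONDITION, which of the queries the policy records.

```sql
-- Added example (not the blog's original script). Assumptions: the column
-- names CARD_NUMBER, CARD_HOLDER and AMOUNT, the passwords, the tablespace
-- USERS, the policy name and the audit condition. Run it as a script in
-- SQL*Plus, starting as SYSDBA; the CONNECT lines switch sessions so that the
-- audited statements really come from ordinary database users.

-- 1. Schema owner plus two ordinary users who are allowed to read the table
CREATE USER xxbank IDENTIFIED BY "Xxbank_2014" QUOTA UNLIMITED ON users;
GRANT CREATE SESSION, CREATE TABLE TO xxbank;
CREATE USER apps       IDENTIFIED BY "Apps_2014";
CREATE USER employee_1 IDENTIFIED BY "Emp1_2014";
GRANT CREATE SESSION TO apps, employee_1;

-- 2. The sensitive table and a few constructed rows
CREATE TABLE xxbank.transactions (
  transaction_id    NUMBER        PRIMARY KEY,
  transaction_time  TIMESTAMP     NOT NULL,
  transaction_place VARCHAR2(100),
  card_number       VARCHAR2(19)  NOT NULL,   -- assumed column name
  card_holder       VARCHAR2(100) NOT NULL,   -- assumed column name
  amount            NUMBER(12,2)  NOT NULL    -- assumed column name
);
-- ISO format avoids depending on NLS_DATE_LANGUAGE for month abbreviations
INSERT INTO xxbank.transactions VALUES
  (1, TO_TIMESTAMP('2014-04-02 10:45', 'YYYY-MM-DD HH24:MI'),
   'MC Donalds, Slagelse, DK', '4599123466991234', 'Prins Henrik', 55.50);
INSERT INTO xxbank.transactions VALUES
  (2, TO_TIMESTAMP('2014-04-03 16:39', 'YYYY-MM-DD HH24:MI'),
   'Netto, Slagelse, DK', '4599123400001111', 'Bubber', 120.00);
INSERT INTO xxbank.transactions VALUES
  (3, TO_TIMESTAMP('2014-04-03 08:30', 'YYYY-MM-DD HH24:MI'),
   'Shell, Roskilde, DK', '4599123499990000', 'Jens Jensen', 410.25);
COMMIT;
GRANT SELECT ON xxbank.transactions TO apps, employee_1;

-- 3. The FGA policy. A SELECT is recorded only when it references at least
--    one column listed in AUDIT_COLUMN (ANY_COLUMNS) and accesses a row for
--    which AUDIT_CONDITION is true. DB_EXTENDED also stores the SQL text and
--    bind values of the audited statement.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema     => 'XXBANK',
    object_name       => 'TRANSACTIONS',
    policy_name       => 'XXBANK_TRX_VIP_ACCESS',
    audit_condition   => 'CARD_HOLDER IN (''Prins Henrik'', ''Bubber'')',
    audit_column      => 'CARD_NUMBER, CARD_HOLDER',
    audit_column_opts => DBMS_FGA.ANY_COLUMNS,
    statement_types   => 'SELECT',
    audit_trail       => DBMS_FGA.DB_EXTENDED,
    enable            => TRUE);
END;
/

-- 4. Queries from the two application users
CONNECT apps/"Apps_2014"
-- Not recorded: neither audited column is referenced.
SELECT transaction_id, transaction_time FROM xxbank.transactions;
-- Not recorded: an audited column is referenced, but the only row accessed
-- does not satisfy the audit condition.
SELECT card_holder, amount FROM xxbank.transactions
 WHERE card_holder = 'Jens Jensen';
-- Recorded: CARD_NUMBER is referenced and the accessed row is Prins Henrik's.
SELECT transaction_time, card_number, amount FROM xxbank.transactions
 WHERE card_holder = 'Prins Henrik';

CONNECT employee_1/"Emp1_2014"
-- Recorded: CARD_NUMBER is referenced and the accessed row is Bubber's.
SELECT transaction_time AS "Time", transaction_place, card_number
  FROM xxbank.transactions
 WHERE card_holder = 'Bubber';

-- 5. Who looked at the protected data? DBA_FGA_AUDIT_TRAIL is a view over
--    SYS.FGA_LOG$, which a DBA can purge, so forward the records (for example
--    to Audit Vault) when the people being audited hold that privilege.
CONNECT sys/xxx AS SYSDBA
SELECT TO_CHAR(t.timestamp, 'DD-MON-YYYY HH24:MI') AS ts,
       t.db_user, t.os_user, t.userhost, t.object_schema, t.object_name,
       t.policy_name, t.sql_text
  FROM dba_fga_audit_trail t
 WHERE t.object_schema = 'XXBANK'
   AND t.object_name   = 'TRANSACTIONS'
 ORDER BY t.timestamp;
```

Records are written when the audited statement completes, so the trail query is run last. If real-time alerting is needed without Audit Vault, DBMS_FGA.ADD_POLICY also accepts HANDLER_SCHEMA and HANDLER_MODULE, naming a PL/SQL procedure the database calls each time the policy fires.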