Oracle 12c New Features 10 – Security

Srinivas Maddali


The following sections describe the new database security features for Oracle Database 12c Release 1 (12.1).

Data Encryption, Hashing and Redaction

The following sections describe the encryption, hashing and redaction features.

Oracle Data Redaction

This new database security feature is part of Oracle Advanced Security and prevents data columns (such as credit card numbers, U.S. Social Security numbers, and other sensitive or regulated data) from being displayed. It is driven by declarative policies that can take into account database session factors and information passed by applications. Sensitive display data can be redacted at runtime on live production systems with minimal disruption to running applications and without altering the actual stored data. Different types of redaction are supported including full, partial, random, and regular expression redaction. You can conceal entire data values or redact only part of the value. The functionality is implemented inside of the database, therefore separate installation is not required.

Support for Secure Hash Algorithm SHA-2 in Oracle Database

Oracle Database 12c support for the SHA-2 algorithm builds upon the existing support for SHA-2 in Oracle Database The expanded support for the SHA-2 algorithm includes the PL/SQL DBMS_CRYPTO package.

Support for the SHA-2 algorithm provides increased security assurance for Oracle Database. In addition, it provides compliance with regulations that may now or in the future require use of the SHA-2 algorithm for hashing of sensitive data.

Database Security Enhancements

The following sections describe database security enhancements.

Auditing Enabled By Default

The new unified auditing architecture can be used in Oracle Database with no changes required to the database initialization parameters. This feature enables audit policies to be created and enabled in the database with no production database downtime, providing flexibility and ease of administration for database auditing.

Code-Based Security

Code-based security enables roles to be associated with PL/SQL packages, functions, and procedures. Associating roles with packages, functions, and procedures provides finer granularity for privileged grants, eliminating the need to grant these roles directly to the runtime users.

Code-based security provides increased security for applications by enabling roles only for the execution scope of the PL/SQL program units without granting them directly to the user. Scoping the grants of roles reduces the database privilege grants to users and helps enforce the security concept of least privilege.

Data Guard Support for Separation of Duty (SoD)

This feature makes it possible to administer a Data Guard configuration without requiring SYSDBA privileges. Administration of Data Guard configurations can be delegated to a class of users who would not be granted SYSDBA privileges.

Enhanced Security of Audit Data

The new unified context-based database audit architecture stores audit records in an insert-only tablespace. This new audit tablespace is created as part of the Oracle database infrastructure. The maintenance of the audit trail records are implemented using the audit trail cleanup package that can only be used by users with the new AUDIT_ADMIN administrator role.

Security and compliance regulations require accurate monitoring and reporting of Oracle database activity. The new insert-only tablespace provides increased assurance that audit records are not modified or deleted after they have been written to the audit trail. Maintenance of the new audit trail is limited to users who have been granted the new AUDIT_ADMIN role. Only users with the new AUDIT_ADMIN role can manage the retention policy of the audit data.

Increased Security When Using SELECT ANY DICTIONARY

The SELECT ANY DICTIONARY privilege no longer permits access to security sensitive data dictionary tables DEFAULT_PWD$, ENC$, LINK$, USER$, USER_HISTORY$, and XS$VERIFIERS.

This change increases the default security of the database by not allowing access to a subset of data dictionary tables through the SELECT ANY DICTIONARY privilege.

Last Login Time Information

The last login time for database users is recorded in the USER$ table and displayed when connecting to the database using Oracle SQL*Plus.

Recording the last login time for database users increases database security by providing security administrators the ability to determine when an account was last used in the database. Displaying the last login time in the Oracle SQL*Plus connection banner provides the SQL*Plus user information on their last account usage.

Oracle Database Vault Mandatory Realms

Oracle Database Vault mandatory realms block both DBA privileges and direct object privilege grants, including the object owner. Traditional Oracle Database Vault realms protect against the common DBA ANY system privileges, preventing privileged users from accessing realm-protected objects using their SELECT ANY privilege. With the mandatory realm, users with direct object privileges, including the object owner, are blocked from accessing realm protected objects as well. As with traditional realms, users who need access are authorized using the realm authorization capability of Oracle Database Vault.

Oracle Database Vault mandatory realms provide increased protection for sensitive application tables that exist within a larger application. Using this feature, application tables that contain highly sensitive information can be placed in a mandatory realm and users with direct object grants will be blocked from accessing data contained in those tables. Mandatory realms can also be used in situations where database administrators, support analysts, or developers need temporary access to an application schema but access to specific application tables needs to be blocked.

Oracle Label Security Metadata Export and Import

Oracle Label Security metadata in the LBACSYS schema can be included when doing a full database export and import operation. The source database can be Oracle Database 11g Release 2 (, or higher. The target database must be Oracle Database 12c Release 1 (12.1) or higher.

Oracle Label Security metadata export and import provides the ability to move Oracle Label Security policies and protected tables between databases.

Password Complexity Check

New databases created using the Oracle Database Configuration Assistant (DBCA) can optionally have a default password complexity check enabled. Password complexity checks increase the security of Oracle databases and the overall enterprise by reducing the potential for new databases to be created without a strong password check enabled.

Privilege Analysis

Privilege analysis, which is available with Oracle Database Vault, enables customers to create a profile for a database user and capture the list of system and object privileges that are being used by this user. The customer can then compare the user's list of used privileges with the list of granted privileges and reduce the list of granted privileges to match the used privileges.

Privilege analysis helps improve the security of applications and operations by identifying unused or excessive privileges. Privileges required by database administrators can easily be identified by analyzing the privileges used while performing common administration activities. Privileges required by applications can be easily identified by running privilege analysis during an application connection to the database.

Resource Role Default Privileges

The UNLIMITED TABLESPACE privilege is no longer the default RESOURCE role starting in Oracle Database 12c. This change increases the default security of the database by eliminating the potential for database users and applications that have been granted the RESOURCE role to exceed their intended resource quotas for tablespaces.

Separation of Duty for Audit Administration

The new unified context-based database audit configuration provides two new roles for managing database auditing. The new AUDIT_ADMIN role provides the ability to create and enable new audit policies and specify the audit record retention policy. The new AUDIT_VIEWER role provides auditors and security administrators the ability to view audit data in the new unified audit trail.

Separation of duty in the new unified context-based database audit architecture provides the ability to selectively assign the users that may create, enable, and delete audit policies while still allowing security team members and managers to review the audit data that has been generated. Database administration can be separated from audit administration, increasing the security of day-to-day operations.

Separation of Duty for Database Administration

Oracle Database provides new roles for database administrative activities such as backup and recovery, high availability, and key management. Providing new roles for common database administration tasks increases the security of the Oracle database by eliminating the need to grant the highly privileged SYSDBA role for common day-to-day operations.

SYSBACKUP Administration Privilege

A new administration privilege, SYSBACKUP, allows Recovery Manager (RMAN) users to connect to the target database and run RMAN commands, no longer requiring SYSDBA.

This feature enforces the separation of duty security model, whereby backup operators only need SYSBACKUP privilege to run RMAN commands and have separate responsibilities from database administrators who need real SYSDBA privileges.

Encryption Key Management Enhancements

The following sections describe encryption key management enhancements.

Updated Key Management Framework 

1.  This feature updates the Oracle Advanced Security Transparent Database Encryption (TDE) key management capabilities with a range of new functionality including:

1.  A common layer for keystore management that enables consistent administration of Oracle keystores for TDE (called wallets in previous releases) and third-party Hardware Security Modules (HSMs).

2.  New key management SQL statements (ADMINISTER KEY MANAGEMENT) that consolidate functionality previously provided in separate Oracle utilities.

3.  New metadata for tracking important attributes of master encryption keys.

4.  New built-in database views for examining keys and their attributes.

5.  A SYSKM database administrative privilege for managing keystores and master encryption keys.

2.  Support for exporting or importing individual keys from the keystore to move them between Oracle databases.

3.  Support for storing TDE keystores directly on Oracle ASM managed disk groups, with no requirement for an additional file system.

4.  The updated key management framework provides a more flexible, secure, and user-friendly key management interface.

5.  Improve Security Manageability, Administration and Integration

Transparent Sensitive Data Protection

Transparent sensitive data protection enables you to protect sensitive data consistently in the database based on a classification type (for example, credit card numbers whose columns use a specific data type). This feature makes it easier to manage database enforced protections around sensitive data as well as enforce additional protections. In addition, you can easily export transparent sensitive data protection policies to other databases. You can use transparent sensitive data protection with Oracle Data Redaction policies.

Transparent sensitive data protection provides the ability to apply protection policies across data classifications inside the Oracle database, reducing the cost and complexity of protecting sensitive data. By applying policies across classification types, the need to apply polices on a column-by-column basis is eliminated.

VPD Fine-Grained Context-Sensitive Policies

Fine-grained context-sensitive policies provide the ability to associate one or more (context,attribute) pairs with a virtual private database (VPD) policy. The VPD policy function gets evaluated only when one of the (context,attribute) pair changes its value.

Fine-grained context sensitive policies provide improved performance for applications using virtual private database.

Protect the Database Server From Outside

The following section describes protecting the database server from outside.

Restricted Service Registration for Oracle RAC

Listeners managed by Oracle Grid Infrastructure can be configured to restrict clients from accessing a database registered with this listener using various conditions, for example, the subnet from which these clients are connecting. Restricting client access to a database makes Oracle RAC even more secure and less vulnerable to security threats and attacks.

Real Application Security

A security infrastructure is needed in the database for application security that understands application users and roles natively along with their access rights and ACLs so that they can be enforced in the database securely and efficiently. With declarative and extensible security policies, customers can build secure applications quickly.

The following sections describe improvements in Real Application Security.

Real Application Security

Real Application Security provides an Oracle database authorization solution for end-to-end application security. It specifies, provisions, and enforces application-level security policies at the database layer, eliminating the task of building custom application logic to handle application users, their authorizations, and security policies on data. A wider range of data-centric security policies and constraints on application users' authorization can be defined inside the Oracle database, providing a consistent and uniform authorization model across applications.

Real Application Security strengthens overall application and data security and ultimately reduces application development time by moving security controls from the application layer to where the data resides in the database. Application users, privileges, roles, grants, and security policies can be defined, provisioned, and enforced at the database layer, enhancing security of the data and application. It reduces custom development of application security by providing security features, such as privilege delegation, role-based constraints, time-based access control, code-based security, multi-level authorization, negative grants, authorization on user interface artifacts, access constraints on relational data, and application users auditing. Enforcement of application security at the database layer increases security for data by enforcing application security logic regardless of the access path to the database.

Security Optimizations

The following sections describe security optimization features.

Unified Context-Based Database Audit Architecture

The Oracle database now supports a single unified audit trail and a new policy syntax that enables named audit policies to be created inside the Oracle database. This powerful new audit implementation supports context-based conditions, limiting when an audit record should be created. In addition, auditing can be specified for specific database roles and a set of users can be listed as exempt from auditing.

Auditing is playing an increasingly important role in security. The new unified audit trail and policy syntax simplifies management of database auditing and provides highly granular controls over when to audit, optimized performance, and flexibility for security and compliance.