
Oracle Security Enhancement Methods

A. Currently implemented security measures.


1. Database Users and Schemas
- Password expiry period is set to 180 days.
- Password grace period is set to 15 days.
- Number of incorrect login attempts is set to 10 attempts.

2. Database Auditing
All users' actions are being audited and are stored in the database table.

B. Points that can be implemented in the current environment.


1. Database Users and Schemas
- Create a unique username & password for each user.
- Assign only the required roles & privileges to the user.
- Limit the use of disk space allocated to the database for each user, including default and temporary tablespaces and tablespace quotas.
- Create an appropriate Profile and assign it to the users. The following points can be included in the profile:
  - Number of concurrent sessions the user can establish
  - CPU processing time available for the user's session and a single call to Oracle made by a SQL statement
  - Amount of logical I/O available for the user's session and a single call to Oracle made by a SQL statement
  - Amount of idle time available for the user's session
  - Amount of connect time available for the user's session
  - Password restrictions:
    - Account locking after multiple unsuccessful login attempts
    - Password expiration and grace period
    - Password reuse and complexity restrictions

2. Enable Transparent Data Encryption

Transparent data encryption is a key-based access control system that enforces authorization by encrypting data with a key that is kept secret. There can be only one key for each database table that contains encrypted columns, regardless of the number of encrypted columns in a given table. Each table's column encryption key is, in turn, encrypted with the database server's master key. No keys are stored in the database. Instead, they are stored in an Oracle wallet, which is part of the external security module. The downside here is that if we lose the master password, then the data is lost. We will have to create a new database all over again.

3. Authentication Methods

Authentication by the Operating System
Once authenticated by the operating system, users can connect to Oracle more conveniently, without specifying a user name or password. With control over user authentication centralized in the operating system, Oracle need not store or manage user passwords, though it still maintains user names in the database.

Authentication by the Network
Oracle supports the following methods of authentication by the network:
- Third Party-Based Authentication Technologies (such as DCE, Kerberos, or SESAME)
- Public-Key-Infrastructure-Based Authentication
- Remote Authentication (RADIUS)

Authentication of Database Administrators
You can choose between operating system authentication or password files to authenticate database administrators.

4. Fine-Grained Auditing
Fine-grained auditing allows the monitoring of data access based on content. It provides granular auditing of queries, as well as INSERT, UPDATE, and DELETE operations.

5. Restrict Schema Access to Specific IP Address


An AFTER LOGON trigger can be used to lock down access to specific schemas.
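
One way to write such a trigger, as an added example that is not part of the original document. The SEC_ADMIN schema, the LOGON_ALLOWLIST table, the HR_APP account and the IP addresses are hypothetical placeholders.

```sql
-- Added example. SEC_ADMIN, LOGON_ALLOWLIST, HR_APP and the addresses below
-- are constructed placeholders, not values from the original document.

-- Allow-list: a schema that has at least one row here may only log on
-- from the listed addresses. Schemas with no rows are not restricted.
CREATE TABLE sec_admin.logon_allowlist (
  username   VARCHAR2(128) NOT NULL,
  ip_address VARCHAR2(45)  NOT NULL,
  CONSTRAINT logon_allowlist_pk PRIMARY KEY (username, ip_address)
);

INSERT INTO sec_admin.logon_allowlist VALUES ('HR_APP', '192.0.2.10');
INSERT INTO sec_admin.logon_allowlist VALUES ('HR_APP', '192.0.2.11');
COMMIT;

CREATE OR REPLACE TRIGGER sec_admin.restrict_schema_by_ip
AFTER LOGON ON DATABASE
DECLARE
  v_user   VARCHAR2(128) := SYS_CONTEXT('USERENV', 'SESSION_USER');
  -- IP_ADDRESS is NULL for local (non-network) connections.
  v_ip     VARCHAR2(45)  := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  v_listed PLS_INTEGER;
  v_match  PLS_INTEGER;
BEGIN
  -- One pass over the allow-list: is this schema restricted at all,
  -- and does the client address match one of its rows?
  -- A NULL v_ip never matches, so local logons to a restricted schema fail.
  SELECT COUNT(*),
         COUNT(CASE WHEN ip_address = v_ip THEN 1 END)
    INTO v_listed, v_match
    FROM sec_admin.logon_allowlist
   WHERE username = v_user;

  IF v_listed > 0 AND v_match = 0 THEN
    -- Raising an error in an AFTER LOGON trigger rejects the session.
    -- Keep the message generic so it does not disclose the allow-list.
    RAISE_APPLICATION_ERROR(-20001, 'Logon denied for this account from this address.');
  END IF;
END;
/
```

Users holding the ADMINISTER DATABASE TRIGGER privilege (DBAs, for example) can still log on when a logon trigger raises an error, so this control does not cover administrative accounts. Every denied attempt should still be captured by the database auditing described in section A.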
