Technical

Oracle Label Security Part 3: Adding a UI

If you’ve been following along in our series of Oracle Label Security posts (Part 1, Part 2) you should now have a table of ‘documents’ that depending on the users permission will return different sets of documents. In this post we’re going to add a UI so that we can see how Label Security makes application development easier by freeing us from having to worry about security in the application. We won’t actually be doing any database work (that’s been done in the previous posts) and will just focus on getting a simple UI up. You could use any language to build this UI as long as it can connect to the Oracle database (generally through ODBC), which is pretty much of all of them. For this example we are going to build a NodeJs application with a Bootstrap UI. It will be a good demonstration of how to connect NodeJs and the Oracle database together.

The completed application is available on GitHub: https://github.com/Joelith/SecDocNode. Read on to see how it’s built

Continue reading

Technical

Oracle Label Security Part 2: Policy Creation

In the previous post we outlined Oracle Label Security and set it up in our 12c database. Now we are actually going to implement the policy against our table. What we want to produce is a table (let’s call it ‘documents’) that will store sensitive data. That data will either be ‘Top Secret’ or ‘Secret’ and belong to one of a number of groups or compartments (‘Fraud’, ‘Narcotics’ and ‘Terrorism’). We want users to be able to log in and not have to worry about security (nor do we want them to be able to look at documents they don’t have access to). Basically we want every user to be able run ‘SELECT * FROM documents’ and get only the documents they are supposed to see.

I’ve uploaded a script to GistBox that will run all the SQL below. It contains some clean-up before it runs the SQL below, so you can run it as many times as you like. Just modify all the defines at the beginning of the script to match your environment and then run the script in sqlplus with @secdemo

Continue reading

Technical

Oracle Label Security Part 1: Intro

Oracle Label Security is an Oracle Database feature that provides row level security on records within your tables. It’s a way to centralise your data security in a single source – the Oracle Database. Basically it works by allowing you to create labels that are applied to records in your table. When a user queries for data in the database their access to the labels will be checked and only records that match will be returned. The beauty of this is that the user label checking is invisible to the user, it’s all done by the database. For instance the query ‘SELECT * FROM documents’ (assumming documents has a label policy applied) will return different results depending on the permissions of the user. Contrast this to the traditional approach where we would need to add a WHERE clause, eg: SELECT * FROM documents WHERE label=’Secret’;

You might be asking, so what? Adding a WHERE clause isn’t that hard and that’s exactly the point. Adding a WHERE clause is pretty easy, but so is not adding one. If I can get access to your database then I can just ‘SELECT * FROM documents’ and get every document in your system, regardless of permission. But with Label Security, even if I manage to bypass your application, I won’t be able to get any documents beyond those that I have permission for. This is especially important in a post-Snowden world, where we no longer trust our database admins (sorry guys!). With Label Security we can ensure that our DBAs and application developers can still have access to the underlying tables (for maintenance, development etc), but they won’t actually see any data (technically we’d also need to employ Database Vault to ensure that our DBAs don’t just modify the policy or add themselves to it, but that’s a post for another day).

Continue reading