SlideShare a Scribd company logo

TechEvent 2019: Oracle PDB Isolation and Security; Stefan Oehrli - Trivadis

Trivadis
Trivadis

Oracle PDB Isolation and Security; Stefan Oehrli - Trivadis TechEvent 2019

Technology
1 of 36
Download to read offline
www.oradba.ch@stefanoehrli PDB Isolation and Security What about security of Oracle multitenant container database (CDB)? Stefan Oehrli
Trivadis – Our key figures TechEvent 2019 - PDB Isolation and Security2 28.08.2019 • Founded in 1994 • 16 Trivadis locations with more than 650 employees • Sales of CHF 111 million (EUR 96 million) • Over 250 Service Level Agreements • More than 4000 training participants • Research and development budget: CHF 5.0 million • More than 1900 projects each year with over 800 customers • Financially independent and sustainably profitable
Stefan Oehrli Platform Architect, Trainer and Partner at Trivadis • Since 1997 active in various IT areas • Since 2008 with Trivadis AG • More than 20 years of experience in Oracle databases Focus: Protecting data and operating databases securely • Security assessments and reviews • Database security concepts and their implementation • Oracle Backup & Recovery concepts and troubleshooting • Oracle Enterprise User Security, Advanced Security, Database Vault, … • Oracle Directory Services Co-author of the book The Oracle DBA (Hanser, 2016/07) www.oradba.ch@stefanoehrli
Agenda 28.08.2019 TechEvent 2019 - PDB Isolation and Security4 • General Database Security • Multitenant Container Database Challenges • Isolation and Security Measures • Outlook and potential enhancements • Summary
General Database Security 28.08.2019 TechEvent 2019 - PDB Isolation and Security5
28.08.2019 TechEvent 2019 - PDB Isolation and Security6 Top 10 Database Risks and Threats • Excessive privileges • Privilege abuse • Unauthorized privilege elevation • Platform vulnerabilities • SQL injection • Weak audit • Denial of service • Database protocol vulnerabilities • Weak authentication • Exposure of backup data
Maximal Data Security Architecture 28.08.2019 TechEvent 2019 - PDB Isolation and Security7
Maximal Data Security Architecture - CDB 28.08.2019 TechEvent 2019 - PDB Isolation and Security8
Multitenant Container Database Challenges 28.08.2019 TechEvent 2019 - PDB Isolation and Security9
Multitenant Container Database Usage How are the multitenant container databases used? • Simple replacement of the classic database (none-CDB) architecture with just one PDB • Database consolidation using multiple PDBs • Private DBAAS • Public DBAAS Infrastructure architecture • Cloud, Hybrid or on-premises? • Dedicated hardware • Virtual environments • Engineered System 28.08.2019 TechEvent 2019 - PDB Isolation and Security10
Multitenant Container Database Usage Security related questions • Comprehensive privileges available in PDBs • Strict security requirements and standards • Industry dependent legal and compliance requirements Corporate structure • All just one legal entity • More or less independent departments • Several companies and subsidiaries • Service provider for different companies Isolation requirements vary 28.08.2019 TechEvent 2019 - PDB Isolation and Security11
But why isolation at all? • Just basic database security is not sufficient. • PDB admin and user do have comprehensive privileges (DBAAS). • Full DBA role • ALTER SYSTEM, ALTER SESSION,… • PL/SQL packages and procedures • Oracle bugs and feature allow to escape the boundaries of a PDB. • Scheduler jobs including OS calls • External table pre-processor scripts • PL/SQL Library calls • Java OS calls • Resource management beyond the scope of PDBs 28.08.2019 TechEvent 2019 - PDB Isolation and Security12
Risks in a DBAAS environment • PDB admin use privilege escalation. • Excessive use of shared resources. • Access sensitive data via shared resources e.g. backup or management LAN. • Break out of PDB and get OS access as oracle. • Gain access to the root container (cdb$root) • Gain access to other PDBs. • Gain access to the network. • Use of critical features like • Administration features • Oracle JVM • DBMS_SCHEDULER • External table pre-processor 28.08.2019 TechEvent 2019 - PDB Isolation and Security13
Isolation and Security Measures 28.08.2019 TechEvent 2019 - PDB Isolation and Security14
Will we cook or why onions? • Measures on several levels are absolutely essential. • Layered structure similar to an onion. E.g. • Secure and correct data • Secure application design • PDB hardening • PDB isolation and security • General CDB architecture • CDB hardening • OS Hardening • Network security • The following functions such as lockdown profiles, path prefix and PDB OS credentials are only part of a holistic approach. 28.08.2019 TechEvent 2019 - PDB Isolation and Security15
Possibilities for risk mitigation A multitenant container database provides the following features beyond regular security measures: • PATH_PREFIX and CREATE_FILE_DEST clause to limit data files and directory objects to certain paths. • PDB_OS_CREDENTIAL parameter assigning a dedicated user account for OS interactions • Lockdown profiles to restrict certain operations or functionalities in a PDBs But what can you do with them...? 28.08.2019 TechEvent 2019 - PDB Isolation and Security16
Managing OS Access • Define a dedicated OS user account for system interactions. • Based on DBMS_CREDENTIAL package and init parameter PDB_OS_CREDENTIAL. • Allows to define dedicated OS credential for: • External jobs that do not yet have an OS credential specified • External table pre-processors • PL/SQL library executions (EXTPROC) • Can be defined globally or per PDB. • Introduced with Oracle 12.2.0.1. As far as theory goes... • ... unfortunately there are still bugs (12g-19c) • … PDB_OS_CREDENTIAL does not work as expected for table pre-processor (DBMS_SCHEDULER fixed since yesterday for 12.2.0.1 RU April 2019) 28.08.2019 TechEvent 2019 - PDB Isolation and Security17
• Set the parameter at CDB level (older version did require a change via pfile) BEGIN dbms_credential.create_credential( credential_name => 'PDBSEC_OS_USER', username => 'orapdbsec', password => 'manager'); END; / ALTER SYSTEM SET pdb_os_credential=GENERIC_PDB_OS_USER SCOPE=SPFILE; Define credentials • Create a credential in the cdb$root for a corresponding OS user • Or individually per PDB ALTER SESSION SET CONTAINER=pdbsec; ALTER SYSTEM SET pdb_os_credential=PDBSEC_OS_USER SCOPE=SPFILE; 28.08.2019 TechEvent 2019 - PDB Isolation and Security18
Manage File Access PATH_PREFIX clause to restrict directory object paths • Set per PDB at creation time. Can not be changed later. • Restrictions and limitations when PATH_PREFIX is used: • Existing directory objects might not work as expected. • PATH_PREFIX string is always added as a prefix to all local directory objects in the PDB. • It does not apply to Oracle-supplied directory objects. • Does not affect files created by Oracle Managed Files. • Does not apply to data files or temporary files. Use CREATE_FILE_DEST CREATE_FILE_DEST clause to restrict directory path for data files or temporary files. • Implicit set DB_CREATE_FILE_DEST. => can be modified / requires lockdown profile • Enable Oracle Managed Files for the PDB. • Specifies the default file system directory or Oracle ASM disk group for PDB files. 28.08.2019 TechEvent 2019 - PDB Isolation and Security19
• Alternatively create a PDB based on a template PDB, dbca etc. • Check current setting of PATH_PREFIX in database_properties CREATE PLUGGABLE DATABASE pdbsec ADMIN USER pdbadmin IDENTIFIED BY LAB01schulung ROLES=(dba) PATH_PREFIX = '/u01/oradata/pdbsec/directories/' CREATE_FILE_DEST = '/u01/oradata/pdbsec/'; ALTER SESSION SET CONTAINER=pdbsec; SELECT * FROM database_properties WHERE property_name='PATH_PREFIX'; PROPERTY_NAME PROPERTY_VALUE DESCRIPTION ------------- ------------------------------- ---------------------- PATH_PREFIX /u01/oradata/PDBSEC/directories All paths for objects such as directories are relative to this Configure File Access • Manually create a PDB based on PDB$SEED 28.08.2019 TechEvent 2019 - PDB Isolation and Security20
• Create an Oracle directory object inside PATH_PREFIX SQL> CREATE DIRECTORY wrong_prefix AS '/tmp/test'; CREATE DIRECTORY wrong_prefix AS '/tmp/test' * ERROR at line 1: ORA-65254: invalid path specified for the directory SQL> CREATE DIRECTORY no_prefix AS 'no_prefix'; Directory created. SQL> SELECT directory_name, directory_path FROM dba_directories 2 WHERE origin_con_id=(SELECT con_id FROM v$pdbs); DIRECTORY_NAME DIRECTORY_PATH --------------- ------------------------------------------ NO_PREFIX /u01/oradata/PDBSEC/directories/no_prefix Verify File Access – PATH_PREFIX • Create an Oracle directory object outside PATH_PREFIX 28.08.2019 TechEvent 2019 - PDB Isolation and Security21
• Create an Oracle tablespace with an absolute path within CREATE_FILE_DEST and with OMF SQL> CREATE TABLESPACE wrong_prefix DATAFILE '/tmp/wrong_prefix.dbf' SIZE 1M; CREATE TABLESPACE wrong_prefix DATAFILE '/tmp/wrong_prefix.dbf' SIZE 1M * ERROR at line 1: ORA-65250: invalid path specified for file - /tmp/wrong_prefix.dbf SQL> CREATE TABLESPACE right_prefix DATAFILE 2 '/u01/oradata/PDBSEC/right_prefix.dbf' SIZE 1M; Tablespace created. SQL> CREATE TABLESPACE no_prefix datafile SIZE 1M; Tablespace created. Verify File Access – CREATE_FILE_DEST • Create an Oracle tablespace with an absolute path outside CREATE_FILE_DEST 28.08.2019 TechEvent 2019 - PDB Isolation and Security22
Lockdown Profiles • Oracle introduced lockdown profiles with 12.1. However, they become interesting only in 12.2 or the better 18c/19c • Lockdown profiles allows to restrict user operation in PDBs in a multitenant container database. • It is possible to assign lockdown profiles to... • ... individual PDBs, if PDB_LOCKDOWN is set while connected to a particular PDB. • ... all PDBs in a CDB, if PDB_LOCKDOWN is set while connected to the CDB root. • … application container, if PDB_LOCKDOWN is set while connected to an application root • The CREATE LOCKDOWN PROFILE statement must be issued from CDB or application root. • Usage of lockdown profiles includes 3 steps: • Create a lockdown profile using CREATE LOCKDOWN PROFILE • Enable / disable user operations using ALTER LOCKDOWN PROFILE • Enable the corresponding lockdown profile using ALTER SYSTEM SET pdb_lockdown= 28.08.2019 TechEvent 2019 - PDB Isolation and Security23
Capabilities of Lockdown Profiles • ALTER LOCKDOWN PROFILE statement allows to enable or disable the following functions : • LOCKDOWN_OPTIONS clause: User operations associated with certain database options. • LOCKDOWN_FEATURES clause: User operations associated with certain database features. • LOCKDOWN_STATEMENTS clause: The issuance of certain SQL statements. • Function can either explicitly be disable or enable. • Combination of ALL and EXCEPT is possible. • Oracle 18c introduced a couple of enhancements for lockdown profiles: • Restrict user operation for ALL, LOCAL or COMMON user. • Create lockdown profiles based existing profiles as static copy or dynamic link. 28.08.2019 TechEvent 2019 - PDB Isolation and Security24
ALTER LOCKDOWN PROFILE sec_default ENABLE OPTION ALL EXCEPT = ('DATABASE QUEUING'); LOCKDOWN_OPTIONS clause • The following database options can be restricted: • DATABASE QUEUING – User operations associated with Oracle Database Advanced Queuing option • PARTITIONING – User operations associated with Oracle Partitioning option • Restriction explicit or with exclusion: • Use ALL to specify all options. • Use ALL EXCEPT to specify all options except the specified options. • Default is ENABLE OPTION ALL. • Enable all options except DATABASE QUEUING 28.08.2019 TechEvent 2019 - PDB Isolation and Security25
ALTER LOCKDOWN PROFILE sec_default DISABLE FEATURE = ('OS_ACCESS'); ALTER LOCKDOWN PROFILE sec_default ENABLE FEATURE = ('TRACE_VIEW_ACCESS'); LOCKDOWN_FEATURES clause • LOCKDOWN_FEATURES clause disable or enable user operations associated with certain database features. • Supports a comprehensive list of database features and feature bundle e.g. AWR_ACCESS, CONNECTIONS, JAVA, JAVA_RUNTIME, NETWORK_ACCESS, OS_ACCESS, etc. • See Oracle documentation ALTER LOCKDOWN PROFILE for a complete list. • Restriction explicit or with exclusion: • Use ALL to specify all features. • Use ALL EXCEPT to specify all features except the specified feature. • Default is ENABLE ALL. • Disable OS_ACCESS but explicitly enable TRACE_VIEW_ACCESS 28.08.2019 TechEvent 2019 - PDB Isolation and Security26
LOCKDOWN_STATEMENTS clause • LOCKDOWN_ STATEMENTS clause disable or enable issuance of certain SQL statements. • Use DISABLE to disable the execution of specified SQL statements. • Use ENABLE to enable the execution of specified SQL statements. • Restriction explicit or with exclusion: • Use ALL to specify all statements. • Use ALL EXCEPT to specify all statements except the specified statements. • Default is ENABLE STATEMENT ALL. • The STATEMENT_CLAUSES lets disable or enable specific clauses of the specified SQL statement. • The OPTION_CLAUSES lets disable or enable setting or modification of specific options. • E.g. disable all ALTER SYSTEM but allow ALTER SYSTEM SET cursor_sharing • Challenging to cover all critical statements, clause and options and not open a security flaw. 28.08.2019 TechEvent 2019 - PDB Isolation and Security27
• Create a new lockdown profile sec_jvm based on sec_default • Enable Java and Java runtime ALTER LOCKDOWN PROFILE sec_default DISABLE STATEMENT = ('ALTER SYSTEM'); ALTER LOCKDOWN PROFILE sec_default ENABLE STATEMENT = ('ALTER SYSTEM') CLAUSE = ('SET') USERS=COMMON; ALTER LOCKDOWN PROFILE sec_default ENABLE STATEMENT = ('ALTER SYSTEM') CLAUSE = ('KILL SESSION'); CREATE LOCKDOWN PROFILE sec_jvm FROM sec_default; ALTER LOCKDOWN PROFILE sec_jvm ENABLE FEATURE = ('JAVA_RUNTIME'); ALTER LOCKDOWN PROFILE sec_jvm ENABLE FEATURE = ('JAVA'); A few more examples • Disable ALTER SYSTEM but allow it for COMMON user and for clause KILL SESSION. 28.08.2019 TechEvent 2019 - PDB Isolation and Security28
Missing parts • PDB isolation is no a replacement for a comprehensive security concept. • Resource management is not covered at all. • TDE, in particular TDE key management requires additional measures • OS specific admin activities are not separated. e.g. Backup & Recover • Although user are distinct by PDB_OS_CREDENTIAL, measures on the OS are still mandatory. => Layered Security • Flaw in PDB isolation if poor lockdown profiles have been defined. 28.08.2019 TechEvent 2019 - PDB Isolation and Security29
Outlook and potential enhancements 28.08.2019 TechEvent 2019 - PDB Isolation and Security30
Outlook and potential enhancements • In short term, waiting for the problems around PDB_OS_CREDENTIAL to be solved is still required. • Bug 25820082 - PDB_OS_CREDENTIAL PARAMETER NOT WORKING => fixed for 12.2.0.1 RU April 2019 since 10. Sept. 2019 • Bug 29926986 - LISTENER SPAWNED EXTPROC FAILS WITH ORA-28575 • Bug 29922316 - EXTPROC FAILS WITH HS: CHILD EXTPROC FINISHED CALLING JSSU! STATUS = -1 WHEN DBMS_CREDENTIAL CONFIGURED • Doc 29938722 - PDB_OS_CREDENTIAL DOCUMENTION NEEDS TO INCLUDE CONFIGURATION REQUIREMENTS AND EXAMPLES • Although the Java challenges are not yet covered by these bugs • Oracle does struggle with similar challenges for their cloud services e.g. Oracle Autonomous Database • Discussions with the Oracle PM for PDBs have shown that solutions are needed and being developed. e.g. Linux CGROUPS, Linux Security Module (LSM) etc. 28.08.2019 TechEvent 2019 - PDB Isolation and Security31
• Reveals a functionality named DB Nest. • Presentations from OOW 2018 have mentioned DB Nest as a security enhancement for Multitenant Databases Parameter Instance Description ----------------------- ----------- -------------------------------- _dbnest_enable NONE dbNest enable _dbnest_pdb_fs_conf PDB Filesystem configuration _dbnest_pdb_fs_type DEFAULT PDB FS Type _dbnest_pdb_scm_conf PDB SCM configuration _dbnest_pdb_scm_level STRICT1 PDB SCM Level _dbnest_stage_dir Staging directory configuration _instance_dbnest_name Instance dbNest Name 28.08.2019 TechEvent 2019 - PDB Isolation and Security32 Oracle DB Nest • A possible hint in Oracle 19c based on a few hidden parameter
Oracle DB Nest The exact functionality can only be guessed at the moment. Control and isolation of... • OS resources used by a PDB • File system isolation per PDB • Secure computing • …? Oracle Open World 2019 is soon ☺ 28.08.2019 TechEvent 2019 - PDB Isolation and Security33
Summary 28.08.2019 TechEvent 2019 - PDB Isolation and Security34
Summary 28.08.2019 TechEvent 2019 - PDB Isolation and Security35 • It is not exclusively a customer challenge. Oracle has to solve similar issues for its cloud products. • Lockdown profiles, PATH_PREFIX, PDB_OS_CREDENTIAL etc. do provide basic functionality to implement PDB Isolation. But… • … there are still a few bugs. • … not all use cases are covered e.g. resource management, java etc. • What used to be true is still true. • Do not install Oracle JVM in security-critical databases! • If it is not absolutely necessary. • The opening of an SR on this topic is simply cumbersome and laborious. • The new functionality DB Nest does look promising. Despite the limitations, these functions offer basic functionalities to make the PDB more secure and to start implementing isolation.
TechEvent 2019: Oracle PDB Isolation and Security; Stefan Oehrli - Trivadis

Recommended

Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!Stefan Oehrli
 
TechEvent 2019: Oracle Databases as Managed Service at AWS, Yes it works!; Al...
TechEvent 2019: Oracle Databases as Managed Service at AWS, Yes it works!; Al...TechEvent 2019: Oracle Databases as Managed Service at AWS, Yes it works!; Al...
TechEvent 2019: Oracle Databases as Managed Service at AWS, Yes it works!; Al...Trivadis
 
IaC MeetUp Active Directory Setup for Oracle Security LAB
IaC MeetUp Active Directory Setup for Oracle Security LABIaC MeetUp Active Directory Setup for Oracle Security LAB
IaC MeetUp Active Directory Setup for Oracle Security LABStefan Oehrli
 
UKOUG TechFest PDB Isolation and Security
UKOUG TechFest PDB Isolation and SecurityUKOUG TechFest PDB Isolation and Security
UKOUG TechFest PDB Isolation and SecurityStefan Oehrli
 
SOUG PDB Security, Isolation and DB Nest 20c
SOUG PDB Security, Isolation and DB Nest 20cSOUG PDB Security, Isolation and DB Nest 20c
SOUG PDB Security, Isolation and DB Nest 20cStefan Oehrli
 
DOAG Oracle Database Vault
DOAG Oracle Database VaultDOAG Oracle Database Vault
DOAG Oracle Database VaultStefan Oehrli
 
Oracle and Docker
Oracle and DockerOracle and Docker
Oracle and DockerStefan Oehrli
 
TechEvent EUS, Kerberos, SSL and OUD
TechEvent EUS, Kerberos, SSL and OUDTechEvent EUS, Kerberos, SSL and OUD
TechEvent EUS, Kerberos, SSL and OUDTrivadis
 

Recommended

Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!Stefan Oehrli
 
TechEvent 2019: Oracle Databases as Managed Service at AWS, Yes it works!; Al...
TechEvent 2019: Oracle Databases as Managed Service at AWS, Yes it works!; Al...TechEvent 2019: Oracle Databases as Managed Service at AWS, Yes it works!; Al...
TechEvent 2019: Oracle Databases as Managed Service at AWS, Yes it works!; Al...Trivadis
 
IaC MeetUp Active Directory Setup for Oracle Security LAB
IaC MeetUp Active Directory Setup for Oracle Security LABIaC MeetUp Active Directory Setup for Oracle Security LAB
IaC MeetUp Active Directory Setup for Oracle Security LABStefan Oehrli
 
UKOUG TechFest PDB Isolation and Security
UKOUG TechFest PDB Isolation and SecurityUKOUG TechFest PDB Isolation and Security
UKOUG TechFest PDB Isolation and SecurityStefan Oehrli
 
SOUG PDB Security, Isolation and DB Nest 20c
SOUG PDB Security, Isolation and DB Nest 20cSOUG PDB Security, Isolation and DB Nest 20c
SOUG PDB Security, Isolation and DB Nest 20cStefan Oehrli
 
DOAG Oracle Database Vault
DOAG Oracle Database VaultDOAG Oracle Database Vault
DOAG Oracle Database VaultStefan Oehrli
 
Oracle and Docker
Oracle and DockerOracle and Docker
Oracle and DockerStefan Oehrli
 
TechEvent EUS, Kerberos, SSL and OUD
TechEvent EUS, Kerberos, SSL and OUDTechEvent EUS, Kerberos, SSL and OUD
TechEvent EUS, Kerberos, SSL and OUDTrivadis
 
AUSOUG Oracle Password Security
AUSOUG Oracle Password SecurityAUSOUG Oracle Password Security
AUSOUG Oracle Password SecurityStefan Oehrli
 
SOUG Day Oracle 21c New Security Features
SOUG Day Oracle 21c New Security FeaturesSOUG Day Oracle 21c New Security Features
SOUG Day Oracle 21c New Security FeaturesStefan Oehrli
 
TechEvent Oracle 18c New Security Features
TechEvent Oracle 18c New Security FeaturesTechEvent Oracle 18c New Security Features
TechEvent Oracle 18c New Security FeaturesTrivadis
 
Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!Stefan Oehrli
 
Postgre sql best_practices
Postgre sql best_practicesPostgre sql best_practices
Postgre sql best_practicesEmiliano Fusaglia
 
MythBusters Globalization Support - Avoid Data Corruption
MythBusters Globalization Support - Avoid Data CorruptionMythBusters Globalization Support - Avoid Data Corruption
MythBusters Globalization Support - Avoid Data CorruptionChristian Gohmann
 
Oracle Cloud deployment with Terraform
Oracle Cloud deployment with TerraformOracle Cloud deployment with Terraform
Oracle Cloud deployment with TerraformStefan Oehrli
 
UKOUG Techfest 2019 Central user Administration of Oracle Databases
UKOUG Techfest 2019 Central user Administration of Oracle DatabasesUKOUG Techfest 2019 Central user Administration of Oracle Databases
UKOUG Techfest 2019 Central user Administration of Oracle DatabasesStefan Oehrli
 
REST in Piece - Administration of an Oracle Cluster/Database using REST
REST in Piece - Administration of an Oracle Cluster/Database using RESTREST in Piece - Administration of an Oracle Cluster/Database using REST
REST in Piece - Administration of an Oracle Cluster/Database using RESTChristian Gohmann
 
Database 12c is ready for you... Are you ready for 12c?
Database 12c is ready for you... Are you ready for 12c?Database 12c is ready for you... Are you ready for 12c?
Database 12c is ready for you... Are you ready for 12c?Performance Tuning Corporation
 
DOAG Oracle Unified Audit in Multitenant Environments
DOAG Oracle Unified Audit in Multitenant EnvironmentsDOAG Oracle Unified Audit in Multitenant Environments
DOAG Oracle Unified Audit in Multitenant EnvironmentsStefan Oehrli
 
Trivadis TechEvent 2017 How modern DBAs can use our efficient Toolbox by Rola...
Trivadis TechEvent 2017 How modern DBAs can use our efficient Toolbox by Rola...Trivadis TechEvent 2017 How modern DBAs can use our efficient Toolbox by Rola...
Trivadis TechEvent 2017 How modern DBAs can use our efficient Toolbox by Rola...Trivadis
 
Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (O...
Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (O...Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (O...
Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (O...Andrejs Prokopjevs
 
SOUG Oracle Unified Audit for Multitenant Databases
SOUG Oracle Unified Audit for Multitenant DatabasesSOUG Oracle Unified Audit for Multitenant Databases
SOUG Oracle Unified Audit for Multitenant DatabasesStefan Oehrli
 
Best Features of Multitenant 12c
Best Features of Multitenant 12cBest Features of Multitenant 12c
Best Features of Multitenant 12cGuatemala User Group
 
Create non-cdb (traditional) oracle database 12c on windows
Create non-cdb (traditional) oracle database 12c on windowsCreate non-cdb (traditional) oracle database 12c on windows
Create non-cdb (traditional) oracle database 12c on windowsBiju Thomas
 
RMOUG 18 - Oracle Database Locking Mechanism Demystified
RMOUG 18 - Oracle Database Locking Mechanism DemystifiedRMOUG 18 - Oracle Database Locking Mechanism Demystified
RMOUG 18 - Oracle Database Locking Mechanism DemystifiedPini Dibask
 
Improve oracle 12c security
Improve oracle 12c securityImprove oracle 12c security
Improve oracle 12c securityLaurent Leturgez
 
MySQL 5.7 in a Nutshell
MySQL 5.7 in a NutshellMySQL 5.7 in a Nutshell
MySQL 5.7 in a NutshellEmily Ikuta
 
OTN Tour 2014: Rac 11g vs 12c
OTN Tour 2014: Rac 11g vs 12cOTN Tour 2014: Rac 11g vs 12c
OTN Tour 2014: Rac 11g vs 12cDeiby Gómez
 
Exploring Oracle Multitenant in Oracle Database 12c
Exploring Oracle Multitenant in Oracle Database 12cExploring Oracle Multitenant in Oracle Database 12c
Exploring Oracle Multitenant in Oracle Database 12cZohar Elkayam
 
Security Multitenant
Security MultitenantSecurity Multitenant
Security MultitenantArush Jain
 

More Related Content

What's hot

AUSOUG Oracle Password Security
AUSOUG Oracle Password SecurityAUSOUG Oracle Password Security
AUSOUG Oracle Password SecurityStefan Oehrli
 
SOUG Day Oracle 21c New Security Features
SOUG Day Oracle 21c New Security FeaturesSOUG Day Oracle 21c New Security Features
SOUG Day Oracle 21c New Security FeaturesStefan Oehrli
 
TechEvent Oracle 18c New Security Features
TechEvent Oracle 18c New Security FeaturesTechEvent Oracle 18c New Security Features
TechEvent Oracle 18c New Security FeaturesTrivadis
 
Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!Stefan Oehrli
 
MythBusters Globalization Support - Avoid Data Corruption
MythBusters Globalization Support - Avoid Data CorruptionMythBusters Globalization Support - Avoid Data Corruption
MythBusters Globalization Support - Avoid Data CorruptionChristian Gohmann
 
Oracle Cloud deployment with Terraform
Oracle Cloud deployment with TerraformOracle Cloud deployment with Terraform
Oracle Cloud deployment with TerraformStefan Oehrli
 
UKOUG Techfest 2019 Central user Administration of Oracle Databases
UKOUG Techfest 2019 Central user Administration of Oracle DatabasesUKOUG Techfest 2019 Central user Administration of Oracle Databases
UKOUG Techfest 2019 Central user Administration of Oracle DatabasesStefan Oehrli
 
REST in Piece - Administration of an Oracle Cluster/Database using REST
REST in Piece - Administration of an Oracle Cluster/Database using RESTREST in Piece - Administration of an Oracle Cluster/Database using REST
REST in Piece - Administration of an Oracle Cluster/Database using RESTChristian Gohmann
 
Database 12c is ready for you... Are you ready for 12c?
Database 12c is ready for you... Are you ready for 12c?Database 12c is ready for you... Are you ready for 12c?
Database 12c is ready for you... Are you ready for 12c?Performance Tuning Corporation
 
DOAG Oracle Unified Audit in Multitenant Environments
DOAG Oracle Unified Audit in Multitenant EnvironmentsDOAG Oracle Unified Audit in Multitenant Environments
DOAG Oracle Unified Audit in Multitenant EnvironmentsStefan Oehrli
 
Trivadis TechEvent 2017 How modern DBAs can use our efficient Toolbox by Rola...
Trivadis TechEvent 2017 How modern DBAs can use our efficient Toolbox by Rola...Trivadis TechEvent 2017 How modern DBAs can use our efficient Toolbox by Rola...
Trivadis TechEvent 2017 How modern DBAs can use our efficient Toolbox by Rola...Trivadis
 
Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (O...
Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (O...Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (O...
Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (O...Andrejs Prokopjevs
 
SOUG Oracle Unified Audit for Multitenant Databases
SOUG Oracle Unified Audit for Multitenant DatabasesSOUG Oracle Unified Audit for Multitenant Databases
SOUG Oracle Unified Audit for Multitenant DatabasesStefan Oehrli
 
Create non-cdb (traditional) oracle database 12c on windows
Create non-cdb (traditional) oracle database 12c on windowsCreate non-cdb (traditional) oracle database 12c on windows
Create non-cdb (traditional) oracle database 12c on windowsBiju Thomas
 
RMOUG 18 - Oracle Database Locking Mechanism Demystified
RMOUG 18 - Oracle Database Locking Mechanism DemystifiedRMOUG 18 - Oracle Database Locking Mechanism Demystified
RMOUG 18 - Oracle Database Locking Mechanism DemystifiedPini Dibask
 
Improve oracle 12c security
Improve oracle 12c securityImprove oracle 12c security
Improve oracle 12c securityLaurent Leturgez
 
MySQL 5.7 in a Nutshell
MySQL 5.7 in a NutshellMySQL 5.7 in a Nutshell
MySQL 5.7 in a NutshellEmily Ikuta
 
OTN Tour 2014: Rac 11g vs 12c
OTN Tour 2014: Rac 11g vs 12cOTN Tour 2014: Rac 11g vs 12c
OTN Tour 2014: Rac 11g vs 12cDeiby Gómez
 

What's hot (20)

AUSOUG Oracle Password Security
AUSOUG Oracle Password SecurityAUSOUG Oracle Password Security
AUSOUG Oracle Password Security
 
SOUG Day Oracle 21c New Security Features
SOUG Day Oracle 21c New Security FeaturesSOUG Day Oracle 21c New Security Features
SOUG Day Oracle 21c New Security Features
 
TechEvent Oracle 18c New Security Features
TechEvent Oracle 18c New Security FeaturesTechEvent Oracle 18c New Security Features
TechEvent Oracle 18c New Security Features
 
Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!Security Best Practice: Oracle passwords, but secure!
Security Best Practice: Oracle passwords, but secure!
 
Postgre sql best_practices
Postgre sql best_practicesPostgre sql best_practices
Postgre sql best_practices
 
MythBusters Globalization Support - Avoid Data Corruption
MythBusters Globalization Support - Avoid Data CorruptionMythBusters Globalization Support - Avoid Data Corruption
MythBusters Globalization Support - Avoid Data Corruption
 
Oracle Cloud deployment with Terraform
Oracle Cloud deployment with TerraformOracle Cloud deployment with Terraform
Oracle Cloud deployment with Terraform
 
UKOUG Techfest 2019 Central user Administration of Oracle Databases
UKOUG Techfest 2019 Central user Administration of Oracle DatabasesUKOUG Techfest 2019 Central user Administration of Oracle Databases
UKOUG Techfest 2019 Central user Administration of Oracle Databases
 
REST in Piece - Administration of an Oracle Cluster/Database using REST
REST in Piece - Administration of an Oracle Cluster/Database using RESTREST in Piece - Administration of an Oracle Cluster/Database using REST
REST in Piece - Administration of an Oracle Cluster/Database using REST
 
Database 12c is ready for you... Are you ready for 12c?
Database 12c is ready for you... Are you ready for 12c?Database 12c is ready for you... Are you ready for 12c?
Database 12c is ready for you... Are you ready for 12c?
 
DOAG Oracle Unified Audit in Multitenant Environments
DOAG Oracle Unified Audit in Multitenant EnvironmentsDOAG Oracle Unified Audit in Multitenant Environments
DOAG Oracle Unified Audit in Multitenant Environments
 
Trivadis TechEvent 2017 How modern DBAs can use our efficient Toolbox by Rola...
Trivadis TechEvent 2017 How modern DBAs can use our efficient Toolbox by Rola...Trivadis TechEvent 2017 How modern DBAs can use our efficient Toolbox by Rola...
Trivadis TechEvent 2017 How modern DBAs can use our efficient Toolbox by Rola...
 
Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (O...
Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (O...Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (O...
Oracle Unified Directory. Lessons learnt. Is it ready for a move from OID? (O...
 
SOUG Oracle Unified Audit for Multitenant Databases
SOUG Oracle Unified Audit for Multitenant DatabasesSOUG Oracle Unified Audit for Multitenant Databases
SOUG Oracle Unified Audit for Multitenant Databases
 
Best Features of Multitenant 12c
Best Features of Multitenant 12cBest Features of Multitenant 12c
Best Features of Multitenant 12c
 
Create non-cdb (traditional) oracle database 12c on windows
Create non-cdb (traditional) oracle database 12c on windowsCreate non-cdb (traditional) oracle database 12c on windows
Create non-cdb (traditional) oracle database 12c on windows
 
RMOUG 18 - Oracle Database Locking Mechanism Demystified
RMOUG 18 - Oracle Database Locking Mechanism DemystifiedRMOUG 18 - Oracle Database Locking Mechanism Demystified
RMOUG 18 - Oracle Database Locking Mechanism Demystified
 
Improve oracle 12c security
Improve oracle 12c securityImprove oracle 12c security
Improve oracle 12c security
 
MySQL 5.7 in a Nutshell
MySQL 5.7 in a NutshellMySQL 5.7 in a Nutshell
MySQL 5.7 in a Nutshell
 
OTN Tour 2014: Rac 11g vs 12c
OTN Tour 2014: Rac 11g vs 12cOTN Tour 2014: Rac 11g vs 12c
OTN Tour 2014: Rac 11g vs 12c
 

Similar to TechEvent 2019: Oracle PDB Isolation and Security; Stefan Oehrli - Trivadis

Exploring Oracle Multitenant in Oracle Database 12c
Exploring Oracle Multitenant in Oracle Database 12cExploring Oracle Multitenant in Oracle Database 12c
Exploring Oracle Multitenant in Oracle Database 12cZohar Elkayam
 
Security Multitenant
Security MultitenantSecurity Multitenant
Security MultitenantArush Jain
 
Exploring Oracle Database 12c Multitenant best practices for your Cloud
Exploring Oracle Database 12c Multitenant best practices for your CloudExploring Oracle Database 12c Multitenant best practices for your Cloud
Exploring Oracle Database 12c Multitenant best practices for your Clouddyahalom
 
TechEvent 2019: DB, CMU and EUS engineering with vagrant; Stefan Oehrli - Tri...
TechEvent 2019: DB, CMU and EUS engineering with vagrant; Stefan Oehrli - Tri...TechEvent 2019: DB, CMU and EUS engineering with vagrant; Stefan Oehrli - Tri...
TechEvent 2019: DB, CMU and EUS engineering with vagrant; Stefan Oehrli - Tri...Trivadis
 
Oracle 12c PDB insights
Oracle 12c PDB insightsOracle 12c PDB insights
Oracle 12c PDB insightsKirill Loifman
 
Gloc gangler 2018._v4
Gloc gangler 2018._v4Gloc gangler 2018._v4
Gloc gangler 2018._v4Secure-24
 
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...Alex Gorbachev
 
Introduction to firebidSQL 3.x
Introduction to firebidSQL 3.xIntroduction to firebidSQL 3.x
Introduction to firebidSQL 3.xFabio Codebue
 
Oracle database 12c introduction- Satyendra Pasalapudi
Oracle database 12c introduction- Satyendra PasalapudiOracle database 12c introduction- Satyendra Pasalapudi
Oracle database 12c introduction- Satyendra Pasalapudipasalapudi123
 
Simplify Consolidation with Oracle Pluggable Databases
Simplify Consolidation with Oracle Pluggable DatabasesSimplify Consolidation with Oracle Pluggable Databases
Simplify Consolidation with Oracle Pluggable Databasesomnidba
 
Winning performance challenges in oracle multitenant
Winning performance challenges in oracle multitenantWinning performance challenges in oracle multitenant
Winning performance challenges in oracle multitenantPini Dibask
 
RMOUG 18 - Winning Performance Challenges in Oracle Multitenant
RMOUG 18 - Winning Performance Challenges in Oracle MultitenantRMOUG 18 - Winning Performance Challenges in Oracle Multitenant
RMOUG 18 - Winning Performance Challenges in Oracle MultitenantPini Dibask
 
OpenProdoc Overview
OpenProdoc OverviewOpenProdoc Overview
OpenProdoc Overviewjhierrot
 
Plugging in oracle database 12c pluggable databases
Plugging in oracle database 12c pluggable databasesPlugging in oracle database 12c pluggable databases
Plugging in oracle database 12c pluggable databasesKellyn Pot'Vin-Gorman
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot
 
OOW 17 - database consolidation using the oracle multitenant architecture
OOW 17 - database consolidation using the oracle multitenant architectureOOW 17 - database consolidation using the oracle multitenant architecture
OOW 17 - database consolidation using the oracle multitenant architecturePini Dibask
 
Winning Performance Challenges in Oracle Multitenant
Winning Performance Challenges in Oracle MultitenantWinning Performance Challenges in Oracle Multitenant
Winning Performance Challenges in Oracle MultitenantPini Dibask
 

Similar to TechEvent 2019: Oracle PDB Isolation and Security; Stefan Oehrli - Trivadis (20)

Exploring Oracle Multitenant in Oracle Database 12c
Exploring Oracle Multitenant in Oracle Database 12cExploring Oracle Multitenant in Oracle Database 12c
Exploring Oracle Multitenant in Oracle Database 12c
 
Security Multitenant
Security MultitenantSecurity Multitenant
Security Multitenant
 
Exploring Oracle Database 12c Multitenant best practices for your Cloud
Exploring Oracle Database 12c Multitenant best practices for your CloudExploring Oracle Database 12c Multitenant best practices for your Cloud
Exploring Oracle Database 12c Multitenant best practices for your Cloud
 
TechEvent 2019: DB, CMU and EUS engineering with vagrant; Stefan Oehrli - Tri...
TechEvent 2019: DB, CMU and EUS engineering with vagrant; Stefan Oehrli - Tri...TechEvent 2019: DB, CMU and EUS engineering with vagrant; Stefan Oehrli - Tri...
TechEvent 2019: DB, CMU and EUS engineering with vagrant; Stefan Oehrli - Tri...
 
Oracle 12c PDB insights
Oracle 12c PDB insightsOracle 12c PDB insights
Oracle 12c PDB insights
 
Gloc gangler 2018._v4
Gloc gangler 2018._v4Gloc gangler 2018._v4
Gloc gangler 2018._v4
 
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
Under The Hood of Pluggable Databases by Alex Gorbachev, Pythian, Oracle OpeW...
 
Introduction to firebidSQL 3.x
Introduction to firebidSQL 3.xIntroduction to firebidSQL 3.x
Introduction to firebidSQL 3.x
 
Oracle database 12c introduction- Satyendra Pasalapudi
Oracle database 12c introduction- Satyendra PasalapudiOracle database 12c introduction- Satyendra Pasalapudi
Oracle database 12c introduction- Satyendra Pasalapudi
 
Simplify Consolidation with Oracle Pluggable Databases
Simplify Consolidation with Oracle Pluggable DatabasesSimplify Consolidation with Oracle Pluggable Databases
Simplify Consolidation with Oracle Pluggable Databases
 
Winning performance challenges in oracle multitenant
Winning performance challenges in oracle multitenantWinning performance challenges in oracle multitenant
Winning performance challenges in oracle multitenant
 
RMOUG 18 - Winning Performance Challenges in Oracle Multitenant
RMOUG 18 - Winning Performance Challenges in Oracle MultitenantRMOUG 18 - Winning Performance Challenges in Oracle Multitenant
RMOUG 18 - Winning Performance Challenges in Oracle Multitenant
 
OpenProdoc Overview
OpenProdoc OverviewOpenProdoc Overview
OpenProdoc Overview
 
2020 - OCI Key Concepts for Oracle DBAs
2020 - OCI Key Concepts for Oracle DBAs2020 - OCI Key Concepts for Oracle DBAs
2020 - OCI Key Concepts for Oracle DBAs
 
Plugging in oracle database 12c pluggable databases
Plugging in oracle database 12c pluggable databasesPlugging in oracle database 12c pluggable databases
Plugging in oracle database 12c pluggable databases
 
Presentation day1oracle 12c
Presentation day1oracle 12cPresentation day1oracle 12c
Presentation day1oracle 12c
 
Oracle 12c - Multitenant Feature
Oracle 12c - Multitenant FeatureOracle 12c - Multitenant Feature
Oracle 12c - Multitenant Feature
 
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQLKangaroot EDB Webinar Best Practices in Security with PostgreSQL
Kangaroot EDB Webinar Best Practices in Security with PostgreSQL
 
OOW 17 - database consolidation using the oracle multitenant architecture
OOW 17 - database consolidation using the oracle multitenant architectureOOW 17 - database consolidation using the oracle multitenant architecture
OOW 17 - database consolidation using the oracle multitenant architecture
 
Winning Performance Challenges in Oracle Multitenant
Winning Performance Challenges in Oracle MultitenantWinning Performance Challenges in Oracle Multitenant
Winning Performance Challenges in Oracle Multitenant
 

More from Trivadis

Azure Days 2019: Azure Chatbot Development for Airline Irregularities (Remco ...
Azure Days 2019: Azure Chatbot Development for Airline Irregularities (Remco ...Azure Days 2019: Azure Chatbot Development for Airline Irregularities (Remco ...
Azure Days 2019: Azure Chatbot Development for Airline Irregularities (Remco ...Trivadis
 
Azure Days 2019: Trivadis Azure Foundation – Das Fundament für den ... (Nisan...
Azure Days 2019: Trivadis Azure Foundation – Das Fundament für den ... (Nisan...Azure Days 2019: Trivadis Azure Foundation – Das Fundament für den ... (Nisan...
Azure Days 2019: Trivadis Azure Foundation – Das Fundament für den ... (Nisan...Trivadis
 
Azure Days 2019: Business Intelligence auf Azure (Marco Amhof & Yves Mauron)
Azure Days 2019: Business Intelligence auf Azure (Marco Amhof & Yves Mauron)Azure Days 2019: Business Intelligence auf Azure (Marco Amhof & Yves Mauron)
Azure Days 2019: Business Intelligence auf Azure (Marco Amhof & Yves Mauron)Trivadis
 
Azure Days 2019: Master the Move to Azure (Konrad Brunner)
Azure Days 2019: Master the Move to Azure (Konrad Brunner)Azure Days 2019: Master the Move to Azure (Konrad Brunner)
Azure Days 2019: Master the Move to Azure (Konrad Brunner)Trivadis
 
Azure Days 2019: Keynote Azure Switzerland – Status Quo und Ausblick (Primo A...
Azure Days 2019: Keynote Azure Switzerland – Status Quo und Ausblick (Primo A...Azure Days 2019: Keynote Azure Switzerland – Status Quo und Ausblick (Primo A...
Azure Days 2019: Keynote Azure Switzerland – Status Quo und Ausblick (Primo A...Trivadis
 
Azure Days 2019: Grösser und Komplexer ist nicht immer besser (Meinrad Weiss)
Azure Days 2019: Grösser und Komplexer ist nicht immer besser (Meinrad Weiss)Azure Days 2019: Grösser und Komplexer ist nicht immer besser (Meinrad Weiss)
Azure Days 2019: Grösser und Komplexer ist nicht immer besser (Meinrad Weiss)Trivadis
 
Azure Days 2019: Get Connected with Azure API Management (Gerry Keune & Stefa...
Azure Days 2019: Get Connected with Azure API Management (Gerry Keune & Stefa...Azure Days 2019: Get Connected with Azure API Management (Gerry Keune & Stefa...
Azure Days 2019: Get Connected with Azure API Management (Gerry Keune & Stefa...Trivadis
 
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...Trivadis
 
Azure Days 2019: Wie bringt man eine Data Analytics Plattform in die Cloud? (...
Azure Days 2019: Wie bringt man eine Data Analytics Plattform in die Cloud? (...Azure Days 2019: Wie bringt man eine Data Analytics Plattform in die Cloud? (...
Azure Days 2019: Wie bringt man eine Data Analytics Plattform in die Cloud? (...Trivadis
 
Azure Days 2019: Azure@Helsana: Die Erweiterung von Dynamics CRM mit Azure Po...
Azure Days 2019: Azure@Helsana: Die Erweiterung von Dynamics CRM mit Azure Po...Azure Days 2019: Azure@Helsana: Die Erweiterung von Dynamics CRM mit Azure Po...
Azure Days 2019: Azure@Helsana: Die Erweiterung von Dynamics CRM mit Azure Po...Trivadis
 
TechEvent 2019: Kundenstory - Kein Angebot, kein Auftrag – Wie Du ein individ...
TechEvent 2019: Kundenstory - Kein Angebot, kein Auftrag – Wie Du ein individ...TechEvent 2019: Kundenstory - Kein Angebot, kein Auftrag – Wie Du ein individ...
TechEvent 2019: Kundenstory - Kein Angebot, kein Auftrag – Wie Du ein individ...Trivadis
 
TechEvent 2019: Oracle Database Appliance M/L - Erfahrungen und Erfolgsmethod...
TechEvent 2019: Oracle Database Appliance M/L - Erfahrungen und Erfolgsmethod...TechEvent 2019: Oracle Database Appliance M/L - Erfahrungen und Erfolgsmethod...
TechEvent 2019: Oracle Database Appliance M/L - Erfahrungen und Erfolgsmethod...Trivadis
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTrivadis
 
TechEvent 2019: Trivadis & Swisscom Partner Angebote; Konrad Häfeli, Markus O...
TechEvent 2019: Trivadis & Swisscom Partner Angebote; Konrad Häfeli, Markus O...TechEvent 2019: Trivadis & Swisscom Partner Angebote; Konrad Häfeli, Markus O...
TechEvent 2019: Trivadis & Swisscom Partner Angebote; Konrad Häfeli, Markus O...Trivadis
 
TechEvent 2019: DBaaS from Swisscom Cloud powered by Trivadis; Konrad Häfeli ...
TechEvent 2019: DBaaS from Swisscom Cloud powered by Trivadis; Konrad Häfeli ...TechEvent 2019: DBaaS from Swisscom Cloud powered by Trivadis; Konrad Häfeli ...
TechEvent 2019: DBaaS from Swisscom Cloud powered by Trivadis; Konrad Häfeli ...Trivadis
 
TechEvent 2019: Status of the partnership Trivadis and EDB - Comparing Postgr...
TechEvent 2019: Status of the partnership Trivadis and EDB - Comparing Postgr...TechEvent 2019: Status of the partnership Trivadis and EDB - Comparing Postgr...
TechEvent 2019: Status of the partnership Trivadis and EDB - Comparing Postgr...Trivadis
 
TechEvent 2019: More Agile, More AI, More Cloud! Less Work?!; Oliver Dörr - T...
TechEvent 2019: More Agile, More AI, More Cloud! Less Work?!; Oliver Dörr - T...TechEvent 2019: More Agile, More AI, More Cloud! Less Work?!; Oliver Dörr - T...
TechEvent 2019: More Agile, More AI, More Cloud! Less Work?!; Oliver Dörr - T...Trivadis
 
TechEvent 2019: Kundenstory - Vom Hauptmann zu Köpenick zum Polizisten 2020 -...
TechEvent 2019: Kundenstory - Vom Hauptmann zu Köpenick zum Polizisten 2020 -...TechEvent 2019: Kundenstory - Vom Hauptmann zu Köpenick zum Polizisten 2020 -...
TechEvent 2019: Kundenstory - Vom Hauptmann zu Köpenick zum Polizisten 2020 -...Trivadis
 
TechEvent 2019: Vom Rechenzentrum in die Oracle Cloud - Übertragungsmethoden;...
TechEvent 2019: Vom Rechenzentrum in die Oracle Cloud - Übertragungsmethoden;...TechEvent 2019: Vom Rechenzentrum in die Oracle Cloud - Übertragungsmethoden;...
TechEvent 2019: Vom Rechenzentrum in die Oracle Cloud - Übertragungsmethoden;...Trivadis
 
TechEvent 2019: The sleeping Power of Data; Eberhard Lösch - Trivadis
TechEvent 2019: The sleeping Power of Data; Eberhard Lösch - TrivadisTechEvent 2019: The sleeping Power of Data; Eberhard Lösch - Trivadis
TechEvent 2019: The sleeping Power of Data; Eberhard Lösch - TrivadisTrivadis
 

More from Trivadis (20)

Azure Days 2019: Azure Chatbot Development for Airline Irregularities (Remco ...
Azure Days 2019: Azure Chatbot Development for Airline Irregularities (Remco ...Azure Days 2019: Azure Chatbot Development for Airline Irregularities (Remco ...
Azure Days 2019: Azure Chatbot Development for Airline Irregularities (Remco ...
 
Azure Days 2019: Trivadis Azure Foundation – Das Fundament für den ... (Nisan...
Azure Days 2019: Trivadis Azure Foundation – Das Fundament für den ... (Nisan...Azure Days 2019: Trivadis Azure Foundation – Das Fundament für den ... (Nisan...
Azure Days 2019: Trivadis Azure Foundation – Das Fundament für den ... (Nisan...
 
Azure Days 2019: Business Intelligence auf Azure (Marco Amhof & Yves Mauron)
Azure Days 2019: Business Intelligence auf Azure (Marco Amhof & Yves Mauron)Azure Days 2019: Business Intelligence auf Azure (Marco Amhof & Yves Mauron)
Azure Days 2019: Business Intelligence auf Azure (Marco Amhof & Yves Mauron)
 
Azure Days 2019: Master the Move to Azure (Konrad Brunner)
Azure Days 2019: Master the Move to Azure (Konrad Brunner)Azure Days 2019: Master the Move to Azure (Konrad Brunner)
Azure Days 2019: Master the Move to Azure (Konrad Brunner)
 
Azure Days 2019: Keynote Azure Switzerland – Status Quo und Ausblick (Primo A...
Azure Days 2019: Keynote Azure Switzerland – Status Quo und Ausblick (Primo A...Azure Days 2019: Keynote Azure Switzerland – Status Quo und Ausblick (Primo A...
Azure Days 2019: Keynote Azure Switzerland – Status Quo und Ausblick (Primo A...
 
Azure Days 2019: Grösser und Komplexer ist nicht immer besser (Meinrad Weiss)
Azure Days 2019: Grösser und Komplexer ist nicht immer besser (Meinrad Weiss)Azure Days 2019: Grösser und Komplexer ist nicht immer besser (Meinrad Weiss)
Azure Days 2019: Grösser und Komplexer ist nicht immer besser (Meinrad Weiss)
 
Azure Days 2019: Get Connected with Azure API Management (Gerry Keune & Stefa...
Azure Days 2019: Get Connected with Azure API Management (Gerry Keune & Stefa...Azure Days 2019: Get Connected with Azure API Management (Gerry Keune & Stefa...
Azure Days 2019: Get Connected with Azure API Management (Gerry Keune & Stefa...
 
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
Azure Days 2019: Infrastructure as Code auf Azure (Jonas Wanninger & Daniel H...
 
Azure Days 2019: Wie bringt man eine Data Analytics Plattform in die Cloud? (...
Azure Days 2019: Wie bringt man eine Data Analytics Plattform in die Cloud? (...Azure Days 2019: Wie bringt man eine Data Analytics Plattform in die Cloud? (...
Azure Days 2019: Wie bringt man eine Data Analytics Plattform in die Cloud? (...
 
Azure Days 2019: Azure@Helsana: Die Erweiterung von Dynamics CRM mit Azure Po...
Azure Days 2019: Azure@Helsana: Die Erweiterung von Dynamics CRM mit Azure Po...Azure Days 2019: Azure@Helsana: Die Erweiterung von Dynamics CRM mit Azure Po...
Azure Days 2019: Azure@Helsana: Die Erweiterung von Dynamics CRM mit Azure Po...
 
TechEvent 2019: Kundenstory - Kein Angebot, kein Auftrag – Wie Du ein individ...
TechEvent 2019: Kundenstory - Kein Angebot, kein Auftrag – Wie Du ein individ...TechEvent 2019: Kundenstory - Kein Angebot, kein Auftrag – Wie Du ein individ...
TechEvent 2019: Kundenstory - Kein Angebot, kein Auftrag – Wie Du ein individ...
 
TechEvent 2019: Oracle Database Appliance M/L - Erfahrungen und Erfolgsmethod...
TechEvent 2019: Oracle Database Appliance M/L - Erfahrungen und Erfolgsmethod...TechEvent 2019: Oracle Database Appliance M/L - Erfahrungen und Erfolgsmethod...
TechEvent 2019: Oracle Database Appliance M/L - Erfahrungen und Erfolgsmethod...
 
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - TrivadisTechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
TechEvent 2019: Security 101 für Web Entwickler; Roland Krüger - Trivadis
 
TechEvent 2019: Trivadis & Swisscom Partner Angebote; Konrad Häfeli, Markus O...
TechEvent 2019: Trivadis & Swisscom Partner Angebote; Konrad Häfeli, Markus O...TechEvent 2019: Trivadis & Swisscom Partner Angebote; Konrad Häfeli, Markus O...
TechEvent 2019: Trivadis & Swisscom Partner Angebote; Konrad Häfeli, Markus O...
 
TechEvent 2019: DBaaS from Swisscom Cloud powered by Trivadis; Konrad Häfeli ...
TechEvent 2019: DBaaS from Swisscom Cloud powered by Trivadis; Konrad Häfeli ...TechEvent 2019: DBaaS from Swisscom Cloud powered by Trivadis; Konrad Häfeli ...
TechEvent 2019: DBaaS from Swisscom Cloud powered by Trivadis; Konrad Häfeli ...
 
TechEvent 2019: Status of the partnership Trivadis and EDB - Comparing Postgr...
TechEvent 2019: Status of the partnership Trivadis and EDB - Comparing Postgr...TechEvent 2019: Status of the partnership Trivadis and EDB - Comparing Postgr...
TechEvent 2019: Status of the partnership Trivadis and EDB - Comparing Postgr...
 
TechEvent 2019: More Agile, More AI, More Cloud! Less Work?!; Oliver Dörr - T...
TechEvent 2019: More Agile, More AI, More Cloud! Less Work?!; Oliver Dörr - T...TechEvent 2019: More Agile, More AI, More Cloud! Less Work?!; Oliver Dörr - T...
TechEvent 2019: More Agile, More AI, More Cloud! Less Work?!; Oliver Dörr - T...
 
TechEvent 2019: Kundenstory - Vom Hauptmann zu Köpenick zum Polizisten 2020 -...
TechEvent 2019: Kundenstory - Vom Hauptmann zu Köpenick zum Polizisten 2020 -...TechEvent 2019: Kundenstory - Vom Hauptmann zu Köpenick zum Polizisten 2020 -...
TechEvent 2019: Kundenstory - Vom Hauptmann zu Köpenick zum Polizisten 2020 -...
 
TechEvent 2019: Vom Rechenzentrum in die Oracle Cloud - Übertragungsmethoden;...
TechEvent 2019: Vom Rechenzentrum in die Oracle Cloud - Übertragungsmethoden;...TechEvent 2019: Vom Rechenzentrum in die Oracle Cloud - Übertragungsmethoden;...
TechEvent 2019: Vom Rechenzentrum in die Oracle Cloud - Übertragungsmethoden;...
 
TechEvent 2019: The sleeping Power of Data; Eberhard Lösch - Trivadis
TechEvent 2019: The sleeping Power of Data; Eberhard Lösch - TrivadisTechEvent 2019: The sleeping Power of Data; Eberhard Lösch - Trivadis
TechEvent 2019: The sleeping Power of Data; Eberhard Lösch - Trivadis
 

Recently uploaded

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

TechEvent 2019: Oracle PDB Isolation and Security; Stefan Oehrli - Trivadis

  • 1. www.oradba.ch@stefanoehrli PDB Isolation and Security What about security of Oracle multitenant container database (CDB)? Stefan Oehrli
  • 2. Trivadis – Our key figures TechEvent 2019 - PDB Isolation and Security2 28.08.2019 • Founded in 1994 • 16 Trivadis locations with more than 650 employees • Sales of CHF 111 million (EUR 96 million) • Over 250 Service Level Agreements • More than 4000 training participants • Research and development budget: CHF 5.0 million • More than 1900 projects each year with over 800 customers • Financially independent and sustainably profitable
  • 3. Stefan Oehrli Platform Architect, Trainer and Partner at Trivadis • Since 1997 active in various IT areas • Since 2008 with Trivadis AG • More than 20 years of experience in Oracle databases Focus: Protecting data and operating databases securely • Security assessments and reviews • Database security concepts and their implementation • Oracle Backup & Recovery concepts and troubleshooting • Oracle Enterprise User Security, Advanced Security, Database Vault, … • Oracle Directory Services Co-author of the book The Oracle DBA (Hanser, 2016/07) www.oradba.ch@stefanoehrli
  • 4. Agenda 28.08.2019 TechEvent 2019 - PDB Isolation and Security4 • General Database Security • Multitenant Container Database Challenges • Isolation and Security Measures • Outlook and potential enhancements • Summary
  • 5. General Database Security 28.08.2019 TechEvent 2019 - PDB Isolation and Security5
  • 6. 28.08.2019 TechEvent 2019 - PDB Isolation and Security6 Top 10 Database Risks and Threats • Excessive privileges • Privilege abuse • Unauthorized privilege elevation • Platform vulnerabilities • SQL injection • Weak audit • Denial of service • Database protocol vulnerabilities • Weak authentication • Exposure of backup data
  • 7. Maximal Data Security Architecture 28.08.2019 TechEvent 2019 - PDB Isolation and Security7
  • 8. Maximal Data Security Architecture - CDB 28.08.2019 TechEvent 2019 - PDB Isolation and Security8
  • 9. Multitenant Container Database Challenges 28.08.2019 TechEvent 2019 - PDB Isolation and Security9
  • 10. Multitenant Container Database Usage How are the multitenant container databases used? • Simple replacement of the classic database (none-CDB) architecture with just one PDB • Database consolidation using multiple PDBs • Private DBAAS • Public DBAAS Infrastructure architecture • Cloud, Hybrid or on-premises? • Dedicated hardware • Virtual environments • Engineered System 28.08.2019 TechEvent 2019 - PDB Isolation and Security10
  • 11. Multitenant Container Database Usage Security related questions • Comprehensive privileges available in PDBs • Strict security requirements and standards • Industry dependent legal and compliance requirements Corporate structure • All just one legal entity • More or less independent departments • Several companies and subsidiaries • Service provider for different companies Isolation requirements vary 28.08.2019 TechEvent 2019 - PDB Isolation and Security11
  • 12. But why isolation at all? • Just basic database security is not sufficient. • PDB admin and user do have comprehensive privileges (DBAAS). • Full DBA role • ALTER SYSTEM, ALTER SESSION,… • PL/SQL packages and procedures • Oracle bugs and feature allow to escape the boundaries of a PDB. • Scheduler jobs including OS calls • External table pre-processor scripts • PL/SQL Library calls • Java OS calls • Resource management beyond the scope of PDBs 28.08.2019 TechEvent 2019 - PDB Isolation and Security12
  • 13. Risks in a DBAAS environment • PDB admin use privilege escalation. • Excessive use of shared resources. • Access sensitive data via shared resources e.g. backup or management LAN. • Break out of PDB and get OS access as oracle. • Gain access to the root container (cdb$root) • Gain access to other PDBs. • Gain access to the network. • Use of critical features like • Administration features • Oracle JVM • DBMS_SCHEDULER • External table pre-processor 28.08.2019 TechEvent 2019 - PDB Isolation and Security13
  • 14. Isolation and Security Measures 28.08.2019 TechEvent 2019 - PDB Isolation and Security14
  • 15. Will we cook or why onions? • Measures on several levels are absolutely essential. • Layered structure similar to an onion. E.g. • Secure and correct data • Secure application design • PDB hardening • PDB isolation and security • General CDB architecture • CDB hardening • OS Hardening • Network security • The following functions such as lockdown profiles, path prefix and PDB OS credentials are only part of a holistic approach. 28.08.2019 TechEvent 2019 - PDB Isolation and Security15
  • 16. Possibilities for risk mitigation A multitenant container database provides the following features beyond regular security measures: • PATH_PREFIX and CREATE_FILE_DEST clause to limit data files and directory objects to certain paths. • PDB_OS_CREDENTIAL parameter assigning a dedicated user account for OS interactions • Lockdown profiles to restrict certain operations or functionalities in a PDBs But what can you do with them...? 28.08.2019 TechEvent 2019 - PDB Isolation and Security16
  • 17. Managing OS Access • Define a dedicated OS user account for system interactions. • Based on DBMS_CREDENTIAL package and init parameter PDB_OS_CREDENTIAL. • Allows to define dedicated OS credential for: • External jobs that do not yet have an OS credential specified • External table pre-processors • PL/SQL library executions (EXTPROC) • Can be defined globally or per PDB. • Introduced with Oracle 12.2.0.1. As far as theory goes... • ... unfortunately there are still bugs (12g-19c) • … PDB_OS_CREDENTIAL does not work as expected for table pre-processor (DBMS_SCHEDULER fixed since yesterday for 12.2.0.1 RU April 2019) 28.08.2019 TechEvent 2019 - PDB Isolation and Security17
  • 18. • Set the parameter at CDB level (older version did require a change via pfile) BEGIN dbms_credential.create_credential( credential_name => 'PDBSEC_OS_USER', username => 'orapdbsec', password => 'manager'); END; / ALTER SYSTEM SET pdb_os_credential=GENERIC_PDB_OS_USER SCOPE=SPFILE; Define credentials • Create a credential in the cdb$root for a corresponding OS user • Or individually per PDB ALTER SESSION SET CONTAINER=pdbsec; ALTER SYSTEM SET pdb_os_credential=PDBSEC_OS_USER SCOPE=SPFILE; 28.08.2019 TechEvent 2019 - PDB Isolation and Security18
  • 19. Manage File Access PATH_PREFIX clause to restrict directory object paths • Set per PDB at creation time. Can not be changed later. • Restrictions and limitations when PATH_PREFIX is used: • Existing directory objects might not work as expected. • PATH_PREFIX string is always added as a prefix to all local directory objects in the PDB. • It does not apply to Oracle-supplied directory objects. • Does not affect files created by Oracle Managed Files. • Does not apply to data files or temporary files. Use CREATE_FILE_DEST CREATE_FILE_DEST clause to restrict directory path for data files or temporary files. • Implicit set DB_CREATE_FILE_DEST. => can be modified / requires lockdown profile • Enable Oracle Managed Files for the PDB. • Specifies the default file system directory or Oracle ASM disk group for PDB files. 28.08.2019 TechEvent 2019 - PDB Isolation and Security19
  • 20. • Alternatively create a PDB based on a template PDB, dbca etc. • Check current setting of PATH_PREFIX in database_properties CREATE PLUGGABLE DATABASE pdbsec ADMIN USER pdbadmin IDENTIFIED BY LAB01schulung ROLES=(dba) PATH_PREFIX = '/u01/oradata/pdbsec/directories/' CREATE_FILE_DEST = '/u01/oradata/pdbsec/'; ALTER SESSION SET CONTAINER=pdbsec; SELECT * FROM database_properties WHERE property_name='PATH_PREFIX'; PROPERTY_NAME PROPERTY_VALUE DESCRIPTION ------------- ------------------------------- ---------------------- PATH_PREFIX /u01/oradata/PDBSEC/directories All paths for objects such as directories are relative to this Configure File Access • Manually create a PDB based on PDB$SEED 28.08.2019 TechEvent 2019 - PDB Isolation and Security20
  • 21. • Create an Oracle directory object inside PATH_PREFIX SQL> CREATE DIRECTORY wrong_prefix AS '/tmp/test'; CREATE DIRECTORY wrong_prefix AS '/tmp/test' * ERROR at line 1: ORA-65254: invalid path specified for the directory SQL> CREATE DIRECTORY no_prefix AS 'no_prefix'; Directory created. SQL> SELECT directory_name, directory_path FROM dba_directories 2 WHERE origin_con_id=(SELECT con_id FROM v$pdbs); DIRECTORY_NAME DIRECTORY_PATH --------------- ------------------------------------------ NO_PREFIX /u01/oradata/PDBSEC/directories/no_prefix Verify File Access – PATH_PREFIX • Create an Oracle directory object outside PATH_PREFIX 28.08.2019 TechEvent 2019 - PDB Isolation and Security21
  • 22. • Create an Oracle tablespace with an absolute path within CREATE_FILE_DEST and with OMF SQL> CREATE TABLESPACE wrong_prefix DATAFILE '/tmp/wrong_prefix.dbf' SIZE 1M; CREATE TABLESPACE wrong_prefix DATAFILE '/tmp/wrong_prefix.dbf' SIZE 1M * ERROR at line 1: ORA-65250: invalid path specified for file - /tmp/wrong_prefix.dbf SQL> CREATE TABLESPACE right_prefix DATAFILE 2 '/u01/oradata/PDBSEC/right_prefix.dbf' SIZE 1M; Tablespace created. SQL> CREATE TABLESPACE no_prefix datafile SIZE 1M; Tablespace created. Verify File Access – CREATE_FILE_DEST • Create an Oracle tablespace with an absolute path outside CREATE_FILE_DEST 28.08.2019 TechEvent 2019 - PDB Isolation and Security22
  • 23. Lockdown Profiles • Oracle introduced lockdown profiles with 12.1. However, they become interesting only in 12.2 or the better 18c/19c • Lockdown profiles allows to restrict user operation in PDBs in a multitenant container database. • It is possible to assign lockdown profiles to... • ... individual PDBs, if PDB_LOCKDOWN is set while connected to a particular PDB. • ... all PDBs in a CDB, if PDB_LOCKDOWN is set while connected to the CDB root. • … application container, if PDB_LOCKDOWN is set while connected to an application root • The CREATE LOCKDOWN PROFILE statement must be issued from CDB or application root. • Usage of lockdown profiles includes 3 steps: • Create a lockdown profile using CREATE LOCKDOWN PROFILE • Enable / disable user operations using ALTER LOCKDOWN PROFILE • Enable the corresponding lockdown profile using ALTER SYSTEM SET pdb_lockdown= 28.08.2019 TechEvent 2019 - PDB Isolation and Security23
  • 24. Capabilities of Lockdown Profiles • ALTER LOCKDOWN PROFILE statement allows to enable or disable the following functions : • LOCKDOWN_OPTIONS clause: User operations associated with certain database options. • LOCKDOWN_FEATURES clause: User operations associated with certain database features. • LOCKDOWN_STATEMENTS clause: The issuance of certain SQL statements. • Function can either explicitly be disable or enable. • Combination of ALL and EXCEPT is possible. • Oracle 18c introduced a couple of enhancements for lockdown profiles: • Restrict user operation for ALL, LOCAL or COMMON user. • Create lockdown profiles based existing profiles as static copy or dynamic link. 28.08.2019 TechEvent 2019 - PDB Isolation and Security24
  • 25. ALTER LOCKDOWN PROFILE sec_default ENABLE OPTION ALL EXCEPT = ('DATABASE QUEUING'); LOCKDOWN_OPTIONS clause • The following database options can be restricted: • DATABASE QUEUING – User operations associated with Oracle Database Advanced Queuing option • PARTITIONING – User operations associated with Oracle Partitioning option • Restriction explicit or with exclusion: • Use ALL to specify all options. • Use ALL EXCEPT to specify all options except the specified options. • Default is ENABLE OPTION ALL. • Enable all options except DATABASE QUEUING 28.08.2019 TechEvent 2019 - PDB Isolation and Security25
  • 26. ALTER LOCKDOWN PROFILE sec_default DISABLE FEATURE = ('OS_ACCESS'); ALTER LOCKDOWN PROFILE sec_default ENABLE FEATURE = ('TRACE_VIEW_ACCESS'); LOCKDOWN_FEATURES clause • LOCKDOWN_FEATURES clause disable or enable user operations associated with certain database features. • Supports a comprehensive list of database features and feature bundle e.g. AWR_ACCESS, CONNECTIONS, JAVA, JAVA_RUNTIME, NETWORK_ACCESS, OS_ACCESS, etc. • See Oracle documentation ALTER LOCKDOWN PROFILE for a complete list. • Restriction explicit or with exclusion: • Use ALL to specify all features. • Use ALL EXCEPT to specify all features except the specified feature. • Default is ENABLE ALL. • Disable OS_ACCESS but explicitly enable TRACE_VIEW_ACCESS 28.08.2019 TechEvent 2019 - PDB Isolation and Security26
  • 27. LOCKDOWN_STATEMENTS clause • LOCKDOWN_ STATEMENTS clause disable or enable issuance of certain SQL statements. • Use DISABLE to disable the execution of specified SQL statements. • Use ENABLE to enable the execution of specified SQL statements. • Restriction explicit or with exclusion: • Use ALL to specify all statements. • Use ALL EXCEPT to specify all statements except the specified statements. • Default is ENABLE STATEMENT ALL. • The STATEMENT_CLAUSES lets disable or enable specific clauses of the specified SQL statement. • The OPTION_CLAUSES lets disable or enable setting or modification of specific options. • E.g. disable all ALTER SYSTEM but allow ALTER SYSTEM SET cursor_sharing • Challenging to cover all critical statements, clause and options and not open a security flaw. 28.08.2019 TechEvent 2019 - PDB Isolation and Security27
  • 28. • Create a new lockdown profile sec_jvm based on sec_default • Enable Java and Java runtime ALTER LOCKDOWN PROFILE sec_default DISABLE STATEMENT = ('ALTER SYSTEM'); ALTER LOCKDOWN PROFILE sec_default ENABLE STATEMENT = ('ALTER SYSTEM') CLAUSE = ('SET') USERS=COMMON; ALTER LOCKDOWN PROFILE sec_default ENABLE STATEMENT = ('ALTER SYSTEM') CLAUSE = ('KILL SESSION'); CREATE LOCKDOWN PROFILE sec_jvm FROM sec_default; ALTER LOCKDOWN PROFILE sec_jvm ENABLE FEATURE = ('JAVA_RUNTIME'); ALTER LOCKDOWN PROFILE sec_jvm ENABLE FEATURE = ('JAVA'); A few more examples • Disable ALTER SYSTEM but allow it for COMMON user and for clause KILL SESSION. 28.08.2019 TechEvent 2019 - PDB Isolation and Security28
  • 29. Missing parts • PDB isolation is no a replacement for a comprehensive security concept. • Resource management is not covered at all. • TDE, in particular TDE key management requires additional measures • OS specific admin activities are not separated. e.g. Backup & Recover • Although user are distinct by PDB_OS_CREDENTIAL, measures on the OS are still mandatory. => Layered Security • Flaw in PDB isolation if poor lockdown profiles have been defined. 28.08.2019 TechEvent 2019 - PDB Isolation and Security29
  • 30. Outlook and potential enhancements 28.08.2019 TechEvent 2019 - PDB Isolation and Security30
  • 31. Outlook and potential enhancements • In short term, waiting for the problems around PDB_OS_CREDENTIAL to be solved is still required. • Bug 25820082 - PDB_OS_CREDENTIAL PARAMETER NOT WORKING => fixed for 12.2.0.1 RU April 2019 since 10. Sept. 2019 • Bug 29926986 - LISTENER SPAWNED EXTPROC FAILS WITH ORA-28575 • Bug 29922316 - EXTPROC FAILS WITH HS: CHILD EXTPROC FINISHED CALLING JSSU! STATUS = -1 WHEN DBMS_CREDENTIAL CONFIGURED • Doc 29938722 - PDB_OS_CREDENTIAL DOCUMENTION NEEDS TO INCLUDE CONFIGURATION REQUIREMENTS AND EXAMPLES • Although the Java challenges are not yet covered by these bugs • Oracle does struggle with similar challenges for their cloud services e.g. Oracle Autonomous Database • Discussions with the Oracle PM for PDBs have shown that solutions are needed and being developed. e.g. Linux CGROUPS, Linux Security Module (LSM) etc. 28.08.2019 TechEvent 2019 - PDB Isolation and Security31
  • 32. • Reveals a functionality named DB Nest. • Presentations from OOW 2018 have mentioned DB Nest as a security enhancement for Multitenant Databases Parameter Instance Description ----------------------- ----------- -------------------------------- _dbnest_enable NONE dbNest enable _dbnest_pdb_fs_conf PDB Filesystem configuration _dbnest_pdb_fs_type DEFAULT PDB FS Type _dbnest_pdb_scm_conf PDB SCM configuration _dbnest_pdb_scm_level STRICT1 PDB SCM Level _dbnest_stage_dir Staging directory configuration _instance_dbnest_name Instance dbNest Name 28.08.2019 TechEvent 2019 - PDB Isolation and Security32 Oracle DB Nest • A possible hint in Oracle 19c based on a few hidden parameter
  • 33. Oracle DB Nest The exact functionality can only be guessed at the moment. Control and isolation of... • OS resources used by a PDB • File system isolation per PDB • Secure computing • …? Oracle Open World 2019 is soon ☺ 28.08.2019 TechEvent 2019 - PDB Isolation and Security33
  • 34. Summary 28.08.2019 TechEvent 2019 - PDB Isolation and Security34
  • 35. Summary 28.08.2019 TechEvent 2019 - PDB Isolation and Security35 • It is not exclusively a customer challenge. Oracle has to solve similar issues for its cloud products. • Lockdown profiles, PATH_PREFIX, PDB_OS_CREDENTIAL etc. do provide basic functionality to implement PDB Isolation. But… • … there are still a few bugs. • … not all use cases are covered e.g. resource management, java etc. • What used to be true is still true. • Do not install Oracle JVM in security-critical databases! • If it is not absolutely necessary. • The opening of an SR on this topic is simply cumbersome and laborious. • The new functionality DB Nest does look promising. Despite the limitations, these functions offer basic functionalities to make the PDB more secure and to start implementing isolation.