russianmiserableSecurity

Jun 13, 2012
Integrating traditional PHP-driven login mechanism with Oracle’s advanced security
by Mikhail Seliverstov
Department of Alumni Relations
McGill University
PHP -Oracle Advanced Security2
Agenda
1. Introduction
2. Short demonstration
3. PHP code examples
4. Oracle’s security overview: from basic to advanced
5. SQL code examples
6. Project background
7. Security requirements
8. Security framework architecture
9. User session and 5-step data access
10. References
11. Questions

Why is this topic important?
The problem

Why is this topic important?
The solution

Why is this topic important?
The advantages
- Improved data security
- Lightweight applications, faster development
- Less maintenance hassle
- Simplified architectures and better data integrity

Demonstration
Sample organization

Demonstration
Data structure

Demonstration
PHP application

Different levels of Oracle security
- Account level security
- Role level security
- Row level security (v. 8i)
- Column level security (v. 10g)

Fine-Grained Access Control

Dynamic Query Modification
Executed in PHP, all users:
SELECT * FROM EMPLOYEE;
Actual queries executed by Oracle (subject to security policy):
User 1 (HR Manager):
SELECT * FROM EMPLOYEE;
User 2 (IS Manager):
SELECT * FROM EMPLOYEE WHERE DEP_ID = 'IS';
User 3 (Programmer):
SELECT * FROM EMPLOYEE WHERE EMP_ID = 3;

Security policy function

Secure Application Context

Steps to set up a policy
1. Create security policy function(s)
2. Create policy by assigning the functions to database objects
Optionally:
1. Create a procedure that initializes context variables
2. Create context space and assign it to the procedure
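
Carried out in PL/SQL, the four steps above look like the following; this is an added illustration, not code from the deck, and it produces the three rewritten EMPLOYEE queries shown under Dynamic Query Modification. The schema name HR, the table APP_USER (USERNAME, ROLE_NAME, DEP_ID, EMP_ID) and the role names are assumptions.

```sql
-- Step "create context space": namespace that only emp_ctx_pkg may write into
CREATE OR REPLACE CONTEXT emp_ctx USING emp_ctx_pkg;

-- Step "procedure that initializes context variables": PHP calls it once per
-- session after its own login check. Table APP_USER is an assumed name.
CREATE OR REPLACE PACKAGE emp_ctx_pkg AS
  PROCEDURE set_user(p_username IN VARCHAR2);
END emp_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY emp_ctx_pkg AS
  PROCEDURE set_user(p_username IN VARCHAR2) IS
    v_role app_user.role_name%TYPE;
    v_dep  app_user.dep_id%TYPE;
    v_emp  app_user.emp_id%TYPE;
  BEGIN
    SELECT role_name, dep_id, emp_id INTO v_role, v_dep, v_emp
      FROM app_user WHERE username = p_username;  -- unknown user raises NO_DATA_FOUND
    DBMS_SESSION.SET_CONTEXT('emp_ctx', 'role_name', v_role);
    DBMS_SESSION.SET_CONTEXT('emp_ctx', 'dep_id',    v_dep);
    DBMS_SESSION.SET_CONTEXT('emp_ctx', 'emp_id',    TO_CHAR(v_emp));
  END set_user;
END emp_ctx_pkg;
/
-- Step "security policy function": returns the predicate Oracle appends to each query
CREATE OR REPLACE FUNCTION emp_policy(p_schema IN VARCHAR2, p_object IN VARCHAR2)
  RETURN VARCHAR2 IS
  v_role VARCHAR2(30) := SYS_CONTEXT('emp_ctx', 'role_name');
BEGIN
  IF v_role = 'HR_MANAGER' THEN
    RETURN NULL;                      -- no predicate: whole table, as for User 1
  ELSIF v_role = 'IS_MANAGER' THEN    -- own department only, as for User 2
    RETURN 'DEP_ID = SYS_CONTEXT(''emp_ctx'', ''dep_id'')';
  ELSIF v_role = 'PROGRAMMER' THEN    -- own row only, as for User 3
    RETURN 'EMP_ID = TO_NUMBER(SYS_CONTEXT(''emp_ctx'', ''emp_id''))';
  END IF;
  RETURN '1=0';                       -- context never set or unknown role: no rows
END emp_policy;
/
-- Step "create policy": bind the function to the table for SELECT, UPDATE, DELETE
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEE',
    policy_name     => 'EMP_ROW_POLICY',
    function_schema => 'HR',
    policy_function => 'EMP_POLICY',
    statement_types => 'SELECT,UPDATE,DELETE');
END;
/
```

The predicates reference the context rather than embedding a literal, so the per-user value never becomes part of a concatenated SQL string, and a PHP session that skips the set_user call reads nothing instead of everything.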

Development and Alumni Relations
- Provide services and keep records of over 250,000 graduates, students, friends, and donors
- Raise $50–100 M per year
- Manage over 400 alumni events per year including 17 luxury cruises

Problem overview

Problem summary
1. Inadequate security
2. Data integrity
3. Administrative overhead
4. Limited functionality

Possible solutions
1. Do nothing
2. Re-write the central system to expand its functionality
3. Buy various third-party products and try to integrate them
4. Develop a companion application to provide for missing functionality, to standardize operations, and to enforce a centralized data-access policy

Solution outline

Security framework requirements
1. Each user has a unique account and a unique set of rights within the system.
2. Single sign-on mechanism across modules.
3. Solid protection for sensitive data regardless of how the data is being accessed.
4. Efficient (ideally, behind-the-scenes) management of user access rights within and across modules.

Security framework in action
Users, modules, and groups

Security framework in action
PHP-Oracle interaction

Security framework in action
High level architecture

5-step data access

Absence Report example
Regular employee
HR Personnel

References
- Enterprise Application Development Using PHP and Oracle
  www.oracle.com/technology/pub/articles/php_experts/kardasz_php.html
- The Virtual Private Database in Oracle9i
  www.oracle.com/technology/deploy/security/oracle9ir2/pdf/VPD9ir2twp.pdf
- Keeping Information Private with VPD
  www.oracle.com/technology/oramag/oracle/04-mar/o24tech_security.html

Questions
Thank you!
mikhail.seliverstov@mcgill.ca