Access control
February 4, 2008 - 9am Central time zone
Reviewer: Karthick Pattabiraman from India
Suppose I have access control on a table using VPD, and someone steals my data file. Can he
access all the information?
What will happen to the policy on that table?
Followup February 4, 2008 - 4pm Central time zone:
VPD is about access control - exactly.
and if I steal your database and connect / as sysdba - access control no longer functions.
Enter the realm of ENCRYPTION. Encryption protects your data in the event of theft.
but, that is precisely what I wrote:
... You encrypt for one reason: to prevent the data you have from being accessed if someone steals your datafiles. ...
So, tell me please - why would someone only steal your stuff on the weekend? What about your backups? What about offsite stuff? etc....
You either
a) ALWAYS encrypt
b) NEVER encrypt
doesn't make sense any other way.

February 4, 2008 - 11pm Central time zone
Reviewer: Karthick Pattabiraman
Have you ever come across a situation where you have to encrypt an entire table or set of tables?
Does doing such a thing make any sense? If so, how to do such a thing?
Followup February 5, 2008 - 7am Central time zone:
In Oracle 10g release 2 there is column level encryption:
create table t
( x varchar2(30) ENCRYPT );
In 11g release 1 there is tablespace encryption.
RMAN can also encrypt backups.
so, yes, it does make sense, however the data is encrypted ALWAYS, in order to prevent someone that has "stolen" your data from seeing it - making use of it.

February 5, 2008 - 8am Central time zone
Reviewer: Karthick Pattabiraman from India
OK, I did the following.
[SYSADM@INLABTST]> connect sys/sys@inlabtst as sysdba
Connected.
[SYSADM@INLABTST]> alter system set encryption key identified by sysadm;
System altered.
[SYSADM@INLABTST]> connect sysadm/sysadm@inlabtst
Connected.
[SYSADM@INLABTST]> create table hx_test_encryption (hx_secured_info varchar2(100) encrypt);
Table created.
[SYSADM@INLABTST]> insert into hx_test_encryption values ('1111111111111111111');
1 row created.
[SYSADM@INLABTST]> insert into hx_test_encryption values ('1212121212121212121');
1 row created.
[SYSADM@INLABTST]> commit;
Commit complete.
[SYSADM@INLABTST]> select * from hx_test_encryption;
HX_SECURED_INFO
--------------------------------------------------------------------------------
1111111111111111111
1212121212121212121
[SYSADM@INLABTST]> connect sys/sys@inlabtst as sysdba
Connected.
[SYSADM@INLABTST]> alter system set wallet close;
System altered.
[SYSADM@INLABTST]> connect sysadm/sysadm@inlabtst
Connected.
[SYSADM@INLABTST]> select * from hx_test_encryption;
select * from hx_test_encryption
*
ERROR at line 1:
ORA-28365: wallet is not open
So until I close the wallet I am able to view my data. Once I close the wallet I can't access my
data.
But I was thinking of encryption and decryption. That is, once I encrypt I should not be able to see
my data (it should appear as some junk information like !@SDSD@@!SFS223) unless I decrypt. Am I
missing something here?
Followup February 5, 2008 - 10am Central time zone:
you are missing the entire point of encryption.
I'll say it again:
encryption is NOT about access control.
encryption is about protecting your data from theft.
vpd (virtual private database) - that is about access control.
grant - that is about access control.
encryption - that is about making the data disappear if someone steals it and could circumvent all of your access controls.
What you are missing is what encryption is used for. People that have access to the data (that you GRANTED ACCESS TO THE DATA) can see the data. People that have NOT been granted access - cannot see it. If someone steals it, strips off your access control, then and only then does encryption "get in their way"
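
The distinction drawn in this thread, as an added example in Oracle SQL (not part of the original posts): one table carrying both an access-control layer (a VPD policy) and an at-rest layer (a column ENCRYPT clause), followed by dictionary queries that confirm each layer independently. The table, function and policy names are hypothetical, and the wallet is assumed to be open with a master key already set, as in the session above.

```sql
-- Added example; CUSTOMER_CARDS, CARDS_POLICY and CARDS_ROW_FILTER are hypothetical names.
-- Assumes: wallet open with a master key set, and EXECUTE on DBMS_RLS granted to this schema.

-- Layer 1 (theft protection): the column is encrypted in the datafile.
create table customer_cards
( owner_name varchar2(30),
  card_no    varchar2(19) encrypt
);

-- Layer 2 (access control): VPD predicate limits each session to its own rows.
create or replace function cards_policy
( p_schema in varchar2,
  p_object in varchar2
) return varchar2
as
begin
  return 'owner_name = sys_context(''userenv'', ''session_user'')';
end;
/

begin
  dbms_rls.add_policy
  ( object_schema   => user,
    object_name     => 'CUSTOMER_CARDS',
    policy_name     => 'CARDS_ROW_FILTER',
    function_schema => user,
    policy_function => 'CARDS_POLICY',
    statement_types => 'select' );
end;
/

-- Verify the encryption layer: which columns are stored encrypted, and how.
select table_name, column_name, encryption_alg, salt
  from user_encrypted_columns;

-- Verify the access-control layer: which policies are attached and enabled.
select object_name, policy_name, enable
  from user_policies;

-- Verify the wallet state; if it is not open, queries on CARD_NO fail with ORA-28365.
select wrl_type, status
  from v$encryption_wallet;
```

SYS and any user holding the EXEMPT ACCESS POLICY privilege bypass the VPD predicate, which is why only the encrypted column still stands in the way once the access-control layer is stripped. Querying V$ENCRYPTION_WALLET requires select privilege on that view.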