A reader, October 02, 2003 - 4:58 pm UTC
Isn't label security the new name for what used to be known as Trusted Oracle in Oracle 7? Was Trusted Oracle implementation based on the RLS model (which I think is an 8i feature) or was it different? Essentially could you please tell what are the differences between the Trusted Oracle implementation and Label Security? Thanks.
October 02, 2003 - 6:52 pm UTC
Trusted Oracle (I cut my teeth on that product way way way back when -- I was one of the first customers) is much "bigger" than Label Security.
Trusted Oracle was a B1 multi-level secure database that relied on a B1 multi-level secure operating system. It was "big time". It used the OS to enforce the "row level security".
Label Security has many of the salient features of Trusted -- but is not so onerous. No trusted OS is needed, but you have some (not all) of the qualities of that B1 multi-level secure OS (so secure it was, that people couldn't really 'use' it day to day).
Trusted Oracle is "dead", Label Security is what we are producing now.
Memories of Trusted Oracle...
Mark Wooldridge, October 02, 2003 - 11:47 pm UTC
I also was thrown into Trusted Oracle back in 95. I had a lot of interesting days working with the product and integrated webservers (back before they were application servers) onto trusted solaris, dec mls, sco's mls and hp cmw.
Replication was very interesting when Trusted Oracle was involved.
OLS, previously Military security, is also an interesting product. The key piece missing is the multilevel listener to allow OLS to work on Trusted Solaris.
OLS is a good product but is designed after the Trusted Oracle model with levels, and compartments (also now inverse compartments as a result of my beta testing), and a new feature, groups. If your data fits this model, then OLS is the product for you.
OLS vs FGAC
Suhail, April 03, 2006 - 4:57 pm UTC
Tom,
I need to implement data classification. I need to associate labels like 'sensitive', 'classified', 'public', etc. to each record along with some other attributes such as ROLE (manager, programmer etc.). Would I be able to do it using VPD/FGAC or do I need to have OLS?
Thank you for your answer
April 04, 2006 - 9:48 am UTC
OLS (Oracle label security) is implemented via FGAC (fine grained access control).
It is an implementation that does what you say you would like to do.
So you can either buy OLS (extra cost option to the enterprise edition) or write it yourself.
writing it itself
Suhail, April 04, 2006 - 10:16 am UTC
Tom,
In OLS, I can define level, group and compartment, whereas in VPD we filter data by some field. In OLS, we need to create a new field to store values for group, compartment and level combination, whereas in VPD we do not change the table definition. So why does OLS need this new column? In OLS, as we know, access to data is controlled in three dimensions; could we do this in VPD?
I am working on a Data Classification project and I have been asked to justify why I need OLS.
April 04, 2006 - 7:24 pm UTC
In OLS you use what they built.
With VPD - what you can build is limited by your IMAGINATION.
I totally agree, this is 100% a "buy vs build" decision.
Do you want to design, build, and maintain forever your own custom implementation
Or
Do you want to buy an off the shelf solution that on the face of it sounds like it would satisfy your needs.
That is always the question..
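The "build" side of this exchange, sketched as an added example that is not from the original thread and is not Oracle's OLS code: a label column on the table, filtered by a VPD policy registered through DBMS_RLS. The schema APP, the tables DOCS and USER_CLEARANCE, their columns and the policy names are all hypothetical, and only the level and compartment dimensions are modelled.

```sql
-- Hypothetical schema APP; every table, column and policy name is illustrative.
CREATE TABLE app.docs (
  id              NUMBER PRIMARY KEY,
  body            VARCHAR2(4000),
  row_level       NUMBER NOT NULL,   -- 10 public, 20 sensitive, 30 classified
  row_compartment VARCHAR2(30)       -- NULL = no compartment needed
);

-- One row per (user, compartment); must not be writable by application users.
CREATE TABLE app.user_clearance (
  username    VARCHAR2(128) NOT NULL,
  max_level   NUMBER        NOT NULL,
  compartment VARCHAR2(30)
);

CREATE OR REPLACE FUNCTION app.label_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  -- Static predicate text: the session user is resolved by SYS_CONTEXT at
  -- run time, so no user-supplied value is concatenated into the predicate.
  -- A user with no clearance rows gets level 0 and sees nothing.
  RETURN q'[
    row_level <= (SELECT NVL(MAX(c.max_level), 0)
                    FROM app.user_clearance c
                   WHERE c.username = SYS_CONTEXT('USERENV', 'SESSION_USER'))
    AND (row_compartment IS NULL
         OR row_compartment IN
            (SELECT c.compartment
               FROM app.user_clearance c
              WHERE c.username = SYS_CONTEXT('USERENV', 'SESSION_USER')))
  ]';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'DOCS',
    policy_name     => 'DOCS_LABEL_POLICY',
    function_schema => 'APP',
    policy_function => 'LABEL_POLICY',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE);  -- writes must also satisfy the predicate
END;
/
```

The label columns are what the policy predicate compares against, which is why a per-row label has to be stored somewhere once access depends on more than existing business columns.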
references
Suhail, April 05, 2006 - 2:28 pm UTC
Could you give me some references of agencies who are using OLS or some success story?
Thanks
April 06, 2006 - 9:47 am UTC
GD-AIS & OLS
Richard Evans, April 06, 2006 - 5:48 pm UTC
April 08, 2006 - 8:27 am UTC
Umm, but since OLS stands for Oracle Label Security - and you are not Oracle - I'm not really understanding how this is showing OLS?
That is not OLS.
VPD, FGAC, label security... express edition
A reader, April 19, 2006 - 3:23 pm UTC
Tom, VPD is based on fine grain access control? Are VPD and FGAC pretty much the same? The reason for asking - product features list says VPD is available only in EE. Does it mean that XE (or any other but EE) doesn't have FGAC? There is no way to create policies etc.? Just confused by all these acronyms and terms...
Thank you very much!!!
April 19, 2006 - 5:21 pm UTC
VPD is synonymous with fine grained access control is synonymous with "using DBMS_RLS"
Column security
Azamat, May 11, 2006 - 3:53 pm UTC
We are building an enterprise-wide data warehouse and we need to classify the data. We have several subject areas such as Contract, Accounting, Payroll etc. For example, my INVOICE_FACT fact table contains the following columns:
Agency_id
Acc_id
Contract_id
Payee_id
Invoice_dt_id
Invoice_num
AMT
Audit_Amt
Transaction_Amt
In this fact table my Compartment is Invoice and combinations of the following columns have different sensitivity levels:
Data classification | Sensitivity Level
(agency_id, contract_id) | PUBLIC
(agency_id, contract_id, payee_id) | CONFIDENTIAL
(agency_id, contract_id, audit_amt) | HIGHLY SENSITIVE
I am not sure how I will be able to implement this kind of label security using OLS. Do I need to implement column level security using VPD, or should I use sub-categories in defining my compartments, such as INVOICE is the main compartment and, under INVOICE, I have the following three compartments:
INVOICE_PUBLIC
INVOICE_CONFIDENTIAL
INVOICE_HIGHLY_CLASSIFIED.
Hoping to hear from you.
Thanks
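Column-level sensitivity of the kind described in this post can be expressed with the column-masking options of DBMS_RLS.ADD_POLICY (Oracle 10g and later), shown here as an added example that is not part of the original thread. The schema DW, the application context INVOICE_CTX with its CLEARANCE attribute, and the function and policy names are assumptions; the table and column names are taken from the post.

```sql
-- Hypothetical: schema DW, application context INVOICE_CTX (attribute
-- CLEARANCE, set only by a trusted package at logon), and all policy names.
-- An unset context yields NULL, so the predicates fail closed (column masked).
CREATE OR REPLACE FUNCTION dw.invoice_confidential_cols (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  RETURN q'[SYS_CONTEXT('INVOICE_CTX', 'CLEARANCE')
            IN ('CONFIDENTIAL', 'HIGHLY SENSITIVE')]';
END;
/

CREATE OR REPLACE FUNCTION dw.invoice_sensitive_cols (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  RETURN q'[SYS_CONTEXT('INVOICE_CTX', 'CLEARANCE') = 'HIGHLY SENSITIVE']';
END;
/

BEGIN
  -- PAYEE_ID reads as NULL unless the session is CONFIDENTIAL or above.
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'DW',
    object_name           => 'INVOICE_FACT',
    policy_name           => 'INV_PAYEE_MASK',
    function_schema       => 'DW',
    policy_function       => 'INVOICE_CONFIDENTIAL_COLS',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'PAYEE_ID',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);

  -- AUDIT_AMT reads as NULL unless the session is HIGHLY SENSITIVE.
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'DW',
    object_name           => 'INVOICE_FACT',
    policy_name           => 'INV_AUDIT_MASK',
    function_schema       => 'DW',
    policy_function       => 'INVOICE_SENSITIVE_COLS',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'AUDIT_AMT',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
```

With `sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS` every row is still returned and only the listed column is nulled when the predicate is false; without that option the rows themselves are filtered whenever the column is referenced.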