Oracle9i Label Security

Oracle9i Label Security is a new security option for the Oracle9i Enterprise Edition.  Oracle9i Label Security builds on the Oracle9i virtual private database (VPD) technology.  Oracle9i VPD technology gives you the ability to write security policies using Oracle PL/SQL and assign them to database tables and views.  For example, an Oracle VPD policy can be written to restrict access outside normal business hours or to restrict access to specific database rows based on an organizational identifier.  Oracle9i Label Security is an out-of-the-box solution for restricting access to specific database rows based on sensitivity labels.  Oracle9i Label Security eliminates the task of writing Oracle9i VPD policies to enforce row level security.  The complex nature of restricting access based on sensitivity labels requires a robust database infrastructure and highly optimized algorithms.  Oracle9i Label Security provides both the infrastructure and the optimized algorithms, as well as a GUI administration tool.  Oracle9i Label Security is highly customizable using an array of enforcement options and built-in features.  Release 2 of Oracle9i Label Security supports releasabilities, adding even more flexibility to the Oracle9i Label Security access control capabilities.


ORACLE LABEL SECURITY POLICIES
Oracle9i Label Security is best suited for row level security enforcement based on sensitivity labels.  Oracle Label Security policies are collections of labels, label authorizations and security enforcement options.  Once created, policies can be applied to entire application schemas or to specific application tables.  Oracle Label Security supports multiple policy definitions within a single Oracle database.  Label definitions, user authorizations and enforcement options are defined on a per policy basis.  For example, a policy called DEFENSE might contain the labels SECRET, TOP SECRET and CONFIDENTIAL.  A policy called SALES might contain the labels NORTH AMERICA, EUROPE, and ASIA.  Both of these policies can exist in the same database and be applied to the same or different application tables.

SENSITIVITY LABELS
Sensitivity labels are central to Oracle9i Label Security.  Sensitivity labels determine an application user's ability to view and update application data.  Sensitivity labels provide sophisticated controls which are not possible with traditional object level privileges.  For example, suppose an order entry application has a security policy which states that the application must be capable of limiting access to purchase orders labeled company sensitive.  By default, giving an application user the SELECT privilege on the purchase orders table will allow the user to view all rows.  One approach to solving this requirement is to create two database views.  The first view will exclude all the purchase orders deemed company sensitive and the second will include all the purchase orders.  This approach is problematic because the security policy may change to include new levels of sensitivity.  In addition, application users will need to be assigned the correct enterprise role depending on their authorization to view company sensitive information.  Sensitivity labels solve this security requirement and eliminate the need for additional views.

Oracle9i Label Security sensitivity labels contain three components: a single hierarchical level or classification, one or more horizontal compartments or categories and one or more groups. 

Label Components

  • Level - The level is a hierarchical component which denotes the sensitivity of the data.  A typical government organization might define the levels confidential, sensitive and highly sensitive.  However, there is no requirement to define more than one level.  For example, a commercial organization might define a single level for company confidential data or for application hosting requirements.
  • Compartment - The compartment component is sometimes referred to as a category and is non-hierarchical.  Typically one or more compartments are defined to segregate data.  For example, a compartment might be defined for an ongoing strategic initiative or map to a hosted application subscriber.  Data related to the initiative can be labeled with the newly defined compartment.  Oracle Label Security supports up to 9999 unique compartments.
  • Group - The group component is used to record ownership and can be used hierarchically.  For example, two groups called Senior VP and Manager can be created and subsequently assigned as children of the CEO group, creating an ownership tree.  Labels can be composed of a standalone level component, or a level component can be combined with compartments, groups or both.
External Representation
The external representation of a label is composed of the three label components, separated by colons.  The label "Confidential : Acquisitions : Asia" is composed of the following three label components:
  • Level = Confidential
  • Compartment = Acquisitions
  • Group = Asia
Example Application Table:

Project   Location   Budget          Sensitivity Label
AZ834T    Chicago    $14500000.00    Public : : Education
WY83R     Paris      $32600000.00    Confidential : : Europe
PT99X     Tokyo      $21000000.00    Sensitive : Acquisitions : Asia

Releasabilities
Oracle9i Label Security uses inverse groups to indicate releasability of information: they are used to mark the dissemination of data. When you add an inverse group to a data label, the data becomes less classified.  For example, a user with inverse groups UK, US cannot access data which only has inverse group UK.  Adding US to that data makes it accessible to all users with the inverse groups UK, US.  When you assign releasabilities to a user, you mark the communication channel to the user. For data to flow across the communication channel, the data releasabilities must dominate the releasabilities assigned to the user.  In other words, releasabilities assigned to a data record must contain all the releasabilities assigned to a user.  The advantage of releasabilities lies in their power to broadly disseminate information. Releasing data to the entire marketing organization becomes as simple as adding the Marketing releasability to the data record. 

The term inverse group is used because an administrator can now create an Oracle Label Security policy which uses the access control logic provided by standard groups or decide to create the policy using inverse group access control logic.

Comparing Standard Groups and Inverse Groups
Groups in Oracle Label Security identify organizations which own or access data.  Like standard groups, inverse groups control the dissemination of information.  However, the behavior of inverse groups differs from Oracle Label Security standard group behavior.  By default, all policies created in Oracle Label Security use the standard group behavior.  When you include inverse groups in a data label, the effect is similar to assigning label compartment authorizations to a user.  When Oracle Label Security evaluates whether a user can view a row of data assigned a label with inverse groups, it checks to see whether the data, not the user, has the appropriate group authorizations: does the data have all the inverse groups assigned to the user?  With standard groups, by contrast, Oracle Label Security checks to see whether a user is authorized for at least one of the groups assigned to a row of data.  Consider a policy which contains three standard groups: Eastern, Western, and Southern.  User1's label authorizations include the groups Eastern and Western.  Assuming User1 has been assigned the appropriate level and compartment authorizations in the policy, then:

  • With standard Oracle Label Security groups, User1 can view all data records that have the group Eastern, or the group Western, or both Eastern and Western.
  • With inverse groups, User1 can only view data records that have, at a minimum, all the groups assigned to the user: that is, both Eastern and Western. She cannot view records that have only the Eastern group, only the Western group, or that have no groups at all.
When using standard groups, a hierarchical relationship can be created by designating a parent for each group.  However, designating hierarchical relationships between inverse groups is not practical because of the access control logic associated with the concept of releasabilities.  Therefore when a policy is created and the inverse group option is specified, the ability to designate a parent for a particular group has been disabled.

Label Tags
Label tags are used internally and stored with the data for optimization.  The example application table above has four attributes: Project, Location, Budget and a Sensitivity Label.  The fourth and final attribute is the label column added by Oracle Label Security.  The values listed under Sensitivity Label are the external representations of the labels.  The corresponding internal label tags might be 10010, 20005, and 30106.

ORACLE9i LABEL SECURITY MEDIATION
Oracle9i Label Security mediates access to rows in database tables based on the label contained in the row, a label associated with each database session, and Oracle9i Label Security privileges assigned to the session.  Oracle9i Label Security provides access mediation to application data after a user has been granted the standard Oracle SYSTEM and OBJECT privileges.  For example, if an application user executes a SQL SELECT statement Oracle9i will first verify that the user has the appropriate OBJECT privileges or enterprise roles to access the tables referenced in the statement.  Second, Oracle9i will check if any of the tables referenced in the statement are protected by Oracle9i Label Security.  Oracle9i Label Security will then determine access to individual table rows based on sensitivity labels assigned to the rows and the user's label authorizations.

ORACLE9i LABEL SECURITY USER LABEL AUTHORIZATIONS
Oracle9i Label Security user label authorizations are managed by the database security officer.  Oracle Label Security user label authorizations are defined as follows:

Maximum Level - The maximum sensitivity level a user is authorized to access.  In a hosting environment, only a single level may exist.  In government and defense environments four or five levels might be defined.

Minimum Level - The minimum sensitivity level a user is authorized to use when writing data.  For example, an administrator can prevent users from labeling data as Public or Internet by assigning a minimum level of Company Confidential.

Default Level - The level used by default when a user connects to the database.  For example, a user can set his or her default level to Secret.  When he or she connects to the system, the session level will be initialized to Secret.

Row Level - The level used to label data inserted into the database by the user, whether through the application or directly through a tool such as SQL*Plus.

Read Compartments - The set of compartments assigned to the user and used during READ access mediation.  For example, if a user has compartments A, B and C, he can view data which has compartments A and B but not data which has compartments A, B, C and D.

Write Compartments - The set of compartments assigned to the user and used during WRITE access mediation.  For example, a user can be given READ and WRITE access to compartments A and B and READ-ONLY access to compartment C.  If an application record is labeled with compartments A, B and C, the user will not be allowed to update the record because he or she does not have WRITE access on compartment C.

Read Groups - The set of groups assigned to the user and used during READ access mediation.  For example, if a user is given the group Manager, he will be able to view data which has the Manager group but not data which has only the Senior VP group.

Write Groups - The set of groups assigned to the user and used during WRITE access mediation.  For example, a user can be given READ and WRITE access to the group Senior VP and READ-ONLY access to the group Manager.  If an application record is labeled with the single group Manager, the user will not be allowed to update the record because he or she does not have WRITE access on the Manager group.
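The following Python model is an added illustration written for this page; it is not Oracle's code.  It parses the external label representation shown in the example application table ("Level : Compartments : Groups", with components allowed to be empty), then applies the read and write mediation rules described above: level dominance against the session level (assumed here to equal the user's default level), compartments as a subset of the user's read or write compartments, and the two group behaviors compared in the standard versus inverse groups section (standard: at least one shared group, or a row with no groups; inverse: the data must carry every group assigned to the user).  The level order, the ANALYST user and the Eastern/Western rows in the usage are constructed for the example; the three project rows are the page's own table.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset
    groups: frozenset


def _split_list(text):
    return frozenset(x.strip() for x in text.split(",") if x.strip())


def parse_label(text):
    """Parse the external representation 'Level : Comp1, Comp2 : Group1, Group2'.
    Components may be empty, as in 'Public : : Education' from the page's table."""
    parts = [p.strip() for p in text.split(":")]
    if len(parts) != 3 or not parts[0]:
        raise ValueError(f"malformed label: {text!r}")
    return Label(parts[0], _split_list(parts[1]), _split_list(parts[2]))


# Constructed policy levels, lowest to highest (a real policy assigns each level a number).
LEVELS = ["Public", "Confidential", "Sensitive", "Highly Sensitive"]


def rank(level):
    return LEVELS.index(level)


@dataclass(frozen=True)
class UserAuth:
    """User label authorizations as listed on this page; session level is assumed to
    equal the default level."""
    max_level: str
    min_level: str
    default_level: str
    read_comps: frozenset
    write_comps: frozenset
    read_groups: frozenset
    write_groups: frozenset

    def __post_init__(self):
        if not rank(self.min_level) <= rank(self.default_level) <= rank(self.max_level):
            raise ValueError("default level must lie between the minimum and maximum levels")


def groups_permit(user_groups, row_groups, inverse):
    if inverse:
        # Releasabilities: the data label must carry every group assigned to the user.
        return user_groups <= row_groups
    # Standard groups: a row with no groups is open; otherwise one shared group suffices.
    return not row_groups or bool(user_groups & row_groups)


def can_read(user, row, inverse=False):
    return (rank(row.level) <= rank(user.default_level)
            and row.compartments <= user.read_comps
            and groups_permit(user.read_groups, row.groups, inverse))


def can_write(user, row, inverse=False):
    # Write additionally requires the row level to be at or above the user's minimum level.
    return (rank(user.min_level) <= rank(row.level) <= rank(user.default_level)
            and row.compartments <= user.write_comps
            and groups_permit(user.write_groups, row.groups, inverse))


# The page's example application table (only the project key and its label are kept).
PROJECTS = [
    ("AZ834T", "Public : : Education"),
    ("WY83R", "Confidential : : Europe"),
    ("PT99X", "Sensitive : Acquisitions : Asia"),
]


def accessible(user, rows=PROJECTS, write=False, inverse=False):
    """Return the project keys the user may SELECT (or UPDATE when write=True)."""
    check = can_write if write else can_read
    return [key for key, text in rows if check(user, parse_label(text), inverse)]


# Constructed user: reads Acquisitions data, may not write any compartmented data,
# reads Europe and Asia rows, but may only write Europe rows.
ANALYST = UserAuth("Sensitive", "Public", "Sensitive",
                   read_comps=frozenset({"Acquisitions"}), write_comps=frozenset(),
                   read_groups=frozenset({"Europe", "Asia"}), write_groups=frozenset({"Europe"}))

if __name__ == "__main__":
    print("read  (standard groups):", accessible(ANALYST))
    print("write (standard groups):", accessible(ANALYST, write=True))
    print("read  (inverse groups): ", accessible(ANALYST, inverse=True))
```

Run as written, the standard-group policy lets ANALYST read WY83R and PT99X (AZ834T carries only the Education group) and update only WY83R (PT99X carries a compartment the user has no write access to), while under inverse groups no row is readable because none carries both Europe and Asia, which is exactly the releasability behavior the page describes.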

ORACLE9i LABEL SECURITY SPECIAL ACCESS PRIVILEGES
Oracle9i Label Security provides a comprehensive set of special access privileges.  The access privileges are designed for special reporting needs and to protect the data label separate from the actual data.  Oracle9i Label Security special access privileges are defined as follows:

READ - The READ privilege allows a user to access all data protected by Oracle9i Label Security.  For a user holding READ, Oracle9i Label Security makes no mediation check on SELECT operations; however, access mediation is still enforced on UPDATE, INSERT and DELETE operations.

FULL - The FULL privilege turns off all Oracle9i Label Security access mediation.  A user with the FULL privilege can perform SELECT, UPDATE, INSERT and DELETE operations with no label authorizations.  Note that Oracle SYSTEM and OBJECT privileges are still enforced.  For example, a user must still have SELECT on the application table.  The FULL privilege turns off only the access mediation check at the individual row level.

WRITEDOWN - The WRITEDOWN privilege allows a user to modify the level component of a label and lower the sensitivity of the label.  For example, application data which is labeled Top Secret : Alpha, Beta could be changed to Secret : Alpha, Beta.

WRITEUP - The WRITEUP privilege allows a user to modify the level component of a label and raise the sensitivity of the label.  For example, application data which is labeled Secret : Alpha, Beta could be changed to Top Secret : Alpha, Beta.  Note that the Maximum Level label authorization assigned to the user still limits the modification.

WRITEACROSS - The WRITEACROSS privilege allows a user to modify the compartments and groups in a label to any valid compartment and group defined in Oracle9i Label Security for the policy.  For example, application data labeled Secret : Alpha, Beta can be modified to Secret : Alpha, Beta, Delta even though the user is not authorized for the Delta compartment.

PROFILE_ACCESS - The PROFILE_ACCESS privilege allows a user to assume the Oracle9i Label Security authorizations of another user.  For example, an application user who has access to compartments A, B and C can assume the profile of another application user who has access to compartments A, B, C and D.

POLICY ENFORCEMENT OPTIONS
Oracle9i Label Security enforcement can be customized on a per policy basis.  For example, a Human Resources policy and a Defense policy can exist in the same Oracle database and provide different degrees of protection.  The Oracle9i Label Security enforcement options are as follows:

READ CONTROL � Applies policy enforcement to all queries; only authorized rows are accessible for SELECT, UPDATE, and DELETE operations.

INSERT CONTROL � Applies policy enforcement to INSERT operations, according to the Oracle Label Security algorithm for write access.

UPDATE CONTROL � Applies policy enforcement to UPDATE operations on the data columns within a row, according to the Oracle Label Security algorithm for write access.

DELETE CONTROL � Applies policy enforcement to DELETE operations, according to the Oracle Label Security algorithm for write access.

WRITE CONTROL �  Determines the ability to INSERT, UPDATE, and DELETE data in a row. If this option is set, it enforces INSERT_CONTROL, UPDATE_CONTROL, and DELETE_CONTROL.

LABEL DEFAULT - If the user does not explicitly specify a label on INSERT, the user's default row label value is used.  By default, the row label value is computed internally by Oracle9i Label Security using the label authorization values specified for the user.  A user can set the row label independently, but only to:

  • A level which is less than or equal to the level of the session label, and greater than or equal to the user's minimum level.
  • Include a subset of the compartments and groups from the session label, for which the user is authorized to have write access.
LABEL UPDATE � Applies policy enforcement to UPDATE operations that set or change the value of a label attached to a row.  The WRITEUP, WRITEDOWN, and WRITEACROSS privileges are only enforced if the LABEL_UPDATE option is set.

LABEL CHECK �  Applies READ_CONTROL policy enforcement to INSERT and UPDATE statements to assure that the new row label is read accessible by the user after an INSERT or UPDATE statement.

NO CONTROL �  Applies no enforcement options.  A labeling function or a SQL predicate can nonetheless be applied.
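As an added illustration (written for this page, not Oracle's code), the model below encodes the two LABEL DEFAULT conditions for a user-chosen row label and names which mediation steps a statement goes through under a given set of enforcement options, including WRITE CONTROL expanding to the three write options.  Labels are plain (level, compartments, groups) tuples; the level order and sample session are constructed.  The default_row_label computation (session level plus the session compartments and groups the user holds write authorization for) is an assumption made for the example, since the page only says the value is computed from the user's authorizations.

```python
# Constructed policy levels, lowest to highest.
LEVELS = ["Public", "Company Confidential", "Secret", "Top Secret"]


def rank(level):
    return LEVELS.index(level)


def default_row_label(session_label, write_comps, write_groups):
    """Assumed computation of the default row label: the session level plus those
    session compartments and groups the user may write."""
    level, comps, groups = session_label
    return (level, frozenset(comps & write_comps), frozenset(groups & write_groups))


def row_label_allowed(candidate, session_label, min_level, write_comps, write_groups):
    """The page's two LABEL DEFAULT conditions for a user-set row label."""
    level, comps, groups = candidate
    s_level, s_comps, s_groups = session_label
    level_ok = rank(min_level) <= rank(level) <= rank(s_level)
    # Only a subset of the session label's compartments/groups, and only those writable.
    comps_ok = comps <= (s_comps & write_comps)
    groups_ok = groups <= (s_groups & write_groups)
    return level_ok and comps_ok and groups_ok


WRITE_CONTROLS = {"INSERT": "INSERT_CONTROL", "UPDATE": "UPDATE_CONTROL", "DELETE": "DELETE_CONTROL"}


def checks_for(options, operation, changes_label=False):
    """Name the mediation steps applied to a statement under a policy's option set.
    NO_CONTROL (or an empty set) yields no steps."""
    opts = set(options)
    if "WRITE_CONTROL" in opts:
        opts |= set(WRITE_CONTROLS.values())
    steps = []
    if "READ_CONTROL" in opts and operation in ("SELECT", "UPDATE", "DELETE"):
        steps.append("read access to existing rows")
    if operation in WRITE_CONTROLS and WRITE_CONTROLS[operation] in opts:
        steps.append("write access to affected rows")
    if "LABEL_CHECK" in opts and operation in ("INSERT", "UPDATE"):
        steps.append("new row label must be read-accessible")
    if "LABEL_UPDATE" in opts and operation == "UPDATE" and changes_label:
        steps.append("WRITEUP/WRITEDOWN/WRITEACROSS privilege check on label change")
    return steps


# Constructed session: Secret : Alpha, Beta : Manager, with write access to Alpha and Manager only.
SESSION = ("Secret", frozenset({"Alpha", "Beta"}), frozenset({"Manager"}))
WRITE_COMPS = frozenset({"Alpha"})
WRITE_GROUPS = frozenset({"Manager"})
MIN_LEVEL = "Company Confidential"

if __name__ == "__main__":
    print(default_row_label(SESSION, WRITE_COMPS, WRITE_GROUPS))
    print(row_label_allowed(("Secret", frozenset({"Alpha", "Beta"}), frozenset()),
                            SESSION, MIN_LEVEL, WRITE_COMPS, WRITE_GROUPS))
    print(checks_for({"READ_CONTROL", "WRITE_CONTROL", "LABEL_CHECK"}, "UPDATE"))
```

In the sample, a row label of Secret : Alpha, Beta is rejected because the user holds only read access to Beta, and a label below Company Confidential is rejected by the minimum level, while a policy with READ CONTROL, WRITE CONTROL and LABEL CHECK subjects an UPDATE to three separate steps.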
 

ORACLE9i LABEL SECURITY LABEL FUNCTIONS
Label functions are defined in the Oracle9i database and referenced in an Oracle9i Label Security policy definition.  Label functions compute label values for application data during INSERT and UPDATE operations.  Labeling functions enable you to consider, in your rules for assigning labels, information drawn from the Oracle virtual private database (VPD) application context.  For example, you can use as a labeling consideration the IP address to which the user is attached.  A labeling function is called in the context of a special before-row trigger.  This enables the label function designer to pass in the old and new values of the data record, as well as the old and new labels.  Label functions can be written in PL/SQL and assigned to Oracle9i Label Security policies through the Oracle9i Policy Manager (OPM) graphical user interface.  Label functions are an extremely powerful feature of Oracle9i Label Security.

ORACLE9i LABEL SECURITY SQL PREDICATES
SQL predicates are used to provide extensibility for selective enforcement of data access rules.  Oracle9i Label Security provides an interface for SQL predicates to be easily added to Oracle9i Label Security policies.  For example, the following SQL predicate can be added to the READ algorithm:

AND my_function(col1) = 1

or another example might be:

OR SYS_CONTEXT('USERENV', 'SESSION_USER') = employee_name

ORACLE9i LABEL SECURITY API
Oracle9i Label Security has a comprehensive application programmatic interface (API) which can be used by developers and administrators.  The API is documented in the Oracle Label Security Administrator's Guide.

ORACLE9i LABEL SECURITY TRUSTED PROGRAM UNITS
Oracle9i Label Security special access privileges can be assigned to stored program units.  For example, the READ and FULL privileges can be assigned to a stored program unit.  Trusted program units reduce or eliminate the need to grant Oracle9i Label Security special access privileges directly to users.

ORACLE9i LABEL SECURITY POLICY ENFORCEMENT
Oracle9i Label Security policies can be applied to individual tables or to entire schemas.  Typically, the number of tables in an application requiring sensitivity labels is small in comparison to the total number of tables in the application.  If Oracle9i Label Security is applied at the schema level, all subsequent table creation statements will automatically have the policy applied.  After Oracle Label Security is applied to a schema, individual table enforcement options can be customized.

ORACLE9i POLICY MANAGER GUI INTERFACE
The Oracle9i Policy Manager is the new GUI tool for administering Oracle9i Label Security.  Oracle9i Policy Manager is part of the Oracle Enterprise Manager framework.  Security administrators can use the interface to create Oracle9i Label Security policies, apply policies, create labels, manage user label authorizations, add SQL predicates and label functions.  Oracle9i Policy Manager can also be used to manage Oracle VPD FGAC policies and Oracle VPD application contexts.

[Screenshot: Oracle9i Policy Manager Administrative Interface]

EVALUATIONS
Oracle9i Label Security will be evaluated under the ISO/IEC 15408 Common Criteria.  Security evaluations provide an independent security assessment of the security protection mechanisms provided with Oracle9i Label Security.
 

SUMMARY
Oracle9i Label Security is a powerful database technology to control access to critical data.  Based on government classification needs and designed for the commercial e-business market, it provides sophisticated and flexible row level database security.
KEY FEATURES
Policy Based Administration
  • Multiple policies per database
  • Multiple policies per table
  • Each policy has its own set of sensitivity labels
  • Enforcement options can be customized on a per policy basis 
  • SQL predicate option per policy
  • Label function option per policy
  • Policies can be assigned to multiple tables or entire schemas
  • Policies can use standard groups or inverse groups 
Mediate Access Using Sensitivity Labels
  • Create sensitivity labels using levels, compartments and groups
  • Assign user read and write compartments
  • Assign user read and write groups
  • Assign maximum user read level
  • Assign minimum user write level
  • User controlled default session label
  • Define up to 10000 levels
  • Define up to 10000 compartments
  • Define up to 10000 groups
  • Define up to 10000 releasabilities
Special Access Privileges
  • READ
  • FULL
  • PROFILE_ACCESS
  • WRITEUP 
  • WRITEDOWN 
  • WRITEACROSS
Customizable Enforcement Options
  • READ CONTROL 
  • INSERT CONTROL 
  • UPDATE CONTROL 
  • DELETE CONTROL 
  • LABEL CHECK
  • LABEL UPDATE
  • NO CONTROL
Auditing
  • Audit apply and remove policy operations
  • Audit Oracle9i Label Security special access privileges


Oracle9i Policy Manager GUI Administration Tool

  • Create policies
  • Define sensitivity labels
  • Apply policies
  • Set user label authorizations
  • Manage trusted program units
  • Add SQL predicates
  • Add label functions
  • Manage Oracle VPD FGAC policies
  • Manage Oracle VPD application contexts
RELATED PRODUCTS AND SERVICES

Oracle9i Advanced Security Database Option

  • Enterprise user security / LDAP directory integration
  • Single sign-on
  • Network encryption
  • Public Key Infrastructure (PKI)
  • Strong authentication
  • Visit http://oraclestore.oracle.com
GETTING STARTED
Oracle9i Label Security is an add-on option available with the Oracle9i Enterprise Edition.  Oracle9i Policy Manager is installed by default with the Oracle9i Enterprise Edition.

Oracle9i Label Security is not installed by default with the Oracle9i Enterprise Edition.  To install Oracle9i Label Security, start the installer, select the custom installation option and then check the box beside Oracle9i Label Security.
