Locking Down the Grid

By Lisa Vaas  |  Posted 2003-09-19

Locking Down the Grid

Core to security in Oracle Corp.s upcoming 10g grid technology will be a component called Oracle Internet Directory, an LDAP directory with an Oracle database back-end that leverages the databases scalability, high availability and security features, according to Oracle Chief Security Officer Mary Ann Davidson.

In an interview with eWEEK, Davidson said that Oracle Internet Directory, which is also a component in Oracle9i, is part of identity and access management features of 10g that are "particularly critical for grid."

"Without identity management, you cant reap the benefits of the flexibility of grid computing," she said. 10gs identity and access management features will enable enterprises to provision users and network resources in one central place, as well as to define what applications and systems given users are allowed to access. From one spot, administrators will be able to provision, deprovision, create credentials for users, specify new applications, add new server resources and allow for resources to participate in single sign-on, Davidson said.

Having an easy way to identify and provision users and resources will be critical to the success or failure of grid computing, which in Oracles view relies on the quick and easy provisioning of computing resources as needs dictate. As it is, security experts and users fear that the pools of low-cost commodity servers promised in 10g will actually be cesspools of security vulnerabilities.

"Any distributed architecture is by nature, as more nodes are attached and more ports opened, more prone to security risk," Craig Read, IT director at MTrilogix Inc., in Toronto, and president of the Toronto Oracle Users Group, said in an e-mail interview. "If a company does not have a coherent plan to manage database and application security [and many dont], 10g will make their lives miserable."

Indeed, the idea of adding a multitude of commodity Lintel (Linux/Intel) server grid nodes at a pop should be a daunting one to DBAs, said Aaron Newman, CTO and co-founder of Application Security Inc., in New York. "Theres a question that now that you have 50 grid computers rather than one grid computer, you have a little more work to lock down 50 instead of one," he said. "Which leads to the fact that you need to automate the process at this point. Theres an ever-growing need with 10g to automate and find tools to help you lock all these things down. Youre going to be dealing with a lot more systems."

Davidson said that such fears are groundless and that Oracles grid technology is inherently more secure than most enterprise infrastructures. "Grid natively in a way has some defensibility, because if a resource fails or is compromised, you have failover," she said. "Its transparent, and you can get other resources without having to unplug the box and cable everything.

"Another aspect of security is when we deliver our products, part of our overall release criteria is to make things secure by default," Davidson said. "Theres a construct of, Is it installed securely, and is it hardened properly?"

Other familiar security ghosts have been lurking in the halls of grid, such as the perennial problem of public privileges or grants. This long-standing security vulnerability ships with almost every major database, including Oracle, Microsoft Corp.s SQL Server and Sybase Inc. databases.

ASIs Newman said that his research shows the grants often harbor PL*SQL injection—executable code that can be maliciously exploited. The problem is, you cant just turn off the grants—particularly in a production environment—without running the risk of breaking something.

The specter of public grants rose once again at OracleWorld last week during a security panel that included Davidson, Newman and Gartner Inc. analyst John Pescatore. One audience member managed to stump the panel when he asked how he could turn off the grants in Oracle9i without breaking anything.

"The gentleman had obviously run [ASIs security scanning tool] and gotten those reports back," Newman said. "If he turns them off, it might break something. Even Oracle says, We dont know what will happen if you turn that off. Ninety-nine percent can be turned off without a problem. It depends on what youre running."


The use of PUBLIC is both a feature and a weakness, agreed Nancy Malpass, an Oracle DBA at Interstate Batteries System of America Inc., in Dallas, Texas. "The Public schema, synonyms, and public packages are necessary. Often they are mechanism that software vendors use to deploy their software on an Oracle database platform." she said.

Because application vendors dont develop to a specific platform, they have to take advantage, for example in installation scripts, of creating public names for the tables to avoid creating and managing complex database security. Hence, "public" gets used often by software vendors so users of the application can use the database, she said. "Thats one of the features of the database. Its "open". You can create a PL*SQL package, you can then grant access to anybody to run it. ... But if you have 3rd party applications in your Oracle databases, its a problem you have to deal with, and you have to rely on application security built into the 3rd party application."

Davidson admitted, during the panel, that public is a problem that Oracle is dealing with. But the Redwood Shores, Calif., company has been locking default configurations down further and further with each iteration, she said, and continues to look for ways to lock it down further.

Default accounts, used to install schemas and objects and to allow access to certain features, are reasonably easy to eliminate. Default privilege grants, on the other hand, are tough to get rid of, since they grant privileges to "public" users in partner products or custom applications.

9is database creation wizard locks some down but still leaves eight open if the GUI database creation tool is used. Six more default grants have been shut down in 10g, Davidson said, and Oracle is working to pin more down.

Why are databases shipped with default accounts in the first place? Because of issues with backwards compatibility, of the complexities of shutting something down without breaking something else, and of yanking rights away from customers who are used to them, Davidson said. "You cant do it instantaneously," she said. "Because of bootstrap and backwards compatibility, as a DBA, you just cant say, Oh, by the way, when you update, the Connect As DBA syntax doesnt work anymore.

"Thats the next big area in general for industry—secure by default. Partly its the issue of dependencies, partly its the inability to please all user groups at once, partly not everybody knows how everybody uses their products."

Another factor is the number of software vendors who rely on the drug-addict model, she said. In that scenario, software sellers roll out the red carpet to get developers hooked on their software. "They encourage people to have fun with demo scripts, and you have accounts open and sample Java pages to see the cool things you can do on their product," Davidson said. "You get the development community hooked and you want to make it easy on them. Then when people go into production, they want everything locked down. The challenge is that vendors cant have one size fits all."

Discuss this in the eWEEK forum.

Rocket Fuel