Notes on the Oracle webinar "Label Based Access Controls in Oracle Database 11g" by Kamal Tbeileh.
- Business requirements
- Implementation challenges
- Oracle Label Security solution
The principal business requirements are data subsetting and multi-tenancy. The example given is subsetting data by country: US users can see and modify US data only, and similarly for other countries.
Multi-tenancy offers similar functionality to VPD (Virtual Private Database): different organisations can use the same physical database while their data stays separated at the logical level. Oracle Label Security is touted as superior because no coding is needed, unlike the FGAC (Fine Grained Access Control) policies used to implement VPD.
The challenges of implementing security, especially data subsetting and multi-tenancy, in applications are:
- Not in the original design of the application
- Application bypass (for example, power users and application support teams)
- Performance and scalability are difficult to achieve at the application layer, especially with the administration of groups
Oracle’s solution is to use the database kernel to enforce security policies.
Oracle Label Security
The recommended product is Oracle Label Security.
- Transparent through a hidden column
- Scalable through one-to-many mapping
- Extensible up to 9999 unique subsets
- Secure through the Oracle database kernel
The implementation cycle is:
- Create Label Security Policy
- Define Data Sub-Set Labels
- Identify Data Sub-Set Owners
- Apply Policy and Label Data Sets
- Enable Policy and Set Enforcement
The procedure is:
- Apply policy to application tables
- Customize enforcement based on requirements
- Enable policy enforcement
- Now users will see only their data subset
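The implementation cycle and procedure above, expressed with the OLS PL/SQL packages as an added example (not from the webinar); the policy, table, column and account names are assumed, and the label column is hidden as the webinar describes:

```sql
-- Run as the OLS policy administrator (LBACSYS or a user with LBAC_DBA).
-- Assumed names: policy COUNTRY_POL, table APP.ORDERS with a COUNTRY column,
-- and application accounts US_USER and AU_USER (constructed for illustration).

-- 1. Create the policy; HIDE keeps the label column invisible to the application.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'COUNTRY_POL',
    column_name     => 'COUNTRY_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,LABEL_DEFAULT,HIDE');
END;
/

-- 2. Define the data subsets: a single level plus one group per country.
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('COUNTRY_POL', 1000, 'PUB', 'Public');
  SA_COMPONENTS.CREATE_GROUP('COUNTRY_POL', 10, 'US', 'United States');
  SA_COMPONENTS.CREATE_GROUP('COUNTRY_POL', 20, 'AU', 'Australia');
  SA_LABEL_ADMIN.CREATE_LABEL('COUNTRY_POL', 1010, 'PUB::US');
  SA_LABEL_ADMIN.CREATE_LABEL('COUNTRY_POL', 1020, 'PUB::AU');
END;
/

-- 3. Identify subset owners: each account can read and write only its own group.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS('COUNTRY_POL', 'US_USER', 'PUB::US');
  SA_USER_ADMIN.SET_USER_LABELS('COUNTRY_POL', 'AU_USER', 'PUB::AU');
END;
/

-- 4. Apply the policy, then label the existing rows with enforcement paused
--    (the UPDATEs run as the table owner or a user with UPDATE on APP.ORDERS).
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY('COUNTRY_POL', 'APP', 'ORDERS');
  SA_POLICY_ADMIN.DISABLE_TABLE_POLICY('COUNTRY_POL', 'APP', 'ORDERS');
END;
/
UPDATE app.orders SET country_label = CHAR_TO_LABEL('COUNTRY_POL', 'PUB::US') WHERE country = 'US';
UPDATE app.orders SET country_label = CHAR_TO_LABEL('COUNTRY_POL', 'PUB::AU') WHERE country = 'AU';
COMMIT;

-- 5. Enable enforcement. Check: run the query as US_USER and only US rows appear;
--    LABEL_DEFAULT also stamps rows inserted by US_USER with PUB::US.
BEGIN
  SA_POLICY_ADMIN.ENABLE_TABLE_POLICY('COUNTRY_POL', 'APP', 'ORDERS');
END;
/
SELECT country, LABEL_TO_CHAR(country_label) AS lbl, COUNT(*) FROM app.orders GROUP BY country, country_label;
```

Rows left with a NULL label after step 4 are invisible to every account without the FULL privilege, so the count check in step 5 is also the place to catch data that was never labelled.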
It looks like Oracle is positioning Oracle Label Security against two (2) competitors: Java code for application security, and PL/SQL code for FGAC.
From the Oracle store, I got a quote for a four (4) processor perpetual licence for Oracle Label Security of AUD54,548.64 (including first year support). Apparently, I get a discount as well.
| Role | Seniority | Salary |
| --- | --- | --- |
| Developer – Java / J2EE | Senior | $120,000 |
Assuming that salary is about 50% of the total cost of a programmer, the first-year cost of Oracle Label Security on a four (4) processor server is equivalent to roughly three (3) months of a senior developer's time. This is the break-even point for a one-year payback period.
Since most of the cost falls in the first year, a longer payback period would correspond to a shorter amount of programmer time. Purchasing Oracle Label Security could therefore be a reasonable option for most organisations.