
Oracle Security versus MySQL Security

Discussion in 'Server Administration and Options' started by tyro, Oct 8, 2008.

  1. tyro

    There are several aspects to Oracle security, and whole books have been written on the subject. The below only scratches the surface of what is available.

    The criteria upon which data is handled, and by specific people, are more sophisticated in Oracle RDBMS than in most other database technologies, including MySQL.

    As Oracle is still the database of choice amongst large corporations such as financial institutions, it is important that the security measures implemented are of the highest possible standard. This also includes provision of high security measures demanded by government legislation.

    Oracle provides sophisticated backup and recovery routines. Access to data is governed by a set of privileges. Users can be given the right to view, modify or create data depending on their particular role.

    The recent Oracle 11G release has addressed concerns over privacy, complaints and insider threats. It also complies with requirements specified by various financial bodies, on a worldwide basis.

    The Security concepts which need study are:

    1. The Oracle Database Vault:

    This is a new concept which allows highly privileged user access controls, and when, where and how applications, data and databases are accessed.

    2. Oracle Advanced Security Transparent Data Encryption (TDE)

    Oracle have also provided “Oracle Advanced Security Transparent Data Encryption (TDE)”, allowing the injection of sensitive data without any changes to existing application code.

    3. Audit Vault

    They have also introduced the Audit Vault, providing enterprise reporting, consolidation, alerting and protection of audit data.

    4. Transparent data encryption

    The transparent data encryption tool, introduced in 10G, encrypts and decrypts data when it is read back to an authorised user. Applications don't even have to be modified, and authorised users will be protected from the process by its transparency. They won't notice that it has been involved in an encryption process.

    Like I said, the above only scratches the Oracle Security features surface...
     
  2. tyro

    How does MySQL security compare to Oracle?

    Oracle has the advantage of years of experience in providing security at several levels for large organisations on a distributed level. Therefore MySQL cannot really be expected to compete on the same terms from a security perspective. However, in recent times Open Source products such as MySQL are becoming more popular, and are being used on a distributed, networked, basis.

    MySQL is becoming more sophisticated with its security offerings and has distributed versions providing security mechanisms, albeit not as sophisticated as the Oracle product.

    Access Controls List (ACL)

    MySQL bases its main security technique on an Access Controls List (ACL). It works by allowing different users to have varying levels of access to databases and tables, and the ability to perform operations, as permitted in their individual user profiles. Some users are allowed full privileges which allow all of the standard database operations such as SELECT, DELETE, UPDATE and INSERT. A user with limited privileges would only be able to use the SELECT operation. The level of access is determined by the DBA and the needs of the user.

    The MySQL system includes the hostname in identifying a specific user, to ensure similar user names on other hosts are not confused. This is particularly true of the internet, where it is highly likely users may have the same userid but on another host. This is also true of the privileges, which may be different for a user of the same name on a different host.

    The MySQL server performs its actions in the following order:

    Step 1: Check to see if the user can connect.
    Step 2: The security mechanism checks the statements coded by each user to ensure that appropriate privileges are provided and are sufficient for the user. For instance, if the user calls a “drop” statement a check is made to ensure the user is allowed to perform this action.

    If, during the process, any privileges are changed, these may not become operational immediately. The timing of the new privileges is dependent on the copy of the grant tables currently in memory.

    The grant tables can be amended by the DBA with appropriate “GRANT” or “REVOKE” commands. There are three types of tables used for access control in the MySQL database.

    These are the
    1. user,
    2. db and
    3. host tables.

    Once a connection is established, and effectively Step 1 has succeeded, the server ventures into step 2. This is where the operations to be performed by the user are determined. The user requests a specific operation. The server then looks at the privileges available and permits or denies the operation. The privileges come from the grant tables.

    When comparing Oracle security to the MySQL version there is a world of difference. Oracle has had years of experience, and has responded to changing security needs. In contrast, as good as MySQL is for an open source product, it would not be suitable for large corporations and the security aspects are still evolving.
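
The MySQL access-control steps described in the post above, as an added example that is not part of the original posts: the same user name on two hosts with different privileges, followed by the checks a DBA can run against the grant tables. The database `shop`, the account name `report`, the host address and the passwords are hypothetical placeholders.

```sql
-- Added example: `shop`, 'report', 10.0.0.5 and the passwords are
-- hypothetical placeholders, not values from the thread.

-- The host is part of the account identity, so these are two
-- separate accounts that happen to share a user name.
CREATE USER 'report'@'10.0.0.5' IDENTIFIED BY 'CHANGE_ME_1';
CREATE USER 'report'@'%'        IDENTIFIED BY 'CHANGE_ME_2';

-- Read/write on one database for the account on the known host.
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'report'@'10.0.0.5';

-- Read-only for the same user name connecting from any other host.
GRANT SELECT ON shop.* TO 'report'@'%';

-- Step 1 (connection): run this as the connected client.
-- USER() is the name and host the client presented;
-- CURRENT_USER() is the account row the server actually matched.
SELECT USER(), CURRENT_USER();

-- Step 2 (statement check): what each account is allowed to do.
-- Neither account holds DROP, so a DROP TABLE on shop.* is denied.
SHOW GRANTS FOR 'report'@'10.0.0.5';
SHOW GRANTS FOR 'report'@'%';

-- Tighten an account with REVOKE. A client that is already connected
-- picks up a database-level change at its next USE statement, not
-- in the middle of its current session state.
REVOKE DELETE ON shop.* FROM 'report'@'10.0.0.5';

-- Review the grant tables directly: database-level rows for `shop`.
SELECT User, Host, Db, Select_priv, Insert_priv,
       Update_priv, Delete_priv, Drop_priv
FROM mysql.db
WHERE Db = 'shop'
ORDER BY User, Host;

-- Review accounts that accept connections from any host.
SELECT User, Host
FROM mysql.user
WHERE Host = '%'
ORDER BY User;

-- Needed only when the grant tables were edited with INSERT, UPDATE
-- or DELETE instead of GRANT/REVOKE: reload the in-memory copy.
FLUSH PRIVILEGES;
```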