DB Security Research

Q: I wonder if proxy authentication and secure application roles are of any benefit in a business intelligence context....
A: Combining secure application roles with proxy authentication is a very useful technique that prevents users to direclty assume application roles. "Proxy authentication distinguishes between a middle tier creating a session on behalf of a user and the user connecting directly" and prevents the user from assuming the role when directly connected to the database.

The additional benefit of a secure application role is that it can count on additional security restrictions as the IP Address of the middle tier server or the original session assuming the role.

Another useful feature available through OCI, JDBC and thin JDBC is the use of client identifiers when the middle tier is configured to use connection pooling, this allows the middle tier to reuse connections while still being able to audit on behalf of which "CLIENT IDENTIFIER" (IP, Middle tier user. Not DB user) an operation is being executed.

Q: Which are Oracle 10g's main authentication mechanisms?
A:

• Database Authentication: The user account is created and administered in the Oracle database, which is automatically able to authenticate that user. This method works well for application users/roles and small user communities, as the number of user accounts is directly related to the DBA maintenance effort required.
• External Authentication: The user account is still maintained in the database but both password management and authentication are performed by an external entity/service. The main benefits of this method are the chance to provide a single sign-on capability and the wider array of authentication mechanisms available which enables the organization to leverage some user repositories already in place. Types of External Authentication include:

1. OS Authentication: Once validated by the OS an user would be able to gain access to the database trasparently and the authorization part would use the OS credentials to determine the privileges of the user. This method should not be recommended and requires extensive planning before it is rolled out.
2. Network Authentication: Requires that Oracle Advanced Security be enabled and configured to use third-party authentication mechanisms
   

• Global Authentication and Authorization: By using Enterprise Roles a central LDAP directory can be in charge of both centrally maintaining user accounts and their authorized privileges. This, to the limit of my knowledge, would require you to use Oracle Internet Directory which would be duplicated effort if you already have a directory server.
• Proxy Authentication and Authorization: More suited for multi-tier applications, it allows the database to distinguish between the privileges granted to the middle-tier and those of the end user of the application. See the Oracle Database Security Guide - 3.2 Recommended Application Design Practices to Reduce Risk for more information.
  

NOTE: If you end up using Oracle Advanced Security and the business requires a strong level of encryption it is always nice to incorporate SSL in your configuration (See also How SSL works with other authentication methods...).