Educause Security Discussion mailing list archives

Re: ODBC Access to Oracle


From: Thomas Carter <tcarter () AUSTINCOLLEGE EDU>
Date: Wed, 15 Aug 2018 14:57:28 +0000

It's been a number of years since I worked with Oracle, but I believe security is enforced on an ODBC connection; 
however I still believe it's a bad idea, especially for such a critical application. Back when I did deal with Oracle, 
only approved core applications could connect to critical databases, and only after all queries were signed off by an 
Oracle DBA. They may have gotten better, but Oracle was worse than Microsoft about the number of security holes and 
restricting what (hosts, applications, etc.) can connect to the database is a good security measure. The other big issue 
is bad queries, as you mentioned below. Also, keeping up with database users and their permissions can be a headache.

To meet this type of need, we had a data warehouse with summarized, sanitized, etc. data that users could ad-hoc query 
for their purposes without affecting the critical production databases. We sold it as a win-win by making the data 
easier to understand and query for end users. Of course this is a large project that won't be able to meet the needs of 
this user any time soon, but might be something to think about for the future.

Thomas Carter
Network & Operations Manager / IT
Austin College
900 North Grand Avenue
Sherman, TX 75090
Phone: 903-813-2564
http://www.austincollege.edu/

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of George J. 
Silowash
Sent: Wednesday, August 15, 2018 9:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ODBC Access to Oracle

Hello,

I am currently researching the security implications of allowing ODBC access to an Oracle database, in particular, 
Ellucian Banner.  I have a user requesting ODBC access to the Banner database. My gut feeling is to prohibit this 
access, but I need more information.

Does anyone have best practices for implementing this? Or, what are the reasons for prohibiting access? I am most 
concerned about:

-Data integrity
-Access control of tables and fields
-Accidental database denial of service (a query that is not constrained appropriately, etc.)

Is Oracle security enforced on an ODBC connection? Some research on other applications implies that it is not. Any help 
or guidance would be greatly appreciated.

Regards,
George
----------------------------------------------------------------
George J. Silowash, MSIA, CISSP-ISSMP, CCFP, GCFE
Chief Information Security Officer
Norwich University
158 Harmon Drive
Northfield VT 05663
http://www.norwich.edu
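The concerns raised across both messages (whether Oracle privileges hold on an ODBC session, limiting which tables and fields a user can see, preventing an unconstrained query from starving production, and restricting which hosts may connect) can all be addressed on the server side, where the client library is irrelevant. The block below is an added example written for this archive page; it is not from either poster, Ellucian, or Oracle documentation. It is Oracle SQL meant to be run as a DBA (the CREATE ANY VIEW and CREATE ANY TRIGGER privileges are needed), and every schema, table, column, user, password and IP address in it (app_owner.person, rpt, rpt_user, 10.20.30.40, and so on) is a hypothetical placeholder to be replaced with the real Banner objects.

```sql
-- Added example, not from the thread: least-privilege setup for an ad-hoc
-- ODBC user on Oracle. All object names below are hypothetical placeholders.

-- 1. Resource limits, so a runaway ad-hoc query is cut off by the server
--    rather than starving the production application. Profile resource
--    limits are only enforced while RESOURCE_LIMIT is TRUE.
ALTER SYSTEM SET resource_limit = TRUE SCOPE = BOTH;

CREATE PROFILE odbc_report_profile LIMIT
  SESSIONS_PER_USER        2
  CPU_PER_CALL             30000      -- hundredths of a second: 300 s per statement
  LOGICAL_READS_PER_CALL   2000000    -- blocks read per statement
  IDLE_TIME                30         -- minutes
  CONNECT_TIME             480        -- minutes
  FAILED_LOGIN_ATTEMPTS    5
  PASSWORD_LIFE_TIME       90;

-- 2. A dedicated account that owns nothing and can do nothing but log in.
CREATE USER rpt_user IDENTIFIED BY "replace-with-a-strong-password"
  PROFILE odbc_report_profile
  DEFAULT TABLESPACE users
  QUOTA 0 ON users;
GRANT CREATE SESSION TO rpt_user;

-- 3. A reporting schema that owns column- and row-restricted views, so the
--    ODBC user never touches base tables. The view owner needs a direct
--    (not role-based) SELECT on the base table WITH GRANT OPTION, otherwise
--    its views cannot be granted onward. app_owner.person stands in for the
--    application's own table.
CREATE USER rpt IDENTIFIED BY "replace-with-a-strong-password"
  QUOTA 0 ON users;
GRANT CREATE VIEW TO rpt;
GRANT SELECT ON app_owner.person TO rpt WITH GRANT OPTION;

CREATE OR REPLACE VIEW rpt.person_directory_v AS
  SELECT p.person_id,
         p.last_name,
         p.first_name,
         p.campus_email                  -- ssn, dob, etc. are simply not listed
    FROM app_owner.person p
   WHERE p.confidential_ind = 'N';       -- row filter on top of the column filter

-- 4. Privileges flow through a role, never directly to the user, and only
--    SELECT is granted, so the session cannot change data even by accident.
CREATE ROLE odbc_report_role;
GRANT SELECT ON rpt.person_directory_v TO odbc_report_role;
GRANT odbc_report_role TO rpt_user;

-- 5. In-database host allow-list: reject rpt_user from anything but the
--    approved reporting workstation (10.20.30.40 is a placeholder). A failed
--    AFTER LOGON trigger denies the login for users without
--    ADMINISTER DATABASE TRIGGER, which rpt_user does not have.
CREATE OR REPLACE TRIGGER rpt_user_source_check
AFTER LOGON ON DATABASE
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'RPT_USER'
     AND SYS_CONTEXT('USERENV', 'IP_ADDRESS') NOT IN ('10.20.30.40') THEN
    RAISE_APPLICATION_ERROR(-20001,
      'RPT_USER may only connect from the approved reporting host');
  END IF;
END;
/

-- 6. Verification from an ODBC session logged in as rpt_user. The server
--    enforces all of the above regardless of the client driver:
SELECT last_name, campus_email
  FROM rpt.person_directory_v
 WHERE ROWNUM <= 5;                                -- works
SELECT COUNT(*) FROM app_owner.person;             -- ORA-00942: table or view does not exist
UPDATE rpt.person_directory_v SET campus_email = NULL; -- ORA-01031: insufficient privileges
```

Two caveats a DBA will raise. First, CPU_PER_CALL and LOGICAL_READS_PER_CALL abort a statement only after it has already consumed its budget, so set them well below what would disturb production and, where the edition supports it, pair them with a Database Resource Manager plan that caps the consumer group rather than the individual call. Second, the logon trigger is an in-database backstop, not a substitute for the listener-level allow-list: TCP.VALIDNODE_CHECKING = YES together with TCP.INVITED_NODES in sqlnet.ora rejects unapproved hosts before any authentication takes place, which is the control the first reply's "restricting what hosts can connect" refers to.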


