Re: ODBC Access to Oracle

[Kevin Crider <kcrider () SKIDMORE EDU>]

I've gone from allowing to disallowing this...I don't recommend it, unless you have zero options.

For us, the bad part was that the client was MS Access...which is simply not at all good to use as a front end to 
Oracle/Banner tables....security issues, performance issues, and risk of inadvertently changing data...I can speak to 
all those.

You will also have to maintain the Oracle client, among other things, on every desktop.
Oracle will apply the proper security based on whatever user is logged in through ODBC...but that's not Banner security 
either...so one of the problems will be when someone needs SATURN plus 4 General tables...how to do that, in a 
sustainable way, without giving them all of General...


Kevin



From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of George J. 
Silowash
Sent: Wednesday, August 15, 2018 10:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] ODBC Access to Oracle

Hello,

I am currently researching the security implications of allowing ODBC access to an Oracle database, in particular, 
Ellucian Banner.  I have a user requesting ODBC access to the Banner database. My gut feeling is to prohibit this 
access, but I need more information.

Does anyone have best practices for implementing this? Or, what are the reasons for prohibiting access? I am most 
concerned about:

-Data integrity
-Access control of tables and fields
-Accidental database denial of service (a query that is not constrained appropriately, etc.)

Is Oracle security enforced on an ODBC connection? Some research on other applications implies that it is not. Any help 
or guidance would be greatly appreciated.

Regards,
George
----------------------------------------------------------------
George J. Silowash, MSIA, CISSP-ISSMP, CCFP, GCFE
Chief Information Security Officer
Norwich University
158 Harmon Drive
Northfield VT 05663
http://www.norwich.edu