Educause Security Discussion mailing list archives
Re: ODBC Access to Oracle
From: Kevin Crider <kcrider () SKIDMORE EDU>
Date: Wed, 15 Aug 2018 16:41:39 +0000
I've gone from allowing to disallowing this...I don't recommend it, unless you have zero options. For us, the bad part was that the client was MS Access...which is simply not at all good to use as a front end to Oracle/Banner tables....security issues, performance issues, and risk of inadvertently changing data...I can speak to all those. You will also have to maintain the Oracle client, among other things, on every desktop. Oracle will apply the proper security based on whatever user is logged in through ODBC...but that's not Banner security either...so one of the problems will be when someone needs SATURN plus 4 General tables...how to do that, in a sustainable way, without giving them all of General... Kevin From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of George J. Silowash Sent: Wednesday, August 15, 2018 10:08 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] ODBC Access to Oracle Hello, I am currently researching the security implications of allowing ODBC access to an Oracle database, in particular, Ellucian Banner. I have a user requesting ODBC access to the Banner database. My gut feeling is to prohibit this access, but I need more information. Does anyone have best practices for implementing this? Or, what are the reasons for prohibiting access? I am most concerned about: -Data integrity -Access control of tables and fields -Accidental database denial of service (a query that is not constrained appropriately, etc.) Is Oracle security enforced on an ODBC connection? Some research on other applications implies that it is not. Any help or guidance would be greatly appreciated. Regards, George ---------------------------------------------------------------- George J. Silowash, MSIA, CISSP-ISSMP, CCFP, GCFE Chief Information Security Officer Norwich University 158 Harmon Drive Northfield VT 05663 http://www.norwich.edu
Current thread:
- ODBC Access to Oracle George J. Silowash (Aug 15)
- Re: ODBC Access to Oracle Steve Niedzwiecki (Aug 15)
- Re: ODBC Access to Oracle Thomas Carter (Aug 15)
- Re: ODBC Access to Oracle Theresa Rowe (Aug 15)
- Re: ODBC Access to Oracle Mahmud Rahman (Aug 15)
- Re: ODBC Access to Oracle Kevin Crider (Aug 15)
- Re: ODBC Access to Oracle Carrie Shumaker (Aug 17)