Educause Security Discussion mailing list archives

Re: ODBC Access to Oracle

From: Carrie Shumaker <shumakr () UMICH EDU>
Date: Fri, 17 Aug 2018 13:35:51 -0400

We do allow this at UM-Dearborn. It can be helpful for unique needs for
power users (Institutional Research, Registrar's Office, etc., that know
the data well and where it isn't worth writing a report.)

What I would recommend (we are working to get to this here since these
controls were not always in place):

1) Require VPN or a wired on campus connection for an ODBC connection
2) Do not allow updates from the ODBC connection (read only)
3) Throttle usage from an ODBC connection (I think we are throttling at 25%
database capacity)

I believe Oracle security is enforced on an ODBC connection.

On Wed, Aug 15, 2018 at 10:08 AM, George J. Silowash <gsilowas () norwich edu>
wrote:

Hello,



I am currently researching the security implications of allowing ODBC
access to an Oracle database, in particular, Ellucian Banner.  I have a
user requesting ODBC access to the Banner database. My gut feeling is to
prohibit this access, but I need more information.



Does anyone have best practices for implementing this? Or, what are the
reasons for prohibiting access? I am most concerned about:



-Data integrity

-Access control of tables and fields

-Accidental database denial of service (a query that is not constrained
appropriately, etc.)



Is Oracle security enforced on an ODBC connection? Some research on other
applications implies that it is not. Any help or guidance would be greatly
appreciated.



Regards,

George

----------------------------------------------------------------

*George J. Silowash, MSIA, CISSP-ISSMP, CCFP, GCFE*

*Chief Information Security Officer*

Norwich University

158 Harmon Drive
<https://maps.google.com/?q=158+Harmon+Drive+%0D%0A+Northfield+VT+05663&entry=gmail&source=g>

Northfield VT 05663
<https://maps.google.com/?q=158+Harmon+Drive+%0D%0A+Northfield+VT+05663&entry=gmail&source=g>

http://www.norwich.edu




-- 
Carrie Shumaker
Director of Information Technology, Strategy, and Operations
Chief Information Officer
University of Michigan - Dearborn
4901 Evergreen Road
Dearborn, MI 48128
Ph: 313-593-5113
shumakr () umich edu
umdearborn.edu

Current thread:

ODBC Access to Oracle George J. Silowash (Aug 15)
- Re: ODBC Access to Oracle Steve Niedzwiecki (Aug 15)
- Re: ODBC Access to Oracle Thomas Carter (Aug 15)
- Re: ODBC Access to Oracle Theresa Rowe (Aug 15)
  - Re: ODBC Access to Oracle Mahmud Rahman (Aug 15)
- Re: ODBC Access to Oracle Kevin Crider (Aug 15)
- Re: ODBC Access to Oracle Carrie Shumaker (Aug 17)