Security of Enterprise-Wide Client-Server Oracle Systems
Date: Wed, 13 Oct 1993 20:09:26 GMT
Message-ID: <1993Oct13.200926.26765_at_bnr.ca>
- HP-UX Oracle (70%), Sun Oracle (15%), Motorola Oracle (5%), and HP-UX Informix (10%) servers
- Mac (60%), Unix (20%), and Windows (20%) clients
I have broadly categorized alternative approaches as follows:
- Use Oracle Stored Procedures throughout, ensuring that the client application has execute only privileges on these procedures and must pass authentication parameters to each procedure. Under this alternative, the client application can login as a 'guest' as it must access all data through OSPs.
- Establish an Oracle 'security' database which maintains a unique Oracle userid for every potential user (i.e. every employee). Under this alternative, the client application logs in on behalf of the current user. Does anyone have any experience in managing 20-100K registered users under Oracle? I had once rejected this out of hand, but it might be practical.
- Buy SecurID (or build equivalent) to provide dynamic password generation. Under this alternative, security of login transaction is not an issue as login password expires every 60 seconds.
Is anyone out there working on voice print authentication? I know that this is used forensically in law enforcement; is anyone using this proactively, to secure access to real property and data?
I will be developing these alternative ideas in greater detail and would appreciate any experience, expertise, or insight that you could share. We already have very good overall systems security but are keen on architecting an elegant solution that is performance-oriented, flexible and scalable.
Please feel free to reply by mail, news, phone or fax as appropriate.
Jason Lisenchuk
Enterprise Management Systems
Northern Telecom Limited
<hris_at_bnr.ca>
Voice +1 905/452-2188
Fax +1 905/452-2298
Received on Wed Oct 13 1993 - 21:09:26 CET
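
Added example, not part of the original post and not SecurID's proprietary algorithm: a server-side check for the "build equivalent" option, using the open HOTP/TOTP construction (RFC 4226 / RFC 6238) with a 60-second step as a stand-in. The secret, the names `otp_at` and `OtpVerifier`, and the drift window are assumptions for illustration; the point shown is that a code must be refused on replay inside its 60-second window as well as after it expires.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # password lifetime quoted in the post
DIGITS = 6         # assumed code length


def otp_at(secret: bytes, unix_time: int) -> str:
    """Code for the 60-second window containing unix_time (RFC 4226 truncation)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class OtpVerifier:
    """Per-user verifier: accepts each time window at most once."""

    def __init__(self, secret: bytes, drift_steps: int = 0):
        self.secret = secret
        self.drift_steps = drift_steps  # extra windows tolerated for clock skew
        self.last_used_counter = -1     # highest window already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP_SECONDS
        for counter in range(now - self.drift_steps, now + self.drift_steps + 1):
            if counter < 0 or counter <= self.last_used_counter:
                continue  # window already used: a captured code cannot be replayed
            expected = otp_at(self.secret, counter * STEP_SECONDS)
            # constant-time comparison avoids leaking matching digits via timing
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_used_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed sample (the RFC 4226 test key)
    verifier = OtpVerifier(secret)
    code = otp_at(secret, 30)
    print("first use  :", verifier.verify(code, 30))   # accepted
    print("replay     :", verifier.verify(code, 45))   # same window, refused
    print("after 60 s :", verifier.verify(code, 60))   # expired, refused
    print("next code  :", verifier.verify(otp_at(secret, 60), 60))
```

With `drift_steps` above zero a code stays acceptable for correspondingly longer than 60 seconds, so the replay check is what keeps a captured code from being reused.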