Oracle Database Vault provides powerful security controls that protect application data from unauthorized access and help meet privacy and regulatory requirements. Controls can be configured to block privileged account access to application data and to restrict sensitive operations inside the database using multi-factor authorization. The security of existing application data can be strengthened by analyzing the roles and access granted to users. Oracle Database Vault also secures existing database environments transparently, without costly and time-consuming application changes.
Oracle Database Vault blocks access to specific areas of an Oracle database for any type of user, including users with administrative access. With Database Vault, you can restrict access to customer medical records, employee salaries, or any other sensitive information. This lets you apply clear access control to your sensitive data in several ways. It hardens your Oracle database instance and enforces industry-standard best practices by separating duties away from traditionally powerful users. Most importantly, Database Vault not only protects your data from super-privileged users but also still allows them to maintain your Oracle databases.
Here you will learn:
- Controls for Privileged Accounts
- Controls for Database Configuration
- Components of Oracle Database Vault
- How Oracle Database Vault Addresses Compliance Regulations
- How Oracle Database Vault Allows for Flexible Security Policies
Controls for Privileged Accounts
Privileged database accounts are among the most commonly used accounts for gaining access to important application data in the database. While their broad, unrestricted access lets them maintain the database, the same access also creates a point of attack that exposes large amounts of data. Oracle Database Vault realms around application schemas, important tables, and stored procedures provide controls that prevent privileged accounts from being exploited by hackers and intruders to reach sensitive application data.
Controls for Database Configuration
Among the more common security breaches are unauthorized changes to database entitlements, including grants of the DBA role, as well as new accounts and database objects. Preventing unauthorized changes to production environments is important not only for security but also for compliance, since such changes can weaken security, open a path for intruders or hackers, and violate privacy and compliance regulations.
Oracle Database Vault SQL command controls allow customers to control operations inside the database, including commands such as creating or dropping a table, creating a user, and many more. External factors such as the client IP address, authentication method, and program name can be combined into multi-factor authorization, reducing the impact of attacks that rely on stolen passwords. These controls prevent accidental configuration changes and also prevent hackers and malicious insiders from changing the application data.
Oracle Database Vault, together with Oracle Database 12c, introduces Mandatory Realm controls, which let customers block access to application objects even from users holding direct object grants and even from the object owner. This is useful when support staff must access the application schema directly as the application owner. Mandatory realms can be enabled at runtime in response to a cyber threat, preventing all access until the threat has been detected and analyzed.
Components of Oracle Database Vault
- Oracle Database Vault Access Control Components
Oracle Database Vault enables you to create the following components:
Realms: A realm is a functional grouping of database schemas, objects, and roles that must be secured.
Command rules: A command rule is a special rule that you can create to control how users can execute almost any SQL statement, including SELECT, ALTER SYSTEM, data definition language (DDL), and data manipulation language (DML) statements.
Factors: A factor is a named variable or attribute, such as a user location, database IP address, or session user.
Rule sets: A rule set is a collection of one or more rules that you can associate with a realm authorization, command rule, factor assignment, or secure application role.
- Oracle Database Vault Administrator (DVA)
Oracle Database Vault Administrator is a Java application that is built on the Oracle Database Vault PL/SQL API. This application allows security managers who are not proficient in PL/SQL to configure the access control policies through a user-friendly interface. Oracle Database Vault Administrator provides an extensive collection of security-related reports that assist in understanding the baseline security configuration.
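The realm and mandatory realm controls described above, as an added example written for this page (it is not code from the page or from Oracle's documentation). It uses the DBMS_MACADM PL/SQL API that Database Vault Administrator wraps, and assumes a session connected as the Database Vault owner; the HR schema, the SALARIES and EMPLOYEES tables and the HR_APP account are constructed names.

```sql
-- Added example: place HR's compensation tables in a mandatory realm so that
-- SELECT ANY TABLE, a direct object grant, and even the HR schema owner are
-- blocked unless the session is an authorized realm participant.
-- Assumes: connected as the Database Vault owner; HR/SALARIES/EMPLOYEES/HR_APP
-- are constructed names. realm_type => 1 marks the realm as mandatory.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Salary Realm',
    description   => 'Protects employee compensation data from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,   -- audit blocked attempts
    realm_type    => 1);                               -- 0 = regular, 1 = mandatory

  -- Objects the realm protects. Each entry is owner + object + type.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Salary Realm',
    object_owner => 'HR',
    object_name  => 'SALARIES',
    object_type  => 'TABLE');
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Salary Realm',
    object_owner => 'HR',
    object_name  => 'EMPLOYEES',
    object_type  => 'TABLE');

  -- Only the application account may use the data. A NULL rule set means the
  -- authorization is unconditional; a rule set could further limit it by
  -- factors such as client IP or time of day.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Salary Realm',
    grantee       => 'HR_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Verify what the realm now protects and who is authorized.
SELECT owner, object_name, object_type
  FROM dba_dv_realm_object
 WHERE realm_name = 'HR Salary Realm';
SELECT grantee, auth_rule_set_name, auth_options
  FROM dba_dv_realm_auth
 WHERE realm_name = 'HR Salary Realm';
```

After this, a DBA running `SELECT * FROM hr.salaries` receives ORA-01031 (insufficient privileges), and the failed attempt is recorded in the Database Vault audit trail.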
How Oracle Database Vault Addresses Compliance Regulations
One of the biggest benefits of regulatory compliance has been increased security awareness.
Historically, the focus of the IT department has been on performance and availability. The focus on regulatory compliance has pushed everyone to take a step back and look at their IT infrastructure, databases, and applications from a security angle.
Some of the common questions asked when addressing compliance regulations include:
Where is the sensitive information stored?
Who has access to this information?
Compliance regulations such as the following:
Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act (HIPAA),
International Convergence of Capital Measurement and Capital Standards,
Japan Privacy Law, Payment Card Industry Data Security Standard (PCI DSS),
European Union Directive on Privacy and Electronic Communications.
All of the above share common requirements, including internal controls, separation of duty, and access control.
While most of the changes required by regulations such as Sarbanes-Oxley and HIPAA are procedural in nature, the remainder require some technology investment. A security need common to these regulations is strict internal controls.
How Oracle Database Vault Allows for Flexible Security Policies
Oracle Database Vault allows a user to design flexible security policies for their database.
For instance, any database user who holds the Database Administrator role can modify basic parameters and make changes in a database. For example, an inexperienced administrator who has system privileges wants to start a new redo log file but does not understand that doing so at a particular time may cause problems for the database. With Oracle Database Vault, you can create a command rule that prevents this user from making such a change by limiting his or her use of the ALTER SYSTEM SWITCH LOGFILE statement. Furthermore, you can attach rule sets to the command rule to restrict the activity further, such as limiting the statement's execution in the following ways:
By time (for example, only from 8 p.m. to 9 a.m. on Wednesday mornings)
By local access only, that is, not remotely
By IP address (for example, allowing the action only from a specified range of IP addresses)
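The command rule and rule set described above, as an added example written for this page (not code from the page or from Oracle's documentation). It assumes a session connected as the Database Vault owner; the Wednesday 08:00 to 09:59 window, the 10.0.5.% administrative subnet and every rule and rule-set name are constructed for illustration.

```sql
-- Added example: allow ALTER SYSTEM only inside a maintenance window and only
-- from a local (bequeath) connection or an administrative subnet.
-- Assumes the Database Vault owner session; window, subnet and names are constructed.
BEGIN
  -- Rule 1: calendar window. NLS_DATE_LANGUAGE is pinned so 'WED' is stable
  -- regardless of the session's language settings.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Wednesday Maintenance Window',
    rule_expr => q'[TO_CHAR(SYSDATE,'DY','NLS_DATE_LANGUAGE=ENGLISH') = 'WED'
                    AND TO_CHAR(SYSDATE,'HH24') BETWEEN '08' AND '09']');
  -- Rule 2: local session (bequeath protocol, no network listener involved)
  -- or a client address inside the constructed admin subnet.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Local Or Admin Subnet',
    rule_expr => q'[SYS_CONTEXT('USERENV','NETWORK_PROTOCOL') = 'beq'
                    OR SYS_CONTEXT('USERENV','IP_ADDRESS') LIKE '10.0.5.%']');

  -- Rule set: every rule must pass (EVAL_ALL). Failures are audited and the
  -- caller sees the custom message rather than a generic error.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Log Switch Allowed',
    description     => 'Restricts when and from where ALTER SYSTEM may run',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'ALTER SYSTEM is only permitted locally during the maintenance window',
    fail_code       => -20010,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Log Switch Allowed', rule_name => 'Wednesday Maintenance Window');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Log Switch Allowed', rule_name => 'Local Or Admin Subnet');

  -- Command rule: Database Vault evaluates the rule set before the statement
  -- executes, so a DBA outside the window gets the fail_message above.
  -- '%' for owner and object because ALTER SYSTEM is not bound to an object.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER SYSTEM',
    rule_set_name => 'Log Switch Allowed',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Confirm the command rule is in place and enabled.
SELECT command, rule_set_name, enabled FROM dba_dv_command_rule
 WHERE command = 'ALTER SYSTEM';
```

This governs ALTER SYSTEM as a whole; releases whose CREATE_COMMAND_RULE accepts a clause argument can narrow it to the SWITCH LOGFILE clause alone.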