Published: 01 Sep 2007
Oracle Database Vault
REVIEWED BY JAMES C. FOSTER
Price: Starts at $20,000 per CPU or $400 per user
Oracle Database Vault enables advanced separation of duty to help organizations meet compliance and data security business challenges.
While database administrators and engineers may be responsible for securing, managing, backing up and performance tuning, they shouldn't need access to data. Vault allows admins and application owners to manage databases and applications without accessing credit card numbers, customer information, company secrets, etc.
Vault uses two technology concepts to control application access: Command Rules and Factors. Factors are properties or elements--users, IP addresses, network ranges and specific databases--that can be included within Command Rules.
Vault implements Command Rules to control the execution of SQL commands, including both Data Definition Language and Data Manipulation Language commands. This level of protection can be useful in locking down permissions and accessibility for application service accounts and internal users alike. For example, a rule could be created to disallow any application user from executing a CREATE DATABASE LINK command on a particular database, a command that is typically reserved for application creation. Or, you might prohibit any application user or service account from leveraging SQL INJECT commands to thwart injection attacks.
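The CREATE DATABASE LINK restriction described above, tied to a Factor, could be configured as follows. This is an added example, not code from the review or from Oracle; it assumes the DBMS_MACADM package and the default Client_IP factor of Database Vault, and the rule names, message and IP address are constructed.

```sql
-- Added example: rule and rule set names and the address 192.0.2.10 are constructed.
-- Run as a Database Vault owner (an account holding the DV_OWNER role).
BEGIN
  -- Rule: true only when the Client_IP factor matches the designated admin host.
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'Session from admin host',
    rule_expr => 'DVF.F$CLIENT_IP = ''192.0.2.10''');

  -- Rule set: every rule must pass; failed attempts are audited and the
  -- caller sees the custom error instead of the command running.
  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Trusted admin host only',
    description     => 'Allow the guarded command only from the admin host',
    enabled         => DVSYS.DBMS_MACUTL.G_YES,
    eval_options    => DVSYS.DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DVSYS.DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DVSYS.DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'CREATE DATABASE LINK is restricted on this database',
    fail_code       => 20461,
    handler_options => DVSYS.DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Trusted admin host only',
    rule_name     => 'Session from admin host');

  -- Command Rule: CREATE DATABASE LINK by any owner, on any object name,
  -- is allowed only when the rule set above evaluates to true.
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CREATE DATABASE LINK',
    rule_set_name => 'Trusted admin host only',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DVSYS.DBMS_MACUTL.G_YES);
END;
/

-- Confirm the command rule is in place and enabled.
SELECT command, rule_set_name, object_owner, object_name, enabled
  FROM dvsys.dba_dv_command_rule
 WHERE command = 'CREATE DATABASE LINK';
```

Because the rule set audits failures, blocked attempts from application or service accounts also appear in the Database Vault audit reports.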
While the reporting options are straightforward and somewhat effective, there is room for significant improvement if you intend to use these for daily operations. For instance, it would be beneficial to run operational reports within specific windows of time, or to correlate events across all databases throughout the enterprise.
Global reporting allows you to analyze results from the entire database. The auditor and executive reports include high-level statistics such as the number of successes and failures, as well as user permission reports. User reports and statistics can help you identify users, their corresponding roles and access levels.
Testing methodology: We tested Oracle Database Vault on Oracle 10g with Red Hat Linux. All components of the application were tested, including user administration and application development.