Information Security

Defending the digital infrastructure



Database Security: Oracle Database Vault

Oracle Database Vault



Price: Starts at $20,000 per CPU or $400 per user

Oracle Database Vault enables advanced separation of duty to help organizations meet compliance and data security business challenges.

While database administrators and engineers may be responsible for securing, managing, backing up and performance-tuning databases, they shouldn't need access to the data itself. Vault allows admins and application owners to manage databases and applications without accessing credit card numbers, customer information, company secrets, etc.

Installation/Configuration B+  
Set aside one morning to complete the installation; you'll be installing it on your current Oracle server (Oracle 9i R2, 10g and 11 are supported), and will need both system and database admin accounts--strong passwords are required. The configuration agent helps automatically configure the key components--adapter configurations, DNS name, host name and host file updates.

Security Features A  
User Realms ensure data protections are implemented properly. A Realm is similar to a database software firewall. Realms can be put around an entire application or a particular table within an application.

Vault uses two technology concepts to control application access, Command Rules and Factors. Factors are properties or elements--users, IP addresses, network ranges and specific databases--that can be included within Command Rules.

Vault implements Command Rules to control the execution of SQL commands, including Data Definition Language and Data Manipulation Language commands. This level of protection can be useful in locking down permissions and accessibility for application service accounts and internal users alike. For example, a rule could be created to disallow any application user from executing a CREATE DATABASE LINK command on a particular database, a command that is typically reserved for creating applications. Or, to thwart injection attacks, you might prohibit any application user or service account from running the SQL commands that such attacks depend on.
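The Realm, Factor and Command Rule concepts above, sketched with Oracle's DBMS_MACADM PL/SQL package as an added example that is not part of the original review. The schema HR_APP, table CUSTOMERS, service account HR_APP_SVC and address 192.0.2.10 are hypothetical, and the parameter lists are assumed to match the installed release.

```sql
-- Added example. Run as an account holding the DV_OWNER role.
BEGIN
  -- Realm around one sensitive table, logging violations (audit on failure).
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR App Data',
    description   => 'Keeps privileged accounts out of customer data',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR App Data',
    object_owner => 'HR_APP',        -- hypothetical schema
    object_name  => 'CUSTOMERS',     -- hypothetical table
    object_type  => 'TABLE');

  -- Rule built on the Client_IP factor: true only for the app server.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From HR App Server',
    rule_expr => 'DVF.F$CLIENT_IP = ''192.0.2.10''');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR App Server Only',
    description     => 'Session must originate from the app server',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Access allowed only from the application server',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'HR App Server Only',
    rule_name     => 'From HR App Server');

  -- The service account is authorized in the realm only when the rule set passes.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR App Data',
    grantee       => 'HR_APP_SVC',   -- hypothetical service account
    rule_set_name => 'HR App Server Only',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- Command Rule: the built-in 'Disabled' rule set always evaluates to false,
  -- so CREATE DATABASE LINK is refused for every schema.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CREATE DATABASE LINK',
    rule_set_name => 'Disabled',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```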

Auditing/Reporting B  
Each created Realm can include auditing, or in this case, event logging. If enabled, auditing comes in two flavors, audit on failure and audit on success or failure. The audit on failure option enables you to see who is attempting to break the rules/Realms, while the more robust audit on success or failure option will give you a picture of everyone who successfully or unsuccessfully attempts to conduct an operation that is protected by Vault.

While the reporting options are straightforward and somewhat effective, there is room for significant improvement if you intend to use these for daily operations. For instance, it would be beneficial to run operational reports within specific windows of time, or to correlate events across all databases throughout the enterprise.

Global reporting allows you to analyze results from the entire database. The auditor and executive reports include high-level statistics such as number of successes and failures as well as user permission reports. User reports and statistics can help you identify users, their corresponding roles and access levels.

Surprisingly mature for a first release, Oracle Database Vault may prove valuable for large environments that have made heavy investments in Oracle.

Testing methodology: We tested Oracle Database Vault on Oracle 10g with Red Hat Linux. All components of the application were tested, including user administration and application development.
