Oracle Database Vault

Security : Oracle Database Vault


Oracle Database Vault restricts access to specific areas in an Oracle database from any user, including users who have administrative access. For example, you can restrict administrative access to employee salaries, customer medical records, or other sensitive information.
This enables you to apply fine-grained access control to your sensitive data in a variety of ways. It hardens your Oracle Database instance and enforces industry standard best practices in terms of separating duties from traditionally powerful users.
Oracle Database Vault thereby addresses common regulatory compliance requirements and reduces the risk of insider threats. Its key capabilities are:
  • Preventing highly privileged users (DBAs) from accessing application data.
  • Enforcing separation of duty (a DBA can't create users or view application data).
  • Providing controls over who, when, where and how applications, data and databases can be accessed.
  • It can be added to existing application environments without changes to the existing application code.
For consulting people, let's try to understand the three most important security concepts Database Vault introduces.
1) Realms - These are boundaries within the Oracle database that act like a firewall to prevent privileged users from using their special privileges to access application data.
The realms can be used to protect an entire application or a specific set of tables within an application, providing highly flexible and adaptable security enforcement.
In the following diagram the DBA has been denied access to the application data, in spite of holding special privileges.
[Diagram: Oracle Database Vault realm denying the DBA access to application data]
2) Command Rules - Security rules that control SQL commands such as creating, dropping and altering tables inside the database and decide whether a given command is allowed or blocked.
Factors - Command rules can also reference out-of-the-box factors such as IP address, authentication method and program name.
In the diagram below, Database Vault has denied access because the application was accessed from the wrong IP address or with the wrong tool.
[Diagram: Oracle Database Vault command rule denying access based on client IP address and program name]
3) Separation of duty - Oracle Database Vault systematically separates DBA duties to strengthen security controls and helps satisfy requirements found in many regulations.
Out of the box, Database Vault creates the following three distinct responsibilities within the database:
  • Account Management: A user with the account management responsibility can create, drop, or modify database users.
  • Security Administration: A security administrator can manage realms, command rules, factors etc., but is prevented from self-authorizing access to secured business data.
  • Database Administration: The database administration responsibility enables a user to continue performing normal management and maintenance, such as backup and recovery, without having access to secured business data.
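As an added example (not code from the post, and not Oracle's own documentation sample), here is how the three concepts above are wired together with the DBMS_MACADM API: a realm around salary data, and a command rule whose rule set uses the built-in Client_IP factor. It assumes an HR schema with an EMPLOYEES table, an HR_APP application owner, an admin subnet 10.20.30.0/24, and that it is run by a user holding the DV_OWNER role.

```sql
-- Added example (not from the post). Assumed names: schema HR, table EMPLOYEES,
-- app owner HR_APP, admin subnet 10.20.30.0/24; run as a DV_OWNER-role user.
-- 1) Realm: objects inside it are shielded from SELECT ANY TABLE and the like.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Payroll Realm',
    description   => 'Protects salary data from privileged database users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- audit denied attempts
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Payroll Realm',
    object_owner => 'HR',
    object_name  => 'EMPLOYEES',
    object_type  => 'TABLE');
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Payroll Realm',
    grantee       => 'HR_APP',   -- app owner only; DBA accounts are not listed
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/
-- 2) Command rule: ALTER TABLE on HR.EMPLOYEES only from the admin subnet (Client_IP factor).
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From Admin Subnet',
    rule_expr => q'[DVF.F$CLIENT_IP LIKE '10.20.30.%']');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Admin Subnet Only',
    description     => 'True only for sessions from the admin subnet',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'ALTER TABLE on payroll data only from the admin subnet',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Admin Subnet Only',
    rule_name     => 'From Admin Subnet',
    rule_order    => 1);
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'ALTER TABLE',
    rule_set_name => 'Admin Subnet Only',
    object_owner  => 'HR',
    object_name   => 'EMPLOYEES',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

With this in place, a DBA's SELECT against HR.EMPLOYEES is rejected by the realm and written to the Database Vault audit trail, and an ALTER TABLE from outside the admin subnet fails with the rule set's message even for HR_APP.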
Therefore, Oracle Database Vault is an integral component of enterprise security. Typically, companies configure Oracle Database Vault to manage the security of an individual Oracle Database instance.



