The Oracle Database Vault security controls protect application data from unauthorized access and help you comply with privacy and regulatory requirements.
You can deploy controls to block privileged account access to application data and control sensitive operations inside the database using trusted path authorization.
Oracle Database Vault helps you increase the security of existing applications by applying least-privilege best practices. Oracle Database Vault secures existing database environments transparently, eliminating costly and time-consuming application changes.
Controls for Privileged Accounts
Privileged database accounts are one of the most commonly used pathways for gaining access to sensitive applications data in the database.
While their broad and unrestricted access facilitates database maintenance, the same access also creates a point of attack for gaining access to large amounts of data. Oracle Database Vault realms around application schemas, sensitive tables, and stored procedures provide controls to prevent privileged accounts from being exploited by intruders and insiders to access sensitive application data.
Fig. 1: Oracle Database Vault Realm Blocking DBA Access to Data
Controls for Database Configuration
Common audit findings are unauthorized changes to database entitlements and grants of the DBA role to too many users.
Preventing unauthorized changes to production environments is important not only for security but also for compliance, because such changes can weaken security and open doors to intruders, violating privacy and compliance regulations. Oracle Database Vault SQL command rules enable you to control operations inside the database, including commands such as TRUNCATE TABLE and DROP TABLE. Various out-of-the-box factors, such as IP address, authentication method, and program name, help implement trusted path authorization to deter attacks that leverage stolen passwords. These controls prevent accidental configuration changes and also prevent hackers and malicious insiders from tampering with applications.
Oracle Database Vault realms in mandatory mode enable you to seal off access to application objects, even from users with direct object grants, including the object owner. With mandatory realms, you do not need to analyze who has access, because this is clear from the list of authorized users.
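The following PL/SQL block is an added example, not code from the page or from Oracle, showing how the controls described above fit together with the DBMS_MACADM API: a mandatory realm around an application schema, a rule set built from the default CLIENT_IP and AUTHENTICATION_METHOD factors, and command rules that gate DROP TABLE and TRUNCATE TABLE on that rule set. The schema APPDATA, the service account APPDATA_SVC, and the admin host address 10.0.0.5 are constructed values.

```sql
-- Added example, not from the page: seal the constructed APPDATA schema in a mandatory
-- realm and allow DROP TABLE / TRUNCATE TABLE only along a trusted path. Run as DV_OWNER.
-- APPDATA, APPDATA_SVC and 10.0.0.5 are constructed names/values.
BEGIN
  -- 1. Mandatory realm: blocks even direct object grants and the schema owner itself.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'APPDATA Realm',
    description   => 'Application schema sealed off from privileged accounts',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    realm_type    => 1);  -- 1 = mandatory realm, 0 = regular realm
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'APPDATA Realm',
    object_owner => 'APPDATA',
    object_name  => '%',
    object_type  => '%');
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'APPDATA Realm',
    grantee       => 'APPDATA_SVC',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
  -- 2. Trusted path from default factors: client IP (assumed jump host) and auth method.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From Admin Host With Password',
    rule_expr => q'[DVF.F$CLIENT_IP = '10.0.0.5' AND DVF.F$AUTHENTICATION_METHOD = 'PASSWORD']');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Trusted Admin Path',
    description     => 'DDL allowed only from the admin jump host',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'DDL on APPDATA denied outside the trusted path',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Trusted Admin Path',
    rule_name     => 'From Admin Host With Password');
  -- 3. Command rules: the DDL runs only when the rule set evaluates to true.
  FOR cmd IN (SELECT 'DROP TABLE' c FROM dual UNION ALL
              SELECT 'TRUNCATE TABLE' FROM dual) LOOP
    DBMS_MACADM.CREATE_COMMAND_RULE(
      command       => cmd.c,
      rule_set_name => 'Trusted Admin Path',
      object_owner  => 'APPDATA',
      object_name   => '%',
      enabled       => DBMS_MACUTL.G_YES);
  END LOOP;
END;
/
```

Because the realm is mandatory, the schema owner APPDATA is itself blocked from its objects unless it is also added as a realm participant; the realm does not grant object privileges, it only stops them from being exercised by unauthorized accounts.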
Application-specific Oracle Database Vault protection policies and guidelines are available for major enterprise applications.
These enterprise applications include Oracle Fusion Applications, Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel, Oracle Financial Services (i-Flex), Oracle Primavera, SAP, and Finacle from Infosys. Because Oracle Database Vault neither modifies the application nor requires changes to the client, you can use it with most off-the-shelf and custom applications.
Oracle Database Vault provides database roles that enable different users to perform specific tasks, based on separation-of-duty guidelines.
The most commonly used roles are as follows:
DV_ADMIN enables you to create and manage Database Vault policies.
DV_ACCTMGR enables you to manage user accounts.
When you configure and enable Oracle Database Vault, the DV_OWNER role is granted to a user who must exist before you begin the configuration process, and the DV_ACCTMGR role is granted to a second, optional user, who must also exist before configuration. You can grant the Database Vault roles to other users, but ensure that these users are trusted.
During the registration process, you must create backup accounts for the DV_ACCTMGR users. As a best practice, Oracle strongly recommends that you keep and maintain these backup accounts.
Oracle Database Vault has a set of components that include PL/SQL packages and other special tools.