How to protect your sensitive data using Oracle Database Vault / Creating and Testing Realms, Part 2
Any measures taken for data security should also be considered at the database level, just as they are
at the hardware, network and operating system levels. Companies generally buy a firewall product and assume
that they have already solved their security problems. Research shows that although firewall products make it
possible to take measures against external attacks, they do not provide sufficient measures against internal
attacks. In particular, nothing is done to protect the data on the server where the database
operates. A user with DBA authority has every type of authority in the database and can
perform the same operations even when connecting from other computers, so the resulting security gaps should
be considered. A database administrator's access to all data is as much a disadvantage as his or her ability to
connect from other computers and perform the same operations, and is itself a security gap. Oracle Database Vault,
one of the security solutions of Oracle Database, may be recommended as an application that can assist in solving
the above-mentioned problems.
With the increased sophistication of attacks on data, the need to put more operational controls on the database is
greater than ever. Given the fact that most customers have a small number of DBAs to manage their databases, it
is very important to keep database security related tasks separate in their own dedicated database accounts.
Creating dedicated database accounts to manage database security helps customers prevent privileged DBA
accounts from accessing application data, restricts ad hoc database changes, and enforces controls over how,
when and where application data can be accessed. Oracle Database Vault provides security benefits to customers
even when they have a single DBA by:
Preventing hackers from using privileged users' accounts to steal application data
Protecting database structures from unauthorized and/or harmful changes
Enforcing controls over how, when and where application data can be accessed
Securing existing database environments transparently and without any application changes
Among the more common audit findings are unauthorized changes to database entitlements, including grants of
the DBA role, as well as new accounts and database objects. Preventing unauthorized changes to production
environments is important not only for security, but also for compliance, as such changes can weaken security and
open doors to hackers, violating privacy and compliance regulations. Oracle Database Vault SQL Command
Controls allow customers to control operations inside the database, including commands such as create table,
truncate table, and create user. Various out-of-the-box factors such as IP address, authentication method, and
program name help implement multi-factor authorization to deter attacks leveraging stolen passwords. These
controls prevent accidental configuration changes and also prevent hackers and malicious insiders from tampering
with applications. The Duty Separation feature of Oracle Database Vault creates three different responsibilities:
security administration on the database, account management and database administration.
The Security Administrator (Security Administration), the person responsible for security, is also the manager of
Oracle Database Vault. S/he is responsible for all security operations in the database. S/he may manage realms,
command rules and factors and may run Database Vault reports, but s/he may not access the
application data.
The Account Manager (Account Management) may create, delete and change user accounts.
The Database Administrator (Database Administration) has DBA functions such as backup/restoration, patch
application and performance management.
Oracle customers today still have hundreds and even thousands of databases distributed throughout the
enterprise and around the world. However, database consolidation will continue as a cost-saving strategy in the
coming years. The physical security provided by the distributed database architecture must be available in the
consolidated environment. Oracle Database Vault addresses the primary security concerns of database
consolidation.
First, it's important to understand the basic architecture of the application you wish to protect. For example, are
the objects associated with the application spread across multiple database schemas or are they contained in a
single database schema? This analysis should include all objects related to application data, including tables, views,
materialized views, and stored procedures. Identify the programs, processes, middle tier connections, database
users, and application administrators that interact with the application objects. Once this information is obtained,
the Oracle Database Realm definitions can be created and you can authorize who should be able to access
application data. Application end users typically access application data through the middle tier. Some legacy
applications may still use the client server architecture where end users have their own account in the database.
More sophisticated applications may have application specific processes that run on the server hosting the Oracle
Database.
Throughout this review, we used the Database Vault Administrator (DVA) console to administer Oracle
Database Vault. Using DVA, we created an HR Data Realm to protect human resources data. To set up this
realm with DVA, we first click Realms, then click Create, and then name and define the realm HR Data
Realm.
During the setup procedure, one of the main objectives was to ensure that users with high privileges were
not able to access HR data but could still administer the database containing the HR Data Realm. Once the realm
was named and enabled, we selected Audit on failure in order to send a notification if rules are violated. The objects
protected by the realm are referred to as Realm Secured Objects. For each object in the realm, the owner, object type
and name need to be specified. In this case, we used the wildcard (%) option to identify all objects owned by the HR user.
At this point in the setup procedure, the next step was to determine the controls on a privileged user, such as SYSTEM,
when that user accesses objects in the realm. In this case, the goal is that whenever SYSTEM or another privileged user
attempts to query an HR object, the result is a message saying that SYSTEM has insufficient privileges for this object.
Similarly, SYSTEM was not able to create objects in the HR Data Realm, and Oracle Database Vault returned a
violation notification.
We also ran queries as the HR user to determine what the owner of an object could do when a Secured Realm existed for
the objects they owned. We also ensured that no specific privileges had been granted within Oracle Database
Vault to HR at this point. By default, the owner of the object could only issue Data Manipulation Language
(DML) statements. Data Definition Language (DDL) could not be issued at this point.
Some employees will need authorization to modify the database as business needs dictate. After running the test
above, the user, HR, was added to the HR Data Realm using realm authorizations.
Once authorized, this user could issue any statement chosen, including DDL and DML statements.
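The realm setup and tests described above can also be scripted with the DBMS_MACADM PL/SQL API instead of the DVA console. The following is an added example, not part of the original document; the description text, the HR.EMPLOYEES table, the dv_probe table name and the choice of a participant (rather than owner) authorization are assumptions.

```sql
-- Run as the Database Vault security administrator (account with DV_OWNER or DV_ADMIN).
BEGIN
  -- Create and enable the realm; audit failed access attempts only ("Audit on failure").
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Protects human resources data',  -- assumed text
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- Realm secured objects: every object of every type owned by HR (wildcard %).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');
END;
/

-- Test 1, connected as SYSTEM: both statements must be rejected.
SELECT COUNT(*) FROM hr.employees;      -- expected: ORA-01031: insufficient privileges
CREATE TABLE hr.dv_probe (id NUMBER);   -- expected: realm violation error

-- Test 2, connected as HR before any realm authorization.
UPDATE employees SET salary = salary WHERE 1 = 0;  -- DML by the object owner is allowed
ROLLBACK;
CREATE TABLE dv_probe (id NUMBER);      -- DDL is rejected at this point

-- Back as the security administrator: authorize HR in the realm.
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Data Realm',
    grantee       => 'HR',
    rule_set_name => NULL,              -- no rule set: authorization always applies
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);  -- assumed option
END;
/

-- Test 3, connected as HR again: DDL now succeeds; remove the probe table afterwards.
CREATE TABLE dv_probe (id NUMBER);
DROP TABLE dv_probe;

-- Review who is authorized in the realm (run as the security administrator).
SELECT realm_name, grantee, auth_options
  FROM dvsys.dba_dv_realm_auth
 WHERE realm_name = 'HR Data Realm';
```

Each test block runs in a separate session as the user named in its comment; re-running Test 1 after the authorization step confirms that SYSTEM is still blocked.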
Thus privileged database accounts are one of the most commonly used pathways for gaining access to sensitive
application data in the database. While their broad and unrestricted access facilitates database maintenance, the
same access also creates a point of attack for gaining access to large amounts of data. Oracle Database Vault
Realms around application schemas, sensitive tables and stored procedures provide controls to prevent privileged
accounts from being exploited by hackers and insiders to access sensitive application data.
Source: Oracle® Database Vault Administrator's Guide 11g Release 2 (11.2)
https://docs.oracle.com/cd/B28359_01/server.111/b31222/dvintro.htm#DVADM001