Database Vault
Jarosław Jóźwiak
Presented at Oracle Security Summit 2011 (slide deck)
What we hear from our customers... Protecting Access to Application Data
- "Legal says our DBA should not be able to read financial records, but the DBA needs to access the database to do her job. What do we do?"
- "Our SOX auditors require that we separate account creation from granting privileges to accounts."
- "No user should be able to bypass our application to access information in the database directly."
- "New DBAs should not be able to make database changes without a senior DBA being present."
Privacy and Regulatory Compliance: Data Security Challenges
- Protecting access to application data
- Data encryption
- Database monitoring
- De-identifying information for sharing
- Data classification
Oracle Database Security Solutions for Privacy and Compliance
- Database Vault
- Advanced Security
- Configuration Management
- Secure Backup
- Total Recall
- Label Security
- Audit Vault
- Data Masking
Oracle Database Vault: Feature Overview
- Controls on privileged users: restricts privileged users from accessing application data; enforces separation of duty
- Real-time access controls: controls access based on IP address, authentication method, time of day, ...
- Transparency: no changes to applications required
Components layered on an existing Oracle Database: Protection Realms, Multi-Factor Authorization, Realm Violation Reports, Separation of Duty, Command Rules
Oracle Database Vault: Protection Realms
- Security firewalls: stop the SELECT ANY, UPDATE ANY, DELETE ANY, INSERT ANY and EXECUTE ANY system privileges from reaching protected objects (a realm blocks system privileges; an object privilege granted directly on a protected table still works unless the grant itself is prevented)
- Protect a single object or an entire application schema, including tables, views, roles, functions, stored procedures, ...
- Audit blocked access attempts
- Easily applied: define using the web interface or the API; protected objects can be specified by schema, object type and wildcard
- Low performance overhead: 1-5%
Oracle Database Vault: Protection Realms (example)
Two realms on one consolidated server: an HR Realm around the HR schema (used by the HR App) and a FIN Realm around the Fin schema (used by the FIN App).
- A database DBA issuing "select * from HR.emp" is stopped from viewing HR data: compliance and protection from insiders
- The HR App is stopped from viewing Fin data: eliminates security risks from server consolidation
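The HR Realm from the slide, built with the DBMS_MACADM API rather than the web interface. This is an added example, not code from the deck or from Oracle; it assumes the Oracle Database Vault 11g package and constant names, a schema HR (named on the slide) and a hypothetical application account HR_APP, and it is run as a user holding DV_OWNER.

```sql
-- Added example (not from the slides): protect the HR schema with a realm.
-- Assumed: Oracle Database Vault 11g API names; schema HR from the slide;
-- the application account HR_APP is hypothetical. Run as a DV_OWNER user.
BEGIN
  -- Create the realm and audit every blocked attempt, which is what feeds
  -- the realm violation report.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects HR application data from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- Protect the whole schema: owner HR, every object name, every object
  -- type. '%' is the wildcard the slide refers to; a single table would be
  -- object_name => 'EMP', object_type => 'TABLE'.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- Authorize the application account as a realm participant: it can use
  -- its own privileges inside the realm but cannot administer the realm.
  -- A NULL rule set means the authorization is unconditional; a rule set
  -- here would turn it into a multi-factor authorization.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Check: a DBA holding SELECT ANY TABLE but not authorized in the realm now
-- gets "ORA-01031: insufficient privileges" on SELECT * FROM HR.EMP, and the
-- attempt is recorded. View and column names are those of the 11g Database
-- Vault audit trail (an assumption to verify on your release).
SELECT username, action_name, action_command, returncode
  FROM dvsys.audit_trail$
 ORDER BY timestamp DESC;
```

Note that the realm owner (HR itself) keeps access; what changes is that SYS, SYSTEM and anyone else relying on ANY privileges are refused, exactly the DBA-versus-HR split the slide draws.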
Oracle Database Vault: Command Rules
- Provide extensible controls: assign security rules to database commands
- Enforce a "trusted" path by checking Database Vault built-in factors such as program names, IP addresses and host names
- Enforce a two-man rule for specific DBA activities
- Customize separation of duty
- Easily applied: a rule set associates multiple rules with a single command; define using the web interface or the API
Oracle Database Vault: Command Rules and Multi-factor Authorization (example)
- HR: CONNECT ... by the HR account is checked against the client address; a connection from an unexpected IP address is refused
- FIN: CREATE ... by the FIN DBA is permitted only during business hours
Oracle Database Vault: Built-In Factors Overview
- User factors: name, authentication type, session user, proxy enterprise identity
- Network factors: machine name, client IP, network protocol
- Database factors: database IP, database instance, database hostname, database SID
- Runtime factors: language, date, time
- Extensible: define custom factors

Oracle Database Vault: Separation of Duty
- Account management: the account administrator creates new database accounts
- Security administration: management of Database Vault realms, command rules, rule sets, ...
- Database administration: traditional DBA tasks such as space management and tuning
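The FIN command rule sketched on the "Command Rules and Multi-factor Authorization" slide, expressed with the built-in factors listed above. This is an added example, not code from the deck or from Oracle; it assumes the Oracle Database Vault 11g DBMS_MACADM API and the DVF.F$ factor functions, the FIN schema named on the slide, a hypothetical FIN_DBA account, a hypothetical administrative subnet 10.1.2.0/24 and an 08:00-17:59 business-hours window. It is run as a DV_OWNER user.

```sql
-- Added example (not from the slides): allow CREATE TABLE in FIN only for
-- FIN_DBA, in business hours, from the admin subnet. Assumed: Database Vault
-- 11g API names; schema FIN from the slide; FIN_DBA, 10.1.2.% and the hour
-- window are hypothetical. Run as a DV_OWNER user.
BEGIN
  -- Rules are boolean SQL expressions. Built-in factors are reachable as
  -- DVF.F$<factor name>; quotes inside the expression are doubled.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Business hours',
    rule_expr => 'TO_CHAR(SYSDATE, ''HH24'') BETWEEN ''08'' AND ''17''');

  -- Client_IP is NULL for local (bequeath) connections, so this rule also
  -- forces the DBA to come in over the network from a known address.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Admin subnet',
    rule_expr => 'DVF.F$CLIENT_IP LIKE ''10.1.2.%''');

  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is FIN DBA',
    rule_expr => 'DVF.F$SESSION_USER = ''FIN_DBA''');

  -- A rule set ANDs (EVAL_ALL) the rules, audits failures and returns a
  -- readable error to the caller. fail_code must lie in -20000..-20999.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'FIN DDL trusted path',
    description     => 'All rules must pass before DDL on FIN is allowed',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'DDL on FIN only by FIN_DBA, in business hours, from the admin subnet',
    fail_code       => -20010,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET('FIN DDL trusted path', 'Business hours');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('FIN DDL trusted path', 'Admin subnet');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('FIN DDL trusted path', 'Is FIN DBA');

  -- Bind the rule set to the command, scoped to the FIN schema. The same
  -- call with command => 'CONNECT' and a rule on DVF.F$CLIENT_IP gives the
  -- HR side of the slide.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CREATE TABLE',
    rule_set_name => 'FIN DDL trusted path',
    object_owner  => 'FIN',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Check what the factors evaluate to for the current session before relying
-- on them in a rule; a surprise here (NULL client IP, unexpected
-- authentication method) is the usual cause of a rule that never passes.
SELECT DVF.F$SESSION_USER, DVF.F$CLIENT_IP, DVF.F$MACHINE,
       DVF.F$AUTHENTICATION_METHOD
  FROM DUAL;
```

The two-man rule mentioned on the Command Rules slide is the same mechanism with one more rule in the set: an expression that calls a function checking for the senior DBA's concurrent session. Keep rule expressions cheap; they run on every matching statement.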
Oracle Database Vault: Reports
- Built-in auditing and reporting: realm violation audit report built in; privilege reports such as "Who has the DBA role?"
- Other reports: two dozen other Database Vault and security reports
- Easy to administer: web interface and API
Database Vault Administration Page (screenshot)
Defining a Realm (screenshot)
Adding Application to Realm (screenshot)
Oracle Database Vault: Application Certification
- PeopleSoft
- E-Business Suite
- Siebel
- Oracle Content DB
- Oracle Internet Directory
- Partner applications (underway)
Oracle Database Vault: Availability
Supported Oracle Database releases:
- Oracle Database 11g
- Oracle Database 10g Release 2 (10.2.0.3, 10.2.0.4, 10.2.0.5)
Noel Yuhanna, Research Analyst, Forrester:
"Database Vault features will be in demand, especially for databases that contain private data. Oracle is leading the pack of database makers with the new access restriction features. Microsoft, IBM, and Sybase don't have anything like this."
Oracle Database Vault: Key Benefits Summary
- Controls on privileged users: restricts privileged users from application data; enforces separation of duty
- Real-time access controls: control who, when, where and how data is accessed; decisions based on IP address, time, authentication method, ...
- Transparency: no changes to applications required; minimal performance impact