Security Benefits of Implementing Database Vault
- Arpita Ghatak
Topics to be covered
- Why Do We Need Database Vault? The Benefits
- Components of Database Vault
- Oracle Database Access Control Components
- Other Components of DB Vault
- DBA Operations in Database Vault Environments
- Summary
Why Do We Need Database Vault? The Benefits
- Increase in the security of existing applications
- Requirement of fine-grained access control
- Protecting data against insider threats
- Protects data from super-privileged users while still allowing them to maintain the database without any issues
- Meeting regulatory compliance requirements, enforcing separation of duty
- Flexible security policies as per the standards and requirements of organizations
Components of Database Vault
Oracle Database Vault has the following components:
- Oracle Database Vault Access Control Components
- Oracle Database Vault Administrator: Java application that is built on top of the Oracle Database Vault PL/SQL API
- Oracle Database Vault Configuration Assistant (DVCA): Required for performing maintenance tasks on your Oracle Database Vault installation
- Oracle Database Vault DVSYS and DVF Schemas: Store the database objects needed to process Oracle data for Oracle Database Vault (DBV)
- Oracle Database Vault PL/SQL Interfaces and Packages: Allow security managers or application developers to configure the access control policy as required
- Oracle Database Vault and Oracle Label Security PL/SQL APIs: Integrated with Oracle Enterprise Manager Database Control, which enables the security manager to define a label security policy and apply it to database objects
- Oracle Database Vault Reporting and Monitoring Tools: Report on the activities monitored by DBV
Oracle Database Access Control Components
Following are the access control components of Database Vault:
- Realms: Functional grouping of DB schemas and roles that need to be secured for a given application
- Command rules: Rule created to protect SELECT, ALTER SYSTEM, DDL, and DML statements that affect one or more database objects
- Factors: Named variable or attribute, such as a user location, database IP address, or session user, that Oracle Database Vault can recognize
- Rule sets: Collection of one or more rules that you can associate with a realm authorization, factor assignment, command rule, or secure application role
- Secure application roles: Roles to prevent users from accessing data from outside an application
Components of Database Vault continued
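How the access control components listed above fit together, as an added example that is not from the original slides. It uses the DBMS_MACADM PL/SQL API and is run by an account holding DV_OWNER or DV_ADMIN; the schema HR_APP, the user HR_APP_OWNER, the realm, rule and rule set names, and the address 192.0.2.10 are constructed for illustration, and parameter lists vary slightly between releases.

```sql
-- Added example: realm + factor-based rule set + command rule.
-- All names and the IP address below are constructed placeholders.
BEGIN
  -- Realm: functional grouping of the objects that must be secured.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR App Realm',
    description   => 'Protects all objects in the HR_APP schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR App Realm',
    object_owner => 'HR_APP',
    object_name  => '%',
    object_type  => '%');

  -- Rule and rule set: the Client_IP factor decides whether access is allowed.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From App Server',
    rule_expr => 'DVF.F$CLIENT_IP = ''192.0.2.10''');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR App Access',
    description     => 'Allow only sessions from the application server',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'HR_APP access is limited to the application server',
    fail_code       => 20461,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'HR App Access',
    rule_name     => 'From App Server');

  -- Realm authorization: the account is authorized only while the rule set holds.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR App Realm',
    grantee       => 'HR_APP_OWNER',
    rule_set_name => 'HR App Access',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);

  -- Command rule: DROP TABLE on HR_APP objects must also pass the rule set.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DROP TABLE',
    rule_set_name => 'HR App Access',
    object_owner  => 'HR_APP',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

With this in place, an account that is not authorized in the realm, including one holding system privileges such as DROP ANY TABLE, is refused on HR_APP objects with a realm violation, and failed attempts are audited.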
Realms
- What are Realms: Functional grouping of DB objects that must be secured
- Default Realms
- Creating Realm - Secured Objects
- Defining Realm Authorization: Establish set of DB accounts that access objects protected in a realm
- Working of Realms and Authorization in a Realm
- Enabling Access to Objects Protected by a Realm
- Effect of Realms on Performance
- Effect of Realms on Other DB Vault Components
Working of a Realm
Command Rules
- About Command Rules: Rule to protect SELECT, ALTER SYSTEM, DDL and DML statements
- Default Command Rules
- SQL Statements Protected by Command Rules
- Working of Command Rules
- Effect on Performance
Working of Command Rules

    grant resource to IDMUSRMGT
    *
    ERROR at line 1:
    ORA-47410: Realm violation for GRANT on UNLIMITED TABLESPACE
Factors, Rule Sets and Secure Application Roles
- Factors: Named variables or attributes that Oracle DBV can recognize
  - What are Factors
  - Identities
  - Working of a Factor
  - Effect on Performance
- Rule Sets
  - What are Rule Sets
  - Working of Rule Sets
  - Effect on Performance
- Secure Application Roles
  - What are Secure Application Roles
  - Working of a Secure Application Role
  - Effect on Performance
Other Components of DB Vault
- Oracle Database Vault Administrator
- Oracle Database Vault Configuration Assistant (DVCA)
- Oracle Database Vault DVSYS and DVF Schemas
- Oracle Database Vault PL/SQL Interfaces and Packages
- Oracle Database Vault and Oracle Label Security PL/SQL APIs
- Oracle Database Vault Reporting and Monitoring Tools
DBA Operations in Oracle Database Vault Environments
- Using Oracle Database Vault with Oracle Enterprise Manager
- Setting the DB Vault Administrator URL
- Propagating DB Vault Policies to Other Databases
- Using EM Grid Control Alerts for DB Vault Policies
- Effect on DBSNMP Account
- Using Data Pump Utility in a DB Vault Environment
- Using Data Masking in a DB Vault Enabled Environment
Summary
Oracle DB Vault: An important data security solution
- Protection of data from external as well as internal threats
- Separation of duties
- Flexible security policies
- Data manageability
Thank You