
Oracle Database Vault: Database Controls for Application Security and Regulatory Compliance


Pierre Leon
Database Technology Group
Oracle Database Security
Noel Yuhanna
Research Analyst, Forrester

“Database Vault features will be in demand, especially for databases that contain private data. Oracle is leading the pack of database makers with the new access restriction features. Microsoft, IBM, and Sybase don't have anything like this.”

© 2008 Oracle Corporation

Database Applications Under Attack
Applications Typically Weakest Link

• Little built-in security, require DBA privileges
• Vulnerable to many different exploits
  • SQL injections, buffer overflows, etc.
• Insiders bypassing applications to get access to unauthorised data at the database level
• Phishing and malware mean even enterprise credentials can’t be trusted unconditionally
• Application database consolidation means break one app, get the keys to the kingdom

Database Applications Under Scrutiny
Compliance Requires Securing Entire Application

• Data privacy regulations getting tougher
• 90% of companies fail compliance
• Breach disclosure laws can cost $239/record
• “Controls In Depth”
  • Auditors (and Lawyers) look for preventive controls that ensure data privacy is protected
  • PCI DSS, SOX, GLBA, HIPAA, etc.
  • Separation of Duties
  • Least Privilege

Data Privacy and Regulatory Compliance
Database Security Challenges

• Protecting Access to Application Data
• Database Monitoring
• Protecting Data-at-Rest
• De-Identifying Information for Sharing
• Data Classification

What we heard from our customers…
Protecting Access to Application Data

• “Legal says our DBA should not be able to read financial records, but the DBA needs to access the database to do her job. What do we do?”
• “Our SOX auditors require that we separate account creation from granting privileges to accounts.”
• “No user should be able to by-pass our application to access information in the database directly.”
• “How do we keep the Finance department from running reports during production hours?”
• “New DBAs should not be able to make database changes without a senior DBA being present.”

STOP PRESS

• Now this is an inflammatory headline but…
• In the recession, data assets become even more tempting targets of opportunity.
• You cannot shy away from your data protection responsibilities to your customers and your own organisation.

Oracle Database Vault
Key Features

• Protection Realms
• Separation of Duties
• Multi-Factor Authorisation
• Realm Violation Reports
• Rule-Based Authorisation

No Application Changes!

Privileged User Controls
Using Protection Realms

• Prevent privileged users from accessing application data beyond their authorisation
• Consolidate application data securely in one database
• Enforce preventive controls
  • Separation of Duties
  • Least Privilege

[Diagram: a DBA issuing SELECT * FROM HR.EMP is stopped at the realm boundary; the HR Realm encloses HR, the HR App and its own DBA, and the FIN Realm encloses FIN, the FIN App and its own DBA.]

Real-Time Access Control
Rule-Based Multi-Factor Authorisation

• Grant access to application data based on rules that consider multiple factors
• Prevent application bypass and ad-hoc access
• Protect application data against unintentional harm
• Prevent unmonitored changes
• Require strong authentication for DBAs

[Diagram: a CONNECT … from the HR Application User is checked against the HR rules; a CREATE … from the FIN Application DBA is checked against the FIN rules.]

Built-In Database Vault Factors
Extensible Via APIs

BUILT-IN FACTORS
USER                        NETWORK              DATABASE              RUN-TIME
Name                        Machine Name         Database IP Address   Language
Authentication Type         Client IP Address    Database SID          Date
Session User                Network Protocols    Database Instance     Time
Proxy Enterprise Identity   Network IP Address   Database Hostname     Day of Week

Separation of Duties
Database Vault Controls

• Security Administrator
• Account Administrator
• Application Administrator
• Database Administrator
• Extensible (e.g., Database Tester)

Realm Violation Reports
Provable Preventive Controls

• Built-in Auditing and Reporting
  • Realm violation reports
  • Privilege reports such as “Who has the DBA Role?”
  • More than 2 dozen reports total
• Easy to set up and administer
  • Web interface
  • API

Oracle Application Certification
Extensible Out-of-the-Box Policies Protect Applications

• Oracle PeopleSoft
• Oracle E-Business Suite
• Oracle Siebel CRM
• Oracle Content Database
• Oracle Internet Directory
• Separation of Duties
  • Data access restricted to application-related accounts
  • No access by other privileged users with DBA role
• Application Data Access Control
  • Customisable CONNECT rule protects against application bypass

5 Steps to Protect Database Applications
Easy to Deploy Database Vault for Any Application

1 Define Realms
2 Add SQL Command Rules (Optional)
3 Add other security policies (Optional)
4 PL/SQL scripts to deploy security policies
5 Test your application
6 Deploy

DEMONSTRATION

Oracle Database Vault
Protecting Application Data with Realms and Multi-Factor Rules

Oracle Database Vault Case Study
Financial Services Customer

Customer Requirement: Restrict DBA access to sensitive data
Database Vault Solution: Realm around application data allowing only the authorised application owner to access data

Customer Requirement: Enforce application access through middle tier processes running on geographically allocated servers
Database Vault Solution: Rule restricting database access based on middle tier server IP addresses

Customer Requirement: Protect mission-critical business data from intentional or accidental harmful changes
Database Vault Solution: Rule restricting dropping or wiping out associated database structures

Customer Requirement: Control use of ad-hoc query tools during peak load times
Database Vault Solution: Rule restricting connections by ad-hoc query tools to maintenance day/time

Customer Requirement: Enforce patching and backup to specific maintenance periods and monitor the patching process.
Database Vault Solution: Rule restricting database maintenance DBA’s login to maintenance day/time; rule requiring two DBAs to authenticate during maintenance periods from internal IP addresses
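An added worked example, not from the slides and not Oracle's own deployment scripts, of the PL/SQL step from the 5 Steps slide: it builds the realm and the middle-tier and maintenance-window connection rules from this case study through the DBMS_MACADM API as documented for Oracle Database 10gR2/11g. The HR schema, the HR_APP and MAINT_DBA accounts and the address 192.0.2.10 are constructed placeholders.

```sql
-- Added example (not Oracle's own scripts): realm plus CONNECT rules via
-- the DBMS_MACADM API as documented for 10gR2/11g. Run as the Database
-- Vault owner. HR, HR_APP, MAINT_DBA and 192.0.2.10 are placeholders.
BEGIN
  -- Step 1: realm around every HR object. A DBA's SELECT ANY TABLE no
  -- longer reaches HR.EMP; failed attempts are audited for the reports.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'HR application data, off limits to privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(realm_name => 'HR Realm',
    object_owner => 'HR', object_name => '%', object_type => '%');
  -- Only the schema owner is authorised in the realm (as its owner).
  DBMS_MACADM.ADD_AUTH_TO_REALM(realm_name => 'HR Realm', grantee => 'HR',
    rule_set_name => '', auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
  -- Step 2: multi-factor rules on CONNECT. All rules must pass, so each
  -- is phrased "not this account, or the factor matches": the application
  -- account only from the middle tier, the maintenance DBA only on Sunday.
  DBMS_MACADM.CREATE_RULE(rule_name => 'App Account From Middle Tier',
    rule_expr => 'DVF.F$SESSION_USER <> ''HR_APP'' OR '
              || 'DVF.F$CLIENT_IP = ''192.0.2.10''');
  DBMS_MACADM.CREATE_RULE(rule_name => 'Maintenance DBA On Sunday',
    rule_expr => 'DVF.F$SESSION_USER <> ''MAINT_DBA'' OR '
              || 'TO_CHAR(SYSDATE, ''DY'', ''NLS_DATE_LANGUAGE=AMERICAN'') = ''SUN''');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Connection Policy',
    description     => 'Who may connect, from where and when',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Connection refused by the Database Vault connection policy',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => '');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'Connection Policy',
    rule_name => 'App Account From Middle Tier', rule_order => 1,
    enabled => DBMS_MACUTL.G_YES);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(rule_set_name => 'Connection Policy',
    rule_name => 'Maintenance DBA On Sunday', rule_order => 2,
    enabled => DBMS_MACUTL.G_YES);
  -- A CONNECT command rule is evaluated at every login, so a rule that can
  -- be false for an account you still need locks it out: test first (step 5).
  DBMS_MACADM.CREATE_COMMAND_RULE(command => 'CONNECT',
    rule_set_name => 'Connection Policy', object_owner => '%',
    object_name => '%', enabled => DBMS_MACUTL.G_YES);
END;
/
```

Because the rule set is evaluated with EVAL_ALL, every account passes both rules trivially except the one each rule names, which is what keeps a CONNECT rule from locking out the rest of the database.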

Industry Leading Innovation
2007 Product Excellence Award Winner

Oracle Database Security
Solutions for Privacy and Compliance

• Database Vault
• Advanced Security
• Audit Vault
• Secure Backup
• Configuration Management
• Label Security
• Total Recall
• Data Masking

For More Information

http://search.oracle.com
database security

or
oracle.com/database/security

Release Wide Map of Security Products

[Matrix of each solution against the Oracle Database releases 8i, 9iR1, 9iR2, 10g R1, 10g R2 and 11gR1 in which it is available]

Solutions:
• Database Auditing
• Network Encryption
• Virtual Private Database
• Label Security
• Database Vault
• Audit Vault
• Fine Grained Auditing
• Total Recall
• EM Configuration Scanning
• TDE Column Encryption
• TDE Tablespace Encryption
• EM Data Masking
Data Masking is available starting with EM 10.2.0.4 and works against Oracle Database 9.2 and higher databases.