How to protect your sensitive data using Oracle Database Vault
Measures taken for data security should be considered at the database level as well, just as they are at the hardware, network and operating system levels. Companies generally buy a firewall product and think that they have already solved their security problems. Research shows that while firewall products can take measures against external attacks, they offer no sufficient measures against internal attacks. In particular, nothing is done to protect the data on the very server where the database runs. Taking into account that a user with DBA authority has every kind of authority in the database and can perform the same operations even when connecting from other computers, the possible security gaps should be considered. A database administrator's access to every piece of data is as disadvantageous as his/her ability to connect from other computers and perform the same operations, and is itself a security gap. Oracle Database Vault, one of the security solutions of Oracle Database, can be recommended as an application that helps solve the problems mentioned above.
What is Oracle Database Vault?
Oracle Database Vault provides powerful security controls to help protect application data from unauthorized access and to comply with privacy and regulatory requirements. Controls can be deployed to block privileged account access to application data and to control sensitive operations inside the database using multi-factor authorization. The security of existing applications can be increased through analysis of privileges and roles. Oracle Database Vault secures existing database environments transparently, eliminating costly and time-consuming application changes. Oracle Database Vault is a product that lets you apply dynamic and flexible controls over your database's security and produce reports on it; it ships with Oracle Database and takes an optional place in the database configuration. Because it operates at the database kernel level, it is much more effective than security applications implemented in PL/SQL. Database Vault, which is also used where the required security level differs per database, may be applied to your single-instance Oracle database and may equally be used in RAC architecture deployments.
It may prevent even a database administrator from accessing your critical data (such as credit card, client personal information, account details, personnel salary information, calculations, expenses and conversation details).
It keeps your database from any changes not authorized by you.
It enables you to add a temporary control, or to alter or trace it in real time.
Database Vault, a product of the Oracle family, is configured, created and managed very easily, and its impact on system performance is very small.
Database Vault is a product that exists inside Oracle Database and may be configured by an easy setup. It works through the sections realm, command rule, factor, rule set and reporting.
Oracle Database Vault provides a very strong and safe setting to protect applications and data.
Oracle Database Vault may restrict users who hold broad privileges (such as SELECT ANY TABLE). It may even restrict the rights of DBA users, who hold the most powerful role.
Any changes to the objects in the database (alter, drop, truncate, etc.) or to the data content (insert, delete, update, etc.) may be restricted by determining how, when and by what means they may be made.
Oracle Database Vault protects the existing database environment. Shutdown by unwanted software may be prevented. It may protect the database from unwanted attacks.
It may implement the principle of database separation of duties.
Controls for Privileged Accounts
Privileged database accounts are one of the most commonly used pathways for gaining access to sensitive application data in the database. While their broad and unrestricted access facilitates database maintenance, the same access also creates a point of attack for gaining access to large amounts of data. Oracle Database Vault realms around application schemas, sensitive tables and stored procedures provide controls to prevent privileged accounts from being exploited by hackers and insiders to access sensitive application data.
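The realm described above, as an added example that is not part of the original document or Oracle's own documentation. It uses the DBMS_MACADM API to wrap an application schema in a realm so that accounts relying on DBA or SELECT ANY TABLE can no longer read it, and then shows the views a security administrator uses to review the realm and its audit records. The schema HR_APP, the table EMPLOYEE_SALARY and the realm name are constructed for this example; the DVSYS.AUDIT_TRAIL$ column names are assumed to be those of the 11g Database Vault audit trail.

```sql
-- Added example (not from the original document): protecting an application
-- schema with a Database Vault realm via DBMS_MACADM.
-- Assumptions: Database Vault is enabled and these statements run as the
-- Database Vault owner (role DV_OWNER). HR_APP, EMPLOYEE_SALARY and the
-- realm name are constructed names for this example.

-- 1. Create the realm. G_REALM_AUDIT_FAIL records every blocked access
--    attempt, which is the event a detection team wants to see.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Application Realm',
    description   => 'Protects salary data from privileged accounts',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
END;
/

-- 2. Put the sensitive objects inside the realm. '%' for both name and
--    type protects every object in the HR_APP schema.
BEGIN
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Application Realm',
    object_owner => 'HR_APP',
    object_name  => '%',
    object_type  => '%');
END;
/

-- 3. Authorize only the application owner. Nobody else, including sessions
--    holding DBA or SELECT ANY TABLE, is a realm participant or owner.
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Application Realm',
    grantee       => 'HR_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- 4. Effect: a DBA session that runs
--      SELECT * FROM hr_app.employee_salary;
--    now fails with ORA-01031: insufficient privileges (11g behaviour)
--    and the attempt is written to the Database Vault audit trail.

-- 5. Review what the realm protects and who is authorized.
SELECT r.name, o.owner, o.object_name, o.object_type
  FROM dvsys.dba_dv_realm r
  JOIN dvsys.dba_dv_realm_object o ON o.realm_name = r.name
 WHERE r.name = 'HR Application Realm';

SELECT realm_name, grantee, auth_options
  FROM dvsys.dba_dv_realm_auth
 WHERE realm_name = 'HR Application Realm';

-- 6. Blocked attempts against the realm (assumed 11g audit trail columns).
SELECT username, action_name, action_object_name, action_command,
       returncode, timestamp
  FROM dvsys.audit_trail$
 WHERE action_object_name = 'HR Application Realm'
 ORDER BY timestamp DESC;
```

The important design point is step 3: the realm only protects the data because the authorization list is short and the DBA account is not on it. Adding DBA users as realm participants for convenience silently recreates the gap the realm was built to close.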
Controls for Database Configuration
Among the more common audit findings are unauthorized changes to database entitlements, including grants of the DBA role, as well as new accounts and database objects. Preventing unauthorized changes to production environments is important not only for security but also for compliance, as such changes can weaken security and open doors to hackers, violating privacy and compliance regulations. Oracle Database Vault SQL Command Controls allow customers to control operations inside the database, including commands such as create table, truncate table and create user. Various out-of-the-box factors such as IP address, authentication method and program name help implement multi-factor authorization to deter attacks leveraging stolen passwords. These controls prevent accidental configuration changes and also prevent hackers and malicious insiders from tampering with applications.
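The command control and factor mechanism described above, as an added example that is not part of the original document. It builds a rule from the built-in Client_IP factor, places it in a rule set that audits failures, and binds that rule set to TRUNCATE TABLE and CREATE USER through command rules, so that a stolen DBA password used from an unexpected host is not enough to run those commands. The IP address 10.0.5.21, the schema HR_APP and the rule, rule set and realm names are constructed values for this example.

```sql
-- Added example (not from the original document): multi-factor control of
-- sensitive SQL commands with Database Vault command rules.
-- Assumptions: Database Vault is enabled and the statements run as the
-- Database Vault owner. 10.0.5.21 and HR_APP are constructed values.

-- 1. A rule is a boolean SQL expression. DVF.F$CLIENT_IP is the function
--    behind the built-in Client_IP factor; Authentication_Method and
--    Session_User are other built-in factors usable the same way.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From Admin Workstation',
    rule_expr => 'DVF.F$CLIENT_IP = ''10.0.5.21''');
END;
/

-- 2. A rule set groups rules; with G_RULESET_EVAL_ALL every rule must be
--    true. G_RULESET_AUDIT_FAIL logs each failed evaluation, so a TRUNCATE
--    attempted from an unexpected host becomes a detectable event.
BEGIN
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Admin Workstation Only',
    description     => 'Allows sensitive commands only from the admin host',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Command not allowed from this host',
    fail_code       => 20000,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Admin Workstation Only',
    rule_name     => 'From Admin Workstation');
END;
/

-- 3. Command rules bind the rule set to SQL commands: TRUNCATE TABLE on
--    every table owned by HR_APP, and CREATE USER database-wide.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'TRUNCATE TABLE',
    rule_set_name => 'Admin Workstation Only',
    object_owner  => 'HR_APP',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CREATE USER',
    rule_set_name => 'Admin Workstation Only',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- 4. Effect: from any client other than 10.0.5.21 the statement
--      TRUNCATE TABLE hr_app.employee_salary;
--    fails with ORA-47400: Command Rule violation for TRUNCATE TABLE on
--    HR_APP.EMPLOYEE_SALARY, even when the session holds the DBA role.

-- 5. Review the configured command rules and the factor values the
--    current session presents (useful when a rule unexpectedly fails).
SELECT command, rule_set_name, object_owner, object_name, enabled
  FROM dvsys.dba_dv_command_rule;

SELECT DVF.F$CLIENT_IP             AS client_ip,
       DVF.F$AUTHENTICATION_METHOD AS auth_method,
       DVF.F$SESSION_USER          AS session_user
  FROM dual;
```

A client IP is a weak factor on its own when the network allows address spoofing or when connections arrive through a shared application server; combining it with the Authentication_Method factor (for example requiring a non-password method) is how the "multi-factor" in multi-factor authorization is usually realized.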
DB Vault Configuration Advice
Advice 1: The relevant line under /var/opt/oracle/oratab must contain the correct $ORACLE_HOME. Otherwise, the Configure Option button will be inactive when dbca is run.
Advice 2: PASSWORD_VERIFY_FUNCTION in the default profile must be NULL. Otherwise, error ORA-29504 will appear. Solution: Doc ID 1509963.1
Advice 3: Error ORA-29504 may appear in about 85 percent of configurations done with DBCA. This error may be ignored in 11g. It appears to have been fixed in 12c. For the solution: Doc ID 1509963.1
Control of DB Vault Option
To check it, we enter sqlplus as sysdba.
Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production
We will see no text related to Vault in the banner. If it were configured, we would also see the text "With the Oracle Label Security, Oracle Database Vault options".
We may use the view below for an additional check.
SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
Oracle Database Vault ----- FALSE (that is, disabled)
Example:
Enabling of DB Vault Option for Oracle
STEP 1 - The relevant database is shut down
SQL> shutdown immediate
STEP 2 - dbconsole (Enterprise Manager) is shut down, if any
$ emctl stop dbconsole
STEP 3 - The listener is shut down
$ lsnrctl stop listener
STEP 4 - The DB Vault option is enabled in the Oracle binary
$ cd $ORACLE_HOME/rdbms/lib
$ make -f ins_rdbms.mk dv_on lbac_on ioracle
COMMON NOTICE: When an option is enabled in the Oracle binary, the chopt command may also be used instead of make -f. Its usage is described in the following link.
Example:
$ chopt enable lbac
Writing to /u01/app/oracle/product/11.2.0/dbhome_2/install/enable_lbac.log...
/usr/bin/make -f /u01/app/oracle/product/11.2.0/dbhome_2/rdbms/lib/ins_rdbms.mk lbac_on ORACLE_HOME=/u01/app/oracle/product/11.2.0/dbhome_2
/usr/bin/make -f /u01/app/oracle/product/11.2.0/dbhome_2/rdbms/lib/ins_rdbms.mk ioracle ORACLE_HOME=/u01/app/oracle/product/11.2.0/dbhome_2
$ chopt enable dv
Writing to /u01/app/oracle/product/11.2.0/dbhome_2/install/enable_dv.log...
/usr/bin/make -f /u01/app/oracle/product/11.2.0/dbhome_2/rdbms/lib/ins_rdbms.mk dv_on ORACLE_HOME=/u01/app/oracle/product/11.2.0/dbhome_2
/usr/bin/make -f /u01/app/oracle/product/11.2.0/dbhome_2/rdbms/lib/ins_rdbms.mk ioracle ORACLE_HOME=/u01/app/oracle/product/11.2.0/dbhome_2
STEP 5 - The database and listener are started, and it must be checked whether DB Vault is enabled or not.
SQL> startup
SQL> SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';
Oracle Database Vault -- TRUE (that is, enabled)
When sqlplus is entered again, "With the Oracle Label Security, Oracle Database Vault options" will appear in the banner.
Example
Database Vault comes preselected in the Oracle Database Vault database configuration. Database Vault may either be selected while Oracle is configured or activated after the Oracle instance has been configured. To activate it after the instance has been configured, Database Configuration Assistant must be run with the dbca command.
A user name and password are entered for the Database Vault Owner and, optionally, for the Account Manager (entering one is recommended).
After the configuration ends, https://hostname(or host ip):port number/ is opened in a browser to reach the Oracle Database Vault screen.
Database Vault Duty Separation
The separation of duties feature of Oracle Database Vault creates three different responsibilities: security administration on the database, account management and database administration.
The Security Administrator (Security Administration), the person responsible for security, is also the manager of Oracle Database Vault. S/he is responsible for all security operations in the database. S/he may manage realms, command rules and factors and may run Database Vault reports, while s/he may not get access to the application data.
The Account Manager (Account Management) may create, delete and change user accounts.
And the Database Administrator (Database Administration) performs DBA functions such as backup/restore, patch application and performance management.
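A check that the three responsibilities above really are held by separate accounts, and that the option enabled in Step 5 is also configured and switched on, as an added example that is not part of the original document. It reads the standard DBA_ROLE_PRIVS view for the Database Vault roles (DV_OWNER, DV_ADMIN for security administration, DV_ACCTMGR for account management) and the DBA role, and flags any account that combines database administration with a Database Vault role.

```sql
-- Added example (not from the original document): verifying Database Vault
-- separation of duties and enablement status.
-- Assumptions: Database Vault is installed; DV_OWNER, DV_ADMIN and
-- DV_ACCTMGR are the standard Database Vault roles and DBA the standard
-- database administration role. Only direct role grants are examined.

-- 1. Which account holds which responsibility?
SELECT grantee,
       MAX(CASE WHEN granted_role IN ('DV_OWNER', 'DV_ADMIN') THEN 'Y' END) AS security_admin,
       MAX(CASE WHEN granted_role = 'DV_ACCTMGR'              THEN 'Y' END) AS account_mgr,
       MAX(CASE WHEN granted_role = 'DBA'                     THEN 'Y' END) AS database_admin
  FROM dba_role_privs
 WHERE granted_role IN ('DV_OWNER', 'DV_ADMIN', 'DV_ACCTMGR', 'DBA')
 GROUP BY grantee
 ORDER BY grantee;

-- 2. Flag accounts that combine duties. One account that is both DBA and
--    Database Vault owner (or account manager) can change the controls
--    and then read the data, which defeats the separation entirely.
SELECT grantee,
       LISTAGG(granted_role, ',') WITHIN GROUP (ORDER BY granted_role) AS combined_roles
  FROM dba_role_privs
 WHERE granted_role IN ('DV_OWNER', 'DV_ADMIN', 'DV_ACCTMGR', 'DBA')
 GROUP BY grantee
HAVING COUNT(CASE WHEN granted_role = 'DBA'  THEN 1 END) > 0
   AND COUNT(CASE WHEN granted_role <> 'DBA' THEN 1 END) > 0;

-- 3. Confirm Database Vault is both configured and enabled. A database
--    where it is configured but disabled keeps none of the controls.
SELECT name, status
  FROM dvsys.dba_dv_status;
```

Query 2 returning no rows is the expected state; a non-empty result is worth raising with the security administrator, because the account listed can both weaken the realms and command rules and profit from doing so.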