Oracle Database Vault Frequently Asked Questions
Oracle Database Vault is a database security option that you use to protect application data from DBA or privileged user access, enforce protection of database structures from unauthorized change, and set a variety of access controls to implement dynamic and flexible security requirements. These features help you adhere to standards for separation of duties, regulatory compliance, and internal control. With Oracle Database Vault you can securely consolidate applications, outsource or off-shore back-end operations, and build a secure private Oracle Database Cloud. You can use Oracle Database Vault on standalone Oracle Database installations and in Oracle Real Application Clusters (RAC) environments.
Oracle Database Vault requires Oracle Database Enterprise Edition. Oracle Database Vault is available with Oracle Database 11g and Oracle Database 10g Release 2. Oracle Database Vault has been back-ported to Oracle Database 9i on a limited number of platforms, as well.
There are three macro issues driving security requirements for IT organizations today:
The latter include Sarbanes-Oxley, PCI, HIPAA, Gramm-Leach Bliley, the Japanese Privacy Act, BASEL II, and much more.
Privileged users are users who have been granted powerful privileges or administrative roles within the database. Such users are generally administrators, but can be developers who are given access to the system for application development, partners who are given such privileges for application integration, or even an analyst who has access to database development tools such as Oracle Discoverer. A super user is the highest level of privileged user, oftentimes with SYSDBA access.
In addition to the features described above, Oracle Database Vault provides a web-based management console that can be used to configure and manage the offering. Oracle Database Vault provides a dashboard for monitoring policies and configuration setup. Finally, Oracle Database Vault ships with over three dozen out-of-the-box reports that show who has access to what, helping to demonstrate proof of compliance.
No. Oracle Audit Vault is a new product from Oracle that focuses on securing and consolidating audit data. Oracle Database Vault and Oracle Audit Vault are intended to co-exist in the enterprise to assist customers with security, compliance, and privacy needs.
Yes, Oracle has been working closely with a number of partners. These include global System Integrators (SIs) with risk management and security practices and Independent Software Vendors (ISVs) who plan to leverage Oracle Database Vault to better secure their solutions and help address compliance requirements. Examples of these partners include Protiviti and BearingPoint as well as ArcSight, Accenture, HP, Deloitte & Touche LLP, and PricewaterhouseCoopers.
Oracle Database Vault helps customers achieve separation of duty by creating different responsibilities to manage the different aspects of the database environment. Oracle Database Vault creates responsibilities for managing security, managing user accounts, and managing database resources. Separation of duty helps customers prevent unauthorized access to business data. Preventing unauthorized access to business data is a crucial requirement for many regulations such as SOX, Basel II, HIPAA, Gramm-Leach-Bliley, PCI, and J-SOX (Japan). By creating separation of duty in the database, Oracle Database Vault helps customers achieve better internal control over who does what and when in the database, which is also part of the regulatory compliance requirements.
Our internal TPC-C benchmark testing showed that Oracle Database Vault has a minimal overhead of less than 2%. Customers should test their custom security settings for performance and try to make them as simple as possible. Normal database tuning still applies when Oracle Database Vault is installed.
No. Oracle Database Vault is an option to the Oracle Database Enterprise Edition. It can be enabled on any Oracle Database Enterprise Edition release including 11g, 10g Release 2, and 9.2.0.8.
No. However, you can use Oracle Database Vault in Oracle Real Application Clusters (RAC) environments.
Oracle Database Vault introduces several new concepts:
Virtual Private Database is a fine-grained solution within the Database that enables customers to build customized row level security solutions using PL/SQL. Oracle Database Vault provides a higher level solution that provides security for the database and applications, by controlling access of privileged users (DBAs) and implementing separation of duty inside the database.
Yes. All security features available with the Oracle Database Enterprise Edition, for example VPD and Secure Application Roles, work with Oracle Database Vault. In addition, other security options, like Oracle Advanced Security (ASO) and Oracle Label Security (OLS), work with Oracle Database Vault as well.
Yes. Oracle Database Vault works with TDE. Oracle Database Vault Realms, Multi-Factor Authorization, and Command Rules provide security controls around access to databases and applications as well as controlling activity within the database through separation of duty, while TDE protects data from direct operating-system access to database files.
In an Oracle Database Vault environment, if a realm protects a database role, then only the Realm Owner can grant this role to others. For example, the Oracle Data Dictionary realm protects the DBA role. The SYS user by default is the owner of the Oracle Data Dictionary realm and can grant the DBA role to others.
No. The Oracle Database Vault owner account can only set up the realm. It cannot see data protected by a realm. This is part of the separation of duty that Oracle Database Vault enforces.
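The two answers above describe how a realm protects both schema objects and a database role, and how the realm owner differs from everyone else. The following script is an added illustration of that configuration, not code from the FAQ or from Oracle's documentation. It uses the DBMS_MACADM administrative API and DBMS_MACUTL constants that ship with Database Vault; the schema HR_APP, the role HR_APP_ADMIN and the user HR_SEC_MGR are hypothetical names chosen for this example.

```sql
-- Run as a user holding the DV_OWNER role (the Database Vault security administrator).
-- HR_APP, HR_APP_ADMIN and HR_SEC_MGR are hypothetical names for this example.

-- 1. Create the realm. Failed access attempts are audited.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Application Realm',
    description   => 'Protects the HR_APP schema and its admin role from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
END;
/

-- 2. Place every object of the HR_APP schema, and the HR_APP_ADMIN role, inside the realm.
--    '%' is the wildcard for object name and type; a role is registered with
--    owner '%' and object type 'ROLE'.
BEGIN
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Application Realm',
    object_owner => 'HR_APP',
    object_name  => '%',
    object_type  => '%');
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Application Realm',
    object_owner => '%',
    object_name  => 'HR_APP_ADMIN',
    object_type  => 'ROLE');
END;
/

-- 3. Authorize who may work inside the realm.
--    HR_APP is a participant: it can use its own objects.
--    HR_SEC_MGR is the realm owner: it can additionally grant and revoke the
--    protected HR_APP_ADMIN role. A DBA holding SELECT ANY TABLE but no realm
--    authorization is blocked with ORA-01031 (insufficient privileges).
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Application Realm',
    grantee       => 'HR_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Application Realm',
    grantee       => 'HR_SEC_MGR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- 4. Verify what the realm covers and who is authorized in it.
SELECT * FROM DVSYS.DBA_DV_REALM_OBJECT WHERE realm_name = 'HR Application Realm';
SELECT * FROM DVSYS.DBA_DV_REALM_AUTH   WHERE realm_name = 'HR Application Realm';
```

Note that the DV_OWNER account that runs this script is itself not authorized in the realm: it can define the protection, but selecting from HR_APP tables afterwards fails for it exactly as it does for an unauthorized DBA, which is the separation of duty the answer refers to.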
Yes. Oracle Database Vault honors all connection types supported by the Oracle Database.
There are two ways to do this:
The DV_PATCH_ADMIN role allows a DBA to patch the database without having access to protected sensitive applications data. The Security Administrator grants the DV_PATCH_ADMIN role to a DBA so the DBA can patch the database. Once patching is done, the Security Administrator revokes the DV_PATCH_ADMIN role from the DBA.
In an Oracle Database Vault environment, only a user with the account management responsibility can create new users. The DV_ACCTMGR role can be granted to user to give that user the account management responsibility. This helps customers achieve strong operational controls by controlling who can create new users in their database environment.
Oracle Database Vault integrates well with Oracle Label Security (OLS). Oracle Database Vault factors can provide an additional dimension in deciding the security clearance of a user's session. For example, let us assume a user has been authorized to access sensitive data. However the security administrator wants to ensure the user accesses sensitive data only if he / she is in the office and connected to the trusted network. A Database Vault factor like Network Domain can be used to determine the security clearance of a user's database session. If the user is coming from the public Internet, he / she can see only non-sensitive data. If the user is coming from the trusted network, then the user is allowed access to sensitive data.
Customer use of Oracle Database Vault does not require a separate license of Oracle Label Security.
Background: When a customer installs Oracle Database Vault, it implicitly installs Oracle Label Security, because Oracle Database Vault needs Oracle Label Security to be installed for technical reasons. Customers do not need to pay an additional license fee for Oracle Label Security when using Oracle Database Vault. The additional license fee is required only if the customer wants to implement Oracle Label Security itself.
Oracle Database Vault is a licensable option for the Oracle Database Enterprise Edition. Oracle Database Vault is available for Oracle Database 11g and higher, Oracle Database 10g Release 2 and Oracle Database release 9.2.0.8.
Yes. These are available on the Oracle Technology Network.
Oracle Database Vault is designed to help customers address technical security requirements found in various regulations, including Sarbanes-Oxley (SOX), PCI, HIPAA, ITAR and European privacy laws. Oracle Database Vault provides strong internal controls inside the Oracle Database through restricting privileged user access to sensitive data and through multi-factor authorization to control who, when, where, and how sensitive data can be accessed.
Oracle Database Vault addresses the "insider threat" by enabling powerful controls on how databases, applications and data are accessed. In addition, Oracle Database Vault enables additional protections against power users in the database such as those with super-privileges (DBAs). Oracle Database Vault places restrictions on what data these users can access using a security feature called a realm. In addition, Oracle Database Vault provides command rules and multi-factor authorization to control who, when, how, and where databases, applications and data can be accessed.
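The OLS answer above describes a factor such as the client's network location deciding what a session may do, and this answer describes command rules and multi-factor authorization controlling who, when, where and how data is reached. The script below is an added example of those two mechanisms working together, written for this page and not taken from the FAQ or from Oracle's documentation; it does not cover the Oracle Label Security integration itself. It uses the predefined factor function DVF.F$CLIENT_IP and the DBMS_MACADM/DBMS_MACUTL API. The table HR_APP.EMPLOYEES, the 10.1.% address range and the business-hours window are constructed placeholders.

```sql
-- Run as a user holding the DV_OWNER role.
-- HR_APP.EMPLOYEES, the 10.1.% subnet and the 08:00-18:00 window are placeholders.

-- 1. Rules: each is a SQL boolean expression evaluated when the guarded
--    statement is issued. DVF.F$CLIENT_IP is a predefined Database Vault factor.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Trusted Network',
    rule_expr => 'DVF.F$CLIENT_IP LIKE ''10.1.%''');                 -- "where"
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Business Hours',
    rule_expr => 'TO_CHAR(SYSDATE,''HH24'') BETWEEN ''08'' AND ''18'''); -- "when"
END;
/

-- 2. A rule set requiring ALL rules to be true. Failures are audited and the
--    caller receives a custom error instead of a silent no-op.
BEGIN
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Trusted Network Business Hours',
    description     => 'Caller is on the trusted subnet during business hours',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'DELETE on employees allowed only from trusted network in business hours',
    fail_code       => 20461,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Trusted Network Business Hours',
    rule_name     => 'Is Trusted Network',
    rule_order    => 1,
    enabled       => DBMS_MACUTL.G_YES);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Trusted Network Business Hours',
    rule_name     => 'Is Business Hours',
    rule_order    => 2,
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- 3. Command rule: DELETE against HR_APP.EMPLOYEES ("how") is permitted only when
--    the rule set evaluates to true, regardless of the caller's object privileges.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DELETE',
    rule_set_name => 'Trusted Network Business Hours',
    object_owner  => 'HR_APP',
    object_name   => 'EMPLOYEES',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- 4. Verify the configuration.
SELECT * FROM DVSYS.DBA_DV_COMMAND_RULE WHERE object_owner = 'HR_APP';
SELECT * FROM DVSYS.DBA_DV_RULE_SET_RULE WHERE rule_set_name = 'Trusted Network Business Hours';
```

The "who" dimension comes from the session itself: the command rule applies to every user, including DBAs, so a privileged account connecting from outside the placeholder subnet or outside the window is refused and the attempt is recorded because the rule set audits failures. Replacing the CLIENT_IP test with a custom factor keyed to an OLS label, as the OLS answer describes, follows the same rule and rule-set pattern.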
Yes. Oracle University has a training class for Oracle Database Vault. This is a two-day class. Customers can enroll in it. For the latest schedule go to the Oracle University website and search for Oracle Database Vault.
For white papers, data sheets and other materials, visit http://www.oracle.com/technetwork/database/options/database-vault/index-085211.html or contact an Oracle representative near you.
Yes. Oracle Database Vault is now certified with all major Oracle applications including Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel, and Oracle JD Edwards EnterpriseOne. Vertical applications like Oracle Retail (Retek), Oracle Financial Services (iFlex), Oracle Utilities, and Oracle Enterprise Tax Management are also certified with Oracle Database Vault. In addition, Oracle Database Vault is certified with SAP applications and other partner applications like Infosys Finacle.
Oracle Database Vault protections complement application security mechanisms by securing the database and preventing direct access to the application tables by super-privileged users (DBAs). This helps customers outsource their backend operations without allowing access to their sensitive applications data and prevents hackers from stealing sensitive data even if they manage to compromise a privileged user account.
Yes. Oracle Database Vault has been awarded Common Criteria EAL4+.
While Oracle Database Firewall protects a target Oracle Database from SQL injection attacks by inspecting and blocking harmful SQL traffic on the network before it reaches the database, Oracle Database Vault provides strong operational controls inside the target Oracle Database. Oracle Database Vault protections restrict privileged user access to sensitive data inside the Oracle Database. So, Oracle Database Firewall protections complement those of Oracle Database Vault. For maximum security and depending on customers' requirements, both Oracle Database Firewall and Oracle Database Vault can be used at the same time to protect the target Oracle Database.