Oracle Database Vault

Frequently Asked Questions

Questions

  1. What is Oracle Database Vault?
  2. What Oracle software is required to run Oracle Database Vault?
  3. What is driving security requirements for IT organizations today?
  4. Who are super and privileged users?
  5. What else does Oracle Database Vault do?
  6. Is Oracle Database Vault the same as Oracle Audit Vault?
  7. Does Oracle have partners signed up to support Oracle Database Vault?
  8. How does Oracle Database Vault help customers achieve separation of duty?
  9. What performance overhead does Oracle Database Vault incur on the database?
  10. Does Oracle Database Vault require a separate database?
  11. Does Oracle Database Vault require Oracle Real Application Clusters (RAC)?
  12. What security mechanisms does Oracle Database Vault introduce?
  13. How is Oracle Database Vault different from Virtual Private Database?
  14. Do the existing Oracle Database security features co-exist with Oracle Database Vault?
  15. Does Oracle Database Vault work with Oracle Transparent Data Encryption (TDE)?
  16. Who can grant roles like the DBA role in a Database protected by Oracle Database Vault?
  17. Can the Oracle Database Vault Administrator (owner) see data protected by a realm?
  18. Does Oracle Database Vault allow database connections using Java?
  19. How do you move Oracle Database Vault security policies from a development system to a production system?
  20. How do you apply patches in a database that has Oracle Database Vault enabled?
  21. Who can create new users in an Oracle Database Vault environment?
  22. Does Oracle Database Vault integrate with Oracle Label Security (OLS)? Can OLS leverage Oracle Database Vault Factors?
  23. Do customers need to pay license fee for Oracle Label Security (OLS) when using Oracle Database Vault?
  24. How is Oracle Database Vault packaged?
  25. Are there example business use cases for Oracle Database Vault?
  26. Can I use Oracle Database Vault to meet compliance requirements found in regulations such as SOX, PCI, HIPAA, ITAR and the EU privacy laws?
  27. How does Oracle Database Vault address the "insider threat"?
  28. Is there training available for Oracle Database Vault?
  29. Where do I go to learn more about Oracle Database Vault?
  30. Is Oracle Database Vault certified with major packaged Applications?
  31. How do Oracle Database Vault protections complement applications' security mechanisms?
  32. Did Oracle Database Vault undergo a formal security evaluation?
  33. How does Oracle Database Firewall work when a target Oracle Database is protected by Oracle Database Vault? Do I need both to protect my Oracle Database?

Answers

  1. What is Oracle Database Vault?

    Oracle Database Vault is a database security option that you use to protect application data from DBA or privileged user access, enforce protection of database structures from unauthorized change, and set a variety of access controls to implement dynamic and flexible security requirements. These features help you adhere to standards for separation of duties, regulatory compliance, and internal control. With Oracle Database Vault you can securely consolidate applications, outsource / off-shore back end operations, and build a secure private Oracle Database Cloud. You can use Oracle Database Vault on standalone Oracle Database installations and in Oracle Real Application Clusters (RAC) environments.


  2. What Oracle software is required to run Oracle Database Vault?

    Oracle Database Vault requires Oracle Database Enterprise Edition. Oracle Database Vault is available with Oracle Database 11g and Oracle Database 10g Release 2. Oracle Database Vault has been back-ported to Oracle Database 9i on a limited number of platforms, as well.


  3. What is driving security requirements for IT organizations today?

    There are three macro issues driving security requirements for IT organizations today:

    1. how to protect against the "insider threat" - attack from within an organization by rogue individuals with privileges who are thought to be trustworthy, but prove otherwise;
    2. how to protect against outside hackers who manage to compromise a privileged user account and would use that account to steal sensitive data from the database, and
    3. the need to put controls in place to address the compliance requirements resulting from a deluge of privacy and corporate governance regulations.

    The latter include Sarbanes-Oxley, PCI, HIPAA, Gramm-Leach-Bliley, the Japanese Privacy Act, Basel II, and many more.


  4. Who are super and privileged users?

    Privileged users are users who have been granted powerful privileges or administrative roles within the database. Such users are generally administrators, but can be developers who are given access to the system for application development, partners who are given such privileges for application integration, or even an analyst who has access to database development tools such as Oracle Discoverer. A super user is the highest level of privileged user, oftentimes with SYSDBA access.


  5. What else does Oracle Database Vault do?

    In addition to the capabilities described above, Oracle Database Vault provides a web-based management console for configuring and managing the option, and a dashboard for monitoring policies and configuration setup. Finally, Oracle Database Vault ships with over three (3) dozen out-of-the-box reports that show who has access to what, helping to demonstrate proof of compliance.


  6. Is Oracle Database Vault the same as Oracle Audit Vault?

    No. Oracle Audit Vault is a new product from Oracle that focuses on securing and consolidating audit data. Oracle Database Vault and Oracle Audit Vault are intended to co-exist in the enterprise to assist customers with security, compliance, and privacy needs.


  7. Does Oracle have partners signed up to support Oracle Database Vault?

    Yes, Oracle has been working closely with a number of partners. These include global System Integrators (SIs) with risk management and security practices and Independent Software Vendors (ISVs) who plan to leverage Oracle Database Vault to better secure their solutions and help address compliance requirements. Examples of these partners include Protiviti and BearingPoint as well as ArcSight, Accenture, HP, Deloitte & Touche LLP, and PricewaterhouseCoopers.


  8. How does Oracle Database Vault help customers achieve separation of duty?

    Oracle Database Vault helps customers achieve separation of duty by creating different responsibilities to manage the different aspects of the database environment. Oracle Database Vault creates responsibilities for managing security, managing user accounts, and managing database resources. Separation of duty helps customers prevent unauthorized access to business data. Preventing unauthorized access to business data is a crucial requirement for many regulations such as SOX, Basel II, HIPAA, Gramm-Leach-Bliley, PCI, and J-SOX (Japan). By creating separation of duty in the database, Oracle Database Vault helps customers achieve better internal control over who does what and when in the database, which is also part of the regulatory compliance requirements.


  9. What performance overhead does Oracle Database Vault incur on the database?

    Our internal TPC-C benchmark testing showed that Oracle Database Vault has a minimal overhead of less than 2%. Customers should test their custom security settings for performance and try to make them as simple as possible. Normal database tuning still applies when Oracle Database Vault is installed.


  10. Does Oracle Database Vault require a separate database?

    No. Oracle Database Vault is an option to the Oracle Database Enterprise Edition. It can be enabled on any Oracle Database Enterprise Edition release including 11g, 10g Release 2, and 9.2.0.8.


  11. Does Oracle Database Vault require Oracle Real Application Clusters (RAC)?

    No. However, you can use Oracle Database Vault in Oracle Real Application Clusters (RAC) environments.


  12. What security mechanisms does Oracle Database Vault introduce?

    Oracle Database Vault introduces several new concepts:

    1. Realms - A Realm is a "protection zone" inside the database that prevents privileged users such as DBAs from accessing any protected data inside it. The Oracle Database Vault administrator can create a Realm and define the sensitive database objects to be secured in it and the users who need to be authorized to the realm. The realm's secured objects can be comprised of a single table, multiple tables, an entire application, or multiple applications.
    2. Command Rules - A Command Rule is a security policy that you can create to control how users can execute almost any SQL statement, including SELECT, ALTER SYSTEM, data definition language (DDL) statements, and data manipulation language (DML) statements. Command rules evaluate a security policy (rule set) to determine whether or not the statement is allowed. Rule Sets use Factors such as time of day, IP address, host name, or any number of identifiable attributes associated with the user. For example, a user will only be granted access to certain data if the command rule states that access to the application is restricted to working hours, from an internal IP address, and/or any other number of configurable parameters. These restrictions can be applied to all system users, including the most powerful DBAs.
    3. Multi-Factor Authorization - Rule sets that leverage multiple factors in their decision process. Security administrators can define rules that are based on specific compliance requirements or security requirements, for example, limiting connections to a specific IP address or range of IP addresses.

  13. How is Oracle Database Vault different from Virtual Private Database?

    Virtual Private Database is a fine-grained solution within the Database that enables customers to build customized row level security solutions using PL/SQL. Oracle Database Vault provides a higher level solution that provides security for the database and applications, by controlling access of privileged users (DBAs) and implementing separation of duty inside the database.


  14. Do the existing Oracle Database security features co-exist with Oracle Database Vault?

    Yes. All security features available with the Oracle Database Enterprise Edition, for example VPD and Secure Application Roles, work with Oracle Database Vault. In addition, other security options, like ASO and OLS, work with Oracle Database Vault as well.


  15. Does Oracle Database Vault work with Oracle Transparent Data Encryption (TDE)?

    Yes. Oracle Database Vault works with TDE. Oracle Database Vault Realms, Multi-Factor Authorization, and Command Rules provide security controls around access to databases and applications, and control activity within the database through separation of duty, while TDE protects data from direct operating system access to database files.


  16. Who can grant roles like the DBA role in a Database protected by Oracle Database Vault?

    In an Oracle Database Vault environment, if a realm protects a database role, then only the Realm Owner can grant this role to others. For example the Oracle Data Dictionary realm protects the DBA role. The SYS user by default is the owner of the Oracle Data Dictionary realm and can grant the DBA role to others.


  17. Can the Oracle Database Vault Administrator (owner) see data protected by a realm?

    No. The Oracle Database Vault owner account can only set up the realm. It cannot see data protected by a realm. This is part of the separation of duty that Oracle Database Vault enforces.


  18. Does Oracle Database Vault allow database connections using Java?

    Yes. Oracle Database Vault honors all connection types supported by the Oracle Database.


  19. How do you move Oracle Database Vault security policies from a development system to a production system?

    There are two ways to do this:

    1. Oracle Enterprise Manager Grid Control allows you to move Oracle Database Vault security policies from one database to multiple other databases.
    2. Alternatively, you can call the Oracle Database Vault API from scripts to create your security policies in a development system and then apply the same scripts to a production system when ready. In release 11.2.0.1 or higher, Oracle Database Control also allows you to generate the API scripts for your security policies and save them to a file, which you can then apply to other databases.
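
    A sketch of such an API script, covering the realm, rule set and command rule concepts from answer 12 (an added example, not Oracle's own script). The HR schema, EMPLOYEES table, HR_APP account, the realm and rule names, the 10.x network and the 08:00-17:59 window are all assumptions chosen for illustration; run it as a user holding the DV_OWNER role.

```sql
-- Added example. All object, account, realm and rule names are hypothetical.
BEGIN
  -- Realm: protection zone around the HR application tables.
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Protects HR application tables from privileged users',
    enabled       => DVSYS.DBMS_MACUTL.G_YES,
    audit_options => DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- '%' places every object in the HR schema inside the realm.
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- Only the application account is authorized; DBAs are not added.
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'HR Data Realm',
    grantee      => 'HR_APP',
    auth_options => DVSYS.DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- Rule set: every rule must be true (multi-factor authorization).
  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR Working Hours Internal',
    description     => 'Working hours and internal network only',
    enabled         => DVSYS.DBMS_MACUTL.G_YES,
    eval_options    => DVSYS.DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DVSYS.DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DVSYS.DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'HR data is not available from this session',
    fail_code       => -20901,
    handler_options => DVSYS.DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'HR Is Working Hours',
    rule_expr => 'TO_CHAR(SYSDATE, ''HH24'') BETWEEN ''08'' AND ''17''');

  -- Client_IP is NULL for local (non-network) sessions, so the LIKE
  -- evaluates to NULL and such sessions are denied as well.
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'HR Is Internal Network',
    rule_expr => 'DVF.F$CLIENT_IP LIKE ''10.%''');

  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR Working Hours Internal', 'HR Is Working Hours');
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR Working Hours Internal', 'HR Is Internal Network');

  -- Command rule: SELECT on HR.EMPLOYEES is allowed only when the rule set passes.
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'SELECT',
    rule_set_name => 'HR Working Hours Internal',
    object_owner  => 'HR',
    object_name   => 'EMPLOYEES',
    enabled       => DVSYS.DBMS_MACUTL.G_YES);
END;
/
-- After applying the script to the target database, confirm what was created.
SELECT name, enabled FROM DVSYS.DBA_DV_REALM WHERE name = 'HR Data Realm';
SELECT command, rule_set_name, object_owner, object_name, enabled
  FROM DVSYS.DBA_DV_COMMAND_RULE WHERE object_owner = 'HR';
```

    Keeping the script in version control and running the two verification queries on both systems gives a simple check that development and production carry the same policy.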

  20. How do you apply patches in a database that has Oracle Database Vault enabled?

    The DV_PATCH_ADMIN role allows a DBA to patch the database without having access to protected sensitive applications data. The Security Administrator grants the DV_PATCH_ADMIN role to a DBA so the DBA can patch the database. Once patching is done, the Security Administrator revokes the DV_PATCH_ADMIN role from the DBA.


  21. Who can create new users in an Oracle Database Vault environment?

    In an Oracle Database Vault environment, only a user with the account management responsibility can create new users. The DV_ACCTMGR role can be granted to a user to give that user the account management responsibility. This helps customers achieve strong operational controls by controlling who can create new users in their database environment.


  22. Does Oracle Database Vault integrate with Oracle Label Security (OLS)? Can OLS leverage Oracle Database Vault Factors?

    Oracle Database Vault integrates well with Oracle Label Security (OLS). Oracle Database Vault factors can provide an additional dimension in deciding the security clearance of a user's session. For example, let us assume a user has been authorized to access sensitive data. However the security administrator wants to ensure the user accesses sensitive data only if he / she is in the office and connected to the trusted network. A Database Vault factor like Network Domain can be used to determine the security clearance of a user's database session. If the user is coming from the public Internet, he / she can see only non-sensitive data. If the user is coming from the trusted network, then the user is allowed access to sensitive data.


  23. Do customers need to pay license fee for Oracle Label Security (OLS) when using Oracle Database Vault?

    Customer use of Oracle Database Vault does not require a separate license of Oracle Label Security.
    Background: When a customer installs Oracle Database Vault, it implicitly installs Oracle Label Security. Oracle Database Vault needs Oracle Label Security to be installed for technical reasons. Customers do not need to pay an additional license fee for Oracle Label Security when using Oracle Database Vault. The additional license fee is required only if the customer wants to implement Oracle Label Security.


  24. How is Oracle Database Vault packaged?

    Oracle Database Vault is a licensable option for the Oracle Database Enterprise Edition. Oracle Database Vault is available for Oracle Database 11g and higher, Oracle Database 10g Release 2 and Oracle Database release 9.2.0.8.


  25. Are there example business use cases for Oracle Database Vault?

    Yes. These are available on the Oracle Technology Network.


  26. Can I use Oracle Database Vault to meet compliance requirements found in regulations such as SOX, PCI, HIPAA, ITAR and EU privacy laws?

    Oracle Database Vault is designed to help customers address technical security requirements found in various regulations, including Sarbanes-Oxley (SOX), PCI, HIPAA, ITAR and European privacy laws. Oracle Database Vault provides strong internal controls inside the Oracle Database through restricting privileged user access to sensitive data and through multi-factor authorization to control who, when, where, and how sensitive data can be accessed.


  27. How does Oracle Database Vault address the "insider threat"?

    Oracle Database Vault addresses the "insider threat" by enabling powerful controls on how databases, applications and data are accessed. In addition, Oracle Database Vault enables additional protections against power users in the database such as those with super-privileges (DBAs). Oracle Database Vault places restrictions on what data these users can access using a security feature called a realm. In addition, Oracle Database Vault provides command rules and multi-factor authorization to control who, when, how, and where databases, applications and data can be accessed.


  28. Is there training available for Oracle Database Vault?

    Yes. Oracle University has a training class for Oracle Database Vault. This is a two-day class. Customers can enroll in it. For the latest schedule go to the Oracle University website and search for Oracle Database Vault.


  29. Where do I go to learn more about Oracle Database Vault?

    For white papers, data sheets and other materials, visit http://www.oracle.com/technetwork/database/options/database-vault/index-085211.html or contact an Oracle representative near you.


  30. Is Oracle Database Vault certified with major packaged Applications?

    Yes. Oracle Database Vault is now certified with all major Oracle applications including Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel, and Oracle JD Edwards EnterpriseOne. Vertical applications like Oracle Retail (Retek), Oracle Financial Services (iFlex), Oracle Utilities, and Oracle Enterprise Tax Management are also certified with Oracle Database Vault. In addition, Oracle Database Vault is certified with SAP applications and other partner applications like Infosys Finacle.


  31. How do Oracle Database Vault protections complement applications' security mechanisms?

    Oracle Database Vault protections complement application security mechanisms by securing the database and preventing direct access to the application tables by super-privileged users (DBAs). This helps customers outsource their backend operations without allowing access to their sensitive applications data and prevents hackers from stealing sensitive data even if they manage to compromise a privileged user account.


  32. Did Oracle Database Vault undergo a formal security evaluation?

    Yes. Oracle Database Vault has been awarded Common Criteria EAL4+.


  33. How does Oracle Database Firewall work when a target Oracle Database is protected by Oracle Database Vault? Do I need both to protect my Oracle Database?

    While Oracle Database Firewall protects a target Oracle Database from SQL injection attacks by inspecting and blocking harmful SQL traffic on the network before it reaches the database, Oracle Database Vault provides strong operational controls inside the target Oracle Database. Oracle Database Vault protections restrict privileged user access to sensitive data inside the Oracle Database. So, Oracle Database Firewall protections complement those of Oracle Database Vault. For maximum security and depending on customers' requirements, both Oracle Database Firewall and Oracle Database Vault can be used at the same time to protect the target Oracle Database.
