
Oracle Database Vault FAQ

Questions

Database Vault -- General

  1. What is Oracle Database Vault?
  2. Is Oracle Database Vault available now and what platforms is it available for?
  3. What Oracle software is required to run Oracle Database Vault?
  4. What is driving security requirements for IT organizations today?
  5. Who are super and privileged users?
  6. What else does Oracle Database Vault do?
  7. Is Oracle Database Vault the same as Oracle Audit Vault?
  8. Does Oracle have partners signed up to support Oracle Database Vault?

Database Vault -- Separation of duty

  1. How does Oracle Database Vault help customers achieve separation of duty?

Database Vault -- Performance

  1. What performance overhead does Oracle Database Vault incur on the database?

Database Vault -- Technical

  1. Does Database Vault require a separate database?
  2. Does Oracle Database Vault require Oracle Real Application Clusters (RAC)?
  3. How does Oracle Database Vault enforce these security mechanisms?
  4. How is Oracle Database Vault different from Virtual Private Database?
  5. Do the existing Oracle Database Security Features co-exist with Oracle Database Vault?
  6. Does Oracle Database Vault work with Oracle Transparent Data Encryption (TDE)?
  7. Who can grant roles like the DBA role in a Database protected by Database Vault?
  8. Can the Database Vault Administrator (owner) see data protected by a Realm?
  9. Does Oracle Database Vault allow database connections using Java?
  10. How do you move Oracle Database Vault security Policies from a development system to a production system?
  11. How do you apply patches in a Database that has the Oracle Database Vault option enabled?
  12. Who can create new users in a Database Vault environment?
  13. Would Enterprise Manager Grid Control continue to work on a Database Vault environment?
  14. Does Oracle Database Vault integrate with Oracle Label Security (OLS)? Can OLS leverage Oracle Database Vault Factors?

Database Vault -- Sales and Licensing

  1. Do customers need to pay license fee for Oracle Label Security (OLS) when using Oracle Database Vault?
  2. How is Database Vault packaged?
  3. Are there example business use cases for Database Vault?
  4. Are other Oracle Database Security Options included in Oracle Database Vault?

Database Vault -- Compliance

  1. Can I use Oracle Database Vault to meet Sarbanes-Oxley requirements?
  2. How does Oracle Database Vault help address customer compliance requirements?
  3. How does Database Vault address the "insider threat"?
  4. What are internal controls?

Database Vault -- Training

  1. Is there training available for Oracle Database Vault?
  2. Where do I go to learn more about Oracle Database Vault?

Database Vault -- Apps Certification

  1. Will Oracle Database Vault be certified with Oracle Applications?
  2. Does Oracle Database Vault replace the security mechanisms in applications?

Database Vault -- Evaluation

  1. Will Oracle Database Vault undergo a formal security evaluation?

Database Vault -- Platforms

  1. What platforms are supported by Oracle Database Vault for the 10.2.0.3 release?
  2. What platforms are supported by Oracle Database Vault for the 9.2.0.8 release?

Answers

  1. What is Oracle Database Vault?
  2. Oracle Database Vault is a database security option that you use to protect application data from DBA access, enforce protection of database structures from unauthorized change, and set a variety of access controls to implement dynamic and flexible security requirements. These features help you to adhere to standards for separation of duties, regulatory compliance, and internal control. You configure Oracle Database Vault to manage the security for an individual Oracle database instance. You can use Oracle Database Vault on standalone Oracle Database installations and in Oracle Real Application Clusters (RAC) environments.


  3. Is Oracle Database Vault available now and what platforms is it available for?
  4. Yes. Oracle Database Vault release 10.2.0.3 is available today and downloadable from OTN. Oracle Database Vault is available on 9.2.0.8 Oracle Database as well. Oracle Database Vault release 10.2.0.3 is available on a number of platforms, such as Linux x86 (32-bit), Solaris Operating System (SPARC) (64-bit), HP-UX, AIX, and MS Windows, to name a few. For the complete list of available platforms for 10.2.0.3 and 9.2.0.8 visit: http://www.oracle.com/technology/software/products/database_vault/index.html


  5. What Oracle software is required to run Oracle Database Vault?
  6. Oracle Database Vault requires Oracle Database 9i (9.2.0.8) Enterprise Edition or Oracle Database 10g Release 2 (10.2.0.3) Enterprise Edition or higher.


  7. What is driving security requirements for IT organizations today?
  8. There are two macro issues driving security requirements for IT organizations today:

    1. How to protect against the "insider threat" — attack from within an organization by rogue individuals with privileges who are thought to be trustworthy, but prove otherwise, and
    2. The need to put in place controls to address the compliance requirements resulting from a deluge of privacy and corporate governance regulations.

    The latter include Sarbanes-Oxley, PCI, HIPAA, Gramm-Leach-Bliley, the Japanese Privacy Act, BASEL II, and many more.


  9. Who are super and privileged users?
  10. Privileged users are users who have been granted powerful privileges or administrative roles within the database. Such users are generally administrators, but can be developers who are given access to the system for application development, partners who are given such privileges for application integration, or even an analyst who has access to database development tools such as Oracle Discoverer. A super user is the highest level of privileged user, oftentimes with SYSDBA access.


  11. What else does Oracle Database Vault do?
  12. In addition to the capabilities described above, Oracle Database Vault provides a web-based management console that can be used to configure and manage the offering. Database Vault provides a dashboard for monitoring policies and configuration setup. Finally, Oracle Database Vault ships with over three (3) dozen out-of-the-box reports that show who has access to what, helping to demonstrate proof of compliance.


  13. Is Oracle Database Vault the same as Oracle Audit Vault?
  14. No. Oracle Audit Vault is a new product from Oracle that focuses on securing and consolidating audit data. Oracle Database Vault and Oracle Audit Vault are intended to co-exist in the enterprise to assist customers with security, compliance, and privacy needs.


  15. Does Oracle have partners signed up to support Oracle Database Vault?
  16. Yes, Oracle has been working closely with a number of partners. These include global System Integrators (SIs) with risk management and security practices and Independent Software Vendors (ISVs) who plan to leverage Oracle Database Vault to better secure and help address compliance requirements with their solutions. Examples of these partners include Protiviti and BearingPoint as well as ArcSight, LogicalApps, Lumigent, Mantas, Tripwire, and Vormetric.


  17. How does Oracle Database Vault help customers achieve separation of duty?
  18. Oracle Database Vault helps customers achieve separation of duty by creating different responsibilities to manage the different aspects of the database environment. Oracle Database Vault creates responsibilities for managing security, managing user accounts, and managing database resources. Separation of duty helps customers prevent unauthorized access to business data. Preventing unauthorized access to business data is a crucial requirement for many regulations such as SOX, Basel II, HIPAA, Gramm-Leach-Bliley, PCI, and J-SOX (Japan). By creating separation of duty in the database, Oracle Database Vault helps customers achieve better internal control over who does what and when in the database, which is also part of the regulatory compliance requirements.


  19. What performance overhead does Oracle Database Vault incur on the database?
  20. Our TPC-C benchmark testing showed that Database Vault has a minimal overhead of less than 1%. Customers should test their custom security settings for performance and try to make them as simple as possible. Normal database tuning still applies when Database Vault is installed.


  21. Does Database Vault require a separate database?
  22. No. Oracle Database Vault is an option to the Oracle Database Enterprise Edition. It can be enabled on any Oracle Database Enterprise Edition release 9.2.0.8 or 10.2.0.3 and above.


  23. Does Oracle Database Vault require Oracle Real Application Clusters (RAC)?
  24. No. However, you can use Database Vault in Oracle Real Application Clusters (RAC) environments.


  25. How does Oracle Database Vault enforce these security mechanisms?
  26. Oracle Database Vault introduces several new concepts:

    1. Realm - A container that serves as a "protection zone". The Database Vault administrator can create a Realm and define the content within the realm. A realm can comprise database objects such as a single table, multiple tables, an entire application, or multiple applications.
    2. Command Rules - A collection of rules that you can create to control how users can execute almost any SQL statement, including SELECT, ALTER SYSTEM, database definition language (DDL), and data manipulation language (DML) statements. Command rules can work with rule sets to determine whether or not the statement is allowed. Rule Sets use Factors such as time of day, IP address, host name, or any number of identifiable attributes associated with the user. For example, a user will only be granted access to certain data if the command rule states that access to the application is restricted to working hours, from an internal IP address, and/or any other number of configurable parameters. These restrictions can be applied to all system users, including the most powerful DBAs.
    3. Multi-Factor Authorization - Rule sets that leverage multiple factors in their decision process. Security administrators can define rules that are based on specific compliance requirements or security requirements. For example, limiting connections to a specific IP or range of IP addresses.
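
The three concepts above can be combined in one policy script. The following is an added example, not Oracle's own script: it uses the DVSYS.DBMS_MACADM procedures with their 10g/11g-style parameter lists, and the HR schema, the HR_APP account, the 10.1.0.% subnet and every policy name are assumptions chosen for illustration.

```sql
-- Added example. Run as an account holding the Database Vault owner role.
-- Schema HR, account HR_APP, subnet 10.1.0.% and all names are assumed.
BEGIN
  -- 1. Realm: a protection zone around every object in the HR schema.
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Blocks system-privilege access to HR objects',
    enabled       => DVSYS.DBMS_MACUTL.G_YES,
    audit_options => DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- Only the application account is authorized in the realm. A DBA with
  -- SELECT ANY TABLE is not, so realm checks reject that access.
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'HR Data Realm',
    grantee      => 'HR_APP',
    auth_options => DVSYS.DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- 2. Rules: each is a PL/SQL boolean expression evaluated per statement.
  --    IP_ADDRESS is NULL for local (bequeath) connections, so those
  --    sessions fail the first rule and are denied.
  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'From Internal Subnet',
    rule_expr => 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') LIKE ''10.1.0.%''');

  DVSYS.DBMS_MACADM.CREATE_RULE(
    rule_name => 'During Working Hours',
    rule_expr => 'TO_NUMBER(TO_CHAR(SYSDATE,''HH24'')) BETWEEN 8 AND 17');

  -- 3. Rule set: EVAL_ALL means every rule must be true (multi-factor).
  DVSYS.DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR Access Window',
    description     => 'Internal subnet AND working hours',
    enabled         => DVSYS.DBMS_MACUTL.G_YES,
    eval_options    => DVSYS.DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DVSYS.DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DVSYS.DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'HR data is available from the office network only',
    fail_code       => -20461,
    handler_options => DVSYS.DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'HR Access Window', rule_name => 'From Internal Subnet');
  DVSYS.DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'HR Access Window', rule_name => 'During Working Hours');

  -- 4. Command rule: binds the rule set to SELECT on one table. Unlike the
  --    realm, it applies to every session, including the object owner.
  DVSYS.DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'SELECT',
    rule_set_name => 'HR Access Window',
    object_owner  => 'HR',
    object_name   => 'EMPLOYEES',
    enabled       => DVSYS.DBMS_MACUTL.G_YES);
  COMMIT;
END;
/

-- Confirm what is now enforced.
SELECT command, rule_set_name, object_owner, object_name, enabled
  FROM dvsys.dba_dv_command_rule
 WHERE object_owner = 'HR';
```

Parameter lists and accepted values differ between Database Vault releases, so check the DBMS_MACADM reference for the installed version before running a script like this.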


  27. How is Oracle Database Vault different from Virtual Private Database?
  28. Virtual Private Database is a fine-grained solution within the Database that enables customers to build customized row level security solutions using PL/SQL. Oracle Database Vault provides a higher level solution that provides security for the database and application, by controlling access of privileged users (DBAs) and implementing separation of duty inside the database.


  29. Do the existing Oracle Database Security Features co-exist with Oracle Database Vault?
  30. Yes. All security features available with the Oracle Database Enterprise Edition, for example VPD and Secure Application Roles, work with Oracle Database Vault. In addition, other security options, like ASO and OLS, work with Oracle Database Vault as well.


  31. Does Oracle Database Vault work with Oracle Transparent Data Encryption (TDE)?
  32. Yes. Oracle Database Vault works with TDE. Database Vault Realms, Multi-Factor Authorization, and Command Rules provide security controls around access to databases and applications as well as controlling activity within the database through separation of duty.


  33. Who can grant roles like the DBA role in a Database protected by Database Vault?
  34. In a Database Vault environment, if a realm protects a database role, then only the Realm Owner can grant this role to others. For example, the Data Dictionary Realm protects the DBA role. The SYS user by default is the owner of the Data Dictionary Realm and can grant the DBA role to others.


  35. Can the Database Vault Administrator (owner) see data protected by a Realm?
  36. No. The Database Vault owner account can only set up realms. It cannot see data protected by a realm. It also cannot add itself to the list of authorized users for any Realm it creates. This is part of the separation of duty that Oracle Database Vault enforces.


  37. Does Oracle Database Vault allow database connections using Java?
  38. Yes. Database Vault honors all connection types supported by any regular database.


  39. How do you move Oracle Database Vault security Policies from a development system to a production system?
  40. There are two ways to do this currently:

    1. You can either clone the database that has Database Vault policies in it, or
    2. You can use the Database Vault API to create your security policies in a development system and apply the same scripts to a production system when ready.

    In the future we are planning to leverage Enterprise Manager Grid Control to move Database Vault security policies between databases.


  41. How do you apply patches in a Database that has the Oracle Database Vault option enabled?
  42. For each released database patch, there would be a section describing how to apply it in a Database Vault enabled Database.


  43. Who can create new users in a Database Vault environment?
  44. In an Oracle Database with the Database Vault option enabled, a new account management responsibility is created. Only a user with the account management responsibility can create new users in a Database Vault environment. This helps customers achieve separation of duty. Separation of duty is good for regulatory compliance.


  45. Would Enterprise Manager Grid Control continue to work on a Database Vault environment?
  46. Yes. It would continue to work. However, the restrictions that Database Vault puts in place would apply to EM Grid Control administrators as well.


  47. Does Oracle Database Vault integrate with Oracle Label Security (OLS)? Can OLS leverage Oracle Database Vault Factors?
  48. Oracle Database Vault integrates well with Oracle Label Security (OLS). Oracle Database Vault factors can provide an additional dimension in deciding the security clearance of a user's session. For example, let us assume a user has been authorized to access sensitive data. However the security administrator wants to ensure the user accesses sensitive data only if he / she is in the office and connected to the trusted network. A Database Vault factor like Network Domain can be used to determine the security clearance of a user's database session. If the user is coming from the public Internet, he / she can see only non-sensitive data. If the user is coming from the trusted network, then the user is allowed access to sensitive data.


  49. Do customers need to pay license fee for Oracle Label Security (OLS) when using Oracle Database Vault?
  50. Customer use of Oracle Database Vault does not require a separate license of Oracle Label Security.
    Background: When a customer installs Oracle Database Vault, it implicitly installs Oracle Label Security. Oracle Database Vault needs Oracle Label Security to be installed for technical reasons. Customers do not need to pay an additional license fee for Oracle Label Security when using Oracle Database Vault. The additional license fee is required only if the customer wants to implement Oracle Label Security.


  51. How is Database Vault packaged?
  52. Oracle Database Vault is an option for the Oracle Database Enterprise Edition. Oracle Database Vault can be installed into Oracle Database release 9i (9.2.0.8) or 10g Release 2 (10.2.0.3) or higher.


  53. Are there example business use cases for Database Vault?
  54. Yes. These are available on OTN at http://www.oracle.com/technology/deploy/security/database-security/database-vault.


  55. Are other Oracle Database Security Options included in Oracle Database Vault?
  56. Both Oracle Label Security and Oracle Advanced Security can be used with Oracle Database Vault, but are licensed separately. Oracle Label Security provides the ability to turn on security clearances inside the Oracle Database and enforce multi level security. Oracle Advanced Security provides encryption of network traffic, strong authentication and Transparent Data Encryption. Transparent Data Encryption provides key management and encryption transparency to applications, protecting personally identifiable information (PII) on disk and backup tape.


  57. Can I use Oracle Database Vault to meet Sarbanes-Oxley requirements?
  58. Oracle Database Vault is designed to help address technical security requirements found in various regulations, including Sarbanes-Oxley. Oracle Database Vault provides strong internal controls inside the database through separation of duty and preventing the DBA from viewing application data.


  59. How does Oracle Database Vault help address customer compliance requirements?
  60. Database Vault can be used by organizations as a preventive control. In other words, organizations can configure Database Vault to prevent users with super-privileges (DBAs) from accessing application data. By instituting a control in this manner, an organization can demonstrate compliance with specific regulations that require separation of duties among individuals accessing a system. This is a common requirement across a number of regulations and is specifically called out in Section 404 of Sarbanes-Oxley. Payment Card Industry regulations such as PCI Requirement 7 call for restricting access to cardholder data by business need-to-know. This can be enforced with the help of Oracle Database Vault. Additionally, Oracle Database Vault ships with a set of pre-defined reports that show who is accessing what data and under what conditions. These reports offer a means by which organizations can demonstrate proof of compliance.


  61. How does Database Vault address the "insider threat"?
  62. Database Vault addresses the "insider threat" by enabling powerful controls on how databases, applications and data are accessed. In addition, Database Vault enables additional protections against power users in the database such as those with super-privileges (DBAs). Database Vault places restrictions on what data these users can access using a security feature called a realm. Additionally, Database Vault provides command rules and multi-factor authorization to control when, how, and where databases, applications and data can be accessed.


  63. What are internal controls?
  64. Internal controls are mechanisms put in place to enforce business best practices. They are generally closely associated with addressing regulatory compliance requirements. Internal controls can be preventive, detective or corrective in nature. Preventive controls are designed to discourage or pre-empt errors or irregularities from occurring. They are generally thought to be more cost-effective than detective controls. Oracle Database Vault serves as an automated preventive control — something highly desirable by the internal audit function of companies.


  65. Is there training available for Oracle Database Vault?
  66. Yes. Oracle University has developed a training class for Oracle Database Vault. This class is a two-day, instructor-led class. Customers can enroll in it. For the latest schedule and location check the Oracle University website at: http://education.oracle.com and search for Oracle Database Vault.


  67. Where do I go to learn more about Oracle Database Vault?
  68. Visit http://www.oracle.com/goto/databasevault for white papers, data sheets, and other materials or contact an Oracle representative near you - http://www.oracle.com/corporate/contact/index.html


  69. Will Oracle Database Vault be certified with Oracle Applications?
  70. Yes. Validation with Oracle PeopleSoft applications has been completed and was announced at RSA Conference 2007. You can find more information on Oracle PeopleSoft validation with Oracle Database Vault at: http://www.oracle.com/technology/software/products/database_vault/index.html. Oracle is working to certify Oracle Database Vault with the Oracle E-business Suite, Siebel, Retek, and iFlex among others. Please watch for announcements. The Oracle Partner Network is also working with Oracle partners to validate partner applications with Oracle Database Vault.


  71. Does Oracle Database Vault replace the security mechanisms in applications?
  72. No. Oracle Database Vault secures the database and application by adding security protections within the database kernel, preventing direct access to the application tables by super-privileged users (DBAs). Oracle Database Vault complements any application security mechanisms.


  73. Will Oracle Database Vault undergo a formal security evaluation?
  74. Oracle Database Vault is now undergoing a formal evaluation under the Common Criteria security certification program.


  75. What platforms are supported by Oracle Database Vault for the 10.2.0.3 release?
  76. The following platforms are currently supported by Oracle Database Vault release 10.2.0.3:

    • Windows (32-bit)
    • Linux x86
    • Linux Itanium
    • Linux x86-64
    • Solaris Operating System (SPARC) (64-bit)
    • Windows Itanium
    • Windows (x64)
    • HP-UX PA-RISC (64-Bit)
    • AIX 5L Based Systems (64-Bit)
    • HP-UX Itanium

    Additional platforms are being added based on customer demand.


  77. What platforms are supported by Oracle Database Vault for the 9.2.0.8 release?
  78. The following platforms are currently supported by Oracle Database Vault release 9.2.0.8:

    • Solaris Operating System (SPARC) (32-bit)
    • Solaris Operating System (SPARC) (64-bit)
    • Linux x86-64
    • AIX 5L Based Systems (64-Bit)
    • HP-UX PA-RISC (64-Bit)

    Additional platforms are being added based on customer demand.

