Oracle Database Vault Compliance Solutions

Oracle Database Vault with Oracle Database 18c includes Privilege Analysis to further harden the application by identifying unused privileges and roles based upon the actual usage of the roles and privileges by the user or from within the application. 

Privilege Analysis

Understanding the set of unused roles and privileges is important because it helps identify the least number of privileges the application needs to run, thereby making the application more secure. This feature extends the capabilities of Oracle Database Vault to include least privilege analysis for existing applications and a continuous analysis of privileges used during new application development. Privilege Analysis allows customers to:

  • Report on actual privileges and roles used in the database
  • Identify unused privileges and roles by users and applications
  • Reduce risk by helping enforce least privilege for users and applications

Using the Privilege Analysis feature, the set of run-time roles and privileges required for specific job functions or applications can be determined and then encapsulated within a new database role. Unused privileges can be audited to track their use before revoking them from users or roles. Privilege Analysis allows organizations to increase security of existing applications as well as monitor privileges required during the application development process.
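
The workflow described above (capture, report, then audit unused privileges before revoking them) is sketched below as an added example; it is not taken from Oracle's documentation. The account APP_USER, the capture name APP_PRIV_CAPTURE, the policy name UNUSED_PRIV_WATCH and the choice of CREATE ANY TABLE as the unused privilege are assumptions made for illustration.

```sql
-- Added example. APP_USER, APP_PRIV_CAPTURE and UNUSED_PRIV_WATCH are
-- hypothetical names. Run as a user who holds the CAPTURE_ADMIN role.

-- 1. Define a capture scoped to sessions of the application account, then start it.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'APP_PRIV_CAPTURE',
    description => 'Privileges used by APP_USER during a representative workload',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => q'[SYS_CONTEXT('USERENV','SESSION_USER') = 'APP_USER']');
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'APP_PRIV_CAPTURE');
END;
/

-- 2. Exercise the application (including month-end jobs, batch runs and other
--    infrequent paths), then stop the capture and populate the result views.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'APP_PRIV_CAPTURE');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'APP_PRIV_CAPTURE');
END;
/

-- 3. Privileges and roles actually used: the candidate contents of a new,
--    narrower application role.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
FROM   dba_used_privs
WHERE  capture = 'APP_PRIV_CAPTURE'
ORDER  BY username, used_role;

-- 4. Privileges granted but never exercised during the capture window.
SELECT username, rolename, sys_priv, obj_priv, object_owner, object_name
FROM   dba_unused_privs
WHERE  capture = 'APP_PRIV_CAPTURE'
ORDER  BY username, rolename;

-- 5. Before revoking, audit an unused privilege so that any later use is
--    recorded. CREATE ANY TABLE stands in for a row returned by step 4.
CREATE AUDIT POLICY unused_priv_watch PRIVILEGES CREATE ANY TABLE;
AUDIT POLICY unused_priv_watch BY app_user;
```

A capture only sees what ran while it was enabled, so a privilege listed as unused may still be needed by a code path that was not exercised; the audit policy in step 5 covers that gap before the revoke.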

Privileged User Controls

Increasing controls on privileged and DBA accounts is vital to improving security. Oracle Database Vault creates a highly restricted application environment (“Realm”) inside the Oracle database that prevents access to application data from privileged accounts while continuing to allow the regular authorized administrative activities on the database. Realms can be placed around all or specific application tables and schemas to protect them from unauthorized access while continuing to allow access to owners of those tables and schemas, including those who have been granted direct access to those objects.

Oracle Database Vault with Oracle Database 12c introduced “Mandatory Realms” that effectively seal off application tables, views, or other objects from all access, including the object owner and privileged users, unless access has been specifically granted. Mandatory Realms can be pre-configured and then enabled during maintenance operations. Mandatory Realms can also be used as an additional line of defense to protect applications. In this case, they would not only prevent privileged user access, just like regular realms, but also provide an additional check on all users who have access to the application including those with direct object grants and the application owner. These users can be authorized to the Mandatory Realm and additional checks can be performed before gaining access to application data.

Prevent Unauthorized Changes to the Database

Technical controls can prevent changes that could lead to an insecure database configuration, prevent configuration drift, reduce the possibility of audit findings, and improve compliance. Changes to database structures such as application tables and roles, privileged role grants, and ad hoc creation of new database accounts are just a few examples of configuration drift that can have serious consequences. To prevent these audit findings and to comply with regulations, customers need to put in place strong operational controls inside the database. Oracle Database Vault allows customers to prevent configuration drift by controlling the use of commands such as ALTER SYSTEM, ALTER USER, CREATE USER, DROP USER, etc.

Oracle Database Vault can be used to control SQL commands that can impact the security and availability of the application and the database. Oracle Database Vault Command Controls introduce an additional layer of rules and checks before any SQL command is executed including CONNECT to the database, DROP TABLE, TRUNCATE TABLE, and DROP TABLESPACE, to name a few. The Command Controls can be used to restrict access to databases to a specific subnet, application server, and program, creating a trusted path from the application to the database. Built-in factors such as IP address, host name, and session user name can be used to enforce SQL Command Controls inside the database. Oracle Label Security factors can also be used to control activity based on the security clearance of the database session. In addition, Oracle APEX applications’ native functions and factors can be used with Oracle Database Vault Command Controls to determine whether to allow access to specific DML or DDL statements.