Database Vault

Oracle Database Vault implements data security controls within Oracle Database to restrict access to application data by privileged users. Reduce the risk of insider and outside threats and address compliance requirements, including separation of duties.

Watch the Database Vault video (7:45)

Meer informatie over beveiliging van Oracle Database.

Explore Oracle Database Vault

Database Vault realms

Block unauthorized access to sensitive data by creating restricted application environments within Oracle Database. Oracle Database Vault security controls also help organizations address compliance with data privacy laws and standards such as the European Union General Data Protection Regulation (EU GDPR), the Payment Card Industry Data Security Standard (PCI-DSS), and numerous other regulations that require strong internal controls on access, disclosure, or modifications to sensitive information.


Database Vault command rules

Prevent malicious or accidental changes that disrupt operations by privileged user accounts. Command controls prevent unauthorized commands such as DROP TABLE or ALTER SYSTEM outside of specific maintenance windows.


Database Vault trusted paths

Use factors like client IP address, program, username, and time of day to enforce zero trust access to data and data operations. Since an attacker can't simply use a stolen account to access sensitive data, Database Vault can block unauthorized access to sensitive data and generate high value alerts notifying administrators of suspicious data access activity to help stop data theft before it happens.


Separation of duties

Enforce checks and balances on privileged users, preventing attackers from disabling security controls, creating rogue users, and accessing sensitive data by leveraging credentials from a single privileged account.


Integrated, performant, and scalable

Secure new and existing Oracle Database environments without the need for costly and time-consuming application changes. Database Vault is compatible with enterprise architectures, including Oracle Real Application Clusters (RAC), Oracle GoldenGate, and Oracle Data Guard, all without the need to deploy additional servers and agents.


Detect or block SQL injection attacks

Detecting and preventing SQL injection attacks is crucial for safeguarding databases from unauthorized access and potential data breaches. With 23ai SQL Firewall, organizations gain a powerful tool to combat the risk of SQL injection and block the misuse of stolen credentials. With it, you can significantly bolster your resilience against SQL injection attacks, protect sensitive data, and preserve the integrity of your databases.

23ai SQL Firewall works by learning normal application behavior, including what SQL statements an application issues and the context that an application uses to connect to the database, such as network address, operating system user, and program used. Once trained, 23ai SQL Firewall can do the following:

  • Log and block deviations from normal behavior
  • Identify unusual SQL statements
  • Identify connections coming from addresses or programs not in the application’s profile

23ai SQL Firewall uses an allow-list approach, defining the finite set of allowable behavior, instead of attempting to guess at the near infinite choices an attacker might use to try and break into the database.

Because 23ai SQL Firewall is built into the Oracle Database kernel, it cannot be bypassed. The firewall is not fooled by the use of synonyms or dynamic SQL, and it is not impacted by network encryption.

In addition to threat mitigation, 23ai SQL Firewall logs provide a valuable detective capability, logging all deviations from policy even if the firewall is not placed in blocking mode. If desired, audit records of firewall violations can be created for use in database activity monitoring solutions, such as Oracle Audit Vault and Database Firewall or Oracle Data Safe.


Oracle Database Vault use cases

  • Protect sensitive data

    Block attackers from accessing sensitive data with stolen privileged user credentials—the most common attack vector today.

  • Prevent inadvertent access

    Block accidental access by database administrators to sensitive data without compromising their ability to perform necessary tasks.

  • Prevent unauthorized database changes

    Block accidental or malicious changes to production databases and restrict authorized changes to defined maintenance periods.

  • Enforce policy-based access control

    Prevent misuse of privileged credentials outside allowed IP address, time of day, client programs, and more.

  • Separation of duties

    Define and separate roles for security and administration so administrators can’t modify security policies or access sensitive data.

Resources

customer community

AskTOM Oracle Database Security Office Hours

AskTOM Office Hours offers free, open Q&A sessions with Oracle Database experts who are eager to help you fully leverage the multitude of enterprise-strength database security tools available to your organization.

cloud learning

LiveLabs Workshop: Oracle Database Vault

This workshop introduces Oracle Database Vault's features and functionality. Explore how to configure Database Vault to protect databases and the sensitive data contained therein with features like realms and trusted paths. Run this workshop on your own tenancy or reserve a time to run the workshop on LiveLabs, free of charge.

You may also be interested in

Technical report

Learn more about Database Vault

Datasheet

Features, benefits and more

Frequently asked questions

Get the answers

Oracle database security

Learn about more security solutions

Get started with Oracle Database Vault


Run the Database Security Assessment Tool

Quickly identify your database security posture and get recommendations to mitigate risks.


Try Oracle Autonomous Database

Try Autonomous Database with tools such as Oracle Application Express and Oracle SQL Developer.


Contact sales

Interested in learning more? Contact one of our industry-leading experts.