Security Benefits of Implementing Database Vault

Introduction:

The need to increase the security of existing applications and to address regulatory requirements makes it necessary to have fine-grained access control over the data in your database. Database Vault enforces separation of access and privileges among users. Oracle Database Vault proactively protects application data from being accessed by privileged database users.

Components of Database Vault:

Oracle Database Vault Access Control Components - Database Vault enables you to create various access control components that manage the security of the database. The components are: Realms, Command rules, Factors, Rule sets, Secure application roles.

Oracle Database Vault Administrator - This is a Java-based application built on top of the Oracle Database Vault PL/SQL API. It enables security managers to control access to the database through a user-friendly interface. Oracle Database Vault Administrator provides an extensive collection of security-related reports that assist in understanding the baseline security configuration.

Oracle Database Vault Configuration Assistant (DVCA) - To perform maintenance tasks on your Oracle Database Vault installation, use the command-line utility DVCA.

Oracle Database Vault DVSYS and DVF Schemas - Oracle Database Vault provides a schema, DVSYS, which stores the database objects needed to process Oracle data for Oracle Database Vault. This schema contains the roles, views, accounts, functions, and other database objects that Oracle Database Vault uses. The DVF schema contains public functions to retrieve (at run time) the factor values set in the Oracle Database Vault access control configuration.

Oracle Database Vault PL/SQL Interfaces and Packages - Oracle Database Vault provides a collection of PL/SQL interfaces and packages that allow security managers or application developers to configure the access control policy as required. The PL/SQL procedures and functions allow the general database account to operate within the boundaries of the access control policy in the context of a given database session.

Oracle Database Vault and Oracle Label Security PL/SQL APIs - Oracle Database Vault provides access control capabilities that can be integrated with Oracle Label Security. The Oracle Label Security database option is integrated with Oracle Enterprise Manager Database Control, which enables the security manager to define a label security policy and apply it to database objects. Oracle Label Security also provides a collection of PL/SQL packages that can be used by a database application developer to provide label security policy and protections.

Oracle Database Vault Reporting and Monitoring Tools - You can generate reports on the various activities that Oracle Database Vault monitors. In addition, you can monitor policy changes, security violation attempts, and database configuration and structural changes.

Working:

After installation of Database Vault, the first step is to create a realm (one of the Oracle Database Vault Access Control Components) that will contain the database schemas, database objects and roles that are required to be secured. This realm can be further secured by creating the other access control components: Command rules, Factors, Rule sets, Secure application roles.

For example, say there is a table called HR_SAL_PAYMENTS under the HR realm. A user from the FIN realm will not be able to access the data in another realm, which is HR in this case.

Another example of protection against insider threats is where a DBA tries to grant some access to a user, in this case IDMUSRMGT. The following error is encountered while executing the grant statement:

    grant resource to IDMUSRMGT
    *
    ERROR at line 1:
    ORA-47410: Realm violation for GRANT on UNLIMITED TABLESPACE

Thus, with Database Vault, sensitive data is protected from insider threats as well as external threats. Even privileged users like the DBA will not be able to access the schemas in another realm or misuse any privileges while Database Vault is enabled.
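
The realm setup described above, written out with the Database Vault PL/SQL API as an added example (not code from the original article). It assumes the HR_SAL_PAYMENTS table is owned by a schema named HR, that the script is run by an account holding the DV_OWNER role, and that HR_APP_OWNER is a hypothetical account that should keep access; the realm name and description are constructed.

```sql
-- Added example. Run as an account with the DV_OWNER (or DV_ADMIN) role.
-- Assumptions: schema HR owns HR_SAL_PAYMENTS; HR_APP_OWNER is hypothetical.
BEGIN
  -- 1. Create the realm, enabled, and audit every failed access attempt
  --    so realm violations show up in the Database Vault reports.
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects HR payroll data',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Place the sensitive table inside the realm. From this point on,
  --    system privileges such as SELECT ANY TABLE no longer reach it.
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => 'HR_SAL_PAYMENTS',
    object_type  => 'TABLE');

  -- 3. Authorize only the account that legitimately manages the data.
  --    Accounts that are not authorized here (a FIN user, a DBA) are
  --    refused when they rely on system privileges to reach the table.
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'HR Realm',
    grantee      => 'HR_APP_OWNER',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- 4. Check the result: which objects the realm protects ...
SELECT realm_name, owner, object_name, object_type
  FROM DVSYS.DBA_DV_REALM_OBJECT
 WHERE realm_name = 'HR Realm';

-- ... and who is authorized in it. Review this list periodically;
-- an unexpected grantee here is a policy change worth investigating.
SELECT realm_name, grantee, auth_options
  FROM DVSYS.DBA_DV_REALM_AUTH
 WHERE realm_name = 'HR Realm';
```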

Arpita Ghatak has been working with Cognizant Technology Solutions for the past 2.5 years. She earlier worked with Tata Consultancy Services for approximately 4 years, first as part of the Configuration Management team and later as an Oracle Apps DBA. She has been working as a lead DBA for one of the biggest retail chains, 7-Eleven, for Cognizant Technology Solutions. She has had the opportunity to be a part of several important milestones like the Data Centre Migration, Exadata Migration and EBS R12 Upgrade. Her major roles and responsibilities include Patching, Cloning, Database Administration and Support, Maintenance Activities, Code Migrations, Alert Management and working on Database Vault.