How to protect your sensitive data using Oracle Database Vault


Upload: anar-godjaev

Posted on 22-Nov-2014


Measures taken for data security should be applied at the database level as well as at the hardware, network and operating system levels. Companies generally buy a firewall product and assume that their security problems are solved. Research shows that while firewall products can counter external attacks, they offer no sufficient protection against internal attacks. In particular, nothing protects the data on the server where the database itself runs. A user holding DBA authority has every privilege in the database and can perform the same operations when connecting from another computer, so the resulting security gaps must be considered. A database administrator's access to all data is as much a risk as his or her ability to connect from other computers and perform the same operations; it is itself a security gap. Oracle Database Vault, one of the security solutions of Oracle Database, is recommended as a product that helps solve these problems.

What is Oracle Database Vault?

Oracle Database Vault provides powerful security controls to help protect application data from unauthorized access and to comply with privacy and regulatory requirements. Controls can be deployed to block privileged account access to application data and to control sensitive operations inside the database using multi-factor authorization. The security of existing applications can be increased through analysis of privileges and roles. Oracle Database Vault secures existing database environments transparently, eliminating costly and time-consuming application changes. It is a product, shipped with Oracle Database as an optional part of the database configuration, that lets you apply dynamic and flexible security controls to your database and produce reports on them. Because it operates at the database kernel level, it is far more effective than security measures implemented in PL/SQL. Database Vault is also useful where the required security level differs per database; it can be applied to a single-instance Oracle database and used just as successfully in RAC architectures. It can prevent even a database administrator from accessing your critical data (such as credit card numbers, customer personal information, account details, personnel salary information, calculations, expenses and conversation details).

It protects your database from any change you have not authorized. It lets you add a temporary control, or alter or trace one, in real time. Database Vault, a product of the Oracle family, is configured, created and managed very easily and has only a negligible effect on system performance. It lives inside Oracle Database and is configured through a simple setup. It works through realms, command rules, factors, rule sets and reporting. Oracle Database Vault provides a very strong and safe setting for protecting applications and data. It can restrict users holding powerful system privileges (such as SELECT ANY TABLE), and can even restrict DBA users, who hold the most powerful role. Any change to database objects (alter, drop, truncate, etc.) or to data content (insert, delete, update, etc.) can be restricted by defining how, when and by what means it may be made.

Oracle Database Vault protects the existing database environment. The shutdown of unwanted software can be prevented, and the database can be protected from unwanted attacks. It applies the principle of separation of duties within the database.

Controls for Privileged Accounts

Privileged database accounts are one of the most commonly used pathways for gaining access to sensitive application data in the database. While their broad and unrestricted access facilitates database maintenance, the same access also creates a point of attack for gaining access to large amounts of data. Oracle Database Vault Realms around application schemas, sensitive tables and stored procedures provide controls to prevent privileged accounts from being exploited by hackers and insiders to access sensitive application data.
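The realm described above, as an added example that is not part of the original document: it places a constructed application schema named APP_HR inside a realm using the DBMS_MACADM package, so that a DBA holding SELECT ANY TABLE can no longer read its tables. The realm name, the schema name and the table name are assumptions; the script is run as the Database Vault owner (a user holding DV_OWNER), and the verification queries use the DVSYS views.

```sql
-- Added example (not from the page). Run as the Database Vault owner (DV_OWNER).
-- "APP_HR" and "APP_HR Realm" are constructed names.
BEGIN
  -- 1. Create the realm; failed access attempts are audited.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'APP_HR Realm',
    description   => 'Protects salary and personal data owned by APP_HR',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Put every object owned by APP_HR inside the realm ('%' = all names and types).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'APP_HR Realm',
    object_owner => 'APP_HR',
    object_name  => '%',
    object_type  => '%');

  -- 3. Authorise only the application owner. OWNER may also manage realm-protected
  --    roles; a PARTICIPANT may only use its own privileges on realm objects.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'APP_HR Realm',
    grantee       => 'APP_HR',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Verify what the realm covers and who is authorised inside it.
SELECT * FROM DVSYS.DBA_DV_REALM_OBJECT WHERE realm_name = 'APP_HR Realm';
SELECT * FROM DVSYS.DBA_DV_REALM_AUTH   WHERE realm_name = 'APP_HR Realm';

-- Effect: a DBA whose only path to the data is the SELECT ANY TABLE system
-- privilege is now stopped at the realm boundary:
--   SQL> CONNECT dba_user
--   SQL> SELECT salary FROM app_hr.employees;
--   ORA-01031: insufficient privileges
-- Direct object grants made by APP_HR itself still work, because the realm
-- blocks system privileges, not object privileges.
```

The last comment is the point of the realm: the system privilege that made the DBA account dangerous is neutralised for the protected schema only, so backup, patching and performance work continue unaffected.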

Controls for Database Configuration

Among the more common audit findings are unauthorized changes to database entitlements, including grants of the DBA role, as well as new accounts and database objects. Preventing unauthorized changes to production environments is important not only for security, but also for compliance as such changes can weaken security and open doors to hackers, violating privacy and compliance regulations. Oracle Database Vault SQL Command Controls allow customers to control operations inside the database, including commands such as create table, truncate table, and create user. Various out-of-the-box factors such as IP address, authentication method, and program name help implement multi-factor authorization to deter attacks leveraging stolen passwords. These controls prevent accidental configuration changes and also prevent hackers and malicious insiders from tampering with applications.
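A command rule combined with a factor, as an added example that is not part of the original document: it allows TRUNCATE TABLE on the constructed APP_HR schema only from one client IP address, using the default Client_IP factor that Database Vault ships with (exposed as the function DVF.F$CLIENT_IP). The schema name, rule names, rule set name and the IP address 192.0.2.15 are constructed assumptions; the script is run as the Database Vault owner.

```sql
-- Added example (not from the page). Run as the Database Vault owner (DV_OWNER).
-- Schema "APP_HR", the rule/rule-set names and the address 192.0.2.15 are constructed.
BEGIN
  -- 1. A rule is a boolean SQL expression; it reads the Client_IP factor.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From App Server',
    rule_expr => 'DVF.F$CLIENT_IP = ''192.0.2.15''');

  -- 2. A rule set groups rules; EVAL_ALL means every rule must be TRUE.
  --    FAIL_SHOW returns the message and code below to the blocked session,
  --    and AUDIT_FAIL writes an audit record for each failure.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Maintenance From App Server',
    description     => 'Destructive maintenance only from the application server',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'TRUNCATE TABLE is allowed only from the application server',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Maintenance From App Server',
    rule_name     => 'From App Server');

  -- 3. Bind the rule set to the command for every table owned by APP_HR.
  --    A stolen DBA password is not enough: the session must also come from
  --    the expected address, which is the multi-factor authorization the text describes.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'TRUNCATE TABLE',
    rule_set_name => 'Maintenance From App Server',
    object_owner  => 'APP_HR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Review the command rules currently in force.
SELECT * FROM DVSYS.DBA_DV_COMMAND_RULE;
```

A rule set evaluates as the statement is issued, so the check cannot be bypassed by running the command from a different tool; to cover the CREATE USER and CREATE TABLE cases the same paragraph mentions, create further command rules with the same rule set and the matching command name.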

DB Vault Configuration Advice

Advice 1: The relevant line in /var/opt/oracle/oratab must contain the correct $ORACLE_HOME. Otherwise the Configure Option button will be greyed out when dbca is run.

Advice 2: PASSWORD_VERIFY_FUNCTION in the default profile must be NULL. Otherwise error ORA-29504 will appear. Solution: Doc ID 1509963.1

Advice 3: Error ORA-29504 may appear in about 85 percent of configurations done with DBCA. This error can be ignored in 11g; it appears to have been fixed in 12c. For the solution, see Doc ID 1509963.1.

Checking the DB Vault Option

To check it, connect with sqlplus as sysdba.

Connected to: Oracle Database 11g Enterprise Edition Release 11.2.0.3.0 - 64bit Production

The banner shows no text related to Vault. If it were configured, we would also see the text "With the Oracle Label Security, Oracle Database Vault options".

The view below can be used for an additional check.

SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

Oracle Database Vault ----- FALSE (that is, disabled)

Example:

Enabling the DB Vault Option for Oracle

STEP 1 - Shut down the relevant database

SQL> shutdown immediate

STEP 2 - Shut down dbconsole (Enterprise Manager), if any

$ emctl stop dbconsole

STEP 3 - Stop the listener

lsnrctl stop listener

STEP 4 - Enable the DB Vault option in the Oracle binary

cd $ORACLE_HOME/rdbms/lib

make -f ins_rdbms.mk dv_on lbac_on ioracle

COMMON NOTICE: When enabling an option in the Oracle binary, the chopt command may be used instead of make -f. Its configuration is described in the following link.

Example :

chopt enable lbac

Writing to /u01/app/oracle/product/11.2.0/dbhome_2/install/enable_lbac.log...
/usr/bin/make -f /u01/app/oracle/product/11.2.0/dbhome_2/rdbms/lib/ins_rdbms.mk lbac_on ORACLE_HOME=/u01/app/oracle/product/11.2.0/dbhome_2
/usr/bin/make -f /u01/app/oracle/product/11.2.0/dbhome_2/rdbms/lib/ins_rdbms.mk ioracle ORACLE_HOME=/u01/app/oracle/product/11.2.0/dbhome_2

chopt enable dv

Writing to /u01/app/oracle/product/11.2.0/dbhome_2/install/enable_dv.log...
/usr/bin/make -f /u01/app/oracle/product/11.2.0/dbhome_2/rdbms/lib/ins_rdbms.mk dv_on ORACLE_HOME=/u01/app/oracle/product/11.2.0/dbhome_2
/usr/bin/make -f /u01/app/oracle/product/11.2.0/dbhome_2/rdbms/lib/ins_rdbms.mk ioracle ORACLE_HOME=/u01/app/oracle/product/11.2.0/dbhome_2

STEP 5 - Start the database and the listener, then check whether DB Vault is enabled.

SQL> startup

SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';

Oracle Database Vault -- TRUE (that is, enabled)

When sqlplus is started again, "With the Oracle Label Security, Oracle Database Vault options" will appear in the banner.

Example

Database Vault appears as a selectable option when the Oracle database is configured. It can either be selected while Oracle is configured or activated after the Oracle instance has been configured. To activate it afterwards, run Database Configuration Assistant with the dbca command.

A user name and password are defined for the Database Vault Owner and, optionally, for the Account Manager (entering one is recommended).

After the configuration ends, open https://hostname (or host IP):port number/ in a browser to reach the Oracle Database Vault screen.

Database Vault Duty Separation

The separation-of-duties feature of Oracle Database Vault creates three distinct responsibilities: security administration on the database, account management and database administration.

The Security Administrator (Security Administration), the person responsible for security, is also the manager of Oracle Database Vault. He or she is responsible for all security operations in the database, can manage realms, command rules and factors and can run Database Vault reports, but cannot access the application data. The Account Manager (Account Management) can create, delete and change user accounts. The Database Administrator (Database Administration) performs DBA functions such as backup and restore, patch application and performance management.


Source : Oracle® Database Vault Administrator's Guide 11g Release 2 (11.2) http://docs.oracle.com/cd/E11882_01/server.112/e23090/dvdisabl.htm#BAJJCDGD