Oracle’s database vault functionality is a part of Oracle Database security framework and share space with label security, data masking, auditing etc. Before delving into the details, let me quick explain why it’s so important to have such security framework in the system.
Oracle DBAs generally have a full database access through ‘DBA’ role, which has powerful privileges like ‘select any table’ and ‘drop any table’. Everyone is fallible to some degree and so the DBAs. What if a DBA accidently drops a production table? On the other hand, DBA don’t need to have access to sensitive tables for example payroll, HR related. As databases are growing more and more valuable, database security is at the top of the minds of IT heads. Nowadays, securing database from outside world (through firewall etc) is not sufficient as insider theft and hacking from inside firewall are major areas of concern. Also, regulatory compliances (PCI, SOX,HIPAA) are driving the need to have a security framework.
I used to work for a telecom organization where a DBA accidently dropped all major production tables (cloning script mistakenly executed on production database which included popular drop table X, create table X statements). You can imagine the impact of that. To avoid such incidents in future, in Oracle 9i we had developed a framework. It had a table with columns like username, corresponding privileges, machine name, start time, end time, IP address etc. Now for every drop table like statements, a trigger first scans the table and if user doesn’t has privilege, command gets failed. A sample table entry can be, username=system, privilege=drop table, object, schema=hr, start time=, end time=, machine name=. The framework was being managed by non-DBA administrator (security admin) through a front-end and sql commands. The point to note is, it built a clear separation of duties which is the very essence of a security design.
The framework we had in-built in 9i is now part of Oracle database and known as database vault, though it’s more efficient and manageable as it’s a part of Oracle kernel itself. In this and coming posts, I am going to explore database vault.
At the very basic level, database vault restricts access to specific areas in an Oracle database from any users, including privileged users like DBAs. This provides separation of duties, only HR schema administrator is able to execute any DDL, DML queries in HR schema, thus highly secured database system.
Just to summarize, with Oracle Database Vault, you can address the most difficult security problems remaining today: protecting against insider threats, meeting regulatory compliance requirements, and enforcing separation of duty.
In my next post, I will explain components of database vault and a quick demo on how it works.