Neeraj Bhatia's Blog

October 1, 2010

Oracle Database Vault (Part-1 Introduction)

Filed under: Database Security — neerajbhatia @ 23:09

Oracle's Database Vault functionality is part of the Oracle Database security framework and shares space with Label Security, Data Masking, auditing and so on. Before delving into the details, let me quickly explain why it is so important to have such a security framework in the system.

Oracle DBAs generally have full database access through the 'DBA' role, which carries powerful privileges such as 'select any table' and 'drop any table'. Everyone is fallible to some degree, and so are DBAs. What if a DBA accidentally drops a production table? On the other hand, a DBA does not need access to sensitive tables, for example payroll or HR-related data. As databases grow more and more valuable, database security is at the top of the minds of IT heads. Nowadays, securing the database from the outside world (through firewalls etc.) is not sufficient, as insider theft and hacking from inside the firewall are major areas of concern. Regulatory compliance requirements (PCI, SOX, HIPAA) are also driving the need for a security framework.

I used to work for a telecom organization where a DBA accidentally dropped all major production tables (a cloning script was mistakenly executed on the production database, and it included the usual drop table X, create table X statements). You can imagine the impact of that. To avoid such incidents in future, in Oracle 9i we developed a framework. It had a table with columns like username, corresponding privilege, machine name, start time, end time, IP address etc. For every drop table-like statement, a trigger first scans the table and, if the user doesn't have the privilege, the command fails. A sample table entry can be: username=system, privilege=drop table, object, schema=hr, start time=, end time=, machine name=. The framework was managed by a non-DBA administrator (security admin) through a front-end and SQL commands. The point to note is that it built a clear separation of duties, which is the very essence of a security design.
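As an added illustration of the design described above, here is a reconstruction in Oracle SQL and PL/SQL of an "authorization table plus DDL trigger" guard. It is not the original 9i framework from the post; the schema name `SECADM`, the table and trigger names, and the sample row are all assumptions. The `ORA_*` event attribute functions and `SYS_CONTEXT('USERENV', ...)` are standard Oracle calls.

```sql
-- Added example (not the post's original 9i code). SECADM is an assumed security-admin
-- schema; it, not a DBA account, owns the table and the trigger (separation of duties).
CREATE TABLE secadm.ddl_authorization (
  username     VARCHAR2(30) NOT NULL,              -- database user allowed to run the command
  privilege    VARCHAR2(30) NOT NULL,              -- e.g. 'DROP TABLE'
  schema_name  VARCHAR2(30) NOT NULL,              -- owner of the object, or '%' for any
  object_name  VARCHAR2(30) DEFAULT '%' NOT NULL,  -- LIKE pattern, '%' = any object
  machine_name VARCHAR2(64) DEFAULT '%' NOT NULL,  -- client host, '%' = any
  ip_address   VARCHAR2(45) DEFAULT '%' NOT NULL,  -- client IP, '%' = any
  start_time   DATE         NOT NULL,              -- change window during which the row is valid
  end_time     DATE         NOT NULL
);

-- Constructed sample entry, mirroring the one in the post: SYSTEM may drop tables in HR
-- from one named host during a single change window.
INSERT INTO secadm.ddl_authorization
  (username, privilege, schema_name, object_name, machine_name, ip_address, start_time, end_time)
VALUES
  ('SYSTEM', 'DROP TABLE', 'HR', '%', 'dbhost01', '%',
   TO_DATE('2010-10-01 22:00', 'YYYY-MM-DD HH24:MI'),
   TO_DATE('2010-10-01 23:59', 'YYYY-MM-DD HH24:MI'));

-- Database-level DDL trigger: fires before every DROP statement in the database.
-- Creating it requires the ADMINISTER DATABASE TRIGGER privilege.
CREATE OR REPLACE TRIGGER secadm.trg_guard_drop
  BEFORE DROP ON DATABASE
DECLARE
  v_priv  VARCHAR2(30) := ora_sysevent || ' ' || ora_dict_obj_type;  -- e.g. 'DROP TABLE'
  v_count PLS_INTEGER;
BEGIN
  -- Only tables are guarded here; other object types pass through unchanged.
  IF ora_dict_obj_type <> 'TABLE' THEN
    RETURN;
  END IF;

  -- Look for a row that authorises this user, command, object, client and time window.
  -- IP_ADDRESS is NULL for local (bequeath) sessions, hence the NVL.
  SELECT COUNT(*)
    INTO v_count
    FROM secadm.ddl_authorization a
   WHERE a.username  = ora_login_user
     AND a.privilege = v_priv
     AND ora_dict_obj_owner LIKE a.schema_name
     AND ora_dict_obj_name  LIKE a.object_name
     AND NVL(SYS_CONTEXT('USERENV', 'HOST'), '?')       LIKE a.machine_name
     AND NVL(SYS_CONTEXT('USERENV', 'IP_ADDRESS'), '?') LIKE a.ip_address
     AND SYSDATE BETWEEN a.start_time AND a.end_time;

  -- Fail closed: with no matching row the DDL is rejected, DBA role or not.
  IF v_count = 0 THEN
    RAISE_APPLICATION_ERROR(-20001,
      'Security framework: ' || ora_login_user || ' is not authorised to ' || v_priv ||
      ' ' || ora_dict_obj_owner || '.' || ora_dict_obj_name);
  END IF;
END;
/
```

The weak point of this home-grown approach is that it lives above the kernel: anyone holding `ALTER ANY TRIGGER` or `DROP ANY TRIGGER` (the DBA role does) can disable or drop the guard, and anyone with `DROP ANY TABLE` can drop the authorization table itself. Auditing those statements narrows the gap, but it is exactly this limitation that makes a kernel-enforced mechanism such as Database Vault preferable.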

The framework we built in 9i is now part of the Oracle database and known as Database Vault, though it is far more efficient and manageable because it is part of the Oracle kernel itself. In this and the coming posts, I am going to explore Database Vault.

At the most basic level, Database Vault restricts access to specific areas of an Oracle database from any user, including privileged users like DBAs. This provides separation of duties: only the HR schema administrator is able to execute DDL and DML in the HR schema, which gives a highly secured database system.
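An added example, not part of this post, of what "restricting an area of the database" looks like in practice: a Database Vault realm placed around the HR schema. It is run as the Database Vault owner account; the realm name and the `HR_ADMIN` account are assumptions, while `DBMS_MACADM`, `DBMS_MACUTL` and `DBA_DV_REALM` are Oracle's own Database Vault interfaces.

```sql
-- Added example (not from the post). Run as the Database Vault owner account.
-- 'HR Data Realm' and HR_ADMIN are assumed names.
BEGIN
  -- 1. Define the realm; audit failed attempts so that blocked DBA access is visible.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Payroll and HR tables: not accessible to DBAs',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Put every object owned by HR inside the realm ('%' = all names, all object types).
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- 3. Authorise only the HR schema administrator as realm owner, so it may run DDL and
  --    DML on HR objects. Everyone else, SYSTEM and DBA-role users included, is blocked
  --    even though their system privileges (DROP ANY TABLE, SELECT ANY TABLE) would
  --    otherwise allow the statement. A realm never grants privileges; the grantee still
  --    needs its ordinary object or system privileges on HR.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Data Realm',
    grantee       => 'HR_ADMIN',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Check that the realm exists and is enabled.
SELECT name, enabled
  FROM dvsys.dba_dv_realm
 WHERE name = 'HR Data Realm';

-- Expected behaviour once the realm is enabled, connected as SYSTEM (holds DROP ANY TABLE):
--   DROP TABLE hr.employees;
-- is rejected with ORA-47401: Realm violation for DROP TABLE on HR.EMPLOYEES,
-- and the failed attempt is written to the Database Vault audit trail.
```

Note that the realm is enforced inside the kernel for every session, so the DBA cannot simply disable a trigger to get around it; the Database Vault owner and the DBA are separate roles, which is the separation of duties the post is describing.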

Just to summarize, with Oracle Database Vault, you can address the most difficult security problems remaining today: protecting against insider threats, meeting regulatory compliance requirements, and enforcing separation of duty.

In my next post, I will explain components of database vault and a quick demo on how it works.


1 Comment »

  1. The security aspect which has been explained here could be done the same way by creating views and assigning them to the user group.
    The vault comes into the picture when the data which is encrypted need not be accessed even if you have DBA-level privilege.
    Even if the Oracle is open at the database level, the vault system should be enabled so the required user which has the key could access the data.

    Comment by Ravi — July 1, 2016 @ 11:46 | Reply
