
10th August 2010
Xynomix examines how Oracle’s Database Vault and Audit Vault products tackle issues of internal data security and compliance.
The following article can be found in issue 11 of ‘Oracle One’ magazine.
Is Auditing Enough?
As with most security issues, whether or not monitoring and change tracking are adequate prevention mechanisms against the prohibited access of sensitive data is up for debate. For some organisations, a verbal request for DBAs to avoid accessing certain data tables followed by change tracking is enough.
However, in an increasingly security-conscious climate, many organisations are looking to implement a greater degree of security control for two key reasons:
Invest in Internal System Security
Oracle’s Database Vault and Audit Vault products provide a double layer of internal system security. At the database level, Database Vault gives senior IT personnel the power to lock down privileged users and manage security from outside the database.
Built on top of Database Vault, the Audit Vault application layer pulls data from multiple database systems into a centralised audit warehouse, at which point Audit Vault’s in-built reporting and alerting functionality can be utilised.
Meet Security and Compliance Challenges
Many businesses are under increased pressure to align security policies with strict Sarbanes-Oxley, PCI DSS, HIPAA and GLBA regulations. These regulations champion a separation-of-duties and user monitoring approach to security, but the high administrative workloads and costs associated with compliance are usually prohibitive for IT managers on tight budgets. In most cases, DBAs are left with the privileges to access and change data table structures and data content at will, with little consequence if changes are not effectively tracked and regularly audited.
Lock Down Privileges
Having recognised the security challenges presented to IT managers – to mitigate security risks and accomplish regulation compliance with limited administrative and financial resources – Oracle have delivered Oracle Database Vault as part of the Oracle Database 9i, 10g and 11g product families. At its core, this product is designed to secure existing database environments transparently, allowing security personnel to achieve true separation-of-duties and employee accountability for data security without consuming valuable resources.
In a nutshell, rule sets based on multi-factor policies such as IP connection origin, user or time of day can be used to develop realms, command rules and secure application roles that give security administrators granular control over all individual user privileges within an organisation.
It is worth noting that Database Vault is pre-loaded with a series of tamper-proof realms that control which users can create and manage database accounts. They also protect the Database Vault schemas themselves, the Oracle catalogue (the SYS and SYSTEM schemas), SYSMAN, DBSNMP, and application tables and structures. As can be expected from a security tool, Database Vault itself is very secure.
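As an added illustration of the realm, rule set and command rule mechanism described above (example code written for this article's editing, not taken from the original piece or from Oracle's documentation), the following PL/SQL block protects a hypothetical HR.PAYROLL table so that only an assumed PAYROLL_ADMIN user can reach it, and only during office hours from an assumed 10.0.5.x subnet. It assumes it is run as the Database Vault owner account, and uses the standard DBMS_MACADM and DBMS_MACUTL packages that ship with Database Vault.

```sql
-- Constructed example: run as the Database Vault owner account. The HR.PAYROLL
-- table, the 10.0.5.x subnet and the PAYROLL_ADMIN user are hypothetical.
BEGIN
  -- 1. A realm fences off the payroll table from everyone, including users
  --    holding SELECT ANY TABLE or DBA, and audits failed access attempts.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Payroll Realm',
    description   => 'Protects HR.PAYROLL from privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name => 'HR Payroll Realm', object_owner => 'HR',
    object_name => 'PAYROLL', object_type => 'TABLE');
  -- 2. Factor-based rules: connection origin and time of day.
  --    DVF.F$CLIENT_IP is one of Database Vault's default factors.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From Payroll Subnet',
    rule_expr => q'[DVF.F$CLIENT_IP LIKE '10.0.5.%']');
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Office Hours',
    rule_expr => q'[TO_CHAR(SYSDATE, 'HH24') BETWEEN '08' AND '18']');
  -- 3. A rule set that requires every rule to pass and audits failures.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Payroll Access Window',
    description     => 'Office hours from the payroll subnet only',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Payroll access outside the policy window',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Payroll Access Window', 'From Payroll Subnet');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('Payroll Access Window', 'Office Hours');
  -- 4. Only PAYROLL_ADMIN may enter the realm, and only while the rule set
  --    evaluates true; a DBA connecting from elsewhere is blocked and audited.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Payroll Realm',
    grantee       => 'PAYROLL_ADMIN',
    rule_set_name => 'Payroll Access Window',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
  -- 5. A command rule puts ALTER TABLE on HR.PAYROLL under the same window,
  --    so structural changes are governed by the same factors as data access.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command => 'ALTER TABLE', rule_set_name => 'Payroll Access Window',
    object_owner => 'HR', object_name => 'PAYROLL', enabled => DBMS_MACUTL.G_YES);
END;
/
```

Because the realm audits failures, an out-of-hours SELECT by a DBA shows up in the Database Vault audit trail rather than silently succeeding, which is exactly the record Audit Vault later collects and alerts on.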
Produce Security Reports
For larger organisations in particular, monitoring the effects of implemented security measures can present quite a challenge. Database Vault reporting features tackle security monitoring through simplified audit reporting functions that allow security personnel to continually review security configurations:
Gain Complete Visibility of Audit Data
Storing audit data within database tables or OS files is secure as far as it goes, but in most cases data security and compliance fall under the remit of the DBAs working on individual database instances. This can compromise data security for a number of reasons, not least that the integrity of the entire organisation’s data security policies rests on the shoulders of a handful of employees.
Database Vault certainly deals with internal security through the management of individual privileges, the delivery of incisive audit reports and the removal of database security ownership from the DBA. However, the issue remains that audit information is still specific to each database. It is therefore difficult to pull together a comprehensive overview of security procedures and their effects across the organisation.
Audit Vault solves this through the consolidation of automated audit data that is drawn from separate databases into a secure and centralised warehouse. When the Audit Vault warehouse is populated, data can be accessed through the Audit Vault console and alerting, security, reporting and monitoring features can be applied.
Centralised Policy Management
Policy management on an organisational scale is typically viewed as an administrative headache and resource vacuum. Audit Vault challenges this notion by giving senior security administrators the knowledge and control required to enforce privacy policies and, through the Audit Vault console, identify internal threats to their enforcement. The cost and effort required to accurately monitor audit information across all database systems is significantly reduced, and data can be extracted from one source as proof of regulatory compliance.
Instant Threat Detection
For internal security, the speed of threat detection is paramount. Regular examination and analysis of audit data can significantly reduce the risks of internal security violations: unauthorised activity can be identified and restricted quickly with minimal impact on the organisation.
With Audit Vault, conditions can be set up to record actions and automatically fire an alert when Audit Vault Collectors transfer data containing activities that violate security and governance policies. Issues can be detected and investigated in near real time.
Summary
Oracle’s Database Vault and Audit Vault products make it possible to: