How to protect your sensitive data using oracle database vault / Creating and Testing realms part 2
Download as DOCX, PDF0 likes496 views
Oracle Database Vault allows companies to better protect sensitive data by creating dedicated security accounts, enforcing controls over data access, and separating administration duties. It prevents privileged users like DBAs from accessing application data through realms, command rules, and factors like IP address. During setup of an HR Data Realm, the assistant ensured high-privileged users could still administer the database but not access HR data, and defined controls for what privileged and non-privileged users could do within the realm-protected objects. Realms therefore help secure existing databases against insider threats from stolen privileged credentials.
How to protect your sensitive data using oracle database vault / Creating and Testing realms part 2
- 1. 1 How to protect your sensitive data using Oracle Database Vault / Creating and Testing Realms Part II Any measures that should be taken for data security purposes should also beconsidered atthe databaselevel, similar to hardware,network and operation system levels. Generally,companies buy a firewall productand think that they have already solved the problems related to security. Researches show that despite it is possibleto take measures againstexternal attacks by the firewall products,no sufficientmeasures may be taken againstinternal attacks.In particular,no action related to protection of the data is executed on the server where the database operates. Taking into account that a user havingDBA authority will haveall typeauthority atthe databaseand may perform the same operations even when s/he gets connected from other computers, possiblesecurity gaps should be considered.Access of a databaseadmin to every data is as disadvantageous as him/her to connect from other computers and perform the same operations,and is even a security gap. OracleDatabaseVault,which is one of the security solutions of OracleDatabase,may be recommended as an application which may assistin solvingof the abovementioned problems. With the increased sophistication of attacks on data, the need to put more operational controls on the databaseis greater than ever. Given the fact that most customers have a small number of DBAs to manage their databases,it is very importantto keep databasesecurity related tasks separatein their own dedicated databaseaccounts. Creating dedicated databaseaccounts to manage databasesecurity helps customers prevent privileged DBA accounts from accessingapplication data,restricts ad hoc databasechanges,and enforces controls over how, when and where application data can beaccessed.OracleDatabaseVaultprovides security benefits to customers even when they have a singleDBA by: Preventing hackers from usingprivileged users’accounts to steal application data Protecting databasestructures from unauthorized and/or harmful changes Enforcingcontrols over how, when and where application data can beaccessed Securingexistingdatabaseenvironments transparently and without any application changes Among the more common auditfindings areunauthorized changes to databaseentitlements, includinggrants of the DBA role, as well as new accounts and databaseobjects.Preventing unauthorized changes to production environments is importantnot only for security,but also for complianceas such changes can weaken security and open doors to hackers,violatingprivacy and complianceregulations.OracleDatabaseVaultSQL Command Controls allow customers to control operations insidethedatabase,includingcommands such as createtable, truncate table, and create user. Various out-of-the-box factors such as IP address,authentication method, and program name help implement multi-factor authorization to deter attacks leveragingstolen passwords.These controls prevent accidental configuration changes and also preventhackers and malicious insiders fromtampering with applications.TheDuty Separation feature of OracleDatabaseVaultwill createthree different responsibilities such as the security administration on the database,the accountmanagement and the databaseadministration. The Security Administrator (Security Administration),the responsibleperson for Security is also themanager of the OracleDatabaseVault.S/he is responsiblefor all security operations atthe database.S/he may manage Realms, command rules and factors and may operate DatabaseVault report, while s/he may not get access to the application data. The Account Manager (Account Management) may create, delete and change user accounts. And the DatabaseAdministrator (DatabaseAdministration) hasdba functions such as backup/restoration,patch application and performancemanagement.
- 2. 2 Oraclecustomers today still havehundreds and even thousands of databases distributed throughout the enterprise and around the world.However, databaseconsolidation will continueas a cost-savingstrategy in the coming years.The physical security provided by the distributed databasearchitecturemust be availablein the consolidated environment. OracleDatabaseVaultaddresses the primary security concerns of database consolidation. First,it's importantto understand the basic architectureof the application you wish to protect. For example, are the objects associated with the application spread acrossmultipledatabaseschemas or arethey contained in a singledatabaseschema? This analysisshould includeall objects related to application data includingtables,views, materialized views,and stored procedures.Identify the programs,processes,middle tier connections,database users,and application administratorsthatinteractwith the application objects.Oncethis information is obtained, the OracleDatabaseRealmdefinitions can becreated and you can authorize who should be ableto access application data.Application end users typically accessapplication data through the middle tier. Some legacy applicationsmay still usethe clientserver architecturewhere end users havetheir own accountin the database. More sophisticated applicationsmay have application specific processes thatrun on the server hostingthe Oracle Database. Along this review document, we used the databaseVault Administrator (DVA) consoleto administrateOracle DatabaseVault. UsingDVA, we created an HR Data Realm to protect human resources data. In order to set up this realmwith DVA we should firstly click Realms,then click Create, and then namingand defining the realmHR Data Realm.
- 3. 3 Duringthe setup procedure, one of the main objective was to ensure that the users with the high privileges was not ableto access HR data but could still administer the databasecontainingthe HR Data Realm. . Once the realm was named and enabled, we selected Audit on failurein order to send a notification if rules areviolated.These are referred to as Realm Secured Objects. For each object in realmowner, object type and name need to be specified. In this case,we used the wildcard (%) option to identify all objects owned by the HR user. In this point of setup procedure, the next step was to determine controls of privileged user,such as System, when the user accesses objects in the realm.In this case, the goal is whenever System user or other privileged user attempt to query HR object resultin message should be likeSystem had insufficientprivileges or this object. Similarly,SYSTEM could not be ableto create objects in the HR Data Realm, and Oracle DatabaseVaultreturned a violation notification. We also run queries as the HR user to define what owner of the object could do when a Secured Realm existed for the object they owned. And also we ensure that no specific privileges had been granted within OracleDatabase
- 4. 4 Vault to HR atthis point. By default, the owner of the object could only be apply Data Manipulation language (DML) queries. Data Definition Language (DDL) could not be issued atthis point. Some employees will need authorization to modify the databaseas businessneeds dictate. After runningthe test above, the user,HR, was added to HR Data Realm usingrealmauthorizations. Once authorized, this user could issueany statement chosen, includingDDL and DML statements. Thus privileged databaseaccounts areone of the most commonly used pathways for gainingaccess to sensitive applicationsdata in the database.Whiletheir broad and unrestricted access facilitates databasemaintenance,the same access also creates a pointof attack for gainingaccess to largeamounts of data.OracleDatabaseVault Realms around application schemas,sensitivetables and stored procedures providecontrols to prevent privileged accounts from being exploited by hackers and insiders to access sensiti veapplication data. Source : Oracle® Database Vault Administrator's Guide 11gRelease 2 (11.2) https://docs.oracle.com/cd/B28359_01/server.111/b31222/dvintro.htm#DVADM001