Oracle Data Vault - Secure the "castle"
By Pankaj on Dec 06, 2006
Security is one of the major concerns for today's IT organizations, and it is driven largely by two issues: first, how to protect against insider attacks, and second, how to put controls in place for compliance regimes such as HIPAA.
Oracle 10g Database Vault gives customers the option to address most of these security issues, protecting against insider threats and also meeting regulatory compliance requirements.
Data Vault Architecture & Components
Database Vault is built into the kernel of the database and cannot be breached by the DBA. It consists of a number of components that form the whole product. It is also integrated with Oracle Label Security and Virtual Private Database, extending the protection those products offer.
It addresses these security concerns through realms of responsibility and pre-defined reports. Realms allow companies to set up virtual fences around segments of the database, such as all the data belonging to HR. These realms are enforced at the very core of the database, so a highly privileged user of an HR system cannot bypass the application, go directly to the database and access information they are not authorized for. Another application of realms will be database consolidation: companies are looking to reduce the costs associated with multiple databases, but because current database functionality lacks this kind of separation, most run the HR database on an instance separate from the Finance database. With realms of responsibility in place, cost savings can be achieved by running multiple applications on a single database.
Many pre-defined reports also ship with Data Vault. They help companies provide audit trails of who has had access to what, and ensure that the activity of the most highly privileged users is tracked. No single person can turn off the auditing, whereas before the DBA could do it.
Components of Data Vault:
- DVA (Data Vault Administrator)
- DVSYS & DVF schemas
- DVCA (Configuration Assistant)
- PL/SQL interface
- Policy manager, label security
- Access control components
The access control components introduce new and very powerful security concepts:
- Realms make it easy to restrict users with powerful DBA privileges to specified application schemas (separation of duty); e.g. it is easy to create an HR DBA or a Financials DBA
- Factors extend access control beyond user- and role-based access; e.g. IP address
- Rules control database access based on factors in the environment; e.g. control access based on time of day, IP address, location
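As an added example, not taken from the original post or from Oracle's documentation, here is what a realm around the HR schema, a rule built on the Client_IP factor, and the rule set that ties them together look like through the DBMS_MACADM PL/SQL interface. The schema name HR, the HR_DBA account, the 10.10.0.0/16 address range and all realm, rule and rule-set names are my own assumptions for illustration; the procedure names and DBMS_MACUTL constants are as I recall them from the 10gR2 Database Vault administrator's guide, so check the parameter lists against the guide for your release.

```sql
-- Added example (not from the original post): fence the HR schema with a realm
-- and allow the HR DBA to administer it only from the corporate network.
-- Run as the Database Vault owner account that was created at install time.
-- HR, HR_DBA, the 10.10.x.x range and all names below are assumptions.

BEGIN
  -- 1. Realm: a fence around every object owned by HR.
  --    Audit failed attempts so the pre-defined reports show who tried.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects all HR application objects',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- '%' wildcards cover all objects of all types in the HR schema.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- 2. Rule on the built-in Client_IP factor (exposed as DVF.F$CLIENT_IP):
  --    true only when the session comes from the constructed 10.10.x.x range.
  --    SUBSTR avoids a LIKE prefix match that would also accept 10.100.x.x.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From Corporate Network',
    rule_expr => 'SUBSTR(DVF.F$CLIENT_IP, 1, 6) = ''10.10.''');

  -- 3. Rule set that evaluates the rule, audits failures and returns a
  --    clear error to the caller instead of a silent denial.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR Access Conditions',
    description     => 'HR realm may be administered only from the corporate network',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'HR data may only be administered from the corporate network',
    fail_code       => -20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'HR Access Conditions',
    rule_name     => 'From Corporate Network');

  -- 4. Authorize HR_DBA (an account created for separation of duty) as realm
  --    owner, but only while the rule set evaluates to true. Accounts that are
  --    not authorized here, SYS included, are stopped by the realm.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR_DBA',
    rule_set_name => 'HR Access Conditions',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/

-- Confirm the realm is in place and enabled.
SELECT name, enabled FROM DVSYS.DBA_DV_REALM WHERE name = 'HR Realm';
```

Once this is in place, a DBA-privileged account that is not listed as a realm participant or owner gets ORA-01031 (insufficient privileges) on HR objects even though its system privileges would normally allow the access, and the failed attempt lands in the realm audit trail that the pre-defined reports read. Keeping the network restriction in a separate rule set rather than hard-coding it into the realm makes it reusable for the Financials realm as well.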
Installation & Configuration:
Oracle Data Vault has been released for the 10gR2 (10.2.0.2) release of the database on Linux x86 and Solaris (SPARC) 64-bit.
What you require before starting the Data Vault installation:
- 10.2.0.2 DB version (if you are on 10gR1, you have to upgrade, but before doing the upgrade install OLS on 10gR1, as it is a pre-requisite)
- OLS (Oracle Label Security), also on 10.2.0.2 (this is an additional requirement)
- EM 10g
- Please check the latest install doc for updates.
- The installation will ask you to create new accounts for the DV manager and DV owner (it is very important to remember these, as only these accounts will let you access your DB after the install)
Installation Steps (assuming 10gR1, single instance):
1. Install OLS
   ./runInstaller -> Custom Install -> Oracle Label Security -> Install
2. Configure the DB to run with OLS
   ./dbca -> Configure DB -> Add OLS schema -> Finish
3. Upgrade to 10gR2 10.2.0.2
   ./runInstaller -> Select OH -> Patch
4. Install Data Vault
   ./runInstaller -> Select OH -> User/Pass for DV owner -> User/Pass for SYS of current DB -> Finish -> Install & Configure DVCA
This will install Data Vault on top of your existing database, but after the install you should do a couple of post-install steps:
1. Unlock the accounts that you want to use by accessing the database with the DV owner user/pass.
2. If you want SYSDBA access, you have to recreate the password file with orapwd, using the options that Data Vault recognizes:
E.g.: orapwd file=$ORACLE_HOME/dbs/orapworcl password=5hjk99 force=y nosysdba=n
The file name is orapw$SID.
nosysdba=n is the default, which enables SYSDBA access; if you want to disable the access, just change this to y.
The Data Vault installation will change a couple of initialization parameters for security reasons; these are:
REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE (the default)
AUDIT_SYS_OPERATIONS = TRUE
REMOTE_OS_AUTHENT = FALSE
REMOTE_OS_ROLES = FALSE
OS_ROLES = FALSE
OS_AUTHENT_PREFIX = ''
SQL92_SECURITY = TRUE
O7_DICTIONARY_ACCESSIBILITY = FALSE
You are all set to go and access Data Vault in EM.
Other reading: OTN and OBE have good resources available on Data Vault.
B25165-01 - install guide