Oracle Database Vault - Secure the "castle"

Security is one of the major concerns for today's IT organizations, and it is driven largely by two questions: how do you protect against insider attacks, and how do you put controls in place for compliance regimes such as HIPAA?

Oracle Database Vault, available for Oracle Database 10g Release 2, gives customers a way to address both: it protects data from insider threats, privileged database accounts included, and it helps meet regulatory compliance requirements.

Database Vault Architecture & Components

Database Vault is enforced inside the database kernel, so a DBA cannot bypass it by connecting directly with system privileges. It consists of a number of components that together form the product, and it is integrated with Oracle Label Security and Virtual Private Database, extending the protection those products offer.

It addresses these concerns through realms of responsibility and a set of pre-defined reports. Realms let a company set up virtual fences around segments of the database, such as all the data belonging to HR. Because realms are enforced in the kernel, a highly privileged user of the HR system cannot bypass the application, go directly to the database and read data they are not authorized for. A second application of realms is database consolidation. Today most companies run the HR database on a separate instance from the Finance database because the database itself offers no way to keep the two sets of administrators out of each other's data; with realms of responsibility, multiple applications can run on a single database and the cost of maintaining separate instances goes away.

Database Vault also ships with many pre-defined reports that give companies an audit trail of who has had access to what, and ensure that the activity of the most highly privileged users is tracked. Where previously a DBA could simply switch auditing off, now no single person can turn it off.

Components of Database Vault:

  • DVA: Database Vault Administrator, the web console
  • DVSYS and DVF schemas: DVSYS holds the policy metadata and administration packages, DVF holds the generated factor functions (DVF.F$<factor name>)
  • DVCA: Database Vault Configuration Assistant
  • PL/SQL interface (the DBMS_MACADM and DBMS_MACUTL packages)
  • Policy manager and Label Security integration
  • Access control components

The access control components are the new and very powerful security concepts:

  • Realms make it easy to restrict users with powerful DBA privileges to specified application schemas, which gives separation of duty; for example, it becomes easy to create an HR DBA or a Financials DBA who can administer only that application's data.

  • Factors extend access control beyond user- and role-based decisions by making attributes of the session, such as the client IP address, available to the policy.

  • Rules control database access based on factors in the environment; for example, access can be restricted by time of day, IP address or location.
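As an added example (not code from the original post, nor Oracle's own documentation), here is how the three components above fit together when scripted through the DBMS_MACADM PL/SQL interface instead of clicked through DVA. It assumes an application schema HR, a named administrator account HR_DBA and an office subnet 10.1.0.x, none of which appear in the post; the DBMS_MACADM parameter names are taken from the 10gR2 API and should be verified against the Database Vault Administrator's Guide for the release in use.

```sql
-- Added example, not from the original post.  Run as the Database Vault owner.
-- Assumed names: schema HR, DBA account HR_DBA, office subnet 10.1.0.x.
-- DBMS_MACADM parameter names: verify against the DV Administrator's Guide.

-- 1. Realm: the fence around HR.  System privileges such as SELECT ANY TABLE
--    no longer reach realm objects; an unauthorized SYS or DBA gets ORA-01031.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Protects the HR application schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- log every blocked access
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => '%',    -- all objects ...
    object_type  => '%');   -- ... of all types
END;
/

-- 2. Factor: a named session attribute that rules can test.  Database Vault
--    already ships a Client_IP factor; this one derives the /24 prefix from the
--    client address and is exposed to SQL as DVF.F$OFFICE_NET.
BEGIN
  DBMS_MACADM.CREATE_FACTOR(
    factor_name      => 'Office_Net',
    factor_type_name => 'Network',
    description      => 'Client IP address truncated to its first three octets',
    rule_set_name    => NULL,
    get_expr         => 'SUBSTR(SYS_CONTEXT(''USERENV'',''IP_ADDRESS''), 1, ' ||
                        'INSTR(SYS_CONTEXT(''USERENV'',''IP_ADDRESS''), ''.'', 1, 3))',
    validate_expr    => NULL,
    identify_by      => DBMS_MACUTL.G_IDENTIFY_BY_METHOD,
    labeled_by       => DBMS_MACUTL.G_LABELED_BY_SELF,
    eval_options     => DBMS_MACUTL.G_EVAL_ON_SESSION,
    audit_options    => DBMS_MACUTL.G_AUDIT_OFF,
    fail_options     => DBMS_MACUTL.G_FAIL_SILENTLY);
END;
/

-- 3. Rules and rule set.  EVAL_ALL means every rule must be true.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From office network',
    rule_expr => 'DVF.F$OFFICE_NET = ''10.1.0.''');   -- NULL (local bequeath) fails too
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Business hours',
    rule_expr => 'TO_CHAR(SYSDATE, ''HH24'') BETWEEN ''08'' AND ''18''');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'HR admin window',
    description     => 'Office subnet during business hours',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'HR administration is allowed only from the office during business hours',
    fail_code       => '-20001',
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR admin window', 'From office network');
  DBMS_MACADM.ADD_RULE_TO_RULE_SET('HR admin window', 'Business hours');
END;
/

-- 4. Separation of duty: HR_DBA is the only account authorized in the realm,
--    and only while the rule set is true.  SYS, SYSTEM and other DBAs stay out.
--    A command rule puts the same gate on DROP TABLE in HR, so even an
--    authorized session cannot drop tables outside the window.
BEGIN
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Data Realm',
    grantee       => 'HR_DBA',
    rule_set_name => 'HR admin window',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DROP TABLE',
    rule_set_name => 'HR admin window',
    object_owner  => 'HR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Review the policy from the dictionary views, then test it: connect as SYSTEM
-- and run  SELECT COUNT(*) FROM hr.employees;  expected ORA-01031 and a failure
-- row in the DVA realm audit report.  HR_DBA from 10.1.0.x at 10:00 succeeds.
SELECT r.name AS realm, a.grantee, a.auth_rule_set_name
FROM   dvsys.dba_dv_realm r
JOIN   dvsys.dba_dv_realm_auth a ON a.realm_name = r.name;
```

The test at the end is the part worth keeping in a runbook: a realm that has not been exercised from an unauthorized DBA session is not known to work. Note that the factor returns NULL for local bequeath connections (no IP address in USERENV), so the rule fails closed for those rather than open.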

Installation & Configuration:

Oracle Database Vault has been released for the 10gR2 (10.2.0.2) release of the database on Linux x86 and Solaris (SPARC) 64-bit.

What you require before starting the Database Vault installation:

  1. Database version 10.2.0.2 (if you are on 10gR1 you have to upgrade, but install OLS on 10gR1 before upgrading, as it is a prerequisite)
  2. OLS (Oracle Label Security), also on 10.2.0.2; this is a separate, additional install
  3. Enterprise Manager 10g
  4. Check the latest install document for updates.
  5. The installation will ask you to create two new accounts, the Database Vault owner and the Database Vault account manager. Record these carefully: after the install, only these accounts can administer Database Vault and manage user accounts, so losing them locks you out of administering your own database.

Installation Steps (assuming 10gR1, single instance):

1.    Install OLS
      ./runInstaller -> Custom Install -> Oracle Label Security -> Install

2.    Configure the DB to run with OLS
      ./dbca -> Configure Database -> Add OLS schema -> Finish

3.    Upgrade to 10gR2 (10.2.0.2)
      ./runInstaller -> Select Oracle Home -> Patch

4.    Install Database Vault
      ./runInstaller -> Select Oracle Home -> User/password for DV owner -> User/password for SYS of the current DB -> Finish -> Install & Configure (DVCA runs)

This installs Database Vault on top of your existing database. After the install there are a couple of post-install steps:

1.    Unlock the accounts you want to use, connecting to the database with the DV owner user/password.
2.    If you want SYSDBA access, recreate the password file with orapwd, using the option that Database Vault recognizes:

E.g.: orapwd file=$ORACLE_HOME/dbs/orapworcl password=5hjk99 force=y nosysdba=n

Here:
    the file name is orapw$ORACLE_SID (orapworcl for the SID orcl);
    nosysdba=n is orapwd's default and enables SYSDBA connections through the password file. The Database Vault install creates the file with SYSDBA disabled, which is why SYSDBA logins stop working after the install; set nosysdba=y to disable them again.
    The password given on the command line ends up in the shell history and is visible in the process list while orapwd runs, so use a fresh password and clear the history entry afterwards.

The Database Vault installation also changes a couple of initialization parameters for security reasons. These are:
REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE (the default)
AUDIT_SYS_OPERATIONS = TRUE
REMOTE_OS_AUTHENT = FALSE
REMOTE_OS_ROLES = FALSE
OS_ROLES = FALSE
OS_AUTHENT_PREFIX = ''
SQL92_SECURITY = TRUE
O7_DICTIONARY_ACCESSIBILITY = FALSE
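The following check is an added example (not part of the original post) that a practitioner can run after the install to confirm the parameters above actually took effect and to see which accounts still hold SYSDBA or SYSOPER in the password file after the orapwd step. It needs only SELECT on V$PARAMETER and V$PWFILE_USERS; the parameter names and expected values are the ones listed above, and the string-indexed associative array requires PL/SQL 9iR2 or later.

```sql
-- Added example, not from the original post: post-install check of the
-- Database Vault hardening parameters and of the SYSDBA/SYSOPER grants in the
-- password file.  Expected values are the ones the install is documented to set.
SET SERVEROUTPUT ON          -- SQL*Plus directive so DBMS_OUTPUT is displayed
DECLARE
  TYPE t_expected IS TABLE OF VARCHAR2(30) INDEX BY VARCHAR2(40);
  l_expected t_expected;
  l_name     VARCHAR2(40);
  l_actual   VARCHAR2(4000);
  l_bad      PLS_INTEGER := 0;
BEGIN
  l_expected('remote_login_passwordfile')   := 'EXCLUSIVE';
  l_expected('audit_sys_operations')        := 'TRUE';
  l_expected('remote_os_authent')           := 'FALSE';
  l_expected('remote_os_roles')             := 'FALSE';
  l_expected('os_roles')                    := 'FALSE';
  l_expected('os_authent_prefix')           := '';       -- '' is NULL in Oracle
  l_expected('sql92_security')              := 'TRUE';
  l_expected('o7_dictionary_accessibility') := 'FALSE';

  -- Compare each parameter with the running value.  NVL maps NULL to a
  -- sentinel so that NULL versus NULL (os_authent_prefix) compares as equal.
  l_name := l_expected.FIRST;
  WHILE l_name IS NOT NULL LOOP
    SELECT UPPER(value) INTO l_actual FROM v$parameter WHERE name = l_name;
    IF NVL(l_actual, '<null>') <> NVL(l_expected(l_name), '<null>') THEN
      l_bad := l_bad + 1;
      DBMS_OUTPUT.PUT_LINE('MISMATCH ' || l_name || ': expected '
        || NVL(l_expected(l_name), '<null>') || ', got ' || NVL(l_actual, '<null>'));
    END IF;
    l_name := l_expected.NEXT(l_name);
  END LOOP;

  -- Who can connect AS SYSDBA / AS SYSOPER through the password file?
  -- Every entry printed here should be a deliberate decision taken in the
  -- orapwd step; anything unexpected means the old password file survived.
  FOR r IN (SELECT username, sysdba, sysoper FROM v$pwfile_users) LOOP
    DBMS_OUTPUT.PUT_LINE('password file: ' || r.username
      || ' SYSDBA=' || r.sysdba || ' SYSOPER=' || r.sysoper);
  END LOOP;

  IF l_bad > 0 THEN
    RAISE_APPLICATION_ERROR(-20002,
      l_bad || ' Database Vault parameter(s) differ from the expected values');
  END IF;
  DBMS_OUTPUT.PUT_LINE('All ' || l_expected.COUNT || ' parameters match.');
END;
/
```

Raising an error on mismatch rather than only printing makes the block usable from a scheduled sqlplus job with WHENEVER SQLERROR EXIT FAILURE, so drift in these parameters (for example someone setting O7_DICTIONARY_ACCESSIBILITY back to TRUE) shows up as a failed job instead of a line buried in output.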

You are all set to go: access Database Vault Administrator at
 http://localhost:1158/dva

Other reading: OTN and OBE have good resources available on Database Vault.

B25165-01: the install guide


Comments:

Panka, Great article. When will Data Vault be certified with R11i 11.5.10 CU2? Thank you, David Atkins

Posted by David Atkins on December 16, 2006 at 04:24 AM PST #

We are trying to implement multiple realms on Oracle Collaboration Suite. Apparently Oracle only supports multiple realms on Portal and not Collab. Is it possible to implement realms on OCS somehow?

Posted by Mike Doyle on August 28, 2007 at 12:46 PM PDT #

About

This blog is authored by Pankaj Chandiramani, Product Manager for Enterprise Manager. The main focus of the blog is Enterprise Manager 12c, with deep coverage of Database Lifecycle Management, which includes database provisioning, database patching, configuration, compliance, etc.
