Security and Compliance with Oracle Database 12c

Oracle Key Vault

Master Key in Vault – Transparent Data Encryption.

– Validate encryption keys

– Create encrypted tablespace

– Move data into encrypted tablespace

– Verify encryption

– Drop unencrypted tablespace without dropping the database files

– Securely delete the unencrypted database files at the OS level (a plain delete leaves the cleartext blocks recoverable)
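The six TDE steps above, worked through as one SQL sequence. This is an added example rather than code from the original notes or from Oracle: it assumes the keystore is already open with a master key served by Oracle Key Vault, that the unencrypted tablespace SALES_OLD holds the table SALES.ORDERS with index SALES.ORDERS_PK, and that the file paths shown exist (all of these names are constructed for the example).

```sql
-- Added example, not from the original notes. Assumes the keystore is already
-- open and holds a TDE master key served by Oracle Key Vault, that the
-- unencrypted tablespace SALES_OLD holds SALES.ORDERS with index SALES.ORDERS_PK,
-- and that the paths below exist (all names are constructed).

-- 1. Validate encryption keys: the keystore must be OPEN and a master key must exist.
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;
SELECT key_id, keystore_type, creation_time, activation_time FROM v$encryption_keys;

-- 2. Create an encrypted tablespace (AES-256). Encryption is fixed at creation
--    time; an existing tablespace cannot simply be switched to encrypted.
CREATE TABLESPACE sales_enc
  DATAFILE '/u01/app/oracle/oradata/ORCL/sales_enc01.dbf' SIZE 500M AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Move the data into it. A table MOVE leaves its indexes UNUSABLE,
--    so rebuild them into the encrypted tablespace as well.
ALTER TABLE sales.orders MOVE TABLESPACE sales_enc;
ALTER INDEX sales.orders_pk REBUILD TABLESPACE sales_enc;

-- 4. Verify encryption: the new tablespace is flagged encrypted, and no
--    segments are left behind in the old one.
SELECT t.name, e.encryptedts, e.encryptionalg
  FROM v$tablespace t
  JOIN v$encrypted_tablespaces e ON t.ts# = e.ts#;
SELECT segment_name, segment_type
  FROM dba_segments
 WHERE tablespace_name = 'SALES_OLD';   -- expect no rows before step 5

-- 5. Drop the unencrypted tablespace but leave its files on disk
--    (the database no longer references them after this).
DROP TABLESPACE sales_old INCLUDING CONTENTS KEEP DATAFILES;

-- 6. Securely delete the cleartext files at the OS level, e.g. from a shell:
--      shred -u /u01/app/oracle/oradata/ORCL/sales_old01.dbf
--    A plain rm only unlinks the file and leaves the cleartext blocks recoverable.
```

Run the step 4 checks before step 5: once the old tablespace is dropped, any segment still inside it is gone with it.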

Audit Vault

– Separate instance

– Audit data sent to this instance

Database Firewall

– Only allow certain SQL statements

– Can use the Unique logging level so that differing predicate values do not result in duplicate entries

– Can first capture and log data before enforcing anything

– Can select a whitelist policy (Pass, Logging Level Unique)

– Does not pick up local connections, as these are not over the network

– New SQL statements go to the default rule and can be blocked.

– The default rule can also substitute the statement.

– Assign the Firewall Policy to the secured target.

– Create dba user set

– Add exception to policy for dba user set

Database Firewall works at OSI Application (SQL*Net) layer.

Multiple Database Firewalls can connect to 1 Audit Server.

Privileged Account Management – proxy server bob->oracle

Database Vault

– Realms transparently block DBA privileges from accessing data

– Command Rules (e.g. on GRANT ... WITH ADMIN OPTION) can filter statements

– Installed by default with 12c, just need to enable.

– DBA, Account Administrator, Security Administrator (Database Vault, Realms, Command Rules)

– Oracle 12c adds Mandatory Realm, even table owner cannot access table unless part of the realm.

– Oracle 12c adds privilege analysis: run the database in training mode to capture which privileges are actually used.

– Realm Audit Report shows attempted violations

– Need to enable OLS (Oracle Label Security) to use Database Vault

– Still need the traditional object privileges as well; a realm authorization does not grant them.

– Can specify that a user can only access a realm during business hours

– Can use PL/SQL procedure to apply restrictions

– A user can be in multiple realms, and all realms covering an object must allow access.

– PL/SQL function DVSYS.SQL_TEXT returns the parsed SQL text without comments.
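The realm, rule set and audit points above, worked through with the DBMS_MACADM API. This is an added example rather than code from the original notes or from Oracle: it assumes a session holding the DV_OWNER role, the HR sample schema with HR.EMPLOYEES installed, and traditional (non-unified) auditing so that realm violations land in DVSYS.AUDIT_TRAIL$; the realm, rule set and rule names are constructed for the example.

```sql
-- Added example, not from the original notes. Run as a user holding DV_OWNER.
-- Assumes the HR sample schema (HR.EMPLOYEES) and traditional auditing;
-- realm, rule set and rule names below are constructed.

-- A rule that evaluates true only during business hours (08:00 to 17:59).
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Is Business Hours',
    rule_expr => 'TO_CHAR(SYSDATE, ''HH24'') BETWEEN ''08'' AND ''17''');
END;
/

-- A rule set wrapping that rule: failures are audited and the message shown.
BEGIN
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Business Hours Only',
    description     => 'Allow access between 08:00 and 17:59 only',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'HR data may only be accessed during business hours',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Business Hours Only',
    rule_name     => 'Is Business Hours');
END;
/

-- A mandatory realm (realm_type => 1, new in 12c): even the table owner HR
-- is blocked unless authorized below. Failed attempts are audited.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Employees Realm',
    description   => 'Shield employee data from DBA privileges',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    realm_type    => 1);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Employees Realm',
    object_owner => 'HR',
    object_name  => 'EMPLOYEES',
    object_type  => 'TABLE');
  -- HR is a realm participant, but only while the rule set evaluates true.
  -- HR still needs its ordinary object privileges (it owns the table here).
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Employees Realm',
    grantee       => 'HR',
    rule_set_name => 'Business Hours Only',
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- Confirm the configuration through the Database Vault dictionary views.
SELECT name, enabled, audit_options FROM dba_dv_realm
 WHERE name = 'HR Employees Realm';
SELECT realm_name, grantee, auth_rule_set_name, auth_options
  FROM dba_dv_realm_auth
 WHERE realm_name = 'HR Employees Realm';

-- The Realm Audit Report in SQL form: attempted violations recorded by the
-- realm (assumes traditional auditing; the realm name is matched against
-- ACTION_OBJECT_NAME, where Database Vault records the protected realm).
SELECT username, action_name, action_object_name, returncode, timestamp
  FROM dvsys.audit_trail$
 WHERE action_object_name = 'HR Employees Realm'
 ORDER BY timestamp DESC;
```

With this in place, a SELECT on HR.EMPLOYEES by a user with SELECT ANY TABLE fails with the realm violation and shows up in the audit query, while HR itself succeeds only inside the rule set's hours.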

Data Masking and Subsetting

– Change values but keep the checksum the same

– Keep primary/foreign keys in sync.

Oracle Internet Directory, Oracle Virtual Directory and now Oracle Unified Directory consume user/group information from Active Directory; the AD schema does not need to change. Roles for users are assigned via groups in AD.
