Alternative Products to Oracle Database Vault and Audit Vault

prash...@gmail.com

Jun 4, 2008, 8:12:10 PM
Hi,

We are looking at securing our Oracle Databases containing customer
Data with Oracle Database Vault and Audit Vault. Are there any other
alternative industry standard products besides these that could be
used with Oracle databases, with a view for PCI compliance?


Thanks in advance,
PK

DA Morgan

Jun 5, 2008, 12:44:27 PM

Audit Vault does not secure data ... but it can be invaluable for
providing an access audit trail. A new version of AV will be released
very soon so be sure you wait for it for your implementation.

Your primary PCI concerns are:
Requirement 2.2.4 - Remove all unnecessary functionality
Requirement 2.3 - Encrypt all non-console administrative access
Requirement 4 - Encrypt transmission of cardholder data across open,
public networks
Requirement 6 - Develop and maintain secure systems and applications
Requirement 6.5.1 - Unvalidated Input
Requirement 6.5.2 - Broken Access Control
Requirement 6.5.3 - Broken Authentication and Session Management
Requirement 6.5.4 - Cross Site Scripting (XSS) Flaws
Requirement 6.5.5 - Buffer Overflows
Requirement 6.5.6 - Injection Flaws
Requirement 6.5.7 - Improper Error Handling
Requirement 6.5.8 - Insecure Storage
Requirement 6.5.9 - Denial of Service
Requirement 6.5.10 - Insecure Configuration Management

For which Data Vault will only address a single issue: 6.5.8.

No built-in capability will address 2.2.4.
2.3, 4, and 6 are not database issues.
6.5.1 requires coding.
6.5.2 - 6.5.5 are not database issues.
6.5.6 is front-end, middle-tier, and database related. Be sure
you look at implementing safeguards with bind variables and the
DBMS_ASSERT package.
6.5.7 is a coding issue.
6.5.9 is usually not a database issue.
6.5.10 is general to the entire system.
--
Daniel A. Morgan
Oracle Ace Director & Instructor
University of Washington
damo...@x.washington.edu (replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org
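
The bind-variable and DBMS_ASSERT safeguard named for 6.5.6 in the reply above, as an added PL/SQL example that is not part of the original thread. The CUSTOMERS table, its NAME column and both function names are hypothetical.

```sql
-- Added example; CUSTOMERS(NAME) and both function names are hypothetical.

-- Weak: input is concatenated into the statement text and parsed as SQL.
CREATE OR REPLACE FUNCTION count_by_name_weak (p_name IN VARCHAR2)
  RETURN NUMBER
IS
  l_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM customers WHERE name = ''' || p_name || ''''
    INTO l_count;
  RETURN l_count;
END;
/

-- Hardened: the value travels as a bind variable and is never parsed as SQL.
-- A table name cannot be bound, so it is validated with DBMS_ASSERT first.
CREATE OR REPLACE FUNCTION count_by_name (
  p_table IN VARCHAR2,
  p_name  IN VARCHAR2
) RETURN NUMBER
IS
  l_table VARCHAR2(300);
  l_count NUMBER;
BEGIN
  -- Raises ORA-44002 unless p_table names an existing SQL object.
  l_table := DBMS_ASSERT.SQL_OBJECT_NAME(p_table);
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || l_table || ' WHERE name = :n'
    INTO l_count
    USING p_name;
  RETURN l_count;
END;
/

-- Constructed inputs (SET SERVEROUTPUT is a SQL*Plus command).
SET SERVEROUTPUT ON
BEGIN
  -- The apostrophe stays data here; the weak version fails to parse on it.
  DBMS_OUTPUT.PUT_LINE(count_by_name('CUSTOMERS', 'O''Brien'));
  -- Not an object name, so it is rejected before any SQL is built.
  DBMS_OUTPUT.PUT_LINE(count_by_name('CUSTOMERS WHERE 1 = 1', 'x'));
EXCEPTION
  WHEN OTHERS THEN
    IF SQLCODE = -44002 THEN
      DBMS_OUTPUT.PUT_LINE('rejected: ' || SQLERRM);
    ELSE RAISE; END IF;
END;
/
```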

prash...@gmail.com

Jun 6, 2008, 12:37:24 AM
Daniel,

Many thanks for throwing in that information.

However I also want to find out if anyone else out there has got any
experience in segregating roles (Database administration Vs Security)
and tightening security for PCI Compliance using an alternative
product on Oracle.

I gather that RSA Database Security Manager can do such things on
Oracle. Anyone used this product?

Our Management wants to look at alternative products as Oracle's
quotes for Vault are quite pricey, in fact costlier than the Database
offering itself.

Thanks,
PK

DA Morgan

Jun 6, 2008, 12:45:44 PM

I have worked in a number of engagements where segregation of roles
was mandated by auditors and legal. The good news ... technically it
is a no-brainer. Getting humans to behave logically? Well that is
quite another matter.

The issue of Data Guard alternatives goes something like this.
Step 1: Have management put a price tag, in $ or your local
business currency, on the damage that could be done if your data
were stolen or misused.

Step 2: Write a clear and concise definition of what you need to achieve.

For example do you need to secure the data in the database? From what?
Do you need to secure the archived redo logs?
The flashback logs?
Your backups onsite? Offsite?

Step 3: Look at solutions for all of these challenges and be prepared
to validate that they work well together.

The one advantage of the Oracle solution is that Oracle is responsible
for making it all work together. Remember a backup that cannot be
restored using RMAN is nearly worthless.

From my experience forcing management to do Step 1 makes the rest of
the job much easier.

prash...@gmail.com

Jun 6, 2008, 9:14:43 PM
Daniel,

Thanks very much, that has cleared my mind before I write a detailed
proposal to the management.

Many thanks again,
PK

SC

Jun 12, 2008, 8:27:23 AM
Look at Guardium.com

http://www.guardium.com/index.php/pr/368

We are evaluating S-Gate product. DB Vault is evil and not designed
for enterprise users. It can't even work with Oracle Enterprise
Manager :-(((

On Jun 4, 7:12 pm, prashk2...@gmail.com wrote:
> Hi,
>
> We are looking at securing our Oracle Databases containing customer
> Data with Oracle Database Vault and Audit Vault. Are there any other

DA Morgan

Jun 13, 2008, 1:26:46 PM

Oracle, yesterday, released a new version of Audit Vault (v 10.2.3).

It can be downloaded at http://otn.oracle.com.
Click on Downloads
Click on More
