New security tool can restrict even the rights of database administrators
Oracles new database Vault technology restricts data access rights of even powerful users, while its new encryption technology, Secure Backup, encrypts data to tape.
Oracle introduced two new security tools on April 25: Database Vault, which restricts data access rights of powerful users such as database administrators, and Secure Backup encryption technology, which ensures that even tapes that get lost or misplaced wont be readable by the wrong set of eyes.
Database Vault is designed to meet organizations need to comply with regulatory and privacy and related separation-of-duty mandates that require more than one person to complete a sensitive task. Its also designed to protect businesses against security threats from insiders.
Mark Townsend, Oracles senior director of product management for the database, in Redwood Shores, Calif., said that customers are increasingly looking to be able to prove to auditors that theyre on top of controlling data privacy.
"Databases hold [sensitive data such as] end-of-quarter results, etc.," Townsend said. "Companies need to be able to prove DBAs havent had access to that information."
The two products are part of a series Oracles pushing to address the "last mile" of encryption, regulatory compliance and security, said Townsend. An earlier product release in the series was Oracle Secure Enterprise Search 10g. That search product scours and indexes internal and external data sources, including Web sites, databases, file servers, portals and e-mail, all while minding security policies regarding whos allowed to see what.
Database Vault has security controls that allow for incremental restrictions on data access. The product establishes realms that can encapsulate an application or a set of database objects inside a protection zone. Rules can also be set to restrict operations based on business-specific factors such as a particular database, a machine, IP addresses, the time of day or authentication modes.
Thus, the software can be set up to prevent a DBA from changing the database from outside the corporate intranet or after normal working hours, for example.
"This is automated prevention where you can come into a large, existing database and say, This data over here, we want to make sure DBAs arent seeing end-of-quarter results," Townsend said. "We can make users control access from existing applications. [Companies] may have users with access through their [Microsoft] Access spreadsheet but dont want [them] to have access through the command line or [during] a certain part of the day or through a particular location.
"This is the final mile, we think, in terms of security and separation of duty," Townsend said.
Rules can be applied to all SQL commands. Database Vault also includes detailed reports that can be used to satisfy audits.
Oracle also announced Oracle Secure Backup, a high--performance network tape backup for Oracle databases and file systems on Linux, Unix and Windows. It supports more than 200 tape devices from leading vendors.
Secure Backup encrypts data to tape to ensure that it doesnt get tinkered with even in the event that backup tapes are lost or stolen.
"There are two aspects [of security] we address: One, we provide a fully integrated disk-to-tape backup solution. Oracles database can now talk to over 200 tape devices. Two, were also encrypting those backups as well. If those tapes get lost in transit, theres no chance to intercept or recover the database and read data out of it," Townsend said.
Oracle claims that the back-up product is the first to embed backup logic directly within a relational database engine. Townsend said that the integration with the database means that Secure Backup has tighter security levels, higher performance and greater ease of use than would be possible otherwise.
"Because its integrated with Oracle [databases], its very fast," Townsend said. "We know which data has been changed in the database and can back that up very quickly because securitys fully built into [the database] as well."
Oracle Database Vault is a stand-alone security technology. Oracle expects to deliver the Linux version of both Database Vault and Secure Backup within the next 30 days, while versions for other platforms will be available in the coming six months for both products.