ORACLE DAT A SHEET

Oracle Database Vault

Oracle Database 18c

Oracle Database Vault provides powerful security controls to help protect application data
from unauthorized access, and implement separation of duties between database
administrators and data owners to comply with privacy and regulatory requirements.
Controls can be deployed to block privileged account access to application data and
control sensitive operations inside the database using authorized trusted path. Security of
existing applications can be increased with automated analysis of privileges and roles
used. Oracle Database Vault secures existing database environments transparently,
eliminating costly and time consuming application changes.

KEY FEATURES AND BENEFITS

Controls for Privileged Accounts
• Implement preventive controls to Privileged database accounts are one of the most commonly used pathways for gaining access to
block privileged users and DBAs from
sensitive data. While their broad and unrestricted access facilitates database maintenance, the same
accessing sensitive data in the
databases access also creates a point of attack for gaining access to large amounts of data. Oracle Database
• Enforce operational controls inside Vault Realms defined around application schemas, tables and stored procedures provide controls to
the database to lock down the prevent privileged accounts from being exploited by malicious users to access sensitive data. Various
configuration from potential threats out-of-the-box factors such as IP address, authentication method, and program name help implement
and prevent audit findings
trusted path authorization to deter attacks leveraging stolen passwords.
• Seal off highly sensitive application
objects during maintenance periods
and in response to cyber threats
• Identify used and unused privileges
and roles with Privilege Analysis to
reduce the attack surface
• Quickly verify security controls using
simulation mode to test custom and
packaged applications.
• Save time and secure environments
with application-specific protection Figure 1. Oracle Database Vault Realms block access from privileged accounts
policies for enterprise applications
including Fusion Applications, E- Controls for Database Configuration
Business Suite, PeopleSoft, Siebel,
and SAP Among the most common audit findings are unauthorized changes to database entitlements,
including grants of the DBA role, as well as new accounts and database objects. Preventing
unauthorized changes to production environments is important not only for security, but also for
compliance as these changes can weaken security and open doors to hackers, violating privacy and
compliance regulations. Oracle Database Vault Command Rules allow customers to control
operations inside the database, including commands such as create table, truncate table, and create
user. These controls prevent accidental configuration changes and also prevent hackers and
malicious insiders from tampering with and making application changes.
ORACLE DAT A SHEET

Separation of Duty
RELAT ED PRODUCTS
Oracle Database Vault provides three distinct separation of duty controls out-of-the-box for security
Oracle Database 18c Defense-in-Depth
administration, account management, and day-to-day database administration activities. Oracle
Security Solutions:
Database Vault separation of duty controls can be customized and organizations with limited
• Oracle Advanced Security resources can assign multiple Oracle Database Vault responsibilities to the same administrator.
• Oracle Key Vault
• Oracle Data Masking and Subsetting Run-time Privilege Analysis for Users and Applications
• Oracle Label Security
Privilege Analysis helps increase the security of applications by identifying the actual privileges and
• Oracle Audit Vault and Database roles used at run-time. The additional unused roles and privileges can then be audited or revoked by
Firewall
the administrators to reduce the attack surface and implement a least privilege model for shared
application accounts and database users. Privilege analysis can also be applied to administrators to
help limit the roles and privileges they are granted in order to fulfill their responsibilities.

Enterprise Applications Protection Policies

Application-specific Oracle Database Vault protection policies are available for major enterprise
applications including Oracle Fusion Applications, Oracle E-Business Suit, Oracle PeopleSoft, Oracle
Siebel, Oracle Financial Services (i-Flex), Oracle Primavera, SAP, and Finacle from Infosys.

Customer applications can be swiftly validated with Database Vault security controls using simulation
mode. Simulation mode captures security violations instead of enforcing them, allowing a single
regression test to capture the required security changes. Simulation mode allows customers to
quickly deploy new controls into production without compromising existing security.

Manageability
Oracle Database Vault is built into Oracle Database 18c and can be enabled easily. Oracle Database
Vault administration is fully integrated with Oracle Enterprise Manager Cloud Control, providing
Security Administrators with a streamlined and centralized interface to manage Oracle Database
Vault. Security responsibility can be delegated to domain security experts.

Controls for Consolidation and Cloud Environments

Consolidation and cloud environments reduce cost but potentially expose large amounts of sensitive
application data to those without a true need-to-know. Data from one country may be hosted in an
entirely different country, but access to that data must be restricted based on regulations of the
country to which the data belongs. Oracle Database Vault controls provide increased security for
these environments by preventing database administrators from accessing the applications data. In
addition, controls can be used to help block application bypass and enforce a trusted-path from the
application tier to the application data.

2 | ORACLE DATABASE VAULT DATA SHEET

ORACLE DAT A SHEET

CONTACT US

For more information about [insert product name], visit oracle.com or call +1.800.ORACLE1 to speak to
an Oracle representative.

CONNECT W ITH US

blogs.oracle.com/oracle Copyright © 2018, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the
contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other
warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or
facebook.com/oracle fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are
formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means,
twitter.com/oracle electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
oracle.com
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and
are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are
trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group. 0218

3 | ORACLE DATABASE VAULT DATA SHEET