Oracle?s Latest Offers One-Two Security Punch

Oracle’s Database Vault should ship soon on Linux, with Solaris, Windows and other versions to follow.

Database Vault and the upcoming Audit Vault from Oracle could be ideal for companies hoping to prevent unauthorized viewing, copying or tampering of data. Audit Vault, due out later this year, would “watch” database activity and funnel all that data to a separate, secure repository.

Database Vault, which is available for the current Oracle Database 10g Release 2, will enable companies to “put firewalls around financial data” so that DBAs and system administrators cannot see information they shouldn’t see, said Andy Mendelsohn, senior vice president of database server technologies at the Redwood Shores, Calif.-based company. “DBAs right now are pretty much all-powerful. They can see anything. [Database] Vault lets you put a wall around that data,” he said. “Once you do that, folks with no need to see financial data are locked out of that realm.”

Oracle partners can use the technology—costing $20,000 per CPU—to ease customers’ regulatory compliance, ISVs and solution providers said.

This is a “clean method to control who can do what [with the data] and protect against insider threats,” said Dwayne Melancon, vice president of business development at Tripwire, a Portland, Ore., ISV specializing in IT auditing software.Jay Thompson, managing director of Protiviti, an Irvine, Calif.-based company specializing in internal audit and technology-risk-assessment consulting services, concurred.

“On the tech side, Database Vault could raise the bar as to what companies can do in providing controls. There’s nothing similar on the market yet,” he said. Database Vault provides the preventive side, and Audit Vault, which watches the database, detects bad behavior, Thompson added.

Audit Vault, which was previewed along with Database Vault at Oracle World last fall, collects information on who accesses, deletes and changes data and when they do it, and sends that information to a separate, secure repository.

Mike Rudolph, vice president of product management at LogicalApps, Irvine, another Oracle ISV, said the software will help his company plug security holes at customer sites. Companies running enterprise applications off databases now realize that DBAs and other IT professionals can “go in underneath the application, directly to the database, and get access to pretty much anything,” Rudolph noted.

The new Oracle technology “lets you create realms that isolate user access to a subset of the data [for which they are authorized],” he said.Exactly who sees which data and when is of crucial importance with heightened financial reporting regulations in place, according to solution providers. And increasingly, companies will have to show auditors that their information is cordoned off and viewable by only those who are supposed to see it.