Message-ID: <486b2b610709080139n6ed18411s1767935e806722ef@mail.gmail.com>
Date: Sat, 8 Sep 2007 10:39:51 +0200
From: "Stefan Knecht" <knecht.stefan@gmail.com>
To: Jay.Miller@tdameritrade.com
Subject: Re: Oracle Vault?
Cc: oracle-l <oracle-l@freelists.org>
In-Reply-To: <304CF4722010DD4FA19829D09DDB956BAC3103@prdhswsemlmb01.prod-am.ameritrade.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_4596_30613614.1189240791757"
------=_Part_4596_30613614.1189240791757
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Jay

I've recently set up an environment for just that purpose.

What you're looking at is several important factors, to get as close as
possible to preventing a DBA from accessing the important data:

- Separation of duties (once a DBA has got a shell as oracle software owner,
your data can be viewed)
- Use Database Vault to protect the sensitive data with a realm from direct
access
- Use TDE (transparent data encryption) to prevent a DBA from restoring a
backup, doing block dumps etc.

The biggest "performance impact" you'll probably hit is the separation of
duties ;-) TDE might also cost you some extra CPU, but you'd have to
benchmark it in your environment. The Vault shouldn't do all that much to
performance, but again, benchmark it to see if it works for you.

Also, the vault isn't perfect. A lot of things don't work out of the box --
it's a very new product after all. I'll have a presentation on just this
topic at SIOUG at the end of September. Once I'm done with it I can mail it
your way if you're interested.

Stefan




On 9/7/07, Jay.Miller@tdameritrade.com <Jay.Miller@tdameritrade.com> wrote:
>
>  Has anyone used this product and been able to comment on any performance
> overhead involved?  We're looking at means of encrypting sensitive
> information so sys/system accounts can't see it.
>
>
>
>



-- 
=========================

Stefan P Knecht
Consultant
Infrastructure Managed Services

Trivadis AG
Europa-Strasse 5
CH-8152 Glattbrugg

Phone +41-44-808 70 20
Fax +41-808 70 12
Mobile +41-79-571 36 27
stefan.knecht@trivadis.com
http://www.trivadis.com

OCP SCSA SCNA
=========================

------=_Part_4596_30613614.1189240791757--
--
http://www.freelists.org/webpage/oracle-l
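
The realm and TDE measures listed in the reply above, sketched as an added example that is not part of the original message or from its author. The PAYROLL schema, EMPLOYEE_PAY table, PAYROLL_APP account, realm name and wallet password are hypothetical placeholders; it assumes Database Vault is installed and ENCRYPTION_WALLET_LOCATION is already set in sqlnet.ora.

```sql
-- Added illustration; all schema, table, account and realm names are hypothetical.

-- 1. TDE: run as a user with the ALTER SYSTEM privilege.
--    Creates or opens the wallet and sets the master encryption key.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet-password-placeholder>";

-- Encrypt the sensitive column so datafiles, backups and block dumps
-- contain ciphertext instead of clear text.
ALTER TABLE payroll.employee_pay MODIFY (salary ENCRYPT USING 'AES256');

-- 2. Database Vault realm: run as the Database Vault owner (DV_OWNER role),
--    an account that should be held by someone other than the DBAs.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Payroll Realm',
    description   => 'Blocks system-privilege access to PAYROLL objects',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- audit refused attempts

  -- Place every object of the PAYROLL schema inside the realm.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Payroll Realm',
    object_owner => 'PAYROLL',
    object_name  => '%',
    object_type  => '%');

  -- Authorise only the application account as a realm participant.
  -- Accounts relying on SELECT ANY TABLE and similar system privileges
  -- are not authorised and are refused by the realm.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Payroll Realm',
    grantee      => 'PAYROLL_APP',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 3. Verification: connected as a DBA account that is not authorised in the
--    realm, this query should now be refused and the attempt audited.
SELECT salary FROM payroll.employee_pay WHERE ROWNUM = 1;

-- Neither control covers a shell as the oracle software owner or knowledge of
-- the wallet password; that gap is what separation of duties has to close.
```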


