Re: Alternative Products to Oracle Database Vault and Audit Vault
Date: Thu, 05 Jun 2008 09:44:27 -0700
> We are looking at securing our Oracle Databases containing customer
> Data with Oracle Database Vault and Audit Vault. Are there any other
> alternative industry standard products besides these that could be
> used with Oracle databases, with a view for PCI compliance ?
> Thanks in advance,
Audit Vault does not secure data ... but it can be invaluable for providing an access audit trail. A new version of AV will be released very soon so be sure you wait for it for your implementation.
Your primary PCI concerns are:
Requirement 2.2.4 - Remove all unnecessary functionality Requirement 2.3 - Encrypt all non-console administrative access Requirement 4 - Encrypt transmission of cardholder data across open, public networks
Requirement 6 - Develop and maintain secure systems and applications
Requirement 6.5.1 - Unvalidated Input Requirement 6.5.2 - Broken Access Control Requirement 6.5.3 - Broken Authentication and Session Management Requirement 6.5.4 - Cross Site Scripting (XSS) Flaws Requirement 6.5.5 - Buffer Overflows Requirement 6.5.6 - Injection Flaws Requirement 6.5.7 - Improper Error Handling Requirement 6.5.8 - Insecure Storage Requirement 6.5.9 - Denial of Service Requirement 6.5.10 - Insecure Configuration Management
For which Data Vault will only address a single issue: 6.5.8.
No built-in capability will address 2.2.4.
2.3, 4, and 6 are not database issues. 6.5.1 requires coding. 6.5.2 - 6.5.5 are not database issues. 6.5.6 is front-end, middle-tier, and database related. Be sureyou look at implementing safeguard with bind variables and the DBMS_ASSERT package.
6.5.7 is a coding issue. 6.5.9 is usually not a database issue 6.5.10 is general to the entire system
-- Daniel A. Morgan Oracle Ace Director & Instructor University of Washington damorgan_at_x.washington.edu (replace x with u to respond) Puget Sound Oracle Users Group www.psoug.orgReceived on Thu Jun 05 2008 - 11:44:27 CDT