Re: Alternative Products to Oracle Database Vault and Audit Vault

From: DA Morgan <damorgan_at_psoug.org>
Date: Thu, 05 Jun 2008 09:44:27 -0700
Message-ID: <1212684265.445638@bubbleator.drizzle.com>


prashk2005_at_gmail.com wrote:
> Hi,
>
> We are looking at securing our Oracle Databases containing customer
> Data with Oracle Database Vault and Audit Vault. Are there any other
> alternative industry standard products besides these that could be
> used with Oracle databases, with a view for PCI compliance ?
>
>
> Thanks in advance,
> PK

Audit Vault does not secure data ... but it can be invaluable for providing an access audit trail. A new version of AV will be released very soon so be sure you wait for it for your implementation.

Your primary PCI concerns are:
Requirement 2.2.4 - Remove all unnecessary functionality
Requirement 2.3 - Encrypt all non-console administrative access
Requirement 4 - Encrypt transmission of cardholder data across open, public networks
Requirement 6 - Develop and maintain secure systems and applications

Requirement 6.5.1 - Unvalidated Input
Requirement 6.5.2 - Broken Access Control
Requirement 6.5.3 - Broken Authentication and Session Management
Requirement 6.5.4 - Cross Site Scripting (XSS) Flaws
Requirement 6.5.5 - Buffer Overflows
Requirement 6.5.6 - Injection Flaws
Requirement 6.5.7 - Improper Error Handling
Requirement 6.5.8 - Insecure Storage
Requirement 6.5.9 - Denial of Service
Requirement 6.5.10 - Insecure Configuration Management

For which Data Vault will only address a single issue: 6.5.8.

No built-in capability will address 2.2.4.

2.3, 4, and 6 are not database issues.
6.5.1 requires coding.
6.5.2 - 6.5.5 are not database issues.
6.5.6 is front-end, middle-tier, and database related. Be sure you look at implementing safeguards with bind variables and the DBMS_ASSERT package.
6.5.7 is a coding issue.
6.5.9 is usually not a database issue.
6.5.10 is general to the entire system.
-- 
Daniel A. Morgan
Oracle Ace Director & Instructor
University of Washington
damorgan_at_x.washington.edu (replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org
Received on Thu Jun 05 2008 - 11:44:27 CDT
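The bind-variable and DBMS_ASSERT safeguards mentioned for 6.5.6, as an added PL/SQL example that is not part of the original post; the `card_data` table, its columns and the function names are all assumed for illustration.

```sql
-- Hypothetical table holding cardholder data; column names are assumed.
-- Vulnerable form: the caller's input becomes part of the statement text,
-- so any value containing a quote or SQL syntax can alter the query.
CREATE OR REPLACE FUNCTION card_count_unsafe (p_customer IN VARCHAR2)
RETURN NUMBER IS
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM card_data WHERE customer_id = '''
    || p_customer || ''''
    INTO v_count;
  RETURN v_count;
END;
/

-- Hardened form: the value is passed as a bind variable, so it is only
-- ever data and is never parsed as SQL, whatever characters it contains.
-- Static SQL (SELECT ... INTO with a PL/SQL variable in the WHERE clause)
-- binds automatically; dynamic SQL needs the explicit USING clause.
CREATE OR REPLACE FUNCTION card_count_safe (p_customer IN VARCHAR2)
RETURN NUMBER IS
  v_count NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM card_data WHERE customer_id = :cust'
    INTO v_count USING p_customer;
  RETURN v_count;
END;
/

-- Identifiers (table or column names) cannot be bound, which is where
-- DBMS_ASSERT comes in: SQL_OBJECT_NAME raises ORA-44002 unless the
-- string names an object visible to the caller, and ENQUOTE_NAME wraps
-- the result in double quotes (upper-casing an unquoted name) so it can
-- only be read as a single identifier. Assumes an unqualified table name
-- in the caller's own schema.
CREATE OR REPLACE FUNCTION row_count_for (p_table IN VARCHAR2)
RETURN NUMBER IS
  v_count NUMBER;
  v_table VARCHAR2(130);
BEGIN
  v_table := DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SQL_OBJECT_NAME(p_table));
  EXECUTE IMMEDIATE 'SELECT COUNT(*) FROM ' || v_table INTO v_count;
  RETURN v_count;
END;
/
```

Rejected input surfaces as an ORA-44002 error rather than a changed statement, which is also the event worth capturing in the audit trail.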
