Database Vault

Oracle Database Vault implements data security controls within Oracle Database to restrict access to application data by privileged users. Reduce the risk of insider and external threats and address compliance requirements, including separation of duties.

Explore Oracle Database Vault

Database Vault realms

Block unauthorized access to sensitive data by creating restricted application environments within Oracle Database. Oracle Database Vault security controls also help organizations address compliance with data privacy laws and standards such as the European Union General Data Protection Regulation (EU GDPR), the Payment Card Industry Data Security Standard (PCI-DSS), and numerous other regulations that require strong internal controls on access, disclosure, or modifications to sensitive information.


Database Vault command rules

Prevent privileged user accounts from making malicious or accidental changes that disrupt operations. Command controls prevent unauthorized commands such as DROP TABLE or ALTER SYSTEM outside of specific maintenance windows.


Database Vault trusted paths

Use factors like client IP address, program, username, and time of day to enforce zero trust access to data and data operations. Since an attacker can't simply use a stolen account to access sensitive data, Database Vault can block unauthorized access to sensitive data and generate high value alerts notifying administrators of suspicious data access activity to help stop data theft before it happens.


Separation of duties

Enforce checks and balances on privileged users, preventing attackers from disabling security controls, creating rogue users, and accessing sensitive data by leveraging credentials from a single privileged account.


Integrated, performant, and scalable

Secure new and existing Oracle Database environments without the need for costly and time-consuming application changes. Database Vault is compatible with enterprise architectures, including Oracle Real Application Clusters (RAC), Oracle GoldenGate, and Oracle Data Guard, all without the need to deploy additional servers and agents.


Detect or block SQL injection attacks

Detecting and preventing SQL injection attacks is crucial for safeguarding databases from unauthorized access and potential data breaches. With 23ai SQL Firewall, organizations gain a powerful tool to combat the risk of SQL injection and block the misuse of stolen credentials. With it, you can significantly bolster your resilience against SQL injection attacks, protect sensitive data, and preserve the integrity of your databases.

23ai SQL Firewall works by learning normal application behavior, including what SQL statements an application issues and the context that an application uses to connect to the database, such as network address, operating system user, and program used. Once trained, 23ai SQL Firewall can do the following:

  • Log and block deviations from normal behavior
  • Identify unusual SQL statements
  • Identify connections coming from addresses or programs not in the application’s profile

23ai SQL Firewall uses an allow-list approach, defining the finite set of allowable behavior, instead of attempting to guess at the near-infinite choices an attacker might use to try to break into the database.

Because 23ai SQL Firewall is built into the Oracle Database kernel, it cannot be bypassed. The firewall is not fooled by the use of synonyms or dynamic SQL, and it is not impacted by network encryption.

In addition to threat mitigation, 23ai SQL Firewall logs provide a valuable detective capability, logging all deviations from policy even if the firewall is not placed in blocking mode. If desired, audit records of firewall violations can be created for use in database activity monitoring solutions, such as Oracle Audit Vault and Database Firewall or Oracle Data Safe.
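The learn, allow-list, observe, then block sequence described above, sketched with the `DBMS_SQL_FIREWALL` package as an added example that is not taken from Oracle's page. `APP_USER` is a hypothetical application account, and `EXEC` assumes a SQL*Plus or SQLcl session run by a user holding the `SQL_FIREWALL_ADMIN` role.

```sql
-- Added example. APP_USER is a hypothetical application schema.

-- 1. Turn SQL Firewall on for the database.
EXEC DBMS_SQL_FIREWALL.ENABLE;

-- 2. Learn: capture the SQL and the session context (IP address, OS user,
--    client program) that APP_USER uses during normal operation.
BEGIN
  DBMS_SQL_FIREWALL.CREATE_CAPTURE(
    username       => 'APP_USER',
    top_level_only => TRUE,   -- only statements issued directly by the client
    start_capture  => TRUE);
END;
/
-- Run a representative workload here. Anything the application does that is
-- not exercised during capture will later be reported as a violation.
EXEC DBMS_SQL_FIREWALL.STOP_CAPTURE('APP_USER');

-- 3. Build the allow-list from the capture and review it before trusting it.
EXEC DBMS_SQL_FIREWALL.GENERATE_ALLOW_LIST('APP_USER');

SELECT sql_text   FROM dba_sql_firewall_allowed_sql     WHERE username = 'APP_USER';
SELECT ip_address FROM dba_sql_firewall_allowed_ip_addr WHERE username = 'APP_USER';

-- 4. Observe only: check both SQL and context, log deviations, block nothing.
BEGIN
  DBMS_SQL_FIREWALL.ENABLE_ALLOW_LIST(
    username => 'APP_USER',
    enforce  => DBMS_SQL_FIREWALL.ENFORCE_ALL,
    block    => FALSE);
END;
/

-- 5. Triage what the firewall logged: CAUSE separates an unseen SQL statement
--    from a connection that came from an unlisted address or program.
SELECT occurred_at, cause, firewall_action,
       ip_address, client_program, os_user, sql_text
FROM   dba_sql_firewall_violations
WHERE  username = 'APP_USER'
ORDER  BY occurred_at DESC;

-- 6. Once the violation log contains only genuine anomalies, start blocking.
BEGIN
  DBMS_SQL_FIREWALL.UPDATE_ALLOW_LIST_ENFORCEMENT(
    username => 'APP_USER',
    enforce  => DBMS_SQL_FIREWALL.ENFORCE_ALL,
    block    => TRUE);
END;
/
```

Running step 4 long enough to cover periodic jobs (month-end batches, reporting tools) before step 6 reduces the chance of blocking legitimate traffic.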


Oracle Database Vault use cases

  • Protect sensitive data

    Block attackers from accessing sensitive data with stolen privileged user credentials—the most common attack vector today.

  • Prevent inadvertent access

    Block accidental access by database administrators to sensitive data without compromising their ability to perform necessary tasks.

  • Prevent unauthorized database changes

    Block accidental or malicious changes to production databases and restrict authorized changes to defined maintenance periods.

  • Enforce policy-based access control

    Prevent misuse of privileged credentials outside allowed IP address, time of day, client programs, and more.

  • Separation of duties

    Define and separate roles for security and administration so administrators can’t modify security policies or access sensitive data.

Resources

customer community

AskTOM Oracle Database Security Office Hours

AskTOM Office Hours offers free, open Q&A sessions with Oracle Database experts who are eager to help you fully leverage the multitude of enterprise-strength database security tools available to your organization.

cloud learning

LiveLabs Workshop: Oracle Database Vault

This workshop introduces Oracle Database Vault's features and functionality. Explore how to configure Database Vault to protect databases and the sensitive data contained therein with features like realms and trusted paths. Run this workshop on your own tenancy or reserve a time to run the workshop on LiveLabs, free of charge.
