April 25, 2006 9:00 PM PDT

Oracle wants to rein in database admins

In the age of insider threats and regulatory compliance, Oracle doesn't think administrators should have full rein over the information in databases they manage.

The business software giant is readying new software that puts access restrictions on database administrators. The new Oracle Database Vault, due out next month, enforces access controls to help companies meet regulatory and privacy mandates and protect against employees with malicious intentions, said Wynn White, a senior director at Oracle.

"We're taking away the keys to the kingdom from these guys," White said. "You want to be able to give them access to information they need to do their job, but you don't want to give them more than they need."

The Database Vault features will be in demand, especially for databases that contain private data, Forrester Research Analyst Noel Yuhanna said. He estimates that to be one-third of all database systems that are in use. "Enterprises want their administrators to manage their databases, not data," he said.

Oracle is leading the pack of database makers with the new access restriction features, Yuhanna said. "Microsoft, IBM and Sybase don't have anything like this," he said. However, the competition likely will have similar features available in the not-too-distant future, he added.

In addition to the database makers tightening the security of their databases, several other companies including Guardium, Tizor and Crossroads Systems offer products that monitor access to the data stores. These companies also pitch their products as the solution to regulatory woes.

Oracle plans to sell Database Vault as an add-on for the Enterprise Edition of the Oracle Database. It will cost $20,000 per processor or $400 per unique user and work with version 10g Release 2, the most recent version of the company's top-of-the-line database product released last year.

Instead of selling the access restriction functionality as an add-on, Oracle should have included it in their core database product, Yuhanna said. "A lot of customers are going to be demanding that," he said. "It has to be seen if IBM and Microsoft are going to offer similar products at similar cost, or as part of their databases."

In addition to the Database Vault, Oracle on Wednesday plans to announce new software that allows encrypted backups of information stored in databases. Called Oracle Secure Backup, the software can encrypt and copy data onto a tape storage device, Oracle said. The software, available now, works with many versions of Oracle's database and costs $3,000 per tape drive, Oracle said in a statement.

16 comments

How about Data Analysis
It's an unfortunate fact of life but in many instances we simply don't know what data resides in a given column.

One of the jobs of a Data Analyst is to review the contents of columns with an eye to identifying what data resides in that column. And I'm sorry folks but sometimes that means the Data Analyst is poking through what we sometimes as sensitive data. If the analyst is to carry out this function that is the way it has to be.

Of course, companies can continue to disregard data management but sooner or later that will get them in trouble with the compliance gestapo also.
Posted by JustJim0183 (5 comments )
I haven't seen a DBA do this in years
The DBA job has become stupefied.

Developers are doing more and more responsibilities of the DBA's.
Posted by baswwe (299 comments )
Not sure about this...
The DBA doesn't really need to see sensitive data, but a DBA has access to create users and grant further access. If that is restricted or taken away, not sure what a DBA can really do except, backups, restores, etc. You can already grant a role to do this.

Not sure how this helps security either. Someone, somewhere has to have access and if you can trust them, not sure why you cannot trust your DBA.
Posted by enzomedici (20 comments )
This is absolutely ridiculous......
If you can't trust your DB Admin, you have an HR problem....not a software problem.

It's just like all the spying on people's surfing habits at work.... Why don't they spy on their phone use...or breaks.....or conversations they engage in at work?

An employee that is going to waste company time will do so with or without the internet.

An employee that will steal company secrets will find a way to do so with or without authorization to look at the data.

These are hiring issues - plain and simple. Hire good people. Make more than 1 individual responsible for important tasks (as a backup in case one dies or quits and as a means of discouraging bad behavior).

Don't blame the software because you have idiots doing the hiring.

Not that Oracle is above making a big "todo" about this to pump up sales or anything.....
Posted by Jim Hubbard (326 comments )
Hiring good people is key!!!
Well put. HR must review the character and make-up of an individual, and apply the same to a candidate's references. If HR is "reading" from a checklist, you probably aren't valued too highly.

I contract at a government facility and have to pass a background check and obtain a clearance before I can log in to any system and see any data. If I can't be trusted, an audit trail will expose my bad intent. Security regularly reviews these logs, so we share the responsibility.

Note that I could manipulate my copy of the audit trail, but if it's also written to a protected OS directory, I'm exposed. You've got to trust someone, somewhere.

As for the cost of the Database Vault, forget it. Wait for IBM and Microsoft to develop similar products, and we'll all avoid the add-on.
Posted by asmartin88 (2 comments )
As if it is not already hard enough to get an ORA DBA to do something....
Now they can use the "I don't have access excuse". Time to pick up my campaign to move to MySQL.
Posted by umbrae (1073 comments )
it's about time...
if anyone has actually done security reviews and audits, they'll understand..wayyy too easy to do a select all, drop to ipod, walk out the door.

Same argument about 'passwords'. OS admins don't need to have cleartext passwords to admin the os, so they don't get it. I don't need to read tables, just to do tuning and standard operations.

IMO, should be a standard offering from the vendor tho. hosing client for licensing for standard security features is a joke.
Posted by nethed (6 comments )