Solved

Oracle segregation/separation of duties

Posted on 2011-09-22
10
604 Views
Last Modified: 2012-06-27
Oracle Expert$$$$$$$

how to technically enforce SOD in an Oracle Database environment

i have one DBA who is controlling every thing.

goal: DBA can not read data (useful info) from the tables, DBA should do only Admin job
0
Comment
Question by:osloboy
  • 5
  • 3
  • 2
10 Comments
 
LVL 7

Expert Comment

by:Jacobfw
ID: 36579727
Consider data encription for key/sensitive table columns.
0
 
LVL 7

Expert Comment

by:Jacobfw
ID: 36579937
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
ID: 36579948
The only way I know of to ensure the DBA cannot see data is using Oracle Vault.  There is an encryption Wallet Admin that is necessary to properly open the database.

This is a separately licensed product.

http://www.oracle.com/us/products/database/options/database-vault/index.html


There comes a time in every organization when they realize that they have to eventually trust someone with the keys.  DBAs and System Administrator typically hold the keys.

If you have a trust issue with your DBA it may be time to find another DBA.
0
 
LVL 76

Expert Comment

by:slightwv (䄆 Netminder)
ID: 36579961
From the link provided by Jacobfw

Principle 1: Encryption Does Not Solve Access Control Problems
Principle 2: Encryption Does Not Protect Against a Malicious DBA
Principle 3: Encrypting Everything Does Not Make Data Secure
0
 
LVL 7

Expert Comment

by:Jacobfw
ID: 36579965
Oracle Database does support limited partitioning of DBA privileges. Oracle Database provides native support for SYSDBA and SYSOPER users. SYSDBA has all privileges, but SYSOPER has a limited privilege set (such as startup and shutdown of the database).

0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 

Author Comment

by:osloboy
ID: 36589917
slightwv: problem is not trust but security Standardization, to have SOD is batter, you can not make one person as ORACLE GOD.

thanks guys for giving great tips but my problem still stands if Encryption is not right call and buying new solution can be out of question at this point.

is there any alternatives    
0
 
LVL 7

Expert Comment

by:Jacobfw
ID: 36590959
Two Options:

1) custom roles for speciallized individuals to enforce SOD

Furthermore, an organization can create smaller roles encompassing a number of system privileges. A JR_DBA role might not include all system privileges, but only those appropriate to a junior DBA (such as CREATE TABLE, CREATE USER, and so on).

2) enable auditing to secure location to ensure SOD compliance

Oracle Database also enables auditing the actions taken by SYS (or SYS-privileged users) and storing that audit trail in a secure operating system location. Using this model, a separate auditor who has root privileges on the operating system can audit all actions by SYS, enabling the auditor to hold all DBAs accountable for their actions.

However, in the end someone has to be be ORACLE GOD in a small shop, just like in a small town somebody plays sheriff and carries the GUN.
0
 

Author Comment

by:osloboy
ID: 36592023
Jacobfw: thanks a lot, Sheriff must be systematic :p

option 1 seems to be cool but you need additional resources.

where as option 2 can be carried out even with 3rd party auditor.
any good documentation on OPTION 2  
0
 
LVL 7

Accepted Solution

by:
Jacobfw earned 500 total points
ID: 36592257
0
 

Author Closing Comment

by:osloboy
ID: 36814092
good one
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
When we talk about DevOps toolchains, I sometimes wonder how many people really get what we’re talking about. I don’t know if it’s just semantics or tone or something else, but sometimes I think it just sounds like buzzword sausage. So it’s always …
This video explains what a user managed backup is and shows how to take one, providing a couple of simple example scripts.
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

914 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now