dbTalk Databases Forums  

Alternative Products to Oracle Database Vault and Audit Vault

comp.databases.oracle.server


prashk2005@gmail.com
 
Alternative Products to Oracle Database Vault and Audit Vault - 06-04-2008, 07:12 PM

Hi,

We are looking at securing our Oracle Databases containing customer
Data with Oracle Database Vault and Audit Vault. Are there any other
alternative industry standard products besides these that could be
used with Oracle databases, with a view for PCI compliance?


Thanks in advance,
PK

DA Morgan
Re: Alternative Products to Oracle Database Vault and Audit Vault - 06-05-2008, 11:44 AM

prashk2005 (AT) gmail (DOT) com wrote:
> Hi,
>
> We are looking at securing our Oracle Databases containing customer
> Data with Oracle Database Vault and Audit Vault. Are there any other
> alternative industry standard products besides these that could be
> used with Oracle databases, with a view for PCI compliance?
>
> Thanks in advance,
> PK

Audit Vault does not secure data ... but it can be invaluable for
providing an access audit trail. A new version of AV will be released
very soon so be sure you wait for it for your implementation.

Your primary PCI concerns are:
Requirement 2.2.4 - Remove all unnecessary functionality
Requirement 2.3 - Encrypt all non-console administrative access
Requirement 4 - Encrypt transmission of cardholder data across open,
public networks
Requirement 6 - Develop and maintain secure systems and applications
Requirement 6.5.1 - Unvalidated Input
Requirement 6.5.2 - Broken Access Control
Requirement 6.5.3 - Broken Authentication and Session Management
Requirement 6.5.4 - Cross Site Scripting (XSS) Flaws
Requirement 6.5.5 - Buffer Overflows
Requirement 6.5.6 - Injection Flaws
Requirement 6.5.7 - Improper Error Handling
Requirement 6.5.8 - Insecure Storage
Requirement 6.5.9 - Denial of Service
Requirement 6.5.10 - Insecure Configuration Management

For which Data Vault will only address a single issue: 6.5.8.

No built-in capability will address 2.2.4.
2.3, 4, and 6 are not database issues.
6.5.1 requires coding.
6.5.2 - 6.5.5 are not database issues.
6.5.6 is front-end, middle-tier, and database related. Be sure
you look at implementing safeguards with bind variables and the
DBMS_ASSERT package.
6.5.7 is a coding issue.
6.5.9 is usually not a database issue.
6.5.10 is general to the entire system.
--
Daniel A. Morgan
Oracle Ace Director & Instructor
University of Washington
damorgan@x.washington.edu (replace x with u to respond)
Puget Sound Oracle Users Group
www.psoug.org
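
The bind-variable and DBMS_ASSERT safeguard mentioned for 6.5.6 in the reply above, as an added example that is not part of the original thread. The `customers` table, its column names and both function names are hypothetical.

```sql
-- Added illustration; CUSTOMERS, its columns and the function names are hypothetical.

-- Vulnerable form: the column name and the value are both concatenated
-- into the statement text, so either input can change the query's structure.
CREATE OR REPLACE FUNCTION count_customers_unsafe (
    p_column IN VARCHAR2,
    p_value  IN VARCHAR2
) RETURN NUMBER
IS
    l_count NUMBER;
BEGIN
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM customers WHERE ' || p_column ||
        ' = ''' || p_value || ''''
        INTO l_count;
    RETURN l_count;
END count_customers_unsafe;
/

-- Hardened form: DBMS_ASSERT for the identifier, a bind variable for the value.
CREATE OR REPLACE FUNCTION count_customers_safe (
    p_column IN VARCHAR2,
    p_value  IN VARCHAR2
) RETURN NUMBER
IS
    l_column VARCHAR2(128);
    l_count  NUMBER;
BEGIN
    -- Identifiers cannot be bound. SIMPLE_SQL_NAME raises ORA-44003
    -- unless the input is a single well-formed SQL identifier.
    l_column := UPPER(DBMS_ASSERT.SIMPLE_SQL_NAME(p_column));

    -- A well-formed name is not necessarily a permitted one: allow-list it.
    IF l_column NOT IN ('LAST_NAME', 'POSTAL_CODE', 'COUNTRY') THEN
        RAISE_APPLICATION_ERROR(-20001, 'Column not permitted for search');
    END IF;

    -- The value travels as a bind variable and is never parsed as SQL text.
    EXECUTE IMMEDIATE
        'SELECT COUNT(*) FROM customers WHERE ' || l_column || ' = :val'
        INTO l_count
        USING p_value;
    RETURN l_count;
END count_customers_safe;
/
```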


prashk2005@gmail.com
Re: Alternative Products to Oracle Database Vault and Audit Vault - 06-05-2008, 11:37 PM

Daniel,

Many thanks for throwing in that information.

However I also want to find out if anyone else out there has got any
experience in segregating roles (Database administration Vs Security)
and tightening security for PCI Compliance using an alternative
product on Oracle.

I gather that RSA Database Security Manager can do such things on
Oracle. Anyone used this product?

Our Management wants to look at alternative products as Oracle's
quotes for Vault are quite pricey, in fact costlier than the Database
offering itself.

Thanks,
PK
