Oracle's Database Vault
I had the chance to sit down with Oracle yesterday and discuss what their role in PCI compliance was and was pleasantly surprised when the topic of their Database Vault product came up.
The thrust of the offering is to encrypt and protect data at rest so that your DBA's don't know your financial results before the CFO does. It will take protection from the port of the app into the column level and this is pretty slick for a number of reasons:
1. It gives fine grained access control and auditability inside the database where all the juicy information is stored.
2. It will encrypt and fuzz the data so that you can only see subsets (i.e. last four of a social security number, etc.) of the data tied to a recored (PAN).
3. It is a proactive policy based mechanism for where the sensitive data is, and goverened by policy so once policy is set, access to data is too.
The one question I asked that has serious ramifications (good ones) was - is the Database vault product considered and validated as an application layer firewall for databases. No answer yet, but I'll keep the community updated.
pcistuff@gmail.com
The thrust of the offering is to encrypt and protect data at rest so that your DBA's don't know your financial results before the CFO does. It will take protection from the port of the app into the column level and this is pretty slick for a number of reasons:
1. It gives fine grained access control and auditability inside the database where all the juicy information is stored.
2. It will encrypt and fuzz the data so that you can only see subsets (i.e. last four of a social security number, etc.) of the data tied to a recored (PAN).
3. It is a proactive policy based mechanism for where the sensitive data is, and goverened by policy so once policy is set, access to data is too.
The one question I asked that has serious ramifications (good ones) was - is the Database vault product considered and validated as an application layer firewall for databases. No answer yet, but I'll keep the community updated.
pcistuff@gmail.com
Labels: database, Oracle, PCI, PCI Compliance tools
posted by Mark Mac Auley at 8:16 AM
1 Comments:
I also checked the oracle mapping of the PCI standards and posted it on my blog http://identitycontrol.blogspot.com
Post a Comment
<< Home