
Oracle Audit Vault

Trust-but-Verify
An Oracle White Paper
May 2007

Introduction
Auditing is playing an increasingly important role in the areas of compliance,
privacy, and security. Satisfying compliance regulations such as Sarbanes-Oxley and mitigating the risks associated with the insider threat are among the
top security challenges businesses face today. Today, the use of audit data as a
security resource remains very much a manual process, requiring IT security and
audit personnel to first collect the audit data, and then sift through enormous
amounts of dispersed audit data using custom scripts and other methods. Oracle
Audit Vault automates the audit collection and analysis process, turning audit
data into a key security resource to help address today's security and compliance
challenges.

Compliance & Privacy Challenges


Governments worldwide have enacted a wide range of regulations relating to
financial controls, health care, and privacy.

AMERICAS
  Sarbanes-Oxley (SOX)
  Healthcare Insurance Portability and Accountability Act (HIPAA)
  CA SB 1386 and other State Privacy Laws
  Payment Card Industry Data Security Act
  FDA CFR 21 Part 11
  FISMA (Federal Info Security Mgmt Act)

EMEA
  EU Privacy Directives
  UK Companies Act of 2006

APAC
  Financial Instruments and Exchange Law (J-SOX)
  CLERP 9: Audit Reform and Corporate Disclosure Act (Australia)

GLOBAL
  International Accounting Standards
  Basel II (Global Banking)
  OECD Guidelines on Corporate Governance

Figure 1: Compliance & Privacy Challenges

Each regulation has its own characteristics and requirements. Sarbanes-Oxley
(SOX) requires executives to certify the accuracy of financial statements. SOX
regulations require strong internal controls supporting the financial statement.
The Healthcare Insurance Portability and Accountability Act (HIPAA) requires
the protection of sensitive healthcare information. The Payment Card Industry
(PCI) Data Security Act requires that businesses track and monitor all access to
cardholder data.
Key to supporting compliance and privacy regulations are proper security
policies and procedures for access control, encryption, reporting, and
monitoring. Access control policies are important for enforcing need-to-know
policies on application data, especially for highly privileged users such as the
DBA. Encryption policies are an important aspect of data protection for
privacy-related data such as social security numbers or credit cards on the underlying
storage media. Numerous high profile cases have been published regarding lost
or stolen disk drives and backup tapes. Reporting and monitoring processes help
enforce the trust-but-verify principle by auditing the activities of all users,
especially the privileged users. In addition, such audit data can be used to alert
IT security personnel to issues that may violate a specific compliance regulation.
However, leveraging audit data today is an inefficient, time-consuming, and
costly process because audit data is distributed across multiple
systems. Audit data needs to be consolidated, secured, and easily accessible by
IT security and audit personnel.

Insider Threat Challenges


The increasingly sophisticated nature of information theft and insider threats
requires businesses to not only protect sensitive information, but also monitor
access to sensitive information, including access by privileged and powerful
users. The CSI/FBI 2005 Computer Crime and Security studies have
documented that more than 70% of information system data losses and attacks
have been perpetrated by insiders, that is, by those authorized at least some level
of access to the system and its data. Insider security breaches can be much more
costly than attacks from outside the enterprise.
Examination of numerous incidents has shown that had audit data been
examined, the resulting impact could have been substantially reduced.
However, leveraging audit data has proven to be a very difficult task due to the
fact that audit data is distributed, making analysis, reporting, and alerting
difficult.
Information protection has become a top-level issue for the enterprise. In light
of the numerous data breaches, many businesses are adopting the principle of
trust-but-verify. Trust-but-verify simply means that users are trusted to do their
assigned tasks and duties, while ensuring that their actions are monitored for
verification and compliance with the policies. Auditing is an important
component of the overall defense-in-depth security architecture.

Oracle Audit Vault


Businesses need to consolidate, manage, monitor and report on audit data for a
complete view of enterprise data access. IT security and audit personnel must
have the ability to analyze audit data in a timely fashion across disparate
systems. Oracle Audit Vault addresses this requirement by consolidating audit
data across all systems into a secure, scalable, and highly available repository.
Oracle Audit Vault collects database audit data from the Oracle database audit
trail tables, database audit trails from operating system files, and database
transaction logs to capture before/after value changes of transactions from
Oracle9i Database Release 2, Oracle Database 10g Release 1, Oracle Database
10g Release 2, and Oracle Database 11g Release 1. Future releases will include
the ability to collect audit data from non-Oracle database sources and build
custom audit collectors for other sources.


[Figure 2 diagram. Labels: Simplify Compliance Reporting; Detect Threats With Alerts; Lower Costs With Audit Policies; Provide Secure and Scalable Repository; Monitor; Policies; Reports; Security. Audit sources: Oracle Database 9iR2, Oracle Database 10gR1, Oracle Database 10gR2, Oracle Database 11gR1, (Future) Other Sources, Databases.]

Figure 2: Oracle Audit Vault Overview

Using Oracle Audit Vault, businesses are able to consolidate large volumes of
audit data from multiple sources and thereby obtain a complete view of audit
data using over one dozen built-in reports for analyzing audit data. In addition,
the collected audit data is analyzed for any suspicious activity, and an alert is
raised when such an event occurs. Oracle Audit Vault's graphical user interface
also allows the IT Security Officers and IT Auditors to create and provision
auditing policies to the databases.
Central to Oracle Audit Vault is a secure data warehouse built on Oracle's
industry leading data warehousing technology and secured with Oracle's
industry leading Database security products such as Oracle Database Vault and
Oracle Advanced Security. Oracle Audit Vault includes Oracle Partitioning to
improve manageability and performance.
Oracle Audit Vault helps businesses improve their ability to comply with
regulatory requirements by ensuring the collection and accuracy of the audit
data, and by lessening the time and effort to demonstrate that mandated controls
are in effect and working.

Simplify Compliance Reporting


Oracle Audit Vault provides interfaces to efficiently report on enterprise-wide
audit information and user activities, and thus simplify and expedite compliance
reporting. With Oracle Audit Vault, the dispersed audit data can be consolidated
in a single location where the data can be protected, analyzed, and reported upon
using predefined or custom reports.
Compliance & Security Reports
IT Auditors, Compliance and IT security officers can utilize built-in reports to
monitor user access and activity. Reports relating to privileged user access,
failed login attempts, use of system privileges, and changes to database
structures are very helpful for SOX reporting and other compliance
requirements. The drill-down capability provides full visibility into the details
of the what, where, when, and who of the audit events.
Oracle Audit Vault provides standard audit assessment reports on activities
associated with account management, roles and privileges, object management,
and system management across the enterprise. For example, the account
management report can be used to monitor creation of new accounts as it might
violate internally or externally mandated security policies.

Figure 3: Oracle Audit Vault Activity Reports

Oracle Audit Vault provides the capability to generate parameter driven reports
from the interface as well. For example, a report showing user login activity
across multiple sensitive databases can be easily generated. Reports can be
defined for specific time frames. For example, a Weekend report could be
defined and saved within Oracle Audit Vault based on audit data from a subset
of particularly sensitive databases. The report could then be used each Monday
morning to monitor the weekend activities. Another report might be defined to
help support an internal investigation involving a specific user on specific
databases.
The foundation of the Oracle Audit Vault has been developed on a flexible data
warehouse infrastructure that provides the ability to consolidate and organize
audit data so it can be easily managed, accessed, and analyzed. The Oracle
Audit Vault audit data warehouse schema can be accessed from any Oracle
Business Intelligence or reporting tools including Oracle BI Publisher and 3rd
party reporting tools to build custom reports for compliance and security
requirements.


Early Detection with Oracle Audit Vault Alerts


Security alerts can be used to rapidly address compliance, privacy, and insider
threat issues across the enterprise. Oracle Audit Vault provides IT security
personnel with the ability to detect and alert on suspicious activity, attempts to
gain unauthorized access, and abuse of system privileges.
Oracle Audit Vault can generate notifications on specific events, acting as an
early warning system against insider threats and helping detect changes to
baseline configurations or activity that could potentially violate compliance. It
provides an alert generation capability to mitigate the insider security threats by
generating alerts for system defined and user defined events. Oracle Audit
Vault continuously monitors the audit data collected, evaluating the activities
against defined alert conditions.

Audit Vault Alerts


Oracle Audit Vault's interface can be used to monitor alerts and audited events
across the business. Alerts can be defined on database activity including failed
login, suspicious login times, and failed attempts to view or access data. Alerts
can be associated with any auditable database event including system events
such as changes to application tables and creating privileged users. For instance,
the Security Officer could receive an alert when a user attempts to access
sensitive corporate information.
The Oracle Audit Vault interface provides graphical summaries of activities
causing alerts across the entire enterprise. The Oracle Audit Vault interface
provides a summary of the alerts over a specified time period. These graphical
summaries include Alert Severity Summary, Summary of Alert Activity, Top
Sources by Number of Alerts, and Alert by Audit Event Category frequency.
Users can click on the graphics to drill down to a more detailed report.

Figure 4: Oracle Audit Vault Dashboard for Alerts


Oracle Audit Vault continuously monitors inbound audit data, and generates
alerts when data in a single audit record matches a custom defined alert rule
condition. For example, a rule condition may be defined to raise alerts
whenever a privileged user attempts to grant someone access to sensitive data.
An alert can also be generated when a privileged user creates another privileged
user within the database. When an audit event is evaluated and the rule
condition is met, an alert is raised. Alerts for the purpose of reporting are
grouped by the sources with which they are associated. Alerts can be grouped
by the event category to which the event belongs, and by the severity level of the
alert (warning, critical, or informational).
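
The single-record rule evaluation and grouping described above, as an added illustration in Python; it is not Oracle Audit Vault code or its rule syntax. The record fields, rule names, the "user session" category, the object and role lists, and the sample records are all constructed assumptions.

```python
from collections import Counter

SENSITIVE_OBJECTS = {"HR.SALARIES", "FIN.CARDHOLDERS"}   # assumed inventory
PRIVILEGED_ROLES = {"DBA"}                               # assumed role list

# Constructed audit records; field names and values are illustrative only.
# A non-zero status marks a failed operation.
RECORDS = [
    {"source": "HRDB", "user": "SYS", "privileged": True, "event": "GRANT OBJECT",
     "object": "HR.SALARIES", "category": "roles and privileges", "status": 0},
    {"source": "HRDB", "user": "SYSTEM", "privileged": True, "event": "GRANT ROLE",
     "object": "DBA", "category": "roles and privileges", "status": 0},
    {"source": "FINDB", "user": "APPUSER", "privileged": False, "event": "LOGON",
     "object": None, "category": "user session", "status": 1017},
    {"source": "FINDB", "user": "APPUSER", "privileged": False, "event": "LOGON",
     "object": None, "category": "user session", "status": 0},
    {"source": "FINDB", "user": "SCOTT", "privileged": False, "event": "GRANT OBJECT",
     "object": "FIN.REPORTS", "category": "roles and privileges", "status": 0},
]

# Each rule is (name, severity, condition). The condition sees ONE record only,
# so no rule here can correlate across records or count events over time.
RULES = [
    ("privileged grant on sensitive data", "critical",
     lambda r: r["privileged"] and r["event"] == "GRANT OBJECT"
     and r["object"] in SENSITIVE_OBJECTS),
    ("privileged user creates privileged user", "critical",
     lambda r: r["privileged"] and r["event"] == "GRANT ROLE"
     and r["object"] in PRIVILEGED_ROLES),
    ("failed login", "warning",
     lambda r: r["event"] == "LOGON" and r["status"] != 0),
]

def evaluate(record):
    """Return one alert per rule whose condition this single record meets."""
    return [{"rule": name, "severity": severity, "source": record["source"],
             "category": record["category"], "user": record["user"]}
            for name, severity, condition in RULES if condition(record)]

def summarize(records):
    """Group raised alerts by source, event category and severity for reporting."""
    alerts = [alert for record in records for alert in evaluate(record)]
    return {key: Counter(alert[key] for alert in alerts)
            for key in ("source", "category", "severity")}

if __name__ == "__main__":
    for key, counts in summarize(RECORDS).items():
        print(key, dict(counts))
```

Because each condition is evaluated against one record in isolation, a pattern such as repeated failed logins by the same user would need a separate report or query over the consolidated data rather than a rule of this shape.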

Lower IT Costs with Oracle Audit Vault Policies


Oracle Audit Vault provides centralized management of database audit settings
or policies, simplifying the job of the IT security officers and internal auditors.
Many businesses are required to actively monitor systems for specific audit
events or audit policies. Today, typically the definition and management of
these audit events is a manual process where IT security personnel work with
internal auditors to define audit settings on databases and other systems across
the enterprise. In addition, the IT security personnel must periodically ensure
the audit settings have not been altered once the settings have been defined. The
collection of audit settings is sometimes referred to as an audit policy.
Oracle Audit Vault provides the ability to define audit policies from a central
console that can be used by internal auditors and IT security to demonstrate
compliance and repeatable controls to auditors. Oracle Audit Vault eliminates
manual scripting of audit settings and reduces the associated maintenance costs.
The policy mechanism also allows businesses to define the specific audit
policies that can alert administrators to misuse of authorization rights by
generating a record of such events.

Oracle Audit Vault Security


Enterprise audit data is an important and critical record of business activity.
Audit data needs to be protected against modification so that reports and
investigations based on audit data have a high level of integrity. Oracle Audit
Vault protects audit data during transfer with network encryption, preventing
anyone from reading or tampering with the data during transmission. Timely
transfer of audit data from source systems to Oracle Audit Vault is critical to
close the window on intruders who may attempt to modify audit data and cover
their tracks.
Access to the audit data within Oracle Audit Vault is strictly controlled. IT
security managers and auditors can be given access for review purposes only.
Privileged DBA users cannot view or modify the audit data within the Oracle
Audit Vault's audit warehouse due to the protection mechanism provided by
Oracle Database Vault. These mechanisms are used to protect audit data from
unauthorized access, enforce separation of duty, and prevent unauthorized
changes to the audit data.


Oracle Audit Vault Scalability


Oracle Audit Vault provides a secure data warehouse environment designed for
the storage and analysis of large amounts of audit data. Oracle Audit Vault
includes Oracle Partitioning to enhance manageability and performance,
enabling audit data to be physically partitioned based on business requirements.
Oracle Audit Vault can optionally be deployed with Oracle Real Application
Clusters (RAC), enabling scalability, high availability, and flexibility at low
cost. Oracle RAC allows Oracle Audit Vault to scale-out by adding additional
server machines to accommodate additional audit sources or audit records rather
than having to scale-up by replacing the existing machine with a more powerful
machine.

Conclusion
Auditing is playing an increasingly important role in helping address global
regulatory compliance requirements and insider threats. Today, the use of audit
data as a security resource remains very much a manual process, requiring IT
security and audit personnel to first collect the audit data, and then sift through
enormous amounts of dispersed audit data using custom scripts and other
methods. Businesses need to consolidate, manage, monitor, and report on audit
data for a complete view of enterprise data access, giving IT security and audit
personnel the ability to analyze audit data in a timely fashion.
Oracle Audit Vault provides a powerful audit solution that helps simplify
compliance reporting, detect threats with early alerting, lower the cost of
compliance, and secure audit data. Oracle Audit Vault automates the
consolidation and analysis process, turning audit data into a key security
resource to help address today's security and compliance challenges. Numerous
built-in reports provide easy compliance reporting and the open data warehouse
provides extensible reporting using Oracle BI Publisher or 3rd party business
reporting solutions.
Oracle Audit Vault leverages Oracle's proven data warehousing and partitioning
capabilities to achieve massive storage scalability. Oracle Audit Vault can be
configured with Oracle RAC for high availability and flexibility at low cost.
Oracle Audit Vault uses Oracle's industry leading security capabilities to protect
audit data end-to-end, encrypting audit data during transmission and enforcing
separation of duty within Oracle Audit Vault.
Addressing regulatory compliance requirements and protecting against insider
threats in a global economy requires a defense-in-depth approach to security.
Auditing is a critical component of the defense-in-depth architecture, enforcing
the trust-but-verify principle.


Oracle Audit Vault Trust-but-Verify


April 2007
Author: Jack Brinson, Tammy Bednar, Paul Needham,
Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.
Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com
Copyright 2007, Oracle. All rights reserved.
This document is provided for information purposes only and the
contents hereof are subject to change without notice.
This document is not warranted to be error-free, nor subject to any
other warranties or conditions, whether expressed orally or implied
in law, including implied warranties and conditions of merchantability
or fitness for a particular purpose. We specifically disclaim any
liability with respect to this document and no contractual obligations
are formed either directly or indirectly by this document. This document
may not be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without our prior written permission.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
Other names may be trademarks of their respective owners.
