Oracle is aiming to beef up its database auditing, security and compliance capabilities by giving users a centralized understanding of who is accessing data and why.
Priced at $50,000 per processor, Oracle's new Audit Vault lets organizations compile audit information from multiple Oracle Database deployments, thereby giving users insight into possible insider threats and aiding in reporting and regulatory compliance efforts, said Vipin Samar, Oracle's vice president of database security.
Audit Vault is designed to help users ensure the integrity of information by consolidating it into a central repository. As a result, Samar said, Audit Vault reduces the cost of managing data and makes it easer for auditors and security personnel to do their jobs. The software also includes an altering capability which, based on pre-set policies, sends warnings when an unauthorized access or some other possible threat is detected.
Oracle makes compliance progress
Oracle has been accused of falling behind its chief rival in the business applications market, Germany's SAP AG, in the area of compliance. In an interview last summer, Since that discussion, experts say Oracle has made some significant steps forward in regard to compliance, beginning with a governance, risk and compliance (GRC) software suite based on Stellent's technology.
But it's important to understand that Oracle Audit Vault does not directly help companies comply with any specific regulations found in, for example, the Sarbanes-Oxley Act, said Trent Henry, a senior analyst with the Midvale, Utah-based Burton Group. Instead, he explained, the software gives organizations a way of proving to auditors that they have control over users and the effects that they have on database management systems -- which are essentially the systems of record for financial status.
"The concern is that you don't want some control that's run amok or some individual to have undue influence that could change the financials, otherwise you might run into the same problem that you had with the WorldComs or the Enrons," Henry said. "Auditors are aware of this [and they] come in and they say, 'show me what your controls are to segregate duties and to limit the effects of privileged users."
Sizing up the competition
Oracle Audit Vault competes with products from the likes of Guardiam Inc., which make appliances that sit on the network and monitor database traffic, according to Henry. The key difference is that Oracle Database Vault resides directly in the database management system -- an approach that has its advantages and disadvantages, he said.
"It resides directly on the DBMS so it can tightly watch and monitor what's happening there," Henry said. "But there is a lot of concern about running audit capabilities on the database itself, because it's very intolerant of performance impact."
Samar said Oracle Audit Vault compliments Oracle Advanced Security, which lets users encrypt information at the column level, and Audit Vault is generally available now and currently supports just three Oracle databases, including Oracle Database 10g Release 1 and 2, and Oracle 9i Database Release 2. But the product will support Microsoft and IBM databases within the next year, according to Oracle.