A Database Vault (DBV) is designed to provide a separate layer of protection around a database application. Its purpose is to prevent access to data, especially by highly privileged users, including Database Administrators (DBAs), application owners, hackers and cyber attackers.
A DBV introduces into the database environment the ability to define data domains, to specify applicable command rules, to assign who can access data, what data they can access, and the specific conditions that must be met in order to grant such access.
Databases consist of data domains, which define collections of data in the database to which security controls must be applied. A domain can consist of database objects such as a single table or multiple tables, procedures, programs, an entire application, or multiple applications. In an enterprise scenario, for example, data domains separate the data used by one department from that used by another. In the case of DoD, the Army, Navy, Marine Corps and Air Force would each have their respective DBAs define and control the assignment of domains.
A DBV defines the rules and control processes that govern how users can execute database management statements, including within which domains and under what conditions they may do so. Command rules leverage individual factors or combinations of factors, such as the identity of an individual and their access characteristics, in order to restrict access to data. Built-in factors include authentication method, identification type, enterprise identity, geographic origin, language, network protocol, client IP, database hostname, domain, machine, and others. In addition to these, custom factors can be defined. Restrictive factors can be assigned to all users, including DBAs. Multi-factor authentication rules are supported. For example, a certain action could be restricted so that it is allowed only from a specific IP address within a specified time range.
To protect the database from even highly privileged users such as DBAs, the vault includes a definition of separation of duty in which the DBV role is separated from DBA functions. The database vault information itself is protected by its own secure domain, which prevents tampering and therefore must be kept on physically separate servers. The database vault software requires that the DBV managers assume responsibility for the creation of all new data domains in the database. This then overrides all existing accounts that hold the create user privilege.
Finally, a built-in reporting mechanism provides reports, including reports that detail who has access to what data and whether there were any attempted violations.
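To make the three mechanisms above concrete (data domains, command rules built from factors such as client IP and time of day, and the access and violation report), here is an added Python illustration of a minimal vault policy evaluator. It is constructed for this page and is not the code of any vendor's Database Vault product; the class names (`Domain`, `CommandRule`, `Vault`), the factor helpers (`client_in`, `between`, `auth_is`) and the sample users, objects and addresses are all hypothetical. Note that the domain check is applied to every account, so the `sys_dba` request is refused even though a DBA would normally have unrestricted access.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

# A factor is a predicate over the request context (assumed model, not a vendor API).
Factor = Callable[["Request"], bool]


@dataclass(frozen=True)
class Request:
    user: str
    command: str      # e.g. "SELECT", "ALTER TABLE"
    obj: str          # fully qualified object name, e.g. "payroll.salaries"
    client_ip: str
    at: datetime
    auth_method: str  # e.g. "KERBEROS", "PASSWORD"


@dataclass(frozen=True)
class Domain:
    """A data domain: the objects it fences off and the only accounts permitted inside."""
    name: str
    objects: frozenset
    authorized: frozenset


@dataclass(frozen=True)
class CommandRule:
    """COMMAND on objects in DOMAIN is allowed only if every factor holds."""
    description: str
    command: str
    domain: str
    factors: Tuple[Factor, ...]


# Factor constructors modelled on the built-in factors named in the text.
def client_in(cidr: str) -> Factor:
    net = ip_network(cidr)
    return lambda r: ip_address(r.client_ip) in net


def between(start: time, end: time) -> Factor:
    return lambda r: start <= r.at.time() <= end


def auth_is(method: str) -> Factor:
    return lambda r: r.auth_method == method


class Vault:
    def __init__(self, domains: List[Domain], rules: List[CommandRule]):
        self.domains = {d.name: d for d in domains}
        self.rules = rules
        self.violations: List[dict] = []   # feeds the violation report

    def domain_of(self, obj: str) -> Optional[Domain]:
        return next((d for d in self.domains.values() if obj in d.objects), None)

    def evaluate(self, req: Request) -> Tuple[bool, str]:
        dom = self.domain_of(req.obj)
        if dom is None:
            return True, "outside every domain; ordinary database privileges decide"
        # Domain membership is checked for every account, DBA or not.
        if req.user not in dom.authorized:
            return self._deny(req, dom, f"{req.user} is not authorised in domain {dom.name}")
        for rule in self.rules:
            if rule.domain == dom.name and rule.command == req.command \
                    and not all(f(req) for f in rule.factors):
                return self._deny(req, dom, f"command rule '{rule.description}' not satisfied")
        return True, f"allowed in domain {dom.name}"

    def _deny(self, req: Request, dom: Domain, reason: str) -> Tuple[bool, str]:
        self.violations.append({"time": req.at.isoformat(), "user": req.user,
                                "command": req.command, "object": req.obj,
                                "client_ip": req.client_ip, "domain": dom.name,
                                "reason": reason})
        return False, reason

    def access_report(self) -> List[str]:
        """Who can reach what, followed by every recorded attempted violation."""
        lines = [f"DOMAIN {d.name}: objects={sorted(d.objects)} authorised={sorted(d.authorized)}"
                 for d in self.domains.values()]
        lines += [f"VIOLATION {v['time']} {v['user']} {v['command']} {v['object']} "
                  f"from {v['client_ip']}: {v['reason']}" for v in self.violations]
        return lines


def build_vault() -> Vault:
    # Constructed sample policy: a payroll domain owned by one application account,
    # and a rule that schema changes come only from the admin subnet, in business hours, via Kerberos.
    payroll = Domain("payroll", frozenset({"payroll.salaries", "payroll.bank_accounts"}),
                     frozenset({"hr_app"}))
    rule = CommandRule("ALTER TABLE in payroll only from 10.1.5.0/24, 08:00-18:00, Kerberos",
                       "ALTER TABLE", "payroll",
                       (client_in("10.1.5.0/24"), between(time(8, 0), time(18, 0)), auth_is("KERBEROS")))
    return Vault([payroll], [rule])


def run_demo() -> Tuple[List[Tuple[bool, str]], Vault]:
    v = build_vault()
    reqs = [  # constructed sample requests
        Request("sys_dba", "SELECT", "payroll.salaries", "10.1.5.9", datetime(2024, 3, 4, 10, 0), "KERBEROS"),
        Request("hr_app", "ALTER TABLE", "payroll.salaries", "10.1.5.9", datetime(2024, 3, 4, 10, 0), "KERBEROS"),
        Request("hr_app", "ALTER TABLE", "payroll.salaries", "10.1.5.9", datetime(2024, 3, 4, 23, 0), "KERBEROS"),
        Request("hr_app", "SELECT", "payroll.salaries", "198.51.100.7", datetime(2024, 3, 4, 23, 0), "PASSWORD"),
        Request("sys_dba", "SELECT", "public.holidays", "198.51.100.7", datetime(2024, 3, 4, 23, 0), "PASSWORD"),
    ]
    results = [v.evaluate(r) for r in reqs]
    for r, (ok, why) in zip(reqs, results):
        print(f"{'ALLOW' if ok else 'DENY ':5} {r.user:8} {r.command:11} {r.obj:20} {why}")
    print("\n".join(v.access_report()))
    return results, v


if __name__ == "__main__":
    run_demo()
```

Only the `ALTER TABLE` rule carries factors, so the plain `SELECT` by the authorised application passes even from an unusual address; in a real deployment that read path would get its own rule. The report shows both halves the text asks for: who is authorised in each domain, and which attempts were refused and why.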
A DoD enterprise level database will be accessed by possibly hundreds of applications originating from diverse Components. It will contain petabytes of data that are updated and accessed in real time. There is no question that such a database will become the target of choice for any cyber attack. Consequently, extraordinary precautions will be taken to offer protection from any unauthorized access to specific data domains, whether they come from external or internal sources.
Creating a Database Vault protection mechanism must be mandatory for mission critical cases. By this means DoD obtains not only an assured layer of protection but also creates a well-defined separation between the roles of the DBV, the DBA and the auditor or the supervising military personnel. All reporting of violations of restrictions occurring in the Database Vault would have to be routed as secure messages directly to those who are accountable for the data vault. Under defined conditions all alterations to the database could be then restricted automatically until human intervention authorizes what steps can be taken next.