
Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Securing Data in Oracle without Cost Options

I did a presentation at the UKOUG conference at the East Side rooms in Birmingham at the end of 2025. The focus of this talk was to highlight the problem of securing data held in an Oracle database without using cost options from Oracle such as VPD, OLS, Database Vault and more.

I have nothing against these cost options; in fact, I love to work with them when customers ask me to help design and implement VPD or Database Vault or others such as masking. BUT, some customers cannot justify paying for cost options, or they cannot use them because they have licensed Standard Edition. Yes, I know VPD is included in Enterprise Edition of the database; it is just an example of the options.

This presentation covers the problem and then uses the example of the UNIFIED_AUDIT_TRAIL to show how Oracle protects this table, and also to show that it is not protected using cost options. I then investigate how we might protect a table using standard features of the database. We quickly discover that if we use one feature, such as a trigger, then we need to stop anyone disabling, removing or changing the trigger. Similarly, if we use a grant then we need to stop anyone from changing that grant.

We cannot replicate 100% what Oracle does with cost options BUT we can get close. What we are trying to implement as an example is a read-only table with some extras. The table is READ ONLY, but data must be added to it in the first place, so we allow data to be added BUT only through one specific interface. We must allow purging of the data, so we also allow limited delete, but again only through a controlled interface. No UPDATE of data is allowed. We use this design scope as the basis for a sample design, which is shown in the presentation.

The whole design should also be audited to ensure any attempts to bypass the security model are caught.

I implement the design as an example and then add the protections of the protections.
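The read-only table design described above, as an added example that is not taken from the presentation or its slides. The names DATA_OWNER, APP_USER, SECURE_LOG, SECURE_LOG_API and SECURE_LOG_POL are hypothetical, and the 30-day purge floor is an assumed retention rule standing in for "limited delete":

```sql
-- Added illustration: every object and user name here is hypothetical.
-- Run as DATA_OWNER, a schema that application users never log in to.
CREATE TABLE secure_log (
  created TIMESTAMP DEFAULT SYSTIMESTAMP NOT NULL,
  msg     VARCHAR2(4000) NOT NULL
);
CREATE OR REPLACE PACKAGE secure_log_api AS
  PROCEDURE add_row(p_msg IN VARCHAR2);
  PROCEDURE purge(p_keep_days IN NUMBER);
  FUNCTION in_api RETURN BOOLEAN;  -- read by the trigger; there is no setter
END secure_log_api;
/
CREATE OR REPLACE PACKAGE BODY secure_log_api AS
  g_in_api BOOLEAN := FALSE;       -- private: only code in this body can set it
  FUNCTION in_api RETURN BOOLEAN IS BEGIN RETURN g_in_api; END in_api;
  PROCEDURE add_row(p_msg IN VARCHAR2) IS
  BEGIN
    g_in_api := TRUE;
    INSERT INTO secure_log (msg) VALUES (p_msg);
    g_in_api := FALSE;
  EXCEPTION WHEN OTHERS THEN g_in_api := FALSE; RAISE;
  END add_row;
  PROCEDURE purge(p_keep_days IN NUMBER) IS
  BEGIN
    IF p_keep_days IS NULL OR p_keep_days < 30 THEN  -- assumed retention floor
      raise_application_error(-20002, 'purge is limited to rows older than 30 days');
    END IF;
    g_in_api := TRUE;
    DELETE FROM secure_log
     WHERE created < SYSTIMESTAMP - NUMTODSINTERVAL(p_keep_days, 'DAY');
    g_in_api := FALSE;
  EXCEPTION WHEN OTHERS THEN g_in_api := FALSE; RAISE;
  END purge;
END secure_log_api;
/
CREATE OR REPLACE TRIGGER secure_log_guard
BEFORE INSERT OR UPDATE OR DELETE ON secure_log
BEGIN  -- statement-level: UPDATE is always refused, other DML only via the API
  IF UPDATING OR NOT secure_log_api.in_api THEN
    raise_application_error(-20001, 'SECURE_LOG: changes only via SECURE_LOG_API');
  END IF;
END;
/
GRANT SELECT ON secure_log TO app_user;          -- read only, no DML grants
GRANT EXECUTE ON secure_log_api TO app_user;     -- definer's rights package does the DML
-- Run as a user with AUDIT_ADMIN: audit the table and the objects that protect it.
CREATE AUDIT POLICY secure_log_pol ACTIONS
  INSERT ON data_owner.secure_log, UPDATE ON data_owner.secure_log, DELETE ON data_owner.secure_log,
  ALTER ON data_owner.secure_log, GRANT ON data_owner.secure_log, ALTER TRIGGER, DROP TRIGGER;
AUDIT POLICY secure_log_pol;
```

The DML trigger does not see DDL such as TRUNCATE or ALTER TRIGGER ... DISABLE, which is why the trigger, package and grants need their own protection and auditing.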

This is layered security. The slides for A Design Pattern To Secure Your Database are available.

#oracleace #sym_42 #oracle #security #lockdown #protection #data #hacking #data #databreach #readonly