
Overview
ActiveBase Security™ is the first product on the market in a new category coined by Gartner - “Dynamic Data Masking” - which
uses in-line SQL proxies to provide a transparent security layer within and around applications.
This makes it possible to quickly mask, scramble, hide, block or restrict the number of records returned within business application screens,
packaged reports and development tools, in order to comply with ever-changing privacy regulations and directives.
The power of the Dynamic Data Masking solution is that the underlying data is not changed; it is returned masked at the presentation layer.
This allows sensitive information to be masked or hidden in PRODUCTION from support personnel, DBA teams, outsourced administrators and end
users.
Rules implement security policies by matching SQL on a number of criteria, such as the SQL text, user ID, program, time of day or the IP address
the request originates from.
If a rule's criteria are matched, an appropriate action is applied. Actions include mask, scramble, add a ’where’ clause restriction,
rewrite, block and redirect, to mention a few.
This has proven to work with any application, including on-line screens and packaged reports within packaged and proprietary applications, DWH
environments, development and DBA tools, etc. It also enables contextual access restrictions on row-level, column-level or object-level requests.
ActiveBase Security supports all Oracle-based applications, whether proprietary or packaged applications such as PeopleSoft, Siebel, Billing (LHS and Amdocs)
and Oracle Apps, as well as Business Intelligence implementations and reporting tools such as Business Objects, Cognos or Crystal Reports.
ActiveBase Security™ transparently masks Family names and SSN in SAP online screens
Features
ActiveBase Security™ is built on a patented SQL*Net in-line software proxy that transparently intercepts SQL requests coming from application
screens, canned reports and development tools and applies Security Rules to them.
Security rules can be applied selectively based on condition values relating to specific applications, modules, screens, transactions and end-users,
applying additional contextual access restrictions (e.g., row-level, column-level or object-level) and restricting the number of rows returned, and can be
integrated with Active Directory or ILM/IAM.
Security rules identify incoming requests that retrieve sensitive and personal information from application screens, reports and DBA/developer tools and
apply SQL rewrites to them - masking, scrambling or blocking them in real time. They can also restrict user access at row, column or object level
by changing ´From´ clause objects and adding ´Where´ clause conditions.
Rule rewrites for masking, scrambling, hiding or blocking actions are applied once certain contextual conditions are met. Conditions can include
specific SQL requests (or partial SQL text matches) from specific users, programs and hosts.
ActiveBase's powerful rule engine includes predefined and user-defined rules:
- Rules can be applied selectively to specific application screens, reports, tools, SQL*Loader scripts and specific users and hosts.
- Rules are applied in minutes or disabled in seconds, and are easily propagated across applications and development tools to various production and non-production environments, simplifying standardization and compliance.
- No production risks - no need to change schemas or grants, or to add costly vaults or complex encryption, as joins, primary keys, form validations and external data flows are not touched.
- Rule actions include the ability to dynamically mask or scramble specific fields within application screens and unauthorized requests, and to hide, block and audit incoming requests for PCI, HIPAA and newly defined regulations.
            
Solution Overview
Blocking Toad Return Message
ActiveBase Security includes three layers:
- A SQL*Net proxy that acts as an Oracle listener. Applications, reporting tools and development tools are configured to connect through it
(by changing the TNSNAMES.ORA file), or the Oracle listener port is simply switched with the ActiveBase listener port.
- A switch that receives all incoming connections and determines which application connections to secure by routing them through the ActiveBase
rules, which to refuse, and which to reconnect directly to the Oracle listener, bypassing ActiveBase Security completely.
- A rule engine that automatically applies the security rules.
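The rule matching and rewriting described in the sections above (context conditions, mask/scramble/where-clause actions, and the informed block), as an added example that is not ActiveBase's code: a small Python model of a masking proxy's rule engine. Every rule, column name, program name, IP range and masking expression here is an assumption made for the example; the point is how a context match on SQL text, user, program, client IP and hour of day selects an action, and how that action rewrites, or refuses, the request before it reaches the database.

```python
import re
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# Constructed model of a dynamic-masking rule engine as the page describes it: match a request on
# context (SQL text, DB user, program, client IP, hour), then mask, scramble, add a WHERE restriction
# or block it with a message. Not ActiveBase code; every rule, column and program name is assumed.

Request = namedtuple("Request", "sql db_user program client_ip hour")   # hour: local hour, 0-23
Decision = namedtuple("Decision", "sql blocked message applied")        # sql is None when blocked

@dataclass
class Rule:
    name: str
    action: str                          # "mask", "scramble", "where" or "block"
    sql_pattern: Optional[str] = None    # regex over the SQL text (partial-text match)
    programs: tuple = ()                 # client program names, case-insensitive
    db_users: tuple = ()
    ip_prefixes: tuple = ()
    hours: Optional[tuple] = None        # (start, end): matches when start <= hour < end
    columns: tuple = ()                  # columns to mask or scramble
    predicate: str = ""                  # condition appended to the WHERE clause
    message: str = ""                    # text returned to the user on block

    def matches(self, r: Request) -> bool:
        return ((not self.sql_pattern or re.search(self.sql_pattern, r.sql, re.I) is not None)
                and (not self.programs or r.program.lower() in [p.lower() for p in self.programs])
                and (not self.db_users or r.db_user.upper() in [u.upper() for u in self.db_users])
                and (not self.ip_prefixes or r.client_ip.startswith(self.ip_prefixes))
                and (not self.hours or self.hours[0] <= r.hour < self.hours[1]))

# Replacement expressions: mask keeps the last four characters a support screen still needs;
# scramble swaps the value for a consistent but meaningless token (ORA_HASH is an Oracle built-in).
EXPR = {"mask": lambda c: f"'***-**-' || SUBSTR({c}, -4) AS {c}",
        "scramble": lambda c: f"ORA_HASH({c}) AS {c}"}
SELECT_FROM = re.compile(r"^(\s*select\s+)(.*?)(\s+from\s.*)$", re.I | re.S)

def rewrite_select_list(sql: str, columns: tuple, action: str) -> str:
    # Rewrite named columns in the select list; 'select *' is left alone because expanding it
    # needs table metadata that a real proxy would have to look up.
    m = SELECT_FROM.match(sql)
    if not m:
        return sql
    head, select_list, tail = m.groups()
    for col in columns:
        select_list = re.sub(rf"\b{re.escape(col)}\b", EXPR[action](col), select_list, flags=re.I)
    return head + select_list + tail

def add_predicate(sql: str, predicate: str) -> str:
    # Append a row-level restriction, keeping a trailing ORDER BY / GROUP BY intact.
    m = re.search(r"\s+(order|group)\s+by\s", sql, re.I)
    body, suffix = (sql[:m.start()], sql[m.start():]) if m else (sql, "")
    if re.search(r"\bwhere\b", body, re.I):
        return f"{body} AND ({predicate}){suffix}"
    return f"{body} WHERE {predicate}{suffix}"

def apply_rules(rules, req: Request) -> Decision:
    sql, applied = req.sql, []
    for rule in rules:
        if not rule.matches(req):
            continue
        if rule.action == "block":
            # Informed block: only this request is refused and answered with a message;
            # the connection itself stays open for the next request.
            return Decision(None, True, rule.message, applied + [rule.name])
        if rule.action in EXPR:
            sql = rewrite_select_list(sql, rule.columns, rule.action)
        elif rule.action == "where":
            sql = add_predicate(sql, rule.predicate)
        applied.append(rule.name)
    return Decision(sql, False, "", applied)

# Constructed rule set (assumed for the example, not a vendor rule pack).
DBA_TOOLS = ("toad.exe", "sqlplus.exe")
RULES = [
    Rule("mask-ssn-in-dba-tools", "mask", sql_pattern=r"\bssn\b", programs=DBA_TOOLS, columns=("ssn",)),
    Rule("scramble-names-for-outsourced-net", "scramble", ip_prefixes=("10.200.",), columns=("family_name",)),
    Rule("support-sees-no-vip-rows", "where", db_users=("SUPPORT",), sql_pattern=r"\bcustomers\b",
         predicate="vip_flag = 'N'"),
    Rule("no-card-numbers-in-dba-tools", "block", sql_pattern=r"\bcredit_card\b", programs=DBA_TOOLS,
         message="Blocked by security policy: card numbers are not available in DBA tools."),
    Rule("no-dba-tools-after-hours", "block", programs=DBA_TOOLS, hours=(20, 24),
         message="Blocked: DBA tools may not query this database after 20:00."),
]

# Constructed sample traffic: name -> (sql, db_user, program, client_ip, hour).
SAMPLE = {
    "toad_day": ("select customer_id, family_name, ssn from customers where region = 'EU'", "SCOTT", "Toad.exe", "10.1.2.3", 14),
    "outsourced_support": ("select family_name, ssn from customers order by customer_id", "SUPPORT", "sqlplus.exe", "10.200.5.9", 9),
    "card_in_toad": ("select credit_card from payments", "SCOTT", "toad.exe", "10.1.2.3", 14),
    "toad_night": ("select customer_id from customers", "SCOTT", "toad.exe", "10.1.2.3", 22),
    "app_server": ("select * from orders where order_id = :1", "APP", "JDBC Thin Client", "10.1.9.9", 10),
}

def demo() -> dict:
    return {name: apply_rules(RULES, Request(*args)) for name, args in SAMPLE.items()}
```

Calling `demo()` shows the same SELECT arriving from Toad during the day coming back with the SSN masked, the same statement from the outsourced support network also scrambled and restricted to non-VIP rows, and a card-number query from a DBA tool answered with a message instead of data while the connection stays open. The application server's own traffic, which matches no rule, passes through unchanged.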
Examples
Comparison and FAQ
Comparison to other security solutions
Comparing ActiveBase Security with Physical Masking Players, including Oracle Masking, Informatica and IBM Optim
Functionality
- Masks the actual data stored in the database by changing the real data into fictitious values
- Only applicable in Development environments, as physical masking changes the database columns irreversibly, making it impossible to use in Production,
replications and training and User Acceptance Testing (UAT) environments
- Requires in-depth application knowledge into the data model
- Changing data columns might cause the application to break and stop working
- Requires long implementation (months compared with days for ActiveBase’s Dynamic Masking)
ActiveBase Security in non-production environments:
1. Provides physical masking by masking the ETL EXPORT processes that extract data from production databases, ensuring that only secured personal information
leaves production. This is achieved by routing the EXPORT processes through the ActiveBase Listener port.
2. Complements physical masking by dynamically masking data that is too complex or impossible to mask physically (e.g., referential data such as
account numbers and SSNs that flow across various business applications, or credit card numbers that must be validated against external applications,
where physically changing the data would break that validation).
Comparing ActiveBase Security with Oracle VPD (Virtual Private Database) and RLS (Row Level Security)
Functionality and limitations
- Cannot mask personal information within application screens and packaged reports (it can only return null values, causing errors in application
screens and packaged reports)
- Policies applied only on the object level, lacking policy enforcement on individual SQL requests (e.g., restricting row level access, yet allowing for
aggregations and summary reports), and multi-tier application user context
- Complex to implement and requires experienced DBAs, in conflict with the requirement for separation of duties
- Performance overhead
ActiveBase Benefits
- ActiveBase uniquely provides the ability to mask, scramble and block (not only hide) sensitive fields within application screens, packaged reports and
development/DBA tools
- Policies can be applied selectively, based on context including SQL, session, object context, application user, Active Directory and grants maintained in
ILM/IDM systems
- ActiveBase ensures separation of duties, as it can be configured exclusively by security officers
- Implemented within days with no need for prior in-depth application knowledge into the data model
- Application and database transparent
- No database performance overhead
Comparing ActiveBase Security with Oracle Database Vault
Functionality and limitations
- Restricts access to privileged users by using powerful access controls built into the Oracle database
- Does not secure privileged user’s direct access to database files in the OS level
- Does not block unauthorized access to the database server (not a database firewall)
- Database Vault access restriction to sensitive data can substantially delay or hurt problem resolution, as root cause analysis can be blocked
ActiveBase Benefits
- ActiveBase complements Database Vault implementations by adding Dynamic Data Masking that enables DBAs and developers to access applications and
screens containing personal information in order to perform their job and fix production problems for operational purposes, while being exposed to only
masked, scrambled or hidden personal and sensitive information in a secured and controlled way
- It also provides a database firewall that can block requests (Informed Block™) while notifying the
end-user (database firewall is a compliance requirement for certain regulations)
Comparing ActiveBase Security with Database Encryption Solutions
Functionality and limitations
Organizations worldwide are trying to minimize the number of columns they have to encrypt, because each encrypted table column requires changing all
referencing application source code and adds severe performance penalties to any transaction accessing the encrypted column (due to the
duration and resource cost of the encrypt/decrypt functions).
- Encryption protects against infrastructure DBAs that have access to database files and backup tapes
- It does not prevent end-users from accessing personal information, as applications decrypt the values presented within screens and packaged
reports
- Complex to implement, requires application source-code or database changes
- Performance overhead caused by the encryption/decryption algorithm
ActiveBase Benefits
- ActiveBase protects against application end-users as well as privileged users
- Implemented within days with no need for prior in-depth application knowledge into the data model
- Application and database transparent
- No database performance overhead
- Can be implemented alongside encryption solutions to secure sensitive information that is not encrypted, such as names, SSN, addresses and
account details
- No need to encrypt the personal data for protecting its privacy, saving application changes, database complexities and performance penalties
Comparing ActiveBase Security with Database Access Monitoring (DAM) Solutions. Players include Imperva, Guardium and Application Security
Functionality and limitations
- Monitors and audits past occurrences of users accessing personal and sensitive information
- Protects databases from SQL Injection
- Unauthorized SQL can be killed without any notification to the user, causing time and productivity loss
ActiveBase Benefits
- ActiveBase Security restricts end-users, IT support, outsourced developers and DBA teams from accessing personal information when it is not required
to perform their job
- It actively secures packaged application screens, packaged reports, development and DBA tools by masking, scrambling or hiding sensitive information,
delivering real-time row and column level security and restricting number of rows retrieved, proactively preventing data leakage
- It can also block requests that retrieve personal information without killing user sessions while notifying the user accordingly (ActiveBase Informed
Block™), eliminating any risk of time or productivity loss
- ActiveBase Dynamic Data Masking balances security needs with operational requirements. Sensitive and personal information is masked or scrambled,
keeping it away from the prying eyes of IT operations and outsourced support teams, while those teams keep the access they need to perform all required
remedies and solve production problems
Why is your blocking better and safer than the blocking provided by other solutions?
Only ActiveBase can block a specific SQL request in any application (2, 3 or n-tier) without killing sessions or touching
application code, while returning a customized notification to the user (multi-language supported) - ActiveBase Informed Block™.
Application connections are not torn down and sessions are not killed - only the specific request is blocked - protecting productivity. Other requests from
different users sharing the same connection (through a connection pool) continue with no application disruption whatsoever, eliminating any risk of time or
productivity loss.
Technical
Can ActiveBase Security be deployed in training environments?
Short answer: yes. Training environments are a good fit: they are easy to mask, and they include many data elements where it is impossible to mask every
column physically. And when you later consider securing production with ActiveBase, the same rules are simply propagated to the production applications.
How will ActiveBase be deployed in an existing environment?
ActiveBase can be downloaded from our site and installed on your database server or on a dedicated server. Nothing is installed on the client desktop.
We support Unix, Linux and Windows OS. After installing ActiveBase you need to route the tools or applications you want to secure to the ActiveBase
listener instead of the database listener. Another deployment option is to configure the ActiveBase listener on the port used by the database listener,
so you do not even need to change the application routing.
How is Rule Based Access Control (RBAC) configuration done in ActiveBase?
We have a GUI rule editor where we define the masking/scrambling/blocking/auditing rules and can also use hooks into ActiveDirectory, ILM/IDM and are
even able to execute web services to access proprietary RBAC repositories.
How can I apply your solution in a cloud computing domain?
Cloud computing infrastructures take advantage of virtualization, where the machines (both virtual and physical) running the database are
likely to change over the course of a day or a week. Dictating the server, hostname or network segment that the database is hosted on is not possible.
ActiveBase Security can be started automatically and configured so that it transparently takes over the database listener port (with the database
listener itself configured to start automatically on a different, secured port), automating the deployment of the cloud-based
database servers.
By providing security personnel with the ability to dynamically mask, scramble, hide or block access to sensitive information you will gain complete
visibility into the privileged activities of the cloud provider's administrative users. The same capabilities used to ensure segregation of duties for
regulatory purposes are available remotely to meet regulatory compliance requirements.
Our production instances are set up with multiple ports for performance/failover reasons. How are multiple listener ports handled through ActiveBase?
ActiveBase supports multiple listener setup (many to many) in a manner identical to the Oracle multi listener function.
How can the ActiveBase security features be used to manage security in an environment where individuals accessing databases are not authenticated as
individuals at the DB user level (where individuals share DB accounts with the application)?
We can manage security by various request contextual attributes such as OSuser, Host name, ActiveDirectory group assignment, program, module, user identification comments injected in the requests and Oracle user, to name a few.
How do the ActiveBase security features work for ETL tools and inter-database connections (via DB links)?
ActiveBase allows you to define which applications/processes will connect through ActiveBase (and be secured) and which applications/processes will
bypass ActiveBase and connect directly to the database (for example, scheduled ETL and batch processes).
If required, ActiveBase can also be deployed on inter-database connections (DB links), which behave like any other client (enabling
masking, scrambling, blocking, etc.).
What if various allowed and non-allowed processes are connected to the same DB user and access the same remote DB user and objects?
ActiveBase can add a comment to the SQL request sent to the main database, based on the user's identification. The DB link request then carries that
comment, allowing ActiveBase to identify it and apply security rules specifically to unauthorized users.
Can ActiveBase support both a ‘hub’ approach (nothing installed on the DB server) as well as installation on the database server?
ActiveBase can be installed on its own dedicated server that will act as a Hub for many different databases (like a database firewall) or on each of the
database servers.
We recommend installing ActiveBase on the database server when you route heavy OLTP application traffic through it for dynamic masking of administrator
and specific user screens. In all other cases, such as securing reporting and development tools or applications in non-production environments, we recommend you
install ActiveBase on a ‘hub’.
Details:
Install ActiveBase on a Hub: Manage different databases centrally, without installing anything on each database server, with the rules for all
database servers managed in one place.
Benefits:
1. As nothing is installed on the database server, no database changes are required.
2. Allows installation to be done by Security or application managers without requiring DBAs.
3. Increases the Separation of Duties.
4. Can put disparate user groups into different “network segments” than the production database’s network segment where
ActiveBase acts as a database firewall in between.
5. Rules are automatically propagated across all databases managed by the Hub.
Downside:
1. Requires another network hop before reaching the database, and the health of the Hub server has to be managed.
Installing ActiveBase on Database Server:
Benefits:
1. Simplifies application connections by switching the Oracle listener with the ActiveBase listener.
2. Less network response-time overhead compared with the ‘hub’ approach - therefore recommended in large production OLTP
installations.
3. Performance is not dependent on the health of another server.
Downside:
1. Company policies might preclude this strategy, or may require a lengthy approval process before installation on database servers.
2. Requires installing ActiveBase on each database server.
How to secure DBAs and administrators that connect directly to the database without passing through the ActiveBase Security listener?
Depending on your organization's security policy, ActiveBase can audit or block local administrative users that bypass the ActiveBase Security rules, using
both a tighter Oracle listener security configuration and a database logon trigger.
Where will the list of authorized and non-authorized users be built?
The list of authorized or unauthorized users does not need to be built or duplicated in ActiveBase. ActiveBase comes with an extensive set of APIs that
can extract the information from Active Directory/LDAP, from user responsibilities within the applications or from the database, avoiding redundant
user authorization definitions.
How do you identify users bypassing the ActiveBase listener?
We differentiate between users who connect through the listener and those who bypass it using a logon trigger and valid node checking.
Connections bypassing the listener will show SYS$USERS in ‘select service_name from v$session’. Connections using the listener will show
orcl (the Oracle listener name).
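The check described in this answer, as an added example that is not ActiveBase code: given rows shaped like the v$session columns mentioned above, separate sessions that came through the listener from those that bypassed it, and decide what a logon trigger would do with each under an audit or a block policy. The rows, the allow-list of (machine, OS user) pairs and the policy names are constructed for the example; inside a real Oracle logon trigger the same values are read with SYS_CONTEXT('USERENV', ...) as SERVICE_NAME, HOST and OS_USER.

```python
# Constructed check for sessions that reached the database without going through the proxy
# listener, following the answer above: a bypassing session shows SYS$USERS as service_name in
# v$session, a proxied one shows the service the listener registered (orcl on this page).
# Not ActiveBase code; the rows, the allow-list and the policy names are assumed for the example.

PROXY_SERVICE = "orcl"

# (machine, OS user) pairs allowed to connect directly: the DBA on the database host itself and
# the scheduled ETL account that the page says may bypass the proxy. Constructed allow-list.
ALLOWED_DIRECT = {("dbhost01", "oracle"), ("etlsrv02", "etl")}

# Constructed rows shaped like the output of
#   select sid, username, osuser, machine, program, service_name from v$session
SESSIONS = [
    {"sid": 12, "username": "APP", "osuser": "app", "machine": "appsrv01",
     "program": "JDBC Thin Client", "service_name": "orcl"},
    {"sid": 27, "username": "SCOTT", "osuser": "jdoe", "machine": "jdoe-laptop",
     "program": "Toad.exe", "service_name": "SYS$USERS"},
    {"sid": 31, "username": "SYS", "osuser": "oracle", "machine": "dbhost01",
     "program": "sqlplus@dbhost01 (TNS V1-V3)", "service_name": "SYS$USERS"},
    {"sid": 44, "username": "SUPPORT", "osuser": "vendor1", "machine": "10.200.5.9",
     "program": "sqlplus.exe", "service_name": "orcl"},
    {"sid": 58, "username": "ETL", "osuser": "etl", "machine": "etlsrv02",
     "program": "sqlldr@etlsrv02", "service_name": "SYS$USERS"},
]

def came_through_proxy(row: dict, proxy_service: str = PROXY_SERVICE) -> bool:
    return row["service_name"] == proxy_service

def classify(rows, allowed_direct=ALLOWED_DIRECT, proxy_service=PROXY_SERVICE) -> dict:
    """Split sessions into proxied, allowed direct, and unauthorized direct (the ones to audit)."""
    report = {"proxied": [], "allowed_direct": [], "unauthorized_direct": []}
    for row in rows:
        if came_through_proxy(row, proxy_service):
            report["proxied"].append(row)
        elif (row["machine"], row["osuser"]) in allowed_direct:
            report["allowed_direct"].append(row)
        else:
            report["unauthorized_direct"].append(row)
    return report

def logon_decision(row: dict, policy: str = "audit", allowed_direct=ALLOWED_DIRECT) -> str:
    """What a logon trigger would do with one connection under the chosen policy.
    In Oracle the same inputs are available inside the trigger through SYS_CONTEXT('USERENV', ...)
    as SERVICE_NAME, HOST and OS_USER; 'DENY' corresponds to the trigger raising an error."""
    if came_through_proxy(row) or (row["machine"], row["osuser"]) in allowed_direct:
        return "ALLOW"
    return "DENY" if policy == "block" else "AUDIT"

def audit_lines(rows) -> list:
    """One audit line per unauthorized direct session, ready for a log or an alert."""
    return [f"sid={r['sid']} user={r['username']} os_user={r['osuser']} "
            f"machine={r['machine']} program={r['program']} bypassed_proxy=yes"
            for r in classify(rows)["unauthorized_direct"]]
```

Over the constructed rows, the application server and the outsourced support session are proxied, the local DBA and the scheduled loader are direct but on the allow-list, and only the Toad session from a workstation is flagged; under the audit policy it is logged, under the block policy the trigger would refuse the logon.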
How can ActiveBase ensure that it is not adding a single point of failure?
As ActiveBase acts inline as an Oracle listener, Oracle's built-in transparent failover client feature ensures that ActiveBase does not add a single
point of failure.
In addition, ActiveBase has been installed as a high-availability cluster for failover and load balancing in large billing, data warehouse and large-scale
enterprise application production environments since early 2005.
Does ActiveBase support a high availability configuration?
Yes, from both perspectives:
a.) During a database failover, ActiveBase follows the failover transparently, servicing the failover database automatically.
b.) During an ActiveBase failover, clients are automatically redirected to a failover instance of ActiveBase or directly to the database.
What load does the additional ActiveBase server impose, if the ActiveBase server is installed on the database server?
ActiveBase is a proxy-based product, where the overhead is calculated from the number of SQL*Net packets per second flowing through ActiveBase. A
rule of thumb is 1 GHz per 10,000 packets per second; when installed on the database server, this is on average about 1% CPU load.
Installed inline, what latency does the additional routing impose on the database requests?
ActiveBase adds less than a fraction of a millisecond (~150 microseconds) to each statement on its way to the database server in massive OLTP
environments. The results from the database return to the client through ActiveBase, yet the propagation delay is negligible, since no processing is
involved.
What platforms does ActiveBase support?
ActiveBase is currently available for Oracle8.0 and higher running on Windows, UNIX (HP, Sun or IBM AIX) and Linux OS.
When will ActiveBase be available for DBMSs other than Oracle?
Support for SQL Server and IBM DB2 is planned for 2010.
Installation
What exactly do I need to install?
In order to run ActiveBase products, you need to download and install the ActiveBase server software. It can be installed on a dedicated server or on
the database server, or on one of the application servers with Unix HP/Solaris, AIX, Linux or Windows OS. For testing purposes, even a desktop is enough
(though we would not recommend it for a production environment).
How large is the download and what does it include?
The download for the server software is 35 MB and includes the documentation and the management console installation.
How long will it take to install and configure ActiveBase software on a single database?
Installation only takes a few minutes. You will first install the server software, followed by the database configuration wizards and rule-pack sample.
Predefined rules will be available immediately, and you will be able to define custom rules using a wizard. For most applications, creating initial
rules should not take more than an hour.
Do I need to change my applications or database?
Absolutely not. ActiveBase Security is completely transparent to both applications and databases. No client side installation is required. No database
configuration change is required.
ActiveBase Security software listener configuration requires:
1. Add a new entry to the Oracle client centralized routing flat file, (tnsnames.ora or oranames) with ActiveBase server host and listener port number.
This file is centrally managed for all clients, thus a single and simple configuration change immediately affects all clients to be routed via the
ActiveKnowledge server. For testing purposes, a tnsnames.ora copy can be saved on a local directory on your client.
OR...
2. Change the database listener to listen on another (hidden) port and configure the ActiveBase listener to listen on the primary port (e.g.
Oracle port 1521). ActiveBase includes specific functionality to support this type of configuration by enabling selective bypass for specific clients
(clients are identified by an include/exclude list of program/host name and OS users). With this bypass, all clients connect to the ActiveBase
Security listener port, where specific clients are routed through the security rules and other applications are routed directly to the hidden database
listener, bypassing the security rules (e.g. ETL processes or jobs).
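The port-swap deployment of option 2 and its selective bypass, as an added example that is neither ActiveBase code nor its list syntax: a connection switch that, given the client's program, host and OS user, refuses the connection, sends it straight to the hidden database listener, or routes it through the rule engine. The ports, the glob patterns and the three lists are assumptions made for this example.

```python
from fnmatch import fnmatchcase

# Constructed model of the connection switch in the port-swap deployment (option 2 above): the
# proxy listens on the port clients already use, the database listener moves to a hidden port,
# and include/exclude lists keyed on program, host and OS user decide which connections get the
# security rules, which go straight to the hidden listener, and which are refused outright.
# Not ActiveBase code; ports, patterns and the list syntax are assumptions made for this example.

PROXY_PORT = 1521        # the port clients are already configured for (Oracle default)
HIDDEN_DB_PORT = 1526    # assumed: where the real database listener was moved

# Each entry is (program, host, os_user) glob patterns, matched case-insensitively.
REFUSE = [("*", "10.250.*", "*")]                   # a segment that must never reach this database
EXCLUDE = [("sqlldr*", "etlsrv*", "etl"),           # scheduled loads bypass the rules, as the page allows
           ("exp*", "etlsrv*", "etl")]
INCLUDE = [("toad*", "*", "*"), ("sqlplus*", "*", "*"), ("*", "10.200.*", "*")]

def _matches(entry, program, host, os_user):
    return all(fnmatchcase(value.lower(), pattern.lower())
               for pattern, value in zip(entry, (program, host, os_user)))

def route(program: str, host: str, os_user: str, default: str = "rules"):
    """Return (disposition, target_port): 'refuse', 'direct' (hidden listener, no rules) or
    'rules' (through the rule engine, then on to the hidden listener). Clients on no list get
    `default`; keeping it at 'rules' means an unknown tool is secured rather than waved through."""
    args = (program, host, os_user)
    if any(_matches(e, *args) for e in REFUSE):
        return "refuse", None
    if any(_matches(e, *args) for e in EXCLUDE):
        return "direct", HIDDEN_DB_PORT
    if any(_matches(e, *args) for e in INCLUDE):
        return "rules", HIDDEN_DB_PORT
    return default, HIDDEN_DB_PORT
```

The exclude entry is deliberately keyed on all three attributes: a loader started from the ETL host under a different OS user does not inherit the bypass and is routed through the rules like any unlisted client. Passing `default="direct"` reproduces the opposite mode, where only listed clients are secured.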
What permissions do I need in order to install ActiveBase?
You need sufficient access to allow installation of software on the server. No DBA privileges are required for the database itself.
My company has a strict policy of not installing any 3rd party software on our database servers; does that mean I cannot install ActiveBase?
No. You can install ActiveBase on a dedicated server or on any application server, supporting Windows, UNIX (HP, Sun or IBM AIX) and Linux.
Backup
What should be the backup procedure for ActiveBase?
You should back up the full installation files once, in home/active/java and home/active/[ActiveBase Product]. In addition, to back up the full configuration and rules you need to regularly back up the home/active/[ActiveBase Product]/cfg/ directory.
What processes should be monitored?
All ActiveBase products run as a single OS process that is defined during product installation, in the administration setup. The default service name is the machine name, but it is always recommended to add a prefix, ab_[server_name], for easy identification. The specific process name can be identified with the machine's top command. ActiveBase also provides a script (monitor.zip, found on our FTP site) that verifies the user experience by regularly testing user connection time, returning an error code and triggering an email/SMS notification.