  
  • Overview

    ActiveBase Security™ is the first product on the market in a new category coined by Gartner, “Dynamic Data Masking”, which uses in-line SQL proxies to provide real-time preventive capabilities for these common security challenges:
    1. Preventing end-users, customers, partners, and offshore and outsourced workforces from accessing Personally Identifiable Information (PII) that is not required to perform their job (Role Based Access Control, RBAC), as mandated by privacy regulations and directives as well as by PCI-DSS section 3.
    2. Anonymizing PII when it is accessed by production support teams, outsourced personnel, developers and DBAs, ensuring that sensitive financial and personal information is not exposed.
    3. Securing training environments, data warehouses, backups and replications from trainees, business users, administrators and developers.

    ActiveBase real-time protection rules integrate with Active Directory, LDAP and IAM/ILM systems to anonymize, mask, scramble, hide, audit, alert and restrict access by row (row level security), column or cell, or to block unauthorized access from business applications, packaged reports, and development and DBA tools in production and non-production environments (physical masking is also provided), with no changes to source code or databases.

    How is this done?
    ActiveBase Security™ is installed transparently as an in-line proxy: traffic from the clients/application servers is routed through the ActiveBase server on to the databases.
    ActiveBase rules identify SQL requests that retrieve PII and apply real-time prevention actions.
      
    This has proven to work with any application, including on-line screens and packaged reports within packaged and proprietary applications, DWH environments, development and DBA tools, etc. It also enables contextual access restrictions on row-level, column-level or object-level requests.

    Some of the scenarios where ActiveBase can be deployed WITHIN DAYS without duplicating data:
      When unauthorized users' access to various data environments needs to be audited and
         secured (consultants, contractors)
      When different groups of users need to see confidential information in different forms (based on
         their access level)
      When production data needs to be accessed from offshore
      When production support needs to be done from offshore
      When data needs to be shipped offshore for testers and developers by making a copy using
         various masking techniques
      When unauthorized updates (inserts/updates/deletes) or ad hoc queries from end users need to
         be prevented
      When an audit trail is needed for all transactions on the database (who, when, what, from
         where or from which application)

    ActiveBase Security supports packaged applications such as PeopleSoft, Siebel, billing systems (LHS and Amdocs), SAP and Oracle Apps, as well as home-grown proprietary applications. It also works with reporting software such as Business Objects (BO) and Cognos, and with development and DBA tools.

    ActiveBase Security™ transparently masks family names and SSNs in SAP on-line screens

  • Features

    ActiveBase Security™ is built on patented in-line proxy software that transparently intercepts SQL requests coming from application screens, canned reports and development tools and applies real-time security rules to them. It can be installed on the database server or on a dedicated server, supporting hundreds of databases with a single installation. No changes to the applications or databases are required.
    Security rules can be applied selectively based on context, identifying users through Active Directory/LDAP/IAM, IP addresses, applications, modules, screens and SQL requests. A range of actions is applied in real time: anonymizing, blocking, auditing and alerting on unauthorized usage.

    For IT personnel, outsourcing and production support teams:
      Anonymize financial, personal and credit card information (presenting only the last four digits) to IT
          personnel who do not need to see it to perform their job, with no changes to the databases and
          without hindering production support tasks.
      Restrict login through shared (general) accounts: ActiveBase informs and blocks users upon
          unauthorized usage of shared application accounts.
      Apply Role Based Access Control (RBAC) to developer and DBA tools.
      Provide a detailed audit trail and alerting with segregation of duties.

    For Business Applications:
      Anonymize financial, personal and credit card information (presenting only the last four digits) to
          application users who do not need to see it to perform their job, with no changes to the
          applications or databases.
      Enable transparent credit card tokenization implementation with no changes to source code
          or databases.
      Provide a detailed audit trail and alerting with segregation of duties.


  • Examples

    ActiveBase Security rules apply SQL rewrite actions, including:
      Masking Social Security Numbers (SSN) and credit card numbers when accessed by IT teams
         and external support.
      Protecting sensitive and personal information in training and reporting environments.
      Protecting sensitive and personal information in non-production environments from development
          and QA teams.
      Scrambling salary and employee information in non-production HR applications.

    Example:
    The security officer requires you to prevent outsourced support staff using Siebel on-line screens from seeing real credit card numbers and SSNs.
    How it works:
    When an outsourced support person opens a Siebel screen and performs an action that retrieves an SSN, the Siebel application server submits a 'select' SQL request for the customer's personal information, including credit card number and SSN, to populate the Siebel window.
    Now things change:
    Because the Siebel application server is connected to the database through a Dynamic Data Masking solution, a rule identifies the 'select' SQL request coming from the outsourced support person's screen.
    It automatically masks the credit card and SSN columns by rewriting the original SQL request so that the sensitive values are anonymized before they leave the database. For the credit card number the rewrite action is Select 'xxxx-xxxx-xxxx-'||substr(credit_card,-4), which keeps only the last four digits as described under Features (a customer with credit card '1234-5678-1234-5678' is presented on the screen as 'xxxx-xxxx-xxxx-5678'). Note that substr(credit_card,-4) returns the last four characters, so the masking text must be prepended, not appended, to obtain this result.
    For the SSN, the rewrite action is Select substr(SSN,1,3)||'******', which keeps the first three digits (a customer with SSN '123456789' is presented on the screen as '123******').
    Other rules can scramble credit card information whenever it is accessed by anyone other than the approved users of specific application on-line screens.
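    The following Python is an added illustration of the mechanism just described (a proxy rule matching a request on its context and rewriting the select list, or refusing the request with a message while leaving the session up, as the Informed Block™ FAQ below describes). It is not ActiveBase code and not its rule language. The table and column names (s_contact, credit_card, ssn), the program names, the SIEBEL_APP account, the ext_ user prefix, the offshore-support group and the /* app_user=... */ comment convention are all constructed for the example.

```python
"""Toy dynamic-data-masking rule engine, modelled on the in-line proxy described above.
Added example, not ActiveBase code or its rule language. Every table, column, program,
group and user name below is constructed for the illustration."""
import re
from dataclasses import dataclass, field, replace

# Oracle-style rewrite expressions; {c} is replaced by the column reference as written in the request.
MASKS = {
    "credit_card": "'xxxx-xxxx-xxxx-'||SUBSTR({c},-4)",  # show only the last four digits (PCI-DSS style)
    "ssn":         "SUBSTR({c},1,3)||'******'",            # show only the first three digits
}
# Python equivalents, so an operator can preview what a client will see for a stored value.
PREVIEW = {
    "credit_card": lambda v: "xxxx-xxxx-xxxx-" + v[-4:],
    "ssn":         lambda v: v[:3] + "******",
}

@dataclass(frozen=True)
class Context:
    db_user: str                        # often a shared application account
    os_user: str = ""
    program: str = ""                   # client program, e.g. "siebel.exe" or "toad.exe"
    ad_groups: frozenset = frozenset()  # assumed to be resolved from Active Directory/LDAP upstream
    app_user: str = ""                  # end user behind the shared account, from an injected SQL comment

@dataclass
class Rule:
    name: str
    action: str          # "mask" | "block" | "audit"
    match: object        # predicate (ctx, sql) -> bool
    columns: tuple = ()  # for "mask"
    message: str = ""    # for "block": returned to the client in place of a result set

@dataclass
class Decision:
    action: str        # "allow" | "mask" | "block"
    sql: str           # statement forwarded to the database (unchanged when blocked, since nothing is sent)
    message: str = ""
    audit: list = field(default_factory=list)

APP_USER_COMMENT = re.compile(r"/\*\s*app_user=([\w.@-]+)\s*\*/")
SELECT_LIST = re.compile(r"(?is)^\s*(?:/\*.*?\*/\s*)?select\s+(.*?)\s+from\s")
DML = re.compile(r"(?is)^\s*(?:/\*.*?\*/\s*)?(insert|update|delete|merge)\b")

def extract_app_user(sql: str) -> str:
    """Identity the application injected as a comment (the comment convention itself is assumed)."""
    m = APP_USER_COMMENT.search(sql)
    return m.group(1) if m else ""

def rewrite_select_list(sql: str, columns) -> str:
    """Swap sensitive columns in a plain SELECT's top-level select list for masking expressions.
    Subqueries, functions containing commas and SELECT * are out of scope and pass through unchanged."""
    m = SELECT_LIST.match(sql)
    if not m:
        return sql
    items = []
    for item in (i.strip() for i in m.group(1).split(",")):
        col = item.split(".")[-1].lower()   # drop an optional table alias such as c.credit_card
        if col in columns and col in MASKS:
            items.append(f"{MASKS[col].format(c=item)} AS {col}")
        else:
            items.append(item)
    start, end = m.span(1)
    return sql[:start] + ", ".join(items) + sql[end:]

def apply_rules(sql: str, ctx: Context, rules) -> Decision:
    """Evaluate rules in order: the first block wins, mask rules accumulate, every match is audited."""
    ctx = replace(ctx, app_user=extract_app_user(sql) or ctx.app_user)
    audit, to_mask = [], set()
    for r in rules:
        if not r.match(ctx, sql):
            continue
        audit.append(f"{r.name} db_user={ctx.db_user} os_user={ctx.os_user} "
                     f"app_user={ctx.app_user} program={ctx.program}")
        if r.action == "block":
            # The connection stays up; only this request is refused, with a message for the user.
            return Decision("block", sql, r.message, audit)
        if r.action == "mask":
            to_mask.update(r.columns)
    if to_mask:
        return Decision("mask", rewrite_select_list(sql, to_mask), "", audit)
    return Decision("allow", sql, "", audit)

# Constructed policy: DBA tools may not change data, offshore support sees masked PII,
# and everything done under the shared Siebel account is audited.
DBA_TOOLS = {"toad.exe", "sqlplus.exe", "sqldeveloper.exe"}
RULES = [
    Rule("block-dml-from-dba-tools", "block",
         lambda c, s: c.program.lower() in DBA_TOOLS and DML.match(s) is not None,
         message="Data changes from DBA tools are not permitted on production. Use the change process."),
    Rule("mask-pii-for-offshore-support", "mask",
         lambda c, s: "offshore-support" in c.ad_groups or c.app_user.startswith("ext_"),
         columns=("credit_card", "ssn")),
    Rule("audit-shared-app-account", "audit",
         lambda c, s: c.db_user.upper() == "SIEBEL_APP"),
]

if __name__ == "__main__":
    ctx = Context(db_user="SIEBEL_APP", os_user="svc_siebel", program="siebel.exe")
    req = "/* app_user=ext_jdoe */ SELECT c.name, c.credit_card, c.ssn FROM s_contact c WHERE c.row_id = :1"
    d = apply_rules(req, ctx, RULES)
    print(d.action, d.sql)
    print(PREVIEW["credit_card"]("1234-5678-1234-5678"))   # xxxx-xxxx-xxxx-5678
```

    Two design points worth noting. The masking happens in the rewritten SQL, so the unmasked values never cross the proxy towards the client; the PREVIEW helpers only exist so the policy author can see what a stored value will look like. And a block returns a Decision rather than closing anything, which is the property that lets other users sharing a pooled connection carry on unaffected.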

  • FAQ

    Comparison with other security solutions
     Comparing ActiveBase Security with Database Activity Monitoring (DAM) solutions.
    Players include Imperva, Guardium and Application Security.

    DAM Functionality
    - Monitors and audits past occurrences of users accessing personal and sensitive information
    - Protects databases from SQL injection
    Why do you need ActiveBase?
    - ActiveBase Security™ is the first product on the market in a new category coined by Gartner, “Dynamic Data Masking”, which uses in-line SQL proxies to provide real-time preventive security capabilities.
    - It is the only solution that can mask, scramble, hide (at row, column or cell level) and block access within business applications and tools in production, training, data warehouse, replication and non-production environments, for end-users, customers and production support teams as well as offshore and outsourced personnel.
    - ActiveBase enables Role Based Access Control (RBAC) with seamless integration with Active Directory, LDAP and IAM implementations.

     Why is your blocking better and safer than the blocking provided by other solutions?
    Only ActiveBase software can block a specific SQL request in any application (2, 3 or n-tier) without killing sessions or changing application code, while returning a customized notification to the user (multi-language support): ActiveBase Informed Block™.
    Application connections are not torn down and sessions are not killed; only the specific request is blocked, protecting productivity. Other requests from different users sharing the same connection (through a connection pool) continue with no application disruption whatsoever, eliminating any risk of time or productivity loss.

     Comparing ActiveBase Security with physical masking players, including Oracle Masking, Informatica and IBM Optim
    Functionality
    - Masks the actual data stored in the database by changing the real data into fictitious values
    - Applicable only in development environments, since physical masking changes the database columns irreversibly, making it unusable in production, replication, training and User Acceptance Testing (UAT) environments
    - Requires in-depth application knowledge of the data model
    - Changing data columns might cause the application to break and stop working
    - Requires a long implementation (months, compared with days for ActiveBase's Dynamic Masking)
    Why do you need ActiveBase Security in non-production environments?
    1. It provides physical masking by masking the ETL EXPORT processes that extract data from production databases, ensuring that only secured personal information leaves production. This is achieved by routing the EXPORT processes through the ActiveBase listener port.
    2. It complements physical masking by dynamically masking data that is too complex or impossible to mask physically (e.g., referential data such as account numbers and SSNs that flow across various business applications, or credit card numbers that must validate against external applications and would fail if physically changed).

     Comparing ActiveBase Security with Oracle VPD (Virtual Private Database)
    and RLS (Row Level Security)

    Functionality and limitations
    - Cannot mask personal information within application screens and packaged reports (it can only return null values, causing errors in application screens and packaged reports)
    - Policies are applied only at the object level, lacking policy enforcement on individual SQL requests (e.g., restricting row-level access while still allowing aggregations and summary reports) and lacking multi-tier application user context
    - Complex to implement and requires experienced DBAs, in conflict with the requirement for separation of duties
    - Performance overhead
    Why do you need ActiveBase?
    - ActiveBase uniquely provides the ability to mask, scramble and block (not only hide) sensitive fields within application screens, packaged reports and development/DBA tools
    - Policies can be applied selectively, based on context including SQL, session, object context, application user, Active Directory and grants maintained in ILM/IDM systems
    - ActiveBase ensures separation of duties, as it can be configured exclusively by security officers
    - Implemented within days with no need for prior in-depth application knowledge of the data model
    - Application and database transparent
    - No database performance overhead

     Comparing ActiveBase Security with Oracle Database Vault
    Functionality and limitations
    - Restricts access by privileged users using powerful access controls built into the Oracle database
    - Does not secure privileged users' direct access to database files at the OS level
    - Does not block unauthorized access to the database server (it is not a database firewall)
    - Database Vault access restrictions on sensitive data can substantially delay or hurt problem resolution, as root cause analysis can be blocked
    Why do you need ActiveBase?
    - ActiveBase complements Database Vault implementations by adding Dynamic Data Masking, which lets DBAs and developers access applications and screens containing personal information in order to perform their job and fix production problems, while being exposed only to masked, scrambled or hidden personal and sensitive information in a secured and controlled way
    - It also provides a database firewall that can block requests (Informed Block™) while notifying the end-user (a database firewall is a compliance requirement under certain regulations)

     Comparing ActiveBase Security with Database Encryption Solutions
    Functionality and limitations
    Organizations worldwide try to minimize the number of columns they encrypt, because each encrypted table column requires changing all application source code that references it and adds a severe performance penalty to every transaction touching the column (the encrypt/decrypt functions cost time and resources).
    - Encryption protects against infrastructure DBAs who have access to database files and backup tapes
    - It does not prevent end-users from accessing personal information, as applications decrypt the values presented within screens and packaged reports
    - Complex to implement; requires application source code or database changes
    - Performance overhead caused by the encryption/decryption algorithm
    Why do you need ActiveBase?
    - ActiveBase protects against application end-users as well as privileged users
    - Implemented within days with no need for prior in-depth application knowledge of the data model
    - Application and database transparent
    - No database performance overhead
    - Can be deployed alongside encryption solutions to secure sensitive information that is not encrypted, such as names, SSNs, addresses and account details
    - No need to encrypt personal data to protect its privacy, saving application changes, database complexity and performance penalties

    Technical
     What applications and databases does ActiveBase support?
    ActiveBase supports all applications, reporting and development tools running on Oracle (Oracle8 to Oracle 11g) and SQL Server (2008 R2/2008/2005/2000); DB2 and Sybase support will be released later this year. We already provide Knowledge Packs for leading packaged applications such as PeopleSoft, Oracle Apps, Siebel, Business Objects, Cognos and more.

     Can ActiveBase Security be deployed in training environments?
    Short answer: yes. Training environments are a good fit: they are easy to mask dynamically and contain many data elements, not all of which can be masked physically. When you later decide to secure production with ActiveBase, the same rules are simply propagated to the production applications.

     How will ActiveBase be deployed in an existing environment?
    ActiveBase can be downloaded from our site and installed on your database server OR on a dedicated server. Nothing is installed on the client desktop.
    We support Unix, Linux and Windows. After installing ActiveBase you route the tools or applications you want to secure to the ActiveBase listener instead of the database listener. Another deployment option is to configure the ActiveBase listener on the port currently used by the database listener, so that you do not need to change application routing at all.

     How is Role Based Access Control (RBAC) configuration done in ActiveBase?
    A GUI rule editor is used to define the masking/scrambling/blocking/auditing rules. It can also use hooks into Active Directory and ILM/IDM systems, and can even execute web services to access proprietary RBAC repositories.

     How can I apply your solution in a cloud computing domain?
    Cloud computing infrastructures take advantage of virtualization, where the machines (both virtual and physical) running the database are likely to change over the course of a day or a week. Dictating the server, hostname or network segment that the database is hosted on is not possible.

    ActiveBase Security software can be started automatically and configured so that it transparently takes over the database listener port (with the database listener itself started automatically on a different, secured port), automating the deployment of cloud-based database servers.
    By giving security personnel the ability to dynamically mask, scramble, hide or block access to sensitive information, you gain complete visibility into the privileged activities of the cloud provider's administrative users. The same capabilities used to ensure segregation of duties for regulatory purposes are available remotely to meet compliance requirements.

     Our production instances are set up with multiple ports for performance/failover reasons. How are multiple listener ports handled through ActiveBase?
    ActiveBase supports multiple listener setups (many to many) in a manner identical to the database's multi-listener function.

     How can the ActiveBase security features be used to manage security in an environment where individuals accessing databases are not authenticated as individuals at the DB user level (where individuals share DB accounts with the application)?
    Security can be managed by various contextual attributes of the request, such as OS user, host name, Active Directory group assignment, program, module, user identification comments injected into the requests, and database user, to name a few.

     How do the ActiveBase security features work for ETL tools and inter-database connections (via DB links)?

    ActiveBase allows you to define which applications/processes connect through ActiveBase (and are secured) and which bypass ActiveBase and connect directly to the database (for example, scheduled ETL and batch processes).
    If required, ActiveBase can also be deployed on inter-database connections (DB links), which behave like any other client (enabling masking/scrambling/blocking, etc.).

     What if various allowed and non-allowed processes connect as the same DB user and access the same remote DB user and objects?
    ActiveBase can add a comment, based on the identified user, to the SQL request sent to the main database. The DB link request then carries that comment, allowing ActiveBase to recognize it and apply security rules specifically to unauthorized users.

     Can ActiveBase support both a 'hub' approach (nothing installed on the DB server) and installation on the database server?
    ActiveBase can be installed on its own dedicated server that acts as a hub for many different databases (like a database firewall), or on each of the database servers.
    We recommend installing ActiveBase on the database server when heavy OLTP application traffic is routed through it for dynamic data masking of administrators and specific user screens.
    In all other cases, such as securing reporting and development tools or applications in non-production environments, we recommend installing ActiveBase on a 'hub'.
    Details:
    Install ActiveBase on a hub: manage different databases centrally, without installing anything on each database server, with central management of rules for all database servers.
    Benefits:
    1. As nothing is installed on the database server, no database changes are required.
    2. Allows installation to be done by security or application managers without requiring DBAs.
    3. Increases separation of duties.
    4. Disparate user groups can be placed in different network segments from the production database's network segment, with ActiveBase acting as a database firewall in between.
    5. Rules are automatically propagated across all databases managed by the hub.
    Downside:
    1. Requires another network hop before reaching the database, and the health of the hub server must be managed.
    Installing ActiveBase on the database server:
    Benefits:
    1. Simplifies application connections by swapping the database listener with the ActiveBase listener.
    2. Less network response-time overhead compared with the 'hub' approach, and therefore recommended for large production OLTP installations.
    3. Performance is not dependent on the health of another server.
    Downside:
    1. Company policies might preclude this strategy, or may require a lengthy approval process before installation on database servers.
    2. Requires installing ActiveBase on each database server.

     How do you secure DBAs and administrators that connect directly to the database without passing through the ActiveBase Security listener?
    Depending on your organization's security policy, ActiveBase can audit or block local administrative users who bypass the ActiveBase Security rules, using both a tighter database listener security configuration and a database connection (logon) trigger.

     Where will the list of authorized and non-authorized users be built?
    The list of authorized or unauthorized users does not need to be built or duplicated in ActiveBase. ActiveBase comes with an extensive set of APIs that extract this information from Active Directory/LDAP, from user responsibilities within the applications, or from the database, avoiding unnecessary user authorization definitions.

     How can ActiveBase ensure that it is not adding a single point of failure?
    Because ActiveBase acts inline as a database listener, the client's built-in transparent failover feature ensures that ActiveBase does not add a single point of failure.
    In addition, ActiveBase can be installed as a high-availability cluster for failover and load balancing; it has run this way in large billing, data warehouse and large-scale enterprise application production environments since early 2005.

     Does ActiveBase support a high availability configuration?
    Yes, from both perspectives:
    a.) During a database failover, ActiveBase follows the failover transparently, servicing the failover database automatically.
    b.) During an ActiveBase failover, clients are automatically redirected to a failover instance of ActiveBase or bypassed directly to the database.
    Note that the direct-bypass option is fail-open: while it is in effect, requests reach the database unmasked and unblocked, so choose it only where availability outranks the masking control, and prefer a failover ActiveBase instance where it does not.

     What load does ActiveBase impose if it is installed on the database server?
    ActiveBase is a proxy-based product, so its overhead is proportional to the number of SQL*Net packets per second flowing through it. A rule of thumb is 1 GHz of CPU per 10,000 packets per second; when installed on the database server this is on average about 1% CPU load.

     Installed inline, what latency does the additional routing impose on database requests?
    ActiveBase adds a fraction of a millisecond (about 150 microseconds) to each statement on its way to the database server, even in heavy OLTP environments. Results from the database return to the client through ActiveBase, but the added propagation is negligible since no processing is involved on the return path.

    Installation
     What exactly do I need to install?
    In order to run ActiveBase products, you need to download and install the ActiveBase server software. It can be installed on a dedicated server, on the database server, or on one of the application servers, running HP-UX, Solaris, AIX, Linux or Windows. For testing purposes even a desktop is enough (though we would not recommend it for a production environment).

     How large is the download and what does it include?
    The server software download is 35 MB and includes the documentation and the management console installation.

     How long will it take to install and configure the ActiveBase software on a single database?
    Installation takes only a few minutes. You first install the server software, then run the database configuration wizards and the rule-pack sample. Predefined rules are available immediately, and you can define custom rules using a wizard. For most applications, creating the initial rules should not take more than an hour.

     Do I need to change my applications or database?
    No. ActiveBase Security is completely transparent to both applications and databases. No client-side installation is required, and the database itself is not changed.
    ActiveBase Security software listener configuration requires one of the following:
    1. Add a new entry to the centrally managed database client routing file (tnsnames.ora or Oracle Names) with the ActiveBase server host and listener port number. Because this file is managed centrally for all clients, a single, simple configuration change immediately routes all clients via the ActiveBase server.
    OR
    2. Change the database listener to listen on another (hidden) port and configure the ActiveBase listener to listen on the primary port. This option does touch the listener configuration on the database server, though not the database.
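    As an added illustration of option 1 (not taken from the page or from ActiveBase documentation), this is what repointing an Oracle Net alias at the proxy looks like. The alias name, host names, ports and service name are assumptions; the two entries are the before and after states of the same alias, not two entries to keep side by side.

```text
# Before: clients resolve the CRM alias straight to the database listener (assumed host/port).
CRM =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = crmdb01.example.com)(PORT = 1521))
    (CONNECT_DATA = (SERVICE_NAME = crm))
  )

# After: the same alias points at the ActiveBase listener (assumed host/port); the proxy forwards
# to crmdb01.example.com:1521. Because the alias name is unchanged, applications need no edits.
CRM =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = ab-proxy01.example.com)(PORT = 1522))
    (CONNECT_DATA = (SERVICE_NAME = crm))
  )
```

    With option 1 the real database host and port still exist, so anyone who knows them can connect around the proxy; that is the gap the listener hardening and logon-trigger controls described earlier are meant to close, and option 2 narrows it by leaving only the hidden port for direct access.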

     What permissions do I need in order to install ActiveBase?
    You need sufficient access to install software on the server. No DBA privileges are required for the database itself.

     My company has a strict policy of not installing any 3rd-party software on our database servers; does that mean I cannot install ActiveBase?
    No. You can install ActiveBase on a dedicated server or on any application server running Windows, UNIX (HP-UX, Solaris or IBM AIX) or Linux.

    Backup
     What should be the backup procedure for ActiveBase?
    Back up the full installation once, from home/active/java and home/active/[ActiveBase Product]. In addition, to back up the full configuration and rules, regularly back up the home/active/[ActiveBase Product]/cfg/ directory.

     What processes should be monitored?
    All ActiveBase products run as a single OS process whose name is defined during product installation, in the administration setup.
    The default service name is the machine name, but it is recommended to add a prefix, ab_[server_name], for easy identification. The specific process name can be found with the machine's top command.
    ActiveBase also provides a script (monitor.zip, found on our FTP site) that verifies the user experience by testing user connection time regularly, returning an error code and triggering e-mail/SMS notification.
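    The following Python is an added example in the spirit of that monitor script; it is not the script itself. It times a TCP connect to the proxy listener and maps the result to an exit code a scheduler or alerting hook can act on. It checks only that the listener accepts connections, not a full SQL*Net handshake, and the host, port and thresholds are assumptions.

```python
"""Connection-time probe for an in-line database proxy listener (added example, not ActiveBase's script).
Returns an exit code so cron/a scheduler can trigger notification; host, port and thresholds are assumed."""
import socket
import sys
import time

OK, WARN, CRIT = 0, 1, 2  # conventional monitoring exit codes

def probe(host: str, port: int, timeout: float = 3.0):
    """Return the TCP connect time in milliseconds, or None if the listener did not accept a connection."""
    t0 = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return (time.perf_counter() - t0) * 1000.0
    except OSError:            # refused, unreachable or timed out (socket.timeout is an OSError)
        return None

def classify(ms, warn_ms: float = 200.0, crit_ms: float = 1000.0) -> int:
    """OK: healthy; WARN: users will notice; CRIT: unreachable or so slow that failover should be considered."""
    if ms is None or ms >= crit_ms:
        return CRIT
    return WARN if ms >= warn_ms else OK

def check(host: str, port: int, warn_ms: float = 200.0, crit_ms: float = 1000.0):
    """Probe once and return (exit_code, connect_ms)."""
    ms = probe(host, port)
    return classify(ms, warn_ms, crit_ms), ms

if __name__ == "__main__":
    # Assumed defaults; override on the command line: probe.py <host> <port>
    host, port = (sys.argv[1], int(sys.argv[2])) if len(sys.argv) > 2 else ("ab-proxy01.example.com", 1522)
    code, ms = check(host, port)
    print(f"{host}:{port} {'unreachable' if ms is None else f'{ms:.1f} ms'} -> exit {code}")
    sys.exit(code)   # a non-zero exit is what the scheduler's e-mail/SMS hook keys on
```

    Run it from the same network segment as the application servers, so that what it measures is the path users actually take; a probe from the proxy host itself would miss a broken route between the two.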



