Oracle Audit Vault Reviews

We use this solution for regulatory compliance and reporting for the enterprise. This augments regular compliance and risk management solutions.

The organizations and clientele we work with include public sector and private sector businesses in the Financial Services industry, where they host data from global partners. The EU citizens and businesses now demand that GDPR be in place in order to host their data.

It has provided us with a unique opportunity to automate risk discovery.

The system provides both an audit system and a security solution through the database firewall that protects the data and databases being accessed.

The system uses BU internal risk management and audit teams for ease of IT and systems audits.

The most valuable features of this solution are:

• Autonomous data collection.
• Ease of deployment to work and integrate with heterogeneous platforms.
• Reporting infrastructure is awesome and very flexible.
• The interfaces are intuitive and easy to use and navigate through.
• The solution has a well designed RBAC for the support of the business and it is secure.

We would like to see the ability to administer and manage the solution through Enterprise Manager 13c, and development of the dashboards that are generally missing.

The system needs to be easy to manage, especially in terms of space management.

There is little to no technical references and use cases pointing to the resolution of technical challenges during implementation. Better documentation would be helpful.

The product is stable but extremely sensitive.

It is rather difficult to scale, but it works perfectly.

The technical support at Oracle is weak, but the documentation provided is detailed and good.

Unfortunately, there is little information available on Oracle MOS.

We have always used the product alongside Imperva.

This initial setup of this solution is straightforward.

Our solution was delivered through an Oracle partner, Nexim Solutions.

Our ROI was almost immediate.

It is affordable but technical skills are required to architect and set up the system.

We evaluated Imperva and Tivoli before choosing this solution.

We use Oracle Audit Vault to have a view of what is present on our network behind the firewall system. We use it to block threats and audit data for clients.

After we activate Oracle Audit Vault, our clients can see all of their past actions or the wrong activity done on the network. We can load most of the diagnostics for the business.

We have a situation for a bank as a client. We were able to deploy Oracle Audit Vault for them. The end-user is a key part of the system in the information department. 

For maintenance, only one person is required and he's an admin. Oracle Audit Vault was used extensively and our clients are quite comfortable with it.

We believe the product will be used for a long time.

One feature that was missing when we tried to update was the network activity analyzer. We found a request going through the database file before reaching the database. 

We don't have a database file in the middle. If it's possible to have that database file to analyze what's going on inside the network, it would be better.

Some of our customers were asking about the latency. When the application wants to get to the database, the database file is going to give some latency in operations.

The additional features we need are to be able to have the database firewall to scan the network to get the information from the database. 

I also want the database firewall to be able to block services with more granularity.

We have used Oracle technical support maybe twice. The support is nice. It was fast to install. The customer support is good.

We didn't have a previous solution. We had a company come in with IBM to produce a proprietary solution. We also did a demo. 

The initial set up was straightforward. It wasn't challenging. The implementation strategy for new customers doesn't take long. 

Our strategy is to increase the value of the software.

We used a reseller.

For the bank, the license was $48,000 last time. That was the licensing for the bank on just one license.

We had to do a demo to show management how the solution functions. That was useful for them to decide to go with Oracle Audit Vault over IBM.

Anyone can go to with Oracle Audit Vault, but be sure you know what is going on to be comfortable with it.

On a scale from one to ten, I would rate this product at 8.5. Some of the database functionality is not too good.

We use this solution to provide for separation of duties based on database encryption.

We use the separation of duty feature because part of the database is encrypted, and the database administrators, such as myself, should have no access to this area. It belongs to the security team.

Right now, the ownership of the database is automatically given to the database administrator. I would like to have a software solution, separate from the Oracle product itself, to assign ownership of the database to a specific team, being our security team, rather than the default owner.

One feature that is missing is the ability to have a secret server that is always encrypted. I would like to see this in the next release of this solution.

The solution is very stable and reliable.

I would say that the scalability of this solution is medium.

The users include the database team, which has fifteen people, and in some areas of the business, there are in excess of fifty.

We are not currently planning to expand the use of this product.

Technical support for this solution is very good. It is strong.

I would say that the initial setup was of medium difficulty.

We used an Oracle consultant to assist us with the implementation.

I use this solution once or twice per month.

I would rate this solution an eight out of ten.

We have a few applications that use the Oracle Audit Vault as a broker service to log into the application. It uses the credentials provided by this solution. We are not using the firewall component.

This solution acts as a complete data warehouse for our audit data. Anytime we need to search for details about what happened, from a proactive monitoring perspective, or react to see what access permissions were granted or denied, we can look at this.

We have an alert mechanism implemented, and we also use some of the built-in reports. The reports are typically used by management, and we have a risk management dashboard. Management looks at the reports, and the indicators in them, to determine what level the security has been at over the past month. They can tell whether it has improved or gone down.

The most valuable feature is that Oracle Access Vault is integrated with our SIM (Security Information Management tool), which gives us a complete picture of what access is being provisioned in our organization. We do not use the interface provided by Oracle Audit Vault, except to export the data into our SIM.

The reporting is an area of the solution that needs to be improved.

Customized reporting is something that we are struggling with, and it is quite tough for us. Every time we need to prepare a custom report, we have to involve the vendor. This is unlike other solutions where the reports are easy to customize.

Another problem with reporting emerges on the topic of compliance and certain international standards. The standard set of reports do not provide sufficient details for the PCS and ISO standards.

It is important to have better integration with most of the tools to manage unstructured data or SIM solutions. If we change vendors for our SIM then we want to have the best possible support.

This product is quite stable and robust. We have not faced any issues with respect to stability in the past few years.

We do not have heavy requirements in terms of scalability on our end, so I am unsure.

We currently have between ten and twelve users. These people are middle management, our database administrator, and I am the Data Center Lead.

This solution is extensively used on a daily basis, as it is one of the pillars of our overall monitoring solution. We have no plans to increase usage at this time.

Since our first contact with Mannai, they have been able to resolve most of our issues. Only in cases of problems that they cannot fix will they raise an SR with Oracle. Generally, they are quite capable.

We did not use a specific solution prior to this one.

We do not use the database firewall component that is included with this solution. For our database activity monitoring, we rely on IBM Guardium.

The installation itself is quite straightforward, but the configuration does not happen at the same time. We have fine-tuned our configuration over the past year or two, which has reduced the high number of false positives. We now only receive clear, actionable alerts. Most of these kinds of tools require a lot of fine-tuning to be done, based on your environment. It all depends on how fast you can do it, based on your database requirements.

It took approximately three months to deploy this solution and bring it into production.

We used a reseller for assistance with the implementation of this solution. They are the Mannai Corporation, here in Doha, and they are quite good.

The majority of the deployment was handled by them, and we only had two people involved. These people were our DBA and backup DBA, and they are now users of the solution.

For the maintenance of this solution, if we have an issue then we simply call Mannai and they will come and fix it.

When it comes to security solutions it is very difficult to calculate ROI. There is no clear cut ROI for which you can put a number in terms of operational effectiveness or security-related components.

This solution is definitely not expensive, and it is a small fraction of the overall database licensing costs. It is a simple add-on license, but it is not perpetual so we have to pay licensing fees every year.

We evaluated a lot of solutions before choosing this one, and some of them were used for a very long time. One of these was Imperva. The determining factor was the cost. Since we are already an Oracle customer, we received a large discount on the product.

Other than pricing, most of the solutions in the same space provide a similar type of output. The benefit of going with Oracle is, if you are using an Oracle database then the integration is quite strong internally.

If you are with Oracle completely and you do not have a mix of databases then this is a great solution. However, if you have a solution that includes a mix of databases then it has a lot of limitations.

The advantage of going with Oracle Audit Vault comes from its integration with data encryption, masking, and all of the Oracle security technologies.

Overall, this solution delivers what it is intended to do and we are quite happy with the product. There are, however, improvements required in terms of reporting.

I would rate this solution an eight out of ten.

We use this solution primarily for GDPR and PCI compliance for the bank.

We were implementing this solution for our client, who was required to do PCI compliance. Their project was initially scheduled to run over a year and a half, but by just deploying this product they were able to do the compliance reports within three months, so the time to roll out was quite significant. The time was very short, which meant the turnaround time for compliance was much shorter and the value was realized, so that is one positive aspect that we experienced with our clients.

The most valuable feature is the ability to create inbuilt reports for compliance, which have dealt with the rules made it easier. This means that we don't have to develop them from scratch, which makes life so much easier.

One of the biggest challenges that we are facing is the inability to use more than one account for the platform, so the whole organization cannot make their own compliance audits at their own pace. I think that's one feature that really is giving us a bit of a problem. That is one of our biggest challenges.

The fact that it doesn't audit the network is also quite a downfall for the product. Maybe it should be improved to allow one to log on to network devices and do audits to check compliance at that level.

Finally, the ability to integrate with well-known applications like SAP, Microsoft, and common ERP would be helpful. If it included templates that are used for audits that can be used in those platforms and checking compliance, that would be really helpful, because half the time there isn't enough documentation to help someone check the compliances of specific applications. The second bit is the ability to audit middleware, like application servers and spatial and detection platforms. That is quite lacking in this product.

It's not a stable product, especially around log management and log generation. There are lots of logs and the administration or management is not as easy as one would expect. So you need a lot of DBA and unique skills in order to handle the virtual appliances. For us it was in our domain, but I don't think for any other organization it would be easy to readminister, especially when cable spaces are full and there are other challenges.

It's very scalable. It can do real application, remote sites, and DR, so it's quite scalable. I think it's very easy to scale from that test; I think they've done well.

We've got at least 60 users, including IT demonstrators, auditors, and the risk department, so it's widely used.

It's currently used extensively at the bank because they have to measure their compliance in real time and they cannot do that without this solution. There were plans to integrate the solution with the ERT to start looking at certain components within ERT, as well as opportunities for them to expand it to be used on their distributions. I'm not too sure how far they have gone because we just deployed and left. We've not been back to these clients for this product so far.

Oracle does not have very good documentation on this. I think Oracle abandoned the product, especially on the support side. It's not really one of the most friendly platforms where you can actually find help, but we've hung in there. We hope there will be a lot more opportunities for them to improve the support, half the people you talk to don't really know how to support the product. It's just frustrating, honestly.

The documentation is there, if very basic, but it doesn't help you address some of the more technical challenges.

I had not used any other solution before Oracle. We deployed this particular solution because we are required to do PCI compliance. I don't think they could have used any other solution for this, without resorting to using lots of Excel sheets, reports, etc.

It was very straightforward to set up, not too complex.

Deployment took a month, and then the next month we set up the reports. However, the technical deployment took us only two weeks to do, including both the products and the development of the appliances. Our strategy was to deploy as is, using the standard report and customize the report as we go, instead of trying to come up with custom reports before deployment. That made it much easier, while still being adequate to satisfy the compliance department.

We are an integrator and our name is Making Solutions. So we are the ones who did the job. I only have three guys running the platform, so its quite easy to manage. From the client's staff, there are only two guys managing the platform.

They have had a good ROI because they were literally being audited and given lots of fines. All those things have disappeared within eight months. They were able to comply, submit reports on time, and actively correct whatever mistakes were picked up by the product. We use Oracle Enterprise Manager, which looks at other components to really add all the valuable information.

For the bank, the licensing cost is about $360,000, annually.

For the value and cost of being compliant, the price is worth paying, because then you don't get auditors coming in left, right and center. Our clients spend a lot of money, but they also get their compliance guaranteed, so I think it's overall saving them money.

There are no additional fees to pay.

Our client did check another provider. I forgot the name of that product, but it was a big competitor of Oracle's solution.

Those who want to implement it better have a proper detection in place, especially regarding documents. That's one thing that really drove us nuts because without having reference documentation of the platforms that they were targeting, it became a nightmare.

I would rate this solution as eight out of ten, because of the previous reasons that I gave around some of the features that are important for my clients. If it was not for that I would have given it a ten.

It is used as a central audit repository and reporting for all my databases, which has reduced the stress of collecting database event logs in silos from each database.

Out-of-the-box policies ensure our compliance with standards like SOX, ISO 27001, and so on.

The critical event alerts and reporting features have greatly reduced loss of man hours that would have been spent on going through the whole audit event logs.

An easy, friendly user interface would be nice to have, since this would enable administrators to identify important events with a prompt response.

AVDF can monitor SQL traffic to look for alerts on and prevent unauthorized or out-of-policy SQL statements. Because the final target of external attacks is SQL, it's very effective to check SQL level. In addition, this product transparently monitors the traffic; changing the applications is not necessary.

AVDF not only has an audit function, but it also has a database firewall function that protects the database, which is an important company asset, from external attacks typified by SQL injection. It supports a wide range of databases (Oracle Database, IBM DB2, Microsoft SQL Server and so on).

By integrating two major functions (auditing and database firewall)
into a single product, it became easier to use and the scope is really wide.

I would like to see a link-state tracking feature that quickly notices network failures. The benefit would be quick detection of network disconnection in DPE (inline) mode. If there is a network disconnection inline configuration, AVDF notices the network failure, but it cannot pass a link-state to the other side of the network (NIC). The problem currently is that handling of network failure cannot be performed correctly (depending on the point of failure).

I have used it for around two years.

I actually encountered stability issues in DPE mode, but it was with the first release.

I have not encountered any scalability issues.

Technical support is now 8/10. For the first release, it was 5. It took time because technical support was dispatched to overseas teams using translation. Now, a local team can support the technical issues.

We were using the audit product for memory reference types. We chose this product because of its integration with Oracle database and because it has the DB firewall function.

Initial setup was not straightforward, because we should have considered the network environment when we decided the policy configuration. The complexity of AVDF depends on the system (network) environment. If the number of DBs to be protected is high, you should consider organizing the network environment.

AVDF is very reasonable for Oracle products. The license cost is determined by the number of DB servers that will be protected. If you integrate the DB servers or use a multitenant environment, the number of licenses can also be aggregated.

Before choosing this product, I did not evaluate other options. Although there're some competitive third-party products for individual functions, as a comprehensive product, there are no other options.

I recommend conducting a performance and availability test before implementing AVDF.

Audit reporting and its user-friendliness that is required by auditors are valuable features.

It provides reports that are directly related to the compliance issues, i.e., for example SOX Compliance.

Policy defining should be more user-friendly. It still should be implemented and handed over to the end users. This policy defining cannot be done by an end user. It should be implemented initially, by a person who knows the Audit Vault along with the implementing business organization and their audit requirements. There should be a system analysis carried out and then this should be implemented. If the Oracle Audit Vault can give the administration interface to the end user itself, then he/she could generate the reports that they need, just by creating the customized report formats.

I have used this solution for three years.

Some of the earlier versions have not matured enough.

There were no scalability issues.

The technical support is good. I would give them a 7 out of 10 rating because there is no as such major implementation help given by the Oracle Support. There are a few people to support the same.

It is easy to work with the Oracle ERP and Oracle Database.

It is a little bit complex. The installation, implementation and policy defining should be done by experienced technical staff.

You can use this as a good audit reporting tool and it is worth to use it as a high compliance risk tool.

The installation and configurations should be done by experienced technical people, so as to achieve project success.