Manage Database Security with Oracle Data Safe
About Oracle Data Safe
Your corporate policy requires that you monitor your databases and retain audit records. Your developers are asking for copies of production data for that new application, and you're wondering what kinds of sensitive information it will contain. Meanwhile, you need to make sure that recent maintenance activities haven't left critical security configuration gaps on your production databases and that staff changes haven't left dormant user accounts on the databases. Oracle Data Safe assists you with these tasks and is included with your Exadata Database Service*.
Oracle Data Safe is a unified control center that helps you manage the day-to-day security and compliance requirements of Oracle Databases, whether they run in Oracle Cloud Infrastructure, on Cloud@Customer, on-premises, or in any other cloud.
Data Safe helps you evaluate security controls, assess user security, monitor user activity, and address data security compliance requirements for your database by evaluating the sensitivity of your data and masking sensitive data in non-production databases.
Data Safe provides the following features:
- Security Assessment: Configuration errors and configuration drift are significant contributors to data breaches. Use security assessment to evaluate your database's configuration and compare it to Oracle and industry best practices. Security assessment reports on areas of risk and notifies you when configurations change.
- User Assessment: Many breaches start with a compromised user account. User Assessment helps you spot the riskiest database accounts - those accounts which, if compromised, could cause the most damage - and take proactive steps to secure them. User Assessment Baselines make it easy to know when new accounts are added, or an account's privileges are modified. Use OCI events to receive proactive notifications when a database deviates from its baseline.
- Activity Auditing: Understanding and reporting on user activity, data access, and changes to database structures supports regulatory compliance requirements and can aid in post-incident investigations. Activity auditing collects audit records from databases and helps you manage audit policies. Audit insights make it easy to identify inefficient audit policies, while alerts based on audit data proactively notify you of risky activity.
- Sensitive Data Discovery: Knowing what sensitive data is managed in your applications is critical for security and privacy. Data discovery scans your database for over 150 different types of sensitive data, helping you understand what types and how much sensitive data you are storing. Use these reports to formulate audit policies, develop data masking templates, and create effective access control policies.
- Data Masking: Minimizing the amount of sensitive data your organization maintains helps you meet compliance requirements and satisfy data privacy regulations. Data masking helps you remove risk from your non-production databases by replacing sensitive information with masked data. With reusable masking templates, over 50 included masking formats, and the ability to easily create custom formats for your organization's unique requirements, data masking can streamline your application development and testing operations.
- SQL Firewall Management: Protect against risks such as SQL injection attacks or compromised accounts. Oracle SQL Firewall is a new security capability built into the Oracle Database 23ai kernel and offers best-in-class protection against these risks. The SQL Firewall feature in Oracle Data Safe lets you centrally manage and monitor the SQL Firewall policies for your target databases. Data Safe lets you collect the authorized SQL activities of a database user, generate and enable a policy with allowlists of approved SQL statements and database connection paths, and provides a comprehensive view of any SQL Firewall violations across the fleet of your target databases.
*Includes 1 million audit records per database per month if using the audit collection for Activity Auditing
Get Started
To get started you just need to register your database with Oracle Data Safe:
- Prerequisite: Obtain the necessary Identity and Access Management (IAM) permissions to register your target database in Data Safe: Permissions to register an Oracle Cloud@Customer Database
- Select an option for connecting your database to Data Safe
- Connect over VPN or FastConnect using a Data Safe private endpoint
If you have FastConnect or VPN Connect set up between your Cloud@Customer environment and a virtual cloud network (VCN) in the Oracle Cloud Infrastructure (OCI), you can register your database with Oracle Data Safe by using an Oracle Data Safe private endpoint. You can create the private endpoint during the registration or before. You can find more details on how to create the private endpoint under Create an Oracle Data Safe Private Endpoint.
- Connect using a Data Safe on-premises connector
If you don't have FastConnect or VPN set up between your Cloud@Customer environment and OCI or you don't want to use it for Data Safe, you can register your database with Data Safe by using an Oracle Data Safe on-premises connector. You can create and install the on-premises connector during the registration or before. You can find more details on how to create the connector under Create an Oracle Data Safe On-Premises Connector.
- Register your Cloud@Customer database in Data Safe
Using Oracle Data Safe
Once your database is registered in Data Safe, you can leverage all features.
Security Assessment
Security Assessments are automatically scheduled once a week in Data Safe and provide an overall picture of your database security posture. A security assessment analyzes your database configuration, users and user entitlements, and security policies to uncover security risks and improve the security posture of Oracle Databases within your organization. It provides findings with recommendations for remediation activities that follow best practices to reduce or mitigate risk.
Start by reviewing the security assessment report for your database: View the latest assessment for a target database
You can find more details on Security Assessment under Security Assessment Overview.
User Assessment
User Assessments are automatically scheduled once a week in Data Safe and help you to identify highly privileged user accounts that could pose a threat if misused or compromised. User Assessment reviews information about your users in the data dictionaries on your target databases and then calculates a potential risk for each user, based on system privileges and role grants.
Start by reviewing the user assessment report for your database: View the latest user assessment for a target database
You can find more details on User Assessment under User Assessment Overview.
Data Discovery
Data Discovery searches for sensitive columns in your database. It comes with over 150 pre-defined sensitive types and you can also create your own sensitive types. You tell Data Discovery if you want to scan your entire database or just certain schemas and what type of sensitive information to look for, and it finds the sensitive columns that meet your criteria and stores them in a sensitive data model (SDM).
Start by discovering sensitive data in your database: Create Sensitive Data Models
You can find more details on Data Discovery under Data Discovery Overview.
Data Masking
Data masking, also known as static data masking, helps you replace sensitive or confidential information in your non-production databases with realistic and fully functional data that has characteristics similar to the original data. Data Safe comes with pre-defined masking formats for each of the pre-defined sensitive types; these formats can also be used for your own sensitive types.
Once you know where sensitive data is stored in your database (for instance after running Data Discovery in Data Safe), you can start by creating a masking policy: Create Masking Policies
After you have created a masking policy and copied your production database, you can mask the non-production copy: Mask Sensitive Data on a Target Database
You can find more details on Data Masking under Data Masking Overview.
Activity Auditing
Activity Auditing in Oracle Data Safe helps to ensure accountability and improve regulatory compliance. With Activity Auditing, you can collect and retain audit records per industry and regulatory compliance requirements and monitor user activities on Oracle databases with pre-defined reports and alerts. For example, you can audit access to sensitive data, security-relevant events, administrator and user activities, activities recommended by compliance regulations like the Center for Internet Security (CIS), and activities defined by your own organization.
If you are using the audit collection in Data Safe, up to 1 million audit records per target database per month are included for your Cloud@Customer database.
To use activity auditing, start the audit trail for your target database in Data Safe: Start an Audit Trail
Once the audit trail is started, you can monitor and analyze your audit data with pre-defined audit reports: View a Predefined or Custom Audit Report
You can find more details on Activity Auditing under Activity Auditing Overview.
SQL Firewall*
SQL Firewall in Oracle Data Safe lets you centrally manage SQL Firewall on your target databases and provides a comprehensive view of SQL Firewall violations across the fleet. Data Safe lets you collect the authorized SQL activities of a database user you wish to protect, monitor the progress of the collection, and generate and enable a policy with allowlists of approved SQL statements and database connection paths.
Start by enabling the SQL Firewall in your 23ai target database: Enable SQL Firewall On Your Target Database.
Next, you need to generate and enable a SQL Firewall policy with allowlists for the database user you wish to protect: Generate and Enforce SQL Firewall Policies.
Once you start enforcing the SQL Firewall policy, you can monitor and analyze the violations in the pre-defined violation reports: View and Manage Violations Reports.
You can find more details on SQL Firewall under SQL Firewall Overview.
*SQL Firewall is only available for Oracle Databases 23ai.
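The Data Safe steps above (enable, collect, generate and enforce an allowlist, review violations) map onto the DBMS_SQL_FIREWALL package of Oracle Database 23ai. The following is an added example of that database-side workflow, not Data Safe's own code; the user APP_USER and the IP address are constructed placeholders, and the package calls are taken from the 23ai documentation of DBMS_SQL_FIREWALL.

```sql
-- Run as a user granted the SQL_FIREWALL_ADMIN role (SQL*Plus syntax).
-- APP_USER and 10.0.0.25 are constructed placeholders.

-- 1. Enable SQL Firewall in the database (Data Safe: "Enable SQL Firewall").
EXEC DBMS_SQL_FIREWALL.ENABLE;

-- 2. Capture the SQL that APP_USER legitimately runs during a representative
--    test cycle. top_level_only => TRUE records only statements the session
--    issues directly, not SQL nested inside PL/SQL units.
BEGIN
  DBMS_SQL_FIREWALL.CREATE_CAPTURE(
    username       => 'APP_USER',
    top_level_only => TRUE,
    start_capture  => TRUE);
END;
/
-- ... exercise the application, then stop the capture.
EXEC DBMS_SQL_FIREWALL.STOP_CAPTURE('APP_USER');

-- Review what was captured before turning it into an allowlist.
SELECT sql_text, client_program, ip_address
  FROM dba_sql_firewall_capture_logs
 WHERE username = 'APP_USER';

-- 3. Generate the allowlist from the capture and add an approved connection
--    path (the "database connection paths" the page refers to).
EXEC DBMS_SQL_FIREWALL.GENERATE_ALLOW_LIST('APP_USER');
BEGIN
  DBMS_SQL_FIREWALL.ADD_ALLOWED_CONTEXT(
    username     => 'APP_USER',
    context_type => DBMS_SQL_FIREWALL.IP_ADDRESS,
    value        => '10.0.0.25');
END;
/

-- 4. Enforce both the SQL and the connection-path allowlists. block => FALSE
--    would only log violations; run in that observe mode first on production.
BEGIN
  DBMS_SQL_FIREWALL.ENABLE_ALLOW_LIST(
    username => 'APP_USER',
    enforce  => DBMS_SQL_FIREWALL.ENFORCE_ALL,
    block    => TRUE);
END;
/

-- 5. Monitor violations (what Data Safe surfaces in its violation reports).
SELECT occurred_at, sql_text, ip_address, client_program, cause, firewall_action
  FROM dba_sql_firewall_violations
 WHERE username = 'APP_USER'
 ORDER BY occurred_at DESC;
```

When a database is registered in Data Safe, these steps are driven from the Data Safe console and the violations appear in its fleet-wide reports instead of being queried per database.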