Oracle Data Safe Overview

Oracle Data Safe is a unified control center for your Oracle databases which helps you understand the sensitivity of your data, evaluate risks to data, mask sensitive data, implement and monitor security controls, assess user security, monitor user activity, and address data security compliance requirements.

This article has the following topics:

Features of Oracle Data Safe

Oracle Data Safe provides the following set of features for protecting sensitive and regulated data in Oracle databases, all in a single, easy-to-use management console:

  • Security Assessment helps you assess the security of your database configurations. It analyzes database configurations, user accounts, and security controls, and then reports the findings with recommendations for remediation activities that follow best practices to reduce or mitigate risk.
  • User Assessment helps you assess the security of your database users and identify high risk users. It reviews information about your users in the data dictionary on your target databases, and calculates a risk score for each user. For example, it evaluates the user types, how users are authenticated, the password policies assigned to each user, and how long it has been since each user has changed their password. It also provides a direct link to audit records related to each user. With this information, you can then deploy appropriate security controls and policies.
  • Data Discovery helps you find sensitive data in your databases. You tell Data Discovery what kind of sensitive data to search for, and it inspects the actual data in your database and its data dictionary, and then returns to you a list of sensitive columns. By default, Data Discovery can search for a wide variety of sensitive data pertaining to identification, biographic, IT, financial, healthcare, employment, and academic information.
  • Data Masking provides a way for you to mask sensitive data so that the data is safe for non-production purposes. For example, organizations often need to create copies of their production data to support development and test activities. Simply copying the production data exposes sensitive data to new users. To avoid a security risk, you can use Data Masking to replace the sensitive data with realistic, but fictitious data.
  • Activity Auditing lets you audit user activity on your databases so you can monitor database usage.
  • Alerts keep you informed of unusual database activities as they happen.

Key Concepts and Terminology

Understand the following concepts and terminology to help you get started with Oracle Data Safe.

Oracle Cloud Infrastructure

Oracle Cloud Infrastructure is a set of complementary cloud services that enables you to build and run a wide range of applications and services in a highly available hosted environment. Oracle Cloud Infrastructure offers high-performance compute capabilities (as physical hardware instances) and storage capacity in a flexible overlay virtual network that is securely accessible from your on-premises network. Oracle Data Safe is integrated as a service into Oracle Cloud Infrastructure.

Oracle Cloud Infrastructure Console

The Oracle Cloud Infrastructure Console is a simple and intuitive web-based user interface that you can use to access and manage Oracle Cloud Infrastructure. You can access Oracle Data Safe in the Oracle Cloud Infrastructure Console.

Tenancy

A tenancy is a secure and isolated partition within Oracle Cloud Infrastructure where you can create, organize, and administer your cloud resources.

Region and Availability Domain

Oracle Cloud Infrastructure is physically hosted in regions and availability domains. A region is a localized geographic area, and an availability domain is one or more data centers located within a region. A region is composed of one or more availability domains. Oracle Cloud Infrastructure resources are either region-specific, such as a virtual cloud network, or availability domain-specific, such as a compute instance.

Oracle Data Safe

Oracle Data Safe is a fully-integrated Cloud service in Oracle Cloud Infrastructure focused on the security of your data. It provides a complete and integrated set of features for protecting sensitive and regulated data in Oracle databases. The Security Center in Oracle Data Safe is the main area where you can access all the features. You can enable Oracle Data Safe in each region of your tenancy in Oracle Cloud Infrastructure.

Oracle Cloud Infrastructure Identity and Access Management (IAM)

The IAM service is the default, fully integrated, identity management service for Oracle Cloud Infrastructure. It lets you control who has access to your cloud resources, what type of access user groups have, and to which specific resources user groups have access. Oracle Data Safe uses all the shared services in Oracle Cloud Infrastructure, including IAM.

IAM Compartment

In IAM, compartments allow you to organize and control access to your cloud resources. A compartment is a collection of related resources, such as database instances, virtual cloud networks, and block volumes. A compartment should be thought of as a logical group and not a physical container. When you begin working with resources in the Oracle Cloud Infrastructure Console, the compartment acts as a filter for what you are viewing. A group requires permission by an administrator to access a compartment.

IAM User Group

A user group in IAM is a collection of users who all need the same type of access to a particular set of resources or compartment. Tenancy administrators can create users and groups in the root compartment of a tenancy with the IAM service in Oracle Cloud Infrastructure. Oracle Data Safe retrieves user groups from IAM, and in some cases, individual users.

Oracle automatically creates a tenancy administrator for you and adds it to the tenancy's Administrators group. This group has all permissions on all resources in the tenancy, and is responsible for creating the users, groups, and compartments for the tenancy.

IAM Policy

An IAM policy is a document that specifies who can access which resources in Oracle Cloud Infrastructure, and how. Access is granted at the group and compartment level, which means you can write a policy that gives a group a specific type of access within a specific compartment, or to the tenancy itself. If you give a group access to your tenancy, the group automatically gets the same type of access to all the compartments inside your tenancy. Only tenancy administrators can create policies. An administrator can create IAM policies to define user privileges for all Oracle Data Safe resources.

Oracle Data Safe Console

The Oracle Data Safe Console is the former user interface for Oracle Data Safe. Administrators need to migrate content from this Console to the new Security Center in Oracle Cloud Infrastructure.

Oracle Data Safe Repository

The Oracle Data Safe repository is an Oracle database that stores audit data and metadata for Oracle Data Safe.

Target Database

A target database is an Oracle Database on which Oracle Data Safe can perform user and security assessment, data discovery, data masking, activity auditing, and alerts.

Sensitive Type

A sensitive type is a classification of sensitive data and defines the kind of sensitive columns to search for. For example, the US Social Security Number (SSN) sensitive type helps you discover columns containing Social Security numbers. Data Discovery searches for sensitive data in your databases based on the sensitive types that you choose. You can choose from a wide variety of predefined sensitive types and can also create your own sensitive types.

Sensitive types are divided into categories. The top-level categories are Identification Information, Biographic Information, IT Information, Financial Information, Healthcare Information, Employment Information, and Academic Information. You can choose individual sensitive types or sensitive categories to search sensitive data.

Sensitive Data Model

A sensitive data model is a collection of sensitive columns and referential relationships. Data Discovery identifies sensitive columns and referential relationships and creates a sensitive data model. Data Discovery automatically searches the Oracle data dictionary to find relationships between primary key columns and foreign key columns and flags them as sensitive. It can also discover non-dictionary referential relationships, which are relationships defined in applications and not in the Oracle data dictionary.

Masking Format

A masking format defines the logic to mask sensitive data in a database column. For example, the Shuffle masking format randomly shuffles values in a column. The Email Address masking format replaces values in a column with random email addresses. Oracle Data Safe provides many predefined masking formats. If needed, you can create your own.

Masking Policy

A masking policy maps sensitive columns to masking formats that should be used to mask the data. You can use a masking policy to perform data masking on a target database. You can create a masking policy using a sensitive data model.

Audit Data Retrieval

An audit data retrieval represents an archive retrieve request for audit data. You can retrieve audit data for a target database from the archive and store it online.

Audit Policy

An audit policy represents the audit policies for the target database and their provisioning status on the target database.

Audit Profile

An audit profile represents audit profile settings and audit configurations for the database target, and helps determine the audit data volume available on the target and the volume collected by Oracle Data Safe.

Alert Policy

In Oracle Data Safe, you can provision alert policies on your target databases. An alert policy defines an event in a database to monitor. Alert policies are rule-based and are triggered based on the audit data collected.

Audit Trail

An audit trail represents the source of audit records that provides documentary evidence of the sequence of activities in the target database.

Alert

An alert is a message that notifies you when a particular audit event happens on a target database.