Oracle Data Safe Architecture
The main components of Oracle Data Safe are the Oracle Data Safe service in Oracle Cloud Infrastructure, a back-end Oracle AI Database repository, and target databases.
Oracle Data Safe Service
Oracle Data Safe is a multi-tenant service running in a service tenancy owned by Oracle. Service data associated with the instance is stored in a back-end Oracle Autonomous AI Database Serverless database that’s dedicated to the customer and region and is isolated from other customers' instances. For more information, refer to the Privacy and Security Feature Guidance for Oracle Autonomous AI Database Serverless available on My Oracle Support (Doc ID 114.2).
You can access the Oracle Data Safe service in Oracle Cloud Infrastructure. The features provided in the service are categorized by the following pages:
- Overview: Register target databases with Oracle Data Safe by using a wizard, access documentation, and learn about Oracle Data Safe private endpoints and on-premises connectors.
- Target databases: View details for target databases to which you have access, register new target databases (manually or by using a wizard), and manually create and manage Oracle Data Safe private endpoints and on-premises connectors.
- Target database groups: View details for target database groups to which you have access and create new target database groups.
- Settings: Set global paid usage and global audit record retention policy settings for the regional Oracle Data Safe service.
- Attribute sets: View details for attribute sets to which you have access and create new attribute sets.
- Security assessment: Evaluate the security posture of your databases, receive recommendations on how to mitigate the identified risks, and work with assessment reports, assessment templates, baseline templates, assessment history, and schedules.
- User assessment: Identify potential risk inherent in database accounts, assess the potential risk a compromised or misused account would pose, and work with user profiles, assessment history, and schedules.
- Data discovery: Analyze schemas in your databases to understand which tables and columns are likely to contain sensitive data, and work with sensitive types, sensitive data models, and sensitive type exports.
- Data Masking: Mask data to safely share it for non-production purposes (such as development and data analytics) and work with masking formats, masking policies, and pre-masking reports.
- Activity auditing: Collect and store database audit data from all your target databases centrally in Data Safe and identify anomalous behavior with pre-defined audit policies, alerts, and reports. Work with auditing reports, audit report history, audit policies, audit profiles, archive data retrievals, audit trails, and audit insights.
- Security policies: View and manage Oracle predefined and custom security policies for target databases or target database groups. Work with security policy deployments and unified audit policies.
- SQL firewall: Restrict database access to only authorized SQL statements/connections to provide real-time protection against common database attacks. Work with violation reports, SQL Firewall policies, SQL collections, and violation report history.
- Alerts: Stay informed of unusual database activities as they happen and ensure you have configured appropriate audit policies to track those activities in the database. Work with alert reports, alert report history, alert policies, and target policy associations.
Oracle Data Safe Database Repository
Oracle Data Safe uses its own Oracle Autonomous AI Database to store your service information, such as audit data (trails), masking settings, reports, and alerts, among other things. Only your Oracle Data Safe information is stored in this database; it is not stored alongside other customers' Oracle Data Safe information.
There is a dedicated database for each tenancy's Oracle Data Safe instance per region and the databases are automatically provisioned and included with the Oracle Data Safe service. The databases are secure and highly available in the Oracle Cloud.
Target Databases
Oracle Data Safe can connect to your Oracle databases, including Oracle Autonomous AI Databases, Oracle Cloud Databases (Bare Metal, Virtual Machine, and Exadata on Oracle Public Cloud), on-premises Oracle databases, Oracle Cloud@Customer databases (Oracle Exadata Database Service on Cloud@Customer and Oracle Autonomous AI Database on Exadata Cloud@Customer), and Oracle databases on compute instances in both Oracle Cloud Infrastructure and non-Oracle cloud environments.
You can choose to use all Oracle Data Safe features with a target database or just certain ones. For example, you may want to use Activity Auditing with one target database and use Data Discovery and Data Masking with another.
Two different protocols are supported for connecting Oracle Data Safe to your target databases:
- TCP with network encryption, where your target database has to have network encryption enabled.
- TCPS, where your target database has to be configured with TLS version 1.2.
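The two connection options above correspond to Oracle Net settings in the target database's sqlnet.ora. The following Python check is an added example, not part of the Oracle documentation or of Oracle Data Safe; it reads sqlnet.ora text and reports what the file permits for each option. The function names, result labels, and sample files are constructed for illustration, and the listener's TCPS endpoint is not checked.

```python
import re

# SQLNET.ENCRYPTION_SERVER value -> what it means for the "TCP with network encryption" option
ENCRYPTION_STATES = {
    "REQUIRED": "enforced",     # server refuses unencrypted sessions
    "REQUESTED": "negotiable",  # encrypted unless the client rejects it
    "ACCEPTED": "negotiable",   # encrypted only if the client asks (Oracle Net default)
    "REJECTED": "disabled",     # server never encrypts
}

def parse_sqlnet(text):
    """Return {PARAM: value} from sqlnet.ora text; names upper-cased, comments dropped."""
    params, last = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if raw[0].isspace() and last:  # indented line continues the previous value
            params[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip().upper()
        params[last] = value.strip()
    return params

def check_target(text):
    """Report what a target's sqlnet.ora permits for each supported connection option."""
    p = parse_sqlnet(text)
    enc = p.get("SQLNET.ENCRYPTION_SERVER", "ACCEPTED").strip("() ").upper()
    tls = p.get("SSL_VERSION", "").lower()
    if not tls or "undetermined" in tls:
        tls12 = "unpinned"  # no explicit version list; effective default depends on release
    else:
        tls12 = "allowed" if "1.2" in re.findall(r"\d\.\d", tls) else "not allowed"
    return {"tcp_network_encryption": ENCRYPTION_STATES.get(enc, "invalid"),
            "tcps_tls_1_2": tls12}

# Constructed sample files, not taken from any real system.
WEAK = """SQLNET.ENCRYPTION_SERVER = rejected
SSL_VERSION = 1.1
"""
HARDENED = """SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256,
    AES192)
SSL_VERSION = 1.2   # TLS 1.2 for the TCPS option
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_target(cfg))
```

A result of "negotiable" means encryption depends on what the connecting client requests, so only "enforced" guarantees that every TCP session to the target is encrypted.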
Oracle recommends that you back up your target databases when using features like Data Masking. You can use services in Oracle Cloud Infrastructure, such as Oracle Storage Cloud Service or Oracle Cloud Infrastructure Storage Service to back up your target databases.
The following diagram illustrates the Oracle Data Safe components, including the Oracle Data Safe service, Oracle Data Safe's back-end database, and target databases.