Compare Security Assessments for Single Target Databases

It's important to be able to track how the potential risks in a target database change over time so that you have the data you need to maintain the optimal security posture and to observe trends and patterns in changes that affect security.

About Comparing Security Assessments

You can compare the latest assessment to a baseline assessment or a saved assessment from the Assessment history.

Note:

The compare options are visible only when you are viewing the latest security assessment.

Compare with Baseline

When an assessment indicates that the level of potential risk on a target database is low, consider setting that assessment as the baseline. You can then compare the latest assessment of the same target database against the baseline.

For example, let's say that in January you spent a month addressing all of the findings for your target database. On February 1, all of the risks have been resolved. You may then want to set the security assessment from February 1 as your new baseline. First, refresh the target database assessment to ensure the fixed findings no longer appear as risks. Then you can set the February 1 assessment as the baseline. From that point on, you are able to observe any security drift since the February 1 assessment.

Compare with Other Assessments

You may also want to compare the current security posture with one from a previous point in time. You can go back into Assessment History and set an older assessment (for the same target database) as the baseline.

Structure of a Comparison Report for Security Assessment

When you use the Compare with baseline option, the report shows deviations from the baseline that appear in the latest assessment of the target database. When you use the Compare with other assessments option, the deltas reported are between the latest assessment and the selected saved assessment.

The comparison report consists of the following elements:

  • Baseline name and Comparison created time
  • Summary table
  • Details table

Baseline name and Comparison created time

You can view the name of the baseline assessment used in the comparison and the date and time the comparison was done. The date and time for a baseline displays when the first baseline was set for any target in the current compartment. It is not necessarily the date and time the target specific baseline you are viewing was created.

Summary table

The summary table helps you to identify where the risk level changes are occurring on your target database and whether the risk levels are increasing, decreasing, or staying the same. The risk levels are categorized as High, Medium, Low, Evaluate, Advisory, Pass, and Deferred. The categories represent types of findings, which are User accounts, Privileges and roles, Authorization control, Data encryption, Fine-grained access control, Auditing, and Database configuration. You can view the number of new risks added, the number of risks remediated (removed), and the number of risks that have changed to a different risk level (modified). The change value is the total count of new, remediated, and modified risks on the target database for each category/risk level.

Details table

The details table describes the changes on the target database. For each change, you can view the risk level, category, and finding name. You can also expand each line in the table to view specifics about what is changed, added, or removed from the target database since the baseline report was generated.

Set a Baseline Security Assessment for a Target Database

You can make the latest security assessment or any saved one in the Assessment history the baseline for a target database.

After you set a baseline, future assessments for the target database automatically include a check for security drift, which is any deviation from the baseline. You are also then able to manually compare any saved assessment with the baseline to check for security drift.

  1. If needed, prepare a security assessment to be the baseline:
    1. Assess your target database.
    2. Review the findings and fix them as needed.
    3. Assess the target database again. You can either wait for the next scheduled assessment or immediately refresh the assessment. If the new assessment shows fewer or no risks for the target database or target database group and you are satisfied that this assessment represents an optimal security posture, then you are ready to set it as the baseline.
  2. Open the security assessment that you want to use as the baseline. You can open the latest assessment or one from the Assessment history.
  3. Verify that the assessment’s overall potential risk level is acceptable.
  4. If you're using the latest assessment: From the Actions menu, select Set as baseline.
  5. If you're using a saved assessment: Select Set as baseline.
  6. In the confirm dialog box, select Yes to confirm.

Compare the Latest Security Assessment to a Baseline Assessment

You can compare the latest security assessment to a baseline assessment of the same target database to check for security drift. Setting a baseline assessment is a prerequisite.

  1. Open the latest security assessment for your target database.
  2. Select the Compare with baseline tab.
  3. Select View comparison report. The Comparison with baseline panel opens and shows a table listing what has changed in the latest assessment relative to the baseline.
  4. To view more detail about a change:
    1. At the end of a line in the table, select the three dots, and then select the option to view more detail. The Comparison details panel opens.
    2. Review the information, and then select Close.

Compare the Latest Security Assessment to a Saved Assessment

You can compare the latest security assessment to any saved assessment in the Assessment history to check for security drift in a target database.

  1. Open the latest security assessment for your target database.
  2. From the Actions menu, select Compare with other assessments. The Comparison with other assessments panel opens.
  3. Select the compartment and assessment that you want to compare to the latest assessment.
  4. Select Compare.
  5. Review the list of changes in the table. The comparison shows what has changed in the latest assessment relative to the saved assessment that you selected.
  6. At the end of each line in the table, select the three dots and select the option to view more detail about the change. The Comparison details panel opens. Review the information, and then select Close.

Compare a Security Assessment to a Template Baseline

You can compare a security assessment for a target database to a template baseline.

Note:

To obtain a template baseline, you must first create an assessment template and apply it to your target database. The "apply" step generates a template baseline.
  1. Open the latest security assessment or a saved assessment for a target database.
  2. From the Actions menu, select Compare with template baselines. The Compare with template baselines panel opens.
  3. For Select assessment compartment, select the compartment for the template baseline.
  4. For Select assessment, select the baseline template.
  5. Select Compare.
  6. Select Close.
  7. Select the Compare with baseline tab.
  8. In the Template baseline section, select View comparison report. The Comparison with template baseline panel opens.
  9. If a comparison has not been done yet, select Compare.
  10. Review the comparison data.
  11. Select Close to close the panel.