Compare Security Assessments

For a target database, you can generate a comparison report that shows the differences between an assessment and the baseline or between any two assessments of the target. This report identifies the security drift that has occurred between the time of the two assessments.

Overview of Security Assessment Comparison

There are two ways to compare security assessments:

  • Compare a saved security assessment with the baseline. In this case, you need to set one of your security assessments as the baseline.
  • Compare the latest security assessment with a saved assessment from the Assessment History.

After you have fixed any significant findings in an assessment, you can either wait for the next scheduled assessment or use the Refresh Now option to immediately refresh the assessment. You can then recheck the assessment to confirm that the fixes have successfully reduced the risks in the target database. If you are satisfied that this assessment represents an optimal security posture, you can set it as the baseline to compare against other assessments.

For example, let's say that in January you spent a month addressing all of the findings for your target database. On February 1, all of the risks have been resolved. You may then want to set the security assessment from February 1 as your new baseline. First, refresh the target database assessment to ensure the fixed findings no longer appear as risks. Then you can set the February 1 assessment as the baseline. From that point on, you are able to observe any security drift since the February 1 assessment.

The baseline can be the latest assessment, but this is not required. You can also go back into Assessment History and set an older assessment as the baseline.

If you have set a baseline for a target, then on the Security Assessment page you can check for any drift from the baseline assessment. Click the Target Summary tab. If there has been any security drift in a target database, then the Deviation From Baseline column in the summary alerts you to the deviation. This column also tells you whether or not a baseline has been set for the target database.

Summary of Tasks to Do Before Setting a Baseline

  1. Assess the target database.
  2. Identify the risks and review.
  3. Fix the findings that need to be addressed.
  4. Assess the target database again.
  5. If the new security assessment shows fewer or no risks, then set it as the baseline.

Structure of a Comparison Report

A Comparison Report consists of a summary table and a details table.

The summary table helps you to identify where the risk level changes are occurring on your target database and whether the risk levels are increasing, decreasing, or staying the same. The details table describes the changes on the target database. The risk levels are categorized as High, Medium, Low, Advisory, Evaluate, Deferred, and Pass. The categories represent types of findings, which are User Accounts, Privileges and Roles, Authorization Control, Data Encryption, Fine-Grained Access Control, Auditing, and Database Configuration. You can view the number of new risks added, the number of risks remediated (removed), and the number of risks that have changed to a different risk level (modified). The change value is the total count of new, remediated, and modified risks on the target database for each category/risk level. The green color is used to indicate a positive change whereas the red color indicates the change needs your attention.

In the details table, you can view the risk level for each change, the findings category to which the change belongs, and a description of the change. The Comparison column is important because it provides explanations of what is changed, added, or removed from the target database since the baseline report was generated. The column also tells you if the change is a new risk or a remediated risk.
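The following added example (not Oracle code and not a Data Safe export format) shows how the new, remediated, and modified counts and the change total described above can be derived from two sets of findings. The finding keys and the dictionary layout are constructed for illustration, and counting a modified finding under its later risk level and a remediated finding under its baseline risk level is an assumption.

```python
from collections import Counter

# Constructed sample data: finding key -> (category, risk level).
# Keys and layout are assumptions for illustration only.
BASELINE = {
    "default-password-accounts": ("User Accounts", "High"),
    "dba-role-grants": ("Privileges and Roles", "Medium"),
    "unified-audit-policies": ("Auditing", "Pass"),
    "tablespace-encryption": ("Data Encryption", "Pass"),
}
LATEST = {
    "dba-role-grants": ("Privileges and Roles", "High"),        # risk level changed
    "unified-audit-policies": ("Auditing", "Pass"),             # unchanged
    "tablespace-encryption": ("Data Encryption", "Pass"),       # unchanged
    "remote-os-authentication": ("Database Configuration", "Medium"),  # new
}

def compare(baseline, latest):
    """Return (details, summary) describing drift from baseline to latest."""
    details = []  # rows of (risk level, category, finding key, comparison)
    for key in sorted(baseline.keys() | latest.keys()):
        old, new = baseline.get(key), latest.get(key)
        if old is None:                      # present only in the later assessment
            details.append((new[1], new[0], key, "new"))
        elif new is None:                    # no longer reported
            details.append((old[1], old[0], key, "remediated"))
        elif old[1] != new[1]:               # same finding, different risk level
            details.append((new[1], new[0], key, "modified"))
    summary = {}  # (category, risk level) -> Counter of new/remediated/modified/change
    for risk, category, _key, comparison in details:
        cell = summary.setdefault((category, risk), Counter())
        cell[comparison] += 1
        cell["change"] += 1                  # change = new + remediated + modified
    return details, summary

def report_status(details):
    """Mirror the message shown when the two assessments do not differ."""
    return "Assessments Are Identical" if not details else f"{len(details)} change(s)"

if __name__ == "__main__":
    rows, cells = compare(BASELINE, LATEST)
    for row in rows:
        print(*row, sep=" | ")
    for cell, counts in sorted(cells.items()):
        print(cell, dict(counts))
    print(report_status(rows))
```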

Set the Latest Assessment or a Saved Assessment as the Baseline for a Target Database

You can set the latest security assessment or an archived security assessment for a target database as a baseline.

  1. Under Security Center, click Security Assessment.
  2. From the Security Assessment page, click the Target Summary tab.
  3. From the Compartment drop-down list, select the compartment that contains your target database.
  4. (Optional) Under Filters, select a target database from the Target databases list to narrow the scope of displayed metrics and charts.
  5. In the Target Summary table, locate your target database and then click the View Report link to open the latest assessment report.

    The Security Assessment Details page shows the latest assessment.

  6. To set the latest assessment as the baseline, do the following:
    1. Click Set as Baseline.

      The Set as Baseline dialog box is displayed asking you to confirm setting the latest saved assessment report as a baseline.

    2. Click Yes to confirm.
  7. To set an earlier assessment as the baseline, do the following:
    1. Click View History.
    2. Review the risk findings for the listed assessments and identify a particular assessment to use as the baseline.
    3. Click the name of the assessment.
    4. Click Set As Baseline. The Set as Baseline dialog box is displayed asking you to confirm setting the assessment report as a baseline.
    5. Click Yes to confirm.

Tip:

You can also set an assessment as the baseline through the Assessment History page.

  1. Navigate to the Security assessment page.
  2. Under Related resources, click Assessment history. The Security assessment history page is displayed, listing all previous auto-generated assessments.
  3. (Optional) Under Filters, select a time period from the Time period list to narrow the scope of displayed metrics and charts.
  4. (Optional) Under Filters, select a target database from the Target databases list to narrow the scope of displayed metrics and charts.
  5. Click an assessment name to view its details.
  6. Click Set as baseline. The Set as baseline dialog box is displayed asking you to confirm setting the assessment report as a baseline.
  7. Click Yes to confirm.

Compare the Latest Assessment with the Baseline

You can compare the latest security assessment with the baseline. To do this, open the latest assessment report and use the Compare with Baseline feature. Setting a baseline assessment report is a prerequisite.

  1. Under Security Center, click Security Assessment.
  2. From the Compartment drop-down list, select the compartment that contains your target database. Optionally, deselect INCLUDE CHILD COMPARTMENTS to not list target databases in the child compartments.
  3. Click the Target Summary tab.
  4. Open the latest assessment report. To do this, in the Target Summary table, locate the line for your target database, and click View Report in the Last Assessed On column.

    The Security Assessment Details page is displayed, showing you the latest assessment report for the target database. On the left under Resources, you now have two options to compare assessment reports.

  5. Under Resources, click Compare With Baseline.

    A Comparison With Baseline section is displayed on the page. If a previous comparison was done, the latest Comparison report is displayed in the section, including the name and creation date of the baseline report.

    Note:

    The Created time for a baseline will display the date and time when the first baseline was set for any target in the current compartment. It is not necessarily the date and time the target-specific baseline you are viewing was created.
  6. To do a comparison, click Compare Now.

    The Comparison report is displayed.

  7. View the Comparison report.

    Review the number of findings per risk category for each risk level. Categories include User Accounts, Privileges and Roles, Authorization Control, Data Encryption, Fine-Grained Access Control, Auditing, and Database Configuration.

    You can identify where the changes have occurred on your target database by viewing cells that contain Modified. The number represents the total count of new, remediated, and modified risks on the target database.

Compare a Saved Security Assessment With the Latest Assessment

You can compare any saved assessment with the Latest Assessment of the same target database.

  1. Under Security center, click Security assessment.
  2. Click the Target summary tab.
  3. From the Compartment drop-down list, select the compartment that contains your target database. Optionally, deselect INCLUDE CHILD COMPARTMENTS to not list target databases in the child compartments.
  4. (Optional) Under Filters, select a target database from the Target databases list to narrow the scope of displayed metrics and charts.
  5. Open the latest assessment report for your target database. To do this, in the Target summary table, locate the line for your target database, and click View report in the Last assessed time column.

    The Security Assessment Details page is displayed, showing you the latest assessment report for the target database.

  6. Under Resources on the left, click Compare Assessments.

    The Security Assessment Details page updates to include a comparison section.

  7. (Optional) If the assessment report that you want to select is located in a different compartment than the one that is shown, click Change Compartment, and select a different compartment.
  8. From the Select Assessment drop-down list, select an assessment report.
  9. Click Compare Now.

    While Security Assessment is comparing the two reports, you see the message Comparison in Progress. When the comparison is completed, the report is displayed on the same page.

    If there are no differences between the reports, the message Assessments Are Identical is displayed in the Finding column.