Security Assessment Overview

About Security Assessment

Misconfigured databases are a major contributor to database breaches. Human errors could leave your database open to everyone, or an attacker could maliciously exploit configuration mistakes to gain unauthorized access to sensitive data. This can have a devastating impact on your reputation and bottom line. Knowing where your database configuration introduces risk is the first step in minimizing that risk. Security Assessment provides you with an overall picture of your database security posture. It analyzes your database configurations, user and their entitlements as well as security policies to uncover security risks and improve the security posture of Oracle databases within your organization. A security assessment provides findings with recommendations for remediation activities that follow best practices to reduce or mitigate risk. The information presented depends on the type of target database and whether it is running on-premises or in the cloud. Specific checks and recommendations are made for Autonomous Databases, Oracle Base Database Service, and on-premises Oracle Databases.

For all registered target databases, Security Assessment automatically generates an assessment once per week and saves a copy of it to the history. This report is referred to as the "latest" assessment. If needed, you can modify its schedule. You also have the option to create a schedule that saves a copy of the latest assessment to a different compartment and with a different name.

Security Assessment lets you refresh the latest assessment at any time by using the Refresh Now option. After the latest assessment is refreshed, Security Assessment saves the assessment to the history and also overwrites the latest assessment. To monitor security configuration drift on your target database, you need to set a baseline. Once your baseline is set, Data Safe automatically compares it against each assessment refresh. You can also manually compare two selected assessments. Lastly, you can generate a PDF or XLS report from an assessment.

The following are use cases for the Security Assessment feature:

Identify and mitigate risks:
- Quickly and easily assess your database configurations to learn which configuration choices may have introduced unnecessary risk and how you can remove, or mitigate risks.
- Leverage checks that range from Oracle Database security best practices, CIS Benchmark recommendations, best practices from the General Data Protection Regulation (GDPR) to Department of Defense Security Technical Implementation Guide (STIG) rules.
Compliance and best practices:
- Support your regulatory compliance efforts by adhering to security best practices and industry standards.
- Track remediation and compliance progress by customizing the risk level associated with a finding.
Improve database security insight:
- Get visibility to fleet-wide database security risks.
- Monitor security drift by comparing an assessment against a baseline.
- Get visibility into deployed security policies and get awareness of available database security controls to further protect your data.

Risk Levels

You can use the Risk Level values as guidelines for implementing Security Assessment recommendations. They can be used to prioritize and schedule changes based on the level of risk, and what it might mean to your organization. Security Assessment uses the following risk levels to measure the severity of a finding:

High: Needs immediate attention.
Medium: Plan to address this in the short term.
Low: Might be fixed during a scheduled downtime or bundled together with other maintenance activities.
Advisory: Improve security posture by enabling more security features and technology.
Evaluate: Needs manual analysis.
Pass: No risks found.
Deferred: The user deliberately decided to postpone or delay taking action on a particular identified risk for a specified period of time or indefinitely. When a risk is deferred, it means that, after evaluation, it has been acknowledged but not immediately addressed.

Security Assessment Dashboard

When you first access the main page for Security Assessment in the Data Safe Security Center, you are presented with a dashboard that consists of these components:

Risk level, Risks by category, and Top 5 common controls charts
Risk summary tab
Target summary tab
Notifications tab
Related resources
List scope

You can explore key features and workflows with the guided tour option by clicking the "Take the tour" button in the Security Assessment dashboard.

Note:

You can view assessments only within compartments where you have the required privileges.

Description of sa_security_assessment_dashboard.png follows

Description of the illustration sa_security_assessment_dashboard.png

Charts

At the top of the Security Assessment page, you can view the Risk Level, Risks by Category, and Top 5 common controls charts.

The Risk level chart shows you a percentage breakdown of the different risk levels (High, Medium, Low, Advisory, Evaluate, and Deferred) across all of your target databases.

The Risks by category chart shows you a percentage breakdown of the findings in each risk category (User Accounts, Privileges and Roles, Authorization Control, Data Encryption, Fine-Grained Access Control, Auditing, and Database Configurations) across all of your target databases.

The Top 5 common controls chart shows a bar graph of the number of target databases at each risk level for each of the top five common controls. The top five common controls are the five security controls that Oracle considers the most important to the security of your target databases. Clicking on any of the bars will show you the list of target databases associated with the selected data.

Note:

The Potential risk category in the Top 5 common controls chart includes any high, medium, and low risk findings.

Risk Summary

The Risk Summary tab lets you quickly view the number of risk findings per risk level across all of your target databases in a selected compartment. There is one table row for each risk level: High, Medium, Low, Advisory, Evaluate, and Deferred. For each risk level, you can view the number of findings for the following categories: User Accounts, Privileges and Roles, Authorization Control, Fine-Grained Access Control, Data Encryption, Auditing, and Database Configuration. From this page, you can drill down to view more information about the identified risks, and then drill down further to view information about a particular target database.

Description of the illustration sa_risk_summary.png

Target Summary

The Target Summary tab shows you the number of findings for each risk level (High, Medium, Low, Advisory, Evaluate, and Deferred) per target database, the date of the last assessment, and whether the latest assessment deviates from the baseline (assuming you set a baseline). You can also access a link to the latest Security Assessment report for each target database. If an assessment failed, a FAILED icon (yellow yield sign with an exclamation mark) is displayed in the Last Assessed On column for the target database.

Description of the illustration sa_target_summary.png

Notifications

The Notifications tab shows you what event notifications and subscriptions you have created for Security Assessment. More specifically, it displays the event, rule name, topic name, and when the event notification was created. This table will only show events that you have created directly within Data Safe. If you haven't created any event notifications for Security Assessment in Data Safe yet, you will see the list of quick start templates allowing you to create a notification for the most common events. In addition to displaying existing event notifications, you can also create new notifications by using the Create notification button. See Create and Modify Event Notifications in Security Assessment for more information.

Related Resources

The Related Resources list varies, depending on what is most useful in relation to the page you are currently looking at. At the level of the dashboard, it includes links to the Assessment reports, Assessment history, Assessment templates, and Schedules pages. If you are looking at a particular assessment it provides options to compare that assessment with other assessments.

List Scope

List Scope is where you set the scope of the lists in the Risk Summary and Target Summary tabs. It determines which compartments are included in those lists.

Description of the illustration ua_and_sa_list_scope.png

You can set the scope of your view of Security Assessment to the root compartment alone or root with all of its child compartments or to any compartment under root with or without that compartment's child compartments.

Setting the scope to root with its child compartments allows you to review the overall security posture of your tenancy, or you can focus on a specific compartment by narrowing the scope to that compartment.

Note:

It's important to remember that within the selected scope, your view within Security Assessment is determined by the privileges your account has been granted in OCI.

Structure of a Security Assessment

A Security Assessment for a target database consists of the following five sections:

Assessment Summary tab
Assessment Information tab
Tags tab
Assessment Details section
Resource and Filters section

Assessment Summary Tab

This tab shows you at a glance the security posture of your target database. This tab presents the risk level of the Top 5 common controls and the number of findings per category per risk level. The Top 5 common controls are the five security controls that Oracle considers the most important to the security of your target databases. Clicking on any of the top 5 common controls will direct you to the specific finding in the Assessment Details, where you can find more information.

Description of sa_assessment_summary.png follows

Description of the illustration sa_assessment_summary.png

Assessment Information Tab

This tab shows you the following metadata for the report:

Name and OCID of the assessment.
Compartment in which the assessment is stored, the target database name and version
Assessment date and time
The schedule of the assessment (you can change this schedule as needed)
Baseline (if set)
Complies with Baseline (Yes, No, or No Baseline Set). This field is populated depending on if a baseline was previously set and you compared this assessment with the baseline.

Description of sa_assessment_information_tab.png follows

Description of the illustration sa_assessment_information_tab.png

Tip:

On the Assessment Information tab you can change the auto-generated name of the assessment to a name that has specific meaning for your organization. You and other users can then more easily identify assessments. For example, you could change the name of the autogenerated security assessment SA_1670530009857 to SA_target05.

Tags Tab

This tab lets you manage Oracle Cloud Infrastructure tags for the Security Assessment.

Security Assessment Workflow

This is an example workflow for Security Assessment.

Register your target databases in Oracle Data Safe and obtain the necessary permissions in IAM.
When registration of a target database is complete, a security assessment of the target database runs automatically and is scheduled to run again each week at the same day and time as the registration day and time. This is the default schedule. Every time the job is executed, the new results are designated the latest assessment for the target database and a copy is saved to the history.
On the Security Assessment Dashboard, view and analyze the risks across all target databases in compartments where you have access rights. This gives you a broad view of your overall security posture.
On the dashboard, check for the highest level risks and then drill down to the latest assessements for the target databases where these risks occur. The details about these risk are explained in each assessment.
Analyze the risk details, take appropriate actions to mitigate risk levels in a target database, and adjust risk levels based on your analysis or requirements. You might need to adjust certain risk levels to match your policies or reflect that other security controls are in place, or choose to defer that risk.
Once you have taken the appropriate actions to address the identified risks in a target database, refresh the assessment and check the findings again to see if the risk levels have lowered as expected. If so, you may want to consider setting this assessment as the baseline (see step 8 for more information).
If required, Adjust the schedules of your security assessments to suit the needs of your organization.
Change the names of your security assessments to names that are meaningful to you. The default names that Oracle Data Safe assigns follow this pattern: SA_<unique number>. It's helpful to choose your own names. You may want to retain the SA_ prefix because it will distinguish security assessments from user assessments (UA_).
If the risk findings in security assessment of a target database are low and you are confident that it represents a reasonably solid security posture, consider setting that assessment as the baseline for that target database. This is optional, but highly recommended because it gives you the means to compare future assessments against a known good assessment.
When you have accumulated two or more security assessments of a target, run a comparison of the latest assessment with earlier assessments (or with the baseline) to determine if there is any security drift.
Create a downloadable PDF or XLS versions of the your security assessments.
Save a copy or schedule saves of a copy of the latest assessment for a target database. All assessments are saved in the history provided by Security Assessment, but the Save As option can be useful if you want an additional backup or want to export the assessment findings to another compartment.
Set up event notifications. For example, you can subscribe to the SecurityAssessmentDriftFromBaseline event to be automatically informed if a security assessment differs from the baseline.

Prerequisites for Using Security Assessment

Security Assessment requires registered, properly provisioned target databases. Users must be granted specific permissions in IAM.

These are the prerequisites for using Security Assessment:

Register the target databases that you want to assess with Security Assessment.
After you register the target database, Oracle Data Safe automatically runs a Security Assessment job for your target database and updates it according to the schedule (once per week by default).
Grant the ASSESSMENT role to the Oracle Data Safe service account on the target database (non-Autonomous databases only).
An Autonomous Database is automatically provisioned with the equivalent DS$ASSESSMENT_ROLE when it is registered as a target database; therefore, you do not need to grant a role.
Obtain permission in Oracle Cloud Infrastructure Identity and Access Management (IAM).
Obtain either the view or manage permission for the security-assessments resource in IAM in the relevant compartments.

An OCI administrator can grant these permissions.
Obtain read permission on the data-safe-work-requests resource in IAM if you need to set baselines or compare assessments.

As an alternative to selectively granting permissions, you can grant permissions on data-safe-assessment-family in the relevant compartments, which would include permissions on all of the resources above as well as user-assessments. See data-safe-assessments-family Resource in the Administering Oracle Data Safe guide for more information.

Recommended Before You Start

Oracle recommends you try the Get Started with Oracle Data Safe Fundamentals workshop in LiveLabs before you use Security Assessment.

The Get Started with Oracle Data Safe Fundamentals workshop includes hands-on training for Security Assessment. Whether or not you've taken the workshop before, you'll find that the lab for Security Assessment provides an up-front familiarity with this feature that makes it easier for you to put it to work in your organization. Consider going through the workshop to learn about Security Assessment before you proceed.

Try it now:

Get Started with Oracle Data Safe Fundamentals