Security Assessment Overview

The Security Assessment feature in Oracle Data Safe helps you assess the security of your Oracle database configurations.

About Security Assessment

Poor database configurations, such as weak password policies, no controls on over-privileged accounts, and lack of activity monitoring, are the most common causes of database vulnerabilities. Security Assessment provides you with an overall picture of your database security posture. It analyzes your database configurations, users and user entitlements, as well as security policies to uncover security risks and improve the security posture of Oracle Databases within your organization. A security assessment provides findings with recommendations for remediation activities that follow best practices to reduce or mitigate risk. The information presented depends on the type of target database and whether it is running on-premises or in the cloud. Specific checks and recommendations are made for Autonomous Databases, DB systems, and on-premises Oracle Databases.

For all registered target databases, Security Assessment automatically generates an assessment once per week and saves a copy of it to the history. This report is referred to as the "latest" assessment. If needed, you can modify its schedule. You also have the option to create a schedule that saves a copy of the latest assessment to a different compartment and with a different name.

Security Assessment lets you refresh the latest assessment at any time by using the Refresh Now option. After the latest assessment is refreshed, Security Assessment saves the assessment to the history and also overwrites the latest assessment. To monitor security drift on your target database, you can compare two assessments. You can define a baseline assessment and compare other assessments to it, or, you can compare two selected assessments. Lastly, you can generate a PDF or XLS report from an assessment.

The following are use cases for the Security Assessment feature:

  • Quickly and easily assess your database configurations to learn which configuration choices may have introduced unnecessary risk into your environment and how you can remove or mitigate those risks.
  • Support your regulatory compliance program.
  • Identify deployed security policies.
  • Learn about the available Oracle Database security controls and how they help to protect your sensitive data.
  • Promote database security best practices.
  • Monitor security drift by comparing an assessment against a baseline.

Risk Levels

You can use the Risk Level values as guidelines for implementing Security Assessment recommendations. They can be used to prioritize and schedule changes based on the level of risk and what it might mean to your organization. Security Assessment uses the following risk levels to measure the severity of a finding:

  • High: Needs immediate attention.
  • Medium: Plan to address this in the short term.
  • Low: Might be fixed during a scheduled downtime or bundled together with other maintenance activities.
  • Advisory: Improve security posture by enabling more security features and technology.
  • Evaluate: Needs manual analysis.
  • Pass: No risks found.

Categories

Security Assessment categorizes its findings as follows:

  • User Accounts
  • Privileges and Roles
  • Authorization Control
  • Fine-Grained Access Control
  • Auditing
  • Encryption
  • Database Configuration

Security Assessment Dashboard

When you first access the main page for Security Assessment in the Security Center in Oracle Cloud Infrastructure, you are presented with a dashboard that consists of these components:

  • Risk Level and Risks by Category charts
  • Risk Summary tab
  • Target Summary tab
  • Related Resources
  • List Scope

Note:

You can view assessments only within compartments where you have the required privileges.
[Illustration: sa_security_assessment_dashboard.png]

Risk Level and Risks by Category Charts

At the top of the Security Assessment page, you can view the Risk Level and Risks by Category charts. The Risk Level chart shows you a percentage breakdown of the different risk levels (High, Medium, Low, Advisory, and Evaluate) across all of your target databases. The Risks by Category chart shows you a percentage breakdown of the different risk categories (User Accounts, Privileges and Roles, Authorization Control, Data Encryption, Fine-Grained Access Control, Auditing, and Database Configurations) across all of your target databases.

Risk Summary

The Risk Summary tab lets you quickly view the number of risk findings per risk level across all of your target databases in a selected compartment. There is one table row for each risk level: High, Medium, Low, Advisory, Evaluate. For each risk level, you can view the number of findings for the following categories: User Accounts, Privileges and Roles, Authorization Control, Fine-Grained Access Control, Data Encryption, Auditing, and Database Configuration. From this page, you can drill down to view more information about the identified risks, and then drill down further to view information about a particular target database.

[Illustration: sa_risk_summary.png]

Target Summary

The Target Summary tab shows you the number of findings for each risk level (high, medium, low, advisory, and evaluate) per target database, the date of the last assessment, and whether the latest assessment deviates from the baseline assessment (assuming you set a baseline assessment). You can also access a link to the latest Security Assessment report for each target database. If an assessment failed, a FAILED icon (yellow yield sign with an exclamation mark) is displayed in the Last Assessed On column for the target database.

[Illustration: sa_target_summary.png]

Related Resources

The Related Resources list varies, depending on what is most useful in relation to the page you are currently looking at. At the level of the dashboard, it includes links to the Assessment History and the Scheduling options. If you are looking at a particular assessment, it provides options to compare that assessment with other assessments.

List Scope

List Scope is where you set the scope of the lists in the Risk Summary and Target Summary tabs. It determines which compartments are included in those lists.

[Illustration: ua_and_sa_list_scope.png]

You can set the scope of your view of Security Assessment to the root compartment alone, to root with all of its child compartments, or to any compartment under root, with or without that compartment's child compartments.

When you look at risk findings and target database users in Security Assessment, you can set the scope to root with its child compartments to review the overall security posture of your tenancy. You can also set the scope to focus on a specific compartment of interest.

Note:

It's important to remember that within the selected scope, your view within Security Assessment is determined by the privileges your account has been granted in OCI.

Structure of a Security Assessment

A Security Assessment consists of the following five sections:

  • Assessment Summary tab
  • Assessment Information tab
  • Tags tab
  • Assessment Details section
  • Resource and Filters section

Assessment Summary Tab

This tab presents the number of findings per category per risk level. It shows you at a glance the security posture of your target database.

[Illustration: sa_assessment_summary.png]

Assessment Information Tab

This tab shows you the following metadata for the report:

  • Name and OCID for the assessment
  • Compartment that stores the assessment
  • Target database name and version
  • Assessment date and time
  • The schedule for the assessment (you can change this schedule as needed)
  • Baseline assessment (if set)
  • Complies with Baseline (Yes or No Baseline Set). This field is populated if a baseline was previously set and you compared this assessment with the baseline.

[Illustration: sa_assessment_information_tab.png]

Tip:

On the Assessment Summary tab you can change the auto-generated name of the assessment to a name that has specific meaning for your organization. You and other users can then more easily identify assessments. For example, you could change the name of the auto-generated security assessment SA_1631303036184 to SA_main_compartment6_db15a.

Tags Tab

This tab lets you manage Oracle Cloud Infrastructure tags for the Security Assessment.

Security Assessment Workflow

The following is a typical workflow for Security Assessment.

  1. Register your target databases in Oracle Data Safe and obtain the necessary permissions in IAM.

    When registration of a target database is complete, a security assessment of the target database runs automatically and is scheduled to run again each week on the same day and at the same time as the registration. This is the default schedule. Every time the job is executed, the new results are designated the latest assessment for the target database and a copy is saved to the history.

  2. On the Security Assessment Dashboard, view and analyze the risks across all target databases in compartments where you have access rights. This gives you a broad view of your overall security posture.
  3. On the dashboard, check for the highest level risks and then drill down to the latest assessments for the target databases where these risks occur. The details about these risks are explained in each assessment.
  4. When you think you have taken the appropriate actions to mitigate risk levels in a target database, refresh the assessment and check the findings again to see if the risk levels have lowered as expected. If so, you may want to consider setting this assessment as the baseline.
  5. Adjust the schedules of your security assessments to suit the needs of your organization.
  6. Change the names of your security assessments to names that are meaningful to you. The default names that Oracle Data Safe assigns follow this pattern: SA_<unique number>. It's helpful to choose your own names. You may want to retain the SA_ prefix because it will distinguish security assessments from user assessments (UA_).
  7. If the risk findings in the security assessment of a target database are low and you are confident that it represents a reasonably solid security posture, consider setting that assessment as the baseline for that target database. This is optional, but highly recommended because it gives you the means to compare future assessments against a known good assessment.
  8. When you have accumulated two or more security assessments of a target, run a comparison of the latest assessment with earlier assessments (or with the baseline) to determine if there is any security drift.
  9. Create downloadable PDF or XLS versions of your security assessments.
  10. Save a copy, or schedule saving a copy, of the latest assessment for a target database. All assessments are saved in the history provided by Security Assessment, but the Save As option can be useful if you want an additional backup or want to export the assessment findings to another compartment.

Tip:

You can subscribe to the SecurityAssessmentDriftFromBaseline event to be automatically informed if a security assessment differs from the baseline.

Prerequisites for Using Security Assessment

Security Assessment requires registered, properly provisioned target databases. Users must be granted specific permissions in IAM.

These are the prerequisites for using Security Assessment:

  • Register the target databases that you want to assess with Security Assessment.

    After you register the target database, Oracle Data Safe automatically runs a Security Assessment job for your target database and updates it according to the schedule (once per week by default).

  • Grant the ASSESSMENT role to the Oracle Data Safe service account on the target database (non-Autonomous databases only).

    An Autonomous Database is automatically provisioned with the equivalent DS$ASSESSMENT_ROLE when it is registered as a target database; therefore, you do not need to grant a role.

  • Obtain permission in Oracle Cloud Infrastructure Identity and Access Management (IAM).

    Obtain either the view or manage permission for the security-assessments resource in IAM in the relevant compartments.

    An OCI administrator can grant these permissions.

  • Obtain read permission on the data-safe-work-requests resource in IAM if you need to set baselines or compare assessments.
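
As an added example (not taken from the Oracle documentation), the IAM permission prerequisites above expressed in OCI policy syntax; the group and compartment names are placeholders, and the page's "view" permission is assumed to correspond to the IAM read verb. The first statement is the over-broad form to avoid, since it grants every Data Safe operation across the whole tenancy; the remaining three are scoped to the two resource types the prerequisites name and to a single compartment, with the work-request read added only for the group that sets baselines and compares assessments.

```text
Allow group DataSafeAssessors to manage data-safe-family in tenancy

Allow group DataSafeAssessors to read security-assessments in compartment DataSafeTargets
Allow group DataSafeOperators to manage security-assessments in compartment DataSafeTargets
Allow group DataSafeOperators to read data-safe-work-requests in compartment DataSafeTargets
```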

Note:

Because Security Assessment and User Assessment have moved from the Oracle Data Safe Console to the Security Center in Oracle Cloud Infrastructure, an administrator must migrate existing Security Assessment and User Assessment privileges to IAM. After this migration is completed, additional user groups can be granted privileges in IAM to use the Security Assessment feature.

See Also:

The Administering Oracle Data Safe guide contains sections that help with establishing these prerequisites.

Recommended Before You Start

Oracle recommends that you try the Get Started with Oracle Data Safe Fundamentals workshop in LiveLabs before you use Security Assessment.

The Get Started with Oracle Data Safe Fundamentals workshop includes hands-on training for Security Assessment. Whether or not you've taken the workshop before, you'll find that the lab for Security Assessment provides an up-front familiarity with this feature that makes it easier for you to put it to work in your organization. Consider going through the workshop to learn about Security Assessment before you proceed.