Security Assessment Overview
The Security Assessment feature in Oracle Data Safe assesses the security of your Oracle databases.
About Security Assessment
Misconfigured databases are a major contributor to database breaches. Human errors could leave your database open to everyone, or an attacker could maliciously exploit configuration mistakes to gain unauthorized access to sensitive data. This can have a devastating impact on your reputation and bottom line. Knowing where your database configuration introduces risk is the first step in minimizing that risk. Security Assessment provides you with an overall picture of your database security posture. It analyzes your database configurations, users and their entitlements as well as security policies to uncover risks and strengthen the security posture of Oracle databases within your organization. A security assessment provides findings with recommendations for remediation activities that follow best practices to reduce or mitigate risk. The information presented depends on the type of target database and whether it is running on-premises or in the cloud. Specific checks and recommendations are made for Autonomous AI Databases, Oracle Base Database Services, and on-premises Oracle databases.
For all registered target databases, Security Assessment automatically generates an assessment once per week and saves a copy of it to the Assessment History. This report is referred to as the "latest" assessment. If needed, you can modify its schedule. You also have the option to create a schedule that saves a copy of the latest assessment to a different compartment under a different name.
Security Assessment lets you refresh the latest assessment at any time. After the latest assessment is refreshed, Security Assessment saves the assessment to the Assessment History and also overwrites the latest assessment. To monitor security configuration drift on your target database, you need to set a baseline. Once your baseline is set, Oracle Data Safe automatically compares it against each assessment refresh. You can also manually compare two selected assessments. Lastly, you can generate a PDF or XLS report from an assessment.
The following are use cases for the Security Assessment feature:
- Identify and mitigate risks:
- Quickly and easily assess your database configurations to learn which configuration choices may have introduced unnecessary risk and how you can remove or mitigate risks.
- Leverage checks drawn from Oracle database security best practices, CIS Benchmark recommendations, European Union General Data Protection Regulation (EU-GDPR) best practices, and Department of Defense Security Technical Implementation Guide (STIG) rules.
- Compliance and best practices:
- Support your regulatory compliance efforts by adhering to security best practices and industry standards.
- Track remediation and compliance progress by customizing the risk level associated with a finding.
- Improve database security insight:
- Gain visibility to fleet-wide database security risks.
- Monitor security drift by comparing an assessment against a baseline.
- Get visibility into deployed security policies and get awareness of the available database security controls to further protect your data.
Risk Levels
You can use the risk level values as guidelines for implementing Security Assessment recommendations. They can be used to prioritize and schedule changes, and to help you determine what a finding might mean to your organization. Security Assessment uses the following risk levels to measure the severity of a finding:
- High: Needs immediate attention.
- Medium: Plan to address this in the short term.
- Low: Might be fixed during a scheduled downtime or bundled together with other maintenance activities.
- Advisory: Improve security posture by enabling more security features and technology.
- Evaluate: Needs manual analysis.
- Pass: No risks found.
- Deferred: The user deliberately decided to postpone or delay taking action on a particular identified risk for a specified period of time or indefinitely. When a risk is deferred, it means that, after evaluation, it has been acknowledged but not immediately addressed.
Categories
Security Assessment categorizes its findings as follows:
- User accounts
- Privileges and roles
- Authorization control
- Fine-grained access control
- Data encryption
- Auditing
- Database configuration
Security Assessment Landing Page
The Security Assessment landing page provides several views about the security risks across all of your target databases. It consists of the following interactive tabs: Overview, Risk summary, Target summary, and Target group summary.
Overview tab
There are three charts on this tab.
- Risk level: This chart shows you a percentage breakdown of the different risk levels (High, Medium, Low, Advisory, Evaluate, and Deferred) across all of your target databases.
- Risks by category: This chart shows you the number of findings in each risk category (User Accounts, Privileges and Roles, Authorization Control, Data Encryption, Fine-Grained Access Control, Auditing, and Database Configurations) across all of your target databases.
- Top 5 common security controls: This chart shows you a bar graph of the number of target databases at each risk level for each of the top five common controls. The top five common controls are the five security controls that Oracle considers the most important to the security of your target databases. Hovering over any of the bars shows you the value from the legend (for example, ADVISORY), group (for example, Patch compliance), and value (for example, 1.0).
Risk summary tab
The table on this tab displays counts of various categories for each potential risk level. Categories include target databases, user accounts, privileges and roles, authorization control, fine-grained access control, data encryption, auditing, database configuration, and total findings.
Target summary tab
The table on this tab lists your target databases within the selected scope. For each target database, you can access a link to the latest security assessment, view the target's status, view whether the assessment deviates from the baseline, and view the last assessed date/time. You can also view total counts for high risk, medium risk, low risk, advisory, and evaluate findings for each target.
Target group summary tab
The table on this tab lists your target database groups within the selected scope. For each target database group, you can view the number of checks, number of compliant and non-compliant findings, number of compliant and non-compliant target databases, and the date and time when the group was last compared to the baseline assessment.
Structure of a Security Assessment for a Target Database
A security assessment for a target database is organized into three tabs: Details, Assessment summary, and Assessment details.
Details tab
This tab shows you the following general, baseline, and template information.
- OCID of the security assessment
- Compartment in which the security assessment is stored
- Created (timestamp) - when the security assessment was created
- Database version
- Assessed time (timestamp) - the last assessed date/time for the target database
- Target database name
- Schedule - if one exists
- Baseline - "No baseline set" or the name of the baseline
- Complies with baseline - "No baseline set", Yes, or No
- Assessment template - name of the associated assessment template (if one exists)
- Template baseline - name of the template baseline (if one exists)
Assessment summary tab
This tab has two sections: Top 5 common security controls and Summary.
- The Top 5 common security controls section shows you what Oracle considers to be the top 5 most important findings to the security of your target database, their risk levels, and a brief summary of each finding.
- The Summary section consists of a table that shows you totals for each risk level by finding category.
Assessment details tab
This tab consists of a table that explains all of the findings for your target database. For each finding listed in the table, you can view the risk level, finding category, references, and documentation sources (if they exist). You can expand findings to view additional information, including the following:
- Overview: This is a brief description of the finding.
- Summary: This is a summary of what Security Assessment discovered on your target database.
- Details: This is a detailed description of what Security Assessment discovered on your target database.
- Remarks: This is an explanation of why the finding is important and how you can mitigate the finding.
- CIS Benchmark: If it applies, the recommendation number is listed (for example, Recommendation 3.7)
- DISA STIG: If it applies, the recommendation code is listed (for example, V-270561)
- EU GDPR: If it applies, the recommendation code is listed (for example, Article 6, 32, 34)
- Oracle recommended practices: States whether Oracle recommends it or not
Compare with baseline tab
This tab provides options to compare the latest security assessment for your target database to a baseline or baseline template, if they are available.
Risk modification report tab
This tab lists any modified risk levels for findings in the target database's latest security assessment. For each modified risk, you can view the justification (if one was provided), expiration date (if one was set), when the modification occurred, and who made the modification.
Security Assessment Workflow
This is an example workflow for Security Assessment.
- Register your target databases in Oracle Data Safe and obtain the necessary permissions in IAM.
When registration of a target database is complete, a security assessment of the target database runs automatically and is scheduled to run again each week at the same day and time as the registration day and time. This is the default schedule. Every time the job is executed, the new results are designated the latest assessment for the target database and a copy is saved to the history.
- On the Security Assessment landing page, view and analyze the risks across all target databases in compartments where you have access rights. This gives you a broad view of your overall security posture.
- Check for the highest level risks and then drill down to the latest assessments for the target databases where these risks occur. The details about these risks are explained in each assessment.
- Analyze the risk details, take appropriate actions to mitigate risk levels in a target database, and adjust risk levels based on your analysis or requirements. You might need to adjust certain risk levels to match your policies or reflect that other security controls are in place, or choose to defer that risk.
- Once you have taken the appropriate actions to address the identified risks in a target database, refresh the assessment and check the findings again to see if the risk levels have lowered as expected. If so, you may want to consider setting this assessment as the baseline (see step 8 for more information).
- If required, adjust the schedules of your security assessments to suit the needs of your organization.
- Change the names of your security assessments to names that are meaningful to you. The default names that Oracle Data Safe assigns follow this pattern: SA_<unique number>. It's helpful to choose your own names. You may want to retain the SA_ prefix because it will distinguish security assessments from user assessments (UA_).
- If the risk findings in a security assessment for a target database are low and you are confident that it represents a reasonably solid security posture, consider setting that assessment as the baseline for that target database. This is optional, but highly recommended because it gives you the means to compare future assessments against a known good assessment.
- When you have accumulated two or more security assessments for a target database, run a comparison of the latest assessment with earlier assessments (or with the baseline) to determine if there is any security drift.
- Create downloadable PDF or XLS versions of your security assessments.
- Save a copy or schedule saves of a copy of the latest assessment for a target database. All assessments are saved in the Assessment History provided by Security Assessment, but the Save latest assessment as option can be useful if you want an additional backup or want to export the assessment findings to another compartment.
- In the Event service in Oracle Cloud Infrastructure, set up event notifications. For example, you can subscribe to the SecurityAssessmentDriftFromBaseline event to be automatically informed if a security assessment differs from the baseline.
Prerequisites for Using Security Assessment
Security Assessment requires registered, properly provisioned target databases. Users must be granted specific permissions in Oracle Cloud Infrastructure Identity and Access Management (IAM).
These are the prerequisites for using Security Assessment:
- Register the target databases that you want to assess with Security Assessment.
After you register the target database, Oracle Data Safe automatically runs a Security Assessment job for your target database and updates it according to the schedule (once per week by default).
- Grant the ASSESSMENT role to the Oracle Data Safe service account on the target database (non-Autonomous AI Databases only). An Autonomous AI Database is automatically provisioned with the equivalent DS$ASSESSMENT_ROLE when it is registered as a target database; therefore, you do not need to grant a role.
- To use Security Assessment: Obtain the view or manage permission for the security-assessments resource in IAM in the relevant compartments. An OCI administrator can grant these permissions. As an alternative to selectively granting permissions, you can grant permissions on data-safe-assessment-family in the relevant compartments, which would include permissions on all of the resources above as well as user-assessments. See data-safe-assessments-family Resource in the Administering Oracle Data Safe guide for more information.
- To set baselines or compare assessments: Obtain read permission on the data-safe-work-requests resource in IAM.
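The IAM prerequisites above, written out as OCI policy statements. This is an added example, not text from the Oracle documentation; the group names SecurityAssessors and SecurityAdmins and the compartment name Prod are placeholders, and the page's "view" permission is expressed with the OCI policy verb read.

```text
Allow group SecurityAssessors to read security-assessments in compartment Prod
Allow group SecurityAssessors to read data-safe-work-requests in compartment Prod

Allow group SecurityAdmins to manage security-assessments in compartment Prod
Allow group SecurityAdmins to read data-safe-work-requests in compartment Prod

Allow group SecurityAdmins to manage data-safe-assessment-family in compartment Prod
```

The first pair is the least privilege needed to view assessments and to set baselines or run comparisons; the manage statements are for operators who refresh assessments and modify risk levels, and the last statement is the broader alternative that also covers user-assessments, so grant it only where that wider scope is intended.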
See Also:
The Administering Oracle Data Safe guide provides these sections to help with establishing the prerequisites:
- Grant Roles to the Oracle Data Safe Service Account on Your Target Database describes the roles required for Security Assessment and for other Oracle Data Safe features.
- security-assessments Resource provides the policy statement for granting users read permissions on security-assessments.
- data-safe-work-requests Resource provides the policy statement for granting users read permissions on data-safe-work-requests.
Recommended Before You Start
Oracle recommends you try the Get Started with Oracle Data Safe Fundamentals workshop in LiveLabs before you use Security Assessment.
The Get Started with Oracle Data Safe Fundamentals workshop includes hands-on training for Security Assessment. Whether or not you've taken the workshop before, you'll find that the lab for Security Assessment provides an up-front familiarity with this feature that makes it easier for you to put it to work in your organization. Consider going through the workshop to learn about Security Assessment before you proceed.