Securing OCI GoldenGate

Oracle Cloud Infrastructure GoldenGate provides a secure and easy to use data replication solution in accordance with industry-leading security best practices.

Responsibilities

To use OCI GoldenGate securely, learn about your security and compliance responsibilities.

In general, Oracle provides security of cloud infrastructure and operations, such as cloud operator access controls and infrastructure security patching. You are responsible for securely configuring your cloud resources. Security in the cloud is a shared responsibility between you and Oracle.

Oracle is responsible for the following security requirements:

  • Physical security: Oracle is responsible for protecting the global infrastructure that runs all services offered in Oracle Cloud Infrastructure. This infrastructure consists of the hardware, software, networking, and facilities that run Oracle Cloud Infrastructure services.
  • Encryption and confidentiality: Encryption keys and secrets are stored in wallets and vaults to protect your data and connect to secured resources.
  • Network traffic: Encrypted access to the OCI GoldenGate deployment console is enabled over SSL on port 443 only. By default, access to the OCI GoldenGate deployment console is available only from an OCI private endpoint in the customer’s private network. Public endpoints can be configured to allow encrypted public access to the GoldenGate Deployment Console over SSL on port 443.

Your security responsibilities include the following:

  • Access control: Limit privileges as much as possible. Users should be given only the access necessary to perform their work.
  • OCI GoldenGate deployment console account management: Access to the OCI GoldenGate deployment console is managed directly within the Oracle Cloud console. Accounts and permissions are managed directly in the OCI GoldenGate deployment console. Learn more about deployment users.
  • Network traffic: Connections specify network connectivity to sources and targets. When you create a connection, you can configure SSL parameters to ensure the connection can be secure and encrypted. Learn more about connections.
  • Network encryption: By default, all network connectivity to OCI GoldenGate is encrypted over SSL with Oracle provided certificates. Ensure that any certificate or encryption keys you provide are current and valid.
  • Audit of security events: The OCI GoldenGate deployment console logs security events. You can access and review this log from the OCI GoldenGate deployment backup. Ensure that you monitor this log regularly. Learn more about deployment backups.
  • Patching: Ensure that OCI GoldenGate deployments are up to date. Updates are released monthly, and you must upgrade to the latest deployment patch level as soon as possible to prevent vulnerabilities. Learn more about patching deployments.
  • Audit of remote access over Load Balancer or Bastion: Ensure auditing of any remote access that is not directly to OCI GoldenGate is enabled and configured appropriately. Learn more.

Recommendations

  • Create additional OCI GoldenGate deployment console users with roles other than Security.
  • Assign the minimum necessary privilege access for IAM users and groups to resource types in goldengate-family.
  • To minimize loss of data from inadvertent deletes by an unauthorized user or from malicious deletes, Oracle recommends granting the GOLDENGATE_DEPLOYMENT_DELETE and GOLDENGATE_CONNECTION_DELETE permissions to the smallest possible set of IAM users and groups. Give these permissions only to tenancy and compartment administrators.
  • OCI GoldenGate only needs USE level access to capture data from connections.

Examples

Prevent the deletion of deployments

Create this policy to allow the group ggs-users to perform all actions on deployments, except deleting them:

Allow group ggs-users to manage goldengate-family in tenancy where request.permission!='GOLDENGATE_DEPLOYMENT_DELETE'

See Oracle Cloud Infrastructure GoldenGate Policies for more information about creating policies.
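As an added example that is not part of the Oracle page, the policy statements below apply the recommendations above together: administrators keep full control, operators manage deployments and connections but can delete neither, and a group that only captures data gets USE on connections. The group names (ggs-admins, ggs-users, ggs-capture, ggs-readers) and the compartment name (ggs-prod) are assumptions; the lines beginning with # are annotations for the reader and are not part of the policy statements, which are entered one per line without comments.

```text
# Added example, not from the Oracle page. Group and compartment names are assumed.

# Tenancy or compartment administrators: full control, including both delete permissions.
Allow group ggs-admins to manage goldengate-family in compartment ggs-prod

# Operators: everything in goldengate-family except deleting deployments or connections.
Allow group ggs-users to manage goldengate-family in compartment ggs-prod where all {request.permission != 'GOLDENGATE_DEPLOYMENT_DELETE', request.permission != 'GOLDENGATE_CONNECTION_DELETE'}

# Capture-only group: USE on connections is sufficient to capture data from them.
Allow group ggs-capture to use goldengate-connections in compartment ggs-prod

# Reviewers: read-only visibility for auditing deployments, connections, and backups.
Allow group ggs-readers to read goldengate-family in compartment ggs-prod
```

Scoping the statements to a compartment rather than the tenancy keeps the blast radius of a compromised operator account to that compartment, and the `all { ... }` condition on the ggs-users statement is what withholds both delete permissions at once, so the admin group remains the only one able to remove a deployment or connection.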