1.6 Security Best Practices with Graph Data

Several security-related best practices apply when working with graph data.

Sensitive Information

Graph data can contain sensitive information and should therefore be treated with the same care as any other type of data. Oracle recommends the following considerations when using a graph product:

  • Avoid storing sensitive information in your graph if that information is not required for analysis. If you have existing data, model only the relevant subset you need for analysis as a graph, either by applying a preprocessing step or by using subgraph and filtering techniques that are part of the graph product.
  • Model your graph in a way that vertex and edge identifiers are not considered sensitive information.
  • Do not deploy the product into untrusted environments or in a way that gives access to untrusted client connections.
  • Make sure all communication channels are encrypted and that authentication is always enabled, even if running within a trusted network.

Least Privilege Accounts

The database user account that the graph server (PGX) uses to read data should be a low-privilege, read-only account. PGX is an in-memory accelerator that acts as a read-only cache on top of the database, and it does not write any data back to the database.

If your application requires writing graph data and later analyzing it using PGX, make sure you use two different database user accounts, one for each component.

Public Health Endpoint Security

Unless you run multiple graph servers behind a load balancer (see Deploying Oracle Graph Server Behind a Load Balancer), it is a good security practice to disable the public health endpoint of the graph server. Load balancers need this endpoint to determine the health of the graph servers.

To disable the endpoint:

  1. Locate the WAR file of the graph server. If you installed the graph server via RPM, then the file is located at /opt/oracle/graph/pgx/server/pgx-webapp-<version>.war.
  2. Unzip the .war file into a location of your choice and then edit the WEB-INF/web.xml file inside the unzipped directory with a text editor of your choice.
  3. Locate the pgx.auth.exceptions parameter in the file. The list of public endpoints appears as shown:
    <init-param>
        <param-name>pgx.auth.exceptions</param-name>
        <param-value>isReady;isRunning;auth/token</param-value>
    </init-param>
  4. Remove the isReady endpoint from the list of public endpoints as shown:
    <init-param>
        <param-name>pgx.auth.exceptions</param-name>
        <param-value>isRunning;auth/token</param-value>
    </init-param>
  5. Save your changes, repackage the WAR file and redeploy the file to its original location.
  6. Restart the graph server.
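
Steps 2 through 5 can be scripted and checked. The following is an added example, not Oracle's code: it copies a WAR entry by entry, drops isReady from pgx.auth.exceptions, and reads the result back. The function names are hypothetical, the sample WAR is constructed, and web.xml is assumed to be UTF-8 with the parameter laid out as shown above.

```python
import io
import re
import zipfile

WEB_XML = "WEB-INF/web.xml"
PARAM_RE = re.compile(  # assumes <param-value> directly follows <param-name>
    r"(<param-name>\s*pgx\.auth\.exceptions\s*</param-name>\s*<param-value>)"
    r"([^<]*)(</param-value>)")

def public_endpoints(web_xml: str) -> list[str]:
    """Return the endpoints that web.xml exempts from authentication."""
    match = PARAM_RE.search(web_xml)
    if match is None:
        raise ValueError("pgx.auth.exceptions not found in web.xml")
    return [e.strip() for e in match.group(2).split(";") if e.strip()]

def remove_public_endpoint(web_xml: str, endpoint: str = "isReady") -> str:
    """Rewrite only the pgx.auth.exceptions value, dropping one endpoint."""
    kept = [e for e in public_endpoints(web_xml) if e != endpoint]
    return PARAM_RE.sub(lambda m: m[1] + ";".join(kept) + m[3], web_xml, count=1)

def harden_war(war_bytes: bytes, endpoint: str = "isReady") -> bytes:
    """Copy a WAR entry by entry, editing WEB-INF/web.xml on the way."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        if WEB_XML not in src.namelist():
            raise ValueError("archive has no WEB-INF/web.xml")
        for item in src.infolist():
            data = src.read(item)
            if item.filename == WEB_XML:
                data = remove_public_endpoint(data.decode("utf-8"), endpoint).encode("utf-8")
            dst.writestr(item, data)
    return out.getvalue()

def sample_war() -> bytes:
    """Constructed stand-in for pgx-webapp-<version>.war (not the real file)."""
    xml = ("<web-app><init-param><param-name>pgx.auth.exceptions</param-name>"
           "<param-value>isReady;isRunning;auth/token</param-value></init-param></web-app>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr(WEB_XML, xml)
        war.writestr("WEB-INF/classes/placeholder.txt", "unchanged")
    return buf.getvalue()

if __name__ == "__main__":
    with zipfile.ZipFile(io.BytesIO(harden_war(sample_war()))) as war:
        print(public_endpoints(war.read(WEB_XML).decode("utf-8")))
```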