Note:
- This tutorial requires access to Oracle Cloud. To sign up for a free account, see Get started with Oracle Cloud Infrastructure Free Tier.
- It uses example values for Oracle Cloud Infrastructure credentials, tenancy, and compartments. When completing your lab, substitute these values with ones specific to your cloud environment.
Simplify Database Security Posture Management with Oracle Data Safe
Introduction
Customers can use Oracle Data Safe to gain visibility into their database security whether the databases run on-premises, in Oracle Cloud Infrastructure (OCI), or in a third-party cloud. Oracle Data Safe provides a comprehensive suite of security capabilities such as security and user assessment, activity auditing, Oracle SQL Firewall management, data discovery, and data masking for non-production environments.
Oracle Data Safe's tightly integrated assessment capabilities let you simultaneously run assessments on multiple databases, schedule assessments, establish a security baseline, and get a comparison report highlighting the drift between that baseline and the current database security assessment.
Audience
- Database administrators and OCI security administrators.
Objective
- Enable the features and functionality of Oracle Data Safe and achieve database security posture management with minimal steps.
Prerequisites
- Oracle Database provisioned in OCI. For more information, see Oracle Database.
- Register the database with Oracle Data Safe. In this tutorial, register an Oracle Autonomous Database (see Register an Oracle Autonomous Database); for registering other databases, see Target Database Registration.
Task 1: Register an Oracle Autonomous Database with Oracle Data Safe
- Log in to the OCI Console, navigate to Oracle Databases, Autonomous Database, Data Safe and click Register.
- You can see the registered database in the Target databases section. Click Oracle Databases, Data Safe and Target databases.
Task 2: Set the Default Global Settings
- Open the OCI Console, navigate to Oracle Databases, Data Safe and Settings.
- By default, Oracle Data Safe allows audit collection to continue after the free one million audit records limit is reached within a month. You can disable or enable the Global Paid usage setting.
- In Global Audit record retention policy, the default Online retention period is 12 months. The Archive retention period is 0-72 months. Click Save.
Task 3: Set Baseline and Update Schedules in Security Assessment
The Security Assessment dashboard gives a fleet view of all your database configuration checks.
- Open the OCI Console, navigate to Oracle Databases, Data Safe, Security Center and Security Assessment.
- Navigate to Oracle Databases, Data Safe, Security Center, Security Assessment and click Target Summary to show the number of findings for each risk level per target database. Click View report to see the latest one.
- Navigate to Oracle Databases, Data Safe, Security Center, Security Assessment, Security Assessment Details and Set baseline to analyze the security risks and set the latest security assessment for a target database as a baseline. Click Yes in Set as baseline?.
  This sets the baseline, which you can view in the Oracle Data Safe console. Navigate to Oracle Databases, Data Safe, Security Center, Security Assessment, Security Assessment Details and Assessment Information.
- Update the schedule to run the assessment daily, weekly or monthly. Running it weekly during non-business hours is a good starting point for generating scheduled reports. Navigate to Oracle Databases, Data Safe, Security Center, Security Assessment, Security Assessment Details and click Update schedule.
  You can view the schedules in the Oracle Data Safe console. Click Oracle Databases, Data Safe, Security Center, Security Assessment and Schedules.
Task 4: Identify High Risk Users, Set Baseline and Update Schedules in User Assessment
The User Assessment dashboard gives a fleet view of user assessment findings across all your target databases.
- Open the OCI Console, click Data Safe, Security Center and User Assessment.
- Navigate to Oracle Databases, Data Safe, Security Center, User Assessment and click Target Summary to show the number of findings for each risk level per target database. Click View report to see the latest one.
- Navigate to Oracle Databases, Data Safe, Security Center, User Assessment, User Assessment Details and Set baseline to analyze the high risk users and set the latest user assessment for a target database as a baseline. Click Yes in Set as baseline?.
  This sets the baseline, which you can view in the Oracle Data Safe console. Navigate to Oracle Databases, Data Safe, Security Center, User Assessment, User Assessment Details and Assessment Information.
- Update the schedule to run the assessment daily, weekly or monthly. Running it weekly during non-business hours is a good starting point for generating scheduled reports. Navigate to Oracle Databases, Data Safe, Security Center, User Assessment, User Assessment Details and click Update schedule.
  You can view the schedules in the Oracle Data Safe console. Click Oracle Databases, Data Safe, Security Center, User Assessment and Schedules.
Task 5: Set up Email Notification for Configuration and User Changes
In Oracle Data Safe, you can create event notifications for security assessment related events.
- Open the OCI Console, navigate to Oracle Databases, Data Safe, Security Center, Security Assessment, Notifications and click A security assessment has drifted from baseline.
- You can use the quickstart template for common events or the advanced event notification workflow to create notifications.
  Click Quickstart to add the alert policies to the target database and click Create notification.
- To receive messages, you must confirm the subscription from your email inbox.
  Navigate to Data Safe, Security Center, Security Assessment and Notifications to see the added alert policies in the Oracle Data Safe console.
- In Oracle Data Safe, you can also create event notifications for user assessment related events.
  Open the OCI Console, navigate to Oracle Databases, Data Safe, Security Center, User Assessment, Notifications and click A user assessment has drifted from baseline.
- You can use the quickstart template for common events or the advanced event notification workflow to create notifications.
  Click Quickstart to add the alert policies to the target database and click Create notification.
  Navigate to Data Safe, Security Center, User Assessment and Notifications to see the added alert policies in the Oracle Data Safe console.
- Once subscribed, you receive an email like the sample shown whenever a security assessment drifts from its baseline.
Task 6: Start Audit Trails and Enable Audit Policies in Activity Auditing
- An audit trail is an audit table in a target database that stores audit data. The most common audit trail is the UNIFIED_AUDIT_TRAIL data dictionary view, which consolidates all Oracle Database audit trails into one location and in a unified format. Open the OCI Console, navigate to Data Safe, Security Center and Activity Auditing.
- Navigate to Data Safe, Activity Auditing, Audit Trails and click the target database. Oracle Data Safe automatically discovers the audit trails on a target database and creates one audit trail resource per target database.
- Click Start. When you start an Oracle Data Safe audit trail, Oracle Data Safe begins copying audit records from the target database audit trail into the Oracle Data Safe repository. You can start and stop audit data collection as needed.
  The audit trail state changes to Active.
- An audit policy resource represents all available audit policies relevant to a target database, along with their corresponding audit conditions and their provisioning status on the target database. Navigate to Data Safe, Activity Auditing, Audit Policies and click the target database.
- Oracle Data Safe automatically creates one audit policy resource for your target database after it retrieves the audit policies from the target database. The audit policy resource lets you provision unified audit policies within your target database, with conditional enablement of users or roles.
  Navigate to Data Safe, Activity Auditing, Audit Policy, Audit Policy Information and click Update and Provision.
  Enable Audit Policies: the categories of audit policies available for provisioning include:
  - Basic auditing policies.
  - Administrator activity auditing policy.
  - User activity auditing policy.
  - Audit compliance standards policies.
  - Custom and Oracle predefined audit policies.
  Once an audit policy is provisioned to the target database, audit records are generated for activities within the target database that match the audit policy. For more information, see About Oracle Data Safe Audit Policies.
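As an added SQL example that is not part of this tutorial, the following shows what a provisioned unified audit policy with conditional enablement looks like on the target database (Data Safe issues equivalent statements when you click Update and Provision) and how the resulting records, including the failed administrator logins that Task 7 alerts on, appear in UNIFIED_AUDIT_TRAIL. ORA_LOGON_FAILURES is one of Oracle's predefined unified audit policies; the policy name admin_activity_pol, the host appserver01 and the account app_svc are assumptions, and the statements assume the AUDIT_ADMIN role on a non-production target.

```sql
-- Added example, not Data Safe's own code. Run as a user holding AUDIT_ADMIN.

-- 1. Enable one of Oracle's predefined unified audit policies (tracks failed logons).
AUDIT POLICY ORA_LOGON_FAILURES;

-- 2. A custom administrator-activity policy (assumed name): audit privilege use and
--    user/role changes, but only for sessions that did not originate from the
--    application server host (assumed hostname), evaluated once per session.
CREATE AUDIT POLICY admin_activity_pol
  PRIVILEGES ALTER USER, CREATE USER, DROP USER, GRANT ANY PRIVILEGE, GRANT ANY ROLE
  ACTIONS CREATE ROLE, DROP ROLE, ALTER SYSTEM
  WHEN 'SYS_CONTEXT(''USERENV'', ''HOST'') != ''appserver01'''
  EVALUATE PER SESSION;

-- 3. Conditional enablement: audit all users except the application service account
--    (assumed account name), so noisy application DDL does not flood the trail.
AUDIT POLICY admin_activity_pol EXCEPT app_svc;

-- 4. Provisioning status, which is what the Data Safe audit policy resource reflects.
SELECT policy_name, enabled_option, entity_name, success, failure
  FROM audit_unified_enabled_policies
 WHERE policy_name IN ('ORA_LOGON_FAILURES', 'ADMIN_ACTIVITY_POL');

-- 5. Records that Data Safe copies from UNIFIED_AUDIT_TRAIL into its repository:
--    failed logons in the last day (return_code <> 0 marks a failed action).
SELECT event_timestamp, dbusername, userhost, action_name, return_code
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%ORA_LOGON_FAILURES%'
   AND return_code <> 0
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY event_timestamp DESC;
```

The EXCEPT clause accepts user names only; to scope a policy to a role, use a role audit clause (ROLES role_name) in the policy definition instead.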
Task 7: Enable Alert Policies
- You can enable alerts on your target database to track and be notified of particular user activities and unusual behaviour.
  Open the OCI Console, navigate to Oracle Databases, Data Safe, Security Center and Alerts.
- You can choose to be alerted when a database parameter or audit policy changes, a failed login by an administrator occurs, a user entitlement changes, and when a user is created or deleted. To add the alert policies to the target database, navigate to Data Safe, Security Center, Alerts, Target-Policy Associations and click Apply Policy.
  Navigate to Data Safe, Security Center, Alerts, Target-Policy Associations to see the added alert policies in the Oracle Data Safe console.
Task 8: Find out the Sensitive Data Types by Data Discovery
Data discovery helps you find sensitive data in your Oracle Database. Protecting sensitive data begins with knowing what sensitive data you have, and where it is located. Data discovery searches for sensitive columns in your Oracle Database using the Oracle predefined and user-defined sensitive types that you choose. You define in data discovery what to look for, and it finds the sensitive columns that meet your criteria. For more information, see Data Discovery Overview.
Task 9: Data Masking for Sensitive Columns in Non-production Database
Data masking, also known as static data masking, is the process of permanently replacing sensitive data with fictitious yet realistic-looking data. It helps you generate realistic and fully functional data with similar characteristics to the original data to replace sensitive or confidential information. For more information, see Data Masking Overview.
Task 10: Use Oracle SQL Firewall with Oracle Data Safe
Oracle SQL Firewall provides real-time protection against common database attacks by restricting database access to only authorized SQL statements or connections for a designated user.
The Oracle Data Safe unified console has been extended to manage and monitor Oracle SQL Firewall for Oracle Database 23ai databases. Administrators can use Oracle Data Safe to collect the SQL activities of database accounts, monitor the collection progress, create Oracle SQL Firewall policies with allow-list rules (allowed contexts and allowed SQL statements) from the collected SQL activities, and enable Oracle SQL Firewall policies. For more information, see Use Oracle SQL Firewall with Oracle Data Safe.
Note:
- For a hands-on tour of Oracle Data Safe, see Oracle LiveLabs: Get Started with Oracle Data Safe Fundamentals.
- Try Oracle Data Safe with your own databases using the 30-day Oracle Cloud Free Tier. For more information on signing up for the Oracle Cloud Free Tier, see Oracle Cloud Free Tier.
Related Links
Acknowledgments
- Author - Alex Kovuru
- Contributor - Indira Balasundaram
More Learning Resources
Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.
For product documentation, visit Oracle Help Center.
F94866-02
May 2024