Secure Your Databases

Ensure that the database servers, network access to them, and the actual data are secure.

Control User and Network Access

Enterprise Architect, Security Architect, Data Architect

Use passwords, private subnets, and network security groups to control user and network access.
  • Ensure that the passwords used to authenticate to the database are strong.
  • Attach the DB systems to private subnets.

    A private subnet has no internet connectivity. You can use a NAT gateway for secure egress traffic and a service gateway to reach backup endpoints (object storage) without traversing the public internet.

  • Use network security groups or security lists to permit only the required network access to your DB systems.

Restrict Permissions for Deleting Database Resources

Enterprise Architect, Security Architect, Data Architect

To prevent inadvertent or malicious deletion of databases, grant the delete permissions (DATABASE_DELETE and DB_SYSTEM_DELETE) to a minimum set of users and groups.

The following IAM policy statements allow DB users to manage databases, database systems, and database homes. The where request.permission!='...' condition on each statement excludes the corresponding delete permission, so the DB users can manage these resources but can't delete DB systems, databases, or database homes.

Allow group DBUsers to manage db-systems in tenancy where request.permission!='DB_SYSTEM_DELETE'
Allow group DBUsers to manage databases in tenancy where request.permission!='DATABASE_DELETE'
Allow group DBUsers to manage db-homes in tenancy where request.permission!='DB_HOME_DELETE'

Encrypt Data

Enterprise Architect, Security Architect, Data Architect

All databases created in Oracle Cloud Infrastructure are encrypted using transparent data encryption (TDE). Ensure that any migrated databases are also encrypted.
Periodically rotate the TDE master key. The recommended rotation period is 90 days or less.

Apply Security Patches

Enterprise Architect, Security Architect, Data Architect

Apply Oracle Database security patches (Oracle Critical Patch Updates) to mitigate known security issues, and keep the patches up to date.

Use DB Security Tools

Enterprise Architect, Security Architect, Data Architect

The Oracle Database Security Assessment Tool provides automated security configuration checks of Oracle databases in Oracle Cloud Infrastructure. Oracle Audit Vault and Database Firewall (AVDF) monitors database audit logs and creates alerts.

Enable Data Safe

Enterprise Architect, Security Architect, Data Architect

Data Safe is a unified control center for Oracle cloud and on-premises databases. Use Data Safe to assess database and data security configuration, detect risks associated with user accounts, identify existing sensitive data, implement controls to protect that data, and audit user activity.
  • Extend the Data Safe audit retention policy to one year.
  • Mask data identified as sensitive by Data Discovery.
  • Use Security Assessment to identify the security controls recommended by the Center for Internet Security (CIS), the General Data Protection Regulation (GDPR), and the Department of Defense library of Security Technical Implementation Guides (STIG).
  • Set up alerts for key events in Data Safe Activity Auditing.

Enable Private Endpoints for Autonomous Databases

Enterprise Architect, Security Architect, Data Architect

When possible, use private endpoints with Oracle Autonomous Transaction Processing.
A private endpoint eliminates public access to shared autonomous databases. All traffic to the database stays within a VCN in Oracle Cloud Infrastructure, without the need for transit routing or a service gateway.
  • Use a dedicated private subnet when defining Private Endpoints.
  • For the Private Endpoint Network Security Group, define a stateless Ingress Rule with Protocol TCP and a Destination Port equal to the Database Listener Port. Restrict the source CIDR to only the subnets (or, for on-premises access, the Dynamic Routing Gateways (DRGs)) that are allowed access.
  • For the Private Endpoint Network Security Group, define a stateless Egress Rule with Protocol TCP. Restrict the destination CIDR to only the subnets (or, for on-premises access, the DRGs) that are allowed access.
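The following check, an added example that is not Oracle's code, audits a set of Private Endpoint NSG rules against the two bullets above: stateless, TCP only, ingress limited to the listener port, and source and destination CIDRs confined to the allowed ranges. The rule dictionaries mirror the field names of OCI security rules (direction, protocol, is_stateless, source_type, tcp_options) as an assumption, and the listener port, allowed CIDRs and sample rules are constructed for illustration.

```python
import ipaddress

TCP = "6"  # OCI encodes protocols by IANA number; "6" is TCP

# Constructed inputs (assumptions): the listener port, and the only address ranges
# (app subnets, on-premises ranges reached via a DRG) allowed to reach the endpoint.
LISTENER_PORT = 1522
ALLOWED_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.1.0/24", "192.168.10.0/24")]

def _cidr_allowed(cidr):
    """True only if the rule's CIDR lies entirely inside an allowed range."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return any(net.version == a.version and net.subnet_of(a) for a in ALLOWED_CIDRS)

def check_rule(rule):
    """Return the list of findings for one rule; an empty list means compliant."""
    findings = []
    if not rule.get("is_stateless"):
        findings.append("rule is stateful; the guidance calls for stateless rules")
    if rule.get("protocol") != TCP:
        findings.append(f"protocol {rule.get('protocol')!r} is not TCP")
    if rule["direction"] == "INGRESS":
        if rule.get("source_type") != "CIDR_BLOCK" or not _cidr_allowed(rule.get("source", "")):
            findings.append(f"source {rule.get('source')!r} is outside the allowed CIDRs")
        rng = (rule.get("tcp_options") or {}).get("destination_port_range") or {}
        if (rng.get("min"), rng.get("max")) != (LISTENER_PORT, LISTENER_PORT):
            findings.append(f"destination ports {rng} are not only the listener port {LISTENER_PORT}")
    elif rule.get("destination_type") != "CIDR_BLOCK" or not _cidr_allowed(rule.get("destination", "")):
        findings.append(f"destination {rule.get('destination')!r} is outside the allowed CIDRs")
    return findings

def audit(rules):
    """Map rule id -> findings for every rule that fails the check."""
    return {r["id"]: f for r in rules if (f := check_rule(r))}

# Constructed sample rules: a compliant ingress/egress pair plus two violating rules.
SAMPLE_RULES = [
    {"id": "in-ok", "direction": "INGRESS", "protocol": TCP, "is_stateless": True,
     "source_type": "CIDR_BLOCK", "source": "10.0.1.0/24",
     "tcp_options": {"destination_port_range": {"min": 1522, "max": 1522}}},
    {"id": "out-ok", "direction": "EGRESS", "protocol": TCP, "is_stateless": True,
     "destination_type": "CIDR_BLOCK", "destination": "192.168.10.0/24"},
    {"id": "in-open", "direction": "INGRESS", "protocol": TCP, "is_stateless": False,
     "source_type": "CIDR_BLOCK", "source": "0.0.0.0/0",
     "tcp_options": {"destination_port_range": {"min": 1, "max": 65535}}},
    {"id": "out-all", "direction": "EGRESS", "protocol": "all", "is_stateless": True,
     "destination_type": "CIDR_BLOCK", "destination": "0.0.0.0/0"},
]
```

Running audit(SAMPLE_RULES) reports only in-open (stateful, open source CIDR, full port range) and out-all (non-TCP, open destination CIDR); the compliant pair produces no findings.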