Choose and Implement Your Deployment

Use the methods presented in this section to secure Oracle Autonomous Database Serverless@Azure:

  1. Use Transparent Data Encryption and Azure Key Vault
  2. Configure and Enable Oracle Database Vault
  3. Register the Database with Oracle Data Safe
  4. Centralize User Authentication and Authorization by Integrating with Entra ID
  5. Unify Audit and Database Pipeline to Export Data to Azure Blob Storage
  6. Use Oracle SQL Firewall for Oracle Database 23ai

Option 1: Use Transparent Data Encryption and Azure Key Vault

Oracle Transparent Data Encryption (TDE) is configured and enabled by default in all Oracle Autonomous Database Serverless databases.

The following steps will show you how to validate the default TDE setup. Then, it will walk through the steps for implementing customer managed encryption with Azure Key Vault for the Oracle Autonomous Database Serverless.


Description of adbs-key-vault-arch.png follows
Description of the illustration adbs-key-vault-arch.png

adbs-key-vault-arch-oracle.zip

To implement the plan presented here, you must first meet the following prerequisites:

  • Deploy the Oracle Autonomous Database Serverless instance by using the Microsoft Azure Console
  • Create the Azure Key Vault (either Standard or Premium)
  • Create an RSA 2048-bit key in the Azure Key Vault
  • Create a service principal for Autonomous Database

To use TDE and Azure key vault, perform the following steps:

  1. Assign the service principal vault access policies to the azure service principal for Oracle Autonomous Database Serverless instance:
    1. Go to the Azure Key Vault instance.
    2. Click Settings then click Access Configuration.
    3. Click Vault Access Policy.
    4. Click Go to access policies.
  2. Create the Vault Access Policy:
    1. Select the Permissions:
      • Get
      • List
      • Encrypt
      • Sign
      • Verify
    2. Click Next.
  3. Select the service principal that was created for the Oracle Autonomous Database Serverless instance
    1. Continue to click Next until you get to Review and Create.
    2. Click Create.
  4. Collect the following pieces of information to be used in Oracle Cloud Infrastructure (OCI) to configure Oracle Autonomous Database Serverless for key management.
    • Vault URI
    • Key Name
  5. From within the Azure Key Vault instance, copy the name of the key.
  6. In OCI, go to your Oracle Autonomous Database Serverless instance.
    1. Click More Actions.
    2. Click Manage Encryption Key.
    3. Click Encrypt using a customer-managed key.
    4. From the Key Type menu, select Azure.
    5. Populate the following fields with the information from Azure:
      • Vault URI (do not include the trailing slash)
      • Key name
    6. Click Save.
      The Autonomous Database will take a moment to update when it will again show Available and you will be able to see the newly assigned key in the Autonomous Database Details.

      The key history should also show that Customer managed-key (Microsoft Azure) is now the master encryption key being used for TDE.

  7. Sign in to the database as an admin and validate TDE.

    Open your database client and connect to your newly provisioned database. Once you are connected, use CloudShell or similar to run this SQL query to validate that your database has a TDE Master Key and that your tablespaces are encrypted using AES256.

    SQL> set page 900
SQL> set linesize 900
column activation_time format a40
column tag format a150
column pdb_name format a40
column tablespace_name format a30
column algorithm format a10SP2-0158: unknown SET option "page"
SQL> SQL> SQL> SQL> SQL> SQL>
SQL> select KEY_ID,ACTIVATION_TIME,KEY_USE from V$ENCRYPTION_KEYS;

KEY_ID
------------------------------------------------------------
ACTIVATION_TIME                          KEY_USE
---------------------------------------- -----------------
ATAQECQ0Q8NaSEBa0dDOQ8EPMAAAAAAAAAAAAAAAAAA== 06-MAY-25 01.41.04.516182 PM +00:00  TDE IN PDB
AVAK/QOQ6Bac3xAJEBAQDAUAAAAAAAAAAAAAAAAAAA== 06-MAY-25 01.58.34.616781 PM +00:00  TDE IN PDB

SQL> select a.name pdb_name, b.name tablespace_name, c.ENCRYPTIONALG algorithm
  2    from v$pdbs a, v$tablespace b, v$encrypted_tablespaces c
  3   where a.con_id = b.con_id
  4     and b.con_id = c.con_id
  5     and b.ts# = c.ts#;
     2    3    4    5

PDB_NAME                                 TABLESPACE_NAME                ALGORITHM
---------------------------------------- ------------------------------ ----------
G283BFEA6ED35C8_MULTICLOUDWEBINAR01      SYSTEM                         AES256
G283BFEA6ED35C8_MULTICLOUDWEBINAR01      SYSAUX                         AES256
G283BFEA6ED35C8_MULTICLOUDWEBINAR01      UNDOTBS1                       AES256
G283BFEA6ED35C8_MULTICLOUDWEBINAR01      USERS                          AES256
G283BFEA6ED35C8_MULTICLOUDWEBINAR01      DBFS_DATA                      AES256
G283BFEA6ED35C8_MULTICLOUDWEBINAR01      TEMP                           AES256

6 rows selected.

SQL>

Option 2: Configure and Enable Oracle Database Vault

Configure and enable Oracle Database Vault in your Oracle Autonomous Database Serverless instance to protect data from unauthorized privileged account access.

You need to create some additional database accounts to facilitate separation of duties for Oracle Database Vault. After Oracle Database Vault is enabled, create a Oracle Database Vault realm to separate the sensitive data from highly privileged accounts inside the database.

To configure and enable Oracle Database Vault:

  1. Create necessary accounts for Oracle Database Vault configuration.

    Oracle recommends creating multiple accounts to ensure you are never locked out of your data. Losing the password for these accounts could render your data inaccessible.

    Sign in to your Oracle Autonomous Database Serverless database and create four database accounts: two accounts will be assigned the Database Vault Owner role and two accounts will be assigned the Database Vault Account Manager role.

    Use the following example code to create the accounts where <user_name> is the name used to identify the associated account. 

    Connected to:
Oracle Database 23ai Enterprise Edition Release 23.0.0.0.0 - for Oracle Cloud and Engineered Systems
Version 23.8.0.25.05

SQL> create user DBOWNER identified by "<user_name>";
User created.

SQL> create user DBVACCTMGR identified by "<user_name>";
User created.

SQL> create user DBOWNER_BACKUP identified by "<user_name>";
User created.

SQL> create user DBVACCTMGR_BACKUP identified by "<user_name>";
User created.

SQL> grant connect, resource to DBOWNER;
Grant succeeded.

SQL> grant connect, resource to DBOWNER_BACKUP;
Grant succeeded.

SQL> grant connect, resource to DBVACCTMGR;
Grant succeeded.

SQL> grant connect, resource to DBVACCTMGR_BACKUP;
Grant succeeded.

SQL> show con_name;

CON_NAME
------------------------------
G283BFEA6ED35C8_MULTICLOUDWEBI
NAR01

SQL> select * from dba_dv_status;

NAME                STATUS
------------------  ----------------
DV_APP_PROTECTION   NOT CONFIGURED
DV_CONFIGURE_STATUS FALSE
DV_ENABLE_STATUS    FALSE
SQL>
  2. Configure and enable Oracle Database Vault.
    1. Login to the database as admin and execute the following package to configure Oracle Database Vault.
      SQL>
SQL> EXEC DBMS_CLOUD_MCADM.CONFIGURE_DATABASE_VAULT('DBVOWNER', 'DBVACCTMGR');
 
PL/SQL procedure successfully completed.
      After you configure Oracle Database Vault, enable it. After Oracle Database Vault is enabled, accounts with the Database Vault Owner role can manage the vault configuration and accounts with the Database Vault Account Manager role can create and manage accounts in the database. Now you can take advantage of the separation of duties in the database.
    2. Restart the database.
      From the database instance page in OCI, click More Actions and select Restart.
    3. Validate that Oracle Database Vault is configured and enabled by using the following example code.
      Connected to:
Oracle Database 23ai Enterprise Edition Release 23.0.0.0.0 - for Oracle Cloud and Engineered Systems
Version 23.0.0.25.0

SQL> SELECT * FROM DBA_DV_STATUS;

NAME                     STATUS
------------------------ ----------------
DV_APP_PROTECTION        NOT CONFIGURED
DV_CONFIGURE_STATUS      TRUE
DV_ENABLE_STATUS         TRUE

SQL>
    4. Grant Oracle Database Vault roles to backup accounts:
      
SQL> grant DV_OWNER to DBOWNER_BACKUP;

Grant succeeded.

SQL> grant DV_ACCTMGR to DBVACCTMGR_BACKUP;

Grant succeeded.

SQL>
  3. Create a realm to separate sensitive data from privileged accounts.
    1. Before creating the realm, login as admin and validate that the privileged account has access to the sensitive data, in this case, human resources (HR) data:
      SQL> show user;
USER is "ADMIN"
SQL> select EMPLOYEE_ID,FIRST_NAME,LAST_NAME,SALARY from HR.EMPLOYEES where ROWNUM < 8;

EMPLOYEE_ID FIRST_NAME      LAST_NAME                 SALARY
----------- --------------- ------------------------- ----------
        100 Steven          King                         24000
        101 Neena           Yang                         17000
        102 Lex             Garcia                       17000
        103 Alexander       James                         9000
        104 Bruce           Miller                        6000
        105 David           Williams                      4800
        106 Valli           Jackson                       4800

7 rows selected.

SQL>
    2. Sign in to Oracle Autonomous Database Serverless as a user with the Database Vault Owner role. Execute this PL/SQL block to create a realm called Protect HR Data:
      SQL> begin
  2  DVSYS.DBMS_MACADM.CREATE_REALM(
  3     realm_name => 'Protect HR Data'
  4    , description => 'This Realm will protect HR data from unauthorized privileged user access'
  5    , enabled => 'Y'
  6    , realm_type => DBMS_MACADM.MANDATORY_REALM );
  7  end;
  8  /
PL/SQL procedure successfully completed.

SQL>
    3. Add the database objects which are to be protected by the realm. Execute this PL/SQL block to add all tables in the HR schema to the Protect HR Data realm:
      SQL> begin
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name => 'Protect HR Data',
    object_owner => 'HR',
    object_name => '%',
    object_type => 'TABLE');
end;
/ 
2    3    4    5    6    7    8

PL/SQL procedure successfully completed.

SQL>
    4. Execute this PL/SQL block to add the HR schema account as well as an HR Manager hr_debra as Realm Authorized Participants. This will ensure that only the application service account as well as the HR Manager can access data in the HR schema. No DBA accounts or any other highly privileged accounts in the database will be able to access the data protected by the Database Vault Realm.
      SQL> begin
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name => 'Protect HR Data',
    object_owner => 'HR',
    object_name => '%',
    object_type => 'TABLE');
end;
/  2    3    4    5    6    7    8

PL/SQL procedure successfully completed.

SQL>
    5. Validate ADMIN can no longer access HR data:
      SQL> 
SQL> show user;
USER is "ADMIN"
SQL> select EMPLOYEE_ID,FIRST_NAME,LAST_NAME,SALARY from HR.EMPLOYEES where ROWNUM < 8;
select EMPLOYEE_ID,FIRST_NAME,LAST_NAME,SALARY from HR.EMPLOYEES where ROWNUM < 8
                                                                                 *
ERROR at line 1:
ORA-01031: insufficient privileges


SQL>

Option 3: Register the Database with Oracle Data Safe

Oracle Data Safe is a unified control center for your Oracle databases that helps you understand the sensitivity of your data, evaluate risks to your data, mask sensitive data, implement and monitor security controls, assess user security, monitor user activity, and address data security compliance requirements.

In this option, you register the target instance with Oracle Data Safe. After successful registration, review the Security Assessment and the User Assessment results and configure baselines for each.

To register the database with Oracle Data Safe, perform the following steps:

  1. Register the target database with Oracle Data Safe:
    1. In the OCI console, click Oracle Database, then Overview under Data Safe. Click Target databases in the left navigation pane and click Register database.
    2. Select Oracle Autonomous Database Serverless, enter the required information and click Register.
    3. Upon successful target registration, Oracle Data Safe initiates both a Security Assessment scan as well as a User Assessment scan.
  2. Review the Security Assessment:
    1. From the Data Safe Overview page, click Security Assessment in the left navigation pane. Select the target summary tab, then click the target summary for your database.
    2. Scroll down and review each of the findings. If necessary, take corrective action and initiate another scan. If you are happy with the current scan results and accept the findings, click Set as Baseline. All future scans are compared with the baseline and you will receive a notification if the database configuration deviates from the set baseline.
  3. Review the User Assessment:
    1. From the Data Safe Overview page, click Security Assessment in the left navigation pane. Select the target summary tab, then click the target summary for your database.
    2. Scroll down and review each of the findings. If necessary, take corrective action and initiate another scan. If you are happy with the current scan results and accept the findings, click Set as Baseline. All future scans will be compared with the baseline and you will receive a notification if the database configuration deviates from the set baseline.

Option 4: Centralize User Authentication and Authorization by Integrating with Entra ID

Managing users and credentials for Oracle Database users can quickly become a challenging administrative burden as the number of databases instances multiply.

Oracle has been creating innovative solutions to mitigate this problem for decades. Oracle Autonomous Database honors OAuth2 tokens issued by Entra ID (formerly Active Directory), Microsoft’s cloud identity platform. This capability lets you manage users and roles in a central cloud identity solution, while Oracle Autonomous Database uses those credentials for policy-based access controls.

The authentication flow is shown in the diagram below and described in steps that follow:


Description of azure-authentication.png follows
Description of the illustration azure-authentication.png

azure-authentication-oracle.zip

  1. The Azure user requests access to the Oracle Autonomous Database Serverless instance.
  2. The database client or application requests an authorization code from Entra ID.
  3. Entra ID authenticates the user and returns the authorization code.
  4. The helper tool or application uses the authorization code with Entra ID to exchange it for the OAuth2 token.
  5. The database client sends the OAuth2 access token to the Oracle database. The token includes the database app roles the user was assigned to in the Entra ID app registration for the database.
  6. The Oracle Autonomous Database Serverless instance uses the Entra ID public key to verify that the access token was created by Entra ID.

To implement the plan presented here, you must first meet the following prerequisites:

  • Set up Oracle Autonomous Database Serverless as an Microsoft Azure Entra ID enterprise application (tutorials are referenced in the Explore More section).
  • Set up SQL Developer Client for seamless Azure Entra ID authentication.

To integrate authentication with Microsoft Entra ID, perform the following steps:

  1. Configure Oracle Autonomous Database Serverless to use the enterprise application in Azure Entra ID for authentication.

    The following procedure instructs Oracle Autonomous Database Serverless to use the Entra ID tenancy as an identity provider, and specifically binds the OAuth2 tokens issued by the enterprise application for authorization to the database.

    1. Sign in to your Oracle Database Actions (SQL Developer Web) instance.
    2. In the left panel, select the appropriate Connection.
    3. Click Views in the menu above the search bar.
    4. In the search bar, enter the name of the view, such as MULTICLOUD_DEMO_AZURE_CONFIGS, to quickly find your view and then click the view name.
    5. Enter the following SQL code with the associated tenant ID and application URI:
      BEGIN
    DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
        type   => 'AZURE_AD',
        params => JSON_OBJECT('tenant_id' VALUE '<tenant_id>',
                              'application_id' VALUE 'f2c359b4-c3f9-4415-a333-332340376e59',
                              'application_id_uri' VALUE '<application_id_uri>'),
        force => TRUE
    );
END;
  2. Create a user association:
    1. Create a user schema in Oracle Autonomous Database Serverless and associate that user with the user principal ID in Entra ID. Defining a global user indicates that the Entra ID token subject is used to assert the identity of the database user.
      For this use case, a one-to-one mapping of Entra ID Subject to Database is used. For larger deployments, an administrator can choose to configure shared schema user mappings based on role and group memberships in Entra ID.
    2. Grant connect capabilities to the database user in the Oracle Database Actions (SQL Developer Web) instance:
      CREATE USER <azure_user_name> IDENTIFIED GLOBALLY AS 'AZURE_USER=<azure_user_name>';

grant connect to <azure_user_name>;
  3. Sign in to the database using Oracle SQL Developer and Entra ID.
    Open Oracle SQL Developer and configure a connection to the Oracle Autonomous Database Serverless instance using the latest JDBC libraries that allow for interactive login with Azure Entra ID.
    1. On the Oracle SQL Developer Connections panel, click New Connection.
    2. Specify a connection name.
    3. Select OS as the Authentication Type.
    4. Select Custom JDBC as the Connection Type.
    5. Enter your JDBC URL:
      jdbc:oracle:thin:@config=<jdbc_url>
    6. Verify the connection by clicking Test which will open a browser for interactive login to Entra ID.
    7. Authenticate using the user that you have mapped as the Database Global User.
      Upon successful login, an open SQL connection is established.
    8. Run show user to return the schema user.
      show user;
select sys_context('USERENV', 'AUTHENTICATED_IDENTITY') from dual;
    9. Check the context of the session to show that the authenticated principal retains the Entra ID principal.
      This is used by the unified audit trail to associate the Entra ID user to the transactions conducted by the authenticated principal.
    10. Click Save in the database connection window.

Option 5: Unify Audit and Database Pipeline to Export Data to Azure Blob Storage

Having strong preventative security controls is only half of the battle; companies must also audit and monitor their systems, even when they are not under attack.

Creating an audit trail of your database transaction is a powerful way to ensure that you have traceability. Oracle Autonomous Database includes pipelines that are ready to configure and deploy and that can push these audit logs to your choice of multicloud storage. This section shows how you can easily use the existing Entra ID service principal (created in the previous section) to push your audit trail to Azure Blob Storage on a continuous time interval.


Description of adbs-pipeline-export-arch.png follows
Description of the illustration adbs-pipeline-export-arch.png

adbs-pipeline-export-arch-oracle.zip

To implement the plan presented here, you must first meet the following prerequisites:

  • Enable a unified audit trail with Oracle Data Safe.
  • Create a service principal for the Oracle Autonomous Database Serverless.
  • Create an Azure storage account.
  • Create a private container in the Azure storage account for the Oracle Autonomous Database Serverless audit logs.

To use and store audit logs, perform the following steps:

  1. Assign the Storage Blob Data Contributor role to the Oracle Autonomous Database Serverless service principal:
    1. In the Azure portal, select the storage account you created previously.
    2. Click Access Control (IAM).
    3. Click Add and then click Add role assignment.
    4. Use the Search bar to search for Storage Blob Data Contributor.
    5. Click the Storage Blob Data Contributor role.
    6. Click Next.
  2. Add the Oracle Autonomous Database Serverless service principal to the role assignment.
    1. In the Members section, search for the Oracle Autonomous Database Serverless service principal.
    2. Assign the membership.
    3. Click Review + Assign.
  3. Configure the pipeline attributes from the Azure Storage Container location.

    Open an SQL Worksheet and execute the following SQL procedures where <storage_location_url> is the URL of the Azure storage location: 

    BEGIN
DBMS_CLOUD_PIPELINE.SET_ATTRIBUTE( pipeline_name => 'ORA$AUDIT_EXPORT',
  attribute_name => 'credential_name',
  attribute_value => 'AZURE$PA' );

DBMS_CLOUD_PIPELINE.SET_ATTRIBUTE( pipeline_name => 'ORA$AUDIT_EXPORT',
  attribute_name => 'location',
  attribute_value => '<storage_location_url>' );

DBMS_CLOUD_PIPELINE.SET_ATTRIBUTE( pipeline_name => 'ORA$AUDIT_EXPORT',
  attribute_name => 'interval',
  attribute_value => '15' );

END;
/
  4. To test the export pipeline and set it to run, execute the following statements:
    /* THIS RUNS THE PIPELINE ONCE*/
/
BEGIN DBMS_CLOUD_PIPELINE.RUN_PIPELINE_ONCE( pipeline_name => 'ORA$AUDIT_EXPORT' );
END;
/

/* IF SUCCESSFUL - THIS WILL RESET THE PIPELINE*/
/
BEGIN DBMS_CLOUD_PIPELINE.RESET_PIPELINE( pipeline_name => 'ORA$AUDIT_EXPORT', purge_data => TRUE);
END;
/

/* THIS WILL MAKE IT ACTIVE AND RUNNING ON THE SET INTERVAL */
/
BEGIN DBMS_CLOUD_PIPELINE.START_PIPELINE( pipeline_name => 'ORA$AUDIT_EXPORT' );
END;
/
    If the pipeline is configured properly, you will see a file in the Azure Blob storage container that was configured in the pipeline attributes. Over time, it will create incremental files in the storage container that contain only the latest unified audit trail records.

Option 6: Use Oracle SQL Firewall for Oracle Autonomous Database Serverless 23ai

In addition to the virtual networking security lists and network security groups, Oracle Autonomous Database Serverless 23ai ships with Oracle SQL Firewall.

Oracle SQL Firewall is a defense-in-depth feature that runs within the database runtime and that enforces policy-based and context-based access control to your data.

For Oracle Database@Azure, the SQL Firewall policies can provide last-mile protection against unauthorized access, regardless of the ingress point.


Description of adbs-sqlfirewall-flow.png follows
Description of the illustration adbs-sqlfirewall-flow.png

adbs-sqlfirewall-flow-oracle.zip


Description of adbs-sqlfirewall-arch.png follows
Description of the illustration adbs-sqlfirewall-arch.png

adbs-sqlfirewall-arch-oracle.zip

To implement the plan presented here, you must first meet the following prerequisites:

  • Register Oracle Data Safe with Oracle Autonomous Database Serverless 23ai instance.
  • Enable SQL Firewall in Oracle Data Safe (a link to instructions is provided in the Explore More section).

To use Oracle SQL Firewall for Oracle Autonomous Database Serverless 23ai, perform the following steps:

  1. Start collecting SQL traffic for the user that you created for Entra ID authentication:
    1. From the SQL Firewall Dashboard, click SQL Collections.
    2. Specify the user that you intend to create the SQL Firewall policy.
    3. Click Create and Start SQL Collection.
  2. After generating some SQL traffic with the selected user, configure the policy based on the SQL statements captured:
    1. On the SQL collection details page, click Stop.
    2. Click Generate Firewall Policy.
    3. Review and optionally update the allowed SQL session context values as desired.
      For example for an allowed statement, select a row, click Update and then click the X at the end of the row to remove the allowed statement. For testing puposes, you can do this for all allowed statements.
    4. Click Deploy and enforce to enable the policy.
  3. Test the enabled SQL firewall policy.
    Using SQL Developer (or any SQL Client), sign in to the database and authenticate as the Entra ID user created for SQL Firewall policy enforcement (with all allowed SQL statements removed). After authenticating, the an error message indicates that the database successfully has passed through the security lists and network security groups, however the request is denied at the SQL connection level.
  4. To view violation reports, click Violation reports in the left navigation pane of the SQL Firewall dashboard.