Oracle Data Safe Overview

Oracle Data Safe is a unified control center for your Oracle databases which helps you understand the sensitivity of your data, evaluate risks to your data, mask sensitive data, implement and monitor security controls, assess user security, monitor user activity, and address data security compliance requirements.

Features of Oracle Data Safe

Oracle Data Safe provides the following set of features for protecting sensitive and regulated data in Oracle databases, all in a single, easy-to-use database security control center:

  • Security Assessment helps in evaluating the security of your database configurations. It examines database configurations, user accounts, and security controls, and subsequently provides findings along with recommendations for remedial actions following best practices to reduce or mitigate risks. Recommendations are based on the Security Technical Implementation Guides (STIG), Center for Internet Security (CIS) Configurations, recommendations from the General Data Protection Regulation (EU GDPR) and Oracle best practices.
  • User Assessment assists in identifying highly privileged accounts that may pose a threat if misused or compromised. It scrutinizes information about users in the data dictionary of target databases and calculates a potential risk score for each user. This evaluation includes user types, authentication methods, password policies, password change frequency, and provides direct links to related audit records. With this information, appropriate security controls and policies can be deployed.
  • Data Discovery facilitates the detection of sensitive data within your databases. By specifying the type of sensitive data to search for, Data Discovery examines the actual data and data dictionary, presenting a list of sensitive columns. It comes with default search capabilities covering various sensitive data categories, such as identification, biographic, IT, financial, healthcare, employment, and academic information.
  • Data Masking offers a means to mask sensitive data, ensuring its safety for non-production purposes. For instance, when organizations need to create copies of production data for development and testing, Data Masking replaces sensitive data with realistic but fictitious information, mitigating the risk associated with exposing sensitive data to new users.
  • Activity Auditing lets you audit user activity on your databases so you can monitor database usage.
  • Alerts keep you informed of unusual database activities as they happen.
  • SQL Firewall protects against risks such as SQL injection attacks or compromised accounts. SQL Firewall is a new security capability built into the Oracle AI Database 26ai kernel and offers protection against these risks. The SQL Firewall feature in Oracle Data Safe lets you centrally manage and monitor the SQL Firewall policies for your target databases. Oracle Data Safe lets you collect authorized SQL activities of a database user, generate and enable the policy with allowlists of approved SQL statements and database connection paths, and provides a comprehensive view of any SQL Firewall violations across the fleet of your target databases.

Oracle Data Safe Guided Tour

The Oracle Data Safe guided tour gives you a high-level overview of the features of Oracle Data Safe and how to start using them to improve the security of your databases.

If you do not have any target databases registered with Oracle Data Safe the tour will begin automatically. If you navigate to the Overview page again during the same session the tour will no longer start automatically.

Anyone can initiate the tour at any time by navigating to the Overview page and clicking Take the tour.

You can click through the walk through by clicking Next or stop the tour at any time by clicking Stop tour.

Figure 1-1 Data Safe Overview


Screenshot of the first slide in the guided UI tour in Oracle Data Safe.

Key Concepts and Terminology

Understand the following concepts and terminology to help you get started with Oracle Data Safe.

Oracle Cloud Infrastructure

Oracle Cloud Infrastructure is a set of complementary cloud services that enables you to build and run a wide range of applications and services in a highly available hosted environment. Oracle Cloud Infrastructure offers high-performance compute capabilities (as physical hardware instances) and storage capacity in a flexible overlay virtual network that is securely accessible from your on-premises network. Oracle Data Safe is integrated as a service into Oracle Cloud Infrastructure.

Oracle Cloud Infrastructure Console

The Oracle Cloud Infrastructure Console is a simple and intuitive web-based user interface that you can use to access and manage Oracle Cloud Infrastructure. You can access Oracle Data Safe in the Oracle Cloud Infrastructure Console.

Tenancy

A tenancy is a secure and isolated partition within Oracle Cloud Infrastructure where you can create, organize, and administer your cloud resources.

Region and Availability Domain

Oracle Cloud Infrastructure is physically hosted in regions and availability domains. A region is a localized geographic area, and an availability domain is one or more data centers located within a region. A region is composed of one or more availability domains. Oracle Cloud Infrastructure resources are either region-specific, such as a virtual cloud network, or availability domain-specific, such as a compute instance.

Oracle Data Safe

Oracle Data Safe is a fully-integrated Cloud service in Oracle Cloud Infrastructure focused on the security of your data. It provides a complete and integrated set of features for protecting sensitive and regulated data in Oracle databases. The Security Center in Oracle Data Safe is the main area where you can access all the features.

Oracle Cloud Infrastructure Identity and Access Management (IAM)

The IAM service is the default, fully integrated, identity management service for Oracle Cloud Infrastructure. It lets you control who has access to your cloud resources, what type of access user groups have, and to which specific resources user groups have access. Oracle Data Safe uses all the shared services in Oracle Cloud Infrastructure, including IAM.

IAM Compartment

In IAM, compartments allow you to organize and control access to your cloud resources. A compartment is a collection of related resources, such as database instances, virtual cloud networks, and block volumes. A compartment should be thought of as a logical group and not a physical container. When you begin working with resources in the Oracle Cloud Infrastructure Console, the compartment acts as a filter for what you are viewing. A group requires permission by an administrator to access a compartment.

IAM User Group

A user group in IAM is a collection of users who all need the same type of access to a particular set of resources or compartment. Tenancy administrators can create users and groups in the root compartment of a tenancy with the IAM service in Oracle Cloud Infrastructure. Oracle Data Safe retrieves user groups from IAM, and in some cases, individual users.

Oracle automatically creates a tenancy administrator for you and adds it to the tenancy's Administrators group. This group has all permissions on all resources in the tenancy, and is responsible for creating the users, groups, and compartments for the tenancy.

IAM Policy

An IAM policy is a document that specifies who can access which resources in Oracle Cloud Infrastructure, and how. Access is granted at the group and compartment level, which means you can write a policy that gives a group a specific type of access within a specific compartment, or to the tenancy itself. If you give a group access to your tenancy, the group automatically gets the same type of access to all the compartments inside your tenancy. Only tenancy administrators can create policies. An administrator can create IAM policies to define user privileges for all Oracle Data Safe resources.

Oracle Data Safe Console

The Oracle Data Safe Console is the former user interface for Oracle Data Safe. Administrators need to migrate content from this Console to the new Security Center in Oracle Cloud Infrastructure.

Oracle Data Safe Repository

The Oracle Data Safe repository is an Oracle database that stores audit data and metadata for Oracle Data Safe.

Target Database

A target database is an Oracle Database on which Oracle Data Safe can perform user and security assessment, data discovery, data masking, activity auditing, and alerts.

Sensitive Type

A sensitive type is a classification of sensitive data and defines the kind of sensitive columns to search for. For example, the US Social Security Number (SSN) sensitive type helps you discover columns containing Social Security numbers. Data Discovery searches for sensitive data in your databases based on the sensitive types that you choose. You can choose from a wide variety of predefined sensitive types and can also create your own sensitive types.

Sensitive types are divided into categories. The top-level categories are Identification Information, Biographic Information, IT Information, Financial Information, Healthcare Information, Employment Information, and Academic Information. You can choose individual sensitive types or sensitive categories to search sensitive data.

Sensitive Data Model

A sensitive data model is a collection of sensitive columns and referential relationships. Data Discovery identifies sensitive columns and referential relationships and creates a sensitive data model. Data Discovery automatically searches the Oracle data dictionary to find relationships between primary key columns and foreign key columns and flags them as sensitive. It can also discover non-dictionary referential relationships, which are relationships defined in applications and not in the Oracle data dictionary.

Masking Format

A masking format defines the logic to mask sensitive data in a database column. For example, the Shuffle masking format randomly shuffles values in a column. The Email Address masking format replaces values in a column with random email addresses. Oracle Data Safe provides many predefined masking formats. If needed, you can create your own.

Masking Policy

A masking policy maps sensitive columns to masking formats that should be used to mask the data. You can use a masking policy to perform data masking on a target database. You can create a masking policy using a sensitive data model.

Audit Data Retrieval

An audit data retrieval represents an archive retrieve request for audit data. You can retrieve audit data for a target database from the archive and store it online.

Audit Policy

An audit policy represents the audit policies for the target database and their provisioning status on the target database.

Audit Profile

An audit profile represents audit profile settings and audit configurations for the database target, and helps determine the audit data volume available on the target and the volume collected by Oracle Data Safe.

Alert Policy

In Oracle Data Safe, you can provision alert policies on your target databases. An alert policy defines an event in a database to monitor. Alert policies are rule-based and are triggered based on the audit data collected.

Audit Trail

An audit trail represents the source of audit records that provides documentary evidence of the sequence of activities in the target database.

Alert

An alert is a message that notifies you when a particular audit event happens on a target database.