Oracle Data Safe is a fully integrated cloud service focused on the security of your data. It provides a complete and integrated set of features for protecting sensitive and regulated data in Oracle Cloud databases.
Today I will explain what Data Safe is, how to configure it in your OCI account, and then how to mask your data using your own sensitive data type. It will be cool.
If you have never heard of Data Safe, here is a quick video to give you an idea and a basic understanding. I also suggest you follow the step-by-step technical whitepaper provided by Oracle and the official documentation.
Basically, Data Safe assesses your database security and users, discovers sensitive data in your database, masks your sensitive data, and audits your user/admin activities. It does exactly what its name says: it keeps your data safe in the cloud and covers you when you are not around. I am not going to explain the security architecture, but I will show you how to monitor your Autonomous Database with Data Safe. You can also monitor Oracle DBCS and your on-premises databases, isn't that great?
Enjoy step by step GIF files as I always do.
1. Log in to your OCI tenancy with an appropriate user account. Creating a separate user group to manage Data Safe and giving it specific permissions according to the official documentation is the recommended approach. However, in order to test it out first, I used a non-federated administrator account.
Open a supported browser and sign in to the Oracle Cloud Infrastructure Console. In the top left corner, select Data Safe from the navigation menu. Then click on Service Console, where you will be asked to enter your credentials once more.
2. Take your time in the Data Safe environment and notice that there are multiple tabs. If you go to the "Targets" tab, it is most likely empty. There is nothing to do there yet, so open your Autonomous Database console. You can register an Autonomous Database from the Autonomous Database Details page. Under Data Safe, there is a link called "Register". Click the link; a confirmation dialog box asks whether you are sure you want to register the database with Oracle Data Safe. Confirm, and the registration finishes in a few seconds.
3. Now your Autonomous Database is registered and you are ready for more action. I'd like to assess my Oracle database configuration using Security Assessment. The Security Assessment reports give you an overall picture of your database security status. They highlight recommendations from the Center for Internet Security (CIS), the European Union's General Data Protection Regulation (GDPR), and the Security Technical Implementation Guide (STIG), making it easier for you to identify the recommended security controls.
Go to the "Security Assessment" tab in Data Safe and click on the desired database to start the wizard. The rest is easy.
4. Okay, I have checked my database, and it was pretty much compliant with the industry standards. But what about my users? Let's go to "User Assessment", which helps you assess the security of your database users and identify high-risk users. Similar to the previous step, choose the database to check and start the wizard. After completion, you can check the report. I had 2 users with DBA access, ADMIN and GGADMIN. I can tell that GGADMIN is no longer needed, so I can revoke this right and lock the account until I need it.
5. Now I want to discover whether any sensitive data is being stored in the non-production schemas of my database. I need to find out which tables hold sensitive information and mask it if the schema does not need the original values. There are currently 125 predefined sensitive data types in Data Safe, and I will show you how to add your own custom data type in step 8.
In order to run "Data Discovery", you need to run a short script in your database. You can download dbcs_privileges.sql. When you execute the script, provide the values DS$ADMIN, GRANT and ALL at the respective prompts.
6. Let's assume you've done that and begin data discovery. It is also wizard based, which means I don't need to explain it. Note, however, that data discovery saves the discovery results as a sensitive data model (SDM). An SDM consists of the discovered sensitive columns and their referential relationships. You can perform incremental updates to an SDM and manually add and remove columns from it. Interesting, right? Unfortunately, it's not covered in my steps, so explore it on your own :)
After the discovery process has finished, you can export the results in XLS or PDF format. Here is my attached result.
7. There are 182 sensitive columns out of 1547, from 31 different tables with 2503113 rows. I can also tell that many non-production schemas have those values, so I can mask them. Continue from where you stopped after the data discovery step, click on the "Continue to mask the data" button, then choose which schemas and tables should be masked.
I think it was pretty easy with the predefined data types. But what if you don't use English names in your columns? How do you recognise texts in your local language in your database? Let's create our own data type.
8. Here I have a table called TBL_FREQUENTFLYER with some specific local data. In Mongolia we have a national ID, and most of the time we call it "REGISTRIIN DUGAAR". It must start with 2 Cyrillic letters, followed by YYMMDD and 2 more digits. Here is an example:
- ШУ88112205 in Cyrillic
- SHU88112205 in Latin
Let's define our masking format first: if data discovery finds this column, some masking format needs to be applied to it. There are tons of masking formats available; I chose to replace the sensitive data with the fixed value "MNID99119911" for this instance and named the format "Mon_NAT_ID_masking".
Now we need to create our sensitive type. There are a couple of important parts in this step.
- Column Name Pattern: Enter a regular expression that should be used to match column names.
- Column Comment Pattern: Enter a regular expression that should be used to match column comments. This can be skipped if your columns do not have comment descriptions.
- Column Data Pattern: Enter a regular expression that should be used to match column data. I used regex101.com for testing my regular expressions.
Any column named like REGISTRIIN_DUGAAR or NATIONAL_ID in a table will be found by this regular expression:
Also, the data of that column should start with 3 to 4 letters followed by 8 digits, which is checked by this regex:
Now I can successfully search which tables contain Mongolian national identification numbers, and I am able to mask them.
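To show what the two patterns of a custom sensitive type do before you paste them into the Data Safe wizard, here is an added example (my own code, not from the original post or from Oracle) that reproduces the column-name check, the column-data check and the fixed-value masking format on a constructed sample of TBL_FREQUENTFLYER rows. The regexes, the 0.6 hit ratio and the sample rows are my assumptions based on the ID format described above; the data check additionally verifies that the YYMMDD part is a real date, which a plain regex cannot do.

```python
import re
from datetime import date

# The patterns below are my own assumptions written from the post's description of the
# ID format; they are not the regexes the author entered into Data Safe.
COLUMN_NAME_PATTERN = re.compile(r"REGISTR\w*DUGAAR|NATIONAL_?ID", re.IGNORECASE)
# 2 Cyrillic letters (including Mongolian Ө/Ү) or a 2-4 letter Latin transliteration,
# followed by YYMMDD and 2 more digits
DATA_PATTERN = re.compile(r"^(?:[А-ЯЁӨҮа-яёөү]{2}|[A-Za-z]{2,4})(\d{2})(\d{2})(\d{2})\d{2}$")
MASK_VALUE = "MNID99119911"  # fixed replacement value chosen in the post

def is_sensitive_column(column_name):
    """Column Name Pattern check: does the column name look like a national-ID column?"""
    return COLUMN_NAME_PATTERN.search(column_name) is not None

def looks_like_national_id(value):
    """Column Data Pattern check, plus a sanity check that the YYMMDD part is a real date."""
    m = DATA_PATTERN.match(str(value))
    if not m:
        return False
    yy, mm, dd = (int(g) for g in m.groups())
    # a two-digit year is ambiguous, so accept the date if it is valid in either century
    for century in (1900, 2000):
        try:
            date(century + yy, mm, dd)
            return True
        except ValueError:
            pass
    return False

def discover_sensitive_columns(rows, min_ratio=0.6):
    """Flag a column if its name matches, or if at least min_ratio of its values match the data pattern."""
    if not rows:
        return []
    found = []
    for col in rows[0]:
        hits = sum(looks_like_national_id(r[col]) for r in rows)
        if is_sensitive_column(col) or hits / len(rows) >= min_ratio:
            found.append(col)
    return found

def mask_rows(rows, columns):
    """Apply the fixed-value masking format to every discovered column."""
    return [{k: (MASK_VALUE if k in columns else v) for k, v in r.items()} for r in rows]

# Constructed TBL_FREQUENTFLYER-style sample rows (made up for this example, not real data)
SAMPLE_ROWS = [
    {"FF_NO": "FF0001", "REGISTRIIN_DUGAAR": "ШУ88112205", "ID_REF": "SHU88112205", "CITY": "Ulaanbaatar"},
    {"FF_NO": "FF0002", "REGISTRIIN_DUGAAR": "АБ90010112", "ID_REF": "AB90010112", "CITY": "Darkhan"},
    {"FF_NO": "FF0003", "REGISTRIIN_DUGAAR": "ӨҮ75063001", "ID_REF": "n/a", "CITY": "Erdenet"},
]
```

Note that ID_REF is caught by the data pattern alone even though its name matches nothing, which is exactly why the Column Data Pattern matters for columns with non-English or unexpected names.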
And then there is the Activity Auditing part, where you can configure audit and alert policies for monitoring Oracle database activities, collecting audit data, and generating alerts on audit events. Even if you trust your database administrators, account owners, and end users, it is important to monitor database activity regularly because accounts are always at risk of being compromised or misused.
Activity Auditing in Oracle Data Safe helps to ensure accountability and improve regulatory compliance. You will see something like this after you have configured it successfully.
With Activity Auditing, you can monitor user activities on Oracle Cloud databases, collect and retain audit records per industry and regulatory compliance requirements, and trigger alerts as needed for unusual or blacklisted behavior. You can audit sensitive database changes, administrator and user activities, activities recommended by the Center for Internet Security (CIS), and activities defined by your own organization. You can choose to be alerted when a database parameter or audit policy changes, a failed login by an admin occurs, a user entitlement changes, and when a user is created or deleted.
I can see that since last week there have been 115 successful and 1 failed login attempt, along with 315 DDL and 68 DML activities, in my database "SUPERCOOL".
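To make the alert conditions listed above concrete, here is an added example (my own code, not the post's or Oracle's) that buckets a constructed batch of audit records into the login/DDL/DML counts the dashboard shows and evaluates the alert rules from the post against each record. The AuditEvent shape, the verb lists and the mapping of each alert onto action strings are my assumptions, not Data Safe's real audit schema or policy definitions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class AuditEvent:
    """One audit record; this shape is a constructed stand-in, not Data Safe's real schema."""
    user: str
    action: str       # first word is the SQL verb, e.g. "LOGON", "CREATE TABLE ...", "INSERT ..."
    status: str       # "SUCCESS" or "FAILURE"
    is_admin: bool = False

DDL_VERBS = {"CREATE", "ALTER", "DROP", "TRUNCATE"}
DML_VERBS = {"INSERT", "UPDATE", "DELETE", "MERGE"}

def classify(ev):
    verb = ev.action.split()[0].upper()
    if verb == "LOGON":
        return "LOGIN_OK" if ev.status == "SUCCESS" else "LOGIN_FAILED"
    if verb in DDL_VERBS:
        return "DDL"
    if verb in DML_VERBS:
        return "DML"
    return "OTHER"

def summarize(events):
    """Bucket events the way the dashboard counts them: logins, DDL, DML."""
    return Counter(classify(e) for e in events)

def alerts_for(ev):
    """Alert conditions from the post; mapping them onto action strings is my assumption."""
    action = ev.action.upper()
    found = []
    if action.startswith("LOGON") and ev.status == "FAILURE" and ev.is_admin:
        found.append("ADMIN_LOGIN_FAILED")
    if action.startswith("ALTER SYSTEM") or "AUDIT POLICY" in action:
        found.append("PARAMETER_OR_AUDIT_POLICY_CHANGE")
    if action.startswith(("GRANT", "REVOKE")):
        found.append("USER_ENTITLEMENT_CHANGE")
    if action.startswith(("CREATE USER", "DROP USER")):
        found.append("USER_CREATED_OR_DELETED")
    return found

# Constructed sample events (made up for this example)
SAMPLE_EVENTS = [
    AuditEvent("ADMIN", "LOGON", "SUCCESS", True),
    AuditEvent("GGADMIN", "LOGON", "FAILURE", True),
    AuditEvent("APP_USER", "LOGON", "SUCCESS"),
    AuditEvent("ADMIN", "CREATE TABLE T1 (ID NUMBER)", "SUCCESS", True),
    AuditEvent("APP_USER", "INSERT INTO T1 VALUES (1)", "SUCCESS"),
    AuditEvent("ADMIN", "ALTER SYSTEM SET audit_trail=DB", "SUCCESS", True),
    AuditEvent("ADMIN", "GRANT DBA TO GGADMIN", "SUCCESS", True),
    AuditEvent("ADMIN", "DROP USER GGADMIN", "SUCCESS", True),
]
```

A failed LOGON by a non-admin user is counted but raises no alert, matching the post's rule that only failed admin logins are alert-worthy by default.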
As I said, Oracle Data Safe is a fully integrated cloud service that helps you secure your data and address compliance requirements. With Oracle Data Safe, you can assess the security of your database configurations, find your sensitive data, mask that data in development and test environments, discover the risks associated with database users, and monitor database activity, all from a single, easy-to-use management console.
This will help keep your data assets safe and secure, for free.
It looks like Data Safe has got you covered, so rest assured. Have a nice holiday :)