Oracle LiveLabs DB Security Lab Summary

In Oracle LiveLabs, the database security experiments are divided into 2 series, with a total of 12 experiments.

The Oracle database security architecture is shown in the following diagram (image not reproduced).

These labs cover Oracle security-related features, Enterprise Edition options, stand-alone products and services (overview image not reproduced).

The Chinese homepage of Oracle security products can be seen at:

In the lab overview image (not reproduced), the first entry is actually two experiments, TDE and Data Redaction.

1. DB Security Basics Series

Experiments in this foundational series include:

  • Database Assessment Tool (DBSAT)
  • Native Network Encryption (NNE)
  • Privilege Analysis
  • Unified Auditing
  • Transparent Sensitive Data Protection (TSDP)
  • Data Safe for on-premises database

The last experiment, Data Safe for on-premises database, runs on Oracle public cloud, so it is not covered here.

1.1 Oracle LiveLabs experiment: DB Security - Database Assessment Tool

Users with a MOS account can download this tool for free.

The Oracle Database Security Assessment Tool (DBSAT) is a command-line tool that helps identify areas where database configuration, operation, or implementation present risks and recommends changes and controls to mitigate those risks. DBSAT helps assess the security of database configurations, identify users and their rights, and identify where sensitive data is located in databases.

The homepage of DBSAT is here.

1.2 Oracle LiveLabs experiment: DB Security - Native Network Encryption (NNE)

Starting from 10gR2, NNE is no longer part of ASO (Advanced Security Option). Native network encryption lets you encrypt database connections without the configuration overhead of TCP/IP and SSL/TLS, and without having to open and listen on additional ports.

Oracle Database provides native data network encryption and integrity to ensure data is secure as it travels across the network.

The purpose of a secure cryptosystem is to convert plaintext data into unintelligible ciphertext based on a key such that it is difficult (computationally infeasible) to convert ciphertext back to its corresponding plaintext without knowing the correct key.

In symmetric cryptosystems, the same key is used to encrypt and decrypt the same data. Oracle Database provides the Advanced Encryption Standard (AES) symmetric cryptosystem to protect the confidentiality of Oracle Net Services traffic.
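As an added example (not from the original post or the LiveLabs manual): the server-side sqlnet.ora settings that move NNE from its default "accept whatever the client offers" posture to required AES encryption with integrity checking, followed by the query that confirms a session actually negotiated encryption. The file path, user names and the HR_APP schema are assumptions for a typical 19c installation.

```sql
-- Server-side sqlnet.ora (assumed location: $ORACLE_HOME/network/admin/sqlnet.ora).
-- Default posture is ACCEPTED, which means a client that never asked for encryption
-- still connects in cleartext. Require encryption and integrity instead:
--
--   SQLNET.ENCRYPTION_SERVER            = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
--
-- REQUIRED makes the server reject any client that cannot negotiate these algorithms,
-- so roll it out after confirming clients support AES256/SHA256.

-- From a fresh session, inspect what was negotiated. A cleartext session shows only
-- protocol and authentication banner lines; an NNE session additionally lists an
-- "Encryption service adapter" line and a "Crypto-checksumming service adapter" line.
SELECT network_service_banner
FROM   v$session_connect_info
WHERE  sid = SYS_CONTEXT('USERENV', 'SID');

-- Fleet-wide check (run as a DBA): user sessions that negotiated no encryption at all.
SELECT s.username, s.machine, s.program
FROM   v$session s
WHERE  s.type = 'USER'
AND    NOT EXISTS (
         SELECT 1
         FROM   v$session_connect_info ci
         WHERE  ci.sid = s.sid
         AND    ci.serial# = s.serial#
         AND    ci.network_service_banner LIKE '%Encryption service adapter%');
```

Local bequeath connections never traverse SQL*Net and therefore also show no encryption banner, so exclude them (their banner names the "Bequeath" protocol adapter) before treating the second query's rows as findings.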

Documentation on NNE can be found here.

1.3 Oracle LiveLabs experiment: DB Security - Privilege Analysis

The Privilege Analysis feature is included in Oracle Database Enterprise Edition.

Privilege Analysis enables customers to create a profile for a database user and capture a list of system and object privileges that user is using. Customers can then compare the user's list of used permissions to the list of granted permissions and reduce the list of granted permissions to match the used permissions.

Privilege analysis helps improve the security of applications and operations by identifying unused or excessive privileges. The privileges a database administrator actually needs can be identified by analyzing the privileges used while performing common administrative activities, and the privileges an application needs can be identified by running a privilege analysis capture while the application is connected to the database.
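The capture-compare-reduce workflow described above, as an added example that is not part of the original post or the LiveLabs manual. It uses the DBMS_PRIVILEGE_CAPTURE package and the DBA_USED_*/DBA_UNUSED_* views; the HR_APP user, the capture name and the revoked privilege are constructed for illustration.

```sql
-- Run as a user holding the CAPTURE_ADMIN role.
-- 1. Define a capture scoped to the application's sessions (type G_CONTEXT), so
--    privileges used by other users are not mixed into the profile.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'HR_APP_CAPTURE',
    description => 'Privileges actually used by HR_APP sessions',
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''HR_APP''');
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'HR_APP_CAPTURE');
END;
/
-- 2. Exercise the application while the capture is enabled: normal workload, batch
--    jobs, reports and month-end processing, so rarely used code paths are covered.
-- 3. Stop the capture and materialize the results.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'HR_APP_CAPTURE');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'HR_APP_CAPTURE');
END;
/
-- 4. Compare: privileges that were used versus privileges granted but never used.
SELECT username, sys_priv
FROM   dba_used_sysprivs
WHERE  capture = 'HR_APP_CAPTURE';

SELECT username, sys_priv
FROM   dba_unused_sysprivs
WHERE  capture = 'HR_APP_CAPTURE';

SELECT username, obj_priv, object_owner, object_name
FROM   dba_unused_objprivs
WHERE  capture = 'HR_APP_CAPTURE';

-- 5. Reduce the grants to what was used. Review each item first: a privilege may be
--    needed by a code path the capture window did not exercise.
REVOKE SELECT ANY TABLE FROM hr_app;
```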

The main page of Privilege Analysis is here.

1.4 Oracle LiveLabs experiment: DB Security - Unified Auditing

Unified Auditing enables you to capture audit records from various sources.

Unified Auditing is a new auditing tool in Oracle Database 12c Release 1 (12.1).

Its documentation is here.

1.5 Oracle LiveLabs experiment: DB Security - Transparent Sensitive Data Protection (TSDP)

2. DB Security Advanced Series

This series includes the following experiments:

  • Transparent Data Encryption (TDE)
  • Data Redaction
  • Database Vault (DV)
  • Label Security (OLS)
  • Data Masking and Subsetting (DMS)
  • Audit Vault and DB Firewall (AVDF)
  • Oracle Key Vault (OKV)

The manual for this series of experiments can be found here.

2.1 Oracle LiveLabs experiment: DB Security - Transparent Data Encryption (TDE)

Both TDE and Data Redaction in the next experiment belong to the Oracle Advanced Security option. The Chinese introduction to the Oracle Advanced Security Option is here.

TDE transparently encrypts data at rest in the Oracle Database. It blocks unauthorized attempts by the operating system to access database data stored in files without affecting how applications access the data using SQL. TDE can encrypt the entire application tablespace or specific sensitive columns. TDE is fully integrated with Oracle Database. Encrypted data remains encrypted within the database, whether in tablespace storage files, temporary tablespaces, undo tablespaces, or other files that Oracle Database relies on, such as redo logs. Additionally, TDE can encrypt entire database backups (RMAN) and Data Pump exports.

Chinese documentation for transparent data encryption:

2.2 Oracle LiveLabs experiment: DB Security - Data Redaction

Data Redaction redacts sensitive data before it leaves the database, reducing the risk of unauthorized disclosure through applications. Partial or full redaction prevents sensitive data from being extracted at scale into reports and spreadsheets.

It is part of Oracle Advanced Security and prevents the display of data columns such as credit card numbers, US social security numbers, and other sensitive or regulated data. It is driven by declarative policies that can take into account database session factors and information passed by the application. Sensitive data can be redacted at display time on live production systems with minimal disruption to running applications and without altering the actual stored data.
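A declarative redaction policy of the kind described above, as an added example that is not from the original post or the LiveLabs manual. It uses DBMS_REDACT; the HR_APP schema, the CUSTOMERS table and columns, and the CC_AUDITOR exception user are constructed, and CARD_NUMBER is assumed to hold card numbers in the NNNN-NNNN-NNNN-NNNN text form that the REDACT_CCN16_F12 format expects.

```sql
-- Run as a user with EXECUTE on DBMS_REDACT (for example SYS).
-- Partial redaction of a 16-digit card number: keep the last 4 digits, mask the first
-- 12 with '*'. The expression is the session factor: everyone except the CC_AUDITOR
-- session user sees the redacted value. The stored data is never modified.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR_APP',
    object_name         => 'CUSTOMERS',
    column_name         => 'CARD_NUMBER',
    policy_name         => 'REDACT_CUSTOMER_PII',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => DBMS_REDACT.REDACT_CCN16_F12,
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''CC_AUDITOR''');
END;
/
-- Extend the same policy with full redaction of the SSN column (a VARCHAR2 column
-- redacts to a single space, a NUMBER column to 0).
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR_APP',
    object_name   => 'CUSTOMERS',
    policy_name   => 'REDACT_CUSTOMER_PII',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'SSN',
    function_type => DBMS_REDACT.FULL);
END;
/
-- Verify from an application session: the query is unchanged, only the result is
-- redacted (for example ****-****-****-3456 for the card number).
SELECT card_number, ssn FROM hr_app.customers WHERE ROWNUM <= 3;

-- Inventory of policies and the columns they protect, for periodic review.
SELECT object_owner, object_name, policy_name, enable FROM redaction_policies;
SELECT object_owner, object_name, column_name, function_type FROM redaction_columns;
```

Users holding the EXEMPT REDACTION POLICY system privilege bypass every policy, so that grant belongs in the same review as the policies themselves.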

2.3 Oracle LiveLabs experiment: DB Security - Database Vault

Oracle Database Vault implements data security controls in Oracle Database that prevent privileged users from accessing application data, thereby effectively reducing the risk of internal and external threats and meeting compliance requirements such as separation of duties.

The Chinese product home page of Database Vault is here.

2.4 Oracle LiveLabs experiment: DB Security - Oracle Label Security (OLS)

OLS is an option for the Enterprise Edition of the database.

Oracle Label Security enforces data access control based on data labels and session labels. It documents and enforces data access controls by project code, region, and data classification, reducing the risk of unauthorized access to sensitive data and ensuring compliance.

The Chinese product home page of OLS is here.

2.5 Oracle LiveLabs experiment: DB Security - Data Masking and Subsetting (DMS)

Oracle Data Masking and Subsetting (DMS) enables enterprises to unlock the value of their data while keeping it secure and minimizing storage costs. Enterprises can provision data securely and cost-effectively, whether in test, development, or partner environments.

DMS is a management pack of Oracle Enterprise Manager.

The Chinese product home page of DMS is here.

2.6 Oracle LiveLabs experiment: DB Security - Audit Vault and DB Firewall

Oracle Audit Vault and Database Firewall is a comprehensive and scalable solution for database auditing and network-based activity monitoring. It analyzes and reports user activity to help detect attacks and meet compliance requirements.

The Chinese homepage of AVDF is here.

2.7 Oracle LiveLabs experiment: DB Security - Key Vault

Oracle Key Vault securely stores encryption keys, Oracle wallets, Java keystores, credential files, and other secrets in a scalable, fault-tolerant cluster that supports the OASIS KMIP standard and is deployed on-premises and in the cloud.

The Chinese homepage of Oracle key management is here.


Origin blog.csdn.net/stevensxiao/article/details/130420542