Oracle Cloud Infrastructure – Data Safe: Part 1


Data is the new currency. It is one of the most valuable organizational assets; however, if that data is not well protected, it can quickly become a liability. At an alarming rate, we are seeing more and more data breaches that damage an organization’s brand, its ability to keep delivering services and doing business, and of course its finances. We know that most sensitive data is stored and managed within databases.

Databases have therefore become prime targets for security threats. Oracle Data Safe is a packaged, unified database security control centre for protecting both cloud and on-premises databases. Data Safe provides an integrated set of security features built around 5 key components:

[Screenshot: data safe 2]


What is Oracle Data Safe in OCI?

Oracle Data Safe is a fully-integrated Cloud service focused on the security of your data… Features include Security Assessment, User Assessment, Data Discovery, Data Masking, and Activity Auditing.

This link is useful for setting up Data Safe and registering the target database with it:

https://docs.oracle.com/en/cloud/paas/data-safe/udscs/set-oracle-data-safe.html

Features of Oracle Data Safe

  1. Security Assessment
  2. User Assessment
  3. Data Discovery
  4. Oracle Data Masking
  5. Activity Auditing

Data Safe is also free for collecting 1 million database audit records per month. Beyond 1 million, Data Safe’s chargeback method applies.

In this article, I will illustrate how we can configure Data Safe in the cloud.


Enable Data Safe and Setup Endpoint

First log in to OCI and navigate to the Oracle Database section; Data Safe is listed under External Database.
Click on Data Safe to open the Data Safe configuration page.

[Screenshot: data safe 3]

The Data Safe page has a few options for database registration.

OCI Gen 1 supported only cloud-registered databases. Data Safe has now been extended to support both cloud and on-premises databases.

The most important section is creating a private endpoint.

  1. Private endpoint:
         This enables Data Safe to connect to and register the database. Traffic flows within the OCI network layer.

[Screenshot: data safe 4]


Create Private Endpoint

Before starting this, make sure to create a VCN (Virtual Cloud Network); the VCN automatically creates two subnets:

  1. Private
  2. Public

Because Data Safe traffic flows within OCI (Oracle Cloud Infrastructure), we need to select the private subnet. A Network Security Group can be selected after the endpoint is created.

For this, the NSG and security list configuration play a major part in the connection.

[Screenshot: data safe 5]

[Screenshot: data safe 6]


Create Ingress and Egress rule in the Security List

The NSG and security list play a major part in the connection. We need to create ingress and egress rules to establish it.

  • In the NSG or security list for your target database, add an ingress rule that allows your target database’s private endpoint IP address on the target database’s port to receive incoming traffic from Oracle Data Safe’s private endpoint IP address from all ports.
  • In the NSG or security list for your Oracle Data Safe private endpoint, add an egress rule that allows Oracle Data Safe’s private endpoint IP address on all ports to send requests to the target database’s private endpoint IP address on the target database’s port. If the target database has multiple IP addresses, you need to configure an egress rule for each IP address. In the case of an Oracle On-Premises Database, you only need to configure an egress rule and not an ingress rule.

Navigate to the VCN and add the security list ingress and egress rules.

[Screenshot: data safe 7]

For this test, I created the following ingress and egress rules to allow traffic to Data Safe.

  • Allow the target database to receive traffic on port 1521 from Oracle Data Safe’s private endpoint (10.0.1.0) from any port

[Screenshot: data safe 8]

  • Allow Oracle Data Safe’s private endpoint (from any port) to send traffic to the target database (10.0.0.0 on port 1521)

[Screenshot: data safe 9]


Create DATASAFE$ADMIN user

Create a user in the database that Data Safe will use to collect audit information.

#### Registration

SQL> show pdbs

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         3 PWHSE_PDB                      READ WRITE NO
SQL> alter session set container=PWHSE_PDB;

Session altered.

SQL> show pdbs

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         3 PWHSE_PDB                      READ WRITE NO
SQL>

###### create user
CREATE USER DATASAFE$ADMIN IDENTIFIED BY ORacle123## DEFAULT TABLESPACE USERS QUOTA 10M ON USERS TEMPORARY TABLESPACE TEMP;

SQL> CREATE USER DATASAFE$ADMIN IDENTIFIED BY ORacle123## DEFAULT TABLESPACE USERS QUOTA 10M ON USERS TEMPORARY TABLESPACE TEMP;

User created.

This script is available in the Data Safe target registration section; it grants the privileges Data Safe needs to collect information from the database.

[Screenshot: data safe 10]

Execute the script as SYS and answer the prompts for username, type, mode, etc.

SQL> !pwd
/home/oracle/scripts/sql
SQL> !ls -lrth
total 32K
-rw-r--r-- 1 oracle oinstall 30K Oct 26 18:08 datasafe_privileges.sql
SQL> @datasafe_privileges.sql
Enter value for USERNAME (case sensitive matching the username from dba_users)
DATASAFE$ADMIN
Setting USERNAME to DATASAFE$ADMIN
Enter value for TYPE (grant/revoke)
grant
Setting TYPE to grant
Enter value for MODE (audit_collection/audit_setting/data_discovery/masking/assessment/all)
all
Setting MODE to all
Granting AUDIT_COLLECTION privileges to "DATASAFE$ADMIN" ...
Granting AUDIT_SETTING privileges to "DATASAFE$ADMIN" ...
Granting DATA_DISCOVERY role to "DATASAFE$ADMIN" ...
Granting MASKING role to "DATASAFE$ADMIN" ...
Granting ASSESSMENT role to "DATASAFE$ADMIN" ...
Done.
Disconnected from Oracle Database 19c EE Extreme Perf Release 19.0.0.0.0 - Production
Version 19.11.0.0.0
[oracle@dbsdpl21 sql]$
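After the privileges script has run, it is worth confirming exactly what the DATASAFE$ADMIN account ended up with before registering the target. The queries below are an added example, not part of the original post or of Oracle's script; they assume the PWHSE_PDB container shown above and a session with SELECT access to the DBA_* views (SYS is fine).

```sql
-- Added verification queries (not from the original post). Assumes the PDB
-- name PWHSE_PDB from the post; run as SYS or any user who can read DBA_* views.
ALTER SESSION SET CONTAINER = PWHSE_PDB;

-- 1. Account state, profile and tablespace quota: should match the CREATE USER
--    above (DEFAULT TABLESPACE USERS, QUOTA 10M ON USERS).
SELECT u.username, u.account_status, u.profile, u.default_tablespace,
       q.tablespace_name, q.max_bytes
FROM   dba_users u
LEFT JOIN dba_ts_quotas q ON q.username = u.username
WHERE  u.username = 'DATASAFE$ADMIN';

-- 2. Roles granted to the account; compare with the "Granting ... role"
--    lines in the script output.
SELECT granted_role, admin_option
FROM   dba_role_privs
WHERE  grantee = 'DATASAFE$ADMIN'
ORDER  BY granted_role;

-- 3. Direct system privileges. Anything containing ANY is flagged for review
--    against the MODE you chose (all grants more than audit_collection alone).
SELECT privilege, admin_option,
       CASE WHEN privilege LIKE '%ANY%' THEN 'REVIEW' END AS note
FROM   dba_sys_privs
WHERE  grantee = 'DATASAFE$ADMIN'
ORDER  BY privilege;

-- 4. Object privileges the script handed out.
SELECT owner, table_name, privilege
FROM   dba_tab_privs
WHERE  grantee = 'DATASAFE$ADMIN'
ORDER  BY owner, table_name, privilege;

-- 5. Fail-fast check: a collection account should never hold DBA or a
--    full-export/import role. Expected result: 0.
SELECT COUNT(*) AS high_power_roles
FROM   dba_role_privs
WHERE  grantee = 'DATASAFE$ADMIN'
AND    granted_role IN ('DBA', 'EXP_FULL_DATABASE', 'IMP_FULL_DATABASE');
```

Re-run the same queries after executing the script with TYPE set to revoke when a target is decommissioned, to confirm the grants are actually gone.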


Register Target

Follow the steps below to register the target database with Data Safe.

[Screenshot: data safe 11]

Select the private endpoint, since we are using it to carry traffic within OCI.

[Screenshot: data safe 12]

The connection settings can be obtained from the database section.

[Screenshot: data safe 13]

Make sure to provide the DATASAFE$ADMIN password to register the database.


Troubleshooting

The registration error shown below occurs when you copy the entire connection details into the Connection Settings field.

[Screenshot: data safe 14]


The Solution

The solution is to enter only the service name.

[Screenshot: data safe 15]

After registration, the target’s final status should be displayed in green.

[Screenshot: data safe 16]


Login to Data Safe console

Click on Security Centre to log in to the Data Safe console.

The console covers 5 sections:

  1. Security Assessment
  2. User Assessment
  3. Data Discovery
  4. Data Masking
  5. Activity Auditing

[Screenshot: data safe 17]

Console dashboard

[Screenshot: data safe 18]

[Screenshot: data safe 19]
