Monday, January 5, 2026

OCI Data Safe - Oracle Database User Assessment

 

Introduction:

  • Data Safe User Assessment enables you to evaluate how securely database user accounts are configured and to detect users that may pose a higher security risk. This helps you understand the potential impact on your data if an account is ever compromised.
  • With User Assessment, you can track and receive alerts for changes to users or their privileges, uncover weak authentication practices, and identify inadequate password or login policies—supporting stronger overall database security.
  • Oracle Data Safe automatically performs user assessments for registered target databases and keeps the results in an assessment history for future reference.
  • You can review and analyze assessment results both across all target databases and at an individual database level.
  • User and privilege changes can be detected by comparing the most recent assessment with a baseline or a previous assessment.



In my previous Data Safe blog, we walked through the steps to register an Autonomous AI database with Data Safe and explore the Data Safe security center.
In this blog, we will walk through the steps to:
  • View User Assessment's overview page and the latest user assessment for your target database
  • Change users and entitlements on the target database.
  • Refresh the latest user assessment and compare with the initial user assessment.

Prerequisites:

  • A free tier or paid Oracle Cloud account
  • A provisioned Always free Autonomous AI database
  • Access to a registered target database. Covered in my previous Data Safe blog 

Task #1: View User Assessment Overview Page


1. From the navigation menu, select Oracle AI Database, and then Data Safe - Database Security.
2. Under Security center, click Security assessment.
3. Under List scope, select your compartment. Deselect Include child compartments. The overview page shows user security statistics for all target databases under the selected compartment.


4. Review the 5 charts at the top of the overview page.
  • Potential user risk chart: shows you the number and percentage of users who are potentially Critical, High, Medium, and Low risk.
  • User roles chart: shows you the number of users with the DBA, DV admin, and Audit admin roles.
  • Last password change chart: shows you the number of users who changed their passwords within the last 30 days, within the last 30-90 days, and 90 days ago or more.
  • Last login chart: shows you the number of users that signed in to the target database within the last 24 hours, within the last week, within the current month, within the current year, and a year ago or more.
  • Password expiry date chart: shows you the number of users whose passwords will expire within three distinct time intervals: next 30 days, 30-90 days, and beyond 90 days.

5. Review the Risk summary tab. It provides information on potential risks across all selected target databases. It shows you potential risk levels, the number of target databases, the total number of users at each risk level, the total number of privileged users at each risk level, and counts for DBAs, DV admins, and Audit admins.


6. Review the Target summary tab. It shows the following information for each target database:
  • The number of critical and high risk users, DBAs, DV admins, and Audit admins.
  • Date and time of the latest user assessment.

Task #2: Analyze Users in the Latest User Assessment


The latest user assessment is the one that was automatically generated by Oracle Data Safe when you registered your target database.

1. On the Target summary tab, locate your target database and click View report.


The latest user assessment for your target database is displayed.



2. On the Overview tab, review the 6 charts:
  • Potential user risk
  • User roles
  • Top 5 users by schema access
  • Last password change
  • Last login
  • Password expiry date


3. Click the Assessment information tab to view details about the user assessment, such as OCID, compartment name, target database name, assessment date and time, schedule, name, and name of the baseline assessment.
Rename the latest user assessment to "UA_<TARGET_DATABASE_NAME>_Latest".


4. Scroll down and review the User details section.


5. In the User name column, click a user that is a CRITICAL potential risk, for example DBA_DEBRA.
The User details page shows the information shown below.



Task #3: Change Users and Entitlements on the Target database


1. Access the SQL worksheet in Database Actions of your Autonomous AI Database.
2. As ADMIN, execute the commands below.

DROP USER evil_rich;
CREATE USER app_developer identified by <user-password>;
GRANT PDB_DBA to app_developer;


Task #4: Refresh the Latest User Assessment


At the top of the latest security assessment report page, click Refresh now to get the latest data. The Refresh now panel is displayed. Name the assessment "UA_<TARGET_DATABASE_NAME>_2", and click Refresh now. Wait for the status to read as SUCCEEDED.


Review the refreshed latest assessment charts and user details table.
Notice that the EVIL_RICH user is no longer a CRITICAL potential risk, while the user "APP_DEVELOPER", which was created in the previous task, is a CRITICAL potential risk because the user has the PDB_DBA role.





Task #5: Compare the Latest User Assessment with the Initial User Assessment


1. With the latest user assessment displayed, under Resources on the left, click Compare assessments.
2. From the Select assessment drop-down list, select the initial assessment for your target database. As soon as you select it, the comparison operation is started.




3. Review the results. A new user is added (APP_DEVELOPER) and a user is deleted (EVIL_RICH). The new user finding is identified as a potential CRITICAL risk.



4. In the Comparison results column, click the Open details link for the new user to view more information.
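To cross-check the CRITICAL finding for APP_DEVELOPER directly in the data dictionary, the following added example (not part of the original walkthrough) lists every non-Oracle-maintained account that holds PDB_DBA, whether granted directly or through nested roles, and then removes the demo grant. It assumes you run it as ADMIN in the same SQL worksheet and that ADMIN can read the DBA_ views.

```sql
-- Who holds PDB_DBA, directly or through a chain of nested roles?
-- The walk starts at grants of PDB_DBA and climbs to whoever holds the grantee role.
WITH holders AS (
  SELECT grantee,
         LEVEL AS depth,                                   -- 1 = direct grant
         SYS_CONNECT_BY_PATH(granted_role, ' <- ') AS grant_path
  FROM   dba_role_privs
  START  WITH granted_role = 'PDB_DBA'
  CONNECT BY NOCYCLE PRIOR grantee = granted_role
)
SELECT u.username,
       u.account_status,
       u.profile,
       u.created,
       u.last_login,
       h.depth,
       h.grant_path
FROM   holders h
JOIN   dba_users u ON u.username = h.grantee               -- keep users, drop intermediate roles
WHERE  u.oracle_maintained = 'N'                           -- skip Oracle-supplied accounts
ORDER  BY u.username, h.depth;

-- Cleanup once the walkthrough is finished: remove the role from the
-- demo account created in Task #3.
REVOKE PDB_DBA FROM app_developer;
```

Refresh the user assessment after the REVOKE to record the change in the assessment history.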






Thanks for reading !!!





Friday, January 2, 2026

OCI Data Safe - Oracle Database Configuration Security Assessment

 

Introduction:

  • Poor database configurations, such as weak password policies, insufficient control of overprivileged accounts, and lack of activity monitoring, are the most common causes of database vulnerabilities.
  • In Data Safe, Security Assessment provides you an overall picture of your database and security posture. It analyzes database configurations, users and user entitlements, and security policies to uncover security risks and improve the security posture of Oracle databases within your organization.
  • Security Assessment helps you assess the security of your database configurations. It analyzes database configurations, user accounts, and security controls, and then reports the findings with recommendations for remediation activities that follow best practices to reduce or mitigate risk.
  • Oracle Data Safe automatically creates a security assessment of your target database during registration. This assessment is referred to as the latest assessment and is automatically updated on a weekly basis. All assessments are stored in the Assessment History.
  •  You can analyze assessment data across all your target databases and for each target database. You can monitor security drift on your target databases by comparing the latest assessment to a baseline or to another assessment.



In my previous Data Safe blog, we walked through the steps to register an Autonomous AI database with Data Safe and explore the Data Safe security center.
In this blog, we will walk through the steps to:
  • View Security Assessment's overview page and the latest security assessment for your target database
  • Create a risk on the target database and adjust the risk level of a risk finding
  • Set the latest assessment as the baseline assessment
  • Compare new assessment with the baseline

Prerequisites:

  • A free tier or paid Oracle Cloud account
  • A provisioned Always free Autonomous AI database
  • Access to a registered target database. Covered in my previous Data Safe blog 

Task #1: View Security Assessment Overview page


1. From the navigation menu, select Oracle AI Database, and then Data Safe - Database Security.
2. Under Security center, click Security assessment.
3. Under List scope, select your compartment. Deselect Include child compartments. The overview page shows statistics for all target databases under the selected compartment. 



4. Review charts.
  • Risk level chart: shows you a percentage breakdown of the different risk levels (High, Medium, Low, Advisory, and Evaluate) across all target databases in the selected compartment.
  • Risks by category chart: shows you a percentage breakdown of the different risk categories (User accounts, Privileges and roles, Authorization control, Data encryption, Fine-grained access, Auditing, and Database configurations) across target databases in the selected compartment.
  • Top 5 common security controls chart: shows a bar graph of the number of target databases at each risk level for each of the top five common controls. The top five common controls are the five security controls that Oracle considers the most important to the security of your target databases. Clicking on any of the bars will show you the list of target databases associated with the selected data.


5. Review the Risk summary tab. 
  • It shows you how much risk you have across all target databases in the specified compartment.
  • You can compare the number of high, medium, low, advisory, and evaluate risk findings across all target databases, and view which risk categories have the greatest numbers.
  • Risk categories include Target databases, User accounts, Privileges and roles, Authorization control, Fine-grained access control, Data encryption, Auditing, and Database configuration.


6. Review the Target summary tab. 
  • It shows you the security posture of each target database.
  • You can view the number of high, medium, low, advisory, and evaluate risk findings for each target database.
  • You can view the latest assessment date and find out if the latest assessment deviates from a baseline (if one is set).
  • You can access the latest assessment report for each target database.
 

Task #2: View the latest Security Assessment for your Target Database


1. On the Target summary tab, locate your target database and click View report.


The latest security assessment for your target database is displayed.



2. Review the top 5 common security controls that Oracle considers to be the most important to the security of your target databases. You can click the links to quickly navigate to more detail below.



3. Review the information in the Summary table. This table compares the number of findings for each category in the report and counts the number of findings per risk level.



4. Click the Assessment information tab to view details about the security assessment, such as OCID, compartment name, target database name, target database version, assessment date and time, schedule, name, and name of the baseline assessment.



5. Scroll down and view the Assessment details section.
This section shows you all findings for each risk category. Risks are color-coded to help you easily identify categories that have high risk findings (red).

Under Filters by risks on the left, you can select the risk levels that you want displayed. You can also filter by referenced security standards.



6. Expand categories and review the findings. 
In this demo, the Transparent Data Encryption finding is low risk (orange) and has three references.



Task #3: Adjust Finding Risk Level


You can defer or change the risk level of a risk finding. In this demo, we will defer the Users with Unlimited Concurrent Sessions risk finding.

1. Click the pencil icon for the Users with Unlimited Concurrent Sessions finding.



2. In the Update risk for finding panel, select Defer risk. Optionally, enter a justification and set an expiration date. Click Save. Notice that the risk finding is recategorized in the Assessment details section.
Setting an expiration date is optional. Upon expiry, the next assessment resumes evaluating the finding and displays it as found. With no expiration date, the risk finding is deferred indefinitely.





Task #4: Set the latest Assessment as a Baseline


1. At the top of the Assessment report page, click Set as baseline. Click Yes to confirm.



Task #5: Create a risk on the Target Database


1. Access the SQL worksheet in Database Actions of your Autonomous AI Database.
2. As ADMIN, execute the grant command below.

grant ALTER ANY ROLE to PUBLIC;

Task #6: Refresh the latest Security Assessment and analyze the results


1. At the top of the latest security assessment report page, click Refresh now to get the latest data. The Refresh now panel is displayed. Leave the default name as is, and click Refresh now. Wait for the status to read as SUCCEEDED.



2. Click the Assessment information tab. Notice that the assessment date and time is right now, and that Complies with baseline is equal to No.



3. Scroll down and expand the finding System Privileges Granted to PUBLIC. Notice this is a high risk finding.




Task #7: Compare new Assessment with the Baseline


1. With the latest security assessment displayed, under Resources on the left, click Compare with baseline.
2. From the Baseline drop-down list, select your baseline. Click Compare.


3. When the comparison operation is completed, scroll down the page to the Comparison with baseline section and review the information.
  • You can identify where the changes have occurred on your target database by viewing cells that contain the word Modified. The number represents the total count of new, remediated, and modified risks on the target database.
  • In the details table, you can view the risk level for each finding, the category to which the finding belongs, the finding name, and a description of what has changed on your target database. The Comparison Report column is important because it explains what is changed, added, or removed from the target database since the baseline report was generated.
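To confirm in the data dictionary what the System Privileges Granted to PUBLIC finding is reporting, and to undo the Task #5 grant once the comparison is done, the following added example (not part of the original walkthrough) lists the system privileges every account inherits through PUBLIC. It assumes you run it as ADMIN in the same SQL worksheet and that ADMIN can read the DBA_ views.

```sql
-- System privileges every account inherits through PUBLIC:
-- direct grants to PUBLIC plus those carried by roles granted to PUBLIC (any depth).
WITH public_roles AS (
  SELECT DISTINCT granted_role
  FROM   dba_role_privs
  START  WITH grantee = 'PUBLIC'
  CONNECT BY NOCYCLE PRIOR granted_role = grantee
)
SELECT 'PUBLIC' AS via, privilege, admin_option
FROM   dba_sys_privs
WHERE  grantee = 'PUBLIC'
UNION ALL
SELECT r.granted_role, p.privilege, p.admin_option
FROM   public_roles r
JOIN   dba_sys_privs p ON p.grantee = r.granted_role
ORDER  BY 1, 2;

-- Remove the risk created in Task #5.
REVOKE ALTER ANY ROLE FROM PUBLIC;

-- Re-run the first query: ALTER ANY ROLE should no longer be listed with via = 'PUBLIC'.
```

Refresh the security assessment after the REVOKE and compare with the baseline again to check that the drift is gone.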







Thanks for reading !!!




Setup and Access Oracle OCI Data Safe

 

Introduction:

  • Organizations rely on databases to manage their most critical asset: the data. But if not well protected, this data could become their biggest liability.
  • According to industry reports, almost one third of the attacks are performed by internal actors and over half of internal attacks are on databases.
  • Sensitive data, such as personally identifiable information, personal financial information, and personal health care information, make databases attractive targets for hackers and even insiders who are looking to steal data for monetary, strategic or personal reasons or just to disrupt business.
  • Organizations need to further secure their databases by understanding their own data, their own users, and their configurations.
  • Oracle Data Safe is Oracle’s platform for securing data in databases. As a native Oracle Cloud Infrastructure service, Oracle Data Safe lets you assess the security of your database configurations, find your sensitive data, mask that data in non-production environments, discover the risks associated with database users, monitor database activity, and create and enforce SQL Firewall policies for users.
  • Oracle Data Safe helps organizations to secure their data assets
    • A single and unified database security control center
    • No new infrastructure to manage
    • No need for manual upgrades 
    • No special security expertise required
    • Simple and powerful service that saves time and money 



In this blog, we will walk through the steps to:
  • Register Oracle AI Autonomous database with Oracle Data Safe using the wizard
  • Access Oracle Data Safe and explore security center

Prerequisites:

  • A free tier or paid Oracle Cloud account
  • A provisioned Always free Autonomous 26ai database. 
  • An existing OCI compartment.

Task #1: Prepare your environment


1. Create IAM user group and assign IAM account to the group

1.1. From the navigation menu, select Identity & Security, and then Domains. Select the default domain.
1.2. Click the User management tab.

1.3. Scroll down, then click Create group button.


1.4. In Create group page, enter a name for the group (DataSafeGroup) and a description (User group for data safe).
1.5. Under the Users section, search for the user for this demo and select the user.
1.6. Click Create button.

2. Create IAM policy for the user group

2.1. From the navigation menu, select Identity & Security, and then Policies. The Policies page is displayed. Change the compartment to the root compartment. 
2.2. Click Create Policy button.


2.3. In the Create Policy page, enter a policy name and a description.
2.4. Select the same compartment as Autonomous AI database.  
2.5. In the Policy Builder section, click Show manual editor and enter below statements. Use the same compartment as Autonomous AI database. 
 
Allow group DataSafeGroup to manage data-safe-family in compartment {Compartment_Name}
Allow group DataSafeGroup to manage autonomous-database in compartment {Compartment_Name}

 

2.6. Click Create button.

3. Load sample data into Autonomous AI database

3.1. Access SQL worksheet in the Database Actions. 


3.2. Download sample data script load-data-safe-sample-data_admin.sql
3.3. As the ADMIN user on the database SQL worksheet, copy the entire script and paste it into the worksheet, then click Run Script button.


3.4. To ensure the sample data is loaded successfully, review the row count for each table in the HCM1 schema.

 


Task #2: Register Autonomous AI Database with Oracle Data Safe


To use a database with Oracle Data Safe, you first need to register it with Oracle Data Safe. A registered database is referred to as a target database in Oracle Data Safe. 
You have three options for registering Autonomous AI database into Data Safe:
  • Use the Register link on the Autonomous AI Database page (one-click method with no interaction).
  • Use the Autonomous AI Databases wizard on the Overview page for the Oracle Data Safe service (guided method with customization options).
  • Manually register your target database from the Registered Targets page (advanced method without guidance).
We will use the Autonomous AI Database wizard option in this demo.


1. From the navigation menu, select Oracle AI Database, and then Data Safe - Database Security. The Overview page is displayed.



2. Under Autonomous Database tile, click Start Wizard.


 
3. On the Register Autonomous Database page:
3.1. Select your database from the drop-down list.
Notice the message at the bottom of the page: The selected database is configured to be securely accessible from everywhere. Steps 2 ('Connectivity option') and 3 ('Add security rule') are not necessary and will be skipped. If your database has a private IP address, the wizard will guide you through the process of configuring an Oracle Data Safe private endpoint and security rules. 


3.2. Click Next button.
3.3. On the Review and submit page, review the information.  


3.4. Click Register button. The Target database information page is displayed.

3.5. Wait for the target database status to turn to ACTIVE, which means your target database is fully registered. 

 


Task #3: Access Oracle Data Safe and Explore Security Center


1. From the navigation menu, select Oracle AI Database, and then Data Safe - Database Security. Under Data Safe on the left, select Target Databases. Make sure to select the right compartment.


2. Under Security center on the left, click Dashboard and review the dashboard. Scroll down to view the security controls and feature charts. Make sure your compartment is selected under List scope. From the Target databases drop-down list, select your target database so that the data in the dashboard pertains to your target database only.






Oracle Data Safe features will be covered in separate blogs. 


