OCI - Data Safe - Part 1

Data is the new currency. It is one of the most valuable organizational assets, however, if that data is not well protected, it can quickly become a liability. At an alarming rate we are seeing more and more data breaches that impact an organization’s brand, their ability to continue to delivery services and do business and of course they are impacted financially. We know that most sensitive data is stored and managed within databases. 

Databases now become a prime target for security threats. Oracle Data Safe is the solution with a packaged unified database security control center for protecting both cloud and on-premises databases. Data Safe provides an integrated set of security features including 5 key components:

What is Oracle Data Safe in OCI ?

Oracle Data Safe is a fully-integrated Cloud service focused on the security of your data. ... Features include Security Assessment, User Assessment, Data Discovery, Data Masking, and Activity Auditing.

This meta link will be useful to setup data safe and register target database with data safe. 

https://docs.oracle.com/en/cloud/paas/data-safe/udscs/set-oracle-data-safe.html

Features of Oracle Data Safe

1) Security Assessment
2) User Assessment

3) Data Discovery

4) Oracle Data Masking
5) Activity Auditing

Also data safe is free to collect 1 million each database audit records per month. When it goes beyond 1 million data safe charge back method is getting applied.
 

This article I will illustrate how we can configure the data safe in cloud.

Enable data safe and setup endpoint

First login to OCI and navigate to Oracle database section , under external database there is data safe.
Once you click on data safe , opens data safe configuration page.

Data safe page , This page has few options for database registration. 

OCI gen 1 supported only cloud registered database. Now data safe is extend to support Cloud and On-Premises databases.

Most important section is creating private endpoint.

1. Private endpoint : 
       This enables to connection to register database in data safe. Traffic flow within the OCI network layer.

Create Private endpoint

Before starting this make sure to create VCN , VNC automatically create two ip subnets.

1. Private
2. Public

As data safe network flow within the OCI we need to select private. Network security Group can be select after creating this.

For this NSG and Security list configuration play major part for the connection.

Create Ingress and Egress rule in security list

For this NSG and Security list play major part for the connection. We need to create ingress and egress rule to establish the connection.

• In the NSG or security list for your target database, add an ingress rule that allows your target database's private endpoint IP address on the target database's port to receive incoming traffic from Oracle Data Safe's private endpoint IP address from all ports.


• In the NSG or security list for your Oracle Data Safe private endpoint, add an egress rule that allows Oracle Data Safe's private endpoint IP address on all ports to send requests to the target database's private endpoint IP address on the target database's port. If the target database has multiple IP addresses, you need configure an egress rule for each IP address. In the case of an Oracle On-Premises Database, you only need to configure an egress rule, and not an ingress rule.

 

Navigate to VCN and add security ingress and egress rule.

For this testing I created these ingress and egress rules to allow traffic to data safe.

• Allow the target database to receive traffic on port 1521 from oracle Data Safe's private endpoint (10.0.1.0) from any port

• Allow Oracle Data Safe's Private endpoint ( from any port ) to send traffic to the target database (10.0.0.0 on port 1521)

Create DATASAFE$ADMIN user.

Create user in database to collect audit information.

#### Registration

SQL> show pdbs

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         2 PDB$SEED                       READ ONLY  NO
         3 PWHSE_PDB                      READ WRITE NO
SQL> alter session set container=PWHSE_PDB;

Session altered.

SQL> show pdbs

    CON_ID CON_NAME                       OPEN MODE  RESTRICTED
---------- ------------------------------ ---------- ----------
         3 PWHSE_PDB                      READ WRITE NO
SQL>

###### create user

CREATE USER DATASAFE$ADMIN IDENTIFIED BY ORacle123## DEFAULT TABLESPACE USERS QUOTA 10M ON USERS TEMPORARY TABLESPACE TEMP;

SQL> CREATE USER DATASAFE$ADMIN IDENTIFIED BY ORacle123## DEFAULT TABLESPACE USERS QUOTA 10M ON USERS TEMPORARY TABLESPACE TEMP;

User created.

This script is there in the data safe target registration section which has a procedure to collection information from database.

Execute the script as sys and feed prompt information for username , Type etc …

SQL> !pwd
/home/oracle/scripts/sql

SQL> !ls -lrth
total 32K
-rw-r--r-- 1 oracle oinstall 30K Oct 26 18:08 datasafe_privileges.sql

SQL> @datasafe_privileges.sql
Enter value for USERNAME (case sensitive matching the username from dba_users)
DATASAFE$ADMIN
Setting USERNAME to DATASAFE$ADMIN
Enter value for TYPE (grant/revoke)
grant
Setting TYPE to grant
Enter value for MODE (audit_collection/audit_setting/data_discovery/masking/assessment/all)
all

SQL> @datasafe_privileges.sql
Enter value for USERNAME (case sensitive matching the username from dba_users)
DATASAFE$ADMIN
Setting USERNAME to DATASAFE$ADMIN
Enter value for TYPE (grant/revoke)
grant
Setting TYPE to grant
Enter value for MODE (audit_collection/audit_setting/data_discovery/masking/assessment/all)
all
Setting MODE to all
Granting AUDIT_COLLECTION privileges to "DATASAFE$ADMIN" ...
Granting AUDIT_SETTING privileges to "DATASAFE$ADMIN" ...
Granting DATA_DISCOVERY role to "DATASAFE$ADMIN" ...
Granting MASKING role to "DATASAFE$ADMIN" ...
Granting ASSESSMENT role to "DATASAFE$ADMIN" ...
Done.
Disconnected from Oracle Database 19c EE Extreme Perf Release 19.0.0.0.0 - Production
Version 19.11.0.0.0
[oracle@dbsdpl21 sql]$

Register target

Please follow below mention steps to perform data safe registration.

Select the private endpoint as we are using private end point to transfer traffic within the OCI.

Connection setting can be obtain from database section

Make sure to provide DATASAFE$ADMIN password to register database.

SQL> !pwd
/home/oracle/scripts/sql

SQL> !ls -lrth
total 32K
-rw-r--r-- 1 oracle oinstall 30K Oct 26 18:08 datasafe_privileges.sql

SQL> @datasafe_privileges.sql
Enter value for USERNAME (case sensitive matching the username from dba_users)
DATASAFE$ADMIN
Setting USERNAME to DATASAFE$ADMIN
Enter value for TYPE (grant/revoke)
grant
Setting TYPE to grant
Enter value for MODE (audit_collection/audit_setting/data_discovery/masking/assessment/all)
all

SQL> @datasafe_privileges.sql
Enter value for USERNAME (case sensitive matching the username from dba_users)
DATASAFE$ADMIN
Setting USERNAME to DATASAFE$ADMIN
Enter value for TYPE (grant/revoke)
grant
Setting TYPE to grant
Enter value for MODE (audit_collection/audit_setting/data_discovery/masking/assessment/all)
all
Setting MODE to all
Granting AUDIT_COLLECTION privileges to "DATASAFE$ADMIN" ...
Granting AUDIT_SETTING privileges to "DATASAFE$ADMIN" ...
Granting DATA_DISCOVERY role to "DATASAFE$ADMIN" ...
Granting MASKING role to "DATASAFE$ADMIN" ...
Granting ASSESSMENT role to "DATASAFE$ADMIN" ...
Done.
Disconnected from Oracle Database 19c EE Extreme Perf Release 19.0.0.0.0 - Production
Version 19.11.0.0.0
[oracle@dbsdpl21 sql]$

Troubleshooting

This happens when you copy entire connection details 
connection Settings

Solution

Solution is to add only service name

Final output after registration target should display in green color.

Login to Data Safe console

Click on security center to login to data safe console.

This covers 5 sections

1. Security Assessment
2. User Assessment
3. Data Discovery
4. Data Masking
5. Activity Auditing

Console dashboard