Cloud Security Perspectives and Insights

Keeping your Data Safe, Part (3): Assessing Cloud Databases

Russ Lowenthal
Product Manager, Database Security

The first step in securing a database is understanding the current state of that database. You need to know how it is configured, who the users are, and what kind of data the system contains. Oracle Data Safe helps with that, allowing you to easily analyze your database’s configuration, survey your database users for risk, and discover what types of sensitive data are in your database and how much of that data is being stored.

Today, I’d like to focus on the assessment capabilities of Data Safe – we’ll cover sensitive data discovery another day. Data Safe offers two types of assessment: security and user.


Security assessment looks at configuration, security control usage, and how you are managing users – including privilege and role assignment. Use security assessment to identify configurations that may be introducing unnecessary risk into your environment: things like weak password policies, unnecessary access to sensitive database objects, and access control exemptions. Each security assessment finding delivers details of what was found, remarks on why this is important, and (if appropriate) references to applicable security frameworks like CIS, STIG, and EU GDPR. In one example of a finding, the DATAPUMP_EXP_FULL_DATABASE role has been granted to several people, and along with that role comes an indirect grant of the EXEMPT REDACTION POLICY privilege. This finding is advisory in nature, just letting you know that with this grant you are nullifying the effectiveness of Oracle Data Redaction policies for these users.
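The indirect grant described in that finding can also be checked by hand from the data dictionary. The query below is an added example, not Data Safe's own logic or code from the original post; it assumes a session with SELECT access to the standard DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_USERS views, and it walks role-to-role grants to show each user who ends up with EXEMPT REDACTION POLICY and the chain of roles that delivers it.

```sql
-- Added example: list every database user who holds EXEMPT REDACTION POLICY,
-- directly or through nested roles, with the grant chain that gets them there.
WITH priv_path (grantee, grant_path) AS (
  -- Anchor: users or roles granted the system privilege directly
  SELECT sp.grantee,
         CAST(sp.grantee AS VARCHAR2(4000))
  FROM   dba_sys_privs sp
  WHERE  sp.privilege = 'EXEMPT REDACTION POLICY'
  UNION ALL
  -- Recursive step: anyone granted a role that already carries the privilege
  SELECT rp.grantee,
         rp.grantee || ' -> ' || pp.grant_path
  FROM   dba_role_privs rp,
         priv_path      pp
  WHERE  rp.granted_role = pp.grantee
)
-- Joining to DBA_USERS keeps only real accounts and drops intermediate roles
SELECT u.username,
       u.account_status,
       pp.grant_path
FROM   priv_path pp,
       dba_users u
WHERE  u.username = pp.grantee
ORDER  BY u.username, pp.grant_path;
```

A row whose grant_path passes through DATAPUMP_EXP_FULL_DATABASE corresponds to the finding above: Data Redaction policies do not apply to that account.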


User assessment focuses on database accounts and drills into the level of risk those accounts present to the system – in other words, if a user’s account is compromised, how much damage could the compromise do? From this screen, you can see who the users are – drill into a user to see who created them, their account status, when they last logged on, and what roles and privileges they are assigned. You can also see when they last changed their password, and by clicking View Activity you can drill down into what this user has done in the database. We’re particularly excited about this Data Safe capability because it’s really the first time we’ve presented this type of view in any of our products. You’re probably already aware that the number one cause of database breaches is compromised accounts – so doesn’t it make sense that we need to start approaching risk from the standpoint of those accounts? You can expect to see this area within Data Safe evolve rapidly over the coming year as we improve our ability to help you assess risk in your user accounts.


If you are operating a database in the Oracle Cloud, and aren’t already using Data Safe, you should make configuring the service and assessing your databases a priority.  Data Safe is included with your database service at no additional cost, and is one of your best tools to ensure your data is protected in the cloud.

For more information about how Data Safe can secure your users and data in the cloud, see our Data Safe White Paper or the new database security eBook (3rd Edition), which has a new Data Safe chapter. And if you didn’t catch them, read Part 1 or Part 2 of our 5-part blog series on Data Safe.
