Cloud Security Perspectives and Insights

Protecting your existing Oracle Databases with Oracle Data Safe

Paul Toal
Distinguished Solution Engineer - Cyber Security

How quickly can you run a security assessment against your Oracle Databases, baseline that assessment, then monitor for changes? What about a user assessment to identify risky database users, or being able to quickly identify where your sensitive data is in your database and how much of that data there is? Can you do that wherever your database sits, i.e. on-premises, in Oracle Cloud, or in another Cloud?

Well, the good news is that now you can use Oracle Data Safe to do it quickly and easily for all of your Oracle Databases, irrespective of where they are deployed and irrespective of whether those databases are running Standard or Enterprise Edition.

Oracle Data Safe started life as a complementary service to Oracle Autonomous Database within Oracle Cloud. It was designed to help customers meet their shared security responsibilities in an easy to use, cost effective way. Quickly the value of Data Safe was realised as customers immediately started asking for it to support other Oracle Databases besides Autonomous Database, and therefore we have been expanding its scope to support all Oracle Cloud Databases (e.g. Exadata Cloud Service, ExaData Cloud at Customer, and Database Cloud Service). But what about your non-Cloud databases? For customers using Oracle Cloud who already have dedicated VPN or FastConnect connections into Oracle Cloud Infrastructure (OCI), it has been possible to include your on-premises databases for several months now.

However, at the start of this month we released the on-premises connector for Data Safe, so that, even if you don’t have a VPN or FastConnect connection, you can still use Data Safe to monitor your on-premises databases. What’s more is that the connector is extremely simple and straightforward to deploy. Let me show you just how quick and simple it is. Full step-by-step details are contained in the documentation.

I am assuming you have already enabled Data Safe within your OCI tenancy and set up the correct OCI IAM policies to enable the Data Safe service to run and for your users to access it. If not, follow the instructions here.

The first step for linking your on-premises Oracle Database to Data Safe is to register the on-premises connector from the OCI console, by accessing the Data Safe service from the OCI menu and choosing On-Premises Connectors.

You can now create a new connector.


Once registered, you can download the installation bundle, once you have provided a password for it.


Copy the bundle onto your database server and extract the contents.

Checking that you meet the requirements for the bundle installer (such as having python3 and Java installed), you can then execute the installer.

The connector will communicate with Data Safe over an outbound TLS-secured connection. You may need a proxy to connect to the internet. In this case, we don’t but you could configure one if necessary.

The connector is now installed and running so you can proceed to the next step of creating a database service account that Data Safe can use to talk to your database. For this example, I have created a user called DATASAFE_ADMIN. I use a SQL script included with the on-premises connector bundle to grant the necessary permissions to this service account. There are 5 main features within Data Safe, each of which is granted to the service account through a role:

  • Security Assessment
  • User Assessment
  • Sensitive Data Discovery
  • Data Masking
  • Auditing

You can grant them individually to the service account or as a group. In my case, I am granting all 5 to my account (you can see the ‘grant all’ statement below). In production environments we recommend not granting the Data Masking role as masking should only be performed in non-production environments.

The final step is to register your on-premises database with Data Safe. You can do that within the Data Safe console, providing the details of your database and service account. Once you have filled in the details, you can test your connection, then complete the registration.


That’s it! Your target database is now visible within Data Safe and you can run all of the capabilities of Data Safe against that database, just like you can for any other registered database.

I told you it was quick and easy to install. If you want to understand the on-premises connector in more detail, I highly recommend this AskTom session, or you can request a demo here.

Join the discussion

Comments ( 1 )
  • Ahmed Baraka Sunday, January 3, 2021
    Thanks for the great article.
    I am so pleased for this new easy connectivity between OCI Data Safe and on-prem databases.
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.