Content of Figures
As more and more companies are embracing digital transformation, the challenges of securely storing, processing and exchanging digital data continue to multiply. With the average cost of a data breach exceeding $3.9M, just direct financial losses can be catastrophic for many companies, not even considering indirect reputational damages. High-profile “mega-breaches” that expose millions of sensitive data records can easily drive these costs up to hundreds of millions of dollars, but even the victims of smaller ones are now facing increasingly harsh compliance fines – consider the recent decision to fine British Airways £183 million for exposing their customers’ data last year.
It is therefore completely unsurprising that both corporate executives and government policy-makers now consider data protection their top priority. According to Oracle’s Security in the Age of AI report, 45% of policy-makers cite data security as their biggest concern, and over 60% of surveyed professionals consider security the top benefit of cloud technology.
Just keeping track of all the digital information is a big problem, but understanding which data is more sensitive according to various policies and regulations and then selecting and enforcing the necessary data protection and governance capabilities is already too much even for the largest businesses. Indeed, many would love to outsource parts of this responsibility to a qualified third party like a cloud service provider.
However, as anyone familiar with the shared responsibility model adopted by most Cloud Service Providers (CSP) would quickly realize, even though customers no longer need to worry about the underlying infrastructure security, they still retain full responsibility for any security or compliance violation involving their data and users. From sensitive data discovery and classification to access governance and activity monitoring to user risk assessment and management – all these functions are crucial for comprehensive and continuous data protection, yet none of these are provided out of the box by a cloud service provider.
The way Oracle attempts to solve these challenges for their customers is a direct consequence of their radically different, but still unique position in the database and cloud markets. As a latecomer to the Infrastructure-as-a-Service market, the company had a chance to learn from the requirements of their enterprise customers and implement many data security and compliance controls directly in Oracle cloud services.
The company takes a lot of pride in their 2nd generation cloud infrastructure, which was designed from scratch according to the Security-by-Design principle with a higher degree of isolation than any other major CSP, providing better network security, threat containment, and access governance. To benefit from the strict network-level separation of cloud servers from the control plane, customers do not need to do anything – they can expect that their data in use isn’t just physically isolated from other tenants, but from Oracle’s own administrators as well.
The Oracle Autonomous Database introduced an automated self-tuning and self-patching cloud-based database platform that fully eliminates administrative user access, strictly enforcing separation of duties and adhering to the latest DB security best practices.
Autonomous Database customers also inherently benefit from critical data security and governance controls like data encryption enabled by default; secure backup; no cloud administrative access to data; automated upgrade, backup and performance tuning; and other database security measures that are integrated into the Oracle Database.
These developments alone have largely taken the burden of securing the underlying infrastructure and database platform itself off the customer’s shoulders. Yet, even the Autonomous Database cannot completely ensure security and appropriate usage of corporate data. Security depends in part on appropriate usage, and the underlying database and the infrastructure lack the business context associated with customer’s data, user identities, corporate policies and other key factors that influence risk assessment and prioritization. There is still a need to identify and classify the types of data loaded into a database, review privileges of the users granted access to the data and validate that access to sensitive data is in accordance with corporate policy.
And this is where the recently released Oracle Data Safe comes into play. With this integrated cloud-based service for automating data governance and risk management activities, the company has further expanded its security portfolio to ensure that customer’s sensitive data remains secure.
And while activities like data discovery and classification or user monitoring and risk assessment still fall under the customer’s responsibly, with Data Safe they now have a convenient tool that provides guidance, support and automation for protecting sensitive data from security threats and compliance violations – at no additional cost for their databases in the Oracle Cloud.
2 Product Description
Oracle Data Safe is a cloud-based service that centralizes, guides and automates major capabilities required for fulfilling the customer’s part of the shared responsibility for sensitive data in the cloud. In its initial form, the service is specifically targeted towards existing Oracle customers that collect, store and process their data in cloud-hosted Oracle databases.
Data Safe provides a unified control center that allows customers to manage, monitor and tune existing security capabilities of the Oracle Database, as well as correlate automatically collected activity data with business risk context to ensure more reliable identification of risky assets or activities and to help mitigate them sooner.
The initial release of the service focuses on supporting Oracle Databases (both Autonomous and unmanaged) in the Oracle Cloud. Existing cloud customers can benefit from the new service’s tight integration into the cloud administration console – it’s literally one click away from the cloud database management UI and can be quickly activated for each database instance.
The service is architected to be extensible, with additional security functions to be added in the future, yet tightly integrated to support consistent experience, unified alerting and reporting and a single audit trail. The service offers a centralized view of security across all customer’s databases on Oracle cloud.
Initially, the following capabilities are available:
Database Security Assessment
While Oracle databases are installed secure-by-default, it’s easy for the configuration to drift from the baseline, exposing the database to various attacks whether from insiders or outsiders. For on-premises customers, Oracle has provided the Database Security Assessment Tool (DBSAT) for quite some time that users can download and run manually on each database to produce static assessment reports for an experienced DBA to analyze and act upon. While based upon DBSAT, the new cloud service scans various security parameters of all database instances and reports them in an easy to use fashion.
The assessment reports help customers to identify not just potential security configuration issues, but also identify users that have excessive privileges, thus addressing the most common violations of security best practices. The service’s findings are delivered as actionable reports, with individual recommendations ranked by risk and relevance for specific compliance frameworks like GDPR. Of course, in case of an Autonomous Database instance, most of these adjustments are performed automatically, but even in this case, some decisions can only be made by customers.
Data Discovery and Classification
For each registered database, Data Safe automatically scans it for various types of sensitive information, ranging from personally identifiable information (PII) to finance, health, employment or even IT-related data – over 125 types in total. Additionally, users can define their own custom types using regular expressions. A number of templates that contain preconfigured sets of sensitive types for various geographies and industries are provided out of the box – again, users can create their own to avoid cluttering their scans with irrelevant detections.
Data Safe also creates reports identifying the location of sensitive data within the database schema, and how many such values are present in the database, helping customers come up with an appropriate risk mitigation strategy.
Although the classification engine is somewhat basic, lacking the sophistication of specialized AI/ML-based solutions from some vendors, the results are comprehensive and the performance impact on the database is minimal thanks to incremental discovery support. Still, we hope to see more concise, executive-focused discovery reports with clear KPIs in the upcoming releases.
Sensitive Data Masking
If sensitive data is discovered in a database, it can be automatically desensitized with various data masking transformations according to policies defined by customers. Data Safe provides out-of-the-box support for over 50 predefined masking formats for various data types: national IDs, credit card numbers, SSNs or just any date, number or string. Oracle’s data masking is a mature and comprehensive technology that supports complex masking transformations for various scenarios: from development and testing to business analytics or industry-specific regulations.
Data Safe provides an easy interface for defining and applying masking policies to various sensitive data types across multiple columns, tables or databases. In addition, the reporting service provides visibility into how much data has been desensitized.
User Risk Assessment
Another key area where customers retain their responsibility is identifying potential risks of privileged users having too broad access rights to sensitive data. The principle of least privilege is a common approach towards data protection, but only customers themselves can usually make an informed decision whether a particular privilege is needed for a legitimate business purpose.
Data Safe evaluates all database users and identifies potential abuse of privileges, taking both static (user type, role, password policy, etc.) and dynamic (history of past activities) factors into account. The results of the assessment, including the list of the riskiest users along with all of their available privileges, are presented to the customer. The initial release does not provide any automated mitigations against these users, focusing more on reporting capabilities.
User Activity Auditing
Last but not least, Data Safe provides an interface for managing audit, compliance and alert policies for each registered database instance. Although the audit data is generated in the database, the service offers convenient means for enabling various types of activity auditing, applying pre-defined audit and alert policies, and collecting the audit data in its centralized repository.
Extensive reporting capabilities of the service allow users to access the collected audit data for all database targets interactively or through customizable reports in various formats, for security specialists or compliance auditors. These reports can be very useful for forensic analysis of activities across all databases, leading to a better understanding of who did what and when.
3 Strengths and Challenges
Although Oracle’s database and cloud security capabilities built into their services are comprehensive and mature, ensuring that customers are able to secure their users and data still remained a challenge, especially with the growing skills gap in IT security.
With Data Safe, Oracle cloud databases now include a straightforward, easy to use and free service that helps customers protect their sensitive data from security threats and compliance violations. Even in the initial release that focuses on supporting cloud-hosted Oracle databases, the tool can be recommended for every existing Oracle Cloud customer. We hope to see that they add support for on-premises databases as many customers cannot move to the cloud for various reasons – with that, Data Safe will become an essential security tool for every Oracle DBA.
It's worth mentioning that the entirety of the company’s database security portfolio has been recently evaluated in KuppingerCole’s Leadership Compass on Database and Big Data Security, recognizing Oracle as the Overall Leader in this market.
Arguably, the only major limitation of Oracle Data Safe is that it’s designed to support Oracle Databases only, which probably won’t change in foreseeable future because of the tool’s reliance on core Oracle DB technologies. Among more feasible improvements we’d like to see in future releases are more actionable mitigation functions (“click here to fix the risk”) and more focus on executive-style compliance reporting with clear business KPIs.
4 Related Research
Leadership Compass: Database and Big Data Security – 79015
Executive View: Oracle Autonomous Database – 70964
Executive View: Oracle Database Security Assessment – 70965
Executive View: Oracle Database Vault – 70899
Executive View: Oracle Audit Vault and Database Firewall – 70890
Advisory Note: Database Governance – 70102