# Security Model ## Required Controls - Database deployed through a private endpoint. - Dedicated NSG for the database. - mTLS required. - Passwords, API keys, wallets, and `.tfvars` files kept out of Git. - Demo users without administrative privileges. - Reset SQL script for each scenario. ## Recommended Controls - OCI Vault with customer-managed keys. - Data Safe for assessment, discovery, masking, and activity auditing when supported. - OCI Logging and event retention. - SIEM integration for advanced labs. - Database Vault to demonstrate DBA blocking for sensitive schemas. ## Optional Controls - Compute bastion with restricted public access. - Oracle Key Vault for hybrid or multicloud scenarios. - AVDF for centralized auditing and Database Firewall in on-premises or Exadata environments. ## Important Notes Oracle Deep Data Security enforces authorization at runtime. It does not replace TDE, non-production data masking, Database Vault, Data Safe, AVDF, or key governance. In a customer architecture, these controls should be combined according to risk.