# Oracle Deep Data Security Lab Internal enablement kit for demonstrating Oracle Deep Data Security in realistic enterprise data security scenarios: AI agents, prompt injection, shared application accounts, ad hoc BI, PII access, view bypass, legacy app modernization, RAG/vector retrieval, and audit evidence. The goal is to let any team member deploy a secure OCI foundation, install lab scenarios, run positive and negative tests, and collect evidence in a repeatable way. ## Quick View ```text terraform/ Secure-by-default OCI infrastructure scenarios/ Independent SQL labs and runbooks scripts/ Bootstrap, validation, execution, and reset automation docs/ Architecture, demo, and operations guides apps/ Placeholder for Spring Boot app, AI agent, and BI simulator ``` ## Included Scenarios | ID | Scenario | Objective | | --- | --- | --- | | 01 | AI Prompt Injection | Show that the database limits data even when an AI agent generates broad or malicious SQL. | | 02 | Shared App Account | Show end-user data enforcement even when a technical application account is used. | | 03 | PII Row/Column/Cell | Show row, column, and cell-level controls for personal data and salary. | | 04 | View Bypass / MAC | Show Mandatory Access Control with `USE DATA GRANTS ONLY`. | | 05 | Legacy App AI Extension | Show AI modernization without rewriting all legacy application authorization logic. | | 06 | RAG Vector Classified Docs | Show RAG/vector search returning only authorized chunks by classification. | | 07 | Audit Evidence With Data Safe | Show access evidence with Unified Audit and OCI Data Safe validation guidance. | Each scenario includes a `RUNBOOK.md` with a before/after demo flow, expected evidence, and official references. ## Scenario Execution Guides Use these links to open the step-by-step demo guide for each scenario. Each runbook explains the vulnerable baseline, the commands to apply Oracle Deep Data Security, the expected protected result, and the official references. | ID | Scenario | Step-by-step guide | | --- | --- | --- | | 01 | AI Prompt Injection | [RUNBOOK.md](scenarios/01-ai-prompt-injection/RUNBOOK.md) | | 02 | Shared App Account | [RUNBOOK.md](scenarios/02-shared-app-account/RUNBOOK.md) | | 03 | PII Row/Column/Cell | [RUNBOOK.md](scenarios/03-pii-row-column-cell/RUNBOOK.md) | | 04 | View Bypass / MAC | [RUNBOOK.md](scenarios/04-view-bypass-mac/RUNBOOK.md) | | 05 | Legacy App AI Extension | [RUNBOOK.md](scenarios/05-legacy-app-ai-extension/RUNBOOK.md) | | 06 | RAG Vector Classified Docs | [RUNBOOK.md](scenarios/06-rag-vector-classified-docs/RUNBOOK.md) | | 07 | Audit Evidence With Data Safe | [RUNBOOK.md](scenarios/07-audit-evidence-data-safe/RUNBOOK.md) | ## Prerequisites - OCI tenancy with permission to create networking, Autonomous Database, optional Vault, and optional Compute resources. - Terraform 1.6 or later. - OCI CLI configured, or OCI provider authentication variables. - SQLcl, SQL*Plus, or another compatible Oracle client. - Access to an Oracle AI Database version compatible with Oracle Deep Data Security. ## 7-Step Execution 1. Clone the repository. 2. Copy the example Terraform variables file. Linux/macOS: ```bash cp terraform/envs/demo/terraform.tfvars.example terraform/envs/demo/terraform.tfvars ``` Windows PowerShell: ```powershell Copy-Item terraform\envs\demo\terraform.tfvars.example terraform\envs\demo\terraform.tfvars ``` 3. Edit `terraform/envs/demo/terraform.tfvars` with your OCIDs, region, and database parameters. Linux/macOS: ```bash vi terraform/envs/demo/terraform.tfvars ``` Windows PowerShell: ```powershell notepad terraform\envs\demo\terraform.tfvars ``` 4. Validate the infrastructure. Linux/macOS: ```bash chmod +x scripts/*.sh ./scripts/validate-terraform.sh ``` Windows PowerShell: ```powershell powershell -ExecutionPolicy Bypass -File .\scripts\validate-terraform.ps1 ``` 5. Deploy the infrastructure. Linux/macOS: ```bash cd terraform/envs/demo terraform init terraform plan -out tfplan terraform apply tfplan cd ../../.. ``` Windows PowerShell: ```powershell Set-Location terraform\envs\demo terraform init terraform plan -out tfplan terraform apply tfplan Set-Location ..\..\.. ``` 6. Install a scenario. Linux/macOS: ```bash ./scripts/run-scenario.sh 01-ai-prompt-injection "" ``` Windows PowerShell: ```powershell powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 01-ai-prompt-injection -ConnectString "" ``` 7. Run tests and reset when needed. Linux/macOS: ```bash ./scripts/run-scenario.sh 05-legacy-app-ai-extension "" ./scripts/reset-scenario.sh 05-legacy-app-ai-extension "" ``` Windows PowerShell: ```powershell powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 05-legacy-app-ai-extension -ConnectString "" powershell -ExecutionPolicy Bypass -File .\scripts\reset-scenario.ps1 -Scenario 05-legacy-app-ai-extension -ConnectString "" ``` ## Secure Defaults - Database deployed in a private subnet. - No public IP on the database. - Dedicated NSGs for application and database access. - mTLS required for Autonomous Database connectivity. - Secrets kept out of Git. - Optional Vault/KMS customer-managed keys. - Compute bastion disabled by default. - Demo evidence and logs ignored by Git. ## Contributing Read [CONTRIBUTING.md](CONTRIBUTING.md). Every new scenario must include `README.md`, `RUNBOOK.md`, `metadata.yaml`, numbered SQL files, positive/negative tests, and a reset script. ## CI/CD This repository includes GitHub Actions for: - `terraform fmt` - `terraform init -backend=false` - `terraform validate` - minimum scenario structure checks - blocking sensitive files such as `.tfvars`, `.pem`, and `.key`