30 lines
1.1 KiB
Markdown
30 lines
1.1 KiB
Markdown
# Security Model
|
|
|
|
## Required Controls
|
|
|
|
- Database deployed through a private endpoint.
|
|
- Dedicated NSG for the database.
|
|
- mTLS required.
|
|
- Passwords, API keys, wallets, and `.tfvars` files kept out of Git.
|
|
- Demo users without administrative privileges.
|
|
- Reset SQL script for each scenario.
|
|
|
|
## Recommended Controls
|
|
|
|
- OCI Vault with customer-managed keys.
|
|
- Data Safe for assessment, discovery, masking, and activity auditing when supported.
|
|
- OCI Logging and event retention.
|
|
- SIEM integration for advanced labs.
|
|
- Database Vault to demonstrate DBA blocking for sensitive schemas.
|
|
|
|
## Optional Controls
|
|
|
|
- Compute bastion with restricted public access.
|
|
- Oracle Key Vault for hybrid or multicloud scenarios.
|
|
- AVDF for centralized auditing and Database Firewall in on-premises or Exadata environments.
|
|
|
|
## Important Notes
|
|
|
|
Oracle Deep Data Security enforces authorization at runtime. It does not replace TDE, non-production data masking, Database Vault, Data Safe, AVDF, or key governance. In a customer architecture, these controls should be combined according to risk.
|
|
|