Files
oracle-deep-data-security-lab/README.md
Rodrigo Pace 52bf971b8b
Some checks failed
Repo Quality / structure (push) Has been cancelled
Terraform Validate / validate (push) Has been cancelled
Translate lab documentation to English
2026-05-08 14:50:52 -03:00

5.9 KiB

Oracle Deep Data Security Lab

Internal enablement kit for demonstrating Oracle Deep Data Security in realistic enterprise data security scenarios: AI agents, prompt injection, shared application accounts, ad hoc BI, PII access, view bypass, legacy app modernization, RAG/vector retrieval, and audit evidence.

The goal is to let any team member deploy a secure OCI foundation, install lab scenarios, run positive and negative tests, and collect evidence in a repeatable way.

Quick View

terraform/   Secure-by-default OCI infrastructure
scenarios/   Independent SQL labs and runbooks
scripts/     Bootstrap, validation, execution, and reset automation
docs/        Architecture, demo, and operations guides
apps/        Placeholder for Spring Boot app, AI agent, and BI simulator

Included Scenarios

ID Scenario Objective
01 AI Prompt Injection Show that the database limits data even when an AI agent generates broad or malicious SQL.
02 Shared App Account Show end-user data enforcement even when a technical application account is used.
03 PII Row/Column/Cell Show row, column, and cell-level controls for personal data and salary.
04 View Bypass / MAC Show Mandatory Access Control with USE DATA GRANTS ONLY.
05 Legacy App AI Extension Show AI modernization without rewriting all legacy application authorization logic.
06 RAG Vector Classified Docs Show RAG/vector search returning only authorized chunks by classification.
07 Audit Evidence With Data Safe Show access evidence with Unified Audit and OCI Data Safe validation guidance.

Each scenario includes a RUNBOOK.md with a before/after demo flow, expected evidence, and official references.

Scenario Execution Guides

Use these links to open the step-by-step demo guide for each scenario. Each runbook explains the vulnerable baseline, the commands to apply Oracle Deep Data Security, the expected protected result, and the official references.

ID Scenario Step-by-step guide
01 AI Prompt Injection RUNBOOK.md
02 Shared App Account RUNBOOK.md
03 PII Row/Column/Cell RUNBOOK.md
04 View Bypass / MAC RUNBOOK.md
05 Legacy App AI Extension RUNBOOK.md
06 RAG Vector Classified Docs RUNBOOK.md
07 Audit Evidence With Data Safe RUNBOOK.md

Prerequisites

  • OCI tenancy with permission to create networking, Autonomous Database, optional Vault, and optional Compute resources.
  • Terraform 1.6 or later.
  • OCI CLI configured, or OCI provider authentication variables.
  • SQLcl, SQL*Plus, or another compatible Oracle client.
  • Access to an Oracle AI Database version compatible with Oracle Deep Data Security.

7-Step Execution

  1. Clone the repository.

  2. Copy the example Terraform variables file.

    Linux/macOS:

    cp terraform/envs/demo/terraform.tfvars.example terraform/envs/demo/terraform.tfvars
    

    Windows PowerShell:

    Copy-Item terraform\envs\demo\terraform.tfvars.example terraform\envs\demo\terraform.tfvars
    
  3. Edit terraform/envs/demo/terraform.tfvars with your OCIDs, region, and database parameters.

    Linux/macOS:

    vi terraform/envs/demo/terraform.tfvars
    

    Windows PowerShell:

    notepad terraform\envs\demo\terraform.tfvars
    
  4. Validate the infrastructure.

    Linux/macOS:

    chmod +x scripts/*.sh
    ./scripts/validate-terraform.sh
    

    Windows PowerShell:

    powershell -ExecutionPolicy Bypass -File .\scripts\validate-terraform.ps1
    
  5. Deploy the infrastructure.

    Linux/macOS:

    cd terraform/envs/demo
    terraform init
    terraform plan -out tfplan
    terraform apply tfplan
    cd ../../..
    

    Windows PowerShell:

    Set-Location terraform\envs\demo
    terraform init
    terraform plan -out tfplan
    terraform apply tfplan
    Set-Location ..\..\..
    
  6. Install a scenario.

    Linux/macOS:

    ./scripts/run-scenario.sh 01-ai-prompt-injection "<connect_string>"
    

    Windows PowerShell:

    powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 01-ai-prompt-injection -ConnectString "<connect_string>"
    
  7. Run tests and reset when needed.

    Linux/macOS:

    ./scripts/run-scenario.sh 05-legacy-app-ai-extension "<connect_string>"
    ./scripts/reset-scenario.sh 05-legacy-app-ai-extension "<connect_string>"
    

    Windows PowerShell:

    powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 05-legacy-app-ai-extension -ConnectString "<connect_string>"
    powershell -ExecutionPolicy Bypass -File .\scripts\reset-scenario.ps1 -Scenario 05-legacy-app-ai-extension -ConnectString "<connect_string>"
    

Secure Defaults

  • Database deployed in a private subnet.
  • No public IP on the database.
  • Dedicated NSGs for application and database access.
  • mTLS required for Autonomous Database connectivity.
  • Secrets kept out of Git.
  • Optional Vault/KMS customer-managed keys.
  • Compute bastion disabled by default.
  • Demo evidence and logs ignored by Git.

Contributing

Read CONTRIBUTING.md. Every new scenario must include README.md, RUNBOOK.md, metadata.yaml, numbered SQL files, positive/negative tests, and a reset script.

CI/CD

This repository includes GitHub Actions for:

  • terraform fmt
  • terraform init -backend=false
  • terraform validate
  • minimum scenario structure checks
  • blocking sensitive files such as .tfvars, .pem, and .key