1.1 KiB
1.1 KiB
Security Model
Required Controls
- Database deployed through a private endpoint.
- Dedicated NSG for the database.
- mTLS required.
- Passwords, API keys, wallets, and
.tfvarsfiles kept out of Git. - Demo users without administrative privileges.
- Reset SQL script for each scenario.
Recommended Controls
- OCI Vault with customer-managed keys.
- Data Safe for assessment, discovery, masking, and activity auditing when supported.
- OCI Logging and event retention.
- SIEM integration for advanced labs.
- Database Vault to demonstrate DBA blocking for sensitive schemas.
Optional Controls
- Compute bastion with restricted public access.
- Oracle Key Vault for hybrid or multicloud scenarios.
- AVDF for centralized auditing and Database Firewall in on-premises or Exadata environments.
Important Notes
Oracle Deep Data Security enforces authorization at runtime. It does not replace TDE, non-production data masking, Database Vault, Data Safe, AVDF, or key governance. In a customer architecture, these controls should be combined according to risk.