5.9 KiB
Executable File
Oracle Deep Data Security Lab
Internal enablement kit for demonstrating Oracle Deep Data Security in realistic enterprise data security scenarios: AI agents, prompt injection, shared application accounts, ad hoc BI, PII access, view bypass, legacy app modernization, RAG/vector retrieval, and audit evidence.
The goal is to let any team member deploy a secure OCI foundation, install lab scenarios, run positive and negative tests, and collect evidence in a repeatable way.
Quick View
terraform/ Secure-by-default OCI infrastructure
scenarios/ Independent SQL labs and runbooks
scripts/ Bootstrap, validation, execution, and reset automation
docs/ Architecture, demo, and operations guides
apps/ Placeholder for Spring Boot app, AI agent, and BI simulator
Included Scenarios
| ID | Scenario | Objective |
|---|---|---|
| 01 | AI Prompt Injection | Show that the database limits data even when an AI agent generates broad or malicious SQL. |
| 02 | Shared App Account | Show end-user data enforcement even when a technical application account is used. |
| 03 | PII Row/Column/Cell | Show row, column, and cell-level controls for personal data and salary. |
| 04 | View Bypass / MAC | Show Mandatory Access Control with USE DATA GRANTS ONLY. |
| 05 | Legacy App AI Extension | Show AI modernization without rewriting all legacy application authorization logic. |
| 06 | RAG Vector Classified Docs | Show RAG/vector search returning only authorized chunks by classification. |
| 07 | Audit Evidence With Data Safe | Show access evidence with Unified Audit and OCI Data Safe validation guidance. |
Each scenario includes a RUNBOOK.md with a before/after demo flow, expected evidence, and official references.
Scenario Execution Guides
Use these links to open the step-by-step demo guide for each scenario. Each runbook explains the vulnerable baseline, the commands to apply Oracle Deep Data Security, the expected protected result, and the official references.
| ID | Scenario | Step-by-step guide |
|---|---|---|
| 01 | AI Prompt Injection | RUNBOOK.md |
| 02 | Shared App Account | RUNBOOK.md |
| 03 | PII Row/Column/Cell | RUNBOOK.md |
| 04 | View Bypass / MAC | RUNBOOK.md |
| 05 | Legacy App AI Extension | RUNBOOK.md |
| 06 | RAG Vector Classified Docs | RUNBOOK.md |
| 07 | Audit Evidence With Data Safe | RUNBOOK.md |
Prerequisites
- OCI tenancy with permission to create networking, Autonomous Database, optional Vault, and optional Compute resources.
- Terraform 1.6 or later.
- OCI CLI configured, or OCI provider authentication variables.
- SQLcl, SQL*Plus, or another compatible Oracle client.
- Access to an Oracle AI Database version compatible with Oracle Deep Data Security.
7-Step Execution
-
Clone the repository.
-
Copy the example Terraform variables file.
Linux/macOS:
cp terraform/envs/demo/terraform.tfvars.example terraform/envs/demo/terraform.tfvarsWindows PowerShell:
Copy-Item terraform\envs\demo\terraform.tfvars.example terraform\envs\demo\terraform.tfvars -
Edit
terraform/envs/demo/terraform.tfvarswith your OCIDs, region, and database parameters.Linux/macOS:
vi terraform/envs/demo/terraform.tfvarsWindows PowerShell:
notepad terraform\envs\demo\terraform.tfvars -
Validate the infrastructure.
Linux/macOS:
chmod +x scripts/*.sh ./scripts/validate-terraform.shWindows PowerShell:
powershell -ExecutionPolicy Bypass -File .\scripts\validate-terraform.ps1 -
Deploy the infrastructure.
Linux/macOS:
cd terraform/envs/demo terraform init terraform plan -out tfplan terraform apply tfplan cd ../../..Windows PowerShell:
Set-Location terraform\envs\demo terraform init terraform plan -out tfplan terraform apply tfplan Set-Location ..\..\.. -
Install a scenario.
Linux/macOS:
./scripts/run-scenario.sh 01-ai-prompt-injection "<connect_string>"Windows PowerShell:
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 01-ai-prompt-injection -ConnectString "<connect_string>" -
Run tests and reset when needed.
Linux/macOS:
./scripts/run-scenario.sh 05-legacy-app-ai-extension "<connect_string>" ./scripts/reset-scenario.sh 05-legacy-app-ai-extension "<connect_string>"Windows PowerShell:
powershell -ExecutionPolicy Bypass -File .\scripts\run-scenario.ps1 -Scenario 05-legacy-app-ai-extension -ConnectString "<connect_string>" powershell -ExecutionPolicy Bypass -File .\scripts\reset-scenario.ps1 -Scenario 05-legacy-app-ai-extension -ConnectString "<connect_string>"
Secure Defaults
- Database deployed in a private subnet.
- No public IP on the database.
- Dedicated NSGs for application and database access.
- mTLS required for Autonomous Database connectivity.
- Secrets kept out of Git.
- Optional Vault/KMS customer-managed keys.
- Compute bastion disabled by default.
- Demo evidence and logs ignored by Git.
Contributing
Read CONTRIBUTING.md. Every new scenario must include README.md, RUNBOOK.md, metadata.yaml, numbered SQL files, positive/negative tests, and a reset script.
CI/CD
This repository includes GitHub Actions for:
terraform fmtterraform init -backend=falseterraform validate- minimum scenario structure checks
- blocking sensitive files such as
.tfvars,.pem, and.key