Add Oracle Database Security Architect skill. First commit.
This commit is contained in:
36
references/portfolio-guide.md
Normal file
36
references/portfolio-guide.md
Normal file
@@ -0,0 +1,36 @@
|
||||
# Oracle Database Security Portfolio Guide
|
||||
|
||||
Use this file to select a simple, defensible control set.
|
||||
|
||||
## Product Positioning
|
||||
|
||||
- Oracle Advanced Security: use Transparent Data Encryption (TDE) for encryption at rest and Data Redaction for selective masking of query results in production applications. TDE protects datafiles, backups, exports, and redo depending on configuration; it does not replace access control.
|
||||
- Oracle Data Masking and Subsetting: use for non-production data protection, test/dev minimization, and irreversible or format-preserving masking workflows. Pair with discovery and referential integrity planning.
|
||||
- Oracle Database Vault: use for privileged user controls, separation of duties, realms around sensitive schemas, command rules, factors, and operational controls that restrict DBA access to application data.
|
||||
- Oracle Label Security: use when row-level access depends on formal labels, compartments, groups, or multilevel security. Consider Virtual Private Database for simpler policy-based row filtering.
|
||||
- Oracle Audit Vault and Database Firewall (AVDF): use for centralized audit collection, reporting, alerting, Database Firewall monitoring/blocking, SQL traffic analysis, and heterogeneous database audit visibility.
|
||||
- Oracle Key Vault (OKV): use for centralized wallet, TDE master key, certificate, Java keystore, SSH key, and secret lifecycle management, especially across many databases or regulated environments.
|
||||
- Oracle Data Safe: use for OCI-oriented security assessment, user assessment, data discovery, data masking, activity auditing, and sensitive data monitoring for supported Oracle databases.
|
||||
|
||||
## Smart Simplicity Selection
|
||||
|
||||
Start with the smallest stack that covers the risk:
|
||||
|
||||
- Sensitive data at rest: TDE plus disciplined backup/export controls.
|
||||
- Non-production exposure: Data Masking and Subsetting before expanding production controls.
|
||||
- Privileged DBA risk: Database Vault realms and command rules around crown-jewel schemas.
|
||||
- Centralized audit and SQL monitoring: AVDF for on-premises, Exadata, and broad enterprise use; Data Safe for OCI-centric posture and supported targets.
|
||||
- Key lifecycle and scale: OKV when wallet sprawl, HSM integration, rotation, or centralized operations matter.
|
||||
- Fine-grained row-level classification: Label Security only when the access model truly needs labels and clearance semantics.
|
||||
|
||||
## Deployment Context
|
||||
|
||||
- On-premises: plan wallet location, OKV reachability, backup integration, audit trail sizing, network taps or proxies for Database Firewall, and separation of duties.
|
||||
- Exadata: account for high throughput, smart scan expectations, backup strategy, Data Guard, RAC, and operational ownership between database, platform, and security teams.
|
||||
- OCI: consider Autonomous Database built-in controls, OCI Vault, IAM, private endpoints, Data Safe, Cloud Guard, Logging, Events, and service limits. Avoid duplicating cloud-native controls without a clear risk reason.
|
||||
|
||||
## Common Control Layers
|
||||
|
||||
- Preventive: TDE, Database Vault, Label Security, least privilege, network segmentation, key custody, firewall/blocking mode where appropriate.
|
||||
- Detective: unified auditing, AVDF, Data Safe activity auditing, Database Firewall monitoring, SIEM integration, alerts and reports.
|
||||
- Corrective: key rotation, account lockdown, incident playbooks, masking refresh processes, policy tuning, audit retention, and evidence packages.
|
||||
Reference in New Issue
Block a user