Add Oracle Database Security Architect skill. First commit.
This commit is contained in:
50
references/solution-patterns.md
Normal file
50
references/solution-patterns.md
Normal file
@@ -0,0 +1,50 @@
|
||||
# Solution Patterns
|
||||
|
||||
Use these patterns as starting points. Adapt to database version, edition, topology, and operational model.
|
||||
|
||||
## Crown-Jewel Production Database
|
||||
|
||||
Recommended controls:
|
||||
|
||||
- TDE for tablespaces and backups.
|
||||
- OKV for centralized TDE key lifecycle if multiple databases or strict custody requirements exist.
|
||||
- Database Vault around sensitive application schemas.
|
||||
- Unified Audit with AVDF or Data Safe collection.
|
||||
- Data Masking and Subsetting for non-production clones.
|
||||
|
||||
Mermaid template:
|
||||
|
||||
```mermaid
|
||||
flowchart LR
|
||||
App["Applications"] --> DB["Oracle Database"]
|
||||
DBA["DBA Operations"] --> DV["Database Vault Controls"]
|
||||
DV --> DB
|
||||
DB --> Audit["Unified Audit Trail"]
|
||||
Audit --> AVDF["AVDF or Data Safe"]
|
||||
DB --> TDE["TDE Encrypted Storage"]
|
||||
OKV["Oracle Key Vault"] --> TDE
|
||||
Clone["Non-production Clone"] --> Mask["Data Masking and Subsetting"]
|
||||
Mask --> Dev["Dev/Test Users"]
|
||||
AVDF --> SIEM["SIEM / SOC"]
|
||||
```
|
||||
|
||||
## OCI-Centric Database Estate
|
||||
|
||||
Prefer Data Safe for assessment, discovery, masking, and activity auditing when supported. Consider OCI Vault for cloud key management requirements and OKV when enterprise key centralization spans on-premises and cloud databases. Integrate IAM, private networking, logging, Cloud Guard, and security zones where relevant.
|
||||
|
||||
## Exadata or High-Throughput RAC
|
||||
|
||||
Design for throughput and operational resilience:
|
||||
|
||||
- Validate TDE performance with workload replay or representative SQL.
|
||||
- Test Data Guard, backup, restore, and key availability scenarios.
|
||||
- Size audit collection and AVDF ingestion for peak SQL and audit volumes.
|
||||
- Avoid blocking firewall policies until false positives are tuned in monitoring mode.
|
||||
|
||||
## Privileged User Risk Reduction
|
||||
|
||||
Use Database Vault to protect application data from powerful users. Start with realms around sensitive schemas, then add command rules for high-risk operations. Keep emergency access documented and audited.
|
||||
|
||||
## Non-Production Data Exposure
|
||||
|
||||
Use Data Masking and Subsetting as the primary control. Discover sensitive columns, preserve referential integrity, validate application behavior after masking, and document irreversibility and refresh workflow.
|
||||
Reference in New Issue
Block a user