Files
skill-oracle-db-security/references/solution-patterns.md

51 lines
2.1 KiB
Markdown

# Solution Patterns
Use these patterns as starting points. Adapt to database version, edition, topology, and operational model.
## Crown-Jewel Production Database
Recommended controls:
- TDE for tablespaces and backups.
- OKV for centralized TDE key lifecycle if multiple databases or strict custody requirements exist.
- Database Vault around sensitive application schemas.
- Unified Audit with AVDF or Data Safe collection.
- Data Masking and Subsetting for non-production clones.
Mermaid template:
```mermaid
flowchart LR
App["Applications"] --> DB["Oracle Database"]
DBA["DBA Operations"] --> DV["Database Vault Controls"]
DV --> DB
DB --> Audit["Unified Audit Trail"]
Audit --> AVDF["AVDF or Data Safe"]
DB --> TDE["TDE Encrypted Storage"]
OKV["Oracle Key Vault"] --> TDE
Clone["Non-production Clone"] --> Mask["Data Masking and Subsetting"]
Mask --> Dev["Dev/Test Users"]
AVDF --> SIEM["SIEM / SOC"]
```
## OCI-Centric Database Estate
Prefer Data Safe for assessment, discovery, masking, and activity auditing when supported. Consider OCI Vault for cloud key management requirements and OKV when enterprise key centralization spans on-premises and cloud databases. Integrate IAM, private networking, logging, Cloud Guard, and security zones where relevant.
## Exadata or High-Throughput RAC
Design for throughput and operational resilience:
- Validate TDE performance with workload replay or representative SQL.
- Test Data Guard, backup, restore, and key availability scenarios.
- Size audit collection and AVDF ingestion for peak SQL and audit volumes.
- Avoid blocking firewall policies until false positives are tuned in monitoring mode.
## Privileged User Risk Reduction
Use Database Vault to protect application data from powerful users. Start with realms around sensitive schemas, then add command rules for high-risk operations. Keep emergency access documented and audited.
## Non-Production Data Exposure
Use Data Masking and Subsetting as the primary control. Discover sensitive columns, preserve referential integrity, validate application behavior after masking, and document irreversibility and refresh workflow.