51 lines
2.1 KiB
Markdown
51 lines
2.1 KiB
Markdown
# Solution Patterns
|
|
|
|
Use these patterns as starting points. Adapt to database version, edition, topology, and operational model.
|
|
|
|
## Crown-Jewel Production Database
|
|
|
|
Recommended controls:
|
|
|
|
- TDE for tablespaces and backups.
|
|
- OKV for centralized TDE key lifecycle if multiple databases or strict custody requirements exist.
|
|
- Database Vault around sensitive application schemas.
|
|
- Unified Audit with AVDF or Data Safe collection.
|
|
- Data Masking and Subsetting for non-production clones.
|
|
|
|
Mermaid template:
|
|
|
|
```mermaid
|
|
flowchart LR
|
|
App["Applications"] --> DB["Oracle Database"]
|
|
DBA["DBA Operations"] --> DV["Database Vault Controls"]
|
|
DV --> DB
|
|
DB --> Audit["Unified Audit Trail"]
|
|
Audit --> AVDF["AVDF or Data Safe"]
|
|
DB --> TDE["TDE Encrypted Storage"]
|
|
OKV["Oracle Key Vault"] --> TDE
|
|
Clone["Non-production Clone"] --> Mask["Data Masking and Subsetting"]
|
|
Mask --> Dev["Dev/Test Users"]
|
|
AVDF --> SIEM["SIEM / SOC"]
|
|
```
|
|
|
|
## OCI-Centric Database Estate
|
|
|
|
Prefer Data Safe for assessment, discovery, masking, and activity auditing when supported. Consider OCI Vault for cloud key management requirements and OKV when enterprise key centralization spans on-premises and cloud databases. Integrate IAM, private networking, logging, Cloud Guard, and security zones where relevant.
|
|
|
|
## Exadata or High-Throughput RAC
|
|
|
|
Design for throughput and operational resilience:
|
|
|
|
- Validate TDE performance with workload replay or representative SQL.
|
|
- Test Data Guard, backup, restore, and key availability scenarios.
|
|
- Size audit collection and AVDF ingestion for peak SQL and audit volumes.
|
|
- Avoid blocking firewall policies until false positives are tuned in monitoring mode.
|
|
|
|
## Privileged User Risk Reduction
|
|
|
|
Use Database Vault to protect application data from powerful users. Start with realms around sensitive schemas, then add command rules for high-risk operations. Keep emergency access documented and audited.
|
|
|
|
## Non-Production Data Exposure
|
|
|
|
Use Data Masking and Subsetting as the primary control. Discover sensitive columns, preserve referential integrity, validate application behavior after masking, and document irreversibility and refresh workflow.
|