Is Oracle Autonomous Database the answer to the many database security issues? (I)

There is no surprise that typical Database setups are the main target of the hacking attacks worldwide. The reason is obvious: cracking a database will result in access to the data which is the main ‘merchandise’ to be shared or sold on the dark corners of the World Wide Web. The examples are numerous and any successful attack results in huge monetary and reputation losses:

Oracle Autonomous offering comes as a game changer in the database market form many points of view. Security is one of them. This is Oracle’s claim and it has a lot of very convincing points. At least the self-securing capabilities are the ones that are most attractive to the Clients and practitioners.

The main fours self securing areas of Autonomous Database are:

Patching: Self-securing starts with the security of the Oracle Cloud infrastructure and database service. Security patches are automatically applied every quarter or as needed, narrowing the window of vulnerability. Patching includes the full stack: firmware, operating system [OS], clusterware, and database. There are no steps required from the customer side.

Encryption: Oracle encrypt customer data everywhere: in motion, at rest, and in backups. The encryption keys are managed automatically, without requiring any customer intervention. And encryption cannot be turned off.

Auditing: Administrator activity on Oracle Autonomous Data Warehouse Cloud is logged centrally and monitored for any abnormal activities. Oracle have enabled database auditing using predefined policies so that customers can view logs for any abnormal access: UNIFIED_AUDIT_TRAIL

Built upon Oracle Database Vault, unique to Oracle Cloud, operations personnel have privilege to do all administrative tasks without any ability to ever see any customer data.

And how is security implemented in those areas? The main benefits are:

1. There is no DBA access, no root access, no Operating System access and no callouts to OS are allowed… Still you can create users, roles, etc. just as before – but certain the commands are blacklisted

2. There are no customer-managed keys: Oracle manages the keys

3. Oracle automatically applies all security updates/patches to ensure data is not vulnerable to known attack vectors

4. All data is encrypted using transparent data encryption

5. Still database security features such as Virtual Private Database and Data Redaction are available

6. Network connections from clients to the Autonomous Database are also encrypted using the client credentials wallet

7. Data is encrypted everywhere: SQL*Net traffic, data in tablespaces and data in backups

8. It is now possible to specify an access control list that blocks all IP addresses that are not in the list from accessing the database

9. Oracle has been engaging with external assessment entities and independent auditors to meet a broad set of international and industry-specific compliance standards for service deployments in Oracle Cloud such as ISO 27001, SOC1, SOC2, PCI DSS, HIPAA/HITECH, and FedRAMP

10. All operations are being audited

As any independent observer would agree, those product capabilities are unique to the Oracle’s Autonomous offering as no other product on the market offers the same currently! In a future post I will dive in and comment more in detail re the security implementation on Autonomous.