Data and Database Security
Tasks
1. Sign in to Oracle Cloud account
2. To navigate to the Vault page, click Identity & Security and then Vault.
3. Ensure you are in the correct Compartment corresponding to your OCI cloud account
provided to you.
4. Choose the OCI Region in which you have created the VCN and other resources in the
previous practice.
6. Provide a meaningful name for the vault (initials of your name) and click Create Vault at the
bottom. (Do not check the Make It a Virtual Private Vault option.)
7. It will take a few minutes to create the vault. Once it is ready, your vault will be displayed
with state as Active.
9. You will create two keys, one with HSM protection and the other with software protection.
11. Create another master encryption key with the following details:
13. Go to Menu > Storage > Block Storage, and from right side Block Storage options select
Boot Volumes.
14. The two instances you created for the webservers have their boot volumes, and they will be
listed.
15. You can assign a key to a boot volume only when it is not attached to an instance. Open the
menu for one of the boot volumes to see that Assign Master Encryption Key is disabled right
now because the boot volume is in use by the instance.
17. Go to the Instance page of one of the instances and stop the instance.
18. Wait for the instance to stop; it will take a few minutes.
19. Once the instance stops, scroll down and click Boot Volume under Resources section (on
the left side of the page).
20. Once the instance is stopped, use the menu for the boot volume and click Detach Boot
Volume.
22. Once the boot volume is detached, go to Menu > Storage > Block Storage, and from right
side Block Storage options select Boot Volumes.
23. Click the menu of the boot volume that is detached from the instance, and you will see the
Assign Master Encryption Key option is now enabled.
25. In the pop-up menu, choose your vault and choose the master encryption key you want to
assign. Click Assign.
26. Go back to the Webserver1 Instance page (or whichever instance you detached the boot
volume from) and attach the boot volume to the instance.
28. Go to Object Storage using Menu > Storage > Object Storage & …
29. Create a bucket with the Create Bucket button. Enter the following details:
Bucket Name – <Yourinitial>Bucket
Encryption – Choose your vault and a master encryption key
Accept default values for all other options.
Click Create.
31. From Menu, click on Identity & Security and Vault, select the vault that you have created.
32. You can rotate a key from the Resource option Master Encryption Key.
35. Once the state of the key changes from Updating to Enabled, click the key to go to the
details page.
Tasks
The steps given below are for creating an Autonomous Data Warehouse. All autonomous
database services are similar in the way they are provisioned; each type is optimized for a
particular purpose.
37. Ensure you are in the same region where you have created the VCN and in the
compartment assigned to you.
40. The autonomous database will be provisioned and available in a few minutes. Go to the
next step to provision another autonomous database (with a private endpoint).
41. First, you will create a network security group (NSG) specifically to be associated with the
private endpoint to be used for the autonomous database.
42. Log in to OCI with the credentials provided. Click Menu > Networking > Virtual Cloud
Networks to go to the VCN page.
44. In the pop-up menu, provide a meaningful name for the NSG and click Next.
45. You will not add any rules for now. Click Create to create the NSG; you will work further to
add rules to this.
Network security group – The NSG you created in the previous tasks (for ADB)
Choose a license type – Any option is OK for this practice.
49. The autonomous databases will be provisioned and available in a few minutes.
Tasks
1. You will create a network security group (NSG) in the VCN and then create a private
endpoint for Data Safe in the VCN and associate it to the NSG. Note: You have already
created NSGs for other practices earlier.
2. Log in to OCI with the credentials provided. Click Menu > Networking > Virtual Cloud
Networks to go to the VCN page.
3. Click your VCN and go to the Network Security Groups section under Resources. Click
Create Network Security Group.
4. In the pop-up menu, provide a meaningful name for the NSG and click Next.
5. You will not add any rules for now. Click Create to create the NSG; you will work further to
add rules to this. For now, the NSG is created without any rules.
7. You are taken to the Data Safe home page; on the left side, under Connectivity Options,
click Private Endpoints.
9. Give the following details in the pop-up menu for creating the private endpoint:
Name – DSPvtEndPt
Virtual Cloud Network – CloudNet (the VCN you created earlier)
Subnet – The private subnet
Network Security Group – PvtEndPt-NSG (the NSG you created in the previous section of
this practice)
11. Currently, there are no registered databases; you will add them and explore the features of
Data Safe in the rest of this practice.
12. First, you will register the two autonomous databases to Data Safe and then the VM
database system in the public subnet.
13. Navigate to the autonomous database (ADB) listing page and click the link to the
autonomous database that you created with secure access from everywhere.
17. Next, you will register the ADB with private endpoint.
19. Under the Network section, click the Show link for the Private Endpoint IP and note the
private endpoint IP address and the NSG name for the ADB.
21. You need to add the following rules in the two NSGs:
The NSG of the ADB private endpoint needs an ingress rule to receive traffic from the Data Safe
endpoint IP address.
The NSG of the Data Safe private endpoint needs an egress rule to send traffic to the ADB private
endpoint.
22. Keep the NSG names and the private IP addresses of both resources handy for reference.
24. Click the NSG you created for the ADB and click Add Rules.
25. In the Add Rules dialog box, specify the following and click Add:
Direction – Ingress
Source Type – NSG
Source NSG – NSG of the Data Safe endpoint
IP Protocol – TCP
Source Port Range – All
Destination Port Range – 1522
Direction – Ingress
Source Type – CIDR
Source CIDR – PvtIPofDataSafeEndpoint/32
IP Protocol – TCP
Source Port Range – All
Destination Port Range – 1522
26. Now go to the NSG that you have associated with the Data Safe endpoint and add an egress
rule as follows:
Direction – Egress
Destination Type – NSG
Destination NSG – NSG of the ADB private endpoint
IP Protocol – TCP
Instead of using an NSG, you can also use Destination Type CIDR and specify the CIDR as
<IPAddressofADBEndpoint>/32 as shown below:
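As an added example (not part of the lab), the two NSG rule sets above expressed in the JSON shape that OCI's AddNetworkSecurityGroupSecurityRules API body takes, with a check for the over-broad settings that would defeat the purpose of the private endpoints. The NSG OCIDs and IP addresses are constructed placeholders, and the egress rule is narrowed to TCP/1522 where the lab leaves the port unrestricted.

```python
# Added example (not the lab's code): least-privilege NSG rules for the Data Safe <-> ADB
# private endpoint pair, in the shape of AddNetworkSecurityGroupSecurityRulesDetails.
import ipaddress

TCP = "6"        # OCI takes the IANA protocol number as a string
ADB_PORT = 1522  # ADB listener port from the lab's ingress rule


def _tcp_rule(direction, peer_type, peer, port=ADB_PORT):
    """One rule limited to a single TCP destination port (source ports: all)."""
    key = "source" if direction == "INGRESS" else "destination"
    return {
        "direction": direction,
        "protocol": TCP,
        key + "Type": peer_type,  # NETWORK_SECURITY_GROUP or CIDR_BLOCK
        key: peer,
        "tcpOptions": {"destinationPortRange": {"min": port, "max": port}},
    }


def datasafe_adb_rules(datasafe_nsg, adb_nsg, datasafe_ip, adb_ip):
    """Map each NSG OCID to its rules: NSG-referenced and /32 CIDR variants."""
    ds_cidr = f"{ipaddress.ip_address(datasafe_ip)}/32"
    adb_cidr = f"{ipaddress.ip_address(adb_ip)}/32"
    return {
        adb_nsg: [  # ADB side: accept only the Data Safe endpoint on 1522
            _tcp_rule("INGRESS", "NETWORK_SECURITY_GROUP", datasafe_nsg),
            _tcp_rule("INGRESS", "CIDR_BLOCK", ds_cidr),
        ],
        datasafe_nsg: [  # Data Safe side: reach only the ADB endpoint on 1522
            _tcp_rule("EGRESS", "NETWORK_SECURITY_GROUP", adb_nsg),
            _tcp_rule("EGRESS", "CIDR_BLOCK", adb_cidr),
        ],
    }


def find_broad_rules(rules):
    """Flag any-protocol rules, CIDRs wider than one host, or TCP with no port."""
    findings = []
    for r in rules:
        key = "source" if r["direction"] == "INGRESS" else "destination"
        peer = r.get(key, "")
        if r.get("protocol") == "all":
            findings.append(f"{peer}: all protocols")
        if r.get(key + "Type") == "CIDR_BLOCK" and ipaddress.ip_network(peer, strict=False).num_addresses > 1:
            findings.append(f"{peer}: CIDR wider than a single host")
        if r.get("protocol") == TCP and "tcpOptions" not in r:
            findings.append(f"{peer}: TCP with no destination port restriction")
    return findings
```

Run `find_broad_rules` over a rule set before submitting it; a 0.0.0.0/0 source or a TCP rule without a port range is exactly what the private endpoint setup is meant to avoid.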
28. Click the link Register under the Data Safe section. In the pop-up window, click Confirm.
29. It will take a few minutes for the ADB to be registered with Data Safe.
30. Navigate to the Data Safe home page and click the link to Target Databases (under the
Data Safe section on the left side).
31. To see the various options of Data Safe, click the Security Assessment.
33. Now that you have these databases in Data Safe, you will explore Data Safe functionality.
36. Depending on when you registered the databases, various reports may be available.
37. Look into the Last Generated Report for one of the ADBs.
39. Scroll to the top of the page and click the Home tab.
41. You will explore how to enable Activity Auditing for an ADB.
43. In the next page to configure policies, click the check box for the ADB and click Retrieve.
46. In the Start Audit Collection page, choose a date (before the current time) in the Collect Audit
Data field by using the Calendar icon.
51. You may explore other options of Data Safe if you have time.