
Practices for Lesson: Data and Database Security


Practice: Create a Vault and Use Master Encryption Keys

Tasks
1. Sign in to your Oracle Cloud account.

2. To navigate to the Vault page, click Identity & Security and then Vault.

3. Ensure you are in the compartment corresponding to the OCI cloud account provided to you.

4. Choose the OCI Region in which you have created the VCN and other resources in the
previous practice.

Copyright © 2021, Oracle and/or its affiliates.



5. Click Create Vault.

6. Provide a meaningful name for the vault (the initials of your name) and click Create Vault at the
bottom. (Do not check Make It a Virtual Private Vault.)

7. It will take a few minutes to create the vault. Once it is ready, your vault will be displayed
with the state Active.



8. Click the link on the name of the vault to go into the details page.

9. You will create two keys, one with HSM protection and the other with software protection.



10. In the Master Encryption Keys section, click Create Key. Enter the following details:

Protection Mode – HSM
Name – HSMKey<YourInitials>
Key Shape, Algorithm and Length – Accept the default values

Click Create Key.

11. Create another master encryption key with the following details:

Protection Mode – Software
Name – SWKey<YourInitials>
Key Shape, Algorithm and Length – Accept the default values

Click Create Key.



12. Once both keys are created, they are listed in the vault.

13. Go to Menu > Storage > Block Storage, and from the Block Storage options on the right side
select Boot Volumes.

14. The boot volumes of the two instances you created for the web servers will be listed.

15. You can assign a key to a boot volume only when it is not attached to an instance. Open the
menu for one of the boot volumes and observe that Assign Master Encryption Key is disabled
right now because the boot volume is in use by the instance.



16. In order to attach your master encryption key, you need to shut down/stop the instance,
detach the boot volume, assign the master encryption key, and then re-attach the boot
volume and start the instance.

17. Go to the Instance page of one of the instances and stop the instance.

18. Wait for the instance to stop; it will take a few minutes.

19. Once the instance stops, scroll down and click Boot Volume under Resources section (on
the left side of the page).

20. Once the instance is stopped, use the menu for the boot volume and click Detach Boot
Volume.



21. In the pop-up menu, click Detach Boot Volume.

22. Once the boot volume is detached, go to Menu > Storage > Block Storage, and from the Block
Storage options on the right side select Boot Volumes.

23. Click the menu of the boot volume that is detached from the instance, and you will see the
Assign Master Encryption Key option is now enabled.

24. Click Assign Master Encryption Key.

25. In the pop-up menu, choose your vault and choose the master encryption key you want to
assign. Click Assign.

26. Go back to the Webserver1 Instance page (or the page of whichever instance's boot volume you
detached) and attach the boot volume to the instance.



27. Start the instance. The instance now has the boot volume that is encrypted using the data
encryption key generated by the master encryption key you assigned to the boot volume.

28. Go to Object Storage using Menu > Storage > Object Storage & …

29. Create a bucket with the Create Bucket button. Enter the following details:
Bucket Name – <Yourinitial>Bucket
Encryption – Choose your vault and a master encryption key
Accept default values for all other options.
Click Create.



30. A bucket is created, in which any object you upload will be encrypted with a data encryption
key generated by the master encryption key you assigned to the bucket.

31. From the Menu, click Identity & Security and then Vault, and select the vault that you created.

32. You can rotate a key from the Master Encryption Keys resource option. Click the vault, use the
menu for the master encryption key you want to rotate, and click Rotate Key.

33. In the Confirm pop-up menu, click Rotate Key.

34. Click Close to acknowledge the success message.

35. Once the state of the key changes from Updating to Enabled, click the key to go to the
details page.



36. Notice the OCID of the master encryption key remains the same, but you will find multiple
versions (for each rotation), and the OCID of each version is different.
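The following is an added worked example, not Oracle code or part of this practice, that models what steps 27, 30 and 36 describe: a boot volume or bucket is protected by a data encryption key (DEK) that the master encryption key (MEK) wraps, and rotating the MEK adds a new key version with its own OCID while the key's OCID stays the same. It goes one step beyond the practice by showing what rotation does and does not do to data that was already encrypted. The OCID strings are placeholders, the names MasterKey, encrypt_object and rotation_walkthrough are this example's own, and the SHA-256 counter keystream stands in for the AES the real service uses.

```python
"""Constructed model of OCI Vault master encryption keys, key versions and
envelope encryption.  Added example, not Oracle code: it imitates what steps
27, 30 and 36 describe (data is protected by a data encryption key that the
master key wraps; rotation adds a key version with its own OCID while the key
OCID is unchanged).  OCIDs are placeholders and the SHA-256 counter-keystream
"cipher" stands in for the service's AES."""
import hashlib
import hmac
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy cipher: XOR data with SHA-256(key || nonce || counter) blocks.
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _seal(key: bytes, data: bytes) -> bytes:
    # Encrypt-then-MAC so a tampered wrapped key or object is rejected.
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, data)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def _open(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key version or tampering")
    return _keystream_xor(key, nonce, ct)


class MasterKey:
    """A vault key: one stable OCID, several versions, one current version."""

    def __init__(self, key_ocid: str):
        self.ocid = key_ocid   # never changes, however often the key is rotated
        self.versions = {}     # version OCID -> {"material": bytes, "enabled": bool}
        self.current = None
        self.rotate()          # creating the key produces version 1

    def rotate(self) -> str:
        # Placeholder version-OCID format; the real service issues its own OCIDs.
        version_ocid = f"{self.ocid}.version-{len(self.versions) + 1}"
        self.versions[version_ocid] = {"material": secrets.token_bytes(32), "enabled": True}
        self.current = version_ocid   # only NEW wraps use the new version
        return version_ocid

    def generate_dek(self) -> tuple:
        # Fresh data encryption key plus its wrapped form, tagged with the
        # version that wrapped it so it can still be unwrapped after rotations.
        dek = secrets.token_bytes(32)
        material = self.versions[self.current]["material"]
        return dek, {"wrapped_dek": _seal(material, dek), "key_version": self.current}

    def unwrap_dek(self, record: dict) -> bytes:
        version = self.versions[record["key_version"]]
        if not version["enabled"]:
            raise PermissionError(f"key version {record['key_version']} is disabled")
        return _open(version["material"], record["wrapped_dek"])


def encrypt_object(master: MasterKey, plaintext: bytes) -> dict:
    # What a bucket or boot volume does: one DEK per object, wrapped by the MEK.
    dek, wrapped = master.generate_dek()
    return {"ciphertext": _seal(dek, plaintext), **wrapped}


def decrypt_object(master: MasterKey, record: dict):
    """Plaintext bytes, or None when the wrapping key version is disabled."""
    try:
        return _open(master.unwrap_dek(record), record["ciphertext"])
    except PermissionError:
        return None


def rotation_walkthrough() -> dict:
    """Reproduce the observation from step 36 and what it means for stored data."""
    mek = MasterKey("ocid1.key.oc1..PLACEHOLDER")
    v1 = mek.current
    before = encrypt_object(mek, b"object uploaded before rotation")
    v2 = mek.rotate()
    after = encrypt_object(mek, b"object uploaded after rotation")
    result = {
        "key_ocid_unchanged": mek.ocid == "ocid1.key.oc1..PLACEHOLDER",
        "version_ocids_differ": v1 != v2,
        "old_data_wrapped_by_v1": before["key_version"] == v1,
        "new_data_wrapped_by_v2": after["key_version"] == v2,
        "old_data_readable_after_rotation": decrypt_object(mek, before) == b"object uploaded before rotation",
    }
    # Rotation alone re-encrypts nothing; disabling the old version is what
    # cuts off pre-rotation data, while post-rotation data stays readable.
    mek.versions[v1]["enabled"] = False
    result["old_data_readable_after_v1_disabled"] = decrypt_object(mek, before) is not None
    result["new_data_readable_after_v1_disabled"] = (
        decrypt_object(mek, after) == b"object uploaded after rotation")
    return result
```

Running rotation_walkthrough() shows the point behind step 36: because every stored DEK records which key version wrapped it, data written before a rotation stays readable afterwards, and it is disabling (or deleting) the old version, not the rotation itself, that changes what can still be decrypted.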

This completes the task of working with the vault.



Practice: Create Database Services

Tasks
The steps given below are for creating an Autonomous Data Warehouse. All autonomous
database services are similar in the way they are provisioned; each type is optimized for a
particular purpose.

37. Ensure you are in the same region where you have created the VCN and in the
compartment assigned to you.

38. Click Create Autonomous Database.

39. Provide the following details:

Display name – A meaningful display name
Database name – Name for the database
Choose a workload type – Data Warehouse
Choose a deployment type – Shared Infrastructure
Choose database version – 19c (accept the default)
OCPU and Storage – Accept the defaults
Password – Type a password that meets the requirements
(Password must be 12–30 characters and contain at least one uppercase letter, one lowercase
letter, and one number. The password cannot contain the double quote (") character or the
username "admin".)
Confirm password – Type the same password
Network Access Type – Secure access from everywhere
Choose a license type – Any option is OK for this practice

Click Create Autonomous Database.

40. The autonomous database will be provisioned and available in a few minutes. Go to the
next step to provision another autonomous database (with a private endpoint).

41. First, you will create a network security group (NSG) specifically to be associated with the
private endpoint to be used for the autonomous database.

42. Log in to OCI with the credentials provided. Click Menu > Networking > Virtual Cloud
Networks to go to the VCN page.



43. Click your VCN and go to the Network Security Groups section under Resources. Click
Create Network Security Group.

44. In the pop-up menu, provide a meaningful name for the NSG and click Next.

45. You will not add any rules for now. Click Create to create the NSG; you will work further to
add rules to this.

46. Use the menu to go to Autonomous Database.

47. Click Create Autonomous Database.



48. Provide the following details:

Display name – A meaningful display name
Database name – Name for the database
Choose a workload type – Transaction Processing
Choose a deployment type – Shared Infrastructure
Choose database version – 19c (accept the default)
OCPU and Storage – Accept the defaults
Password – Type a password that meets the requirements
(Password must be 12–30 characters and contain at least one uppercase letter, one lowercase
letter, and one number. The password cannot contain the double quote (") character or the
username "admin".)
Confirm password – Type the same password
Network Access Type – Private endpoint access only
Virtual cloud network – The VCN you created earlier
Subnet – Private subnet in the VCN
Host name prefix – A meaningful name for the endpoint
Network security group – The NSG you created in the previous tasks (for ADB)
Choose a license type – Any option is OK for this practice

Click Create Autonomous Database.

49. The autonomous databases will be provisioned and available in a few minutes.

50. Continue to the next practice.

This completes the task of creating database services.



Practice: Use Data Safe

Tasks
1. You will create a network security group (NSG) in the VCN and then create a private
endpoint for Data Safe in the VCN and associate it to the NSG. Note: You have already
created NSGs for other practices earlier.

2. Log in to OCI with the credentials provided. Click Menu > Networking > Virtual Cloud
Networks to go to the VCN page.

3. Click your VCN and go to the Network Security Groups section under Resources. Click
Create Network Security Group.

4. In the pop-up menu, provide a meaningful name for the NSG and click Next.

5. You will not add any rules for now. Click Create to create the NSG; you will work further to
add rules to this. For now, the NSG is created without any rules.



6. Use the OCI menu and navigate to Data Safe: Menu > Oracle Database > Data Safe.

7. You are taken to the Data Safe home page; on the left side, under Connectivity Options,
click Private Endpoints.

8. Click Create Private Endpoint.

9. Give the following details in the pop-up menu for creating the private endpoint:

Name – DSPvtEndPt
Virtual Cloud Network – CloudNet (the VCN you created earlier)
Subnet – The private subnet
Network Security Group – PvtEndPt-NSG (the NSG you created in the previous section of
this practice)

Click Create Private Endpoint.

10. The private endpoint will be created in a couple of minutes.

11. Currently, there are no registered databases; you will add them and explore the features of
Data Safe in the rest of this practice.

12. First, you will register the two autonomous databases to Data Safe and then the VM
database system in the public subnet.

13. Navigate to the autonomous database (ADB) listing page and click the link to the
autonomous database that you created with secure access from everywhere.



14. On the ADB home page, click Register under the Data Safe section.

15. In the pop-up menu, click Confirm.

16. The ADB will be registered in a few minutes.

17. Next, you will register the ADB with the private endpoint.



18. Go to the home page of the ADB you created with the private endpoint.

19. Under the Network section, click the Show link next to Private Endpoint IP and note the
private endpoint IP address and the NSG name for the ADB.



20. Similarly, you need to identify the private endpoint IP and the NSG of the Data Safe private
endpoint you provisioned earlier. Go to the Data Safe page, click the private endpoint you
created, and note the details.

21. You need to add the following rules in the two NSGs:

The NSG of the ADB private endpoint needs an ingress rule to receive traffic from the Data Safe
endpoint IP address.
The NSG of the Data Safe private endpoint needs an egress rule to send traffic to the ADB private
endpoint.

22. Keep the NSG names and the private IP addresses of both resources at hand for reference.



23. Go to the VCN home page and go to the NSG section.

24. Click the NSG you created for the ADB and click Add Rules.

25. In the Add Rules dialog box, specify the following and click Add:
Direction – Ingress
Source Type – NSG
Source NSG – NSG of the Data Safe endpoint
IP Protocol – TCP
Source Port Range – All
Destination Port Range – 1522

This is an example of allowing any VNIC associated with the Source NSG to communicate
with the ADB; if you want to be very specific and allow only the Data Safe private endpoint to
communicate, then enter the following instead:

Direction – Ingress
Source Type – CIDR
Source CIDR – PvtIPofDataSafeEndpoint/32
IP Protocol – TCP
Source Port Range – All
Destination Port Range – 1522

26. Now go to the NSG that you have associated with the Data Safe endpoint and add an egress
rule as follows:
Direction – Egress
Destination Type – NSG
Destination NSG – NSG of the ADB private endpoint
IP Protocol – TCP
Source Port Range – All
Destination Port Range – 1522

Instead of an NSG, you can also set Destination Type to CIDR and specify the Destination CIDR as
<IPAddressofADBEndPoint>/32, keeping the other fields the same.
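The following is an added example, not Oracle code or part of this practice, that models the two rules from steps 25 and 26 and checks which flows they permit. It goes slightly beyond the practice by also evaluating the /32 CIDR alternative side by side with the NSG-to-NSG form, so the difference between the two becomes visible: an NSG-based allow covers every VNIC that is later placed in the Data Safe NSG, while the /32 allow covers only the one endpoint address. The IP addresses (10.0.1.x), NSG names, and the Rule, connection_allowed and evaluate names are this example's own constructions; the evaluator implements only the semantics the practice relies on (allow-only rules, CIDR or NSG peers, destination-port matching, and stateful handling of return traffic).

```python
"""Constructed model of the NSG rules from steps 25 and 26.  Added example,
not Oracle code: the IP addresses and NSG names are made up, and the
evaluator implements only the semantics the practice relies on.  NSG rules
are allow-only; a rule names the other end either by CIDR or by NSG
membership; a TCP rule matches on destination port; NSGs are stateful, so a
connection needs an egress match on the client's NSG and an ingress match on
the server's NSG, and the reply traffic needs no rule of its own."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str          # "INGRESS" or "EGRESS"
    protocol: str           # "TCP" or "ALL" (enough for this example)
    peer_type: str          # "CIDR" or "NSG": how the other end is identified
    peer: str               # a CIDR string, or an NSG name
    dst_port_min: int = 1   # destination port range; source range stays "All"
    dst_port_max: int = 65535


# Constructed topology: which private IPs sit behind which NSG.
NSG_MEMBERS = {
    "ADB-NSG": {"10.0.1.10"},        # ADB private endpoint IP (made up)
    "DataSafe-NSG": {"10.0.1.20"},   # Data Safe private endpoint IP (made up)
    "Other-NSG": {"10.0.1.30"},      # an unrelated VNIC in the private subnet
}

# Variant A: the NSG-to-NSG rules exactly as steps 25 and 26 enter them.
RULES_NSG = {
    "ADB-NSG": [Rule("INGRESS", "TCP", "NSG", "DataSafe-NSG", 1522, 1522)],
    "DataSafe-NSG": [Rule("EGRESS", "TCP", "NSG", "ADB-NSG", 1522, 1522)],
    "Other-NSG": [Rule("EGRESS", "TCP", "CIDR", "0.0.0.0/0")],  # permissive egress
}

# Variant B: the /32 CIDR alternative the practice describes.
RULES_CIDR = {
    "ADB-NSG": [Rule("INGRESS", "TCP", "CIDR", "10.0.1.20/32", 1522, 1522)],
    "DataSafe-NSG": [Rule("EGRESS", "TCP", "CIDR", "10.0.1.10/32", 1522, 1522)],
    "Other-NSG": [Rule("EGRESS", "TCP", "CIDR", "0.0.0.0/0")],
}


def _peer_matches(rule: Rule, peer_ip: str, members: dict) -> bool:
    if rule.peer_type == "CIDR":
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer)
    return peer_ip in members.get(rule.peer, set())


def _rule_allows(rule: Rule, direction: str, peer_ip: str, dst_port: int, members: dict) -> bool:
    return (rule.direction == direction
            and rule.protocol in ("ALL", "TCP")
            and rule.dst_port_min <= dst_port <= rule.dst_port_max
            and _peer_matches(rule, peer_ip, members))


def connection_allowed(rules, members, src_ip, src_nsg, dst_ip, dst_nsg, dst_port) -> bool:
    """TCP connection attempt from src to dst (e.g. Data Safe to the ADB listener)."""
    egress_ok = any(_rule_allows(r, "EGRESS", dst_ip, dst_port, members)
                    for r in rules.get(src_nsg, []))
    ingress_ok = any(_rule_allows(r, "INGRESS", src_ip, dst_port, members)
                     for r in rules.get(dst_nsg, []))
    return egress_ok and ingress_ok


def evaluate(rules: dict) -> dict:
    """Run the flows a reviewer would check against one of the rule sets."""
    members = {nsg: set(ips) for nsg, ips in NSG_MEMBERS.items()}
    members["DataSafe-NSG"].add("10.0.1.21")   # a VNIC later added to that NSG (made up)

    def check(src_ip, src_nsg, dst_ip, dst_nsg, port):
        return connection_allowed(rules, members, src_ip, src_nsg, dst_ip, dst_nsg, port)

    return {
        # The intended flow: Data Safe endpoint -> ADB endpoint on 1522.
        "datasafe_to_adb_1522": check("10.0.1.20", "DataSafe-NSG", "10.0.1.10", "ADB-NSG", 1522),
        # Wrong port: neither rule set mentions 1521.
        "datasafe_to_adb_1521": check("10.0.1.20", "DataSafe-NSG", "10.0.1.10", "ADB-NSG", 1521),
        # Unrelated VNIC: its egress is open, but ADB-NSG has no ingress for it.
        "other_to_adb_1522": check("10.0.1.30", "Other-NSG", "10.0.1.10", "ADB-NSG", 1522),
        # Reverse direction: ADB-NSG has no egress rule at all.
        "adb_to_datasafe_1522": check("10.0.1.10", "ADB-NSG", "10.0.1.20", "DataSafe-NSG", 1522),
        # Where the variants differ: a new DataSafe-NSG member inherits the
        # NSG-based allow but not the /32 allow.
        "new_nsg_member_to_adb_1522": check("10.0.1.21", "DataSafe-NSG", "10.0.1.10", "ADB-NSG", 1522),
    }


if __name__ == "__main__":
    for label, rules in (("NSG-to-NSG", RULES_NSG), ("CIDR /32", RULES_CIDR)):
        print(label, evaluate(rules))
```

Both variants allow exactly the flow the practice needs (Data Safe endpoint to the ADB private endpoint on TCP 1522) and nothing from the unrelated VNIC or in the reverse direction; they differ only in whether a VNIC added to the Data Safe NSG later is automatically allowed, which is the trade-off the practice is pointing at when it offers the /32 form.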



27. To register the ADB with Data Safe, go to the ADB (with private endpoint) home page.

28. Click the link Register under the Data Safe section. In the pop-up window, click Confirm.

29. It will take a few minutes for the ADB to be registered with Data Safe.

30. Navigate to the Data Safe home page and click the link to Target Databases (under the
Data Safe section on the left side).



You should see the two ADBs registered. If you do not, wait a few minutes for the
registration to complete and refresh the page.

31. To see the various options of Data Safe, click Security Assessment.

32. A dashboard with the current security assessments is displayed.

33. Now that you have these databases in Data Safe, you will explore Data Safe functionality.



34. Go to the Data Safe Service console; a summary dashboard is shown with the current
security assessment for the databases registered with Data Safe.

35. Click the Security Assessment section on the left side.

36. Depending on when you registered the databases, various reports may be available.

37. Look into the Last Generated Report for one of the ADBs.



38. Explore the different sections of the security assessment report for the ADB.

39. Scroll to the top of the page and click the Home tab.

40. Click the link to Activity Auditing on the left side.

41. You will explore how to enable Activity Auditing for an ADB.

42. Choose any ADB and click Continue.

43. In the next page to configure policies, click the check box for the ADB and click Retrieve.



44. Once successful, click Continue.

45. In the next screen, click Continue.

46. In the Start Audit Collection page, choose a date (before the current time) for Collect Audit
Data by using the Calendar icon.



47. Once you have chosen a date, select the target (using the check box) and click the Start button
to start Audit Collection.

48. In the pop-up window, click Start.

49. The audit data will be collected.



50. You can define audit policies that determine which operations are audited, and the audit data
will be collected from the database.

51. You may explore other options of Data Safe if you have time.

This completes the tasks for working with Data Safe.
