If you need a refresher, visit Part 1

In Part 1, we have done the following:

• Installed Terraform
• Created .tf scripts
• Executed the workflows, Initialize > Plan > Apply
• Authenticated our OCI tenant with the Terraform provider scripts

In Part 2, let's look at how we can provision compartments & provision compute & network resources within these compartments.

In Part 1, we created the following .tf file which allowed Terraform to authenticate with our OCI tenant.

In Part 2, we will first need to create a compartment to store our resources that we'll be creating later. To do this, we will need 2 .tf files in our working folder.

Creating the Working Directory

Let's begin with creating the working directory to store our files in it. Once, the files are defined, we'll initialize Terraform & put it to work from this directory.

Create a directory called 'tf-compartment' under your root directory.

$ mkdir tf-compartment

Copy the provider.tf file from the tf-provider directory to this directory (tf-compartment). Once you have that in place, let's create the compartment.tf file & define the parameters. Add the following code in your file.

resource "oci_identity_compartment" "tf-compartment" {
    compartment_id = "<tenancy-ocid>"
    description = "Compartment for Terraform resources."
    name = "<your-compartment-name>"
}

Defining Policies on OCI

Let's add a policy on our OCI tenant.

1. Navigate to Identity & Security > Policies
2. Choose a Compartment if you have one or select the root compartment for now
3. Click Create Policy & click Show manual editor
4. Paste the following policy & click Create

allow group <the-group-your-username-belongs> to manage compartments in tenancy

Creating the Compartment

Initialize

First, let's initialize Terraform within our working directory, tf-compartment

$ terraform init

You'll get the following output

Plan

Once, we've initialized Terraform, let's plan our deployment.

$ terraform plan

You'll get an output like this:

Apply

Once we're good with our plan, let's proceed with creating the compartment by issuing the following command

$ terraform apply

You'll get an output like these:

Now, let's verify the creation in our OCI tenant

There you go. Our compartment has been successfully created on OCI

Provisioning a Compute Instance in an Existing VCN

Now, let's attempt to provision a compute instance in our compartment, vickterraform2. This compute instance will be provisioned into an existing Virtual Cloud Network, vickvcn1, in the OCI tenant

Generating SSH Keys

I'll be generating SSH keys which will be used to connect to the compute instance which I'll be creating later

$ ssh-keygen -t rsa -N "" -b 2048 -C <your-ssh-key-name> -f <your-ssh-key-name>

This will generate a public & private key pair for you. You would get something like this

Gather Important Information

Before we begin creating the scripts, let's gather the important information that we'll be using in our scripts

• Compartment Name
• Compartment ID
• Subnet ID
• Source ID
• Shape
• Path of your SSH public key
• Path of your SSH private key

Getting the Source ID

The Source ID refers to the ID of the source image of your compute & this depends on what image (Ubuntu, CentOS, Oracle Linux, Windows, etc.) you would like to provision

To get the Source ID:

1. Identify your region. Mine is us-ashburn-1
2. Refer here: Image Release Notes
3. For this deployment, I'll be using an Ubuntu 20.04 image & this is my Source ID to the image according to my region: ocid1.image.oc1.iad.aaaaaaaaos5ofuq26nipxcybznimsjnhyw3jf7mrq2r3kgpsf6zqbtqei25q

Getting the Shape

The shape refers to the size of the compute instance which defines the allocation of CPUs & memory

To get the shape:

1. Refer here: VM Standard Shapes
2. I'll be using a VM.Standard2.1 shape

Add Policies to OCI

Let's add the following policy in Identity & Security > Identity > Policies under your compartment

allow group <the-group-your-username-belongs> to manage all-resources in compartment <your-compartment-name>

Creating the Scripts

Let's setup a new working directory for this called 'tf-compute'

$ mkdir tf-compute

Copy your 'provider.tf' file into this directory

$ cp ../tf-provider/provider.tf .

Let's also copy the 'availability-domains.tf' file which we created in the initial setup into this directory

cp ../tf-provider/availability-domains.tf .

The 'availability-domains.tf' has the following code

data "oci_identity_availability_domains" "ads" {
  compartment_id = "<tenancy-ocid>"
}

Let's also create an 'outputs.tf' file in the 'tf-compute' directory

output "name-of-first-availability-domain" {
  value = data.oci_identity_availability_domains.ads.availability_domains[0].name
}

Now, we have the following files in our tf-compute directory

• provider.tf
• availability-domains.tf
• outputs.tf

Let's initialize > plan > apply our Terraform scripts

$ terraform init
$ terraform plan
$ terraform apply

Once you've hit the terraform apply, you'll be provided with an output of your availability domain

Declare the Compute Resource

Now that we're ready to provision the compute instance, let's create a 'compute.tf' file & add the following code into the file

resource "oci_core_instance" "ubuntu_instance" {
    # Required
    availability_domain = data.oci_identity_availability_domains.ads.availability_domains[0].name
    compartment_id = "<compartment-ocid>"
    shape = "VM.Standard2.1"
    source_details {
        source_id = "<source-ocid>"
        source_type = "image"
    }

    # Optional
    display_name = "<your-ubuntu-instance-name>"
    create_vnic_details {
        assign_public_ip = true
        subnet_id = "<subnet-ocid>"
    }
    metadata = {
        ssh_authorized_keys = file("<ssh-public-key-path>")
    } 
    preserve_boot_volume = false
}

This is my completed file

Now, let's run our scripts

$ terraform init
$ terraform plan
$ terraform apply

And, we have successfully created our Ubuntu server via Terraform. Also, let's verify this on the OCI console

Let's also try connecting to this server

$ ssh -i <ssh-private-key-path> ubuntu@<your-public-ip-address>

And there you go. We've successfully accessed the Ubuntu server

Now that I've tested the deployment & it's working, I will proceed to delete this compute instance

$ terraform destroy

Simultaneously on the console, the instance is getting terminated

Once the instance is completely terminated, you will get the following output

Creating a New Virtual Cloud Network (VCN)

In this section, I will demonstrate the creation of a new Virtual Cloud Network (VCN) & its associated components such as subnets, gateways, security lists & more

Gather Important Information

Before we begin, let's gather the important information that we'll be using in our scripts

• Compartment Name
• Compartment ID
• Region

Create a Working Directory

Let's create a new working directory for this demo & let's name it 'tf-vcn'

$ mkdir tf-vcn

Copy the 'provider-tf' file from the 'tf-provider' directory into this directory

cp ../tf-provider/provider.tf .

Declaring the VCN Configuration

Now, let's create a file called 'vcn-module.tf' & insert the following code into it

# Source from https://registry.terraform.io/modules/oracle-terraform-modules/vcn/oci/
module "vcn"{
  source  = "oracle-terraform-modules/vcn/oci"
  version = "3.1.0"
  # insert the 5 required variables here

  # Required Inputs
  compartment_id = "<compartment-ocid>"
  region = "<region-identifier>"

  internet_gateway_route_rules = null
  local_peering_gateways = null
  nat_gateway_route_rules = null

  # Optional Inputs
  vcn_name = "vcn-module"
  vcn_dns_label = "vcnmodule"
  vcn_cidrs = ["10.0.0.0/16"]

  create_internet_gateway = true
  create_nat_gateway = true
  create_service_gateway = true  
}

Here's a sample of my code

Let's also create an 'outputs.tf' file & insert the following code to get the information of the VCN once we run the scripts

# Outputs for the vcn module

output "vcn_id" {
  description = "OCID of the VCN that is created"
  value = module.vcn.vcn_id
}
output "id-for-route-table-that-includes-the-internet-gateway" {
  description = "OCID of the internet-route table. This route table has an internet gateway to be used for public subnets"
  value = module.vcn.ig_route_id
}
output "nat-gateway-id" {
  description = "OCID for NAT gateway"
  value = module.vcn.nat_gateway_id
}
output "id-for-for-route-table-that-includes-the-nat-gateway" {
  description = "OCID of the nat-route table - This route table has a nat gateway to be used for private subnets. This route table also has a service gateway."
  value = module.vcn.nat_route_id
}

Creating the VCN

Now that we have the required scripts configured, let's create the VCN

$ terraform init

$ terraform plan

$ terraform apply

And there you go. We've successfully created the VCN & the gateways

Let's also verify this on the OCI console

Notice that we don't have any subnets in our VCN yet. We'll be creating this later

Customizing the VCN

Before we jump on to create subnets, I would like to define security lists for my subnets

Creating a Security List for the Private Subnet

Let's create a file called 'private-security-list.tf' & add the following code into it

# Source from https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/core_security_list

resource "oci_core_security_list" "private-security-list"{

# Required
  compartment_id = "<compartment-ocid>"
  vcn_id = module.vcn.vcn_id

# Optional
  display_name = "security-list-for-private-subnet"
}

Let's also add an egress rule to this security list by adding the following code into our file

  egress_security_rules {
      stateless = false
      destination = "0.0.0.0/0"
      destination_type = "CIDR_BLOCK"
      protocol = "all" 
  }

Here's a sample of my code

Also, let's add the following code into the 'outputs.tf' file

# Outputs for private security list

output "private-security-list-name" {
  value = oci_core_security_list.private-security-list.display_name
}
output "private-security-list-OCID" {
  value = oci_core_security_list.private-security-list.id
}

Once we have created our scripts, let's run the creation of the security list for our private subnet

$ terraform init

$ terraform plan

$ terraform apply

And we've successfully created our security list along with its egress rule

Now that's successful, let's also create ingress rules for our security lists. In the 'private-security-list.tf', let's add the following code into it

ingress_security_rules { 
      stateless = false
      source = "10.0.0.0/16"
      source_type = "CIDR_BLOCK"
      # Get protocol numbers from https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml TCP is 6
      protocol = "6"
      tcp_options { 
          min = 22
          max = 22
      }
    }
  ingress_security_rules { 
      stateless = false
      source = "0.0.0.0/0"
      source_type = "CIDR_BLOCK"
      # Get protocol numbers from https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml ICMP is 1  
      protocol = "1"

      # For ICMP type and code see: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
      icmp_options {
        type = 3
        code = 4
      } 
    }   

  ingress_security_rules { 
      stateless = false
      source = "10.0.0.0/16"
      source_type = "CIDR_BLOCK"
      # Get protocol numbers from https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml ICMP is 1  
      protocol = "1"

      # For ICMP type and code see: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
      icmp_options {
        type = 3
      } 
    }

Once again, let's run our scripts

$ terraform init

$ terraform plan

$ terraform apply

Now that it has successfully ran, we are able to see the ingress & egress rules created for the security list for the private subnet

Creating a Security List for the Public Subnet

Now, let's replicate the above operations for our public subnet. Let's copy the file 'private-security-list.tf' to a new file called 'public-security-list.tf' & let's modify the parameters

$ cp private-security-list.tf public-security-list.tf

Let's change the code private-security-list in the resource block to public-security-list & change the display_name from security-list-for-private-subnet to security-list-for-public-subnet

We'll maintain the egress rule. However, for the ingress rule let's change the source = "10.0.0.0/16" to source = "0.0.0.0/0"

Your code should look like this

ingress_security_rules { 
      stateless = false
      source = "0.0.0.0/0"
      source_type = "CIDR_BLOCK"
      # Get protocol numbers from https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml TCP is 6
      protocol = "6"
      tcp_options { 
          min = 22
          max = 22
      }
    }
  ingress_security_rules { 
      stateless = false
      source = "0.0.0.0/0"
      source_type = "CIDR_BLOCK"
      # Get protocol numbers from https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml ICMP is 1  
      protocol = "1"

      # For ICMP type and code see: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
      icmp_options {
        type = 3
        code = 4
      } 
    }   

  ingress_security_rules { 
      stateless = false
      source = "10.0.0.0/16"
      source_type = "CIDR_BLOCK"
      # Get protocol numbers from https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml ICMP is 1  
      protocol = "1"

      # For ICMP type and code see: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml
      icmp_options {
        type = 3
      } 
    }

Let's also add the following code to the 'outputs.tf' file

# Outputs for public security list

output "public-security-list-name" {
  value = oci_core_security_list.public-security-list.display_name
}
output "public-security-list-OCID" {
  value = oci_core_security_list.public-security-list.id
}

Now, let's run our scripts

$ terraform init

$ terraform plan

$ terraform apply

Now, we are able to see on the console that the security list & its ingress & egress rules have been created

Creating the Private Subnet

We are not done yet as we have not created the subnets for our VCN. Let's start by creating a private subnet

Let's create a file called 'private-subnet.tf' & add the following code to it

# Source from https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/core_subnet

resource "oci_core_subnet" "vcn-private-subnet"{

  # Required
  compartment_id = "<compartment-ocid>"
  vcn_id = module.vcn.vcn_id
  cidr_block = "10.0.1.0/24"

  # Optional
  # Caution: For the route table id, use module.vcn.nat_route_id.
  # Do not use module.vcn.nat_gateway_id, because it is the OCID for the gateway and not the route table.
  route_table_id = module.vcn.nat_route_id
  security_list_ids = [oci_core_security_list.private-security-list.id]
  display_name = "private-subnet"
}

Let's also add the following to the 'outputs.tf' file

# Outputs for private subnet

output "private-subnet-name" {
  value = oci_core_subnet.vcn-private-subnet.display_name
}
output "private-subnet-OCID" {
  value = oci_core_subnet.vcn-private-subnet.id
}

Now, let's run our scripts

$ terraform init

$ terraform plan

$ terraform apply

And there you go. We've created our private subnet with a CIDR block of 10.0.1.0/24

Creating the Public Subnet

Let's do the above for the public subnet. To begin, let's create a file called 'public-subnet.tf' & add the following code

# Source from https://registry.terraform.io/providers/hashicorp/oci/latest/docs/resources/core_subnet

resource "oci_core_subnet" "vcn-public-subnet"{

  # Required
  compartment_id = "<compartment-ocid>"
  vcn_id = module.vcn.vcn_id
  cidr_block = "10.0.0.0/24"

  # Optional
  route_table_id = module.vcn.ig_route_id
  security_list_ids = [oci_core_security_list.public-security-list.id]
  display_name = "public-subnet"
}

And, add the following code to the 'outputs.tf' file

# Outputs for public subnet

output "public-subnet-name" {
  value = oci_core_subnet.vcn-public-subnet.display_name
}
output "public-subnet-OCID" {
  value = oci_core_subnet.vcn-public-subnet.id
}

Now, let's run our scripts

$ terraform init

$ terraform plan

$ terraform apply

And now, we have successfully created our public subnet with a CIDR block of 10.0.0.0/24

Summary

This sums Part 2 of this blog. In Part 2, we've created the following

• A compartment
• A Ubuntu 20.04 compute instance
• A Virtual Cloud Network (VCN)
• Security List for Private Subnet with Ingress & Egress Rules
• Security List for Public Subnet with Ingress & Egress Rules
• A Private Subnet
• A Public Subnet

In Part 3, I will be covering how we can incorporate the above in a single Terraform script & provision an infrastructure on OCI. Stay tuned.

Terraform is an infrastructure as code (IAC) tool that lets you define both cloud & on-prem resources in human-readable configuration files that you can version, reuse, and share. The concept of Terraform is to allow users to provision huge & complex infrastructure & workloads in an automated fashion by defining the parameters in a ".tf" file, instead of manually provisioning them which takes alot of effort & time.

Terraform creates & manages resources on cloud platforms (such as OCI) & other services through their application programming interfaces (APIs). Providers enable Terraform to work with virtually any platform or service with an accessible API.

Image credits: terraform.io

Terraform execution involves three stages:

Image credits: freecodecamp.org

• Write - This is where you write a “.tf” file to define the resources that you're provisioning to a provider (Eg: AWS, Azure, OCI, GCP, etc.)
• Plan - Terraform will create an execution plan outlining the infrastructure that you want to create, update or destroy based on your environment & the “.tf” file that you've defined
• Apply - This is when Terraform executes the plan based on the parameters defined in your “.tf” file

Image credits: terraform.io

Working with Terraform on OCI

In this section, I'll be documenting the process of configuring Terraform & the creation of resources on OCI.

Setting Up Terraform

Terraform Installation

Firstly, we need to install Terraform in our environment. I have a Linux (Ubuntu) Windows Subsystem for Linux (WSL) on my Windows 10 machine which allows me to run a Linux environment directly on Windows without needing a virtual machine or dual boot setup. To learn more on WSL, refer here: WSL

For Ubuntu/Debian, do the following:

$ curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -

$ sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"

$ sudo apt-get update && sudo apt-get install terraform

For CentOS/RHEL, do the following:

$ sudo yum install -y yum-utils

$ sudo yum-config-manager --add-repo 

$ sudo yum -y install terraform

Creating RSA Keys

Once Terraform installed, we need to generate RSA keys to allow API signing into the OCI tenant.

On your terminal, create an .oci directory in the root folder.

$ mkdir $HOME/.oci

Generate a 2048-bit private key in PEM format.

$ openssl genrsa -out $HOME/.oci/<your-rsa-key-name>.pem 2048

Modify the permission of your PEM file (private key) so that only you can read & write the file.

$ chmod 600 $HOME/.oci/<your-rsa-key-name>.pem

Generate a public key (also in PEM format).

$ openssl rsa -pubout -in $HOME/.oci/<your-rsa-key-name>.pem -out $HOME/.oci/<your-rsa-key-name>_public.pem

View your public key & copy it's contents. Include ‘BEGIN PUBLIC KEY’ & ‘END PUBLIC KEY’.

$ cat $HOME/.oci/<your-rsa-key-name>_public.pem

-----BEGIN PUBLIC KEY-----

xxxxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxx

-----END PUBLIC KEY-----

Add the public key to your user account on the OCI portal.

• Click your profile
• Click API Keys
• Click Add Public Key
• Select Paste Public Keys
• Paste your public key into the field, include the lines with 'BEGIN PUBLIC KEY' & 'END PUBLIC KEY'
• Click Add

Define Policies on OCI

You need to define policies to provide permissions for your user(s) & group(s) to read & manage resources in your tenancy.

1. Navigate to Identity & Security > Users. Create your user (Eg: terraformuser)
2. Navigate to Identity & Security > Groups. Create your group (Eg: terraformgroup) & add your user to the group
3. Navigate to Identity & Security > Policies
4. Choose a Compartment if you have one or select the root compartment for now (We'll be creating a Compartment later as well, in Part 2)
5. Click Create Policy & click Show manual editor
6. Paste the following policy & click Create

allow group <the-group-your-username-belongs> to read all-resources in tenancy

Gather Required Information

We will need to collect the following information to authenticate our Terraform scripts. Collect them from here:

1. Tenancy OCID: Below your profile, click Tenance: & copy the OCID
2. User OCID: Click on your profile & copy the OCID
3. Fingerprint: In your profile, click API Keys & copy the fingerprint associated with your RSA public key. The format is xx:xx:xx:…..:xx
4. Region: From the top navigation bar, locate your region & find your region's from Regions & Availability Domains. Eg: us-ashburn-1

Also, collect the following information from your environment (Linux, in my case).

1. Private Key Path: Eg: $HOME/.oci/.pem

Creating Your Scripts

Next, we need to create scripts (.tf files) to allow Terraform to authenticate & fetch data from the OCI tenant.

Add API Key-Based Authentication

In your $HOME directory (your root directory), create a directory called ‘tf-provider’ & change to that directory.

$ mkdir tf-provider

$ cd tf-provider

Create a file called ‘provider.tf’ using your preferred text editor (vi/vim/nano). Add the following code into your file. Replace the field brackets with the information gathered earlier. Retain the quotations around the string values. Save the file.

provider "oci" {

tenancy_ocid = "<tenancy-ocid>"

user_ocid = "<user-ocid>"

private_key_path = "<rsa-private-key-path>"

fingerprint = "<fingerprint>"

region = "<region-identifier>"

}

Add Data Source

In this section, you create a .tf file to fetch a list of availability domains in your tenancy.

1. In the tf-provider directory, create a file called 'availability-domains.tf'
2. Add the following code & save.

data “oci_identity_availability_domains” “ads” {

compartment_id = “<tenancy-ocid>”

}

Run Your Scripts

In this section, we run the Terraform script by the workflow, Initialize > Plan > Apply

Initialize

1. Initialize a working directory in the tf-provider directory.

$ terraform init

Example output:

Initializing the backend...

Initializing provider plugins...

- Finding latest version of hashicorp/oci...

- Installing hashicorp/oci vx.x.x...

- Installed hashicorp/oci vx.x.x (signed by HashiCorp)

Terraform has been successfully initialized!

Plan

1. Now, we create an execution plan to check whether the changes shown in the plan match our expectations, without changing the real resource.

$ terraform plan

Example output:

Changes to Outputs:

  + all-availability-domains-in-your-tenancy = [

      + {

          + compartment_id = "ocid1.tenancy.oc1..xxx"

          + id             = "ocid1.availabilitydomain.xxx"

          + name           = "QnsC:US-ASHBURN-AD-1"

        },

      + {

          + compartment_id = "ocid1.tenancy.oc1..xxx"

          + id             = "ocid1.availabilitydomain.xxx"

          + name           = "QnsC:US-ASHBURN-AD-2"

        },

      + {

          + compartment_id = "ocid1.tenancy.oc1..xxx"

          + id             = "ocid1.availabilitydomain.xxx"

          + name           = "QnsC:US-ASHBURN-AD-3"

        },

    ]

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

Apply

Now, we run the Terraform scripts. Enter ‘yes’ when prompted.

$ terraform apply

Example output:

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

all-availability-domains-in-your-tenancy = tolist([

  {

    "compartment_id" = "ocid1.tenancy.xxx"

    "id" = "ocid1.availabilitydomain.xxx"

    "name" = "QnsC:US-ASHBURN-AD-1"

  },

  {

    "compartment_id" = "ocid1.tenancy.xxx"

    "id" = "ocid1.availabilitydomain.xxx"

    "name" = "QnsC:US-ASHBURN-AD-2"

  },

  {

    "compartment_id" = "ocid1.tenancy.xxx"

    "id" = "ocid1.availabilitydomain.xxx"

    "name" = "QnsC:US-ASHBURN-AD-3"

  },

])

We have successfully authenticated our OCI tenant with our Terraform provider scripts.

Summary

To summarize Part 1, we have done the following:

• Installed Terraform
• Created .tf scripts
• Executed the workflows, Initialize > Plan > Apply
• Authenticated our OCI tenant with the Terraform provider scripts

In Part 2, I will document steps to provision resources (compartments, compute instances, etc.) in our OCI tenant via Terraform scripts.

I hope this has been beneficial to you. I'll see you in Part 2. Stay tuned & have a nice day.

Data is an organization's most critical asset which if not protected, becomes a huge liability. Databases containing sensitive data, such as personally identifiable information (PII), personal financial information, and personal healthcare information, are vulnerable to external & even internal threats looking to steal data for financial, strategic, or personal gain, or simply to cause business disruption.

In terms of having ownership of data, organizations are required to be compliant in Data Protection Laws. The following are a few laws you may be familiar with.

• General Data Protection Regulation (GDPR)
• Payment Card Industry's Data Security Standard (PCI DSS)
• Sarbanes Oxley (SOX)
• Health Insurance Portability & Accountability Act (HIPAA)

In addition to the above, there are also other global & country-specific laws which addresses data protection.

Attackers are constantly looking at ways of gaining illegitimate access into enterprise systems by exploiting vulnerabilities in user credentials, applications & configurations of databases.

How do you manage against a legion of attackers who have all the infrastructure, the tools, & the time, when you don’t? Oracle provides top-in-class security for the computing infrastructure of its cloud databases, including encryption by default, separation of duty, and proactive security patching. But organizations need to further secure their databases by understanding their own data, their own users & their configurations.

What is Oracle Data Safe?

Image credits: 4iapps.com

Oracle Data Safe offers a protection mechanism for Oracle databases which helps organizations to:

• understand the sensitivity of data
• evaluate risks to data
• mask sensitive data
• implement & monitor security controls
• assess user security
• monitor user activity
• address data security compliance requirements

Oracle Data Safe Features

• Security Assessment allows organizations to assess the security of their database configurations. It analyzes database configurations, user accounts, and security controls, and then reports the findings with recommendations for remediation activities that follow best practices to reduce or mitigate risk.
• User Assessment looks into the security assessments of your database users & identify high risk users. It reviews information about your users in the data dictionary on your target databases & calculates a risk score for each user. For an instance, it examines the user types, how users are authenticated, the password policies assigned to each user & how long it has been since each user has changed their password. It also provides a direct link to audit records related to each user. With this information, organizations can then deploy appropriate security controls and policies.
• Data Discovery helps organizations to identify sensitive data in its databases. Data Discovery can be instructed to search for a particular kind of sensitive data & it inspects the actual data in the database & its data dictionary & then provisions a list of sensitive columns. By default, Data Discovery can search for a wide variety of sensitive data pertaining to identification, biographic, IT, financial, healthcare, employment, and academic information.
• Data Masking is a mechanism for you to mask sensitive data so that the data is safe for non-production purposes. For an instance, organizations are often required to create copies of their production data to support development and test activities. Simply copying the production data exposes sensitive data to new users. To avoid a security risk, you can use Data Masking to replace the sensitive data with realistic, but fictitious data.
• Activity Auditing allows security admins to audit user activity on databases which also allows them to monitor database usage.
• Alerts keep you informed of unusual database activities as they happen.

What Databases can I Protect with Oracle Data Safe?

Oracle Data Safe allows you to protect a variety of Oracle databases which includes Autonomous Databases & DB systems (Bare Metal, Virtual Machine, and Exadata), on-premises Oracle Databases, and Oracle Databases on compute instances in both Oracle Cloud Infrastructure (OCI) and non-Oracle cloud environments.

Image credits: Oracle Data Safe Architecture

Oracle Data Safe in Action

I hope this was insightful. Thank you for reading & I shall share more write ups in my next blog post.

Data Owner

Refers to the that has collected or created the data. From an organization perspective, data ownership is assigned to specific individuals who have rights & responsibilities of the data. This may include Department Heads or Business Unit Managers whom have collected or created a dataset. From a cloud computing perspective, the customer is the owner of the data

Data Custodian

Refers to a person or entity that is given the mandate to maintain & administer the data. The data custodian is also responsible of administering adequate security controls & processes as directed by the data owner. An example of a data custodian is a database administrator.

Data Processor

Refers to a person or organization who manipulates, stores or moves data on behalf of the data owner. Data processing may include copying, printing, destroying & utilizing. From an international law perspective, the cloud provider is a data processor.