Discussions
Categories
- 195.9K All Categories
- 2.1K Data
- 208 Big Data Appliance
- 1.9K Data Science
- 447.2K Databases
- 220.8K General Database Discussions
- 3.7K Java and JavaScript in the Database
- 23 Multilingual Engine
- 516 MySQL Community Space
- 463 NoSQL Database
- 7.7K Oracle Database Express Edition (XE)
- 2.9K ORDS, SODA & JSON in the Database
- 461 SQLcl
- 3.9K SQL Developer Data Modeler
- 185.8K SQL & PL/SQL
- 20.9K SQL Developer
- 292.4K Development
- 7 Developer Projects
- 121 Programming Languages
- 289.2K Development Tools
- 94 DevOps
- 3K QA/Testing
- 645.4K Java
- 21 Java Learning Subscription
- 36.9K Database Connectivity
- 150 Java Community Process
- 104 Java 25
- 22.1K Java APIs
- 137.8K Java Development Tools
- 165.3K Java EE (Java Enterprise Edition)
- 14 Java Essentials
- 142 Java 8 Questions
- 85.9K Java Programming
- 79 Java Puzzle Ball
- 65.1K New To Java
- 1.7K Training / Learning / Certification
- 13.8K Java HotSpot Virtual Machine
- 94.2K Java SE
- 13.8K Java Security
- 197 Java User Groups
- 24 JavaScript - Nashorn
- Programs
- 221 LiveLabs
- 34 Workshops
- 10.2K Software
- 6.7K Berkeley DB Family
- 3.5K JHeadstart
- 5.8K Other Languages
- 2.3K Chinese
- 166 Deutsche Oracle Community
- 1.2K Español
- 1.9K Japanese
- 225 Portuguese
Locking down 18c XE
I have some sensitive data I wish to install in an Oracle 18c XE database on Windows in a way that only a specific oracle user with a specific password of my choosing can acces the data. I've googled around and not found any information at all really. TDE looks really nice, passwords can be changed etc. But in the end, the user that installed the database can use 'sqlplus / as sysdba' to turn it all around, or even orapwd.exe I guess.
Is Oracle databases in general not appropriate for installation/usage in such a hostile environment or am I missing someting?
Answers
-
Hi,
Oracle Database Vault (https://www.oracle.com/database/technologies/security/db-vault.html ) could serve your needs.
However, Database Vault is not available for Oracle 18c XE.
Please remember that the Express Edition is free software which does not provide all features of the Oracle Enterprise.
HTH
Markus
-
You may want to consider the Oracle Cloud Autonomous Transaction Processing (free tier is available) for a scenario where data security is a high concern.
-
Security wise You are definitely missing something.
If you are concerned people have access to the user who created the database then do something about that.
-
But in the end, the user that installed the database can use 'sqlplus / as sysdba' to turn it all around, or even orapwd.exe I guess.
What do you mean by turning it around?
Btw, "as sysdba" uses OS authentication provided you are a local user belonging to the OSDBA system group. It always connects to the SYS schema regardless of the user and password you specify. It does not rely on any user or password inside the database. You can also use "humpty/dumpty as sysdba".
-
The ability to prevent the DBA from seeing your data requires $$$.
Oracle Database Vault would be what you'd use.
I don't know if Oracle Cloud (free tier) implements this or not.
If the Paid Tier does, I'm sure an Oracle Sales Rep will let you know.
Mistake 1
NickeN wrote:I have some sensitive data I wish to install in an Oracle 18c XE
Many people will say that "installing on unpatched, unsupported version of Oracle" would be your first mistake.
If you want to keep data as secure as you seem to claim, you will use the most recent version with the most up-to-date patches. ( I believe Oracle Cloud does this for you automatically)
Mistake 2
It sounds like you are trying to install "private data" on a laptop.
I would say "That is a mistake" also.
One of the first questions asked by "various entities that verify you are following Best Practices for data security" is:
Are the physical computers located in a physically controlled area with limited physical access?(or something to that affect)
By its very nature, a laptop does not fall into this category.
If you want to protect the data as much as you claim, you would start by ensuring your data is located in a place that can answer this question with a "YES".
I'm assuming Oracle Cloud fits that description.
Mistake 3 (joke)
NickeN wrote:
on WindowsOthers would say that this is your 2nd mistake. But, I'll classify that as a more of a "religious" debate. Please take this statement as a joke.
I'm pretty sure that Oracle Cloud (ATP/ADW) is not on Windows.
TDE
AFAIK - Oracle Cloud tablespaces are already using TDE by default.
I forgot where I read it. I'm not sure if that is true for Free Tier.
Oracle Cloud accounts
When you create an Autonomous Database (automatic Transaction Processor [ATP]/Automatic Data Warehouse [ADW]) on Oracle Cloud, you start off with one DBA account ( ADMIN ).
From there, you can add other users (including an APEX Workspace).
Another win for Oracle Cloud: You get 20GB on Oracle Cloud Free Tier. You get 12GB on XE.
Overall, if you want to keep private data private (while using free stuff), you'll use the Oracle Cloud Free Tier, not XE
Best of all: It is free
https://www.oracle.com/cloud/free/
My $0.02
MK
PS - When I created my account, It asked for a Credit Card. The system made (and then reascended) a $1 charge. My bank sent me an Alert for that charge.
-
Only a member of the OSDBA group on taht PC can connect to the database as 'sqlplus / as sysdba' or use orapwd.
In the same way that you would control access to the OS Administrator, you would control access to the OSDBA group.
'sqlplus / as sysdba'
