Locking down 18c XE

NickeN
NickeN Member Posts: 21

I have some sensitive data I wish to install in an Oracle 18c XE database on Windows in a way that only a specific oracle user with a specific password of my choosing can access the data. I've googled around and not found any information at all really. TDE looks really nice, passwords can be changed etc. But in the end, the user that installed the database can use 'sqlplus / as sysdba' to turn it all around, or even orapwd.exe I guess.

Are Oracle databases in general not appropriate for installation/usage in such a hostile environment or am I missing something?

NickeN

Answers

  • Markus Flechtner
    Markus Flechtner Member Posts: 501 Bronze Trophy
    edited Jul 3, 2020 5:54AM

    Hi,

    Oracle Database Vault (https://www.oracle.com/database/technologies/security/db-vault.html ) could serve your needs.

    However, Database Vault is not available for Oracle 18c XE.

    Please remember that the Express Edition is free software which does not provide all features of the Oracle Enterprise.

    HTH

    Markus

  • r_h_smith2
    r_h_smith2 Member Posts: 12 Blue Ribbon
    edited Jul 15, 2020 11:37AM

    You may want to consider the Oracle Cloud Autonomous Transaction Processing (free tier is available) for a scenario where data security is a high concern.

  • Gaz in Oz
    Gaz in Oz Member Posts: 3,782 Bronze Crown
    edited Jul 16, 2020 9:08AM

    Security-wise, you are definitely missing something.

    If you are concerned people have access to the user who created the database then do something about that.

  • Dude!
    Dude! Member Posts: 22,826 Blue Diamond
    edited Jul 16, 2020 1:46PM
    But in the end, the user that installed the database can use 'sqlplus / as sysdba' to turn it all around, or even orapwd.exe I guess.

    What do you mean by turning it around?

    Btw, "as sysdba" uses OS authentication provided you are a local user belonging to the OSDBA system group. It always connects to the SYS schema regardless of the user and password you specify. It does not rely on any user or password inside the database. You can also use "humpty/dumpty as sysdba".

  • Mike Kutz
    Mike Kutz Member Posts: 5,637 Silver Crown
    edited Jul 18, 2020 7:32AM

    The ability to prevent the DBA from seeing your data requires $$$.

    Oracle Database Vault would be what you'd use.

    I don't know if Oracle Cloud (free tier) implements this or not.

    If the Paid Tier does, I'm sure an Oracle Sales Rep will let you know.

    Mistake 1

    NickeN wrote: I have some sensitive data I wish to install in an Oracle 18c XE

    Many people will say that "installing on unpatched, unsupported version of Oracle" would be your first mistake.

    If you want to keep data as secure as you seem to claim, you will use the most recent version with the most up-to-date patches. (I believe Oracle Cloud does this for you automatically.)

    Mistake 2

    It sounds like you are trying to install "private data" on a laptop.

    I would say "That is a mistake" also.

    One of the first questions asked by "various entities that verify you are following Best Practices for data security" is:

    Are the physical computers located in a physically controlled area with limited physical access? (or something to that effect)

    By its very nature, a laptop does not fall into this category.

    If you want to protect the data as much as you claim, you would start by ensuring your data is located in a place that can answer this question with a "YES".

    I'm assuming Oracle Cloud fits that description.

    Mistake 3 (joke)

    NickeN wrote:
    on Windows

    Others would say that this is your 2nd mistake. But I'll classify that as more of a "religious" debate. Please take this statement as a joke.

    I'm pretty sure that Oracle Cloud (ATP/ADW) is not on Windows.

    TDE

    AFAIK - Oracle Cloud tablespaces are already using TDE by default.

    I forgot where I read it. I'm not sure if that is true for Free Tier.

    Oracle Cloud accounts

    When you create an Autonomous Database (automatic Transaction Processor [ATP]/Automatic Data Warehouse [ADW]) on Oracle Cloud, you start off with one DBA account (ADMIN).

    From there, you can add other users (including an APEX Workspace).

    Another win for Oracle Cloud: You get 20GB on Oracle Cloud Free Tier. You get 12GB on XE.

    Overall, if you want to keep private data private (while using free stuff), you'll use the Oracle Cloud Free Tier, not XE.

    Best of all: It is free

    https://www.oracle.com/cloud/free/

    My $0.02

    MK

    PS - When I created my account, it asked for a Credit Card. The system made (and then rescinded) a $1 charge. My bank sent me an Alert for that charge.

  • AndyH
    AndyH Member Posts: 735 Bronze Trophy
    edited Sep 5, 2020 5:13PM

    Only a member of the OSDBA group on that PC can connect to the database as 'sqlplus / as sysdba' or use orapwd.

    In the same way that you would control access to the OS Administrator, you would control access to the OSDBA group.

    'sqlplus / as sysdba'
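
An added example, not part of any post in this thread: a PowerShell audit of the local Windows groups whose members can connect with 'sqlplus / as sysdba', following the point above about controlling OSDBA membership. It assumes the OSDBA group is named ORA_DBA or ORA_<HOMENAME>_DBA, and `$Approved` is a hypothetical allow-list with a constructed account name.

```powershell
# Added example: list every principal that can use OS authentication as SYSDBA.
# Assumptions: Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module);
# the OSDBA group is ORA_DBA or a per-home ORA_<HOMENAME>_DBA group.
# $Approved is a hypothetical allow-list; replace it with your own accounts.
$Approved = @(
    "$env:COMPUTERNAME\oradba_admin"   # constructed sample account name
)

function Get-OsdbaMember {
    # Returns one record per member of every local group that grants SYSDBA.
    Get-LocalGroup |
        Where-Object { $_.Name -match '^ORA_(.+_)?DBA$' } |
        ForEach-Object {
            $group = $_.Name
            Get-LocalGroupMember -Group $group | ForEach-Object {
                [pscustomobject]@{
                    Group    = $group
                    Member   = $_.Name
                    Class    = $_.ObjectClass      # User or Group
                    Source   = $_.PrincipalSource  # Local, ActiveDirectory, ...
                    Approved = $Approved -contains $_.Name
                }
            }
        }
}

$members = @(Get-OsdbaMember)
if ($members.Count -eq 0) {
    Write-Warning 'No ORA_*DBA group found; check the OSDBA group name for this install.'
}
$members | Sort-Object Approved, Group, Member | Format-Table -AutoSize

# Nested groups widen access silently: flag them for manual expansion.
$members | Where-Object Class -eq 'Group' | ForEach-Object {
    Write-Warning "$($_.Member) is a group inside $($_.Group); review its members too."
}

# Anything not on the allow-list can connect as SYS without a database password.
$members | Where-Object { -not $_.Approved } | ForEach-Object {
    Write-Warning "Unapproved SYSDBA principal: $($_.Member) via $($_.Group)"
}
```

Run it from an elevated prompt on the database host; local Administrators can add themselves to these groups, so the review has to cover that group as well.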