5 Replies Latest reply on Jul 18, 2020 11:32 AM by Mike Kutz

    Locking down 18c XE

    NickeN

      I have some sensitive data I wish to install in an Oracle 18c XE database on Windows in a way that only a specific oracle user with a specific password of my choosing can acces the data. I've googled around and not found any information at all really. TDE looks really nice, passwords can be changed etc. But in the end, the user that installed the database can use 'sqlplus / as sysdba' to turn it all around, or even orapwd.exe I guess.

      Is Oracle databases in general not appropriate for installation/usage in such a hostile environment or am I missing someting?

        • 1. Re: Locking down 18c XE
          Markus Flechtner

          Hi,

           

          Oracle Database Vault (https://www.oracle.com/database/technologies/security/db-vault.html ) could serve your needs.

          However, Database Vault is not available for Oracle 18c XE.

          Please remember that the Express Edition is free software which does not provide all features of the Oracle Enterprise.

           

          HTH

          Markus

          • 2. Re: Locking down 18c XE
            r_h_smith2

            You may want to consider the Oracle Cloud Autonomous Transaction Processing (free tier is available) for a scenario where data security is a high concern.

            • 3. Re: Locking down 18c XE
              Gaz in Oz

              Security wise You are definitely missing something.

              If you are concerned people have access to the user who created the database then do something about that.

              • 4. Re: Locking down 18c XE
                Dude!

                But in the end, the user that installed the database can use 'sqlplus / as sysdba' to turn it all around, or even orapwd.exe I guess.

                What do you mean by turning it around?

                 

                Btw, "as sysdba" uses OS authentication provided you are a local user belonging to the OSDBA system group. It always connects to the SYS schema regardless of the user and password you specify. It does not rely on any user or password inside the database. You can also use "humpty/dumpty as sysdba".

                • 5. Re: Locking down 18c XE
                  Mike Kutz

                  The ability to prevent the DBA from seeing your data requires $$$.

                   

                  Oracle Database Vault would be what you'd use.

                  I don't know if Oracle Cloud (free tier) implements this or not.

                  If the Paid Tier does, I'm sure an Oracle Sales Rep will let you know.

                   

                  Mistake 1

                  NickeN wrote:

                   

                  I have some sensitive data I wish to install in an Oracle 18c XE

                  Many people will say that "installing on unpatched, unsupported version of Oracle" would be your first mistake.

                  If you want to keep data as secure as you seem to claim, you will use the most recent version with the most up-to-date patches. ( I believe Oracle Cloud does this for you automatically)

                   

                  Mistake 2

                  It sounds like you are trying to install "private data" on a laptop.

                  I would say "That is a mistake" also.

                   

                  One of the first questions asked by "various entities that verify you are following Best Practices for data security" is:

                  Are the physical computers located in a physically controlled area with limited physical access?

                  (or something to that affect)

                  By its very nature, a laptop does not fall into this category.

                   

                  If you want to protect the data as much as you claim, you would start by ensuring your data is located in a place that can answer this question with a "YES".

                  I'm assuming Oracle Cloud fits that description.

                   

                  Mistake 3 (joke)

                  NickeN wrote:


                  on Windows

                  Others would say that this is your 2nd mistake.  But, I'll classify that as a more of a "religious" debate.  Please take this statement as a joke. 

                  I'm pretty sure that Oracle Cloud (ATP/ADW) is not on Windows.

                   

                  TDE

                  AFAIK - Oracle Cloud tablespaces are already using TDE by default.

                  I forgot where I read it.  I'm not sure if that is true for Free Tier.

                   

                  Oracle Cloud accounts

                  When you create an Autonomous Database (automatic Transaction Processor [ATP]/Automatic Data Warehouse [ADW]) on Oracle Cloud, you start off with one DBA account ( ADMIN ).

                  From there, you can add other users (including an APEX Workspace).

                   

                  Another win for Oracle Cloud: You get 20GB on Oracle Cloud Free Tier.  You get 12GB on XE.

                   

                  Overall, if you want to keep private data private (while using free stuff), you'll use the Oracle Cloud Free Tier, not XE

                   

                  Best of all: It is free

                  https://www.oracle.com/cloud/free/

                   

                  My $0.02

                   

                  MK

                   

                  PS - When I created my account,  It asked for a Credit Card.  The system made (and then reascended) a $1 charge.  My bank sent me an Alert for that charge.