With data breaches growing every day along with the evolving set of data protection and privacy regulations, protecting business-sensitive and regulated data is mission critical. However, knowing whether the database is securely configured, who can access it, and where sensitive personal data resides is a challenge for most organizations. As part of Oracle’s defense-in-depth capabilities, the Oracle Database Security Assessment Tool (DBSAT) helps identify areas where your database configuration, operation, or implementation introduces risks and recommends changes and controls to mitigate those risks.
DBSAT is a popular command-line tool. It helps assess how securely the database is configured, determines who the users are and what entitlements they hold, and identifies where sensitive data resides within the database.
The latest DBSAT 2.2.2 release can now differentiate between on-premises Oracle Databases, Autonomous Databases (Shared and Dedicated) and DBCS. Depending upon the database target type, DBSAT performs different checks and provides target-specific remarks. DBSAT 2.2.2 has also added new checks, improved accuracy of the existing checks, and clarified several remarks.
DBSAT is provided at no additional cost and enables customers to quickly find:
The figure below summarizes the security status of a sample database, and categorizes its findings by risk levels.
DBSAT analyzes information on the database and listener configuration to identify configuration settings that may unnecessarily introduce risk. DBSAT goes beyond simple configuration checking, examining user accounts, privilege and role grants, authorization control, separation of duties, fine-grained access control, data encryption and key management, auditing policies, and OS file permissions. DBSAT applies rules to quickly assess the current security status of a database and produce findings in all the areas above. For each finding, DBSAT recommends remediation activities that follow best practices to reduce or mitigate risk.
The finding below shows which users have the powerful DBA role and how that role was obtained (granted directly or granted via another role).
DBSAT also scans the database for sensitive data using customizable regular expression patterns, and reports on the amount and type of sensitive data found. Besides searching for sensitive data in English-based data dictionaries (column names and comments), it also supports additional major European languages such as Dutch, French, Italian, German, Portuguese and Spanish. This gives organizations deeper insight into how much sensitive data they have and where it resides, enabling them to protect their databases through appropriate access controls, auditing, masking, and encryption. The figure below shows a summary report from a scan of the database metadata.
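To make the metadata-scanning idea concrete, here is an added example (not DBSAT code and not its shipped patterns) that classifies columns by matching regular expressions against column names and comments and then summarizes tables, columns and rows per category. The pattern set, category names and sample metadata rows are all constructed for illustration.

```python
import re
from collections import defaultdict

# Hypothetical pattern set (not DBSAT's shipped patterns):
# category -> (column-name regex, column-comment regex)
PATTERNS = {
    "NATIONAL_ID": (r"(^|_)(SSN|NIF|BSN|DNI)(_|$)|SOCIAL_?SEC",
                    r"social security|sécurité sociale|burgerservicenummer"),
    "EMAIL":       (r"E_?MAIL|CORREO|COURRIEL",
                    r"e-?mail|correo electrónico|courriel"),
    "BIRTH_DATE":  (r"(^|_)(DOB|BIRTH_?DATE|GEBURTSDATUM|FECHA_NAC|DATA_NASC)",
                    r"date of birth|geburtsdatum|date de naissance"),
}
COMPILED = {cat: (re.compile(n, re.I), re.compile(c, re.I))
            for cat, (n, c) in PATTERNS.items()}

# Constructed sample metadata: (owner, table, column, comment, table row count)
SAMPLE_COLUMNS = [
    ("HR", "EMPLOYEES", "EMAIL", None, 107),
    ("HR", "EMPLOYEES", "SSN", "Social security number", 107),
    ("HR", "EMPLOYEES", "HIRE_DATE", None, 107),
    ("CRM", "KLANTEN", "BSN", "Burgerservicenummer", 5200),
    ("CRM", "CLIENTES", "FECHA_NACIMIENTO", None, 880),
    ("CRM", "CLIENTS", "REF_CODE", "Date de naissance du client", 310),
    ("APP", "MEMBERS", "ASSN_ID", None, 12),  # must not match SSN
]

def classify(column, comment):
    """Return [(category, 'name'|'comment')]; a name match takes precedence."""
    hits = []
    for cat, (name_re, comment_re) in COMPILED.items():
        if name_re.search(column):
            hits.append((cat, "name"))
        elif comment and comment_re.search(comment):  # comments are often NULL
            hits.append((cat, "comment"))
    return hits

def scan(columns):
    """Return (findings, summary of tables/columns/rows per category)."""
    findings, tables, cols = [], defaultdict(dict), defaultdict(int)
    for owner, table, column, comment, num_rows in columns:
        for cat, source in classify(column, comment):
            findings.append((cat, f"{owner}.{table}.{column}", source))
            tables[cat][(owner, table)] = num_rows  # count a table's rows once
            cols[cat] += 1
    summary = {cat: {"tables": len(t), "columns": cols[cat],
                     "rows": sum(t.values())} for cat, t in tables.items()}
    return findings, summary
```

Anchoring short tokens such as `SSN` to underscores or string boundaries keeps columns like `ASSN_ID` out of the results, and the comment patterns catch columns whose names alone reveal nothing.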
DBSAT assists in evaluating the current security posture and helps you find out where sensitive data resides. DBSAT produces reports in multiple formats for different audiences and uses. DBSAT is easy to use and provides actionable reports with summary, detailed information, and prioritized recommendations.
Security configuration scanning and knowing where sensitive data resides are an essential part of regulatory compliance and key to the EU General Data Protection Regulation (EU GDPR), Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX), HIPAA/HITECH, and numerous data privacy laws. DBSAT recommendations help minimize risk, enhance the overall security posture and accelerate the path to compliance.