With data breaches growing every day alongside an evolving set of data protection and privacy regulations, protecting business-sensitive and regulated data is mission critical. However, knowing whether the database is securely configured, who can access it, and where sensitive personal data resides is a challenge for most organizations. As part of Oracle’s defense-in-depth capabilities, the Oracle Database Security Assessment Tool (DBSAT) helps identify areas where your database configuration, operation, or implementation introduces risk, and recommends changes and controls to mitigate those risks.
The Oracle Database Security Assessment Tool is a stand-alone command line tool that accelerates the assessment and regulatory compliance process by collecting relevant types of configuration information from the database and evaluating the current security state to provide recommendations on how to mitigate the identified risks.
DBSAT is provided at no additional cost and enables customers to quickly find:
The figure below summarizes the security status of a sample database, and categorizes its findings by risk levels.
DBSAT analyzes information on the database and listener configuration to identify configuration settings that may unnecessarily introduce risk. DBSAT goes beyond simple configuration checking, examining user accounts, privilege and role grants, authorization control, separation of duties, fine-grained access control, data encryption and key management, auditing policies, and OS file permissions. DBSAT applies rules to quickly assess the current security status of a database and produce findings in all the areas above. For each finding, DBSAT recommends remediation activities that follow best practices to reduce or mitigate risk.
The finding below shows which users hold the powerful DBA role and how each obtained it (granted directly, or granted indirectly through another role).
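The query below is an added example, not DBSAT's own query, of how the direct-versus-indirect DBA finding can be reproduced by hand. It assumes a session with access to the DBA_ROLE_PRIVS and DBA_USERS data dictionary views and uses only CONNECT BY syntax, so it works across the 10.2 to 21c range the page lists.

```sql
-- Walk the role graph downward from DBA: the START WITH rows are direct
-- grants of DBA; each CONNECT BY step finds whoever holds a role that
-- itself carries DBA. NOCYCLE protects against circular role grants.
SELECT rp.grantee                                            AS username,
       CASE WHEN LEVEL = 1 THEN 'DIRECT' ELSE 'VIA ROLE' END AS how_obtained,
       LEVEL - 1                                             AS intermediate_roles,
       -- Chain of roles from DBA down to the role the user was actually granted,
       -- e.g. 'DBA <- APP_ADMIN' for a user who received APP_ADMIN.
       LTRIM(SYS_CONNECT_BY_PATH(rp.granted_role, ' <- '), ' <-') AS grant_path,
       rp.admin_option                                       AS can_regrant
FROM   dba_role_privs rp
-- Keep only real user accounts; intermediate roles are dropped from the output
-- but still traversed by the hierarchy.
WHERE  rp.grantee IN (SELECT username FROM dba_users)
START WITH rp.granted_role = 'DBA'
CONNECT BY NOCYCLE PRIOR rp.grantee = rp.granted_role
ORDER  BY LEVEL, rp.grantee;
```

A user who reaches DBA by more than one path appears once per path, which is useful when deciding which intermediate role grant to revoke.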
DBSAT also scans the database for sensitive data using customizable regular expression patterns and reports on the amount and type of sensitive data found. Besides searching English-based data dictionaries (column names and comments), it also supports several major European languages, including Dutch, French, Italian, German, Portuguese and Spanish. This gives organizations deeper insight into how much sensitive data they hold and where it resides, so they can then protect their databases through appropriate access controls, auditing, masking, and encryption. The figure below shows a summary report from a scan of the database metadata.
DBSAT assists in evaluating the current security posture and helps you find out where sensitive data resides. DBSAT produces reports in multiple formats for different audiences and uses. DBSAT is easy to use and provides actionable reports with summary, detailed information, and prioritized recommendations.
Security configuration scanning and knowing where sensitive data resides are important parts of regulatory compliance and key to meeting the EU General Data Protection Regulation (EU GDPR), the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX), HIPAA/HITECH, and numerous data privacy laws. DBSAT recommendations help minimize risk, enhance the overall security posture, and accelerate the path to compliance.
DBSAT can be used whether your database runs on-premises, in customer-managed Database Cloud Services, or in IaaS-deployed databases, providing a simple way to assess the security posture of your Oracle Databases consistently across hybrid deployments. DBSAT can also be run against Autonomous Databases.
DBSAT supports Oracle Database versions Oracle 10.2 through Oracle 21c.
To run assessments on multiple databases simultaneously, schedule periodic assessments, establish a security baseline, and obtain a comparison report that highlights the drift between that baseline and the current assessment, customers can use Oracle Data Safe. Oracle Data Safe is a cloud service that works with databases running in the cloud and on-premises. Beyond assessment, Data Safe also provides Data Discovery, Data Masking, and Activity Monitoring capabilities.