Oracle Database Cloud Service provides the power and flexibility of Oracle Database in the cloud. You
have the choice of a dedicated database instance with full administrative control or a dedicated
pluggable database with a complete development and deployment platform managed by Oracle. In this
document, we will elaborate specifically on the security capabilities of the full instance cloud service.
Oracle Database Cloud Service – Enterprise Edition provides dedicated virtual machines that are
preconfigured and running Oracle Database 12c or Oracle Database 11g instances. Oracle Database
Cloud Service offers general purpose and high memory virtual machine compute shapes that provide
the full power of Oracle Database for any type of application, whether deploying production workloads
or developing and testing. Oracle Database Cloud Service is ideal for businesses that want a full
featured Oracle database in the cloud, while retaining complete administrative control such as root OS
and SYSDBA access. Oracle Database Cloud Service provides advanced cloud tooling for simpler
management of the database including one-click automated backup with point-in-time recovery, one-click
patching, and one-click upgrades.
The Exadata Cloud Service is similar to the Oracle Database Cloud Service. This Exadata Cloud
Service gives you all the features and functionality of an Exadata Engineered System, but in the cloud.
Customers can utilize the storage servers and flash cache for hyper fast queries, the hardware
redundancy for superior uptime and high availability as well as flexible deployment options to fit every
production workload. The Exadata Cloud Service enables customers to create their first database in
hours, whereas on premises this has traditionally taken weeks or months. Simple provisioning through
the UI, full OS access and advanced cloud tooling for patching, backup and recovery provide
customers with a platform for deploying their production workloads with confidence.
ORACLE INFRASTRUCTURE AND PLATFORM CLOUD SERVICES SECURITY WHITE PAPER
SSH-Based Access
To securely access a port on a compute node associated with an Oracle Database Cloud Service or
an Exadata Cloud Service instance, you use Secure Shell (SSH) client software that supports
tunneling. When an Oracle Database Cloud instance is created, network access to the compute nodes
of the service instance is provided by SSH connections on port 22.
Several SSH clients that support tunneling are freely available. You can use the ssh utility on the
Linux platform. If you access your database instance from Windows, you can use PuTTY, which is a
freely available SSH client program that supports SSH tunneling. After the SSH tunnel is created on
Linux or Windows, you can access the port on the target compute node by specifying
localhost:local-port on your system, where local-port is the source port you specified when
you created the tunnel. MacOS has SSH installed by default.
When creating an Oracle Cloud Database, you must provide the service with an SSH public key.
This key has a matching private key that only the customer holds. Using this key pair, access to the Cloud
Database is restricted to holders of the private key. If an SSH access attempt is made without presenting
the matching private key, that access is denied and logged.
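The tunnel described above, as an added example that is not part of the white paper: a POSIX shell script that checks the private key's file permissions, builds the ssh invocation with host-key checking and password fallback disabled, and prints the localhost:local-port address a database client then connects to. The node address, OS user, key path, ports and service name are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the white paper: open an SSH tunnel from a workstation to the
# listener port on a Database Cloud Service compute node, after checking the private key.
# Node address, OS user, key path, ports and service name are assumed placeholders.
NODE_IP="${NODE_IP:-203.0.113.10}"                # placeholder public IP of the compute node
SSH_USER="${SSH_USER:-opc}"                       # assumed OS user on the node
KEY_FILE="${KEY_FILE:-$HOME/.ssh/dbcs_key}"       # private half of the key pair supplied at provisioning
LOCAL_PORT="${LOCAL_PORT:-1521}"                  # the local-port your database client connects to
REMOTE_PORT="${REMOTE_PORT:-1521}"                # listener port as seen on the compute node
SERVICE_NAME="${SERVICE_NAME:-PDB1.example.com}"  # placeholder database service name

# key_perms_ok FILE: succeed only if the private key is readable by its owner alone.
# A group- or world-readable key undermines "only holders of the private key", and
# OpenSSH refuses to use such a key anyway. Tries GNU stat first, then BSD/macOS stat.
key_perms_ok() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
  case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# tunnel_cmd: print the ssh invocation.
#   -N                          no remote shell; the forwarded port is all we need
#   -L LOCAL:localhost:REMOTE   bind LOCAL_PORT here to REMOTE_PORT on the node's loopback
#   IdentitiesOnly=yes          offer only KEY_FILE, not every key an agent holds
#   PasswordAuthentication=no   no password fallback if the key is refused
#   StrictHostKeyChecking=yes   refuse an unknown or changed host key instead of accepting it
tunnel_cmd() {
  printf 'ssh -i %s -o IdentitiesOnly=yes -o PasswordAuthentication=no -o StrictHostKeyChecking=yes -N -L %s:localhost:%s %s@%s\n' \
    "$KEY_FILE" "$LOCAL_PORT" "$REMOTE_PORT" "$SSH_USER" "$NODE_IP"
}

# connect_string: the easy-connect address a client uses once the tunnel is up.
connect_string() {
  printf 'localhost:%s/%s\n' "$LOCAL_PORT" "$SERVICE_NAME"
}

# The tunnel is only opened on explicit request, so the file can be sourced or tested safely.
if [ "${1:-}" = "--connect" ]; then
  key_perms_ok "$KEY_FILE" || { echo "refusing: $KEY_FILE must be mode 600 (or 400)" >&2; exit 1; }
  echo "tunnel up: point database clients at $(connect_string)"
  eval "$(tunnel_cmd)"
fi
```

Run it as `sh tunnel.sh --connect` and leave it in the foreground; the tunnel stays up until the script is interrupted. The host-key check assumes the node's key is already in known_hosts, which is the point: a changed key on a reconnect should stop the session rather than be accepted silently.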
Secure Access to Database Instances
Oracle Database Cloud Service relies on Oracle Cloud Infrastructure Compute Classic to provide
secure network access to cloud database instances. You can use the Oracle Cloud Infrastructure
Compute Classic console to perform network access operations such as enabling access to a port on
a compute node associated with a cloud database. With the Exadata Cloud Service, network access is
also controlled by the UI. Authorized users can allow network access to enter or exit the service using
this console. Oracle does not have a copy of the customer's private keys.
Network Encryption and Integrity
Oracle Database Cloud Service customers can use database network encryption to secure
connections to their cloud databases. With SSL/TLS, you can encrypt and optionally configure mutual
authentication of database network connections. With Oracle native network encryption (SQLNet), you
can encrypt and optionally execute integrity checking to prevent the modification of data in flight and
for illegitimate replay. These network encryption options support strong ciphers such as Advanced
Encryption Standard (AES). Integrity checking supports modern hashing algorithms including SHA-2.
By default, Oracle Database Cloud instances and database clients are configured for Oracle native
network encryption (SQLNet) and integrity checking. If a database client is later reconfigured to not
use network encryption, then this potential threat is detected on the server, and the default server
settings ensure the connection will be rejected.
Data-at-Rest Encryption
User-created database tablespaces, where customers typically store their data, are encrypted by default
in all Oracle Database Cloud Service offerings. New tablespaces you create with the SQL CREATE
TABLESPACE command, or with any tool that executes this command, are encrypted by default using the
AES128 algorithm. Tablespace data file encryption is enabled in all standard and enterprise editions
and versions of Oracle Database Cloud Service – Enterprise Edition, as well as in the Exadata
Cloud Service.
Customers also can encrypt RMAN backups and Data Pump exports generated from cloud databases.
Optimizations in the database pass through already encrypted tablespace data or encrypt the whole
data stream where necessary. Backups and exports can be encrypted with the same key used by
tablespace encryption, with a password, or both.
Master encryption keys used for data-at-rest encryption are created automatically by cloud databases
and stored in a per-tenant Oracle wallet. The current key can be rotated periodically by a customer’s
authorized database security administrator using SQL commands. Historical master keys are retained
in the Oracle wallet for encrypted backups that may need to be restored in the future. Customers with
many cloud databases and proliferating Oracle wallets should use Oracle Key Vault (a separately
licensable product) for centralized management of encryption keys and wallets. Oracle Key Vault is a
security-hardened software appliance that runs in your data center, connecting to encrypted databases
running in Oracle Cloud or on-premises.
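The data-at-rest steps from this section, as an added example that is not from the white paper: a POSIX shell script, meant to be run on the compute node, whose functions emit the SQL, RMAN and Data Pump commands for creating an encrypted tablespace with AES256 instead of the AES128 default, rotating the master key while keeping the previous key in the wallet, and producing dual-mode encrypted backups and exports. The scripts are generated first so they can be reviewed, and only sent to `sqlplus` and `rman` with `--apply`. Tablespace, schema, directory and password values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the white paper: SQL, RMAN and Data Pump steps for tablespace
# encryption, master-key rotation and encrypted backups/exports on a cloud database.
# Tablespace, schema, passwords and directory names are constructed placeholders.
APP_TBS="${APP_TBS:-app_data}"
KEYSTORE_PW='<keystore-password-placeholder>'   # prompt for this in real use; never hard-code it
BACKUP_PW='<backup-password-placeholder>'

# tde_tablespace_sql NAME: create a tablespace encrypted with AES256 (stronger than the
# AES128 default) and confirm it. Assumes Oracle Managed Files, so no datafile path is given.
tde_tablespace_sql() {
  cat <<EOF
CREATE TABLESPACE $1 DATAFILE SIZE 100M
  ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);
SELECT tablespace_name, encrypted FROM dba_tablespaces WHERE tablespace_name = UPPER('$1');
EOF
}

# tde_rotate_sql: rotate the TDE master key. WITH BACKUP copies the wallet before the change;
# the previous key stays in the wallet, so older encrypted backups remain restorable.
tde_rotate_sql() {
  cat <<EOF
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "$KEYSTORE_PW" WITH BACKUP USING 'pre_rotation';
SELECT key_id, creation_time, activation_time FROM v\$encryption_keys ORDER BY activation_time;
EOF
}

# backup_encrypt_rcv: RMAN commands. Transparent encryption ON plus a password gives a
# dual-mode backup: restorable with either the wallet or the password.
backup_encrypt_rcv() {
  cat <<EOF
CONFIGURE ENCRYPTION FOR DATABASE ON;
CONFIGURE ENCRYPTION ALGORITHM 'AES256';
SET ENCRYPTION ON IDENTIFIED BY '$BACKUP_PW';
BACKUP DATABASE PLUS ARCHIVELOG;
EOF
}

# expdp_cmd SCHEMA: Data Pump export encrypted in dual mode with AES256.
expdp_cmd() {
  printf "expdp system SCHEMAS=%s DIRECTORY=DATA_PUMP_DIR DUMPFILE=%s.dmp ENCRYPTION=ALL ENCRYPTION_MODE=DUAL ENCRYPTION_ALGORITHM=AES256 ENCRYPTION_PASSWORD='%s'\n" \
    "$1" "$1" "$BACKUP_PW"
}

# Print the generated scripts for review; apply them only on explicit request.
tde_tablespace_sql "$APP_TBS"
tde_rotate_sql
backup_encrypt_rcv
expdp_cmd app
if [ "${1:-}" = "--apply" ]; then
  tde_tablespace_sql "$APP_TBS" | sqlplus -S / as sysdba
  tde_rotate_sql | sqlplus -S / as sysdba
  backup_encrypt_rcv | rman target /
fi
```

In a multitenant database the tablespace step runs inside the pluggable database and the key rotation in the container the administrator manages keys for; the script leaves that container choice to the operator. The query against `v$encryption_keys` is the check that the old key is still present after rotation.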
Additional Security Controls
Oracle Database Cloud Service provides a number of additional database security controls that can be
used to protect essential cloud data. These optional controls are part of every database and can be
configured after cloud database provisioning is complete.
Core controls include user privileges and user roles. As a best practice, you should grant only
appropriate privileges and roles to cloud database users, following the security principle of least
privilege. Cloud database auditing is another core control. You should use auditing to capture records
of database actions and detect malicious activity. To get the most from auditing, it is recommended
that you deploy Oracle Audit Vault and Database Firewall (separately licensed products). This enables
you to move audit information to a central on-premises repository where you can run database activity
reports and generate security alerts. It also provides database security firewall and monitoring
capabilities that can track inbound SQL statements, giving you early warning of unauthorized database
activity, and optionally blocking threats before they cause harm. Further security controls are available
at no extra cost for particular cloud subscriptions and database releases. These are preventive
controls you can configure to restrict access to your most sensitive or regulated data in Oracle
Database Cloud Service. Many of these controls are unique in the database space and can be found
only in Oracle databases.
The table below lists these controls. "Inclusions (Cloud Subscriptions)" covers the Enterprise Edition,
High Performance, Extreme Performance and Exadata Service subscriptions; "Availability (Database
Release)" covers Oracle Database 12c and Oracle Database 11gR2.

| Control | Description | Enterprise Edition | High Perf. | Extreme Perf. | Exadata Service | Oracle Database 12c | Oracle Database 11gR2 |
|---|---|---|---|---|---|---|---|
| Advanced Security Data Redaction | Redacts sensitive cloud data from query results before display by applications. Enforces redaction at runtime, with low overhead, and according to conditions set in policies. | | Yes | Yes | Yes | Yes | Yes |
| Database Vault | Reduces risk exposure coming from powerful database users such as a DBA and privileged application connections. Restricts operations these privileged accounts can perform. Enforced based on runtime conditions and factors. | | Yes | Yes | Yes | Yes | Yes |
| Label Security | Implements concepts of U.S. Department of Defense Multi-Level Security (MLS), enabling rows with differing sensitivity to reside in the same table. Explicitly labels rows in cloud databases with group, compartment, and sensitivity levels. | | Yes | Yes | Yes | Yes | Yes |
| Real Application Security | Provides a framework for application developers to define light-weight database user accounts (with no schema) and detailed object authorizations. Enables developers to author their security model once in an Oracle Database tier and reuse this model across multiple custom applications. | Yes | Yes | Yes | Yes | Yes | |
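The core controls described above (least-privilege roles and auditing) together with the Data Redaction row of the table, as an added example that is not from the white paper: a POSIX shell script whose functions emit the SQL for a narrowly granted role, a unified audit policy with the detection query that reads its trail, and a partial-redaction policy on a social security number column. The APP schema, its CUSTOMERS table, and the user and role names are constructed; the statements go to `sqlplus` only with `--apply`.

```shell
#!/bin/sh
# Added example, not from the white paper: SQL for three of the controls described in the
# text, generated by shell functions so it can be reviewed and then piped to sqlplus on the
# compute node. Schema APP, table CUSTOMERS (with an SSN column), users and roles are constructed.

# least_privilege_sql: a reporting account gets a role with SELECT on one table, not DBA.
least_privilege_sql() {
  cat <<'EOF'
CREATE ROLE app_reader;
GRANT SELECT ON app.customers TO app_reader;
GRANT CREATE SESSION, app_reader TO report_user;
-- Review who holds powerful roles afterwards.
SELECT grantee, granted_role FROM dba_role_privs
 WHERE granted_role IN ('DBA', 'APP_READER') ORDER BY grantee;
EOF
}

# audit_policy_sql: unified auditing (12c). Record every DML on the sensitive table and any
# use of broad system privileges, enable the policy, then query the trail for detection.
audit_policy_sql() {
  cat <<'EOF'
CREATE AUDIT POLICY customers_access
  PRIVILEGES CREATE ANY TABLE, DROP ANY TABLE, SELECT ANY TABLE
  ACTIONS SELECT ON app.customers, INSERT ON app.customers,
          UPDATE ON app.customers, DELETE ON app.customers;
AUDIT POLICY customers_access;
-- Detection query: who touched the table, from which host, most recent first.
SELECT event_timestamp, dbusername, os_username, userhost, action_name, object_name
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%CUSTOMERS_ACCESS%'
 ORDER BY event_timestamp DESC;
EOF
}

# redaction_sql: show only the last four digits of the SSN to everyone except HR_ADMIN.
# The format string is Oracle's documented partial-redaction pattern for a dashed US SSN.
redaction_sql() {
  cat <<'EOF'
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP',
    object_name         => 'CUSTOMERS',
    policy_name         => 'redact_customer_ssn',
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,X,1,5',
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''HR_ADMIN''');
END;
/
EOF
}

# Print the scripts for review; apply them only on explicit request.
for step in least_privilege_sql audit_policy_sql redaction_sql; do
  echo "-- $step"
  "$step"
done
if [ "${1:-}" = "--apply" ]; then
  for step in least_privilege_sql audit_policy_sql redaction_sql; do
    "$step" | sqlplus -S / as sysdba
  done
fi
```

The audit query is the piece that turns the policy into a detection: scheduling it (or shipping the trail to Audit Vault, as the text recommends) is what surfaces reads of the table by accounts that should not be making them. The redaction policy is evaluated at query time, so the underlying column is unchanged and HR_ADMIN still sees full values.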
You can also use databases running in Oracle Database Cloud Service as data sources for Oracle
Data Masking and Subsetting Pack, an optional pack of Oracle Enterprise Manager 12c. This
important security control makes it easy to create sanitized copies of production cloud data for use by
business partners in non-production environments such as development and test databases. A data
source license for Oracle Data Masking and Subsetting Pack is included with High Performance,
Extreme Performance, and Exadata Service subscriptions. It can be used with Oracle Database 11g
R2 or Oracle Database 12c. For the most up-to-date security information on the Oracle Database,
please refer to the following URL:
http://www.oracle.com/technetwork/database/security/overview/index.html