How Oracle Secures Databases: Deep‑Defense Strategies and Domestic DB Comparison
This article examines the multi‑layered threats facing modern databases, outlines Oracle's comprehensive security capabilities—from firewalls and encryption to auditing and immutable tables—and compares them with the security features of leading domestic database products.
1. Security Threats to Databases
The article first maps a five‑dimensional threat landscape:
Endpoint user layer : Attackers masquerade as legitimate users, exploit weak passwords or stolen credentials, and use SQL injection or privilege escalation to steal data.
Application layer : Vulnerable applications become a launchpad for attacks; static credentials or over‑privileged apps let attackers reach the database.
Network transport layer : Man‑in‑the‑middle attacks intercept unencrypted traffic, enabling credential theft or replay attacks.
Administrative privilege layer : Compromised DBA accounts allow bulk data export and unchecked internal abuse.
Data‑life‑cycle layer : Unprotected copies in development or test environments and mis‑configured databases expose data throughout its lifecycle.
These threats call for a defense-in-depth approach covering identity governance, application hardening, transport encryption, strict privilege separation, data masking, and full-lifecycle monitoring.
2. Oracle Database Security Capabilities
Database Firewall
Oracle Database Firewall sits between applications and the database, analysing SQL syntax in real time. It enforces white‑list, black‑list and anomaly policies, supports both blocking and passive monitoring modes, and generates compliance‑ready audit reports.
Network Encryption
Oracle offers native network encryption and TLS/SSL. All client‑server traffic (SQL statements, results) can be encrypted with AES‑256 and integrity‑checked with SHA‑256, protecting against eavesdropping and tampering without code changes.
Password Policy
Through PROFILE settings, Oracle enforces password complexity, expiration, reuse restrictions, and automatic lockout after repeated failures.
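As an added example (not from the ITPUB article or from Oracle's documentation), the profile below puts each of those PROFILE controls in one place. The profile and account names (app_users_profile, app_reader) are assumed; ora12c_strong_verify_function is the Oracle-supplied complexity function, which exists only after utlpwdmg.sql has been run on the database.

```sql
-- Added example: a login profile enforcing complexity, expiry, reuse limits
-- and lockout. Run as a user with CREATE PROFILE / ALTER USER.
CREATE PROFILE app_users_profile LIMIT
  FAILED_LOGIN_ATTEMPTS    5        -- lock the account after 5 consecutive failures
  PASSWORD_LOCK_TIME       1/24     -- lock duration in days: one hour
  PASSWORD_LIFE_TIME       90       -- password expires after 90 days
  PASSWORD_GRACE_TIME      7        -- warning window before a hard expiry
  PASSWORD_REUSE_TIME      365      -- days that must pass before reuse ...
  PASSWORD_REUSE_MAX       10       -- ... AND changes that must occur (both needed)
  PASSWORD_VERIFY_FUNCTION ora12c_strong_verify_function; -- Oracle-supplied check

-- Attach the profile to an application account and force a change at next login.
ALTER USER app_reader PROFILE app_users_profile;
ALTER USER app_reader PASSWORD EXPIRE;

-- Check: which profiles still allow unlimited failed logins or never expire passwords?
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
   AND resource_name IN ('FAILED_LOGIN_ATTEMPTS', 'PASSWORD_LIFE_TIME')
   AND limit = 'UNLIMITED';
```

Reuse restriction only takes effect when both PASSWORD_REUSE_TIME and PASSWORD_REUSE_MAX are set; leaving either at UNLIMITED disables it, which the closing query would not flag, so review DBA_PROFILES for those two as well.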
User Authentication
Supports database credentials, OS authentication, Kerberos, PKI certificates, RADIUS, and proxy authentication, providing strong identity verification and auditability.
Privilege Analysis
Dynamic analysis of session privileges identifies unnecessary rights. Administrators can revoke high‑risk privileges such as ANY based on usage reports, applying the principle of least privilege.
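The privilege-analysis workflow, as an added example that is not part of the article: capture what a role actually exercises during a representative workload, then list the granted-but-unused system privileges as revocation candidates. The capture and role names are assumed; DBMS_PRIVILEGE_CAPTURE requires the CAPTURE_ADMIN role.

```sql
-- Added example: capture privileges used through APP_ROLE, then report unused ones.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'APP_ROLE_CAPTURE',
    description => 'Privileges exercised via APP_ROLE during the test workload',
    type        => DBMS_PRIVILEGE_CAPTURE.G_ROLE,
    roles       => ROLE_NAME_LIST('APP_ROLE'));
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'APP_ROLE_CAPTURE');
END;
/
-- ... run the application through its normal and batch workloads here ...

-- A capture must be disabled before its results can be generated.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'APP_ROLE_CAPTURE');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'APP_ROLE_CAPTURE');
END;
/
-- Granted system privileges that were never used, with the grant path that
-- delivered them; ANY privileges are the first candidates for revocation.
SELECT username, sys_priv, path
  FROM dba_unused_sysprivs_path
 WHERE capture = 'APP_ROLE_CAPTURE'
 ORDER BY CASE WHEN sys_priv LIKE '%ANY%' THEN 0 ELSE 1 END, sys_priv;

-- Object privileges that were never used over the same window.
SELECT username, obj_priv, object_owner, object_name
  FROM dba_unused_objprivs
 WHERE capture = 'APP_ROLE_CAPTURE';
```

Revoke only after the capture window has covered month-end, year-end and maintenance jobs; a privilege that is unused in a short window may still be needed by a rare batch path.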
Database Vault (Three‑Way Separation)
Creates security realms that isolate sensitive objects; even DBA users cannot reach the data without an explicit realm authorization. Command rules control high-risk SQL (e.g., DROP TABLE) based on context such as time, user or program.
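As an added example (not from the article), the script below builds the two controls just described: a realm around an HR schema that excludes DBAs, and a command rule that permits DROP TABLE in that schema only during a maintenance window. It assumes Database Vault is configured and enabled and that the script runs as a user holding DV_OWNER; the names HR, HR_APP, 'HR Data Realm', 'Maintenance Window' and 'In Maintenance Window' are assumed.

```sql
-- Added example: Database Vault realm plus a context-based command rule.

-- 1. Realm over every HR object. realm_type => 1 makes it a mandatory realm:
--    even the HR owner and holders of SELECT ANY TABLE are blocked unless
--    they are authorized below.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Data Realm',
    description   => 'Keeps HR tables away from non-HR privileged users',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,   -- log every blocked access
    realm_type    => 1);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Data Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');
  -- Only the application account is a participant; DBA accounts are not listed.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Data Realm',
    grantee       => 'HR_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 2. Rule set that is true only between 01:00 and 02:59 server time.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'In Maintenance Window',
    rule_expr => q'[TO_CHAR(SYSDATE, 'HH24') BETWEEN '01' AND '02']');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Maintenance Window',
    description     => 'Structural changes allowed only during the window',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'DROP TABLE on HR is only allowed in the maintenance window',
    fail_code       => 20401,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Maintenance Window',
    rule_name     => 'In Maintenance Window');
END;
/

-- 3. Command rule: DROP TABLE on any HR table must pass the rule set.
BEGIN
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'DROP TABLE',
    rule_set_name => 'Maintenance Window',
    object_owner  => 'HR',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- Checks: what the realm protects, and which commands are gated.
SELECT realm_name, owner, object_name, object_type
  FROM dba_dv_realm_object
 WHERE realm_name = 'HR Data Realm';
SELECT command, object_owner, object_name, rule_set_name, enabled
  FROM dba_dv_command_rule
 WHERE object_owner = 'HR';
```

The three-way separation comes from who may run this script: realm and rule administration belongs to the DV_OWNER account, user management to DV_ACCTMGR, and ordinary DBA work to the DBA account, so no single identity can both grant itself access and erase the audit trail of having done so.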
Data Tagging (Classification & Labeling)
Row‑level security is enforced by attaching sensitivity labels to each row; users receive matching label sets, ensuring they can only read or modify rows matching their clearance.
Virtual Private Database (VPD)
Automatically appends predicate filters to queries, providing transparent row‑ and column‑level access control without application changes.
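A complete VPD setup, as an added example that is not from the article: a secure application context carries the caller's sales region, a policy function turns it into a predicate, and DBMS_RLS attaches that predicate to every statement against the table. The schema APP, the tables ORDERS and USER_REGIONS, the context SALES_CTX and all package, function and trigger names are assumed.

```sql
-- Added example: row-level security on APP.ORDERS by region, with no application change.

-- The context can only be set through its trusted package, so a session
-- cannot forge its own region.
CREATE OR REPLACE CONTEXT sales_ctx USING app.sales_ctx_pkg;

CREATE OR REPLACE PACKAGE app.sales_ctx_pkg AS
  PROCEDURE set_region;
END;
/
CREATE OR REPLACE PACKAGE BODY app.sales_ctx_pkg AS
  PROCEDURE set_region IS
    v_region VARCHAR2(30);
  BEGIN
    -- Assumed mapping table: which region each database user belongs to.
    SELECT region INTO v_region
      FROM app.user_regions
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('sales_ctx', 'region', v_region);
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      NULL;  -- unmapped user: attribute stays NULL and the policy fails closed
  END;
END;
/

-- Policy function: returns the predicate VPD appends to each statement.
-- NVL guards against a missing region: the row set is then empty.
CREATE OR REPLACE FUNCTION app.orders_region_pred(p_schema VARCHAR2, p_object VARCHAR2)
  RETURN VARCHAR2 AS
BEGIN
  RETURN q'[region = NVL(SYS_CONTEXT('sales_ctx', 'region'), '__NONE__')]';
END;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_REGION_POLICY',
    function_schema => 'APP',
    policy_function => 'ORDERS_REGION_PRED',
    statement_types => 'SELECT,INSERT,UPDATE,DELETE',
    update_check    => TRUE,   -- the post-change row must also satisfy the predicate
    policy_type     => DBMS_RLS.SHARED_CONTEXT_SENSITIVE);
END;
/

-- Populate the context once per session.
CREATE OR REPLACE TRIGGER set_sales_ctx AFTER LOGON ON DATABASE
BEGIN
  app.sales_ctx_pkg.set_region;
END;
/
```

update_check => TRUE is the detail most often missed: without it a user could UPDATE a visible row's region to another value and thereby move data out of their own scope. Column-level behaviour is added with the sec_relevant_cols and sec_relevant_cols_opt parameters of the same ADD_POLICY call.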
Sensitive Data Discovery
Oracle Data Safe’s “Data Discovery” scans for over 170 predefined sensitive data types, building a data model for downstream masking and compliance reporting.
Static Masking (Data Masking and Subsetting Pack)
Automates discovery, builds an application relationship model, and applies predefined or custom masking formats to produce realistic, non‑sensitive test data while preserving referential integrity.
Dynamic Redaction
Real‑time redaction masks sensitive columns during query execution based on configurable policies and session context, leaving the underlying data unchanged.
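As an added example (not from the article), the policy below partially redacts a 16-digit card number and fully redacts a numeric income column for any session that does not hold a payroll role, while the stored values stay untouched. The schema, table, column and role names are assumed; the redaction format string is a custom one built from the documented DBMS_REDACT partial-format syntax.

```sql
-- Added example: dynamic data redaction on APP.CUSTOMERS.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP',
    object_name         => 'CUSTOMERS',
    policy_name         => 'CUSTOMERS_REDACT',
    column_name         => 'CARD_NUMBER',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last position to mask:
    -- 16 plain digits, mask positions 1-12, keep the last four.
    function_parameters => 'VVVVVVVVVVVVVVVV,VVVVVVVVVVVVVVVV,*,1,12',
    -- Policy applies only when the session does NOT have PAYROLL_ADMIN enabled.
    expression          => q'[SYS_CONTEXT('SYS_SESSION_ROLES', 'PAYROLL_ADMIN') = 'FALSE']');

  -- Add a second column to the same policy: NUMBER columns under FULL redaction read as 0.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'APP',
    object_name   => 'CUSTOMERS',
    policy_name   => 'CUSTOMERS_REDACT',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'ANNUAL_INCOME',
    function_type => DBMS_REDACT.FULL);
END;
/

-- Check from a session without PAYROLL_ADMIN: values come back masked
-- (e.g. ************3456 and 0) while the table data is unchanged.
SELECT card_number, annual_income FROM app.customers WHERE ROWNUM <= 3;

-- Inventory of redaction policies and the columns they cover.
SELECT p.object_owner, p.object_name, p.policy_name, c.column_name, c.function_type
  FROM redaction_policies p JOIN redaction_columns c
    ON c.object_owner = p.object_owner AND c.object_name = p.object_name;
```

Redaction is a display-layer control: it protects against casual and application-level exposure but not against a user who can reach the raw blocks, so it complements rather than replaces TDE and access control.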
Database Auditing
Provides statement, privilege, and object auditing with fine‑grained policies. Unified Auditing (since 12c) consolidates logs, supports role‑based access to audit data, and stores records in tables or OS files with minimal performance impact.
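The following added example (not from the article) defines two unified audit policies of the kinds listed above: an object policy on a sensitive table with a session-level condition, and a privilege policy on the ANY privileges, plus the trail query a responder would run. Names (hr.salaries, hr_app, payroll_app) are assumed; creating and enabling policies requires the AUDIT_ADMIN role.

```sql
-- Added example: unified audit policies and a triage query over the trail.

-- Object policy: any read or change of HR.SALARIES that does not come from the
-- payroll program. The WHEN condition is evaluated once per session.
CREATE AUDIT POLICY hr_sensitive_access
  ACTIONS SELECT ON hr.salaries, UPDATE ON hr.salaries, DELETE ON hr.salaries
  WHEN 'SYS_CONTEXT(''USERENV'', ''CLIENT_PROGRAM_NAME'') NOT LIKE ''payroll_app%'''
  EVALUATE PER SESSION;

-- Privilege policy: every use of the broad ANY privileges, by anyone.
CREATE AUDIT POLICY any_priv_use
  PRIVILEGES SELECT ANY TABLE, ALTER ANY TABLE, DROP ANY TABLE, GRANT ANY PRIVILEGE;

-- Enable: the object policy for everyone except the application account,
-- the privilege policy for all users.
AUDIT POLICY hr_sensitive_access EXCEPT hr_app;
AUDIT POLICY any_priv_use;

-- Triage: who touched the table in the last 24 hours, newest first.
SELECT event_timestamp, dbusername, os_username, userhost,
       client_program_name, action_name, object_schema, object_name, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%HR_SENSITIVE_ACCESS%'
   AND event_timestamp > SYSTIMESTAMP - INTERVAL '1' DAY
 ORDER BY event_timestamp DESC;

-- Which policies are actually enabled, and for whom.
SELECT policy_name, enabled_option, entity_name, success, failure
  FROM audit_unified_enabled_policies
 ORDER BY policy_name;
```

Because the audit trail is itself a target, pair these policies with the Audit Vault collection described next, so that a copy of every record leaves the host before a privileged user can alter it.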
Audit Vault
Collects audit data from multiple databases and OS sources, encrypts it in a central repository, analyses it for anomalies, and generates compliance reports (SOX, PCI‑DSS, etc.).
Transparent Data Encryption (TDE)
Encrypts data files, redo logs, and backups at the storage engine level using AES‑256. Keys are stored outside the database (Oracle Wallet or HSM), enabling strict separation of duties.
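As an added example (not from the article), the steps below stand up a software keystore and encrypt a tablespace with AES-256, split between the two roles that the separation of duties relies on: a DBA sets the keystore location, and a separate key administrator holding SYSKM creates and opens the keystore and activates the master key. The wallet path, tablespace name, datafile path and passwords are assumed placeholders.

```sql
-- Added example: TDE keystore setup and an encrypted tablespace (18c+ syntax).

-- (as SYSDBA) Point the database at its keystore directory; needs a restart.
ALTER SYSTEM SET wallet_root = '/u01/app/oracle/admin/ORCL/wallet' SCOPE = SPFILE;
-- ... restart the instance ...
ALTER SYSTEM SET tde_configuration = 'KEYSTORE_CONFIGURATION=FILE' SCOPE = BOTH;

-- (as SYSKM, not the DBA) Create and open the keystore, then set the master key.
-- The WITH BACKUP clause copies the keystore before the key changes.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE IDENTIFIED BY "Placeholder-Keystore-Pw-1";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "Placeholder-Keystore-Pw-1";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "Placeholder-Keystore-Pw-1"
  WITH BACKUP USING 'initial_master_key';

-- (as DBA) New application data goes into an AES-256 encrypted tablespace;
-- its datafiles, the redo generated for it, and RMAN backups of it are ciphertext.
CREATE TABLESPACE app_secure
  DATAFILE '/u01/app/oracle/oradata/ORCL/app_secure01.dbf' SIZE 512M AUTOEXTEND ON
  ENCRYPTION USING 'AES256' ENCRYPT;

-- Checks: keystore open with an active key, and which tablespaces are still clear.
SELECT wrl_type, wrl_parameter, status, wallet_type FROM v$encryption_wallet;
SELECT t.name, NVL(e.encryptionalg, 'NONE') AS algorithm
  FROM v$tablespace t
  LEFT JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#
 ORDER BY algorithm, t.name;
```

For production, the same SYSKM statements target an HSM or Oracle Key Vault by changing tde_configuration to KEYSTORE_CONFIGURATION=HSM or OKV, which moves the master key off the database host entirely; an auto-login keystore avoids typing the password at startup but should then be protected by file permissions and host hardening.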
Key Vault
Centralised platform for managing encryption keys, certificates, SSH keys, and passwords, with high‑availability clustering and REST/KMIP APIs for integration.
Immutable / Blockchain Tables
Blockchain tables chain rows with cryptographic hashes (e.g., SHA-512) to detect tampering; Immutable tables enforce a "no-delete, no-update" policy via NO DELETE UNTIL n DAYS AFTER INSERT and NO DROP UNTIL n DAYS IDLE clauses, suitable for audit logs.
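To make both table types concrete, the following added example (not from the article) creates an immutable audit-log table and a blockchain ledger table, shows that UPDATE and DELETE are refused, and runs the built-in chain verification. Table and column names are assumed; the syntax requires Oracle Database 19c (19.10 or later) or 21c.

```sql
-- Added example: immutable and blockchain tables with retention clauses.

-- Append-only application audit log: rows cannot be deleted for 10 years and
-- the table cannot be dropped until it has been idle for a year.
CREATE IMMUTABLE TABLE app_audit_log (
  id        NUMBER,
  logged_at TIMESTAMP DEFAULT SYSTIMESTAMP,
  actor     VARCHAR2(128),
  action    VARCHAR2(4000))
  NO DROP UNTIL 365 DAYS IDLE
  NO DELETE UNTIL 3650 DAYS AFTER INSERT;

-- Ledger whose rows are additionally hash-chained with SHA-512.
CREATE BLOCKCHAIN TABLE payment_ledger (
  id        NUMBER,
  account   VARCHAR2(32),
  amount    NUMBER(12, 2),
  posted_at TIMESTAMP DEFAULT SYSTIMESTAMP)
  NO DROP UNTIL 31 DAYS IDLE
  NO DELETE UNTIL 365 DAYS AFTER INSERT
  HASHING USING "SHA2_512" VERSION "v1";

INSERT INTO payment_ledger (id, account, amount) VALUES (1, 'ACC-001', 100.00);
INSERT INTO payment_ledger (id, account, amount) VALUES (2, 'ACC-002', -25.50);
COMMIT;

-- Both statements are rejected by the database regardless of privileges.
UPDATE payment_ledger SET amount = 999 WHERE id = 1;
DELETE FROM payment_ledger WHERE id = 2;

-- The chain metadata lives in hidden columns that must be named explicitly.
SELECT id, orabctab_chain_id$, orabctab_seq_num$, orabctab_hash$
  FROM payment_ledger
 ORDER BY orabctab_chain_id$, orabctab_seq_num$;

-- Verify every row's hash against its predecessor; a broken link raises an error.
DECLARE
  v_rows NUMBER;
BEGIN
  DBMS_BLOCKCHAIN_TABLE.VERIFY_ROWS(
    schema_name             => USER,
    table_name              => 'PAYMENT_LEDGER',
    number_of_rows_verified => v_rows);
  DBMS_OUTPUT.PUT_LINE('Rows verified: ' || v_rows);
END;
/
```

The retention clauses are the practical difference from an ordinary table with revoked DELETE: they bind SYS and the owner as well, so an attacker who obtains DBA rights still cannot purge the log inside the window, and the hash chain lets an auditor detect block-level tampering that bypassed SQL altogether.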
Secure Backup (Oracle Secure Backup)
Provides end‑to‑end encrypted backups using AES, integrates with RMAN, enforces role‑based access, and supports multi‑protocol storage (tape, NAS, OCI).
Configuration & Compliance Management
Oracle Enterprise Manager continuously evaluates configurations against CIS, STIG, and custom baselines, auto‑remediates drift, and produces quantitative compliance scores.
Patch & Upgrade Management
Quarterly CPU/SPU patches address security vulnerabilities; OPatch handles install, rollback, and RAC‑aware rolling updates. Autonomous Database automates patch delivery.
Database Security Assessment Tool (DBSAT)
Automated scanner that collects security metadata, evaluates against standards, produces risk‑ranked reports, and offers remediation scripts. Includes sensitive‑data discovery.
Data Safe (Unified Security Platform)
Cloud‑based console for configuration assessment, sensitive‑data discovery, static masking, user‑risk scoring, activity monitoring, and SQL firewall integration.
Real Application Security (RAS)
Declarative framework that embeds application‑level roles, realms, and ACLs into the database kernel, simplifying policy management and providing fine‑grained audit trails.
3. Comparison with Domestic Databases
The article concludes with a side-by-side matrix (image) that maps the same security capabilities to several Chinese-origin database products, marking with "Y*" the features that are only achieved indirectly rather than natively. The comparison highlights gaps in native security functions such as built-in firewalls, TDE, or immutable tables, underscoring the maturity advantage of Oracle's ecosystem.
ITPUB
Official ITPUB account sharing technical insights, community news, and exciting events.