Security guidelines for Oracle Database@Azure
This article builds on several considerations and recommendations that are defined in the Azure security design area. It provides key design considerations and recommendations for Oracle Database@Azure security measures.
Overview
Most databases contain sensitive data that requires a secure architecture beyond database-level protections. The defense-in-depth strategy provides comprehensive security by layering multiple defense mechanisms. This approach combines various measures to avoid relying solely on one type of security, such as network defenses. These measures include strong authentication and authorization frameworks, network security, encryption of data at rest, and encryption of data in transit. This multilayered strategy is essential for securing Oracle workloads effectively.
For more information, see Security guide for Oracle Exadata Database Service on dedicated infrastructure and Exadata security controls.
Design considerations
Consider the following guidance when you design your security guidelines for Oracle Database@Azure:
Oracle Database@Azure workloads contain resources that are deployed in Azure virtual networks and datacenters. The Azure control plane and the Oracle Cloud Infrastructure (OCI) control plane both manage these resources. The Azure control plane provisions the infrastructure and its network connectivity. The OCI control plane handles database management and the management of individual nodes. For more information, see Groups and roles for Oracle Database@Azure.
The Oracle Database@Azure service is deployed on private subnets in Azure only. The service isn't directly reachable from the internet.
Oracle Database@Azure delegated subnets don't support Azure network security groups (NSGs).
The Oracle Database@Azure solution uses many default Transmission Control Protocol (TCP) ports for various operations. For the full list of ports, see Default port assignments.
Transparent Data Encryption (TDE) is enabled by default. To store and manage the TDE master encryption keys, the Oracle Database@Azure solution can use OCI Vault or Oracle Key Vault. The Oracle Database@Azure solution doesn't support Azure Key Vault.
By default, the database is configured by using Oracle-managed encryption keys. The database also supports customer-managed keys.
To enhance data protection, use Oracle Data Safe with Oracle Database@Azure.
Third-party agents (from vendors other than Microsoft and Oracle) can run on the Oracle Database@Azure OS, provided they don't modify or compromise the OS kernel.
Design recommendations
Consider the following recommendations when you design your security for Oracle Database@Azure:
Segment infrastructure access from data services access, especially when different teams access multiple databases on the same infrastructure for various reasons.
Use OCI NSG rules to limit the source IP address ranges that can reach the data plane and the virtual network. Open only the ports that you require for secure communication, so that unauthorized traffic to and from the internet is blocked. Because Azure NSGs aren't supported on the delegated subnet, you configure these NSG rules in OCI.
Configure network address translation (NAT) if you require outbound internet access. Always require encryption for data in transit.
If you use your own encryption keys, establish a rigorous key rotation process to uphold security and compliance standards.
If you use third-party agents (not from Microsoft or Oracle) on Oracle Database@Azure, install them in locations that database or Grid Infrastructure patches don't affect.
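The following Python script is an added example, not code from the Microsoft or Oracle documentation. It audits the two network recommendations above before deployment: the first part checks a list of OCI NSG security rules (in the JSON shape the OCI API uses, where protocol "6" means TCP) against an allow-list of source CIDRs and ports; the second parses a sqlnet.ora and flags settings that still permit unencrypted or weakly encrypted sessions. The app-tier CIDR 10.10.1.0/24, the port allow-list containing only 1521, and both rule sets and sqlnet.ora texts are constructed for illustration; substitute the ports from Default port assignments that your deployment actually needs.

```python
"""Added pre-deployment audit for two network recommendations on this page:
(1) OCI NSG ingress rules limited to known source ranges and required ports,
(2) sqlnet.ora forcing Oracle native network encryption for data in transit.
All CIDRs, rules and sqlnet.ora texts below are constructed samples."""
import ipaddress
import re

# Assumed allow-list (constructed): only the app-tier subnet, only the listener port.
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.1.0/24")]
ALLOWED_PORTS = {1521}

# Rules in the shape of OCI NSG security rules; protocol "6" is TCP in OCI's numeric encoding.
WEAK_RULES = [  # constructed: the "open everything" rule that makes the first connection test pass
    {"direction": "INGRESS", "protocol": "all", "source": "0.0.0.0/0", "sourceType": "CIDR_BLOCK"},
]
HARDENED_RULES = [  # constructed: listener port from the app subnet only
    {"direction": "INGRESS", "protocol": "6", "source": "10.10.1.0/24", "sourceType": "CIDR_BLOCK",
     "tcpOptions": {"destinationPortRange": {"min": 1521, "max": 1521}}},
    {"direction": "EGRESS", "protocol": "6", "destination": "10.10.1.0/24", "destinationType": "CIDR_BLOCK",
     "tcpOptions": {"destinationPortRange": {"min": 1521, "max": 1521}}},
]


def audit_nsg_rules(rules, allowed_sources=ALLOWED_SOURCES, allowed_ports=ALLOWED_PORTS):
    """Return findings for ingress rules broader than the allow-list (empty list = clean)."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.get("direction") != "INGRESS":
            continue  # this audit covers inbound exposure; egress is reviewed separately
        if rule.get("sourceType") != "CIDR_BLOCK":
            # Sources that reference a service label or another NSG need manual review.
            findings.append(f"rule {i}: non-CIDR source type {rule.get('sourceType')}")
            continue
        src = ipaddress.ip_network(rule["source"], strict=False)  # samples are IPv4 only
        if not any(src.subnet_of(allowed) for allowed in allowed_sources):
            findings.append(f"rule {i}: source {src} is outside the allowed ranges")
        if rule.get("protocol") != "6":
            findings.append(f"rule {i}: protocol {rule.get('protocol')!r} is not TCP-only")
            continue
        rng = rule.get("tcpOptions", {}).get("destinationPortRange")
        if rng is None:
            findings.append(f"rule {i}: all TCP ports are open")
            continue
        extra = set(range(rng["min"], rng["max"] + 1)) - allowed_ports
        if extra:
            findings.append(f"rule {i}: opens {len(extra)} port(s) beyond the allow-list")
    return findings


# The server default for SQLNET.ENCRYPTION_SERVER is ACCEPTED, which still lets a client that
# never asks for encryption talk in cleartext; REQUIRED refuses such sessions.
WEAK_SQLNET = """\
# constructed sample: defaults left in place, legacy cipher still offered
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256, RC4_128)
"""
HARDENED_SQLNET = """\
# constructed sample: encryption and integrity mandatory, deprecated algorithms refused
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA512)
SQLNET.ALLOW_WEAK_CRYPTO = FALSE
"""
# Algorithms Oracle marks as deprecated and disables when SQLNET.ALLOW_WEAK_CRYPTO is FALSE.
WEAK_ALGORITHMS = {"DES", "DES40", "3DES112", "3DES168",
                   "RC4_40", "RC4_56", "RC4_128", "RC4_256", "MD5"}
_PARAM = re.compile(r"^\s*([A-Z0-9_.]+)\s*=\s*(.*?)\s*$", re.IGNORECASE)  # comment lines never match


def parse_sqlnet(text):
    """Parse NAME = VALUE lines; a parenthesised list becomes a tuple of upper-case names."""
    params = {}
    for line in text.splitlines():
        m = _PARAM.match(line)
        if not m:
            continue
        name, value = m.group(1).upper(), m.group(2)
        if value.startswith("(") and value.endswith(")"):
            params[name] = tuple(v.strip().upper() for v in value[1:-1].split(",") if v.strip())
        else:
            params[name] = value.upper()
    return params


def audit_sqlnet(text):
    """Return findings for a sqlnet.ora that does not force encrypted, integrity-checked sessions."""
    p = parse_sqlnet(text)
    findings = []
    for param in ("SQLNET.ENCRYPTION_SERVER", "SQLNET.CRYPTO_CHECKSUM_SERVER"):
        if p.get(param) != "REQUIRED":
            findings.append(f"{param} is {p.get(param, 'unset (default ACCEPTED)')}, expected REQUIRED")
    for param in ("SQLNET.ENCRYPTION_TYPES_SERVER", "SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER"):
        weak = set(p.get(param, ())) & WEAK_ALGORITHMS
        if weak:
            findings.append(f"{param} offers deprecated algorithm(s): {', '.join(sorted(weak))}")
    if p.get("SQLNET.ALLOW_WEAK_CRYPTO") != "FALSE":
        findings.append("SQLNET.ALLOW_WEAK_CRYPTO should be FALSE")
    return findings


if __name__ == "__main__":
    print("weak NSG:", audit_nsg_rules(WEAK_RULES), "hardened NSG:", audit_nsg_rules(HARDENED_RULES))
    print("weak sqlnet.ora:", audit_sqlnet(WEAK_SQLNET), "hardened:", audit_sqlnet(HARDENED_SQLNET))
```

With SQLNET.ENCRYPTION_SERVER set to REQUIRED, a client whose own setting is the default ACCEPTED negotiates encryption transparently, while a client set to REJECTED is refused rather than allowed to fall back to cleartext; the checksum parameters behave the same way for integrity protection. Run the audit from your pipeline before applying rules with the OCI CLI or Terraform, so that a 0.0.0.0/0 source or an open port range never reaches the VM cluster.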