Security Best Practices

Oracle considers cloud security its highest priority, and the security responsibilities are shared between Oracle and you.

Oracle and Your Responsibilities

Oracle regularly evaluates critical patch updates and security alert fixes as well as relevant third-party fixes as they become available and applies the relevant patches in accordance with the applicable change management processes. Security vulnerabilities are patched on a regular cadence.

You are required to do the following:

  • Track vulnerabilities and regularly perform security scans and security assessments on the MySQL HeatWave DB systems.
  • Read and assess information related to critical patch updates and security alerts and bulletins. See Security Alerts.
  • Apply critical software upgrades and corrective measures.
  • If you require additional information that is not addressed here, submit a service request through your designated support system. See Creating a Support Request.

Security Features

Oracle provides various features, such as in-transit encryption, data masking, and deletion plans, to keep your data safe and secure.

Table 3-1 Security Features

Feature: Database access control and account management
Best practice: Use MySQL security features to control access and manage your accounts. See Access Control and Account Management.

Feature: OCI Audit Service
Best practice: Use the OCI Audit Service to automatically record calls to all supported public application programming interface (API) endpoints throughout your tenancy as log events. Each log event contains details such as the source, the target, and the time the API activity occurred. See Viewing Audit Service Logs, and Overview of Audit.

Feature: MySQL Enterprise Audit plugin
Best practice: Use the MySQL Enterprise Audit plugin to produce a log file containing an audit record of server activity. The log contents include when clients connect and disconnect, and what actions they perform while connected, such as which databases and tables they access. You can add statistics for the time and size of each query to detect outliers. By default, the audit plugin logs nothing; you have to define filters, and assign them to accounts, to enable logging of all auditable events for all users. See Default MySQL Privileges, and MySQL Enterprise Audit Plugin.

Feature: authentication_oci plugin
Best practice: Use the MySQL authentication_oci plugin to map MySQL users to existing users and groups defined in the IAM service. See Authenticating Using authentication_oci Plugin.

Feature: connection-control plugin
Best practice: By default, MySQL HeatWave Service supports the connection-control plugin, which provides a deterrent that slows down brute-force attacks against MySQL user accounts. See Plugins and Components.

Feature: In-transit encryption
Best practice: Your data is always encrypted at rest. You can additionally enable in-transit encryption for a given user to secure data in transit. See Data Security.

Feature: Data masking
Best practice: Use data masking to protect your sensitive data. See Data Masking.

Feature: Deletion plan
Best practice: Use a deletion plan to protect the DB system against delete operations. See Advanced Option: Deletion Plan.

Feature: Identity and Access Management
Best practice: As a security administrator, assign the minimum privileges to users. Use IAM policies to control access to, and use of, MySQL resources. See IAM Policies.

Feature: Security Certificate
Best practice: A security certificate is a digital document that confirms its subject is the owner of the public key in the certificate. You can either let MySQL HeatWave Service define a security certificate, or bring your own certificate to Oracle Cloud Infrastructure. See Advanced Option: Connections.

Feature: validate_password component
Best practice: MySQL HeatWave Service enforces strong passwords with the validate_password component. Make sure your applications comply with the password requirements. See Plugins and Components.

Feature: Virtual cloud network (VCN)
Best practice:
  • Configure network security groups or security lists of the VCN to restrict the authorized public IP addresses to a single IP address or a small range of IP addresses. See Creating a Virtual Cloud Network.
  • Configure the MySQL DB system to use private subnets of your VCN. To connect to your MySQL DB system from an external network, use a Bastion Session or a VPN connection. If you can connect to your DB system only over the internet, restrict the authorized public IP addresses to a single IP address or a small range of IP addresses, and use in-transit encryption. See Network Load Balancer.
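The MySQL Enterprise Audit row above notes that nothing is logged until a filter is defined and assigned. The following SQL is an added example, not from the Oracle documentation or the MySQL HeatWave product itself; it assumes the connected account holds the AUDIT_ADMIN privilege, and the filter names (log_all, conn_and_tables) are chosen here for illustration.

```sql
-- Added example (not Oracle's own). Assumes AUDIT_ADMIN on the DB system.

-- 1. Confirm the audit plugin is active and see what is currently assigned.
SELECT PLUGIN_NAME, PLUGIN_STATUS
  FROM INFORMATION_SCHEMA.PLUGINS
 WHERE PLUGIN_NAME = 'audit_log';
SELECT * FROM mysql.audit_log_filter;   -- no rows: no filters defined yet
SELECT * FROM mysql.audit_log_user;     -- no rows: no account is audited

-- 2. Define a filter that logs every auditable event.
SELECT audit_log_filter_set_filter('log_all', '{ "filter": { "log": true } }');

-- 3. Assign it to the default account '%', which applies to any user
--    without a more specific assignment. Logging starts for new sessions.
SELECT audit_log_filter_set_user('%', 'log_all');

-- 4. A narrower filter: only connect/disconnect events and table access,
--    which covers "which databases and tables they access" from the table
--    above while keeping log volume lower than log_all.
SELECT audit_log_filter_set_filter('conn_and_tables', '{
  "filter": {
    "class": [
      { "name": "connection" },
      { "name": "table_access" }
    ]
  }
}');

-- Example: audit an application account with the narrower filter while
-- everyone else stays on log_all. 'app_user' is a placeholder account name.
SELECT audit_log_filter_set_user('app_user@%', 'conn_and_tables');

-- 5. Verify the assignments before relying on them for detection.
SELECT USER, HOST, FILTERNAME FROM mysql.audit_log_user;

-- 6. Read the log from SQL (the DB system has no host file system access);
--    audit_log_read() returns a JSON array of events from the bookmark.
SELECT audit_log_read(audit_log_read_bookmark());

-- Rollback: detach and drop the filters if the policy changes.
-- SELECT audit_log_filter_remove_user('app_user@%');
-- SELECT audit_log_filter_remove_user('%');
-- SELECT audit_log_filter_remove_filter('conn_and_tables');
-- SELECT audit_log_filter_remove_filter('log_all');
```

Filter assignments take effect for sessions opened after the assignment, so existing connections keep their previous (possibly empty) filter until they reconnect.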