New Database Security Enhancements in Oracle 23ai


Database security is crucial to protect the integrity, confidentiality, and availability of data. It builds customer trust, helps comply with regulations, and reduces the risks associated with cyberattacks or unauthorized access.

Security has always been a top priority for Oracle. Oracle 23ai introduces several security features that help protect data, manage privileges, strengthen encryption, and more.

TLS 1.3

TLS 1.3 is one of the major updates to the TLS protocol, which provides significant security and performance improvements compared to the TLS 1.2 protocol.

Oracle Database 23ai clients, including SQL*Plus, JDBC, and ODP.NET, support TLS 1.3 for connecting to Oracle databases. TLS 1.3 is the default for Oracle Database 23ai, so no further configuration steps are needed on the Oracle Database 23ai client or the server.

23ai also simplifies configuration and management of TLS settings: the protocol version is selected in sqlnet.ora with the SSL_VERSION parameter (for example, SSL_VERSION = 1.3).

Key Benefits of TLS 1.3 in Oracle Database

  • Improved Security: TLS 1.3 shortens the handshake and removes legacy protocol options, helping to protect against various attacks on the connection setup.
  • Faster Handshake: TLS 1.3 reduces the number of round trips needed to establish a secure connection, improving response times.

SSL_ENABLE_WEAK_CIPHERS

Parameter SSL_ENABLE_WEAK_CIPHERS in Oracle’s sqlnet.ora file controls whether weak ciphers are allowed during SSL/TLS communications. Weak ciphers are cryptographic algorithms that have known vulnerabilities or are no longer considered secure by modern security standards.

By setting SSL_ENABLE_WEAK_CIPHERS = FALSE, you are actively improving the security of your Oracle database's network communications.

This ensures that only strong, secure ciphers are used for encrypting data between Oracle clients and the database, improving the overall security of your database connections. If you’re running an Oracle database in a regulated or high-risk environment, this is an important step in hardening the system against potential attacks.
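The two settings discussed above (SSL_VERSION and SSL_ENABLE_WEAK_CIPHERS) live in the same sqlnet.ora file. The fragment below is an added example, not from the article: it shows a weak configuration next to the hardened one. The wallet directory is a placeholder, and the value format for SSL_VERSION follows Oracle's documented bare version number.

```text
# sqlnet.ora -- added example, not taken from the article

# --- Weak configuration (avoid) ---
# SSL_VERSION=1.2                  # allows TLS 1.2 to be negotiated
# SSL_ENABLE_WEAK_CIPHERS=TRUE     # re-enables cipher suites Oracle classifies as weak

# --- Hardened configuration ---
SSL_VERSION=1.3                    # TLS 1.3 only; older clients fail instead of downgrading
SSL_ENABLE_WEAK_CIPHERS=FALSE      # only strong cipher suites may be negotiated
WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/placeholder/path/to/wallet)))
```

After the change, a quick check from an existing session is `SELECT SYS_CONTEXT('USERENV','NETWORK_PROTOCOL') FROM dual;`, which returns `tcps` for a TLS-protected connection and `tcp` for a clear-text one; pinning SSL_VERSION to 1.3 means any client that cannot speak TLS 1.3 is rejected rather than silently downgraded, so test application clients before rolling the setting out server-wide.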

Password Length up to 1024 Bytes

Oracle Database 23ai supports passwords up to 1024 bytes in length. In previous releases, the limit was only 30 bytes. The 30-byte limit was too restrictive when multi-byte characters in an NLS configuration consumed more than one byte per character of the password.

Longer passwords provide greater protection against brute-force attacks.

Column Level Auditing for Tables and Views

This feature enables you to configure more granular and focused audit policies and ensures that auditing is selective enough to reduce the creation of unnecessary audit records, and effective enough to let you meet your compliance requirements.

In earlier releases, if you wanted to audit a column, you had to enable auditing on the entire table. However, with 23ai, you can enable it on a specific column.

The ACTIONS clause of the CREATE AUDIT POLICY and ALTER AUDIT POLICY statements allows you to specify the list of columns to audit. For example, to audit UPDATE statements on the SALARY column of a table, you would specify ACTIONS UPDATE(SALARY).

Before 23ai (whole table): CREATE AUDIT POLICY employees ACTIONS UPDATE ON DV.EMPLOYEES;
23ai (single column): CREATE AUDIT POLICY employees ACTIONS UPDATE(SALARY) ON DV.EMPLOYEES;
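A complete lifecycle for a column-level policy, as an added example that is not part of the article: it creates the policy, enables it (a created policy records nothing until enabled), widens it later with ALTER AUDIT POLICY, and then reads back the records. The HR.EMPLOYEES table and the policy name are assumptions.

```sql
-- Added example, not from the article. Assumes a table HR.EMPLOYEES with a SALARY column
-- and a user holding AUDIT_ADMIN; the policy name is our own choice.

-- 1. Audit only UPDATE statements that touch SALARY. An UPDATE of other columns
--    on the same table produces no audit record, which keeps the trail small.
CREATE AUDIT POLICY hr_salary_update_pol
  ACTIONS UPDATE(SALARY) ON hr.employees;

-- 2. Enable it. By default both successful and failed attempts are recorded.
AUDIT POLICY hr_salary_update_pol;

-- 3. Extend the same policy later without dropping it, here to also
--    record who reads the column (same column syntax in ALTER AUDIT POLICY).
ALTER AUDIT POLICY hr_salary_update_pol
  ADD ACTIONS SELECT(SALARY) ON hr.employees;

-- 4. Review what the policy captured. UNIFIED_AUDIT_POLICIES is a comma-separated
--    list when several policies match one statement, hence LIKE rather than equality.
SELECT event_timestamp, dbusername, action_name,
       object_schema, object_name, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%HR_SALARY_UPDATE_POL%'
 ORDER BY event_timestamp DESC;
```

The SQL_TEXT column is populated only when the policy is enabled; if you need it retrospectively, there is no way to recover statements that ran before step 2, so enable the policy before the sensitive column goes into production use.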

SQL Firewall

SQL injection attacks and compromised accounts are the two most common techniques that result in attackers gaining full access to sensitive data stored in databases. SQL Firewall, built directly into Oracle Database 23ai, helps to address both SQL injection attacks and compromised account issues.

Oracle SQL Firewall inspects all incoming database connections and SQL statements, including those from PL/SQL (Oracle’s procedural extension to SQL), whether local or over the network, encrypted, or clear text. The firewall evaluates the complete SQL and the processing context and only allows explicitly authorized SQL. You can decide whether you want to block unauthorized SQL or only log it, giving you flexibility on how to handle attacks.

Oracle SQL Firewall policies work at a database account level, for application accounts or a direct database user, such as a reporting user or a database administrator. This flexibility allows you to gradually build up the protection level of the database, starting with either the database administrators or the application accounts.
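The account-by-account rollout described above follows a capture, review, allow-list, enforce sequence. The block below is an added example, not from the article or from Oracle: the procedure and view names are those of the DBMS_SQL_FIREWALL package as this editor recalls them from the 23ai documentation, so verify them against your release; APP_USER is a placeholder application account.

```sql
-- Added example, not from the article. Run as a user with the SQL_FIREWALL_ADMIN role.
-- APP_USER is a placeholder for the application account being protected.

-- 1. Turn SQL Firewall on for the database (one-time).
EXEC DBMS_SQL_FIREWALL.ENABLE;

-- 2. Learn the account's normal SQL. top_level_only => FALSE also records SQL
--    executed from inside PL/SQL, matching the coverage the article describes.
BEGIN
  DBMS_SQL_FIREWALL.CREATE_CAPTURE(
    username       => 'APP_USER',
    top_level_only => FALSE,
    start_capture  => TRUE);
END;
/
-- ... exercise the application's full normal workload, then stop learning:
EXEC DBMS_SQL_FIREWALL.STOP_CAPTURE('APP_USER');

-- 3. Review the capture before trusting it; anything suspicious captured here
--    would otherwise become "authorized".
SELECT sql_text, client_program, os_user, ip_address
  FROM dba_sql_firewall_capture_logs
 WHERE username = 'APP_USER';

-- 4. Turn the reviewed capture into the allow-list.
EXEC DBMS_SQL_FIREWALL.GENERATE_ALLOW_LIST('APP_USER');

-- 5. Enforce in log-only mode first (block => FALSE). ENFORCE_ALL checks both the
--    SQL itself and the session context (client program, OS user, IP address).
BEGIN
  DBMS_SQL_FIREWALL.ENABLE_ALLOW_LIST(
    username => 'APP_USER',
    enforce  => DBMS_SQL_FIREWALL.ENFORCE_ALL,
    block    => FALSE);
END;
/

-- 6. Watch what would have been blocked; once the violations are only noise,
--    re-run step 5 with block => TRUE.
SELECT occurred_at, sql_text, firewall_action, cause, client_program, ip_address
  FROM dba_sql_firewall_violations
 WHERE username = 'APP_USER'
 ORDER BY occurred_at DESC;
```

Starting in log-only mode is the safe way to discover SQL the capture window missed (month-end reports, rarely used admin screens) without taking the application down; the violation view then doubles as a detection feed, since an unexpected client program or IP address using a legitimate account is exactly the compromised-account case the article mentions.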

Data Dictionary Protection to Non-SYS Oracle Schemas

Data Dictionary Protection to Non-SYS Oracle Schemas is a feature in Oracle Database 23ai that enhances security by protecting the data dictionary from unauthorized access, modification, or destruction by users who are not SYSDBA.

The data dictionary contains critical metadata about the database, such as information about tables, indexes, users, and more. This metadata is essential for database management, so ensuring its integrity and confidentiality is crucial.

Oracle Database schemas now can have data dictionary protection, with additional separation-of-duties protection for the SYSBACKUP, SYSKM, SYSRAC, and SYSDG schemas. The full list of dictionary-protected Oracle schemas can be obtained with:

SELECT USERNAME, DICTIONARY_PROTECTED FROM DBA_USERS WHERE DICTIONARY_PROTECTED='YES';

Transport Layer Security (TLS) Connections Without a Client Wallet

Earlier, HTTPS callouts from the database required a client wallet. With 23ai, you can use the operating system certificate store instead, which reduces the burden of certificate management. The operating system normally already maintains a store of trusted root certificates, and the database can validate the remote site's certificate chain against those roots.
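What this looks like from PL/SQL, as an added example that is not from the article: a UTL_HTTP callout whose server certificate is validated against the OS store instead of a client wallet. The wallet path value 'system:' is this editor's recollection of how the 23ai UTL_HTTP interface selects the operating system store and should be checked against the documentation for your release; the URL is a placeholder and assumes a network ACL already grants the calling schema HTTP access to that host.

```sql
-- Added example, not from the article.
-- ASSUMPTION: 'system:' as the wallet path selects the OS certificate store in 23ai;
-- verify against your release's UTL_HTTP documentation.
-- The host below is a placeholder; an ACL for it must already exist.
SET SERVEROUTPUT ON
DECLARE
  req  UTL_HTTP.req;
  resp UTL_HTTP.resp;
BEGIN
  -- Pre-23ai this line pointed at a wallet directory (and needed its password
  -- unless the wallet was auto-login). Now the OS trust store is used instead.
  UTL_HTTP.set_wallet('system:');

  req  := UTL_HTTP.begin_request('https://api.example.invalid/health');
  resp := UTL_HTTP.get_response(req);
  DBMS_OUTPUT.put_line('HTTP status: ' || resp.status_code);
  UTL_HTTP.end_response(resp);
EXCEPTION
  WHEN OTHERS THEN
    -- A server whose chain does not end in a root present in the OS store fails
    -- here (ORA-29024, certificate validation failure). That is the desired
    -- outcome: the callout must not proceed over an unverified connection.
    DBMS_OUTPUT.put_line('Callout failed: ' || SQLERRM);
    RAISE;
END;
/
```

The trade-off to keep in mind is that the trust decision now follows the host's certificate store, so whoever administers the OS trust roots (and the patching cadence that updates them) is effectively administering which remote sites the database will talk to.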

Improved and More Secure Local Auto-Login Wallet

Newly created local auto-login wallets in 23ai are tightly bound to the host (physical or virtual) on which they were created, providing additional security compared with previous Oracle releases. This also applies to Transparent Data Encryption (TDE) local auto-login keystores. The local auto-login process doesn't require additional deployment or root access.

Explore more database resources at Datavail.com.
