Security Best Practices

Oracle considers cloud security its highest priority, and the security responsibilities are shared between Oracle and you.

Oracle and Your Responsibilities

Oracle regularly evaluates critical patch updates and security alert fixes as well as relevant third-party fixes as they become available and applies the relevant patches in accordance with the applicable change management processes. Security vulnerabilities are patched on a regular cadence.

You are required to do the following:

  • Track vulnerabilities and regularly perform security scans and security assessments on the MySQL HeatWave DB systems.
  • Read and assess information related to critical patch updates and security alerts and bulletins. See Security Alerts.
  • Apply critical software upgrades and corrective measures.
  • In case you require additional information that is not addressed, submit a service request within your designated support system. See Creating a Support Request.

Security Features

Oracle provides you various features such as in-transit encryption, data masking, and deletion plan to keep your data safe and secure.

Table 3-1 Security Features

Feature Best Practice
Database access control and account management Use MySQL security features to control access and manage your account. See Access Control and Account Management.
OCI Audit Service Use the OCI Audit Service to automatically record calls to all supported public application programming interface (API) endpoints throughout your tenancy as log events. The log events contains details such as the source, target, or time the API activity occurred. See Viewing Audit Service Logs, and Overview of Audit.
MySQL Enterprise Audit plugin Use the MySQL Enterprise Audit plugin to produce a log file containing an audit record of server activity. The log contents include when clients connect and disconnect, and what actions they perform while connected, such as which databases and tables they access. You can add statistics for the time and size of each query to detect outliers. By default, audit plugin logs are disabled, and you have to define filters to enable logging all auditable events for all users. See Default MySQL Privileges, and MySQL Enterprise Audit Plugin.
authentication_oci plugin Use MySQL authentication_oci plugin to map MySQL users to existing users and groups defined in the IAM service. See Authenticating Using authentication_oci Plugin.
connection-control plugin By default, MySQL HeatWave Service supports connection-control plugin to provide a deterrent that slows down brute force attacks against MySQL user accounts. See Plugins and Components.
In-transit encryption Your data is always encrypted at rest. You can use in-transit encryption for a given user to secure your data. See Data Security.
Data masking Use data masking to protect your sensitive data. See Data Masking.
Deletion plan Use deletion plan to protect the DB system against delete operations. See Advanced Option: Deletion Plan.
Identity and Access Management As a security administrator, assign minimum privileges to users. Use IAM policies to control access and use of MySQL resources. See IAM Policies.
validate_password component MySQL HeatWave Service enforces strong passwords with the validate_password component. Make sure your applications comply with the password requirements. See Plugins and Components.
Virtual cloud network (VCN)
  • Configure network security groups or security lists of the VCN to restrict the authorized public IP addresses to a single IP address or a small range of IP addresses. See Creating a Virtual Cloud Network.
  • Configure the MySQL DB system to use private subnets of your VCN. To connect to your MySQL DB system from an external network, use a Bastion Session or a VPN connection. If you can connect to your DB system over the internet only, restrict the authorized public IP addresses to a single IP address or a small range of IP addresses, and use in-transit encryption. See Network Load Balancer.