Security for Oracle Database@Azure

Databases contain sensitive data that requires defense-in-depth security architecture beyond database-level protections. A comprehensive security strategy protects Oracle Database@Azure workloads through multiple defense mechanisms including strong authentication, network security, data encryption, and threat monitoring.

This article provides security recommendations for Oracle Database@Azure deployments. Defense mechanisms include authentication and authorization frameworks, network security controls, encryption of data at rest and in transit, and integrated threat protection through Azure Arc and Microsoft Defender for Cloud.

For Oracle-specific security guidance, see Security guide for Oracle Exadata Database@Azure and Exadata security controls.

Establish dual-platform security governance

Security architecture requires coordination between Azure and Oracle Cloud Infrastructure (OCI) platforms because Oracle Database@Azure runs on OCI infrastructure colocated in Microsoft datacenters. Azure controls infrastructure provisioning and network connectivity while OCI manages database operations and individual node management.

  1. Define clear security ownership boundaries between Azure and OCI platforms. Azure manages security policies for the underlying infrastructure including virtual networks, Azure Arc-enabled servers, and Defender for Cloud integration. Oracle controls database security configurations, transparent data encryption, and OCI-specific security features. This separation prevents conflicts while ensuring comprehensive coverage.

  2. Implement Azure Arc integration for unified security monitoring. Onboard Oracle Database@Azure infrastructure to Azure Arc-enabled servers to enable centralized security management through Defender for Cloud. Azure Arc integration provides security visibility and threat protection without interfering with OCI management operations or database performance. For detailed implementation guidance, see Azure Arc connectivity design for Oracle Database@Azure.

  3. Align security policies across platforms without conflicts. Follow Azure Policy best practices for Azure Arc-enabled servers while maintaining Oracle's security configuration standards. Security policies must complement rather than override existing Oracle security configurations to maintain operational integrity.

Implement network security controls

Network security provides the first line of defense through Azure virtual network integration and network security groups (NSGs). Oracle Database@Azure integrates into Azure virtual networks through subnet delegation and has no internet access by default.

  1. Configure NSGs with Oracle-specific considerations. NSG support depends on network features configuration. When you use NSGs on Azure-delegated subnets, review security rules configured on the Oracle (OCI) side to prevent conflicts that cause access problems or operational disruptions. For complete network planning and NSG configuration guidance, see Network topology and connectivity for Oracle Database@Azure.

  2. Secure access through predefined port controls. Oracle Database@Azure uses a predefined list of Transmission Control Protocol (TCP) ports. These ports are inaccessible from other subnets by default because NSGs within OCI manage them. Only open required ports for secure communication following the principle of least privilege.

  3. Enable outbound internet access through secure channels when required. Configure network address translation (NAT) or use a proxy like Azure Firewall or a network virtual appliance if outbound internet access is necessary. For more information, see Network planning for Oracle Database@Azure.
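The three network controls above, expressed as one Bicep template. This is an added example, not a template from the article, Microsoft, or Oracle. It assumes the Oracle listener is on TCP 1521 and administrative SSH on TCP 22 (the article does not list the predefined ports), placeholder address ranges and resource names, and that the chosen network features configuration supports NSGs on the delegated subnet; the OCI-side rules still need to be reviewed against these rules before deployment, as the first step above requires.

```bicep
// Added example (not from the article): NSG on the subnet delegated to Oracle Database@Azure.
// Assumptions: listener on TCP 1521 and SSH on TCP 22 (the article does not list the
// predefined ports); address ranges and names are placeholders.
param location string = resourceGroup().location
param dbSubnetPrefix string = '10.10.1.0/24'    // delegated Oracle Database@Azure subnet
param appSubnetPrefix string = '10.10.2.0/24'   // application tier that reaches the listener
param mgmtSubnetPrefix string = '10.10.3.0/27'  // jump-host subnet for administrative SSH
param listenerPort int = 1521                   // assumed Oracle listener port

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-oracle-db'
  location: location
  properties: {
    securityRules: [
      {
        // Least privilege: only the application subnet may reach the listener port.
        name: 'AllowListenerFromAppTier'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: appSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: dbSubnetPrefix
          destinationPortRange: string(listenerPort)
        }
      }
      {
        // Administrative access only from the management subnet, not from the whole VNet.
        name: 'AllowSshFromManagement'
        properties: {
          priority: 110
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: mgmtSubnetPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: dbSubnetPrefix
          destinationPortRange: '22'
        }
      }
      {
        // Makes the "no default internet access" posture explicit. NSG rules match the
        // packet's destination address, so this also blocks egress that a route table sends
        // to Azure Firewall or a NAT gateway. When outbound access is required (step 3),
        // replace this rule with allow rules for the specific service tags that are needed,
        // or remove it and enforce the allow list in Azure Firewall instead.
        name: 'DenyDirectInternetOutbound'
        properties: {
          priority: 4000
          direction: 'Outbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: 'Internet'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-oracle'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.10.0.0/16' ] }
    subnets: [
      {
        // Subnet delegated to Oracle Database@Azure; NSG support on it depends on the
        // network features configuration (step 1).
        name: 'snet-oracle-db'
        properties: {
          addressPrefix: dbSubnetPrefix
          networkSecurityGroup: { id: nsg.id }
          delegations: [
            { name: 'oracle', properties: { serviceName: 'Oracle.Database/networkAttachments' } }
          ]
        }
      }
      { name: 'snet-app', properties: { addressPrefix: appSubnetPrefix } }
      { name: 'snet-mgmt', properties: { addressPrefix: mgmtSubnetPrefix } }
    ]
  }
}
```

Inbound rules are deliberately narrow allow rules rather than a blanket deny of the VirtualNetwork tag, because the OCI-side NSGs already close the predefined ports and a broader Azure deny can conflict with them and break cluster operations, which is exactly the failure mode step 1 warns about.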

Deploy data encryption and key management

Data protection requires encryption at rest and comprehensive key management strategies. Oracle Database@Azure provides built-in encryption capabilities with flexible key management options.

  1. Use default transparent data encryption for immediate protection. Oracle Database@Azure enables data-at-rest encryption by default through transparent data encryption at the database layer. This encryption secures the container database (CDB$ROOT) and pluggable databases by using Oracle-managed AES-128 encryption keys that are stored locally in a wallet within the VM cluster file system. For more information, see Manage tablespace encryption.

  2. Select the key management platform based on data residency requirements. Choose between OCI Vault for native Oracle Cloud integration, Oracle Key Vault for an on-premises-style deployment, or Azure Key Vault for Azure-native integration. Consider data location requirements when you select the key management solution.

    • Use OCI Vault for standard deployments. OCI Vault provides built-in integration with Oracle Database@Azure with keys stored in OCI outside of Azure. This option offers the simplest implementation path with native Oracle integration.

    • Store Oracle Transparent Data Encryption (TDE) master encryption keys in Key Vault. Follow best practices for using Key Vault when you implement Azure-native key management for Oracle Database@Azure. This option keeps all keys within Azure boundaries and integrates with Azure security controls.

    • Implement Oracle Key Vault for on-premises style deployment. Deploy Oracle Key Vault on Azure when you require traditional key management approaches with full control over the key management infrastructure. Oracle Key Vault on Azure requires manual installation, database integration, and high availability configuration. For deployment guidance, see Create an Oracle Key Vault image in Microsoft Azure.

  3. Ensure high availability for key management infrastructure. Create a multi-primary Oracle Key Vault deployment for encryption key availability. Deploy a multi-primary Oracle Key Vault cluster with four nodes spanning at least two availability zones or regions for robust high availability. For more information, see Oracle Key Vault multi-primary cluster concepts.

    Note

    Oracle Key Vault requires separate licensing and manual high availability configuration.

  4. Establish secure backup encryption practices. Database backups are encrypted with the same primary encryption keys by default. Store encryption keys and database backups in separate environments to enhance security and minimize data compromise risk. Retain old encryption keys for restoration operations when you perform long-term backups.

Enable Defender for Cloud integration

Defender for Cloud provides comprehensive threat protection and security monitoring for Oracle Database@Azure through Azure Arc integration. This security layer complements Oracle's native security controls with Microsoft's threat intelligence and automated response capabilities.

  1. Deploy Defender for servers on Azure Arc-enabled infrastructure. Enable Microsoft Defender for servers on Azure Arc-enabled Oracle Database@Azure infrastructure for comprehensive threat protection. This integration provides advanced threat detection, vulnerability assessment, and automated incident response capabilities. For Defender for servers capabilities, see Defender for servers features and benefits.

  2. Configure security baselines and compliance monitoring. Use the Microsoft cloud security benchmark to complement Oracle security configurations without conflicts. Implement security baselines by following the guidance in Establish security baseline to maintain a consistent security posture across hybrid Oracle deployments.

  3. Implement automated threat detection and response. Establish alert correlation processes by using Defender for Cloud workflow automation and security alert management. Configure automated response playbooks for common threat scenarios while respecting Oracle database operations and maintenance windows.

  4. Deploy vulnerability management with Oracle considerations. Implement Defender vulnerability assessment with scanning scheduled to align with Oracle maintenance windows. For remediation processes, see Remediate machine vulnerability findings, and verify that remediation steps are compatible with Oracle grid infrastructure patches.

  5. Integrate with Security Information and Event Management (SIEM) for comprehensive security operations. Optionally, integrate with Microsoft Sentinel for SIEM capabilities to correlate security events across Azure and Oracle platforms for unified threat visibility.
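Steps 1 and 3 above at subscription scope, as a Bicep template. This is an added example and not a template from the article or from Microsoft; the contact address is a placeholder. It enables Defender for servers Plan 2, which is the plan that covers Azure Arc-enabled servers, and gives high-severity alerts a defined recipient so the alert correlation process has somewhere to start. Arc onboarding of the infrastructure itself is a separate step (see the Azure Arc connectivity design linked above) and is not expressed here.

```bicep
// Added example (not from the article): subscription-scope Defender for Cloud settings for
// the Azure Arc-enabled Oracle Database@Azure infrastructure. The contact address is a placeholder.
targetScope = 'subscription'

param securityContactEmail string = 'secops@example.com'  // placeholder mailbox

// Defender for servers Plan 2 applies to Arc-enabled servers in this subscription and
// provides the threat detection and vulnerability assessment referred to in step 1.
resource defenderForServers 'Microsoft.Security/pricings@2023-01-01' = {
  name: 'VirtualMachines'
  properties: {
    pricingTier: 'Standard'
    subPlan: 'P2'
  }
}

// Send high-severity alerts to the operations mailbox and to subscription owners, so the
// correlation and response process in step 3 has a defined recipient.
resource securityContact 'Microsoft.Security/securityContacts@2020-01-01-preview' = {
  name: 'default'
  properties: {
    emails: securityContactEmail
    alertNotifications: { state: 'On', minimalSeverity: 'High' }
    notificationsByRole: { state: 'On', roles: [ 'Owner' ] }
  }
}
```

Deploy it with a subscription-scoped deployment (for example `az deployment sub create`), not at resource-group scope, because both resource types live at the subscription level.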

Manage encryption keys and operational security

Operational security requires rigorous key management, secure agent deployment, and workload isolation strategies. These practices maintain security integrity while enabling necessary monitoring and management operations.

  1. Establish key rotation and life cycle management processes. Implement rigorous key rotation processes to maintain security and compliance standards when you use customer-managed encryption keys. Define rotation schedules, automate key management operations where possible, and maintain audit trails for all key life cycle events.

    • Start with a local wallet for pilot deployments. Use a wallet stored locally in the software keystore for proof-of-concept or pilot deployments while you finalize key management platform decisions. Plan the transition strategy based on the selected key management platform.

    • Plan transition strategies by platform. If you select OCI Vault, the transition is a dynamic operation with minimal disruption. If you select Oracle Key Vault, manually migrate encryption keys to the Oracle Key Vault platform by following Oracle migration procedures.

  2. Deploy security agents with infrastructure considerations. Install non-Microsoft or Oracle agents on Oracle Database@Azure in locations where database or grid infrastructure patches don't interfere with agent operations. Ensure agents don't modify or compromise the database operating system kernel to maintain Oracle support and system stability.

  3. Implement workload isolation for security boundaries. Deploy VM clusters in separate virtual networks to achieve security isolation at the workload level, especially when different teams access multiple databases on the same infrastructure. This isolation prevents lateral movement between environments and maintains clear security boundaries. For more information, see Resource organization for Oracle Database@Azure.
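The Azure Key Vault option from the encryption section (store TDE master encryption keys in Key Vault) together with the rotation, life cycle, and audit-trail requirements of step 1 above, as one Bicep template. This is an added example, not a template from the article, Microsoft, or Oracle. Names, the rotation and expiry periods, the key operations, and the Log Analytics workspace ID are assumptions; how the database is pointed at the vault is part of the Oracle-side integration and is not shown.

```bicep
// Added example (not from the article): Azure Key Vault for Oracle TDE master encryption keys
// with an HSM-protected key, an enforced rotation policy, and an audit trail.
// Assumptions: names, periods, key operations, and the workspace ID are placeholders.
param location string = resourceGroup().location
param vaultName string = 'kv-oracle-tde-${uniqueString(resourceGroup().id)}'
param logAnalyticsWorkspaceId string  // hypothetical existing workspace for the audit trail

resource vault 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'premium' }   // premium SKU allows HSM-protected keys
    enableRbacAuthorization: true           // Azure RBAC instead of vault access policies
    enableSoftDelete: true
    softDeleteRetentionInDays: 90
    // Purge protection cannot be turned off once set: a deleted TDE key cannot be purged
    // early, which protects every backup that still depends on it.
    enablePurgeProtection: true
    publicNetworkAccess: 'Disabled'         // reach the vault over Private Link only
    networkAcls: { bypass: 'None', defaultAction: 'Deny' }
  }
}

resource tdeMasterKey 'Microsoft.KeyVault/vaults/keys@2023-07-01' = {
  parent: vault
  name: 'oracle-tde-master-key'
  properties: {
    kty: 'RSA-HSM'
    keySize: 3072
    // Assumption: restrict the key to the operations the integration actually needs;
    // wrap/unwrap is shown here, adjust to what the Oracle-side integration requires.
    keyOps: [ 'wrapKey', 'unwrapKey' ]
    rotationPolicy: {
      // Rotation creates a new key version; earlier versions remain in the vault, which is
      // what lets long-term backups encrypted under them be restored later.
      attributes: { expiryTime: 'P1Y' }
      lifetimeActions: [
        { trigger: { timeAfterCreate: 'P180D' }, action: { type: 'Rotate' } }
        { trigger: { timeBeforeExpiry: 'P30D' }, action: { type: 'Notify' } }
      ]
    }
  }
}

// Every key life cycle event (create, rotate, wrap, unwrap, delete) is written to the
// workspace as an AuditEvent record, which is the audit trail step 1 asks for.
resource vaultAudit 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'kv-audit'
  scope: vault
  properties: {
    workspaceId: logAnalyticsWorkspaceId
    logs: [ { categoryGroup: 'audit', enabled: true } ]
  }
}
```

Two caveats: the rotation policy rotates the key in Key Vault, but whether the database picks up the new version without manual re-keying is a property of the Oracle-side integration and should be confirmed before the policy is relied on for compliance rotation; and old key versions must never be disabled or removed while backups encrypted under them are still within their retention period.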

Defender for Cloud integration

Consider the following recommendations for integrating Defender for Cloud with Oracle Exadata Database@Azure:

Next steps

Implement the Oracle Database@Azure security framework through the following complementary guidance areas:

For Microsoft security guidance: