Tuesday, February 7, 2023

What is Zero Trust Architecture?


When we talk about information security, we always refer to the CIA triad: the relationship between Confidentiality, Integrity, and Availability.

Zero Trust Architecture drastically strengthens the Integrity arm of the triangle; it relies on the assurance that, with continuing technological advances, the Availability arm will catch up.

It also relies on the understanding that the IT infrastructure will require significant investment over time to ensure that the accessibility of the system stays optimized even after trust in identity shifts from implicit to zero.

We'll look at how you can help your team understand the basic concepts and issues, and review creative solutions. We will especially focus on repurposing existing systems to adapt them to the ZTA model.

Through the whole series I will emphasize how you can do this yourself within your organization. 

Or, if you are planning to use an outside agency or product, you can use the information to help evaluate which of these agencies and products are most likely to help your team out. 

I've got lots of information for you on how ZTA fits into business and IT processes. So, let's get started.

Sachin
Chief Architect
Oracle Apex Enthusiast
BuzzClan

Zero Trust Architecture - How does your security posture compare?

As the CISO or head of security for your organization, you are likely always on the lookout for new and innovative ways to improve your company's security posture. You have probably heard a lot about zero trust architectures in recent months and may be wondering what all the hype is about. In this blog post, we will compare zero trust architectures to traditional, perimeter-based security models and discuss the benefits of moving to a zero trust model. We will also provide tips on how you can start transitioning your organization to a zero trust architecture.

As businesses continue to move their operations online and into the cloud, traditional security models that rely on keeping sensitive data behind locked perimeters are no longer feasible. Zero Trust Architecture is an alternate approach that eliminates the need for trusted insiders and instead focuses on verifying identities and authorizing access on a case-by-case basis. This approach can be substantially more secure than traditional security models, as it does not rely on assuming that all users are trustworthy just because they are employees or have been granted access to certain systems or data. 

In this blog post, we will compare zero trust architectures to traditional, perimeter-based security models and discuss the benefits of moving to a zero trust model. We will also provide tips on how you can start transitioning your organization to a zero trust architecture. Stay tuned!

Sachin
Chief Architect
Oracle Apex Enthusiast
BuzzClan

Tuesday, November 22, 2022

What should be included in every company's data breach response plan

No organization is immune from a data breach. In the past year, we've seen a significant uptick in the number of companies that have been affected by cyber-attacks. If your company doesn't have a data breach response plan in place, now is the time to develop one. This blog post will outline what should be included in every company's data breach response plan.

A data breach is the unauthorized access or theft of customer or company information. This can happen when there's a cyberattack on a company's networks or systems, or when an employee accidentally exposes data. Data breaches can have dire consequences, including identity theft, loss of revenue, and damage to reputation. 

As a result, it is important for organizations to have a plan in place for how to respond in the event of a data breach. A good response plan will help to minimize the damage caused by a breach and protect the reputation of the organization. It will also help to speed up the recovery process and get the organization back on track as quickly as possible.

There are a few key elements that should be included in every data breach response plan:

- Identify who is responsible for leading the response effort and assembling the response team. This should be someone with the authority to make decisions and access to all of the necessary resources.

- Establish protocols for quickly identifying and containing a breach. This may involve setting up systems for monitoring activity on company networks and devices, as well as employee education on spotting signs of a potential breach.

- Develop procedures for notifying individuals whose data has been compromised, as well as regulators and law enforcement if required.

- Have a plan for restoring systems and retrieving lost data. This may involve having backup systems in place so that you can quickly resume operations after a breach.

- Put procedures in place for assessing the damage caused by a breach and taking steps to prevent future breaches from occurring. This includes conducting a post-breach analysis to identify what went wrong and making changes to systems and processes accordingly.

Testing your plan regularly will help to ensure that it is effective and that employees are familiar with what they need to do in the event of a breach. Training employees on how to spot signs of a potential breach and what to do if they suspect one is occurring is also important. By taking these steps, you can help to minimize the risk of experiencing a damaging data breach.

To protect your business, you need to create a data breach response plan that includes steps for identifying, containing, and recovering from a breach. You should also test your plan regularly and train employees on what to do in the event of a breach. Do you have a data protection plan in place? What kind of precautions have you taken to prevent or mitigate the effects of a potential data leak? Share your thoughts and experiences in the comments below.

Sachin
Chief Architect
BuzzClan

Sunday, October 27, 2019

OCI-Oracle ATP- Import Data from on-prem

The primary method to move data to the Oracle ATP instance is by using Data Pump.

You export data from your on-prem database. Use the following parameters for a faster and easier migration to ATP:
exclude=cluster,db_link
parallel=n
schemas=schema_name
dumpfile=export%u.dmp
For larger data sizes, use parallelism: set it to the number of CPUs in your ATP instance. For a 16 CPU ATP instance, here is an example export (other parameters, such as compression, can also be used):
expdp sh/sh@orcl \
exclude=cluster,db_link \
parallel=16 \
schemas=sh \
dumpfile=export%u.dmp
Once the export file(s) is ready, move the files to Oracle Cloud Infrastructure Object Storage.

You can use 10 GiB of Object Storage and 10 GiB of Archive Storage for free in your home region. If you use more than 20 GiB and have not upgraded when your Free Trial ends, your data is deleted.
If you are participating in a Free Trial, you can store unlimited data. When your trial ends, you are converted to an Always Free account, which is limited to 20 GiB of combined Object Storage and Archive Storage in your home region. If you are using more than 20 GiB when your account is converted, your data is deleted, so reduce your usage to 20 GiB or less before converting to Always Free.
Storage usage is the approximate total size of all objects in the region. Usage is updated periodically, so you will see a lag between what is displayed and the actual usage.

Oracle Data Pump v18.3 or above supports importing data into ATP. See (https://erpthings.blogspot.com/2019/10/oci-oracle-atp-connect-via-sqlplus-on.html) for details on how to get Oracle Instant Client.
Steps:
  • Store a credential so that Data Pump can authenticate to the Object Storage service (run as ADMIN in SQL*Plus):
BEGIN
  DBMS_CLOUD.CREATE_CREDENTIAL(
    credential_name => 'objectstore',
    username        => '<userid>',    -- your OCI user name
    password        => '<password>'   -- for OCI Object Storage this is an auth token, not the console password
  );
  -- re-enable the credential in case it was previously disabled
  DBMS_CLOUD.ENABLE_CREDENTIAL(credential_name => 'objectstore');
END;
/
-- DDL cannot run directly inside the PL/SQL block, so set the default credential separately
ALTER DATABASE PROPERTY SET default_credential = 'ADMIN.objectstore';
exit;
  • Determine the Native URI for your dump file(s) (see this post)
  • Run Data Pump import, passing the credential created above and the Native URI of the dump files:
impdp admin/password@ATPC1_high \
     directory=data_pump_dir \
     credential=objectstore \
     dumpfile=https://objectstorage.us-ashburn-1.oraclecloud.com/n/atpc/b/atpc_user/o/export%u.dmp \
     parallel=16 \
     transform=segment_attributes:n \
     transform=dwcs_cvt_iots:y \
     transform=constraint_use_default_index:y \
     exclude=cluster,db_link
  I got a few errors that were alluding to the fact that the user is not authenticated. To work around the issue, I used a few support documents:

How to validate Object Storage URI and Credentials Are Correctly Set for ATP (Doc ID 2468298.1)

NOTE:2113967.1 - How To Validate A DataPump Export (EXPDP) Dump File ?
NOTE:2416814.1 - ADW: Getting "ORA-17500: ODM err:ODM HTTP Unauthorized" error during import to ADW Instance
NOTE:2446550.1 - ATP : Import to ATP From Object Store Fails with 'ORA-17500: ODM Err:ODM HTTP Unauthorized'

Finally, I used a pre-authenticated URL for the dump file, as discussed in the last note.
Once this was done, here is the new impdp command, which imported the data:

./impdp admin@buzztaqdev_high \
     dumpfile=default_credential:<pre-authenticated url> \
     transform=segment_attributes:n \
     transform=dwcs_cvt_iots:y \
     transform=constraint_use_default_index:y \
     exclude=cluster,db_link
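The steps above (export with parallelism, upload, credential check, import) as one script. This is an added example and not code from the original post; it assumes expdp/impdp from Instant Client and the OCI CLI are on PATH and configured, that the DBMS_CLOUD credential is named objectstore as above, and that DUMP_URI is set to the Native URI of the dump files (the default below is a placeholder). It passes user@alias rather than user/password@alias so the password is prompted instead of appearing in the process list, and it runs a DBMS_CLOUD.LIST_OBJECTS query first, which is the quickest way to see the "HTTP Unauthorized" problem before the import starts.

```shell
#!/bin/sh
# Added example (not from the original post): drive the on-prem -> ATP migration
# described above. Assumed: expdp/impdp and the OCI CLI on PATH, credential
# "objectstore" created in ATP, DUMP_URI set to the dumps' Native URI.

SCHEMA="${SCHEMA:-sh}"
SRC_CONN="${SRC_CONN:-orcl}"            # on-prem TNS alias (password is prompted)
ATP_CONN="${ATP_CONN:-ATPC1_high}"      # ATP high-service alias from the wallet
OCPUS="${OCPUS:-16}"                    # ATP CPU count drives the parallelism
BUCKET="${BUCKET:-atpc_user}"
CRED="${CRED:-objectstore}"
# placeholder Native URI; replace <region>/<namespace>/<bucket> with your values
DUMP_URI="${DUMP_URI:-https://objectstorage.<region>.oraclecloud.com/n/<namespace>/b/<bucket>/o/export%u.dmp}"

# Export parameters from the post; parallel = ATP CPU count, and %u yields one
# dump file per worker so the import can read them in parallel as well.
expdp_args() {
    schema="$1"; parallel="$2"
    echo "exclude=cluster,db_link parallel=$parallel schemas=$schema dumpfile=export%u.dmp"
}

# Import parameters from the post, using the credential created in ATP.
impdp_args() {
    cred="$1"; uri="$2"; parallel="$3"
    echo "directory=data_pump_dir credential=$cred dumpfile=$uri parallel=$parallel transform=segment_attributes:n transform=dwcs_cvt_iots:y transform=constraint_use_default_index:y exclude=cluster,db_link"
}

# Bucket URI derived from a dump-file URI: everything up to and including /o/.
bucket_of() {
    echo "${1%%/o/*}/o/"
}

# Pre-flight check for the ORA-17500 "HTTP Unauthorized" failure: if the
# credential can list the bucket, Data Pump will be able to read the dumps.
list_objects_sql() {
    cred="$1"; bucket_uri="$2"
    echo "SELECT object_name, bytes FROM DBMS_CLOUD.LIST_OBJECTS('$cred', '$bucket_uri');"
}

# The real work runs only when invoked as "./migrate.sh run", so the functions
# above can be sourced and checked without Oracle tools present.
if [ "${1:-}" = "run" ]; then
    # 1. Export: user@alias only, so the password is prompted, not shown in ps.
    expdp "${SRC_USER:-$SCHEMA}@$SRC_CONN" $(expdp_args "$SCHEMA" "$OCPUS")
    # 2. Upload every dump file to Object Storage.
    for f in export*.dmp; do
        oci os object put --bucket-name "$BUCKET" --file "$f" --name "$f"
    done
    # 3. Verify the credential can see the bucket before the long import starts.
    list_objects_sql "$CRED" "$(bucket_of "$DUMP_URI")" > check_bucket.sql
    sqlplus "admin@$ATP_CONN" @check_bucket.sql
    # 4. Import with the same parallelism.
    impdp "admin@$ATP_CONN" $(impdp_args "$CRED" "$DUMP_URI" "$OCPUS")
fi
```

If you fall back to a pre-authenticated request URL as in the final command above, treat that URL as a secret: anyone holding it can read the object without any OCI credential, so give it the shortest expiry that covers the import and delete the request once the data is in.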




Sachin
Chief Architect
Oracle Apex Enthusiast
BuzzClan

Saturday, October 26, 2019

Oracle OCI - Object Storage - Access via Native URI

To be able to access objects in the Oracle Cloud Object Storage, we need a Uniform Resource Identifier (URI) ('a string of characters that unambiguously identifies a particular resource')

  • Native URI

https://objectstorage.region.oraclecloud.com/n/object-storage-namespace/b/bucket/o/filename
Tip:
You can view the Native URI of an object (such as an uploaded file) in its Object Details dialog:

  1. Go to the Bucket Details page of the bucket containing the object.
  2. In the bucket's list of objects, click the object's Actions menu icon and choose View Object Details.
    The URL Path (URI) field displays the object's Native URI value.
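Building a Native URI from its parts, and checking one before it is pasted into a DBMS_CLOUD or impdp call, as an added example that is not part of the original post. Region, namespace, bucket and object names are constructed sample values; the only assumption is the URI layout shown above.

```shell
#!/bin/sh
# Added example (not from the original post): build and take apart OCI Object
# Storage Native URIs of the form
#   https://objectstorage.<region>.oraclecloud.com/n/<namespace>/b/<bucket>/o/<object>

native_uri() {
    region="$1"; ns="$2"; bucket="$3"; object="$4"
    printf 'https://objectstorage.%s.oraclecloud.com/n/%s/b/%s/o/%s\n' \
        "$region" "$ns" "$bucket" "$object"
}

# Accept only URIs that match the Native layout exactly. Run this before a URI
# goes into a credentialed call, so a typo or a host that merely contains
# "oraclecloud.com" is rejected before any credential is sent to it.
is_native_uri() {
    case "$1" in
        https://objectstorage.*.oraclecloud.com/n/*/b/*/o/?*) ;;
        *) return 1 ;;
    esac
    # the host must be objectstorage.<region>.oraclecloud.com with a single region label
    host="${1#https://}"; host="${host%%/*}"
    region="${host#objectstorage.}"; region="${region%.oraclecloud.com}"
    case "$region" in ""|*.*) return 1 ;; esac
    return 0
}

# Split a valid Native URI into URI_REGION, URI_NS, URI_BUCKET and URI_OBJECT.
# Namespaces and bucket names cannot contain "/", so the first /n/, /b/ and /o/
# are unambiguous; the object name may itself contain "/" (object "folders").
parse_native_uri() {
    is_native_uri "$1" || return 1
    rest="${1#https://objectstorage.}"
    URI_REGION="${rest%%.oraclecloud.com/*}"
    rest="${rest#*/n/}";  URI_NS="${rest%%/*}"
    rest="${rest#*/b/}";  URI_BUCKET="${rest%%/*}"
    rest="${rest#*/o/}";  URI_OBJECT="$rest"
}

# Usage with constructed sample values:
#   u=$(native_uri us-ashburn-1 atpc atpc_user export01.dmp)
#   parse_native_uri "$u" && echo "$URI_REGION $URI_NS $URI_BUCKET $URI_OBJECT"
```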



Sachin
Chief Architect
Oracle Apex Enthusiast
BuzzClan

Tuesday, October 15, 2019

OCI-Oracle ATP- Connect via SQLPlus on Linux


Continuing from my OCI series: Moving On-Premises Oracle Apex application to OCI Oracle Autonomous Transaction Processing

To connect to the ATP instance from a Linux machine, we have to do a little more leg work.

Some things to review before we get started.
The client software should be 11.2.0.4 (full install) or higher to be able to connect to the ATP instance. Instant Client can be downloaded and installed from these links:

Oracle Instant Client Downloads
Instant Client Downloads for Linux x86-64 (64-bit)

Downloads

Download the appropriate version per your requirements. I have installed the 18.5 version.
  • Basic Package - All files required to run OCI, OCCI, and JDBC-OCI applications
  • Tools-optional Package SQL*Plus Package - The SQL*Plus command-line tool for SQL and PL/SQL queries
  • Tools Package - Includes Data Pump, SQL*Loader and Workload Replay Client
I downloaded it to my local machine and then uploaded it to the Linux machine via FTP. There are ways to use wget, but they require more work because Oracle authentication is required.

Once downloaded, I unzipped it in the oracle user's home directory:

/home/oracle/instantClient

If you have another Oracle client installed on the machine, you may have to set things up slightly differently, but the basic steps are the same.

Setup Wallet and configuration files

Download the client credentials (wallet zip) to the machine, and unzip it into the oracle user's home directory:

drwxrwxr-x 2 oracle oracle  4096 Oct 13 17:28 Wallet_BuzzTAQDev
-rw-rw-r-- 1 oracle oracle 19814 Oct 13 17:25 Wallet_BuzzTAQDev.zip

Change the permissions of the extracted files to 600 (the wallet files contain the client's private key material, so no other user on the host should be able to read them):

[oracle@ip-172-30-0-39 Wallet_BuzzTAQDev]$ chmod 600 *
[oracle@ip-172-30-0-39 Wallet_BuzzTAQDev]$ ll
total 36
-rw------- 1 oracle oracle 6669 Oct 12 23:21 cwallet.sso
-rw------- 1 oracle oracle 6624 Oct 12 23:21 ewallet.p12
-rw------- 1 oracle oracle 3244 Oct 12 23:21 keystore.jks
-rw------- 1 oracle oracle   87 Oct 12 23:21 ojdbc.properties
-rw------- 1 oracle oracle  114 Oct 12 23:21 sqlnet.ora
-rw------- 1 oracle oracle 1751 Oct 12 23:21 tnsnames.ora
-rw------- 1 oracle oracle 3336 Oct 12 23:21 truststore.jks

If an Oracle database or client is already installed, we can put the tnsnames.ora and sqlnet.ora files in the existing network/admin directory under ORACLE_HOME.
If not, we move the files to the Instant Client network/admin location:

/home/oracle/instantClient/network/admin

Change the sqlnet.ora file :

WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = (DIRECTORY="/home/oracle/Wallet_BuzzTAQDev")))

#SSL_SERVER_DN_MATCH=yes

Make sure that all the TNS entries in the downloaded file are in the final tnsnames.ora file:

<>_high
<>_low
<>_medium
<>_tp
<>_tpurgent

Client configuration:

Add the location of the client install to the PATH variable in the oracle user's profile (the echo is needed so the assignment line itself is appended; a bare export redirected to the file appends nothing):

echo 'export PATH=$PATH:/home/oracle/instantClient' >> /home/oracle/.bash_profile

Add the library path the same way:

echo 'export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/home/oracle/instantClient' >> /home/oracle/.bash_profile

If you already have a SQL client installed, you may have to rename the key binaries to ensure you are running the proper version:

mv sqlplus sqlplus18

Going forward, we will use the sqlplus18 instead of sqlplus to run our scripts.
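The wallet and client setup above as a checked script. This is an added example, not part of the original post; it assumes the same paths as the post (/home/oracle/instantClient and /home/oracle/Wallet_BuzzTAQDev) unless overridden by IC_HOME, WALLET_DIR and TNS_PREFIX. It differs from the sqlnet.ora above in one respect: it keeps SSL_SERVER_DN_MATCH=yes, which is what makes the client verify that the server certificate's DN matches the TNS entry, and it uses TNS_ADMIN rather than relying on the client's default network/admin lookup.

```shell
#!/bin/sh
# Added example (not from the original post): prepare a TNS_ADMIN directory for
# an ATP wallet and verify it before the first sqlplus connection.
# Assumed paths are the ones used in the post; override via the environment.

IC_HOME="${IC_HOME:-/home/oracle/instantClient}"
WALLET_DIR="${WALLET_DIR:-/home/oracle/Wallet_BuzzTAQDev}"
TNS_PREFIX="${TNS_PREFIX:-buzztaqdev}"

# 1. Every wallet file must be mode 600: cwallet.sso and ewallet.p12 hold the
#    client's private key material, so no other user on the host may read them.
wallet_perms_ok() {
    dir="$1"
    [ -d "$dir" ] || return 1
    # POSIX find: -perm 600 matches only files whose mode is exactly 0600
    [ -z "$(find "$dir" -type f ! -perm 600)" ]
}

# 2. Write sqlnet.ora pointing at the wallet. SSL_SERVER_DN_MATCH stays "yes"
#    so the client checks the server certificate's DN against the TNS entry.
write_sqlnet() {
    admin_dir="$1"; wallet="$2"
    mkdir -p "$admin_dir"
    cat > "$admin_dir/sqlnet.ora" <<EOF
WALLET_LOCATION = (SOURCE = (METHOD = file) (METHOD_DATA = (DIRECTORY="$wallet")))
SSL_SERVER_DN_MATCH=yes
EOF
}

# 3. Confirm every consumer-group alias from the wallet exists in tnsnames.ora.
tns_entries_ok() {
    tns="$1"; prefix="$2"
    for svc in high low medium tp tpurgent; do
        grep -qi "^${prefix}_${svc}[[:space:]]*=" "$tns" || return 1
    done
    return 0
}

# 4. Profile lines to append: echo the assignment text itself, because a bare
#    "export VAR=... >> file" redirects export's empty output and appends nothing.
profile_lines() {
    ic="$1"; admin_dir="$2"
    printf 'export PATH=$PATH:%s\n' "$ic"
    printf 'export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:%s\n' "$ic"
    printf 'export TNS_ADMIN=%s\n' "$admin_dir"
}

# The real setup runs only when invoked as "./setup.sh setup", so the
# functions can be sourced and checked without touching the real paths.
if [ "${1:-}" = "setup" ]; then
    admin="$IC_HOME/network/admin"
    chmod 600 "$WALLET_DIR"/*
    wallet_perms_ok "$WALLET_DIR" || { echo "wallet permissions are wrong" >&2; exit 1; }
    write_sqlnet "$admin" "$WALLET_DIR"
    cp "$WALLET_DIR/tnsnames.ora" "$admin/"
    tns_entries_ok "$admin/tnsnames.ora" "$TNS_PREFIX" || { echo "tnsnames.ora is incomplete" >&2; exit 1; }
    profile_lines "$IC_HOME" "$admin" >> "$HOME/.bash_profile"
    echo "ready: connect with sqlplus admin@${TNS_PREFIX}_medium (password is prompted, never on the command line)"
fi
```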

Test your connection

[oracle@ip-172-30-0-39 instantClient]$  sqlplus18 admin@buzztaqdev_medium
SQL*Plus: Release 18.0.0.0.0 - Production on Tue Oct 15 18:13:44 2019
Version 18.5.0.0.0
Copyright (c) 1982, 2018, Oracle.  All rights reserved.
Enter password:
Message 1549 not found;  product=SQLPlus; facility=SP2
Connected to:
Oracle Database 18c Enterprise Edition Release 18.0.0.0.0 - Production
Version 18.4.0.0.0
SQL>


Happy testing!!


Sachin
Chief Architect
Oracle Apex Enthusiast
BuzzClan

Monday, October 14, 2019

OCI - ATP Database - Basic connectivity - SQL Developer

Continuing from my OCI series: Moving On-Premises Oracle Apex application to OCI Oracle Autonomous Transaction Processing

Once the database is provisioned, you can connect from various clients.

  1. Credential Zip File: in the ATP service console, choose DB Connection and then Download Credentials.


The Credential zip contains the following files:
  • Wallet and keystore:
    • cwallet.sso
    • ewallet.p12
    • keystore.jks
    • truststore.jks
  • Configuration
    • sqlnet.ora
    • tnsnames.ora
TNS entries are as follows:
  • High
  • Low
  • Medium
  • TP
  • TPurgent

Connecting to SQLDeveloper

Various versions will have different options when it comes to the connection type. I am sharing a couple of things I have seen. Either way, here are a few pointers. 
Download the latest SQL Developer. Cloud connections and secure connections are not available in older versions.


Open SQL Developer on your local computer. In the Connections panel, right-click Connections and select New Connection.
Note:
Depending on your version of SQL Developer, do not right-click Cloud Connection or Database Schema Service Connections. That menu selection is for connecting to a different Oracle cloud service, the Oracle Database Schema Service.

To start a new connection, start with New Connection, not the Cloud Connection.


The New/Select Database Connection dialog appears. Enter the following information:
  • Connection Name - Enter the name for this cloud connection.
  • Username - Enter the database username. Use the default administrator database account (admin) that is provided as part of the service.
  • Password - Enter the admin user's password that you or your Autonomous Transaction Processing administrator specified when creating the service instance.
  • Connection Type - Select Cloud Wallet (or Cloud PDB, depending on the version).
  • Configuration File - Click Browse, and select the Client Credentials zip file, downloaded from the Autonomous Transaction Processing service console by you.
  • Service - In the drop-down menu, service selections are prepended with database names. Select the tpurgent, tp, high, medium, or low menu item for your database. These service levels map to the TPURGENT, TP, HIGH, MEDIUM and LOW consumer groups, which provide different levels of priority for your session. 




Click Test, Save and Connect.

Link to the ObE - Connecting SQL Developer to Autonomous Transaction Processing

Next: OCI-Oracle ATP- Connect via SQLPlus on Linux

Sachin
Chief Architect
Oracle Apex Enthusiast
BuzzClan
