Monday, February 12, 2024

Simplified Data Safe notifications improve data security visibility

Notifications in OCI provide a common, efficient infrastructure for operational alerts and application integration. OCI notifications are reliable, low latency, and implement a publish and subscribe paradigm that reduces the need for polling by connected applications. Setting up notifications from scratch can be challenging, however. This is why Data Safe now makes it easier to configure notifications. Notifications allow you to quickly set up and receive messages informing you about a variety of different events and conditions in Data Safe. Best of all, you can now define notifications directly within the Data Safe console without navigating away from the feature you are working on. Notifications can improve operational security by alerting you with an email, SMS message, or Slack message when something in your database environment changes.

What are notifications?

To understand how we've made notifications easier to use, it’s necessary to first understand a little bit about how OCI notifications work. OCI notifications involve creating and associating OCI resources to create operational alerts. These resources include:

  • Events – structured messages that indicate changes in Data Safe resources.
  • Rules – filter the stream of events to trigger actions such as notifications for selected event conditions.
  • Notifications – messages that are created when some defined event that meets a rule’s condition is generated in OCI.
  • Topics – communication channels that are used to forward notifications to endpoints.
  • Subscriptions – endpoints to which notification messages are sent. For example, a subscription endpoint could be an email address, phone number, or Slack channel.

Putting it all together, an event that meets conditions defined by a rule triggers a notification that is sent to subscribers of a topic.

We've added contextual notifications to the Data Safe console to make setting up notifications easy for users. We are calling these contextual notifications because the events you choose from are now displayed within the context of the Data Safe function you are working with. No more scrolling through hundreds of different events trying to find the ones that are relevant to you!

A new notifications tab can be found in the various features of Data Safe, allowing you to create and manage notifications for a Data Safe feature while working in the context of that feature. You will find notification tabs in many areas of the Data Safe console, for example:

  • User assessment
  • Security assessment
  • Discovery
  • Masking
  • Activity auditing
  • SQL Firewall

To make getting started with notifications even easier, we created quick-start templates for the most common use cases. Let's look at an example of creating a simple but useful notification to show you how this works.

Security configuration drift

Many data breaches can trace their cause to administrator error. A frequent source of that error is configuration drift. A setting or parameter is changed – often to facilitate troubleshooting or solve an urgent operational issue – and that change weakens the system's security. Data Safe helps you identify this type of "drift" away from an approved security baseline, and notifications can bring that drift quickly to your attention. Let's use the new notifications capability to email us if Data Safe spots configuration drift. We first open the Security assessment page and click the new notifications tab.

On the notifications tab we see quick start templates – these are ready-to-go notification policies that make sense in the context of the Data Safe area you are working in. We’ll click A security assessment has drifted from baseline to create our notification.

To create our notification, we add three things to the template:

  • Name of the notification rule – this is what you want to call the notification, and it will appear in the email you get when security drift occurs
  • Topic name – this is what you will call the OCI resource to which you’ll add notification subscriptions. Note that a topic name cannot contain spaces.
  • Subscription – these are the locations to which you want notification messages to be sent. The most common form of subscription is an email, so you would enter an email address. Other types of subscriptions include SMS or Slack messages, RESTful API calls, or calls to OCI functions.

That’s all it takes – click Create notification, and the next time Data Safe detects that the most recent security assessment doesn’t match the baseline, you’ll get an email letting you know.

Note: for email subscriptions, Data Safe will first send an email to the address you entered asking you to confirm you wish to subscribe to the notification. Until you confirm the subscription, Data Safe will not actually send a notification email to that address.

Where can you find notifications within Data Safe?

You’ll find the new notification tabs throughout Data Safe – wherever it makes sense in the context of the screen you are working with to proactively notify you that something has changed. These include:

  • Security Assessment
  • User Assessment
  • Data Discovery – Sensitive data models
  • Data Masking – Masking policies
  • Activity auditing – Audit profiles, policies, trails, Archive data retrievals, and reports
  • SQL Firewall
  • Alerts – Reports and Target-policy associations

Notifications work the same way throughout Data Safe except for Target-policy associations in the alert console. We'll look at an example of that next.

Target-policy notifications

Data Safe includes several predefined alert policies for conditions like SQL Firewall violations, user profile changes, user entitlement changes, etc. When Data Safe detects the conditions defined by one of these policies, an alert is created, which you can view in the All alerts report. Alerts can also trigger an alarm, which in turn can be used to trigger a notification. Target-policy associations allow you to enable an alert policy for a Data Safe target database.

At first glance, these are similar to other notifications – two quick start templates are defined.

  • An alert was generated – this will send a notification anytime Data Safe detects an alert triggered for any target database with an alert policy associated with it
  • More than 1000 alerts were generated in 5 minutes – this is just what it sounds like – Data Safe will send you a notification if more than 1,000 alerts are triggered within five minutes. That can be for ANY of your targets, and the 1,000 count is cumulative across them.

These predefined templates make sense for Data Safe instances with just a few target databases. But as the number of target databases increases, the number of alerts generated in the system may also increase, and it might make sense to define your notification more narrowly. Let's take a look at a common use case – user entitlements.

Advanced alert notifications

We’re going to narrow down the conditions Data Safe will check to send us an alert so that we don’t receive notifications for things we don’t care about. In the case of user entitlement changes, I might only care if a new entitlement is granted, but not care if an entitlement is revoked. To create this kind of custom notification, we will click Create notification (the grey button) instead of using one of the templates. Then, we’ll click Advanced alarm notification. This opens a form where we can create our advanced notification. In the screenshot below you’ll see that I’ve added callouts to indicate where changes are entered into the form – for this use case, there are eight of them. That number will vary depending on how many rules you create.

  1. Alarm name – similar to the simplified notification templates like Security assessment drift from baseline, this is just what you want to call your notification. It appears as the description field in a notification message.
  2. Event type – there is only one choice here, Alert Generated.
  3. Click + Another condition to add a new condition. We’ll select Attribute for the condition, and then displayName for the attribute name. In Attribute values enter “User entitlement changes” – this is the name of the alert policy. You can find a list of alert policy names in the Alert policies resource page.
  4. Click + Another condition to add a second condition. This time, we'll select operation, and enter GRANT as the value we want to look for.
  5. Metric – Choose DeliverySucceedEvents and leave the rest of the fields at their default values.
  6. Trigger rule – This is where you select how many alarms need to occur before you will be notified. In this case, we want a notification anytime someone grants a new privilege, so we’ll choose “equal to” for the Operator, set the Value to one, and enter a Trigger delay in minutes of one.
  7. Now we are back on familiar ground – enter a topic name (don’t forget – no spaces allowed).
  8. Enter the email address you want to receive the notification.

Click Create notification and you’re done! You’ll be notified whenever Data Safe detects a user entitlement change AND that change is a grant.

By stacking different conditions you can narrow your notification focus to just those alerts you care about, reducing the “noise” of unnecessary notifications.

Note: conditions are always cumulative – always an “and” operation. There is no ability to have an “or” or “not” condition.
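As an added illustration (not code from the original post or from Data Safe), the following Python models the two behaviours described above: the ANDed attribute conditions of the advanced notification (displayName plus operation, from steps 3 and 4) and the cumulative "more than N alerts in M minutes" template counted across all targets. The event payload layout and the sample events are constructed assumptions, not the OCI event schema.

```python
from collections import deque
from typing import Deque, List, Tuple

# Constructed sample events. Each carries a displayName (the alert policy name)
# and an operation, as the page describes; the payload shape is an assumption.
SAMPLE_EVENTS = [
    {"eventType": "Alert Generated", "data": {"targetId": "target-a",
     "displayName": "User entitlement changes", "operation": "GRANT"}},
    {"eventType": "Alert Generated", "data": {"targetId": "target-a",
     "displayName": "User entitlement changes", "operation": "REVOKE"}},
    {"eventType": "Alert Generated", "data": {"targetId": "target-b",
     "displayName": "SQL Firewall violations", "operation": "GRANT"}},
]

# The two attribute conditions from steps 3 and 4 of the advanced notification.
GRANT_RULE: List[Tuple[str, str]] = [
    ("displayName", "User entitlement changes"),
    ("operation", "GRANT"),
]


def rule_matches(event: dict, conditions: List[Tuple[str, str]]) -> bool:
    """Every condition must hold: conditions are ANDed, there is no OR or NOT."""
    attrs = event.get("data", {})
    return all(attrs.get(name) == value for name, value in conditions)


def filter_events(events: List[dict], conditions: List[Tuple[str, str]]) -> List[dict]:
    """Return only the events that would trigger a notification under the rule."""
    return [e for e in events if rule_matches(e, conditions)]


class AlertBurstDetector:
    """Sliding-window counter for the 'more than N alerts in M minutes' template.

    Alerts from every target share one window, so the count is cumulative
    across all target databases, as the page notes.
    """

    def __init__(self, threshold: int = 1000, window_seconds: int = 300):
        self.threshold = threshold
        self.window = window_seconds
        self.times: Deque[float] = deque()

    def observe(self, timestamp: float) -> bool:
        """Record one alert; return True when the window now exceeds the threshold."""
        self.times.append(timestamp)
        while self.times and timestamp - self.times[0] > self.window:
            self.times.popleft()  # drop alerts older than the window
        return len(self.times) > self.threshold
```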

And that’s all there is to it. Notifications are extremely flexible and can be tailored for a wide variety of use cases. If you’d like to see the new feature in operation, here is a short video that walks you through several ways of using it. 

Source: oracle.com
