INTELLILINK Database Security Assessment Service for Oracle

Vulnerability visualization solution, a first step toward prevention of targeted database

Databases store many important information assets such as personal information, technical information, and intellectual property. In many cases, companies have suffered unexpected damage due to data breach or data falsification that steal information to get cash. It could lead to situations that cannot be ignored such as a loss of customers due to a damaged brand image, countermeasures or compensation costs, and administrative guidance that could affect the performance and survival of the company.

When considering database security measures, the first thing to do is to understand the current situation. INTELLILINK Database Security Assessment Service for Oracle can diagnose hidden vulnerabilities in Oracle databases on-premises or in the cloud in a short time and at low cost. We will present you with diagnostic results based on security settings recommended by Oracle and show you the points that need to be addressed. The diagnostic report classifies security risks into six levels in ten diagnostic areas, providing visualization of database configuration, operational, and implementation risks. We support customers who "want to diagnose the security level of their databases" or "need a security check by a third party to undergo a security audit".

Importance of database security, which has to be strong

The database runs on a strictly secured server data center that is inaccessible to the public. It was thought to be safe in the past because it runs on an internal network isolated from external networks and there is no fear of direct database access. However, the means of attack has become more diverse and sophisticated in recent years, and there have been incidents of information leaks via application server from the databases that cannot be directly accessed.

While it is very important to have strong security measures in place for the network and applications and ensure boundary protection, this does not mean that the database should be left unprotected. The malicious insider can easily steal the data if unprotected database can be accessed directly. It is necessary to consider how to manage the important data to be protected, control and manage the users who have access to the data, and review security holes in the database.

Various guidelines for strengthening database security

With the implementation of the My Number Act, the amendment of the Act on the Protection of Personal Information, and the addition of description to the security guidelines issued by the National Center of Incident Readiness and Strategy for Cybersecurity. (NICS), database security measures are becoming even more demanding.

Name Activities for Strengthening Security Target
PCIDSS(*1) December 2004 Establishment of PCI DSS Companies that handle credit cards
November 2013 Upgraded to v3.0
Added encryption, access control, auditing, masking, configuration management//
Cyber Security Management Guidelines(*2) December 2015 Published guidelines
Added multi-layered protection and advanced encryption, access control, and auditing of critical data (databases, files)//
Company managers
Companies that provide IT systems and companies for which using IT is essential for management strategy
November 2017 Added description requiring the establishment of mechanism for attack detection and recovery//
Common Standards for Information Security Measures for Government Agencies(*3) September 2005 Published Common Standards for Information Security Measures for Government Agencies Government agencies
August 2016 Published 2016 version
Added new database items. Added split administrative privileges, access control, auditing/detection and encryption//
Public offices, independent administrative institutions
Revised Act on the Protection of Personal Information(*4) September 2015 Law passed and promulgated Business operators or industry associations that hold personal information
November 2016 Published guidelines
Clarified personal information to be protected
AddedAccess control, encryption, auditing and detection, cipher processingin the General Rules
Revised Installment Sales Act(*5) February 2017 Law passed and promulgated Added description demanding PCIDSS compliance when credit card information is retained. Companies that handle credit cards

First step in strengthening database security

The first step in considering database security measures is to understand whether the current configuration has any vulnerabilities. Due to the emphasis on operational efficiency, the assignment of strong privileges to general users, and the lack of internal resources, user inventories are not kept for a long period of time and temporarily created test users or accounts of employees who have left the company are left neglected. In addition, the robustness of database will reduce with the cases left neglected where necessary security patches are not applied due to failure to catch up with patch information released by vendors.

It is important to diagnose database vulnerabilities and visualize areas that need to be addressed and items that need to be strengthened further. This is not just a one-time diagnostic service, but also supports periodic diagnostics, which can be useful for early detection of newly emerging risks.

Low-cost and quick security diagnostics of Oracle database

Service Overview
  • We examine the security status of your Oracle database and generate a diagnostic report.
  • Based on Oracle recommended settings, we present the recommended countermeasures along with the diagnostic results.
  • Customer needs to run the diagnostic script and send back the results and configuration file.
Price One-time300,000 yen ~
*Price for one database regardless of RAC configuration. Please discuss if the number of instances in RAC configuration exceeds 4
*If you wish to have periodic diagnosis, please discuss separately.
Period About 5 business days after running and returning the diagnostic script results and configuration file////

Scope of service

Supports a wide range of DB versions

Oracle Database 10gR2 or later
( or later)

Supports various OS types

Linux, Solaris, HP-UX,AIX, Windows

Also support cloud environment

On-premises, cloud
(such as Oracle Cloud, AWS (excluding RDS))

*The information collection script used in this service must be executable in the environment where the DB is running.

Diagnosis report

For each of the 10 diagnostic areas, we determine the gap with Oracle recommended configuration (value). We report the gaps by classifying them into six risk levels in accordance with the judgment criteria of Oracle. From this report, you can easily visualize and check the points of security risks.

10 diagnostic areas

# Diagnostic Area Overview of Diagnostic Items
1 Basic information Usage of security patches and security features
2 User account Default table area, password related, profile settings
3 Permissions and roles Strong administrative privileges, strong roles
4 Authentication control Behavior control of privilege management user
5 Data encryption Transparent data encryption
6 FGA control Access control implementation
7 Audit Audit trail setting, audit policy
8 Database configuration Initialization parameters, dictionary access rights
9 NW configuration Network encryption, client connection control
10 OS configuration OS authentication, directory permissions

Risk Summary Graph

The risks found as a result of the diagnosis are classified into six levels, and the number of occurrences is tabulated. The number of risks that occurred in each diagnostic area is shown in the "Risk Area Summary Graph".

Risk Summary Graph

Risk Area Summary Graph

Risks found in each of the 10 diagnostic areas are classified into six levels and the number of occurrences is tabulated. Areas that need to be checked on priority are marked with a "Caution" mark.

Risk Area Summary Graph

*The image above shows a part of the diagnostic report. The actual report provides a more detailed description of each risk.

Prerequisites for service

Please consult us for implementation of measures to address vulnerabilities We provide support for the study and implementation of security risk countermeasures for a separate fee. (If you have an Oracle maintenance contract with us, QA will be handled by Oracle maintenance.)
*We visualize and report security risks, but visualization of all security risks is not guaranteed.
Please run the information collection script at your convenience. Customer needs to execute the scripts we provide.
We do not access the business data We search (SELECT) parameter and dictionary information from the Oracle database and export it to the output file.
*Performance impact on script execution is negligible.

Service Flow

  • 1. Hold a meeting and collect information

    We will collect information about database configuration, environment information, version, etc.

  • 2. Provide diagnostic materials

    We will give you information collection script to be used in the diagnosis.

  • 3. Run information collection script

    The customer runs the script in the database to be diagnosed.

  • 4. Return results after running the script

    You will be asked to provide listener.ora and sqlnet.ora along with the information you have collected.

  • 5. Analytical investigation

    We will analyze the data in about 5 business days after we receive it.

  • 6. Send diagnostic report

    We will send the diagnostic report to customer.


When considering database security measures, the first thing to do is to understand the current situation. Why don't you visualize hidden risks with a security diagnosis? Please feel free to contact us.

Related content

Material Download

[Introductory Material] INTELLILINK Database Security Assessment Service for Oracle (PDF: 2 pages, 1.61MB)

* These products or services are only available in Japan.

INTELLILINK Database Security Assessment Service for Oracle