
Modern Security Features in Oracle Database 23c and Oracle 23ai

Lesson 6: New security features
Objective: Describe security management improvements.

Oracle Database 23c and Oracle 23ai introduce a unified, cloud-ready security model that integrates infrastructure controls, automated encryption, access governance, and AI-assisted threat detection. These enhancements replace the older, manual configuration methods of Oracle 11g and earlier versions, offering a modern “secure-by-default” foundation for both on-premises and cloud deployments.

1. Cloud Infrastructure and Identity Integration

In Oracle Cloud Infrastructure (OCI), database security begins at the network and identity layer. Administrators configure access through OCI Identity and Access Management (IAM), which centralizes user provisioning, role-based policies, and single sign-on across multiple databases and applications.

By provisioning databases in private subnets within a Virtual Cloud Network (VCN), administrators isolate resources from public exposure. Secure connectivity is established through VPN or FastConnect tunnels, ensuring encrypted communication over SSL/TLS between the client and the database.

2. Advanced Encryption and Data Protection

Oracle 23c enforces encryption as a default security standard. All data at rest and in transit can be encrypted using Transparent Data Encryption (TDE) and Oracle Native Network Encryption. Encryption keys are stored within a unified Oracle Keystore Service, which is automatically managed in the cloud or configured locally in hybrid environments.

In Oracle Autonomous Database, these protections are automatically configured during provisioning—eliminating the need for manual wallet creation or key rotation scripts.

3. Fine-Grained Access and Row-Level Security

Oracle continues to refine Virtual Private Database (VPD) technology to enforce row-level access control through context-sensitive predicates. In 23c, these policies can be defined using DBMS_RLS and are now fully compatible with MERGE INTO statements, simplifying secure data manipulation.

Administrators can define access policies that dynamically filter rows based on user identity, department, or application context:

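-- Attach a VPD policy to HR.EMPLOYEES. For every listed statement type,
-- Oracle calls SEC_ADMIN.get_user_predicate and appends the text it
-- returns to the statement as a WHERE condition.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',                  -- schema that owns the protected table
    object_name     => 'EMPLOYEES',           -- table the policy applies to
    policy_name     => 'HR_ROW_ACCESS',
    function_schema => 'SEC_ADMIN',           -- schema that owns the policy function
    policy_function => 'get_user_predicate',  -- returns the row filter predicate
    statement_types => 'SELECT, INSERT, UPDATE, DELETE'
  );
END;
/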

This ensures each user only sees or modifies data they are authorized to access, even when using shared applications.
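The ADD_POLICY call above names SEC_ADMIN.get_user_predicate, but the page does not show that function. The following is an added example, not code from the original page or from Oracle: one way to write the function so that it fails closed. The context HR_CTX, the package HR_CTX_PKG, the mapping table SEC_ADMIN.USER_DEPT and the DEPARTMENT_ID column are assumptions.

```sql
-- Assumed names, not from the page: context HR_CTX, package HR_CTX_PKG,
-- mapping table SEC_ADMIN.USER_DEPT(username, department_id).
-- 1. Application context that only the trusted package may write.
CREATE OR REPLACE CONTEXT hr_ctx USING sec_admin.hr_ctx_pkg;
CREATE OR REPLACE PACKAGE sec_admin.hr_ctx_pkg AS
  PROCEDURE set_dept;   -- call once per session, e.g. from a logon trigger
END hr_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY sec_admin.hr_ctx_pkg AS
  PROCEDURE set_dept IS
    v_dept sec_admin.user_dept.department_id%TYPE;
  BEGIN
    SELECT department_id INTO v_dept
      FROM sec_admin.user_dept
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('HR_CTX', 'DEPT_ID', TO_CHAR(v_dept));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      NULL;  -- unmapped user: DEPT_ID stays unset, so the predicate matches no rows
  END set_dept;
END hr_ctx_pkg;
/

-- 2. Policy function named in the ADD_POLICY call. Oracle passes the schema
--    and object name and appends the returned text as a WHERE condition.
CREATE OR REPLACE FUNCTION sec_admin.get_user_predicate (
  p_schema IN VARCHAR2, p_object IN VARCHAR2
) RETURN VARCHAR2 AS
BEGIN
  -- Reference SYS_CONTEXT inside the predicate instead of concatenating the
  -- value: no string-built SQL, and an unset context matches no rows.
  RETURN 'department_id = SYS_CONTEXT(''HR_CTX'', ''DEPT_ID'')';
END get_user_predicate;
/

-- 3. Variant of the page's registration (use instead of it, not in addition):
--    update_check => TRUE also tests the new row values of INSERT and UPDATE.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMPLOYEES',
    policy_name     => 'HR_ROW_ACCESS',
    function_schema => 'SEC_ADMIN',
    policy_function => 'get_user_predicate',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE
  );
END;
/
```

SYS and any account granted EXEMPT ACCESS POLICY bypass VPD policies entirely, so review who holds that privilege when relying on row-level filtering.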

4. Autonomous Security and Self-Patching

Oracle Autonomous Database—built upon 23c technology—automates traditional security operations:

These capabilities form a zero-trust framework that keeps cloud databases secure and compliant with enterprise policies.

5. Authentication, Authorization, and Schema Control

Oracle 23c introduces enhanced account management aligned with least-privilege principles:

6. Secure Data Access and API Integration

Oracle 23c supports secure data exposure through Oracle REST Data Services (ORDS), enabling RESTful access without direct database logins. Access tokens, OAuth2 credentials, and privilege definitions enforce granular control for each API endpoint.

Additionally, the DBMS_CLOUD package allows secure integration with external object storage, while the Data Sharing feature lets users share live datasets through authenticated tokens—ensuring that sensitive information is never exposed unintentionally.

7. Oracle Wallet Manager and Directory Integration

[Figure: Oracle Wallet Manager securing SSL connections for web and database communication]
The Oracle Wallet Manager, still part of the modern security framework, manages SSL certificates and credentials for encrypted client and server communication. When integrated with OCI IAM or directory services, wallets ensure that applications, APIs, and users authenticate securely before accessing database resources.

Conclusion

Oracle 23c and 23ai advance database security through automation, encryption, and identity integration. Features such as schema-only accounts, automated key management, and AI-driven threat detection represent a shift from manual configuration to continuous, adaptive security. The database and cloud infrastructure now work together to ensure a resilient and compliant environment from the network layer to the row level.

