
Oracle Advanced Security (OAS)
- Introduced in Oracle8i.
- Combines (a) strong authentication with (b) encryption of data in storage and while being transferred to and from the database.
- Includes Transparent Data Encryption (TDE), Wallet Management, Network Encryption, RADIUS, Kerberos, Secure Sockets Layer (SSL) authentication, etc.
- Helps customers address regulatory compliance requirements, including
  - Sarbanes-Oxley (SOX),
  - Payment Card Industry Data Security Standard (PCI-DSS),
  - Health Insurance Portability and Accountability Act (HIPAA), and
  - numerous breach notification laws.
OAS provides (transparent) data encryption and strong authentication services
- Protects sensitive data on the network, on storage media and within the database from unauthorized disclosure.
- Also protects against theft, loss, and improper decommissioning of storage media and database backups.
[Figure: OAS Components]
Transparent Data Encryption (TDE)
- Encrypts data before it is written to storage and
- automatically decrypts data when reading it from storage, without any changes to existing applications (no need for triggers, views, etc.).
- Access controls enforced by the Oracle database still remain in effect. These include object grants, roles, Virtual Private Database and Oracle Database Vault.
- Two supported modes: TABLESPACE ENCRYPTION (11g only) and COLUMN ENCRYPTION (introduced in 10g Release 2).
- Tablespace Encryption: good for encrypting entire app tables
- Column Encryption: good for individual data elements (credit cards, SSNs, etc).
- Frequently accessed data blocks are cached in memory in the same manner as traditional unencrypted data blocks.
Key Management
- Two-tier key management architecture: MASTER encryption key + one or more DATA encryption keys.
- TDE MASTER Encryption key (MEK): used to encrypt and protect the DATA encryption keys.
- TDE MEK: can be stored in the Oracle Wallet.
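As an added illustration of the two TDE modes and the wallet-based key management described above (example SQL written for this page, not taken from the original post or from Oracle documentation), the statements below assume an 11g database whose sqlnet.ora already points ENCRYPTION_WALLET_LOCATION at a wallet directory; the wallet password, table names, datafile path and column names are placeholders:

```sql
-- 1. Create the TDE master encryption key (MEK) and the wallet that stores it.
--    The MEK never leaves the wallet; it only wraps the per-table/per-tablespace data keys.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPassw0rd!";

-- On later instance restarts the wallet must be opened before encrypted data is readable.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WalletPassw0rd!";

-- 2. COLUMN ENCRYPTION (10g R2+): protect individual sensitive elements.
--    NO SALT is required on a column you intend to index; salted columns cannot be indexed.
CREATE TABLE customers (
  id       NUMBER        PRIMARY KEY,
  name     VARCHAR2(100),
  card_no  VARCHAR2(19)  ENCRYPT USING 'AES256' NO SALT,
  ssn      VARCHAR2(11)
);
-- Encrypt an existing column in place; applications keep using the same SQL.
ALTER TABLE customers MODIFY (ssn ENCRYPT USING 'AES256');
-- Works because card_no was declared NO SALT.
CREATE INDEX customers_card_ix ON customers (card_no);

-- 3. TABLESPACE ENCRYPTION (11g): protect whole application tables.
--    Every block written to this tablespace is encrypted; blocks are decrypted on read
--    into the buffer cache, so cached data behaves like any other block.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/ORCL/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
-- Move an existing table into the encrypted tablespace (rebuilds it under encryption).
ALTER TABLE orders MOVE TABLESPACE secure_ts;

-- 4. Verification a DBA or auditor would run.
SELECT wrl_type, status FROM v$encryption_wallet;                         -- expect OPEN
SELECT table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;                                              -- card_no NO, ssn YES
SELECT tablespace_name, encrypted FROM dba_tablespaces
 WHERE tablespace_name = 'SECURE_TS';                                      -- expect YES
```

Object grants, roles, VPD policies and Database Vault realms on these tables continue to apply unchanged; TDE only changes what is written to disk.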
Network encryption
- Provides standards-based network encryption.
- The server can be configured to reject connections from clients that have encryption turned off.
- No changes to existing applications are required.
Strong Authentication
- Kerberos, PKI or RADIUS
- SSL-based authentication can make use of Smart Cards.
Encrypted database backups
- RMAN backups of TDE-encrypted data remain encrypted.
- RMAN can call TDE during the backup process to encrypt the entire database (including SYSTEM and SYSAUX).
- RMAN can COMPRESS and use TDE to ENCRYPT => compact and secure backups.