Oracle Advanced Security

Oracle Advanced Security (OAS)

  • Introduced in Oracle8i.
  • Combines (a) strong authentication with (b) encryption of data in storage and while being transferred to and from the database.
  • Includes Transparent Data Encryption (TDE), Wallet Management, Network Encryption, RADUIS, Kerberos, Secure Socket Layer (SSL) Authentication, etc.
  • Helps customers address regulatory compliance requirements, including
    • - Sarbanes-Oxley (?)
    • - Payment Card Industry Data Security Standard (PCI-DSS),
    • - Health Insurance Portability and Accountability Act (HIPAA), and numerous
    • - Breach notification laws.

OAS provides (transparent) data encryption and strong authentication services
- Protect sensitive data on the network, on storage media and within the database from unauthorized disclosure.
- Also protects against theft, loss, and improper decommissioning of storage media and database backups

OAS Components
Transparent data Encryption (TDE)
  • Encrypts data before it is written to storage and
  • automatically decrypts data when reading it from storage without any changes to existing applications (no need for triggers, views, etc..)
  • Access controls that are enforced by the Oracle database still remain in effect. These include object grants, roles, virtual private database and Oracle Database Vault.
  • Two supported modes: TABLESPACE ENCRYPTION (11g only) and COLUMN ENCRYPTION (Introduced on 10g r2)
    • Tablespace Encryption: good for encrypting entire app tables
    • Column Encryption: good for individual data elements (credit cards, SSNs, etc).
    • Frequently accessed data blocks are cached in memory in the same manner as traditional nonencrypted data blocks

KEY Management
  • Two-tier key management architecture: MASTER encryption key + one or more DATA encryption keys.
  • TDE MASTER Encryption key (MEK): used to encrypt and protect the DATA encryption keys.
  • TDE MEK: can be stored in the Oracle Wallet.

Network encryption
  • Provides standards-based network encryption
  • Connections can be rejected from clients that have encryption turned off
  • No changes to existing applications are required

Strong Authentication
  • Kerberos, PKI or RADIUS
  • SSL-based authentication can make use of Smart Cards.

Encrypted database backups
  • RMAN backups encrypted data.
  • RMAN can call TDE during the backup process to encrypt the entire database (including SYSTEM and SYSAUX).
  • RMAN can COMPRESS and use TDE to ENCRYPT => compact and secure backups.

No comments:

Post a Comment