Data security has become an extremely hot topic, as several large organizations have suffered data loss or data theft recently, and major viruses threaten the security of our networks and database environments like never before. With more systems storing more data, we are also seeing greater requirements for regulatory compliance, such as PCI, CIS and Sarbanes Oxley. In this series of blogs, Cintra explore ways in which you can safeguard your data.
Securing Stored Data Using Transparent Data Encryption
Transparent Data Encryption (TDE) enables you to encrypt data so that only an authorized recipient can read it. It enables you to encrypt sensitive data, such as credit card numbers, stored in tables and tablespaces. Encrypted data is transparently decrypted for a database user or application that has access to data. TDE helps protect data stored on media in the event that the storage media or data file is lost or stolen.
Benefits of Using Transparent Data Encryption
Transparent Data Encryption (TDE) has the following advantages:
- Security: you can be sure that sensitive data is safe if the storage media or data file is lost or stolen. The master encryption key is stored outside of your database, and your data cannot be decrypted without it.
- Easy to implement: no code changes are necessary; encryption is completely transparent to the application. Key management operations are also automated. No storage overhead.
- Compliance: TDE helps you address security-related regulatory compliance requirements.
Types of Transparent Data Encryption
Transparent Data Encryption (TDE) column encryption enables you to encrypt sensitive data stored in select table columns.
TDE tablespace encryption enables you to encrypt all data stored in a tablespace.
Both TDE column encryption and TDE tablespace encryption use a two-tiered, key-based architecture. Even if the encrypted data is retrieved, it cannot be understood until authorized decryption occurs, which is automatic for users authorized to access the table.
How TDE Column Encryption Works
The TDE master encryption key is stored in an external security module, which can be an Oracle software keystore, such as an Oracle Wallet, or a hardware keystore. This TDE master encryption key encrypts and decrypts the TDE table key, which in turn encrypts and decrypts data in the table column.
Storing the TDE master encryption key in this way prevents its unauthorized use. Using an external security module separates ordinary program functions from encryption operations, making it possible to assign separate, distinct duties to database administrators and security administrators. Security is enhanced because the keystore password can be unknown to the database administrator, requiring the security administrator to provide the password.
Oracle Wallet for TDE
Oracle Wallet works seamlessly with TDE and is easy to install. It runs as a separate application/process from the database and can be password protected and shared with a security administrator. Because its password is separate from the database passwords, DBAs do not necessarily need access to it.
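As an added example (not part of the original post), the following Oracle 12c SQL sets up the pieces described above: a software keystore (Oracle Wallet) at an assumed path, a TDE master encryption key inside it, then one encrypted column and one encrypted tablespace, followed by the views used to verify the result. The keystore path, data file path, passwords, table and tablespace names are placeholders, and the statements assume the SYSKM (or SYSDBA) privilege.

```sql
-- Added example; not from the original post. Oracle 12c syntax.
-- Assumed keystore path; sqlnet.ora on the server points ENCRYPTION_WALLET_LOCATION here:
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=
--     (DIRECTORY=/u01/app/oracle/admin/ORCL/wallet)))

-- 1. Create the software keystore (Oracle Wallet). The keystore password belongs to
--    the security administrator; the DBA does not need to know it.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/ORCL/wallet'
  IDENTIFIED BY "KeystorePwd#1";

-- 2. Open the keystore. While it is closed, encrypted columns and tablespaces
--    cannot be read, even by a user who is otherwise authorized.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "KeystorePwd#1";

-- 3. Generate the TDE master encryption key inside the keystore. WITH BACKUP takes a
--    copy of the keystore first: losing this key means losing all encrypted data.
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "KeystorePwd#1" WITH BACKUP;

-- 4. Column encryption: a table key (itself wrapped by the master key) protects only
--    the card_number column. NO SALT is required if the column is to be indexed.
CREATE TABLE customers (
  id          NUMBER PRIMARY KEY,
  name        VARCHAR2(100),
  card_number VARCHAR2(19) ENCRYPT USING 'AES256' NO SALT
);

-- 5. Tablespace encryption: everything stored in this tablespace is encrypted at
--    the storage layer, with no per-column declaration needed.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/app/oracle/oradata/ORCL/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 6. Verification: keystore location and state, then which columns and
--    tablespaces are actually encrypted.
SELECT wrl_type, wrl_parameter, status, wallet_type FROM v$encryption_wallet;
SELECT table_name, column_name, encryption_alg, salt FROM dba_encrypted_columns;
SELECT tablespace_name, encrypted FROM dba_tablespaces WHERE encrypted = 'YES';
```

Expect STATUS to read OPEN in v$encryption_wallet before inserting data; if it reads CLOSED, step 2 must be repeated after every database restart unless an auto-login keystore is configured.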
Limitations of Transparent Data Encryption
- TDE column encryption encrypts and decrypts data at the SQL layer.
- Although most data types are supported, there are some limitations; please check the Oracle documentation for the limitations of TDE column encryption.
- TDE requires licenses for Oracle Advanced Security.
If you’re interested in learning more about TDE or other aspects of Oracle Security, contact Cintra today!
Written by Sandip Patel, Oracle DBA, May 2014