Encryption and Redaction in Oracle Database 12c with

Encryption And Redaction In Oracle Database 12c With-Free PDF

  • Date:25 Oct 2020
  • Views:8
  • Downloads:0
  • Pages:13
  • Size:706.03 KB

Share Pdf : Encryption And Redaction In Oracle Database 12c With

Download and Preview : Encryption And Redaction In Oracle Database 12c With


Report CopyRight/DMCA Form For : Encryption And Redaction In Oracle Database 12c With


Transcription:

Table of Contents,Introduction 1,Preventing Database Bypass with Encryption 2. Oracle Advanced Security Transparent Data Encryption 2. Protecting Sensitive Data Using TDE Column Encryption 3. Protecting Entire Applications Using TDE Tablespace Encryption 3. Protecting the Database Using TDE Database Encryption 4. Performance Characteristics 4,Built In Key Management 4. Encryption Impact for Common Operational Activities 5. Limiting Sensitive Data Exposure with Data Redaction 6. Oracle Advanced Security Data Redaction 6,Policies and Transformations 7. Performance Characteristics 8,Security Considerations 8. Easy to Deploy Data Redaction 8,Comparison to Alternative Approaches 9.
Applying Encryption and Redaction in Oracle Multitenant Architecture 10. Conclusion 10, 0 ENCRYPTION AND REDACTION IN ORACLE DATABASE 12C WITH ORACLE ADVANCED SECURITY. Introduction, Rising security threats expanding compliance requirements consolidation and cloud computing are. just a few of the reasons why data security has become critical Nearly 10 years after the first U S. breach notification law the need for strong preventive controls continues to increase as access to data. expands Initiatives such as the European Union s General Data Protection Regulation GDPR help. ensure data security remains a top priority for organizations Stolen client devices including tablets. and smartphones have the potential to easily expose sensitive information as users move beyond the. laptop Outsourcing offshoring corporate mergers and nearly continuous organizational change. create additional risks by making it easier for malicious insiders to obtain sensitive data and for outside. hackers to gain access to servers using social engineering attacks These growing trends are just one. reason why centralized and efficient protection of sensitive data regardless of the applications being. used is more important than ever Implementing security measures that consistently protect sensitive. data at the source becomes a critical control as stored data continues to proliferate and access to data. expands beyond traditional boundaries Protecting data requires a defense in depth multi layered. approach that encompasses controls to evaluate security postures prevent data loss detect. suspicious activities and apply data access controls at the source through data driven security Oracle. Database 12c Release 2 strengthens Oracle s industry leading database security solution by providing. important new security measures in each of these areas. Oracle Advanced Security option with Oracle Database 12c delivers two essential preventive controls. covering encryption of data at rest and redaction of sensitive data displayed by applications These. controls help protect sensitive data from being exposed directly from storage or through applications. Oracle Advanced Security Transparent Data Encryption TDE helps prevent attacks that attempt to. bypass the database and read sensitive information from data files at the operating system level from. database backups or from database exports Oracle Advanced Security Data Redaction. complements TDE by redacting sensitive data in query results before the data leaves the database. thus reducing the risk of unauthorized data exposure in applications This white paper describes TDE. and Data Redaction and explains how these valuable preventive controls can work together to help. secure your sensitive data,Preventing Database Bypass with Encryption. Data at rest encryption is an important control for blocking unauthorized access to sensitive data using methods that. circumvent the database Privileged operating system accounts are just one of the vehicles used by attackers and. malicious insiders to gain access to sensitive information directly in physical storage. Oracle Advanced Security Transparent Data Encryption TDE stops attackers from bypassing the database and. reading sensitive information from storage by encrypting data in the database layer Applications and users. authenticated to the database continue to have access to application data transparently while unauthenticated. users attempting to circumvent the database are denied access to clear text data To understand this better. consider the fact that privileged operating system users can access database tablespace files and extract sensitive. data using simple shell commands In addition consider the possibility of attacks that read sensitive data from lost. stolen or improperly decommissioned disks or backups Figure 1 shows an example of extracting customer credit. card numbers directly from storage using the common Linux strings command and a search pattern. Figure 1 Extracting customer credit card numbers from Oracle database tablespace files. Oracle Advanced Security Transparent Data Encryption. Transparent Data Encryption resides at an optimal layer within the database to prevent database bypass while. maintaining application transparency TDE deploys quickly and encrypts individual application table columns. application tablespaces or entire databases It is transparent to applications because the encryption and decryption. processes do not require any application changes and the application users do not have to directly deal with. encrypted data Most importantly TDE s built in two tier encryption key management provides full key lifecycle. management tracking the keys across their lifetime with helpful meta data attributes and assisted encryption key. rotation switching to a new master key with no downtime Figure 2 shows how encrypting an Oracle database. using TDE prevents database bypass, Figure 2 Encrypting with Transparent Data Encryption to prevent database bypass. TDE is unique when compared to alternative approaches that encrypt entire storage volumes or require new toolkits. and programming APIs These approaches do not protect against many bypass attacks may require significant. application changes have complex key management and are not integrated with complementary technologies such. as Oracle Advanced Compression Oracle Real Application Cluster RAC Oracle Recovery Manager RMAN. Oracle Multitenant Oracle GoldenGate and Oracle Active Data Guard. The high level of protection provided by TDE follows common standards for strong encryption as described in the. figure below With Oracle 12c Release 2 TDE supports operation with a FIPS 140 2 Level 1 cryptographic module. using approved encryption suites for SSL TLS and TDE encryption. Encryption Algorithms Hashing Algorithms optional, Advanced Encryption Standard AES Secure Hash Algorithm 1 SHA 1.
Key length 128 192 256 bits Digest length 160 bits. Triple Data Encryption Standard TDES,Key length 168 bits. Regional encryption algorithms,ARIA and SEED, Figure 3 Standard encryption and hashing algorithms used by TDE. Protecting Sensitive Data Using TDE Column Encryption. Oracle Advanced Security TDE column encryption can be used to encrypt specific data in application tables such as. credit card numbers and U S Social Security numbers Customers identify columns within their application schema. containing sensitive or regulated data and then encrypt only those columns This approach is useful when the. database tables are large only a small number of columns must be encrypted and the columns are known TDE. column encryption also is useful for warehouse applications where each query is likely to return a very different set. of data Oracle Enterprise Manager Sensitive Data Discovery searches for and identifies sensitive columns quickly. Data encrypted using TDE column encryption remains encrypted on backup media and discarded disk drives. helping prevent unauthorized access and potential data breaches that bypass the database. Protecting Entire Applications Using TDE Tablespace Encryption. Oracle Advanced Security TDE tablespace encryption protects entire application tables by encrypting the underlying. tablespaces It encrypts application tablespaces regardless of the data s sensitivity and irrespective of its data type. Tablespace encryption simplifies the encryption process because there is no need to identify specific database. columns It is useful when the database contains a large amount of sensitive data to be encrypted and the columns. reside in many different locations TDE tablespace encryption and TDE column encryption can be used. independently of one another or together within the same database As is the case with both TDE column. encryption and TDE tablespace encryption data remains protected on backup media as a measure against potential. bypass attacks, Protecting the Database Using TDE Database Encryption. Oracle Advanced Security TDE database encryption protects entire databases including Oracle supplied. tablespaces SYS SYSAUX TEMP and UNDO A new capability with Oracle 12c Release 2 this approach ensures. that sensitive system and metadata information remain protected through encryption as well as application data. Performance Characteristics, TDE s cryptographic operations are extremely fast and well integrated with related Oracle Database features TDE. leverages CPU based hardware cryptographic acceleration available in Intel AES NI and Oracle SPARC T4 T5. platforms to increase performance by up to 5x or more The block level operations of TDE tablespace encryption. receive an additional performance boost from database buffering and caching Tablespace encryption integrates. seamlessly with Oracle Advanced Compression ensuring that compression occurs before encryption Tablespace. encryption also integrates with the advanced technologies in Oracle Exadata such as Exadata Hybrid Columnar. Compression EHCC and Smart Scans which offload certain cryptographic processing to storage cells for fast. parallel execution,Built In Key Management, Key management is critical to the security of the encryption solution Oracle Advanced Security TDE provides an.
out of the box two tier key management architecture consisting of data encryption keys and a master encryption. key The data encryption keys are managed automatically by the database and are in turn encrypted by the master. encryption key The master encryption key is stored and managed outside of the database within an Oracle Wallet. a standards based PKCS12 file that protects keys or in Oracle Key Vault a centralized key management platform. Keeping the master key separate from the encrypted data mitigates attacks because both the keys and the. encrypted data must be separately compromised to gain access to clear data The two tier key architecture also. enables rotation of master keys without having to re encrypt all of the sensitive data Oracle Advanced Security. defines a dedicated SYSKM role that may run all key management operations including rotating master keys and. changing the keystore password This role can be optionally delegated to a designated user account to enable. separation of duty for these functions Oracle Enterprise Manager provides a convenient graphical user interface for. creating rotating and managing TDE master keys as shown in the figure below. Oracle Key Vault is a full stack security hardened software appliance which provides centralized management of. encryption keys Oracle Wallets Java Keystores and credential files Oracle Key Vault works with TDE to automate. the management of TDE master keys including creation rotation and expiration Oracle Key Vault itemizes and. stores the contents of Oracle Wallets in a master repository where they can be recovered back to servers if their. local copies are mistakenly deleted or their passwords are forgotten In addition Oracle Key Vault can centrally. manage TDE master keys over a direct network connection as an alternative to using local wallet files eliminating. operational challenges of wallet file management such as periodic password rotation wallet file backups and wallet. file recovery Using Oracle Key Vault with TDE enables sites to scale their TDE deployments to hundreds or. thousands of databases while improving operational efficiencies reducing TCO and enabling consistent key. management policies Oracle Key Vault supports hybrid cloud deployments so organizations migrating to the. Oracle Cloud can use it to support TDE deployments in both their cloud and on premises databases. Figure 4 Managing and rotating TDE master keys using Oracle Enterprise Manager. Encryption Impact for Common Operational Activities. Essential day to day database operational activities can potentially leak sensitive data when not performed properly. making bypass easy Examples of these activities include database backup and restore data movement high. availability clustering and replication, Database Technologies Example Points of Integration TDE Support. High Availability Clusters Oracle Real Application Clusters RAC Data Guard Active Data Guard. Backup and Restore Oracle Recovery Manager RMAN Oracle Secure Backup. Export and Import Oracle Data Pump Export and Import. Database Replication Oracle Golden Gate,Pluggable Databases Oracle Multitenant Option. Engineered Systems Oracle Exadata Smart Scans, Storage Management Oracle Automatic Storage Management ASM. Data Compression Oracle Standard Advanced and Hybrid Columnar Compression. Figure 5 Example integrations with Oracle Advanced Security TDE. Oracle Advanced Security TDE supports these critical database operational activities and helps ensure that the data. remains encrypted Tablespace encryption integrates with Oracle Recovery Manager backup and restore Oracle. Encryption and Redaction in Oracle Database 12c with Oracle Advanced Security OR ACL E WH IT E P AP E R MA RC H 20 17 0 ENCRYPTION AND REDACTION IN ORACLE DATABASE 12C WITH ORACLE ADVANCED SECURITY Table of Contents Introduction 1 Preventing Database Bypass with Encryption 2 Oracle Advanced Security Transparent Data Encryption 2 Protecting Sensitive Data Using TDE Column Encryption 3

Related Books