Oracle Advanced Security: Database security tool overview

Expert Ed Tittel examines Oracle Advanced Security, a database security add-on product with transparent data encryption (TDE) and data redaction features.

Oracle's portfolio of database and related products includes Oracle Advanced Security, an additional option for Oracle Database Enterprise Edition. The add-on includes the Transparent Data Encryption (TDE) and Data Redaction features.

Using Data Redaction, an administrator masks (redacts) column data. TDE encrypts stored data to prevent viewing by unauthorized database users. In this case, "transparent" means the front-end application connected to the database isn't affected, nor are users. The TDE process encrypts data as it's written to storage and decrypts it when read.

Product features

Installation is minimal because Oracle Advanced Security is installed by default with Oracle Database Enterprise Edition. An administrator simply needs to enable the Oracle Advanced Security option. However, policy configuration and keystore setup (the keystore is where the encryption keys are stored) are more complicated, and working through the steps takes some time. Configuration is performed at the command-line interface (CLI) or via the Enterprise Manager console.

For security and convenience, an administrator can manage TDE keystores using Oracle Key Vault, which makes the master keys available to all TDE-enabled databases from a central location.

Oracle TDE offers column- and table-level protection. With column encryption, the externally stored master key encrypts/decrypts the table key, which is used to encrypt/decrypt the table column. With table encryption (referred to as tablespace encryption), an administrator can encrypt multiple selected columns or the entire table. Only data in the tablespace is encrypted, not related data stored outside of the database.

Although Oracle builds in some performance-enhancing measures, applications can take a performance hit when whole-table encryption is enabled.

Data Redaction essentially hides data from view based on user privileges, without altering the actual data. Oracle Advanced Security enforces Data Redaction policies in the database kernel. An admin can choose from several kinds of redaction: full, partial, regular expressions, random or none. With full redaction, all data in a column is hidden. Partial redaction hides part of the data in a column, such as all but the last four digits of a Social Security number. Regular expressions redact data based on patterns, and random redaction displays randomly generated values.
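The redaction types described above, shown as an added example that is not from the original article: one policy built with Oracle's DBMS_REDACT package that applies partial, regular-expression and random redaction to three columns. The APP schema, CUSTOMERS table, APP_ADMIN user and policy name are constructed assumptions.

```sql
-- Constructed sample table (assumption, not from the article).
CREATE TABLE app.customers (
  id     NUMBER PRIMARY KEY,
  ssn    VARCHAR2(11),      -- stored as 'NNN-NN-NNNN'
  email  VARCHAR2(100),
  salary NUMBER(10,2)
);

BEGIN
  -- Partial redaction: mask SSN digits 1 through 5, keep the last four.
  -- The policy expression decides who sees redacted output; here every
  -- session except the hypothetical APP_ADMIN account.
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP',
    object_name         => 'CUSTOMERS',
    policy_name         => 'redact_customer_pii',
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5',
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''APP_ADMIN''');

  -- Regular-expression redaction: replace the local part of the address.
  DBMS_REDACT.ALTER_POLICY(
    object_schema         => 'APP',
    object_name           => 'CUSTOMERS',
    policy_name           => 'redact_customer_pii',
    action                => DBMS_REDACT.ADD_COLUMN,
    column_name           => 'EMAIL',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => '^[^@]+',
    regexp_replace_string => 'xxxx',
    regexp_position       => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence     => DBMS_REDACT.RE_FIRST);

  -- Random redaction: return a generated value on each query.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'APP',
    object_name   => 'CUSTOMERS',
    policy_name   => 'redact_customer_pii',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'SALARY',
    function_type => DBMS_REDACT.RANDOM);
END;
/

-- Audit check: confirm which columns are covered and by which function.
SELECT column_name, function_type, function_parameters
  FROM redaction_columns
 WHERE object_owner = 'APP' AND object_name = 'CUSTOMERS';
```

Redaction changes only what a query returns, so it complements rather than replaces access control: users who can run ad hoc queries may still infer values, and accounts holding the EXEMPT REDACTION POLICY privilege see the real data.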

Note: Oracle software, including Oracle Database Enterprise Edition, can be downloaded for free from the Oracle Technology Network (OTN), as long as you accept the OTN license agreement. This gives developers and admins the opportunity to play with software in their test environment before making a purchasing decision.

Pricing and licensing

Oracle Advanced Security is licensed per processor or per core, depending on the size of the customer's environment. For smaller shops, perhaps a development environment in which all devices are easily inventoried, customers must purchase 25 licenses per processor under a "Named User Plus" agreement. A pack of 25 licenses costs $300, plus $66 for software updates, licensing and support. Enterprise Edition per-core licensing costs $15,000, plus $3,300 for software updates, licensing and support. Customers can order Oracle Advanced Security licenses directly from the Oracle website.

Determining the number of licenses an organization needs can be tricky, but Oracle provides examples during the purchasing process online and you can speak with an Oracle rep to answer specific questions.

Support

Oracle technical support is outstanding. Premium support is available 24/7 with priority request handling, as well as new product releases, patches and fixes, and proactive support tools for the lifetime of the product. Advanced Customer Support includes personalized support for your environment, issue escalation, on-site support, start-up services and more.

Next Steps

Part one of this series examines the basics of database security in the enterprise

Part two of this series looks at enterprise deployment scenarios for database security tools

Part three of this series offers nine steps for purchasing database security software

Part four of this series compares the top database security tools in the industry