
July 13, 2011

Oracle Database Security

Today I had an opportunity to check out some of the Oracle database security products. There are quite a few of them, but these are some of the main applications:

Data Vault: This allows for fine-grained control of data access in the database. Its primary function is to protect sensitive data from even high-level database administrators with DBA privileges - even SYS and SYSMAN. The idea is that the management of the database is separated from direct access to the sensitive data in the database. Sometimes there have been problems where the high-level database managers have abused their position and accessed sensitive data for their own reasons. This would be a bit of a pain to implement.

Advanced Security - Database Encryption: Oracle 11g database encryption is a definite step up. You can use Enterprise Manager to encrypt table columns, an entire tablespace, and even such things as your daily backups. This protects you from direct OS file stealing, theft of backup tapes, and similar threats. It uses a two-layer encryption algorithm which I had not seen before. There is an encryption key stored outside the database (in an Oracle wallet for example), and a second encryption key made randomly by you for each table, which is a series of up to 70 random characters. To decrypt the information, you need both keys. I thought encrypting a whole tablespace might be too much overhead, but that encrypting certain columns containing sensitive data made a lot of sense. Oh, also, you keep one encryption key outside the database so it is not included in any of your daily backups.

Data Masking: This is not too useful for anything I could think of in our situation, but the idea is that sensitive data is converted to irretrievable gibberish. This is used in situations where you might give your data to third parties but they don't need the real values of the sensitive data to do their work.

We will be adding Advanced Security at least to our production databases.
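The column and tablespace encryption described above can also be set up and audited from SQL*Plus instead of Enterprise Manager. The following is an added example, not part of the original post; the schema, table, column, tablespace, datafile path and wallet password are placeholder assumptions.

```sql
-- Added example (Oracle 11g TDE). All object names, the datafile path and
-- the wallet password below are hypothetical placeholders.
-- Assumes sqlnet.ora already sets ENCRYPTION_WALLET_LOCATION to a directory
-- that is excluded from the database backup set.

-- 1. Create the master key in the external wallet (also opens the wallet).
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet_password>";

-- After an instance restart the wallet is closed and must be reopened
-- before encrypted data can be read:
-- ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet_password>";

-- 2. Confirm the wallet location and that its status is OPEN.
SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- 3. Encrypt only the sensitive column of an existing table.
ALTER TABLE hr_demo.employees
  MODIFY (ssn ENCRYPT USING 'AES256');

-- 4. Audit which columns are encrypted and with which algorithm.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 ORDER BY owner, table_name, column_name;

-- 5. Alternative: an encrypted tablespace, so every segment placed in it
--    is encrypted on disk and in backups of its datafiles.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/oradata/demo/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 6. Audit which tablespaces are encrypted.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 ORDER BY tablespace_name;
```

Running the audit queries in steps 2, 4 and 6 on a schedule gives a quick check that the wallet is open only when expected and that no sensitive column has been left unencrypted.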

Posted by rossm at July 13, 2011 3:36 PM
