Nowadays, organizations spend a great deal of time and effort making sure that their databases are secure from internal and external threats. Encryption of databases and files is one of the prominent methods for securing data. Oracle Database has offered data encryption methods for database fields since Oracle 8, and it extended the Transparent Data Encryption technology introduced in 10g, which covered table columns, to cover entire tablespaces as well in Oracle Database 11g. Transparent Data Encryption can encrypt (disguise) data in a table column or in an entire tablespace using the Advanced Encryption Standard (AES) and Triple Data Encryption Standard (3DES) algorithms, and then decrypt (reveal) the data for reading.
When you encrypt a piece of data, three components are involved: an algorithm to encrypt the data (AES or 3DES), an algorithm to decrypt it, and a key used for both encryption and decryption. The encryption algorithm converts clear text data into a form that cannot easily be deciphered by humans or computers. The same algorithm reverses the disguising process at the receiving end so the data can be read. When you encrypt the data, Oracle Database uses the encryption key together with the encryption algorithm to transform it. When you are ready to read the encrypted data, Oracle Database uses the decryption algorithm together with the same encryption key to recover it.
To use transparent data encryption, you need a wallet to store the encryption key. The wallet is a binary file that holds the key. It is created outside the database and can be accessed only by the DBA or security administrator. The location of this wallet is specified in the sqlnet.ora file. When you need to decrypt the data, the key is retrieved from the wallet and the data is decrypted using Oracle functions. The wallet is protected from intruders by a password.
Transparent data encryption can be used to encrypt individual table columns or entire tablespaces. It supports NUMBER, CHAR, DATE, VARCHAR2, BINARY_FLOAT, and BINARY_DOUBLE, among many other common data types. An encrypted table column cannot be part of a foreign key. When you wish to use the transparent data encryption feature on tablespaces, you will have to create new tablespaces or move data from existing tablespaces into new, encrypted tablespaces. This is a small hiccup in using the feature at the tablespace level.
When you use transparent data encryption on table columns, performance is affected while scanning encrypted columns. In Oracle Database 11g, the scanning of data in encrypted tablespaces occurs in database memory in unencrypted form, which reduces the performance impact compared with scanning encrypted columns.
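The wallet, column, and tablespace steps described above, as an added SQL example that is not from the article; the wallet directory, password, datafile path, and schema/object names are assumed placeholders, and the syntax is that of Oracle Database 11g Release 2 run as SYSDBA:

```sql
-- Added example (not the article's code). All placeholder values are assumed.

-- 1. sqlnet.ora on the database server (not SQL) tells the instance where the wallet lives:
--    ENCRYPTION_WALLET_LOCATION =
--      (SOURCE = (METHOD = FILE)
--        (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/orcl/wallet)))

-- 2. Create the wallet and the master encryption key (run once). This also opens the wallet.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "Wallet_Pa55word";

-- 3. After every instance restart the wallet must be reopened before encrypted data
--    can be read or written; an auto-login wallet removes this manual step.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "Wallet_Pa55word";

-- 4. Column-level encryption: only the sensitive columns are transformed on disk.
--    All encrypted columns of one table must use the same algorithm.
--    NO SALT is required on a column that will be indexed; salted columns cannot be indexed.
CREATE TABLE hr.employee_pii (
  emp_id     NUMBER        PRIMARY KEY,
  last_name  VARCHAR2(40),
  ssn        VARCHAR2(11)  ENCRYPT USING 'AES256' NO SALT,
  salary     NUMBER(10,2)  ENCRYPT USING 'AES256'
);

-- Encrypting an existing column rewrites every row of the table in place.
ALTER TABLE hr.employee_pii MODIFY (last_name ENCRYPT USING 'AES256');

-- 5. Tablespace-level encryption (11g): everything stored in it is encrypted on disk and
--    decrypted into the buffer cache, so scans avoid the per-column decrypt cost.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/app/oracle/oradata/orcl/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- An existing tablespace cannot be encrypted in place: move the data, then rebuild its indexes.
ALTER TABLE hr.employee_pii MOVE TABLESPACE secure_ts;

-- 6. Verification queries for a DBA or auditor.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;
SELECT owner, table_name, column_name, encryption_alg, salt FROM dba_encrypted_columns;
SELECT ts.name, et.encryptionalg, et.encryptedts
  FROM v$encrypted_tablespaces et JOIN v$tablespace ts ON ts.ts# = et.ts#;

-- 7. Close the wallet when the key must be unavailable, e.g. before handing off a backup image.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE IDENTIFIED BY "Wallet_Pa55word";
```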
Transparent data encryption offers advantages over other encryption methods. Sensitive data remains safe even if the storage media or a data file is stolen by hackers. The database takes care of the encryption and decryption functions, so there is no need to create database triggers for this purpose. Database applications can use the encrypted data seamlessly, because encryption and decryption are provided by the database itself.
We can use transparent data encryption to protect regulated and confidential data in organizations with little or no change to the application. Database performance is slightly affected when we retrieve or insert data in an encrypted column; the database overhead is estimated at around 5 percent over working with clear text data. Similarly, encrypted data requires extra storage space over normal data: encrypting a single column in an Oracle database table requires an average of 32 to 48 bytes of extra storage for each row.
The decision to deploy transparent data encryption should be based on the nature of your business, the types of data elements in your databases, and the nature and volume of updates to the encrypted columns. Compared with third-party encryption offerings for Oracle databases, the transparent data encryption feature is clearly a cost-effective method for securing enterprise data at the column or tablespace level.
About the Author
Dr. Arun Kumar R., Data Architect at Cingular Wireless, has over a decade of experience in Oracle technologies. He has authored two Oracle Database 10g books and over 50 technical papers. Arun can be reached at arundbta@dbatrends.com.