Oracle 12c/19c Advanced Security features
In general, Oracle DBAs mainly discuss installations, restores, clustering, standby databases, migrations and performance tuning. In all of this, data security at the database end tends to receive the least attention.
Today's fast-changing business world drives rapid technological change, and the database tier is no exception. Looking closely at current business models, we have multiple dynamic systems, and simply creating complex user credentials is not enough. Business data is the most valuable asset of IT companies, especially when it comprises clients' personally identifiable information (PII). At the same time, business data must comply with regulations such as the GDPR (General Data Protection Regulation), the EU's data protection law. Database security is therefore of paramount importance and is gaining momentum as the way to safeguard the organization's data and effort from any sort of vulnerability.
This article focuses on Oracle Database Advanced Security features that can be implemented without any changes to the application layer. Changing the application layer to secure data can be very time- and effort-consuming, and it is a cost to the company. Legacy applications (if present in the environment) that hold potential PII data are a further challenge to redesign. Even if we do redesign the application layer, that does not regulate access to PII data from the back end, so the threat of data exploitation from the back end remains and the environment stays vulnerable.
As a DBA, we need a mechanism to secure the data layer in such a manner that:
1) It should NOT affect the application functionality.
2) It should NOT affect the database performance.
3) It should be robust in securing data and at the same time flexible to implement.
4) It should NOT be an overhead on the application architecture.
The following Oracle Advanced Security features give multi-dimensional security to the database and help comply with data regulations such as GDPR.
1) TDE (Transparent Data Encryption)
2) Network encryption
3) Unified Auditing
4) Data masking/redaction
5) Database Vault
Checked against the GDPR guidelines for protecting data, the features above cover most of the points.
• Why TDE encryption: Oracle database encryption safeguards business data from physical threats such as theft of data files or backup files. A stolen backup can be restored and the database may open, but business data is not readable if the tablespaces/tables are encrypted, until the encryption key is provided to the database. The encryption key is itself password protected, in a software keystore (wallet) at OS level or in a hardware-based keystore. TDE is therefore a very secure wall against any kind of physical security threat. TDE also supports the standard encryption algorithms to protect data from manipulation. Its most striking aspect is that no changes are needed at the application layer or to logical database objects, because it is transparent to the SQL layer. However, when using a TDE wallet, we must keep multiple backup copies of the wallet in different locations, because once business tablespaces/tables are encrypted, the data cannot be accessed by any means until a correct copy of the wallet is available. If the wallet is lost, everything is lost. That is the beauty of TDE: even when the business keeps database backups on tapes held by third-party vendors, the data cannot be retrieved until the wallet file is available. If the database file system is on ASM, it is better to keep the wallet in an ASM disk group with normal redundancy (at least two mirror copies in case of disk failure).
The impact of TDE on database performance is insignificant to the application.
TDE is possible at two levels:
1) Tablespace level
2) Table column level
If we decide to implement TDE, it is better to use Oracle 12c Release 2 because of the greater stability of the TDE component. Oracle 12c Release 1 has many bugs and is not recommended.
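As an added example (not from the article), the sequence below sets up a software keystore and then applies both TDE levels described above on 12.2/19c. The wallet path, passwords, the +DATA disk group and the HR.EMPLOYEES table are assumptions; run it as a user with SYSKM or SYSDBA.

```sql
-- Assumption: sqlnet.ora already points ENCRYPTION_WALLET_LOCATION (or WALLET_ROOT on 19c)
-- at /u01/app/oracle/admin/ORCL/wallet. Keep this directory on an ASM disk group or
-- another mirrored location and back it up before and after every key operation.

-- 1. Create the password-protected keystore, open it and generate the master key.
--    WITH BACKUP copies the keystore before the new key is written into it.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/u01/app/oracle/admin/ORCL/wallet'
  IDENTIFIED BY "ChangeMe#KeystorePwd";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "ChangeMe#KeystorePwd";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "ChangeMe#KeystorePwd"
  WITH BACKUP USING 'before_first_key';

-- 2. Level 1: tablespace encryption. A new tablespace is encrypted from the start...
CREATE TABLESPACE pii_data
  DATAFILE '+DATA' SIZE 512M AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
-- ...and on 12.2+ an existing tablespace can be encrypted in place while it stays online
-- (needs free space equal to the largest datafile for the temporary copy).
ALTER TABLESPACE users ENCRYPTION ONLINE USING 'AES256' ENCRYPT;

-- 3. Level 2: column encryption for a single sensitive column; the table key is
--    wrapped by the master key held in the keystore.
ALTER TABLE hr.employees MODIFY (national_id ENCRYPT USING 'AES256');

-- 4. Auto-login keystore, so the database can open the wallet after a restart
--    without a DBA typing the password (the password keystore stays the master copy).
ADMINISTER KEY MANAGEMENT CREATE AUTO_LOGIN KEYSTORE
  FROM KEYSTORE '/u01/app/oracle/admin/ORCL/wallet' IDENTIFIED BY "ChangeMe#KeystorePwd";

-- 5. Checks: keystore status (FULLY_BACKED_UP should be YES), encrypted tablespaces
--    and encrypted columns. An unopened keystore leaves encrypted data unreadable.
SELECT wrl_type, status, wallet_type, fully_backed_up FROM v$encryption_wallet;
SELECT tablespace_name, encrypted FROM dba_tablespaces;
SELECT owner, table_name, column_name, encryption_alg FROM dba_encrypted_columns;
```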
• Why network encryption: Most cyber threats are expected to occur over network channels, exploiting data in flight. It is therefore good practice to encrypt data on the network channel. Not many changes are required: it only needs an update of the SQLNET file (sqlnet.ora) on the client and server, after which the data flows in encrypted form.
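Native network encryption lives in sqlnet.ora rather than in SQL, so this added example (not from the article) shows the assumed server and client parameters as comments and then the queries a DBA runs to confirm that sessions are actually encrypted.

```sql
-- Server side $ORACLE_HOME/network/admin/sqlnet.ora (assumed values; REQUIRED on both
-- ends means an unencrypted client is refused rather than silently accepted):
--   SQLNET.ENCRYPTION_SERVER = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)
-- Client side sqlnet.ora:
--   SQLNET.ENCRYPTION_CLIENT = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256)

-- Verify the current session: the banner rows list the negotiated services, e.g.
-- "AES256 Encryption service adapter for Linux" and
-- "SHA256 Crypto-checksumming service adapter for Linux".
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');

-- Check the whole instance: network sessions without an encryption adapter row are
-- still in the clear (local bequeath sessions have no SQL*Net banner and are skipped).
SELECT s.sid, s.username, s.machine, s.program
  FROM v$session s
 WHERE s.type = 'USER'
   AND s.username IS NOT NULL
   AND EXISTS (SELECT 1 FROM v$session_connect_info c WHERE c.sid = s.sid)
   AND NOT EXISTS (SELECT 1
                     FROM v$session_connect_info c
                    WHERE c.sid = s.sid
                      AND c.network_service_banner LIKE '%Encryption service adapter%');
```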
• Data Redaction: Although TDE secures data from physical threats, it cannot protect data at the SQL layer from someone who has access to the database, especially to tables that contain sensitive information. At the same time, the support team needs access to non-sensitive data and configuration data for support/maintenance tasks and for resolving incidents raised by the business at the application layer. With Redaction, exposure at the SQL layer can be reduced, while an authorized business user permitted to access sensitive data from the back end can be given the redacted data. Data Redaction can therefore protect sensitive data from exploitation at the SQL layer.
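As an added example (not from the article), this policy redacts three PII columns of an assumed HR.EMPLOYEES table for everyone except the application service account (assumed name APP_SVC), so support staff can still query the table for incident work without seeing the clear values.

```sql
BEGIN
  -- Partial redaction of a national ID stored as 'NNN-NN-NNNN'. The parameters are:
  -- input format, output format, mask character, first and last V position to mask,
  -- so 123-45-6789 is returned as XXX-XX-6789 (the last four digits stay visible).
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'EMPLOYEES',
    policy_name         => 'employees_pii',
    column_name         => 'NATIONAL_ID',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,X,1,5',
    -- Policy expression: redact whenever it evaluates TRUE, i.e. for all but APP_SVC.
    expression          => q'[SYS_CONTEXT('USERENV','SESSION_USER') <> 'APP_SVC']');

  -- A table has one policy; further columns are added to it. Regular-expression
  -- redaction keeps the e-mail domain and hides the local part.
  DBMS_REDACT.ALTER_POLICY(
    object_schema         => 'HR',
    object_name           => 'EMPLOYEES',
    policy_name           => 'employees_pii',
    action                => DBMS_REDACT.ADD_COLUMN,
    column_name           => 'EMAIL',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => DBMS_REDACT.RE_PATTERN_EMAIL_ADDRESS,
    regexp_replace_string => DBMS_REDACT.RE_REDACT_EMAIL_NAME,
    regexp_position       => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence     => DBMS_REDACT.RE_ALL);

  -- Full redaction: a NUMBER column is returned as 0, a VARCHAR2 as a single space.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR',
    object_name   => 'EMPLOYEES',
    policy_name   => 'employees_pii',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'SALARY',
    function_type => DBMS_REDACT.FULL);
END;
/

-- What is in force on the table: one row per redacted column.
SELECT object_owner, object_name, column_name, function_type
  FROM redaction_columns
 WHERE object_owner = 'HR' AND object_name = 'EMPLOYEES';
```

Accounts holding EXEMPT REDACTION POLICY (SYS among them) always see clear text, and redaction does not stop a user from narrowing values with WHERE predicates, so it complements TDE and auditing rather than replacing them.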
• Unified Auditing: Unified Auditing is an Oracle 12c advanced feature that, unlike the earlier auditing mechanism, does not hit database performance and does not leave logs unevenly distributed between the OS and the database. Unified Auditing is very easy to implement, and the audit policy can be customized as needed in terms of:
1) Who (the list of users to be audited),
2) What (the actions to be audited, such as INSERT, UPDATE, DELETE, SELECT),
3) Which tables come under audit.
When planning to implement Unified Auditing, one must be clear that Unified Auditing is enabled at the OS level, but the audit policies are maintained at the database level. Therefore, if multiple databases run on the same server, DBAs can have different audit policies for each database. Even database backup actions (logical or physical) are audited and recorded. Unified audit records cannot be manipulated or deleted with normal privileges; they are stored in the same SYSAUX tablespace but under a different schema, AUDSYS. In addition to SYS, one needs the AUDIT_ADMIN or AUDIT_VIEWER role to view or manage audit records.
In a read-only database, the audit logs are stored at the OS level.
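The added example below (not from the article) turns the three questions above, who, what and which tables, into a unified audit policy for an assumed HR.EMPLOYEES table, plus a second policy for DBA accounts, and reads the trail back. Run it as a user with AUDIT_ADMIN; account and host names are assumptions.

```sql
-- Confirm the binaries were relinked for unified auditing (expect TRUE).
SELECT value FROM v$option WHERE parameter = 'Unified Auditing';

-- WHAT and WHICH TABLES: every DML on the PII table.
CREATE AUDIT POLICY hr_pii_access
  ACTIONS SELECT ON hr.employees,
          INSERT ON hr.employees,
          UPDATE ON hr.employees,
          DELETE ON hr.employees;

-- WHO: everyone except the application account, whose traffic is expected;
-- direct back-end access by humans is what we want on record.
AUDIT POLICY hr_pii_access EXCEPT app_svc;

-- DBA accounts: record use of broad privileges, but only in sessions that did not
-- come from the jump host. The condition is evaluated once per session.
CREATE AUDIT POLICY dba_offhost
  PRIVILEGES SELECT ANY TABLE, ALTER ANY TABLE, EXEMPT REDACTION POLICY
  WHEN 'SYS_CONTEXT(''USERENV'',''HOST'') <> ''jumphost01'''
  EVALUATE PER SESSION;
AUDIT POLICY dba_offhost BY dba_alice, dba_bob;

-- Which policies are enabled and for whom.
SELECT policy_name, enabled_option, entity_name, success, failure
  FROM audit_unified_enabled_policies;

-- Read the trail (AUDIT_VIEWER). Backup actions need no policy: RMAN commands are
-- always recorded, with the command text in RMAN_OPERATION.
-- On 12.1 in queued mode run EXEC DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL first.
SELECT event_timestamp, dbusername, os_username, userhost, action_name,
       object_schema, object_name, sql_text, rman_operation
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%HR_PII_ACCESS%'
    OR unified_audit_policies LIKE '%DBA_OFFHOST%'
    OR rman_operation IS NOT NULL
 ORDER BY event_timestamp DESC;
```

Records in AUDSYS are removed only through DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL, which itself requires AUDIT_ADMIN and is audited, so normal users cannot quietly erase their own tracks.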
• Database Vault: Database Vault is another feature that helps secure data and control sensitive information such as PII. Similar to Data Redaction, one can create security rules with Vault components. The best feature of Database Vault is that a rule can be defined so that, if a user's password has been copied or stolen, login attempts from other machines are nullified. However, implementing Database Vault is a bit more complicated than the other features and needs detailed system analysis.
Some of the features, such as Unified Auditing, come with Enterprise Edition, while others are paid options, which means the client has to pay a little extra to use them. Still, safekeeping business data is more important; it is worth paying a little to be safe if the application database contains business-sensitive data.
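As an added example (not from the article), this puts a realm around the assumed HR.EMPLOYEES table and adds the rule discussed above: a support account (assumed SUPPORT_USER) can only log in from its known jump host, so a stolen password used from another machine fails at CONNECT. Run as the Database Vault owner account after Vault is configured and enabled; it uses the documented DBMS_MACADM package.

```sql
BEGIN
  -- Realm: even holders of SELECT ANY TABLE are blocked unless authorised below.
  -- realm_type 1 = mandatory realm, so the HR owner is subject to it as well.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR PII Realm',
    description   => 'Protects employee PII from privileged back-end access',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL,
    realm_type    => 1);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR PII Realm',
    object_owner => 'HR',
    object_name  => 'EMPLOYEES',
    object_type  => 'TABLE');
  -- Only the application account may use the table (NULL rule set = always).
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR PII Realm',
    grantee       => 'APP_SVC',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- Rule: TRUE for everyone except SUPPORT_USER, and for SUPPORT_USER only on the jump host.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'Support from jump host',
    rule_expr => q'[SYS_CONTEXT('USERENV','SESSION_USER') <> 'SUPPORT_USER'
                    OR SYS_CONTEXT('USERENV','HOST') = 'jumphost01']');
  -- Rule set: failures are audited and the message is shown to the caller.
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Support host check',
    description     => 'Deny SUPPORT_USER logins from unknown hosts',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Login not permitted from this host',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL,
    is_static       => FALSE);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Support host check',
    rule_name     => 'Support from jump host');
  -- Bind the rule set to CONNECT; the rule expression itself limits it to SUPPORT_USER.
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'CONNECT',
    rule_set_name => 'Support host check',
    object_owner  => '%',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

A mistaken CONNECT rule locks out every account, including the Vault owner, so prove the rule expression in a non-production database before enabling it; USERENV HOST is client-supplied, which is why the realm, not the host check alone, is what keeps the data closed.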
Good one. I liked the references to the GDPR guidelines. Thank you.
Insightful thoughts and an interesting, well-rounded solution PoV on Oracle data security, thanks for sharing!
@Vikram Singh - very well articulated. Sarabjeet Singh rightly mentioned that anyone who has just an introduction to the subject, or a layman like me, can understand it. Thank you for sharing 😊. Keep sharing.
Very informative and useful.
Good article. In fact, a person who doesn't know Oracle much would be able to understand all the key points.