Data encryption with Oracle Standard Edition

We have a third-party application for which, for licensing cost reasons, we have employed Oracle 10g Standard Edition as the back-end database. We need to encrypt a handful of sensitive data fields in the database. The third-party application vendor has informed us that they do not offer data encryption, nor do they intend to in the future, and they suggested that we use Oracle's Transparent Data Encryption. Unfortunately, this feature is only available in the Enterprise Edition, and even then only at additional cost.

So, the $564,000 question is this: Is there any simple way to do database-level data encryption that would be transparent to the third-party application? In other words, we do not want to mess with our vendor's code unless we absolutely have no other alternative. Are there any Oracle third-party tools that would work for us?
Asked by: DanielBorson

slightwv (Netminder) Commented:
 
DanielBorson (Author) Commented:
Our DBA is looking into this. A few of the potential problems we see with DBMS_CRYPTO:

1) The existing data fields are not sufficiently large to store encrypted values.

2) Our DBA's thinking is that we would need to create a custom table to store encrypted values and then create functions that would select, insert, update or delete these values. We would then replace the column name with the appropriate function in each and every place in our vendor's backend code where the column is referenced.

3) We would need to update all this code each and every time that we receive a back-end code update from our vendor. Also, we're not yet sure what modifying this code would do to any warranties or support contracts.

4) What happens with reporting tools, such as Discoverer, when we need to select one of these encrypted fields and bring it into a report?

Are there any third-party Oracle tools that would provide us with similar functionality to Oracle's Transparent Data Encryption?
 
slightwv (Netminder) Commented:
Data encryption isn't my strong point but I've never heard of any 'seamless' 3rd party plug-in to do this.  Leave this open for a while.  Maybe other experts will know of a way.

I agree with all the pitfalls for dbms_crypto you mentioned above.  A possible work-around (with its own problems):
Create a new table to store the encrypted values.  Replace the app's table with a view that decrypts the data on the fly and exactly mimics the app's table.

You'll still have some of the problems above with one additional one:  You will have to hard-code the key in the view's text which kind of defeats the purpose of encrypting.  It will fool the 'common' folk but probably wouldn't fool someone bent on seeing the data for long.
 
DanielBorson (Author) Commented:
Thanks, slightwv. Okay, all you other Oracle experts out there -- anyone else have anything encouraging or enlightening to add?
 
mrjoltcola Commented:
Just remember, transparent encryption has limited usefulness. It will protect the database and backups, if stolen, but won't protect the data if accessed by an Oracle session. To an Oracle user, or an app connected via the Oracle client, TDE hides the encryption, and the columns are plainly visible.

The question is: what are you trying to protect against? Stolen database files / backups, or live hacking?

Like slightwv, I am not aware of another transparent solution than TDE. One could probably architect a solution with Oracle tools like materialized views and the VPD/context API. The main requirement is that the encryption key must not be stored in a location where it can be stolen along with the database. TDE protects the key but requires the DBA to provide a password or "open the wallet" manually after starting the instance. To architect another transparent solution, you'd need to solve that same problem.
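
The view workaround slightwv describes, combined with mrjoltcola's requirement that the key not sit where it can be stolen with the database, could look like this. It is an added example, not code from the thread: the schema, table, column, context and package names are hypothetical, and it assumes the key is held in a global application context that a DBA fills after each instance start instead of being hard-coded in the view.

```sql
-- Added illustration; app_owner, customers, customers_enc, ssn, enc_key_ctx and
-- enc_key_pkg are hypothetical. Run as a DBA; app_owner needs EXECUTE on DBMS_CRYPTO.
-- 1. Key holder: a global application context, kept in instance memory only.
CREATE OR REPLACE CONTEXT enc_key_ctx USING app_owner.enc_key_pkg ACCESSED GLOBALLY;
CREATE OR REPLACE PACKAGE app_owner.enc_key_pkg AS
  PROCEDURE open_key(p_hex_key IN VARCHAR2);  -- 64 hex digits = 256-bit key
  FUNCTION encrypt_txt(p_txt IN VARCHAR2) RETURN RAW;
  FUNCTION decrypt_txt(p_raw IN RAW) RETURN VARCHAR2;
END enc_key_pkg;
/
CREATE OR REPLACE PACKAGE BODY app_owner.enc_key_pkg AS
  c_alg CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                              + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5;
  FUNCTION get_key RETURN RAW IS  -- NULL until open_key has been called
  BEGIN
    RETURN HEXTORAW(SYS_CONTEXT('enc_key_ctx', 'k'));
  END;
  PROCEDURE open_key(p_hex_key IN VARCHAR2) IS
  BEGIN  -- only this package (named in USING above) may set the context
    DBMS_SESSION.SET_CONTEXT('enc_key_ctx', 'k', p_hex_key);
  END;
  FUNCTION encrypt_txt(p_txt IN VARCHAR2) RETURN RAW IS
    v_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);  -- fresh IV per value
  BEGIN  -- stored form is IV || ciphertext
    RETURN UTL_RAW.CONCAT(v_iv, DBMS_CRYPTO.ENCRYPT(
      UTL_I18N.STRING_TO_RAW(p_txt, 'AL32UTF8'), c_alg, get_key, v_iv));
  END;
  FUNCTION decrypt_txt(p_raw IN RAW) RETURN VARCHAR2 IS
  BEGIN
    RETURN UTL_I18N.RAW_TO_CHAR(DBMS_CRYPTO.DECRYPT(
      UTL_RAW.SUBSTR(p_raw, 17), c_alg, get_key, UTL_RAW.SUBSTR(p_raw, 1, 16)),
      'AL32UTF8');
  END;
END enc_key_pkg;
/
-- 2. Ciphertext table (wider than the original column), and a view that takes
--    over the application table's name and column list.
CREATE TABLE app_owner.customers_enc
  (cust_id NUMBER PRIMARY KEY, name VARCHAR2(100), ssn_enc RAW(64) NOT NULL);
CREATE OR REPLACE VIEW app_owner.customers AS
  SELECT cust_id, name, app_owner.enc_key_pkg.decrypt_txt(ssn_enc) AS ssn
  FROM app_owner.customers_enc;
-- 3. Inserts through the view land encrypted (UPDATE and DELETE need the same).
CREATE OR REPLACE TRIGGER app_owner.customers_ioi
  INSTEAD OF INSERT ON app_owner.customers FOR EACH ROW
BEGIN
  INSERT INTO app_owner.customers_enc (cust_id, name, ssn_enc)
  VALUES (:NEW.cust_id, :NEW.name, app_owner.enc_key_pkg.encrypt_txt(:NEW.ssn));
END;
/
```

After each startup a DBA calls `app_owner.enc_key_pkg.open_key` with the key; until then queries on the view raise an error instead of returning data. Any connected session can still read the decrypted column and the context value, so this covers stolen data files and backups only, which is the limit mrjoltcola points out for TDE as well.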
 
DanielBorson (Author) Commented:
We're mostly interested in protecting against stolen data, not live hacking, but we would definitely need to have the encryption key stored outside the database. We have an appointment to talk with our Oracle account rep about options, and in the meantime, I'll just leave this open in case anyone else has any other ideas.
 
slightwv (Netminder) Commented:
I suggest even split as follows:

http:#26295451
accept httP:#26297331
