Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Oracle Patch Tuesday Is Coming"] [Next entry: "A new improved version of the woraauthbf Oracle password cracker is available"]

nCipher provides encryption key management for TDE in Oracle 11g

I saw a news post the other day via google and made a note to mention it here as its a very interesting development. The post is titled "nCipher to Provide Encryption Key Management for Oracle Database 11g"

"MILPITAS, Calif., Jul 07, 2008 (BUSINESS WIRE) ----nCipher plc (LSE:NCH), a global leader in protecting critical enterprise data, today announced its nShield and netHSM key management solutions are now integrated with Transparent Data Encryption, part of Oracle Database 11g Advanced Security option. The combination of Oracle Transparent Data Encryption and nCipher's secure key management systems provides customers with the highest level of data security assurance and enables compliance with even the most rigorous regulations and industry standards, including the Payment Card Industry Data Security Standard (PCI DSS)."

This is very interesting on a number of levels. The first is that my extensive experience with encryption in Oracle databases and with getting involved with my clients solutions at all levels from design, development, integration, review and more for database encryption and TDE is that the key problem (pun intended) for everyone is the issue of keys, how to manage them, cycle them, protect them and more. I am really glad to see that Oracle and nCipher have got together in this way for TDE (Transparent Database Encryption) BUT....

Second point... I would have liked to see some co-operation or something much better from Oracle in the same area for the people who need to encrypt data in the database itself. TDE is fine to protect data at rest but its not a complete solution. PCI DSS 1.1 (I am paraphasing from memory here so don't shoot me down) states that only those people who need to see credit card PAN's should see them. Solutions around this include exposing parts of the PAN to all, different hashes searches, masking the PAN, workflow(authorisation for CoI and SoD issues) and more. In other words if a person (an employee) should be able to see the PAN, the application should call upon the database to decrypt the PAN and return it to their screen, for others who should not see it, it should refuse to return it or mask it or... in other words there is a gap, TDE is fine at encryption at rest but anyone with a SQL*Net connection to the database or application access can in a lot of cases query up PAN's and TDE doesn't stop this (hence the transparent in the name). For this you can have a whole host of solutions, database encryption , middle teir encryption, application encryption, RBAC, workflow....... lots of soltions.

What I would like to see is a simple in terms of easy to use/deploy key management solution for the database for use with say DBMS_CRYPTO, it should handle key storage, retrieval, cycling, managment, change on threat of breach, not cache..... in otherwords solve the main issues for those people who do use dbms_crypto in the database. There are solutions out there of course already but not something from Oracle, in the database or rather made to work easily with DBMS_CRYPTO.. oh, and i almost forgot, not as part of the ASO as most sites i work with don't deploy ASO almost exclsuively on cost grounds. Most agree the usefulness of ASO but don't want / or cannot justify the cost.