"MILPITAS, Calif., Jul 07, 2008 (BUSINESS WIRE) -- nCipher plc (LSE:NCH), a global leader in protecting critical enterprise data, today announced its nShield and netHSM key management solutions are now integrated with Transparent Data Encryption, part of Oracle Database 11g Advanced Security option. The combination of Oracle Transparent Data Encryption and nCipher's secure key management systems provides customers with the highest level of data security assurance and enables compliance with even the most rigorous regulations and industry standards, including the Payment Card Industry Data Security Standard (PCI DSS)."
This is very interesting on a number of levels. The first is that my extensive experience with encryption in Oracle databases, and with getting involved in my clients' solutions at all levels (design, development, integration, review and more) for database encryption and TDE, is that the key problem (pun intended) for everyone is the issue of keys: how to manage them, cycle them, protect them and more. I am really glad to see that Oracle and nCipher have got together in this way for TDE (Transparent Data Encryption) BUT....
Second point... I would have liked to see some co-operation, or something much better, from Oracle in the same area for the people who need to encrypt data in the database itself. TDE is fine to protect data at rest but it's not a complete solution. PCI DSS 1.1 (I am paraphrasing from memory here so don't shoot me down) states that only those people who need to see credit card PANs should see them. Solutions around this include exposing only parts of the PAN to all, hash-based searches, masking the PAN, workflow (authorisation for CoI and SoD issues) and more. In other words, if a person (an employee) should be able to see the PAN, the application should call upon the database to decrypt the PAN and return it to their screen; for others who should not see it, it should refuse to return it, or mask it, or... In other words there is a gap: TDE is fine at encryption at rest, but anyone with a SQL*Net connection to the database or application access can in a lot of cases query up PANs and TDE doesn't stop this (hence the "transparent" in the name). For this you can have a whole host of solutions: database encryption, middle tier encryption, application encryption, RBAC, workflow....... lots of solutions.
What I would like to see is a simple (easy to use and deploy) key management solution for the database for use with, say, DBMS_CRYPTO. It should handle key storage, retrieval, cycling, management, change on threat of breach, not caching..... in other words solve the main issues for those people who do use DBMS_CRYPTO in the database. There are solutions out there already of course, but not something from Oracle, in the database or rather made to work easily with DBMS_CRYPTO.. oh, and I almost forgot, not as part of the ASO, as most sites I work with don't deploy ASO, almost exclusively on cost grounds. Most agree on the usefulness of ASO but don't want, or cannot justify, the cost.
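To make the gap concrete (the "decrypt for those who should see it, mask for everyone else" pattern of the previous point, and the DBMS_CRYPTO key-handling question of this one), here is an added PL/SQL sketch of column-level PAN encryption in which callers only ever reach the PAN through a package; it is not code from the post, from Oracle or from nCipher. The table, role-list and package names (PAN_KEYS, PAN_VIEWERS, CARDS, PAN_VAULT) are constructed, and the package owner is assumed to have EXECUTE on DBMS_CRYPTO; the PAN_KEYS table is a stand-in for precisely the key management piece the post says is missing.

```sql
-- Key table: grant nothing on it. This is the slot a key management solution
-- (storage, rotation, change on breach) would fill; the key is generated once here.
CREATE TABLE pan_keys (key_id NUMBER PRIMARY KEY, key_raw RAW(32) NOT NULL);
INSERT INTO pan_keys VALUES (1, DBMS_CRYPTO.RANDOMBYTES(32));
CREATE TABLE pan_viewers (username VARCHAR2(128) PRIMARY KEY);  -- who may see clear PANs
CREATE TABLE cards (card_id NUMBER PRIMARY KEY, key_id NUMBER NOT NULL,
                    iv RAW(16) NOT NULL, pan_enc RAW(64) NOT NULL,
                    last4 VARCHAR2(4) NOT NULL);

CREATE OR REPLACE PACKAGE pan_vault AS
  PROCEDURE store_pan(p_card_id NUMBER, p_pan VARCHAR2);
  FUNCTION  read_pan(p_card_id NUMBER) RETURN VARCHAR2;
END pan_vault;
/
CREATE OR REPLACE PACKAGE BODY pan_vault AS
  c_alg CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                              + DBMS_CRYPTO.CHAIN_CBC + DBMS_CRYPTO.PAD_PKCS5;

  -- Only this package body reads PAN_KEYS; the key never leaves the database.
  FUNCTION key_for(p_key_id NUMBER) RETURN RAW IS
    l_key RAW(32);
  BEGIN
    SELECT key_raw INTO l_key FROM pan_keys WHERE key_id = p_key_id;
    RETURN l_key;
  END key_for;

  PROCEDURE store_pan(p_card_id NUMBER, p_pan VARCHAR2) IS
    l_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);   -- fresh IV per row
  BEGIN
    INSERT INTO cards VALUES (p_card_id, 1, l_iv,
      DBMS_CRYPTO.ENCRYPT(UTL_I18N.STRING_TO_RAW(p_pan, 'AL32UTF8'),
                          c_alg, key_for(1), l_iv),
      SUBSTR(p_pan, -4));
  END store_pan;

  -- Unauthorised sessions get the masked form and the key is never touched
  -- on their behalf; authorised sessions get the clear PAN.
  FUNCTION read_pan(p_card_id NUMBER) RETURN VARCHAR2 IS
    r     cards%ROWTYPE;
    l_hit NUMBER;
  BEGIN
    SELECT * INTO r FROM cards WHERE card_id = p_card_id;
    SELECT COUNT(*) INTO l_hit FROM pan_viewers
     WHERE username = SYS_CONTEXT('USERENV', 'SESSION_USER');
    IF l_hit = 0 THEN
      RETURN '************' || r.last4;
    END IF;
    RETURN UTL_I18N.RAW_TO_CHAR(
      DBMS_CRYPTO.DECRYPT(r.pan_enc, c_alg, key_for(r.key_id), r.iv), 'AL32UTF8');
  END read_pan;
END pan_vault;
/
```

Application accounts get EXECUTE on PAN_VAULT and no direct SELECT on CARDS or PAN_KEYS, which is what closes the SQL*Net query path TDE leaves open; the cost of this approach is that the key lifecycle in PAN_KEYS is now yours to manage.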