Cao Tiến Đức. Outline What is TDE How TDE works Basic TDE operations Tablespace encryption HSM Reference.


Cao Tiến Đức

Outline What is TDE How TDE works Basic TDE operations Tablespace encryption HSM Reference


What is TDE. A mechanism to protect sensitive data stored in data files. Data is transparently decrypted for users who have access to it. Use TDE when you want to protect confidential data such as credit card and social security numbers.

Benefits of TDE As a security administrator, you can be sure that sensitive data is safe in case the storage media or data file gets stolen. You do not need to create triggers or views to decrypt data. Data from tables is transparently decrypted for the database user. Database users need not be aware of the fact that the data they are accessing is stored in encrypted form. Data is transparently decrypted for the database users and does not require any action on their part. Applications need not be modified to handle encrypted data. Data encryption/decryption is managed by the database.

Restrictions when using TDE. Can't be used on foreign key columns. Can't be used with some other database features: index types other than B-tree; range scan search through an index; external large objects (BFILE); materialized view logs; synchronous Change Data Capture; transportable tablespaces; original import/export utilities.

Restrictions when using TDE. Only protects data stored on disk/media, not data in transit. The DBMS_CRYPTO package can be used for the cases TDE does not support. Decreases performance. Needs more storage.

Outline What is TDE How TDE works Basic TDE operations Tablespace encryption HSM Reference

How TDE works

Key-based access control system: data read from disk must be decrypted before it can be understood. Column encryption keys are stored in a dictionary table of the database, protected by the master encryption key. The security administrator controls the master encryption key while the database administrator works with the column encryption keys; this separation of duties enhances security.

How TDE works. Master key: either a random key generated by TDE, or a PKI certificate designed for encryption. The PKI option is more secure, but causes a greater performance decrease and requires more system resources.

How TDE works. Some recommendations when using TDE: you must be running Oracle Database 10g release 2 (10.2) or higher; use a separate wallet to store the master encryption key.

Outline What is TDE How TDE works Basic TDE operations Tablespace encryption HSM Reference

Basic TDE operations. Requirement: you must have the ALTER SYSTEM privilege and a valid password to the Oracle wallet.

Basic TDE operations. Create a new master key:
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "password";
Enclose the password in double quotation marks.

Basic TDE operations. Create a new table with encrypted columns:
CREATE TABLE table_name (column_name column_type ENCRYPT, ...);
The default is the AES encryption algorithm with a 192-bit key length (AES192). Other algorithms: 3DES168, AES128, AES256. If you want to index the encrypted column, use NO SALT.

Basic TDE operations. Index and the SALT keyword. If you want to index the encrypted column, use NO SALT:
CREATE TABLE employee (first_name VARCHAR2(128), last_name VARCHAR2(128), empID NUMBER ENCRYPT NO SALT, salary NUMBER(6) ENCRYPT USING '3DES168');
ALTER TABLE employee MODIFY (first_name ENCRYPT SALT);
ALTER TABLE employee MODIFY (first_name ENCRYPT NO SALT);

Basic TDE operations. Modify or add an encrypted column:
ALTER TABLE table_name MODIFY (column_name column_type ENCRYPT, ...);
ALTER TABLE table_name ADD (column_name column_type ENCRYPT, ...);
Remove encryption from a column:
ALTER TABLE employee MODIFY (first_name DECRYPT);

Basic TDE operations. Oracle wallet. Open the wallet:
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "password";
Once the wallet has been opened, it remains open until you shut down the database instance or close it explicitly:
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;

Basic TDE operations. Save disk space and improve performance: use the NOMAC parameter. It saves 20 bytes of disk space per encrypted value, and causes the integrity check to be skipped during encryption and decryption operations.
CREATE TABLE employee (first_name VARCHAR2(128), last_name VARCHAR2(128), empID NUMBER ENCRYPT 'NOMAC' NO SALT, salary NUMBER(6));

Basic TDE operations. Change the encryption key:
ALTER TABLE employee REKEY;
ALTER TABLE employee REKEY USING '3DES168';
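The basic operations above, run end to end on an Oracle 11g instance. This is an added example, not a slide from the original deck: the wallet directory in the sqlnet.ora comment, the password "WalletPwd#1", the table and index names and the sample row are all placeholders chosen here; the views V$ENCRYPTION_WALLET and DBA_ENCRYPTED_COLUMNS are the standard Oracle dictionary views for checking wallet state and encrypted columns.

```sql
-- Added example (not from the original slides): column-level TDE walk-through.
-- Assumes sqlnet.ora points TDE at a dedicated wallet directory, e.g.
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)
--     (METHOD_DATA=(DIRECTORY=/etc/ORACLE/WALLETS/orcl)))
-- and a session holding ALTER SYSTEM plus CREATE TABLE / CREATE INDEX.

-- 1. Create the master encryption key (creates and opens the wallet on first use).
--    The password must be in double quotes; "WalletPwd#1" is a placeholder.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPwd#1";

-- 2. Check the wallet is OPEN; DML on encrypted columns fails while it is CLOSED.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 3. Table with two encrypted columns. empID uses NO SALT so it can be indexed;
--    salary keeps the default salt, so equal salaries give different ciphertext.
CREATE TABLE employee (
  first_name VARCHAR2(128),
  last_name  VARCHAR2(128),
  empID      NUMBER    ENCRYPT NO SALT,
  salary     NUMBER(6) ENCRYPT USING 'AES256'
);
CREATE INDEX employee_empid_ix ON employee (empID);

-- 4. Applications use the table unchanged; encryption happens on the way to disk.
INSERT INTO employee VALUES ('Ada', 'Lovelace', 1001, 75000);   -- constructed row
COMMIT;
SELECT first_name, salary FROM employee WHERE empID = 1001;

-- 5. Add encryption to an existing column, then remove it again.
ALTER TABLE employee MODIFY (last_name ENCRYPT);
ALTER TABLE employee MODIFY (last_name DECRYPT);

-- 6. Audit which columns are encrypted, with which algorithm and salt setting.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
WHERE  table_name = 'EMPLOYEE';

-- 7. Rotate the table's column key (re-encrypts all encrypted columns).
ALTER TABLE employee REKEY USING 'AES256';

-- 8. Close the wallet when maintenance is done; it stays closed until reopened
--    or until the next ALTER SYSTEM SET ENCRYPTION WALLET OPEN after a restart.
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WalletPwd#1";
```

Step 2 is the check worth scripting into monitoring: a wallet that is CLOSED after an instance restart is the usual reason applications that worked yesterday start failing on encrypted columns today. Step 6 is the query an auditor wants, since it shows from the dictionary, not from application code, which columns are protected.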

Outline What is TDE How TDE works Basic TDE operations Tablespace encryption HSM Reference

Tablespace encryption. All objects created in the encrypted tablespace are automatically encrypted. This includes internal large objects (LOBs) such as BLOBs and CLOBs. It does not encrypt data that is stored outside the tablespace.

Tablespace encryption. The tablespace encryption master key is stored in the Oracle wallet. The encrypted data is protected during operations like JOIN and SORT, so the data is safe when it is moved to temporary tablespaces. Allows index range scans on data in encrypted tablespaces, which is not possible with column-based transparent data encryption.

Tablespace encryption. Create an encrypted tablespace:
CREATE TABLESPACE securespace DATAFILE '/home/user/oradata/secure01.dbf' SIZE 150M ENCRYPTION USING '3DES168' DEFAULT STORAGE(ENCRYPT);
Available algorithms: 3DES168, AES128 (default), AES256.

Tablespace encryption. You cannot encrypt an existing tablespace. You can import data into an encrypted tablespace using the Oracle Data Pump utility, or use ALTER TABLE ... MOVE ... to move a table into the encrypted tablespace.

Tablespace encryption. Encryption status of a tablespace: in DBA_TABLESPACES and USER_TABLESPACES, the ENCRYPTED column indicates whether a tablespace is encrypted.
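The tablespace procedure from the three slides above (create, move a table in, verify) as one added example; it is not part of the original deck. The datafile path, the tablespace name securespace and the employee table with its index employee_empid_ix are placeholders assumed here. V$ENCRYPTED_TABLESPACES, V$TABLESPACE and DBA_SEGMENTS are standard Oracle views.

```sql
-- Added example (not from the original slides): encrypted tablespace workflow.
-- Assumes the wallet is already open and the datafile directory is writable
-- by the database; all names and the path are placeholders.

-- 1. Create a new encrypted tablespace. An existing tablespace cannot be
--    converted in place, so data has to be moved into this one.
CREATE TABLESPACE securespace
  DATAFILE '/u01/oradata/orcl/secure01.dbf' SIZE 150M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 2. Move an existing table in. MOVE leaves its indexes UNUSABLE, so rebuild
--    them (into the encrypted tablespace as well, so index blocks are covered).
ALTER TABLE employee MOVE TABLESPACE securespace;
ALTER INDEX employee_empid_ix REBUILD TABLESPACE securespace;

-- 3. Verify: ENCRYPTED flag from DBA_TABLESPACES, algorithm from
--    V$ENCRYPTED_TABLESPACES joined to V$TABLESPACE for the name.
SELECT tablespace_name, encrypted
FROM   dba_tablespaces
WHERE  tablespace_name = 'SECURESPACE';

SELECT t.name, e.encryptionalg, e.encryptedts
FROM   v$encrypted_tablespaces e
JOIN   v$tablespace t ON t.ts# = e.ts#;

-- 4. Confirm the segments now live in the encrypted tablespace.
SELECT segment_name, segment_type
FROM   dba_segments
WHERE  tablespace_name = 'SECURESPACE';
```

One caveat that follows from "cannot encrypt an existing tablespace": after the MOVE, the old copies of the table blocks still sit in the original datafile until that space is reused. Treat the old datafile (and any backups of it) as still containing cleartext when planning the migration.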

Outline What is TDE How TDE works Basic TDE operations Tablespace encryption HSM Reference

Hardware Security Module. A physical device that provides secure storage for encryption keys. Provides secure computational space (memory) to perform encryption and decryption operations. A more secure alternative to the Oracle wallet. Transparent data encryption must be configured to use the HSM.
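What "configure transparent data encryption to use HSM" looks like in practice, as an added example that is not from the original deck. The sqlnet.ora entry in the comment and the "user_id:password" form of the HSM credential are the Oracle 11g configuration for an HSM-backed master key; the credential values and the wallet password are placeholders assumed here, and the vendor PKCS#11 library path is vendor-specific and not shown.

```sql
-- Added example (not from the original slides): switching the TDE master key
-- from a file wallet to an HSM on Oracle 11g.
-- Prerequisites (assumed): the HSM vendor's PKCS#11 library is installed where
-- Oracle expects it, and sqlnet.ora now reads
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))
-- The credential is the HSM user id and password, joined by a colon.

-- Fresh setup: generate the master key inside the HSM.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "hsm_user:hsm_password";

-- Existing deployment: re-encrypt the column keys under an HSM master key,
-- authenticating to the old file wallet with its password.
-- ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "hsm_user:hsm_password"
--   MIGRATE USING "WalletPwd#1";

-- Opening the "wallet" now means opening a session to the HSM.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "hsm_user:hsm_password";

-- Verify the key store type is HSM, not FILE, before relying on it.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;
```

The last query is the check to keep: a database that silently fell back to a file wallet would still report STATUS = OPEN, so the WRL_TYPE column is what tells you the master key actually lives in the HSM.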

Outline What is TDE How TDE works Basic TDE operations Tablespace encryption HSM Reference

ork.111/b28530/asotrans.htm