Types of sensitive data / governing bodies (mostly government?)
Classified by the data element present in the column:
i) Personal or customer-related
PI/PII: any data that can directly or indirectly identify an individual, including personal details like Social Security numbers, phone numbers, and biometric data.
SCD (Sensitive Customer Data): any personal or financial information that, if exposed, could lead to harm to the customer (e.g., full name, address, phone number, credit card info).
RPI (Restricted Personal Information): highly sensitive personal information that requires strict access control, often including identifiers like Social Security Number, health data, and biometric data.
FCC (Financial Customer Information): information related to a customer's financial status, transactions, or assets that must be protected (e.g., bank account numbers, credit history).
PII is typically protected by various privacy regulations, such as GDPR (General Data Protection Regulation) in Europe, CCPA (California Consumer Privacy Act) in California, USA, and HIPAA (Health Insurance Portability and Accountability Act) for medical information.
ii) Payment card-related
PCI (Payment Card Industry Data): payment card information, including cardholder data (e.g., card number, expiration date, and CVV), regulated by PCI DSS for security.
SPI (Sensitive Payment Information): data related to payment card transactions that includes the more sensitive parts, such as CVV/CVC, PIN, and full track data.
Other governing regulations: SOX, FSA, etc.; CPNI (Customer Proprietary Network Information) governs telecom.
Data is considered to be in one of three states:
In use: it is in active memory.
In motion/transit: it is "on the wire", being transmitted across the network from A to B, e.g. from a client to the Oracle DB.
At rest: stored data that resides in a permanent location awaiting access. Examples include data stored in a DB, on hard drives, backup tapes, cloud storage, etc.
Oracle security products?
Application level (the best option for SPI/PCI column data, as it provides both in-transit and at-rest protection):
DBMS_CRYPTO: application-level encryption using DBMS_CRYPTO would be the best option, but it is more complex and has to be managed by the application. Starting from Oracle Database 21c, the use of DBMS_CRYPTO is deprecated.
Other technologies for encrypting sensitive data: OpenText Voltage SecureData ORAVOLT, UBIQ (emerging), Vormetric, Ingrain (CipherTrust Database Protection), etc.
In transit:
You can use Oracle native network encryption or TLS (SSL) to encrypt your network traffic; there is no need to do both. If Oracle Net encryption has been enabled, it is the Oracle kernel doing the encryption, not the OS/device layer.
At rest:
TDE is disk-based datafile encryption. Decryption requires an encryption key that is password protected.
In the case of Oracle DBaaS, the service is based on Oracle Exadata, which uses ASM, so the data could be distributed among at least 14 servers x 12 disks. Even if you could find the required disk and steal it from the Oracle data centre (if that were possible), you still may not be able to obtain the required data, unless the encryption key and its password are stolen too.
If IaaS is being used, then it is TDE on the data files (tablespace or column); the VM will hold an encryption key that can be password protected. If the customer holds the password for the key, then he is safe from the cloud provider and its admins.
Furthermore, a few more features come in that are more about access limitation; each one is a separate database pack (option) in Oracle. Their specific focus is masking sensitive data when it is accessed, rather than encrypting or storing the data in a protected format.
Masking sensitive data / access control
Row-level security prevents (or permits) access to individual rows. Attribute (or column) level security prevents (or permits) access to individual columns within the rows. (OLS)
Data Redaction (Oracle Data Redaction) masks data between server and client; the client cannot decrypt the data. Used to protect SSNs and credit card numbers.
Database Vault is used to specify HOW, WHO, WHERE, and WHEN data can be accessed. By default the DBA does not get the data owner's access unless the data owner grants it. It can also audit/report such activity, besides ALLOW/DISALLOW/DIVERSE of the required action.
VPD (FGAC, fine-grained access control) protects data from being accessed by end users, i.e. by people who are supposed to see some of the data but perhaps not all of it.
OLS (Oracle Label Security) protects rows. You may use VPD (Virtual Private Database, the feature used by OLS itself) to further hide columns (it can null them out if someone is not supposed to see them). They are not mutually exclusive; it is not "use one or the other".
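Added example (not code from the post): a VPD policy that restricts rows to the connected user and nulls out the sensitive columns, beside a Data Redaction policy that masks the card number in the result set while the stored value stays intact. The APP schema, CUSTOMER table, OWNER_USER/SSN/CARD_NO columns and the APP_ADMIN user are hypothetical.

```sql
-- Assumed (hypothetical) schema: APP.CUSTOMER(id, owner_user, ssn, card_no); APP_ADMIN is exempt.

-- 1) VPD policy function: returns the predicate appended to every query on the table.
--    An empty string means "no restriction" (here: the admin user sees everything).
CREATE OR REPLACE FUNCTION app.own_rows_only (p_schema VARCHAR2, p_obj VARCHAR2)
  RETURN VARCHAR2 AS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP_ADMIN' THEN
    RETURN '';
  END IF;
  RETURN 'owner_user = SYS_CONTEXT(''USERENV'', ''SESSION_USER'')';
END;
/

-- Column masking (ALL_ROWS): every row is still returned, but SSN and CARD_NO read as NULL
-- in rows where the predicate is false. Column masking applies to SELECT only.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP',
    object_name           => 'CUSTOMER',
    policy_name           => 'CUST_OWN_ROWS',
    function_schema       => 'APP',
    policy_function       => 'OWN_ROWS_ONLY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SSN,CARD_NO',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- 2) Data Redaction: partial redaction of a 19-character card number (xxxx-xxxx-xxxx-xxxx),
--    replacing positions 1-12 with '*' for everyone except APP_ADMIN. Nothing on disk changes.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP',
    object_name         => 'CUSTOMER',
    policy_name         => 'CUST_CARD_REDACT',
    column_name         => 'CARD_NO',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,*,1,12',
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''APP_ADMIN''');
END;
/

-- 3) Verify which policies are in force on the table.
SELECT object_name, policy_name, enable FROM dba_policies WHERE object_owner = 'APP';
SELECT object_name, policy_name, expression FROM redaction_policies WHERE object_owner = 'APP';
```

Querying APP.CUSTOMER as a non-admin user then returns only that user's card number, already masked to ****-****-****-1234, and NULL for other users' SSN/CARD_NO.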
Data in transit
SQL*Net data security?
By default only the PASSWORD used to connect is encrypted. All other data is sent in the clear.
ASO - is there a way to encrypt every SQL that goes to the server, like the connecting password (as you said earlier), so that network-savvy guys can't see what SQL is going to the server?
The advantage of native network encryption over TLS/SSL is that you hardly need to do any configuration on the client. However, the downside of this method is that you will not know whether you are connected to the intended database (server). To a certain extent, a man-in-the-middle attack is possible with native network encryption.
To clarify, the use of native network encryption or SSL/TLS is no longer a licensable item. It is part of the core RDBMS offerings. This applies to all versions of Oracle, not just 12c. Strong authentication services (Kerberos, PKI, and RADIUS) and network encryption (native network encryption and SSL/TLS) are no longer part of Oracle Advanced Security and are available in all licensed editions of all supported releases of the Oracle database.
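Added example (not from the post): how to check from inside a session whether native network encryption and integrity checking are actually in effect, since with the defaults only the password is protected. The sqlnet.ora parameters quoted in the comments are Oracle's own; the query uses only the V$SESSION_CONNECT_INFO view, and assumes the user may read it.

```sql
-- Server-side sqlnet.ora that turns the defaults (REJECTED/ACCEPTED) into mandatory protection
-- (configuration for reference, not SQL):
--   SQLNET.ENCRYPTION_SERVER            = REQUIRED
--   SQLNET.ENCRYPTION_TYPES_SERVER      = (AES256)
--   SQLNET.CRYPTO_CHECKSUM_SERVER       = REQUIRED
--   SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)

-- Each negotiated service shows up as an "... service adapter" banner line for the session.
-- Without an adapter line the data of this session crosses the wire in the clear.
SELECT sid,
       MAX(CASE WHEN network_service_banner LIKE '%Encryption service adapter%'
                THEN 'YES' ELSE 'NO' END) AS encrypted,
       MAX(CASE WHEN network_service_banner LIKE '%Crypto-checksumming service adapter%'
                THEN 'YES' ELSE 'NO' END) AS integrity_checked
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID')
 GROUP BY sid;

-- Full banner list for the same session, e.g. "AES256 Encryption service adapter for Linux: ..."
SELECT network_service_banner
  FROM v$session_connect_info
 WHERE sid = SYS_CONTEXT('USERENV', 'SID');
```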
Data at rest
Does Oracle 12c by default enforce any encryption mechanism for data at rest in the database?
For on-premises Oracle Databases, the Advanced Security license option includes the Transparent Data Encryption (TDE) feature. This encrypts the data at rest, protecting the database files on the server, in storage and on the network in between. Oracle Cloud Database Cloud Services (DBCS) automatically encrypts your data at rest.
Do you see any problem with indexes on encrypted columns using TDE?
If you are using tablespace encryption: not at all.
If you are using column encryption: there are issues, such as you cannot range scan on them, you cannot create function-based indexes on them, and you cannot use them in primary/foreign key relations.
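Added example (not code from the post) contrasting the two TDE modes above: tablespace encryption leaves indexing unrestricted, while column encryption needs NO SALT before a column can be indexed at all and still rules out range scans, function-based indexes and foreign keys. It assumes a TDE keystore is already created and open, CREATE TABLESPACE privilege, and hypothetical datafile path and table names.

```sql
-- Assumed: keystore open (ADMINISTER KEY MANAGEMENT ... already done); names below are hypothetical.

-- 1) Tablespace encryption: every block written to ENC_TS is encrypted on disk,
--    and indexes on its tables behave exactly as on an unencrypted tablespace.
CREATE TABLESPACE enc_ts
  DATAFILE '/u01/oradata/enc_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256' DEFAULT STORAGE (ENCRYPT);

CREATE TABLE customer_ts (
  id      NUMBER       PRIMARY KEY,
  ssn     VARCHAR2(11),
  card_no VARCHAR2(19)
) TABLESPACE enc_ts;

CREATE INDEX customer_ts_ssn_ix ON customer_ts (ssn);         -- range scans work
CREATE INDEX customer_ts_fbi_ix ON customer_ts (UPPER(ssn));  -- function-based index works

-- 2) Column encryption: only the marked columns are encrypted, each with the table key.
CREATE TABLE customer_col (
  id      NUMBER       PRIMARY KEY,
  ssn     VARCHAR2(11) ENCRYPT NO SALT,   -- NO SALT: ciphertext is deterministic, so it can be indexed
  card_no VARCHAR2(19) ENCRYPT            -- salted (default): stronger, but cannot be indexed
);

-- Allowed with NO SALT: the index is built on ciphertext, so it serves equality lookups only;
-- a predicate such as ssn BETWEEN ... AND ... cannot use it (no range scan).
CREATE INDEX customer_col_ssn_ix ON customer_col (ssn);

-- Each of the following is rejected by the database on an encrypted column:
--   CREATE INDEX customer_col_card_ix ON customer_col (card_no);     -- salted column
--   CREATE INDEX customer_col_fbi_ix  ON customer_col (UPPER(ssn));  -- function-based index
--   ALTER TABLE orders ADD CONSTRAINT orders_cust_fk
--     FOREIGN KEY (cust_ssn) REFERENCES customer_col (ssn);          -- FK on encrypted column

-- 3) Verify what is encrypted, and how.
SELECT tablespace_name, encrypted
  FROM dba_tablespaces
 WHERE tablespace_name = 'ENC_TS';

SELECT table_name, column_name, encryption_alg, salt
  FROM user_encrypted_columns
 ORDER BY table_name, column_name;
```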