Oracle Transparent Data Encryption undecrypted access

一笑奈何 submitted on 2019-12-01 19:05:04

Question


Can I set up an Oracle Database in a way that all of the following statements are true?

a) certain columns, potentially all columns are encrypted, so that direct file access to the database file wouldn't allow an attacker to retrieve any records

b) the encrypted columns are transparently decrypted for authorized users, where authorization happens e.g. by having a certain role or privilege

c) an admin who has suitable privileges for doing 'normal' admin tasks (tuning, creating/dropping schema objects, restarting database, selecting from data dictionary) can select the tables but will see only encrypted data in the encrypted columns.

If this is possible, how do I do it? If it is not possible, what are the options I have to at least get 'close' to these requirements?

a)+b) seem to be possible with Oracle Transparent Data Encryption, but I am not sure about c)


Answer 1:


Transparent Data Encryption only does (a). It is about preventing data breaches occurring because somebody stole the hard drive or backups, or ran strings against the DBF files. That's still useful, because it prevents your sysadmins using their privileged OS access to bypass all your database security.

If you want to enforce something like (b) the appropriate technology is the virtual private database - either DBMS_RLS with the Enterprise Edition or Oracle Label Security if you have the additional license.

If you want to implement (c) you will need Oracle's Database Vault product, which is again a chargeable extra on top of the Enterprise License.

As TDE requires the Advanced Security Option these options amount to a 75%(*) surcharge on the EE license. In which case you might as well go for broke and buy Audit Vault as well!

(*) Only 50% if you buy Label Security.
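
Added example, not part of the original answer: a sketch of how (a) and (b) could be combined, using TDE column encryption for the files and a DBMS_RLS column-masking policy for per-role visibility. The schema `HR_APP`, table `CUSTOMERS`, column `CARD_NO`, role `CARD_READER` and the policy and function names are hypothetical; it assumes an open TDE keystore and a release that provides the `SYS_SESSION_ROLES` context namespace.

```sql
-- (a) TDE column encryption: protects data files and backups only.
-- Any session with SELECT on the table still sees plaintext.
ALTER TABLE hr_app.customers MODIFY (card_no ENCRYPT USING 'AES256');

-- Confirm the column is registered as encrypted.
SELECT table_name, column_name, encryption_alg
  FROM dba_encrypted_columns
 WHERE owner = 'HR_APP';

-- (b) VPD policy function. It returns a predicate string that Oracle
-- evaluates inside the user's query, so the role check runs in the
-- calling session rather than inside this function.
CREATE OR REPLACE FUNCTION hr_app.card_no_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  RETURN 'SYS_CONTEXT(''SYS_SESSION_ROLES'', ''CARD_READER'') = ''TRUE''';
END;
/

-- Column masking: every row is returned, but CARD_NO is NULL for
-- sessions where the predicate is false. Sessions never see ciphertext.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'HR_APP',
    object_name           => 'CUSTOMERS',
    policy_name           => 'MASK_CARD_NO',
    function_schema       => 'HR_APP',
    policy_function       => 'CARD_NO_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'CARD_NO',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS
  );
END;
/

-- Limit of this setup with respect to (c): SYS and any account holding
-- EXEMPT ACCESS POLICY bypass VPD policies. List who holds it:
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT ACCESS POLICY';
```

Unauthorized sessions get NULL in the masked column rather than encrypted bytes, so this approximates (b) but does not restrain a DBA who can grant themselves the role or the exemption.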



Source: https://stackoverflow.com/questions/2230189/oracle-transparent-data-encryption-undecrypted-access
