Efficient Key Management for Oracle Database 11g Release 2 Using Hardware Security Modules

WHITE PAPER

Thales e-Security

www.thalesesec.com/oracle

TABLE OF CONTENTS

Introduction

Oracle Database 11g Release 2 Advanced Security and Transparent Data Encryption (TDE)

Why encryption is unique and important

Industry regulation and the costs of breaches

What is a hardware security module (HSM)?

Benefits of Using HSMs for Key Management

The need for centralized key management

Oracle and Thales: Added Value for Centralized Key Management and High Security

Operational benefits

Security and compliance benefits

Compliance benefits

Conclusion

For more information

About Thales

About Thales e-Security

INTRODUCTION

Sensitive data is everywhere—bank transactions, healthcare records, student information, credit card data, and more. Data not only lives in the data center, point-of-sale terminal, or trading workstation, it also travels beyond the controls of the IT department – whether transferred over the Internet or shipped by truck for archiving. Businesses and governments are responsible for protecting the privacy—and private data—of their customers, patients, citizens, employees, and business partners. This responsibility is now part of legislation, regulation, and industry rules. Increasingly, encryption is the means by which organizations meet this responsibility.

Databases are a core operational component in running a modern business. Organizations are storing increasing amounts of sensitive information in databases, which poses a risk if there is a breach of data confidentiality. A data breach can result in fines and lost business. Database encryption solutions can be used to help mitigate this risk. Whether data remains in a database, is transferred over a network, or is backed up to tape, encryption ensures that data is readable only by applications or individuals with the appropriate encryption keys.

As highlighted in a 2011 Ponemon Institute research report titled “What Auditors Think about Crypto Technologies”, protecting the confidentiality of data in storage is one of the more challenging aspects for compliance with increasing data security regulations. While encryption is considered the best technology for securing databases, the administration of the key management system is equally important for auditors.

Oracle’s Database 11g Release 2 Transparent Data Encryption (TDE) provides database encryption to address the risks outlined above. Oracle Database 11g Release 2 supports centralized key management in hardware security modules (HSMs) such as the Thales nShield family. The main business driver for this type of solution is the need to meet compliance requirements, notably PCI.


This white paper is aimed at IT Security professionals and database administrators. It discusses the benefits of encryption, focusing on database encryption using Oracle’s TDE integrated with Thales nShield HSMs. Also discussed is how HSMs improve the operational aspects of key management and offer a higher level of security assurance to the customer and aid compliance.


ORACLE DATABASE 11G RELEASE 2 ADVANCED SECURITY AND TRANSPARENT DATA ENCRYPTION (TDE)

Advanced Security is an option for the Oracle Database 11g Release 2 Enterprise Edition that includes network encryption, transparent data encryption (TDE), and strong authentication. It is TDE that is the main focus of this paper.

Oracle Advanced Security TDE can easily secure both new and existing database deployments – without modification to any of the applications or processes consuming the data. This is possible because TDE by its very design is transparent to the application as it resides within the database engine. Therefore, TDE can be applied to many types of data: customer data, credit card data, financial, healthcare records and other types of sensitive information.

TDE provides two modes of encryption:

• TDE column encryption

• TDE tablespace encryption

Figure 1: TDE is part of Oracle Advanced Security


TDE column encryption permits security managers to identify specific data (for example credit card numbers) in an application table column that should be protected using encryption. This requires a good understanding of where the sensitive information that needs protection resides in the database.

Figure 2: Sample database table.

Tablespace¹ encryption is a feature unique to the Oracle database. It allows the security officer to select which tablespaces should be encrypted. The feature was first introduced with Oracle Database 11g Release 2 and offers an important advantage compared to the column-level approach:

• If the exact location of sensitive data is unknown, then use tablespace encryption to protect all data in a tablespace. It removes the effort of having to locate and classify data within the tables.

• It is the simplest approach to implement and manage precisely because an organization does not need to locate sensitive data and classify it within the database tables.

¹ A tablespace is a logical entity within the Oracle database; it can be thought of as a container that stores tables and all other database objects within the database. Every table in the database resides within a tablespace. This logical entity is the bridge between the logical and physical database. Each tablespace is associated with one or many data files. In other words, the data is stored within a database table, which is logically stored within a tablespace where the tablespace physically stores the data within data files on the operating system.

Figure 3: Each tablespace can contain one or several tables and other database objects like indexes.
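The two TDE modes described above, side by side, as an added example that is not taken from the white paper or from Oracle or Thales material. The `app` schema, the table and tablespace names and the datafile path are assumptions, and a TDE master key is assumed to exist with the wallet or HSM open.

```sql
-- Added example: names and paths below are assumptions, not values from the paper.

-- 1. TDE column encryption: only the column identified as sensitive is
--    encrypted; the security manager has to know where that data lives.
CREATE TABLE app.customer_cards (
    customer_id  NUMBER         PRIMARY KEY,
    holder_name  VARCHAR2(100),
    card_number  VARCHAR2(19)   ENCRYPT USING 'AES256'
);

-- 2. TDE tablespace encryption: everything stored in the tablespace is
--    encrypted, so no per-column classification is needed.
CREATE TABLESPACE secure_ts
    DATAFILE '/u01/app/oracle/oradata/ORCL/secure_ts01.dbf' SIZE 100M
    ENCRYPTION USING 'AES256'
    DEFAULT STORAGE (ENCRYPT);

CREATE TABLE app.payments (
    payment_id   NUMBER         PRIMARY KEY,
    card_number  VARCHAR2(19),      -- no ENCRYPT clause: covered by the tablespace
    amount       NUMBER(12,2)
) TABLESPACE secure_ts;

-- 3. Checks a DBA or auditor can run to see what is actually protected.

-- Columns encrypted with TDE column encryption.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
ORDER  BY owner, table_name, column_name;

-- Tablespaces created with ENCRYPTION, and the algorithm in use.
SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts
FROM   v$tablespace t
JOIN   v$encrypted_tablespaces e ON e.ts# = t.ts#;

-- Tables in the assumed APP schema that sit in a tablespace that is NOT
-- encrypted; any sensitive column here relies on column encryption alone.
SELECT tab.owner, tab.table_name, tab.tablespace_name
FROM   dba_tables tab
JOIN   dba_tablespaces ts ON ts.tablespace_name = tab.tablespace_name
WHERE  tab.owner = 'APP'
AND    ts.encrypted = 'NO';
```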

Any applications, including non-Oracle applications, that use Oracle Database 11g Release 2 or plan to use the database can take advantage of the full range of TDE capabilities. For example, there is a growing list of applications that have been tested and certified by Oracle to use TDE tablespace encryption. At the time of going to press the list includes:

• Oracle E-Business Suite

• Oracle PeopleSoft Enterprise 8.48+

• Oracle Siebel CRM 8.0+

• Oracle JD Edwards Enterprise One

• SAP (6.40_EX and later)

Why encryption is unique and important

Securing sensitive data against security breaches helps mitigate reputational and compliance risks to the business. Encryption provides a unique solution to the problem of data security when compared to access controls that can manage user access to database tables.

Encryption offers protection in many scenarios: when database disks are exchanged for maintenance purposes or when database files are written to an export file or to backup such as a tape library. In these instances database encryption becomes far more important than access controls because by moving data from the database the encrypted data has been separated from the master encryption key that is required to access the data. As a result, anyone finding the media containing the encrypted database files is unable to read it.

There is an additional benefit to encrypting data. When data needs to be destroyed and disposed of, simply destroying the keys will prevent the data ever being read. This is especially valuable in cases where disks might be accidentally sold or lost without being wiped or cleared.

Why is encryption so important? Enterprises need encryption to satisfy various compliance requirements, which vary depending on the industry sector. For example, encryption plays an important role in aiding compliance with PCI DSS², which is an industry standard that mandates the consistent protection of credit card data. While traditional security mechanisms that monitor and control access to applications are still required, encryption is an increasingly necessary component to achieve compliance. Encryption protects data wherever it goes, even beyond the boundaries of the data center.

² Payment Card Industry Data Security Standard

Industry regulation and the costs of breaches

Many industries are proactively taking steps to protect their customers’ privacy and avert government regulation. For example, PCI DSS consolidates security standards created by American Express, Discover, JCB, MasterCard, and Visa. All organizations processing, transmitting, or handling credit card data must document and report their PCI DSS compliance. PCI DSS mandates the protection of Primary Account Numbers (PANs) – in transit and in storage. Encryption is commonly used to achieve PCI DSS compliance, and audits are used to verify compliance. Passing an external audit can be time-consuming, complex and expensive, often requiring changes to processes and technology.

In addition to the regulatory activities led by industry there are numerous privacy breach notification laws in place that effectively mandate encryption. The first such law was the State of California Senate Bill 1386 and more recently the State of Massachusetts mandated stricter requirements for the use of encryption.

Not encrypting data can prove to be very costly to organizations. Published in 2009, the U.S. Cost of a Data Breach Study by the Ponemon Institute reports that data breaches cost organizations an average of US$202 per lost record, with the total cost of an average breach reaching US$6.6 million. Most of the costs arise from the notification of customers and lost future business due to reputational damage. As such, security and compliance can prove to be competitive advantages.

What is a hardware security module (HSM)?

An HSM is a hardware device that is typically deployed in the data center. Generally, HSMs are either plug-in cards that serve a single server or network-based hardware appliances that support many servers concurrently. HSMs are deployed in a variety of applications – identity management, public key infrastructure (PKI), database encryption, POS format preserving encryption and tokenization, web services, hi-tech manufacturing, digital rights management and more. They do the following:

• Protect cryptographic keys and perform cryptographic functions within a secure tamper-resistant hardware environment.

• Overcome the threat of a software-based attack on the OS by protecting the keys within the hardware, and provide robust tools to enforce key management policies across the key life cycle.

• Provide a simple strong authentication mechanism for key management administrators and can be used to establish and enforce powerful separation of duty schemes (e.g. so that no one person could subvert the key security).

• Are dedicated to individual servers (usually in the form of a PCI or PCIe card) or, when using an appliance, can be shared by multiple servers.

• Incorporate high-speed cryptographic processors to improve performance and therefore system capacity.


Benefits of Using HSMs for Key Management

HSMs are important for three main reasons:

• Security: HSMs ensure the security of cryptographic keys as they are created, stored, and used. They provide the highest level of security assurance for the keys that are protecting sensitive data. Typically HSMs are required to be certified and comply with well-known security standards, FIPS and Common Criteria³.

• Operations: Management of the encryption keys is handled by the HSM. Many key management operations can be simplified by using an HSM.

• Compliance: Organizations address and reduce the amount of effort needed for compliance by deploying an HSM as part of their encryption solution.

Encryption keys are central to data security—your data is only as secure as your keys. This makes key management extremely important.

³ The Federal Information Processing Standard (FIPS) defines security requirements for cryptographic modules used in protecting sensitive data within government and enterprise information systems. The standard is promulgated by the United States and Canada and enjoys international recognition. Common Criteria is an internationally recognized computer security product evaluation framework.

The need for centralized key management

An Oracle Advanced Security TDE deployment may involve a number of database instances, each with their own encryption keys and associated TDE master keys. Rotating and managing each of these keys individually can be expensive when compared to the use of an HSM to centralize the management.

Some of the benefits of using an HSM to provide centralized key management to multiple databases, and possibly other applications too, include:

• All the HSM functions outlined earlier in the section “What is a hardware security module (HSM)” equally apply to a centralized HSM appliance.

• One central appliance that can be deployed in a clustered failover and load-balancing configuration.

• Central location for key life cycle management simplifies the operational management.

• Reduction in key rotation frequency. When compared to using software protection of a key, the use of an HSM reduces the frequency of key rotation because of the higher level of security afforded, which reduces operating costs.

• Central repository for key storage, e.g. this assists with PCI compliance requirements for the keys to be stored in as few places as possible.

• Audits are simplified. HSMs are a well understood part of the modern IT security infrastructure, simplifying key management in a manner that readily aids auditors in assessing adherence to good policy. This in turn reduces the expense of meeting compliance.


ORACLE AND THALES: ADDED VALUE FOR CENTRALIZED KEY MANAGEMENT AND HIGH SECURITY

Oracle and Thales have partnered to integrate the Oracle Database 11g Release 2 and the Thales nShield HSM product family. The Thales nShield Solo PCI or PCIe card can be installed in a server to provide local key management to that server (appropriate when multiple database instances are installed on one server, replacing their individual Oracle Wallets), while the Thales nShield Connect appliances can be deployed centrally to service multiple servers. A unique feature of the Thales nShield family is that the HSMs are compatible with each other. The nShield Solo and nShield Connect are fully compatible and if required may be deployed together in the same installation.

HSMs centrally manage the master encryption keys, which improves operational efficiency and provides a higher level of assurance for the keys. As a result, organizations can more easily and efficiently meet PCI compliance requirements by managing keys effectively and storing them in as few places as possible.
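How the master key location looks from the database side, as an added example that is not taken from the white paper or from Oracle or Thales material. It uses the generic Oracle Database 11g Release 2 statements for an HSM-backed keystore; the credential strings and wallet directory are placeholders, and any nShield-specific setup is outside what this page describes.

```sql
-- Added example. Assumes the HSM vendor's PKCS#11 library is already installed
-- where the database expects it, and that sqlnet.ora selects the HSM as the
-- keystore for the TDE master key:
--
--   ENCRYPTION_WALLET_LOCATION = (SOURCE = (METHOD = HSM))
--
-- When moving away from an existing software wallet (case B), the entry also
-- keeps the old wallet directory so it can still be read:
--
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = HSM)
--               (METHOD_DATA = (DIRECTORY = /path/to/existing/wallet)))
--
-- "hsm_user:hsm_password" and "wallet_password" are placeholders.

-- Case A: new deployment. The TDE master key is generated inside the HSM.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "hsm_user:hsm_password";

-- Case B: the database already uses a software Oracle Wallet. A new master
-- key is created in the HSM and the existing table and tablespace keys are
-- re-protected with it.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "hsm_user:hsm_password"
    MIGRATE USING "wallet_password";

-- After an instance restart the keystore has to be opened before encrypted
-- data can be read; the credential goes to the HSM, not to a wallet file.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "hsm_user:hsm_password";

-- Audit check: wrl_type shows whether the instance is using a file-based
-- wallet or an HSM, and status shows whether the keystore is open.
SELECT wrl_type, wrl_parameter, status
FROM   v$encryption_wallet;
```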

Below we outline the important benefits of deploying a Thales nShield with the Oracle Database 11g Release 2 TDE.

Operational benefits

• Smooth deployment – Fully tested and supported by Thales and Oracle for quick deployment; integrates out of the box via the industry standard PKCS#11 API.

• Scalability – As the number of databases and tablespaces increases or the encryption load increases, more HSMs can be added, which also includes automatic load balancing.

• Support for virtualized environments – For Thales nShield Connect, users have the option to add hardware-based key management to virtualized servers.

• Performance – Hardware acceleration enables organizations to avoid server CPU bottlenecks caused by the high processing requirements of cryptography.

• Failover capability – The Thales nShield HSM family provides users with the option of deploying a redundant configuration in the event of an HSM failure.

• Recovery – Thales HSMs offer a unique ability for simple and secure backup of sensitive keys and recovery in the event of a disk, server or HSM failure.

• Cost-effectiveness – Thales nShield Connects enable the shared use of single modules across several servers to reduce costs.

Security and compliance benefits

• Hardware key protection – Stores the TDE master keys in a secure environment; the keys are never exposed to anyone outside of the HSM.

• High security – An HSM provides a TDE deployment with the highest level of security assurance for protecting the encryption keys. This level of protection is only achievable by the use of tamper-resistant hardware – a security strength that software protection alone could not provide.

• Advanced separation of duties – Where (1) the key management is separated from the database administration functions, (2) management of the HSM includes separation of roles, (3) strong authentication (including smartcard quorums) of HSM administrators and operators.

Compliance benefits  

• Reduced cost of compliance – The centralized key management of the nShield Connect reduces operational costs, including a reduced need for key rotation, and reduces the cost of meeting compliance.

• FIPS validated hardware – The nShield Solo and nShield Connect are certified to FIPS 140-2 level 3. Only purpose-built hardware solutions can meet this level of security certification, thus augmenting the certifications of the Oracle database.

• Common criteria – The nShield Solo and nShield Connect are certified to Common Criteria EAL4+. Again, this augments the security certification of the Oracle database.

Figure 4: nShield HSMs can be dedicated to one server or provide cryptographic services to an entire infrastructure.

In summary, for the purposes of PCI compliance nShield HSMs offer strong cryptography with associated key-management processes and procedures. This includes secure key generation and key storage in as few locations as possible, along with tight integration with the Oracle database.


CONCLUSION

Sensitive data is worth its weight in gold to cyber-criminals, product counterfeiters, and other corporate and rogue government data thieves. Therefore, databases must be protected at the highest level of security or risk breaches that can result in damage to an organization’s brand and competitive advantage, not to mention the incurrence of serious fines for non-compliance with data protection laws.

Database encryption is the answer to the challenge since it ensures that stolen encrypted data will be useless to thieves. Encryption also satisfies compliance and regulatory requirements.

For databases, Oracle has addressed the need for security and compliance using a defense-in-depth approach that emphasizes preventive and detective controls – data encryption, data masking, access controls, and monitoring. Oracle Advanced Security TDE provides organizations with an easy way to encrypt sensitive data with minimal impact on business applications and administrators. Implemented as a native encryption service inside the database, TDE is a big step forward for organizations running Oracle Database 11g Release 2.

However, simply encrypting the data with TDE is not enough. Organizations must take another critical step forward – with centralized key management – if they want to adopt database encryption in the most efficient and cost-effective manner throughout the enterprise. Industry regulations demand stringent key management processes, while data breach notification rules with safe harbor clauses require strong custody and control of keys.

Database encryption with Oracle Advanced Security TDE and Thales nShield HSMs raises the bar for the operation, management, and protection of TDE encryption keys. By providing centralized key storage, backup, and recovery, as well as fault tolerance, this combined encryption and key management solution helps organizations comply with international security standards while achieving the highest levels of database security.


FOR MORE INFORMATION

For more information on Thales security solutions for Oracle users, please contact [email protected] or visit www.thalesesec.com/oracle.

About Thales

Thales is a global technology leader for the Aerospace and Space, Defense, Security and Transportation markets. In 2009, the company generated revenues of 12.9 billion Euros with 68,000 employees in 50 countries. With its 25,000 engineers and researchers, Thales has a unique capability to design, develop and deploy equipment, systems and services that meet the most complex security requirements. Thales has an exceptional international footprint, with operations around the world working with customers as local partners. www.thalesgroup.com

About Thales e-Security

Thales is a leading global provider of data encryption solutions to the financial services, manufacturing, government and technology sectors. With a 40-year track record of protecting corporate and government information, Thales solutions are used by four of the five largest energy and aerospace companies, 22 NATO countries, and they secure more than 70 percent of worldwide payment transactions. Thales e-Security has offices in France, Hong Kong, Norway, United States and the United Kingdom. For more information, visit www.thales-esecurity.com

©2011 Thales e-Security