Re: Oracle Advanced Security and Redaction

  • From: Hans Forbrich <fuzzy.graybeard@xxxxxxxxx>
  • To: oracle-l@xxxxxxxxxxxxx
  • Date: Thu, 10 Mar 2016 10:23:32 -0700

No.

TDE encryption protects the data at rest, including backups if used. Properly configured encryption over the network (SQLNet encryption) - see the Advanced Security manual to do that - should be used to protect data in motion.

The Advanced Security Option Redaction capability helps with application security by redacting that which is presented, but does not help at all keeping incorrect access from getting the data. In other words, using that single central userid at the database level can still cause issues.

That is where Real Application Security (RAS) comes in - it allows the web tier to do the authentication and passes the middle-tier principal to the database - and then applies VPD-like ACLs to the DML/Query operations. The database understands the principal (user or role) without needing that user to be a regular database user (think PROXY User, but really enhanced). (In addition, it supports server-side connection pooling, including Oracle UCP possibly tying back to Oracle DRCP, which helps a lot in managing resources.) So think of RAS as VPD plus OLS plus Roles & Privileges on steroids - included in EE license at that.

To protect against the entire life-cycle, you also want to have *at least* At-Rest Masking, and likely Subsetting, as in the Oracle Data Masking and Subsetting Pack capability. That includes the ability to identify - by column name AND column data pattern - the columns that contain sensitive data (too many orgs don't even have an inventory of what is sensitive) stored in the Application Data Model, allowing both transformation of data and obtaining a consistent subset for use in dev/test/training - RDBMS independent.

And Database Vault to ensure that the DBA does not bypass PII controls.

And then there is the whole discussion about 'prove it', using auditing.

While we are at it, Packet State Inspection, AND Statement State Inspection Firewalls, such as Oracle's Database Firewall and Audit Vault become interesting.

But this is turning into a product list, and nearing marketing. Oracle needs to put up a Virtual Technology Summit or OU Class on this topic. (Oh wait, I'm writing that class right now...)

/Hans
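An added example, not code from the thread or from Oracle, that puts Hans's point about redaction into a script a DBA could run on a 12c test instance: it builds a constructed customer table, applies a DBMS_REDACT policy that exempts one named user, and then runs the dictionary checks that show what redaction covers, who can bypass it, and whether the at-rest (TDE) and in-motion (SQL*Net) layers are actually in place for the current session. The schema APP_OWNER, the users PII_AUDITOR and APP_SVC, and all sample values are assumptions made for the example.

```sql
-- Added example (not from the thread): constructed PII table, a Data Redaction
-- policy via DBMS_REDACT, and the checks that show each layer's coverage.
-- Assumes Oracle 12c, schema APP_OWNER, a user PII_AUDITOR allowed to see clear
-- values, and a shared application account APP_SVC (all constructed names).

-- 1. Constructed table with sensitive columns.
CREATE TABLE app_owner.customers (
  cust_id   NUMBER PRIMARY KEY,
  full_name VARCHAR2(100),
  ssn       VARCHAR2(11),   -- stored as 987-65-4320
  card_no   VARCHAR2(16)    -- stored as 16 digits, no separators
);
INSERT INTO app_owner.customers VALUES (1, 'Test Person', '987-65-4320', '4111111111111111');
COMMIT;

-- 2. Partial redaction of SSN: keep the last four, mask the rest with '*'.
--    The expression is evaluated per query: every session except PII_AUDITOR
--    gets the masked value. A shared APP_SVC account is therefore masked too,
--    but it still reads the row, which is the thread's point: redaction shapes
--    what is presented, it does not decide who may reach the data.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP_OWNER',
    object_name         => 'CUSTOMERS',
    column_name         => 'SSN',
    policy_name         => 'CUST_PII_REDACT',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5',
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') <> ''PII_AUDITOR''');
  -- Add the card number to the same policy, fully redacted.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'APP_OWNER',
    object_name   => 'CUSTOMERS',
    policy_name   => 'CUST_PII_REDACT',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'CARD_NO',
    function_type => DBMS_REDACT.FULL);
END;
/

-- 3. What a shared application account sees versus the auditor.
--    As APP_SVC: SSN -> ***-**-4320, CARD_NO -> a single space (full redaction
--    of a VARCHAR2 yields ' '). As PII_AUDITOR: clear values.
SELECT cust_id, ssn, card_no FROM app_owner.customers;

-- 4. Inventory the policy: a column absent from REDACTION_COLUMNS is not
--    covered at all, so re-run this after every schema change.
SELECT c.object_owner, c.object_name, c.column_name, c.function_type,
       p.expression, p.enable
FROM   redaction_columns  c
JOIN   redaction_policies p
  ON   p.object_owner = c.object_owner AND p.object_name = c.object_name
WHERE  c.object_owner = 'APP_OWNER';

-- 5. Who bypasses it: any grantee of EXEMPT REDACTION POLICY reads clear values
--    regardless of the policy expression. Review this grant list.
SELECT grantee FROM dba_sys_privs WHERE privilege = 'EXEMPT REDACTION POLICY';

-- 6. The other layers from the thread, checked from the same session:
--    data at rest (TDE wallet open? which tablespaces are encrypted?) and data
--    in motion (the service banner lists the encryption and checksum services
--    negotiated for this connection; an empty result means clear-text SQL*Net).
SELECT wrl_type, status, wallet_type FROM v$encryption_wallet;
SELECT tablespace_name, encrypted FROM dba_tablespaces;
SELECT network_service_banner
FROM   v$session_connect_info
WHERE  sid = SYS_CONTEXT('USERENV', 'SID');
```

Run steps 3 and 6 once as APP_SVC and once as PII_AUDITOR: the SSN output differs, the row count does not, and the service banner is identical for both, which is exactly the separation of concerns Hans describes (redaction for presentation, RAS/VPD for access, TDE and SQL*Net encryption for the storage and the wire).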


On 10/03/2016 7:38 AM, Tim Gorman wrote:

Are encryption and redaction enough to protect the full life-cycle of environments (i.e. prod, dev, test, train, patch, etc), or just production environments?

In other words, once mechanisms for encryption (data at-rest and data-inflight) and/or redaction are implemented, is personally-identifiable information ("PII") protected across the board?




On 3/10/16 06:51, rob@xxxxxxxxxxxxxxxx wrote:
And from my reading, it appears you need OAS to use redaction. -Rob


Oracle Advanced Security

Oracle Advanced Security helps you protect sensitive information and comply with various privacy and compliance regulations including breach notification laws and the Payment Card Industry Data Security Standard (PCI-DSS) by enabling encryption inside the database that is transparent to applications and enabling redaction of sensitive data before it leaves the database.

Oracle Advanced Security provides two primary security features: Transparent Data Encryption and Data Redaction. Data Redaction is new in Oracle Advanced Security with the release of Oracle Database 12c and provides the ability to redact sensitive information such as credit card data and social security numbers before the information leaves the database and is displayed by applications. Transparent Data Encryption provides encryption of data stored in the database, exported from the database using DataPump, or disk-based backups using Oracle RMAN.


===================================

Robert P. Lockard Oracle ACE

Winner of the 2015 Oracle Developers Choice Award for Database Design

President Oraclewizard.com, Inc.
"When given the choice between two evils, I always take the one I have not tried." Mae West
(cell) 571.276.4790
(office) 410.766.6960
(fax) 410.766.0332
twitter @navonpilot
youtube https://www.youtube.com/user/n4281k
blog: http://www.oraclewizard.com

    -----Original Message-----
    *From:* Hans Forbrich [mailto:fuzzy.graybeard@xxxxxxxxx]
    *Sent:* Thursday, March 10, 2016 08:41 AM
    *To:* oracle-l@xxxxxxxxxxxxx
    *Subject:* Re: The issue about using wireshark to dissect Oracle
    TNS protocol packet

    Side note: do you know that Encrypted SQL*Net does not require an
    extra license?

    From
    http://docs.oracle.com/database/121/DBLIC/options.htm#DBLIC143 we
    read "Network encryption (native network encryption and SSL/TLS)
    and strong authentication services (Kerberos, PKI, and RADIUS)
    are no longer part of Oracle Advanced Security and are available
    in all licensed editions of all supported releases of the Oracle
    database."

    A discussion on how to accomplish this is at
    https://docs.oracle.com/cd/B28359_01/server.111/b28337/tdpsg_network_secure.htm#CHDHFHIE


    /Hans
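As an added illustration of the "how to accomplish this" that Hans points to (this fragment is mine, not from the thread or the linked Oracle page): a server-side sqlnet.ora for native SQL*Net encryption on 12c, with the out-of-the-box setting shown commented out beside the hardened one. The parameter names are Oracle's; the algorithm choices are assumptions for the example.

```ini
# Added example (not from the thread): server sqlnet.ora for native network
# encryption, which needs no separate license per the quoted licensing note.

# Weak, and also the default when nothing is set: ACCEPTED on the server.
# If the client is also at its default (ACCEPTED), negotiation ends with no
# encryption and no integrity check, so SQL*Net crosses the wire in clear.
# SQLNET.ENCRYPTION_SERVER = ACCEPTED
# SQLNET.CRYPTO_CHECKSUM_SERVER = ACCEPTED

# Hardened: the server insists on encryption and integrity. A client set to
# REJECTED can no longer connect; a client left at ACCEPTED or REQUESTED is
# given the server's algorithms.
SQLNET.ENCRYPTION_SERVER = REQUIRED
SQLNET.ENCRYPTION_TYPES_SERVER = (AES256)
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
SQLNET.CRYPTO_CHECKSUM_TYPES_SERVER = (SHA256)

# Client-side counterpart for the client's sqlnet.ora, so a client cannot
# silently fall back to clear text against a server someone left at ACCEPTED:
# SQLNET.ENCRYPTION_CLIENT = REQUIRED
# SQLNET.ENCRYPTION_TYPES_CLIENT = (AES256)
# SQLNET.CRYPTO_CHECKSUM_CLIENT = REQUIRED
# SQLNET.CRYPTO_CHECKSUM_TYPES_CLIENT = (SHA256)
```

The REQUIRED/REQUIRED pairing is the one to standardize on: with REQUIRED on only one side, whether a given session is encrypted depends on the other side's configuration, which is what the V$SESSION_CONNECT_INFO service banner will reveal session by session.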


