Hans, my thinking is that while there may be a lot of lookup tables in the
system the total size of the lookup tables is usually small in data terms
compared to the whole. You only incur a encryption cost on reading or writing
the table block into the buffer so with heavily used blocks since those blocks
are likely to remain cached for significant periods of time the overhead will
be low. By encrypting every tablespace you eliminate the possibility of
someone moving a table with sensitive data from an encrypted tablespace to an
unencrypted one. You also eliminate the worry of sensitive data being copied
to a new table which is not designated as sensitive from a storage point of
view. In simple terms uniformity is easier to manage.
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On ;
Behalf Of Hans Forbrich
Sent: Thursday, February 25, 2016 12:45 PM
To: oracle-l@xxxxxxxxxxxxx
Subject: Re: Oracle TDE Question
Many applications have significant numbers of code/value lookup tables.
Many applications, especially 3-tier applications, do validation using those
lookup tables.
In many cases those code tables are not sensitive.
Unless appropriate caching is used (keep cache), bashing against encrypted
storage introduce unnecessary overhead.
I totally agree when you talk about 'business-generated' data. But the list of
countries, states, cities ...?
/Hans
On 25/02/2016 10:13 AM, Powell, Mark wrote:
I am of the opinion that if you buy TDE you should use probably use it on all
tablespaces. When you really consider it most business data is sensitive.
Most of the data may not need access within the company restricted, but you
would not want your competition or a hacker to have access so encrypting the
disk version makes business sense.
Make sure management and developers understand use of TDE in no way excuses
lack of control of the object level privileges.
From: oracle-l-bounce@xxxxxxxxxxxxx<mailto:oracle-l-bounce@xxxxxxxxxxxxx>
[mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of MJ Mody
Sent: Thursday, February 25, 2016 9:58 AM
To: christopherdtaylor1994@xxxxxxxxx<mailto:christopherdtaylor1994@xxxxxxxxx>
Cc: oracle-l@xxxxxxxxxxxxx<mailto:oracle-l@xxxxxxxxxxxxx>
Subject: Re: Oracle TDE Question
A valid question here is if your organization has previously gone through the
exercise of identifying PII. Should this be the case than it is known which
objects should utilize the encrypted tablespaces.
In interest of time, is it prudent to enable TDE on all tablespaces?
That said overall overhead Oracle says is 6%-8% with TDE.
On Feb 25, 2016, at 7:54 AM, Chris Taylor
<christopherdtaylor1994@xxxxxxxxx<mailto:christopherdtaylor1994@xxxxxxxxx>>
wrote:
I think I know the answer to this question, but want to confirm for
completeness.
When you use Oracle TDE (with the appropriate licenses of course), is it
supported to have both non-encrypted tablespaces and encrypted tablespaces in
the same database, correct?
If it's not I'd be surprised but wanted to confirm.
Thanks!
Chris Taylor
