Encrypt sensitive data at rest
Data is the currency of business today. To protect your business, your sensitive data must be encrypted so that it stays secure from both internal and external threats.
We recommend encrypting your sensitive data in the cloud with a Transparent Data Encryption (TDE) solution. TDE enforces access control and separation of duties while preserving the privacy of your data, even in a multi-tenant storage area network. Beyond protecting the data itself, this encryption helps you meet compliance requirements, such as HIPAA, that mandate encryption at rest, i.e. of data stored in a database or backup system.
For data at rest, TDE automatically encrypts and decrypts the data stored in the database without requiring any additional code. With TDE, the encryption process and the associated encryption keys are created and managed by the database, so the encryption is transparent to users who have authenticated to the database. At the operating-system level, however, attempts to read the database files return the data in its encrypted state, so operating-system users cannot read it. A further benefit is that because the database performs the encryption, the application does not need to change, and the performance overhead on database changes is minimal because TDE is built into the database engine itself.
In addition, existing Oracle database processes back up TDE-protected data without any modification: if a column or tablespace is encrypted, the same data remains encrypted when it is backed up. This is a significant side benefit of database encryption, because no additional time is needed during the backup process to re-encrypt the database. With TDE you can also choose to encrypt an entire tablespace or only specific columns.
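The following is an added example, not code from the article: it shows the two TDE modes just described (tablespace and column encryption) being enabled on an Oracle database, with the keystore setup that the database needs first and the dictionary views a reviewer would query to confirm the result. The keystore path, datafile path, table and passwords are placeholders.

```sql
-- Added example (not from the article): enabling Oracle TDE, then verifying it.
-- Assumptions: software keystore at /placeholder/wallet (hypothetical path), run by a
-- user holding the ADMINISTER KEY MANAGEMENT (SYSKM) privilege; passwords are placeholders.

-- 1. Create and open the keystore, then set the TDE master encryption key.
--    The master key stays in the keystore; it wraps the per-tablespace and
--    per-column data keys that the database creates and manages for you.
ADMINISTER KEY MANAGEMENT CREATE KEYSTORE '/placeholder/wallet' IDENTIFIED BY "keystore_pw";
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN IDENTIFIED BY "keystore_pw";
ADMINISTER KEY MANAGEMENT SET KEY IDENTIFIED BY "keystore_pw" WITH BACKUP;

-- 2. Whole-tablespace encryption: every segment placed here is encrypted on disk,
--    and neither the application nor its SQL has to change.
CREATE TABLESPACE secure_ts
  DATAFILE '/placeholder/oradata/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. Column-level encryption for a table kept in an ordinary tablespace.
--    Columns are salted by default, and a salted column cannot be indexed,
--    so a column you need to index must be declared NO SALT.
CREATE TABLE customers (
  id       NUMBER PRIMARY KEY,
  name     VARCHAR2(100),
  ssn      VARCHAR2(11) ENCRYPT USING 'AES256' NO SALT,  -- indexable
  card_no  VARCHAR2(19) ENCRYPT                          -- default: AES192, salted
) TABLESPACE users;

CREATE INDEX customers_ssn_ix ON customers (ssn);  -- allowed only because of NO SALT

-- Retrofitting an existing column: the stored values are rewritten encrypted.
ALTER TABLE customers MODIFY (name ENCRYPT USING 'AES256');

-- 4. Verification: keystore state, encrypted tablespaces, encrypted columns.
SELECT wrl_type, status, wallet_type FROM V$ENCRYPTION_WALLET;
SELECT t.name, e.encryptionalg
  FROM V$ENCRYPTED_TABLESPACES e JOIN V$TABLESPACE t ON t.ts# = e.ts#;
SELECT table_name, column_name, encryption_alg, salt FROM DBA_ENCRYPTED_COLUMNS;
```

Once rows are loaded, searching the datafile from the operating system for a known plaintext value finds nothing, which is the at-rest property the text describes; the same holds for RMAN backups of that datafile, since the blocks are copied as stored.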
TDE addresses data at rest but not data in transit. Remember that with any of the architectural options, some data in transit must be protected with another tool. You need layers of protection, including access controls, data masking and other techniques, to keep data protected from privileged users and to encrypt data in motion, in development/test environments and in long-term storage.