Re: Are there inherent or 3rd-party tools for encrypting data in Oracle?

Hello, Sybrand!

Thank you for responding to my post. I have a few more questions if you would please see inline:

"Sybrand Bakker" <postbus_at_sybrandb.demon.nl> wrote in message news:4qtb9tokhpd64hrl66g4lvrifpkfdasqpl_at_4ax.com...
> Comments embedded
>
>
> On Thu, 22 Feb 2001 21:09:06 -0700, "John Peterson"
> <johnp_at_azstarnet.com> wrote:
>
> >Hello, all!
> >
> >Please forgive my extensive cross-posting, but I wasn't certain what
 forum
> >to post my question. This is my first visit to these groups, but I hope
 to
> >become a "regular" (and better determine where to place my posts in the
> >future ;-).
>
> IMO the distinction is: anything that comes with the server software
> in .server, so the server itself, sqlnet, tools like export and import
> and sqlloader.
> In .tools: Oracle Designer and Developer
> In .misc: Third party products (including drivers)
> So your question belongs to .server

Gotcha! I think my inexperience with Oracle and its capabilities prompted me to "shotgun" the question.

> >My background in databases has been largely limited to Microsoft SQL
 Server,
> >but I have started a new job with a company that uses Oracle 8i on Red
 Hat
> >Linux 6.2. As such, I'm trying to learn as much as I can about Oracle
 using
> >my knowledge of SQL Server as sort of a starting point. ;-)
>
> Forget about your sqlserver knowledge as soon as possible, Oracle is a
> completely different beast. Many Oracle applications suffer from
> developers porting their nasty sqlserver habits to Oracle.

Heh! I can appreciate where you're coming from, but surely there ARE some similarities between the two platforms, no? At least enough that some of the concepts might still be applicable? If not, I see an enormous learning curve ahead of me... ;-)

> >I have been tasked to investigate the feasibility of encrypting data in
> >Oracle. Are there any tools (off-the-shelf or internal to Oracle) that
> >might help to accomplish this? We use JDBC as our data access mechanism,
 so
> >we would prefer to NOT have to change the application, but to arrange for
> >the data to be encrypted between the Client Library (JDBC in our
> >application) and the Oracle server (we want the data across the wire to
 be
> >encrypted AND the data on the disk to be encrypted).
>
> The Enterprise Edition of Oracle comes with the Advanced Networking
> Option allowing you to use DES, RS40, and quite a few other algorithms
> Encrypting network traffic should be relatively easy. Of course you
> will have to pay $$ for the Enterprise Edition, and their choice of
> Linux probably betrays they're not prepared to do this.

Is this similar to the Advanced Security Option that Mark referred to in this thread? If so, is this feature only applicable to the Enterprise Edition of Oracle?

> >Also, I would appreciate any thoughts as to the pros/cons of this
 approach.
> >My natural inclination is to NOT encrypt the data in the database, but
> >rather to rely on the security safeguards that are in place with the
> >operating system and the database server. It seems to me that it would
 be
> >difficult to perform OLAP tasks or determine data patterns on data that's
> >encrypted (even partially), not to mention the performance ramifications
 of
> >said. However, our "hands may be tied", as this is a client imperative.
> >But, I'm hopeful that with some compelling evidence (one way or another),
> >they might change their stance accordingly.
>
> If they want to encrypt *all* the data on the disk, you must query
> their sanity. Oracle has quite enough security mechanisms to keep
> unauthorized people out without encryption. It also has enough
> mechanisms to authenticate the user.

Agreed. I'm hopeful that we DON'T have to encrypt all the data on the disk.

> The real problem is usually people are too lazy to find out what is
> really necessary and they grant DBA access to about just everything.

Heh, hee! I've seen instances of *exactly* that! ;-)

> Also Oracle comes with row level security and a feature called Virtual
> Private Database, which allows you to limit access on record basis.

Mark had hinted at this feature as well. Can you limit on both a row AND column basis? This sounds like it might be worthwhile to investigate.

> I have the strange feeling they just want a cheap all purpose product,
> instead of getting the Enterprise Edition and using all it's features.
> Evidently, you're going to kill a mouse with an elephant.

I'm hoping that they're open to any and all ideas. I believe (but I've only been with them for a day ;-) that they want a solution that's going to solve our client's security concerns. If a solution exists in an all-purpose product, then we'd certainly look at it. If Enterprise Edition also addresses the issues, we'd look at it too and compare/contrast features and cost. However, I'm concerned that my inexperience with Oracle will cause me to misunderstand the capabilities inherent in Oracle and start down a third-party path. Which is why I'm grateful to you and Mark for your ideas and suggestions!

Thank you again!

John Peterson

> >Thank you in advance for your time! :-)
> >
> >John Peterson
> >
>
> Hth
>
> Sybrand Bakker, Oracle DBA
Received on Fri Feb 23 2001 - 09:56:00 CST