Re: Encryption in Oracle Database - Help!!

Ricky is right on the security issue. Imagine if the data is stored encrypted. Where to store the key, hardcode in the program or store in the database. hardcode in program is never a good practice, lack flexibility, once complimised the security is gone. if store in the database, do we need to encrypt it too ?

Encyption can only protect the data only when you can protect the algorithm or the key. The algorithm shouldn't be more secure than DBA password, because at lease the programmer knows it, can't change by Managing Director (Unless your MD can write encryption program). The key is also unsecure compare with the DBA password. As a security policy, the problem lies on how to secure the DBA password rather than the format of data stored. With good security design and implementation, the database can suerly protect the data regardless how it is stored.

My suggestion is try looking for good security consultant.

Angana Ghosh wrote:

> Thanks Rick for your input. Our company policy dictates that highly confidential
> information ( red data) should be stored encrypted. The particular application in
> my mind
> is a web enabled application using Oracle database at the backend. The information
> is
> executive information and is encrypted during transmission by SSL. Would database
> priviledges be the only solution or is there any way to encrypt data in the Oracle
> 8 servers?

> Rick Wessman wrote:
>
> > Trusted Oracle does not support encryption of the data in the database. Also,
> > it only runs on operating systems that are rated B1.
> >
> > However, I totally agree with Alexander's comments about the complexity of key
> > distribution. This is not an easy problem.
> >
> > Since I don't know what problem, you are trying to solve, I can't present any
> > alternatives. However, if you are trying to prevent ordinary users from seeing
> > data, then I suggest that you use database privileges to limit what they can
> > see.
>
Received on Sat Jul 10 1999 - 11:02:00 CDT