Oracle Transparent Data Encryption undecrypted access


Problem description

Can I set up an Oracle Database in a way that all of the following statements are true:

a) certain columns, potentially all columns are encrypted, so that direct file access to the database file wouldn't allow an attacker to retrieve any records

b) the encrypted columns are transparently decrypted for authorized users, where authorization happens e.g. by having a certain role or privilege

c) an admin who has suitable privileges for doing 'normal' admin tasks (tuning, creating/dropping schema objects, restarting database, selecting from data dictionary) can select the tables but will see only encrypted data in the encrypted columns.

If this is possible, how do I do it? If it is not possible, what are the options I have to at least get 'close' to these requirements?

a)+b) seem to be possible with Oracle Transparent Data Encryption, but I am not sure about c).

Solution

Transparent Data Encryption only does (a). It is about preventing data breaches occurring because somebody stole the hard drive or backups, or ran `strings` against the DBF files. That's still useful, because it prevents your sysadmins using their privileged OS access to bypass all your database security.

If you want to enforce something like (b) the appropriate technology is the virtual private database - either DBMS_RLS with the Enterprise Edition or Oracle Label Security if you have the additional license.

If you want to implement (c) you will need Oracle's Database Vault product, which is again a chargeable extra on top of the Enterprise License.

As TDE requires the Advanced Security Option these options amount to a 75%(*) surcharge on the EE license. In which case you might as well go for broke and buy Audit Vault as well!

(*) Only 50% if you buy Label Security.
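
The three layers named in the answer, sketched together as an added example (not code from the original answer). The schema HR_APP, table CUSTOMERS, account BILLING_APP, and the policy and realm names are assumptions made for illustration; the corresponding options must be licensed and a TDE keystore must already be open.

```sql
-- Added example. HR_APP, CUSTOMERS, BILLING_APP, MASK_CARD_NO and the realm
-- name are assumed names, not taken from the original post.

-- (a) TDE column encryption: protects data files and backups only.
--     Any session that may SELECT the column still sees cleartext.
CREATE TABLE hr_app.customers (
  id      NUMBER PRIMARY KEY,
  name    VARCHAR2(100),
  card_no VARCHAR2(19) ENCRYPT USING 'AES256'
);

-- (b) VPD column masking via DBMS_RLS: sessions other than the assumed
--     application account get NULL in CARD_NO. SYS and holders of
--     EXEMPT ACCESS POLICY bypass VPD, which is why (c) needs more.
CREATE OR REPLACE FUNCTION hr_app.card_no_policy (
  p_schema IN VARCHAR2, p_object IN VARCHAR2
) RETURN VARCHAR2 AS
BEGIN
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'BILLING_APP' THEN
    RETURN NULL;  -- no predicate: column is visible
  END IF;
  RETURN '1=0';   -- predicate never true: column is masked
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema     => 'HR_APP',  object_name     => 'CUSTOMERS',
    policy_name       => 'MASK_CARD_NO',
    function_schema   => 'HR_APP',  policy_function => 'CARD_NO_POLICY',
    statement_types   => 'SELECT',
    sec_relevant_cols => 'CARD_NO',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- (c) Database Vault realm (run as a DV_OWNER user): blocks access that
--     relies on system privileges such as SELECT ANY TABLE.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name => 'HR_APP realm', description => 'Protects HR_APP objects',
    enabled    => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name  => 'HR_APP realm', object_owner => 'HR_APP',
    object_name => '%',            object_type  => '%');
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name => 'HR_APP realm', grantee => 'HR_APP',
    auth_options => DBMS_MACUTL.G_REALM_AUTH_OWNER);
END;
/
```

With this setup an unauthorized session gets NULL in CARD_NO from the VPD mask, and an administrator relying on SELECT ANY TABLE gets an error from the realm rather than ciphertext.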
