Hello there, Oracle experts.

A client of mine wants to deploy an application that has to hold credit card numbers in a database. The client is obviously concerned with security.

We are particularly concerned with one painful issue. How can we make sure that only authorized users with a 'business need to know' are allowed to access the data? How can we protect the data from the DBA?

One obvious solution is to encrypt at the application level. We don't want to do that.

An Oracle product that came up as a possible solution is Oracle TDE (Transparent Data Encryption). It seems to cover the on-disk encryption case well. However, there have been disputing claims if it can be used to hide data from someone with DBA privileges.

I want to be very specific about the use case we're dealing with. We have an up and running application, 24/7/365, that is doing data access constantly. That means that the Oracle wallet is open and data is being decrypted by the database. AT THE SAME TIME a DBA should still be unable to access the data.

I know that Oracle is marketing Oracle Database Vault for this very issue. Given that all I want to do is block DBA access from just one particular table, do I really need the Vault or can I use TDE?

Assistance would be much appreciated,

Or

+3  A: 

My guess is that you need Oracle Vault. TDE makes it impossible to read the datafiles but a simple select will still retrieve the data unencrypted.

But ask the dudes or dudettes who made the claim that TDE is sufficient, to explain how to do it without Oracle Vault.

Edit: Two threads on this issue:

http://forums.oracle.com/forums/thread.jspa?messageID=3249532&#3249532

http://forums.oracle.com/forums/thread.jspa?messageID=3261345&#3261345

tuinstoel
A: 

"there have been disputing claims if it can be used to hide data from someone with DBA privileges." Probably because there can be conflicting ideas about what constitutes DBA privileges. There is a DBA database role, a SYSDBA privilege and someone who can log in as oracle (or Administrator) to the server at the operating system level, each with higher privileges. Privileges can be revoked from the DBA role, so that is even more vague.

VPD can ensure that, for example, the credit-card column is only visible to users logged in from a specific IP (e.g. the application server), as a certain user or with a certain role. While a user with DBA role would be able to change the VPD privileges, or grant themselves the appropriate role or impersonate the relevant user, this would show up in the audit log.

Gary
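
A sketch of the VPD column-masking setup described in the answer above, added here as an illustration and not part of the original post. The schema `APP`, table `CARDS`, column `CARD_NUMBER`, policy owner `SEC_ADMIN`, account `APP_USER` and address `10.0.0.15` are all hypothetical.

```sql
-- Hypothetical names: schema APP, table CARDS, column CARD_NUMBER,
-- policy owner SEC_ADMIN, application account APP_USER, app server 10.0.0.15.

-- Policy function: returns the predicate that decides on which rows
-- the protected column is visible to the current session.
CREATE OR REPLACE FUNCTION sec_admin.card_number_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  -- IP_ADDRESS is NULL for local (non-network) connections, so the
  -- comparison fails and those sessions fall through to the masked case.
  IF SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP_USER'
     AND SYS_CONTEXT('USERENV', 'IP_ADDRESS') = '10.0.0.15'
  THEN
    RETURN '1=1';   -- application session: column visible on every row
  END IF;
  RETURN '1=0';     -- everyone else: column masked on every row
END;
/

-- Attach the function as a column-level policy. With ALL_ROWS the rows are
-- still returned, but CARD_NUMBER comes back NULL where the predicate is false.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP',
    object_name           => 'CARDS',
    policy_name           => 'CARD_NUMBER_MASK',
    function_schema       => 'SEC_ADMIN',
    policy_function       => 'CARD_NUMBER_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'CARD_NUMBER',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS
  );
END;
/

-- Audit the routes by which the policy can be altered or bypassed:
-- calls to DBMS_RLS (drop/disable policy) and use of EXEMPT ACCESS POLICY.
AUDIT EXECUTE ON SYS.DBMS_RLS BY ACCESS;
AUDIT EXEMPT ACCESS POLICY BY ACCESS;
```

The `AUDIT` statements only produce records when the database audit trail is enabled. VPD policies are not enforced for SYS or for accounts holding the `EXEMPT ACCESS POLICY` privilege, so this setup makes privileged access detectable, not impossible.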
A: 

An alternative database encryption tool called the Encryption Wizard for Oracle, to protect data from malicious DBA accounts, allows for administrative and runtime passwords to protect Oracle AES encryption keys at either the column, table, or schema level.

Free downloads of the Encryption Wizard software are available at:

www.relationalwizards.com

A: 

Hi,

I came across a similar problem with one of our customers. During the evaluation process I have found a possible solution from a German security company. It seems they have developed a system that should prevent the DBA from accessing any sensitive data. Take a look at their website. I didn't take a deeper look yet, so I cannot give you further information about this solution.