Information Security — How to protect Data at Rest in Database (Oracle)

My exposure with quality and information security audits have made me realize that most of the times, smaller organizations, with limited knowledge on security standards are able to understand the standard requirements at a high level but do not have the information on the best practices to be followed or how to implement a control or metrics in order to meet the requirements.

I will take up today one of the practices which you can use in order to protect your data at rest. I see the following people can benefit from this post.

Benefits to Information Security Officers

1. Understand the concept of Data at Rest and Encryption.
2. What needs to be documented when you are drafting a SOP or Security Policy.

Benefits to Software Engineers

1. Where to apply the security controls.
2. How to apply the security controls.
3. How to explain the implemented controls during an audit.

Benefits to Security Auditors

1. What to audit when it comes to clauses which relates to data protection during data at rest specifically data stored in a database.
2. What can be suggested when a gap is identified.

Data at Rest (Definition) : Data at rest is an information technology term referring to inactive data which is stored physically in any digital form (e.g. databases, data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices etc.)

Data at Rest can be protected by using Encrypting your data while it is stored. We will today look at how we can protect our data which is stored in the database.

Before we proceed further we also need to understand that Encryption does not solves the problem of data protection. Your data at rest can still be stolen or remain unprotected if

1. There are no access control policies implemented to protect the stored data.
2. If there is no protection against malicious code.
3. Availability is a key aspect of security. If encrypting data makes data unavailable, or adversely affects availability by reducing performance, then encrypting everything will create a new security problem. In short do not encrypt everything, information classification is equally important when you are looking at drafting your information security policies.

What controls can be implement when your data is at rest in Database (Oracle).

Oracle Advanced Security, an option to the Oracle Database server, provides encryption and cryptographic checksums for integrity checking with any protocol supported by the database, including Oracle Net, Java Database Connectivity (JDBC — both thick and thin JDBC), and the Internet Intra-Orb Protocol (IIOP). Oracle Advanced Security also supports SSL for Oracle Net, thick JDBC, and IIOP connections.

In oracle DBMS_CRYPTO provides an interface to encrypt and decrypt stored data, and can be used in conjunction with PL/SQL programs running network communications.

It provides support for several industry-standard encryption and hashing algorithms, including the Advanced Encryption Standard (AES) encryption algorithm. AES has been approved by the National Institute of Standards and Technology (NIST) to replace the Data Encryption Standard (DES).

DBMS_CRYPTO contains basic cryptographic functions and procedures. To use this package correctly and securely, a general level of security expertise is assumed.

The DBMS_CRYPTO package enables encryption and decryption for common Oracle datatypes, including RAW and large objects (LOBs), such as images and sound. Specifically, it supports BLOBs and CLOBs. In addition, it provides Globalization Support for encrypting data across different database character sets.

The following cryptographic algorithms are supported:

• Data Encryption Standard (DES), Triple DES (3DES, 2-key and 3-key)
• Advanced Encryption Standard (AES)
• MD5, MD4, and SHA-1 cryptographic hashes
• MD5 and SHA-1 Message Authentication Code (MAC)
• Learn more on How to Implement AES in Oracle