Efficient Key Management for Oracle Database 11g Release 2 Using Hardware Security Modules

Transcription

1 Efficient Key Management for Oracle Database 11g Release 2 Using Hardware Security Modules WHITE PAPER Thales e-security

2 TABLE OF CONTENT Introduction...3 Oracle Database 11g Release 2 Advanced Security and Transparent Data Encryption (TDE)...5 Why encryption is unique and important...7 Industry regulation and the costs of breaches...8 What is a hardware security module (HSM)?...9 Benefits of Using HSMs for Key Management...10 The need for centralized key management...11 Oracle and Thales: Added Value for Centralized Key Management and High Security...12 Operational benefits...12 Security and compliance benefits...13 Compliance benefits...13 Conclusion...15 For more information...16 About Thales...16 About Thales e-security

3 INTRODUCTION Sensitive data is everywhere bank transactions, healthcare records, student information, credit card data, and more. Data not only lives in the data center, point-of-sale terminal, or trading workstation, it also travels beyond the controls of the IT department whether transferred over the Internet or shipped by truck for archiving. Businesses and governments are responsible for protecting the privacy and private data of their customers, patients, citizens, employees, and business partners. This responsibility is now part of legislation, regulation, and industry rules. Increasingly, encryption is the means by which organizations meet this responsibility. Databases are a core operational component in running a modern business. Organizations are storing increasing amounts of sensitive information in databases, which poses a risk if there is a breach of data confidentiality. A data breach can result in fines and lost business. Database encryption solutions can be used to help mitigate this risk. Whether data remains in a database, is transferred over a network, or is backed up to tape, encryption ensures that data is readable only by applications or individuals with the appropriate encryption keys. As highlighted in a 2011 Ponemon Institute research report titled What Auditors Think about Crypto Technologies, protecting the confidentiality of data in storage is one of the more challenging aspects for compliance with increasing data security regulations. While encryption is considered the best technology for securing databases, the administration of the key management system is equally important for auditors. Oracle s Database 11g Release 2 Transparent Data Encryption (TDE) provides database encryption to address the risks outlined above. Oracle Database 11g Release 2 supports centralized key management in hardware security modules (HSMs) such as the Thales nshield family. The main business driver for this type of solution is the need to meet compliance requirements, notably PCI. 3

4 This white paper is aimed at IT Security professionals and database administrators. It discusses the benefits of encryption, focusing on database encryption using Oracle s TDE integrated with Thales nshield HSMs. Also discussed is how HSMs improve the operational aspects of key management and offer a higher level of security assurance to the customer and aid compliance. 4

5 ORACLE DATABASE 11G RELEASE 2 ADVANCED SECURITY AND TRANSPARENT DATA ENCRYPTION (TDE) Advanced Security is an option for the Oracle Database 11g Release 2 Enterprise Edition that includes network encryption, transparent data encryption (TDE), and strong authentication. It is TDE that is the main focus of this paper. Oracle Advanced Security TDE can easily secure both new and existing database deployments without modification to any of the applications or processes consuming the data. This is possible because TDE by its very design is transparent to the application as it resides within the database engine. Therefore, TDE can be applied to many types of data: customer data, credit card data, financial, healthcare records and other types of sensitive information. TDE provides two modes of encryption: TDE column encryption TDE Tablespace encryption Figure 1: TDE is part of Oracle Advanced Security 5

6 TDE column encryption permits security managers to identify specific data (for example credit card numbers) in an application table column that should be protected using encryption. This requires a good understanding of where the sensitive information resides in the database that needs protection. Figure 2: Sample database table. Tablespace 1 encryption is a feature unique to the Oracle database. It allows the security officer to select which tablespaces should be encrypted. The feature was first introduced with Oracle Database 11g Release 2 and offers an important advantage compared to the column-level approach: If the exact location of sensitive data is unknown, then use tablespace encryption to protect all data in a tablespace. It removes the effort of having to locate and classify data within the tables. It is the simplest approach to implement and manage precisely because an organization does not need to locate sensitive data and classify it within the database tables. 1 A tablespace is a logical entity within the Oracle database; it can be thought of as a container that stores tables and all other database objects within the database. Every table in the database resides within a tablespace. This logical entity is the bridge between the logical and physical database. Each tablespace is associated with one or many data files. In other words, the data is stored within a database table, which is logically stored within a tablespace where the tablespace physically stores the data within data files on the operating system. 6

7 Figure 3: Each tablespace can contain one or several tables and other database objects like Indexes. Any applications, including non-oracle applications that use Oracle Database 11g Release 2 or plan to use the database, can take advantage of the full range of TDE capabilities. For example, there is a growing list of applications that have been tested and certified by Oracle to use TDE tablespace encryption. At the time of going to press the list includes: Oracle E-Business Suite Oracle PeopleSoft Enterprise Oracle Siebel CRM 8.0+ Oracle JD Edwards Enterprise One SAP (6.40_EX and later) Why encryption is unique and important Securing sensitive data against security breaches helps mitigate reputational and compliance risks to the business. Encryption provides a unique solution to the problem of data security when compared to access controls that can manage user access to database tables. 7

8 Encryption offers protection in many scenarios: when database disks are exchanged for maintenance purposes or when database files are written to an export file or to backup such as a tape library. In these instances database encryption becomes far more important than access controls because by moving data from the database the encrypted data has been separated from the master encryption key that is required to access the data. As a result, anyone finding the media containing the encrypted database files is unable to read it. There is an additional benefit to encrypting data. When data needs to be destroyed and disposed of, simply destroying the keys will prevent the data ever being read. This is especially valuable in cases where disks might be accidentally sold or lost without being wiped or cleared. Why is encryption so important? Enterprises need encryption to satisfy various compliance requirements, which vary depending on the industry sector. For example, encryption plays an important role in aiding compliance with PCI DSS 2, which is an industry standard that mandates the consistent protection of credit card data. While traditional security mechanisms that monitor and control access to applications are still required, encryption is an increasingly necessary component to achieve compliance. Encryption protects data wherever it goes, even beyond the boundaries of the data center. Industry regulation and the costs of breaches Many industries are proactively taking steps to protect their customers privacy and avert government regulation. For example, PCI DSS consolidates security standards created by American Express, Discover, JCB, MasterCard, and Visa. All organizations processing, transmitting, or handling credit card data must document and report their PCI DSS compliance. PCI DSS mandates the protection of Primary Account Numbers (PANs) in transit and in storage. Encryption is commonly used to achieve PCI DSS compliance, and audits are used to verify compliance. Passing an external audit can be time-consuming, complex and expensive, often requiring changes to processes and technology. In addition to the regulatory activities led by industry there are numerous privacy breach notification laws in place that effectively mandate encryption. The first such law was the 2 Payment Card Industry Data Security Standard 8

9 State of California Senate Bill 1386 and more recently the State of Massachusetts mandated stricter requirements for the use of encryption. Not encrypting data can prove to be very costly to organizations. Published in 2009, the U.S. Cost of a Data Breach Study by the Ponemon Institute reports that data breaches cost organizations an average of US$202 per lost record, with the total cost of an average breach reaching US$6.6 million. Most of the costs arise from the notification of customers and lost future business due to reputational damage. As such, security and compliance can prove to be competitive advantages. What is a hardware security module (HSM)? A HSM is a hardware device that is typically deployed in the data center. Generally, HSMs are either plug-in cards that serve a single server or network-based hardware appliances that support many servers concurrently. HSMs are deployed in a variety of applications identity management, public key infrastructure (PKI), database encryption, POS format preserving encryption and tokenization, web services, hi-tech manufacturing, digital rights management and more. They do the following: Protect cryptographic keys and perform cryptographic functions within a secure tamper-resistant hardware environment. Overcome the threat of a software-based attack on the OS by protecting the keys within the hardware, and provide robust tools to enforce key management policies across the key life cycle. Provide a simple strong authentication mechanism for key management administrators and can be used to establish and enforce powerful separation of duty schemes (e.g. so that no one person could subvert the key security). Are dedicated to individual servers (usually in the form of a PCI or PCIe card) or when using an appliance can be shared by multiple servers. Incorporate high-speed cryptographic processors to improve performance and therefore system capacity. 9

10 Benefits of Using HSMs for Key Management HSMs are important for three main reasons: Security: HSMs ensure the security of cryptographic keys as they are created, stored, and used. They provide the highest level of security assurance for the keys that are protecting sensitive data. Typically HSMs are required to be certified and comply with well-known security standards, FIPS and Common Criteria 3. Operations: Management of the encryption keys is handled by the HSM. Many key management operations can be simplified by using an HSM. Compliance: Organizations address and reduce the amount of effort needed for compliance by deploying an HSM as part of their encryption solution. Encryption keys are central to data security your data is only as secure as your keys. This makes key management extremely important. The need for centralized key management An Oracle Advanced Security TDE deployment may involve a number of database instances, each with their own encryption keys and associated TDE master keys. Rotating and managing each of these keys individually can be expensive when compared to the use of an HSM to centralize the management. Some of the benefits in using a HSM to provide centralized key management to multiple databases and possibly other applications too include: 3 The Federal Information Processing Standard (FIPS) defines security requirements for cryptographic modules used in protecting sensitive data within government and enterprise information systems. The standard is promulgated by the United States and Canada and enjoys international recognition. Common Criteria is an internationally recognized computer security product evaluation framework. 10

11 All the HSM functions outlined earlier in the section What is a hardware security module (HSM) equally apply to a centralized HSM appliance. One central appliance that can be deployed in a clustered failover and loadbalancing configuration. Central location for key life cycle management simplifies the operational management. Reduction in key rotation frequency. When compared to using software protection of a key, the use of a HSM reduces the frequency of key rotation because of the higher level of security afforded which reduces operating costs. Central repository for key storage e.g. this assists with PCI compliance requirements for the keys to be stored in as few places as possible. Audits are simplified. HSMs are a well understood part of the modern IT security infrastructure, simplifying key management in a manner that readily aids auditors in assessing adherence to good policy. This in turn reduces the expense of meeting compliance. 11

12 ORACLE AND THALES: ADDED VALUE FOR CENTRALIZED KEY MANAGEMENT AND HIGH SECURITY Oracle and Thales have partnered to integrate the Oracle Database 11g Release 2 and the Thales nshield HSM product family. The Thales nshield Solo PCI or PCIe card can be installed in a server to provide local key management to that server (appropriate when multiple database instances are installed on one server, replacing their individual Oracle Wallets), while the Thales nshield Connect appliances can be deployed centrally to service multiple servers. A unique feature of the Thales nshield family is that the HSMs are compatible with each other. The nshield Solo and nshield Connect are fully compatible and if required may be deployed together in the same installation. HSMs centrally manage the master encryption keys, which improves operational efficiency and provides a higher level of assurance for the keys. As a result, organizations can more easily and efficiently meet PCI compliance requirements by managing keys effectively and storing them in as few places as possible. Below we outline the important benefits of deploying a Thales nshield with the Oracle Database 11g Release 2 TDE. Operational benefits Smooth deployment Fully tested and supported by Thales and Oracle for quick deployment - integrates out of the box via the industry standard PKCS#11 API Scalability As the number of databases and tablespaces increases or the encryption load increases more HSMs can be added that also includes automatic load balancing. Support for virtualized environments For Thales nshield Connect, users have the option to add hardware-based key management to virtualized servers 12

13 Performance Hardware acceleration enables organizations to avoid server CPU bottlenecks caused by the high processing requirements of cryptography. Failover capability The Thales nshield HSM family provides users with the option of deploying a redundant configuration in the event of an HSM failure. Recovery Thales HSMs offer a unique ability for simple and secure backup of sensitive keys and recovery in the event of a disk, server or HSM failure. Cost-effectiveness Thales nshield Connects enable the shared use of single modules across several servers to reduce costs Security and compliance benefits Hardware key protection Stores the TDE master keys in a secure environment, the keys are never exposed to anyone outside of the HSM. High security An HSM provides a TDE deployment with the highest level of security assurance for protecting the encryption keys. This level of protection is only achievable by the use of tamper-resistant hardware a security strength that software protection alone could not provide. Advanced separation of duties Where (1) the key management is separated from the database administration functions, (2) management of the HSM includes separation of roles, (3) strong authentication (including smartcard quorums) of HSM administrators and operators. Compliance benefits Reduced cost of compliance The centralized key management of the nshield Connect reduces the operational costs that includes a reduced need for key rotation, and reduces the cost of meeting compliance. FIPS validated hardware The nshield Solo and nshield Connect security are certified to FIPS level 3. Only purpose built hardware solutions can meet this level of security certification, thus augmenting the certifications of the Oracle database. 13

14 Common criteria The nshield Solo and nshield Connect security are certified to Common Criteria EAL4+. Again this also augments the security certification of the Oracle database. Figure 4: nshield HSMs can be dedicated to one server or provide cryptographic services to an entire infrastructure. In summary, for the purposes of PCI compliance nshield HSMs offer strong cryptography with associated key-management processes and procedures. This includes secure key generation and key storage in as few locations as possible, along with tight integration with the Oracle database. 14

15 CONCLUSION Sensitive data is worth its weight in gold to cyber-criminals, product counterfeiters, and other corporate and rogue government data thieves. Therefore, databases must be protected at the highest level of security or risk breaches that can result in damage to an organization s brand and competitive advantage, not to mention the incurrence of serious fines for non-compliance of data protection laws. Database encryption is the answer to the challenge since it ensures that stolen encrypted data will be useless to thieves. Encryption also satisfies compliance and regulatory compliance. For databases, Oracle has addressed the need for security and compliance using a defense-in-depth approach that emphasizes preventive and detective controls data encryption, data masking, access controls, and monitoring. Oracle Advanced Security TDE provides organizations with an easy way to encrypt sensitive data with minimal impact on business applications and administrators. Implemented as a native encryption service inside the database, TDE is a big step forward for organizations running Oracle Database 11g Release 2. However, simply encrypting the data with TDE is not enough. Organizations must take another critical step forward with centralized key management if they want to adopt database encryption in the most efficient and cost-effective manner throughout the enterprise. Industry regulations demand stringent key management processes, while data breach notification rules with safe harbor clauses require strong custody and control of keys. Database encryption with Oracle Advanced Security TDE and Thales nshield HSMs raises the bar for the operation, management, and protection of TDE encryption keys. By providing centralized key storage, backup, and recovery, as well as fault tolerance, this combined encryption and key management solution helps organizations comply with international security standards while achieving the highest levels of database security. 15

16 FOR MORE INFORMATION For more information, on Thales security solutions for Oracle users, please contact or visit About Thales Thales is a global technology leader for the Aerospace and Space, Defense, Security and Transportation markets. In 2009, the company generated revenues of 12.9 billion Euros with 68,000 employees in 50 countries. With its 25,000 engineers and researchers, Thales has a unique capability to design, develop and deploy equipment, systems and services that meet the most complex security requirements. Thales has an exceptional international footprint, with operations around the world working with customers as local partners. About Thales e-security Thales is a leading global provider of data encryption solutions to the financial services, manufacturing, government and technology sectors. With a 40-year track record of protecting corporate and government information, Thales solutions are used by four of the five largest energy and aerospace companies, 22 NATO countries, and they secure more than 70 percent of worldwide payment transactions. Thales e-security has offices in France, Hong Kong, Norway, United States and the United Kingdom. For more information, visit Thales e-security 16