
Protecting Sensitive Data in the Siebel Database


It is recommended that you protect sensitive application data in the Siebel database by encrypting the data. You can choose to encrypt the following:

  • Specific database fields
  • Specific database tables
  • The entire database

Siebel Business Applications support field-level encryption of sensitive information stored in the Siebel database, for example, credit card numbers or national identity numbers. You can configure Siebel Business Applications to encrypt field data before it is written to the Siebel database and decrypt the same data when it is retrieved. This configuration prevents sensitive data from being viewed directly in the Siebel database.

Siebel Business Applications support data encryption using Advanced Encryption Standard (AES) and RC2 algorithms. By default, data encryption is not configured. It is recommended that you set data encryption for business component fields using Siebel Tools. For information on encrypting data, see Siebel Security Guide.

When field-level encryption is implemented, data is not decrypted until it is displayed to a user who has the necessary privileges to view the data. The data remains encrypted even when it is loaded into memory, which increases data security. However, using field-level encryption affects performance.

As an alternative to field-level encryption, you can secure sensitive data using products such as the following:

  • Transparent Data Encryption. If you are using a Microsoft or Oracle database with Siebel Business Applications, then you can use the Transparent Data Encryption feature to encrypt data in the Siebel database. Oracle databases support the use of Transparent Data Encryption to encrypt data at the column and tablespace level. Microsoft databases support the use of Transparent Data Encryption to encrypt data at the cell and database level.

    Transparent Data Encryption encrypts data when it is written to the database and decrypts it when it is accessed by Siebel Business Applications. Application pages are decrypted as they are read and are stored in memory in clear text. Because the data is not encrypted when it is being sent to Siebel Business Applications, you must also enable TLS or SSL to protect communications between the server and clients. The performance impact of implementing Transparent Data Encryption is minimal.

    If you enable Transparent Data Encryption, then all database file backups are also encrypted. For information about Oracle support for Transparent Data Encryption, go to the Oracle Technology Network Web site at

    http://www.oracle.com/technetwork/database/options/advanced-security/index-099011.html

    For information about Microsoft support for Transparent Data Encryption, go to the Microsoft MSDN Web site at

    http://msdn.microsoft.com/

  • Oracle Database Vault. If you are using an Oracle database with Siebel Business Applications, then you can use Oracle Database Vault to restrict users, including users with administrative access to the database, from accessing all the schemas and objects in your application database, or individual objects and schemas.

    Oracle Database Vault allows you to define a Realm, a protection boundary, around all or some of the objects in your database. The database administrator can work with all the objects within the Realm but cannot access the application data that they contain. This restriction protects your data from insider threats from users with extensive database privileges.

    You can integrate Oracle Database Vault with Transparent Data Encryption without the need for additional configuration. For additional information on Oracle Database Vault, go to the Oracle Technology Network Web site at

    http://www.oracle.com/technetwork/database/options/database-vault/index-085211.html
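
The following read-only queries are an added example, not taken from the Siebel documentation. They show one way to check, on an Oracle database, which Siebel tables are covered by column-level or tablespace-level Transparent Data Encryption as described above. The schema owner name SIEBEL is an assumption; substitute the table owner used in your installation.

```sql
-- Assumption: the Siebel schema owner is SIEBEL. Run as a user that can
-- read the DBA_* and V$ views.

-- 1. The keystore (wallet) must be OPEN, otherwise TDE-protected data
--    cannot be encrypted or decrypted.
SELECT wrl_type, wrl_parameter, status
FROM   v$encryption_wallet;

-- 2. Columns protected by column-level TDE, with algorithm and salt setting.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
WHERE  owner = 'SIEBEL'
ORDER  BY table_name, column_name;

-- 3. Tablespaces that hold Siebel tables, and whether each is encrypted.
--    Partitioned tables have no table-level tablespace and are not counted.
SELECT ts.tablespace_name, ts.encrypted, COUNT(*) AS siebel_tables
FROM   dba_tables t
JOIN   dba_tablespaces ts ON ts.tablespace_name = t.tablespace_name
WHERE  t.owner = 'SIEBEL'
GROUP  BY ts.tablespace_name, ts.encrypted
ORDER  BY ts.tablespace_name;

-- 4. Gap report: Siebel tables stored in an unencrypted tablespace that
--    also have no TDE-encrypted column. Review these for sensitive data.
SELECT t.table_name, t.tablespace_name
FROM   dba_tables t
JOIN   dba_tablespaces ts ON ts.tablespace_name = t.tablespace_name
WHERE  t.owner = 'SIEBEL'
AND    ts.encrypted = 'NO'
AND    NOT EXISTS (SELECT 1
                   FROM   dba_encrypted_columns c
                   WHERE  c.owner = t.owner
                   AND    c.table_name = t.table_name)
ORDER  BY t.table_name;
```

These queries report only Transparent Data Encryption coverage. Fields encrypted at the application level through Siebel Tools do not appear in these views.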

Siebel Security Hardening Guide Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices.