Database encryption

The Oracle Eloqua Advanced Data Security Cloud Service is an optional database encryption offering which can solve a compliance need for customers who have a requirement or internal policy that their data be encrypted at rest. This offering mitigates the risk associated with customer data being leaked through lost or stolen hardware.

Note: Database encryption is also enabled by the Oracle Eloqua HIPAA Advanced Security Add-on Cloud Service, and is included in the Oracle Eloqua Marketing for Life Sciences Consumers Cloud Service. Learn more about the HIPAA add-on.

How does it work?

When Oracle Eloqua Advanced Data Security Cloud Service is selected as an add-on to an Eloqua deployment, Eloqua encrypts the customer database, the transaction logs, and all backups associated with that database. Eloqua currently uses AES-256 encryption with our Transparent Data Encryption (TDE) implementation. The database encryption keys are backed up in our secure password server. This password server is itself encrypted and requires a two-factor RSA token code to access.

What technology is used?

The Database Encryption Offering utilizes Transparent Data Encryption (TDE). Here is a description of TDE:

You can take several precautions to help secure the database such as designing a secure system, encrypting confidential assets, and building a firewall around the database servers. However, in a scenario where the physical media (such as drives or backup tapes) are stolen, a malicious party can just restore or attach the database and browse the data. One solution is to encrypt the sensitive data in the database and protect the keys that are used to encrypt the data with a certificate. This prevents anyone without the keys from using the data, but this kind of protection must be planned in advance.

Transparent data encryption (TDE) performs real-time I/O encryption and decryption of the data and log files. The encryption uses a database encryption key (DEK), which is stored in the database boot record for availability during recovery. The DEK is a symmetric key secured by using a certificate stored in the master database of the server or an asymmetric key protected by an EKM module. TDE protects data "at rest," meaning the data and log files. It provides the ability to comply with many laws, regulations, and guidelines established in various industries. This enables software developers to encrypt data by using AES and 3DES encryption algorithms without changing existing applications.
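
The key hierarchy in the description above, as an added example that is not Oracle's or Eloqua's own code. It assumes a Microsoft SQL Server instance, whose TDE feature uses the terms in that description; every database name, certificate name, file path and password is a hypothetical placeholder. It also backs up the certificate, because a TDE-protected database or backup cannot be restored without it, and ends with a check of the encryption state.

```sql
-- Added illustration (T-SQL). All names, paths and passwords are placeholders.
USE master;
GO

-- 1. The database master key in master protects the certificate's private key.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password-1>';
GO

-- 2. The certificate stored in master is what secures the DEK.
CREATE CERTIFICATE TdeDemoCert WITH SUBJECT = 'TDE demo certificate';
GO

-- 3. Back up the certificate and its private key to separate, protected storage.
--    Without them, the database files and backups cannot be restored elsewhere.
BACKUP CERTIFICATE TdeDemoCert
    TO FILE = 'C:\placeholder\TdeDemoCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\placeholder\TdeDemoCert.pvk',
        ENCRYPTION BY PASSWORD = '<placeholder-strong-password-2>'
    );
GO

-- 4. Create the database encryption key (DEK) inside the user database,
--    using AES-256 and protected by the certificate from step 2.
USE DemoDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeDemoCert;
GO

-- 5. Turn on encryption; data and log files are encrypted by a background scan.
ALTER DATABASE DemoDb SET ENCRYPTION ON;
GO

-- 6. Verify. encryption_state 2 = encryption in progress, 3 = encrypted.
--    tempdb is listed as well once any database on the instance uses TDE.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       key_algorithm,
       key_length,
       percent_complete
FROM sys.dm_database_encryption_keys;
GO
```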

Are backups encrypted?

Backups of TDE-protected databases are encrypted. We also encrypt any archival tapes that go offsite (again AES-256), so any TDE-protected data that leaves our data center is encrypted twice, with different keys.

Why TDE?

TDE was selected because it offers a well-supported and industry-standard method of providing complete encryption of a database. Eloqua investigated the encryption of individual fields, but this had two serious drawbacks which precluded us from using that method:

  • Most customers who are interested in this would want email addresses encrypted, because those are often considered sensitive information. Email addresses are used in a large number of fields in Oracle Eloqua and could be used in areas not always used to store addresses (for example, datacards). This would result in a large number of fields requiring encryption, and it runs the risk that some fields containing sensitive data would not be encrypted.
  • If a database column is encrypted, we can't create an index on that field, which seriously degrades performance for any processes that need to search on that field (such as a search for an email address, or an automated operation like an email batch).

How is this provisioned?

If the application instance has not been provisioned yet, the database provisioning team will set up the new instance on a database server that supports the encryption offering. If the instance has already been provisioned, the database will need to be migrated to a database server that supports TDE, and then the database will need to be encrypted.

Caveats

Consult your Oracle Cloud Services Agreement for details regarding data protection. Go to www.oracle.com/contracts, select Oracle Cloud Services and choose the appropriate agreement based on your location.
