Advanced Data Security
Advanced Data Security offers two types of added data protection. Database Vault protects data from access by highly privileged users and Transparent Data Encryption encrypts data at rest.
Oracle Database Vault
Database Vault reduces the risk of highly privileged users such as database and application administrators accessing and viewing your application data. This feature restricts access to specific database objects, such as the application tables and SOA objects.
Administrators can perform regular database maintenance activities, but can't select from the application tables. If a DBA requires access to the application tables, request temporary access to the Oracle Fusion schema at which point keystroke auditing is enabled.
Transparent Data Encryption
Transparent Data Encryption (TDE) protects Oracle Fusion Applications data, which is at rest on the file system from being read or used. Data in the database files (DBF) is protected because DBF files are encrypted. Data in backups and in temporary files is protected. All data from an encrypted tablespace is automatically encrypted when written to the undo tablespace, to the redo logs, and to any temporary tablespace.
Advanced security enables encryption at the tablespace level on all tablespaces, which contain applications data. This includes SOA tablespaces which might contain dehydrated payloads with applications data.
Encryption keys are stored in the Oracle Wallet. The Oracle Wallet is an encrypted container outside the database that stores authentication and signing credentials, including passwords, the TDE master key, PKI private keys, certificates, and trusted certificates needed by secure sockets layer (SSL). Tablespace keys are stored in the header of the tablespace and in the header of each operating system (OS) file that makes up the tablespace. These keys are encrypted with the master key, which is stored in the Oracle Wallet. Tablespace keys are AES128-bit encryption while the TDE master key is always an AES256-bit encryption.