Overview
The Oracle Eloqua Advanced Data Security Cloud Service is an optional database encryption offering which can solve a compliance need for customers who have a requirement or internal policy that their data be encrypted at rest. This offering mitigates the risk associated with customer data being leaked through lost or stolen hardware.
How does it work?
When Oracle Eloqua Advanced Data Security Cloud Service is selected as an add-on to an Eloqua deployment, Eloqua will encrypt the customer database, the transaction logs and all backups associated with that database. Eloqua currently uses AES-256 encryption with our Transparent Data Encryption (TDE) implementation. The database encryption keys are backed up in our secure password server. This password server is itself encrypted and requires a two-factor RSA token code to access.
What technology is used?
The Database Encryption Offering utilizes Transparent Data Encryption (TDE). Here is a description of TDE:
You can take several precautions to help secure the database such as designing a secure system, encrypting confidential assets, and building a firewall around the database servers. However, in a scenario where the physical media (such as drives or backup tapes) are stolen, a malicious party can just restore or attach the database and browse the data. One solution is to encrypt the sensitive data in the database and protect the keys that are used to encrypt the data with a certificate. This prevents anyone without the keys from using the data, but this kind of protection must be planned in advance.
Transparent data encryption (TDE) performs real-time I/O encryption and decryption of the data and log files. The encryption uses a database encryption key (DEK), which is stored in the database boot record for availability during recovery. The DEK is a symmetric key secured by using a certificate stored in the master database of the server or an asymmetric key protected by an EKM module. TDE protects data "at rest," meaning the data and log files. It provides the ability to comply with many laws, regulations, and guidelines established in various industries. This enables software developers to encrypt data by using AES and 3DES encryption algorithms without changing existing applications.
Are backups encrypted?
Backups of TDE-protected databases are encrypted. We also encrypt any archival tapes that go offsite (again AES-256), so any TDE-protected data that leaves our data center is encrypted twice, with different keys.
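The TDE mechanism described above (a symmetric DEK inside the database, secured by a certificate in the master database, with backups encrypted as a side effect) looks like this when set up and verified by hand. This is an added example, not Eloqua's own configuration; it assumes the Microsoft SQL Server flavour of TDE that the description matches, and the database name, certificate name, passwords and file paths are placeholders.

```sql
-- Runs in the master database: the certificate that protects the DEK
-- lives here, so a data file restored on another server is unreadable
-- without it.
USE master;
GO
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<placeholder-strong-password>';
GO
CREATE CERTIFICATE TdeCert WITH SUBJECT = 'TDE certificate (example)';
GO
-- Back the certificate and its private key up immediately and store the
-- files away from the database backups: a backup of the encrypted
-- database cannot be restored anywhere without this certificate.
BACKUP CERTIFICATE TdeCert
    TO FILE = 'C:\placeholder\TdeCert.cer'
    WITH PRIVATE KEY (
        FILE = 'C:\placeholder\TdeCert.pvk',
        ENCRYPTION BY PASSWORD = '<placeholder-private-key-password>');
GO

-- In the customer database (placeholder name): create the symmetric DEK
-- with AES-256, as the page states, secured by the server certificate,
-- then switch encryption on. Data, log files and subsequent backups are
-- encrypted transparently from this point; the application is unchanged.
USE ExampleDb;
GO
CREATE DATABASE ENCRYPTION KEY
    WITH ALGORITHM = AES_256
    ENCRYPTION BY SERVER CERTIFICATE TdeCert;
GO
ALTER DATABASE ExampleDb SET ENCRYPTION ON;
GO

-- Verification: encryption_state 2 = encryption in progress,
-- 3 = encrypted. Only state 3 means the whole database is covered.
SELECT DB_NAME(database_id) AS database_name,
       encryption_state,
       percent_complete,
       key_algorithm,
       key_length
FROM sys.dm_database_encryption_keys;
```

Restoring one of these backups on a different server fails until the certificate has been recreated there from the backed-up files, which is why the certificate backup belongs in a separately protected store such as the password server the page describes.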
Why TDE?
TDE was selected because it offers a well-supported and industry-standard method of providing complete encryption of a database. Eloqua investigated the encryption of individual fields, but this had two serious drawbacks which precluded us from using that method:
- Most customers who are interested in this would want email addresses encrypted, because those are often considered sensitive information. Email addresses are used in a large number of fields in Oracle Eloqua and can also appear in fields that are not normally used to store addresses (for example, datacards). This would result in a large number of fields requiring encryption, and it runs the risk that some fields containing sensitive data would not be encrypted.
- If a database column is encrypted, we can’t create an index on that field, seriously degrading performance for any process that needs to search on that field (such as a search for an email address, or an automated operation like an email batch).
Caveats
Purchasing this option doesn’t change the types of data allowed in the system. Electronic health information, financial account information and EU-defined sensitive information are still not allowed in the application, as described in the Master Services Agreement.
Currently, publicly viewable content (such as images and PDFs) which is stored in our system for use in emails and hypersites may be cached in Amazon S3 and/or Akamai where it is not encrypted. Note that this content is accessible to anyone with a link to it; as such, this should not be sensitive data.
How is this provisioned?
If the application instance has not been provisioned yet, the database provisioning team will set up the new instance on a database server that supports the encryption offering. If the instance has already been provisioned, the database will need to be migrated to a database server that supports TDE, and then the database will need to be encrypted. If the database is still small, this should only require an hour or so of downtime. If this is an older database that is much larger, the downtime associated with the move depends on the size of the database.