Encrypting data at rest

To meet GDPR requirements , all data stored in databases must be encrypted. OneSpan Risk Analytics is fully compatible with Oracle Transparent Data Encryption (TDE) to enforce GDPR requirements for encrypting data at rest.

For a description of the concepts, refer to the Oracle product documentation.

Encrypting data at rest with Oracle TDE

Oracle TDE is part of the Advanced Security option of Oracle Database Enterprise Edition. It encrypts Oracle data files on the hardware storage, thus preventing theft of data files or hardware storage. Data is encrypted on the fly when written to hardware, and decrypted when read from hardware, all fully transparently. Oracle clients do not need to use encryption keys to read or write data. Prevention of unauthorized access to data is not addressed by Oracle TDE; as encryption keys are used to encrypt data on the hardware storage, a user cannot read or modify the data without these keys. For more details, refer to the Oracle Database product documentation.

OneSpan Risk Analytics supports Oracle TDE data encryption at the tablespace level; this mode is transparent to applications.

The encryption keys are stored in a wallet, which can be either a software keystore or a hardware security module (HSM) keystore. If a software keystore is used, the keys must not be stored on the same hardware device as the data. Different types of software keystores can be used: password-based, auto-login, or local auto-login keystores. The best choice depends on balancing the security level against the ease of administration.

For more information on keystores, refer to the Oracle Database product documentation.

Creating an encrypted tablespace

Oracle TDE encrypts data at the tablespace level, which results in encrypted data files at the operating system level. We recommend that you create BIGFILE data files for considerations of performance and ease of administration.

A dedicated data file and tablespace must be created before installing the application, for more information refer to the OneSpan Risk Analytics Installation Guide. The name of this tablespace must be defined as DEFAULT PERMANENT TABLESPACE in the database properties when the OneSpan Risk Analytics database is created by the Database Deployment Tool.

If TDE is used, this tablespace should be encrypted at the time of creation. For more information on creating an encrypted new tablespace, refer to the Oracle Database product documentation.

Installing OneSpan Risk Analytics with TDE enabled

To install OneSpan Risk Analytics on Oracle with TDE enabled at tablespace level outlines the required steps to install OneSpan Risk Analytics on Oracle with TDE enabled.

To install OneSpan Risk Analytics on Oracle with TDE enabled at tablespace level

1. Install Oracle Database Enterprise Edition.

   RAC, Dataguard, RMAN, and other Oracle products are compatible with TDE.

2. Create a database.

   TDE is compatible with both multi-tenant and single-tenant applications.

3. Create a wallet for key management; this can be either a software or hardware keystore.
4. Create an encrypted tablespace using an encryption key and an algorithm.
5. In the database properties, declare this tablespace as DEFAULT PERMANENT TABLESPACE.
6. Install OneSpan Risk Analytics. For detailed instructions, refer to the OneSpan Risk Analytics Installation Guide.

Application performance and storage with Oracle TDE

Application performance may vary when Oracle TDE is used. The processor overhead is actually low when the database server is fitted with processors that include built-in encryption functions (Intel AES-NI, Oracle SPARC T4/T5). On Linux, this extension’s availability can be checked with cat /proc/cpuinfo | grep aes. Specific tests have shown no significant space overhead when TDE is enabled.