Encrypting data in transit

To meet GDPR requirements, data in transit between application servers and database servers must be encrypted. OneSpan Risk Analytics is fully compatible with Oracle Network Encryption and Data Integrity algorithms.

For a description of the concepts, refer to the Oracle product documentation.

Encrypting data in transit with Oracle Network Encryption and Data Integrity

Oracle Network Encryption and Data Integrity are available in all Oracle Database editions, both on-premises and in the cloud.

  • Network encryption enforces the bi-directional encryption of queries and result sets in transit between database clients and servers. It protects against interception such as network sniffing and man-in-the-middle attacks. Various algorithms are supported; for more information, refer to the Oracle product documentation.
    The client and server agree on a common algorithm, which is applied to every data transfer. This feature is similar to an SSH tunnel between client and server, but it is more secure because the data is encrypted and decrypted in the database engine, not before being submitted or after being extracted.
  • Data integrity ensures protection against replay attacks. It is useful for security, but not required by the GDPR. Its deployment is similar to network encryption, so it is usually best practice to implement both at the same time.

Preventing unauthorized database access is not addressed by network encryption or data integrity.

Enabling Oracle Network Encryption and Data Integrity

The following instructions apply to on-premises environments. For cloud implementations, refer to the Oracle product documentation for cloud environments.

All Oracle-supported algorithms are available on the client-side OneSpan Risk Analytics applications. Therefore, enabling Network Encryption and Data Integrity on the database server side is sufficient to enforce these algorithms.

To enable Oracle network encryption and data integrity

  1. On the database server, start Oracle Network Manager (netmgr tool).
  2. Navigate to Oracle Net Configuration > Local > Profile and switch to the Encryption tab.
  3. Select Encryption = SERVER and Encryption type = Required.
  4. Type an encryption seed.
  5. Select one or more encryption algorithms.
  6. Switch to the Integrity tab.
  7. Select Integrity = SERVER and Checksum level = Required.
  8. Select one or more integrity methods.
  9. Select File > Save Network Configuration to save your changes.

Restarting the database is not required; modifications take effect immediately. However, all connected clients must reconnect to use the new setup.

To verify whether network encryption and data integrity are being enforced

  • In an Oracle SQL client and whilst connected as an authorized user, enter the following query:

    SELECT * FROM V$SESSION_CONNECT_INFO;

    A line displays all algorithms currently in use for each client connection.
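
The following query is an added example, not part of the OneSpan or Oracle documentation: it condenses the view to one row per user session and lists sessions without a negotiated encryption algorithm first, which makes clients that have not yet reconnected easy to spot. It assumes SELECT access to V$SESSION and the usual banner wording of Oracle's service adapters ("Encryption service adapter", "Crypto-checksumming service adapter").

```sql
-- Added example: per-session summary of the negotiated algorithms.
-- V$SESSION_CONNECT_INFO returns one row per network service banner, so the
-- banners are pivoted into two columns per session.
-- Assumption: an active algorithm appears as a banner such as
--   'AES256 Encryption service adapter for Linux: Version ...'
--   'SHA256 Crypto-checksumming service adapter for Linux: Version ...'
-- and the algorithm name is the first word of that banner.
SELECT s.sid,
       s.serial#,
       s.username,
       s.machine,
       s.program,
       MAX(CASE
             WHEN c.network_service_banner LIKE '%Encryption service adapter%'
             THEN REGEXP_SUBSTR(c.network_service_banner, '^[^ ]+')
           END) AS encryption_alg,
       MAX(CASE
             WHEN c.network_service_banner LIKE '%Crypto-checksumming service adapter%'
             THEN REGEXP_SUBSTR(c.network_service_banner, '^[^ ]+')
           END) AS checksum_alg
FROM   v$session s
JOIN   v$session_connect_info c
       ON  c.sid     = s.sid
       AND c.serial# = s.serial#
WHERE  s.type = 'USER'              -- skip background processes
GROUP  BY s.sid, s.serial#, s.username, s.machine, s.program
-- Sessions with no encryption adapter (NULL) sort to the top, for example
-- sessions that connected before the server profile was changed.
ORDER  BY encryption_alg NULLS FIRST, s.sid;
```

A NULL in encryption_alg or checksum_alg means that no adapter banner was found for the session, so that connection is not using the corresponding feature.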

Application performance with Oracle Network Encryption and Data Integrity

Specific performance tests have been run to assess the effect of Network Encryption and Data Integrity overhead on application performance. Network Encryption and Data Integrity were used simultaneously and several algorithms were tested.

At maximum application throughput, a negligible increase in processor use was noted (several percent of processor time).

There is no consequence to data storage as these features are not applied to stored data.