Oracle Database


Compressed and Encrypted Dump File Sets

In this release, Oracle Data Pump can compress and encrypt an entire dump file set. During an Oracle Data Pump export you can choose to compress and encrypt the data only, the metadata only, or the complete dump file set. For more information, see Oracle Database Utilities.
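As an added example (not code from the Oracle documentation), the following PL/SQL block drives the same export through the DBMS_DATAPUMP API, with the equivalent expdp command line in a comment. The directory object DPUMP_DIR, the schema HR, the job name HR_SECURE_EXP and the password value are assumptions made for the example.

```sql
-- Added example: export schema HR as a dump file set that is both
-- compressed and encrypted (data and metadata), via DBMS_DATAPUMP.
-- Assumed names: directory object DPUMP_DIR, schema HR, job HR_SECURE_EXP,
-- and a placeholder encryption password.
--
-- Command-line equivalent:
--   expdp system SCHEMAS=HR DIRECTORY=DPUMP_DIR DUMPFILE=hr_secure_%U.dmp
--         COMPRESSION=ALL ENCRYPTION=ALL ENCRYPTION_ALGORITHM=AES256
--         ENCRYPTION_MODE=PASSWORD ENCRYPTION_PASSWORD=<password>
--
-- COMPRESSION and ENCRYPTION each accept ALL, DATA_ONLY, METADATA_ONLY or
-- NONE (ENCRYPTION also accepts ENCRYPTED_COLUMNS_ONLY, which protects only
-- columns that are already TDE-encrypted in the source database).
-- ENCRYPTION_MODE=PASSWORD makes the dump set importable on a database that
-- has no access to this database's TDE wallet; TRANSPARENT ties the dump set
-- to the wallet instead, and DUAL allows either.
DECLARE
  h      NUMBER;
  state  VARCHAR2(30);
BEGIN
  h := DBMS_DATAPUMP.OPEN(operation => 'EXPORT',
                          job_mode  => 'SCHEMA',
                          job_name  => 'HR_SECURE_EXP');

  -- %U expands to a two-digit sequence so the set can span several files.
  DBMS_DATAPUMP.ADD_FILE(handle    => h,
                         filename  => 'hr_secure_%U.dmp',
                         directory => 'DPUMP_DIR');
  DBMS_DATAPUMP.ADD_FILE(handle    => h,
                         filename  => 'hr_secure_exp.log',
                         directory => 'DPUMP_DIR',
                         filetype  => DBMS_DATAPUMP.KU$_FILE_TYPE_LOG_FILE);

  DBMS_DATAPUMP.METADATA_FILTER(handle => h,
                                name   => 'SCHEMA_EXPR',
                                value  => 'IN (''HR'')');

  -- Compress the whole set, then encrypt the whole set.
  DBMS_DATAPUMP.SET_PARAMETER(h, 'COMPRESSION',          'ALL');
  DBMS_DATAPUMP.SET_PARAMETER(h, 'ENCRYPTION',           'ALL');
  DBMS_DATAPUMP.SET_PARAMETER(h, 'ENCRYPTION_ALGORITHM', 'AES256');
  DBMS_DATAPUMP.SET_PARAMETER(h, 'ENCRYPTION_MODE',      'PASSWORD');
  DBMS_DATAPUMP.SET_PARAMETER(h, 'ENCRYPTION_PASSWORD',  'Change_Me_9f2a');  -- placeholder

  DBMS_DATAPUMP.START_JOB(h);
  DBMS_DATAPUMP.WAIT_FOR_JOB(h, state);   -- blocks until COMPLETED or STOPPED
  DBMS_DATAPUMP.DETACH(h);
END;
/
```

Two practical points: the log file written alongside the dump set is never encrypted, so keep object names and row counts in mind when deciding where it lands, and a password-mode dump set is only as strong as the password, which must be supplied again (and protected) on every import.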

Transparent Data Encryption with Hardware Security Module Integration

Transparent data encryption (TDE) stores the master key in an encrypted software wallet and uses it to encrypt the column keys, which in turn encrypt the column data. This approach to key management is sufficient for many applications, but it may not be sufficient for environments that require stronger security: because the master key must reside in memory to perform cryptographic operations, an intruder who can mount a logical attack that dumps the database server's memory can retrieve the key. To remove the master key from insecure system memory, the transparent data encryption functionality is extended to use hardware security modules (HSMs), which offer far better physical and logical protection of master keys. In this release the master key is stored within the HSM at all times, and the HSM's role is limited to encrypting and decrypting the column keys; the decrypted column keys are passed back to the database. Note what this does and does not protect: the master key never leaves the HSM, but the column keys and the data they protect are still handled in cleartext in database memory while in use. Oracle recommends that you encrypt the traffic between the HSM device and the database with Advanced Security Option network encryption. Because the master key cannot leave the HSM device, this feature provides additional security for transparent data encryption. It also enables the same master key to be shared by multiple databases and instances in an Oracle Real Application Clusters (RAC) environment. To configure transparent data encryption with hardware security module integration, see Oracle Database Advanced Security Administrator's Guide.

Transparent Tablespace Encryption

Transparent tablespace encryption enables you to encrypt an entire tablespace, including all the data within it. When an application accesses the tablespace, Oracle Database transparently decrypts the relevant data blocks for the application, so the data is encrypted on disk but is processed in cleartext once read into memory. Tablespace encryption provides an alternative to TDE column encryption. It eliminates the need for a granular analysis of applications to determine which columns to encrypt, which matters most for applications with a large number of columns containing personally identifiable information (PII) such as social security numbers or patient health care records. If your tables contain only small amounts of data that must be encrypted, you can continue to use TDE column encryption. For an introduction to transparent encryption, see Oracle Database 2 Day + Security Guide. For detailed information about transparent tablespace encryption, see Oracle Database Advanced Security Administrator's Guide.
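The two sections above describe the same key hierarchy used two ways: an HSM-resident master key that wraps either per-column keys or a tablespace key. The following added example (not code from the Oracle documentation) walks through both, from pointing the wallet at an HSM, through creating an encrypted column and an encrypted tablespace, to the dictionary views that confirm what is actually encrypted. The HSM credential string, the wallet directory, the HR schema objects, the tablespace name SECURE_TS and the datafile path are assumptions made for the example.

```sql
-- Added example: TDE with the master key held in an HSM, used for both
-- column encryption and tablespace encryption.
-- Assumed: the HSM vendor's PKCS#11 library is installed on the database
-- host, the HSM credential is "hsm_user:hsm_pwd" (placeholder), and the
-- HR schema, SECURE_TS tablespace and datafile path below are free to use.

-- 1. sqlnet.ora on the database server (not SQL; reproduced as a comment).
--    METHOD=HSM tells the database to use the HSM instead of a file wallet.
--    ENCRYPTION_WALLET_LOCATION =
--      (SOURCE = (METHOD = HSM)
--        (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/orcl/wallet)))

-- 2. Generate the master key inside the HSM. With METHOD=HSM the string
--    after IDENTIFIED BY is the HSM credential, not a wallet password.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "hsm_user:hsm_pwd";

-- After an instance restart the HSM must be opened again before any
-- encrypted column or tablespace can be read:
-- ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "hsm_user:hsm_pwd";

-- Verify: WRL_TYPE should be HSM and STATUS should be OPEN.
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- 3. Column encryption: protect one PII column. NO SALT is required if the
--    column is to be indexed, but it makes equal plaintexts produce equal
--    ciphertexts; keep the default SALT wherever an index is not needed.
CREATE TABLE hr.patients (
  patient_id NUMBER PRIMARY KEY,
  full_name  VARCHAR2(100),
  ssn        VARCHAR2(11) ENCRYPT USING 'AES256' NO SALT
);
CREATE INDEX hr.patients_ssn_ix ON hr.patients (ssn);

-- 4. Tablespace encryption: every block written to the tablespace is
--    encrypted on disk, so tables placed in it need no per-column analysis.
--    Encryption can only be set when the tablespace is created; to protect
--    existing data, create an encrypted tablespace and move the segments.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/app/oracle/oradata/orcl/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

CREATE TABLE hr.health_records (
  record_id  NUMBER PRIMARY KEY,
  patient_id NUMBER REFERENCES hr.patients,
  notes      VARCHAR2(4000)
) TABLESPACE secure_ts;

ALTER TABLE hr.patients MOVE TABLESPACE secure_ts;   -- example of moving a segment

-- 5. Audit what is encrypted and how.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;
```

Two checks worth adding to a hardening review: the ALTER TABLE ... MOVE that relocates data into the encrypted tablespace leaves the old, unencrypted blocks in the original datafile until that space is reused or the file is dropped, and neither column nor tablespace encryption protects data once it is in the buffer cache, in redo shipped to an unencrypted standby, or in a Data Pump export taken without the ENCRYPTION parameter.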

Fine-Grained Access Control on Network Services on the Database

Oracle Database provides a set of PL/SQL utility packages, such as UTL_TCP, UTL_SMTP, UTL_MAIL, UTL_HTTP, and UTL_INADDR, that enable database users to access network services from the database. Oracle Database PL/SQL Packages and Types Reference describes these packages in detail. In a default database installation, these packages are created with the EXECUTE privilege granted to PUBLIC, so every database account can open outbound TCP connections, send mail, issue HTTP requests, and resolve host names from the database server. This release enhances the security of these packages by
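The page breaks off before describing the mechanism, so the following is an added example (not code from the Oracle documentation) of what a practitioner would do with it: first audit the default PUBLIC grants on the network packages, then restrict outbound access with the DBMS_NETWORK_ACL_ADMIN package that Oracle Database 11g introduced for this purpose. The ACL name mailer.xml, the account APP_MAIL and the host smtp.example.com are assumptions made for the example.

```sql
-- Added example: audit and then restrict use of the UTL_* network packages.
-- Assumed names: ACL file mailer.xml, database user APP_MAIL (principal
-- names must be given in upper case), SMTP host smtp.example.com.

-- 1. Audit: which network packages can PUBLIC execute in this database?
SELECT table_name AS package_name, privilege, grantable
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner   = 'SYS'
   AND table_name IN ('UTL_TCP', 'UTL_SMTP', 'UTL_MAIL', 'UTL_HTTP', 'UTL_INADDR');

-- 2. Define who may reach which host and port. Without a matching ACL,
--    every call from these packages fails with ORA-24247 (network access
--    denied by access control list), regardless of the EXECUTE grant.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.CREATE_ACL(
    acl         => 'mailer.xml',
    description => 'Outbound SMTP for the application mailer only',
    principal   => 'APP_MAIL',
    is_grant    => TRUE,
    privilege   => 'connect');

  -- Bind the ACL to exactly one host and one port. A second account would
  -- be added with DBMS_NETWORK_ACL_ADMIN.ADD_PRIVILEGE on the same ACL.
  -- UTL_INADDR host-name lookups need the separate 'resolve' privilege,
  -- which is evaluated against ACLs assigned to the host without a port range.
  DBMS_NETWORK_ACL_ADMIN.ASSIGN_ACL(
    acl        => 'mailer.xml',
    host       => 'smtp.example.com',
    lower_port => 25,
    upper_port => 25);
  COMMIT;
END;
/

-- 3. Verify the resulting policy from the dictionary views.
SELECT host, lower_port, upper_port, acl
  FROM dba_network_acls;

SELECT acl, principal, privilege, is_grant
  FROM dba_network_acl_privileges;

-- 1 = granted, 0 = denied, NULL = no matching entry in this ACL.
SELECT DBMS_NETWORK_ACL_ADMIN.CHECK_PRIVILEGE('mailer.xml', 'APP_MAIL', 'connect')
  FROM dual;
```

The ACL is a defence in depth over the EXECUTE grant, not a replacement for revoking it: an account that can still call UTL_TCP against an over-broad ACL (host '*' or a NULL port range) retains the same outbound-connection capability the default installation gave it.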
