500 Oracle Parkway Redwood Shores California United States North Americas 94065
Separating encryption keys from encrypted data is a best practice and the foundation of an effective security strategy. Organizations that choose Oracle TDE on Exadata can use CipherTrust Application Key Management (CAKM) with CipherTrust Manager (CM) to secure their database encryption keys, ensuring that database data cannot be accessed without proper authentication and the Master Encryption Key (MEK) needed to decrypt the Data Encryption Keys (DEKs).
Securing Oracle Exadata Data with CipherTrust - Solution Brief
Oracle Advanced Security, an option to Oracle Database, helps address privacy and regulatory requirements with its data encryption functionality known as transparent data encryption (TDE) to safeguard sensitive data against unauthorized access to the network, operating system or through theft of hardware or backup media.
While TDE provides encryption, regulations and best practice security call for external encryption key storage and management that enforces appropriate separation of duties. Separating encryption keys from encrypted data is a best practice and the foundation of an effective and compliant encryption strategy.
Fortunately, Thales solves this problem for Oracle TDE customers with two solutions from its portfolio: Thales CipherTrust Manager, and Thales Luna HSM. Organizations will choose between the two options according to the specific needs of their Oracle TDE implementation.
Thales CipherTrust Manager is an encryption key management platform that centralizes Oracle TDE key administration in addition to keys from a wide ecosystem of third-party encryption providers. Organizations that choose Oracle TDE can secure and manage their encryption keys with CipherTrust Manager to ensure that an encrypted database cannot be accessed without CipherTrust Manager authentication. This barrier to entry both secures data and serves as a deterrent to any would-be attackers. Customers choose CipherTrust Manager when their primary concerns are externally storing their keys to enforce separation of duties and managing encryption key operations across large-scale landscapes.
Additionally, organizations can choose Thales Luna Hardware Security Modules (HSMs) to secure their Oracle TDE keys in a purpose-built, dedicated appliance. With Luna HSMs, master encryption keys never leave the secure confines of the physical appliance. Similarly to CipherTrust Manager, storing TDE keys externally in a Thales Luna HSM is considered a sufficient control for a wide variety of data security and privacy regulations. Customers choose Thales Luna HSMs when their primary concerns are secure storage in physical devices and addressing FIPS 140-2 Level 3 compliance requirements.
Oracle's complete, integrated approach makes it easy for companies to get started in the cloud and even easier to expand as business grows. With Oracle Cloud Infrastructure, developers, IT professionals, and business leaders can develop, extend, connect, and secure cloud applications and share data. Oracle makes the full cloud experience available to its customers in whatever consumption model makes the most sense to them, from standard public cloud offerings to Dedicated Region Cloud@Customer and Roving Edge Devices for greater customer control. Companies use Oracle's IaaS, PaaS and SaaS offerings to run any workload in the cloud, encompassing compute, storage, network, container services, and service-based versions of the legacy Oracle applications on which customers have long depended. Oracle Cloud facilitates companies’ efforts to innovate faster, increase productivity, and lower costs.
Oracle encrypts all of the data in its cloud services by default. In partnership with Thales, Oracle relies on CipherTrust Manager for full, customer-controlled external key management to satisfy a wide range of compliance and security requirements. In conjunction with Thales’ CipherTrust Data Security Platform, CipherTrust Manager supports Oracle customers’ hybrid and multi-cloud adoption in a secure and controlled way.
Securing Oracle Database with Transparent Data Encryption (TDE) is a security best practice and a critical step to addressing data security and privacy regulations governing sensitive data. As part of its efforts to support customers who manage TDE encryption deployments at scale, Oracle offers its Oracle Key Vault (OKV) encryption management platform to ensure high availability and maximum performance along with compliant security. OKV is available as a virtual machine. Organizations needing hardware encryption key security can connect OKV with Thales Luna HSM to store top-level encryption keys in a FIPS 140-2 Level 3 validated physical appliance. Together, OKV and Thales Luna HSM offer the best of both worlds: maximum Oracle performance with the industry’s leading hardware key security.
Securing Oracle Key Vault Keys in Thales Luna Network HSMs - Solution Brief
Oracle Key Vault with Thales Luna HSM - Integration Guide
Oracle WebLogic Server is an enterprise-ready Java Platform, Enterprise Edition (Java EE) application server that supports the deployment of distributed applications. WebLogic Server provides a standard set of APIs for creating distributed Java applications that can access databases, messaging services, and connections to external enterprise systems. Enterprises using WebLogic can deploy mission-critical applications in a robust, highly available, and scalable environment with extensive security features to keep data secure and prevent malicious attacks.
Thales HSMs integrate with Oracle WebLogic Server to provide significant performance improvements by off-loading cryptographic operations from the server to the HSMs. In addition, the Thales HSMs help provide a secure server environment by protecting and managing the server’s high-value SSL private key within a FIPS 140-2 certified hardware security module.
Oracle Secure Global Desktop is a secure remote access solution providing access to applications running on Microsoft Windows, Linux, Oracle Solaris and mainframe servers from a wide variety of popular client devices, including Windows PCs, Macs, Linux PCs, and tablets such as the Apple iPad and Android-based devices. Oracle Secure Global Desktop allows administrators the freedom to use a single solution to provide secure access to a variety of applications and desktop environments in the data center. SafeNet Trusted Access raises the identity assurance level of users accessing Global Desktop with multi-factor authentication solutions that protect identities and ensure that individuals are who they claim to be.
Building on Thales’s award winning authentication service, SafeNet Trusted Access combines authentication and access management in a fully integrated cloud service. Our service lets you transform your business and operate securely in the cloud by preventing data breaches, simplifying access for users, and enabling compliance.
Our customers include over 25,000 organizations and 30 million users worldwide across all industries. Partnering with Thales for the long term, they trust our innovative access management and authentication services to help them securely adopt new ways of doing business on mobile, and in the cloud.
Resources and Additional Information:
SafeNet Authentication Service (SAS) is now SafeNet Trusted Access (STA).
For STA SAML integrations, please refer to STA Application Catalog. For STA RADIUS integrations, please refer to STA RADIUS Integration guides page on Thales Customer Portal.
Oracle Solaris is an enterprise UNIX operating system that provides high performance, scalability, and reliability. Optimized to run Oracle hardware, databases, and middleware for remote access, the Pluggable Authentication Module (PAM) framework lets businesses “plug in” new authentication services without changing system entry services. SafeNet Trusted Access raises the identity assurance level of users accessing Solaris with multi-factor authentication solutions that protect identities and ensure that individuals are who they claim to be.
Oracle Access Manager provides the core functionality of sign-on, authentication, authorization, centralized policy administration, agent management, and real-time session management and auditing for remote access. Built as a 100% Java solution, Access Manager provides rich functionality, extreme scalability and high availability thereby increasing security, improving user experience and productivity, and enhancing compliance while reducing total cost of ownership. SafeNet Trusted Access raises the identity assurance level of users with multi-factor authentication solutions that protect identities and ensure that individuals are who they claim to be. SafeNet Trusted Access provides a cost-effective, innovative, unbeatable security solution that allows businesses to continue using their existing authentication systems.
NetSuite users require security and convenience when accessing their SaaS-based web applications. Thales Authentication Manager provides authentication and identity assurance by collecting each user’s credentials, evaluating these credentials, and then accepting them and allowing access, or, if invalid, prohibiting access. Thales Authentication Manager provides this level of security for enhanced mobile access across WiFi channels, ensuring secure access to sensitive data in web applications.
Thales Authentication Manager Integration Guide Using SAM as an Identity Provider for NetSuite