In the previous post we talked about GDPR and how it could be enforced in the scope of SQL Server databases. We now cover the same topic but with Oracle databases in mind.
Please refer to the GDPR Data Security requirements as stated in that post. We will religiously follow the same task and activity structure for all RDBMSs we cover. Let’s move straight to the identified GDPR tasks and requirements, and then to the database options, features and/or related products that implement the recommendations.
Risk Assessment
- Personal Data identification
- Access, role and privilege analysis
- Security configuration analysis
Attack Prevention
- Encryption of data and data transfers
- Anonymization/Pseudonymization of Personal Data
- Personal Data Access Control
Monitoring
- Audit implementation and centralization
- Audit event notification implementation
As with SQL Server, Oracle provides a very rich set of options and products to help us implement GDPR recommendations.
In this case, however, the necessary budget will probably be bigger.
Oracle built-in features and tools of the trade
Oracle Database provides the necessary tools and technologies to address each of the above-mentioned tasks.
Risk Assessment
- Personal Data identification: Enterprise Manager Cloud Control 12c Data Discovery and Modeling (aka Application Data Models in EMCC12cR3).
- Access, role and privilege analysis: Oracle Database Vault Privilege Analysis
- Security configuration analysis: Enterprise Manager Cloud Control 12c Database Lifecycle Management, Oracle Database Security Assessment Tool (DBSAT)
Attack Prevention
- Encryption of data and data transfers: Transparent Data Encryption (TDE), Oracle Key Vault, Oracle Database Network Encryption and Data Integrity
- Anonymization/Pseudonymization of Personal Data: Oracle Data Redaction (Advanced Security), Oracle Database Vault, Oracle Data Masking and Subsetting
- Personal Data Access Control: Oracle Virtual Private Database, Row-level security (Oracle Label Security), Oracle Real Application Security
Monitoring
- Audit implementation and centralization: Oracle Audit Vault and Database Firewall
- Audit event notification: Oracle Audit Vault and Database Firewall
Surprise, surprise
As always with Oracle product licensing, watch your back! Not all of those long, impressive products and options are free for immediate use. Oracle licensing is a subtle network of entangled “restricted-use” licenses, and managing it has become an art. Here are a few links on licensing that will get you set:
Enterprise Manager Data Masking and Subsetting pack.
Oracle Database Licensing Information – Options and Packs
Conclusion
Oracle Database and its ecosystem provide a complete and rich set of features and a toolset to enforce GDPR.
Compared to SQL Server, quite a few of these features are separately licensed options and/or products. From a practical point of view, a balance should be found between the licensing cost of an option/product and the development cost of a more “creative” solution (in APEX or PL/SQL) for some of the GDPR requirements, especially for users of Standard or Standard One database editions with a limited budget.
The next post will cover GDPR and PostgreSQL in the same way. Stay tuned.