To address the physical-storage, communication, operational and sysadmin-related security issues involved in integrating the Primus HSM into an Oracle environment, this walk-through uses the traditional application deployment illustrated here:
The Primus HSM lets you centralize the encryption and authentication keys, whether you migrate existing Oracle key material into it or generate that material on the HSM from the start.
The HSM architecture can be adapted to your environment: single- or multi-tenant, on-premises or in the cloud, and a single HSM or an HSM cluster that supports transparent object replication, connection failover and backup. Standard role-based management of the HSM and its keys is delegated to the CSO team, who manage HSMs and keys remotely through the Decanus Remote Control Terminal with one- or two-factor authentication, or directly at the HSM console.
You integrate the Primus PKCS#11 interface on each RDBMS server and configure the DB instances to encrypt and decrypt sensitive data with Transparent Data Encryption (TDE). This protects your data at rest on the operating system's file system. Using the standard Oracle RBAC mechanisms, you control read/write access to the encrypted storage (columns or tablespaces). Enabling TDE requires no change to the existing applications: Oracle offloads the data cipher operations to the RDBMS monitor process, so the processing performance of the shared or dedicated Oracle server processes is not affected, nor is the availability of the applications and the RDBMS.
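The following SQL is an added example of the TDE and RBAC steps described above; it is not taken from the page, from Securosys or from Oracle documentation. It assumes a non-CDB 12c-or-later instance whose `sqlnet.ora` already points the TDE keystore at the HSM (`ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=HSM))`) with the Primus PKCS#11 library installed where Oracle expects HSM libraries, and that the session runs with the `SYSKM` privilege. The schema `hr`, table `employees`, tablespace `secure_ts`, role `payroll_rw`, user `app_user` and the HSM credential `<hsm-user>:<hsm-password>` are placeholders.

```sql
-- Added example (not the page's or vendor's code); placeholders in <angle brackets>.

-- 1. Open the HSM-backed keystore. The credential is the HSM user and password,
--    not a file-based wallet password; it never leaves the DB server's memory.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "<hsm-user>:<hsm-password>";

-- 2. Generate the TDE master encryption key inside the HSM. WITH BACKUP is
--    omitted on purpose: it applies to file keystores, not HSM keystores.
ADMINISTER KEY MANAGEMENT SET KEY
  IDENTIFIED BY "<hsm-user>:<hsm-password>";

-- 3. Confirm the keystore is open and is of HSM type (WRL_TYPE = 'HSM').
SELECT wrl_type, status FROM v$encryption_wallet;

-- 4a. Column-level TDE: encrypt one sensitive column of an existing table.
--     NO SALT keeps the column indexable; use the default (salted) form when
--     the column is not indexed.
ALTER TABLE hr.employees MODIFY (salary ENCRYPT USING 'AES256' NO SALT);

-- 4b. Tablespace-level TDE: everything created in this tablespace is encrypted
--     on disk; applications are unaware of it.
CREATE TABLESPACE secure_ts
  DATAFILE '<datafile-path>' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 5. RBAC: TDE protects the files, not the SQL layer, so read/write access is
--    still governed by roles and object privileges. Grant only what the
--    application tier needs.
CREATE ROLE payroll_rw;
GRANT SELECT, INSERT, UPDATE ON hr.employees TO payroll_rw;
GRANT payroll_rw TO app_user;

-- 6. Verification queries for the audit trail: which columns and tablespaces
--    are actually encrypted, and with which algorithm.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;
SELECT tablespace_name, encrypted FROM dba_tablespaces;
```

Step 3 is the check worth scripting into monitoring: if `STATUS` is anything other than `OPEN` after an instance restart, encrypted columns and tablespaces are unreadable until the keystore is opened again (or auto-login to the HSM is configured), which is the expected and intended failure mode when the HSM is unreachable.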
In addition to data encryption, you can use the HSM and its centralized key management to secure the communication channels between the RDBMS server and the application tier by enabling strong client authentication on the RDBMS listener process. By deploying a hardware RSA key and its associated certificate on the RDBMS listener process, you enforce authentication of the connecting clients and gain SSL/TLS protection between the application and DB tiers.
For each JDBC, SQL*Net, OCI or OCCI client, you issue a hardware-based RSA key and associated certificate that authenticates the connection from the application tier to the RDBMS listener, so that the client-server traffic is protected by SSL/TLS. Oracle implements TLS with the RSA, AES and SHA algorithms supported by the Primus HSM. To do this, you install and configure the PKCS#11 interface on each application server that connects to the RDBMS listener.
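The configuration below is an added example of the listener and client settings that enforce mutual TLS as described above; it is not taken from the page, from Securosys or from Oracle documentation. Only standard Oracle Net parameters are used. It assumes that an Oracle wallet on each side already holds that side's certificate and the trust chain, and that the RSA private key is the HSM-held key referenced from that wallet; how the wallet is created against the Primus PKCS#11 library is vendor-specific and is not shown. Host name, port, wallet directories and DN are placeholders.

```text
# --- RDBMS server: listener.ora (added example) ---------------------------
# TCPS on the dedicated TLS port; no plain TCP endpoint is published.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCPS)(HOST = db.example.com)(PORT = 2484))))

# Require a client certificate during the handshake (mutual TLS).
SSL_CLIENT_AUTHENTICATION = TRUE
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = <server-wallet-dir>)))

# --- RDBMS server: sqlnet.ora (added example) -----------------------------
SSL_CLIENT_AUTHENTICATION = TRUE
# Weak setting: SSL_VERSION unset allows legacy protocol negotiation.
# Corrected setting: pin TLS 1.2 and a small RSA/AES/SHA suite list.
SSL_VERSION = 1.2
SSL_CIPHER_SUITES = (TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256)
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = <server-wallet-dir>)))

# --- Application server: sqlnet.ora (added example) -----------------------
SSL_CLIENT_AUTHENTICATION = TRUE
SSL_VERSION = 1.2
# Verify that the listener certificate's DN matches the one in tnsnames.ora,
# otherwise any certificate signed by a trusted CA would be accepted.
SSL_SERVER_DN_MATCH = YES
WALLET_LOCATION =
  (SOURCE = (METHOD = FILE)(METHOD_DATA = (DIRECTORY = <client-wallet-dir>)))

# --- Application server: tnsnames.ora (added example) ---------------------
ORCL_TLS =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCPS)(HOST = db.example.com)(PORT = 2484))
    (CONNECT_DATA = (SERVICE_NAME = orcl.example.com))
    (SECURITY = (SSL_SERVER_CERT_DN = "CN=db.example.com,O=Example,C=CH")))
```

Two checks are worth making after rollout: a client presenting no certificate must be rejected by the listener (ORA-28860-class handshake failures in the listener log), and a client configured with `SSL_SERVER_DN_MATCH = YES` must refuse to connect to a host whose certificate DN differs from the configured `SSL_SERVER_CERT_DN`. Both failures are the intended behaviour and confirm that authentication is enforced on both sides.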