Product Review: Oracle Key Vault
Businesses have a growing need to protect personally identifiable information, health information, financial information, and dozens of other types of data on various systems within the enterprise. The most accepted way of protecting data is through encryption, which means encryption is no longer optional for managing enterprise data. It has become an essential element of end-to-end data protection, especially with the introduction and inclusion of the cloud. As enterprises implement encryption in their databases, operating systems and communication channels, management of those encryption keys becomes increasingly complex and difficult. Enterprises need a way to sensibly and securely manage those keys in a central repository.
The vault can store and manage encryption keys for Oracle Transparent Data Encryption used to protect sensitive data in Oracle Databases, as well as Oracle Wallets, Java keystores, credential files that contain SSH keys or Kerberos keytabs, and server password files. Oracle Key Vault manages the keys using the industry standard OASIS Key Management Interoperability Protocol (KMIP), so the software can work with non-Oracle products as long as those endpoints are KMIP compliant.
Enter Oracle Key Vault (OKV), which has been designed to store, manage and protect the keys that unlock the encryption protecting enterprise data, thereby reducing the costs associated with generating and managing keys throughout their lifecycle. OKV promises to simplify encryption key management by storing copies of the thousands, or even hundreds of thousands, of keys an enterprise uses to protect its data and operations. Additionally, OKV is not limited to encryption keys but can also safeguard credential files and other “secrets” for the enterprise. In doing so, OKV helps organizations meet regulations and industry standards governing how keys are rotated, accessed and destroyed.
Additionally, OKV is optimized for managing Oracle Advanced Security Transparent Data Encryption (TDE) master keys. The full-stack, security-hardened software appliance uses Oracle Linux and Oracle Database technology for security, availability and scalability. Oracle Key Vault (OKV) is packaged as an ISO image. It comes as a preconfigured and secured software appliance, which is easy to install and can be deployed on compatible x86-64 hardware of users’ choice depending on the scale of deployment.
OKV serves endpoints: Oracle Databases, middleware, application servers or other systems that want to manage encryption keys and security artifacts centrally through Oracle Key Vault. Endpoint enrollment and provisioning can be automated by enabling protected RESTful interfaces for mass deployment on-premises or in the cloud. Oracle Key Vault can be deployed in a primary and standby configuration for increased availability.
The vault can store keys for Secure Shell, Secure Sockets Layer (SSL), Kerberos keytabs, Oracle Wallet files, Java KeyStores, and other certificates. As an early proponent of the standard, Oracle Key Vault manages the keys using the industry standard OASIS Key Management Interoperability Protocol (KMIP), so the product can interoperate with non-Oracle products as long as they are KMIP compliant.
OKV is a centralized management platform, which archives credential files in a master repository, supporting fast, easy file sharing and recovery. A browser-based management console offers point-and-click administration, simplified server enrollment and audit reports. Oracle Key Vault recently added hybrid cloud key management for accessing and connecting data centers to the cloud. On-premises Oracle Key Vault now also manages Oracle Advanced Security TDE master encryption keys for Oracle Databases in the Cloud including Oracle Database Cloud Service.
The original OKV package included an operating system, database, Oracle Key Vault software, and other related files. Oracle’s documentation indicates that the OKV environment is security hardened and the system removes unneeded software and disables unused services and ports. These security promises and features are included in the hybrid cloud key management solution.
The system also provides reports and alerts on key management activity and audits of all access to keys and keys’ lifecycle. For additional protection, the system separates administrator-level roles. Update and bug fix patches for the appliance are bundled and tested together and are generally issued every 90 days.
Enterprises often distribute Oracle Wallets and Java Keystores across servers and server clusters manually. OKV has been designed to itemize and store the contents of these files in a master repository while allowing server endpoints to continue operating disconnected from OKV by using local copies. Once archived, wallets and keystores can be restored to servers if local copies are mistakenly deleted or their passwords are forgotten, thereby minimizing the risk of service disruptions from lost keys. Secure sharing of wallets also facilitates movement of encrypted data using Oracle DataPump and Oracle Transportable Tablespaces.
For databases using TDE, OKV centrally manages TDE master keys over a direct network connection instead of local wallet files. This direct connection eliminates the operational challenges of wallet file management, such as periodic password rotation, backing up wallet files and recovering from forgotten passwords. It also provides the physical separation between the encryption key and the encrypted data that regulatory compliance often requires.
By manipulating the endpoint access control settings, the master keys stored in OKV can be made available for decrypting tablespace keys or table keys across databases. This method of sharing keys without local wallet copies is useful when TDE is running on database clusters like Oracle RAC. According to the website, “existing master keys used for encrypted data in Oracle databases can be easily migrated from Oracle Wallet to OKV as part of the initial setup.”
Many enterprises do not properly protect credential files containing SSH keys, Kerberos keytab files, and similar credentials. OKV backs up credential files for long-term retention, can recover them when needed, controls access to them, and shares them across trusted endpoints.
Hybrid Cloud Key Management is a deployment topology for cloud encryption solutions where data is encrypted in the cloud while the encryption key is managed from the on-premises Oracle Key Vault. Hybrid cloud key management enables customers to maintain control and visibility of keys used in the cloud as well as on-premises databases.
A browser-based management console makes it easy to administer OKV, prepare server endpoints, securely regulate key groups, and report on access to keys. Administrator roles can be divided into key, system and audit management functions for separation of duties. Additional users with operation responsibilities for server endpoints can be granted access to their keys and wallets for ease of management. Administrators can also receive email alerts for important status updates and system activities such as upcoming password and key expirations.
OKV uses various Oracle database security technologies to protect keys and secrets stored inside OKV. For instance, OKV uses TDE to encrypt keys stored in the embedded Oracle database. It also uses Oracle Database Vault to restrict unauthorized user access, and it audits all critical operations including key access and key life cycle changes.
Of course, Key Vault can be plugged into other Oracle software products, such as Oracle Database, Oracle Fusion Middleware, Oracle Real Application Clusters, Oracle Active Data Guard and Oracle GoldenGate. However, Oracle is not alone in offering vaults for storing encryption keys.
SafeNet, WinMagic and Symantec also all offer centralized key management systems as well. SafeNet, from Gemalto, offers SafeNet KeySecure, which is available as a hardware appliance or virtual security appliance like Oracle Key Vault. SafeNet KeySecure can be deployed in physical databases, virtualized infrastructure and public cloud environments. Additionally, it delivers “key management appliances across FIPS-validated hardware or a virtual appliance with a hardware root of trust using SafeNet Hardware Security Modules or Amazon Cloud HSM service.”
WinMagic’s solution, SecureDoc, extends beyond key management. Though key management is a core part of the solution, it also includes other security measures, encryption services and more, making it a more comprehensive and encompassing offering for enterprises.
Most recently, RSA has announced the end-of-life date for its Data Protection Manager, which includes its key management system. Enterprises that relied on that product will become customers seeking an experienced vendor to take over the key management role.
As enterprises look for ways to protect and easily manage keys amid the rising use of encryption, a centralized management system could be a pivotal choice. The options are varied, but among experienced vendors, Oracle Key Vault has been around for a few years and has continued to improve within the key management market.
Oracle’s Data Sheet
Oracle’s Resource Page
FAQ for Oracle Key Vault
FAQ for Oracle Key Vault Hybrid Cloud Key Management