Vipin Samar, vice president of database security at Oracle, provided some candid information about when to use some of the new security features in Oracle Database 11g, which I reviewed in early October.
In a session at Oracle's OpenWorld titled "Oracle Database 11g: Secure Your Data Transparently," Samar talked about how tablespace encryption now includes support for LOBs (Large Objects). He told the audience that if you have more than four or five sensitive columns in a table then the new tablespace encryption should likely be used. Tablespace encryption is also called for if you cannot identify all of the sensitive columns or if the sensitive columns change. It's reasonable to say that this is likely the case for applications that are used in different countries where data privacy laws may change. Depending on the size of the application and the type of data being processed, Samar said that TPC-C performance tests run by Oracle showed a 5 to 10 percent performance degradation when tablespace encryption was used.
Oracle Database 11g also made changes in key storage and management so that the master key needed to decrypt table data is no longer stored on the server. The key management system is common to both the column-level and tablespace encryption.
I think the changes to key management are some of the most important security improvements. Keys that are stored locally to the database are subject to greater security risks than the new method that moves keys to a wallet on a different server.