World's leading financial institutions run their mission critical databases on Oracle and the biggest concerns they have around moving their database to cloud is encryption in transit and at rest.
Oracle TDE prevents attacks from users attempting to read sensitive data from tablespace files and users attempting to read information from acquired disks or back ups by denying access to clear text data. Oracle TDE technology uses two-tier encryption key architecture to enforce clear separation of keys from encrypted data. The encryption keys for this feature are all managed by Oracle TDE. The encryption algorithm used is AES128.
Redaction is the process of censoring or obscuring part of a text for legal or security purposes. The Data Redaction feature redacts customer data in Responsys to obfuscate consumers' Personally Identifiable Information (PII) from Responsys users.
For example, Responsys accounts may want to redact customer data such as Email Addresses and Mobile Phone Numbers in the profile list to ensure customer data is hidden from Responsys end users. Data redaction ensures that Responsys accounts are compliant with data protection regulations to keep consumers' PII or medical records (for HIPAA compliance) confidential.
It is imperative that you test your database migrations to cloud with these redaction techniques and your well architecture review must include these use cases.
Oracle has implemented a “ubiquitous encryption” program with the goal of encrypting all data, everywhere, always. For customer tenant data, we use encryption both at-rest and in-transit. The Block Volumes and Object Storage services enable at-rest data encryption by default, by using the Advanced Encryption Standard (AES) algorithm with 256-bit encryption. In-transit control plane data is encrypted by using Transport Layer Security (TLS) 1.2 or later.