SNAPSHOT
TransUnion Interactive
transunion.com
Headquarters: Chicago, Illinois
Industry: Financial services
Oracle products: Oracle Database 11g, Oracle Advanced Security, Oracle Database Firewall
attacks,” says Andrew Meade, senior
database administrator at TransUnion
Interactive. “We don’t want that information
stored in plain text on a disk. Oracle
Advanced Security’s Transparent Data
Encryption ensures that any time information
is written to disk or backed up to
another location, it is completely encrypted.”
Meade leads a team of database administrators charged with
keeping TransUnion Interactive’s data available, secure, and compliant.
It’s a high-volume, nonstop operation that processes thousands
of transactions per second.
TransUnion Interactive is the consumer subsidiary of TransUnion,
providing credit-report, credit-monitoring, and alert services for consumers along with educational tools to help them stay on top of their
finances and avoid identity theft.
“We used tablespace encryption in Oracle Database 11g to
protect our databases and address regulatory compliance issues,”
says Ramdas Kenjale, director of architecture and infrastructure
at TransUnion Interactive. “This method allowed us to encrypt our
data very quickly, without changing our applications or modifying
our infrastructure. Transparent Data Encryption encrypts data when
written to disk and decrypts it after a user has been successfully
authenticated and authorized.”
Kenjale says Oracle’s approach with Transparent Data Encryption
shields his team from the details of encrypting specific columns in
each database table. It fulfills PCI DSS requirements by encrypting
data in storage, in transit, and on backup media. All access controls
that are enforced by Oracle Database remain in effect, including
object grants, roles, virtual private database, and Oracle Database
Vault. Oracle’s two-tier system includes a master encryption key that
protects data encryption keys.
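
The tablespace encryption and two-tier key scheme described above, sketched as an added example that is not from the article or from TransUnion Interactive. It assumes Oracle Database 11g Release 2 with a wallet location already configured in sqlnet.ora; the password, tablespace, datafile path, and object names are hypothetical placeholders.

```sql
-- Added example. Assumes Oracle Database 11g Release 2 and that
-- ENCRYPTION_WALLET_LOCATION is already set in sqlnet.ora.
-- Password, paths, and object names are hypothetical placeholders.

-- 1. Create the wallet (if absent) and generate the master encryption key.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password_placeholder";

-- 2. Create an encrypted tablespace. Each encrypted tablespace gets its own
--    data encryption key, stored wrapped by the master key (the two tiers).
CREATE TABLESPACE secure_data
  DATAFILE '/u01/oradata/ORCL/secure_data01.dbf' SIZE 500M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 3. In 11g an existing tablespace cannot be encrypted in place, so existing
--    segments are moved into the encrypted one. MOVE locks the table while it
--    runs; DBMS_REDEFINITION is the online route for tables that must stay up.
ALTER TABLE app_owner.customer_profile MOVE TABLESPACE secure_data;
ALTER INDEX app_owner.customer_profile_pk REBUILD TABLESPACE secure_data;

-- 4. Verify what is actually encrypted, and that the wallet is open.
SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts
FROM   v$tablespace t
JOIN   v$encrypted_tablespaces e ON e.ts# = t.ts#;

SELECT wrl_type, wrl_parameter, status
FROM   v$encryption_wallet;

-- 5. Rotate the master key. Only the wrapped tablespace keys are re-encrypted
--    under the new master key; data blocks are not rewritten, so the database
--    stays open. Back up the wallet first: earlier master keys are still
--    needed to read older backups.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "wallet_password_placeholder";
```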
WEIGHING THE ALTERNATIVES
TransUnion Interactive considered alternatives from other security
vendors such as full-disk encryption, in which data is encrypted at
the hardware level, and tokenization, in which a token represents
the actual data. “Tokenization would have meant changing all of
our applications and parts of our architecture, which would have
been time consuming and costly,” says
Meade. “For us, tokenization is not really a
viable solution.”
Full-disk encryption wasn’t viable either
because it would have required TransUnion
Interactive to take key databases offline
whenever encryption keys are rotated.
“Neither solution satisfied our needs for a
zero-downtime implementation,” Meade says.
TransUnion Interactive chose Transparent Data Encryption in
part because of the flexibility it provides. “Oracle Advanced Security
with Transparent Data Encryption is the perfect solution for us,”
Meade says. “It lets us encrypt all of our data without any application
or infrastructure changes. It’s fully integrated with Oracle Database.
And key management is built in. No downtime is required to create
or rotate the keys, so it works well for us. It is easy to use, easy to
implement, and easy to maintain.”
TransUnion Interactive recently passed a PCI audit that focused on
encryption and key rotation, validating the effectiveness of its Oracle
solution. Users see little or no difference in the level of service. “The
performance impact of Transparent Data Encryption is negligible,”
adds Meade. “In our case, it is less than 1 percent.”
ORACLE DATABASE FIREWALL
TransUnion Interactive is now implementing Oracle Database
Firewall to complement its existing network security strategy. Most
security experts see database firewalls as an important adjunct to
network firewalls, which protect a data center from unauthorized
access from the outside.
To guard against unauthorized database access, Oracle Database
Firewall monitors the SQL network traffic going to the database,
and provides a first line of defense against threats originating from
both outside and inside the organization. It monitors data access,
enforces access policies, highlights anomalies, and protects against
network-based attacks.
“Oracle Database Firewall reveals precisely what types of queries
are hitting our database, who is submitting them, and where they
come from,” says Meade. “All that information is exposed based on
our preferences, which we specify via a graphical user interface.”
Database Security: The Big Picture
Database security is an essential component
of a complete IT security program. According to
Vipin Samar, vice president of database security
technologies at Oracle, it often begins with
the three As: authentication, authorization,
and auditing.
Many Oracle customers implement Oracle
Identity Management to enable centralized access
control, along with granular role-based controls
and provisioning capabilities.
In addition, Oracle Database Vault limits the
activities of privileged users by placing sensitive
database tables and applications in a protective
realm. Oracle Audit Vault provides robust monitoring
and auditing of these privileged users.