By: Raoul Miller - Enterprise Architect
With the increased focus on security in the workplace, TEAM IM is seeing that more and more of our clients have the requirement to encrypt important data. The content that is managed in their WebCenter Content instance is already an important asset, so the business may see a need to encrypt some or all of that content.
Because there are different areas that can be encrypted, there has been some confusion as to how to go about this process. The following lists the three major options for data encryption within WCC and some of the pros and cons associated with each:
Transport Layer Security (TLS) for Traffic
The easiest and quickest level of encryption to deploy is SSL/TLS configuration for web traffic, JDBC connections, and LDAP queries. All of these can be configured from the WebLogic Server (WLS) console interface and require only certificate procurement and management by the client.
Pros
Cons
Metadata Encryption
The next step in encryption is to encrypt some or all of the tables or columns in the database. While encryption is now available in Microsoft SQL Server 2016, this is not officially supported by Oracle and has not been tested by TEAM IM. For those using Oracle Database Enterprise Edition, this path requires licensing of the Advanced Security option and deployment of TDE (Transparent Data Encryption) within the JDBC client.
While it is possible to encrypt only some of the metadata, the overhead involved with this would be quite substantial and there would be a risk of exposing newly created custom metadata. All of TEAM IM’s clients that use encryption have chosen to encrypt the entire metadata schema.
Pros
Cons
Content Encryption
The ultimate step in security is to encrypt the content as well as the metadata. The only supported method for this is to store the content in the Oracle database using SecureFiles. While in theory this could be done without metadata security, to do so would be very poor practice, so this assumes that both metadata and content are to be encrypted.
The FileStore Provider within WebCenter Content (WCC) manages file storage. When content is created or submitted to the content management system, it must be tagged with a metadata field (xStorageRule) indicating where it is to be stored. The system can manage multiple file system storage rules, but only a single JDBC rule. Assignment of the storage rule is normally done either through profiles or through workflow.
Clients have 3 options for storage of content:
Clients may also choose to store some (or most) content unencrypted on the file system and the remaining portion encrypted within the database, but WCC does not (currently) support storing some content unencrypted in the database while other content is encrypted in the database. Combining unencrypted file system storage rules with an encrypted database storage rule allows a “mixed” system in which only the content that is required to be encrypted carries the encryption overhead.
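The two database-side layers described above (TDE for the metadata schema, encrypted SecureFiles for content stored via the JDBC storage rule) look like this in Oracle SQL. This is an added illustration, not configuration from the post or from WCC itself; the tablespace, table and keystore names are placeholders standing in for the WCC schema objects, and the keystore is assumed to have already been created.

```sql
-- Open the TDE keystore (12c syntax); nothing below decrypts without it.
ADMINISTER KEY MANAGEMENT SET KEYSTORE OPEN
  IDENTIFIED BY "placeholder_keystore_password";

-- Metadata layer: an encrypted tablespace for the WCC schema.
-- Every segment created here is encrypted at rest, so newly added
-- custom metadata columns are covered automatically (the reason the
-- post recommends encrypting the whole schema rather than a subset).
CREATE TABLESPACE wcc_meta_enc
  DATAFILE '/u01/oradata/wcc_meta_enc01.dbf' SIZE 2G AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Content layer: a placeholder table with an encrypted SecureFile LOB,
-- i.e. the shape of storage behind a JDBC storage rule.
CREATE TABLE wcc_content_store (
  did        NUMBER        PRIMARY KEY,
  file_name  VARCHAR2(255) NOT NULL,
  content    BLOB
) TABLESPACE wcc_meta_enc
  LOB (content) STORE AS SECUREFILE wcc_content_lob (
    TABLESPACE wcc_meta_enc
    ENCRYPT USING 'AES256'
    CACHE
  );

-- Verification: confirm the tablespace really is encrypted ...
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$tablespace t
  JOIN v$encrypted_tablespaces e ON e.ts# = t.ts#
 WHERE t.name = 'WCC_META_ENC';

-- ... and that the LOB column is a SecureFile with encryption enabled.
-- ENCRYPT shows YES for an encrypted SecureFile, NO for an unencrypted
-- one, and NONE for a BasicFile LOB that cannot be encrypted at all.
SELECT table_name, column_name, securefile, encrypt, tablespace_name
  FROM dba_lobs
 WHERE table_name = 'WCC_CONTENT_STORE';
```

The two SELECT statements are the check to run after deployment: an encrypted tablespace with an unencrypted SecureFile, or a BasicFile LOB, would silently leave the content layer without the protection the storage rule is meant to provide.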
Pros
Cons
All of the above options assume that the deployment is on-premises, or deployed on infrastructure as a service (IaaS). You can still encrypt content on hosted systems, and I will follow up on your choices for hosted systems in another post in the near future.
Please feel free to contact TEAM IM for all of your WebCenter Content questions, particularly those around content security, encryption, and redaction.
Want to talk at OpenWorld? Email sales@teamim.com
More Information
SSL Setup
http://docs.oracle.com/middleware/12211/wls/SCOVR/concepts.htm#SCOVR163
http://docs.oracle.com/middleware/12211/wls/SECMG/ssl_jsse_impl.htm#SECMG502
TDE (Transparent Data Encryption)
http://www.oracle.com/technetwork/database/security/tde-faq-093689.html#A12003
Advanced Security on Oracle Database
http://www.oracle.com/technetwork/database/options/advanced-security/index-082628.html
SecureFiles
http://www.oracle.com/technetwork/database/features/secure-files/dbfs-benchmark-367122.pdf
http://www.oracle.com/technetwork/database/perf-087187.html
https://docs.oracle.com/cloud/latest/db121/ASOAG/asotrans_other.htm#ASOAG10436