In our current environment, all PeopleSoft data is stored in an unencrypted format on our servers. While we go to great lengths to secure this data while it is in transit (i.e. while being accessed by a user) we currently do not have any encryption for this data while it is at rest. In addition, we currently use production data in our non-production environments that has not been masked or obfuscated. This creates several risks that may result in unauthorized disclosure of sensitive and confidential data. The following is a list of the main security considerations associated with these risks:
Oracle database systems that include the Advanced Security Option pack provide a turnkey solution named Transparent Data Encryption (TDE) for encrypting confidential PeopleSoft data as it resides on the storage media. While infrastructure and application security mechanisms can protect this data as users and administrators interact with the application, data stored unencrypted on the storage media is vulnerable to exploitation outside of the application framework.
Data masking refers to the process of obfuscating potentially sensitive data in non-production databases. Database administrators (DBAs) will occasionally copy production data into development or test environments to allow developers to perform application development and application testing. The problem with data sharing is that copies of production data contain confidential, sensitive or personally identifiable information, access to which should be controlled.
Both the Data Masking Software Pack and the Advanced Security Option are collectively referred to the Oracle Security Software in this business case. The Advanced Security Option will be used to encrypt our data in all environments, with the exception of DEMO. The Data Masking Software Pack will be used to obfuscate the data in all non-production environments, with the exception of DEMO.