Oracle’s Crypto-Secure Data Management

Oracle has unveiled new interesting capabilities in the Oracle database today, which they refer to as Immutable and Blockchain tables. While I am not entirely convinced by the names they have chosen, I can absolutely get behind the overall Crypto-secure data management concept that has emerged along with them.

Whenever people discuss various applications of cryptography for information protection, they almost inevitably tend to think about encryption or, in other words, protecting the data’s confidentiality. However, while keeping the data out of reach of unauthorized persons is arguably the most important task of cybersecurity and compliance, it is not the only one. The CIA triad of information security refers to confidentiality, integrity, and availability of data as the three principles that must be applied in balance to ensure full protection.

Oracle databases already have a multitude of security features to ensure data confidentiality including encryption and data masking, access management, and threat prevention – that’s why the company was recognized as one of the leaders in our Leadership Compass on Database and Big Data Security. The same applies to availability – the Oracle Autonomous Database was basically designed for this purpose. However, data integrity is a trickier subject. There are multiple ways malicious actors, especially company insiders or administrators, could modify corporate data stored in databases without ever tripping any security controls – after all, how would a database firewall distinguish an illegal modification of financial data from a valid transaction?

Blockchain has become the go-to solution for such challenges in recent years. At least in its original sense, Blockchain is just a data structure specifically designed to be resistant to modifications in its data using timestamps and cryptographic hashes of previous blocks to record new ones. Often, however, the name is associated with public distributed ledgers that were created specifically for multiple, potentially untrusted parties working without central oversight.

This is why, by the way, I don’t think calling the new immutable and cryptographically verified tables in the Oracle database “Blockchain tables” was such a good idea. While technically correct, it can be somewhat misleading since Oracle does not rely on distributed ledgers for this implementation. What it does is to provide additional security controls for data that by design is required to be immutable and to prevent malicious insiders from tampering with it, even if they have all the necessary access rights and encryption keys at hand.

Such data can be anything from financial transactions to IoT sensor measurements – but until now you would need to write it into a separate ledger, either a “proper” distributed Blockchain or a specialized database like Amazon’s Quantum Ledger DB. Of course, distributed Blockchains require a dedicated and potentially expensive infrastructure to maintain, but even in a centralized ledger, your data is still stored in a separate information silo. Oracle’s new table types however are for all intents and purposes just like other tables in a relational database, only with additional protection features. They support all kinds of operations (other than modifying existing records, obviously), can be queried using standard SQL, and do not need to be exported to yet another location to run analytic workloads.

In addition to making records in a table immutable and signed with cryptographic digests, functions were added to simplify data verification – both through the database engine or independently through external utilities to ensure that even hacking the database itself won’t help the malicious actors.

Additionally, to prevent storing falsified data in a blockchain table using stolen credentials, the database can optionally allow users to sign each record with their private keys and countersign them with Oracle’s keys to ensure that the data was not manipulated anywhere between the user and the database. Cryptographic digests can be automatically distributed when a new row is inserted – over email or an API. They can even be exported into a public distributed ledger. This ensures that even large-scale manipulations, when whole databases are replaced to hide malicious activities, can be promptly uncovered.

Anyway, even if the new immutable and blockchain tables have less to do with “The Blockchain” than the name implies, I would argue they come with nearly all the benefits of a distributed ledger but without its massive overhead and isolation from traditional relational databases. The new capabilities are now available both in the latest Oracle Database 21c and the previous 19c release, at no extra cost for the customers.



KuppingerCole Select

Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.

Stay Connected

KuppingerCole on social media

Subscribe to our Podcasts

KuppingerCole Podcasts - listen anywhere


How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00