Oracle Advanced Security Licensing
Advanced Security is a separately licensed Enterprise Edition option covering Transparent Data Encryption and Data Redaction. It is licensed for the full database footprint on the same metric as the database. Because encryption is often mandated by compliance teams who do not own the database licence, enabling TDE to satisfy a security requirement is a common and expensive route to an unlicensed option finding.
Advanced Security sits at the intersection of two pressures that rarely talk to each other: a compliance function that mandates encryption and a procurement function that owns the Oracle licence. The result is one of the most common unlicensed option findings in regulated industries, where Transparent Data Encryption is switched on to satisfy an auditor and inadvertently creates a different audit liability. This article explains the option, why the compliance route is so risky, and how a buyer side estate keeps encryption and licensing aligned. It sits under the database licensing pillar and the options and packs overview.
What is Oracle Advanced Security?
Advanced Security is an Enterprise Edition option that provides data protection at rest and in use. In current database releases it comprises two principal features: Transparent Data Encryption, which encrypts data files, tablespaces, and columns transparently to the application, and Data Redaction, which masks sensitive data in query results based on policy without altering the stored data. Network encryption of Oracle client traffic is included with the base database in modern releases and is not part of the chargeable option.
The option exists because data protection is a high value capability that regulated organisations need and will pay for. It carries its own price line on top of the Enterprise Edition database, and it follows the same full footprint licensing rule as every other option, where using the feature anywhere on the database licenses it everywhere.
TDE and Data Redaction explained
Transparent Data Encryption protects data at rest. It encrypts the physical storage so that a stolen data file, backup, or disk cannot be read without the encryption keys, while remaining invisible to the application, which sees decrypted data through normal queries. It is the feature most often mandated by compliance frameworks that require encryption of sensitive data at rest.
Data Redaction protects data in use. It dynamically masks columns such as card numbers or national identifiers in query results, showing full values only to authorised users. Both features are part of the same chargeable option, so an organisation that adopts either one needs the Advanced Security licence. Neither should be confused with the free network encryption, a distinction as important as the Enterprise versus Standard Edition line discussed in the Enterprise Edition article.
How Advanced Security is licensed
Advanced Security is licensed on the same metric as the database it protects and for the same quantity. A Processor licensed database needs the option for the identical processor count with the same core factor; a Named User Plus database needs it for the same user count subject to the Named User Plus minimums. Encrypting a single tablespace licenses the option across the whole database.
| Feature | Status | Notes |
|---|---|---|
| Transparent Data Encryption | Advanced Security option | Encryption of data at rest |
| Data Redaction | Advanced Security option | Dynamic masking in query results |
| Native network encryption | Included with base database | Encrypts client server traffic |
There is no partial licensing for encrypting only some data. This is the same all or nothing footprint rule that governs the Diagnostics and Tuning packs, and it means the scope of the option licence is the database, not the encrypted object.
Why compliance mandates trigger the option
The defining risk with Advanced Security is organisational rather than technical. A compliance or information security team issues a mandate that sensitive data must be encrypted at rest, the database team implements TDE to satisfy it, and no one connects the encryption requirement to an Oracle option that must be purchased. The database now reports Advanced Security usage, but the licence was never bought, because the team that triggered the requirement does not own the Oracle agreement.
This disconnect is why Advanced Security findings are so common in financial services, healthcare, and the public sector, where encryption mandates are strongest. The fix is procedural: any encryption mandate touching an Oracle database must route through licensing before implementation. The same governance gap appears whenever a non database team can trigger an option, as discussed in the broader options audit analysis.
How does Oracle detect Advanced Security usage?
Oracle reads the feature usage statistics views, which record TDE and Data Redaction usage separately with first and last usage dates. Encrypting a tablespace or column, or applying a redaction policy, registers immediately and permanently. As with every option, the database itself reports the usage, so an audit finding rests on Oracle's own instrumentation rather than on any disputed interpretation.
The permanence matters in regulated estates, where encryption is rarely removed once applied because doing so would breach the compliance mandate that prompted it. This means the usage record persists for the life of the database, and the option exposure compounds until the licence is purchased. This is the same detection model that surfaces the wider option set.
Key findings
- Advanced Security covers TDE and Data Redaction; native network encryption is free.
- The option is licensed for the full database footprint, not the encrypted object.
- Compliance mandated encryption is the most common unlicensed trigger.
- Usage is recorded permanently and is rarely removed because compliance requires it.
What Advanced Security costs
Because the option is licensed for the full database core count, the cost scales with the size of the database, not the sensitivity or volume of the encrypted data. On a large multi processor database, retroactively licensing Advanced Security across years of TDE usage, with back support, can become a major settlement line, often discovered at exactly the moment a regulated organisation can least afford an unbudgeted Oracle cost.
The right approach is to budget the option as part of the encryption project from the outset, treating it as a cost of compliance rather than a surprise. Comparing the option cost against alternatives, such as application level encryption or storage level encryption that does not invoke the database option, is the work the database licensing service brings to security architecture decisions.
How to contain Advanced Security exposure
Containment is primarily about governance between teams. Every encryption mandate that could touch an Oracle database must pass through a licensing review before implementation, so the option cost is budgeted rather than discovered. Where encryption is required and the database option is the right tool, the option is licensed deliberately on the affected databases.
Where the option is not yet licensed, the estate should monitor the feature usage views to catch any TDE or redaction usage early, and security standards should specify that database level encryption requires a licence check. Architectural alternatives that meet the compliance requirement without invoking the option should be evaluated where the cost is material. Reconstructing this after the fact is the expensive path that audit defence exists to manage.
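One way to run the monitoring described above, as an added example that is not part of the original article: the first query reads the feature usage view for TDE and Data Redaction entries, and the remaining queries list the objects currently using them. The feature name patterns in the first query are assumptions, since exact names vary by release; check them against the names your version reports.

```sql
-- Added example, not from the original article. Run as a user with access to
-- the DBA_ and V$ views, once per database (and per PDB in a multitenant estate).

-- 1. What the feature usage view has recorded for the option's features.
--    The LIKE patterns are assumptions; confirm the names for your release.
SELECT name,
       version,
       detected_usages,
       currently_used,
       first_usage_date,
       last_usage_date
FROM   dba_feature_usage_statistics
WHERE  (   LOWER(name) LIKE '%transparent data encryption%'
        OR LOWER(name) LIKE '%encrypted tablespace%'
        OR LOWER(name) LIKE '%data redaction%')
AND    (detected_usages > 0 OR currently_used = 'TRUE')
ORDER  BY name, version;

-- 2. Tablespaces that are encrypted right now.
SELECT t.name AS tablespace_name,
       e.encryptionalg,
       e.encryptedts
FROM   v$encrypted_tablespaces e
JOIN   v$tablespace t ON t.ts# = e.ts#
ORDER  BY t.name;

-- 3. Columns encrypted with TDE column encryption.
SELECT owner, table_name, column_name, encryption_alg
FROM   dba_encrypted_columns
ORDER  BY owner, table_name, column_name;

-- 4. Data Redaction policies that have been defined.
SELECT object_owner, object_name, policy_name, enable
FROM   redaction_policies
ORDER  BY object_owner, object_name;
```

Any row returned on a database where the option is not licensed is the early signal to route to the licensing review; scheduling the queries and alerting on a non-empty result keeps the check from depending on someone remembering to run it.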
The buyer side view
The buyer side position on Advanced Security is that encryption is a licensing decision before it is a security decision. Wire the compliance and licensing functions together so no encryption mandate reaches an Oracle database without a licence check, budget the option as a known cost of compliance, and monitor the feature usage views so any inadvertent usage is caught while it is still small. Governed this way, the option protects data where it is genuinely paid for and never turns a compliance win into a licensing liability. To align your own encryption and licensing positions, see the database pillar, the database licensing white paper, or request a consultation.
Common questions.
Is Transparent Data Encryption free in Oracle?
No. Transparent Data Encryption requires the separately licensed Advanced Security option on Enterprise Edition. Native network encryption of client server traffic is included with the base database at no option cost, but encrypting data at rest with TDE, and using Data Redaction, both require the Advanced Security licence for the full database footprint.
How is Oracle Advanced Security licensed?
Advanced Security is licensed on the same metric as the database, Processor or Named User Plus, and for the same quantity calculated with the same core factor and minimums. There is no partial licensing, so encrypting a single tablespace or applying one redaction policy requires the option across the entire database core count.
Why do compliance teams cause Advanced Security findings?
A compliance or security team often mandates encryption of sensitive data at rest, and the database team implements TDE to satisfy it, without anyone connecting the requirement to an Oracle option that must be purchased. Because the team triggering the mandate does not own the Oracle licence, the option is used but never bought, creating a common and expensive audit finding.
Can I remove TDE to avoid the Advanced Security licence?
Technically yes, but in regulated estates encryption is rarely removed because doing so would breach the compliance mandate that required it. The historical usage also remains recorded in the feature usage views, so removal does not erase past exposure. The practical answer is to budget and license the option as part of the encryption project.