What Is Oracle Advanced Security?
Oracle Advanced Security (ASO) is a separately licensed add-on to Oracle Database Enterprise Edition that provides enhanced data protection capabilities. It is not included in the base Enterprise Edition licence. ASO addresses the need to protect sensitive data at rest and in transit, enabling organisations to meet regulatory mandates including GDPR, HIPAA, PCI-DSS, and industry-specific data protection requirements.
The option bundles several features under a single licence: Transparent Data Encryption (TDE) for encrypting data at rest — at column, tablespace, or full database level — Data Redaction for dynamically masking sensitive data in query results, RMAN backup encryption, Data Pump export encryption, integration with external key management systems (Oracle Key Vault, third-party KMS), and strong authentication services (Kerberos, RADIUS, PKI certificates).
ASO is an all-or-none bundle: one licence covers all sub-features for the licensed database instance. There is no separate licence for individual components — you cannot licence TDE without also being entitled to Data Redaction, or vice versa. This simplifies entitlement tracking but means that even a single use of any ASO feature triggers the full licence requirement.
| Feature | What It Does | Licence Trigger | Since Version |
|---|---|---|---|
| Transparent Data Encryption (TDE) | Encrypts data at rest — column, tablespace, or full database | Any encrypted column or tablespace | 10gR2+ |
| Data Redaction | Dynamically masks sensitive data in SQL query results | Any active redaction policy | 12c+ |
| Backup & Export Encryption | Encrypts RMAN backups and Data Pump exports | Encrypted RMAN backup or Data Pump export | 10gR2+ |
| External Key Manager Integration | Centralised TDE key storage via Oracle Key Vault or third-party KMS | KMS integration for TDE keys | 11g+ |
| Strong Authentication | Kerberos, RADIUS, PKI certificate authentication | Configuring enterprise auth beyond password | Various |
| Network Encryption (19c+) | AES encryption for SQL*Net traffic | FREE — included with EE from 19c | Free from 19c |
"The most dangerous confusion in Oracle database licensing is assuming that because network encryption became free in 19c, TDE also became free. It did not. Network encryption protects data in transit; TDE protects data at rest. They address different security requirements, and only network encryption was moved into the base Enterprise Edition. TDE still requires the separately licensed Advanced Security Option at $15,000 per processor."
When Advanced Security Must Be Licensed
Oracle Advanced Security must be licensed whenever any of its features are used — on any database instance, in any environment, for any duration. Oracle does not technically prevent you from enabling ASO features without a licence. The software allows activation freely. But Oracle's licence audit scripts — specifically the queries against DBA_FEATURE_USAGE_STATISTICS — will capture every activation, including timestamps of first and last usage.
This creates the most common compliance scenario in Oracle database licensing: a security team enables TDE to meet a regulatory requirement, the DBA configures it without consulting the licensing team, and the organisation runs for months or years with unlicensed ASO usage until an Oracle LMS audit discovers it. At that point, the remediation cost is list price with no negotiated discounts, plus backdated support fees for the entire period of unlicensed usage.
TDE — Any Encryption
A single encrypted column, tablespace, or database triggers the full ASO licence requirement for that server. No partial licensing — all cores must be covered.
Data Redaction
Any active redaction policy on any table requires ASO licensing. Developers often implement redaction for GDPR without realising it is a separately licensed feature. Learn more about independent Oracle advisory services.
Backup Encryption
Configuring RMAN backup encryption or Data Pump export encryption triggers ASO. DBAs frequently enable this as a security best practice without awareness of the licence cost.
Historical Usage Counts
DBA_FEATURE_USAGE_STATISTICS records timestamps. Even brief or accidental activation — for testing, for a migration, for a POC — creates a permanent audit trail that Oracle LMS will find.
Licensing Metrics and Pricing
Oracle Advanced Security is licensed using the same metric and quantity as the Oracle Database Enterprise Edition licence on the same server. If the database is licensed per Processor, ASO must also be per Processor — and the quantity must match. If the database is licensed per Named User Plus (NUP), ASO must also be per NUP with the same user count. Mixing metrics between the base database and the option is not permitted.
| Licence Component | Metric | List Price (USD) | Annual Support (~22%) |
|---|---|---|---|
| Oracle Database Enterprise Edition | Per Processor | $47,500 | ~$10,450/yr |
| Oracle Advanced Security Option | Per Processor | $15,000 | ~$3,300/yr |
| Oracle Database Enterprise Edition | Named User Plus | $950/user | ~$209/yr |
| Oracle Advanced Security Option | Named User Plus | $300/user | ~$66/yr |
| Combined EE + ASO (Processor) | Per Processor | $62,500 | ~$13,750/yr |
The cost adds up quickly. An 8-core Intel server (0.5 core factor = 4 Processor licences) requires $60,000 in ASO licences at list price plus $13,200/year in annual support. Over five years, the total ASO cost on a single server is $126,000 — on top of the $190,000 base EE cost. Across a typical enterprise with multiple production, DR, and non-production servers, the total ASO spend routinely exceeds $1 million.
The metrics-must-match rule is a frequent source of non-compliance. Oracle strictly requires that you cannot mix database and option metrics on the same server. If your database is licensed per Processor, Advanced Security must also be per Processor — and the quantity must match. If the database is licensed per Named User Plus, ASO must also be per NUP with the same user count. You cannot partially licence some processors or a subset of users. Every server using ASO features must be fully licensed for all cores or all users. There is no "partial ASO" licensing — a single encrypted column triggers the full licence requirement for the entire server.
For large enterprise environments, the cumulative cost is substantial. Consider a financial services firm running Oracle EE on 6 servers, each with 16 Intel x86 cores (0.5 core factor = 8 Processor licences per server). If TDE is enabled on all 6 servers — 4 production and 2 DR/test — the total ASO Processor licence count is 48. At list price: 48 × $15,000 = $720,000 in ASO licences, plus $158,400/year in annual support. Over five years, the total ASO cost on those 6 servers alone is $1,512,000. Limiting TDE to only the 4 production servers would save $360,000 in licences and $79,200/year in ongoing support — a straightforward optimisation that many organisations miss simply because no one questioned whether the non-production environments truly needed encryption.
Cost Drivers and Optimisation Strategies
The cost of Oracle Advanced Security scales with the number of servers, the core counts of those servers, and the environments where ASO features are enabled. Understanding these drivers is essential for controlling spend. Learn more about Oracle database licensing guide.
Number of Environments Using ASO
Every database instance with ASO features enabled requires licensing — production, test, dev, DR, and staging. Non-production is the most commonly overlooked cost area. A security team that enables TDE on production often replicates the configuration to test and DR environments, tripling the licence requirement without anyone noticing.
Processor Core Counts
Higher core counts mean more Processor licences. Consolidating encrypted databases on fewer, smaller servers directly reduces ASO licence cost. A 32-core server requires 16 ASO Processor licences ($240,000); the same workload on an 8-core server requires 4 ($60,000).
Annual Support (22%)
Annual support on ASO adds $3,300/processor/year on top of EE support. In under five years, cumulative support exceeds the original licence cost. Over a 10-year lifecycle, support is the dominant cost component.
🎯 ASO Cost Optimisation Strategies
- Scope control: Not every database needs TDE. Identify which databases handle regulated or highly sensitive data. For lower-tier systems, use OS-level or storage-level encryption (Linux dm-crypt, Windows BitLocker) which provides basic at-rest protection without triggering Oracle ASO licensing.
- Consolidate encrypted databases: Run all TDE-encrypted databases on fewer, dedicated servers to minimise the total Processor licence count. One well-sized server with multiple encrypted databases is cheaper than spreading encryption across many servers.
- Disable ASO on non-production: If non-production environments do not legally require encryption, disable TDE and Data Redaction on test, dev, and staging databases. Use Oracle's free Developer Edition for individual developer encryption testing.
- Negotiate ASO into enterprise agreements: Include ASO explicitly in ULA or enterprise agreement discussions. Bundling ASO with other options and products provides volume leverage and cost certainty.
- Leverage OCI for new encrypted workloads: Oracle Autonomous Database with "License Included" pricing includes TDE by default — no separate ASO licence needed. For new databases requiring encryption, OCI eliminates per-option licensing entirely.
Healthcare Organisation: $1.2M ASO Audit Exposure Reduced to $180K
Situation: A US healthcare organisation with 12 Oracle Database Enterprise Edition servers was audited by Oracle LMS. The audit discovered TDE enabled on 8 servers (6 production + 2 DR) — but the organisation held ASO licences for only 2 servers. The unlicensed servers had a combined 80 Processor licences worth of ASO shortfall at $15,000 each, plus backdated support for 3 years. Oracle's initial audit claim was $1.2M + $792K in backdated support — approximately $2M total.
Need Expert Oracle Licensing Guidance?
Redress Compliance provides independent Oracle licensing advisory — fixed-fee, no vendor affiliations. Our specialists have conducted 500+ Oracle license reviews and ULA certifications.
Explore Oracle Advisory Services →What happened: Redress Compliance identified that 3 of the 8 servers running TDE were non-production environments where encryption was not legally required (test and staging). We immediately disabled TDE on those 3 servers and documented the remediation. For the remaining 5 servers (4 production + 1 HIPAA-required DR), we negotiated a forward-looking licence purchase at 55% discount rather than a punitive audit settlement.
Cloud and OCI Considerations
Cloud deployments introduce important nuances for Advanced Security licensing. The rules differ significantly between Oracle Cloud Infrastructure (OCI) and third-party clouds.
| Deployment | ASO Licence Required? | Key Detail |
|---|---|---|
| OCI — Autonomous Database (Licence Included) | No — included in service | TDE always on by default. All options included in Licence Included pricing. |
| OCI — BYOL | Yes, if using ASO features | Under BYOL, you bring your own licences including options. |
| AWS (RDS Oracle or EC2) | Yes, under BYOL | AWS does not include Oracle options. 2 vCPUs = 1 processor licence (no core factor). |
| Azure (Oracle on VM) | Yes, under BYOL | Same rules as AWS. BYOL requires ASO licences for encrypted databases. |
| On-premises — any environment | Yes — always required | Standard rules. Core factor applies. All environments must be licensed. |
For organisations deploying new databases that require encryption, OCI Autonomous Database with Licence Included pricing is the simplest path. TDE is built in, always on, and no separate ASO licence is needed. This can be significantly cheaper than on-premises ASO licensing — particularly for organisations that would otherwise need to purchase ASO licences for production, DR, and non-production environments. However, evaluate the total OCI cost (compute, storage, networking, egress) against your existing on-premises investment before committing to migration. For organisations with existing on-premises Oracle estates, the BYOL model on OCI or third-party clouds does not eliminate the ASO requirement — you must still bring your own Advanced Security licences if TDE is used, and the same metric-matching rules apply. Learn more about Oracle audit defense and response.
How Oracle Auditors Detect ASO Usage
Oracle LMS and GLAS auditors have specific, well-documented methods for detecting Advanced Security usage. Understanding what they check helps organisations prepare for audits and ensures that internal self-assessments are thorough. ASO is one of the top three most frequently flagged database options in Oracle audits — alongside Partitioning and the Diagnostic/Tuning Packs — because it is both widely needed (regulatory encryption mandates) and widely under-licensed (security teams enable it without licensing awareness).
The detection methods are automated and comprehensive. Oracle's LMS collection scripts run standardised queries against database dictionary views that record feature usage with timestamps. There is no way to "hide" ASO usage from these scripts — the database itself maintains the audit trail. The most effective compliance strategy is to run the same queries internally, on a quarterly basis, to identify any ASO activation before Oracle's auditors do. Discovering a compliance gap internally gives you the option to either procure the licence at negotiated pricing or disable the feature — both of which are dramatically cheaper than an audit finding at list price.
DBA_FEATURE_USAGE_STATISTICS
The primary detection method. This view logs every activation of licensable features including "Transparent Data Encryption" and "Data Redaction" with timestamps of first and last usage. Oracle's LMS collection scripts query this view automatically. Historical usage is retained even after features are disabled — you cannot delete the audit trail.
Encrypted Tablespace and Column Detection
Auditors query DBA_ENCRYPTED_COLUMNS and DBA_TABLESPACES (with encryption status) to identify any encrypted objects in the database. Even a single encrypted column on a single table triggers the ASO licence requirement for the entire server.
Encryption Wallet Status
The V$ENCRYPTION_WALLET view reveals whether an encryption wallet or keystore is configured and open. An active wallet indicates TDE is in use. Auditors check both the wallet status and the wallet location to confirm encryption configuration.
RMAN Backup Encryption
RMAN backup metadata reveals whether backup encryption is configured. Auditors examine RMAN configuration settings and backup set metadata to identify encrypted backups — a frequently overlooked ASO trigger.
Non-Production Environments
Auditors check test, dev, QA, staging, and DR databases with the same rigour as production. The "it was only for testing" defence does not reduce the licence requirement. Every database instance with any ASO feature flagged as "used" requires full licence coverage. Learn more about Oracle Active Data Guard licensing.
Common Compliance Pitfalls
Advanced Security compliance failures follow consistent patterns. These pitfalls account for the vast majority of ASO-related audit findings, and addressing them proactively eliminates the most expensive risks. In our experience advising hundreds of Oracle licence assessments, ASO non-compliance is present in approximately 40% of Enterprise Edition environments — making it the most common database option compliance gap after the Diagnostic and Tuning Packs.
The root cause is almost always the same: the licensing decision and the technical decision are made by different teams. Security teams evaluate encryption requirements based on regulatory mandates and data sensitivity. Database administrators implement the encryption based on the security team's directive. Neither team consults the licensing or procurement function. The result is a technically correct, operationally sound encryption deployment that is completely unlicensed — and remains so until Oracle's auditors arrive.
| Pitfall | Risk | What Goes Wrong | Financial Impact |
|---|---|---|---|
| TDE enabled without licence | Critical | Security teams enable TDE for GDPR/HIPAA without informing licensing. A single encrypted column triggers full ASO licensing for the server. | List price + backdated support. No volume discounts in audit settlements. |
| Non-production overlooked | Critical | TDE or Data Redaction on test/dev/staging. "Non-prod doesn't count" is wrong — Oracle's policy is unambiguous. | Full licensing required for every non-prod instance using ASO. |
| DR standby exposure | High | Standby databases with TDE opened for read access beyond Oracle's 10-day failover rule. | Full ASO Processor licensing for every DR server. |
| Encrypted backups | High | DBA configures RMAN backup encryption as best practice without knowing it is an ASO feature. | ASO licensing triggered for the database server. |
| Data Redaction by developers | Medium-High | Application developers implement redaction for GDPR compliance without realising it requires ASO. | Same cost as TDE — full ASO licensing for the server. |
| 19c network encryption confusion | High | Assuming TDE became free when network encryption did in 19c. It did not. | Unlicensed TDE across every server where this assumption was made. |
Five Strategic Recommendations
Integrate Licensing Into Security Change Management
Require licensing team sign-off before any database encryption, redaction, or backup encryption is enabled. Add a licence review step to your database provisioning and security hardening checklists. This single governance control prevents the most common ASO compliance failure — well-intentioned security teams enabling features without awareness of the licensing cost.
Conduct Quarterly Feature Usage Scans
Query DBA_FEATURE_USAGE_STATISTICS across all Oracle databases every quarter. Flag any new ASO feature activations immediately — either procure the licence or disable the feature before it becomes an audit finding. Quarterly scanning is the single most effective compliance control for database options.
Minimise the ASO Licensing Footprint
Enable TDE only on databases that genuinely require it for regulatory or contractual reasons. Use OS-level or storage-level encryption for databases that need basic at-rest protection but are not subject to specific Oracle TDE requirements. Disable ASO features on non-production environments where encryption is not legally mandated. Consolidate encrypted databases on fewer, smaller servers.
Leverage OCI for New Encrypted Workloads
For new databases requiring encryption, Oracle Autonomous Database with Licence Included pricing includes TDE at no additional option cost. This eliminates per-server ASO licensing entirely and simplifies compliance. Evaluate OCI migration for workloads where the total cost of ownership (including OCI compute and storage) is lower than on-premises licensing plus support.
Negotiate ASO Into Enterprise Agreements
If encryption is required across many databases, include ASO explicitly in ULA or enterprise agreement discussions. Bundling ASO with other options provides volume leverage and eliminates per-core counting. Ensure ASO is explicitly named in the agreement text — implicit assumptions about which options are included lead to compliance disputes. Learn more about Oracle analytics server licensing.