Oracle Advanced Security is one of the most audited and most frequently non-compliant database options in the Oracle ecosystem. Security teams enable Transparent Data Encryption to meet regulatory mandates, often without realising it triggers a separately licensed add-on at $15,000 per processor. This advisory provides IT asset managers with a clear breakdown of what Advanced Security covers, how it is licensed, what triggers a licence requirement, and how to manage compliance and cost effectively.
For a broader overview of all Oracle database options, see our Oracle Database Licensing Guide.
1. Understanding Oracle Advanced Security Option
Oracle Advanced Security is an add-on for Oracle Database Enterprise Edition (EE) that provides enhanced data protection capabilities. It addresses the need to protect sensitive data at rest and in transit, enabling organisations to meet stringent security and privacy requirements including GDPR, HIPAA, and PCI-DSS.
| Feature | What It Does | Licence Trigger | Since Version |
|---|---|---|---|
| Transparent Data Encryption (TDE) | Encrypts data at rest: column-level, tablespace-level, or entire database. Data is unreadable without decryption keys, protecting against theft from files or backups. | Any encrypted column, tablespace, or database triggers the requirement | 10gR2+ |
| Data Redaction | Dynamically masks sensitive data in SQL query results based on user roles and policies. Applications only reveal what is permitted. | Any active redaction policy on any table | 12c+ |
| Backup & Export Encryption | Encrypts RMAN backups and Data Pump export files to secure data outside the live database environment | Encrypted RMAN backup or Data Pump export | 10gR2+ |
| External Key Manager Integration | Integrates with external key management systems (e.g., Oracle Key Vault, third-party KMS) for centralised TDE key storage | Integration with external key management for TDE | 11g+ |
| Strong Authentication | Enables Kerberos, RADIUS, PKI certificate, or smart card authentication with the database | Configuring enterprise authentication beyond username/password | Various |
| Network Encryption (historical) | Encrypts data in transit over SQL*Net using AES | No longer required; included free with EE from 19c onwards | Free from 19c |
A common source of confusion: Oracle moved native network encryption and TLS support into the base Enterprise Edition with version 19c. This means you no longer need Advanced Security just to encrypt data in transit. However, Transparent Data Encryption for data at rest and Data Redaction still require the separately licensed Advanced Security Option. Do not conflate the two: many organisations have been caught assuming TDE became free when network encryption did.
For related encryption licensing, see our guide to Oracle Label Security Licensing.
2. When You Need an Advanced Security Licence
Oracle Advanced Security must be licensed whenever its features are used; it is not included in the standard database licence. Oracle does not prevent you from enabling these features without a licence. The software allows activation freely, but Oracle's licence audit scripts will capture any usage.
| Usage Scenario | Licence Required? | Detection Method |
|---|---|---|
| Encrypt any column, tablespace, or database with TDE | Yes: even a single encrypted column triggers the requirement | DBA_FEATURE_USAGE_STATISTICS: records "Transparent Data Encryption" |
| Create encrypted RMAN backups | Yes: encryption of backup files is an ASO feature | RMAN backup metadata shows encryption settings |
| Use Data Pump export with encryption | Yes: encrypted export files leverage ASO functionality | Data Pump job logs; feature usage statistics |
| Implement Data Redaction policies | Yes: any active redaction policy | DBA_FEATURE_USAGE_STATISTICS: records "Data Redaction" |
| Integrate with external key managers for TDE | Yes: part of the ASO feature set | Wallet/keystore configuration, V$ENCRYPTION_WALLET |
| Configure Kerberos or RADIUS authentication | Yes: strong authentication is an ASO feature | SQLNET.ORA parameters, feature usage logs |
| Enable native network encryption (19c+) | No: included free with EE from 19c | Not flagged as ASO in 19c+ audit scripts |
| Standard password authentication | No: base EE feature | N/A |
| OS or storage-level encryption (non-Oracle) | No: not an Oracle feature | N/A: Oracle cannot detect external encryption |
If Advanced Security features were enabled accidentally, for testing, or for a short period, Oracle still considers this licensable usage. The DBA_FEATURE_USAGE_STATISTICS view records timestamps of first and last usage. Once a feature is flagged, you cannot "unring the bell", even if you subsequently disable it. Oracle's audit teams routinely check this view, and historical usage will appear in their LMS script output. The safest approach is to proactively disable ASO features on databases where you are not licensed.
For details on how Oracle's audit scripts detect feature usage, read: Interpreting Oracle LMS Database Script Output.
3. Licensing Metrics and Pricing
Oracle Advanced Security is licensed in the same way as the Oracle Database itself: you must use the same metric (and quantity) as your Database Enterprise Edition licence for any given deployment. There are two metrics: Processor and Named User Plus (NUP).
| Licence Component | Metric | List Price (USD) | Annual Support (~22%) | Notes |
|---|---|---|---|---|
| Oracle Database Enterprise Edition | Per Processor | $47,500 | ~$10,450/yr | Base database licence. Core factor applies (e.g., Intel x86 = 0.5). |
| Oracle Advanced Security Option | Per Processor | $15,000 | ~$3,300/yr | Must match EE metric and quantity. Every licensed processor requires an ASO licence. |
| Oracle Database Enterprise Edition | Named User Plus | $950/user | ~$209/yr | Min 25 NUP per processor. Count all humans and devices accessing the DB. |
| Oracle Advanced Security Option | Named User Plus | $300/user | ~$66/yr | Must match EE user count. Min 25 NUP per processor applies. |
Oracle strictly requires that you cannot mix database and option metrics on the same server. If your database is licensed per Processor, Advanced Security must also be per Processor (and vice versa for NUP). The quantity must match: you cannot partially licence some processors or a subset of users. Every server using ASO features must be fully licensed for all cores or all users; there is no "partial ASO" licensing.
4. Cost Drivers and Optimisation Strategies
The cost of Oracle Advanced Security scales quickly in large enterprises. Understanding the key drivers helps forecast spend and identify optimisation opportunities.
| Cost Driver | Impact | Optimisation Strategy |
|---|---|---|
| Number of environments | Every database instance using ASO features requires licensing: production, test, dev, DR, and staging all count. Non-production is the most commonly overlooked cost area. | Use Oracle's free Developer Edition for individual dev. Disable ASO features on non-prod instances that don't require encryption. |
| Processor core counts | Higher core counts = more processor licences. Oracle's core factor table gives Intel/AMD x86 a 0.5 factor, but SPARC and POWER chips have higher factors. | Consolidate encrypted databases on fewer servers. Choose hardware with favourable core factors. Limit VM core allocations. |
| User counts (NUP) | If licensed by NUP, all named users and application service accounts must be counted. Indirect access through middleware counts too. | If user counts rise above ~100 per server, evaluate switching to Processor licensing. Remove inactive user licences. |
| Annual support (22%) | In under 5 years, cumulative support exceeds the original licence cost. ASO adds ~$3,300/processor/year on top of EE support. | Negotiate multi-year support discounts. Include ASO in ULA discussions. Consider third-party support for stable environments. |
| Audit penalties | Unlicensed ASO usage found during audit = list price + backdated support. No volume discounts. Often the single most expensive line item in Oracle audit findings. | Proactive compliance is always cheaper. Conduct quarterly self-audits. Remediate before Oracle finds gaps. |
A financial services firm runs Oracle EE on 6 servers (each with 16 Intel x86 cores, 0.5 factor = 8 processor licences per server). TDE is enabled on 4 production servers and 2 DR/test servers.
Total ASO processor licences required: 6 servers × 8 = 48 processor licences
ASO licence cost (list): 48 × $15,000 = $720,000
Annual ASO support: 48 × $3,300 = $158,400/year
Not every database requires TDE. Identify which databases handle regulated or highly sensitive data that truly justifies encryption. For lower-tier systems, consider operating system or storage-level encryption (e.g., Linux dm-crypt, Windows BitLocker) which provide basic at-rest protection without triggering Oracle licence requirements. These alternatives may not be as granular as TDE, but they satisfy many compliance frameworks at zero Oracle licence cost.
5. Cloud and OCI Considerations
Cloud deployments introduce important nuances for Oracle Advanced Security licensing. The rules differ significantly between Oracle Cloud Infrastructure (OCI) and third-party clouds like AWS and Azure.
| Deployment | ASO Licence Requirement | Key Detail |
|---|---|---|
| Oracle Cloud (OCI): Autonomous Database | Not required: included in service | TDE is always on by default. All database options (including ASO, RAC, Partitioning) are included in the "License Included" pricing model. |
| Oracle Cloud (OCI): BYOL | Required if using ASO features | Under BYOL, you bring your own licences including any options. If you use TDE on OCI with BYOL, you must bring ASO processor licences. |
| AWS (RDS for Oracle or EC2) | Required under BYOL | AWS does not include Oracle options. TDE on RDS Oracle BYOL requires your own ASO licences. Core factor does not apply: count vCPUs directly. |
| Azure (Oracle on VM) | Required under BYOL | Same rules as AWS. BYOL requires ASO licences for any encrypted databases. 2 vCPUs = 1 processor licence (no core factor). |
| On-premises: any environment | Required | Standard Oracle licensing rules. Core factor table applies. All environments (prod, dev, test, DR) must be licensed. |
For new workloads requiring encryption, Oracle's Autonomous Database with "License Included" pricing is the simplest path: TDE is built in, always on, and no separate ASO licence is needed. This can be significantly cheaper than on-premises ASO licensing for organisations spinning up new database environments. However, evaluate the total OCI cost against your existing on-premises investment before migrating.
For more on Oracle cloud licensing models, see: Oracle Autonomous Database Licensing - UCC and BYOL Options.
For broader cloud deployment rules, read: Oracle Database Licensing in Cloud Environments.
6. Managing Compliance: Audits and Entitlements
Oracle Advanced Security is one of the most commonly audited database options because it is both frequently required (for regulatory compliance) and frequently overlooked in licensing. Proactive compliance management is essential.
Know Your Entitlements
Inventory all Oracle licences your organisation owns. Collect ordering documents, licence certificates, and contract schedules to confirm whether you have purchased Advanced Security Option licences, the quantity, and the metric (NUP or Processor). Track any ASO licences acquired through bundles, migrations, or ULA certifications. Maintain a central repository; it is not uncommon for companies to lose track of entitlements after mergers or personnel changes.
Monitor Feature Usage
Oracle provides the DBA_FEATURE_USAGE_STATISTICS view in each database that logs usage of licensable features including TDE and Data Redaction. Regularly query this view (or run Oracle's LMS collection tool in read-only mode) to detect any ASO features in use. This is critical because DBAs or security teams frequently enable encryption without routing the request through licence management. Catching it internally lets you either disable the feature or procure the licence before Oracle's auditors find it.
Conduct Internal Audits
Perform periodic internal licence audits focusing on Oracle Database options. For every environment where Oracle Database EE is deployed, verify: Are any Advanced Security features enabled or configured? Check for encryption keys/wallets, initialisation parameters related to encryption, existence of redaction policies. If features are enabled, do you have sufficient licences allocated to that environment? Run this check at least annually, ideally quarterly, or before any expected Oracle audit or contract renewal.
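The self-audit described under Monitor Feature Usage and Conduct Internal Audits, combined with the arithmetic of the worked example in section 4, as an added example (not code from Oracle or from this advisory). The server names, row values and helper names are constructed, and the feature-name set holds only the two names this page cites.

```python
import math

# Read-only query to run on each database; the sample rows below stand in for its output.
FEATURE_SQL = """
SELECT name, detected_usages, currently_used, first_usage_date, last_usage_date
  FROM dba_feature_usage_statistics
 WHERE detected_usages > 0
"""

# Feature names this page says the view records for ASO. Assumption: extend the
# set with any other ASO feature names that appear in your own LMS output.
ASO_FEATURES = {"Transparent Data Encryption", "Data Redaction"}

ASO_LIST_PRICE = 15_000   # USD per processor, from the pricing table
ASO_SUPPORT = 3_300       # USD per processor per year, from the pricing table


def aso_hits(rows):
    """ASO features with any recorded usage, even if disabled since."""
    return sorted({r["name"] for r in rows
                   if r["name"] in ASO_FEATURES and r["detected_usages"] > 0})


def processor_licences(cores, core_factor):
    """Cores x core factor; rounding up a fraction is an assumption here."""
    return math.ceil(cores * core_factor)


def exposure(servers, entitled=0):
    """Compare processor licences required for ASO with those owned."""
    flagged = {}
    for s in servers:
        hits = aso_hits(s["rows"])
        if hits:  # any hit means every core on the server must be covered
            flagged[s["name"]] = {
                "features": hits,
                "licences": processor_licences(s["cores"], s["core_factor"]),
                "historical_only": all(
                    r["currently_used"] == "FALSE"
                    for r in s["rows"] if r["name"] in hits),
            }
    required = sum(f["licences"] for f in flagged.values())
    shortfall = max(required - entitled, 0)
    return {"flagged": flagged, "required": required, "shortfall": shortfall,
            "list_cost": shortfall * ASO_LIST_PRICE,
            "annual_support": shortfall * ASO_SUPPORT}


def row(name, usages, current):
    """Build one constructed feature-usage row."""
    return {"name": name, "detected_usages": usages, "currently_used": current}


# Constructed inventory mirroring the worked example: 6 servers, 16 x86 cores each.
TDE = "Transparent Data Encryption"
SERVERS = [{"name": f"prod{i}", "cores": 16, "core_factor": 0.5,
            "rows": [row(TDE, 40, "TRUE")]} for i in range(1, 5)]
SERVERS += [
    {"name": "dr1", "cores": 16, "core_factor": 0.5, "rows": [row(TDE, 12, "TRUE")]},
    # TDE was switched off on test1, but the recorded usage remains.
    {"name": "test1", "cores": 16, "core_factor": 0.5,
     "rows": [row(TDE, 3, "FALSE"), row("Partitioning (user)", 9, "TRUE")]},
]

if __name__ == "__main__":
    report = exposure(SERVERS)
    for name, f in report["flagged"].items():
        print(name, f["licences"], f["features"],
              "historical only" if f["historical_only"] else "in use")
    print(report["required"], report["list_cost"], report["annual_support"])
```

Passing the number of ASO processor licences already owned as `entitled` turns the totals into the shortfall to remediate.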
What Oracle Auditors Check for ASO
LMS Script Output: Oracle's LMS collection scripts query DBA_FEATURE_USAGE_STATISTICS and generate a compliance report showing all features used, including timestamps of first and last usage.
Specific checks: Encrypted tablespaces (DBA_ENCRYPTED_COLUMNS), encryption wallets (V$ENCRYPTION_WALLET), active redaction policies (DBMS_REDACT configurations), RMAN backup encryption settings, and SQLNET.ORA authentication parameters.
Non-production environments: Auditors check test, dev, and DR databases with the same rigour as production. The "it was only for testing" defence does not work.
7. Common Compliance Pitfalls
| Pitfall | Risk Level | What Goes Wrong | Financial Impact |
|---|---|---|---|
| TDE enabled without licence | Critical | Security teams enable TDE to meet GDPR/HIPAA/PCI-DSS requirements without informing the licensing team. Even a single encrypted column triggers the full ASO licence requirement for that server. | List price ($15K/processor) + backdated support for the entire unlicensed period. No volume discounts in audit settlements. |
| Non-production environments overlooked | Critical | TDE or Data Redaction enabled on test, dev, QA, or staging databases. Common assumption that "non-prod doesn't count" is wrong: Oracle's policy is unambiguous. | Full licensing required for every non-prod instance using ASO features. Only the individual OTN Developer Licence is exempt. |
| Disaster recovery exposure | High | Standby databases with TDE enabled that are opened for read access or testing beyond Oracle's 10-day rule. If a standby DB has TDE and is opened >10 days/year, full licensing is triggered. | Full ASO processor licensing for every DR server where TDE is active beyond the 10-day threshold. |
| Data Redaction overlooked | Medium-High | Application developers implement Data Redaction policies for GDPR compliance without realising it is an ASO feature requiring separate licensing. | Same licence cost as TDE: the entire ASO option must be licensed for the server. |
| Encrypted backups without awareness | Medium-High | DBA configures RMAN backup encryption as a security best practice. This is an ASO feature, not a free backup enhancement. | ASO licensing triggered for the database server. Often discovered late because backup encryption is configured at the infrastructure level. |
| Metric mismatch | Medium | Attempting to licence ASO by NUP when the base database is licensed by Processor (or vice versa). Oracle requires metrics to match. | Non-compliant deployment even if you hold ASO licences: wrong metric = wrong licence. |
| Partial licensing assumption | Medium | Licensing ASO for some cores on a server but not all. Oracle does not allow partial licensing: if TDE is used, all cores on that server must be covered. | Under-licensing gap for the unlicensed cores. Oracle calculates the full server requirement. |
| Over-licensing (shelfware) | Medium | Purchasing ASO licences for servers that don't actually use encryption. Often occurs when licences aren't reclaimed after decommissioning. | Wasted budget + 22%/year annual support on unused licences. |
Oracle audit findings for Advanced Security typically require purchasing shortfalls at full list price with no negotiated discounts, plus backdated support fees for the entire period of unlicensed usage. A proactive self-audit that identifies and remediates gaps internally (either by purchasing licences or disabling features) is invariably cheaper and less disruptive than having Oracle discover them. Budget for quarterly feature usage reviews as a standard ITAM practice.
8. Recommendations for ITAM Professionals
- A. Educate your team. Ensure database administrators and security engineers understand that Advanced Security features (TDE, Data Redaction, backup encryption) are not free with Oracle Database. Provide clear guidelines on which features require separate licences. Prevent well-intentioned but unlicensed usage.
- B. Enable technical controls. Use Oracle Database initialisation parameters or feature usage controls to disable ASO options on databases where you are not licensed. Proactively disabling the Advanced Security Option prevents accidental activation by DBAs or automated security tools.
- C. Audit regularly. Perform routine internal audits using Oracle's DBA_FEATURE_USAGE_STATISTICS view or LMS scripts to detect ASO feature usage. Catching usage early lets you take action (either licence it or disable it) before it becomes an audit finding.
- D. Integrate licensing into change management. Whenever your organisation implements encryption or other ASO capabilities in a new database, require licensing team sign-off. Add a licence review step to your database provisioning checklist for any system where TDE, redaction, or backup encryption will be enabled.
- E. Maintain an entitlement inventory. Track the number of ASO licences owned and how they are allocated (to specific servers or user counts). This prevents both under-licensing and over-licensing. Reclaim licences from decommissioned servers and reallocate to new encryption deployments.
- F. Consider enterprise licence options. If encryption is required across many databases, negotiate a ULA or enterprise agreement that explicitly includes Advanced Security. This provides cost certainty and eliminates per-core counting. Ensure ASO is explicitly named in the agreement; implicit assumptions lead to compliance problems.
- G. Leverage Oracle Cloud for new workloads. Oracle's Autonomous Database includes TDE by default with "License Included" pricing: no separate ASO licence needed. For new projects requiring encryption, this can sidestep on-premises licence management entirely.
- H. Plan ahead, don't scramble. If an application will require database encryption next year, budget and negotiate ASO licences now. Oracle's sales teams offer better terms before you are out of compliance than after the fact. Avoid enabling TDE first and purchasing licences later.
Need Independent Oracle Advanced Security Advisory?
Redress Compliance provides vendor-independent Oracle licence assessments, audit defence, and contract negotiation. We help enterprises identify unlicensed ASO usage, quantify compliance gaps, negotiate optimal settlements, and build governance frameworks that prevent future exposure, all on a fixed-fee basis with complete vendor independence.
9. Action Checklist: 5 Steps to Take Now
- 1. Inventory all Oracle databases and features. Scan every Oracle Database instance (production, test, dev, DR) and check whether Advanced Security features are in use. Query DBA_FEATURE_USAGE_STATISTICS or run Oracle's LMS scripts to flag any usage of TDE, Data Redaction, encrypted backups, or strong authentication. Document which databases have ASO features enabled.
- 2. Verify licence entitlements vs usage. Gather your Oracle licensing agreements to determine how many Advanced Security licences you own (Processor or NUP) and compare against the usage identified in Step 1. For each database using ASO, confirm sufficient licences are allocated. Flag any gaps (usage without matching licences) for immediate remediation.
- 3. Remediate non-compliance. For unlicensed usage: purchase additional licences to cover the gap, or disable ASO features on databases where encryption is not legally or operationally required, or migrate encryption needs to OS/storage-level alternatives that don't trigger Oracle licensing. Coordinate with DBAs and security teams to implement and verify remediation.
- 4. Implement governance controls. Update database provisioning checklists to include licence review before enabling encryption. Configure monitoring to alert if someone creates an encrypted tablespace or redaction policy on an unlicensed system. Include ITAM in change management for any database security feature changes.
- 5. Establish ongoing monitoring and audit readiness. Review ASO usage and licence compliance quarterly. Keep a log of changes (new encryption deployments, licence purchases, decommissions). Simulate an Oracle audit internally: verify you can quickly produce evidence of ASO licences and usage mapping. Staying audit-ready eliminates last-minute surprises.