Oracle Advanced Security Licensing:
TDE, Data Redaction & Compliance

What Oracle Advanced Security Actually Covers

Oracle Advanced Security is a separately licensed option for Oracle Database Enterprise Edition that bundles two distinct data protection capabilities: Transparent Data Encryption (TDE) and Data Redaction. Neither feature is available under the base Enterprise Edition licence, and neither is included in any Oracle support contract or cloud service tier unless explicitly purchased. The Oracle Advanced Security Option (ASO) must be procured separately, priced at $15,000 per Processor or $300 per Named User Plus at Oracle's published list price. Annual support, charged at 22% of the licence fee, is added on top — and Oracle support fees increase by 8% per year, meaning the retroactive cost of unresolved non-compliance compounds with every passing renewal cycle.

Understanding precisely what falls inside and outside the ASO boundary is the essential first step for any Oracle licensing review. Transparent Data Encryption covers tablespace-level encryption, column-level encryption, RMAN encrypted backups, and encrypted Data Pump exports. All of these capabilities require ASO to be licensed on every database instance where they are deployed. Data Redaction — the ability to mask sensitive data dynamically in query output without modifying the underlying storage — is also covered by ASO. It is worth noting that Oracle Label Security, which controls row-level access based on sensitivity labels, is a completely separate product with its own price of $11,500 per Processor or $230 per Named User Plus, and is frequently confused with ASO in licence reviews. All three products appear in DBA_FEATURE_USAGE_STATISTICS and all three are swept by Oracle's LMS collection scripts during audit. For a broader picture of the database options landscape, our guide to Oracle Knowledge Hub resources covers every commonly audited option in detail.

Oracle Advanced Security Licensing: The Rules That Catch Enterprises Off Guard

The Oracle Advanced Security licensing requirement contains several rules that are counterintuitive in practice and that Oracle's LMS team exploits systematically in audit. The most important is the rule of matching: if your database is licensed per Processor, your ASO licence must also be per Processor, and the quantities must match exactly. If your database is licensed per Named User Plus, ASO must also be per Named User Plus with the same or greater user count. You cannot license ASO on fewer processors than your database runs on, even if TDE is only enabled on one tablespace on one instance.

The second critical rule is the absence of a use threshold. Oracle does not require that a feature be in active production use to trigger the licence requirement — any activation recorded in DBA_FEATURE_USAGE_STATISTICS constitutes a licensing obligation. A development environment where TDE was tested for a weekend and then disabled still shows first-use and last-use timestamps in the feature usage view. Oracle's LMS team will present those timestamps and the licence shortfall they imply. For enterprises that have run Oracle databases across multiple environments for years without a systematic licence review, this creates substantial hidden exposure. Our TDE-specific licensing guide covers the exact database views that create this exposure and the practical steps to address it.

The third issue is virtualisation. Enterprises running Oracle databases on VMware ESXi, Microsoft Hyper-V, or other non-Oracle hypervisors face Oracle's hard-partition vs. soft-partition rules. For most virtualisation platforms not on Oracle's approved hard-partition list, the full physical host must be licensed — not just the virtual machines. If you have eight cores of Oracle Database Enterprise Edition running on a VMware cluster with twenty-four physical cores, Oracle's position is that you need twenty-four processors of database licence and twenty-four processors of every option in use, including ASO. This is one of the most financially material aspects of Oracle Advanced Security compliance and the area where Redress Compliance most frequently identifies the largest gaps when conducting independent Oracle advisory reviews for enterprise clients.

Oracle Advanced Security Audit Risk: What Happens When Oracle Knocks

Oracle's LMS audit process for Advanced Security follows a well-established sequence. The audit is typically initiated with a letter from Oracle's Global Licensing Advisory Services (GLAS) or LMS team requesting that you run the SOSI scripts within 45 days. These scripts query DBA_FEATURE_USAGE_STATISTICS, capturing every Oracle option and management pack activation across every database in scope. The resulting output is sent to Oracle's LMS team, which cross-references it against your existing licence position. Any gap between what is licensed and what the scripts find becomes an audit finding.

Advanced Security non-compliance is present in approximately 40% of Enterprise Edition environments reviewed in audit — making it the third most common database option compliance gap after the Diagnostic Pack and Tuning Pack. When Oracle presents its findings, the resolution it demands invariably includes purchasing the full licence shortfall at list price plus backdated annual support for the entire unlicensed period, compounding at 8% per year. An organisation that has run unlicensed TDE for five years across ten processor licences faces a list-price exposure of $150,000 in licence fees plus support that has compounded annually — often totalling more than the licence value itself.

There are, however, legitimate routes to reducing Oracle's initial audit claim. Oracle's calculation of licence shortfalls is frequently based on a maximalist interpretation of the rules. In virtualised environments, Oracle sometimes claims processors that are not actually running database workloads. In multi-instance environments, Oracle may double-count instances or apply metrics incorrectly. Redress Compliance has consistently reduced Oracle's initial audit claims by 60% to 90% across more than 100 Oracle audit engagements. The white paper available at our Oracle Audit Defence resource documents the specific challenge strategies, the Oracle clauses that govern them, and the outcomes our clients have achieved. To understand whether your current position warrants pre-emptive action, book a confidential call with a Redress Oracle specialist today.

Oracle Advanced Security Data Redaction: The Overlooked Compliance Risk

While Transparent Data Encryption draws the most attention in Oracle Advanced Security audits, Data Redaction is a growing source of unlicensed use that many enterprises overlook entirely. Oracle Data Redaction enables the dynamic masking of sensitive data in query results — for example, displaying only the last four digits of a credit card number in an application query while leaving the full value stored in the database. It does not modify the underlying data, which is precisely why security and application teams enable it with relatively little ceremony: there is no physical encryption key to manage, no performance impact to measure, and no structural database change to document. It simply appears in a policy and is applied to a column.

That operational simplicity makes Data Redaction one of the most under-licensed ASO features. Security architects deploy it to meet PCI-DSS or GDPR masking requirements without realising that Oracle Advanced Security must be licensed for the server where the redaction policy is active. When Oracle's LMS team runs its collection scripts, every Data Redaction policy appears in DBA_FEATURE_USAGE_STATISTICS with precise activation timestamps. In a typical Oracle database audit across an estate with several hundred database instances, it is common to find Data Redaction deployed in development and QA environments alongside production — each requiring its own ASO licence at $15,000 per processor.

The approach to addressing Data Redaction compliance is fundamentally the same as for TDE: query the feature usage view across every Oracle database instance, identify every instance where a redaction policy exists or has historically existed, cross-reference against your licence position, and either procure the licence or remove the policy with documented evidence of disablement. The important distinction from TDE is that removing a Data Redaction policy is typically operationally simpler than decrypting tablespaces — but that does not make it a quick fix. Oracle will still claim back-support for the unlicensed period, and back-support compounds at 8% per year. For the most complete and current guidance on managing your Oracle Advanced Security position, including the specific queries your DBA team should run and the sign-off process that prevents future gaps, download our Oracle audit white paper or speak directly with a Redress Oracle adviser. Organisations that have engaged our Oracle advisory services consistently report that a pre-audit review pays for itself many times over in avoided compliance exposure.