Oracle charges $15,000 per processor for the Advanced Security Option — which includes Transparent Data Encryption (TDE), the encryption at rest feature mandated by GDPR, PCI DSS, HIPAA, and dozens of other data protection frameworks. The result is a uniquely adversarial licensing situation: enterprises that encrypt Oracle databases to meet legal obligations discover that Oracle treats regulatory compliance as a revenue opportunity. Former Oracle insiders explain exactly what the Advanced Security Option covers, where Oracle's licensing terms are genuinely ambiguous, and how to defend against OAS audit findings where the usage was driven by regulatory requirements rather than commercial choice.
Oracle Advanced Security Option (OAS, also referred to as ASO in older documentation) is an Enterprise Edition-only database option that bundles several security and data protection features into a single separately licensed product. Oracle prices OAS at $15,000 per processor (perpetual list), with annual support of approximately $3,300 per processor at Oracle's 22% support rate. The features included in OAS are:
The OAS pricing model means that a four-processor Oracle Database EE environment requires $60,000 in OAS perpetual licences and $13,200 per year in annual support — purely to use TDE for regulatory compliance purposes. For organisations with large Oracle Database estates (20, 50, or 100+ processors), OAS costs can reach $300,000–$1.5M in perpetual licences, making it one of the largest line items in an Oracle options spend.
Transparent Data Encryption is the specific OAS feature that generates the most controversy — and the most audit disputes. TDE encrypts Oracle data files, temporary files, redo logs, and database backups using AES-256 or AES-128 encryption, ensuring that data is unreadable if the underlying storage media is accessed without Oracle's key management infrastructure. TDE is the standard Oracle mechanism for achieving encryption at rest, which is a mandatory control under most enterprise data protection frameworks.
The controversy: GDPR Article 32 requires "encryption of personal data" as a technical measure. PCI DSS Requirement 3.5 requires encryption of stored cardholder data. HIPAA Security Rule 45 CFR § 164.312(a)(2)(iv) specifies encryption as an addressable implementation specification for PHI protection. These regulations do not specify which encryption product to use, but for organisations running Oracle Database, TDE is the natural and Oracle-recommended mechanism. Oracle's position is that TDE is a separately licensed feature of the Advanced Security Option — regardless of whether its use is voluntary or mandated by regulation. Oracle's LMS team has pursued OAS claims against organisations that implemented TDE specifically and solely because their legal team required it for regulatory compliance.
This creates a specific and deeply uncomfortable dynamic: Oracle charges for the means of compliance with data protection law. Enterprise legal teams, security teams, and compliance officers who implement TDE based on regulatory advice frequently do so without IT asset management involvement or Oracle licensing review. The OAS back-licence claim arrives months or years later during an LMS audit, when Oracle asserts that TDE usage from the date of first implementation requires retroactive OAS licences for every processor in the database environment. The back-licence claim can cover the full period of TDE usage — potentially years of unlicensed usage — generating claims of $500,000 to several million dollars for organisations with significant Oracle Database estates.
Our Oracle Audit Defence service has successfully defended TDE-related OAS claims for healthcare, financial services, and retail organisations that implemented encryption to meet GDPR, PCI DSS, and HIPAA requirements. Independent expert representation changes the outcome.
Oracle's licensing policy for TDE has changed across database versions and editions in ways that are incompletely documented and commercially disputed. Understanding the version-specific rules is critical for determining whether your TDE usage requires OAS licences.
Oracle Database 12c Release 1 (12.1): TDE tablespace encryption and TDE column encryption were OAS-only features. TDE could not be used without OAS under any circumstances for databases in this version range.
Oracle Database 12c Release 2 (12.2) and Oracle Database 18c: Oracle published guidance suggesting that TDE was included in EE without a separate OAS licence for databases that were created with TDE configured as part of the initial database creation. The "include TDE in EE" messaging was communicated informally by some Oracle account teams during this period. Oracle subsequently clarified that TDE in EE (without OAS) applied only in specific OCI deployments and Oracle-managed cloud environments — not on-premises. The confusion generated by Oracle's inconsistent messaging from this period is the source of many OAS audit disputes.
Oracle Database 19c and 21c: Oracle's published documentation for these versions maintains that TDE is an OAS feature on-premises. Oracle's Autonomous Database service on OCI includes encryption by default without OAS charges — but this is an OCI-specific commercial provision, not a change to on-premises licensing.
The practical implication: for on-premises Oracle Database deployments at any version, TDE usage requires OAS licences unless a specific contractual provision (such as an EA or ULA that includes OAS) explicitly covers it. For cloud deployments, OCI-specific TDE inclusion provisions may apply. Any other scenario requires OAS licences. If you believe Oracle told you that TDE was included without OAS, you need a written confirmation of that position in your Oracle licence agreement — verbal assurances or informal account team communications are not licence grants.
Version uncertainty: If your organisation implemented TDE between 2016 and 2019 based on Oracle account team messaging that TDE was "included in EE", you are in a high-risk position for an OAS audit claim. Oracle's LMS team does not accept the informal account team messaging as a defence. Engage our Audit Defence team to assess your position and develop a challenge strategy before Oracle raises this finding.
Oracle Native Network Encryption (NNE) — the Oracle Net Services feature that encrypts data in transit between Oracle Database clients and the server using AES or RC4 — is a subject of licensing ambiguity that is closely related to OAS disputes. NNE was historically considered an OAS feature but has been subsequently characterised in some Oracle documentation as included in the base Oracle Database EE licence without OAS.
Oracle's current published position is that Oracle Native Network Encryption and Oracle Native Data Integrity features — which encrypt and authenticate Oracle Net connections — are included in Oracle Database EE without an additional OAS licence. This is a specific, narrow carve-out: NNE for Oracle Net connections (SQLNET.ENCRYPTION_SERVER, SQLNET.ENCRYPTION_CLIENT parameters) is included. It does not extend to TDE, data redaction, or other OAS features.
The implication for organisations receiving OAS audit claims that include network encryption findings: if Oracle's LMS finding cites NNE usage as an OAS violation, this is challengeable. Oracle's own published documentation supports the position that NNE is included in EE. If OAS usage detected in DBA_FEATURE_USAGE_STATISTICS includes NNE as the primary or sole detected feature, the OAS claim can often be significantly reduced or eliminated by demonstrating that TDE and other OAS features were not used — and that the feature usage detection was driven exclusively by NNE, which is included in EE.
Oracle's detection of Advanced Security Option usage relies on the same DBA_FEATURE_USAGE_STATISTICS mechanism used to detect other database options. The specific feature names that Oracle's LMS scripts look for in the context of OAS include: "Transparent Data Encryption", "Oracle Data Redaction", "Fine Grained Auditing", "Database Native Encryption", "Advanced Replication", "Label Security", and various security-related feature names depending on the database version.
Oracle's LMS scripts also check V$ENCRYPTED_TABLESPACES (to identify TDE-encrypted tablespaces) and V$ENCRYPTED_COLUMNS (to identify TDE column encryption) as direct evidence of TDE usage independent of DBA_FEATURE_USAGE_STATISTICS. This means that even if DBA_FEATURE_USAGE_STATISTICS has been reset or shows low detected usage counts, Oracle can independently confirm TDE usage by querying the encrypted tablespace and column metadata directly. An organisation that implements TDE, runs LMS scripts, and then hopes that limited DBA_FEATURE_USAGE_STATISTICS history will minimise the claim is likely to be disappointed — Oracle has multiple independent detection vectors for TDE.
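A database owner can run the same kind of checks ahead of any data collection to see what these views currently report. The following read-only queries are an added example, not Oracle's LMS scripts or code from this article; the feature-name filter reuses the names listed above, column encryption is read from the DBA_ENCRYPTED_COLUMNS dictionary view, and the banner patterns in the last query are assumptions about how active Native Network Encryption appears in V$SESSION_CONNECT_INFO.

```sql
-- Added example: read-only self-assessment queries. Run as a user that can
-- select from the DBA_ and V$ views (for example via SELECT_CATALOG_ROLE).

-- 1. Recorded usage for the feature names listed in the article.
--    Names differ between database versions, so widen the filter if needed.
SELECT name, version, detected_usages, currently_used,
       first_usage_date, last_usage_date
FROM   dba_feature_usage_statistics
WHERE  name IN ('Transparent Data Encryption', 'Oracle Data Redaction',
                'Fine Grained Auditing', 'Database Native Encryption',
                'Advanced Replication', 'Label Security')
AND    detected_usages > 0
ORDER  BY name, version;

-- 2. TDE tablespace encryption, independent of the usage statistics.
--    In a multitenant CDB root, also join on con_id (ts# repeats per PDB).
SELECT t.name AS tablespace_name, e.encryptionalg, e.encryptedts
FROM   v$encrypted_tablespaces e
JOIN   v$tablespace t ON t.ts# = e.ts#
ORDER  BY t.name;

-- 3. TDE column encryption: one row per encrypted column.
SELECT owner, table_name, column_name, encryption_alg
FROM   dba_encrypted_columns
ORDER  BY owner, table_name, column_name;

-- 4. Sessions that currently negotiate Native Network Encryption or
--    Native Data Integrity (the features described as included in EE).
--    Assumption: an active algorithm shows up as a "service adapter" banner.
SELECT DISTINCT sid, network_service_banner
FROM   v$session_connect_info
WHERE  network_service_banner LIKE '%Encryption service adapter%'
   OR  network_service_banner LIKE '%Crypto-checksumming service adapter%'
ORDER  BY sid;
```

Empty results from queries 2 and 3 alongside rows from query 4 correspond to the NNE-only situation discussed above; keep the dated output with your audit records.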
Timing of Oracle's LMS script execution relative to TDE implementation also matters: if Oracle's LMS scripts are collected shortly after TDE is disabled, V$ENCRYPTED_TABLESPACES may already be empty (if tablespaces were decrypted) but the undo log and archived redo logs may still contain evidence of historical TDE usage. Our Compliance Review includes a forensic assessment of what TDE evidence is detectable in your current Oracle environment and what Oracle's LMS team will find at the point of data collection.
Oracle's OAS audit findings are among the most successfully challenged of any Oracle option claim, for several reasons: the TDE licensing rules are genuinely ambiguous for specific version and time periods; Oracle's own account team messaging created legitimate confusion about TDE inclusion; the regulatory compulsion argument provides commercial leverage that Oracle is reluctant to test in formal dispute; and NNE-only detection findings can be challenged as non-OAS usage.
The challenge strategy for OAS audit findings should address four dimensions: technical accuracy (is Oracle measuring the right features as OAS versus included-in-EE features?); scope period (when did OAS-qualifying usage actually begin, and can early usage be excluded from the back-licence claim?); intentionality and context (was TDE implemented under Oracle account team assurances of inclusion, or to meet regulatory requirements?); and commercial resolution (what is Oracle actually trying to achieve commercially, and can a package deal address both the OAS claim and Oracle's revenue objectives?).
In our experience across Oracle Audit Defence engagements involving OAS claims, the most effective outcomes combine: a forensic technical challenge that reduces Oracle's claimed OAS usage period; a regulatory compulsion argument that creates reputational risk for Oracle in pursuing the claim aggressively; and a commercial negotiation that resolves the OAS claim as part of a broader Oracle agreement restructuring — often at 20–40% of Oracle's initial claim value. Organisations that accept Oracle's initial OAS claim without challenge are consistently overpaying. See the Pharma Java & Middleware Compliance case study for an example of how regulatory compliance arguments combined with technical challenge reduced a security-related options claim from $4.5M to a fraction of the initial amount.
Oracle's OAS claims are among the most challengeable in Oracle licensing. Our Audit Defence team combines technical forensics with commercial negotiation to reduce OAS back-licence claims by 60–80% on average.
The regulatory compulsion defence is the argument that Oracle should not be able to commercially exploit a legal mandate — that charging a premium licence fee for a security feature that organisations are legally required to implement creates an unconscionable commercial situation. While this argument does not constitute a legal defence to Oracle's licence terms (which are clear that TDE requires OAS), it creates a reputational and public relations risk for Oracle that Oracle is reluctant to accept, particularly in regulated industries where Oracle's enterprise customer base is large and influential.
The regulatory compulsion defence is most effective when: the TDE implementation is directly traceable to a specific regulatory audit finding or legal compliance programme (with documented evidence); the organisation is in a regulated sector where Oracle has significant customer concentration (healthcare, financial services, government, utilities); the organisation's legal team is prepared to make the regulatory compulsion argument formally in Oracle dispute resolution; and the argument is deployed as part of a broader commercial negotiation rather than as a pure legal challenge.
In practice, Oracle's commercial teams will often accept a significantly discounted OAS settlement — or agree to include OAS licences in a new EA or ULA at a substantial discount — when faced with a well-documented regulatory compulsion argument and a credible risk that the dispute could attract public attention or regulatory interest. Oracle's commercial interest in maintaining revenue from regulated-sector customers outweighs its interest in extracting the maximum theoretical OAS back-licence value from an organisation that implemented TDE to protect patient data, cardholder data, or personal data subject to GDPR.
Our Audit Defence and Contract Negotiation teams have successfully deployed the regulatory compulsion defence in healthcare, financial services, and retail environments across North America and Europe. The approach requires skilled legal and commercial coordination — it is not effective as an ad hoc argument by the customer's IT team in isolation.
For organisations seeking to reduce or eliminate OAS licence costs, there are several architectural alternatives to Oracle TDE that provide encryption at rest without requiring OAS. These alternatives have trade-offs in terms of performance, operational complexity, and feature completeness — but for organisations with significant OAS exposure, the cost savings can justify the architectural change.
Each of these alternatives has implications for your Oracle licence estate, your Oracle support agreements, and your database operations that should be assessed independently before implementation. Our License Optimisation service includes a specific OAS elimination review that identifies which approach is most practical and cost-effective for your environment.
About the Author
Oracle Licensing Experts Team — Former Oracle insiders with 25+ years of combined experience in Oracle licensing, LMS audits, and enterprise contract negotiation. Now working exclusively for enterprise buyers.