Delivering Oracle Success
Safeguard Oracle E-Business Suite R12 Sensitive Data
A look at Oracle Database Vault, Transparent Data Encryption and Oracle Data Masking
Lucy Feng
Heartland Oracle Users Group Conference
October 20, 2011
© DBAK 2011 2
About DBAK
• Oracle solution provider
• Co-founded in 2005
• Based in Englewood, CO
• Core Technology and EBS Applications
• More than 140 implementations, upgrades, conversions, and support projects for 90+ clients
• Average 15 years of Oracle expertise
• Oracle Gold Partner
• OEM "Specialized"
Agenda
• Overview of the security challenge
• Identifying EBS sensitive data
• Oracle security features: Database Vault, TDE and Data Masking
  – Overview
  – Integration with EBS R12
  – Impact
Information Protection and Control
Motivators
• Data loss incidents
• Government and industry regulations
• Outsourcing
• Cloud sourcing
Oracle EBS Sensitive Data Samples
Modules covered: Order Management, Accounts Receivable, Human Resources
Data type: EBS tables in which it appears
• Protected Health Information (no tables listed)
• Bank Account Number: ap_checks_all, ap_invoice_payments_all, ap_selected_invoice_checks_all
• Social Security Number: per_all_people_f, hr_h2pi_employees, ben_reporting, ap_suppliers, ap_suppliers_int, po_vendors_obs
• Credit Card Data: iby_security_segments, oks_k_lines_*, ap_bank_accounts_all, iby_trxn_summaries_all, oe_order_headers_all, iby_credit_card, aso_payments, oks_k_headers_*
Oracle EBS Sensitive Data
Take inventory of sensitive and confidential data contained in
• Oracle and custom tables
• Interface tables and files
• Log files
Create a matrix of who can access what data
Preemption Is the Best Strategy
Encryption and Masking
• Advanced Security
• Secure Backup
• Data Masking
Access Control
• Database Vault
• Label Security
Monitoring and Auditing
• Configuration Management
• Audit Vault
• Total Recall
Oracle Security Offerings
Pre-certified with Oracle E-Business Suite
• Database Vault
• Transparent Data Encryption
• Data Masking
License Requirement
Feature: required license
• Oracle Data Masking: Oracle Enterprise Manager Data Masking Pack license
• TDE: Oracle Advanced Security license
• Oracle Database Vault: Oracle Label Security license (as paired on the slide; note that Database Vault is itself a separately licensed Enterprise Edition option, so confirm current licensing with Oracle before budgeting)
Oracle Database Vault
• Restricts access to specific areas in a database from users, including users with administrative access
• Provides preventive controls
• Increases security transparently to the application
Oracle Database Vault
Feature: description
• Realms: boundaries within the database that act like a firewall to prevent privileged users from using system privileges (SELECT ANY TABLE, etc.) to access data.
• Command rules: security rules that control the execution of database commands.
• Factors: environment parameters (IP address, authentication method) that can be used with command rules and realms to create trusted paths, defining who, when, where and how data is accessed.
• Separation of duty: out-of-the-box least-privilege controls that separate out administrative actions.
Oracle Database Vault Separation of Duty
Responsibility / Roles / Description / Change for the DBA
• Resource Administrator
  – Roles: SYSDBA
  – Description: traditional DBA tasks
  – Change: none
• Security Administrator
  – Roles: DV_OWNER, DV_ADMIN
  – Description: set up realms, command rules, authorize other users to use them, and execute various security reports
  – Change: the DBA can no longer grant/revoke DBA roles nor access the DVSYS schema
• Account Management
  – Roles: DV_ACCTMGR
  – Description: user account management; can create, drop or modify database users
  – Change: the DBA can no longer manage users
Oracle Database Vault Policy Examples
• DBA views HR data protected by an HR realm => blocked by the realm
• Power user queries customer information through SQL*Plus => blocked by rules/factors that only allow access from the application server
Oracle Database Vault
GUI for administering, monitoring and reporting
• Database Vault Administrator (DVA)
• OEM Database Control
• OEM Grid Control
PL/SQL API
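The two policy examples above, expressed through the Database Vault PL/SQL API (DBMS_MACADM) rather than the DVA GUI. This is an added example, not code from the DBAK slides or from Oracle's EBS integration scripts; the realm, rule, rule set and command rule names, the HR schema as the protected owner, and the application-tier IP addresses are hypothetical. It must be run by an account holding DV_OWNER or DV_ADMIN, which by design is not the EBS DBA.

```sql
-- Added example (not from the slides): the HR realm and the "application
-- server only" trusted path, built with DBMS_MACADM on Database Vault 11g.
-- Run as the Database Vault security administrator (DV_OWNER / DV_ADMIN).
-- Hypothetical names: 'EBS HR Realm', 'From App Server', 'App Server Only';
-- the IP addresses 192.0.2.10/11 stand in for the EBS application-tier nodes.

-- 1. Realm around HR tables. A DBA relying on SELECT ANY TABLE is now blocked
--    (ORA-01031) because realms stop system privileges from reaching the
--    protected objects; only the authorizations added below get through.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'EBS HR Realm',
    description   => 'Protects HR schema tables holding employee PII',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- audit blocked attempts

  -- '%' covers every table owned by HR; repeat for other owners/object types.
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'EBS HR Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => 'TABLE');

  -- The application account is a participant (may use the objects);
  -- no realm owner is added, so nobody can grant/revoke on them.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'EBS HR Realm',
    grantee       => 'APPS',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 2. Trusted path: SELECT against ONT.OE_ORDER_HEADERS_ALL is permitted only
--    when the session originates from an application-tier address. The rule
--    evaluates the default Client_IP factor through DVF.F$CLIENT_IP.
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From App Server',
    rule_expr => 'DVF.F$CLIENT_IP IN (''192.0.2.10'',''192.0.2.11'')');

  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'App Server Only',
    description     => 'Session must come from an EBS application-tier node',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Order data may only be queried from the application tier',
    fail_code       => 20001,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);

  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'App Server Only',
    rule_name     => 'From App Server');

  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'SELECT',
    rule_set_name => 'App Server Only',
    object_owner  => 'ONT',
    object_name   => 'OE_ORDER_HEADERS_ALL',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- 3. Confirm the policy objects exist before testing from SQL*Plus on a
--    non-application host (expect the realm to be enabled, the rule attached).
SELECT realm_name, enabled
  FROM dvsys.dba_dv_realm
 WHERE realm_name = 'EBS HR Realm';

SELECT command, object_owner, object_name, rule_set_name, enabled
  FROM dvsys.dba_dv_command_rule
 WHERE rule_set_name = 'App Server Only';
```

Two caveats worth checking in a non-production copy first: a realm blocks the use of system privileges such as SELECT ANY TABLE, but direct object grants already made on HR tables still work, so review DBA_TAB_PRIVS before trusting the realm; and the command rule applies to every session, including APPS, so an IP list that omits one application node will break the application, not just the power user.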
Oracle Database Vault
Metalink note 428403.1
Prerequisites
• Oracle E-Business Suite Release 12.0.4 or higher
• Oracle E-Business Suite Release 12.1.1 or higher
• Oracle E-Business Suite Release 11i 11.5.10.2 or higher
• Database Vault 11.2.0 is certified with R12
Oracle Database Vault
Install Options
• Oracle Database Vault in the EBS database
• Use a single installation of Database Vault to manage the EBS database
Install: register Database Vault with the database
Oracle Database Vault
Integration with EBS R12
Note 1091083.1
• Set database security initialization parameters
  – REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE
  – REMOTE_OS_ROLES = FALSE
  – OS_ROLES = FALSE
  – O7_DICTIONARY_ACCESSIBILITY = FALSE
  – AUDIT_SYS_OPERATIONS = TRUE
  – SQL92_SECURITY = TRUE
  – OS_AUTHENT_PREFIX = ''
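A query that checks the seven parameters above against a running instance and prints the ALTER SYSTEM statement for each one that is out of policy. This is an added example, not part of the slides or of Note 1091083.1; it assumes a user with SELECT on V$PARAMETER. All seven parameters are static, hence SCOPE = SPFILE and a restart after the change.

```sql
-- Added example (not from the slides): verify the Note 1091083.1 security
-- parameters and generate remediation for any that do not match.
-- V$PARAMETER stores names in lower case and booleans as 'TRUE'/'FALSE';
-- an empty OS_AUTHENT_PREFIX comes back as NULL, which the NVL handles.
WITH expected AS (
  SELECT 'remote_login_passwordfile'   AS name, 'EXCLUSIVE'                 AS want FROM dual UNION ALL
  SELECT 'remote_os_roles',                     'FALSE'                             FROM dual UNION ALL
  SELECT 'os_roles',                            'FALSE'                             FROM dual UNION ALL
  SELECT 'o7_dictionary_accessibility',         'FALSE'                             FROM dual UNION ALL
  SELECT 'audit_sys_operations',                'TRUE'                              FROM dual UNION ALL
  SELECT 'sql92_security',                      'TRUE'                              FROM dual UNION ALL
  SELECT 'os_authent_prefix',                   CAST(NULL AS VARCHAR2(20))          FROM dual
)
SELECT e.name,
       NVL(p.value, '<empty>') AS current_value,
       NVL(e.want,  '<empty>') AS required_value,
       CASE
         WHEN NVL(UPPER(p.value), 'X') = NVL(UPPER(e.want), 'X') THEN 'OK'
         ELSE 'FIX'
       END AS status,
       -- Remediation text for the FIX rows; only OS_AUTHENT_PREFIX takes a
       -- quoted string, the others are keywords or booleans.
       CASE
         WHEN NVL(UPPER(p.value), 'X') = NVL(UPPER(e.want), 'X') THEN NULL
         ELSE 'ALTER SYSTEM SET ' || e.name || ' = '
              || CASE WHEN e.name = 'os_authent_prefix'
                      THEN '''' || e.want || ''''
                      ELSE e.want END
              || ' SCOPE = SPFILE;'
       END AS remediation
FROM   expected e
       LEFT JOIN v$parameter p ON p.name = e.name
ORDER  BY status DESC, e.name;
```

Run it before registering Database Vault and again after the restart; a row that stays at FIX after SCOPE = SPFILE usually means the instance was started from a PFILE rather than the SPFILE.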
Oracle Database Vault
Apply R12 realm creation patches
Run scripts to create default realms that protect EBS schemas
• E-Business Suite realm
• E-Business Suite realm – applsys schema
• E-Business Suite realm – apps schema
• E-Business Suite realm – applsyspub
• E-Business Suite realm – msc
• CTXSYS data dictionary
Oracle Database Vault
Operation Impact
Each of the following touches objects inside the EBS realms and must be re-tested once Database Vault is enabled:
• Apply patches
• FNDCPASS
• Clone instance
• Use Data Pump
• Integrate with Oracle products
• RMAN and apply database patches
Oracle Database Vault
Best practices
• Document security policies
• Test rules and rule sets in non-production thoroughly
• Develop temporary or emergency (break-glass) policies
Oracle Database Vault vs VPD and OLS
• Virtual Private Database (VPD) restricts access to certain rows for a user by modifying the WHERE clause
• Oracle Label Security (OLS) mediates access to a given row, based on the label on the row and the security level of the user
• VPD and OLS restrict access at the row level; Database Vault restricts access at the object and command levels
Transparent Data Encryption
• Encrypts data in the datafiles
• Protects data if a disk drive, datafile or backup is compromised
• Users with the right privileges are unaffected: Oracle transparently decrypts the data
• It is an at-rest control only; it does nothing against an authenticated user or a compromised application account (that is Database Vault's job)
Transparent Data Encryption
• TDE column encryption – introduced in 10gR2
• TDE tablespace encryption – introduced in 11gR1
• Two-tier key architecture
  – Table or tablespace key, stored encrypted (in the data dictionary or tablespace header)
  – Unified master key, held outside the database in the Oracle wallet or an HSM, which encrypts the table/tablespace keys
Transparent Data Encryption
Implementation Steps: TDE column
• Prepare a list of columns to encrypt
• Create a wallet
• Download and apply patch 7337863
• For each column you want to encrypt, run the script to check. The script will return an ALTER TABLE command or explain why it cannot be done.
Transparent Data Encryption
Implementation Steps: TDE tablespace
• Choose the master key storage method: Oracle Wallet or Hardware Security Module
• Create new tablespaces with the ENCRYPTION parameter
• Use Data Pump export and import to move data into the new tablespace
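The column and tablespace procedures above, carried through on an 11gR2 database as an added example; this is not the EBS check script from patch 7337863 and not code from the slides. The wallet directory, password, the HR.PII_DEMO table and its columns, and the tablespace name and datafile path are placeholders. The pre-flight query reproduces the two checks a column must pass before ALTER TABLE ... ENCRYPT is attempted: an indexed column must be encrypted NO SALT, and a VARCHAR2/RAW column wider than 3932 bytes cannot be encrypted at all.

```sql
-- Added example (not from the slides): TDE column and tablespace encryption
-- on 11gR2. All names, paths and the password are hypothetical.

-- (a) sqlnet.ora on the database tier points at the wallet directory:
--     ENCRYPTION_WALLET_LOCATION =
--       (SOURCE = (METHOD = FILE)
--                 (METHOD_DATA = (DIRECTORY = /u01/app/oracle/admin/PROD/wallet)))

-- (b) One-time: create the wallet and the unified master key, then open it.
--     The wallet must be reopened after every restart unless an auto-login
--     wallet is configured; back it up separately from the RMAN backups.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "WalletPassw0rd#";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "WalletPassw0rd#";
SELECT wrl_parameter, status FROM v$encryption_wallet;   -- status should be OPEN

-- (c) Column encryption pre-flight for the hypothetical table HR.PII_DEMO.
--     Encrypted VARCHAR2/RAW values need up to 68 bytes for padding, MAC and
--     salt inside the 4000-byte limit, hence the 3932 threshold; an indexed
--     column can only be encrypted NO SALT (and then serves equality only).
SELECT c.column_name, c.data_type, c.data_length,
       CASE WHEN c.data_length > 3932 THEN 'TOO LONG: cannot encrypt' END AS length_check,
       CASE WHEN EXISTS (SELECT 1
                           FROM dba_ind_columns i
                          WHERE i.table_owner = c.owner
                            AND i.table_name  = c.table_name
                            AND i.column_name = c.column_name)
            THEN 'INDEXED: use NO SALT' END AS index_check
  FROM dba_tab_columns c
 WHERE c.owner = 'HR'
   AND c.table_name = 'PII_DEMO'
   AND c.column_name IN ('NATIONAL_IDENTIFIER', 'BANK_ACCOUNT_NUM');

-- NATIONAL_IDENTIFIER is looked up by equality through an index -> NO SALT;
-- BANK_ACCOUNT_NUM is never indexed, so keep the default salt.
ALTER TABLE hr.pii_demo MODIFY (national_identifier ENCRYPT USING 'AES256' NO SALT);
ALTER TABLE hr.pii_demo MODIFY (bank_account_num    ENCRYPT USING 'AES256');

-- (d) Tablespace encryption: create the encrypted tablespace, then move the
--     data with Data Pump (expdp, then impdp with REMAP_TABLESPACE) as the
--     slide describes. Existing datafiles are never encrypted in place.
CREATE TABLESPACE apps_ts_tx_data_enc
  DATAFILE '/u01/app/oracle/oradata/PROD/apps_ts_tx_data_enc01.dbf'
  SIZE 2G AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- (e) Verify what is actually encrypted.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns;

SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$encrypted_tablespaces e
  JOIN v$tablespace t ON t.ts# = e.ts#;
```

The verification queries are the ones to keep in a recurring check: a column that was decrypted during a patch, or a table rebuilt into an unencrypted tablespace, disappears from these views without any application-visible symptom.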
Transparent Data Encryption
Performance Impact:
• Column encryption – inserts, updates and queries that include encrypted columns may slow by up to 5%. Severe degradation is possible if inappropriate columns are chosen: an index on an encrypted (NO SALT) column serves equality lookups only, not range scans, and columns that take part in foreign key constraints cannot be encrypted at the column level.
• Tablespace encryption – performance penalty up to 10%, since every block is decrypted on read and encrypted on write.
Transparent Data Encryption
Operation Impact:
• Be sure to back up the wallet and keep it separate from the database backup; a backup set that contains the wallet can be decrypted by whoever obtains it.
• Open the wallet when restarting the database (or configure an auto-login wallet); until it is open, encrypted columns and tablespaces cannot be read.
• Column encryption
  – Patches may fail if 1) an index is added to an encrypted column, or 2) a column's length is increased beyond the 3932-byte threshold (encrypted VARCHAR2/RAW values need up to 68 bytes of overhead inside the 4000-byte limit)
  – Not supported with Streams or Logical Standby (Streams/Logical Standby with EBS?)
Oracle Data Masking
• OEM Data Masking Pack – OEM 10gR4+
• Replaces sensitive data with realistic-looking values in a non-production environment
• Protects confidential information from being disclosed to unauthorized parties
• Uses an irreversible process
Oracle Data Masking
Data Masking Pack features:
• Maintains database referential integrity when masking primary keys
• Provides an out-of-the-box data mask format library
• View sample data before masking
• Creates masking templates using the export mask definition capability
• Define once; execute multiple times
Oracle Data Masking
Data Masking Pack features:
• Masking format libraries – a collection of ready-to-use masking formats.
• Masking definitions – define a data masking operation to be implemented on one or more tables.
Format / Data Type / Sample
• SSN / Character / 111-39-9600
Oracle Data Masking
Performance Impact
• Takes advantage of built-in database optimizations:
  – Disables database logging (the masked staging copy is therefore not recoverable from redo and should be treated as disposable)
  – Runs in parallel
Oracle Data Masking
Operation Impact
Change in the cloning process:
• Prod -> Staging (mask) -> Test
• Prod -> Staging (mask and use as Test)
Recommended