Delivering Oracle Success

Safeguard Sensitive Data in EBS:A Look at Oracle Database Vault, Transparent Data Encryption, and

Data Masking

Lucy Feng

RMOUG Training DaysFebruary 2012

© DBAK 2012 2

About DBAKOracle Solution Provider and License ResellerCore Technology and EBS ApplicationsColorado Owned and OperatedAverage 15 Years of Oracle Expertise “Top 250 Private Companies, 2011” – CoBIZ Magazine “Emerging Business of the Year, 2008” – South Metro Denver Chamber of Commerce100+ Clients170+ Implementations, Upgrades, Conversions, Support ProjectsOracle Gold PartnerOEM “Specialized”

© DBAK 2012 3

Agenda

Overview of security challengeIdentifying EBS sensitive dataOracle security features – Database Vault, TDE and Data Masking• Overview• Integration with EBS R12• Impact

© DBAK 2012 4

Information Protection and Control

Motivators• Data loss incidents• Government and industry regulations• Outsourcing• Cloud Sourcing

© DBAK 2012 5

Oracle EBS Sensitive Data Samples

Order ManagementAccounts ReceivablesHuman Resources

Protected Health Information

ap_checks_allap_invoice_payments_allap_selected_invoice_checks_all

Bank Account Number

per_all_people_fhr_h2pi_employeesben_reportingap_suppliersap_suppliers_intpo_vendors_obs

Social Security Number

iby_security_segments oks_k_lines_*ap_bank_accounts_all iby_trxn_summaries_alloe_order_headers_all iby_credit_cardaso_paymentsoks_k_headers_*

Credit Card Data

© DBAK 2012 6

Oracle EBS Sensitive DataTake inventory of sensitive and confidential data contained in• Oracle and custom tables• Interface table and files• Log files

Create a matrix of who can access what data

© DBAK 2012 7

Preemption Is the Best StrategyEncryption and Masking• Advanced Security• Secure Backup• Data Masking

Access Control• Database Vault• Label Security

Monitoring and Auditing• Configuration Management• Audit Vault• Total Recall

© DBAK 2012 8

Oracle Security OfferingsPre-certified with Oracle E-Business Suite

Database VaultTransparent Data EncryptionData Masking

© DBAK 2012 9

License Requirement

Oracle Enterprise Manager Data Masking Pack license

Oracle Data Masking

Oracle Advanced Security licenseTDE

Oracle Label Security licenseOracle Database Vault

© DBAK 2012 10

Oracle Database VaultRestricts access to specific areas in a database from users, including users with administrative access. Provides preventive controlsIncreases security transparently

© DBAK 2012 11

Oracle Database Vault

Out-of-the-box least privilege controls that separate out administrative actions.

separation-of-duty

Environment parameters (IP address, authentication method) that can be used with command rules and realms to create trusted paths, defining who, when, where and how data is accesses.

factors

Security rules that control the execution of database commands.command rules

Boundaries within the database that act like a firewall to prevent privileged users from using special privileges (select any table, etc) to access data.

realms

DescriptionFeature

© DBAK 2012 12

Oracle Database Vault Separation of Duty

noneTraditional DBA tasksSYSDBAResource Administrator

DBA can no longer grant/revoke DBA roles nor access DVSYS schema

Set up realms, command rules, authorize other users to use them, and execute various security reports

DV_OWNERDV_ADMIN

Security Administrator

DBA can no longer manage users

User account management responsibility that can create, drop or modify database users

DV_ACCTMGRAccount Management

ChangeDescriptionRolesResponsibility

© DBAK 2012 13

Oracle Database Vault Policy Examples

DBA views HR data protected by an HR realm => Blocked by realmPower user queries customer information through SQL*Plus=>Blocked by rules/factors that only allow access from application server.

© DBAK 2012 14

Oracle Database VaultGUI for administrating, monitoring and reporting• Database Vault Administrator (DVA)• OEM Database Control• OEM Grid Control

PL/SQL API

© DBAK 2012 15

Oracle Database Vault

© DBAK 2012 16

Oracle Database VaultMetalink note 428403.1Prerequisites• Oracle E-Business Suite Release 12.0.4 or higher • Oracle E-Business Suite Release 12.1.1 or higher• Oracle E-Business Suite Release 11i 11.5.10.2 or

higher• Database Vault 11.2.0 is certified with R12

© DBAK 2012 17

Oracle Database VaultInstall Options• Oracle Database Vault in the EBS database• Use a single installation of Database Vault to manage

the EBS databaseInstall Register Database Vault with the database

© DBAK 2012 18

Oracle Database VaultIntegration with EBS R12

Note 1091083.1• Set database security initilization parameters

– REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE– REMOTE_OS_ROLES = FALSE– OS_ROLES = FALSE– O7_DICTIONARY_ACCESSIBILITY = FALSE – AUDIT_SYS_OPERATIONS = TRUE– SQL92_SECURITY = TRUE– OS_AUTHENT_PREFIX = ''

© DBAK 2012 19

Oracle Database VaultApply R12 realm creation patchesRun scripts to create default realms that protect EBS Schemas• E-Business Suite realm• E-Business Suite realm – applsys schema• E-Business Suite realm – apps schema• E-Business Suite realm – applsyspub• E-Business Suite realm – msc• CTXSYS data dictionary

© DBAK 2012 20

Oracle Database VaultOperation Impact• Apply patches• FNDCPASS• Clone instance• Use Data Pump• Intergrate with Oracle products• RMAN and apply database patches

© DBAK 2012 21

Oracle Database VaultPerformance ImpactRealms – minimal performance impact

© DBAK 2012 22

Oracle Database VaultBest practices• Document security policies• Test rules and rule sets in non-production thoroughly• Develop temporary or emergency policies

© DBAK 2012 23

Oracle Database Vault vsVPD and OLS

Virtual Private Database (VPD) restricts access to certain rows for a user by modifying the where clauseOracle Label Security (OLS) mediates access to a given row, based on the label on the row and the security level of the userVPD and OLS restrict access at the row level. Database Vault restricts access at the object and command levels.

© DBAK 2012 24

Transparent Data EncryptionEncrypts data in the datafilesProtects data in case disk drive, datafiles or backup are compromisedUsers with the right privileges are unaffected – Oracle transparently decrypts data

© DBAK 2012 25

Transparent Data EncryptionTDE column encryption – introduced in 10GR2 TDE tablespace encryption – introduced in 11GR1 Two-tier key architecture• Table or Tablespace key• Unified master key

© DBAK 2012 26

Transparent Data EncryptionImplementation Steps:TDE column• Prepare a list of columns to encrypt• Create a wallet• Download and apply patch 7337863• For each column you want to encrypt, run script to

check. The script will return an alter table command or explain why it cannot be done.

© DBAK 2012 27

Transparent Data EncryptionImplementation Steps:TDE tablespace• Choose master key storage method: Oracle Wallet or

Hardware Security Module• Create new tablespaces with encrypt parameter. • Use data pump export and import to move data to new

tablespace.

© DBAK 2012 28

Transparent Data EncryptionPerformance Impact:• Column encryption – inserts, updates and queries that

include encrypted columns may decrease by up to 5%. Severe degradation is possible if inappropriate columns are chose.

• Tablespace encryption – performance penalty up to 10%

© DBAK 2012 29

Transparent Data EncryptionOperation Impact:• Be sure to back up wallet – keep it separate from

database backup• Open the wallet when restarting database• Column encryption

– Patches may fail if 1) an index is added to an encrypted column; 2) a column increasing in length beyond the threshold (3932)

– Not supported with Streams or Logical Standby (streams/LS with EBS?)

© DBAK 2012 30

Oracle Data MaskingOEM Data Masking Pack –OEM 10gR4+Replaces sensitive data with realistic-looking values in a non-production environmentProtects confidential information from being disclosed to unauthorized partiesUses an irreversible process

© DBAK 2012 31

Oracle Data MaskingData Masking Pack features:• Maintains database referential integrity when masking

primary keys• Provides out-of-the-box data mask format library• View sample data before masking• Creates masking templates using the export mask

definition capability• Define once; execute multiple times

© DBAK 2012 32

Oracle Data MaskingData Masking Pack features:• Masking format libraries – a collection of ready-to-use

masking formats.

• Masking definitions – defines a data masking operation to be implemented on one or more tables.

111-39-9600CharacterSSN

SampleData TypeFormat

© DBAK 2012 33

Data Masking Workflow

© DBAK 2012 34

Oracle Data MaskingPerformance Impact• Takes advantage of built-in database optimizations:

– Disables database logging– Runs in parallel

© DBAK 2012 35

Oracle Data MaskingOperation ImpactChange in cloning process:• Prod -> Staging (mask) ->Test• Prod -> Staging (mask and use as test)

© DBAK 2012 36

OEM Data Masking vsApplication Management Pack for EBS

© DBAK 2012 37

Questions

© DBAK 2012 38

Contact

Lucy Feng720.475-8600

lfeng@dbaknow.com

Presentation available at:www.dbaknow.com/downloads

www.dbaknow.com