Protecting Sensitive Datain the Oracle E‐Business Suite
Stephen KostChief Technology Officer
Integrigy CorporationSession #8680
Background
Speaker Company
Stephen Kost
CTO and Founder
16 years working with Oracle
12 years focused on Oracle security
DBA, Apps DBA, technical architect, IT security, …
Integrigy Corporation
Integrigy bridges the gap between databases and security
Security Design and Assessment of Oracle Databases
Security Design and Assessment of the Oracle E‐Business suite
AppSentry ‐ Security Assessment Software Tool
ControllingData Access
Sensitive DataOverview
Auditing
Q&A
Encryption
Agenda
1 2 3 4 5
ControllingData Access
Auditing
Q&A
Encryption
Agenda
2 3 4 5
Sensitive DataOverview
1
Security and Compliance Drivers
Payment Card Industry ‐ Data Security Standard (PCI‐DSS)– 12 stringent security requirementsPrivacy (National/State Regulations)– Read access to sensitive data (National Identifier and Bank Account Number)
– Regulations often specifically exclude encrypted data– California and Massachusetts data privacy lawsSarbanes‐Oxley (SOX)– Database object, structure, and configuration changes– User and privilege creation, deletion, and modification– Reports for sampling of changes to change tickets
What is Sensitive Data in Oracle EBS?
Payment Card Industry Data Security Standard (PCI‐DSS 2.0)
Credit Card NumberPrimary Account Number (PAN)
CVV/CV2/CID3 digits on the back for Visa/MC4 digits on the front for AMEX
Magnetic Stripe Data (very rare)
State PrivacyRegulations(employees, customers,Vendors)
First and last namePlus one of the following:
Social security numberCredit card numberBank account numberFinancial account numberDriver license or state ID number
HIPAAPrivacy Standard/Rule
First and last namePlus one of the following (Protected Health Information)
“the past, present, or future physical or mental health, or condition of an individual”“provision of health care to an individual”“payment for the provision of health care to an individual”
Where is Sensitive Data in Oracle EBS?
Credit Card Data
iby_security_segments (encrypted)ap_bank_accounts_alloe_order_headers_allaso_paymentsoks_k_headers_*oks_k_lines_*iby_trxn_summaries_alliby_credit_card
Social Security Number(National Identifier)(Tax ID)
per_all_people_fhr_h2pi_employeesben_reportingap_suppliersap_suppliers_intpo_vendors_obs
Bank Account Numberap_checks_allap_invoice_payments_allap_selected_invoice_checks_all
Protected Health Information (PHI)
Order ManagementAccounts ReceivablesHuman Resources
Where else might be Sensitive Data?
Custom tables– Customizations may be used to store or process sensitive data“Maintenance tables”– DBA copies tables to make backup prior to direct SQL update– hr.per_all_people_f_011510Interface tables– Credit card numbers are often accepted in external applications and
sent to Oracle EBSInterface files– Flat files used for interfaces or batch processingLog files– Log files generated by the application (e.g., iPayment)Oracle EBS Flexfields– It happens – very hard to find
Integrigy Data Protection by Option
Data Access Method and ThreatsOptions
1EBS
Encrypt
2TriggerView
3Oracle TDE
4aFGAC
4bInternal Audit
4cExternal Audit
3 + 4TDE +
Auditing
Application access by end‐users (responsibility) E E C A A A
Application access by application administrators E E C A A A
Database access by DBA E E C A~ A A
Database access by Applications DBA (SYSTEM, APPS) E~ E~ A~ A~ A~
Database access by other database accounts E E C A A A
Operating system access to database data files E E E E
On‐line or off‐line access to database backups E E E E
Exploitation of Oracle Applications security vulnerabilities E~ E~ C~ A~ A~ A~
Exploitation of Oracle Database security vulnerabilities E~ E~ C~ A~ A~ A~
Exploitation of operating system security vulnerabilities E E E E
E = Encrypted, C = Access Controlled, A = Access Audited, ~ = Mostly
ControllingData Access
Sensitive DataOverview
Auditing
Q&A
Agenda
1 3 4 5Encryption
2
Types of EncryptionStorage (Data at rest)– Encryption of data at rest such as when stored in files or on media
Access (Data in use)– Encryption of data with access permitted only to a subset of users in order to enforce segregation of duties
Network (Data in motion)– Encryption of data when transferred between two systems– Not in scope of this analysis
Native EBS Encryption(Credit Card Numbers)
Oracle EBS Encryption SolutionsPatch 2809786 – “Encryption of Credit Card Numbers in Oracle EBS”– General Patch Release October 2006– Significant modification to application – 64 packages, 60 web pages, and
18 formsOracle Transparent Data Encryption (TDE)– Encrypts data at the file level ‐‐ always unencrypted for a database
session– Only provides protection in case database file is stolen or backup tape is
lost– Part of extra‐cost Advanced Security Option (ASO)Custom Encryption Customization– Use native Oracle database encryption packages (DBMS_CRYPTO)– Use Oracle E‐Business Suite encryption packages (FND_VAULT)Third‐party encryption solutions– File/disk level encryption– View/trigger encryption
Oracle Credit Card Encryption (no TDE)
Use the Oracle E‐Business Suite encryption– Application‐level encryption– Better solution than other technologies such as Oracle Transparent Data Encryption (TDE)
Metalink Note ID 338756.1, Patch 4607647– Consolidates card numbers into IBY_SECURITY_SEGMENTS table
– Encrypts card numbers in IBY_SECURITY_SEGMENTS– Uniform masking of card numbers– Significant functional pre‐requisites (11.5.10.2)
iStore
OracleMgmt AR
Collections
iPayment
ap_bank_accounts_all
oe_order_headers_all
Not pictured:Internet Expenses (AP) – R12Lease Management (AP) – same as ARStudent System (IGS) – IGS patch
OracleCapture
ServiceContracts
aso_paymentsoks_k_headers_*oks_k_lines_*
iby_trxn_summaries_alliby_credit_card
iby_security_segments
Oracle Credit Card Encryption Design
Transparent Data Encryption (TDE)
What is TDE?
Transparent database encryption– Requires no application code or database structure changes to implement
– Only major change to database function is the Oracle Wallet must be opened during database startup
– Add‐on feature licensed with Advanced Security OptionLimited to encrypting only certain columns– Cannot be a foreign key or used in another database constraint
– Only simple data types like number, varchar, date, …– Less than 3,932 bytes in length
What does TDE do and not do?
TDE only encrypts “data at rest”TDE protects data if following is stolen or lost ‐– disk drive– database file– backup tape of the database filesAn authenticated database user sees no changeDoes TDE meet legal requirements for encryption?– California SB1386, Payment Card Industry Data Security
– Ask your legal department
Column vs. Tablespace Encryption
Column encryption– Fairly straight forward for simple cases such as NATIONAL_IDENTIFIER in HR.PER_ALL_PEOPLE_F
– Encryption done in place using ALTER TABLE– Do not use SALT for Oracle EBS columns
Tablespace encryption– Tablespace encryption only supported in 11g for 11i/R12– Tablespace must be exported and imported to implement encryption
– OATM uses large tablespaces (APPS_TS_TX_DATA)– Data NOT encrypted in SGA
Performance Considerations
Impact is limited to CPU performance– Data must be encrypted and decrypted– Highly dependent on access patterns to dataNo disk I/O read or write impact– Change is not significantColumn Encryption– 5% to 20% CPU performance impact for several customers
Tablespace Encryption– 10% to 15% CPU performance impact for one customer
Performance Considerations
1. Range scan (between/like) on indexed column– where a.birth_date between start_date and end_date– Index will not be used – full table scan
2. Join on encrypted columns– where a.ssn = b.ssn– Encryption key is unique for each table– Full table scan of both tables– All values in both tables decrypted
Implementation Process
Identify sensitive columns– Manual search design document review– Data dictionary searches (i.e., column name = CCNUM)
– Third‐party tools to sample rowsDetermine if column level encryption or tablespace encryption based on version, limitationsFollow steps in Metalink Notes– 11i = 403294.1 or R12 = 732764.1
TDE and EBS Best Practices
Ensure wallet is not backed up with the db filesProtect the wallet– Backup the wallet– File permissionsWhen encrypting large volumes of data, should create a new tablespace and shred the old one– Unencrypted data may remain in tablespace blocksMix and match column and tablespace encryption– Column for standard tables and tablespace for customAvoid using PKI Certificates for master key
Oracle EBS and TDE Specifics
EBS has a SQL script to validate column and generate necessary ALTER TABLE statement
– $FND_TOP/sql/aftdeval.sql– 11i = 5693160, R12 = 7337863
Output
ALTER TABLE HR.PER_ALL_PEOPLE_F modify (NATIONAL_IDENTIFIER encrypt no salt);
Sensitive DataOverview
Auditing
Q&A
Encryption
Agenda
1 2 4 53
ControllingData Access
Access to Sensitive DataDatabase access is a key problem– APPS_READ All data duplicated in development and test databases– Data not always scrambled in non‐production databaseLimited data encryption capabilities– No third‐party encryption solutions work effectively– Oracle EBS only natively encrypts credit card numbers– Need to encrypt sensitive data on backup mediaData and transaction retention policy – Oracle EBS is “data in” for life– Seldom data is purged or archived unless for performance– PCI Compliance = 1 to 2 years recommended retention
Sensitive Data Access Risks
Sensitive data accessible in test & development– All sensitive data must be scrambled in all non production databases
– Must periodically review database for instances of non‐scrambled data as often in custom, interface, and temporary tables
Access to sensitive data by generic accounts– Granularity of database privileges, complexity of data model, and number of tables/views make it difficult to create limited privilege database accounts
– Must use individual database accounts with roles limiting access to data along with other security
Privileges and Access in Oracle EBSMany generic and privileged accounts in application and database– Database ‐ APPS, SYS, SYSTEM, APPLSYS, …– Application – SYSADMIN, GUEST– DBAs must use generic accounts for many maintenance activities– Generic application accounts used for scheduling key batch processes– Database access is a key problem (Again)Generic accounts are often used for ad‐hoc database access– APPS_READLimited auditing and control over the use of generic accounts– No auditing is enabled by default in database or application– Auditing on transactions often a major performance impact
Database Vaultwith Oracle E‐Business Suite
What is Database Vault?
Powerful protection– Data protection realms– Control by IP address, time, etc.– Control SQL commands and other database operations
Provides segregation of duties between DBA and security administratorAdd‐on option licensed separately
Database Vault and EBS Scenarios
Protect some DBAs from application data– No protection for the SYSTEM, APPS, CTXSYS, or Oracle EBS module schema accounts
– Named, non‐application database accounts must be used for this level of protection – can be granted DBA role
Server/Database Consolidation– Multiple applications running in Oracle E‐Business Suite database (against best practice)
– DBAs for other applications cannot access EBS data
Default Oracle EBS Realms
Realm Name What is Protected? Who is authorized to access?
EBS RealmAll tables in Oracle E‐Business Suite 11i Product Schemas
All Oracle E‐Business Suite 11i Product Schemas, and APPS, APPLSYS, SYSTEM, CTXSYS
EBS Realm ‐ ApplsysSchema
Most tables in the APPLSYS Schema APPS, APPLSYS, SYSTEM and CTXSYS
EBS Realm ‐ Apps SchemaAll objects in the APPS Schema (except the views)
APPS, APPLSYS, SYSTEM, CTXSYS and All product schemas, that uses intermedia indexes
EBS Realm ‐ ApplsyspubSchema
Objects required for EBS authorizationAPPS, APPLSYS, SYSTEM, APPLSYSPUB and CTXSYS
EBS Realm ‐MSC SchemaTables in the MSC Schema ‐ except those that require partitions to be exchanged
APPS, APPLSYS, SYSTEM, CTXSYS and MSC
CTXSYS Data Dictionary Objects in the CTXSYS SchemaAll Oracle E‐Business Suite 11i Product Schemas and APPS, APPLSYS, SYSTEM
Source: Oracle Metalink Note ID 428503.1
Database Vault Implementation
1. Install Database Vault option and database patches
– May need to upgrade database– Need to check database initialization parameters
2. Create EBS realms– A number of manual steps required– Follow manual setups for enabling patching
3. Struggle to integrate custom users– Need to identify and review all custom user and
programs accessing the database
Oracle E‐Business Suite Requirements
Oracle E‐Business Suite – 11.5.10 CU2– 12.0– 12.1Oracle Database – 10.2.0.3 (Linux x86, IBM AIX only)– 10.2.0.4– 1.1.0.711.5.10 CU2 on 10.2.0.4 required 12 additional patches
DV and EBS Best Practices
Ensure all pre‐requisite DB patches are applied– 20+ Database and DV bugs need to be fixed
For custom code there are two options –1. Use custom realms and only provide access to
required objects2. Register as an application and database schema
in EBS and will use the EBS realms
Database Vault Useful Scriptsfnddbvebs.sql
– Creates the standard Oracle E‐Business suite 11i realms – use as template for custom realm creation
fnddbvuser.sql– Adds or removes realm authorization in Oracle E‐Business Suite 11i realms
fnddbvstatus.sql– Use to enable or disable realms during testing
fnddbvpatch.sql– Enables or disables Oracle Database Vault triggers – used to be used during patching – no longer needed
fnddbvpatch2.sql– Update command rule for grant on DBMS_RLS. Must be run as the DV Owner.
fnddbvpatch3.sql– Grants or revokes DV_ACCTMGR role from SYSTEM. Must be run by a user with the DV_ACCTMGR role.
check_enabled_using_dv_control.sql– Check to see if the command rule modified by fnddbvpatch2.sql is in production mode
check_enabled_using_sysdba.sql– Check to see if the database is in Production mode with Database Vault enabled. Reports any discrepancies found.
EBS and DV Metalink Notes
11i and 10.2.0.3 = 744172.111i and 10.2.0.4 = 428503.111i and 11.1.0.7 = 859399.1R12 and 10.2.0.4 = 566841.1R12 and 11.1.0.7 = 859397.1
Sensitive DataOverview Q&A
Encryption
Agenda
1 2 3 5
ControllingData Access
4Auditing
Auditing Access to Sensitive Data
Encryption may not be possible– TDE is not sufficient or too costly
Sensitive Data access is required– DBAs must use the APPS
Auditing should be used to mitigate risk– Accurate and reliable audit trail of access
Auditing Access to Sensitive Data
Native audit trail in Oracle Database and Oracle EBS can be accessed and manipulated by the DBA– SYSLOG auditing can be used to protect native database audit trail – DBA can disable it
External auditing solution required– Protect audit trail in external database/appliance– Provide reporting and archiving of audit data
Integrigy Data Protection by Option
Data Access Method and ThreatsOptions
1Appl
Encrypt
2TriggerView
3Oracle TDE
4aFGAC
4bInternal Audit
4cExternal Audit
3 + 4TDE +
Auditing
Application access by end‐users (responsibility) E E C A A A
Application access by application administrators E E C A A A
Database access by DBA E E C A~ A A
Database access by Applications DBA (SYSTEM, APPS) E~ E~ A~ A~ A~
Database access by other database accounts E E C A A A
Operating system access to database data files E E E E
On‐line or off‐line access to database backups E E E E
Exploitation of Oracle Applications security vulnerabilities E~ E~ C~ A~ A~ A~
Exploitation of Oracle Database security vulnerabilities E~ E~ C~ A~ A~ A~
Exploitation of operating system security vulnerabilities E E E E
E = Encrypted, C = Access Controlled, A = Access Audited, ~ = Mostly
Sensitive DataOverview
AuditingEncryption
Agenda
1 2 3 4
ControllingData Access Q&A
5
Integrigy Sessions
Securing the Oracle E‐Business Suite Best Practices PanelOAUG Session #4967Monday, April 113:45pm – 4:45pm
IOUG Security Bootcamp: Real‐life Database Security MistakesIOUG Session #1573Tuesday, April 129:15am – 10:15am
Credit Cards and Oracle: How to Comply with PCI‐DSSIOUG Session #1718Tuesday, April 1211:45am – 12:12pm
Real‐life Oracle E‐Business Suite Security MistakesOAUG Session #8387Wednesday, April 132:15pm – 3:15pm
Copyright © 2011 Integrigy Corporation. All rights reserved.
www.integrigy.com
For information on ‐Oracle Database SecurityOracle E‐Business Suite SecurityOracle Critical Patch UpdatesOracle Security Blog
Stephen KostChief Technology OfficerIntegrigy Corporation
e‐mail: [email protected]: integrigy.com/oracle‐security‐blog
Protecting Sensitive Data in the Oracle EBS Session #8680