Delivering Oracle Success
Safeguard Sensitive Data
A look at Oracle Database Vault, Transparent Data Encryption and Oracle Data Masking
Lucy Feng
December 13, 2011
© DBAK 2011 2
Agenda
Motivators for Security Investment
Identify Sensitive Data
Oracle Security Offerings
• Overview
• High-level implementation steps
• Performance and operational impact
Information Protection and Control
Business Drivers
• Data loss incidents
• Data is an enterprise asset
• Government and industry regulations
– Sarbanes-Oxley
– Payment Card Industry – Data Security Standard (PCI-DSS)
– Health Insurance Portability and Accountability Act (HIPAA)
• Outsourcing
• Cloud Sourcing
Identify Sensitive Data
Determine what constitutes sensitive data
Find and catalog sensitive data
• Review design and data modeling documents
• Search data dictionary
• Use tools to sample data
Identify Sensitive Data
http://etrm.oracle.com/pls/et1211d9/etrm_search.search
Identify Sensitive Data
Oracle Data Masking Pack – Data Finder tool
Define pattern match rules
• Table name: EMP
• Column name: SSN
• Data format: ###-##-####
Search against selected database
Generate Data Finder reports
Add fields to data privacy catalog
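Added example (not from the original slides, and not the Data Finder tool itself): a PL/SQL block that carries out the "search data dictionary" and "sample data" steps by hand, flagging character columns whose name or sampled values match the SSN rule above. The schema name HR, the name pattern SSN|SOCIAL and the 1000-row sample size are assumptions.

```sql
-- Added example. Assumptions: schema HR, first 1000 rows sampled per table.
-- Run as a user with SELECT on the DBA_* views and on the scanned tables.
SET SERVEROUTPUT ON
DECLARE
  -- Data format ###-##-#### from the rule above, as an anchored regular expression
  c_ssn_format CONSTANT VARCHAR2(40) := '^[0-9]{3}-[0-9]{2}-[0-9]{4}$';
  c_schema     CONSTANT VARCHAR2(30) := 'HR';   -- assumed schema name
  c_sample     CONSTANT PLS_INTEGER  := 1000;   -- assumed sample size
  v_hits       PLS_INTEGER;
  v_name_match VARCHAR2(1);
BEGIN
  FOR col IN (
    SELECT c.owner, c.table_name, c.column_name
    FROM   dba_tab_columns c
    JOIN   dba_tables t ON t.owner = c.owner AND t.table_name = c.table_name
    WHERE  c.owner = c_schema
    AND    c.data_type IN ('CHAR', 'VARCHAR2')
    AND    c.data_length >= 11                  -- room for ###-##-####
    ORDER  BY c.table_name, c.column_id
  ) LOOP
    -- Identifiers come from the dictionary but are still quoted before concatenation;
    -- RTRIM removes the blank padding of CHAR columns before the format test.
    EXECUTE IMMEDIATE
      'SELECT COUNT(*) FROM (SELECT ' ||
      DBMS_ASSERT.ENQUOTE_NAME(col.column_name, FALSE) || ' AS v FROM ' ||
      DBMS_ASSERT.ENQUOTE_NAME(col.owner, FALSE) || '.' ||
      DBMS_ASSERT.ENQUOTE_NAME(col.table_name, FALSE) ||
      ' WHERE ROWNUM <= :n) WHERE REGEXP_LIKE(RTRIM(v), :fmt)'
      INTO v_hits USING c_sample, c_ssn_format;

    -- Column-name rule (assumed pattern), independent of the data-format rule
    v_name_match := CASE WHEN REGEXP_LIKE(col.column_name, 'SSN|SOCIAL')
                         THEN 'Y' ELSE 'N' END;

    IF v_hits > 0 OR v_name_match = 'Y' THEN
      DBMS_OUTPUT.PUT_LINE(col.owner || '.' || col.table_name || '.' ||
        col.column_name || '  name_match=' || v_name_match ||
        '  format_hits_in_sample=' || v_hits);
    END IF;
  END LOOP;
END;
/
```

Columns reported with format hits but no name match are the ones a name-only dictionary search would miss.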
Preemption Is the Best Strategy
Encryption and Masking
• Advanced Security
• Secure Backup
• Data Masking
Access Control
• Database Vault
• Label Security
Monitoring and Auditing
• Configuration Management
• Audit Vault
• Total Recall
Oracle Security Offerings
Database Vault
Transparent Data Encryption
Data Masking
License Requirement
Oracle Data Masking: Oracle Enterprise Manager Data Masking Pack license
TDE: Oracle Advanced Security license (which also includes Network Encryption and Strong Authentication)
Oracle Database Vault: Oracle Database Vault option license. Implicitly installs Oracle Label Security. No additional license for Oracle Label Security required.
What is Oracle Database Vault
Database security option that
• Protects data from DBA or privileged user access
• Enforces protection of database structures from unauthorized change
• Sets robust access controls to implement security requirements
Oracle Database Vault
Feature | Description
realms | Boundaries within the database that act like a firewall to prevent privileged users from using special privileges (select any table, etc.) to access data.
command rules | Security rules that control the execution of database commands.
factors | Environment parameters (IP address, authentication method) that can be used with command rules and realms to create trusted paths, defining who, when, where and how data is accessed.
separation-of-duty | Out-of-the-box least privilege controls that separate out administrative actions.
Oracle Database Vault Separation of Duty
Responsibility | Roles | Description | Change
Account Management | DV_ACCTMGR | User account management responsibility that can create, drop or modify database users | DBA can no longer manage users
Security Administrator | DV_OWNER, DV_ADMIN | Set up realms, command rules, authorize other users to use them, and execute various security reports. Cannot see data protected by a realm. | DBA can no longer grant/revoke DBA roles nor access DVSYS schema
Resource Administrator | SYSDBA | Traditional DBA tasks |
Oracle Database Vault
Database Vault Value-Add
Restrict DBA or privileged user access
• Outsource backend operations without losing control of data
• Prevents hackers from stealing data with a compromised privileged account
Enable preventative control
Implement a variety of access controls
Provide out-of-box separation of duty policy
Oracle Database Vault Policy Examples
DBA views HR data protected by an HR realm => Blocked by realm
Power user queries customer information through SQL*Plus from a desktop => Blocked by rules/factors that only allow access from application server.
Oracle Database Vault
GUI for administrating, monitoring and reporting
• Database Vault Administrator (DVA)
• Database Control
• OEM Grid Control
PL/SQL API
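Added example (not from the original slides): the two policy examples shown earlier, expressed through the PL/SQL API with the DBMS_MACADM package. The schemas HR and SALES, the application account HR_APP and the application server address 192.0.2.10 are assumptions; the rule relies on the default Client_IP factor.

```sql
-- Added example. Assumed names: schemas HR and SALES, account HR_APP,
-- application server 192.0.2.10. Run as a user with DV_OWNER or DV_ADMIN.
BEGIN
  -- Policy 1: HR realm. Access through system ANY privileges (for example
  -- SELECT ANY TABLE held by a DBA) is blocked unless the account is authorized.
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'HR Realm',
    description   => 'Protects all objects in the HR schema',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);  -- targeted: violations only
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'HR Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'HR Realm',
    grantee       => 'HR_APP',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);

  -- Policy 2: SELECT on SALES objects succeeds only from the application server.
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From Application Server',
    rule_expr => 'DVF.F$CLIENT_IP = ''192.0.2.10''');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'Application Server Access',
    description     => 'True only for sessions from the application server',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Access allowed only from the application server',
    fail_code       => 20461,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'Application Server Access',
    rule_name     => 'From Application Server');
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'SELECT',
    rule_set_name => 'Application Server Access',
    object_owner  => 'SALES',
    object_name   => '%',
    enabled       => DBMS_MACUTL.G_YES);
END;
/
```

The command rule applies to every account, including the application's own, so it belongs in the non-production rule testing the best-practices slide calls for before it is enabled in production.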
Oracle Database Vault
Prerequisites
• Database 11g or higher
• Database 10g Release 2
Certified with all major Oracle applications
Oracle Database Vault
Install
11g – from RDBMS install kit
10gR2 – from Database Vault install media
Turn on the Database Vault option for the Oracle Home
• Oracle home cannot contain ASM instance
• DV enabled database cannot coexist with non-DV enabled databases
Enable
11g – dbca GUI or command line
10gR2 – dvca
Oracle Database Vault
Operation Impact
• Apply patches
– system should be granted dv_acctmgr role if a patch creates new schemas for new products.
• Use Data Pump
– participant of the data dictionary realm; grant import user dv_acctmgr role if the schema doesn’t exist in the target
• Integrate with Oracle or third-party products
Oracle Database Vault
Performance Impact
• Realms
– DDL and DML on realm-protected objects do not have a measurable effect on performance.
– Auditing affects performance. Use targeted auditing instead of auditing all operations.
• Rules and Rule Sets
– The more complex the rules, the more performance overhead.
• Factors
– For factors that are evaluated by session, DV performs the check during session initialization and caches the results. The resources used by a large number of users could affect performance.
Oracle Database Vault
Best practices
• Document security policies
• Test rules and rule sets in non-production thoroughly
• Develop temporary or emergency policies
Oracle Database Vault vs VPD and OLS
Virtual Private Database (VPD) restricts access to certain rows for a user by modifying the where clause.
Oracle Label Security (OLS) mediates access to a given row, based on the label on the row and the security level of the user.
VPD and OLS restrict access at the row level. Database Vault restricts access at the object and command levels.
Transparent Data Encryption
Encrypts data in the datafiles
Protects data in case disk drive, datafiles or backup are compromised
• To comply with the PCI-DSS standard, credit card numbers need to be stored encrypted
Users with the right privileges are unaffected – Oracle transparently decrypts data
Transparent Data Encryption
TDE column encryption – introduced in 10gR2
TDE tablespace encryption – introduced in 11gR1
Two-tier key architecture
• Table or Tablespace key
• Unified master key
Transparent Data Encryption
Data traveling to and from a database over SQL*Net is not encrypted. Need Oracle network encryption solution.
TDE column encryption – data remains encrypted inside SGA.
TDE tablespace encryption – not encrypted in SGA.
Transparent Data Encryption
Summary Implementation Steps
TDE column
• Prepare a list of columns to encrypt
• Set a wallet location and generate a master key
• Create a new table with encrypted column
sql>create table test(col1 number, col2 varchar2(100) encrypt using 'AES256' NO SALT);
• Encrypt column of an existing table
sql>alter table test modify( col2 encrypt SALT);
• Use Online Table Redefinition if access to table is needed.
Transparent Data Encryption
Summary Implementation Steps
TDE tablespace
• Choose master key storage method: Oracle Wallet or Hardware Security Module
• Set a wallet location and generate a master key
• Create new tablespaces with encrypt parameter
CREATE TABLESPACE encryptedtbs
DATAFILE '/u01/app/oracle/oradata/d1v11201/encryptedtbs01.dbf' SIZE 100M
ENCRYPTION USING 'AES256'
DEFAULT STORAGE(ENCRYPT);
• Use data pump export and import to move data to new tablespace.
Transparent Data Encryption
Performance impact related to
CPU overhead from encrypt/decrypt operations
• Column encryption – inserts, updates and queries that include encrypted columns may decrease performance by 5%.
• Tablespace encryption – performance penalty in single digit
Operations not possible due to TDE
• Column encryption – Index range scans not possible
• Tablespace encryption – when full table scan, entire table has to be decrypted
Transparent Data Encryption
Use tablespace encryption when
• all columns with sensitive data cannot be located
• data type and/or data length not supported by column encryption
• column is used as foreign key
• range scans over indexed, encrypted columns are needed
• index types other than B-tree over encrypted columns are needed
Use column encryption when
• Table is heavily accessed with FTS plans
Transparent Data Encryption
Operation Impact:
• Be sure to back up wallet – keep it separate from database backup
• Open the wallet when restarting database
• Column encryption
– Patches may fail if 1) an index is added to an encrypted column; 2) a column increases in length beyond the threshold (3932)
– Not supported with Streams or Logical Standby
– Storage overhead
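Added example (not from the original slides): the "set a wallet location and generate a master key" step from the implementation slides and the "open the wallet when restarting database" step above, written for an 11g database, followed by dictionary checks that confirm what is actually encrypted. The wallet directory, the password and the catalog entry HR.EMP.SSN are placeholders.

```sql
-- Added example for an 11g database; <wallet_directory> and <wallet_password>
-- are placeholders. sqlnet.ora entry (not SQL) read by the statements below:
--   ENCRYPTION_WALLET_LOCATION =
--     (SOURCE = (METHOD = FILE) (METHOD_DATA = (DIRECTORY = <wallet_directory>)))

-- One time: creates the wallet if it does not exist and generates the master key
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet_password>";

-- After every instance restart: encrypted data stays unreadable until this runs
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet_password>";

-- Check 1: wallet location and status (expect OPEN)
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;

-- Check 2: columns under TDE column encryption, with algorithm and salt setting
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
ORDER  BY owner, table_name, column_name;

-- Check 3: tablespaces under TDE tablespace encryption
SELECT tablespace_name, encrypted FROM dba_tablespaces ORDER BY tablespace_name;

-- Check 4: cataloged sensitive columns covered by neither method.
-- ('HR','EMP','SSN') stands in for the site's own sensitive-data catalog.
-- Partitioned tables have no tablespace in DBA_TABLES and need a separate check.
SELECT c.owner, c.table_name, c.column_name
FROM   dba_tab_columns c
JOIN   dba_tables t       ON t.owner = c.owner AND t.table_name = c.table_name
JOIN   dba_tablespaces ts ON ts.tablespace_name = t.tablespace_name
WHERE  (c.owner, c.table_name, c.column_name) IN (('HR', 'EMP', 'SSN'))
AND    ts.encrypted = 'NO'
AND    NOT EXISTS (SELECT 1
                   FROM   dba_encrypted_columns e
                   WHERE  e.owner = c.owner
                   AND    e.table_name = c.table_name
                   AND    e.column_name = c.column_name);
```

Any row returned by the last query is a sensitive column still stored in clear text in the datafiles.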
Oracle Data Masking
OEM Data Masking Pack – OEM 10gR4+
Replaces sensitive data with realistic-looking values in a non-production environment
Protects confidential information from being disclosed to unauthorized parties
Uses an irreversible process
Oracle Data Masking
Data Masking Pack features:
• Maintains database referential integrity when masking primary keys
• Provides out-of-the-box data mask format library
• View sample data before masking
• Creates masking templates using the export mask definition capability
• Define once; execute multiple times
• Supports heterogeneous databases through Oracle Database Gateways
Oracle Data Masking
Data Masking Pack features:
• Masking format libraries – a collection of ready-to-use masking formats.
• Masking definitions – defines a data masking operation to be implemented on one or more tables.
Format | Data Type | Sample
SSN | Character | 111-39-9600
Oracle Data Masking
Performance Impact
• Takes advantage of built-in database optimizations:
– NOLOGGING bypasses database logging
– Runs in parallel for large tables
• Generates mapping tables for all the sensitive fields and their masked values. These temporary tables are dropped once all data has been successfully masked. Restores indexes, constraints, grants and triggers to original tables.
Oracle Data Masking
Operation Impact
• Change in cloning process:
– Prod -> Staging (mask) -> Test
– Prod -> Staging (mask and use as test)
Questions