Delivering Oracle Success

Safeguard Sensitive DataA look at Oracle Database Vault,

Transparent Data Encryption and Oracle Data Masking

Lucy FengDecember 13, 2011

© DBAK 2011 2

Agenda

Motivators for Security InvestmentIdentify Sensitive DataOracle Security Offerings• Overview• High-level implementation steps• Performance and operational impact

© DBAK 2011 3

Information Protection and Control

Business Drivers• Data loss incidents• Data is an enterprise asset• Government and industry regulations

– Sarbanes-Oxley– Payment Card Industry – Data Security Standard

(PCI-DSS)– Health Insurance Portability and Accountability Act

(HIPAA)• Outsourcing• Cloud Sourcing

© DBAK 2011 4

Identify Sensitive Data

Determine what constitutes sensitive dataFind and catalog sensitive data• Review design and data modeling documents• Search data dictionary• Use tools to sample data

© DBAK 2011 5

Identify Sensitive Data

http://etrm.oracle.com/pls/et1211d9/etrm_search.search

© DBAK 2011 6

Identify Sensitive DataOracle Data Masking Pack – Data Finder tool

Define pattern match rules• Table name: EMP• Column name: SSN• Data format: ###-##-####

Search against selected databaseGenerate Data Finder reportsAdd fields to data privacy catalog

© DBAK 2011 7

Preemption Is the Best StrategyEncryption and Masking• Advanced Security• Secure Backup• Data Masking

Access Control• Database Vault• Label Security

Monitoring and Auditing• Configuration Management• Audit Vault• Total Recall

© DBAK 2011 8

Oracle Security OfferingsDatabase VaultTransparent Data EncryptionData Masking

© DBAK 2011 9

License Requirement

Oracle Enterprise Manager Data Masking Pack license

Oracle Data Masking

Oracle Advanced Security license (which also includes Network Encryption and Strong Authentication)

TDE

Oracle Database Vault option license.Implicitly installs Oracle Label Security. No additional license for Oracle Label Security required.

Oracle Database Vault

© DBAK 2011 10

What is Oracle Database Vault

Database security option that• Protects data from DBA or privileged user access• Enforces protection of database structures from

unauthorized change• Set robust access controls to implement security

requirements

© DBAK 2011 11

Oracle Database Vault

Out-of-the-box least privilege controls that separate out administrative actions.

separation-of-duty

Environment parameters (IP address, authentication method) that can be used with command rules and realms to create trusted paths, defining who, when, where and how data is accessed.

factors

Security rules that control the execution of database commands.command rules

Boundaries within the database that act like a firewall to prevent privileged users from using special privileges (select any table, etc) to access data.

realms

DescriptionFeature

© DBAK 2011 12

Oracle Database Vault Separation of Duty

Traditional DBA tasksSYSDBAResource Administrator

DBA can no longer grant/revoke DBA roles nor access DVSYS schema

Set up realms, command rules, authorize other users to use them, and execute various security reports. Cannot see data protected by a realm.

DV_OWNERDV_ADMIN

Security Administrator

DBA can no longer manage users

User account management responsibility that can create, drop or modify database users

DV_ACCTMGRAccount Management

ChangeDescriptionRolesResponsibility

© DBAK 2011 13

Oracle Database VaultDatabase Vault Value-Add

restrict DBA or privileged user access• Outsource backend operations without losing control of

data• Prevents hackers from stealing data with a

compromised privileged accountenable preventative controlImplement a variety of access controlprovide out-of-box separation of duty policy

© DBAK 2011 14

Oracle Database Vault Policy Examples

DBA views HR data protected by an HR realm => Blocked by realmPower user queries customer information through SQL*Plus from a desktop=>Blocked by rules/factors that only allow access from application server.

© DBAK 2011 15

Oracle Database VaultGUI for administrating, monitoring and reporting• Database Vault Administrator (DVA)• Database Control• OEM Grid Control

PL/SQL API

© DBAK 2011 16

Oracle Database Vault

© DBAK 2011 17

Oracle Database VaultPrerequisites

• Database 11g or higher• Database 10g Release 2

Certified with all major Oracle applications

© DBAK 2011 18

Oracle Database VaultInstall11g – from RDBMS install kit10gR2 - from Database Vault install media

Turn on the Database Vault option for the Oracle Home• Oracle home cannot contain ASM instance• DV enabled database cannot coexist with non-DV

enabled databasesEnable 11g – dbca GUI or command line10gR2 - dvca

© DBAK 2011 19

Oracle Database VaultOperation Impact• Apply patches

– system should be granted dv_acctmgr role if a patch creates new schemas for new products.

• Use Data Pump – participant of the data dictionary realm; grant import

user dv_acctmgr role if the schema doesn’t exist in the target

• Integrate with Oracle or third-party products

© DBAK 2011 20

Oracle Database VaultPerformance Impact• Realms

– DDL and DML on realm-protected objects do not have a measurable effect on performance.

– Auditing affects performance. Use targeted auditing instead of auditing all operations.

• Rules and Rule Sets– The more complex the rules, the more performance

overhead.• Factors

– For factors that are evaluated by session, DV performs the check during session initialization and caches the results. The resource used by a large amount of users could affect performance.

© DBAK 2011 21

Oracle Database VaultBest practices• Document security policies• Test rules and rule sets in non-production thoroughly• Develop temporary or emergency policies

© DBAK 2011 22

Oracle Database Vault vs VPD and OLS

Virtual Private Database (VPD) restricts access to certain rows for a user by modifying the where clauseOracle Label Security (OLS) mediates access to a given row, based on the label on the row and the security level of the userVPD and OLS restrict access at the row level. Database Vault restricts access at the object and command levels.

© DBAK 2011 23

Transparent Data EncryptionEncrypts data in the datafilesProtects data in case disk drive, datafiles or backup are compromised• To comply with the PCI-DSS standard, credit card

numbers need to be stored encryptedUsers with the right privileges are unaffected – Oracle transparently decrypts data

© DBAK 2011 24

Transparent Data EncryptionTDE column encryption – introduced in 10GR2 TDE tablespace encryption – introduced in 11GR1 Two-tier key architecture• Table or Tablespace key• Unified master key

© DBAK 2011 25

Transparent Data EncryptionData traveling to and from a database over SQL*Net is not encrypted. Need Oracle network encryption solution. TDE column encryption – data remains encrypted inside SGA. TDE tablespace encryption – not encrypted in SGA.

© DBAK 2011 26

Transparent Data EncryptionSummary Implementation Steps

TDE column• Prepare a list of columns to encrypt• Set a wallet location and generate a master key• Create a new table with encrypted column

sql>create table test(col1 number, col2 varchar2(100) encrypt using 'AES256' NO SALT);

• Encrypt column of an existing tablesql>alter table test modify( col2 encrypt SALT);

• Use Online Table Redefinition if access to table is needed.

© DBAK 2011 27

Transparent Data EncryptionSummary Implementation Steps

TDE tablespace• Choose master key storage method: Oracle Wallet or

Hardware Security Module• Set a wallet location and generate a master key• Create new tablespaces with encrypt parameter

CREATE TABLESPACE encryptedtbsDATAFILE '/u01/app/oracle/oradata/d1v11201/encryptedtbs01.dbf' SIZE 100MENCRYPTION USING 'AES256'DEFAULT STORAGE(ENCRYPT);

• Use data pump export and import to move data to new tablespace.

© DBAK 2011 28

Transparent Data EncryptionPerformance impact related to

CPU overhead from encrypt/decrypt operations• Column encryption – inserts, updates and queries that

include encrypted columns may decrease performance by 5%.

• Tablespace encryption – performance penalty in single digit

Operations not possible due to TDE• Column encryption- Index range scans not possible• Tablespace encryption – when full table scan, entire

table has to be decrypted

© DBAK 2011 29

Transparent Data EncryptionUse tablespace encryption when

all columns with sensitive data cannot locateddata type and/or data length not supported by column encryptioncolumn is used as foreign keyrange scans over indexed, encrypted columns index types other than B-tree over encrypted columns are needed

Use column encryption whenTable is heavily accessed with FTS plans

© DBAK 2011 30

Transparent Data EncryptionOperation Impact:• Be sure to back up wallet – keep it separate from

database backup• Open the wallet when restarting database• Column encryption

– Patches may fail if 1) an index is added to an encrypted column; 2) a column increasing in length beyond the threshold (3932)

– Not supported with Streams or Logical Standby– Storage overhead

© DBAK 2011 31

Oracle Data MaskingOEM Data Masking Pack –OEM 10gR4+Replaces sensitive data with realistic-looking values in a non-production environmentProtects confidential information from being disclosed to unauthorized partiesUses an irreversible process

© DBAK 2011 32

Oracle Data MaskingData Masking Pack features:• Maintains database referential integrity when masking

primary keys• Provides out-of-the-box data mask format library• View sample data before masking• Creates masking templates using the export mask

definition capability• Define once; execute multiple times• Supports heterogeneous databases through Oracle

Database Gateways

© DBAK 2011 33

Oracle Data MaskingData Masking Pack features:• Masking format libraries – a collection of ready-to-use

masking formats.

• Masking definitions – defines a data masking operation to be implemented on one or more tables.

111-39-9600CharacterSSN

SampleData TypeFormat

© DBAK 2011 34

Oracle Data Masking

© DBAK 2011 35

Oracle Data MaskingPerformance Impact• Takes advantage of built-in database optimizations:

– NOLOGGING bypasses database logging– Runs in parallel for large tables

• Generates mapping tables for all the sensitive fields and their masked values. These temporary tables are dropped once all data has been successfully masked. Restores indexes, constraints, grants and triggers to original tables.

© DBAK 2011 36

Oracle Data Masking

© DBAK 2011 37

Oracle Data MaskingOperation Impact• Change in cloning process:

– Prod -> Staging (mask) ->Test– Prod -> Staging (mask and use as test)

© DBAK 2011 38

Questions