Data Scrambling in Non-PROD Cloned Instances


John Peters, JRPJR, Inc.
john.peters@jrpjr.com

Before We Start

A Quick Audience Survey
- How many of you are on 11.0, 11i, 12?
- How many of you plan to upgrade to R12 in the next 18 months?

What I am going to cover

- Why obfuscate sensitive data and what is sensitive data
- OEM Application Management Pack
- A custom sensitive data backup and obfuscate methodology with sample code
- Review sensitive table columns

Examples of Sensitive Data

- Employee Data
  - Social Security Number
  - Salary Information
  - Review Information
  - Address and Phone Information
  - Age Information
  - Direct Deposit Bank Account Information
- Customer Data
  - Credit Card Numbers
- Vendor Data
  - Direct Deposit Bank Account Information
- Company Data
  - Bank Account Information

Why Obfuscate Sensitive Data

- Non-PROD instances have a lower level of access control
  - APPS password available to wider group
  - User responsibility control less restrictive
- Data is sent to Oracle Support during debug
- Non-Employees often have access to data: contract developers, consultants, etc.

Obfuscate Techniques

- Masking (done usually in UI)
  - Credit Card: NNNNNNNNNNNN1234
  - SSN: NNN-NN-1234
- Substitution
  - Substitute Digits and Characters with a constant
- Purge
  - Null out the sensitive data
- Gibberish
  - Replace with random characters

Use Oracle Supplied Solutions

- When possible take advantage of Oracle Supplied Solutions to obfuscate sensitive data. They are already included in your licensing and are supported.
- Example: Credit Card Data
  - Apply the credit card data encryption patches
  - This secures data in both PROD and non-prod instances
  - Secures data in the UI and the Database
  - It's the law

OEM Application Management Pack

- A data scrambling/purge framework introduced in version 2.0
- A generic engine that allows you to specify tables and columns of data that should be scrambled during a clone.
- Irreversible purge or scramble of the data.
- There is no seeded data. You need to decide what is scrambled.

What I Implemented

A customization that allows sensitive data to be:
- Backed Up
  - Original data is stored in custom tables
  - Data is encrypted for security
  - Allows for a table by table reversal of obfuscation based on non-prod instance testing requirements
- Sensitive Data Obfuscated
  - Original numeric data is replaced by a 9
  - Character strings replaced by constant string Z or N
  - Key data requiring uniqueness is replaced by ID values
  - Obfuscated data is easily identifiable to users
  - Magnitude of data is still available (six figure salary)

Implementation

Two components:
- A PL/SQL Package to Encrypt/Decrypt Data
- An SQL Script that can be run during cloning that backs up and obfuscates source data

PL/SQL Package - GENERATE_KEY

- Generates a 64 character key value to encrypt/decrypt values
- Save this value in a safe location if you want to reverse encryption

    -- 256/8 = 32 random bytes, displayed as 64 hex characters
    select DBMS_CRYPTO.randombytes(256/8) from dual;

PL/SQL Package - DECODE_VARCHAR

    FUNCTION DECODE_VARCHAR (p_in in raw, p_key in raw)
    RETURN VARCHAR2
    IS
      l_ret     varchar2 (2000);
      l_dec_val raw (2000);
      -- AES-256, CBC chaining, PKCS#5 padding; must match ENCODE_VARCHAR
      l_mode    number := dbms_crypto.encrypt_aes256
                        + dbms_crypto.chain_cbc
                        + dbms_crypto.pad_pkcs5;
    BEGIN
      -- No iv argument is passed, so the DBMS_CRYPTO default (NULL) is used
      l_dec_val := dbms_crypto.decrypt (p_in, l_mode, p_key);
      -- Convert the decrypted bytes back to a character string
      l_ret := UTL_I18N.RAW_TO_CHAR(l_dec_val, 'AL32UTF8');
      return l_ret;
    END DECODE_VARCHAR;

PL/SQL Package - ENCODE_VARCHAR

    FUNCTION ENCODE_VARCHAR (p_in in varchar2, p_key in raw)
    RETURN RAW
    IS
      l_enc_val raw(2000);
      -- AES-256, CBC chaining, PKCS#5 padding; must match DECODE_VARCHAR
      l_mode    number := dbms_crypto.encrypt_aes256
                        + dbms_crypto.chain_cbc
                        + dbms_crypto.pad_pkcs5;
    BEGIN
      -- Convert the string to bytes, then encrypt (no iv argument is passed)
      l_enc_val := dbms_crypto.encrypt(utl_i18n.string_to_raw(p_in, 'AL32UTF8'),
                                       l_mode, p_key);
      return l_enc_val;
    END ENCODE_VARCHAR;
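
ENCODE_VARCHAR and DECODE_VARCHAR call DBMS_CRYPTO without an IV argument, so the same value encrypted under the same key always produces the same RAW in the backup table, which lets a reader of that table see which rows share a value. The block below is an added example, not code from the presentation: it shows one way to use a random IV per value, stored in front of the ciphertext. The names encode_varchar_iv and decode_varchar_iv, the test key and the sample value are assumptions made for the illustration.

```sql
-- Added example (not from the presentation): IV-prefixed encrypt/decrypt.
set serveroutput on
declare
  c_mode constant pls_integer := dbms_crypto.encrypt_aes256
                               + dbms_crypto.chain_cbc
                               + dbms_crypto.pad_pkcs5;
  l_key  raw(32) := dbms_crypto.randombytes(32);  -- constructed test key
  l_c1   raw(2000);
  l_c2   raw(2000);

  -- Hypothetical helper: encrypt with a fresh 16-byte IV and store the IV
  -- in front of the ciphertext.
  function encode_varchar_iv (p_in in varchar2, p_key in raw) return raw is
    l_iv raw(16) := dbms_crypto.randombytes(16);
  begin
    return utl_raw.concat(
             l_iv,
             dbms_crypto.encrypt(utl_i18n.string_to_raw(p_in, 'AL32UTF8'),
                                 c_mode, p_key, l_iv));
  end;

  -- Hypothetical helper: split the stored value into IV (bytes 1-16) and
  -- ciphertext (byte 17 onward), then decrypt.
  function decode_varchar_iv (p_in in raw, p_key in raw) return varchar2 is
  begin
    return utl_i18n.raw_to_char(
             dbms_crypto.decrypt(utl_raw.substr(p_in, 17),
                                 c_mode, p_key, utl_raw.substr(p_in, 1, 16)),
             'AL32UTF8');
  end;
begin
  l_c1 := encode_varchar_iv('123-45-6789', l_key);  -- constructed sample value
  l_c2 := encode_varchar_iv('123-45-6789', l_key);
  -- Two encryptions of the same value must not produce the same RAW.
  if utl_raw.compare(l_c1, l_c2) = 0 then
    raise_application_error(-20001, 'ciphertexts repeat: IV is not random');
  end if;
  -- Both must still decrypt to the original value.
  if decode_varchar_iv(l_c1, l_key) <> '123-45-6789'
     or decode_varchar_iv(l_c2, l_key) <> '123-45-6789' then
    raise_application_error(-20002, 'round trip failed');
  end if;
  dbms_output.put_line('same plaintext, different ciphertext, round trip OK');
end;
/
```

The stored value is 16 bytes longer than the output of ENCODE_VARCHAR, which still fits the RAW(2000) backup columns for short values such as identifiers and account numbers.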

DBMS_CRYPTO

In order to use DBMS_CRYPTO in the APPS schema you must first grant execute access to it.

    sqlplus / as sysdba

    grant execute on dbms_crypto to APPS;
    create synonym apps.dbms_crypto for sys.dbms_crypto;

SQL Script

The script consists of three simple steps repeated on each table with Sensitive Data:
1. Create Backup Table
2. Insert Sensitive Data Records into Backup Table
3. Obfuscate Sensitive Data

Runs as APPS during instance clone

SQL Script - Create Backup Table

Columns in backup table:
- Primary Key of Source Table
- Sensitive Source Data to Backup

    create table XX_CUS.ENC_DATA_01
    (PERSON_ID               NUMBER,
     EFFECTIVE_START_DATE    DATE,
     EFFECTIVE_END_DATE      DATE,
     ENC_NATIONAL_IDENTIFIER RAW(2000)
    );

SQL Script - Insert into Backup Table

    -- &&KEY is a SQL*Plus substitution variable for the encryption key
    insert into xx_cus.enc_data_01
    (PERSON_ID,
     EFFECTIVE_START_DATE,
     EFFECTIVE_END_DATE,
     ENC_NATIONAL_IDENTIFIER
    )
    select PERSON_ID,
           EFFECTIVE_START_DATE,
           EFFECTIVE_END_DATE,
           XX_CUS_CLONE_UTILITY.ENCODE_VARCHAR(NATIONAL_IDENTIFIER, &&KEY) enc
      from PER_ALL_PEOPLE_F;

SQL Script - Obfuscate Data

    -- Only rows that look like an SSN and have a backup row are overwritten
    update PER_ALL_PEOPLE_F a
       set NATIONAL_IDENTIFIER = 'NNN-NN-NNNN'
     where substr(national_identifier,4,1) = '-'
       and exists
           (select 'Y'
              from xx_cus.enc_data_01 b
             where b.person_id            = a.person_id
               and b.effective_start_date = a.effective_start_date
               and b.effective_end_date   = a.effective_end_date
           );

SQL Script - Restore Data

    -- The scalar subquery must be enclosed in parentheses
    update PER_ALL_PEOPLE_F a
       set NATIONAL_IDENTIFIER =
           (select XX_CUS_CLONE_UTILITY.DECODE_VARCHAR(ENC_NATIONAL_IDENTIFIER, &&KEY) enc
              from xx_cus.enc_data_01 b
             where b.person_id            = a.person_id
               and b.effective_start_date = a.effective_start_date
               and b.effective_end_date   = a.effective_end_date
           )
     where exists
           (select 'Y'
              from xx_cus.enc_data_01 b
             where b.person_id            = a.person_id
               and b.effective_start_date = a.effective_start_date
               and b.effective_end_date   = a.effective_end_date
           );

Sensitive Data Tables - Employees 11i

- PER_ALL_PEOPLE_F.NATIONAL_IDENTIFIER
- PER_PAY_PROPOSALS.PROPOSED_SALARY_N
- PER_PAY_PROPOSAL_COMPONENTS.CHANGE_AMOUNT_N
- PAY_ELEMENT_ENTRY_VALUES_F.SCREEN_ENTRY_VALUE
- PER_PERFORMANCE_REVIEWS.PERFORMANCE_RATING
- PAY_EXTERNAL_ACCOUNTS.SEGMENT1 to SEGMENT30

Sensitive Data Tables - Payables 11i

- AP_BANK_ACCOUNTS_ALL.BANK_ACCOUNT_NUM
- AP_BANK_BRANCHES.EFT_USER_NUMBER and EFT_SWIFT_CODE
- AP_CARDS_ALL.CARD_NUMBER
- AP_INVOICE_PAYMENTS_ALL.BANK_ACCOUNT_NUM
- AP_CHECKS_ALL.BANK_ACCOUNT_NUM

Sensitive Data Tables - Credit Card Data 11i

- ASO_PAYMENTS.PAYMENT_REF_NUMBER
- IBY_CREDITCARD.CCNUMBER
- OE_ORDER_HEADERS_ALL.CREDIT_CARD_NUMBER
- OKS_K_HEADERS_B.CC_NO
- OKS_K_LINES_B.CC_NO
- CS_INCIDENTS_ALL_B.CREDIT_CARD_NUMBER

Sensitive Data Tables - Summary

- You need to work with the functional users to try to find sensitive data in your version of the E-Business Suite based on how your company uses the E-Business Suite.
- Take a look at DBA_TAB_COLS
- Write scripts to look at all VARCHAR2 columns for sensitive data patterns
  - 16 characters (could be a credit card)
  - 3-2-4 (Social Security Number)
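
One way to write the discovery script described above, as an added example that is not part of the presentation. It walks DBA_TAB_COLS for one schema and counts, per VARCHAR2 column, the sampled values that match the 3-2-4 pattern or consist of exactly 16 digits. The schema name HR, the sample size and the narrowing of "16 characters" to 16 digits are assumptions; run it as a user that can query the DBA views and the scanned tables.

```sql
-- Added example (not from the presentation): find candidate sensitive columns.
set serveroutput on
declare
  c_owner constant varchar2(30) := 'HR';   -- assumption: schema to scan
  c_rows  constant pls_integer  := 10000;  -- assumption: rows sampled per column
  l_ssn   pls_integer;
  l_card  pls_integer;
begin
  for c in (select tc.owner, tc.table_name, tc.column_name
              from dba_tab_cols tc
              join dba_tables t              -- tables only, no views
                on t.owner = tc.owner and t.table_name = tc.table_name
             where tc.owner = c_owner
               and tc.data_type = 'VARCHAR2'
               and tc.data_length >= 11      -- shortest pattern: NNN-NN-NNNN
               and tc.hidden_column = 'NO'
             order by tc.table_name, tc.column_id)
  loop
    begin
      -- Identifiers are quoted with DBMS_ASSERT; the row limit is a bind.
      execute immediate
        'select count(case when regexp_like(v, ''^[0-9]{3}-[0-9]{2}-[0-9]{4}$'') then 1 end), '
     || '       count(case when regexp_like(v, ''^[0-9]{16}$'') then 1 end) '
     || '  from (select ' || dbms_assert.enquote_name(c.column_name, false) || ' v '
     || '          from ' || dbms_assert.enquote_name(c.owner, false) || '.'
     ||                     dbms_assert.enquote_name(c.table_name, false)
     || '         where ' || dbms_assert.enquote_name(c.column_name, false)
     ||                ' is not null and rownum <= :n)'
        into l_ssn, l_card using c_rows;
      if l_ssn > 0 or l_card > 0 then
        dbms_output.put_line(rpad(c.table_name || '.' || c.column_name, 62)
                             || ' ssn_like=' || l_ssn || ' card_like=' || l_card);
      end if;
    exception
      when others then  -- e.g. unreadable external table: report and continue
        dbms_output.put_line('skipped ' || c.table_name || '.' || c.column_name
                             || ': ' || sqlerrm);
    end;
  end loop;
end;
/
```

A hit only marks a column for review with the functional users; columns with no hits in the sample can still hold sensitive data in other formats.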

Don't Forget Old Tables With Sensitive Data

- As we upgrade from 10 to 11 to 11i to R12, Oracle leaves obsolete tables in the database.
- These still contain valid data in some cases.
- Example: SO_HEADERS_ALL was replaced by OE_ORDER_HEADERS_ALL and contains the column CREDIT_CARD_NUMBER

Things to Remember

- Take advantage of Oracle Supplied data obfuscation functionality first
- Ask user community to verify that all sensitive data has been found and obfuscated in non-prod instance
- Preserve your encryption keys in a safe place; these are the keys to the kingdom

My contact information:
John Peters
john.peters@jrpjr.com
http://www.jrpjr.com

Additional reference papers can be found at:
http://www.norcaloaug.org
http://www.jrpjr.com