Safeguard Sensitive Data in EBS: A Look at Oracle Database Vault, Transparent Data Encryption, and Data Masking. Lucy Feng




Delivering Oracle Success

Safeguard Sensitive Data in EBS: A Look at Oracle Database Vault, Transparent Data Encryption, and Data Masking
Lucy Feng
RMOUG Training Days, February 2012

About DBAK
- Oracle Solution Provider and License Reseller
- Core Technology and EBS Applications
- Colorado Owned and Operated
- Average 15 Years of Oracle Expertise
- Top 250 Private Companies, 2011 CoBIZ Magazine
- Emerging Business of the Year, 2008 South Metro Denver Chamber of Commerce
- 100+ Clients
- 170+ Implementations, Upgrades, Conversions, Support Projects
- Oracle Gold Partner
- OEM Specialized

DBAK 2012 2

Agenda
- Overview of security challenge
- Identifying EBS sensitive data
- Oracle security features: Database Vault, TDE and Data Masking
  - Overview
  - Integration with EBS R12
  - Impact

Information Protection and Control Motivators
- Data loss incidents
- Government and industry regulations
- Outsourcing
- Cloud Sourcing

Oracle EBS Sensitive Data Samples
- Credit Card Data: iby_security_segments, ap_bank_accounts_all, oe_order_headers_all, aso_payments, oks_k_headers_*, oks_k_lines_*, iby_trxn_summaries_all, iby_credit_card
- Social Security Number: per_all_people_f, hr_h2pi_employees, ben_reporting, ap_suppliers, ap_suppliers_int, po_vendors_obs
- Bank Account Number: ap_checks_all, ap_invoice_payments_all, ap_selected_invoice_checks_all
- Protected Health Information: Order Management, Accounts Receivables, Human Resources

Oracle EBS Sensitive Data
- Take inventory of sensitive and confidential data contained in:
  - Oracle and custom tables
  - Interface table and files
  - Log files
- Create a matrix of who can access what data

Preemption Is the Best Strategy
- Encryption and Masking: Advanced Security, Secure Backup, Data Masking
- Access Control: Database Vault, Label Security
- Monitoring and Auditing: Configuration Management, Audit Vault, Total Recall

Oracle Security Offerings Pre-certified with Oracle E-Business Suite
- Database Vault
- Transparent Data Encryption
- Data Masking

License Requirement
- Oracle Database Vault: Oracle Label Security license
- TDE: Oracle Advanced Security license
- Oracle Data Masking: Oracle Enterprise Manager Data Masking Pack license

Oracle Database Vault
- Restricts access to specific areas in a database from users, including users with administrative access
- Provides preventive controls
- Increases security transparently

Oracle Database Vault: Features
- realms: Boundaries within the database that act like a firewall to prevent privileged users from using special privileges (SELECT ANY TABLE, etc.) to access data.
- command rules: Security rules that control the execution of database commands.
- factors: Environment parameters (IP address, authentication method) that can be used with command rules and realms to create trusted paths, defining who, when, where and how data is accessed.
- separation-of-duty: Out-of-the-box least privilege controls that separate out administrative actions.

Oracle Database Vault: Separation of Duty
- Account Management
  - Roles: DV_ACCTMGR
  - Description: User account management responsibility that can create, drop or modify database users
  - Change: DBA can no longer manage users
- Security Administrator
  - Roles: DV_OWNER, DV_ADMIN
  - Description: Set up realms, command rules, authorize other users to use them, and execute various security reports
  - Change: DBA can no longer grant/revoke DBA roles nor access DVSYS schema
- Resource Administrator
  - Roles: SYSDBA
  - Description: Traditional DBA tasks
  - Change: none

Oracle Database Vault: Policy Examples
- DBA views HR data protected by an HR realm => Blocked by realm
- Power user queries customer information through SQL*Plus => Blocked by rules/factors that only allow access from application server
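A sketch of the first policy above using the Database Vault PL/SQL API. This is an added example, not part of the original presentation; the realm name, the protected schema (HR) and the authorized grantee (APPS) are assumptions chosen for illustration.

```sql
-- Added example: run as a user holding DV_OWNER, not as SYSDBA.
-- 'Example HR Realm', schema HR and grantee APPS are illustrative assumptions.
BEGIN
  -- 1. Create the realm and audit failed access attempts.
  DVSYS.DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Example HR Realm',
    description   => 'Blocks ANY-privilege access to HR schema objects',
    enabled       => DVSYS.DBMS_MACUTL.G_YES,
    audit_options => DVSYS.DBMS_MACUTL.G_REALM_AUDIT_FAIL);

  -- 2. Put every object in the HR schema inside the realm boundary.
  DVSYS.DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Example HR Realm',
    object_owner => 'HR',
    object_name  => '%',
    object_type  => '%');

  -- 3. Authorize only the application account as a realm participant.
  --    A DBA with SELECT ANY TABLE is not listed, so the realm blocks it.
  DVSYS.DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name   => 'Example HR Realm',
    grantee      => 'APPS',
    auth_options => DVSYS.DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 4. Review what the realm protects and who is authorized.
SELECT realm_name, owner, object_name, object_type
FROM   dvsys.dba_dv_realm_object
WHERE  realm_name = 'Example HR Realm';

SELECT realm_name, grantee, auth_options
FROM   dvsys.dba_dv_realm_auth
WHERE  realm_name = 'Example HR Realm';
```

Test the realm in non-production by querying a protected table as a DBA account that is not a realm participant; the query should be rejected and the attempt should appear in the Database Vault audit trail.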

Oracle Database Vault
- GUI for administrating, monitoring and reporting:
  - Database Vault Administrator (DVA)
  - OEM Database Control
  - OEM Grid Control
- PL/SQL API

Oracle Database Vault

Oracle Database Vault
- Metalink note 428403.1
- Prerequisites:
  - Oracle E-Business Suite Release 12.0.4 or higher
  - Oracle E-Business Suite Release 12.1.1 or higher
  - Oracle E-Business Suite Release 11i 11.5.10.2 or higher
- Database Vault 11.2.0 is certified with R12

Oracle Database Vault: Install Options
- Oracle Database Vault in the EBS database
- Use a single installation of Database Vault to manage the EBS database
- Install
- Register Database Vault with the database

Oracle Database Vault: Integration with EBS R12
- Note 1091083.1
- Set database security initialization parameters:
    REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE
    REMOTE_OS_ROLES = FALSE
    OS_ROLES = FALSE
    O7_DICTIONARY_ACCESSIBILITY = FALSE
    AUDIT_SYS_OPERATIONS = TRUE
    SQL92_SECURITY = TRUE
    OS_AUTHENT_PREFIX = ''
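One way to check a running instance against the parameter values listed above. This query is an added example, not part of the original presentation; it assumes the session can read V$PARAMETER.

```sql
-- Added example: compare current settings with the values on the slide.
-- Oracle stores an empty string as NULL, so OS_AUTHENT_PREFIX = '' is
-- represented here by a NULL expected value.
WITH expected AS (
  SELECT 'remote_login_passwordfile' AS name, 'EXCLUSIVE' AS want FROM dual UNION ALL
  SELECT 'remote_os_roles',             'FALSE' FROM dual UNION ALL
  SELECT 'os_roles',                    'FALSE' FROM dual UNION ALL
  SELECT 'o7_dictionary_accessibility', 'FALSE' FROM dual UNION ALL
  SELECT 'audit_sys_operations',        'TRUE'  FROM dual UNION ALL
  SELECT 'sql92_security',              'TRUE'  FROM dual UNION ALL
  SELECT 'os_authent_prefix',           NULL    FROM dual
)
SELECT e.name,
       NVL(p.value, '(empty)') AS current_value,
       NVL(e.want,  '(empty)') AS expected_value,
       CASE
         WHEN p.name IS NULL                      THEN 'NOT FOUND'
         WHEN e.want IS NULL AND p.value IS NULL  THEN 'OK'
         WHEN UPPER(p.value) = e.want             THEN 'OK'
         ELSE 'REVIEW'
       END AS status,
       -- FALSE here means the parameter is static: change it in the
       -- spfile and restart the instance for it to take effect.
       p.issys_modifiable
FROM   expected e
LEFT   JOIN v$parameter p ON p.name = e.name
ORDER  BY status DESC, e.name;
```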

Oracle Database Vault
- Apply R12 realm creation patches
- Run scripts to create default realms that protect EBS Schemas:
  - E-Business Suite realm
  - E-Business Suite realm applsys schema
  - E-Business Suite realm apps schema
  - E-Business Suite realm applsyspub
  - E-Business Suite realm msc
  - CTXSYS data dictionary

Oracle Database Vault: Operation Impact
- Apply patches
- FNDCPASS
- Clone instance
- Use Data Pump
- Integrate with Oracle products RMAN and apply database patches

Oracle Database Vault: Performance Impact
- Realms: minimal performance impact

Oracle Database Vault: Best practices
- Document security policies
- Test rules and rule sets in non-production thoroughly
- Develop temporary or emergency policies

Oracle Database Vault vs VPD and OLS
- Virtual Private Database (VPD) restricts access to certain rows for a user by modifying the WHERE clause
- Oracle Label Security (OLS) mediates access to a given row, based on the label on the row and the security level of the user
- VPD and OLS restrict access at the row level. Database Vault restricts access at the object and command levels.

Transparent Data Encryption
- Encrypts data in the datafiles
- Protects data in case disk drive, datafiles or backup are compromised
- Users with the right privileges are unaffected
- Oracle transparently decrypts data

Transparent Data Encryption
- TDE column encryption introduced in 10gR2
- TDE tablespace encryption introduced in 11gR1
- Two-tier key architecture:
  - Table or Tablespace key
  - Unified master key

Transparent Data Encryption: Implementation Steps (TDE column)
- Prepare a list of columns to encrypt
- Create a wallet
- Download and apply patch 7337863
- For each column you want to encrypt, run script to check. The script will return an ALTER TABLE command or explain why it cannot be done.

Transparent Data Encryption: Implementation Steps (TDE tablespace)
- Choose master key storage method: Oracle Wallet or Hardware Security Module
- Create new tablespaces with encrypt parameter
- Use Data Pump export and import to move data to new tablespace
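The tablespace steps above as SQL for an Oracle Wallet setup on 11g. This is an added example, not part of the original presentation; the tablespace name, datafile path and wallet password are placeholders, and the table names in the final check are a sample taken from the sensitive-data list earlier in the deck.

```sql
-- Added example; example_enc_ts, the datafile path and <wallet_password>
-- are placeholders. Prerequisite: sqlnet.ora sets ENCRYPTION_WALLET_LOCATION
-- to an existing directory that is kept out of the database backup set.

-- 1. Create the wallet (if none exists there) and the TDE master key.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "<wallet_password>";

-- 2. Confirm the wallet is open before creating encrypted tablespaces.
SELECT wrl_type, wrl_parameter, status
FROM   v$encryption_wallet;

-- 3. Create the new tablespace with the encrypt parameter.
CREATE TABLESPACE example_enc_ts
  DATAFILE '/path/to/oradata/example_enc_ts01.dbf' SIZE 100M AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 4. Verify the tablespace is encrypted and with which algorithm.
SELECT t.name, e.encryptionalg, e.encryptedts
FROM   v$tablespace t
JOIN   v$encrypted_tablespaces e ON e.ts# = t.ts#;

-- 5. After the Data Pump export/import, list sensitive tables whose
--    segments still sit in an unencrypted tablespace.
SELECT s.owner, s.segment_name, s.tablespace_name
FROM   dba_segments s
JOIN   dba_tablespaces t ON t.tablespace_name = s.tablespace_name
WHERE  t.encrypted = 'NO'
AND    s.segment_type LIKE 'TABLE%'
AND    s.segment_name IN ('IBY_CREDIT_CARD', 'AP_BANK_ACCOUNTS_ALL',
                          'PER_ALL_PEOPLE_F', 'AP_CHECKS_ALL')
ORDER  BY s.owner, s.segment_name;

-- 6. After each database restart, open the wallet before users connect;
--    encrypted data is unreadable until this succeeds.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet_password>";
```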

Transparent Data Encryption: Performance Impact
- Column encryption: performance of inserts, updates and queries that include encrypted columns may decrease by up to 5%. Severe degradation is possible if inappropriate columns are chosen.
- Tablespace encryption: performance penalty up to 10%

Transparent Data Encryption: Operation Impact
- Be sure to back up the wallet; keep it separate from the database backup
- Open the wallet when restarting the database
- Column encryption:
  - Patches may fail if 1) an index is added to an encrypted column; 2) a column increases in length beyond the threshold (3932)
  - Not supported with Streams or Logical Standby (streams/ls with EBS?)

Oracle Data Masking
- OEM Data Masking Pack
- OEM 10gR4+
- Replaces sensitive data with realistic-looking values in a non-production environment
- Protects confidential information from being disclosed to unauthorized parties
- Uses an irreversible process

Oracle Data Masking: Data Masking Pack features
- Maintains database referential integrity when masking primary keys
- Provides out-of-the-box data mask format library
- View sample data before masking
- Creates masking templates using the export mask definition capability
- Define once; execute multiple times

Oracle Data Masking: Data Masking Pack features
- Masking format libraries: a collection of ready-to-use masking formats
  - Format: SSN; Data Type: Character; Sample: 111-39-9600
- Masking definitions: defines a data masking operation to be implemented on one or more tables

Data Masking Workflow

Oracle Data Masking: Performance Impact
- Takes advantage of built-in database optimizations:
  - Disables database logging
  - Runs in parallel

Oracle Data Masking: Operation Impact
- Change in cloning process:
  - Prod -> Staging (mask) -> Test
  - Prod -> Staging (mask and use as test)

OEM Data Masking vs Application Management Pack for EBS

Questions

Contact
- Lucy Feng
- 720.475-8600
- lfeng@dbaknow.com
- Presentation available at: www.dbaknow.com/downloads
- www.dbaknow.com