Data Masking using Enterprise Manager


Published on

Data Masking using Enterprise Manager – Managing Sensitive Information in Non-Production Environments. Presented by

1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Data Masking using Enterprise Manager

  1. 1. Data Masking using Enterprise Manager – Managing Sensitive Information in Non-Production Environments Ofir Manor Senior Technology Specialist, Oracle ofir [email_address]
  2. 2. Agenda <ul><li>Introduction </li></ul><ul><li>Data Masking Overview </li></ul><ul><li>Data Masking Examples </li></ul><ul><li>Related EM technology </li></ul>
  3. 3. Agenda <ul><li>Introduction </li></ul><ul><li>Data Masking Overview </li></ul><ul><li>Data Masking Examples </li></ul>
  4. 4. Securing Production Environment <ul><li>In recent years, increasing attention is given to securing the production environment: </li></ul><ul><ul><li>Regulatory Requirements (you know the list…) </li></ul></ul><ul><ul><li>Internet access every where (customers, partners) </li></ul></ul><ul><ul><li>Increasing threats </li></ul></ul><ul><ul><li>Increasing awareness to inside and outside threats </li></ul></ul><ul><li>Oracle Database has a lot of functionality for this. For example: </li></ul><ul><ul><li>Authentication – ASO (Advanced Security Options) </li></ul></ul><ul><ul><li>Network Traffic Encryption - ASO </li></ul></ul><ul><ul><li>Data At Rest Encrypting – ASO’s Transparent Data encryption, Oracle Secure Backup </li></ul></ul><ul><ul><li>Access Control – privileges, roles, VPD, Label Security… </li></ul></ul><ul><ul><li>Auditing – regular audit, Fine-Grained Audit, Oracle Audit Vault </li></ul></ul><ul><ul><li>Limiting “Super Users” – Oracle Data Vault </li></ul></ul>
  5. 5. What About Other Environments? <ul><li>Important systems -> many environments </li></ul><ul><ul><li>Pre-prod, test, dev, training </li></ul></ul><ul><ul><li>Usually more than one of each type </li></ul></ul><ul><ul><li>Sensitive information all over the place </li></ul></ul><ul><li>QA / dev can usually do anything in these environments. </li></ul><ul><li>DBAs / sys admins can usually do anything in these environments </li></ul><ul><li>Sometimes partners have full access to these environments (consultants, outsourcing dev / testing / monitoring etc) </li></ul><ul><li>Are these environments audited? </li></ul><ul><li>Do you practice careful access control? </li></ul>
  6. 6. What Can Be Done? <ul><li>There are two options: </li></ul><ul><li>Heavily investigate in securing all your database environments </li></ul><ul><ul><li>Adds IT administrative overhead – auditing, privilege management etc </li></ul></ul><ul><ul><li>Annoying QA / dev – “Not fun” </li></ul></ul><ul><ul><li>Will be always in lower priority </li></ul></ul><ul><ul><li>Might be neglected, worked around etc over time </li></ul></ul><ul><li>Make sure no sensitive data arrives to these environments </li></ul><ul><ul><li>Mask the data while provisioning these environments </li></ul></ul><ul><ul><li>Sensitive data can not leak if it’s not there </li></ul></ul><ul><ul><li>An elegant, compliant solution </li></ul></ul>
  7. 7. Agenda <ul><li>Introduction </li></ul><ul><li>Data Masking Overview </li></ul><ul><li>Data Masking Examples </li></ul>
  8. 8. What is data masking? <ul><li>What </li></ul><ul><li>The act of anonymizing customer, financial, or company confidential data to create new, legible data which retains the data's properties, such as its width, type, and format. </li></ul><ul><li>Why </li></ul><ul><li>To protect confidential data in test environments when the data is used by developers or offshore vendors </li></ul><ul><li>When customer data is shared with 3 rd parties without revealing personally identifiable information </li></ul>45,000 093-44-3823 FIORANO 80,000 989-22-2403 D’SOUZA 60,000 323-22-2943 BENSON 40,000 203-33-3234 AGUILAR SALARY SSN LAST_NAME 45,000 111-49-3849 FPENZXIEK 80,000 111-97-2749 KDDEHLHESA 60,000 111-34-1345 BKJHHEIEDK 40,000 111—23-1111 ANSKEKSL SALARY SSN LAST_NAME
  9. 9. <ul><li>Major features </li></ul><ul><li>Data mask format library </li></ul><ul><li>Define once; execute multiple times </li></ul><ul><li>View sample data before masking </li></ul><ul><li>Automatic database referential integrity when masking primary keys </li></ul><ul><ul><li>Implicit – database enforced </li></ul></ul><ul><ul><li>Explicit – application enforced </li></ul></ul><ul><li>Installed as part of Oracle Enterprise Manager (Grid Control) 10g Release 4 ( </li></ul>Enterprise Manager Data Masking Pack Production Staging Mask Test Test Clone Clone
  10. 10. Format Libraries <ul><li>Mask Primitives </li></ul><ul><ul><li>Random Number </li></ul></ul><ul><ul><li>Random String </li></ul></ul><ul><ul><li>Random Date within range </li></ul></ul><ul><ul><li>Shuffle </li></ul></ul><ul><ul><li>Sub string of original value </li></ul></ul><ul><ul><li>Table Column </li></ul></ul><ul><li>User Defined Function </li></ul><ul><ul><li>National Identifiers </li></ul></ul><ul><ul><li>Social Security Numbers </li></ul></ul><ul><ul><li>Credit Card Numbers </li></ul></ul>
  11. 11. Example – Create a New Format
  12. 12. User-defined mask formats Email notification testing
  13. 13. Masking Definitions <ul><li>Associates formats with database </li></ul><ul><ul><li>Maps formats to table columns being masked </li></ul></ul><ul><ul><li>Defines dependent columns </li></ul></ul><ul><ul><li>Associated Database target </li></ul></ul><ul><li>Automatically identifies Foreign key relationships </li></ul><ul><li>Can specify undeclared constraints as related columns </li></ul><ul><li>Import-from or export-to XML </li></ul><ul><li>“ Create like” to apply to similar databases </li></ul>
  14. 14. Referential Integrity Enforcement Database-enforced Application-enforced
  15. 15. Pre-Masking Validation <ul><li>Ensure uniqueness can be maintained </li></ul><ul><li>Ensure formats match column data types </li></ul><ul><li>Check Space availability </li></ul><ul><li>Warn about Check Constraints </li></ul><ul><li>Check presence of default Partitions </li></ul>
  16. 16. Masking Workflow Security Admin DBA Identify Data Formats Identify Sensitive Information Format Library Masking Definition Staging Prod Test Review Mask Definition Execute Mask Clone Prod to Staging Clone Staging to Test
  17. 17. Performance <ul><li>Optimizations </li></ul><ul><ul><li>SQL Parallelism for tables > 1 million rows </li></ul></ul><ul><ul><li>Statistics collection before & after masking </li></ul></ul><ul><ul><li>CTAS statement with NOLOGGING </li></ul></ul><ul><li>Test results </li></ul><ul><ul><li>Case 1 </li></ul></ul><ul><ul><ul><li>60GB Database </li></ul></ul></ul><ul><ul><ul><li>100 tables, 215 columns </li></ul></ul></ul><ul><ul><ul><li>20mins </li></ul></ul></ul><ul><ul><li>Case 2 </li></ul></ul><ul><ul><ul><li>6 column, 100 million row table </li></ul></ul></ul><ul><ul><ul><li>Random Number </li></ul></ul></ul><ul><ul><ul><li>1.3 hours </li></ul></ul></ul>
  18. 18. Data Masking Pack feature details <ul><li>Data Masking primitives </li></ul><ul><ul><li>Random numbers </li></ul></ul><ul><ul><li>Random digits </li></ul></ul><ul><ul><li>Random strings </li></ul></ul><ul><ul><li>Random date </li></ul></ul><ul><ul><li>User defined function (PL/SQL) </li></ul></ul><ul><ul><li>Exportable and importable format definition (XML-based) </li></ul></ul><ul><li>Masking algorithms </li></ul><ul><ul><li>Unique value generation </li></ul></ul><ul><ul><li>Shuffle </li></ul></ul><ul><ul><li>Constant </li></ul></ul><ul><li>Mask definition </li></ul><ul><ul><li>Association of masking formats with application schema </li></ul></ul><ul><ul><li>Related application columns without defined constraints in data dictionary </li></ul></ul><ul><ul><li>Exportable and importable XML mask definitions </li></ul></ul><ul><ul><li>“ Create Like” to apply mask definition to other databases </li></ul></ul><ul><li>Validation </li></ul><ul><ul><li>Mask validation with data type </li></ul></ul><ul><ul><li>Data overflow validation </li></ul></ul><ul><ul><li>Multiple parent FKs, circular dependency, constraints </li></ul></ul><ul><ul><li>Automatic exclusion of CLOB, BLOB, NCLOB, LONG, LONG RAW, XML column types </li></ul></ul><ul><ul><li>Imported mask definition validated against database schema </li></ul></ul><ul><ul><li>Space availability check </li></ul></ul><ul><li>Efficiency </li></ul><ul><ul><li>One bulk operation per table regardless of number of masked columns </li></ul></ul><ul><ul><li>CTAS to recreate masked table </li></ul></ul><ul><ul><li>Leverage database features, e.g. parallelism, no logging. </li></ul></ul>
  19. 19. Agenda <ul><li>Introduction </li></ul><ul><li>Data Masking Overview </li></ul><ul><li>Data Masking Examples </li></ul>
  20. 20. Handling First / Last Name <ul><li>Using Shuffle </li></ul><ul><ul><li>Useful if first name and last name are in different columns </li></ul></ul><ul><ul><li>Preserves real values and real data distribution </li></ul></ul><ul><ul><li>Bigger data sets minimize leak risk </li></ul></ul><ul><li>Using Random Strings </li></ul><ul><ul><li>Really random </li></ul></ul><ul><ul><li>Not real names, different data distribution </li></ul></ul><ul><li>Using a table based lookup </li></ul><ul><ul><li>Example – </li></ul></ul>
  21. 22. Israeli ID Number <ul><li>Israeli ID Number uses a check digit </li></ul><ul><ul><li>IsraCard, Mastercard etc also uses some kind of check digit </li></ul></ul><ul><li>The check digit protects from: </li></ul><ul><ul><li>One digit error </li></ul></ul><ul><ul><li>Two adjacent digits replaced </li></ul></ul><ul><li>The algorithm is well documented </li></ul><ul><li>Easy to write a function to do it </li></ul>
  22. 23. Israeli ID Number Algorithm
  23. 24. Israeli ID Number Algorithm
  24. 25. Israeli ID Number Algorithm
  25. 26. Israeli ID Number - Format
  26. 27. Agenda <ul><li>Introduction </li></ul><ul><li>Data Masking Overview </li></ul><ul><li>Data Masking Examples </li></ul>
  27. 28. Q A &