
Delivering Oracle Success

Safeguard Sensitive Data in EBS:
A Look at Oracle Database Vault,
Transparent Data Encryption, and
Data Masking
Lucy Feng
RMOUG Training Days
February 2012

About DBAK
Oracle Solution Provider and License Reseller
Core Technology and EBS Applications
Colorado Owned and Operated
Average 15 Years of Oracle Expertise
Top 250 Private Companies, 2011 CoBIZ Magazine
Emerging Business of the Year, 2008 South Metro Denver
Chamber of Commerce
100+ Clients
170+ Implementations, Upgrades, Conversions, Support Projects
Oracle Gold Partner
OEM Specialized

DBAK2012

Agenda
Overview of security challenge
Identifying EBS sensitive data
Oracle security features: Database Vault, TDE and Data Masking
Overview
Integration with EBS R12
Impact


Information Protection and Control

Motivators
Data loss incidents
Government and industry regulations
Outsourcing
Cloud sourcing

Oracle EBS Sensitive Data Samples

Credit card data
  iby_security_segments
  iby_credit_card
  iby_trxn_summaries_all
  ap_bank_accounts_all
  oe_order_headers_all
  aso_payments
  oks_k_headers_*
  oks_k_lines_*

Social Security Number
  per_all_people_f
  hr_h2pi_employees
  ben_reporting
  ap_suppliers
  ap_suppliers_int
  po_vendors_obs

Bank account number
  ap_checks_all
  ap_invoice_payments_all
  ap_selected_invoice_checks_all

Protected Health Information
  Order Management
  Accounts Receivable
  Human Resources

Oracle EBS Sensitive Data


Take inventory of sensitive and confidential data contained in
  Oracle and custom tables
  Interface tables and files
  Log files

Create a matrix of who can access what data
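A first pass at both bullets can be scripted from the data dictionary. The query below is an added example, not part of the presentation: it sweeps DBA_TAB_COLUMNS for column names that look like card, SSN or bank-account fields and joins each hit to the object grants that expose it, then lists the system privileges that bypass object grants altogether (which is what Database Vault realms exist to stop). The column-name patterns, the schema list and the XXCUST custom schema are assumptions; seed them from the tables on the previous slide and extend as you go.

```sql
-- Added example, not from the presentation. Run as a user with SELECT on
-- DBA_TAB_COLUMNS, DBA_TAB_PRIVS and DBA_SYS_PRIVS (e.g. a read-only DBA account).
WITH patterns AS (
  SELECT 'Credit card'  AS category, '%CREDIT_CARD%'        AS col_like FROM dual UNION ALL
  SELECT 'Credit card',              '%CARD_NUMBER%'                    FROM dual UNION ALL
  SELECT 'SSN',                      '%NATIONAL_IDENTIFIER%'            FROM dual UNION ALL
  SELECT 'SSN',                      '%SSN%'                            FROM dual UNION ALL
  SELECT 'Bank account',             '%BANK_ACCOUNT_NUM%'               FROM dual UNION ALL
  SELECT 'Bank account',             '%ACCOUNT_NUMBER%'                 FROM dual
),
candidates AS (
  SELECT DISTINCT p.category, c.owner, c.table_name, c.column_name, c.data_type
  FROM   dba_tab_columns c
  JOIN   patterns p ON c.column_name LIKE p.col_like
  -- product schemas named on the previous slide plus an assumed custom schema
  WHERE  c.owner IN ('AP','AR','HR','PER','BEN','IBY','OE','ASO','OKS','PO','APPLSYS','XXCUST')
)
-- Who can access what: one row per candidate column per grantee/privilege.
SELECT cand.category, cand.owner, cand.table_name, cand.column_name, cand.data_type,
       NVL(tp.grantee, '(owner only)') AS grantee,
       NVL(tp.privilege, '-')          AS privilege
FROM   candidates cand
LEFT JOIN dba_tab_privs tp
       ON tp.owner = cand.owner
      AND tp.table_name = cand.table_name
      AND tp.privilege IN ('SELECT','INSERT','UPDATE','DELETE')
ORDER BY cand.category, cand.owner, cand.table_name, cand.column_name, grantee;

-- The grants above are only half the matrix: these system privileges reach
-- every table regardless of object grants (the DBA role carries them).
SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege IN ('SELECT ANY TABLE','UPDATE ANY TABLE','EXEMPT ACCESS POLICY')
ORDER BY grantee, privilege;
```

Column-name matching is a starting point only: IBY stores card data in segment tables whose column names do not say "card", and interface tables and log files (the other two bullets) are not in the dictionary at all, so the output has to be reconciled against the functional inventory rather than treated as complete.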


Preemption Is the Best Strategy

Encryption and Masking
  Advanced Security
  Secure Backup
  Data Masking

Access Control
  Database Vault
  Label Security

Monitoring and Auditing
  Configuration Management
  Audit Vault
  Total Recall


Oracle Security Offerings


Pre-certified with Oracle E-Business Suite
Database Vault
Transparent Data Encryption
Data Masking


License Requirement
Oracle Database Vault: Oracle Label Security license
TDE: Oracle Advanced Security license
Oracle Data Masking: Oracle Enterprise Manager Data Masking Pack license


Oracle Database Vault


Restricts access to specific areas of a database, including access by users with administrative privileges
Provides preventive controls (access is blocked, not merely audited)
Increases security transparently, with no application code changes


Oracle Database Vault


Feature             Description
Realms              Boundaries within the database that act like a firewall, preventing privileged users from using system privileges (SELECT ANY TABLE, etc.) to access data.
Command rules       Security rules that control the execution of database commands.
Factors             Environment parameters (IP address, authentication method) that can be used with command rules and realms to create trusted paths, defining who, when, where and how data is accessed.
Separation of duty  Out-of-the-box least-privilege controls that separate administrative actions.


Oracle Database Vault


Separation of Duty

Responsibility          Roles                Description                                                   Change
Account Management      DV_ACCTMGR           User account management responsibility that can create,       DBA can no longer manage users
                                             drop or modify database users
Security Administrator  DV_OWNER, DV_ADMIN   Set up realms and command rules, authorize other users to     DBA can no longer grant/revoke DBA roles
                                             use them, and execute various security reports                nor access the DVSYS schema
Resource Administrator  SYSDBA               Traditional DBA tasks                                         none


Oracle Database Vault


Policy Examples
A DBA views HR data protected by an HR realm => blocked by the realm.
A power user queries customer information through SQL*Plus => blocked by rules/factors that only allow access from the application server.
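The two policies above, written against the Database Vault 11.2 PL/SQL API (DBMS_MACADM) as an added example; this is not code from the presentation, and EBS gets its own realms from the patches covered later in the deck, so treat it as the pattern for a custom realm and command rule. Assumptions: the realm, rule and rule-set names, the HR schema as the protected owner, AR.HZ_PARTIES as the customer table, and 10.10.1.21 as the application server's address. Run as a user holding DV_OWNER.

```sql
-- Added example, not from the presentation (Database Vault 11.2 API, run as DV_OWNER).

-- 1. Realm: system privileges such as SELECT ANY TABLE no longer reach HR tables.
BEGIN
  DBMS_MACADM.CREATE_REALM(
    realm_name    => 'Custom HR Data',
    description   => 'Blocks privileged users from HR person and salary tables',
    enabled       => DBMS_MACUTL.G_YES,
    audit_options => DBMS_MACUTL.G_REALM_AUDIT_FAIL);   -- audit blocked attempts only
  DBMS_MACADM.ADD_OBJECT_TO_REALM(
    realm_name   => 'Custom HR Data',
    object_owner => 'HR',
    object_name  => '%',                                -- every table in the schema
    object_type  => 'TABLE');
  -- Realms block system-privilege access; direct object grants still work.
  -- Authorising APPS keeps the application's own privileges usable inside the realm.
  DBMS_MACADM.ADD_AUTH_TO_REALM(
    realm_name    => 'Custom HR Data',
    grantee       => 'APPS',
    rule_set_name => NULL,
    auth_options  => DBMS_MACUTL.G_REALM_AUTH_PARTICIPANT);
END;
/

-- 2. Factor + rule set + command rule: SELECT on customer data is allowed only
--    when the session's Client_IP factor is the application server (assumed IP).
BEGIN
  DBMS_MACADM.CREATE_RULE(
    rule_name => 'From EBS app server',
    rule_expr => q'[DVF.F$CLIENT_IP = '10.10.1.21']');
  DBMS_MACADM.CREATE_RULE_SET(
    rule_set_name   => 'App Server Only',
    description     => 'Trusted path: application tier only',
    enabled         => DBMS_MACUTL.G_YES,
    eval_options    => DBMS_MACUTL.G_RULESET_EVAL_ALL,
    audit_options   => DBMS_MACUTL.G_RULESET_AUDIT_FAIL,
    fail_options    => DBMS_MACUTL.G_RULESET_FAIL_SHOW,
    fail_message    => 'Customer data is only accessible from the application tier',
    fail_code       => -20010,
    handler_options => DBMS_MACUTL.G_RULESET_HANDLER_OFF,
    handler         => NULL);
  DBMS_MACADM.ADD_RULE_TO_RULE_SET(
    rule_set_name => 'App Server Only',
    rule_name     => 'From EBS app server');
  DBMS_MACADM.CREATE_COMMAND_RULE(
    command       => 'SELECT',
    rule_set_name => 'App Server Only',
    object_owner  => 'AR',
    object_name   => 'HZ_PARTIES',
    enabled       => DBMS_MACUTL.G_YES);
END;
/

-- 3. Verify the policy objects exist and are enabled. A DBA session that now
--    selects from HR tables fails with ORA-01031; a SQL*Plus session from any
--    other host selecting from AR.HZ_PARTIES gets the fail message above.
SELECT name, enabled, audit_options FROM dba_dv_realm WHERE name = 'Custom HR Data';
SELECT command, object_owner, object_name, rule_set_name, enabled
FROM   dba_dv_command_rule WHERE rule_set_name = 'App Server Only';
```

Test the rule expression from the application tier and from a workstation before enabling it in production: a factor that evaluates wrongly (for example a load balancer or connection pool that rewrites the client address) locks the application out, which is the reason the deck's best-practice slide asks for an emergency policy.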


Oracle Database Vault


GUI for administering, monitoring and reporting
  Database Vault Administrator (DVA)
  OEM Database Control
  OEM Grid Control
PL/SQL API (DBMS_MACADM)


Oracle Database Vault


Oracle Database Vault


Metalink note 428403.1
Prerequisites
Oracle E-Business Suite Release 12.0.4 or higher
Oracle E-Business Suite Release 12.1.1 or higher
Oracle E-Business Suite Release 11i 11.5.10.2 or
higher
Database Vault 11.2.0 is certified with R12


Oracle Database Vault


Install Options
Install Oracle Database Vault in the EBS database
Use a single installation of Database Vault to manage the EBS database
Install and register Database Vault with the database


Oracle Database Vault


Integration with EBS R12
Note 1091083.1
Set the database security initialization parameters:

REMOTE_LOGIN_PASSWORDFILE = EXCLUSIVE
REMOTE_OS_ROLES = FALSE
OS_ROLES = FALSE
O7_DICTIONARY_ACCESSIBILITY = FALSE
AUDIT_SYS_OPERATIONS = TRUE
SQL92_SECURITY = TRUE
OS_AUTHENT_PREFIX = ''


Oracle Database Vault


Apply R12 realm creation patches
Run scripts to create default realms that protect EBS schemas:
  E-Business Suite realm
  E-Business Suite realm: APPLSYS schema
  E-Business Suite realm: APPS schema
  E-Business Suite realm: APPLSYSPUB
  E-Business Suite realm: MSC
  CTXSYS data dictionary


Oracle Database Vault


Operation Impact
Affected DBA tasks that must be re-tested once Database Vault is enabled:
  Applying patches
  FNDCPASS (password changes)
  Cloning an instance
  Using Data Pump
  Integrating with other Oracle products
  RMAN and applying database patches


Oracle Database Vault


Performance Impact
Realms have minimal performance impact


Oracle Database Vault


Best practices
Document security policies
Test rules and rule sets thoroughly in non-production
Develop temporary or emergency (break-glass) policies before you need them


Oracle Database Vault vs VPD and OLS

Virtual Private Database (VPD) restricts a user to certain rows by appending a predicate to the WHERE clause
Oracle Label Security (OLS) mediates access to a given row based on the label on the row and the security level of the user
VPD and OLS restrict access at the row level.
Database Vault restricts access at the object and command levels.


Transparent Data Encryption


Encrypts data in the datafiles
Protects data if a disk drive, datafile or backup is compromised
Users with the right privileges are unaffected: Oracle transparently decrypts the data for them


Transparent Data Encryption


TDE column encryption introduced in 10gR2
TDE tablespace encryption introduced in 11gR1
Two-tier key architecture
  Table or tablespace key (encrypts the data)
  Unified master key (encrypts the table/tablespace keys; stored in the wallet)


Transparent Data Encryption


Implementation Steps: TDE column
Prepare a list of columns to encrypt
Create a wallet
Download and apply patch 7337863
For each column you want to encrypt, run the script to check it. The script returns an ALTER TABLE command or explains why the column cannot be encrypted.
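The steps above, carried through in 11g SQL as an added example (not the presentation's script, nor the one delivered by the patch): create and open the wallet, then run a pre-check that emits the ALTER TABLE for one column or explains why it cannot be encrypted, using the same conditions the deck's operation-impact slide lists (an existing index, the 3932-byte length threshold) plus the foreign-key restriction. The wallet directory, wallet password and the AP.AP_BANK_ACCOUNTS_ALL column are assumptions.

```sql
-- Added example, not from the presentation. 11g syntax; run in SQL*Plus as SYS/SYSTEM.
-- sqlnet.ora on the database tier (assumed path):
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/oracle/admin/EBS/wallet)))
SET SERVEROUTPUT ON

-- 1. Create the wallet and master key, then open it for this instance.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "W4llet-P@ss-Assumed";
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "W4llet-P@ss-Assumed";
SELECT wrl_parameter, status FROM v$encryption_wallet;        -- expect status OPEN

-- 2. Pre-check one candidate column and emit the ALTER TABLE, or say why not.
DECLARE
  v_owner   VARCHAR2(30) := 'AP';                       -- assumed candidate column
  v_table   VARCHAR2(30) := 'AP_BANK_ACCOUNTS_ALL';
  v_column  VARCHAR2(30) := 'BANK_ACCOUNT_NUM';
  v_max_len CONSTANT PLS_INTEGER := 3932;               -- length threshold from the deck
  v_type    VARCHAR2(30);
  v_len     NUMBER;
  v_idx     NUMBER;
  v_fk      NUMBER;
BEGIN
  SELECT data_type, data_length INTO v_type, v_len
  FROM   dba_tab_columns
  WHERE  owner = v_owner AND table_name = v_table AND column_name = v_column;

  SELECT COUNT(*) INTO v_idx
  FROM   dba_ind_columns
  WHERE  table_owner = v_owner AND table_name = v_table AND column_name = v_column;

  SELECT COUNT(*) INTO v_fk
  FROM   dba_constraints c
  JOIN   dba_cons_columns cc ON cc.owner = c.owner AND cc.constraint_name = c.constraint_name
  WHERE  c.constraint_type = 'R' AND c.owner = v_owner
  AND    c.table_name = v_table AND cc.column_name = v_column;

  IF v_type NOT IN ('VARCHAR2','NVARCHAR2','CHAR','NCHAR','NUMBER','DATE','RAW') THEN
    DBMS_OUTPUT.PUT_LINE('SKIP: ' || v_type || ' is not handled by this check');
  ELSIF v_fk > 0 THEN
    DBMS_OUTPUT.PUT_LINE('SKIP: foreign key columns cannot be encrypted');
  ELSIF v_len > v_max_len THEN
    DBMS_OUTPUT.PUT_LINE('SKIP: length ' || v_len || ' exceeds ' || v_max_len ||
                         ' (no room for the encryption overhead)');
  ELSIF v_idx > 0 THEN
    -- indexed columns must be encrypted NO SALT; the index then serves equality lookups only
    DBMS_OUTPUT.PUT_LINE('ALTER TABLE ' || v_owner || '.' || v_table || ' MODIFY (' ||
                         v_column || ' ENCRYPT USING ''AES256'' NO SALT);');
  ELSE
    DBMS_OUTPUT.PUT_LINE('ALTER TABLE ' || v_owner || '.' || v_table || ' MODIFY (' ||
                         v_column || ' ENCRYPT USING ''AES256'');');
  END IF;
END;
/

-- 3. After running the emitted statement, confirm what is now encrypted and how.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
WHERE  owner = 'AP';
```

Keep the wallet password and the wallet file out of the database backup set (the deck's operation-impact slide says the same): a backup that contains both the datafiles and the wallet is a cleartext backup.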


Transparent Data Encryption


Implementation Steps: TDE tablespace
Choose the master key storage method: Oracle Wallet or Hardware Security Module
Create new tablespaces with the ENCRYPTION clause
Use Data Pump export and import to move the data into the new tablespaces
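The tablespace procedure in 11g SQL, as an added example that is not from the presentation: create the encrypted tablespace, prove it is encrypted before moving anything, move the data and check that no segment is left behind in the cleartext tablespace. The Data Pump path the deck describes is shown as the expdp/impdp invocation in comments; the in-database ALTER TABLE ... MOVE shown for a single table is an alternative, not the deck's method. Tablespace names, the datafile path and AR.HZ_PARTIES are assumptions; the wallet-or-HSM choice is made in sqlnet.ora beforehand and does not change this SQL.

```sql
-- Added example, not from the presentation. 11g syntax; wallet must be open.

-- 1. Encryption is a property of the tablespace: everything created in it is
--    encrypted, with no per-column decisions and no length or index limits.
CREATE TABLESPACE apps_ts_tx_data_enc
  DATAFILE '/u02/oradata/EBS/apps_ts_tx_data_enc01.dbf' SIZE 2G AUTOEXTEND ON
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- 2. Verify before moving data: the tablespace must show up here as encrypted.
SELECT t.name, e.encryptionalg, e.encryptedts
FROM   v$tablespace t
JOIN   v$encrypted_tablespaces e ON e.ts# = t.ts#;

-- 3a. Move the data with Data Pump (the deck's method), run from the OS shell:
--   expdp system TABLES=AR.HZ_PARTIES DIRECTORY=DATA_PUMP_DIR DUMPFILE=hz_parties.dmp
--   impdp system DIRECTORY=DATA_PUMP_DIR DUMPFILE=hz_parties.dmp \
--         REMAP_TABLESPACE=APPS_TS_TX_DATA:APPS_TS_TX_DATA_ENC TABLE_EXISTS_ACTION=REPLACE

-- 3b. Alternative for a single table: rewrite it in place. Indexes on the
--     table become UNUSABLE and must be rebuilt (into an encrypted index
--     tablespace, assumed here to be apps_ts_tx_idx_enc).
ALTER TABLE ar.hz_parties MOVE TABLESPACE apps_ts_tx_data_enc;
SELECT 'ALTER INDEX ' || owner || '.' || index_name ||
       ' REBUILD TABLESPACE apps_ts_tx_idx_enc;' AS rebuild_stmt
FROM   dba_indexes
WHERE  table_owner = 'AR' AND table_name = 'HZ_PARTIES' AND status = 'UNUSABLE';

-- 4. Nothing belonging to the moved table may remain in the cleartext tablespace.
SELECT owner, segment_name, segment_type, tablespace_name
FROM   dba_segments
WHERE  owner = 'AR' AND segment_name = 'HZ_PARTIES';
```

Moving data is only half of it: the old datafiles, and any backup taken before the move, still hold the cleartext blocks, so the old tablespace has to be dropped (and its files overwritten or destroyed) and the pre-move backups retired on the same schedule as the compliance requirement that drove the encryption.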


Transparent Data Encryption


Performance Impact:
Column encryption: inserts, updates and queries that touch encrypted columns may slow by up to 5%. Severe degradation is possible if inappropriate columns are chosen (for example columns used in range scans or joins).
Tablespace encryption: performance penalty of up to 10%


Transparent Data Encryption


Operation Impact:
Back up the wallet, and keep it separate from the database backup
The wallet must be opened when the database is restarted
Column encryption
  Patches may fail if 1) an index is added to an encrypted column; 2) a column grows beyond the length threshold (3932)
  Not supported with Streams or Logical Standby (check whether Streams or Logical Standby is in use with your EBS instance)


Oracle Data Masking


OEM Data Masking Pack (OEM 10gR4 and later)
Replaces sensitive data with realistic-looking values in a non-production environment
Protects confidential information from being disclosed to unauthorized parties
Uses an irreversible process


Oracle Data Masking


Data Masking Pack features:
Maintains database referential integrity when masking
primary keys
Provides out-of-the-box data mask format library
View sample data before masking
Creates masking templates using the export mask
definition capability
Define once; execute multiple times


Oracle Data Masking


Data Masking Pack features:
Masking format libraries: a collection of ready-to-use masking formats.

Format   Data Type   Sample
SSN      Character   111-39-9600

Masking definitions: define a data masking operation to be implemented on one or more tables.
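What the SSN format and the "maintains referential integrity" feature on the previous slide amount to, shown as a hand-rolled PL/SQL version on constructed sample tables. This is an added example, not the Data Masking Pack's own implementation: it generates realistic-looking SSNs, maps each original value to exactly one masked value so joins across tables still work, and then makes the result irreversible by dropping the map. The demo_* tables, their rows and column names are constructed for this example.

```sql
-- Added example, not from the presentation; constructed tables and rows.
CREATE TABLE demo_people  (person_id NUMBER PRIMARY KEY, national_identifier VARCHAR2(11));
CREATE TABLE demo_payroll (pay_id    NUMBER PRIMARY KEY, national_identifier VARCHAR2(11));
INSERT INTO demo_people  VALUES (1,  '123-45-6789');
INSERT INTO demo_people  VALUES (2,  '987-65-4321');
INSERT INTO demo_payroll VALUES (10, '123-45-6789');
INSERT INTO demo_payroll VALUES (11, '123-45-6789');
INSERT INTO demo_payroll VALUES (12, '987-65-4321');
COMMIT;

-- 1. One mapping row per distinct original value. The UNIQUE constraint on the
--    masked side guarantees two different originals never collapse into one.
CREATE TABLE demo_ssn_map (
  orig_ssn   VARCHAR2(11) PRIMARY KEY,
  masked_ssn VARCHAR2(11) NOT NULL UNIQUE);

DECLARE
  v_masked VARCHAR2(11);
BEGIN
  FOR r IN (SELECT national_identifier AS ssn FROM demo_people
            UNION
            SELECT national_identifier FROM demo_payroll) LOOP
    LOOP
      -- Area 900-999 is never issued by the SSA, so a masked value can never
      -- equal a real person's SSN; group and serial avoid the invalid 00/0000.
      v_masked := TO_CHAR(900 + TRUNC(DBMS_RANDOM.VALUE(0, 100)), 'FM000')  || '-' ||
                  TO_CHAR(1   + TRUNC(DBMS_RANDOM.VALUE(0, 99)),  'FM00')   || '-' ||
                  TO_CHAR(1   + TRUNC(DBMS_RANDOM.VALUE(0, 9999)),'FM0000');
      BEGIN
        INSERT INTO demo_ssn_map VALUES (r.ssn, v_masked);
        EXIT;                                      -- unique masked value stored
      EXCEPTION
        WHEN DUP_VAL_ON_INDEX THEN NULL;           -- collision on masked_ssn: draw again
      END;
    END LOOP;
  END LOOP;
END;
/

-- 2. Apply the same map to every table that carries the value (this is the
--    referential-integrity property: 123-45-6789 becomes the same string everywhere).
UPDATE demo_people p SET national_identifier =
  (SELECT m.masked_ssn FROM demo_ssn_map m WHERE m.orig_ssn = p.national_identifier);
UPDATE demo_payroll p SET national_identifier =
  (SELECT m.masked_ssn FROM demo_ssn_map m WHERE m.orig_ssn = p.national_identifier);
COMMIT;

-- 3. Check: the join still works on masked values (person 1 -> 2 payroll rows,
--    person 2 -> 1 row) and no original value survives anywhere.
SELECT p.person_id, COUNT(*) AS payroll_rows
FROM   demo_people p
JOIN   demo_payroll y ON y.national_identifier = p.national_identifier
GROUP  BY p.person_id;
SELECT COUNT(*) AS leaked
FROM   demo_people
WHERE  national_identifier IN ('123-45-6789', '987-65-4321');   -- expect 0

-- 4. Irreversible: the map is the only way back, so destroy it (PURGE skips the recycle bin).
DROP TABLE demo_ssn_map PURGE;
```

Two things the pack handles that this sketch does not: undo/redo and archive logs written during the UPDATEs still contain the original values (the deck's performance slide notes that the pack disables logging for this reason), and a masking run that touches a primary key must update every child table in one transaction or the clone is left inconsistent.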


Data Masking Workflow


Oracle Data Masking


Performance Impact
Takes advantage of built-in database optimizations:
  Disables database logging (NOLOGGING) during the masking run
  Runs in parallel


Oracle Data Masking


Operation Impact
Change in the cloning process; the masking step sits between production and any environment developers or testers can reach:
  Prod -> Staging (mask) -> Test
  Prod -> Staging (mask, then use Staging as Test)


OEM Data Masking vs Application Management Pack for EBS


Questions


Contact
Lucy Feng
720.475-8600
lfeng@dbaknow.com
Presentation available at:
www.dbaknow.com/downloads

www.dbaknow.com
