Copyright © 2015, Oracle and/or its affiliates. All rights reserved.
Mask and Subset Sensitive Data
For Test/Dev Databases on Premise or in the Cloud
Dinesh Rajasekharan, Senior Product Manager, Oracle Database Security
Seenu Santhalingam, Senior Oracle Applications Database Architect, Integra LifeSciences Corporation

Program Agenda
1 Product overview
2 What’s new
3 Customer case study
4 Q & A

Proliferation of Sensitive Data Increases Security Risks
• Testing
• Development
• Partners
• Research
• Cloud
• Demo
• Analytics
• Training

Compliance Drivers
• HIPAA (The Health Insurance Portability and Accountability Act of 1996): The removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required
• European Data Protection Directive: The data subject shall have the right to obtain from the controller the rectification of personal data relating to them which are inaccurate.
• PCI DSS v3.0 November 2013: 6.4.3 Production data (live PANs) should not be used for testing or development purposes.
• … and more

Solution Requirements and Challenges
• Main Requirements
 – Replace sensitive with fictitious data before sharing
 – Extract relevant data
 – Discard unneeded sensitive data
 – Meet compliance requirements
• Key Challenges
 – Discover sensitive data
 – Preserve application integrity
 – Provide common masking formats and goal-based subsetting
 – Provide integrated solution
Data Masking and Subsetting

Oracle Data Masking and Subsetting Pack
Reduces Risk in Sharing by Obfuscating or Removing Sensitive Data
• Discover Sensitive Data
• Mask Data using Format Library
• Subset Based on Goal/Condition
• Mask/Subset in Export or on Staging
• Modeling Application Data
• Mask in Workload Captures & Clones
• Pre-installed in Enterprise Manager
[Figure: Production SSN and Credit Card values (for example SSN 463-62-9832, Credit Card 3715-4691-3277-8399) appear in Test/Dev as fictitious values such as 555-12-1234 and 5555-5555-5555-4444]

Application Data Modeling
Sensitive Data Discovery
• Sensitive Columns
• Data Relationships
• Automated Discovery
• Metadata

Extensive Masking Format Library
• Provides common masking formats
• Supports custom masking formats
 – Random numbers/strings/dates
 – Substitute
 – User defined PL/SQL function
 – … and more
• Generates sample masked values
• Templates for specific versions of E-Business Suite and Fusion Applications

Masking Examples
• Mask Based on Condition
 – Before (Country, Identifier): CA 226-956-324; US 610-02-9191; UK JX 75 67 44 C
 – After (Country, Identifier): CA 368-132-576; US 829-37-4729; UK AI 80 56 31 D
• Generate Deterministic Output
 – Before (Emp ID, First Name): 324 Albert; 986 Hussain
 – After in HR (Emp ID, First Name): 324 Charlie; 986 Murali
 – After in FIN (Emp ID, First Name): 324 Charlie; 986 Murali
• Generate Random Values Preserving Format
 – Before (Company, Closing Price): IBFG $36.92; XKJU ¥789.8
 – After (Company, Closing Price): IBFG $89.57; XKJU ¥341.9
• Shuffle Records (Health Records)
• Mask Operating System Files stored as Blobs
 – Before: BLOB 31789734566509876745
 – Search: [0-9]{10}  Replace: *
 – After: BLOB ********************
• and more …
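
The masking behaviours on this slide, sketched as an added Python example (not Oracle's implementation and not code from the presentation): format-preserving random values, deterministic keyed substitution, conditional masking, and the `[0-9]{10}` search/replace over a BLOB. The key, the name list, the function names and the fallback rule are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets
import string

# Constructed values for this example (assumptions, not product defaults).
MASK_KEY = b"example-masking-key-kept-outside-test-dev"
FIRST_NAMES = ["Charlie", "Murali", "Dana", "Ingrid", "Tomas", "Wei", "Amara", "Noor"]


def mask_preserving_format(value: str) -> str:
    """Swap each ASCII digit/letter for a random one of the same class;
    punctuation, spacing, currency symbols and length stay unchanged."""
    pools = (string.digits, string.ascii_uppercase, string.ascii_lowercase)
    out = []
    for ch in value:
        pool = next((p for p in pools if ch in p), None)
        out.append(secrets.choice(pool) if pool else ch)
    return "".join(out)


def mask_deterministic(value: str, choices=FIRST_NAMES, key: bytes = MASK_KEY) -> str:
    """Keyed substitution: the same input always maps to the same substitute,
    so separately masked databases (HR, FIN) still join on the masked value."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return choices[int.from_bytes(digest[:8], "big") % len(choices)]


def mask_digit_runs(blob: bytes, run_length: int = 10) -> bytes:
    """Search [0-9]{run_length} and overwrite every matched byte with '*',
    which keeps the file length and offsets intact."""
    pattern = re.compile(rb"[0-9]{%d}" % run_length)
    return pattern.sub(lambda m: b"*" * len(m.group()), blob)


def mask_by_condition(country: str, identifier: str) -> str:
    """Conditional masking: the rule is chosen from another column's value."""
    if country in ("CA", "US", "UK"):
        return mask_preserving_format(identifier)
    return "*" * len(identifier)  # assumed fallback for countries not listed
```

Per-character random masking does not guarantee distinct outputs, so a column under a unique or primary key constraint needs a rule that does.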

Goal or Condition Based Subsetting
[Figure: subset targets of 100%, 25% and 10%, shown as Relative Database Size (1024 GB, 256 GB, 102 GB) and Relative Table Size (100M Rows, 20M Rows, 2M Rows)]
• Condition Based: Extract ASIA Sales

Deployment Options
• In-Database (Production => Staging => Test/Dev): Minimal impact on the production environment
• In-Export (Production => Export => Test/Dev): Sensitive data remains within the production perimeter

Improvements in Automation and Performance
• Automated initialization
 – Setup packages are deployed automatically on target databases
• Performance improvements
 – 30% overall improvement
 – 60% reduced time for Encrypt masking format
 – Extensible parallelism support for subsetting

Oracle Data Masking and Subsetting Journey to the Cloud
• On-Premise
• Oracle Cloud
• Hybrid
Improve Security and Save on Storage Cost

Mask/Subset on Premise and Upload to the Cloud
• Clone => Mask/Subset => Upload
• Extract => Mask/Subset => Upload
On Premise => Oracle Database Cloud Service (PaaS)

Mask/Subset in the Cloud
• Clone & Mask PDB to the Cloud
• Mask/Subset in the Cloud
On Premise => Oracle Database Cloud Service (PaaS)
Demonstration

Integra LifeSciences
• Who we are
 – A world leader in medical technology and devices
 – Founded in 1989 and headquartered in Plainsboro, New Jersey
 – 3,500 employees worldwide
• What we do
 – Offer a broad portfolio of implants, devices, instruments and systems used in orthopedic, surgery (general, neuro, reconstructive), neuromonitoring, neurotrauma, critical care, and more
• Our mission
 – Provide best patient care by limiting uncertainty for surgeons

Requirements and Challenges
• Business drivers
 – Achieve data privacy and compliance in outsourced test and development environments by limiting sensitive data (PII) propagation
• Challenges with home-grown scripts
 – Added performance overhead to the data provisioning process by taking 5 hours to mask a few sensitive columns
 – Added operational overhead to the DBA team due to the manual and cumbersome process of updating indexes and constraints post masking
 – Increased IT costs due to delayed test and development cycles
 – Limited resources to support and maintain the masking code

Why Oracle Data Masking and Subsetting
• Automates most of the masking process which can be repeated on multiple test and development databases
• Provides comprehensive masking templates for Oracle E-Business Suite (EBS) without additional cost
• Comes pre-installed with Oracle Enterprise Manager
• Integrates with Oracle EBS R12 Application Management Pack for automated smart cloning
• Integrates with other Oracle Database Security products such as Advanced Security and Database Vault

The Verdict
• Environment
 – Oracle E-Business Suite (EBS) R12 running on Intel x86-64 platform with 24 CPUs and 256 GB of primary memory
 – 8 development and test instances of EBS
 – 1.8 TB of database per instance
• Results
 – Masked using Oracle EBS Data Masking templates (Doc ID 1481916.1)
 – Overall masking time is reduced to 45 minutes from 5 hours
• Benefits
 – Minimized security risk by masking a broad range of sensitive elements
 – Lowered IT costs due to improved production to dev/test provisioning time
 – Increased efficiency of DBA team and process due to minimized operation overhead

Connect With Us
• oracle.com/database/security
• oracle.com/technetwork/database/security
• /OracleDatabase
• /OracleSecurity
• blogs.oracle.com/SecurityInsideOut
• blogs.oracle.com/datamasking
• Oracle Database Insider
• /Oracle/database
• /OracleLearning

Defense-in-Depth Security Controls
• EVALUATE: Sensitive Data Discovery, Least Privilege Use, Security Configuration
• DETECT: Auditing, Activity Monitoring, Alerting & Reporting
• PROTECT: Masking & Subsetting, DBA & Operational Controls, Encryption & Redaction

Oracle Database Security Sessions at OpenWorld 2015
Session Title: Speaker; Time and Location
• What’s New in Oracle Database Security [CON6819]: Vipin Samar; October 26, 4:00 pm - 4:45 pm | Moscone South—303
• Oracle Audit Vault and Database Firewall—Detect Breaches and Prevent Attacks [CON8668]: Andrey Brozhko; October 26, 5:15 pm - 6:00 pm | Moscone South—301
• Oracle Database Maximum Security Architecture—Protecting Critical Data Assets [CON8803]: Scott Rotondo; October 27, 12:15 pm - 1:00 pm | Moscone South—303
• Mask and Subset Sensitive Data for Test/Dev Databases On Premises or in the Cloud [CON8625]: Dinesh Rajasekharan; October 27, 5:15 pm - 6:00 pm | Moscone South—308
• Oracle Database Vault—Shrinking the Attack Surface for Your Application [CON8624]: Alan Williams; October 28, 1:45 pm - 2:30 pm | Moscone South—254
• Oracle Advanced Security—Enterprise-Grade Encryption for Your Sensitive Data [CON8563]: Todd Bottger; October 28, 4:15 pm - 5:00 pm | Moscone South—104
• Managing Advanced Security Database Encryption Keys with Oracle Key Vault [CON8562]: Saikat Saha; October 29, 10:45 am - 11:30 am | Moscone South—254
• Oracle Database Security Customer Panel: Strategies and Best Practices [CON8655]: Troy Kitch (Moderator); October 29, 1:15 pm - 2:00 pm | Moscone South—254

Oracle Database Security HOLs at OpenWorld 2015
HOL Title: Speaker; Time and Location
• Database Security: Preventing and Detecting Privileged User Attacks [HOL10437]: Andrey Brozhko, Alan Williams; Oct 26, 12:30 p.m. | Hotel Nikko—Golden Gate (25th Floor)
• Database Security: Preventing and Detecting Privileged User Attacks [HOL10437]: Andrey Brozhko, Alan Williams; Oct 27, 5:30 p.m. | Hotel Nikko—Golden Gate (25th Floor)
• Minimize Security Risks by Masking and Subsetting Sensitive Data in Test and Development [HOL10507]: Dinesh Rajasekharan; Oct 28, 1:15 p.m. | Hotel Nikko—Bay View (25th Floor)
• Minimize Security Risks by Masking and Subsetting Sensitive Data in Test and Development [HOL10507]: Dinesh Rajasekharan; Oct 29, 9:30 a.m. | Hotel Nikko—Bay View (25th Floor)

Oracle Database Security Demo Grounds
Demo Booth Title: Location
• Oracle Database Encryption and Key Management: Moscone South Upper Left, Database SLD-019
• Mask and Subset Sensitive Data for Nonproduction Databases: Moscone South Upper Left, Database SLD-020
• Auditing and Monitoring Databases: Moscone South Upper Left, Database SLD-021
• Database Security for Application Developers: Moscone South Upper Left, Database SLD-022