Mask and Subset Sensitive Data For Test/Dev Databases on Premise or in the Cloud

Dinesh Rajasekharan, Senior Product Manager, Oracle Database Security
Seenu Santhalingam, Senior Oracle Applications Database Architect, Integra LifeSciences Corporation

Copyright © 2015, Oracle and/or its affiliates. All rights reserved.


Program Agenda
Mask and Subset Sensitive Data

1. Product overview
2. What’s new
3. Customer case study
4. Q & A


Proliferation of Sensitive Data Increases Security Risks

• Testing
• Development
• Partners
• Research
• Cloud
• Demo
• Analytics
• Training


Compliance Drivers

• HIPAA (The Health Insurance Portability and Accountability Act of 1996): "The removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required"
• European Data Protection Directive: "The data subject shall have the right to obtain from the controller the rectification of personal data relating to them which are inaccurate."
• PCI DSS v3.0, November 2013: "6.4.3 Production data (live PANs) should not be used for testing or development purposes."
• … and more


Solution Requirements and Challenges

Key Challenges
• Discover sensitive data
• Preserve application integrity
• Provide common masking formats and goal-based subsetting
• Provide integrated solution

Main Requirements
• Replace sensitive with fictitious data before sharing
• Extract relevant data
• Discard unneeded sensitive data
• Meet compliance requirements

Data Masking and Subsetting


Oracle Data Masking and Subsetting Pack
Reduces Risk in Sharing by Obfuscating or Removing Sensitive Data

• Discover Sensitive Data
• Mask Data using Format Library
• Subset Based on Goal/Condition
• Mask/Subset in Export or on Staging
• Modeling Application Data
• Mask in Workload Captures & Clones
• Pre-installed in Enterprise Manager

[Figure: Production holds real values (e.g. SSN 463-62-9832, Credit Card 3715-4691-3277-8399); Test/Dev receives fictitious replacements (555-12-1234, 5555-5555-5555-4444).]


Application Data Modeling
Sensitive Data Discovery

• Sensitive Columns
• Data Relationships
• Automated Discovery
• Metadata


Extensive Masking Format Library

• Provides common masking formats
• Supports custom masking formats
  – Random numbers/strings/dates
  – Substitute
  – User defined PL/SQL function
  – … and more
• Generates sample masked values
• Templates for specific versions of E-Business Suite and Fusion Applications


Masking Examples

• Generate Random Values Preserving Format
• Generate Deterministic Output
• Mask Based on Condition
• Mask Operating System Files stored as Blobs
• Shuffle Records
• and more …

Panel labels on the slide: HR, FIN, Health Records

Country   Identifier (original)   Identifier (masked)
CA        226-956-324             368-132-576
US        610-02-9191             829-37-4729
UK        JX 75 67 44 C           AI 80 56 31 D

Emp ID    First Name (original)   First Name (masked, shown twice on the slide)
324       Albert                  Charlie
986       Hussain                 Murali

Company   Closing Price (original)   Closing Price (masked)
IBFG      $36.92                     $89.57
XKJU      ¥789.8                     ¥341.9

BLOB (original): 31789734566509876745
Search : [0-9]{10}
Replace : *
BLOB (masked):   ********************
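The deterministic, format-preserving and blob-masking behaviours on this slide can be sketched in a few lines. This is an added example, not Oracle's implementation or code from the presentation; the HMAC-SHA-256 construction, `MASK_KEY`, `FIRST_NAMES` and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import re

MASK_KEY = b"constructed-demo-key"  # assumption: a secret that never reaches test/dev
FIRST_NAMES = ["Charlie", "Murali", "Dana", "Ines", "Tomas", "Wei"]  # constructed list

def _byte_stream(value, context):
    """Endless keyed byte stream that depends only on (key, context, value)."""
    counter = 0
    while True:
        msg = f"{context}|{value}|{counter}".encode()
        yield from hmac.new(MASK_KEY, msg, hashlib.sha256).digest()
        counter += 1

def _draw(stream, n):
    """Return an unbiased integer in [0, n) using rejection sampling."""
    limit = 256 - (256 % n)
    for byte in stream:
        if byte < limit:
            return byte % n

def mask_preserving_format(value, context):
    """Replace each ASCII digit/letter; keep separators, length and case."""
    stream = _byte_stream(value, context)
    out = []
    for ch in value:
        if ch.isascii() and ch.isdigit():
            out.append(str(_draw(stream, 10)))
        elif ch.isascii() and ch.isalpha():
            letter = chr(ord("a") + _draw(stream, 26))
            out.append(letter.upper() if ch.isupper() else letter)
        else:
            out.append(ch)
    return "".join(out)

def substitute(value, choices, context):
    """Deterministic substitution: the same input always maps to the same choice."""
    return choices[_draw(_byte_stream(value, context), len(choices))]

DIGIT_RUN = re.compile(rb"[0-9]{10}")  # the search pattern shown on the slide

def mask_blob(blob):
    """Overwrite every matched digit, so the blob keeps its length and offsets."""
    return DIGIT_RUN.sub(lambda m: b"*" * len(m.group()), blob)

def mask_names(rows):
    """Mask the first-name column of (emp_id, first_name) rows."""
    return {emp: substitute(name, FIRST_NAMES, "FIRST_NAME") for emp, name in rows}

if __name__ == "__main__":
    hr = [(324, "Albert"), (986, "Hussain")]    # sample rows from the slide
    fin = [(986, "Hussain"), (324, "Albert")]   # same people in a second schema
    assert mask_names(hr) == mask_names(fin)    # joins on masked data still line up
    for ident in ("226-956-324", "610-02-9191", "JX 75 67 44 C"):
        print(ident, "->", mask_preserving_format(ident, "NATIONAL_ID"))
    print(mask_blob(b"31789734566509876745"))   # 20 asterisks: one per digit
```

The mapping is not guaranteed to be one-to-one, so columns with unique constraints need a collision check after masking.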


Goal or Condition Based Subsetting

• Relative Database Size: 100% = 1024 GB, 25% = 256 GB, 10% = 102 GB
• Relative Table Size: 100M Rows, 20M Rows, 2M Rows
• Condition Based: Extract ASIA Sales


Deployment Options

• In-Database: Production => Staging => Test/Dev
  – Minimal impact on the production environment
• In-Export: Production => Export => Test/Dev
  – Sensitive data remains within the production perimeter


Improvements in Automation and Performance

• Automated initialization
  – Setup packages are deployed automatically on target databases
• Performance improvements
  – 30% overall improvement
  – 60% reduced time for Encrypt masking format
  – Extensible parallelism support for subsetting


Oracle Data Masking and Subsetting Journey to the Cloud

• On-Premise
• Oracle Cloud
• Hybrid

Improve Security and Save on Storage Cost


Mask/Subset on Premise and Upload to the Cloud

• On Premise: Clone => Mask/Subset => Upload to Oracle Database Cloud Service (PaaS)
• On Premise: Extract => Mask/Subset => Upload to Oracle Database Cloud Service (PaaS)


Mask/Subset in the Cloud

• Clone & Mask PDB to the Cloud
• Mask/Subset in the Cloud

[Figure: On Premise databases and Oracle Database Cloud Service (PaaS)]


Demonstration


Integra LifeSciences

• Who we are
  – A world leader in medical technology and devices
  – Founded in 1989 and headquartered in Plainsboro, New Jersey
  – 3,500 employees worldwide
• What we do
  – Offer a broad portfolio of implants, devices, instruments and systems used in orthopedic, surgery (general, neuro, reconstructive), neuromonitoring, neurotrauma, critical care, and more
• Our mission
  – Provide best patient care by limiting uncertainty for surgeons


Requirements and Challenges

• Business drivers
  – Achieve data privacy and compliance in outsourced test and development environments by limiting sensitive data (PII) propagation
• Challenges with home grown scripts
  – Added performance overhead to the data provisioning process by taking 5 hours to mask a few sensitive columns
  – Added operational overhead to the DBA team due to the manual and cumbersome process of updating indexes and constraints post masking
  – Increased IT costs due to delayed test and development cycles
  – Limited resources to support and maintain the masking code


Why Oracle Data Masking and Subsetting

• Automates most of the masking process which can be repeated on multiple test and development databases
• Provides comprehensive masking templates for Oracle E-Business Suite (EBS) without additional cost
• Comes pre-installed with Oracle Enterprise Manager
• Integrates with Oracle EBS R12 Application Management Pack for automated smart cloning
• Integrates with other Oracle Database Security products such as Advanced Security and Database Vault


The Verdict

• Environment
  – Oracle E-Business Suite (EBS) R12 running on Intel x86-64 platform with 24 CPUs and 256 GB of primary memory
  – 8 development and test instances of EBS
  – 1.8 TB of database per instance
• Results
  – Masked using Oracle EBS Data Masking templates (Doc ID 1481916.1)
  – Overall masking time is reduced to 45 minutes from 5 hours
• Benefits
  – Minimized security risk by masking a broad range of sensitive elements
  – Lowered IT costs due to improved production to dev/test provisioning time
  – Increased efficiency of DBA team and process due to minimized operation overhead


Connect With Us

• oracle.com/database/security
• oracle.com/technetwork/database/security
• /OracleDatabase
• /OracleSecurity
• blogs.oracle.com/SecurityInsideOut
• blogs.oracle.com/datamasking
• Oracle Database Insider
• /Oracle/database
• /OracleLearning


Defense-in-Depth Security Controls

EVALUATE
• Sensitive Data Discovery
• Least Privilege Use
• Security Configuration

DETECT
• Auditing
• Activity Monitoring
• Alerting & Reporting

PROTECT
• Masking & Subsetting
• DBA & Operational Controls
• Encryption & Redaction


Oracle Database Security Sessions at OpenWorld 2015

• What’s New in Oracle Database Security [CON6819]. Speaker: Vipin Samar. Time and location: October 26, 4:00 pm - 4:45 pm | Moscone South—303
• Oracle Audit Vault and Database Firewall—Detect Breaches and Prevent Attacks [CON8668]. Speaker: Andrey Brozhko. Time and location: October 26, 5:15 pm - 6:00 pm | Moscone South—301
• Oracle Database Maximum Security Architecture—Protecting Critical Data Assets [CON8803]. Speaker: Scott Rotondo. Time and location: October 27, 12:15 pm - 1:00 pm | Moscone South—303
• Mask and Subset Sensitive Data for Test/Dev Databases On Premises or in the Cloud [CON8625]. Speaker: Dinesh Rajasekharan. Time and location: October 27, 5:15 pm - 6:00 pm | Moscone South—308
• Oracle Database Vault—Shrinking the Attack Surface for Your Application [CON8624]. Speaker: Alan Williams. Time and location: October 28, 1:45 pm - 2:30 pm | Moscone South—254
• Oracle Advanced Security—Enterprise-Grade Encryption for Your Sensitive Data [CON8563]. Speaker: Todd Bottger. Time and location: October 28, 4:15 pm - 5:00 pm | Moscone South—104
• Managing Advanced Security Database Encryption Keys with Oracle Key Vault [CON8562]. Speaker: Saikat Saha. Time and location: October 29, 10:45 am - 11:30 am | Moscone South—254
• Oracle Database Security Customer Panel: Strategies and Best Practices [CON8655]. Speaker: Troy Kitch (Moderator). Time and location: October 29, 1:15 pm - 2:00 pm | Moscone South—254


Oracle Database Security HOLs at OpenWorld 2015

• Database Security: Preventing and Detecting Privileged User Attacks [HOL10437]. Speakers: Andrey Brozhko, Alan Williams. Time and location: Oct 26, 12:30 p.m. | Hotel Nikko—Golden Gate (25th Floor)
• Database Security: Preventing and Detecting Privileged User Attacks [HOL10437]. Speakers: Andrey Brozhko, Alan Williams. Time and location: Oct 27, 5:30 p.m. | Hotel Nikko—Golden Gate (25th Floor)
• Minimize Security Risks by Masking and Subsetting Sensitive Data in Test and Development [HOL10507]. Speaker: Dinesh Rajasekharan. Time and location: Oct 28, 1:15 p.m. | Hotel Nikko—Bay View (25th Floor)
• Minimize Security Risks by Masking and Subsetting Sensitive Data in Test and Development [HOL10507]. Speaker: Dinesh Rajasekharan. Time and location: Oct 29, 9:30 a.m. | Hotel Nikko—Bay View (25th Floor)


Oracle Database Security Demo Grounds

• Oracle Database Encryption and Key Management. Location: Moscone South Upper Left, Database SLD-019
• Mask and Subset Sensitive Data for Nonproduction Databases. Location: Moscone South Upper Left, Database SLD-020
• Auditing and Monitoring Databases. Location: Moscone South Upper Left, Database SLD-021
• Database Security for Application Developers. Location: Moscone South Upper Left, Database SLD-022


[Map: demo booths SLD-019, SLD-020, SLD-021 and SLD-022 at Moscone South]


Keep Learning with Oracle University

• Classroom Training
• Learning Subscription
• Live Virtual Class
• Training On Demand

Subject areas: Cloud, Technology, Applications, Industries

education.oracle.com


Session Surveys

Help us help you!!
• The [Program Committee J1] [organizing committee OW] would like to invite you to take a moment to give us your session feedback. Your feedback will help us to improve your conference.
• Please be sure to add your feedback for your attended sessions by using the Mobile Survey or in Schedule Builder.
