Oracle Data Masking

Interested in learning
more about security?
SANS Institute
InfoSec Reading Room
This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission.
Oracle Data Masking
Copyright SANS Institute
Author Retains Full Rights

SANS Institute Product Review:
Oracle Data Masking
January 2012
A SANS Whitepaper
Written by: Tanya Baccam
Setup and Overview Page 2
Data Masking Format Library Page 3
Masking Sensitive Data Page 6
Sponsored by Oracle

Introduction
Data masking helps protect private and confidential data by replacing sensitive information, such as phone
numbers and Social Security numbers, salary data, health care information and other personal data, with
dummy data. If there was an exposure, the real data is never actually compromised. Data masking has the
specific goal of protecting the original production data from individuals that do not need real data to perform
their tasks.
For example, in a research project where data that is tied to a specific person is not required, data masking
can remove and replace this information with de-identified or“dummy”data. Similarly, in development and
testing environments, data masking enables application development and test personnel to use realistic data
without unnecessarily exposing the original production data itself.
There are many cases where data masking would have protected database data from outright exposure.
Recently, Telstra, an Australian-based telecommunications company, inadvertently exposed 60,000 customer
last names, notes about their accounts, as well as their phone, billing account and Salesforce numbers via
Google search.1
Telstra’s internal search tool had been indexed by Google and made public, so the confidential
information was easily retrieved via a simple Google Search on those types of number sets. In a similar
example involving Yale University, data on 43,000 Yale affiliates was searchable through Google, as reported in
June of 2011.2
Yale’s IT team had failed to update its FTP servers after a change in Google Search caused FTP
data to be searchable. In both cases, if data were masked to all but those with a specific need to know, the real
data would have been protected.
For this reason, laws such as Sarbanes-Oxley, Payment Card Industry (PCI) Data Security Standard (DSS), and
the Health Insurance Portability and Accountability Act (HIPAA), as well as many state privacy laws, include
rules for restricting the use of actual customer data. Oracle Data Masking can assist with compliance for any of
these standards and laws.
This paper is a review of Oracle Data Masking, which comes with a number of formats to mask. Custom
formats can also be created for any data types that do not have predefined masks provided by Oracle Data
Masking. In this paper, we investigate the process of implementing and using data masking to mask specific
confidential data types within Oracle Database 11g.
SANS Analyst Program 1 Oracle Data Masking
1 www.zdnet.com.au/telstra-exposes-customer-information-339327696.htm
2 www.yaledailynews.com/news/2011/aug/26/breach-put-yalies-ssns-in-google-searches/

Setup and Overview
Oracle Data Masking is part of Oracle’s portfolio of database security solutions. It can be used to mask data in
Oracle and non-Oracle databases; however, for purposes of this review we used Oracle Database 11g managed
by Oracle Enterprise Manager.
Oracle Data Masking helps organizations comply with data privacy requirements and other requirements that
restrict the use of actual customer data. This can be very beneficial for data used in testing and development
environments, as well as by outsource vendors or offshore partners for nonproduction data purposes.
In order to test Oracle Data Masking, the first goal was to understand how to utilize data masking templates
from the Oracle Data Masking library of existing templates. We also developed customized templates using
the Oracle Data Masking user interface. The data tested included information such as employee ID, phone
number and salary. Next, we reviewed the process of de-identification. The goal was to de-identify the
employee ID, phone number and salary data using either one of the templates from Oracle’s format library or a
customized template to transform the data consistently.

Data Masking Format Library
The first step in utilizing data masking is to identify the masks needed for the type of data fields being
protected. Oracle Data Masking comes with a library of common masks that can be leveraged. To begin
the evaluation, we observed the masks provided by Oracle Data Masking by logging into Oracle Enterprise
Manager and clicking on Targets, Databases, and then Data Masking Format Library. As shown in Figure 1,
common masks such as Social Security, phone and credit card numbers are provided in the default format
library.
Figure 1: Data Masking Format Library

Data Masking Format Library (CONTINUED)
You can also create Custom Data Mask Formats through the interface. In order to test the creation of a
customized format, we created a new format that included the months of the year. Using the Create Format
option we named the new format Months, and then selected Array List to provide a list of values. Figure 2
shows the options selected.
Figure 2: Creating a Format Mask

Once we named the list and clicked the Go button, we could easily add a list of comma-separated values to
build the array, as shown in Figure 3.
Figure 3: Building the Array

After creating the format, we began the process of exporting the new mask format into a portable XML file by
selecting the mask from the Format Library Screen and clicking the Export button, as shown in Figure 4. This
created an XML file that could then be imported into other Oracle Enterprise Manager environments.
Figure 4: Exporting a Masking Format
Overall, the process of selecting, creating, exporting and importing masks was straightforward. The more
challenging and time-consuming part of using the masks is determining what data needs to be masked and
what manner to format it in. In other words, an administrator would need to know where the data exists that
needs to be masked, and then specify the format mask for each column that requires masking.
Oracle has released a new version of Oracle Data Masking3
that provides new tools to help administrators discover
sensitive data. Although not available at the time of this review, these new application data modeling and sensitive
data discovery capabilities should greatly reduce the time it takes for organizations to deploy data masking.
Once the administrator has accomplished the tasks of identifying and classifying sensitive data in applications,
the process of actually setting up the masks is relatively simple. Once you have set up masks, the data can be
exported and de-identified as many times as needed by using the definitions in place.
3 www.oracle.com/us/corporate/press/512168

Masking Sensitive Data
After setting up the mask format library, it was time to actually mask the selected sensitive data types. The
first step was to create a data masking definition by clicking the New button on the Data Masking Definitions
screen. This began the process of masking data. In this case, we created a mask definition titled
EMPLOYEE_DATA_MASK as shown in Figure 5.
Figure 5: Creating an Employee Data Mask

Masking Sensitive Data (CONTINUED)
To add a column to be masked, we clicked the Add button. We also specified the login credentials required to
access the database and specified the search criterion to determine the column to be masked, in this case, the
EMPLOYEE_ID column, as shown in Figure 6.
Figure 6: Selecting the Column to be Masked
Once we selected the column to be added, the associated foreign key columns were automatically listed.
In other words, if a customer ID were 101 in one table, and data masking changed the customer ID to 736
for data masking, all customer ID records (including those in other tables with foreign key relationships)
would also be changed from 101 to 736. This provides referential integrity and ensures the ability to track all
associated records. Optionally, we could have added more columns if the built-in foreign key relationships
had not been defined in the database.

Next, we specified a format for the EMPLOYEE_ID column by selecting the Format icon shown in Figure 7.
Figure 7: Setting Up the Column Masking Definition

After selecting the Format icon, we had multiple options available to mask the column data. We could use
either an existing mask format from the library via the Import option or an option from the drop-down list to
create a custom mask format. In this case, we selected the Random Number option, as highlighted in Figure
8.This allowed data masking to generate a random number for the EMPLOYEE_ID field. The appropriate
range of values was then entered.
Figure 8: Selecting the Format Entry
In addition to masking the EMPLOYEE_ID column, we also added the PHONE_NUMBER and SALARY columns
to be masked, and a mask format was defined for each. For the phone number field, we selected the Import
Format option and used the Bay Area Phone Number mask so that all the phone numbers would contain a
408, 415, 650, 925 or other area code from the San Francisco Bay area. The ability to regionalize area codes
and other masking features may be needed to make the replaced data realistic and useful for testing. For the
SALARY field, we used the Shuffle option for the format entry so the original data could no longer be mapped
to the appropriate record.

By going through these steps, we created a Data Masking Definition. Based on the definition, a script could be
generated as shown in Figure 9.
Figure 9: Script Generation

Once the script was generated, we ran the masking operation by selecting the Schedule Job option, as shown
in Figure 10.
Figure 10: Scheduling the Masking Job

We compared the data from before and after the masking was applied, with special attention given to a couple
of records to note the results of the masking process. Figure 11 reveals the original records’representation
without masking.
Figure 11: Original Data before Masking

As shown in Figure 11, Donald OConnell and Douglas Grant were two of the original records. We also viewed
these records after the masking, and the new records showed the data noted in Figure 12.
Figure 12: Data after Masking
Note that the fields, including the EMPLOYEE_ID, PHONE_NUMBER and SALARY fields, were successfully
masked by replacing the real data in those fields. The EMPLOYEE_ID field was set to a six-digit value based on
the masking criteria, and the PHONE_NUMBER field was set to a masked value with area codes from the San
Francisco Bay area. Finally, the SALARY field was shuffled so the original data could no longer be mapped to
the appropriate record. As a result of this masking effort, each of these data elements has been protected, and
yet the data can be used as realistic data for testing purposes.

Conclusion
Oracle Data Masking is a strong component of Oracle’s Database Security solution, which includes products
for data encryption, privileged user access control, centralized auditing and reporting, and database activity
monitoring and blocking.
During this review, masking data within Oracle Database 11g was straightforward, automatic and repeatable
across other Oracle systems. The most challenging part of this process was identifying the data to mask and
deciding how to mask it. In a small testing environment, the data set is limited. However, in a true production
environment with larger data sets, the process of identifying the data and deciding how to mask it will be the
most complex part of the data masking process.
Once we defined the masking process and created the script, the process of regenerating masked data was
painless and automatic, and the definitions were easy to use repeatedly. Oracle Data Masking was easy to
administer and provides database administrators a way to create realistic, but de-identified, data for a testing
or development environment. Importantly, Oracle Data Masking worked without changing or interrupting the
applications in which it masked data.
Overall, Oracle Data Masking demonstrated that would-be intruders or insiders could not read the specified
sensitive data if it were extracted. That protection was provided with minimal trouble in the set-up process.
There are many other applications for Oracle Data Masking—for example in test environments, it is helpful
for those who need realistic data to do testing without violating privacy regulations, as well as helping
organizations meet specific compliance requirements for data protection.

About the Author
Tanya Baccam is a SANS senior instructor as well as a SANS courseware author. She is the current author
for the SANS Security 509: Securing Oracle Databases course. Tanya works for Baccam Consulting, where
she provides many security consulting services for clients, including system audits, vulnerability and risk
assessments, database audits, and web application audits. Today much of her time is spent on the security of
databases and applications within organizations. Tanya has also played an integral role in developing multiple
business applications. She currently holds the CPA, GCFW, GCIH, CISSP, CISM, CISA and OCP DBA certifications.
SANS would like to thank its sponsor:

Last Updated: May 24th, 2017
Upcoming SANS TrainingClick Here for a full list of all Upcoming SANS Events by Location
SANS Madrid 2017 Madrid, ES May 29, 2017 - Jun 03, 2017 Live Event
SANS Atlanta 2017 Atlanta, GAUS May 30, 2017 - Jun 04, 2017 Live Event
SANS San Francisco Summer 2017 San Francisco, CAUS Jun 05, 2017 - Jun 10, 2017 Live Event
Security Operations Center Summit Training Washington, DCUS Jun 05, 2017 - Jun 12, 2017 Live Event
SANS Houston 2017 Houston, TXUS Jun 05, 2017 - Jun 10, 2017 Live Event
SANS Thailand 2017 Bangkok, TH Jun 12, 2017 - Jun 30, 2017 Live Event
SANS Milan 2017 Milan, IT Jun 12, 2017 - Jun 17, 2017 Live Event
SANS Charlotte 2017 Charlotte, NCUS Jun 12, 2017 - Jun 17, 2017 Live Event
SANS Secure Europe 2017 Amsterdam, NL Jun 12, 2017 - Jun 20, 2017 Live Event
SEC555: SIEM-Tactical Analytics San Diego, CAUS Jun 12, 2017 - Jun 17, 2017 Live Event
SANS Rocky Mountain 2017 Denver, COUS Jun 12, 2017 - Jun 17, 2017 Live Event
SANS Minneapolis 2017 Minneapolis, MNUS Jun 19, 2017 - Jun 24, 2017 Live Event
DFIR Summit Training 2017 Austin, TXUS Jun 22, 2017 - Jun 29, 2017 Live Event
SANS Columbia, MD 2017 Columbia, MDUS Jun 26, 2017 - Jul 01, 2017 Live Event
SANS Cyber Defence Canberra 2017 Canberra, AU Jun 26, 2017 - Jul 08, 2017 Live Event
SANS Paris 2017 Paris, FR Jun 26, 2017 - Jul 01, 2017 Live Event
SEC564:Red Team Ops San Diego, CAUS Jun 29, 2017 - Jun 30, 2017 Live Event
SANS London July 2017 London, GB Jul 03, 2017 - Jul 08, 2017 Live Event
Cyber Defence Japan 2017 Tokyo, JP Jul 05, 2017 - Jul 15, 2017 Live Event
SANS Los Angeles - Long Beach 2017 Long Beach, CAUS Jul 10, 2017 - Jul 15, 2017 Live Event
SANS Cyber Defence Singapore 2017 Singapore, SG Jul 10, 2017 - Jul 15, 2017 Live Event
SANS ICS Energy-Houston 2017 Houston, TXUS Jul 10, 2017 - Jul 15, 2017 Live Event
SANS Munich Summer 2017 Munich, DE Jul 10, 2017 - Jul 15, 2017 Live Event
SANSFIRE 2017 Washington, DCUS Jul 22, 2017 - Jul 29, 2017 Live Event
Security Awareness Summit Training 2017 Nashville, TNUS Jul 31, 2017 - Aug 09, 2017 Live Event
SANS San Antonio 2017 San Antonio, TXUS Aug 06, 2017 - Aug 11, 2017 Live Event
SANS Prague 2017 Prague, CZ Aug 07, 2017 - Aug 12, 2017 Live Event
SANS Hyderabad 2017 Hyderabad, IN Aug 07, 2017 - Aug 12, 2017 Live Event
SANS Boston 2017 Boston, MAUS Aug 07, 2017 - Aug 12, 2017 Live Event
SANS Salt Lake City 2017 Salt Lake City, UTUS Aug 14, 2017 - Aug 19, 2017 Live Event
SANS New York City 2017 New York City, NYUS Aug 14, 2017 - Aug 19, 2017 Live Event
SANS Virginia Beach 2017 Virginia Beach, VAUS Aug 21, 2017 - Sep 01, 2017 Live Event
SANS Stockholm 2017 OnlineSE May 29, 2017 - Jun 03, 2017 Live Event
SANS OnDemand Books MP3s OnlyUS Anytime Self Paced

Oracle Data Masking

More Related Content

What's hot (20)

Similar to Oracle Data Masking (20)

More from Inprise Group (7)

Recently uploaded (20)

Oracle Data Masking