Oracle Database 12c - Data Redaction

Oracle Data Redaction
Presented by:
Alex Zaballa, Oracle DBA

Oracle Database 12.1.0.2 New Features [UGF11311]
Deiby Mauricio Gómez Robles, Oracle Database Consultant, Pythian
Alex Zaballa, Oracle Senior DBA, Accenture Enkitec Group
Sunday, Oct 25, 11:00 a.m. | Moscone West—3011
More Than Another 12 on Oracle Database 12c [UGF3190]
Sunday, Oct 25, 1:30 p.m. | Moscone South—306

Alex Zaballa
http://alexzaballa.blogspot.com/
@alexzaballa
146 and counting…

Worked 8 years for the Ministry of Finance
March - 2007 until March - 2015

Data Redaction
• One of the new features introduced in Oracle
Database 12c
• Part of the Advanced Security option
• Enables the protection of data shown to the
user in real time, without requiring changes to
the application

Data Redaction
• This new feature has been backported to
Oracle Database 11.2.0.4

• Applies protection at query execution time
• The stored data remain unchanged
Redaction takes place immediately preceding the return of selected data and
only at the top level of a SELECT list
• It is not an operation shown in the execution plan

Policy
SELECT rep.object_name as "OBJECT",
rep.policy_name,
rep.expression,
rep.enable,
rec.column_name as "COLUMN",
rec.function_type
FROM redaction_policies rep,
redaction_columns rec
WHERE rep.object_owner = rec.object_owner
AND rep.object_name = rec.object_name;
OBJECT POLICY_NAME EXPRESSION ENABLE COLUMN FUNCTION_TYPE
------ ----------- ------------------------------------------------ ------ ------ --------------
EMP SCOTT_EMP SYS_CONTEXT('SYS_SESSION_ROLES','MGR') = 'FALSE' YES SALARY FULL REDACTION

SQL> EXPLAIN PLAN FOR SELECT * FROM EMP;
SQL> SELECT * FROM table(DBMS_XPLAN.DISPLAY(format=>'ALL'));
As SCOTT with the MGR role:
--------------------------------------------------------------------------
| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time |
--------------------------------------------------------------------------
| 0 | SELECT STATEMENT | | 3 | 36 | 3 (0)| 00:00:01 |
| 1 | TABLE ACCESS FULL| EMP | 3 | 36 | 3 (0)| 00:00:01 |
--------------------------------------------------------------------------
As SCOTT without the MGR role:
--------------------------------------------------------------------------
| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time |
--------------------------------------------------------------------------
| 0 | SELECT STATEMENT | | 3 | 36 | 3 (0)| 00:00:01 |
| 1 | TABLE ACCESS FULL| EMP | 3 | 36 | 3 (0)| 00:00:01 |
--------------------------------------------------------------------------

Not to be confused with
Oracle Data Masking
With Oracle Data Masking, the data is processed
using masked shapes and this updated data is
stored in new data blocks. For this reason, Data
Masking is more suitable for non-production
environments.
** Oracle Data Masking is available only with Enterprise
Edition database and it requires licensing of Advanced
Security.

Oracle Data Masking – Secure Your
Nonproduction Environments
• Introduced in 10G;
• Designed to hide sensitive data during the copy
from production to non-production;
• Useful to create environments like Development,
Testing, UAT, etc;

Oracle Data Masking – Secure Your
Nonproduction Environments
• Replaces the real data based on masking rules, like: Credit
Card numbers, names, phone, address, social security
number, etc;
• Compliance with regulatory requirements:
(Sarbanes - Oxley, PCI DSS or HIPAA);

Oracle Data Masking
Source: Oracle Documentation

Below are some other features that already
existed to help making the data more secure:
•Virtual Private Database (VPD) - Allows control access
on both row and column levels by dynamically adding a
predicate to SQL statements issued against the database.
•Oracle Label Security – Allows you to add user-defined
values to table records combining it with VPD to allow fine
control of who sees what.
•Database Vault – Data Redaction does not prevent
privileged users (such as DBAs) from having access to the
data being protected. To solve this, you can make use of
Database Vault.

Planning on Oracle Data Redaction Policy
1. Ensure that you have been granted the EXECUTE privilege on
the DBMS_REDACT PL/SQL package.
2. Determine the data type of the table or view column that you want to
redact.
3. Ensure that this column is not used in an Oracle Virtual Private
Database (VPD) row filtering condition. That is, it must not be part of
the VPD predicate generated by the VPD policy function.
4. Decide on the type of redaction that you want to perform: full,
random, partial, regular expressions, or none.
5. Decide which users to apply the Data Redaction policy to.
6. Based on this information, create the Data Redaction policy by using
the DBMS_REDACT.ADD_POLICY procedure.
7. Configure the policy to have additional columns to be redacted

Conditional Redaction Examples
•User Environment
expression => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''SMITH'''
•Database Role
expression => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''SUPERVISOR'') = ''FALSE'''
•Oracle Label Security Label Dominance
expression => 'OLS_LABEL_DOMINATES (''hr_ols_pol'',''hs'') = 0'
•Application Express Session States
expression => 'V(''APP_USER'') != ''mavis@example.com'' or V(''APP_USER'') is null'

DBMS_REDACT
• DBMS_REDACT.ALTER_POLICY
Allows changes to existing policies.
• DBMS_REDACT.DISABLE_POLICY
Disables an existing policy.
• DBMS_REDACT.DROP_POLICY
Drop an existing policy.
• DBMS_REDACT.ENABLE_POLICY
Enables an existing policy.
• DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES
Change the default return value for full redaction.
You must restart the database to take effect.

Redaction Methods
• Full redaction
• Partial redaction
• Regular expressions
• Random redaction
• No redaction

FULL Data Redaction
• Character Data Types
The output text is a single space
Column Real Value Redacted Value
Last_Name Smith ‘ ‘

FULL Data Redaction
• Number Data Types
The output text is a zero
Salary 8000 0

FULL Data Redaction
• Date-Time Data Types
The output text is set to the first day of January, 2001
BirthDay 01/Dec/1980 01/Jan/2001

RANDOM Data Redaction
• CHAR Data Types
Redacted in same character set and byte length as the column
definition
Select 1
Last_Name Smith Txaqw
Select 2
Last_Name Smith Wascq

•Number Data Types
Redacted in same character set and the length is limited based
on the length of the actual data
Select 1
Salary 8000 4321
Select 2
Salary 8000 6789

•Date-Time Data Types
Redacted as random dates that are always different from those
of the actual data
Select 1
BirthDay 01/Dec/1980 10/Oct/1960
Select 2
BirthDay 01/Dec/1980 30/Aug/1932

Column data types
NUMBER, BINARY_FLOAT, BINARY_DOUBLE,
CHAR, VARCHAR2, NCHAR, NVARCHAR2,
DATE, TIMESTAMP, TIMESTAMP WITH TIME
ZONE, BLOB, CLOB, and NCLOB

Operational Activities - No Redaction
•Backup and Restore
•Import and Export
•Patching and Upgrades
•Replication
•Users SYS and SYSTEM automatically have
the EXEMPT REDACTION POLICY system
privilege
•Data Redaction is not enforced for users
connected as SYSDBA

Data Redaction and Data Pump
ORA-28081: Insufficient privileges - the command
references a redacted object
Use the EXEMPT REDACTION POLICY system privilege
in these cases. However, use it with caution.
Note that the role DATAPUMP_EXP_FULL_DATABASE
includes the EXEMPT REDACTION POLICY system
privilege

If you try to CREATE TABLE ... AS SELECT (CTAS) against a
redacted table you get the following error message: ORA-
28081: Insufficient privileges - the command references a
redacted object.
In order to perform a CREATE TABLE AS SELECT operation from
a table protected by an active redaction policy, the user must
have privileges to see the actual data on the source table
Because applications may need to perform CREATE TABLE AS
SELECT operations that involve redacted source columns, you
can grant the application the EXEMPT DDL REDACTION
POLICY system privilege.
Data Redaction and CTAS

Redacted Columns and GROUP BY SQL Expressions
Redacted Columns included in SQL expressions on a GROUP BY clause will fail as follows:
SQL> select * from emp;
EMP_NO NAME SALARY
---------- ---------------------------------------- ----------
1 Daniel 702
2 Juca 607
3 Manuel 314
SQL> select (salary*1.10) from emp group by (salary*1.10);
select (salary*1.10) from emp group by (salary*1.10)
*
ERROR at line 1:
ORA-00979: not a GROUP BY expression

Redacted Columns and Virtual Columns
SQL> alter table hr.employees add sal number as (salary*1.10) virtual;
alter table hr.employees add sal number as (salary*1.10) virtual
*
ERROR at line 1:
ORA-28083: A redacted column was referenced in a virtual column expression.

•Columns from MVIEWS as well as regular VIEWS
can be redacted
Data Redaction and Views

Overhead
• It could reach up to 10% of performance impact
when using complex Regular Expressions
• Between 2-3% performance impact using other
redaction methods

•Never to be considered as a way to protect data from
anyone with SQL access to the database
•Extremely easy to hack once you have access to
SQL
Hacking

Oracle Database 12c - Data Redaction

More Related Content

What's hot (19)

Viewers also liked (19)

Similar to Oracle Database 12c - Data Redaction (20)

More from Alex Zaballa (20)

Recently uploaded (20)

Oracle Database 12c - Data Redaction

Editor's Notes