Data Masking using Enterprise Manager
Managing Sensitive Information in Non-Production Environments
Ofir Manor Senior Technology Specialist, Oracle
ofir.manor@oracle.com
Agenda
Introduction
Data Masking Overview
Data Masking Examples
Related EM technology
QA / dev can usually do anything in these environments.
DBAs / sys admins can usually do anything in these environments.
Sometimes partners have full access to these environments (consultants, outsourcing dev / testing / monitoring etc.).
Are these environments audited?
Do you practice careful access control?

Adds IT administrative overhead: auditing, privilege management etc.
Annoying for QA / dev
Not fun
Will always be lower priority
Might be neglected, worked around etc. over time
Production
LAST_NAME    SSN           SALARY
AGUILAR      203-33-3234   40,000
BENSON       323-22-2943   60,000
DSOUZA       989-22-2403   80,000
FIORANO      093-44-3823   45,000

Staging
LAST_NAME    SSN           SALARY
ANSKEKSL     11123-1111    40,000
BKJHHEIEDK   111-34-1345   60,000
KDDEHLHESA   111-97-2749   80,000
FPENZXIEK    111-49-3849   45,000
Major features
Data mask format library
Define once; execute multiple times
View sample data before masking
Automatic database referential integrity when masking primary keys
  Implicit: database enforced
  Explicit: application enforced
Installed as part of Oracle Enterprise Manager (Grid Control) 10g Release 4 (10.2.0.4)
Format Libraries
Mask Primitives
Random Number
Random String
Random Date within range
Shuffle
Substring of original value
Table Column
Masking Definitions
Associates formats with database
Maps formats to table columns being masked
Defines dependent columns
Associated Database target
Automatically identifies Foreign key relationships
Can specify undeclared constraints as related columns
Import-from or export-to XML
"Create like" to apply to similar databases
Database-enforced
Application-enforced
Pre-Masking Validation
Ensure uniqueness can be maintained
Ensure formats match column data types
Check space availability
Warn about check constraints
Check presence of default partitions
Masking Workflow
[Workflow diagram. Labels: Security Admin, Format Library, Masking Definition, DBA, Execute Mask, Prod, Staging, Test]
Performance
Optimizations
SQL parallelism for tables > 1 million rows
Statistics collection before & after masking
CTAS statement with NOLOGGING

Test results
Case 1: 60 GB database, 100 tables, 215 columns: 20 minutes
Case 2: 6 column, 100 million row table, Random Number: 1.3 hours
Validation
Mask validation with data type
Data overflow validation
Multiple parent FKs, circular dependency, constraints
Automatic exclusion of CLOB, BLOB, NCLOB, LONG, LONG RAW, XML column types
Imported mask definition validated against database schema
Space availability check

Masking algorithms
Unique value generation
Shuffle
Constant

Mask definition
Association of masking formats with application schema
Related application columns without defined constraints in data dictionary
Exportable and importable XML mask definitions
"Create Like" to apply mask definition to other databases

Efficiency
One bulk operation per table regardless of number of masked columns
CTAS to recreate masked table
Leverage database features, e.g. parallelism, no logging
ID Number
Israeli ID Number uses a check digit
IsraCard, MasterCard etc. also use some kind of check digit
ID Number Algorithm
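An added example, not taken from the slides and not Oracle's implementation: masking a check-digit ID column so the substitutes still pass validation and child rows keep pointing at the right parent. It assumes the ID check digit is the Luhn scheme (the slides do not spell the algorithm out); the keyed HMAC mapping, the function names, the key and the sample rows are constructed for illustration.

```python
import hashlib
import hmac

def luhn_check_digit(body: str) -> str:
    """Digit that makes body + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # doubled positions once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]

def mask_id(original: str, key: bytes) -> str:
    """Map an ID to a same-length substitute with a valid check digit.
    Keyed and deterministic, so every table gets the same substitute."""
    width = len(original) - 1
    digest = hmac.new(key, original.encode(), hashlib.sha256).digest()
    body = str(int.from_bytes(digest[:8], "big") % 10**width).zfill(width)
    return body + luhn_check_digit(body)

def mask_tables(parents, children, key):
    """parents: (id, last_name) rows; children: (order_no, id) rows that
    reference parents by id. Returns both tables with ids masked."""
    mapping = {pid: mask_id(pid, key) for pid, _ in parents}
    # Pre-masking validation: the masked primary key must stay unique.
    if len(set(mapping.values())) != len(mapping):
        raise ValueError("masked ids collide; uniqueness cannot be maintained")
    return ([(mapping[pid], name) for pid, name in parents],
            [(no, mapping[pid]) for no, pid in children])

# Constructed sample rows (not real ID numbers).
PARENTS = [("123456782", "AGUILAR"), ("876543216", "BENSON"), ("000000018", "DSOUZA")]
CHILDREN = [(1, "123456782"), (2, "000000018"), (3, "123456782")]
DEMO_KEY = b"constructed-demo-key"  # assumption: real key never leaves production

if __name__ == "__main__":
    masked_parents, masked_children = mask_tables(PARENTS, CHILDREN, DEMO_KEY)
    for row in masked_parents + masked_children:
        print(row)
```

A purely random format would also need the check digit recomputed after generation, otherwise application-level validation in the test environment rejects the masked rows.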