
February 2008 Archives

February 6, 2008

Real-Time Data Masking

We have received several follow-up questions on whether Oracle offers real-time data masking in addition to the data masking capabilities discussed in the previous post. The answer is YES, via Oracle Virtual Private Database (VPD). VPD provides real-time enforcement of row and/or column level security policies inside the database for privacy and regulatory compliance. Using VPD Column Masking, it is possible to automatically mask out (set to NULL for now) certain columns in the results of a query.


Additionally, VPD Column Masking policies can also be expressed based on "application context": attributes like time of day, client IP address, application, etc. This means it is possible to set up a data masking policy that, for example, returns the actual value of a column to an application but masks the column value if the data is being returned to an ad-hoc query tool.
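A context-based column masking policy of the kind described above, as an added example that is not code from the original post. The schema `HR_APP`, table `EMPLOYEES`, column `SALARY`, the function and policy names, and the application-server address `192.0.2.10` are all hypothetical.

```sql
-- Policy function: VPD calls it with the protected object's schema and name
-- and expects a predicate string back. With column masking, rows where the
-- predicate is true show the real SALARY; all other rows show NULL.
-- HR_APP, EMPLOYEES, SALARY and 192.0.2.10 are constructed sample values.
CREATE OR REPLACE FUNCTION hr_app.mask_salary (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
AS
BEGIN
  -- Session arrives from the application server: return the actual value.
  IF SYS_CONTEXT('USERENV', 'IP_ADDRESS') = '192.0.2.10' THEN
    RETURN '1=1';
  END IF;
  -- Any other origin (for example an ad-hoc query tool): mask the column.
  RETURN '1=0';
END mask_salary;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'HR_APP',
    object_name           => 'EMPLOYEES',
    policy_name           => 'MASK_SALARY_POLICY',
    function_schema       => 'HR_APP',
    policy_function       => 'MASK_SALARY',
    statement_types       => 'SELECT',            -- column masking applies to SELECT only
    sec_relevant_cols     => 'SALARY',            -- column(s) the policy protects
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS    -- keep every row, NULL out the column
  );
END;
/

-- Run from the application server this returns salaries; run from any other
-- address the same rows come back with SALARY set to NULL.
SELECT employee_id, last_name, salary FROM hr_app.employees;
```

Sessions connected as SYS or holding the `EXEMPT ACCESS POLICY` privilege are not subject to VPD policies, so that grant should be reviewed and audited alongside the policy itself.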


By enforcing security policies like data masking in real-time inside the database, VPD ensures that users who have access to ad-hoc query or reporting tools cannot bypass the security mechanisms of the application. Centrally managed security policies applied directly to data enable security to be enforced no matter how a user gets to the data, whether through an application, by a query, or using a report-writing tool. 


Since VPD Column Masking is transparently enforced at the database layer, it also does not require changes to applications. Both commercial off-the-shelf applications and custom-built applications can take advantage of Oracle VPD without the need to change any lines of application code. Oracle offers the only transparent real-time solution for data masking and other fine-grained access control policy enforcement inside the database.


Managing VPD policies and application contexts can be done via the Oracle Policy Manager tool. To get more familiar with VPD, you can also check out the Oracle By Example tutorial.

February 11, 2008

E-Business Suite Customers Can Now Be More Secure!

Last week we announced the certification of Oracle Database Vault for use with Oracle E-Business Suite. It couldn't have happened without the hard work of our E-Business Suite colleagues. They put out a great post explaining Database Vault, so we wanted to let them bask in some much deserved glory before posting about this as well.


 


We talk about the benefits of Database Vault all the time, but it really takes considering its use with an application like E-Business Suite to drive home the point. Organizations rely on Oracle E-Business Suite applications to drive key components of their business, from finance to human resources to supply chain. E-Business Suite includes applications like Oracle Human Capital Management, Oracle Financial Management and Oracle Customer Relationship Management that contain personal identification information (PII), social security numbers, employee salary data, all your customers, credit card numbers, etc.


 


Today anyone with DBA privileges can look at all the application data in the database and pretty much do anything they want to the database objects that manage that data. Think about it: the DBA you hired last week can go into the database to find out how much all the other DBAs make, get a list of the company customers and their credit card numbers (his golden parachute), and decide to test his backup script against the production database, accidentally dropping the whole thing due to a bug in his script! Not once do we describe this nightmare new DBA without the people in the room calling out names: "Oh yeah that was Joe" or "Or yeah that was Phil".


 


Using Oracle Database Vault, E-Business Suite customers can protect E-Business Suite data from unauthorized access inside the Oracle database. They can enforce separation of duties within the Oracle database, ensuring that even a DBA cannot access sensitive E-Business Suite application data, as well as defend against intentional or accidental database changes that can harm E-Business Suite application data. Also Database Vault can protect against ad-hoc access to E-Business Suite data based on extensible rules and multiple factors such as IP address, time of day, and application. Using Database Vault, E-Business Suite customers can consolidate application databases and enforce strong boundaries between sensitive business data such as that found in financial and human resource application databases.


 


To obtain Oracle Database Vault policies for use with Oracle E-Business Suite Release as well as technical information and best practices, please refer to Integrating Oracle E-Business Suite 11i with Oracle Database Vault 10.2.0.3 (Metalink Note 428503.1).

About February 2008

This page contains all entries posted to Security Inside Out in February 2008. They are listed from oldest to newest.
