Real-Time Data Masking
By Roxana Bradescu on Feb 05, 2008
I have received several follow-up questions on whether Oracle offers real-time data masking in addition to the data masking capabilities discussed in the previous post. The answer is YES, via Oracle Virtual Private Database (VPD). VPD provides real-time enforcement of row-level and/or column-level security policies inside the database for privacy and regulatory compliance. With VPD Column Masking, certain columns in the results of a query can be masked out automatically (set to NULL for now).
Additionally, VPD Column Masking policies can be expressed in terms of "application context" - attributes like time of day, client IP address, application, etc. This means it is possible to set up a data masking policy that, for example, returns the actual value of a column to an application but masks the column value if the data is being returned to an ad-hoc query tool.
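As an added illustration (not code from the original post), a column masking policy driven by an application context could be set up as follows. The schema HR, table EMPLOYEES, column SALARY, context HR_APP_CTX, package HR_CTX_PKG and policy names are all assumed for the example; DBMS_RLS.ADD_POLICY, DBMS_SESSION.SET_CONTEXT and SYS_CONTEXT are the standard Oracle interfaces.

```sql
-- Assumed names throughout: HR.EMPLOYEES.SALARY, HR_APP_CTX, HR.HR_CTX_PKG.

-- 1. Application context that can only be set through one trusted package.
CREATE OR REPLACE CONTEXT hr_app_ctx USING hr.hr_ctx_pkg;

CREATE OR REPLACE PACKAGE hr.hr_ctx_pkg AS
  PROCEDURE set_trusted_app;
END hr_ctx_pkg;
/
CREATE OR REPLACE PACKAGE BODY hr.hr_ctx_pkg AS
  PROCEDURE set_trusted_app IS
  BEGIN
    -- Called by the application once its session is established.
    DBMS_SESSION.SET_CONTEXT('HR_APP_CTX', 'TRUSTED_APP', 'Y');
  END set_trusted_app;
END hr_ctx_pkg;
/

-- 2. Policy function: returns the predicate VPD evaluates per row.
--    Where it is true the real SALARY is returned; where it is false
--    (for example an ad-hoc query tool that never set the context)
--    the column comes back as NULL.
CREATE OR REPLACE FUNCTION hr.mask_salary (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 AS
BEGIN
  RETURN 'SYS_CONTEXT(''HR_APP_CTX'', ''TRUSTED_APP'') = ''Y''';
END mask_salary;
/

-- 3. Attach the function as a column masking policy. ALL_ROWS keeps every
--    row in the result and masks only the listed column; without it, rows
--    failing the predicate would be filtered out instead.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'HR',
    object_name           => 'EMPLOYEES',
    policy_name           => 'MASK_SALARY_POLICY',
    function_schema       => 'HR',
    policy_function       => 'MASK_SALARY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'SALARY',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/
```

The mask is only as strong as control over who can set the context, so EXECUTE on the context package should be granted to the application account alone. Accounts holding the EXEMPT ACCESS POLICY privilege, and SYS, are not subject to VPD policies and should be audited accordingly.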
By enforcing security policies like data masking in real-time inside the database, VPD ensures that users who have access to ad-hoc query or reporting tools cannot bypass the security mechanisms of the application. Centrally managed security policies applied directly to data enable security to be enforced no matter how a user gets to the data, whether through an application, by a query, or using a report-writing tool.
Since VPD Column Masking is transparently enforced at the database layer, it also does not require changes to applications. Both commercial off-the-shelf applications and custom-built applications can take advantage of Oracle VPD without the need to change any lines of application code. Oracle offers the only transparent real-time solution for data masking and other fine-grained access control policy enforcement inside the database.
VPD policies and application contexts can be managed with the Oracle Policy Manager tool. To get more familiar with VPD, you can also check out the Oracle By Example tutorial.