
Oracle 12c Redaction Policy

Oracle Data Redaction is one of the new features introduced in Oracle Database 12c. It is part of the Advanced Security option and protects the data shown to the user in real time, without requiring changes to the application.

Oracle Database 12c applies the protection at query execution time. The stored data remains unchanged, while the data to be displayed is transformed on the fly before it leaves the database.

This feature is not to be confused with Oracle Data Masking, which has been available since version 11g. With Oracle Data Masking, the data is rewritten using masking formats and the modified data is stored in new data blocks. For this reason, Data Masking is more suitable for non-production environments.

Below are some other features that already existed to help make the data more secure:

Virtual Private Database (VPD) - Allows access control at both row and column level by dynamically adding a predicate to SQL statements issued against the database.

Oracle Label Security – Allows you to add user-defined labels to table records, combining them with VPD to allow fine-grained control of who sees what.

Database Vault – Data Redaction does not prevent privileged users (such as DBAs) from having access to the data being protected. To solve this, you can make use of Database Vault.

Licensing-wise, Oracle Data Masking is available only with the Enterprise Edition database and it requires licensing of Advanced Security.

How It Works

We can create redaction policies that specify the conditions that must be met before the data is redacted and returned to the user. When defining such a policy, the DBA specifies which columns are covered and the type of protection that must be applied to each.

The package used to create protection rules is called DBMS_REDACT. The package includes five procedures to manage the rules and an additional procedure to change the default values used by full redaction.

DBMS_REDACT.ADD_POLICY – creates a new policy on a table or view.

DBMS_REDACT.ALTER_POLICY – allows changes to existing policies.

DBMS_REDACT.DISABLE_POLICY – disables an existing policy.

DBMS_REDACT.DROP_POLICY – drops an existing policy.

DBMS_REDACT.ENABLE_POLICY – enables an existing policy.

DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES – changes the default return values for full redaction. You must restart the database for the change to take effect.

You can protect data at the column level using one of the following methods:

Full redaction – All content of the column is protected, and the value returned depends on the data type of the column. For numeric columns, the value zero is returned. For character columns, a single space is returned. These defaults can be changed at the database level.

Partial redaction – Only part of the information is changed. For example, the first digits of the credit card number are replaced by asterisks.

Regular expressions - You can use regular expressions to search for patterns of data that must be protected.

Random redaction – Returned values are random; each time a query is executed, the displayed data will be different.

No redaction - Allows testing the inner workings of redaction policies, with no effect on the results of currently running queries. This is widely used during the testing phase of redaction policies that will eventually find their way to production environments.
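The following script is an added example, not code from the original post; it ties the DBMS_REDACT procedures listed above to the five redaction types by building one policy that uses each of them. The schema HR_DEMO, the privileged user HR_ADMIN, the application user APP_USER and the sample row are all constructed for the example and do not exist by default; run it as a user that has EXECUTE on DBMS_REDACT.

```sql
-- Added example, not code from the original post. It assumes a constructed
-- schema HR_DEMO, a privileged user HR_ADMIN and an application user APP_USER;
-- none of these exist by default. Run as a user with EXECUTE on DBMS_REDACT.

-- Constructed sample data (fake values).
CREATE TABLE hr_demo.customers (
  cust_id   NUMBER        PRIMARY KEY,
  full_name VARCHAR2(60),
  card_no   VARCHAR2(19),   -- 16 digits, dash-separated
  email     VARCHAR2(80),
  salary    NUMBER(10,2),
  dob       DATE
);
INSERT INTO hr_demo.customers
  VALUES (1, 'Jane Example', '4111-1111-1111-1234',
          'jane@example.com', 85000, DATE '1980-05-17');
COMMIT;

-- A table carries only one redaction policy, so the first column is protected
-- with ADD_POLICY and further columns are attached with ALTER_POLICY using
-- action => ADD_COLUMN. The policy expression decides WHEN redaction applies:
-- here, for every session except HR_ADMIN.
BEGIN
  -- Full redaction: NUMBER columns return 0 by default.
  DBMS_REDACT.ADD_POLICY(
    object_schema      => 'HR_DEMO',
    object_name        => 'CUSTOMERS',
    policy_name        => 'CUST_PII_REDACT',
    column_name        => 'SALARY',
    function_type      => DBMS_REDACT.FULL,
    expression         => q'[SYS_CONTEXT('USERENV','SESSION_USER') <> 'HR_ADMIN']',
    policy_description => 'Hide customer PII from application users');

  -- Partial redaction: mask digits 1-12 of the card number with '*', keeping
  -- the dashes (F positions in the input format) and the last four digits.
  DBMS_REDACT.ALTER_POLICY(
    object_schema       => 'HR_DEMO',
    object_name         => 'CUSTOMERS',
    policy_name         => 'CUST_PII_REDACT',
    action              => DBMS_REDACT.ADD_COLUMN,
    column_name         => 'CARD_NO',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,*,1,12');

  -- Regular expression: hide the local part of the address, keep the domain.
  DBMS_REDACT.ALTER_POLICY(
    object_schema          => 'HR_DEMO',
    object_name            => 'CUSTOMERS',
    policy_name            => 'CUST_PII_REDACT',
    action                 => DBMS_REDACT.ADD_COLUMN,
    column_name            => 'EMAIL',
    function_type          => DBMS_REDACT.REGEXP,
    regexp_pattern         => DBMS_REDACT.RE_PATTERN_EMAIL_ADDRESS,
    regexp_replace_string  => DBMS_REDACT.RE_REDACT_EMAIL_NAME,
    regexp_position        => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence      => DBMS_REDACT.RE_ALL,
    regexp_match_parameter => DBMS_REDACT.RE_CASE_INSENSITIVE);

  -- Random redaction: a different value on every fetch.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR_DEMO', object_name => 'CUSTOMERS',
    policy_name   => 'CUST_PII_REDACT', action => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'DOB', function_type => DBMS_REDACT.RANDOM);

  -- No redaction: the column is covered by the policy but returned unchanged,
  -- which lets you exercise the policy before switching the function type.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR_DEMO', object_name => 'CUSTOMERS',
    policy_name   => 'CUST_PII_REDACT', action => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'FULL_NAME', function_type => DBMS_REDACT.NONE);
END;
/

-- Review what is in force (data dictionary views shipped with the feature).
SELECT object_name, policy_name, expression, enable
  FROM redaction_policies;
SELECT column_name, function_type, function_parameters
  FROM redaction_columns
 WHERE object_name = 'CUSTOMERS';

-- Disable and re-enable the policy by name; DROP_POLICY with the same three
-- arguments removes it entirely.
BEGIN
  DBMS_REDACT.DISABLE_POLICY('HR_DEMO', 'CUSTOMERS', 'CUST_PII_REDACT');
  DBMS_REDACT.ENABLE_POLICY ('HR_DEMO', 'CUSTOMERS', 'CUST_PII_REDACT');
END;
/

-- Change the database-wide defaults used by FULL redaction. As the post
-- notes, this only takes effect after the database is restarted.
BEGIN
  DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES(
    number_val  => -1,
    varchar_val => '[REDACTED]');
END;
/
```

Queried as APP_USER, the row comes back with SALARY as 0, CARD_NO as ****-****-****-1234, EMAIL as xxxx@example.com, a random DOB and FULL_NAME unchanged, while HR_ADMIN sees the stored values. Two caveats matter when reviewing such a policy: SYS and any user granted the EXEMPT REDACTION POLICY privilege bypass it, and redaction only transforms the values returned, so a user who can run ad hoc SQL can still filter on the real values in a WHERE clause. That is why the post points to Database Vault for privileged users; redaction complements access control rather than replacing it.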
