Oracle® Fusion Applications Security Guide 11g Release 1 (11.1.1.5.0) Part Number E16689-01
This chapter contains the following:
Secure Information Life Cycle: Explained
Types of Sensitive Data: Explained
Protecting Sensitive Data: Points To Consider
The information life cycle of a business is the movement of products and data from beginning to end through the following stages.
Installation
Implementation
Test
Production and change control
Archive or back up
Purge
Oracle Fusion Applications data security policies are applicable and active at each stage.
Oracle Fusion Applications optionally respects the Information Life Cycle Management policies that your enterprise establishes based on business goals and drivers. These policies likely adhere to the following.
Overall IT governance and management
Change control processes
Requirements for system availability and recovery times
Service level agreements (SLAs)
Oracle Fusion Applications provides encryption application programming interfaces (APIs) to protect sensitive fields in application user interfaces. Oracle Fusion Applications is certified to use the Oracle Advanced Security option and the Oracle Database Vault option for the Oracle database, and deploys with Transparent Data Encryption (TDE), a feature of Advanced Security, and Oracle Database Vault (ODV) enabled if they are installed. Together with network encryption and data masking, these features protect sensitive data across the information life cycle in the following ways.
Access restrictions on database administrators and other privileged users
Encryption of sensitive data at rest in database files and file backups
Encryption of sensitive data in transit
Masking of sensitive attributes in non-production databases
With these protections, database administrators do not have access rights to select from tables in the applications that they administer. Oracle Fusion Applications encrypts sensitive data as it is written to file, either on disk or in backup. Network encryption protects sensitive data in transit. Sensitive data is masked when you create test databases from production databases.
Oracle Database Vault (ODV) establishes limitations on the power of entitled users to access sensitive data through segregation of duties policies on database administrator (DBA) roles and by securely consolidating application data in the database.
These limitations prevent DBAs and other privileged users from overriding the protections placed on sensitive data by the Virtual Private Database (VPD). Oracle Fusion Applications deploy with ODV enabled when ODV is installed.
Oracle Database Vault remains enabled during patching.
A single realm protects Oracle Fusion Applications data. DBAs do not have select privileges on the objects within the realm in which the applications data resides. You can extend that realm to include integrations with applications that are not Oracle Fusion applications, and you can establish subset realms within the Oracle Fusion Applications realm. Adding realms to your Oracle Fusion Applications deployment is a custom implementation.
Transparent Data Encryption (TDE) protects confidential data, such as credit card and social security numbers.
Database users need not take any action to decrypt the data when they access it; decryption is transparent. To prevent unauthorized decryption, TDE stores the master encryption key outside the database, in an Oracle wallet or a hardware security module (HSM), and encrypted data cannot be read while that keystore is closed.
TDE does not require administrators to build their own key storage or to create auxiliary tables, views, and triggers. You control encryption policies through the Oracle Advanced Security option of the Oracle Database.
For more information on TDE, see the Oracle Database Advanced Security Administrator's Guide.
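As an added example (not part of this guide), the following SQL*Plus session shows how a DBA with the appropriate privileges can confirm that the Database Vault and TDE protections described above are actually in force, and how to keep a custom tablespace inside the at-rest protection. The wallet password, tablespace name and datafile path are placeholders; the dictionary views and statements are standard Oracle Database 11g.

```sql
-- Added example, not from the Oracle Fusion Applications Security Guide.
-- Run as a suitably privileged account in SQL*Plus on an 11g database.

-- 1. Is the Database Vault option linked in and enabled? (value TRUE/FALSE)
SELECT parameter, value
  FROM v$option
 WHERE parameter = 'Oracle Database Vault';

-- 2. Which realms exist and are enabled, and which schemas and objects they
--    protect. Fusion Applications data sits in a single realm; additional
--    realms for non-Fusion integrations are custom, so anything unexpected
--    here is a finding to follow up.
SELECT name, enabled, audit_options
  FROM dvsys.dba_dv_realm
 ORDER BY name;

SELECT realm_name, owner, object_name, object_type
  FROM dvsys.dba_dv_realm_object
 ORDER BY realm_name, owner, object_name;

-- 3. TDE only works while the wallet holding the master key is open; reads
--    of encrypted tablespaces fail with ORA-28365 when it is closed.
--    "wallet_password" is a placeholder for the real wallet password.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "wallet_password";

SELECT wrl_type, wrl_parameter, status
  FROM v$encryption_wallet;

-- 4. Which tablespaces are encrypted, and with what algorithm. A tablespace
--    reporting ENCRYPTED = 'NO' that holds application data is a gap in the
--    at-rest protection: its datafiles and their backups are cleartext.
SELECT t.tablespace_name, t.encrypted, e.encryptionalg
  FROM dba_tablespaces t
  LEFT JOIN v$tablespace vt ON vt.name = t.tablespace_name
  LEFT JOIN v$encrypted_tablespaces e ON e.ts# = vt.ts#
 ORDER BY t.encrypted, t.tablespace_name;

-- 5. Column-level TDE, the other way individual attributes such as card or
--    national identification numbers are encrypted on disk.
SELECT owner, table_name, column_name, encryption_alg, salt
  FROM dba_encrypted_columns
 ORDER BY owner, table_name, column_name;

-- 6. A custom tablespace for extension or integration data should be created
--    encrypted, so data written there gets the same protection as the rest.
--    The tablespace name and datafile path are illustrative.
CREATE TABLESPACE custom_sensitive_ts
  DATAFILE '/u01/oradata/fusion/custom_sensitive01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);
```

The queries against the DVSYS views need a Database Vault role such as DV_SECANALYST or DV_OWNER, and when Database Vault is enabled the ALTER SYSTEM and CREATE TABLESPACE statements may be governed by command rules, so run them as the account your realm design authorizes rather than assuming the DBA role is enough.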
Sensitive data is any data that should not be accessed by everyone or without restriction.
Information lifecycle context and business justifications determine what data is sensitive. Oracle Fusion Applications security protects types of sensitive data variously, depending on access circumstances.
Note
Oracle Fusion Applications encryption application programming interfaces (APIs) mask data such as credit card numbers in application user interface fields. For protection beyond that, Transparent Data Encryption (TDE) and Oracle Database Vault are certified but optional with Oracle Fusion Applications.
Type of Data | Life Cycle Phase or Data State | Protection provided by | Tool
---|---|---|---
Oracle Fusion Applications data | All | Access restrictions and segregation of duties | Oracle Database Vault, single realm
Sensitive | Installation | Transparent data encryption | Oracle Advanced Security (OAS) and Transparent Data Encryption (TDE)
Sensitive | Implementation | Transparent data encryption | OAS and TDE
Sensitive | Test | Data masking | Oracle Data Masking
Sensitive | Production and change control | Transparent data encryption | OAS and TDE
Sensitive | Archive and purge | Transparent data encryption | OAS and TDE
Sensitive | Data at rest | Transparent data encryption | OAS and TDE
Sensitive | Data in transit | Network encryption | Network Data Encryption and Data Integrity features of Oracle Advanced Security
Oracle Fusion Applications deploys with Transparent Data Encryption enabled at the tablespace level. Information on disk is encrypted and is transparently decrypted by the database server process when an authorized session reads it.
Oracle Fusion Applications deploys with a Data Masking Pack in Oracle Enterprise Manager, allowing clones of the production database to be created with sensitive data masked.
Transparent Data Encryption (TDE) protects sensitive data at rest.
Network Data Encryption and Data Integrity features of Oracle Database Advanced Security protect sensitive data when it is transmitted over the network.
You can use Oracle Data Finder to discover sensitive information in custom fields.
Data masking removes sensitive data from non-production copies of the database such as when leaving a production environment to conduct testing or when outsourcing, off-shoring, or sharing data with partners.
Note
Regulations such as HIPAA (the Health Insurance Portability and Accountability Act) in the US, and the Data Protection Directive in the European Union mandate the protection of sensitive data.
Oracle Data Masking replaces sensitive data with generated values that carry no meaning but keep the format the applications expect, so that applications referring to the data continue to work. Once replaced, the original data cannot be recovered from the non-production copies of the database.
Oracle Fusion Applications uses an extensible library of templates and policies to automate the data masking process when you create a clone of your production database. The templates change personal and sensitive data but preserve enough accuracy to support realistic testing. Validation, formatting, and syntax rules, such as Vertex requirements for a valid combination of city, state, and zip code, limit how far data can be masked: the masked data must remain realistic enough for testing, and is therefore less protective than a full scramble would be. For example, meaningful payroll or tax tests may require addresses to remain unmasked at the state level.
Manage masking definitions using Oracle Enterprise Manager. A masking definition identifies the mask format for the sensitive data and the schema, table, and column of the sensitive attributes. The masking format can be set to generate realistic and fully functional data in place of sensitive data depending on your security requirements and the usage of the cloned database.
For information on viewing data masking definitions, see the Oracle Fusion Applications Administrator's Guide.
For more information on TDE, see the Oracle Database Advanced Security Administrator's Guide.
For information on settings and deployment options to protect sensitive data, see the Oracle Fusion Applications Security Hardening Guide.
Sensitive attributes include personally identifiable information (PII) and non-PII attributes.
As a security guideline, consider protecting copies of the sensitive data, as well as the live system.
Oracle Transparent Data Encryption (TDE) prevents access to PII read directly from database files on disk or from backups, bypassing the database. Oracle Virtual Private Database (VPD) protects PII from users with DBA access, and Oracle Database Vault (ODV), if installed, prevents those users from overriding that protection. Oracle Data Masking protects PII and sensitive data in cloned databases.
Oracle Fusion Applications uses encryption application programming interfaces (APIs) to mask sensitive fields in application user interfaces, for example by replacing all but the last four digits of a credit card number with a meaningless character.
Oracle Data Masking is available for masking data in non-production instances or clones.
Oracle Fusion Applications optionally provides predefined data masking templates as a starting point for use with the Oracle Enterprise Manager Data Masking Pack. The templates specify the tables and columns being masked and the masking formats. Determine the needs of your enterprise or the purpose of database clones and make modifications accordingly by adding or removing the tables and columns being masked, and changing masking formats.
Oracle Enterprise Manager provides views of masked tables and columns.
Warning
Oracle Data Masking converts non-production data irreversibly. Mask formats can keep the data in a form that lets applications run without error, but the original values cannot be reconstituted from the masked copy.
Non-production phases require realistic data, which potentially precludes masking all sensitive data.
Tip
Offset the danger of gaps in masking with business processes that limit unauthorized view of sensitive data. For example, apply the same policies for handling Human Resources (HR) data to testers as are applied to Human Capital Management (HCM) staff. Provide individual test accounts provisioned with limited roles rather than generic accounts with widely known passwords. The processes for accessing test data should mirror the processes for accessing the live data on which the test data is based.
For more information, see Data Masking Best Practices, an Oracle White Paper on Oracle Technology Network at http://www.oracle.com/technetwork.
For information on column masking and using Oracle Virtual Private Database to control data access, see the Oracle Database Security Guide.
For information on settings and deployment options to protect sensitive data, see the Oracle Fusion Applications Security Hardening Guide.
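The VPD column masking referred to above, as an added example that is not part of this guide: a policy that returns a sensitive column as NULL to every session except those holding an authorized role, followed by the check for accounts that can bypass VPD altogether. The schema FA_CUSTOM, the table, the role and the policy function are invented for illustration; the ENCRYPT clause requires the TDE wallet to be open.

```sql
-- Added example, not from the Oracle Fusion Applications Security Guide.
-- FA_CUSTOM, CUSTOMER_PAYMENT, PAYMENT_ADMIN_ROLE and CARD_NUMBER_POLICY are
-- invented names; DBMS_RLS, DBMS_SESSION and the views are standard 11g.

CREATE ROLE payment_admin_role;

CREATE TABLE fa_custom.customer_payment (
  customer_id NUMBER       PRIMARY KEY,
  card_holder VARCHAR2(80),
  card_number VARCHAR2(19) ENCRYPT   -- TDE protects the datafile, not the SELECT
);

-- Policy function. VPD evaluates the returned predicate for every SELECT on
-- the table; with column masking (below), rows that fail it are still
-- returned but with CARD_NUMBER set to NULL.
CREATE OR REPLACE FUNCTION fa_custom.card_number_policy (
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2
IS
BEGIN
  IF DBMS_SESSION.IS_ROLE_ENABLED('PAYMENT_ADMIN_ROLE') THEN
    RETURN '1=1';   -- authorized session: column visible
  END IF;
  RETURN '1=0';     -- everyone else: column masked to NULL
END card_number_policy;
/

-- Attach the policy to the one column, so unprivileged sessions still see
-- CUSTOMER_ID and CARD_HOLDER and the application keeps working.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'FA_CUSTOM',
    object_name           => 'CUSTOMER_PAYMENT',
    policy_name           => 'MASK_CARD_NUMBER',
    function_schema       => 'FA_CUSTOM',
    policy_function       => 'CARD_NUMBER_POLICY',
    statement_types       => 'SELECT',
    sec_relevant_cols     => 'CARD_NUMBER',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- Confirm the policy is enabled and applies to SELECT.
SELECT object_owner, object_name, policy_name, sel, enable
  FROM dba_policies
 WHERE object_owner = 'FA_CUSTOM';

-- VPD is not applied to SYS or to any account holding EXEMPT ACCESS POLICY.
-- Closing that hole for privileged users is what Database Vault is for;
-- until it is installed, every grantee listed here reads the column unmasked.
SELECT grantee, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT ACCESS POLICY';
```

A session without PAYMENT_ADMIN_ROLE that selects from FA_CUSTOM.CUSTOMER_PAYMENT gets every row with CARD_NUMBER as NULL; a session with the role enabled sees the real values. The second query is the one to keep in a review checklist: any grantee of EXEMPT ACCESS POLICY can read the column regardless of the policy, which is the override that the guide says Database Vault prevents.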
Masking formats rely on a PL/SQL function or a table of values to pick masked values.
The maximum length of the random string format used to mask data is 4000 characters. For performance reasons, make these strings only as long as necessary to preserve uniqueness on a unique column; for a non-unique column, use a shorter random string.
Random string and random number formats are not available in compound masking.
Most masking formats mask the same value consistently wherever it occurs in a table. Applying the shuffle format to data with a small set of distinct values, such as marital status, changes the distribution of values (the number of records with each value).
Oracle Fusion Applications uses Oracle Data Masking to mask the values in a single column consistently across all masking formats, rather than generalizing values, which is the masking approach used to prevent inference-based attacks.
When a group column is specified with a group number, the columns from the same table with the same group number are masked consistently as a unit.
Oracle Data Masking supports compound masking (tuple masking) of a group of columns only with the following formats, and with no conditions.
Shuffle
User Defined Function
Table Column
Substitute
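The masking properties described in this section and in the data masking discussion above (consistent masking of a column, compound masking of a group of columns that must stay a valid combination, and irreversibility), as an added example that is not part of this guide and is not the Data Masking Pack itself. It is plain SQL run against a constructed table in a non-production clone; every table and column name is invented, and the sample rows are made up.

```sql
-- Added example, not from the Oracle Fusion Applications Security Guide and
-- not Data Masking Pack code: hand-written SQL that makes the masking
-- properties concrete on a constructed clone table. All names are invented.

CREATE TABLE per_people_clone (
  person_id      NUMBER       PRIMARY KEY,
  national_id    VARCHAR2(11) NOT NULL,  -- PII, masked consistently
  marital_status VARCHAR2(1),            -- non-PII, left alone here
  city           VARCHAR2(40),           -- masked as a tuple with postal_code
  state          VARCHAR2(2),            -- kept: payroll/tax tests need it
  postal_code    VARCHAR2(5)
);
INSERT INTO per_people_clone VALUES (1, '123-45-6789', 'M', 'Redwood City', 'CA', '94065');
INSERT INTO per_people_clone VALUES (2, '987-65-4321', 'S', 'Austin',       'TX', '78701');
INSERT INTO per_people_clone VALUES (3, '123-45-6789', 'M', 'Redwood City', 'CA', '94065');
INSERT INTO per_people_clone VALUES (4, '555-12-3456', 'D', 'Denver',       'CO', '80202');

-- Constructed substitute tuples that pass the same city/state/ZIP validation
-- the application applies (the Vertex-style rule mentioned above).
CREATE TABLE valid_address_tuple (
  city VARCHAR2(40), state VARCHAR2(2), postal_code VARCHAR2(5)
);
INSERT INTO valid_address_tuple VALUES ('Sacramento', 'CA', '95814');
INSERT INTO valid_address_tuple VALUES ('Fresno',     'CA', '93721');
INSERT INTO valid_address_tuple VALUES ('Houston',    'TX', '77002');
INSERT INTO valid_address_tuple VALUES ('Boulder',    'CO', '80302');

-- 1. Consistent masking: one substitute per distinct original, taken from a
--    random ranking so the substitute carries nothing of the original digits.
--    Rows 1 and 3 share an original and so share a mask afterwards, which is
--    what keeps joins and uniqueness constraints honest in testing.
CREATE TABLE national_id_map AS
  SELECT orig,
         REGEXP_REPLACE(TO_CHAR(900000000 + rn),
                        '^([0-9]{3})([0-9]{2})([0-9]{4})$', '\1-\2-\3') AS masked
    FROM (SELECT orig, ROW_NUMBER() OVER (ORDER BY DBMS_RANDOM.VALUE) AS rn
            FROM (SELECT DISTINCT national_id AS orig FROM per_people_clone));

UPDATE per_people_clone p
   SET national_id = (SELECT m.masked FROM national_id_map m WHERE m.orig = p.national_id);

-- 2. Compound (tuple) masking: city and postal_code are replaced together by a
--    tuple valid for the row's unmasked state, with one pick per distinct
--    original tuple so this column group is consistent as well.
CREATE TABLE address_map AS
  SELECT orig_city, state, orig_postal_code, new_city, new_postal_code
    FROM (SELECT d.city AS orig_city, d.state, d.postal_code AS orig_postal_code,
                 v.city AS new_city, v.postal_code AS new_postal_code,
                 ROW_NUMBER() OVER (PARTITION BY d.city, d.state, d.postal_code
                                    ORDER BY DBMS_RANDOM.VALUE) AS pick
            FROM (SELECT DISTINCT city, state, postal_code FROM per_people_clone) d
            JOIN valid_address_tuple v ON v.state = d.state)
   WHERE pick = 1;

UPDATE per_people_clone p
   SET (city, postal_code) = (SELECT m.new_city, m.new_postal_code
                                FROM address_map m
                               WHERE m.orig_city = p.city AND m.state = p.state
                                 AND m.orig_postal_code = p.postal_code)
 WHERE EXISTS (SELECT 1 FROM address_map m
                WHERE m.orig_city = p.city AND m.state = p.state
                  AND m.orig_postal_code = p.postal_code);

-- 3. Verification. Consistent masking leaves the distinct count unchanged,
--    every national_id is now a synthetic 900- value, and every address is one
--    of the substitute tuples. Any row the second query returns kept its
--    original address (for example a state with no substitute) and is a
--    masking gap that should fail the run, not ship in the clone.
SELECT COUNT(DISTINCT national_id) AS distinct_ids,
       SUM(CASE WHEN national_id LIKE '900-%' THEN 0 ELSE 1 END) AS unmasked_ids
  FROM per_people_clone;

SELECT p.person_id, p.city, p.state, p.postal_code
  FROM per_people_clone p
 WHERE NOT EXISTS (SELECT 1 FROM valid_address_tuple v
                    WHERE v.city = p.city AND v.state = p.state
                      AND v.postal_code = p.postal_code);

COMMIT;

-- 4. Irreversibility: the map tables are re-identification keys for the clone
--    and must not survive the masking run or travel with the copy.
DROP TABLE national_id_map PURGE;
DROP TABLE address_map PURGE;
```

Inside the Data Masking Pack, a Substitute or Table Column format backed by a substitute table, with the same group number set on the address columns, produces the same two properties without hand-written SQL; the point of the sketch is the verification and the clean-up, which a masking run should include either way.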