11 Introduction to Oracle Data Redaction

Oracle Data Redaction is the ability to redact sensitive data in real time.

11.1 What Is Oracle Data Redaction?

Redaction is the process of selectively removing or obscuring sensitive or confidential information from documents or databases. Oracle Data Redaction enables you to redact data that is returned from queries issued by applications.

You can redact column data by using one of the following methods:

  • Full redaction. You redact all of the contents of the column data. The redacted value returned to the querying application user depends on the data type of the column. For example, columns of the NUMBER data type are redacted with a zero (0), and character data types are redacted with a single space.

  • Partial redaction. You redact a portion of the column data. For example, you can redact a Social Security number with asterisks (*), except for the last 4 digits.

  • Regular expressions. You can use regular expressions to look for patterns of data to redact. For example, you can use regular expressions to redact email addresses, which can have varying character lengths. Regular expression redaction is designed for use with character data only.

  • Random redaction. The redacted data presented to the querying application user appears as randomly generated values each time it is displayed, depending on the data type of the column.

  • Nullify redaction. The Nullify redaction type redacts all the data in a column and replaces it with null values.

  • No redaction. The No redaction type option enables you to test the internal operation of your redaction policies, with no effect on the results of queries against tables with policies defined on them. You can use this option to test the redaction policy definitions before applying them to a production environment.

Oracle Database applies the redaction at runtime when users access the data (that is, at query-execution time). This solution works well in a production system. During the time that the data is being redacted, all of the data processing is performed normally, and the back-end referential integrity constraints are preserved.

Data redaction can help you comply with industry regulations such as Payment Card Industry Data Security Standard (PCI DSS) by, for example, helping to restrict access to card holder data by business need to know.

11.2 When to Use Oracle Data Redaction

Unlike data masking, which masks sensitive data by permanently replacing it with fictitious but realistic data, data redaction masks data as it is received from the database, leaving the data in the database unchanged.

Data Redaction enables you to easily disguise the data using several different redaction styles.

Oracle Data Redaction is ideal for situations in which you must redact specific characters out of the result set of queries of Personally Identifiable Information (PII) returned to certain application users. For example, you may want to present a U.S. Social Security number that ends with the numbers 4320 as ***-**-4320.

Oracle Data Redaction is particularly suited for call center applications and other applications that are read-only. Take care when using Oracle Data Redaction with applications that perform updates back to the database, because redacted data can be written back to the database.

11.3 Benefits of Using Oracle Data Redaction

Oracle Data Redaction provides several benefits when you use it to protect your data.

These benefits are as follows:

  • Applies the redaction at runtime, with no impact on underlying data or storage requirements

  • Runs with little or no performance impact

  • Requires no application changes

  • Enables you to specify and manage Oracle Redaction with scripts or through the Oracle Enterprise Manager user interface

  • Is available for both on-premises and cloud databases

11.4 Target Use Cases for Oracle Data Redaction

Oracle Data Redaction addresses common use case scenarios.

11.4.1 Oracle Data Redaction for Sensitive Data in Read-Only Static Pages

Oracle Data Redaction enables you to redact sensitive data in application screens that have read-only static pages, such as dashboards and reports.

You can use Oracle Data Redaction to dynamically redact data for operational interfaces such as dashboards or reports. You can define a redaction policy on sensitive columns so that the data is redacted before it is passed to the application. Because the pages are for static display only, and data is not posted back to the database, redacted data would not be written back to the database and potentially corrupt records.

11.4.2 Oracle Data Redaction for Preventing Data Exposure by Management Tools

Oracle Data Redaction prevents sensitive data from being exposed by data management tools, such as tools for loading and viewing data.

Many applications include tools that enable users to load and manage their data. An example could be an SaaS application that allows subscribers to bulk load and manage customer information. You can define a redaction policy on the sensitive data so that sensitive data is redacted when it is displayed to these users when they perform these administrative activities.

11.4.3 Oracle Data Redaction to Prevent Disclosure of Data from Offline Analytics

Oracle Data Redaction prevents the disclosure of sensitive data to users who perform offline analytics on production data.

Oracle Data Redaction can be used to prevent the exposure of sensitive information to users who perform analytics on data that is contained in a data warehouse. You can define a redaction policy on sensitive data so that it is redacted as it is retrieved from the database and displayed to the user of the analytics software.

11.4.4 Oracle Data Redaction Use with Database Applications

Oracle Data Redaction protects sensitive data that is displayed in database applications.

Data Redaction is transparent to application users because it preserves the original data type and (optionally) the formatting. It is highly transparent to the database because the data remains the same in buffers, caches, and storage—only being changed at the last minute just before SQL query results are returned to the caller. The redaction is enforced consistently across all of the applications that use the same underlying database. You can specify which application users should see only redacted data by checking application user information that is passed into the database through the SYS_CONTEXT function; you can redact data based on attributes of the current database or application user; and you can implement multiple logical conditions within a given redaction policy. In addition, Data Redaction is implemented in a way that minimizes performance overhead. These characteristics make Oracle Data Redaction particularly well suited for usage by a range of applications, analytics tools, reporting tools, and monitoring tools that share common production databases. Although its primary target is redaction of production data for applications, Oracle Data Redaction also can be used with custom data administration tools (where they are not issuing ad hoc queries).
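The following added example (not part of the original Oracle text) shows one policy that applies three of the redaction methods listed in 11.1 and uses a SYS_CONTEXT condition as described above. The schema APP_OWNER, the table CUSTOMERS with its columns, the policy name, and the account CALLCENTER_APP are assumed names chosen for illustration.

```sql
-- Added example. Assumed objects (not from the original page):
--   APP_OWNER.CUSTOMERS(SSN VARCHAR2(11) stored as 'NNN-NN-NNNN',
--                       EMAIL VARCHAR2(100), CREDIT_LIMIT NUMBER)
--   CALLCENTER_APP: the database account the read-only application connects as.
-- Run as a user that has EXECUTE on the DBMS_REDACT package.
BEGIN
  -- Partial redaction: replace digits 1 through 5 with '*', keep the last four,
  -- so 'NNN-NN-4320' is returned as '***-**-4320'.
  -- The expression restricts redaction to sessions of the application account.
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APP_OWNER',
    object_name         => 'CUSTOMERS',
    policy_name         => 'REDACT_CUSTOMER_PII',
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5',
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''CALLCENTER_APP''');

  -- Regular expression redaction (character data only): hide the local part
  -- of the email address and keep the domain, using the predefined patterns.
  DBMS_REDACT.ALTER_POLICY(
    object_schema         => 'APP_OWNER',
    object_name           => 'CUSTOMERS',
    policy_name           => 'REDACT_CUSTOMER_PII',
    action                => DBMS_REDACT.ADD_COLUMN,
    column_name           => 'EMAIL',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => DBMS_REDACT.RE_PATTERN_EMAIL_ADDRESS,
    regexp_replace_string => DBMS_REDACT.RE_REDACT_EMAIL_NAME,
    regexp_position       => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence     => DBMS_REDACT.RE_ALL);

  -- Full redaction: a NUMBER column is returned as 0.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'APP_OWNER',
    object_name   => 'CUSTOMERS',
    policy_name   => 'REDACT_CUSTOMER_PII',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'CREDIT_LIMIT',
    function_type => DBMS_REDACT.FULL);
END;
/

-- Review which columns the policy covers and how each one is redacted.
SELECT column_name, function_type, function_parameters
  FROM redaction_columns
 WHERE object_owner = 'APP_OWNER' AND object_name = 'CUSTOMERS';
```

Because a table or view can have only one redaction policy, the additional columns are attached with ALTER_POLICY rather than a second ADD_POLICY call, and all three columns share the same condition.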

11.4.5 Oracle Data Redaction with Ad Hoc Database Queries Considerations

You may encounter situations where it is convenient to redact sensitive data for ad hoc queries that are performed by database users.

For example, in the course of supporting a production application, a user may need to run ad hoc database queries to troubleshoot and fix an urgent problem with the application. Even though Oracle Data Redaction is not designed to prevent data exposure to database users who run ad hoc queries directly against the database, it can provide an additional layer to reduce the chances of accidental data exposure. Because such users may have rights to change data, alter the database schema, and circumvent the SQL query interface entirely, it is possible for a malicious user to bypass Data Redaction policies in certain circumstances.

Be aware that Data Redaction does not place any restriction on the WHERE clause of ad hoc SQL, so the WHERE clause can be used in an iterative fashion to infer the actual data even when there is a Data Redaction policy on the queried column and only the redacted value is displayed.

Remember that the Oracle Database security tools are designed to be used together to improve overall security. By deploying one or more of these tools as a complement to Oracle Data Redaction, you can strengthen your overall security posture.