Transparent Data Encryption and Data Masking Enabling Compliance
James Anthony, Senior Principal Consultant
Protecting Data Privacy is the Law: Those Who Don’t, Pay the Price
• GLOBAL: Payment Card Industry Data Security Standard (PCI DSS)
  • $25K/month penalty for non-compliance
  • $500K per incident, plus a $100K fine if Visa is not notified of the incident
• EU Data Directives (27 country laws)
  • UK: unlimited fines, with a criminal penalty (prison time) being added
  • Euro zone: Spain €600K fine per incident, Germany €250K fine per incident, France €150K for a first offence plus up to five years in prison
• US Security Breach Notification Laws (40 state laws)
• Something to think about
  • Credit card data changes hands for $0.50 to $12 per record (Symantec 2008)
  • It only makes sense for criminals to look for large volumes
© 2008 Oracle Corporation
When in Doubt, Encrypt: Encryption Recognized as a Defensible Safeguard
• Encryption is now a de-facto solution for regulatory compliance with data privacy and breach notification laws
• Encryption holds up in courts and audits
• Based on well-known, publicly analysed algorithms (AES is a published standard, not a proprietary scheme)
• Used by governments worldwide to protect top-secret data
• Security breach notification laws recognize encryption as a safeguard against data breaches; the exemption only helps if the key was not lost along with the data
• Customers expect it
• Much has been made of the Child Benefit Agency and other data losses and the lack of encryption
It really is THAT secure!
• Computationally infeasible to break through brute force
• Estimate for the number of grains of sand on the planet: 7,500,000,000,000,000,000 (7.5 × 10^18)
• AES-256 has 2^256 possible keys, or 115792089237316195423570985008687907853269984665640564039457584007913129639936 (about 1.2 × 10^77)
• Assuming half the keys must be tried and one key is tested every NANOSECOND, an exhaustive search takes 2^255 nanoseconds, roughly 1.8 × 10^60 years
• Current age of the universe: circa 13,000,000,000 years
• The practical consequence: nobody attacks the cipher. Attacks go after the key material and the people who can open the wallet, which is why the key-management slides that follow matter more than the key length
Agenda: Database Security Challenges
• Data Privacy and Regulatory Compliance
• Protecting Access to Application Data
• Database Monitoring
• De-Identifying Information for Sharing
• Data Encryption
• Data Classification

Encrypting Sensitive Information: Different Solutions
[Diagram: encryption options plotted by ease of deployment against security: application-level encryption, Oracle Database (TDE), NAS encryption, disk encryption]
What We Heard From Our Customers…
• “Our PCI auditors say we have to encrypt credit card data whether it is in motion, rest, or storage.”
• “We need to encrypt personal identity information to comply with EU Data Privacy but cannot change our applications.”
• “We don’t want users with operating system file ‘read’ access to be able to walk away with our database.”
• “We send back-up tapes off-site and need to make sure they are secure even if off-site facility is compromised.”
• “We want to encrypt recorded phone conversations with credit card details in them”
Oracle Database Security Solutions for Privacy and Compliance
• Database Vault
• Advanced Security
• Audit Vault
• Secure Backup
• Configuration Management
• Total Recall
• Label Security
• Data Masking
Oracle Advanced Security Feature Overview
• Transparent Data Encryption (TDE)
  • Tablespace encryption
  • Column encryption, including SecureFiles
• Built-in key management
  • Two-tier architecture
  • Separation of duties
  • Hardware Security Module (HSM) integration
• Encrypted backups (RMAN) and exports (Data Pump)
• Network encryption
• Strong authentication
[Diagram: network encryption between client and database; database encryption at rest; encrypted tape backups, disk backups and exports]
Transparent Tablespace Encryption: Optimal Oracle Database 11g Solution
• No need to worry about which columns have to be encrypted
• Highly efficient: high performance, space preserving
• Highly secure: everything written to disk is encrypted, using industry-standard cryptography
• No application changes required
[Diagram: data is in the clear in the SQL layer and buffer cache (e.g. “NI = 834-63-..”); on disk the data blocks, undo blocks, temp blocks, redo logs and flashback logs hold only ciphertext (e.g. “*M$b@^s%&d7”)]
The diagram also shows the boundary of what TDE protects: encryption and decryption happen as blocks move between the buffer cache and disk, so a stolen datafile, backup or tape is useless without the master key, but any session that is allowed to query the table (including a privileged DBA account) sees cleartext. Controlling privileged access is a separate problem, addressed by Database Vault.
One Click Database Encryption: It’s That Easy!
[Screenshot]
• No application changes required
Column Transparent Data Encryption: Flexibility to Encrypt Individual Columns
• No application changes required
Transparent Encryption for SecureFiles: New Oracle Database 11g Unstructured Data Type
• Faster and more secure handling of unstructured data than native file systems
• Transparent encryption, compression and de-duplication
• Unified security model
• Unified management of structured and unstructured data
• High performance and cost-effective
• Similar to LOB data types but much faster and with more capabilities
• Preserves the security, reliability and scalability of the database
• Superset of the LOB interfaces, for easy migration from LOBs
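The three TDE options on the preceding slides (tablespace encryption, column encryption, encrypted SecureFiles) as Oracle Database 11g DDL. This is an added worked example, not from the original deck: it assumes the Advanced Security option and a wallet that is already created and open, and the datafile path, tablespace and table names (including the call_recordings table, suggested by the customer quote about recorded phone calls) are illustrative.

```sql
-- Added example (not from the original deck). Assumes Oracle Database 11g with the
-- Advanced Security option and a wallet that is already created and open; the
-- directory, tablespace and table names are illustrative.

-- 1. Tablespace encryption: every block written to the datafile is AES-256
--    encrypted. Tables placed here need no per-column decisions.
CREATE TABLESPACE secure_ts
  DATAFILE '/u01/app/oracle/oradata/orcl/secure_ts01.dbf' SIZE 100M
  ENCRYPTION USING 'AES256'
  DEFAULT STORAGE (ENCRYPT);

-- Confirm the tablespace is encrypted and with which algorithm.
SELECT t.name, e.encryptionalg, e.encryptedts
  FROM v$tablespace t JOIN v$encrypted_tablespaces e ON t.ts# = e.ts#;

-- 2. Column encryption: only the named columns are encrypted. An indexed column
--    must use NO SALT (the index is built on the ciphertext, and salted
--    ciphertext is never repeatable); the default adds a random salt and a
--    SHA-1 integrity check (MAC) per value.
CREATE TABLE customers (
  cust_id     NUMBER PRIMARY KEY,
  l_name      VARCHAR2(40),
  credit_card VARCHAR2(19) ENCRYPT USING 'AES256' NO SALT,  -- equality lookups via index
  national_id VARCHAR2(11) ENCRYPT                           -- default: AES192, SALT, MAC
) TABLESPACE users;
CREATE INDEX customers_cc_ix ON customers (credit_card);

-- Add encryption to, and remove it from, an existing column in place
-- (employees is an illustrative table, not one from the deck).
ALTER TABLE employees MODIFY (salary ENCRYPT USING 'AES256' NO SALT);
ALTER TABLE employees MODIFY (salary DECRYPT);

-- Which columns are encrypted, and how.
SELECT table_name, column_name, encryption_alg, salt, integrity_alg
  FROM dba_encrypted_columns
 ORDER BY table_name, column_name;

-- 3. SecureFiles LOB with encryption, compression and de-duplication. The
--    tablespace must use automatic segment space management (ASSM).
CREATE TABLE call_recordings (
  call_id  NUMBER PRIMARY KEY,
  recorded TIMESTAMP,
  audio    BLOB
)
LOB (audio) STORE AS SECUREFILE (
  ENCRYPT USING 'AES256'
  COMPRESS HIGH
  DEDUPLICATE
);
```

Column encryption carries restrictions that tablespace encryption does not: encrypted columns support only equality lookups through an index, cannot be foreign key columns, and exclude some data types, which is why the deck calls the tablespace approach optimal. COMPRESS and DEDUPLICATE on SecureFiles are licensed separately from ENCRYPT (Advanced Compression versus Advanced Security), so check the licence position before enabling all three.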
Transparent Data Encryption Key Management: Built-in Automated Key Management
• Two-tier architecture
  • Master key stored in a PKCS #12 wallet outside the database
  • Data encryption keys (column/table keys and tablespace keys) stored in the database for performance reasons, but encrypted with the master key
• Built-in key management
  • Rekey supported for both master and column keys
  • Master key can be generated and managed in an external system
  • Separation of duties: the wallet password is held by the security administrator, not the DBA
• Hardware Security Module (HSM) support
  • Special-purpose hardware
  • PKCS #11 (Public-Key Cryptography Standards) API
  • Meets FIPS and Common Criteria standards
  • Certified partners: nCipher, RSA, SafeNet
• Caveat: “outside the database” has to mean outside the same backup set and the same file-system permissions. A wallet copied alongside the datafiles, or an auto-login wallet readable by the same OS account, hands the attacker the master key together with the data
Transparent Data Encryption Key Management Architecture
[Diagram]
• The Security DBA holds the master key in a PKCS #12 wallet or an HSM
• Data encryption keys are stored in the database, encrypted using the master key
• FIN application data is encrypted using the FIN application column key; HR application data is encrypted using the HR application tablespace key
• Application users work through Transparent Data Encryption and never handle keys
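The key-management lifecycle from the two slides above (wallet creation, open/close, master and column rekey, HSM migration) as the SQL a security administrator would run on Oracle Database 11g. This is an added worked example, not from the original deck; the wallet directory, passwords and HSM credential are placeholders.

```sql
-- Added example (not from the original deck). Assumes Oracle Database 11g and
-- that sqlnet.ora points ENCRYPTION_WALLET_LOCATION at a directory that is NOT
-- backed up together with the datafiles, e.g.
--   ENCRYPTION_WALLET_LOCATION=(SOURCE=(METHOD=FILE)(METHOD_DATA=
--     (DIRECTORY=/u01/app/oracle/admin/orcl/wallet)))
-- Passwords and the HSM credential below are placeholders.

-- First use: creates the wallet (ewallet.p12) and the first master key in one
-- step. Run by the security administrator, who keeps this password from the DBAs.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "S3cAdm1n-W4llet!";

-- After every instance restart a password wallet must be opened before any
-- encrypted column or tablespace can be read. A closed wallet fails closed:
-- queries raise ORA-28365 "wallet is not open" instead of returning cleartext.
ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "S3cAdm1n-W4llet!";
SELECT wrl_type, wrl_parameter, status FROM v$encryption_wallet;   -- expect OPEN

-- Master rekey: the same statement, issued again, generates a new master key
-- and re-encrypts the stored data keys under it. The table data is untouched,
-- so this is cheap and is what you do when an administrator leaves.
ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "S3cAdm1n-W4llet!";

-- Column rekey: decrypts and re-encrypts the column data with a fresh table key
-- (optionally changing the algorithm). In 11g a tablespace data key cannot be
-- rekeyed; re-encrypting a tablespace means moving the data to a new one.
ALTER TABLE customers REKEY USING 'AES256';

-- Close the wallet at the end of maintenance if policy calls for it
-- (11.2 requires IDENTIFIED BY "password" on CLOSE for a password wallet).
ALTER SYSTEM SET ENCRYPTION WALLET CLOSE;

-- Moving the master key into an HSM: set METHOD=HSM in sqlnet.ora, then migrate.
-- The wallet password unlocks the existing data keys so they can be
-- re-encrypted under the HSM-held master key.
-- ALTER SYSTEM SET ENCRYPTION KEY IDENTIFIED BY "hsm_user:hsm_password"
--   MIGRATE USING "S3cAdm1n-W4llet!";
```

Two operational points follow from this: the wallet directory needs its own backup schedule and access list, separate from the datafiles, and the rekey statements should be audited, since whoever can run them controls every encrypted byte in the database.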
Encrypted Database Exports: Transparent Data Encryption for Data Pump
• Data Pump is used for bulk export/import
• Encrypt the export with the ENCRYPTION parameter
• Use the wallet (transparent mode), a password, or both (dual mode) for encryption
[Diagram: cleartext rows (Top Secret: NI, CC#, DOB) become an encrypted export file; the key comes from a password or from the PKCS #12 wallet]
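An encrypted schema export, as described on the slide above, driven through the DBMS_DATAPUMP PL/SQL API so the whole job is visible as SQL. This is an added worked example, not from the original deck; the directory object, schema, file names and password are assumptions, and the expdp command-line equivalents are given in the comments.

```sql
-- Added example (not from the original deck). Directory object, schema, file
-- names and the password are assumptions.
-- expdp equivalents: ENCRYPTION=ALL ENCRYPTION_ALGORITHM=AES256
--                    ENCRYPTION_MODE=DUAL ENCRYPTION_PASSWORD=...

CREATE OR REPLACE DIRECTORY dp_dir AS '/u01/app/oracle/export';

DECLARE
  h         NUMBER;
  job_state VARCHAR2(30);
BEGIN
  h := DBMS_DATAPUMP.OPEN(operation => 'EXPORT', job_mode => 'SCHEMA',
                          job_name  => 'HR_ENC_EXPORT');
  DBMS_DATAPUMP.ADD_FILE(h, 'hr_enc.dmp', 'DP_DIR',
                         filetype => DBMS_DATAPUMP.KU$_FILE_TYPE_DUMP_FILE);
  DBMS_DATAPUMP.ADD_FILE(h, 'hr_enc.log', 'DP_DIR',
                         filetype => DBMS_DATAPUMP.KU$_FILE_TYPE_LOG_FILE);
  DBMS_DATAPUMP.METADATA_FILTER(h, 'SCHEMA_EXPR', 'IN (''HR'')');

  -- ALL encrypts data, metadata and the already TDE-encrypted columns, so the
  -- dump file contains no cleartext at all (the default NONE would write
  -- TDE-protected columns to the file in the clear).
  DBMS_DATAPUMP.SET_PARAMETER(h, 'ENCRYPTION', 'ALL');
  DBMS_DATAPUMP.SET_PARAMETER(h, 'ENCRYPTION_ALGORITHM', 'AES256');
  -- DUAL: importable either by a database whose wallet holds this master key
  -- (TRANSPARENT) or by anyone holding the password. Use PASSWORD alone when the
  -- file goes to a site that does not share the wallet; TRANSPARENT alone when
  -- it never leaves the estate and a password would be one more secret to lose.
  DBMS_DATAPUMP.SET_PARAMETER(h, 'ENCRYPTION_MODE', 'DUAL');
  DBMS_DATAPUMP.SET_PARAMETER(h, 'ENCRYPTION_PASSWORD', 'Exp0rt-Passw0rd!');

  DBMS_DATAPUMP.START_JOB(h);
  DBMS_DATAPUMP.WAIT_FOR_JOB(h, job_state);
  DBMS_OUTPUT.PUT_LINE('Export job finished: ' || job_state);
END;
/
```

The log file is written in the clear, so keep object and file names in it free of sensitive values; the dump file itself is only as safe as the password or the wallet that protects it.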
DEMONSTRATION
Oracle Advanced Security: Transparent Data Encryption
• 89% of companies use production customer data, often exceeding 10M records, for testing, development, support, training, etc.
• 74% use consumer data; 24% use credit card numbers!
• Only 23% do anything to suppress sensitive information, and 81% rely on contractual clauses to protect live data transferred to outsourcers and other third parties
• 23% said live data used for development or testing had been lost or stolen, and 50% had no way of knowing
Sensitive Data is Highly Regulated: Non-Production Use Risks Compliance and Penalties
• Regulations restrict use of sensitive data and mandate access control (who, where, how and why)
  • Payment Card Industry Data Security Standard (PCI DSS) 6.3.4
  • Gramm-Leach-Bliley Act (GLBA) and Sarbanes-Oxley Act (SOX)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Communications Act (47 U.S.C. § 222)
• 90% fail compliance, facing fines and remediation costs
• Non-production environments are more vulnerable to breaches
• Non-production breaches must be disclosed
  • Database Security Breach Notification Act (California SB 1386)
  • $239 per record
  • Up to $35M per breach
  • And that’s if the data doesn’t end up on the Internet…
What We Heard From Our Customers… Need to Share Production Data…
• “Our Shipping Department needs to get order information but should not see credit card numbers.”
• “We’ve outsourced testing and need to provide our partner with production data for testing but we cannot expose real customer records.”
• “Our off-shore development team needs production data for testing but we cannot provide them with employee names or social security numbers.”
• “Our analysts need to model real claims but HIPAA requires that they are not allowed to see actual patient records or doctor information.”
PII Is One of the Top Concerns for Execs
• A 2008 survey conducted by ISACA of more than 3,100 professionals in more than 95 countries found that securing personally identifiable information (PII) is a top concern facing business and technology executives this year
Agenda: Database Security Challenges (continued)
• Data Privacy and Regulatory Compliance
• Protecting Access to Application Data
• Database Monitoring
• De-Identifying Information for Sharing
• Protecting Data-at-Rest
• Data Classification
De-Identifying Information: Making Sensitive Data Safe for Non-Production Use
• Referred to as data masking, data obfuscation, data de-identification, data de-personalisation, data scrubbing, data scrambling, etc.
• De-identifying information irreversibly substitutes sensitive information in a (cloned) production database with non-sensitive data to prevent access by unauthorised users; unlike encryption, there is no key that brings the original back
• Typically sensitive or regulated production data is replaced with realistic-looking values to maintain usability for non-production activities
Oracle Database Security Solutions for Privacy and Compliance: Data Masking
Enterprise Manager Data Masking Pack: Major Features
• Automatic database referential integrity if masking primary keys
  • Implicit: database-enforced
  • Explicit: application-enforced
• Data mask format library
• Preview sample data before masking
• Application masking templates
• Define once, execute many
Production Database
L_NAME   | CREDIT_CARD      | AMT
---------|------------------|------
AGUILAR  | 4408041254369873 | 80.00
BENSON   | 4417123456789112 | 60.00

Masked Cloned Database
L_NAME     | CREDIT_CARD      | AMT
-----------|------------------|------
ANSKEKSL   | 4111111111111111 | 80.00
BKJHHEIEDK | 4408041234567890 | 60.00
Format Libraries
• Mask primitives
  • Random Number
  • Random String
  • Random Date within range
  • Shuffle
  • Substring of original value
  • Table Column
• User-defined function
• National identifiers
  • NI numbers
  • Credit card numbers
• Post-processing functions
  • Confirm a masked value fulfils validation criteria
User-Defined Mask Formats
[Screenshot: a user-defined format used for e-mail notification testing]
Masking Definitions
• Associate formats with a database
• Map formats to the table columns being masked
• Define dependent columns
• Associated database target
• Automatically identify foreign key relationships
• Can specify undeclared constraints as related columns
• Import from or export to XML
• “Create like” to apply to similar databases
Referential Integrity Enforcement
[Screenshot: related columns shown as database-enforced (declared foreign keys) or application-enforced (relationships declared by the user)]
Pre-Masking Validation
• Ensure uniqueness can be maintained
• Ensure formats match column data types
• Check space availability
• Warn about check constraints
• Check presence of default partitions
Other Features of Data Masking
[Workflow: Clone Production → Mask → Staging]
• Advanced masking options
  • Condition-based masking
  • Compound masking
  • Secure Clone + Mask workflow
  • Enhanced user workflow
  • Rich mask format libraries
• REDO log generation
• Statistics refresh
• Comparing before and after values
• Degree of parallelism
• Privilege delegation support
Data Masking Internals
1. Disable constraints on the table (and the foreign keys that reference it)
2. Build a mapping table containing the original sensitive values and their masked values, using the masking routines
3. Rename the original table
4. Recreate the masked table copy and populate it from the renamed original table joined to the mapping tables
5. Collect statistics
6. Restore the constraints based on the original table
7. Drop the renamed table and the mapping table
Performance
• Optimizations
  • SQL parallelism for tables with more than 1 million rows
  • Statistics collection before and after masking
  • CTAS (CREATE TABLE AS SELECT) statement with NOLOGGING
• Test results
  • Hardware: Linux x86, 4 CPU (single-core Pentium 4, Northwood), 5.7 GB memory
  • Column scalability: 215 columns masked across 100 tables, 60 GB database, 20 minutes
  • Row scalability: 100 million row table, 6 columns masked with Random Number, 1.3 hours
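The seven-step masking procedure and the CTAS/NOLOGGING optimisation from the two slides above, written out by hand for one table with a dependent foreign key. This is an added worked example, not the script Enterprise Manager generates: the tables, the sample rows and the two mask rules (keep the card's issuer prefix and randomise the rest; random uppercase string for the surname) are constructed for illustration, and grants, indexes and triggers that a real run re-creates are omitted.

```sql
-- Added example (not from the original deck). Tables, rows and mask rules are
-- constructed; a real run also re-creates grants, indexes and triggers.

-- Constructed sample: a parent with masked columns and a child whose foreign
-- key is what steps 1 and 6 protect.
CREATE TABLE customers (
  cust_id     NUMBER        CONSTRAINT customers_pk PRIMARY KEY,
  l_name      VARCHAR2(40),
  credit_card VARCHAR2(16),
  amt         NUMBER(10,2)
);
CREATE TABLE orders (
  order_id NUMBER CONSTRAINT orders_pk PRIMARY KEY,
  cust_id  NUMBER NOT NULL CONSTRAINT orders_cust_fk REFERENCES customers (cust_id),
  amt      NUMBER(10,2)
);
INSERT INTO customers VALUES (101, 'AGUILAR', '4408041254369873', 80.00);
INSERT INTO customers VALUES (102, 'BENSON',  '4417123456789112', 60.00);
INSERT INTO customers VALUES (103, 'BENSON',  '4417123456789112', 15.50); -- repeated value
INSERT INTO orders VALUES (1, 101, 80.00);
INSERT INTO orders VALUES (2, 102, 60.00);
COMMIT;

-- Step 1: disable the constraints that depend on the table being rebuilt.
ALTER TABLE orders DISABLE CONSTRAINT orders_cust_fk;

-- Step 2: mapping tables, one row per DISTINCT original value. Generating the
-- replacement once per original keeps masking consistent: every row (and any
-- other table masked from the same map) holding 4417123456789112 gets the same
-- substitute, which is what preserves joins when keys are masked.
CREATE TABLE cc_map NOLOGGING AS
SELECT credit_card AS orig_value,
       SUBSTR(credit_card, 1, 6) ||                           -- keep issuer prefix
       LPAD(TO_CHAR(TRUNC(DBMS_RANDOM.VALUE(0, 1e10))), 10, '0') AS masked_value
  FROM (SELECT DISTINCT credit_card FROM customers WHERE credit_card IS NOT NULL);

CREATE TABLE name_map NOLOGGING AS
SELECT l_name AS orig_value,
       DBMS_RANDOM.STRING('U', LENGTH(l_name)) AS masked_value
  FROM (SELECT DISTINCT l_name FROM customers WHERE l_name IS NOT NULL);

-- Pre-masking validation: two originals must not collapse onto one masked value
-- (Random Number can collide; a real run would regenerate or widen the format).
SELECT COUNT(*) - COUNT(DISTINCT masked_value) AS collisions FROM cc_map;  -- want 0

-- Step 3: rename the original out of the way.
ALTER TABLE customers RENAME TO customers_orig;

-- Step 4: rebuild with CTAS, NOLOGGING to skip redo, joined to the maps.
-- Unmasked columns (cust_id, amt) are copied through unchanged.
CREATE TABLE customers NOLOGGING PARALLEL 4 AS
SELECT o.cust_id,
       n.masked_value AS l_name,
       c.masked_value AS credit_card,
       o.amt
  FROM customers_orig o
  LEFT JOIN name_map n ON n.orig_value = o.l_name
  LEFT JOIN cc_map   c ON c.orig_value = o.credit_card;
ALTER TABLE customers LOGGING;
ALTER TABLE customers NOPARALLEL;

-- Step 5: statistics, so the test database optimises like production.
BEGIN
  DBMS_STATS.GATHER_TABLE_STATS(ownname => USER, tabname => 'CUSTOMERS');
END;
/

-- Step 6: restore constraints against the new table. Constraint names are
-- unique per schema and the disabled FK still points at the renamed object, so
-- the old PK (and, via CASCADE, the FK on it) is dropped before re-creating both.
ALTER TABLE customers_orig DROP PRIMARY KEY CASCADE;
ALTER TABLE customers ADD CONSTRAINT customers_pk PRIMARY KEY (cust_id);
ALTER TABLE orders ADD CONSTRAINT orders_cust_fk
  FOREIGN KEY (cust_id) REFERENCES customers (cust_id);

-- Verify before destroying the originals: no row may keep its real value.
SELECT COUNT(*) AS leaked
  FROM customers m JOIN customers_orig o ON o.cust_id = m.cust_id
 WHERE m.credit_card = o.credit_card OR m.l_name = o.l_name;    -- want 0

-- Step 7: drop the originals. PURGE matters: without it the cleartext table
-- survives in the recycle bin of the "masked" database.
DROP TABLE customers_orig PURGE;
DROP TABLE cc_map PURGE;
DROP TABLE name_map PURGE;
```

Two things the slide's step list leaves implicit: the mapping table is itself a complete lookup from masked back to real values and must be destroyed (not merely dropped into the recycle bin) before the clone leaves the staging environment, and a NOLOGGING rebuild means the masked copy is not recoverable from redo, so the staging database should be backed up after masking rather than before.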
Masking Workflow
[Diagram]
• Security Admin: Identify Sensitive Information → Identify Data Formats (Format Library) → Masking Definition → Review Mask Definition
• DBA: Clone Prod to Staging → Execute Mask (on Staging) → Clone Staging to Test
• Databases involved: Prod → Staging → Test
DEMONSTRATION
Oracle Data Masking: De-Identifying Information for Sharing
What About Production Environments? Data Masking with Virtual Private Database
• Policy-based real-time masking
• Return all records but redact sensitive columns
• Optionally unmask selected records if the user is authorised
• Example: the application issues
    select * from customers;
  and the VPD policy adds
    where account_mgr_id = sys_context('APP','CURRENT_MGR')
[Table residue: an SSN column (701-495-2123, 121-791-4212, 181-095-1232, 581-295-7603, 431-395-9332, 381-395-9223, 483-562-0912, 461-978-8212) and a salary column (25000, 15000, 12000, 17000, 15000, 10000); rows that do not satisfy the predicate are still returned with the sensitive columns redacted]
Note that this is access control over live data, not de-identification: the real values remain in the table and are readable by anyone the policy does not cover, so VPD masking complements the cloned-and-masked approach rather than replacing it for non-production copies.
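The column-masking VPD policy sketched on the slide above, built out with DBMS_RLS. This is an added worked example, not from the original deck: the deck shows only the predicate, so the customers table layout, the APP context attribute CURRENT_MGR, the user_to_mgr lookup table and the package that sets the context are all constructed for illustration.

```sql
-- Added example (not from the original deck). Table layout, the APP context
-- attribute CURRENT_MGR, the user_to_mgr lookup and the context package are
-- constructed; only the predicate comes from the slide. Run as schema APP.

CREATE TABLE customers (
  cust_id        NUMBER PRIMARY KEY,
  l_name         VARCHAR2(40),
  ssn            VARCHAR2(11),
  salary         NUMBER(10),
  account_mgr_id NUMBER
);
INSERT INTO customers VALUES (1, 'AGUILAR', '701-495-2123', 25000, 10);
INSERT INTO customers VALUES (2, 'BENSON',  '581-295-7603', 12000, 20);
-- Constructed mapping of database users to manager ids.
CREATE TABLE user_to_mgr (db_user VARCHAR2(30) PRIMARY KEY, mgr_id NUMBER);
INSERT INTO user_to_mgr VALUES ('MGR10', 10);
COMMIT;

-- 1. Application context. Only app_ctx_pkg may set attributes in it, and the
--    package derives the manager from the authenticated session user rather
--    than accepting a caller-supplied id; the policy trusts whatever is here.
CREATE OR REPLACE CONTEXT app USING app_ctx_pkg;

CREATE OR REPLACE PACKAGE app_ctx_pkg AS
  PROCEDURE set_current_mgr;
END;
/
CREATE OR REPLACE PACKAGE BODY app_ctx_pkg AS
  PROCEDURE set_current_mgr IS
    v_mgr NUMBER;
  BEGIN
    SELECT mgr_id INTO v_mgr FROM user_to_mgr
     WHERE db_user = SYS_CONTEXT('USERENV', 'SESSION_USER');
    DBMS_SESSION.SET_CONTEXT('APP', 'CURRENT_MGR', TO_CHAR(v_mgr));
  EXCEPTION
    WHEN NO_DATA_FOUND THEN NULL;  -- not a manager: attribute stays unset
  END;
END;
/

-- 2. Policy function: returns the predicate text VPD appends to each SELECT.
--    An unset context yields NULL, the comparison is false, and the sensitive
--    columns are masked for every row.
CREATE OR REPLACE FUNCTION mgr_only_predicate (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
  RETURN 'account_mgr_id = SYS_CONTEXT(''APP'', ''CURRENT_MGR'')';
END;
/

-- 3. Attach it as a COLUMN-MASKING policy. ALL_ROWS returns every row and
--    replaces the listed columns with NULL where the predicate is false; the
--    same policy without sec_relevant_cols_opt would filter those rows out.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema         => 'APP',
    object_name           => 'CUSTOMERS',
    policy_name           => 'MASK_SSN_SALARY',
    function_schema       => 'APP',
    policy_function       => 'MGR_ONLY_PREDICATE',
    statement_types       => 'SELECT',
    policy_type           => DBMS_RLS.CONTEXT_SENSITIVE,
    sec_relevant_cols     => 'SSN,SALARY',
    sec_relevant_cols_opt => DBMS_RLS.ALL_ROWS);
END;
/

-- 4. As user MGR10, after EXEC app_ctx_pkg.set_current_mgr:
SELECT cust_id, l_name, ssn, salary FROM customers;
-- AGUILAR (manager 10) shows SSN and salary; BENSON's row is present with NULLs.
```

Three caveats a practitioner should carry away: column masking applies to SELECT only, so INSERT/UPDATE/DELETE paths need their own policy; the redacted columns come back as NULL, not as a placeholder string, and applications must tolerate that; and users holding EXEMPT ACCESS POLICY (SYS among them) bypass VPD entirely, which is the same privileged-user gap the TDE slides note and Database Vault is meant to close.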
For More Information
• http://search.oracle.com (search for “database security”)
• oracle.com/database/security