Integrigy Encrypting Sensitive Data in Oracle EBS

Encrypting Bank Account Information

Uploaded by

Jai Soni
Encrypting Sensitive Data in Oracle E-Business Suite

December 19, 2013

Stephen Kost
Chief Technology Officer
Integrigy Corporation

About Integrigy

ERP Applications: Oracle E-Business Suite
Databases: Oracle and Microsoft SQL Server

Products
• AppSentry (Validates Security): ERP Application and Database Security Auditing Tool
• AppDefend (Protects Oracle EBS): Enterprise Application Firewall for the Oracle E-Business Suite

Services
• Verify Security: Security Assessments (ERP, Database, Sensitive Data, Pen Testing)
• Ensure Compliance: Compliance Assistance (SOX, PCI, HIPAA)
• Build Security: Security Design Services (Auditing, Encryption, DMZ)

Agenda

1. Sensitive Data Overview
2. EBS Native Encryption
3. Non-EBS Encryption
4. Network Encryption
5. Q&A

Why – Sensitive Data Encryption Drivers

• PCI (Payment Card Industry - Data Security Standard)
  - Must encrypt credit card numbers

• Privacy Laws (National/State Regulations)
  - Read access to sensitive data (National Identifier and Bank Account Number)
  - Breach regulations often specifically exclude encrypted data
  - California (SB 1386) and Massachusetts data privacy laws

• HIPAA (Health Insurance Portability and Accountability Act)
  - Electronic Protected Health Information (ePHI) should be encrypted – an addressable implementation specification
  - Breach regulations exclude encrypted data

What is Sensitive Data in Oracle EBS?

Payment Card Industry Data Security Standard (PCI-DSS 3.0)
• Credit Card Number
• Primary Account Number (PAN)
• CVV/CV2/CID
  - 3 digits on the back for Visa/MC
  - 4 digits on the front for AMEX
• Magnetic Stripe Data (very rare in EBS)

Privacy Regulations (employees, customers, vendors)
• First and last name
• Plus one of the following:
  - Social security number (SSN, Tax ID, 1099)
  - Credit card number
  - Bank account number
  - Financial account number
  - Driver license or state ID number

HIPAA (Privacy Standard and Security Rule)
• First and last name
• Plus one of the following (Protected Health Information)
  - “the past, present, or future physical or mental health, or condition of an individual”
  - “provision of health care to an individual”
  - “payment for the provision of health care to an individual”

Where is Sensitive Data in Oracle EBS?

Credit Card Data
  - iby_security_segments (encrypted)
  - ap_bank_accounts_all
  - oe_order_headers_all
  - aso_payments
  - oks_k_headers_*
  - oks_k_lines_*
  - iby_trxn_summaries_all
  - iby_credit_card

Social Security Number (National Identifier) (Tax ID) (1099)
  - per_all_people_f
  - hr_h2pi_employees
  - ben_reporting
  - ap_suppliers
  - ap_suppliers_int
  - po_vendors_obs

Bank Account Number
  - ap_checks_all
  - ap_invoice_payments_all
  - ap_selected_invoice_checks_all

Electronic Protected Health Information (ePHI)
  - Order Management
  - Accounts Receivables
  - Human Resources

Where else might be Sensitive Data?

Database
• Custom tables
  - Customizations may be used to store or process sensitive data
• “Maintenance tables”
  - DBA copies tables to make backup prior to direct SQL update
  - hr.per_all_people_f_011510
• Interface tables
  - Credit card numbers are often accepted in external applications and sent to Oracle EBS or processed using XML Gateway
• Oracle EBS Flexfields
  - It happens – very hard to find

File System
• Interface files
  - Flat files used for interfaces or batch processing
• Log files
  - Log files generated by the application (e.g., Oracle Payments)

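A data discovery query pair for the database-side locations listed above, as an added example that is not part of the original slides. The base table names and the NATIONAL_IDENTIFIER column come from this presentation; the prefix match and the choice of seed tables are assumptions, and every row returned is a candidate for manual review, not a confirmed copy.

```sql
-- Added example (not from the original presentation).
-- Query 1: "maintenance tables" - tables in any schema whose name starts with
-- the name of a known sensitive EBS table (e.g. PER_ALL_PEOPLE_F_011510).
WITH sensitive AS (
  SELECT 'PER_ALL_PEOPLE_F' AS base_name FROM dual UNION ALL
  SELECT 'AP_SUPPLIERS'                  FROM dual UNION ALL
  SELECT 'AP_SUPPLIERS_INT'              FROM dual UNION ALL
  SELECT 'AP_BANK_ACCOUNTS_ALL'          FROM dual UNION ALL
  SELECT 'AP_CHECKS_ALL'                 FROM dual UNION ALL
  SELECT 'OE_ORDER_HEADERS_ALL'          FROM dual
)
SELECT t.owner,
       t.table_name,
       MAX(s.base_name) AS resembles,   -- longest matching seed name
       o.created,
       t.num_rows
FROM   dba_tables t
JOIN   sensitive s
       ON SUBSTR(t.table_name, 1, LENGTH(s.base_name)) = s.base_name
JOIN   dba_objects o
       ON  o.owner       = t.owner
       AND o.object_name = t.table_name
       AND o.object_type = 'TABLE'
-- Exclude the seed tables themselves (AP_SUPPLIERS_INT also starts with AP_SUPPLIERS).
WHERE  t.table_name NOT IN (SELECT base_name FROM sensitive)
GROUP  BY t.owner, t.table_name, o.created, t.num_rows
ORDER  BY o.created DESC;

-- Query 2: custom or copied tables that carry a column named like the HR
-- national identifier outside the standard table. Views are excluded by the
-- join to DBA_TABLES.
SELECT c.owner, c.table_name, c.column_name, c.data_type, c.data_length
FROM   dba_tab_columns c
JOIN   dba_tables t
       ON t.owner = c.owner AND t.table_name = c.table_name
WHERE  c.column_name LIKE '%NATIONAL\_IDENTIFIER%' ESCAPE '\'
AND    NOT (c.owner = 'HR' AND c.table_name = 'PER_ALL_PEOPLE_F')
ORDER  BY c.owner, c.table_name;
```

Flexfield contents, interface files and log files are not covered by these queries because their sensitive values are not identifiable from table or column names.
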
How – Integrigy EBS Data Protection Process

[Diagram: numbered process (steps 1 to 5) spanning Production and Test/Development environments. Labeled components:]
  P1 - EBS Data Protection Policy, derived from the Enterprise Data Privacy Policy to the data element level
  P2 - Data Protection Design and Data Discovery, producing a Detailed Data Inventory (element → table.column → action); marked "Annually"
  E1 - Native EBS Encryption (credit card/bank acct)
  E2 - Add-on Encryption (disk or database)
  E3 - Network Encryption (web and database)
  C1 - Access Controls (application & database)
  A1 - Auditing
  S1 - Clone Scrambling/Data Masking
  C2 - Security, Hardening, and General IT Controls

Types of Encryption

• Storage (Data at rest)
  - Disk, storage, media level encryption
  - Encryption of data at rest such as when stored in files or on media

• Network (Data in motion)
  - Encryption of data when transferred between two systems
  - SSL/HTTPS (users) and SQL*Net encryption (database)

• Access (Data in use)**
  - Application or database level encryption
  - Encryption of data with access permitted only to a subset of users in order to enforce segregation of duties

Storage/Access Oracle EBS Encryption Solutions

Application (access = responsibility)
• Oracle EBS Credit Card Number Encryption
• Encryption for Customizations (DBMS_CRYPTO/FND_VAULT)

Database (access = db account)
• View/Trigger Encryption for Customizations

Disk/Storage (access = database)
• Oracle Transparent Data Encryption (TDE)
• Third-party Solutions (e.g., Vormetric)
• Disk/SAN Vendor Encryption Solutions
• Backup Encryption (e.g., RMAN)

Network Oracle EBS Encryption Solutions

User to Application Server (http)
• Native EBS SSL Encryption
• SSL Endpoint
  - Use a load balancer or reverse proxy

Application Server to Database Server (SQL*Net)
• SQL*Net Encryption
  - Formerly part of Advanced Security Option
  - Now included with Oracle EBS Database

Big 3 Sensitive Data Elements in EBS

Sensitive Data Element | Data Types | Most Common EBS Module | EBS Native Encryption
Credit Card Number | Customer | OM/AR/IBY | Optional
Credit Card Number | Employee Corporate Card | AP/IBY/iExp | Optional
Social Security Number | Employee | HR | No
Social Security Number | Vendor Tax ID/1099 | AP | No
Social Security Number | Customer | AR/Custom | No
Bank Account Number | Company Bank Account | CE | No
Bank Account Number | Employee Bank Account (direct deposit) | HR | No
Bank Account Number | Vendor Bank Account | AP/IBY | Optional

Oracle EBS Native Encryption

Oracle E-Business Suite includes native application-level encryption for a limited set of fields based on version and module.

• Not enabled by default in 11i or R12
• 11i = general patch release availability October 2006
• R12 = included with base R12 release
• Significantly better solution than TDE or disk level encryption

Big 3 Sensitive Data Elements in EBS

Sensitive Data Element | Data Types | Most Common EBS Module | EBS Native Encryption
Credit Card Number | Customer | OM/AR/IBY | 11i and R12
Credit Card Number | Employee Corporate Card | AP/IBY/iExp | R12
Social Security Number | Employee | HR | No
Social Security Number | Vendor Tax ID/1099 | AP | No
Social Security Number | Customer | AR/Custom | No
Bank Account Number | Company Bank Account | CE | No
Bank Account Number | Employee Bank Account (direct deposit) | HR | No
Bank Account Number | Vendor Bank Account | AP/IBY | R12

Oracle EBS Native Encryption

11i (11.5.10.2)
• MOS Note ID 338756.1 – Patch 4607647
• Significant functional pre-requisites
• Only credit card numbers
• Keys stored in the database

R12
• MOS Note ID 863053.1
• Credit card numbers and bank account numbers
• Uses Oracle Wallet to store encryption keys

Oracle Credit Card Encryption Design

[Diagram: EBS modules and the tables involved in credit card encryption. Modules shown: Collections, Service Contracts, Oracle Capture, Oracle Mgmt, AR, iStore, iPayment. Tables shown: iby_security_segments, ap_bank_accounts_all, oks_k_headers_*, oks_k_lines_*, aso_payments, oe_order_headers_all, iby_trxn_summaries_all, iby_credit_card.]

Not pictured:
• Internet Expenses (AP) – R12
• Lease Management (AP) – same as AR
• Student System (IGS) – IGS patch

EBS Native Encryption Challenges

• Encryption keys must be rotated periodically as required by PCI
• No method or supported procedure to purge encrypted data as required by PCI
• Encryption keys must be changed in test and development environments
• For PCI, no live credit card numbers allowed in test and development

What is Oracle TDE?

• Transparent database encryption
  - Requires no application code or database structure changes to implement
  - Only major change to database function is the Oracle Wallet must be opened during database startup
  - Add-on feature licensed with Advanced Security Option

• Limited to encrypting only certain columns
  - Cannot be a foreign key or used in another database constraint
  - Only simple data types like number, varchar, date,
  - Less than 3,932 bytes in length

What does TDE do and not do?

• TDE only encrypts “data at rest”
• TDE protects data if following is stolen or lost -
  - disk drive
  - database file
  - backup tape of the database files
• An authenticated database user sees no change
• Does TDE meet legal requirements for encryption?
  - California SB1386, Payment Card Industry Data Security
  - Ask your legal department

Data Center Theft

From Chicago Police Report -
• At least two masked intruders entered the suite after cutting into the reinforced walls with a power saw.
• During the robbery, the night manager was repeatedly tazered and struck with a blunt instrument.
• At least 20 data servers were stolen.

Column vs. Tablespace Encryption
Column encryption
- Fairly straightforward for simple cases such as
NATIONAL_IDENTIFIER in HR.PER_ALL_PEOPLE_F
- Encryption done in place using ALTER TABLE
- Do not use SALT for Oracle EBS columns
- Use for standard Oracle EBS columns

Tablespace encryption
- Tablespace encryption only supported in 11g for
11i/R12
- Tablespace must be exported and imported to
implement encryption
- OATM uses large tablespaces (APPS_TS_TX_DATA)
- Use for custom tablespaces or entire database
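
The column-encryption steps above for NATIONAL_IDENTIFIER in HR.PER_ALL_PEOPLE_F, written out as an added example that is not part of the original slides. The AES256 algorithm choice is an assumption for illustration; NO SALT follows the slide, and the index check shows why it matters, since Oracle does not allow an index on a TDE column encrypted with salt.

```sql
-- Added example (not from the original presentation).
-- Step 1: confirm the TDE wallet is open; column encryption fails otherwise.
-- On 11g the wallet is opened with:
--   ALTER SYSTEM SET ENCRYPTION WALLET OPEN IDENTIFIED BY "<wallet_password>";
SELECT wrl_type, wrl_parameter, status
FROM   v$encryption_wallet;

-- Step 2: list indexes on the target column. Any row returned here means the
-- column must be encrypted with NO SALT, because a salted TDE column cannot
-- be indexed.
SELECT index_owner, index_name, column_position
FROM   dba_ind_columns
WHERE  table_owner = 'HR'
AND    table_name  = 'PER_ALL_PEOPLE_F'
AND    column_name = 'NATIONAL_IDENTIFIER';

-- Step 3: encrypt the existing column in place.
-- 'AES256' is an illustrative choice, not a value taken from the slides.
ALTER TABLE hr.per_all_people_f
  MODIFY (national_identifier ENCRYPT USING 'AES256' NO SALT);

-- Step 4: verify the result; SALT should read NO for this column.
SELECT owner, table_name, column_name, encryption_alg, salt
FROM   dba_encrypted_columns
WHERE  owner      = 'HR'
AND    table_name = 'PER_ALL_PEOPLE_F';
```

The ALTER TABLE rewrites every row of the table, so it belongs in a maintenance window after a run on a cloned instance.
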
Performance Considerations

• Impact is limited to CPU performance
  - Data must be encrypted and decrypted
  - Highly dependent on access patterns to data

• No disk I/O read or write impact
  - Change is not significant

• Column Encryption
  - 5% to 20% CPU performance impact for several customers

• Tablespace Encryption
  - Encrypting entire database is feasible
  - 10% to 15% CPU performance impact for one customer on high transaction volume tables

Oracle EBS Default Network Communication

[Diagram: Client Browser -> (1) HTTP -> Oracle EBS Application Server (Apache, Java Container) -> (2) SQL*Net -> Database]

1. Communication from the client browser to the application server uses the HTTP protocol and all traffic is unencrypted, including passwords.

2. Communication from the application server to the database uses the Oracle SQL*Net protocol and all traffic is unencrypted, except database passwords.

Client to Application Server (Native)

[Diagram: Client Browser -> (1) SSL/HTTPS -> Oracle EBS Application Server (Apache, Java Container) -> (2) SQL*Net -> Database]

• SSL encryption (just like your bank uses) should be implemented for Oracle EBS, as EBS natively supports SSL. Modify the SSL encryption settings to strengthen them.
• See My Oracle Support Notes 376700.1 (R12) and 123718.1 (11i).
• Many Oracle EBS implementations will only encrypt external application servers (iSupplier, iStore, etc.).

Client to Application Server (Proxy)

[Diagram: Client Browser -> SSL/HTTPS -> Load Balancer or Reverse Proxy -> HTTP -> Oracle EBS Application Server -> (2) SQL*Net -> Database]

• SSL encryption may be off-loaded to a load balancer (F5 BigIP) or reverse proxy server to centralize the SSL implementation and reduce load on the application server. SSL terminates on the load balancer and communication is HTTP between load balancer and application server.
• See My Oracle Support Notes 380489.1 (R12), 217368.1 (11i), and 727171.1 for more information.

Application Server to Database Server

[Diagram: Client Browser -> (1) HTTP -> Oracle EBS Application Server (Apache, Java Container) -> (2) SQL*Net using ANO -> Database]

• SQL*Net encryption requires Advanced Networking Option (ANO). ANO is included with the database as of July 2013.
• See My Oracle Support Notes 376700.1 (R12) and 391248.1 (11i) for implementation details.
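
A check for whether SQL*Net encryption is actually in effect for connected sessions, as an added example that is not part of the original slides. It assumes the banner wording Oracle reports in V$SESSION_CONNECT_INFO when an encryption algorithm was negotiated; confirm the matched substring against a known-encrypted session on your database version.

```sql
-- Added example (not from the original presentation).
-- Lists user sessions for which no encryption adapter was negotiated.
-- When SQL*Net encryption is active, the session has a banner row naming the
-- algorithm, e.g. "... AES256 encryption service adapter ...". A session
-- with no such row is sending SQL*Net traffic in clear text (or is a local,
-- non-network connection on the database server).
SELECT s.sid,
       s.username,
       s.machine,      -- application server host for EBS middle-tier sessions
       s.program
FROM   v$session s
WHERE  s.type = 'USER'
AND    s.username IS NOT NULL
AND    NOT EXISTS (
         SELECT 1
         FROM   v$session_connect_info i
         WHERE  i.sid = s.sid
         AND    LOWER(i.network_service_banner)
                  LIKE '%encryption service adapter%'
       )
ORDER  BY s.machine, s.username;
```

An empty result after SQL*Net encryption is enabled on the application and database tiers indicates every current network session negotiated encryption.
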
How - Data Protection vs. Threats

Options: 1 = EBS Encrypt, 2 = Trigger View, 3 = Oracle TDE, 4a = FGAC, 4b = Internal Audit, 4c = External Audit, 3+4 = TDE + Auditing

Data Access Method and Threats | 1 | 2 | 3 | 4a | 4b | 4c | 3+4
1. Application access by end-users (responsibility) | E | E |  | C | A | A | A
2. Application access by application administrators | E+ | E- |  | C | A | A | A
3. Database access by DBA | E | E |  | C | A+ | A | A
4. Database access by Applications DBA (SYSTEM, APPS) | E+ | E+ |  |  | A+ | A+ | A+
5. Database access by other database accounts | E | E |  | C | A | A | A
6. Operating system access to database data files | E | E | E |  |  |  | E
7. On-line or off-line access to database backups | E | E | E |  |  |  | E
8. Exploitation of Oracle Applications security vulnerabilities | E- | E- |  | C+ | A+ | A+ | A+
9. Exploitation of Oracle Database security vulnerabilities | E+ | E+ |  | C+ | A+ | A+ | A+
10. Exploitation of operating system security vulnerabilities | E | E | E |  |  |  | E

E = Encrypted, C = Access Controlled, A = Access Audited, + = Mostly, - = Partially

Contact Information

Stephen Kost
Chief Technology Officer
Integrigy Corporation

web: www.integrigy.com
e-mail: [email protected]
blog: integrigy.com/oracle-security-blog

Copyright © 2013 Integrigy Corporation. All rights reserved.
