Data Redaction

Oracle Data Redaction enables masking of sensitive data in SQL query results before they are returned to applications. It modifies sensitive data columns on-the-fly using various redaction methods like full, partial, regex, and random redaction. Unauthorized users see redacted data differently. Oracle Data Redaction is well-suited for read-only applications and helps comply with regulations while preserving data integrity. It provides a centralized, transparent, and flexible solution to secure sensitive data without changing applications or databases.

Uploaded by

Alice

Oracle Data Redaction
Oracle Data Redaction enables you to mask (redact) data that is returned
from queries issued by applications.

Oracle Data Redaction is a transparent, flexible, and simple solution. It
modifies sensitive data columns contained in SQL query results on-the-fly,
right before the results are returned to applications.

Unauthorized users see the same data in redacted form, which makes
Oracle Data Redaction a very powerful feature, because companies nowadays
have a lot of problems due to security weaknesses.
Methods:
Full redaction:
You redact all of the contents of the column data. The redacted
value returned to the querying application user depends on the data
type of the column. For example, columns of the NUMBER data type
are redacted with a zero (0), and character data types are redacted
with a single space.
Partial redaction:
You redact a portion of the column data. For example, you can
redact a Social Security number with asterisks (*), except for the last
4 digits.
Regular expressions:
You can use regular expressions to look for patterns of data to
redact. For example, you can use regular expressions to redact email
addresses, which can have varying character lengths. It is designed for
use with character data only.
Random redaction:
The redacted data presented to the querying application user
appears as randomly generated values each time it is displayed,
depending on the data type of the column.
When redaction is applied

• Oracle Database applies the redaction at runtime, when users access the data (that is,
at query-execution time).
• This solution works well in a production system. During the time that the data is
being redacted:
1. All of the data processing is performed normally.
2. The back-end referential integrity constraints are preserved.
• Data redaction can help you to comply with industry regulations such as:
1. Payment Card Industry Data Security Standard (PCI DSS)
2. Sarbanes-Oxley Act
When to Use Oracle Data Redaction

• Use Oracle Data Redaction when you must disguise sensitive data that your
applications and application users must access.
• Data Redaction enables you to easily disguise the data using several different redaction styles.
• Oracle Data Redaction is ideal for situations in which you must redact specific characters
out of the result set of queries of Personally Identifiable Information (PII) returned to certain
application users. For example, you may want to present a U.S. Social Security number
that ends with the numbers 4320 as ***-**-4320.
• Oracle Data Redaction is particularly suited for call center applications and other applications
that are read-only. Take care when using Oracle Data Redaction with applications that perform
updates back to the database, because redacted data can be written back to this database.
Benefits of Using Oracle Data Redaction

1. Because the data is redacted at runtime, Data Redaction is well suited
to environments in which data is constantly changing.
2. You can create the Data Redaction policies in one central location and easily
manage them from there.
3. The Data Redaction policies enable you to create a wide variety of
function conditions based on SYS_CONTEXT values, which can be used at runtime
to decide when the Data Redaction policies will apply to the results of the application
user's query.
4. You have different styles of redaction from which to choose.
Target Use Cases for Oracle Data Redaction

• Oracle Data Redaction fulfils common use case scenarios.

1. Oracle Data Redaction Use with Database Applications
2. Oracle Data Redaction with Ad Hoc Database Queries Considerations
Using Oracle Data Redaction with Database Applications

• For example, data redaction in a predefined query can hide the employee salary
from the employee table for users who do not have complete access.
• Here's an example of how it works for credit card numbers.
Data masking and subsetting
Using Oracle Data Redaction with ad hoc queries
Oracle 12c

• The latest version of the Oracle Database, introduced in 2013 ("c"
stands for "cloud").

• Oracle 12c added numerous enhancements for queries, migration,
replication and recovery. Containers and Pluggable Databases were
introduced, a major new structure that targets multitenancy (multiple
customers sharing server resources).

• Memory and process are controlled by the Container Database, and
the Pluggable Databases (PDBs)
Hiding Sensitive Data

What it provides?

• Part of Oracle Advanced Security
• On-the-fly redaction
• Transparent, flexible and simple solution
• No separate installation required
• Appropriate for call centres, DSS and with PCI, PHI and PII
Oracle Advanced SDR

• SDR stands for security data redaction.

• Oracle Advanced Security Data Redaction provides selective, on-the-fly redaction of
sensitive data in database query results prior to display by applications so that
unauthorized users cannot view the sensitive data.

• Data Redaction reduces exposure of sensitive information and helps prevent
exploitation of application flaws that may disclose sensitive data in application pages.
Comparison to Alternative Approaches

• Oracle 10g gave us the ability to perform column masking to prevent sensitive data from
being displayed by applications. In Oracle 12c, the data redaction feature uses
the DBMS_REDACT package to define redaction policies that give a greater level of
control and protection over sensitive data.
Cont....

• Data encryption means encrypting data in motion and data at rest. Simply put, data flowing
over the wire that is unencrypted can be viewed via sniffers, and it is also vulnerable to
man-in-the-middle attacks.

• Second, if database files are lost, one can use tools or the strings command to view binary data
and in turn access sensitive tables and columns containing personal information, credit
card numbers, etc.
Cont....
Traditional approaches to redacting sensitive data typically relied on application coding or
installing third-party software on the database server to modify its behavior. These
alternatives have important drawbacks compared to Data Redaction.
Data Redaction Policies:
Characteristics of Data Redaction Policies:
Continued....
DBMS_REDACT Procedures:
Procedure                                  Description
DBMS_REDACT.ADD_POLICY                     Adds a Data Redaction policy to a table or view
DBMS_REDACT.ALTER_POLICY                   Modifies a Data Redaction policy
DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES   Globally updates the full redaction value for a given data type
DBMS_REDACT.ENABLE_POLICY                  Enables a Data Redaction policy
DBMS_REDACT.DISABLE_POLICY                 Disables a Data Redaction policy
DBMS_REDACT.DROP_POLICY                    Drops a Data Redaction policy


Who Can Create Oracle Data Redaction Policies?
Planning the Creation of an Oracle Data Redaction Policy:
Continued...
General Syntax of the DBMS_REDACT.ADD_POLICY Procedure
Specification of syntax:
Explanation

• In this example, a redaction policy named EMPSAL_POLICY is defined
on the SALARY column of the HR.EMPLOYEES table.

• This policy specifies that Full Redaction is used for all the SALARY column
values that are returned to all users other than HR-VP.
Explanation

• You specify Partial Redaction by setting function_type =>
DBMS_REDACT.PARTIAL.

• In addition, you specify parameters so that a portion of the data is
redacted and part of the original data is preserved.
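
The two policies explained above, written out as an added example (not code from the original slides). It assumes HR-VP is a database user name and that HR.EMPLOYEES has a hypothetical SSN column of type VARCHAR2(11) holding values such as 123-45-4320.

```sql
-- Added example; run as a user with EXECUTE on DBMS_REDACT.
-- Assumptions: HR-VP is a database user; HR.EMPLOYEES.SSN is a
-- hypothetical VARCHAR2(11) column formatted as NNN-NN-NNNN.
BEGIN
  -- Full redaction: SALARY (NUMBER) comes back as 0 for every
  -- session whose user is not HR-VP.
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'HR',
    object_name   => 'EMPLOYEES',
    column_name   => 'SALARY',
    policy_name   => 'EMPSAL_POLICY',
    function_type => DBMS_REDACT.FULL,
    expression    => q'[SYS_CONTEXT('USERENV','SESSION_USER') != 'HR-VP']');

  -- Partial redaction: a table carries a single policy, so the
  -- second column is attached to it with ALTER_POLICY / ADD_COLUMN.
  -- Parameters: input format, output format, mask character, first
  -- and last position to mask (V = value character, F = formatting
  -- character). 123-45-4320 is returned as ***-**-4320.
  DBMS_REDACT.ALTER_POLICY(
    object_schema       => 'HR',
    object_name         => 'EMPLOYEES',
    policy_name         => 'EMPSAL_POLICY',
    action              => DBMS_REDACT.ADD_COLUMN,
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5');
END;
/

-- Review what is in force: the policy expression, then the
-- redaction method configured for each column.
SELECT policy_name, expression, enable
  FROM redaction_policies
 WHERE object_owner = 'HR' AND object_name = 'EMPLOYEES';

SELECT column_name, function_type, function_parameters
  FROM redaction_columns
 WHERE object_owner = 'HR' AND object_name = 'EMPLOYEES';
```

Sessions holding the EXEMPT REDACTION POLICY system privilege see the real values regardless of the expression, so grants of that privilege belong in the same review as the policy itself.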
Easy to Deploy Data Redaction

• Data Redaction can be deployed for existing applications quickly using either a
command line API or Oracle Enterprise Manager.

• Oracle Enterprise Manager provides a convenient Policy Expression Builder that
enables administrators to define and apply redaction policies on existing applications.
•THANK YOU..........