Here is a real treat: my good friend and colleague, Oracle ACE Director Oded Raz, has agreed to publish a couple of his high-end pieces about database security on my blog. This time, Oded tells us about Data Redaction.

Sensitive data is everywhere in our organization's systems. Today, organizations are required to protect sensitive data; these requirements come from regulations, laws and the necessity of the organization to protect its own data and its customers' information from falling into the wrong hands.

Data masking can dynamically or statically protect sensitive data by replacing it with fictitious data that looks realistic, to prevent data loss in different use cases. Understanding the difference between Static Data Masking (SDM) and Dynamic Data Masking (DDM) is crucial for implementing the right solution for each situation.

Dynamic Data Masking (DDM): changing the returned result set on the fly, leaving the original data intact. This approach is mainly used in production or training environments where the original data can't be changed but there is a need to hide sensitive data from one or more data consumers. Starting with Oracle 12c (now available in 11.2.0.8 also), a built-in DDM capability was introduced by Oracle: Data Redaction.

- No effect on actual data: can be implemented in production environments.
- Data can be masked per IP address, per user, or per application.
- Actual data is not changed: strong users such as DBAs or data owners can access the original data.
- Limited masking functionality can be applied.

Static Data Masking (SDM): replacing the actual data inside the database with fictitious data that looks realistic; in most cases, after static data masking the original data can't be retrieved. This approach is used when a production database, or a subset of it, is being copied for non-production use such as development, QA and testing. Oracle delivers static data masking through Grid Control: the Data Masking Pack.

- Original data can't be retrieved: best practice for preventing data leakage to non-production environments.
- Provides more comprehensive masking capabilities.
- Allows organizations to share data with external companies.
- Actual data is changed: the original data can't be accessed if needed.

Oracle Data Redaction enables consistent redaction of database columns across application modules accessing the same database information. Data Redaction minimizes changes to applications because it does not alter the actual data in internal database buffers, caches, or storage, and it preserves the original data type and formatting when the transformed data is returned to the application.

Let's understand how it works. First we need to create a redaction policy. In the first example I have created a policy on the EMPLOYEES table of the HR schema; I have used DBMS_REDACT.FULL to completely replace the original data in the commission_pct field with nulls or 0. All create policy statements have been issued by SYS:

And now let's connect as HR and retrieve some data from employees, including the redacted column:

As you can see, the original data was replaced with zero values; if the redacted column is a string, null is returned by the redaction policy.

It is time to do more complicated redaction and return part of the original value but mask all the rest. The below policy is used to redact the credit_card column of the employees table. Notice that I have used the DBMS_REDACT.PARTIAL function:

    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,*,1,12',

With these parameters, for every row whose credit_card data matches the pattern "VVVVFVVVVFVVVVFVVVV", replace it with the pattern "VVVV-VVVV-VVVV-VVVV" and replace the first 12 characters with "*". And this is how it looks when trying to query the credit_card column:

Up until now we have used "expression => '1=1'" on all of our redaction policies; this means that data will be redacted whenever the redacted column is accessed. Oracle Data Redaction can conditionally redact data, making the original data available for some and redacted for all others. The below policy replaces the phone_number column with random values only for the database user REDACT:

    expression => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''REDACT''')
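The three policies the post walks through (FULL on commission_pct, PARTIAL on credit_card, and RANDOM on phone_number only for user REDACT), written out as complete DBMS_REDACT calls. This is an added example, not the post's own statements; the policy name EMP_REDACT and the presence of these three columns on HR.EMPLOYEES are assumptions, and the caller needs EXECUTE on DBMS_REDACT (for instance SYS, as in the post).

```sql
-- Added example, not the post's code: assumes HR.EMPLOYEES has columns
-- COMMISSION_PCT, CREDIT_CARD and PHONE_NUMBER; policy name EMP_REDACT is invented.

-- 1. Full redaction: numbers return 0, strings return NULL; '1=1' = always redact.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema => 'HR', object_name => 'EMPLOYEES', policy_name => 'EMP_REDACT',
    column_name   => 'COMMISSION_PCT',
    function_type => DBMS_REDACT.FULL,
    expression    => '1=1');
END;
/

-- 2. Partial redaction. A table holds only one redaction policy, so further
--    columns are added to it. V = character that may be masked, F = separator;
--    '*' covers positions 1..12, so 4111-1111-1111-1111 becomes ****-****-****-1111.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR', object_name => 'EMPLOYEES', policy_name => 'EMP_REDACT',
    action              => DBMS_REDACT.ADD_COLUMN,
    column_name         => 'CREDIT_CARD',
    function_type       => DBMS_REDACT.PARTIAL,
    function_parameters => 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,*,1,12');
END;
/

-- 3. Random values for the phone number, then make the policy conditional.
--    The expression is a property of the policy, not of one column: afterwards
--    all three columns are redacted only when the session user is REDACT.
BEGIN
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR', object_name => 'EMPLOYEES', policy_name => 'EMP_REDACT',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'PHONE_NUMBER',
    function_type => DBMS_REDACT.RANDOM);
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR', object_name => 'EMPLOYEES', policy_name => 'EMP_REDACT',
    action        => DBMS_REDACT.MODIFY_EXPRESSION,
    expression    => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''REDACT''');
END;
/

-- What is in force. SYS and holders of EXEMPT REDACTION POLICY always see clear
-- data, so test the effect from an ordinary account such as REDACT.
SELECT p.policy_name, c.column_name, c.function_type, p.expression
  FROM redaction_policies p
  JOIN redaction_columns  c ON c.object_owner = p.object_owner
                          AND c.object_name  = p.object_name
 WHERE p.object_owner = 'HR';
```

If the three columns must be redacted under different conditions, they need to live in separate policies on separate tables (or a later release's named policy expressions), because one table carries one policy and one expression.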