Oracle Database

Data Redaction in Oracle Database 12c to Secure Data


About Data Redaction

Oracle Database 12c introduces a new feature called Data Redaction. Databases hold many kinds of sensitive data, such as credit card numbers, SSNs and other personal information. Data Redaction is a big boon for security.

How It Works

We can create redaction policies that specify the conditions that must be met before the data is redacted and returned to the user. When defining such a policy, the DBA specifies which columns are protected and the type of protection to apply.
The package used to create protection rules is called DBMS_REDACT. The package includes five procedures to manage the rules and an additional procedure to change the default value for the full redaction policy.
DBMS_REDACT.ADD_POLICY – adds a new policy to a table or view.
DBMS_REDACT.ALTER_POLICY – allows changes to existing policies.
DBMS_REDACT.DISABLE_POLICY – disables an existing policy.
DBMS_REDACT.DROP_POLICY – drops an existing policy.
DBMS_REDACT.ENABLE_POLICY – enables an existing policy.
DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES – changes the default return value for full redaction. The database must be restarted for the change to take effect.

Example
Take credit card numbers as an example: the billing department needs the full details, while another department (such as a call center) may need only part of this information (such as the last 4 digits of the credit card), and for security compliance you cannot show them the original data. In this case Data Redaction plays a major role.


Types of Redaction
Full redaction – The entire content of the column is redacted. For numeric columns the value 0 is returned, and for character types a space is returned.
Partial redaction – Part of the information is changed. For example, the first digits of the credit card number are replaced by defined symbols.
Regular expressions – You can use regular expressions to search for patterns of data that must be protected.
Random redaction – Returned values are random; each time a query is executed, the displayed data will be different.


Data Redaction can help meet regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and Sarbanes-Oxley.
It can be used with the following column data types: NUMBER, BINARY_FLOAT, BINARY_DOUBLE, CHAR, VARCHAR2, NCHAR, NVARCHAR2, DATE, TIMESTAMP, TIMESTAMP WITH TIME ZONE, BLOB, CLOB, and NCLOB.

Dictionary Views

The following new database views can be used to obtain information regarding existing redaction policies:
REDACTION_POLICIES
REDACTION_COLUMNS
REDACTION_VALUES_FOR_TYPE_FULL

Data Redaction and Data Pump

The role DATAPUMP_EXP_FULL_DATABASE includes the EXEMPT REDACTION POLICY system privilege. This way, tables can be exported using Data Pump without being redacted.

Data Redaction and CREATE TABLE AS SELECT (CTAS)

In order to issue CTAS from a table protected by an active redaction policy, the user must have privileges to see the actual data on the source table.

Live Example

Securing an email ID column using Data Redaction.
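An added example, not the original post's code, of the email redaction this section describes: a regular-expression policy created with DBMS_REDACT.ADD_POLICY, then checked through the dictionary views and the EXEMPT REDACTION POLICY grants mentioned above. The APP schema, CUSTOMERS table, EMAIL_ID column, policy name and BILLING user are assumptions, and the rows are constructed sample data.

```sql
-- Hypothetical schema/table/column names; constructed sample rows.
CREATE TABLE app.customers (
  cust_id   NUMBER PRIMARY KEY,
  email_id  VARCHAR2(100)
);
INSERT INTO app.customers VALUES (1, 'alice.smith@example.com');
INSERT INTO app.customers VALUES (2, 'bob@example.org');
COMMIT;

-- Regular-expression redaction: replace the local part of the address
-- and keep the domain. The policy expression makes redaction apply to
-- every session except the (hypothetical) BILLING user.
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema         => 'APP',
    object_name           => 'CUSTOMERS',
    policy_name           => 'REDACT_CUSTOMER_EMAIL',
    column_name           => 'EMAIL_ID',
    function_type         => DBMS_REDACT.REGEXP,
    expression            => q'[SYS_CONTEXT('USERENV','SESSION_USER') != 'BILLING']',
    regexp_pattern        => DBMS_REDACT.RE_PATTERN_EMAIL_ADDRESS,
    regexp_replace_string => DBMS_REDACT.RE_REDACT_EMAIL_NAME,
    regexp_position       => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence     => DBMS_REDACT.RE_ALL);
END;
/

-- Run once as BILLING and once as another non-exempt user to compare
-- the actual and the redacted values.
SELECT cust_id, email_id FROM app.customers;

-- Confirm the policy and the protected column in the dictionary views.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies;
SELECT object_owner, object_name, column_name, function_type, regexp_pattern
  FROM redaction_columns;

-- Review which users and roles bypass redaction entirely
-- (DATAPUMP_EXP_FULL_DATABASE is expected in this list).
SELECT grantee
  FROM dba_sys_privs
 WHERE privilege = 'EXEMPT REDACTION POLICY';
```

Redaction is applied when the query result is returned, so the stored rows are unchanged; any grantee listed by the last query still reads the original addresses.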

[Screenshot: Actual Email Address Data]

[Screenshot: Redacted Email Address Data]

Source / Reference Links

https://docs.oracle.com/database/121/ASOAG/redaction.htm#ASOAG597

http://www.oracle.com/technetwork/articles/database/data-redaction-odb12c-2331480.html

http://www.oracle.com/technetwork/database/options/advanced-security/advanced-security-wp-12c-1896139.pdf

https://oracle-base.com/articles/12c/data-redaction-12cr1?display_type=printable

Posted on behalf of Ramya Tech Consultant | 4iApps India
