NorCal OAUG Training Day, Paper 4.01, 01/21/09
Data Scrambling in Non-PROD Cloned Instances
John Peters, JRPJR, Inc.

Before We Start: A Quick Audience Survey
How many of you are on 11.0, 11i, 12?
How many of you plan to upgrade to R12 in the next 18 months?

What I Am Going to Cover
Why obfuscate sensitive data, and what is sensitive data
OEM Application Management Pack
A custom sensitive data backup and obfuscate methodology, with sample code
Review sensitive table columns

Examples of Sensitive Data
Employee Data
–Social Security Number
–Salary Information
–Review Information
–Address and Phone Information
–Age Information
–Direct Deposit Bank Account Information
Customer Data
–Credit Card Numbers
Vendor Data
–Direct Deposit Bank Account Information
Company Data
–Bank Account Information

Why Obfuscate Sensitive Data
Non-PROD instances have a lower level of access control
–APPS password available to a wider group
–User responsibility control less restrictive
–Data is sent to Oracle Support during debugging
–Non-employees (contract developers, consultants, etc.) often have access to the data

Obfuscation Techniques
Masking (usually done in the UI)
–Credit Card: NNNNNNNNNNNN1234
–SSN: NNN-NN-1234
Substitution
–Substitute digits and characters with a constant
Purge
–Null out the sensitive data
Gibberish
–Replace with random characters
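The four techniques on this slide, applied in Oracle SQL to two constructed rows. This is an added example, not code from the presentation; the column names credit_card and ssn and the inline sample values are made up for the demonstration.

```sql
-- Added example (not from the presentation): the four obfuscation
-- techniques from the slide applied to constructed sample values.
-- The inline view, its column names and the values are made up.
WITH sample_data AS (
  SELECT '4111111111111111' AS credit_card, '123-45-6789' AS ssn FROM dual
  UNION ALL
  SELECT '5500000000000004', '987-65-4321' FROM dual
)
SELECT
  -- Masking: keep only the last four characters, as the UI would show them
  RPAD('N', LENGTH(credit_card) - 4, 'N') || SUBSTR(credit_card, -4) AS cc_masked,
  REGEXP_REPLACE(ssn, '^[0-9]{3}-[0-9]{2}', 'NNN-NN')                AS ssn_masked,
  -- Substitution: every digit becomes a constant, punctuation is preserved
  REGEXP_REPLACE(ssn, '[0-9]', 'N')                                  AS ssn_substituted,
  -- Purge: the value is simply removed
  CAST(NULL AS VARCHAR2(16))                                         AS cc_purged,
  -- Gibberish: same length, random upper-case alphanumeric characters
  DBMS_RANDOM.STRING('X', LENGTH(credit_card))                       AS cc_gibberish
FROM sample_data;
```

Masking and substitution keep the field's length and punctuation, so screens and reports that expect a formatted value keep working in the clone; gibberish keeps only the length; purge removes format and magnitude entirely, which is why the custom approach later in the paper replaces numeric data with 9s rather than nulling it.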

Use Oracle Supplied Solutions
When possible, take advantage of Oracle supplied solutions to obfuscate sensitive data. They are already included in your licensing and are supported.
Example: Credit Card Data
–Apply the credit card data encryption patches
–This secures data in both PROD and non-PROD instances
–Secures data in the UI and the database
–“It’s the law”

OEM Application Management Pack
A data scrambling/purge framework introduced in version 2.0
A generic engine that lets you specify the tables and columns that should be scrambled during a clone
Irreversible purge or scramble of the data
There is no seeded data; you need to decide what is scrambled

What I Implemented
A customization that allows sensitive data to be:
–Backed Up
    Original data is stored in custom tables
    Data is encrypted for security
    Allows for a table-by-table reversal of obfuscation, based on non-PROD instance testing requirements
–Sensitive Data Obfuscated
    Original numeric data is replaced by a 9
    Character strings are replaced by the constant string ‘Z’ or ‘N’
    Key data requiring uniqueness is replaced by ID values
    Obfuscated data is easily identifiable to users
    Magnitude of data is still available (“six figure salary”)

Implementation
Two components:
–A PL/SQL Package to Encrypt/Decrypt Data
–An SQL Script that can be run during cloning that backs up and obfuscates source data

PL/SQL Package – GENERATE_KEY
Generates a 256-bit (32-byte) key, displayed as a 64 character hex value, to encrypt/decrypt values
Save this value in a safe location if you want to reverse the encryption
select DBMS_CRYPTO.randombytes(256/8) from dual;

PL/SQL Package – DECODE_VARCHAR
FUNCTION DECODE_VARCHAR (p_in in raw, p_key in raw) RETURN VARCHAR2 IS
  l_ret     varchar2(2000);
  l_dec_val raw(2000);
  -- same cipher, chaining and padding as ENCODE_VARCHAR
  l_mode    number := dbms_crypto.ENCRYPT_AES256 + dbms_crypto.CHAIN_CBC + dbms_crypto.PAD_PKCS5;
BEGIN
  l_dec_val := dbms_crypto.decrypt(p_in, l_mode, p_key);
  -- decrypted bytes back to a character string
  l_ret := UTL_I18N.RAW_TO_CHAR(l_dec_val, 'AL32UTF8');
  return l_ret;
END DECODE_VARCHAR;

PL/SQL Package – ENCODE_VARCHAR
FUNCTION ENCODE_VARCHAR (p_in in varchar2, p_key in raw) RETURN RAW IS
  l_enc_val raw(2000);
  -- AES-256, CBC chaining, PKCS#5 padding
  l_mode    number := dbms_crypto.ENCRYPT_AES256 + dbms_crypto.CHAIN_CBC + dbms_crypto.PAD_PKCS5;
BEGIN
  -- character string to bytes, then encrypt with the supplied key
  l_enc_val := dbms_crypto.encrypt(UTL_I18N.STRING_TO_RAW(p_in, 'AL32UTF8'), l_mode, p_key);
  return l_enc_val;
END ENCODE_VARCHAR;

DBMS_CRYPTO
In order to use DBMS_CRYPTO in the APPS schema you must first grant execute access to it.
sqlplus / as sysdba
grant execute on dbms_crypto to APPS;
create synonym apps.dbms_crypto for sys.dbms_crypto;
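The three routines from the preceding slides assembled into one package, as an added example rather than the presenter's own package, with one change the slides do not make: the slides call DBMS_CRYPTO without an IV, so AES-CBC runs with an all-zero IV and two employees holding the same value get identical ciphertext in the backup table. Here each call generates a fresh 16-byte IV and stores it in front of the ciphertext. The package name follows the slides; the NULL handling and the round-trip block at the end are additions.

```sql
-- Added example, not the presentation's code. Same algorithm choice as the
-- slides (AES-256 / CBC / PKCS5), plus a random per-value IV stored as a
-- prefix of the RAW so that equal plaintexts no longer produce equal output.
CREATE OR REPLACE PACKAGE xx_cus_clone_utility AS
  FUNCTION generate_key RETURN RAW;
  FUNCTION encode_varchar (p_in IN VARCHAR2, p_key IN RAW) RETURN RAW;
  FUNCTION decode_varchar (p_in IN RAW, p_key IN RAW) RETURN VARCHAR2;
END xx_cus_clone_utility;
/
CREATE OR REPLACE PACKAGE BODY xx_cus_clone_utility AS
  c_mode   CONSTANT PLS_INTEGER := dbms_crypto.ENCRYPT_AES256
                                 + dbms_crypto.CHAIN_CBC
                                 + dbms_crypto.PAD_PKCS5;
  c_iv_len CONSTANT PLS_INTEGER := 16;   -- AES block size in bytes

  -- 256-bit key; the caller must keep it somewhere safe to be able to restore
  FUNCTION generate_key RETURN RAW IS
  BEGIN
    RETURN dbms_crypto.randombytes(256/8);
  END generate_key;

  -- Returns iv || ciphertext. NULL stays NULL so the backup keeps nulls as nulls.
  FUNCTION encode_varchar (p_in IN VARCHAR2, p_key IN RAW) RETURN RAW IS
    l_iv RAW(16);
  BEGIN
    IF p_in IS NULL THEN
      RETURN NULL;
    END IF;
    l_iv := dbms_crypto.randombytes(c_iv_len);
    RETURN utl_raw.concat(
             l_iv,
             dbms_crypto.encrypt(utl_i18n.string_to_raw(p_in, 'AL32UTF8'),
                                 c_mode, p_key, l_iv));
  END encode_varchar;

  -- Splits the IV back off the front before decrypting the remainder
  FUNCTION decode_varchar (p_in IN RAW, p_key IN RAW) RETURN VARCHAR2 IS
  BEGIN
    IF p_in IS NULL THEN
      RETURN NULL;
    END IF;
    RETURN utl_i18n.raw_to_char(
             dbms_crypto.decrypt(utl_raw.substr(p_in, c_iv_len + 1),
                                 c_mode, p_key,
                                 utl_raw.substr(p_in, 1, c_iv_len)),
             'AL32UTF8');
  END decode_varchar;
END xx_cus_clone_utility;
/
-- Round-trip check on a constructed value; raises if decrypt != original
DECLARE
  l_key RAW(32) := xx_cus_clone_utility.generate_key;
  l_enc RAW(2000);
BEGIN
  l_enc := xx_cus_clone_utility.encode_varchar('123-45-6789', l_key);
  IF xx_cus_clone_utility.decode_varchar(l_enc, l_key) <> '123-45-6789' THEN
    RAISE_APPLICATION_ERROR(-20001, 'round trip failed');
  END IF;
END;
/
```

When the key is passed from SQL*Plus as the slides do (`&&KEY`), it is a quoted 64-character hex string and Oracle converts it to RAW implicitly; the key itself should live outside the cloned database, since anyone with the APPS password and the key can read every backup table.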

SQL Script
The script consists of three simple steps, repeated on each table with sensitive data:
1. Create Backup Table
2. Insert Sensitive Data Records into Backup Table
3. Obfuscate Sensitive Data
Runs as APPS during instance clone

SQL Script – Create Backup Table
Columns in backup table
–Primary Key of Source Table
–Sensitive Source Data to Backup
create table XX_CUS.ENC_DATA_01
( PERSON_ID               NUMBER,
  EFFECTIVE_START_DATE    DATE,
  EFFECTIVE_END_DATE      DATE,
  ENC_NATIONAL_IDENTIFIER RAW(2000) );

SQL Script – Insert into Backup Table
insert into xx_cus.ENC_DATA_01
  (PERSON_ID, EFFECTIVE_START_DATE, EFFECTIVE_END_DATE, ENC_NATIONAL_IDENTIFIER)
select PERSON_ID,
       EFFECTIVE_START_DATE,
       EFFECTIVE_END_DATE,
       XX_CUS_CLONE_UTILITY.ENCODE_VARCHAR(NATIONAL_IDENTIFIER, &&KEY) enc
  from PER_ALL_PEOPLE_F;

SQL Script – Obfuscate Data
update PER_ALL_PEOPLE_F a
   set NATIONAL_IDENTIFIER = 'NNN-NN-NNNN'
 where substr(NATIONAL_IDENTIFIER, 4, 1) = '-'
   and exists (select 'Y'
                 from xx_cus.ENC_DATA_01 b
                where b.PERSON_ID = a.PERSON_ID
                  and b.EFFECTIVE_START_DATE = a.EFFECTIVE_START_DATE
                  and b.EFFECTIVE_END_DATE = a.EFFECTIVE_END_DATE);

SQL Script – Restore Data
update PER_ALL_PEOPLE_F a
   set NATIONAL_IDENTIFIER =
       (select XX_CUS_CLONE_UTILITY.DECODE_VARCHAR(b.ENC_NATIONAL_IDENTIFIER, &&KEY)
          from xx_cus.ENC_DATA_01 b
         where b.PERSON_ID = a.PERSON_ID
           and b.EFFECTIVE_START_DATE = a.EFFECTIVE_START_DATE
           and b.EFFECTIVE_END_DATE = a.EFFECTIVE_END_DATE)
 where exists (select 'Y'
                 from xx_cus.ENC_DATA_01 b
                where b.PERSON_ID = a.PERSON_ID
                  and b.EFFECTIVE_START_DATE = a.EFFECTIVE_START_DATE
                  and b.EFFECTIVE_END_DATE = a.EFFECTIVE_END_DATE);

Sensitive Data Tables – Employees 11i
PER_ALL_PEOPLE_F.NATIONAL_IDENTIFIER
PER_PAY_PROPOSALS.PROPOSED_SALARY_N
PER_PAY_PROPOSAL_COMPONENTS.CHANGE_AMOUNT_N
PAY_ELEMENT_ENTRY_VALUES_F.SCREEN_ENTRY_VALUE
PER_PERFORMANCE_REVIEWS.PERFORMANCE_RATING
PAY_EXTERNAL_ACCOUNTS.SEGMENT1 to SEGMENT30

Sensitive Data Tables – Payables 11i
AP_BANK_ACCOUNTS_ALL.BANK_ACCOUNT_NUM
AP_BANK_BRANCHES.EFT_USER_NUMBER and EFT_SWIFT_CODE
AP_CARDS_ALL.CARD_NUMBER
AP_INVOICE_PAYMENTS_ALL.BANK_ACCOUNT_NUM
AP_CHECKS_ALL.BANK_ACCOUNT_NUM

Sensitive Data Tables – Credit Card Data 11i
ASO_PAYMENTS.PAYMENT_REF_NUMBER
IBY_CREDITCARD.CCNUMBER
OE_ORDER_HEADERS_ALL.CREDIT_CARD_NUMBER
OKS_K_HEADERS_B.CC_NO
OKS_K_LINES_B.CC_NO
CS_INCIDENTS_ALL_B.CREDIT_CARD_NUMBER

Sensitive Data Tables Summary
You need to work with the functional users to find sensitive data in your version of the E-Business Suite, based on how your company uses it.
Take a look at DBA_TAB_COLS
Write scripts to look at all VARCHAR2 columns for sensitive data patterns
–16 characters (could be a credit card)
–3 ‘-’ 2 ‘-’ 4 (Social Security Number)
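The column search described on this slide, and the check that the three-step backup/obfuscate script earlier in the paper actually left nothing behind, can both be served by one scan over DBA_TAB_COLS. The PL/SQL block below is an added example, not from the presentation: it counts SSN-shaped values per VARCHAR2 column and, for card-shaped values, applies the Luhn check so that order numbers and phone numbers of the right length are not reported. The schema list, the data_length window and the output format are assumptions to adjust for your instance; run it before the clone to find columns to add to the script, and again after the scramble, when every count should be zero.

```sql
-- Added example, not from the presentation: scan VARCHAR2 columns listed in
-- DBA_TAB_COLS for US-SSN-shaped and Luhn-valid card-shaped values.
-- Schema list, length window and messages are assumptions for the demo.
SET SERVEROUTPUT ON SIZE UNLIMITED

DECLARE
  l_sql   VARCHAR2(4000);
  l_ssn   PLS_INTEGER;
  l_cards PLS_INTEGER;
  l_val   VARCHAR2(4000);
  l_cur   SYS_REFCURSOR;

  -- Luhn check: a 13-19 digit string that passes is far more likely to be a
  -- real card number than some other identifier of that length.
  FUNCTION luhn_ok (p_digits IN VARCHAR2) RETURN BOOLEAN IS
    l_sum PLS_INTEGER := 0;
    l_dbl BOOLEAN := FALSE;
    l_d   PLS_INTEGER;
  BEGIN
    FOR i IN REVERSE 1 .. LENGTH(p_digits) LOOP
      l_d := TO_NUMBER(SUBSTR(p_digits, i, 1));
      IF l_dbl THEN
        l_d := l_d * 2;
        IF l_d > 9 THEN l_d := l_d - 9; END IF;
      END IF;
      l_sum := l_sum + l_d;
      l_dbl := NOT l_dbl;
    END LOOP;
    RETURN MOD(l_sum, 10) = 0;
  END luhn_ok;
BEGIN
  FOR c IN (SELECT owner, table_name, column_name
              FROM dba_tab_cols
             WHERE owner IN ('HR', 'AP', 'AR', 'OE', 'ASO', 'IBY', 'CS')  -- assumed
               AND data_type = 'VARCHAR2'
               AND data_length BETWEEN 9 AND 60
               AND hidden_column = 'NO'
             ORDER BY owner, table_name, column_name)
  LOOP
    -- DBMS_ASSERT quotes each identifier so an odd object name cannot
    -- change the meaning of the dynamic SQL.
    l_sql := 'SELECT COUNT(*) FROM '
          || dbms_assert.enquote_name(c.owner, FALSE) || '.'
          || dbms_assert.enquote_name(c.table_name, FALSE)
          || ' WHERE REGEXP_LIKE('
          || dbms_assert.enquote_name(c.column_name, FALSE)
          || ', ''^[0-9]{3}-[0-9]{2}-[0-9]{4}$'')';
    EXECUTE IMMEDIATE l_sql INTO l_ssn;

    -- Card candidates: digits with optional spaces/dashes, then Luhn-checked
    l_cards := 0;
    l_sql := 'SELECT REGEXP_REPLACE('
          || dbms_assert.enquote_name(c.column_name, FALSE)
          || ', ''[ -]'', '''') FROM '
          || dbms_assert.enquote_name(c.owner, FALSE) || '.'
          || dbms_assert.enquote_name(c.table_name, FALSE)
          || ' WHERE REGEXP_LIKE('
          || dbms_assert.enquote_name(c.column_name, FALSE)
          || ', ''^[0-9][0-9 -]{11,21}[0-9]$'')';
    OPEN l_cur FOR l_sql;
    LOOP
      FETCH l_cur INTO l_val;
      EXIT WHEN l_cur%NOTFOUND;
      IF LENGTH(l_val) BETWEEN 13 AND 19 AND luhn_ok(l_val) THEN
        l_cards := l_cards + 1;
      END IF;
    END LOOP;
    CLOSE l_cur;

    IF l_ssn > 0 OR l_cards > 0 THEN
      dbms_output.put_line(c.owner || '.' || c.table_name || '.' || c.column_name
        || ': ssn-shaped=' || l_ssn || ' luhn-valid cards=' || l_cards);
    END IF;
  END LOOP;
END;
/
```

Each column costs one full scan of its table, so on a large EBS instance restrict the schema list or run it table by table; columns it reports that are not already in the scramble script are candidates to review with the functional users, as the slide advises.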

Don’t Forget Old Tables With Sensitive Data
As we upgrade from 10 to 11 to 11i to R12, Oracle leaves obsolete tables in the database. These still contain valid data in some cases.
Example: SO_HEADERS_ALL was replaced by OE_ORDER_HEADERS_ALL and contains the column CREDIT_CARD_NUMBER

Things to Remember
Take advantage of Oracle supplied data obfuscation functionality first
Ask the user community to verify that all sensitive data has been found and obfuscated in the non-PROD instance
Preserve your encryption keys in a safe place; these are the keys to the kingdom

My contact information: John Peters
Additional reference papers can be found at: