You're reading from Oracle Database 12c Security Cookbook

Product type: Book
Published in: Jun 2016
Publisher: Packt
ISBN-13: 9781782172123
Edition: 1st Edition
Authors (2):

Zoran Pavlovic

Zoran Pavlovic is currently working as an Oracle Technical Architect in his company. He has worked with Oracle technologies (primarily Oracle Database) since 2005. His areas of expertise are security and performance tuning of Oracle Database. Zoran has worked on various complex database environments, including RAC, ASM, and Data Guard. He has worked as a consultant for Oracle Consulting as well as an instructor for Oracle University across the EMEA region. Zoran is the first member of the Oracle ACE Program in Serbia, and a featured speaker/author at many conferences/magazines.

Maja Veselica

Maja Veselica, MSc in software engineering, is currently working for Parallel d.o.o., Belgrade, as an Oracle Database consultant (security, performance tuning, and so on). She has been working as an instructor for Oracle University since 2010. In the last couple of years, she has also been working for Oracle Consulting. Maja is a member of the Oracle ACE Program and holds more than 20 Oracle certificates. She enjoys (beta) testing Oracle products and participating in other Oracle-related activities.


Chapter 6. Transparent Sensitive Data Protection

In this chapter, we will cover the following tasks:

  • Creating a sensitive type

  • Determining sensitive columns

  • Creating transparent sensitive data protection policy

  • Associating transparent sensitive data protection policy with sensitive type

  • Enabling, disabling, and dropping policy

  • Altering transparent sensitive data protection policy

Introduction


Oracle Transparent Sensitive Data Protection (TSDP) is a security feature introduced in Oracle Database 12c (available only in Enterprise Edition). TSDP lets you define classes of sensitive data (sensitive types), classify the columns that hold such data, and apply one protection policy to every column of a class, so that how sensitive data is protected is controlled centrally rather than column by column. TSDP does not protect anything by itself: a column is protected only if it has been classified, and the protection is exactly as strong as the underlying feature (Data Redaction, for example, changes what a query returns rather than what is stored, and users with the EXEMPT REDACTION POLICY privilege, including SYS, see the data unredacted). In database versions 12.1.0.1 and 12.1.0.2, it leverages two Oracle security mechanisms:

  • Oracle Virtual Private Database (VPD), described in Chapter 4 , Virtual Private Database

  • Oracle Data Redaction, explained in Chapter 5 , Data Redaction

To implement TSDP, complete the steps shown in Figure 1:

Figure 1 - Steps to implement TSDP

For all recipes in this chapter, we assume that the database is up and running and that each user has at least the CREATE SESSION privilege. We also assume that the user c##zoran has the DBA role and the EXECUTE privilege on the following packages:

  • DBMS_TSDP_MANAGE

  • DBMS_TSDP_PROTECT

  • DBMS_RLS

  • DBMS_REDACT

Recipes are tested on Oracle Database 12.1.0.2 in multitenant and...

Creating a sensitive type


To create a sensitive type, you can use Oracle Enterprise Manager or a command-line interface. In this recipe, you'll use the command-line interface to execute a PL/SQL procedure. Suppose you have decided to protect the e-mail addresses stored in your database; the first step is to create the sensitive type email_type.

Getting ready

To complete this recipe, you'll need an existing user who can create a sensitive type (for example, c##zoran).

How to do it...

  1. Connect to the database (for example, pdb1) as a user who has appropriate privileges (for example, c##zoran):

    $ sqlplus c##zoran@pdb1
    
  2. Create a sensitive type (for example, email_type):

    SQL> BEGIN
           DBMS_TSDP_MANAGE.ADD_SENSITIVE_TYPE (
             sensitive_type => 'email_type',        -- <your_type>
             user_comment   => 'E-mail addresses'); -- <description>
         END;
         /
    

    Figure 2 - Creating a sensitive type

How it works...

In step 2, you created a sensitive type (for example, email_type), which you can use to consistently mask (protect), in our case, e-mail...

Determining sensitive columns


After you decide which data is sensitive, you'll need to find all the places where that data is stored. Once you have done that, you'll classify the data (associate the sensitive columns with sensitive types). In this recipe, you'll associate two sensitive columns (from two tables) with the sensitive type you created in the previous recipe.

Getting ready

To complete this recipe, create a user challengezoran, create table T1, and insert several rows into the table (see Figure 4), or use your own table. You'll also need an existing user who has the EXECUTE privilege on the dbms_tsdp_manage package (for example, c##zoran).

Figure 4 - Creating table T1

How to do it...

  1. Connect to the database (for example, pdb1) as a user who has appropriate privileges (for example, c##zoran user):

    $ sqlplus c##zoran@pdb1
    
  2. Associate a sensitive column (for example, schema CHALLENGEZORAN, table T1, column EMAIL_ADDRESS) with the sensitive type you created in the previous recipe (for example, email_type):

    Figure 5...
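The call that step 2 refers to, written out as an added example (this is not the book's Figure 5): it classifies the T1 column from step 2 with DBMS_TSDP_MANAGE.ADD_SENSITIVE_COLUMN, does the same for HR.EMPLOYEES.EMAIL, which the later recipes query as protected data (that this second column was classified in the same way is an assumption here, as are the comment strings), and then checks the classification in the data dictionary.

```sql
-- Added example, run as c##zoran in pdb1 (not the book's own figure).
-- Classify the two e-mail columns as sensitive type email_type.
BEGIN
  DBMS_TSDP_MANAGE.ADD_SENSITIVE_COLUMN(
    schema_name    => 'CHALLENGEZORAN',
    table_name     => 'T1',
    column_name    => 'EMAIL_ADDRESS',
    sensitive_type => 'email_type',
    user_comment   => 'Customer e-mail addresses');

  -- Assumption: HR.EMPLOYEES.EMAIL is the second sensitive column that the
  -- later recipes query; it is classified with the same type.
  DBMS_TSDP_MANAGE.ADD_SENSITIVE_COLUMN(
    schema_name    => 'HR',
    table_name     => 'EMPLOYEES',
    column_name    => 'EMAIL',
    sensitive_type => 'email_type',
    user_comment   => 'Employee e-mail addresses');
END;
/

-- Check: every column carrying the type. A column that is missing here will
-- not be touched when the type is protected later, however good the policy is.
SELECT schema_name, table_name, column_name, sensitive_type
  FROM dba_sensitive_data
 WHERE UPPER(sensitive_type) = 'EMAIL_TYPE'
 ORDER BY schema_name, table_name, column_name;

-- Check: the type itself exists under the name you will use in ENABLE_PROTECTION_TYPE
-- (a misspelt type name is the usual reason that call protects nothing).
SELECT sensitive_type, user_comment
  FROM dba_sensitive_column_types;
```

Run the two queries again whenever a table is added or copied (ETL staging tables and backups of T1 are typical places for the same data to reappear unclassified).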

Creating transparent sensitive data protection policy


This step defines the way you want to protect sensitive data. You can use Data Redaction or VPD settings for your TSDP policy. In this recipe, you'll use regular expression redaction to protect previously defined sensitive data.

Getting ready

To complete this recipe, you'll need an existing user who has the execute privilege on the dbms_tsdp_protect package (for example, c##zoran).

How to do it...

  1. Connect to the database (for example, pdb1) as a user who has appropriate privileges (for example, c##zoran user):

    $ sqlplus c##zoran@pdb1
    
  2. Create TSDP policy using Data Redaction.

    Figure 7 - TSDP policy using Oracle Data Redaction

How it works...

In step 2, lines 2 and 3 declare the variables redact_features_options and policy_conditions. Data Redaction settings for the TSDP policy are defined using the redact_features_options variable, which holds parameter-value pairs that correspond to the parameters of the DBMS_REDACT.ADD_POLICY procedure (lines 4-8). Line...
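The PL/SQL block shown in Figure 7 is not reproduced on this page. The following is an added example, reconstructed from the description in How it works... and not the book's own code: it defines a TSDP policy that applies regular-expression redaction to e-mail addresses. The policy name email_redact_policy, the redaction expression, and the choice of Oracle's built-in e-mail pattern and replacement are assumptions; the DBMS_REDACT constants are passed as strings, which is how TSDP expects the parameter-value pairs.

```sql
-- Added example (not the book's Figure 7), run as c##zoran in pdb1.
-- Each key of redact_feature_options is a parameter of DBMS_REDACT.ADD_POLICY;
-- the value is the text TSDP passes for it when it later creates the
-- underlying Data Redaction policy on each protected column.
DECLARE
  redact_feature_options DBMS_TSDP_PROTECT.FEATURE_OPTIONS;
  policy_conditions      DBMS_TSDP_PROTECT.POLICY_CONDITIONS;
BEGIN
  -- Who sees redacted data: everyone except the owning schemas' own sessions.
  -- (Assumed predicate; pick one that matches your application accounts.)
  redact_feature_options('expression') :=
    'SYS_CONTEXT(''USERENV'',''SESSION_USER'') NOT IN (''HR'',''CHALLENGEZORAN'')';

  -- Regular-expression redaction using Oracle's built-in e-mail address
  -- pattern; the replacement hides the name part and keeps the domain.
  redact_feature_options('function_type')          := 'DBMS_REDACT.REGEXP';
  redact_feature_options('regexp_pattern')         := 'DBMS_REDACT.RE_PATTERN_EMAIL_ADDRESS';
  redact_feature_options('regexp_replace_string')  := 'DBMS_REDACT.RE_REDACT_EMAIL_NAME';
  redact_feature_options('regexp_position')        := 'DBMS_REDACT.RE_BEGINNING';
  redact_feature_options('regexp_occurrence')      := 'DBMS_REDACT.RE_ALL';
  redact_feature_options('regexp_match_parameter') := 'DBMS_REDACT.RE_CASE_INSENSITIVE';

  -- Restrict the policy to VARCHAR2 columns of the sensitive type it will be
  -- associated with; other datatypes carrying the type are left for another policy.
  policy_conditions(DBMS_TSDP_PROTECT.DATATYPE) := 'VARCHAR2';

  DBMS_TSDP_PROTECT.ADD_POLICY(
    policy_name            => 'email_redact_policy',   -- assumed name
    security_feature       => DBMS_TSDP_PROTECT.REDACT,
    policy_enable_options  => redact_feature_options,
    policy_apply_condition => policy_conditions);
END;
/

-- Check: the policy exists, uses Data Redaction, and stored the pairs you set.
SELECT policy_name, security_feature
  FROM dba_tsdp_policy_feature
 WHERE UPPER(policy_name) = 'EMAIL_REDACT_POLICY';

SELECT policy_name, parameter, value
  FROM dba_tsdp_policy_parameter
 WHERE UPPER(policy_name) = 'EMAIL_REDACT_POLICY'
 ORDER BY parameter;
```

Nothing is redacted yet: ADD_POLICY only stores the definition. Redaction starts when the policy is associated with a sensitive type and protection is enabled, which the next two recipes cover. Test the regular expression against your real data before enabling it; an address the pattern does not match is returned in clear text, not rejected.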

Associating transparent sensitive data protection policy with sensitive type


In this recipe, you'll associate TSDP policy and sensitive type you created in the previous recipes.

Getting ready

To complete this recipe, you'll need an existing user who has the execute privilege on the dbms_tsdp_protect package (for example, c##zoran).

How to do it...

  1. Connect to the database (for example, pdb1) as a user who has appropriate privileges (for example, c##zoran):

    $ sqlplus c##zoran@pdb1
    
  2. Associate the TSDP policy with the sensitive type:

There's more...

To verify that you successfully associated the TSDP policy and the sensitive type, execute the following query:

SQL> SELECT POLICY_NAME, SENSITIVE_TYPE FROM DBA_TSDP_POLICY_TYPE;

See also

  • Creating a sensitive type

  • Determining sensitive columns

  • Creating transparent sensitive data protection policy

Enabling, disabling, and dropping policy


In this recipe, you'll learn to enable, disable, and drop transparent sensitive data protection policies.

Getting ready

To complete this recipe, you'll need two existing users: one to manage TSDP policies and the other to view sensitive data.

How to do it...

  1. Connect to the database (for example, pdb1) as a user who has the SELECT privilege on the HR.EMPLOYEES and CHALLENGEZORAN.T1 tables, or the SELECT ANY TABLE privilege (for example, maja):

    $ sqlplus maja@pdb1
    
  2. View sensitive data by executing the following two queries:

    SELECT EMAIL FROM HR.EMPLOYEES FETCH FIRST 10 ROWS ONLY;
    

    Figure 9 - Before enabling the policy

    SELECT EMAIL_ADDRESS FROM CHALLENGEZORAN.T1;
    

    Figure 10 - Before enabling the policy

  3. Connect to the database (for example, pdb1) as a user who can manage TSDP policies (for example, c##zoran). Enable the TSDP policy:

  4. Repeat step 2 as user maja.

    Figure 12 - Sensitive data is protected

  5. Result of the second query is shown in Figure 13:

    Figure...
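The association call of the previous recipe and the enable, disable, and drop calls of this one appear only in the book's figures. Here they are written out as one added example (not the book's code), using the policy and type names assumed in the earlier examples (email_redact_policy and email_type), together with the dictionary checks a practitioner would run after each change.

```sql
-- Added example, run as c##zoran in pdb1 (not the book's figures).

-- 1. Associate the TSDP policy with the sensitive type
--    (recipe "Associating transparent sensitive data protection policy with sensitive type").
BEGIN
  DBMS_TSDP_PROTECT.ASSOCIATE_POLICY(
    policy_name    => 'email_redact_policy',
    sensitive_type => 'email_type',
    associate      => TRUE);       -- associate => FALSE removes the link again
END;
/

-- 2. Enable protection for every column classified with the type. Behind the
--    scenes TSDP now creates one Data Redaction policy per protected column.
BEGIN
  DBMS_TSDP_PROTECT.ENABLE_PROTECTION_TYPE(sensitive_type => 'email_type');
END;
/

-- Check: the redaction policies TSDP generated on the two tables, and that
-- they are enabled. If HR.EMPLOYEES is missing here, its column was never
-- classified (see "Determining sensitive columns"), not mis-protected.
SELECT object_owner, object_name, policy_name, enable
  FROM redaction_policies
 WHERE object_name IN ('EMPLOYEES', 'T1');

-- Check: TSDP's own view of which columns are currently protected.
SELECT *
  FROM dba_tsdp_policy_protection;

-- 3. Protection can also be switched per column instead of per type, for
--    example to leave one table readable during a migration while the rest
--    of the class stays protected.
BEGIN
  DBMS_TSDP_PROTECT.DISABLE_PROTECTION_COLUMN(
    schema_name => 'CHALLENGEZORAN', table_name => 'T1', column_name => 'EMAIL_ADDRESS');
  DBMS_TSDP_PROTECT.ENABLE_PROTECTION_COLUMN(
    schema_name => 'CHALLENGEZORAN', table_name => 'T1', column_name => 'EMAIL_ADDRESS');
END;
/

-- 4. Disable protection for the whole type before dropping the policy, as the
--    recipe does, so that no generated redaction policy is left behind.
BEGIN
  DBMS_TSDP_PROTECT.DISABLE_PROTECTION_TYPE(sensitive_type => 'email_type');
  DBMS_TSDP_PROTECT.DROP_POLICY(policy_name => 'email_redact_policy');
END;
/

-- Check: no redaction policy remains on the two tables.
SELECT object_owner, object_name, policy_name, enable
  FROM redaction_policies
 WHERE object_name IN ('EMPLOYEES', 'T1');
```

Run the REDACTION_POLICIES query as part of your change control: the TSDP policy is the intent, the generated redaction policies are what actually executes, and the two can drift if someone later drops or alters a redaction policy directly with DBMS_REDACT.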

Altering transparent sensitive data protection policy


In this recipe, you'll alter the policy you created in the recipe Creating transparent sensitive data protection policy and enable it.

Getting ready

To complete this recipe, you'll need two existing users (for example, c##zoran and maja). Also, update the table hr.employees, as shown in Figure 20:

Figure 20 - Set new e-mail addresses in the hr.employees table

How to do it...

  1. Connect to the database (for example, pdb1) as a user who can manage TSDP policies (for example, c##zoran):

    $ sqlplus c##zoran@pdb1
    
  2. If the policy is enabled, disable it for all columns (for instructions on how to disable the TSDP policy, see the recipe Enabling, disabling, and dropping policy).

  3. Connect to the database (for example, pdb1) as a user who can view sensitive data (for example, maja). Execute the following queries:

    SELECT EMAIL FROM HR.EMPLOYEES FETCH FIRST 10 ROWS ONLY;
    

    Figure 21 - Before altering and enabling the policy

    SELECT EMAIL_ADDRESS FROM CHALLENGEZORAN.T1;...
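An added example of the alter step that the rest of this recipe performs (not the book's figures, which this page does not show). What the book changes in the policy is not visible here, so switching the replacement from hiding only the name part of the address to hiding the whole address is an assumption used for illustration, as are the policy name email_redact_policy and the type name email_type. The last query demonstrates the limit of this protection that a reviewer should test for.

```sql
-- Added example (not the book's code). First as c##zoran in pdb1.

-- Step 2 of the recipe: make sure the policy is not applied anywhere.
BEGIN
  DBMS_TSDP_PROTECT.DISABLE_PROTECTION_TYPE(sensitive_type => 'email_type');
END;
/

-- Alter the policy: ALTER_POLICY takes the same arguments as ADD_POLICY and
-- updates the stored definition; then enable it again for the whole type.
DECLARE
  redact_feature_options DBMS_TSDP_PROTECT.FEATURE_OPTIONS;
  policy_conditions      DBMS_TSDP_PROTECT.POLICY_CONDITIONS;
BEGIN
  redact_feature_options('expression')           := '1=1';   -- redact for every session
  redact_feature_options('function_type')        := 'DBMS_REDACT.REGEXP';
  redact_feature_options('regexp_pattern')       := 'DBMS_REDACT.RE_PATTERN_EMAIL_ADDRESS';
  -- Assumed change: hide the entire address instead of only the name part.
  redact_feature_options('regexp_replace_string') := 'DBMS_REDACT.RE_REDACT_EMAIL_ENTIRE';
  redact_feature_options('regexp_position')      := 'DBMS_REDACT.RE_BEGINNING';
  redact_feature_options('regexp_occurrence')    := 'DBMS_REDACT.RE_ALL';
  policy_conditions(DBMS_TSDP_PROTECT.DATATYPE)  := 'VARCHAR2';

  DBMS_TSDP_PROTECT.ALTER_POLICY(
    policy_name            => 'email_redact_policy',
    security_feature       => DBMS_TSDP_PROTECT.REDACT,
    policy_enable_options  => redact_feature_options,
    policy_apply_condition => policy_conditions);

  DBMS_TSDP_PROTECT.ENABLE_PROTECTION_TYPE(sensitive_type => 'email_type');
END;
/

-- Check: the generated redaction policies were re-created with the new settings.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies
 WHERE object_name IN ('EMPLOYEES', 'T1');

-- Now as the reader user (SQL*Plus prompts for the password).
CONNECT maja@pdb1

-- The result set is redacted ...
SELECT email FROM hr.employees FETCH FIRST 10 ROWS ONLY;
SELECT email_address FROM challengezoran.t1;

-- ... but predicates are evaluated against the stored values, so the reader can
-- still test guesses about them. Data Redaction hides displayed results; it is
-- not a substitute for withholding the SELECT privilege from users who should
-- not learn the values at all.
SELECT COUNT(*) FROM hr.employees WHERE email LIKE 'S%';
```

If the last count is non-zero, the policy is working as designed and the inference channel is still open; decide whether that is acceptable for this reader before signing off on the protection.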