This content is part of the Essential Guide: Guide to Oracle 12c database features and upgrades

Oracle has a new security tool for Database 12c, data redaction

Oracle Database 12c adds a new security tool, data redaction. Here are step-by-step processes for using data redaction for data masking.

Oracle has added data redaction as a new security feature in Oracle Database 12c. Oracle Data Redaction provides an effective and easy-to-implement way to mask sensitive information. The feature works in real time, and the query results from the data redaction are returned to their original application.

Data redaction is useful when you want to hide all or part of a column's values while still providing users with the information they need to see. Personal identifiers, such as Social Security numbers, credit card numbers and client IP addresses cannot be released legally without permission. By allowing you to conceal personal information while still allowing access to key files, data redaction helps you comply with industry standards and regulations such as the Sarbanes-Oxley Act without interrupting the regular flow of business.

Before Data Redaction was introduced in Oracle Database, data masking had to be implemented at the application layer, within the database or through third-party software. However, you can now redact data without taking these invasive steps. Instead, you can create policies specific to redaction that target the columns containing sensitive information, hiding them without altering any other part of the application.

Data redaction in Oracle Database 12c

Once you've configured the redaction policies, Oracle Database applies the masking at runtime, based on the policy specifications. The redaction process operates at the database kernel level and is performed in-memory to ensure maximum security and query performance.

Oracle Database caches all policy information, so policy expressions need to be evaluated only once per execution. As a result, redaction incurs no per-row overhead, making it well suited for constantly changing data. Oracle limits its redaction capabilities to data types that are easy to successfully redact, such as character and numerical types. Oracle Data Redaction does not work for raw, graphic or large object types.

When query results are redacted, the underlying data remains the same. The only thing that changes is which information is displayed in the application. At the same time, Oracle Database preserves the column's data type so redaction doesn't impact the application. In addition, Data Redaction has no impact on other database operations, such as those carried out by Oracle Data Pump or Recovery Manager. Policies can even be defined to preserve basic formatting in the application, such as the hyphenation in Social Security numbers. During redaction, all data is processed normally, triggers fire as configured and referential integrity is preserved.

If you are using views, functions, or stored procedures that reference redacted columns, the data itself remains redacted. However, columns referenced in the WHERE clause are never redacted. Redaction applies only to columns within the SELECT list. In addition, if your SELECT list contains an expression that includes redacted columns, the data is redacted before the expression is evaluated.

Implementing data redaction

Oracle now offers the DBMS_REDACT package to support data redaction in Oracle Database 12c Enterprise Edition. You implement redaction by creating policies for the desired database. The DBMS_REDACT package includes the procedures necessary to add, alter, disable, enable and drop redaction policies.

The main procedure, ADD_POLICY, lets you create a policy that targets a specific column and defines how data in that column should be redacted. Oracle Database begins redacting the queried data as soon as the policy is enabled.

Another useful procedure, ALTER_POLICY, lets you modify a policy definition. With ALTER_POLICY, you can perform such tasks as changing the redaction type on a column or adding a column to the policy. Oracle Database also includes predefined column templates for masking common types of data, such as Social Security or credit card numbers.

When configuring a policy to redact column data, you can specify one of the following five redaction options:

  • FULL: Redacts all data in the targeted column. For character data types, the query returns a single space for each value. For numerical types, the query returns a zero (0). For datetime types, the query returns 01-JAN-01. You can use the UPDATE_FULL_REDACTION_VALUES procedure to specify which of the different values you want to have returned. The FULL option is the default redaction type and is used when no other type is specified.
  • PARTIAL: Redacts only a portion of each value in the targeted column. For example, you can mask the first 12 digits of a credit card number so that the only data the user sees is the last four numbers. When configuring the policy, you can set the position to start the redaction, the number of characters to redact from that position and which redaction character to use in place of the masked data. The target column must be a fixed width to use PARTIAL redaction.
  • REGEXP: Redacts a portion of the targeted column data based on a specified regular expression. This type is useful when redacting a variable-length column. For example, you can use the REGEXP type to redact the last names in a column that contains full names. You can then replace the redacted portion with placeholder text that indicates which portion has been redacted.
  • RANDOM: Redacts all data in the targeted column and replaces it with random values consistent with the column's data type. For example, the last name Smith might be returned as x{\)E. Because the results are random, the redacted value will be different each time the application retrieves that data.
  • NONE: No redaction is performed. This option is useful for testing your redaction policies before applying them to a production environment. You can also use this option for providing a user with access to data in a table configured to be redacted. To do this, define a special view and then apply a policy that uses the NONE option.

The Data Redaction feature is intended primarily for applications returning sensitive data to their users. It does not prevent privileged users from connecting directly to the database and issuing ad hoc queries to view the actual data. However, data redaction can be used in conjunction with other security measures, such as data encryption, Oracle Database Vault or Oracle Audit Vault and Database Firewall.

Data masking in Oracle Database

Data redaction can provide you with a valuable tool for preventing sensitive data from leaking out of an organization. Because masking occurs at query runtime, data is not put at risk as a result of application vulnerabilities. The data is redacted directly in the database kernel, which offers tighter security and better performance without affecting other operations. Data redaction helps to ensure privacy and compliance so you can better manage the data exposed through your applications.

Dig Deeper on Oracle database security