Oracle Data Masking and sub-setting in EBS 12.

Manoj Palbabu
Database Security consultant
2016

Copyright 2014 Oracle and/or its affiliates. All rights reserved. |

Program Agenda
Concepts (brief)

Demonstration

Questions

Safe Harbor Statement


The following is intended to outline our general product direction. It is
intended for information purposes only, and may not be incorporated
into any contract. It is not a commitment to deliver any material, code,
or functionality, and should not be relied upon in making purchasing
decisions. The development, release, and timing of any features or
functionality described for Oracle's products remains at the sole
discretion of Oracle.

Growing Data Breaches


[Figure: graphic of data breaches dated between Oct 13 and Aug 15, each labelled with an organisation, a date and a record count, grouped under Personal Records, Credit Cards, IP Theft and Espionage; the individual labels are not recoverable from the extraction.]

Attack Vectors

Reconnaissance
Phishing/Malware
Password Theft
Insider Access
SQL Injection
Privilege Escalation

Data Masking and Subsetting

Oracle Data Masking and Subsetting Pack


Reduces Risk in Sharing by Obfuscating or Removing Sensitive Data

Discover Sensitive Data
Modeling Application Data
Mask Data using Format Library
Subset Based on Goal/Condition
Mask/Subset in Export or on Staging
Mask in Workload Captures & Clones
Pre-installed in Enterprise Manager

Production

NAME      SALARY
AGUILAR   501355
BENSON    357898
CHANDRA   607652
DONNER    103456

Test/Dev

NAME      SALARY
KRIS      356762
RAJESH    765468

Proliferation of Sensitive Data Increases Security Risks

[Figure labels: Production, Partners, Demo, Development, Testing, Research, Cloud, Training, Analytics]
Solution Requirements and Challenges

Main Requirements

Replace sensitive with fictitious data before sharing
Extract relevant data
Discard unneeded sensitive data
Meet compliance requirements

Key Challenges

Discover sensitive data
Preserve application integrity
Provide common masking formats and goal-based subsetting
Provide integrated solution

[Figure label: Data Masking and Subsetting]
Data Masking Methodology

Create Data Model
Discover sensitive data
Discover data relationships

Select Formats & Criteria
Masking formats and templates
Goals & conditions for subsetting

Preview & Validate
Preview masking algorithm results
Preview subset reduction results

Execute Transformation
In-Database or In-Export
Rerun with same data model

Extensive Masking Format Library


Provides common masking formats
Supports custom masking formats
Random numbers/strings/dates
Substitute
User defined PL/SQL function
and more

Generates sample masked values
Application Data Modeling


Sensitive Data Discovery
Data Relationships
Sensitive Columns
Metadata
Automated Discovery

Types of Attributes Masked for EBS


Mask PII and other sensitive personal data associated with users.
Cover all product families shipped with Oracle E-Business Suite.
Run as a whole, since de-identification of a portion of a database is much less effective.

Sensitive Data Attributes


Compensation
Employment Details
Nationality / Citizenship
Health Information
Personal Information
Mother's Maiden Name
Password
Encryption Keys
Security Vulnerabilities
Audit Information
Session Information

Personally Identifiable Attributes (PII)


Person Name
Maiden Name
Business / Personal Address (street level (or country equivalent) only)
Business Telephone Number
Business Email Address
Custom Name
Employee Number
User Global Identifier
Party Number or Customer Number
Account Name
Mail Stop
GPS Location
Student Examination Hall Ticket Number
Club Membership ID
Library Card Number
Identity Card Number
Instant Messaging Address
Web Site
National Identifier
Passport Number
Driver's License Number
Personal Telephone Number
Personal Email Address
Visa Number or Work Permit
Bank Account Number
Card Number (credit or debit card number)
Tax Registration Number or National Taxpayer Identifier
Person Identification Number

Oracle E-Business Suite Template for the Data Masking Pack - Patch 22868456.

Application Data Model (ADM) template - Contains the description of the data model:
ADM_EBS12.2_JG_V2.0.X_EM_13.1_Template.xml (select OWNER from all_tables where TABLE_NAME = 'JE_ES_MODELO_190_ALL')
or
ADM_EBS12.2_V2.0.X_EM_13.1_Template.xml

Masking template - Contains the masking rules:
Mask_EBS12.2_JG_V2.0.X_EM_13.1_Template.xml
or
Mask_EBS12.2_V2.0.X_EM_13.1_Template.xml

ebs_pre_generate.sql - script to run before the generation phase.
ebs_post_generate.sql - script to clean up after the generation phase.
fndusmaexcr.sql - script that creates the FND_USER_MASKING_EXEMPTIONS table.
fndusmaexpo.sql - script that provides examples of how to populate the FND_USER_MASKING_EXEMPTIONS table.

EBS Masking Preparation and Setup


Clone the database you are planning to mask.
Perform an analysis to determine which users to exempt from data masking and whether you need to populate the pre-masked database with additional users.
Create a pre-masking script to specify "exempt users" that will not be masked in the FND User tables.
Generating the mask is a multi-step process that comprises three main tasks:
Task 1: Importing the ADM template and verifying it.
Task 2: Importing the Data Masking template.
Task 3: Generating the masking script (this will take some time).
It is important to change the credentials associated with the database in your test environments.
Switch the database over to using local users (no LDAP, SSO or Oracle Access Manager (OAM) during or after a mask).
If you have registered Oracle E-Business Suite with Oracle Internet Directory and Oracle Access Manager or Oracle Single Sign-On for access management integration, you need to deregister the environment prior to deploying data masking.
Ensure there is enough free space in the TEMP and SYSTEM tablespaces to accommodate 1-2 times the largest table being masked. Which table is the largest will depend on your implementation, but it is often the WF_USER_LOCAL_ROLES, WF_LOCAL_ROLES, or HZ_PERSON_PROFILES table.
Correct the fndusmaexcr.sql script (a comment * is missing) and run it as the EBS_MASK user to create the FND_USER_MASKING_EXEMPTIONS table so that the generation step that follows can successfully validate the mask.
Shut down the application tier server processes using the adstpall script.
Within the data masking console in Oracle Enterprise Manager, run the mask for the script generated above using the EBS_MASK user.
Rerun 'Compile the objects in the database'.
Start up the middle-tier server processes using the adstrtal script.
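
A sizing check for the free-space step above, as an added example that is not part of the original slides: it compares free space in SYSTEM and in the temporary tablespaces with the largest of the three tables the slide names, using the slide's "1-2 times" guidance as thresholds. It assumes DBA dictionary access on the cloned database, that the candidate list matches your implementation, and it does not count space a datafile could still gain through autoextend.

```sql
-- Added example: pre-mask sizing check, run on the cloned database.
WITH candidates AS (
  -- Tables the slide names as commonly the largest masked tables.
  -- Assumption: extend this list to match your own implementation.
  SELECT owner, segment_name, SUM(bytes) AS bytes
  FROM   dba_segments
  WHERE  segment_type IN ('TABLE', 'TABLE PARTITION', 'TABLE SUBPARTITION')
  AND    segment_name IN ('WF_USER_LOCAL_ROLES',
                          'WF_LOCAL_ROLES',
                          'HZ_PERSON_PROFILES')
  GROUP  BY owner, segment_name
),
largest AS (
  -- Size of the biggest candidate; NULL when none of them exists.
  SELECT MAX(bytes) AS bytes FROM candidates
),
free AS (
  -- Free extents in SYSTEM (autoextend headroom is not included).
  SELECT tablespace_name, SUM(bytes) AS free_bytes
  FROM   dba_free_space
  WHERE  tablespace_name = 'SYSTEM'
  GROUP  BY tablespace_name
  UNION ALL
  -- Every temporary tablespace, whatever it is called on this system.
  SELECT tablespace_name, free_space
  FROM   dba_temp_free_space
)
SELECT f.tablespace_name,
       ROUND(f.free_bytes / 1048576) AS free_mb,
       ROUND(l.bytes / 1048576)      AS largest_table_mb,
       CASE
         WHEN l.bytes IS NULL             THEN 'NO CANDIDATE TABLE FOUND'
         WHEN f.free_bytes >= 2 * l.bytes THEN 'OK (>= 2x)'
         WHEN f.free_bytes >= l.bytes     THEN 'MARGINAL (1x to 2x)'
         ELSE 'INSUFFICIENT (< 1x)'
       END AS verdict
FROM   free f
CROSS  JOIN largest l
ORDER  BY f.tablespace_name;
```

Any row that is not OK should be resolved before the masking script is generated and run.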

EBS Masking Preparation and Setup

unzip p22868456_R12_GENERIC.zip
cd EBSMaskingPack2.0.4

Importing the ADM template and verifying it

Navigate to Application Data Models. Import the XML Application Data Model (ADM) template. This template was downloaded with Patch 22868456.

From the Application Data Models page, perform a Verify action via the
Actions menu on the Application Data Model that you just imported.

Navigate to the Data Masking Definitions page. Import the XML Masking Template,
selecting the Application Data Model (ADM) from the list of available ADMs created earlier
or enter a new name.

Verify the Sensitive Data

[Figure: screenshots labelled Before and After]

Functionality Affected by EBS Masking


Third-party integration may not work, as masking disables login and disassociates responsibilities for all accounts that are masked. The only accounts that are not masked are seeded accounts (such as SYSADMIN, GUEST, etc.) and additional accounts listed as exempt from masking.
Workflows for masked users will not work correctly. Workflows will work only if all participating workflow users are exempt from masking.
Single Sign-On (SSO), Oracle Access Manager (OAM), and LDAP-synch should be turned off, as they will not work correctly after masking.
Payroll results will not be in sync with the payroll engine calculations.
Oracle Payments Credit Card functionality will be affected as follows:
Credit card encryption will be turned off after masking.
Processing of payment files by external systems will fail.
Certain Payments functionality (such as searches) will require the IBY_REGENERATE_HASH concurrent program to be run ('Regenerate Payments Hash Data').
Country-specific Bank Account Number validations may fail; the profile option CE_DISABLE_BANK_VAL should be set to Yes.

Factors Affecting Performance


Number of CPU Cores on EM and Target DB.
Primary Memory on EM and Target DB.
SGA settings of EM Repository and Target DB.
EM OMS Heap Size (JAVA_EM_MEM_ARGS).
Degree of parallelism.
Number of parallel threads (In-Export).
Type of masking format.
Number of tables, columns, rows and relationships.
