Datamasking/Encryption Oracle Security

SOFTWARE BUSINESS CASE
ORACLE SECURITY SOFTWARE
DATAMASKING & ENCRYPTION
TABLE OF CONTENTS
EXECUTIVE SUMMARY
1. Problem Definition
2. Addressing Problem with CWU existing tools and products (i.e. PeopleSoft)
3. Organizational Impact
4. Benefits
5. Strategic Alignment
6. Cost
7. Alternatives (add lines as necessary)
8. Timing / Schedule (add lines as necessary)
9. Technology Migration/Resource Identification
10. Product Life/Application Sunsetting or Decommissioning
11. References
12. Recommendation
13. Approvals
Oracle Security Software / Datamasking & Encryption
Page 2 of 10
EXECUTIVE SUMMARY
In our current environment, all PeopleSoft data is stored in an unencrypted format on our servers. While
we go to great lengths to secure this data while it is in transit (i.e. while being accessed by a user) we
currently do not have any encryption for this data while it is at rest. In addition, we currently use
production data in our non-production environments that has not been masked or obfuscated. This
creates several risks that may result in unauthorized disclosure of sensitive and confidential data. The
following is a list of the main security considerations associated with these risks:
1. Industry Standard: Encrypting and masking sensitive data is a best practice in that it introduces
more controls and generally increases the security of our systems and data. It also addresses
compliance requirements associated with federal regulations and laws (e.g. PCI and HIPAA).
2. The Portal: By implementing the Portal we are adding new functionality and increasing the
accessibility to our core business systems and associated data. This increases the risk of
inadvertent exposure of this data.
3. External Attackers: In the event an external attacker breaches our perimeter defenses, our core
business data is at great risk of unauthorized disclosure because we store it in clear-text (i.e.
unencrypted).
4. Malicious Insider: In the event we encounter a malicious insider, we have to make sure our data
remains secure regardless of where it is located. In our current state, data is easily copied to an
external device for exploitation or unauthorized disclosure at a later date.
5. CedarCrestone Recommendation: This business case is consistent with the finding and
recommendation in the Applications Portal Configuration and Security Recommendations
document, developed by CedarCrestone.
Oracle database systems that include the Advanced Security Option pack provide a turnkey solution
named Transparent Data Encryption (TDE) for encrypting confidential PeopleSoft data as it resides on
the storage media. While infrastructure and application security mechanisms can protect this data as
users and administrators interact with the application, data stored unencrypted on the storage media is
vulnerable to exploitation outside of the application framework.
Data masking refers to the process of obfuscating potentially sensitive data in non-production
databases. Database administrators (DBAs) will occasionally copy production data into development or
test environments to allow developers to perform application development and application testing. The
problem with data sharing is that copies of production data contain confidential, sensitive or personally
identifiable information, access to which should be controlled.
Both the Data Masking Software Pack and the Advanced Security Option are collectively referred to as the
Oracle Security Software in this business case. The Advanced Security Option will be used to encrypt our
data in all environments, with the exception of DEMO. The Data Masking Software Pack will be used to
obfuscate the data in all non-production environments, with the exception of DEMO.
Sponsoring Department(s): Security Services Department
Date of Business Case Preparation: 9/24/13
Contact Person Name/Phone: Andreas Bohman / 2499
New Product/Service
If there is a draft or sample contract, please provide a copy.
Renewal of Existing Product/Service – if checked, include background information.
If there is a site license agreement, existing contract or new contract draft, please provide a
copy.
1. Problem Definition
Central Washington University’s Enterprise Resource Planning (ERP) data is not encrypted
while at rest on our storage media. While infrastructure and application security
mechanisms can protect sensitive data as users and administrators interact with the
application, data stored unencrypted on the storage media is vulnerable to exploitation
outside of the application framework. In addition, our data is not obfuscated in any of our
databases. This introduces the risk of inadvertent disclosure and exposing confidential and
sensitive information when sharing production data with application developers or software
quality testers who do not otherwise have access to this data in the production system.
2. Addressing Problem with CWU existing tools and products (i.e. PeopleSoft)
As the Oracle database environments are proprietary, there are no supported alternative
products available for data encryption. Even though there are some open-source products
that will encrypt and obfuscate Oracle databases, none of the products are supported by
Oracle. Our Campus Solutions PeopleSoft database has a real-time obfuscation process that
is currently in use. However, this process only obfuscates that data as it is being used and it
does not obfuscate the data at rest. Since this is a real-time process, it is not appropriate as
an enterprise solution and it is only available for the Campus Solution PeopleSoft database.
It is possible to manually mask the PeopleSoft data but this is a very resource intensive and
repetitive task and not recommended.
3. Organizational Impact
This is an enterprise need and it will benefit all users of our PeopleSoft ERP.
Data Masking Stakeholders: The primary stakeholders for the Data Masking software are
the Business Analysts/Functional Leads, Security Services Department, and Information
Technology Services (ITS). However, since this is an enterprise solution, all functional groups
will benefit from the added security.
Data Encryption Stakeholders: The encryption process is a one-time process that is
executed on all data – or ‘tablespaces’ - in our Oracle databases. Once the data is encrypted,
all subsequent data writes and reads will also be encrypted. The primary stakeholders for
the Data Encryption software are the Security Services Department and ITS.
Contributors: The contributors to the requirements for this business case are the Business
Analysts/Functional Leads, Security Services, ITS, and CedarCrestone. Within ITS the group
with the most impact are the DBAs and they have been involved in the development of this
business case.
Resource Impact: There will be an impact on resources from Business Analysts/Functional
Leads, Security Services, ITS, and CedarCrestone. In discussing the potential impact and
availability of resources, all stakeholders have indicated they are able to support this effort
as part of or in addition to the overall iCAT project, with the exceptions and caveats noted in
the timeline below.
Changes to Existing Systems: In order to implement the Data Encryption software, changes
have to take place in our current environment. The Data Encryption changes are relatively
minor in comparison to the Data Masking changes and are seen as the least effort of the
two. Below is an overview of the process and changes needed:
1. Since existing tablespaces cannot be encrypted, it is necessary to move the
application data from clear-text tablespaces to encrypted copies of the original
tablespaces. The first step in this process is to extract the application data using an
Oracle export utility such as data pump. This is the same process used for moving
our data to the lab as part of the current upgrade and split.
2. New, encrypted tablespaces have to be created to mirror the existing clear-text
tablespaces. Special considerations have to be made for indexes. The Migration
Guide provides detailed instructions and scripts that allow the DBA to perform these
activities.
3. The clear-text tablespaces are dropped and the application data is brought back into
the database using an Oracle import utility such as data pump.
4. Once all of the encryption activities are complete and the application data is stored
in the encrypted tablespaces, the PeopleSoft application is capable of running as
before with no additional changes.
In order to implement the Data Masking software, changes have to take place in our current
environment. Oracle has developed a comprehensive 4-step approach to implementing
data masking via Oracle Data Masking Pack called: Find, Assess, Secure and Test (F.A.S.T).
These steps are:
1. Find: This phase involves identifying and cataloging sensitive or regulated data
across the entire enterprise. Typically carried out by business or security analysts,
the goal of this exercise is to come up with the comprehensive list of sensitive data
elements specific to the organization and discover the
associated tables, columns and relationships across enterprise databases that
contain the sensitive data.
2. Assess: In this phase, developers or DBAs in conjunction with business or security
analysts identify the masking algorithms that represent the optimal techniques to
replace the original sensitive data. Developers can leverage the existing masking
library or extend it with their own masking routines.
3. Secure: This and the next step may be iterative. The security administrator executes
the masking process to secure the sensitive data during masking trials. Once the
masking process has completed and has been verified, the DBA then hands over the
environment to the application testers.
4. Test: In the final step, the production users execute application processes to test
whether the resulting masked data can be turned over to the other non-production
users. If the masking routines need to be tweaked further, the DBA restores the
database to the pre-masked state, fixes the masking algorithms and re-executes the
masking process.
Training Requirements: There are training requirements associated with both products but
they are relatively minor. The security administrator has to be proficient in the use of the
data masking solution and the DBAs have to be proficient in the application of the
encryption software. The intent is for CedarCrestone to develop the process required for the
data masking and encryption with the internal security administrators and DBAs executing
the process.
All Stakeholders:
Department            Name
Security Services     Andreas Bohman
Security Services     Jamie Schademan
Security Services     Barbara Bisson
ITS                   Jason Ringer
ITS                   Barry Carlson
CedarCrestone         Gene Shoda
CedarCrestone         Daniel Tarango
CedarCrestone         Brennan Folmer
Finance               Tim McGuire
Human Resources       Jill Hernandez
Admissions            Debbie Hunt
Registrar Services    Lidia Anderson
4. Benefits
Data Encryption Benefits:
- Data is encrypted on disk, and any backups stored on external tape remain
encrypted.
- Effective mitigation of risk associated with other attack vectors.
- No additional storage is required for the encrypted database files; the database size
remains the same.
- The encryption and decryption is transparent to the PeopleSoft applications. No
PeopleSoft-level code changes are necessary.
- No additional triggers, views, or stored procedures have to be implemented or
maintained when using TDE.
- The encryption/decryption overhead added by TDE has been reported by internal
Oracle testing to be approximately 2-4%, which should be considered reasonable
when compared to the other benefits.
Data Masking Benefits:
- Data in non-production systems is no longer recognizable as valid personal/sensitive
data. CWU would not need to be concerned about unauthorized access or
extraction of sensitive data from non-production systems, which are generally
available to a much wider development/testing audience.
- Depending on audit requirements in place at CWU, having sensitive data available to
developers/testers in non-production systems may be a violation.
- Using a tool such as the Oracle Data Masking pack allows data to be masked while
still preserving referential integrity of the PeopleSoft application. In other words,
the PeopleSoft application will still function as expected with the masked data.
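The referential-integrity point above can be made concrete with a short added example; it is not part of the original business case and is not how the Oracle Data Masking Pack works internally. It assumes two constructed tables that share a hypothetical `emplid` key, and uses a keyed HMAC (a swapped-in technique chosen for illustration) to replace identifiers consistently in both tables, re-deriving on collision so masked keys stay unique.

```python
import hashlib
import hmac

# Constructed sample rows standing in for a parent and a child table (not real data).
PERSON = [
    {"emplid": "1000001", "name": "Alice Example", "ssn": "123-45-6789"},
    {"emplid": "1000002", "name": "Bob Example", "ssn": "987-65-4321"},
    {"emplid": "1000003", "name": "Carol Example", "ssn": "555-12-3456"},
]
JOB = [
    {"emplid": "1000001", "dept": "FIN"},
    {"emplid": "1000003", "dept": "HR"},
    {"emplid": "1000003", "dept": "REG"},
]
DEMO_KEY = b"constructed-demo-key"  # assumption: real key never leaves production


def _mask_digits(key, value, attempt):
    """Replace every digit of value with keyed pseudorandom digits, keeping layout."""
    n = sum(ch.isdigit() for ch in value)
    if n == 0:
        raise ValueError(f"nothing to mask in {value!r}")
    digest = hmac.new(key, f"{attempt}:{value}".encode(), hashlib.sha256).digest()
    pool = iter(str(int.from_bytes(digest, "big") % 10**n).zfill(n))
    return "".join(next(pool) if ch.isdigit() else ch for ch in value)


def build_mapping(values, key):
    """Map each distinct value to a unique masked value that is not a real one."""
    originals = set(values)
    mapping, used = {}, set()
    for value in sorted(originals):
        for attempt in range(1000):  # re-derive on collision so keys stay unique
            candidate = _mask_digits(key, value, attempt)
            if candidate not in used and candidate not in originals:
                break
        else:
            raise RuntimeError("value space too small to mask without collisions")
        mapping[value] = candidate
        used.add(candidate)
    return mapping


def mask_tables(person, job, key):
    """Mask both tables with one shared ID mapping so child rows keep their parent."""
    ids = build_mapping([r["emplid"] for r in person + job], key)
    ssns = build_mapping([r["ssn"] for r in person], key)
    masked_person = [
        {"emplid": ids[r["emplid"]], "name": f"Person {ids[r['emplid']]}",
         "ssn": ssns[r["ssn"]]}
        for r in person
    ]
    masked_job = [{**r, "emplid": ids[r["emplid"]]} for r in job]
    return masked_person, masked_job


def orphans(person, job):
    """Return child rows whose emplid has no parent row (integrity violations)."""
    parents = {r["emplid"] for r in person}
    return [r for r in job if r["emplid"] not in parents]


if __name__ == "__main__":
    masked_person, masked_job = mask_tables(PERSON, JOB, DEMO_KEY)
    print(masked_person, masked_job, orphans(masked_person, masked_job), sep="\n")
```

An empty `orphans()` result after masking is the kind of check that fits the Test step of F.A.S.T. before a masked copy is handed to developers or testers.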
5. Strategic Alignment
Student success: CWU believes that student success is best achieved by providing
supportive learning and living environments that encourage intellectual inquiry, exploration,
and application.
Strategic Alignment: By providing for a secure yet highly available environment, we ensure
ready access to information while still providing our students with the confidence that we will
protect their confidential information.
Access: CWU believes in providing educational opportunities to as many qualified students
as possible. CWU believes that restrictions of place, time, and finances can be overcome
through the effective use of partnership with community colleges and by effective and
efficient use of learning, communication, and social technologies.
Strategic Alignment: As we broaden our enterprise environment to meet this strategic
vision, we have to ensure we also maintain the confidentiality and integrity of our
customer’s data, regardless of where the data is located. We have to provide for security
throughout the life-cycle of the data.
Shared Governance: CWU believes that shared governance is most effective when
information systems and decision-making processes are both robust and transparent. CWU
believes that communication channels should be open and two-way and that faculty, staff,
and students should be empowered to participate in the governance systems.
Strategic Alignment: Securing our customer data is an important part of building and
implementing robust and transparent information systems and decision-making processes.
6. Cost
There is currently no funding for this business case.
Cost Breakdown:
   Product and Services                    License       Units    List Price       Disc %   Extended
1  Advanced Security Option                Named User    12955    $2,979,650.00    96       $119,186.00
2  Product Support and Software Updates                           $655,523.00      96       $26,220.92
3  Data Masking Pack                       Named User    12955    $2,979,650.00    96       $119,186.00
4  Product Support and Software Updates                           $655,523.00      96       $26,220.92
   License                                                        $5,959,300.00    96       $238,372.00
   Support                                                        $1,311,046.00    96       $52,441.84
   Total                                                          $7,270,346.00             $290,813.84
   5-Year Cost                                                                              $500,581.20
7. Alternatives (add lines as necessary)
Alternative: Do nothing
Reasons For Not Selecting Alternative: High level of risk associated with the
confidentiality and integrity of our customer’s information. The risk is primarily
associated with a data breach and unauthorized access to our customer’s data. This
has the potential to negatively impact the reputation of CWU and it may have an
impact on admissions.

Alternative: Only Use Real-Time CS Obfuscation
Reasons For Not Selecting Alternative: This process is not available - nor is it
appropriate – for the other databases.
8. Timing / Schedule (add lines as necessary)
Task                                                       Target Date
Purchase Data Masking and Data Encryption Software         10/15/2013
Install Data Encryption Software Solution                  11/01/2013
Develop Data Encryption Procedure                          11/15/2013
Test and Implement Data Encryption Procedure               12/15/2013
Data Encryption Implementation Completed (Go-Live)         01/27/2014
Install Data Masking Software Solution                     02/28/2014
Develop Find, Assess, Secure and Test (FAST) Procedure     03/15/2014
Test and Implement FAST Procedure                          04/01/2014
Data Masking Implementation Completed (Go-Live)            04/15/2014
9. Technology Migration/Resource Identification
Data Encryption Software Resources:
Resource     Requirements                   Timeframe
Personnel    CedarCrestone Consultant       11/01/2013 – 12/15/2013
             ITS DBAs                       12/15/2013 – 01/27/2014
             Security Administrator/CISO    10/15/2013 – 01/27/2014

Data Masking Software Resources:
Resource     Requirements                   Timeframe
Personnel    CedarCrestone Consultant       02/28/2014 – 03/15/2014
             Business Analysts              03/15/2014 – 04/01/2014
             ITS DBAs                       04/01/2014 – 04/15/2014
             Security Administrator/CISO    02/28/2014 – 04/15/2014

Resource hours by month (table columns: Jan, Feb, Mar, Apr, May, June, July, Aug, Sept, Oct, Nov, Dec;
values are listed in source order, the month each value belongs to is not recoverable):
Security Admin       10, 10, 15, 15, 5, 5
Business Analysts    10, 10, 5, 10
ITS DBA              10
CedarCrestone        10, 5, 10, 5, 5, 5, 5
Total Hours          30, 15, 30, 25, 5, 20, 25
10. Product Life/Application Sunsetting or Decommissioning
Both the Data Encryption and Data Masking software are tied to the product life of our
PeopleSoft environment.
11. References
Oracle – Implementation Guidance
CedarCrestone – Pricing Information and Feasibility Study
ITS DBAs – Availability and buy-in for initiative.
Business Analysts - Availability and buy-in for initiative.
12. Recommendation
Oracle database systems that include the Advanced Security Option pack provide a turnkey
solution named Transparent Data Encryption (TDE) for encrypting potentially sensitive
PeopleSoft data as it resides on the storage media. While infrastructure (firewalls,
non-addressable network zones, ACLs) and application security mechanisms (PeopleSoft roles,
permission lists, row-level security) can protect sensitive personally identifiable information
as users and administrators interact with the application, data stored unencrypted on the
storage media is vulnerable to exploitation outside of the application framework.
Data masking refers to the process of obfuscating potentially sensitive data in
non-production databases. Database administrators (DBAs) will occasionally copy production
data into staging or test environments to allow developers to perform application
development and application testing. The problem with data sharing is that copies of
production data often contain confidential, sensitive or personally identifiable information,
access to which may be restricted by government regulations. Therefore, CWU runs the risk
of exposing sensitive information when sharing production data with application developers
or software quality testers who may not otherwise have access to this data in the
production system.
It is recommended that CWU purchase and implement the Advanced Security Option and
Data Masking feature of the Oracle database system and obfuscate and encrypt all
PeopleSoft tablespaces for all applications.
13. Approvals
The following actions have been taken by the appropriate Sub-Council (ATAC or
Non-Academic Sub-Council) and Enterprise Information Systems Committee (EISC):
Date         Action                                 By
9/26/13      Approved to be Reviewed by EISC        Non-Academic Sub-Council
9/30/2013    Presented to EISC                      Andreas Bohman, CISO
9/30/2013    Approved to be Reviewed by Cabinet     EISC
Upon approval by the Enterprise Information Systems Committee (EISC) or one of the two
Sub-Councils (Academic or Non-Academic), CWU procurement policies and procedures should be
used to initiate a purchase. Please contact the Purchasing office at x1001 with any questions
regarding the procurement process.
If you have any questions, please contact Sue Noce 963-2927 or Tina Short 963-2910.