What is Oracle Data Redaction with Examples (Mask your sensitive Data)
Oracle Data Redaction is one of the new features introduced in Oracle Database 12c. It is part of the Advanced Security option and protects the data shown to the user in real time, without requiring changes to the application.
Oracle Data Redaction enables you to mask (redact) data that is returned from queries issued by applications.
You can redact column data by using one of the following methods:
Full redaction. You redact all of the contents of the column data. The redacted value returned to the querying application user depends on the data type of the column. For example, columns of the NUMBER data type are redacted with a zero (0), and character data types are redacted with a single space.
Partial redaction. You redact a portion of the column data. For example, you can redact a Social Security number with asterisks (*), except for the last 4 digits.
Regular expressions. You can use regular expressions to look for patterns of data to redact. For example, you can use regular expressions to redact email addresses, which can have varying character lengths. It is designed for use with character data only.
Random redaction. The redacted data presented to the querying application user appears as randomly generated values each time it is displayed, depending on the data type of the column.
No redaction. The None redaction type option enables you to test the internal operation of your redaction policies, with no effect on the results of queries against tables with policies defined on them. You can use this option to test the redaction policy definitions before applying them to a production environment.
Oracle Database applies the redaction at runtime when users access the data. This solution works well in a production system.
How does it work?
We can create redaction policies that specify conditions that must be met before the data gets redacted and returned to the user. When defining such a policy, the DBA specifies which columns are redacted and the type of protection that must be applied.
The package used to create protection rules is called DBMS_REDACT. The package includes five procedures to manage the rules and an additional procedure to change the default value for the full redaction policy.
Oracle Data Redaction is ideal for situations in which you must redact specific characters out of the result set of queries of Personally Identifiable Information returned to certain application users. For example, you may want to present a Social Security number that ends with the numbers 1234 as ***-**-1234.
Important Procedures related to DBMS_REDACT
Procedure - Description
DBMS_REDACT.ADD_POLICY - Adds a Data Redaction policy to a table or view
DBMS_REDACT.ALTER_POLICY - Modifies a Data Redaction policy
DBMS_REDACT.APPLY_POLICY_EXPR_TO_COL - Applies a Data Redaction policy expression to a table or view column
DBMS_REDACT.CREATE_POLICY_EXPRESSION - Creates a Data Redaction policy expression
DBMS_REDACT.DISABLE_POLICY - Disables a Data Redaction policy
DBMS_REDACT.DROP_POLICY - Drops a Data Redaction policy
DBMS_REDACT.DROP_POLICY_EXPRESSION - Drops a Data Redaction policy expression
DBMS_REDACT.ENABLE_POLICY - Enables a Data Redaction policy
DBMS_REDACT.UPDATE_FULL_REDACTION_VALUES - Globally updates the full redaction value for a given data type. You must restart the database instance before the updated values take effect
DBMS_REDACT.UPDATE_POLICY_EXPRESSION - Updates a Data Redaction policy expression
It supports the following column data types:
NUMBER, BINARY_FLOAT, BINARY_DOUBLE, CHAR, VARCHAR2, NCHAR, NVARCHAR2, DATE, TIMESTAMP, TIMESTAMP WITH TIME ZONE, BLOB, CLOB, and NCLOB.
How to check redaction policies:
select * from redaction_policies;
We need to make sure the respective user (in my case apps user) has access to the DBMS_REDACT package.
GRANT EXECUTE ON sys.dbms_redact TO apps;
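Putting the pieces above together, the following added example (not from the original post) defines one policy that uses partial redaction on a Social Security number column and regular-expression redaction on an email column, then checks it in the dictionary views. The table APPS.CUSTOMERS_DEMO, the policy name REDACT_CUSTOMER_PII, the PII_ADMIN user and the sample row are assumptions made up for illustration.

```sql
-- Constructed sample table and row (hypothetical names and values).
CREATE TABLE apps.customers_demo (
  id    NUMBER PRIMARY KEY,
  name  VARCHAR2(50),
  ssn   VARCHAR2(11),    -- stored as NNN-NN-NNNN
  email VARCHAR2(100)
);
INSERT INTO apps.customers_demo
  VALUES (1, 'Test User', '123-45-1234', 'test.user@example.com');
COMMIT;

BEGIN
  -- Partial redaction: mask the first five digits of SSN, keep the last four.
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'APPS',
    object_name         => 'CUSTOMERS_DEMO',
    policy_name         => 'REDACT_CUSTOMER_PII',
    column_name         => 'SSN',
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last digit to mask
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5',
    -- Condition: redact for every session except the hypothetical PII_ADMIN user.
    expression          => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') != ''PII_ADMIN''');

  -- Regular-expression redaction: add a second column to the same policy.
  DBMS_REDACT.ALTER_POLICY(
    object_schema         => 'APPS',
    object_name           => 'CUSTOMERS_DEMO',
    policy_name           => 'REDACT_CUSTOMER_PII',
    action                => DBMS_REDACT.ADD_COLUMN,
    column_name           => 'EMAIL',
    function_type         => DBMS_REDACT.REGEXP,
    regexp_pattern        => DBMS_REDACT.RE_PATTERN_EMAIL_ADDRESS,
    regexp_replace_string => DBMS_REDACT.RE_REDACT_EMAIL_NAME,
    regexp_position       => DBMS_REDACT.RE_BEGINNING,
    regexp_occurrence     => DBMS_REDACT.RE_ALL);
END;
/

-- Run as a user other than PII_ADMIN to see the redacted values.
SELECT ssn, email FROM apps.customers_demo;

-- Verify what is protected and how.
SELECT object_name, policy_name, expression, enable FROM redaction_policies;
SELECT object_name, column_name, function_type, function_parameters
  FROM redaction_columns;
```

When reviewing a deployment, also check who holds the EXEMPT REDACTION POLICY system privilege, because those users receive the actual data regardless of the policy expression. Redaction only changes what queries return, so the stored data stays in clear text and still needs access control and encryption at rest.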