Re: Hiding sensitive EBS column data from certain users
Date: Thu, 4 Oct 2018 11:51:56 -0600
Message-ID: <20e90cca-0b85-289b-a2f0-2f0339365379_at_gmail.com>
For production environments, technologies which mask data in-flight, including Oracle's data redaction and SQL Server's dynamic data masking are appropriate solutions when a portion of the user community should not have access to certain data.
In development or testing (a.k.a. non-production) environments, there is no reason for anyone to have access to confidential data, including database administrators and systems administrators, partially because of the movement of development and testing environments to out-sourced, off-shore, or cloud environments. Masking data at-rest is the appropriate solution for non-production environments by permanently and irreversibly obfuscating data in datafiles, thus removing any value to intruders.
Following the implementation of GDPR 
<https://en.wikipedia.org/wiki/General_Data_Protection_Regulation> in 
Europe this past May, CCPA <https://www.caprivacy.org/> in California 
has already been signed into law, with more countries and states to 
follow.  The professional honor code to which all of IT has adhered for 
the past 40-50 years is no longer sufficient to protect confidential 
data.  Essentially, unmasked data in non-production is becoming a 
liability to the DBAs, developers, and testers who work with it, because 
at some point, all these laws may hold individuals (as well as 
organizations) liable for the damages from data breaches.  I expect 
that, like SOX, individual liability will begin at the top of the 
organization (i.e. CEO, CFO, etc) but with examples like Snowden there 
is no reason why those lower in the hierarchy cannot be targeted.
On 10/4/18 11:04, Matthew Parker wrote:
>
> In Production or in Development? Different ways to do things based on 
> the environment.
>
> What version of the database are you running?
>
> In 12.1 there is RAS Security (VPD 2.0) that also does column level 
> data masking at no extra cost, but you have to create/implement the 
> rules yourself.
>
> Normally you control PROD by standard security controls, but you can 
> implement RAS against report users if they are landing on your primary 
> database. Just need to make sure anything you implement it doesn’t 
> affect base EBS apps.
>
> *Matthew Parker*
>
> *Chief Technologist*
>
> *Dimensional DBA*
>
> *Oracle Gold Partner*
>
> *425-891-7934 (cell)*
>
> *D&B *047931344**
>
> *CAGE *7J5S7**
>
> *Dimensional.dba_at_comcast.net <mailto:Dimensional.dba_at_comcast.net>*
>
> *View Matthew Parker's profile on LinkedIn* 
> <http://www.linkedin.com/pub/matthew-parker/6/51b/944/>
>
> www.dimensionaldba.com <http://www.dimensionaldba.com/>
>
> *From:* oracle-l-bounce_at_freelists.org <oracle-l-bounce_at_freelists.org> 
> *On Behalf Of *Syed Jaffar Hussain
> *Sent:* Thursday, October 4, 2018 9:51 AM
> *To:* Oracle-L Freelists <oracle-l_at_freelists.org>
> *Subject:* Hiding sensitive EBS column data from certain users
>
> Hello List,
>
> Is there anyway to hide data of sensitive columns in Oracle EBS 
> (v12.2) to certain users? I thought of VPD, but, it seems, it has 
> different approaches in EBS. Something like, personalizing the form to 
> hide the values of the columns, though not sure.
>
> Appreciate if any EBS expert can shed some light on this.
>
> Thanks in advance,
>
> -- 
>
> Best Regards,
>
> Syed Jaffar Hussain
>
-- http://www.freelists.org/webpage/oracle-lReceived on Thu Oct 04 2018 - 19:51:56 CEST
