Oracle Database 12c Security
Session 2 - Tutorial Agenda
John: Thank you. Thank you, David. Good afternoon, good morning, depending on the time zone, everybody. I'll run through now what I want to cover in this short session.
First, I'm going to go through the Virtual Private Database. Virtual Private Database is also known by several other acronyms; some people actually refer to it as Row-Level Security. Other people use Fine Grained Access Control. So, VPD, RLS, FGAC.
A powerful facility. It's also bundled up, by the way, as Label Security. It was first introduced in release 8i and it just about worked. But back then it had serious performance problems. Furthermore, it wasn't really suitable at all for a web environment. I think many people - myself included - tried it back with 8i and thought this doesn't work and gave up. However, in the later releases, particularly with changes that came in with 10g, it's become a very powerful capability indeed, which I strongly advise everybody to look at.
VPD - we'll have a look at VPD - I should point out, it's Enterprise Edition. Then we'll move on to a 12c feature, data redaction, newly released in 12.1. Positioning data redaction against VPD: as far as users are concerned, there is considerable functional overlap. But the underlying technology is in fact completely different. The protection you get with data redaction is not as comprehensive as that provided by VPD.
In some cases, my attempt to reverse engineer it found it may possibly be circumvented in certain circumstances if the user [1:58 inaudible] privilege position. But compared to VPD, it is not simple to implement and I don't believe there are only performance issues. Redaction is licensed as part of the Advanced Security Option from 12c onwards.
Thirdly, a brief mention of data masking. I don't think I'm going to have time to demonstrate data masking but for completeness I do want to mention it, because again there's an overlap with data redaction, with Virtual Private Databases, all in the same sort of area. But I won't have time to demonstrate that, I don't think.
The data masking briefly then, unlike the other two, data masking actually changes data. Virtual Private Database restricts the data that people see. Data redaction conceals or hides the data. A subtle difference there. Data masking actually changes the data in the database and it's a permanent change. That makes it suitable for long production systems. All those clones you'd make.
When you clone your databases to test systems, the development systems, the DSS query systems and so on, you have to clean the data. You have to remove all the personal references so that people can't see any of the personal indicators as you move your data from production to the warehouse for redaction development. That's where data masking comes in. It makes a permanent change to the data, typically on cloned systems generated from your production boxes.
The reason I won't have time to demonstrate it is that with 12c it is pretty awkward. Data masking came in with 11g. There was a very nice graphical interface provided with 11g Database Control and no PL/SQL interface. With release 12c, Database Control no longer exists and there's no data masking interface provided with Database Express. So to get data masking functioning nowadays, you need either Grid Control or Cloud Control. I don't think I'm going to have time to switch over to that environment. But, remember, it's there and it overlaps with the other two functions.
Then lastly, we'll move on to Transparent Sensitive Data Protection, TSDP.
TSDP is a very good front end that simplifies the pain of implementing VPD or data redaction. So what I'll run through is VPD, redaction, and then Transparent Sensitive Data Protection, which will make it so much easier to configure.