Oracle Data Mask

NETAPP TECHNICAL REPORT

Oracle Data Masking and Regulatory Compliance Using SnapManager 3.0 for Oracle
Kannan Mani and Antonio Jose Rodrigues Neto, NetApp
April 2009 | TR-3762

Abstract
This document describes how to create a master clone that has sensitive data masked using the Oracle® data masking pack and SnapManager® 3.0 for Oracle postclone option. It also describes how to create multiple clones from the master clone.


TABLE OF CONTENTS

1 INTRODUCTION
1.1 PURPOSE AND SCOPE
1.2 PREREQUISITES FOR USING THIS SOLUTION
2 SOLUTION OVERVIEW
2.1 SOLUTION ARCHITECTURE
3 SNAPMANAGER FOR ORACLE AND ORACLE DATA MASKING
3.1 SNAPMANAGER FOR ORACLE 3.0
3.2 ORACLE DATA MASKING PACK
4 DEPLOYMENT PROCESS AND SETUP INSTRUCTIONS
4.1 DEPLOYMENT PROCESS
4.2 CREATING SAMPLE DATA
4.3 CREATING BACKUP FOR GOLDEN IMAGE
4.4 DATA MASKING GOLDEN IMAGE USING ORACLE DATA MASKING
4.5 CLONE WITH SNAPMANAGER FOR ORACLE 3.0 AND CALL POSTTASK FOR DATA MASKING
4.6 CREATING CLONE FROM GOLDEN IMAGE USING SNAPMANAGER FOR ORACLE
5 CONCLUSION
6 ACKNOWLEDGMENTS
APPENDIX A: POSTCLONE SCRIPT
APPENDIX B: CHECKING GOLDEN IMAGE


1 INTRODUCTION

Safeguarding production data and preventing leaks of confidential or sensitive information to nonproduction users have become corporate imperatives for all organizations, thanks to an abundance of global regulations governing data privacy. The Sarbanes-Oxley Act of 2002 in the United States or the Financial Instruments Exchange Law (FIEL) of Japan (also called J-SOX) provides enhanced standards on internal controls for corporate information. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 in the United States and the European Union’s Data Protection Directive are part of the global laws governing the privacy of personal data related to individuals. Even credit card payment processors have adopted Payment Card Industry (PCI) standards regarding the use and sharing of credit card information.

Organizations have always maintained confidential, personally identifiable, or sensitive information in their production databases. These organizations must protect the use and sharing of this information in compliance with regulations or risk the fines and penalties that accompany violations of these data privacy laws. These fines and penalties can cost companies thousands of dollars per day. Thus, no organization can afford to break these laws and risk the unsavory publicity caused by unauthorized data breaches.

SnapManager for Oracle 3.0 and the Oracle Data Masking Pack can help organizations comply with privacy and confidentiality laws by masking sensitive or confidential data in nonproduction environments that leverage database clones.

1.1 PURPOSE AND SCOPE

This report details how to create a masked golden clone using SnapManager for Oracle 3.0 and Oracle Data Masking. The SnapManager 3.0 for Oracle postclone option is used to call Oracle Data Masking to mask sensitive data.

1.2 PREREQUISITES FOR USING THIS SOLUTION

This report is intended for Oracle Database administrators, storage administrators, and architects who are designing and implementing Oracle development and testing solutions using Oracle Databases running on NetApp® and third-party data and storage management solutions requiring regulatory compliance. Readers should have a solid understanding of the architecture and administration of Oracle Databases. We recommend reviewing the following documentation:

• Data ONTAP 7.2 or 7.3 System Administration Guide
• SnapManager 3.0 for Oracle Installation and Administration Guide
• SnapManager 3.0 for Oracle Release Notes
• SnapDrive 4.1 for UNIX Installation and Administration Guide (for Oracle on UNIX)
• NetApp Best Practice Guidelines for Oracle
• NetApp Best Practice Guidelines for Oracle Database 11g
• Oracle Enterprise Manager 10g Data Masking Pack


2 SOLUTION OVERVIEW

2.1 SOLUTION ARCHITECTURE

Following are the use cases used with SnapManager for Oracle 3.0 and Oracle Data Masking to provide this solution. The deployment process is shown in Figure 1.

• Generate a production database schema using the Swingbench oewizard tool
• Create a production database clone using SMO 3.0
• Use postclone scripts to call Oracle Data Masking to mask Oracle data within the clone
• Mask columns (foreign keys) to demonstrate the integrity of the masking process

[Figure 1 diagram labels: NetApp storage; SnapManager 3.0 for Oracle; Dev/Test Site; Any Non-NetApp Storage (HP-EVA); Production Site; Database Data Files; Database Log Files; FlexClone®; Read/Write]

Figure 1) Architecture of a Non-NetApp to NetApp Oracle environment that was set up to create data-masked clones.


[Figure 2 diagram labels: NetApp storage; SnapManager 3.0 for Oracle; Mirror Site; Production Site; NetApp storage; Database Data Files; Database Log Files; Read/Write; FlexClone®]

Figure 2) Architecture of a NetApp to NetApp Oracle environment that was set up to create data-masked clones.

3 SNAPMANAGER FOR ORACLE AND ORACLE DATA MASKING

3.1 SNAPMANAGER FOR ORACLE 3.0

SnapManager for Oracle is a data management tool that leverages NetApp Snapshot™, SnapRestore®, and FlexClone® to provide near instantaneous and space-efficient backup, restore, and cloning for Oracle Databases. SnapManager for Oracle provides a graphical user interface (GUI) or command-line interface (CLI) to enable DBAs to perform frequent backups, enable rapid restores, and quickly create space-efficient Oracle Database clones for use in development, test, QA, training, and other processes. SnapManager integrates with native Oracle technology and allows IT organizations to scale their storage infrastructure to meet increasingly stringent SLA commitments while improving the productivity of database and storage administrators across the enterprise.


[Figure 3 diagram labels: Mirror; Production; Master Masked Clone; Dev 1, Dev 2, Dev N; Test 1, Test 2, Test N]

Figure 3) Data masking in a master clone so that multiple clones can be created for both development and testing environments.

3.2 ORACLE DATA MASKING PACK

Organizations routinely share production application data for a variety of reasons. For example, database administrators copy production data into testing environments for realistic and accurate application testing, or businesses share nonspecific consumer information with market research organizations. This requires most organizations to mask sensitive parts of their production data to protect against inadvertent or intentional discovery. Today, these processes are manual and error-prone and can lead to exposing sensitive data to unauthorized users.

The Oracle Data Masking Pack enables regulatory compliance through consistent and rule-based application of masking formats across enterprise-wide databases. The Oracle Data Masking Pack supports a rich and extensible format library that can support a variety of mask formats and needs only to be defined once. This helps ensure consistent enforcement of information security policies and allows organizations to share data quickly and broadly without violating privacy regulations.


4 DEPLOYMENT PROCESS AND SETUP INSTRUCTIONS

4.1 DEPLOYMENT PROCESS

Figure 4) Five-step deployment process for data masking using SnapManager 3.0 for Oracle.

4.2 CREATING SAMPLE DATA

Sample data can be created by installing the sample schemas that come with Oracle Enterprise Edition, or it can be generated using Swingbench. Swingbench is used in this solution to create sample production data, which in a customer deployment is the actual production data.


4.3 CREATING BACKUP FOR GOLDEN IMAGE

Repository: SMOMASTER

Host: atl46001

Profile: SPANKY3


On Profile: SPANKY3, select the Backup option

On the Backup option, click Next


Label: Snap-Golden Image

Comment: Golden Image NetApp Snapshot Copy

Type: Auto (Online Backup)

Retention Class: Hourly

Select Full Backup


Click Backup

Backup is running…


Backup has finished with success

Backup created successfully


4.4 DATA MASKING GOLDEN IMAGE USING ORACLE DATA MASKING

Oracle Enterprise Grid Control

Follow the steps in "Replacing Sensitive Data Using the Data Masking Pack" to create the Oracle Data Masking script.

Database: Spanky3

Click the Full Script button, then copy and paste the script to the clipboard or a file.


4.5 CLONE WITH SNAPMANAGER FOR ORACLE 3.0 AND CALL POSTTASK FOR DATA MASKING

Select Clone from previous backup on SnapManager for Oracle


Click Next

New SID: golden

Label: GoldenImage4DataMasking

Comment: Golden Image for Data Masking

Add SQL statement

alter tablespace TEMP add tempfile '+DATA_GOLDEN/SPANKY3/temp4datamasking.dbf' size 1000m

Click Next


Data Masking Alert: Selecting "Define Format and Add" Results in "An Internal Error Has Occurred"

In this procedure, a tempfile must be added to the TEMP tablespace of the clone.

Doc ID: 728850.1

Applies to:

Enterprise Manager for RDBMS - Version: 10.2.0.4.0: This problem can occur on any platform.

Symptoms:

-- Problem Statement: On 10.2.0.4, on the "Masking Definition: Add Columns" page, when the link "Define Format and Add" is clicked, the following error is received: ERROR "Internal Error has occurred. Check the log file for details."

-- Steps to Reproduce: In "Masking Definition: Add Columns," select any table or column and click "Define Format and Add."

Cause

Data Masking was unable to execute a SELECT statement due to receiving: ORA-25153: Temporary Tablespace is Empty (This was not in the log file.)

Solution:

First verify that there are no tempfiles:

SQL> select tablespace_name, file_name from dba_temp_files;

If there are no tempfiles associated with the temporary tablespace, add one using syntax like the following:

SQL> alter tablespace temp add tempfile '/oracle/oradata/V901/temp2_01.tmp' size 5m;

See Note 178992.1 and Note 160426.1 for more information on this topic.


Click Post-Tasks and select the Data Masking script (see Appendix A)


Select the Data Masking script and press the >> button

Click Next

Call the postscript for data masking the golden clone (refer to Appendix A for the postscript).

Location: /opt/NetApp/smo/plugins/clone/create/post


Click Clone


Database spanky3 is cloned, generating a clone called “golden” that will have its columns masked.


Check the log for the entry: Executing user-defined SQL statement…


Check the log for the entry: Plugin “Data Masking (NetApp and Oracle) – Golden Image” successfully completed


4.6 CREATING CLONE FROM GOLDEN IMAGE USING SNAPMANAGER FOR ORACLE

Creating Clone from Golden Image

Refer to the SnapManager 3.0 for Oracle Installation and Administration Guide for instructions on creating a backup and cloning the master clone.

Cloned Database: dev with masked data


Cloned Database: dev with masked data shown in SnapManager for Oracle 3.0

5 CONCLUSION

NetApp storage solutions provide robust, high-performance data storage for Oracle Database environments. NetApp SnapManager for Oracle, in combination with data masking tools such as Oracle Data Masking, Solix, and Applimation, simplifies and automates clone creation with masked data by leveraging NetApp Snapshot and FlexClone technologies to provide fast, space-efficient, disk-based backups and rapid provisioning of Oracle environments. This solution helps organizations comply with privacy and confidentiality laws by masking sensitive or confidential data when staging a variety of clone database environments.

6 ACKNOWLEDGMENTS

Michael Doherty – Consulting System Engineer, NetApp

Greg Loughmiller - Professional Services Consultant, NetApp

Steven Schuettinger - Technical Alliance Manager, NetApp

Lynne Thieme - Sr. Mgr. Oracle Alliances Engineering, NetApp

Bill Heffelfinger - Database and Business Apps Global Field Technology Lead, NetApp

Tom Shields - Sr. Manager Solutions Marketing, NetApp

Gary Franks – MTS, NetApp

Anand Ranganathan - Technical Marketing Engineer, NetApp


APPENDIX A: POSTCLONE SCRIPT

#!/bin/bash
# Data Masking (NetApp and Oracle) - Golden Image (SMO)
# Version 1.0
# Copyright (c) 2009 NetApp, Inc.
# All rights reserved.
# Authors:
# - Kannan Mani
# - Antonio Jose Rodrigues Neto (neto from Brazil)
# - Anand Ranganathan
# - Gary Franks
# - Mike Doherty
# - Greg Loughmiller

name="Data Masking (NetApp and Oracle) - Golden Image"
description="Data Masking (NetApp and Oracle) - Golden Image"
context=$SM_TARGET_OS_USER
timeout="0"
parameter=()
EXIT=0

# Print the completion marker and exit with the given return code.
function _exit {
    rc=$1
    echo "Command complete."
    exit "$rc"
}

function usage {
    echo "usage: $(basename "$0") { -check | -describe | -execute }"
    _exit 99
}

# Print the SM_PI_* description fields of this plugin.
function describe {
    echo "SM_PI_NAME:$name"
    echo "SM_PI_DESCRIPTION:$description"
    echo "SM_PI_CONTEXT:$context"
    echo "SM_PI_TIMEOUT:$timeout"
    IFS=^
    for entry in ${parameter[@]}; do
        echo "SM_PI_PARAMETER:$entry"
    done
    _exit 0
}

function check {
    _exit 0
}

# Run the masking script in the clone as SYSDBA.
# $? below is the exit status of sqlplus itself.
function execute {
    sqlplus / as sysdba <<EOF
@/opt/NetApp/smo/plugins/clone/create/post/data-masking.sql
exit
EOF
    _exit $?
}

# Dispatch on the (case-insensitive) option passed to the plugin.
case $(echo "$1" | tr '[A-Z]' '[a-z]') in
    -check) check ;;
    -execute) execute ;;
    -describe) describe ;;
    *) echo "unknown option $1"
       usage ;;
esac

Note: Data Masking Script (data-masking.sql) is called from this postclone script.
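The execute function above passes the sqlplus exit status to _exit, and SQL*Plus ends with a success status after "exit" even when statements in the masking script raised errors such as the ORA-25153 described in section 4.5, unless the script sets WHENEVER SQLERROR. The following is an added example, not part of the original report or of SnapManager: it scans captured sqlplus output for ORA-/SP2- codes so that a failed masking run is not reported as a completed golden image. The ALLOWED_CODES variable and the sample log lines are assumptions constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the report): fail the postclone step when the
# captured sqlplus output of the masking run contains ORA-/SP2- errors.
# ALLOWED_CODES is a hypothetical, site-defined list of codes treated as benign.
ALLOWED_CODES="${ALLOWED_CODES:-}"

# Print each distinct Oracle/SQL*Plus error code in the log, one per line.
masking_errors() {
    grep -oE '(ORA|SP2)-[0-9]{4,5}' "$1" | sort -u
}

# Return 0 if the log is readable and holds no code outside the allow-list,
# 1 if a masking error was found, 2 if the log is missing (treated as failure).
masking_log_ok() {
    mlo_log=$1
    mlo_bad=0
    [ -r "$mlo_log" ] || { echo "no masking log: $mlo_log" >&2; return 2; }
    for mlo_code in $(masking_errors "$mlo_log"); do
        case " $ALLOWED_CODES " in
            *" $mlo_code "*) ;;                              # benign by site policy
            *) echo "masking error: $mlo_code" >&2; mlo_bad=1 ;;
        esac
    done
    return $mlo_bad
}

# Constructed sample output: the masking script hit the empty-TEMP condition
# (ORA-25153) from section 4.5, while sqlplus itself still exited normally.
sample_failed_log() {
    cat <<'EOF'
SQL> @/opt/NetApp/smo/plugins/clone/create/post/data-masking.sql
ERROR at line 1:
ORA-25153: Temporary Tablespace is Empty
SQL> exit
EOF
}

# Constructed sample output of a clean run.
sample_clean_log() {
    cat <<'EOF'
SQL> @/opt/NetApp/smo/plugins/clone/create/post/data-masking.sql
PL/SQL procedure successfully completed.
SQL> exit
EOF
}
```

In the plugin, the sqlplus output would be redirected to a file and the return code of masking_log_ok passed to _exit in place of the bare sqlplus status.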

APPENDIX B: CHECKING GOLDEN IMAGE

Original Database with sensitive data


Golden Image with masked data

For the golden image (golden database), one option is to execute a “volume split” to create an independent copy and image with data masking applied.
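A scripted form of the Appendix B comparison, as an added example that is not part of the original report: it counts rows whose sensitive value is unchanged between production and the golden clone, and foreign-key values left without a parent key after masking (the integrity use case from section 2.1). The "row_key|value" export format, the sample values and the idea of spooling one column per file are assumptions.

```bash
#!/bin/bash
# Added example, not from the report. Inputs are text exports spooled from
# production and from the golden clone; all sample values are constructed.
# Values are assumed not to contain the '|' separator.

# Count rows ("row_key|value") whose value is identical in both exports.
unmasked_rows() {
    ur_p=$(mktemp); ur_c=$(mktemp)
    LC_ALL=C sort -t'|' -k1,1 "$1" > "$ur_p"
    LC_ALL=C sort -t'|' -k1,1 "$2" > "$ur_c"
    LC_ALL=C join -t'|' "$ur_p" "$ur_c" |
        awk -F'|' '$2 == $3 { n++ } END { print n + 0 }'
    rm -f "$ur_p" "$ur_c"
}

# Count distinct child foreign-key values with no matching parent key
# in the clone (one key value per line in each file).
orphan_keys() {
    ok_p=$(mktemp); ok_c=$(mktemp)
    LC_ALL=C sort -u "$1" > "$ok_p"
    LC_ALL=C sort -u "$2" > "$ok_c"
    LC_ALL=C comm -13 "$ok_p" "$ok_c" | wc -l | tr -d ' '
    rm -f "$ok_p" "$ok_c"
}

# Constructed production export of a hypothetical e-mail column.
sample_prod() {
    printf '%s\n' '1|alice@example.com' '2|bob@example.com' '3|carol@example.com'
}

# Constructed clone export: row 2 was missed by the masking definition.
sample_clone() {
    printf '%s\n' '3|u0003@masked.invalid' '1|u0001@masked.invalid' '2|bob@example.com'
}

# Constructed masked parent keys and child foreign keys from the clone;
# 1002 is an unmasked leftover that no longer has a parent row.
sample_parent_keys() { printf '%s\n' 9001 9002 9003; }
sample_child_fks()   { printf '%s\n' 9001 9001 9003 1002; }
```

A nonzero result from either function means the clone should not be promoted to golden image until the masking definition is corrected and the clone is rebuilt.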


© 2009 NetApp. All rights reserved. Specifications are subject to change without notice. NetApp, the NetApp logo, Go further, faster, Data ONTAP, FlexClone, SnapDrive, SnapManager, SnapRestore, and Snapshot are trademarks or registered trademarks of NetApp, Inc. in the United States and/or other countries. UNIX is a registered trademark of The Open Group. Oracle is a registered trademark of Oracle Corporation. All other brands or products are trademarks or registered trademarks of their respective holders and should be treated as such.