Data Masking

Oracle Data Masking:

Oracle released the Applications Management Pack (AMP) for Enterprise Manager. One of the interesting features about the AMP is that it provides the ability to do data masking when cloning data from a production environment to a secondary environment where testing is done. This data masking ensures that confidential information such as SSN, compensation and health information is not revealed to those with access to testing environments.

What is confusing is that Oracle has also released a Data Masking Pack (DMP) for Enterprise Manager, however the data masking capabilities are different from those in AMP. DMP was announced in November 07. With this confusion in mind, here is some information about the data masking capabilities of DMP and a comparison of the two later in the article.

The Data Masking Pack ships with several mask primitives out of the box, such as Fixed values, Array of Values, Random Digits (zero padded), Random numbers, Random alphabetic characters of specified lengths, Random dates within a date range, Substring of original value, External table columns containing replacement mask data, and Shuffle within same table. If these options are not enough, it also supports user-defined functions written in PL/SQL to provide unlimited flexibility in creating mask formats. All of these mentioned primitives can be combined to create unlimited numbers of mask formats needed for masking any type of sensitive data. One note about Shuffling. The shuffling algorithm shuffles the data in the column, i.e. retains the data histogram, but removes the association of the original column data to the row.

The Data Masking Pack (DMP) supports only masking of Oracle database tables and columns and does not work on other data formats like Excel or plain text files. DMP generates logs of the masking process and Enterprise Manager has a built-in reporting engine that can be used to generate reports. It also provides the ability to preview the sample masked data prior to the masking process.

The key feature with any data masking solution is whether it maintains relational integrity. This requires that any data masking cannot break the relationship between one or tables. An example would be when masking is done for SSN and the SSN is used as a foreign key to another table. For this reason DMP supports database enforced and application enforced referential integrity. It also supports the definition of any application relationships, including Oracle Financials and is certified for use with them.

Lastly, the Enterprise Manager has a built in scheduler that can be used to run the database cloning and the data masking processes. The script generated by the tool can be registered and run as a concurrent manager job.