In March 07, Oracle released the Applications Management Pack (AMP) for Enterprise Manager. One of the interesting features of the AMP is that it can mask data when cloning from a production environment to a secondary environment where testing is done. This data masking ensures that confidential information such as SSN, compensation and health information is not revealed to those with access to testing environments.
What is confusing is that Oracle has also released a Data Masking Pack (DMP) for Enterprise Manager; however, its data masking capabilities are different from those in AMP. DMP was announced in November 07. With this confusion in mind, here is some information about the data masking capabilities of DMP, followed by a comparison of the two later in the article.
The Data Masking Pack ships with several mask primitives out of the box, such as Fixed values, Array of Values, Random Digits (zero padded), Random numbers, Random alphabetic characters of specified lengths, Random dates within a date range, Substring of original value, External table columns containing replacement mask data, and Shuffle within same table. If these options are not enough, it also supports user-defined functions written in PL/SQL to provide unlimited flexibility in creating mask formats. All of these primitives can be combined to create whatever mask formats are needed for masking any type of sensitive data. One note about shuffling: the algorithm shuffles the data within the column, so it retains the column's data histogram but removes the association between the original column value and its row.
The Data Masking Pack (DMP) supports only masking of Oracle database tables and columns and does not work on other data formats like Excel or plain text files. DMP generates logs of the masking process and Enterprise Manager has a built-in reporting engine that can be used to generate reports. It also provides the ability to preview the sample masked data prior to the masking process.
The key feature of any data masking solution is whether it maintains relational integrity. This requires that data masking must not break the relationship between one or more tables. An example would be when masking is done for SSN and the SSN is used as a foreign key to another table.
For this reason DMP supports database-enforced and application-enforced referential integrity. It also supports the definition of any application relationships, including Oracle Financials, and is certified for use with them.
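The SSN foreign-key case above, as an added example (not Oracle's code or the Data Masking Pack's implementation): a keyed, deterministic mask is applied through one mapping table, so parent and child rows still join after masking. The table names, sample rows, key and the `mask_ssn` and `joined` helpers are constructed for illustration, and SQLite stands in for an Oracle database.

```python
import hashlib
import hmac
import sqlite3

MASK_KEY = b"constructed-demo-key"  # assumption: a secret kept out of the test environment

def mask_ssn(ssn: str) -> str:
    """Deterministic mask: the same SSN and key always yield the same fake SSN."""
    digest = hmac.new(MASK_KEY, ssn.encode(), hashlib.sha256).digest()
    d = f"{int.from_bytes(digest[:8], 'big') % 10**9:09d}"
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"

def build_masked_copy() -> sqlite3.Connection:
    """Load constructed sample rows, then create masked copies of both tables."""
    db = sqlite3.connect(":memory:")
    db.create_function("mask_ssn", 1, mask_ssn)
    db.executescript("""
        -- Constructed sample rows (hypothetical schema).
        CREATE TABLE employees (ssn TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE payroll (id INTEGER PRIMARY KEY,
                              ssn TEXT REFERENCES employees(ssn), salary INTEGER);
        INSERT INTO employees VALUES ('123-45-6789', 'A. Example'),
                                     ('987-65-4321', 'B. Sample');
        INSERT INTO payroll VALUES (1, '123-45-6789', 50000),
            (2, '987-65-4321', 72000), (3, '123-45-6789', 51000);
        -- One mapping row per original key, reused for parent and child tables.
        CREATE TABLE ssn_map AS
            SELECT ssn AS orig, mask_ssn(ssn) AS masked FROM employees;
        CREATE TABLE employees_masked AS
            SELECT m.masked AS ssn, e.name
            FROM employees e JOIN ssn_map m ON m.orig = e.ssn;
        CREATE TABLE payroll_masked AS
            SELECT p.id, m.masked AS ssn, p.salary
            FROM payroll p JOIN ssn_map m ON m.orig = p.ssn;
    """)
    # A truncated HMAC can collide; two originals sharing one masked value
    # would merge rows in the copy, so refuse to continue if that happens.
    total, distinct = db.execute(
        "SELECT COUNT(*), COUNT(DISTINCT masked) FROM ssn_map").fetchone()
    if total != distinct:
        raise ValueError("masked SSN collision: change the key or the format")
    return db

def joined(db: sqlite3.Connection, suffix: str = "") -> list:
    """Name/salary pairs reachable through the SSN foreign key."""
    return db.execute(
        f"SELECT e.name, p.salary FROM employees{suffix} e "
        f"JOIN payroll{suffix} p ON p.ssn = e.ssn ORDER BY p.id").fetchall()
```

The `ssn_map` table links real values to masked ones, so it and the unmasked tables must be dropped before the copy is handed to testers.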
Lastly, Enterprise Manager has a built-in scheduler that can be used to run the database cloning and the data masking processes. The script generated by the tool can be registered and run as a concurrent manager job.
Now that we’ve looked at the Data Masking Pack, let’s finish with a comparison of its features with those of the Application Management Pack (AMP).
| Category | Data Masking Pack | Application Mgmt Pack |
| --- | --- | --- |
| Referential integrity enforcement | Yes | No |
| Consistent masking values for all tables across databases (deterministic masking) | Yes | No |
| Pre-defined masking configuration for E-Business Suite | No, requires creation of EBS mask definition | Yes |
| User defined masking formats | Yes | No |
| High performance | Yes, uses Create Table As Select to generate masked copy of replacement table | Possibly, uses multiple workers to update tables. |
| RapidClone integrated | No | Yes |
| Supports other cloning methods, e.g. RMAN | Yes | No |
| Can run masking standalone | Yes | No |
| Masking configuration UI | Enterprise Manager | EBS |
| Masking execution | Enterprise Manager | Enterprise Manager (Clone+Mask) |
| Purge table support | No | Yes |
| Supports tables other than EBS | Yes | No |
| Supports applications other than EBS | Yes | No |
| Pricing | $10,000 per CPU of the server where data is being masked | $6,000 per CPU or $120 per Named User Plus. |