概述
本研讨会介绍了 Oracle 透明敏感数据保护 (TSDP) 的功能。它为用户提供了一个机会来学习如何配置这些功能,以便通过动态编辑敏感数据来保护对敏感数据的访问。
此实验申请地址在这里,时间为15分钟。
实验帮助在这里。
LL111194-INSTANCE-DBSEC-LAB: 168.138.151.131
目标
- 制定敏感数据 TSDP 政策
- 检查动态敏感数据编辑,以防止其暴露在应用程序之外
整个实验过程就是执行以下的脚本:
## 创建用户和测试表
./tsdp_prepare_env.sh
## 创建敏感类型,就是一个标签而已
./tsdp_create_sensitive_type.sh
## 为敏感类型添加敏感列,估计可以添加多个
./tsdp_add_sensitive_col.sh
## 创建redaction策略
./tsdp_create_policy.sh
## 将敏感类型与redaction策略关联
./tsdp_associate_policy.sh
## 启用敏感类型前,查看数据,此时为明码,Redaction策略未生效
./tsdp_select_data.sh
## 启用敏感类型
./tsdp_enable_policy.sh
## 启用敏感类型后,查看数据,此时为掩码,Redaction策略已生效
./tsdp_select_data.sh
## 复位实验环境,删除策略和用户
./tsdp_reset_env.sh
任务 1:准备 TSDP 环境
sudo su - oracle
cd $DBSEC_LABS/tsdp
./tsdp_prepare_env.sh
tsdp_prepare_env.sh脚本如下:
#!/bin/bash# =========================================================================================
# Script Name : tsdp_prepare_env.sh
#
# Parameter : None
#
# Notes : Prepare the TSDP environment for the labs
# -----------------------------------------------------------------------------------------
# Modified by DD/MM/YYYY Change
# Hakim LOUMI 18/03/2021 Creation
# =========================================================================================echo
echo "=============================================================================="
echo " Prepare the TSDP environment for the labs..."
echo "=============================================================================="sqlplus -s ${DBUSR_SYS}/${DBUSR_PWD}@${PDB_NAME} as sysdba <<EOFset lines 210
set pages 999show con_name
show user;prompt
prompt . Create the TSDP Admin user
GRANT CREATE SESSION TO ${DBUSR_TSDPADMIN} IDENTIFIED BY ${DBUSR_PWD};
GRANT CREATE PROCEDURE TO ${DBUSR_TSDPADMIN};
GRANT EXECUTE ON DBMS_TSDP_MANAGE TO ${DBUSR_TSDPADMIN};
GRANT EXECUTE ON DBMS_TSDP_PROTECT TO ${DBUSR_TSDPADMIN};
GRANT EXECUTE ON DBMS_RLS to ${DBUSR_TSDPADMIN};
GRANT EXECUTE ON DBMS_REDACT to ${DBUSR_TSDPADMIN};prompt
prompt . Create the TSDP data owner
GRANT CREATE SESSION, RESOURCE TO ${DBUSR_TSDP} IDENTIFIED BY ${DBUSR_PWD};
GRANT UNLIMITED TABLESPACE TO ${DBUSR_TSDP};
GRANT SELECT ON employeesearch_prod.demo_hr_employees to ${DBUSR_TSDP};conn ${DBUSR_TSDP}/${DBUSR_PWD}@${PDB_NAME}show user;prompt
prompt . Create TSDP labs table
CREATE TABLE tsdp_hr_employees AS SELECT * FROM employeesearch_prod.demo_hr_employees;
COMMIT;exit;
EOFecho
以上过程创建了2个用户,并赋予权限:
- TSDP 管理用户:tsdp_admin
- TSDP 数据拥有者:tsdp_labs
还有一个测试表,有1000条数据:
desc employeesearch_prod.demo_hr_employeesName Null? Type------------------------------------------------------------------------------------------ -------- -------------------------------------------------------------USERID NOT NULL NUMBER(4)FIRSTNAME NOT NULL VARCHAR2(25)LASTNAME NOT NULL VARCHAR2(35)EMAIL NOT NULL VARCHAR2(35)PHONEMOBILE VARCHAR2(15)PHONEFIX VARCHAR2(15)PHONEFAX VARCHAR2(15)EMPTYPE NOT NULL VARCHAR2(15)POSITION NOT NULL VARCHAR2(25)ISMANAGER NOT NULL NUMBER(1)MANAGERID NUMBER(4)DEPARTMENT NOT NULL VARCHAR2(15)CITY NOT NULL VARCHAR2(35)STARTDATE NOT NULL DATEENDDATE DATEACTIVE VARCHAR2(1)ORGANIZATION NOT NULL VARCHAR2(15)CREATIONDATE NOT NULL DATEMODIFICATIONDATE DATECOSTCENTER NUMBER(5)ISHEADOFDEPARTMENT NUMBER(1)DOB NOT NULL DATESSN VARCHAR2(15)SIN VARCHAR2(15)NINO VARCHAR2(15)ADDRESS_1 NOT NULL VARCHAR2(50)ADDRESS_2 VARCHAR2(35)STATE VARCHAR2(5)COUNTRY NOT NULL VARCHAR2(5)POSTAL_CODE NOT NULL VARCHAR2(15)CORPORATE_CARD VARCHAR2(25)CC_PIN NUMBER(4)CC_EXPIRE DATESALARY NUMBER(8,2)select count(*) from employeesearch_prod.demo_hr_employees;COUNT(*)
----------1000
任务 2:创建 TSDP 策略
敏感类型是您认为敏感的一类数据。此处我们为所有信用卡号创建一个“credit_card_type”敏感类型:
./tsdp_create_sensitive_type.sh
脚本tsdp_create_sensitive_type.sh内容如下,核心是DBMS_TSDP_MANAGE.ADD_SENSITIVE_TYPE:
#!/bin/bash# =========================================================================================
# Script Name : tsdp_create_sensitive_type.sh
#
# Parameter : None
#
# Notes : Create a TSDP sensitive type for all credit card numbers
# -----------------------------------------------------------------------------------------
# Modified by DD/MM/YYYY Change
# Hakim LOUMI 18/03/2021 Creation
# =========================================================================================echo
echo "=============================================================================="
echo " Create a TSDP sensitive type for all credit card numbers..."
echo "=============================================================================="sqlplus -s ${DBUSR_TSDPADMIN}/${DBUSR_PWD}@${PDB_NAME} <<EOFset lines 210
set pages 999show con_name
show user;prompt
prompt . Create the sensitive type "credit_card_type" to classify the types of columns to protect
BEGINDBMS_TSDP_MANAGE.ADD_SENSITIVE_TYPE (sensitive_type => 'credit_card_type',user_comment => 'Type for Credit Card columns using a Varchar2 data type');
END;
/exit;
EOFecho
确定要保护的敏感列(此处我们将使用“CORPORATE_CARD”列):
./tsdp_add_sensitive_col.sh
脚本tsdp_add_sensitive_col.sh的内容为:
#!/bin/bash# =========================================================================================
# Script Name : tsdp_add_sensitive_col.sh
#
# Parameter : None
#
# Notes : Identify the sensitive columns to protect
# -----------------------------------------------------------------------------------------
# Modified by DD/MM/YYYY Change
# Hakim LOUMI 18/03/2021 Creation
# =========================================================================================echo
echo "=============================================================================="
echo " Identify the sensitive columns to protect..."
echo "=============================================================================="sqlplus -s ${DBUSR_TSDPADMIN}/${DBUSR_PWD}@${PDB_NAME} <<EOFset lines 210
set pages 999show con_name
show user;prompt
prompt . Identify a list of sensitive columns that are associated with the sensitive types
BEGINDBMS_TSDP_MANAGE.ADD_SENSITIVE_COLUMN(schema_name => 'tsdp_labs',table_name => 'TSDP_HR_EMPLOYEES',column_name => 'CORPORATE_CARD',sensitive_type => 'credit_card_type',user_comment => 'Sensitive column addition of credit_card_type');
END;
/exit;
EOFecho
以上脚本将表的列与前面创建的敏感类型(其实就是个名字,可以认为是一个标签)关联起来。
注意:要根据您定义的敏感类型识别要保护的列,您可以使用 OEM 云控制应用程序数据模型 (ADM) 来识别这些列,也可以使用 DBMS_TSDP_MANAGE.ADD_SENSITIVE_COLUMN 过程。
根据部分修订创建 TSDP 策略“REDACT_PARTIAL_CC”,将前 8 个字符替换为“*”:
./tsdp_create_policy.sh
脚本tsdp_create_policy.sh的内容为:
#!/bin/bash# =========================================================================================
# Script Name : tsdp_create_policy.sh
#
# Parameter : None
#
# Notes : Create the TSDP policy
# -----------------------------------------------------------------------------------------
# Modified by DD/MM/YYYY Change
# Hakim LOUMI 18/03/2021 Creation
# =========================================================================================echo
echo "=============================================================================="
echo " Create the TSDP policy..."
echo "=============================================================================="sqlplus -s ${DBUSR_TSDPADMIN}/${DBUSR_PWD}@${PDB_NAME} <<EOFset lines 210
set pages 999show con_name
show user;prompt
prompt . Create the TSDP policy "redact_partial_cc" with Partial redaction
DECLAREredact_feature_options DBMS_TSDP_PROTECT.FEATURE_OPTIONS;policy_conditions DBMS_TSDP_PROTECT.POLICY_CONDITIONS;
BEGINredact_feature_options ('expression') := 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') =''TSDP_LABS''';redact_feature_options ('function_type') := 'DBMS_REDACT.PARTIAL';redact_feature_options ('function_parameters') := 'VVVVFVVVVFVVVVFVVVV,VVVV-VVVV-VVVV-VVVV,*,1,8';policy_conditions(DBMS_TSDP_PROTECT.DATATYPE) := 'VARCHAR2';DBMS_TSDP_PROTECT.ADD_POLICY ('redact_partial_cc', DBMS_TSDP_PROTECT.REDACT,redact_feature_options, policy_conditions);
END;
/exit;
EOFecho
上面的脚步仅创建Redaction策略,和之前创建的敏感类型没有任何关系。这是一个基于上下文的策略,仅对用户TSDP_LABS有效。
注意:您可以通过定义具有以下组件的匿名块来创建策略:
- 如果您在策略中使用 Oracle 数据编辑,则需要指定要使用的数据编辑类型,例如部分数据编辑
- 如果您在策略中使用 Oracle 虚拟私有数据库,则需要指定要使用的 VPD 设置
- 用于测试启用策略时的条件。例如,在启用策略之前应满足的列的数据类型
- 使用 DBMS_TSDP_PROTECT.ADD_POLICY 过程将这些组件绑定在一起的命名透明敏感数据保护策略
将 TSDP 策略“REDACT_PARTIAL_CC”与之前创建的敏感类型“CREDIT_CARD_TYPE”关联:
./tsdp_associate_policy.sh
脚本tsdp_associate_policy.sh的内容为:
#!/bin/bash# =========================================================================================
# Script Name : tsdp_associate_policy.sh
#
# Parameter : None
#
# Notes : Associate the TSDP policy with a sensitive type
# -----------------------------------------------------------------------------------------
# Modified by DD/MM/YYYY Change
# Hakim LOUMI 18/03/2021 Creation
# =========================================================================================echo
echo "=============================================================================="
echo " Associate the TSDP policy with a sensitive type..."
echo "=============================================================================="sqlplus -s ${DBUSR_TSDPADMIN}/${DBUSR_PWD}@${PDB_NAME} <<EOFset lines 210
set pages 999show con_name
show user;prompt
prompt . Associate the TSDP policy "redact_partial_cc" with the sensitive type "credit_card_type"
BEGINDBMS_TSDP_PROTECT.ASSOCIATE_POLICY(policy_name => 'redact_partial_cc',sensitive_type => 'credit_card_type',associate => true);END;
/exit;
EOFecho
此脚本将 Redaction 策略与敏感类型关联起来,因为之前敏感类型和测试表的列已经关联,因此 Redaction 策略就与表的列关联起来了。
启用 TSDP 策略之前选择敏感数据:
./tsdp_select_data.sh
脚本内容为:
#!/bin/bash# =========================================================================================
# Script Name : tsdp_select_data.sh
#
# Parameter : None
#
# Notes : Display the sensitive data from the TSDP table
# -----------------------------------------------------------------------------------------
# Modified by DD/MM/YYYY Change
# Hakim LOUMI 18/03/2021 Creation
# =========================================================================================echo
echo "=============================================================================="
echo " Display the sensitive data from the TSDP table..."
echo "=============================================================================="sqlplus -s ${DBUSR_TSDP}/${DBUSR_PWD}@${PDB_NAME} <<EOFset lines 1000
set pages 50
col firstname format a20
col lastname format a30
col email format a35
col phonemobile format a15
col ssn format a15
col salary format 99999999
col corporate_card format a25
col cc_pin format 9999
col cc_expire format a12show con_name
show user;prompt
prompt SQL> SELECT userid, firstname, lastname, corporate_card FROM tsdp_hr_employees WHERE length(corporate_card)=19 order by 1;
-- SELECT firstname, lastname, email, phonemobile, ssn, salary, corporate_card, cc_pin, cc_expire FROM tsdp_hr_employees;
SELECT userid, firstname, lastname, corporate_card FROM tsdp_hr_employees WHERE length(corporate_card)=19 order by 1;exit;
EOFecho
此时,“CORPORATE_CARD”栏中的信用卡号是明文。
SQL> SELECT userid, firstname, lastname, corporate_card FROM tsdp_hr_employees WHERE length(corporate_card)=19 order by 1USERID FIRSTNAME LASTNAME CORPORATE_CARD
---------- -------------------- ------------------------------ -------------------------413 Kathy Allen 6761601157534710000449 Donna Wright 6761601157534710000467 Martin Lawrence 4936211210155040000521 Jonathan Greene 4905720557944970000524 Teresa Morales 5602226919579740000567 Patricia Long 4936211210155040000681 Rebecca Long 5602249443516610000682 Brian Tucker 6709177789649670000689 Jennifer Myers 6334124777282700000797 Timothy Banks 4905720557944970000800 Karen Thomas 5602226919579740000827 Heather Campbell 6759878641253360000988 Phyllis Wright 5602249443516610000989 David Foster 6709177789649670000996 Wayne Wood 6334124777282700000999 Kenneth Marshall 675987864125336000016 rows selected.
启用 TSDP 策略“REDACT_PARTIAL_CC”:
./tsdp_enable_policy.sh
脚本内容为:
#!/bin/bash# =========================================================================================
# Script Name : tsdp_associate_policy.sh
#
# Parameter : None
#
# Notes : Associate the TSDP policy with a sensitive type
# -----------------------------------------------------------------------------------------
# Modified by DD/MM/YYYY Change
# Hakim LOUMI 18/03/2021 Creation
# =========================================================================================echo
echo "=============================================================================="
echo " Associate the TSDP policy with a sensitive type..."
echo "=============================================================================="sqlplus -s ${DBUSR_TSDPADMIN}/${DBUSR_PWD}@${PDB_NAME} <<EOFset lines 210
set pages 999show con_name
show user;prompt
prompt . Enable the TSDP policy protection for a specific column type
BEGINDBMS_TSDP_PROTECT.ENABLE_PROTECTION_TYPE(sensitive_type => 'credit_card_type');
END;
/exit;
EOFecho
启用 TSDP 策略后选择敏感数据:
./tsdp_select_data.sh
现在,您可以看到信用卡号已被编辑,格式为 --9999-9999
如您所见,TSDP 会立即编辑敏感数据,您无需重新启动或重写 SQL 查询!
SQL> SELECT userid, firstname, lastname, corporate_card FROM tsdp_hr_employees WHERE length(corporate_card)=19 order by 1USERID FIRSTNAME LASTNAME CORPORATE_CARD
---------- -------------------- ------------------------------ -------------------------413 Kathy Allen ****-****-5347-0000449 Donna Wright ****-****-5347-0000467 Martin Lawrence ****-****-1550-0000521 Jonathan Greene ****-****-9449-0000524 Teresa Morales ****-****-5797-0000567 Patricia Long ****-****-1550-0000681 Rebecca Long ****-****-5166-0000682 Brian Tucker ****-****-6496-0000689 Jennifer Myers ****-****-2827-0000797 Timothy Banks ****-****-9449-0000800 Karen Thomas ****-****-5797-0000827 Heather Campbell ****-****-2533-0000988 Phyllis Wright ****-****-5166-0000989 David Foster ****-****-6496-0000996 Wayne Wood ****-****-2827-0000999 Kenneth Marshall ****-****-2533-000016 rows selected.
任务 3:重置 TSDP 实验室环境
熟悉 TSDP 概念后,你可以重置环境:
./tsdp_reset_env.sh
此脚本内容如下,就是一个复位的过程:
#!/bin/bash# =========================================================================================
# Script Name : tsdp_reset_env.sh
#
# Parameter : None
#
# Notes : Reset the TSDP labs environment
# -----------------------------------------------------------------------------------------
# Modified by DD/MM/YYYY Change
# Hakim LOUMI 18/03/2021 Creation
# =========================================================================================echo
echo "=============================================================================="
echo " Reset the TSDP labs environment..."
echo "=============================================================================="sqlplus -s ${DBUSR_TSDPADMIN}/${DBUSR_PWD}@${PDB_NAME} <<EOFset lines 210
set pages 999show con_name
show user;prompt
prompt . Disable the TSDP policy
BEGINDBMS_TSDP_PROTECT.DISABLE_PROTECTION_COLUMN(schema_name => 'tsdp_labs',table_name => 'TSDP_HR_EMPLOYEES',column_name => '%');
END;
/prompt
prompt . Drop the sensitive column
BEGINDBMS_TSDP_MANAGE.DROP_SENSITIVE_COLUMN (schema_name => 'tsdp_labs',table_name => 'TSDP_HR_EMPLOYEES',column_name => 'CORPORATE_CARD');
END;
/prompt
prompt . Drop the sensitive type
BEGINDBMS_TSDP_MANAGE.DROP_SENSITIVE_TYPE (sensitive_type => 'credit_card_type');
END;
/prompt
prompt . Drop the TSDP policy
BEGINDBMS_TSDP_PROTECT.DROP_POLICY(policy_name => 'redact_partial_cc');
END;
/conn ${DBUSR_SYS}/${DBUSR_PWD}@${PDB_NAME} as sysdbashow user;prompt
prompt . Drop the TSDP users (Admin and Data Owner)
drop user ${DBUSR_TSDP} cascade;
drop user ${DBUSR_TSDPADMIN} cascade;exit;
EOFecho
附录:关于产品
概述
透明敏感数据保护 (TSPD) 是一种查找和分类包含敏感信息的表列的方法。
此功能使您能够快速找到数据库中包含敏感数据的表列,对这些数据进行分类,然后创建一个策略来保护给定类别的这些数据。此类敏感数据的示例包括信用卡号或社会保险号。
然后,TSDP 策略使用 Oracle 数据编辑或 Oracle 虚拟专用数据库设置来保护这些表列中的敏感数据。TSDP 策略应用于您要保护的表的列级别,针对特定的列数据类型,例如包含信用卡信息的所有 NUMBER 数据类型的列。您可以为所有分类的数据创建统一的 TSDP 策略,然后根据合规性法规的变化根据需要修改此策略。或者,您可以导出 TSDP 策略以用于其他数据库。
TSDP 策略的好处是巨大的:您可以轻松地在拥有众多数据库的大型组织中创建和应用 TSDP 策略。这极大地帮助了审计人员,使他们能够评估 TSDP 策略针对的数据的保护程度。TSDP 对于政府环境特别有用,在政府环境中,您可能拥有大量具有类似安全限制的数据,并且必须对所有这些数据一致地应用策略。策略可以是编辑、加密、控制对数据的访问、审计对数据的访问以及在审计跟踪中屏蔽数据。如果没有 TSDP,您将不得不逐列配置每个编辑策略、列级加密配置和虚拟专用数据库策略。
使用透明敏感数据保护 (TSDP) 的好处
-
**您只需配置一次敏感数据保护,然后根据需要部署此保护。**您可以配置透明敏感数据保护策略来指定必须如何保护一类数据(例如,信用卡列),而无需实际指定目标数据。换句话说,当您创建透明敏感数据保护策略时,您不需要包含对要保护的实际目标列的引用。透明敏感数据保护策略根据数据库中的敏感列列表以及策略与指定敏感类型的关联来查找这些目标列。当您在创建透明敏感数据保护策略后向数据库添加更多敏感数据时,这会很有用。创建策略后,您可以一步启用对敏感数据的保护(例如,基于整个源数据库启用保护)。新数据的敏感类型以及敏感类型和策略关联决定了敏感数据的保护方式。这样,当添加新的敏感数据时,只要满足当前透明敏感数据保护策略的要求,您就无需配置其保护。
-
您可以管理多个敏感列的保护。您可以根据合适的属性(例如标识的源数据库、敏感类型本身或特定的模式、表或列)启用或禁用多个敏感列的保护。这种粒度提供了对数据安全性的高级控制。此功能的设计使您能够根据属于这些合规性法规范围的大型数据集的特定合规性需求来管理数据安全性。您可以根据特定类别而不是每个单独的列配置数据安全性。例如,您可以为信用卡号或社会保险号配置保护,但不需要为数据库中包含此数据的每个列配置保护。
-
**您可以使用 Oracle Enterprise Manager Cloud Control 应用程序数据建模 (ADM) 功能保护已标识的敏感列。**您可以使用 Cloud Control ADM 功能创建敏感类型并发现敏感列列表。然后,您可以将敏感列及其对应的敏感类型列表导入数据库。然后,您可以使用此信息创建和管理透明的敏感数据保护策略。