30 Managing Enterprise Data Governance

This chapter introduces Enterprise Data Governance and describes how to use the feature to protect sensitive data. The chapter includes the following sections:

Overview of Enterprise Data Governance

This section provides a brief overview of Enterprise Data Governance. The section covers the following topics:

About Enterprise Data Governance

Enterprise Data Governance offers a comprehensive solution for identifying, securing, managing, and tracking sensitive data in the data center. The solution involves a two-pronged approach to provide this protection:

  • Perform user-initiated and automatic discovery on a regular basis of databases that potentially contain sensitive data. This is metadata discovery, also referred to as a shallow scan, so-called because it looks only at metadata involving schema, table, and column name patterns.

  • Perform user-initiated discovery of sensitive data in databases identified by the metadata discovery. This is data discovery, also referred to as a deep scan, so-called because it drills down in the actual data, looking for matches to user-supplied sensitive types and object-level protection details.

Enterprise Data Governance forms the first steps in the recommended workflow to mask sensitive data:

  1. Discover databases that potentially contain sensitive data.

  2. Aided by (but not limited to) the results of discovering database candidates, drill down to the data within the tables and columns of databases to further identify sensitive data.

  3. Armed with the results of this discovery, flag columns as sensitive and identify them within the context of an Application Data Model (ADM).

  4. Select these columns within an ADM and apply masking formats to protect the data in the testing environment.

What Are Protection Policies?

A Protection Policy defines a security mechanism for protecting a sensitive data object. It controls the way a sensitive data object is protected. After a policy is created for a sensitive object, it serves as a template that can be applied to all the sensitive data objects of a similar type and structure. This ensures that a sensitive data object is protected consistently no matter where it is present in the database cloud.

A Protection Policy maps to a security feature available in Oracle Database. Metadata discovery identifies databases that contain objects that are protected via one or more of the following database security features:

  • Transparent Data Encryption (TDE)–A database feature that automatically encrypts data when it is written to the database and automatically decrypts data when accessed.

  • Data Redaction–A database feature that protects data by presenting a masked version of the data to nonprivileged users. The masked version of the data preserves the format and referential integrity of the data, so any application that uses the data continues to work as expected.

  • Virtual Private Database (VPD)–A database feature that enforces data access at the row and column level, using security conditions to protect the data.

  • Oracle Label Security (OLS)–A database feature that provides data classification and control access using security labels.

Metadata discovery checks for each security feature listed. The scan does not, however, collect protection policy details, nor does it necessarily scan for all the policies. Any protection policy found is sufficient to flag the database as potentially sensitive. This strategy keeps the scan fast and lightweight.

What Are Application Signatures?

An application signature is a set of database objects such as schemas, tables, and views that uniquely identifies a specific application. A database that contains these objects is assumed to contain the application and is noted as a sensitive database candidate. Oracle supplies signatures for the following applications:

  • Oracle E-Business Suite

  • Oracle Fusion Applications

  • Oracle PeopleSoft Enterprise

You can also create custom application signatures, see Creating Custom Application Signatures.

Using Enterprise Data Governance

This section covers the following topics:

The Enterprise Data Governance Dashboard

Enterprise Data Governance provides the means to identify databases within the enterprise that potentially contain sensitive data, and then to evaluate the data within these candidates to determine if sensitive data exists.

The Enterprise Data Governance dashboard summarizes discovery activity and provides links to:

You can also manage the Application Data Model (ADM) environment and sensitive column types from the dashboard. See Chapter 2, "Application Data Modeling," in the Oracle Data Masking and Subsetting Guide for information on these activities.

To navigate to the dashboard within the Cloud Control console, select Databases on the Targets menu, then select Enterprise Data Governance on the Security menu. Whenever you navigate away from the dashboard, use the Enterprise Data Governance bread crumb at the top to return.

Working with Sensitive Database Discovery Results

On the Sensitive Database Discovery Summary page, you can perform the following tasks:

  • Review databases discovered to have sensitive data or considered to be sensitive data candidates.

  • Create a metadata discovery job (see Creating a Metadata Discovery Job).

  • Create a data discovery job (see Creating a Data Discovery Job).

  • Click a number in a metadata column to see a pop-up list of items found. For example, click the number in the Data Protections column to see which data protections are in play for the database candidate.

  • Click the database name itself to open the database instance home page.

Working with Metadata Discovery Jobs

On the Metadata Discovery Jobs page, you can perform the following tasks:

Since a metadata discovery job looks only at schema, table, and column name patterns but not at the data itself, there are no database credentials required to execute the job.

Creating a Metadata Discovery Job

Run a metadata discovery job to scan database metadata looking for candidates that potentially contain sensitive data.

Creating a metadata discovery job involves the following steps:

  1. Click Create Metadata Discovery Job.
  2. Set the criteria for sensitive column types, application signatures, and data protections.

    For sensitive column type, select a row and click View Search Criteria to see applicable criteria such as pattern matching, regex formatting and Boolean condition.

    When done, click Next to continue.

  3. Select the targets on which you want to perform metadata discovery. First, select the target type, then click Add to select the targets within a given type. Note that you can include searches from the configuration search library as part of your target search criteria.

    You cannot select targets of a different type. If you select targets of one type and then select targets of a different type, targets of the first selected type are deselected.

    When done, click Select to close the selection dialog, then click Next to continue.

  4. Schedule the job. Provide a meaningful name and description. Set other parameters as appropriate. Note that metadata discovery is a job you would typically want to repeat on a rotating schedule to be vigilant in monitoring your databases for sensitive data.

    When done, click Submit.

  5. A confirmation message appears at the top of the page. Click the link to view job details in the Jobs system. Refresh the Metadata Discovery Jobs page to see the completed job.
Managing Automatic Metadata Discovery

Automatic metadata discovery happens independent of user-initiated metadata discovery and ties directly to target discovery. By default, whenever a database is discovered as part of target discovery, the metadata discovery job runs on that database. You can disable this feature by choosing Disable Metadata Discovery During Target Discovery from the Automatic Metadata Discovery drop-down menu. You may want to disable the feature if you want more control over when the metadata discovery job is run and on which databases. When you disable the feature, the menu selection toggles to Enable metadata discovery during target discovery so you have the option of resuming automatic metadata discovery.

You can also choose to retain the feature but with a different set of criteria. Out-of-box criteria for automatic metadata discovery uses Oracle-defined sensitive column types, data protection policies, and application signatures, but you can change the default settings and add user-defined entities as well. Select Edit Automatic Metadata Discovery Parameters from the Automatic Metadata Discovery drop-down menu to edit the criteria.

Managing Metadata Discovery Results

The results of a metadata discovery job help you ascertain which databases actually contain sensitive data and the nature of the sensitivity.

Work with metadata discovery job results by doing the following:

  1. Select a job in the top table to see the discovery results at the bottom.
  2. Use the Show drop-down list to filter the display based on all databases evaluated or only those with or without sensitive data.
  3. Click View Discovery Results Detail to see matching metadata based on specified criteria.
  4. Click a number in a metadata column to see a pop-up list of items found. For example, click the number in the Data Protections column to see which data protections are in play for the database candidate.
  5. Click the database name itself to open the database instance home page.

Working with Data Discovery Jobs

On the Data Discovery Jobs page, you can perform the following tasks:

  • Create a data discovery job

  • Manage job results

Creating a Data Discovery Job

Run a data discovery job to search for sensitive data within a database candidate identified by the metadata discovery job.

Creating a data discovery job involves the following steps:

  1. Click Create Data Discovery Job.
  2. Click the search icon to select the database candidate on which you want to perform data discovery. Note that you can include searches from the configuration search library as part of your target search criteria.

    Click Select to close the selection dialog.

  3. Set the criteria for sensitive column types, application signatures, and data protections.

    For sensitive column type, select a given column row and click View Search Criteria to see applicable criteria such as pattern matching, regex formatting and Boolean condition. Set the number of rows you feel constitutes an adequate sample size. Indicate whether to scan empty tables.

    The data discovery job ignores empty tables on the basis that data is what makes a column sensitive. You may, however, want to include empty tables in the discovery search based on other factors such as column name and comment patterns. While an empty table is defined as a table without data values, the metadata discovery job might report some nonempty tables as empty, if the statistics collection job has yet to run.

    Click Next.

  4. Specify schema and table parameters (those to include or exclude). Use pattern matching to scope the searches. Alternatively, you can opt to include all of either or both entities.

    Click Next.

  5. Schedule the job. Specify a meaningful name and description. Provide credentials to access the database. Set the job schedule.

    Click Submit.

  6. A confirmation message appears at the top of the page. Click the link to view job details in the Jobs system. Refresh the Data Discovery Jobs page to see the completed job.
Managing Data Discovery Results

Use the results of data discovery to identify sensitive columns and associate the database with an Application Data Model.

Work with data discovery job results by doing the following:

  1. Click the database name link in the job row to open the database instance home page; click the job status link to open the job summary page in the Jobs system.

  2. Optionally associate a database with either a new or existing ADM. Select a data discovery job row, then click Assign Application Data Model and choose the appropriate option.

  3. Select a job in the top table to see the discovery results at the bottom. Review job results by clicking the job criteria tabs. Expand tab contents as necessary to drill down to the details.

  4. Click the Sensitive Data Columns tab to see the origin and nature of the data in the sensitive columns. As noted, if there is an ADM assigned, you can interactively set the sensitivity status by selecting a row and choosing a status from the Set Sensitive Status drop-down menu.

    Use the information in the table to inform your decision to declare a column sensitive. For example, the sample data and columns matching the criteria both in name and as a percentage of data are strong indicators of the column's sensitivity.

    If there is no ADM assigned to the data discovery job, sensitivity status is disabled, and the relevant schema is displayed in place of an application.

  5. Click the Application Signatures tab to see database objects that uniquely identify the application.

  6. Click the Objects with Data Protection Policies tab to see the specific objects the job discovered that are protected by supported protection policies.

    Set sensitive column status on the discovered objects:

    1. Click Select Sensitive Columns.

    2. Provide credentials to log in to the database discovered by the job.

    3. Click the List Columns button to display all the columns in the table covered by the protection policy.

    4. Set status to sensitive and select an associated sensitive column type for those columns you consider sensitive within the application.

    5. Click OK when done to confirm your selections.

    The selected columns are identified as sensitive within the assigned ADM.

    If there is no ADM assigned to the data discovery job, the sensitive status feature is disabled, and the relevant schema is displayed in place of an application.

Creating Custom Application Signatures

Customize application signatures to facilitate sensitive data discovery within your business enterprise.

Creating a custom application signature involves the following steps:

  1. Open the Application Signature link from the Enterprise Data Governance dashboard.

    Click Create.The editor page opens.

  2. Specify a name and optional description.
  3. Click Add and select from the available objects to include in the signature. The name provided for any of these object types can be specified explicitly or with a pattern (for example, HR%).

    • Schema–schema name is required

    • Table–schema name is optional; table name is required

    • View–schema name is optional; view name is required

    Click OK. The object appears in the table.

  4. Repeat Step 3 to include additional objects in the signature. Remember that all signature objects must be found in the database for there to be a match.
  5. When done, click OK to complete the signature definition.

    The editor window closes and the signature appears in the table on the Application Signature page. The signature can now be used as search criteria for metadata discovery and data discovery jobs.