Enterprise Information System Committee

Executive Summary for Data Masking/Encryption Oracle Security

In our current environment, all PeopleSoft data is stored in an unencrypted format on our servers. While we go to great lengths to secure this data while it is in transit (i.e., while being accessed by a user), we currently do not have any encryption for this data while it is at rest. In addition, we currently use production data in our non-production environments that has not been masked or obfuscated. This creates several risks that may result in unauthorized disclosure of sensitive and confidential data. The following is a list of the main security considerations associated with these risks:

  1. Industry Standard: Encrypting and masking sensitive data is a best practice in that it introduces more controls and generally increases the security of our systems and data. It also addresses compliance requirements associated with federal regulations and laws (e.g. PCI and HIPAA).
  2. The Portal: By implementing the Portal we are adding new functionality and increasing the accessibility to our core business systems and associated data. This increases the risk of inadvertent exposure of this data.
  3. External Attackers: In the event an external attacker breaches our perimeter defenses, our core business data is at great risk of unauthorized disclosure because we store it in clear-text (i.e. unencrypted).
  4. Malicious Insider: In the event we encounter a malicious insider, we have to make sure our data remains secure regardless of where it is located. In our current state, data is easily copied to an external device for exploitation or unauthorized disclosure at a later date.
  5. CedarCrestone Recommendation: This business case is consistent with the finding and recommendation in the Applications Portal Configuration and Security Recommendations document, developed by CedarCrestone.

Oracle database systems that include the Advanced Security Option pack provide a turnkey solution named Transparent Data Encryption (TDE) for encrypting confidential PeopleSoft data as it resides on the storage media. While infrastructure and application security mechanisms can protect this data as users and administrators interact with the application, data stored unencrypted on the storage media is vulnerable to exploitation outside of the application framework.  

Data masking refers to the process of obfuscating potentially sensitive data in non-production databases. Database administrators (DBAs) will occasionally copy production data into development or test environments to allow developers to perform application development and application testing. The problem with data sharing is that copies of production data contain confidential, sensitive or personally identifiable information, access to which should be controlled.

The Data Masking Software Pack and the Advanced Security Option are collectively referred to as the Oracle Security Software in this business case. The Advanced Security Option will be used to encrypt our data in all environments, with the exception of DEMO. The Data Masking Software Pack will be used to obfuscate the data in all non-production environments, with the exception of DEMO.