Data Scrambling in Business Applications

By Subraya Mallya - April 2008 | Topics - Audit, Compliance, Configuration Management, Data Security

If you are a customer running a business application like Oracle E-Business Suite, PeopleSoft or SAP in production, I am sure you have repeatedly run into the need to clone/replicate the production database.

Why would someone need a copy of the production instance?

Some of the most common reasons are:

  • to create a test environment with representative production data
  • to create a production support environment
  • to create a custom development environment
  • to do volume testing
  • to perform integration testing
  • and many more

What should we be asking ourselves?

Every time you are faced with this need, besides the logistics (the hardware, software and storage needs), you have to think about the governance aspects. (If these questions are not being asked, they had better be.)

  1. How do we make sure critical/personal data stored in production is not exposed to the unauthorized users of the development environment?
  2. What subset of data should we prune?
  3. Which data do I mask/scramble? If I did that, how would it impact the quality of the environment?

What is critical data?

If you consider the entire ERP, Supply Chain and CRM product footprint, there are a large number of data points that are considered business critical, personal or legal. All such data points are out of bounds for any unauthorized user. The user base we need to think about includes third-party consultants, testers, IT staff, helpdesk, partners; you get the idea.

Here are some of the key entities/data elements that you MUST have in your list of things to scramble:

  1. HR Data (employee SSN, Date of Birth, Addresses, phone numbers)
  2. Payroll Information (employee payroll data, bank information)
  3. User Login Information (encrypted password in FND_USER)
  4. Credit Card Information (stored for either Receivables or Payables)
  5. Supplier Bank Information (in case it is stored for automated payments)
  6. Customer Information (contacts, addresses, bank accounts, if any)
  7. Critical Sales Opportunities (could include material information deemed as insider information)

What is Data Scrambling?

Data Scrambling, or Data Masking, is a technique used to mask critical data sets and attributes so that the critical data is not visible to the users of a cloned/non-production database copied from production. Steven Chan has a detailed explanation of the same. The Application Management Pack in Oracle Application Manager allows administrators to define policies to scramble data on the clone.

You should also check out the Data Sheet Oracle has published on Data Masking.
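
As an added illustration (not from the original post and not how any Oracle tool works), the sketch below masks a constructed two-table clone with a keyed, format-preserving digit substitution, so SSN formats stay valid and the join between tables still works, which bears on the question of how masking affects the quality of the environment. The table names, columns and rows are constructed, and SQLite stands in for the cloned database.

```python
import hashlib
import hmac
import sqlite3

def mask_digits(value: str, key: bytes, field: str) -> str:
    """Swap each digit for a keyed pseudorandom digit; keep length and
    punctuation so application format checks still pass."""
    stream = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).digest()
    out, i = [], 0
    for ch in value:
        if ch.isdigit():
            out.append(str(stream[i % len(stream)] % 10))
            i += 1
        else:
            out.append(ch)
    return "".join(out)

def build_clone() -> sqlite3.Connection:
    """Constructed sample rows standing in for a cloned production schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE employees (ssn TEXT, full_name TEXT);
        CREATE TABLE payroll   (ssn TEXT, bank_account TEXT);
        INSERT INTO employees VALUES ('123-45-6789', 'A. Example'),
                                     ('987-65-4321', 'B. Sample');
        INSERT INTO payroll   VALUES ('123-45-6789', '0011223344'),
                                     ('987-65-4321', '5566778899');
    """)
    return db

def scramble_clone(db: sqlite3.Connection, key: bytes) -> None:
    # key: per-clone secret (e.g. 32 random bytes), discarded after masking
    # so the mapping cannot be recomputed from the clone.
    # Fixed allowlist of (table, column, label). Both ssn columns share one
    # label, so equal inputs mask to equal outputs and joins keep working.
    # Distinct inputs can collide; re-check uniqueness on key columns.
    targets = [("employees", "ssn", "ssn"), ("payroll", "ssn", "ssn"),
               ("payroll", "bank_account", "bank")]
    for table, column, label in targets:
        for rowid, value in db.execute(f"SELECT rowid, {column} FROM {table}").fetchall():
            db.execute(f"UPDATE {table} SET {column} = ? WHERE rowid = ?",
                       (mask_digits(value, key, label), rowid))
    db.execute("UPDATE employees SET full_name = 'Employee ' || rowid")
    db.commit()

def joined_rows(db: sqlite3.Connection) -> list:
    return db.execute("SELECT e.ssn, e.full_name, p.bank_account FROM employees e "
                      "JOIN payroll p ON p.ssn = e.ssn ORDER BY e.rowid").fetchall()
```

Comparing `joined_rows` before and after `scramble_clone` shows the same row count with none of the original values present.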

Plan of action

All of those replicated/cloned environments are considered open or semi-regulated, and hence the prerequisite for such environments should be data masking and pruning to eliminate any of the critical data.

Work with your corporate counsel to understand the regulatory compliance mandates that you are required to comply with. If you are a public company, more often than not, you will be required to comply with Sarbanes-Oxley (SOX) 103, 105, 404 and 802, PCI and the Gramm-Leach-Bliley Act. If you are in the health care industry you might need to comply with HIPAA, and likewise if you are a process manufacturing company you might have CFR Part 11 and other regulations.

All the guidelines that apply to a production database in terms of access control/data security also apply to any copies of the production database.

If you are looking for more detailed information or help with defining Data Scrambling policies, send me a note. I will be happy to share.

Thoughts shared by readers (6)

  1. Rajesh Parthasarathy Says:

    Subraya — Good post. The need for data scrambling/masking is just picking up steam. I work for a software solutions provider, http://www.mentisoftware.com, and we have been in the market with a data scrambling product (iScramble) for Oracle EBusiness suite, and this is our fifth year in operation. We are seeing an increased attention to this area now, and you are right on topic. Read this article from the Database Trends journal for a little more information on what we provide -> http://www.mentisoftware.com/data/DBTA%20March08.pdf

    Best,
    Rajesh Parthasarathy

  2. Rajesh Parthasarathy Says:

    Subraya – To suggest other areas, the industry based regulations are a good starting point. For example,

    Gramm-Leach Bliley -> non-public financial balances (Banks, Credit Unions, Financial Services, Universities, etc)

    HIPAA -> Healthcare information (Hospitals, Universities, etc)

    And from a best practices perspective, protecting financial balances for the business as a whole is important (so that a developer does not end up analyzing performance and playing the stock market). We also have seen intellectual property stored in Oracle BOM and other manufacturing modules – protecting these is best practice as well.

    Hope that helps.

    Thanks,
    Rajesh

  3. Avinash Shitoley Says:

    Very well explained in layman's language. Best Google search.

  4. Subraya Mallya Says:

    Thanks Avinash. Hope the post gave you all the information you were looking for.

  5. Tofunmi Samuel Says:

    I chose my graduate project to be on scrambling. Please, I will kindly need materials and tutelage about data scrambling policies.
    My topic is Simulation of a 56Kbps Modem signal Scrambler.
