Software Business Case

Oracle Security Software

Datamasking & Encryption

Table of Contents

Executive Summary

1. Problem Definition

2. Addressing Problem with CWU existing tools and products (i.e. PeopleSoft)

3. Organizational Impact

4. Benefits

5. Strategic Alignment

6. Cost

7. Alternatives (add lines as necessary)

8. Timing / Schedule (add lines as necessary)

9. Technology Migration/Resource Identification

10. Product Life/Application Sunsetting or Decommissioning

11. References

12. Recommendation

13. Approvals

Executive Summary

In our current environment, all PeopleSoft data is stored in an unencrypted format on our servers. While we go to great lengths to secure this data while it is in transit (i.e. while being accessed by a user) we currently do not have any encryption for this data while it is at rest. In addition, we currently use production data in our non-production environments that has not been masked or obfuscated. This creates several risks that may result in unauthorized disclosure of sensitive and confidential data. The following is a list of the main security considerations associated with these risks:

1.  Industry Standard: Encrypting and masking sensitive data is a best practice in that it introduces more controls and generally increases the security of our systems and data. It also addresses compliance requirements associated with federal regulations and laws (e.g. PCI and HIPAA).

2.  The Portal: By implementing the Portal we are adding new functionality and increasing the accessibility to our core business systems and associated data. This increases the risk of inadvertent exposure of this data.

3.  External Attackers: In the event an external attacker breaches our perimeter defenses, our core business data is at great risk of unauthorized disclosure because we store it in clear-text (i.e. unencrypted).

4.  Malicious Insider: In the event we encounter a malicious insider, we have to make sure our data remains secure regardless of where it is located. In our current state, data is easily copied to an external device for exploitation or unauthorized disclosure at a later date.

5.  CedarCrestone Recommendation: This business case is consistent with the finding and recommendation in the Applications Portal Configuration and Security Recommendations document, developed by CedarCrestone.

Oracle database systems that include the Advanced Security Option pack provide a turnkey solution named Transparent Data Encryption (TDE) for encrypting confidential PeopleSoft data as it resides on the storage media. While infrastructure and application security mechanisms can protect this data as users and administrators interact with the application, data stored unencrypted on the storage media is vulnerable to exploitation outside of the application framework.

Data masking refers to the process of obfuscating potentially sensitive data in non-production databases. Database administrators (DBAs) will occasionally copy production data into development or test environments to allow developers to perform application development and application testing. The problem with data sharing is that copies of production data contain confidential, sensitive or personally identifiable information, access to which should be controlled.

The Data Masking Software Pack and the Advanced Security Option are collectively referred to as the Oracle Security Software in this business case. The Advanced Security Option will be used to encrypt our data in all environments, with the exception of DEMO. The Data Masking Software Pack will be used to obfuscate the data in all non-production environments, with the exception of DEMO.

Sponsoring Department(s): Security Services Department

Date of Business Case Preparation: 9/24/13

Contact Person Name/Phone: Andreas Bohman / 2499

New Product/Service

If there is a draft or sample contract, please provide a copy.

Renewal of Existing Product/Service – if checked, include background information.

If there is a site license agreement, existing contract or new contract draft, please provide a copy.

1.  Problem Definition

Central Washington University’s Enterprise Resource Planning (ERP) data is not encrypted while at rest on our storage media. While infrastructure and application security mechanisms can protect sensitive data as users and administrators interact with the application, data stored unencrypted on the storage media is vulnerable to exploitation outside of the application framework. In addition, our data is not obfuscated in any of our databases. This introduces the risk of inadvertent disclosure and exposing confidential and sensitive information when sharing production data with application developers or software quality testers who do not otherwise have access to this data in the production system.

2.  Addressing Problem with CWU existing tools and products (i.e. PeopleSoft)

As the Oracle database environments are proprietary, there are no supported alternative products available for data encryption. Even though there are some open-source products that will encrypt and obfuscate Oracle databases, none of the products are supported by Oracle. Our Campus Solutions PeopleSoft database has a real-time obfuscation process that is currently in use. However, this process only obfuscates that data as it is being used and it does not obfuscate the data at rest. Since this is a real-time process, it is not appropriate as an enterprise solution and it is only available for the Campus Solution PeopleSoft database. It is possible to manually mask the PeopleSoft data but this is a very resource intensive and repetitive task and not recommended.

3.  Organizational Impact

This is an enterprise need and it will benefit all users of our PeopleSoft ERP.

Data Masking Stakeholders: The primary stakeholders for the Data Masking software are the Business Analysts/Functional Leads, Security Services Department, and Information Technology Services (ITS). However, since this is an enterprise solution, all functional groups will benefit from the added security.

Data Encryption Stakeholders: The encryption process is a one-time process that is executed on all data – or ‘tablespaces’ – in our Oracle databases. Once the data is encrypted, all subsequent data writes and reads will also be encrypted. The primary stakeholders for the Data Encryption software are the Security Services Department and ITS.

Contributors: The contributors to the requirements for this business case are the Business Analysts/Functional Leads, Security Services, ITS, and CedarCrestone. Within ITS, the group most impacted is the DBAs, and they have been involved in the development of this business case.

Resource Impact: There will be an impact on resources from Business Analysts/Functional Leads, Security Services, ITS, and CedarCrestone. In discussing the potential impact and availability of resources, all stakeholders have indicated they are able to support this effort as part of or in addition to the overall iCAT project, with the exceptions and caveats noted in the timeline below.

Changes to Existing Systems: In order to implement the Data Encryption software, changes have to take place in our current environment. The Data Encryption changes are relatively minor in comparison to the Data Masking changes and are seen as the least effort of the two. Below is an overview of the process and changes needed:

1.  Since existing tablespaces cannot be encrypted, it is necessary to move the application data from clear-text tablespaces to encrypted copies of the original tablespaces. The first step in this process is to extract the application data using an Oracle export utility such as Data Pump. This is the same process used for moving our data to the lab as part of the current upgrade and split.

2.  New, encrypted tablespaces have to be created to mirror the existing clear-text tablespaces. Special considerations have to be made for indexes. The Migration Guide provides detailed instructions and scripts that allow the DBA to perform these activities.

3.  The clear-text tablespaces are dropped and the application data is brought back into the database using an Oracle import utility such as Data Pump.

4.  Once all of the encryption activities are complete and the application data is stored in the encrypted tablespaces, the PeopleSoft application is capable of running as before with no additional changes.

In order to implement the Data Masking software, changes have to take place in our current environment. Oracle has developed a comprehensive 4-step approach to implementing data masking via the Oracle Data Masking Pack called Find, Assess, Secure and Test (F.A.S.T).

These steps are:

1.  Find: This phase involves identifying and cataloging sensitive or regulated data across the entire enterprise. Typically carried out by business or security analysts, the goal of this exercise is to come up with the comprehensive list of sensitive data elements specific to the organization and discover the associated tables, columns and relationships across enterprise databases that contain the sensitive data.

2.  Assess: In this phase, developers or DBAs in conjunction with business or security analysts identify the masking algorithms that represent the optimal techniques to replace the original sensitive data. Developers can leverage the existing masking library or extend it with their own masking routines.

3.  Secure: This and the next step may be iterative. The security administrator executes the masking process to secure the sensitive data during masking trials. Once the masking process has completed and has been verified, the DBA then hands over the environment to the application testers.

4.  Test: In the final step, the production users execute application processes to test whether the resulting masked data can be turned over to the other non-production users. If the masking routines need to be tweaked further, the DBA restores the database to the pre-masked state, fixes the masking algorithms and re-executes the masking process.

Training Requirements: There are training requirements associated with both products but they are relatively minor. The security administrator has to be proficient in the use of the data masking solution and the DBAs have to be proficient in the application of the encryption software. The intent is for CedarCrestone to develop the process required for the data masking and encryption with the internal security administrators and DBAs executing the process.

All Stakeholders:

Department / Name
Security Services / Andreas Bohman
Security Services / Jamie Schademan
Security Services / Barbara Bisson
ITS / Jason Ringer
ITS / Barry Carlson
CedarCrestone / Gene Shoda
CedarCrestone / Daniel Tarango
CedarCrestone / Brennan Folmer
Finance / Tim McGuire
Human Resources / Jill Hernandez
Admissions / Debbie Hunt
Registrar Services / Lidia Anderson

4.  Benefits

Data Encryption Benefits:

·  Data is encrypted on disk, and any backups stored on external tape remain encrypted.

·  Effective mitigation of risk associated with other attack vectors.

·  No additional storage is required for the encrypted database files; the database size remains the same.

·  Encryption and decryption are transparent to the PeopleSoft applications. No PeopleSoft-level code changes are necessary.

·  No additional triggers, views, or stored procedures have to be implemented or maintained when using TDE.

·  The encryption/decryption overhead added by TDE has been reported by internal Oracle testing to be approximately 2-4%, which should be considered reasonable when compared to the other benefits.

Data Masking Benefits:

·  Data in non-production systems is no longer recognizable as valid personal/sensitive data. CWU would not need to be concerned about unauthorized access or extraction of sensitive data from non-production systems, which are generally available to a much wider development/testing audience.

·  Depending on audit requirements in place at CWU, having sensitive data available to developers/testers in non-production systems may be a violation.

·  Using a tool such as the Oracle Data Masking Pack allows data to be masked while still preserving the referential integrity of the PeopleSoft application. In other words, the PeopleSoft application will still function as expected with the masked data.
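
The Find, Assess, Secure and Test steps and the referential-integrity point above, as an added illustration (not part of the original business case and not Oracle Data Masking Pack code): a keyed, deterministic substitution maps each sensitive value to the same replacement in every table, so joins still line up. The table rows, column names and key handling are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed sample rows standing in for two related tables (not real data).
PERSONS = [{"emplid": "1001", "national_id": "123-45-6789"},
           {"emplid": "1002", "national_id": "456-78-9012"}]
PAYROLL = [{"check_no": "A1", "national_id": "123-45-6789"},
           {"check_no": "A2", "national_id": "456-78-9012"},
           {"check_no": "A3", "national_id": "123-45-6789"}]
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

def find_sensitive_columns(rows):
    """Find: columns in which every sampled value looks like an SSN."""
    return sorted(c for c in rows[0] if all(SSN_RE.match(r[c]) for r in rows))

def mask_ssn(value, key, counter=0):
    """Keyed, deterministic, format-preserving replacement. Area numbers
    900-999 are never issued as SSNs, so output cannot equal a real one."""
    mac = hmac.new(key, f"{counter}:{value}".encode(), hashlib.sha256).digest()
    n = int.from_bytes(mac[:8], "big")
    return f"9{n % 100:02d}-{n // 100 % 99 + 1:02d}-{n // 10000 % 9999 + 1:04d}"

def build_mapping(values, key):
    """Assess: one replacement per distinct value; retry on collision."""
    mapping, used = {}, set()
    for v in sorted(set(values)):
        counter = 0
        while (masked := mask_ssn(v, key, counter)) in used:
            counter += 1
        used.add(masked)
        mapping[v] = masked
    return mapping

def join_pairs(persons, payroll, col):
    """Test: the (emplid, check_no) pairs a join on `col` produces."""
    owner = {p[col]: p["emplid"] for p in persons}
    return sorted((owner[c[col]], c["check_no"]) for c in payroll if c[col] in owner)

def run_masking_trial(key):
    """Secure + Test: mask both tables with one mapping, then verify."""
    col = find_sensitive_columns(PERSONS)[0]
    mapping = build_mapping([r[col] for r in PERSONS + PAYROLL], key)
    persons = [{**r, col: mapping[r[col]]} for r in PERSONS]
    payroll = [{**r, col: mapping[r[col]]} for r in PAYROLL]
    joins_intact = join_pairs(PERSONS, PAYROLL, col) == join_pairs(persons, payroll, col)
    leaked = {r[col] for r in persons + payroll} & set(mapping)
    return joins_intact, leaked
```

The masking key should be generated per refresh and kept out of the non-production environment; anyone holding it can recompute the replacement for a known value.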

5.  Strategic Alignment

Student success: CWU believes that student success is best achieved by providing supportive learning and living environments that encourage intellectual inquiry, exploration, and application.

Strategic Alignment: By providing for a secure yet highly available environment, we ensure ready access to information while still providing our students with the confidence that we will protect their confidential information.

Access: CWU believes in providing educational opportunities to as many qualified students as possible. CWU believes that restrictions of place, time, and finances can be overcome through the effective use of partnership with community colleges and by effective and efficient use of learning, communication, and social technologies.

Strategic Alignment: As we broaden our enterprise environment to meet this strategic vision, we have to ensure we also maintain the confidentiality and integrity of our customers’ data, regardless of where the data is located. We have to provide for security throughout the life-cycle of the data.

Shared Governance: CWU believes that shared governance is most effective when information systems and decision-making processes are both robust and transparent. CWU believes that communication channels should be open and two-way and that faculty, staff, and students should be empowered to participate in the governance systems.

Strategic Alignment: Securing our customer data is an important part of building and implementing robust and transparent information systems and decision-making processes.

6.  Cost

There is currently no funding for this business case.

Cost Breakdown:

Product and Services / License / Units / List Price / Disc % / Extended
1 / Advanced Security Option / Named User / 12955 / $2,979,650.00 / 96 / $119,186.00
2 / Product Support and Software Updates / $655,523.00 / 96 / $26,220.92
3 / Data Masking Pack / Named User / 12955 / $2,979,650.00 / 96 / $119,186.00
4 / Product Support and Software Updates / $655,523.00 / 96 / $26,220.92
License / $5,959,300.00 / 96 / $238,372.00
Support / $1,311,046.00 / 96 / $52,441.84
$7,270,346.00 / Total / $290,813.84
5-Year Cost / $500,581.20

7.  Alternatives (add lines as necessary)

Alternative / Reasons For Not Selecting Alternative
Do nothing / High level of risk associated with the confidentiality and integrity of our customer’s information. The risk is primarily associated with a data breach and unauthorized access to our customer’s data. This has the potential to negatively impact the reputation of CWU and it may have an impact on admissions.
Only Use Real-Time CS Obfuscation / This process is not available - nor is it appropriate – for the other databases.

8.  Timing / Schedule (add lines as necessary)

Task / Target Date
Purchase Data Masking and Data Encryption Software / 10/15/2013
Install Data Encryption Software Solution / 11/01/2013
Develop Data Encryption Procedure / 11/15/2013
Test and Implement Data Encryption Procedure / 12/15/2013
Data Encryption Implementation Completed (Go-Live) / 01/27/2014
Install Data Masking Software Solution / 02/28/2014
Develop Find, Assess, Secure and Test (FAST) Procedure / 03/15/2014
Test and Implement FAST Procedure / 04/01/2014
Data Masking Implementation Completed (Go-Live) / 04/15/2014

9.  Technology Migration/Resource Identification

Data Encryption Software Resources: