Balancing Security Investment Against Today's Threat Environment

Transcription

1 <Insert Picture Here> Balancing Security Investment Against Today's Threat Environment Niel Pandya Data Security, Senior Manager, Oracle ASEAN

2 The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle s products remain at the sole discretion of Oracle.

3 When Whom Details September 11, 2010 Cheesecake Factory,New York A waiter used a skimming device to make $100,000 worth of fraudulent charges to customer credit cards. The waiter committed these crimes in late 2008 and was arrested in September of September 9, 2010 Clinic,Phoenix, Arizona An employee was fired after it was learned that the employee accessed patient records without authorization. The employee repeatedly accessed information at a location in Arizona between 2006 and 2010, but the Mayo Clinic system allows employees to access patient records from across the country. September 9, 2010 California Department of Health Care Services The California Department of Health Care Services released confidential and identifying information about HIV positive Medi Cal recipients to a third party service provider. A network of organizations have deemed this action illegal and unauthorized. A letter was sent by the network asking for an explanation of how this happened and reassurance that it will not happen again. September 2, 2010 Sprint, Kansas Between January 2010 and June 2010 nine former employees inappropriately accessed confidential customer account information and used it to make unauthorized calls. Defrauded customers were credited by the company. Around $15 million dollars in authorized calls resulted from the cellphone cloning scheme. September 11, 2010 UK: Fraudster must pay 30,000 A conman from Sheffield who masterminded conspiracies to defraud high street bank customers out of hundreds of thousands of pounds has been ordered to pay back nearly 30,000 to the authorities. September 9, 2010 UK: East Lothian Council exposes cabbies personal info on web site East Lothian Council has apologised over a serious staff error which saw the personal details and previous convictions of taxi licence applicants published on the local authority s website for two hours. September 9, 2010 September 8, 2010 New Zealand business owners dealing with data loss after earthquake UK police officer fined over privacy breach Companies and other agencies in Christchurch, New Zealand have been forced to deal with data loss as a result of the massive earthquake that struck the region last week. The Jersey Evening Post reports that Paul Byrne misused the force s database to look up the address of a woman who is dating his girlfriend s

4 How is Data Compromised? 900+ Breaches, 900+M Records 2010 Data Breach Investigations Report

5 Where Are Attacks Coming From? Key Loggers Spear Phishing Malware Botware SQL Injection Espionage Social Engineering Database Application Users Application Database Administrators Data Must Be Protected at the Source

6 Why is Security Hard? No system can be 100% secure Reality is risk mitigation, not risk avoidance Difficult to prove good security Bad security gets proven for us! No Budget for security Thought it was implicit in the design. Many things to secure People, equipment, OS, network, Application Servers, applications, and databases Threat increasingly becoming internal Data leaks and breaches becoming more common

7 Why is Data Security Important Beyond protecting and securing data... impacts organisations and individuals... Data growth measured at an increased rate (approx 45% per year) due to advances in storage and related solutions Data Data... Every where! Drive to become more efficient requires detailed data value in the use of this data acts as a currency Approach to Data Security influenced from many... Compliance Mandates (Government and Industry regulators,sox etc) Data breach costs both Financial and reputational

8 Key Drivers for Data Security Privacy and Compliance Sarbanes-Oxley (SOX), J-SOX, GLBA Payment Card Industry (PCI) HIPAA, EU Privacy Directives Breach Disclosure Laws Separation of duty, Proof of compliance, Risk Assessment and Monitoring Insider / External Threats Large percentage of threats go undetected Outsourcing and off-shoring trend Customers want to monitor insider & DBA

9

10 44% of Large Enterprises Are Interested In Building An Internal Cloud Source: Cloud Computing, Compute-As-A-Service: Interest And Adoption By Company Size, Forrester Research, Inc., February 27, 2009

11 Why Are Enterprises Interested in Cloud? What Are the Challenges Enterprises Face? Benefits Challenges/Issues Cost Speed Fit Security QoS Source: IDC exchange, "IT Cloud Services User Survey, pt. 2: Top Benefits & Challenges," ( October 2, 2008

12 How: Enterprise Evolution To Cloud Public Clouds Hybrid Public Cloud Evolution SaaS PaaS IaaS SaaS PaaS IaaS Private Cloud Evolution Virtual Private Cloud App1 App2 App3 App1 App2 App3 App1 App2 App3 App1 App2 App3 Private PaaS Private PaaS Private PaaS Private IaaS Private IaaS Private IaaS Silo d Grid Private Cloud Hybrid Physical Dedicated Static Heterogeneous Virtual Shared services Dynamic Standardized appliances Self-service Policy-based resource mgmt Chargeback Capacity planning Federation with public clouds Interoperability Cloud bursting

13 Cloud Stack [Oracle] 11/29/2010 ITS

14 Compliance and Security as an integrated system... To truly protect your data it has to be protected and managed at SOURCE... - Control and audit access within the database - Identify and secure sensitive data - Implement internal Controls - Monitor access and the use of controls.

15 Client Where s my data. Test/ Development Servers RODUCTION NETWORKS TEST PRODUCTION BACKUPS

16 Survey: Enterprise Data at Risk The 2009 IOUG Data Security Report: BUDGET PRESSURES LEAD TO INCREASED RISKS Only 21% uniformly encrypting PII in all databases 50% not aware of all databases with sensitive data Only 20% uniformly encrypt database traffic 48% say database users could access data directly Only 12% uniformly encrypt database backups/exports 70% use native auditing, only 18% automate monitoring 61% cannot prevent DBAs from reading or tampering with sensitive data 67% can not detect if they were Less than 30% monitoring sensitive data reads/writes

17 Oracle Security Inside Out Database Security Encryption and Masking Privileged User Controls Multi-Factor Authorization Activity Monitoring and Audit Secure Configuration Information Infrastructure Identity Management Roles Based User Provisioning Entitlements Management Risk-Based Access Control Virtual Directories Identity as a Service Databases Applications Information Rights Management Content Track and Audit Document Usage Control and Revoke Document Access Secured Inside or Outside Firewall Centralized Policy Administration

18 Database Security Solutions Inside. Outside. Encryption & Masking Advanced Security Secure Backup Data Masking Access Control Database Vault Label Security Identity Management Auditing & Tracking Audit Vault Total Recall Configuration Management Monitoring & Blocking Database Firewall Preventive and detective controls within the Oracle database Database Firewall to prevent threats from reaching databases Transparent no changes to existing applications

19 What to Use and When? Encryption: Guarantee confidentiality of production data At-rest (disk, backups, export files) In-transit Don t use as a means of Access Control! Masking: Representing production data in non-production environments Data needs to look like production data Oracle Confidential 19

20 Oracle Identity Management Access Control Single Sign-On Identity Federation Web Access Control Web Services Security Identity Administration User, Role Management User Provisioning Identity Infrastructure Virtual Directory Directory

21 Single Sign-On to Heterogeneous Applications OracleAS SSO Oracle Internet Directory App Servers Oracle Applications Other Enterprise Applications Access Server SDK Single Sign-On Packaged ebusiness Apps Sun Directory Services Microsoft ADS Oracle COREid Access Virtual Directory Server Portals Static HTML content Mainframe Systems

22 Identity Management Values Trusted and reliable security Efficient regulatory compliance Lower administrative and development costs Enable online business networks Better end-user experience

23 Access Control Identity & Access Management Authentication & Authorization Single Sign-On Federation Web Services Security Audit & Compliance Identity Administration Identity Lifecycle Administration Role & Membership Administration Provisioning & Reconciliation Compliance Automation Directory Services Virtualization Synchronization Storage Audit Data Attestation Segregation of Duties Controls Management Service Levels Configuration Performance Automation

24 Summary Transparent Comprehensive Cost-Effective Oracle Confidential 24

25