How to protect sensitive data, challenges & risks
Lars Klumpes CISSP, Security Strategy Consultant EMEA
Disclaimer: The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remain at the sole discretion of Oracle.
Agenda
- Trends in Security
- Where to start?
- What to consider?
- Summary and Q&A
A brief history of Security: Perimeter based defense
Things from the past... Securing the wrong things
Where we are now: Struggling to coordinate efforts
Monitoring: To being overly ambitious
IT Security vs Info Risk Management: Small change, big difference!

| IT Security | Info Risk Management |
|---|---|
| Operationalizing & outsourcing IT security | CISO, CSO, Risk mgmt domain |
| Defensive / Reactive | Proactive |
| Manual | Automated |
| Threat driven policy development | Rules based policy development |
| Secure Infrastructure | Secure Data |
| Information Protection | Information Assurance |
| Policy Management | Policy Enforcement |
| Regulations forced upon orgs | Embrace risk & see security as a business enabler |
| Technology issues | Business issues |
Where to start?
Don'ts:
- Define baseline security levels (bottom up)
Do's:
- Use the CIA Rating methodology to rate applications
- Define controls per rating
- Implement & evaluate
CIA Triad, the base of Information Security: Confidentiality, Integrity, Availability
How does it work? C-I-A rating: each rating is determined by Business Impact on a scale of 1-3 (1 = low, 3 = high).
Result: C3-I3-A2 = 3-3-2; C2-I2-A1 = 2-2-1
A model used by a large customer today: Business Impact Reference Table (BIRT)

Business Impact Rating by Financial Impact (ALE):

| Business Impact Rating | 1 | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|---|
| Financial Impact (ALE) | <25K | <50K | <100K | <250K | <500K | <1Mln |

Non-Financial Impact:

| | Low | Moderate | Major/Catastrophic |
|---|---|---|---|
| Regulatory | Little or no impact | Risk of increased # of external audits | Risk of suspension of business |
| Reputation | No publicity & damage | Risk of local bad press & mid term damage | Sustained international bad press & long term damage |
| Personal Security | No social or political threat & no physical harm | Risk of physical threat due to crime, demonstrations, terrorism | Loss of life, catastrophic impact - no business continuity |
| Information classification (CIA rating) | 1 | 2 | 3 |
Once classified, let's talk about the controls: Control Matrix for Confidentiality & Integrity

| Category | Control | Public (C-1 & I-1) | Confidential (C-2 & I-2) | Secret (C-3 & I-3) |
|---|---|---|---|---|
| Logon | User ID | Optional | Standard format | Standard format |
| Logon | Password | Optional | Yes | Multi Factor |
| Logon | Ageing | Optional | Yes | Multi Factor |
| Logon | Re-Use | Optional | No | No |
| Access Control | User Authentication | Optional | One Factor | Multi Factor |
| Access Control | Lock out | Optional | 3 unsuccessful attempts | 3 unsuccessful attempts |
| Access Control | Unlock | Optional | Manually | Manually |
| Access Control | Role Based | No | Least Privilege | Least Privilege |
| Access Control | Rights Review | No | Annual | Quarterly |
| Malicious Code Protection | Automatic Scan | Mandatory | Mandatory | Mandatory |
| Malicious Code Protection | Automatic Update | Mandatory | Mandatory | Mandatory |
| Security Monitoring | Event logging | Optional | Mandatory | Mandatory |
| Security Monitoring | Reporting | Monthly | Daily | Real time |
| Security Monitoring | On-line retention | Optional | 60 days | 90 days |
| Vulnerability Management | Patch Management | Within 3 months after issue | Within 3 months after issue | Within 3 months after issue |
| Unstructured Data | Email | Cleartext | Cryptographic Protection | Cryptographic Protection |
| Unstructured Data | Documents/Data Transmission | Cleartext | Cryptographic Protection | Cryptographic Protection |
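An added example in Python (not from the slides) that ties the C-I-A rating to the control matrix: it encodes the matrix as minimum requirements per rating and reports which of an application's current controls fall short. The control names, ordinal scales and the sample HR application are constructed for this example, and it assumes the stricter of C and I selects the matrix column.

```python
# Added example: compare an application's current controls with the C&I control matrix.
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    name: str
    required: dict     # tier 1=Public, 2=Confidential, 3=Secret -> minimum acceptable value
    satisfies: object  # callable(actual, required) -> True when the requirement is met

def at_least(scale):
    """Ordinal check on a strength scale listed weakest first."""
    return lambda actual, req: scale.index(actual) >= scale.index(req)

# Control names and scale values are this example's own; cell values follow the matrix.
MATRIX = [
    Control("user_authentication", {1: "none", 2: "one_factor", 3: "multi_factor"},
            at_least(["none", "one_factor", "multi_factor"])),
    Control("rights_review", {1: "none", 2: "annual", 3: "quarterly"},
            at_least(["none", "annual", "quarterly"])),
    Control("reporting", {1: "monthly", 2: "daily", 3: "real_time"},
            at_least(["monthly", "daily", "real_time"])),
    Control("email_protection", {1: "cleartext", 2: "cryptographic", 3: "cryptographic"},
            at_least(["cleartext", "cryptographic"])),
    Control("event_logging", {1: False, 2: True, 3: True}, lambda a, r: a or not r),
    Control("online_retention_days", {1: 0, 2: 60, 3: 90}, lambda a, r: a >= r),
    # Lock-out after at most N failed attempts; None = Optional (no lock-out required).
    Control("lockout_attempts", {1: None, 2: 3, 3: 3},
            lambda a, r: r is None or (a is not None and a <= r)),
    Control("password_reuse_allowed", {1: True, 2: False, 3: False}, lambda a, r: r or not a),
]

def required_tier(c: int, i: int) -> int:
    """Assumption: the matrix column is chosen by the stricter of C and I (C3-I2 -> Secret)."""
    return max(c, i)

def find_gaps(c: int, i: int, actual: dict) -> dict:
    """Return {control: (actual, required)} for every control that falls short.
    A control missing from `actual` counts as the weakest (tier-1) setting."""
    tier = required_tier(c, i)
    gaps = {}
    for ctl in MATRIX:
        have = actual.get(ctl.name, ctl.required[1])
        if not ctl.satisfies(have, ctl.required[tier]):
            gaps[ctl.name] = (have, ctl.required[tier])
    return gaps

# Constructed sample: an HR application rated C3-I2-A2 and its current settings.
SAMPLE_HR_APP = {"user_authentication": "one_factor", "rights_review": "annual",
                 "reporting": "daily", "email_protection": "cryptographic", "event_logging": True,
                 "online_retention_days": 60, "lockout_attempts": 5, "password_reuse_allowed": False}
```

For the sample, `find_gaps(3, 2, SAMPLE_HR_APP)` reports five shortfalls against the Secret column (authentication, rights review, reporting, retention and lock-out), while the same application rated C1-I1 has none.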
What to consider? [diagram: a Social security # (sample value 123.456.789) flowing from Production to Test / Dev, Backup, Application, Privileged Users and End Users; the open questions are where Data Masking applies and whether 3rd party or outsourced testers see the real value]
Solution Overview [series of diagrams layering controls onto the same flow: Data Masking replaces the Social security # in Test / Dev with a masked value; Advanced Security Option encrypts the value (shown as xyz.i@u.q#1) for the Application and Privileged Users; Secure Backup leaves only scrambled data in the Backup; Database Vault separates the CRM, HR and FIN data from Privileged Users; Database Firewall in front of the database blocks SQL Injection from Outsiders/Hackers]
Database Defense-in-Depth
- Encryption & Masking: Oracle Advanced Security, Oracle Secure Backup, Oracle Data Masking
- Access Control: Oracle Database Vault, Oracle Label Security
- Auditing & Monitoring: Oracle Audit Vault, Oracle Configuration Management, Oracle Total Recall
- Blocking & Logging: Oracle Database Firewall
For More Information: search.oracle.com (search "Security") or oracle.com
Lars.Klumpes@oracle.com, +31611950134