Intelligent Security Design, Development and Acquisition


Intelligent Security Design, Development and Acquisition (PAGE 1)
Presented by Kashif Dhatwani, Security Practice Director, BIAS Corporation

Agenda (PAGE 2)
- Introduction
- Security Challenges
- Securing the New Perimeter
- Information Security Spectrum
- Standards & Compliance
- Threats/Challenges & Industry Best Practices
- References
- Q & A

Research and Analysis (PAGE 3)
- 67% of CIOs feel the impact of mobile computing is greater than the impact of the Internet in the 90s
- 90%+ of companies provide mobile applications
- 89% of users use mobile devices to connect to corporate networks
- 62% of companies will use social networking to connect with customers
- 33% of organizations do not evaluate security while selecting a cloud provider
- 66% of today's data resides in relational databases
- 88%: misuse of privileged access, as per the 2014 Verizon Data Breach report

Information Security Challenges (PAGE 4)
Word-cloud graphic with the terms: system, security, breach, threat, hacking, financial, public sector, information, retail, technology.

Information Security Challenges (PAGE 5)
Why Government?
- California is the eighth largest economy in the world and is a prime target for attacks
- The State's information assets are vital resources that contain various types of sensitive data, including Social Security Numbers and tax and health related information
- Insufficient resources to implement security controls
- Private and public sector integrated IT solutions
- Processing credit card data
- The forecast average loss for a breach of 1,000 records is between $52,000 and $87,000
- 60% of incidents were attributed to errors made by system administrators, the prime actors responsible for a significant volume of breaches and records

Transformation of Perimeter: The New Perimeter (PAGE 6)
- Traditionally, the emphasis has been on protecting networks
- People need to collaborate, but they are not always trusted employees
- Data being accessed can include structured and unstructured data (documents, e-mails)
- Users are continually on the move, as is the information, bringing in new points of control that require verifying identities and permission to access information
- Cloud is also creating an additional layer of complexity, where data and applications are outside the traditional enterprise boundaries

Securing the New Perimeter: Core Principles (PAGE 7)
- Think inside out: the threats are outside, but the risks are largely inside.
- Develop a defense-in-depth strategy: create a framework of overlapping controls to address vulnerabilities.
- Simplify the user experience: when security becomes a productivity barrier, controls get worked around.
- Design for compliance: security is as important to shareholder value as good accounting, and regulatory controls are on the rise.

Information Security Spectrum (PAGE 8)
- Identity Management: single source of truth; provisioning / de-provisioning; SoD (separation of duties)
- Access Management: access control; authentication; authorization; single sign-on; multi-factor authentication
- Mobile Security: security container; single sign-on; application management
- Data Security: protect your data at rest and in transit; data access authentication; data access fine-grained control; auditing
- Governance and Compliance: shown as cross-cutting headings on the slide, with no separate items listed

Standards & Compliance: NIST SP 800-53 Security Families (PAGE 9)
- Access Control
- Audit & Accountability
- Awareness & Training
- Certification, Accreditation & Security Assessments
- Configuration Management
- Contingency Planning
- Identification & Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical & Environmental Protection
- Planning
- Program Management
- Risk Assessment
- System & Communication Protection
- System & Information Integrity
- System & Services Acquisition

Assurance Requirements: 5-Step Risk Evaluation Process (PAGE 10)
1. Conduct a risk assessment of the government system.
2. Map identified risks to the appropriate assurance level.
3. Select technology based on e-authentication technical guidance.
4. Validate that the implemented system has met the required assurance level.
5. Periodically reassess the information system to determine technology refresh requirements.

Levels of Assurance, NIST Special Publication 800-63-2 (PAGE 11)
Level 1
- Identity: there is no identity proofing requirement at this level.
- Authentication: simple password challenge-response protocols are allowed.
Level 2
- Identity: requires identity proofing. Both in-person and remote registration are permitted.
- Authentication: provides single-factor remote network authentication.
Level 3
- Identity: at this level, identity proofing procedures require verification of identifying materials and information. Both in-person and remote registration are permitted.
- Authentication: provides multi-factor authentication; at least two authentication factors are required.
Level 4
- Identity: remote registration is not permitted at this level. The applicant must appear in person before the registration officer. Presentation and verification of two independent ID documents or accounts is required.
- Authentication: intended to provide the highest practical remote network authentication assurance. Authentication is based on proof of possession of a key through a cryptographic protocol. Only hard cryptographic tokens are allowed.

Identity Management Threats / Challenges (PAGE 12)
- Provisioning: the proliferation of cloud applications requires organizations to provide access, and organizations must also provide needed access to their partners and customers
- De-provisioning: removing those services for the same users is also very important
- Mobile identity: we now require identification not only of users but of devices as well
- Compliance: organizations are also being challenged with new compliance requirements
- Internet of Things: brings challenges across user, device and application identities
- User repositories: across organizations, these have required custom solutions, which in turn require individual and custom approaches to consolidating identities

Identity Management Industry Practices (PAGE 13)
- Identity management in the new perimeter must address people and devices
- Identities must also have lifecycle management (provisioning, de-provisioning)
- Organizations must have 360° visibility into identities
- Organizations must implement controlled access, such as role- or attribute-based access
- Identity management solutions should provide governance and auditing as one factor of identity management
- Identity management is also one of the most important factors in mobile computing, so devices and applications are provisioned as part of the lifecycle

Access Management Threats / Challenges (PAGE 14)
- A comprehensive solution is required that holistically provides access control across applications; multiple point solutions are vulnerable to threats
- In addition to user-id and password based authentication, sensitive data must require an additional level of assurance
- Mobile and social integration is required to give customers (citizens) the ability to use their social identities to access required resources
- Platform-agnostic solutions are needed to build a common security framework
- Integration with cloud providers and achieving single sign-on are key requirements
- Multiple access locations and multiple devices bring additional challenges

Access Management Industry Practices (PAGE 15)
- Access management solutions now provide a single policy enforcement and management platform, agnostic of applications
- Federated solutions using federation protocols provide single sign-on for cloud applications using the same set of access controls as on-premise applications
- Adaptive access management systems, with fully integrated contextual and fraud detection capability, are required to detect higher risk levels and prompt for additional identification
- Advanced authentication methods in addition to user/password are common, including one-time passwords and knowledge-based access
- Mobile and social identity integration, such as Google, Yahoo and Facebook integrations, is now commonly made available in access management systems
- Mobile security capabilities are built into and integrated with access management systems to provide a single framework-based platform for access control
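The adaptive, contextual access decision described in the third bullet (detect a higher risk level, then prompt for an additional factor) can be shown end to end with a small policy evaluator. The code below is an added example written for this page, not code from BIAS Corporation or from any Oracle product; the entitlement table, the risk signals, their weights and the thresholds are illustrative assumptions, and the role check layered under the risk score follows the role-based access mentioned on the identity management slide.

```python
"""Adaptive (contextual) access decision: entitlement check plus risk score.

Added example for this page, not BIAS or Oracle code.  Signal weights,
thresholds and the entitlement table are illustrative assumptions.
"""
from dataclasses import dataclass

# Hypothetical entitlement table: which roles may reach a resource and how
# sensitive it is (1 = low, 3 = high).  More sensitive resources tolerate
# less contextual risk before an additional factor is demanded.
ENTITLEMENTS = {
    "intranet": {"roles": {"employee", "hr", "admin"}, "sensitivity": 1},
    "payroll": {"roles": {"hr", "admin"}, "sensitivity": 3},
}

STEP_UP_THRESHOLD = {1: 60, 2: 40, 3: 20}  # risk score that triggers step-up (assumed)
DENY_THRESHOLD = 80                          # risk score that refuses the request (assumed)


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    resource: str
    known_device: bool        # device previously seen for this user
    managed_device: bool      # device enrolled in device management
    geo_country: str          # country of the request's source address
    home_country: str         # user's usual country
    local_hour: int           # 0-23 at the user's location
    failed_logins_last_hour: int = 0


def risk_score(req: AccessRequest):
    """Sum illustrative weights for each risky contextual signal present."""
    score, reasons = 0, []
    if not req.known_device:
        score += 30
        reasons.append("unknown device")
    if not req.managed_device:
        score += 20
        reasons.append("unmanaged device")
    if req.geo_country != req.home_country:
        score += 25
        reasons.append("unusual country")
    if req.local_hour < 6 or req.local_hour > 22:
        score += 10
        reasons.append("outside usual hours")
    if req.failed_logins_last_hour >= 3:
        score += 30
        reasons.append("recent failed logins")
    return score, reasons


def decide(req: AccessRequest, entitlements=ENTITLEMENTS):
    """Role entitlement first; contextual risk decides allow / step-up / deny."""
    ent = entitlements.get(req.resource)
    if ent is None or not (req.roles & ent["roles"]):
        return "deny", ["no entitlement for resource"]
    score, reasons = risk_score(req)
    if score >= DENY_THRESHOLD:
        return "deny", reasons
    if score >= STEP_UP_THRESHOLD[ent["sensitivity"]]:
        return "step-up", reasons  # prompt for an additional factor, e.g. a one-time password
    return "allow", reasons


if __name__ == "__main__":
    # Constructed sample requests: same HR user, from the office and from abroad.
    office = AccessRequest("alice", frozenset({"hr"}), "payroll", True, True, "US", "US", 10)
    abroad = AccessRequest("alice", frozenset({"hr"}), "payroll", False, False, "FR", "US", 10)
    for req in (office, abroad):
        print(req.resource, decide(req))
```

The point of keeping the entitlement check separate from the risk score is that a user who is not entitled to a resource is never offered a step-up prompt at all; the additional factor only raises assurance for users who already hold the role.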

Access Management Industry Practices (PAGE 16)
Diagram: Web Access Management (WAM) with Federated, Authentication, Authorization and Web Services components. Callouts:
- Administrator configures WAM to protect applications
- Administrator configures trusted connections to the cloud provider
- Entitlements are configured to provide finer control over applications and services
- Web services are protected using a common set of WS-Security policies

Mobile Security Threats / Challenges, NIST Special Publication 800-124 (PAGE 17)
- Enterprise data and personal data exist together: personal and enterprise mobile applications are used from the same device
- How do you apply security controls to the same device used in multiple contexts?
- Malware targets mobile platforms because they provide access to credentials
- Lost or stolen devices are another threat, where corporate data may have been compromised
- Management of applications is another challenge, which can result in theft of data due to misuse or abuse of privileged access
- Modifying security settings on mobile applications
- Not understanding the terms and conditions of how data is used

Mobile Security Industry Practices (PAGE 18)
Identity
- Providing the capability to provision applications and resources is a key factor
- A change in a user's role should trigger a change in application access, along with location and schedule
Containerization
- Providing separation of business and personal data
- Single sign-on for mobile applications with a certificate- and strong-password-based approach
Mobile Device & Application Management
- Provide the opportunity to encrypt data and applications within the mobile device
- No cached credentials, and re-use of the corporate identity (users, roles and policies)
- Secure containers are required to wipe only corporate data, so employees have the freedom to use personal applications on the same device
- Business application stores are being developed as part of pre-built solutions to provide white-listed apps

Data Security Threats / Challenges (PAGE 19)
- Most enterprises do not have a comprehensive database security strategy
- According to a study by the IOUG, 71% of organizations have no controls to prevent application bypass attacks
- Most agree that database security doesn't get the priority and investment it needs, leaving the organization vulnerable
- Enterprises tend to focus on detective controls rather than taking preventive measures for database security, and may not be achieving the outcome expected
- Privileged database access is also a cause of insider threats
- How do you detect and prevent attacks on databases?
- How do you make sure that non-DBA users do not see data by accessing files directly?

Data Security Industry Practices (PAGE 20)
Prevention should be a top priority
- Although database monitoring is essential to track data access, it doesn't prevent hackers from stealing information. Enterprises need to start making the most of their investments by implementing preventive controls to defend against real-time threats.
Focus on an enterprise-wide database security strategy
- A comprehensive database security strategy ensures investments address the three key pillars (foundation, detection and prevention) across the critical databases.
- Don't just focus on one or two critical databases, but on all databases that store sensitive data.
- Discover and classify your databases, noting which ones hold private and sensitive data such as credit card numbers and Social Security Numbers.
- Make database security part of the database infrastructure.
Single-vendor solutions offer stronger security and can lower cost
- When looking for a database security solution, look for vendors that offer a comprehensive set of technologies to support your entire database security strategy, with capabilities for data masking, encryption, auditing, monitoring, firewall, vulnerability assessment, access control and patch management. We find that a single-vendor solution offers stronger security and lower cost, and helps avoid cobbling together point solutions.

Trends and Practices: Data Security (PAGE 21)
MITIGATE database bypass
- Prevent access to data at the OS, storage, network and media layers
- Data encryption for data at rest, in transit and on media
- Separation of duties for key management
PREVENT application bypass
- Privileged user access control to limit access to application data
- Multi-factor authorization for enforcing enterprise security policies
- Secure application consolidation
CONSOLIDATE auditing and compliance
- Database auditing, centralized audit policies
- Consolidate, secure and analyze the audit trail; alert on suspicious activities
- Report for compliance and security; automate the database audit workflow
MONITOR database traffic and block threats
- Monitor database traffic over the network
- Block threats like SQL injection attacks before they reach databases
- Enforce normal database activity; lightweight monitoring
PROTECT all database environments
- Sensitive data discovery for production
- Secure database lifecycle management, configuration scanning, patch automation
- Mask data for non-production development and test
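The MONITOR pillar above (watch database traffic, enforce normal activity, block statements such as SQL injection before they reach the database) rests on one mechanism: learning the shapes of statements an application normally issues and flagging anything else. The following is an added example written for this page, not code from Oracle's database firewall product or from BIAS Corporation. It fingerprints each SQL statement by replacing literals with a placeholder, builds an allow-list from a constructed baseline captured in a trusted period, and then classifies new statements; the baseline statements and the checked statements are constructed sample input, and the normalisation rules are a simplification of what a real grammar-based product does.

```python
"""Database-activity allow-list monitor (added example, not Oracle or BIAS code).

A statement's "fingerprint" is its shape with string and numeric literals
replaced by '?'.  Ordinary parameter variation keeps the same shape; an
injected clause or a statement the application never issues changes the
shape and is blocked.  Simplified normalisation, assumed for illustration.
"""
import re

_LITERAL = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")  # quoted strings, numbers
_WS = re.compile(r"\s+")
_PUNCT = re.compile(r"\s*([,=()<>])\s*")                   # drop spaces around punctuation


def fingerprint(sql: str) -> str:
    """Normalise a statement to its structural shape."""
    shape = _LITERAL.sub("?", sql)
    shape = _WS.sub(" ", shape).strip().upper()
    return _PUNCT.sub(r"\1", shape)


class QueryMonitor:
    """Learns allowed statement shapes, then allows or blocks new statements."""

    def __init__(self):
        self.allowed = set()

    def learn(self, baseline):
        """Baseline: statements observed from the application in a trusted period."""
        for sql in baseline:
            self.allowed.add(fingerprint(sql))

    def check(self, sql):
        """Return ('allow' | 'block', fingerprint) for one statement."""
        fp = fingerprint(sql)
        return ("allow" if fp in self.allowed else "block", fp)

    def scan(self, statements):
        """Return the statements whose shape was never seen in the baseline."""
        return [sql for sql in statements if self.check(sql)[0] == "block"]


# Constructed baseline: what the (hypothetical) application normally sends.
BASELINE = [
    "SELECT id, name FROM accounts WHERE id = 7",
    "UPDATE accounts SET email = 'a@example.org' WHERE id = 7",
    "INSERT INTO audit_log (who, what) VALUES ('app', 'login')",
]

# Constructed traffic to classify: two normal calls, one tampered WHERE clause,
# and one statement the application never issues (a direct table read).
TRAFFIC = [
    "SELECT id, name FROM accounts WHERE id = 9001",
    "update accounts set email = 'b@example.org' where id = 9001",
    "SELECT id, name FROM accounts WHERE id = 9001 OR 1=1",
    "SELECT card_number FROM credit_cards",
]


def build_monitor():
    monitor = QueryMonitor()
    monitor.learn(BASELINE)
    return monitor


if __name__ == "__main__":
    monitor = build_monitor()
    for sql in TRAFFIC:
        verdict, fp = monitor.check(sql)
        print(f"{verdict:5} {fp}")
```

Because the fingerprint ignores literal values and letter case, the two normal statements in the constructed traffic match the baseline even though their parameters and casing differ, while the statement with an extra `OR` clause and the direct read of a table the application never touches both fall outside the allow-list. In practice the baseline is learned over a representative period and reviewed before enforcement is switched from alert to block, which is the "lightweight monitoring" step before "block threats" on the slide.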

Reference 1: Access Control / Single Sign-On, Identity Management / Federated Access (PAGE 22)
Diagram:
- Federation / SSO: federated SSO to cloud providers (examples) and to external users (citizens)
- Authentication / SSO: on-premise applications (examples: internal web applications, and web applications backed by LDAP)
- Identity Operations: identity proofing; identity management (provisioning, de-provisioning, access privileges / approval / request); role-based access

Reference 2: Access Control, Single User Account / Single Logon, Homeland Security Presidential Directive (HSPD 12) (PAGE 23)
Diagram: external entity users and internal users reach portal applications, a document management system, and .NET and Java / J2EE web applications; internal identities are virtualized across RACF and LDAP.

Thank You (PAGE 24): Questions, Discussions, Comments

About BIAS Corporation: Who We Are (PAGE 25)
- Founded in 2000
- Distinguished Oracle Leader; Technology Momentum Award; Portal Blazer Award; Titan Award; Red Stack + HW Momentum Awards; Excellence in Innovation Award
- Management team is ex-Oracle
- Location(s): headquartered in Atlanta; regional office in Washington D.C.; offshore in Hyderabad and Chennai, India
- ~250 employees with 10+ years of Oracle experience on average
- Inc. 500|5000 fastest growing private company in the U.S. for the 6th time
- Voted best place to work in Atlanta for the 2nd year
- 33 Oracle Specializations spanning the entire stack

BIAS Expertise in Security & Identity Management (PAGE 26)
BIAS Corporation is a recognized leader in Identity & Access Management system assessment, design and implementation. As an Oracle Platinum partner, BIAS Corporation's IDM Practice provides experienced architects with expertise in assessing environments, building roadmaps and designing systems, and implements solutions using the experienced developers who are part of the BIAS IDM practice.

(PAGE 27) Oracle created the OPN Specialized Program to showcase the Oracle partners who have achieved expertise in Oracle product areas and reached specialization status through competency development, business results, expertise and proven success. BIAS is proud to be specialized in 33 areas of Oracle products, which include the following:

Contact Us (PAGE 28)
Kashif Dhatwani, Security Practice Director, BIAS
Kashif.Dhatwani@biascorp.com