Best Practice For Public Sector Information Security And Compliance

<Insert Picture Here>

Best Practices for Public Sector - Information Security & Compliance
Oracle webcast: 22nd January 2010
Audio details: 08006948154
Conference Code: 6885951
Password: 22012010

Housekeeping

• This web conference is being recorded
• All telephone lines are muted until the Q&A
• Use the chat window to register questions during the
presentations
• Registered questions will be raised during the Q&A

Agenda

• Information Security & Compliance in the Public
Sector
– Geoff Linton, Business Development Director
• Oracle Information Security
– James Anthony, Technology Director
• Q&A


Oracle End-to-End Security Architecture

Geoff Linton – Business Development Director
EMEA Public Sector

Agenda

• What Security Issues Are Our Customers
Facing?
• Reduce online fraud and simplify user login issues with Single
Sign On
• Automate Employee Onboarding/Offboarding with Identity
Management
• Protect your sensitive database data from unauthorized use
• Simplify management of structured and unstructured content
• Streamline Compliance efforts using automated tools

Oracle Confidential - Do Not Distribute

5 Questions
to ask yourself…


1. Do you always know
when a security breach
has occurred?


2. How many ex-employees
and ex-contractors still
have access to your
systems?


3. Do your DBAs know
your financial results or
costs of project before
the Chief Executive or
the Chief Financial
Officer?

4. Can you guarantee
protection of your
employee and customer
personal information?


5. How much are manual
compliance controls
costing your
organisation?


The Evolution

1996 2009
• Script Kiddies • Organised Crime

• Web Site Defacement • Industrial Espionage

• Viruses • Identity Theft

• Denial of Service • Constant Threat


The Impact

INTANGIBLE ASSETS

BRAND EQUITY ―21% of enterprises are
worried about a decline in
stock price [resulting from a
CONFIDENCE security breach]‖
—Forrester, April 2006, Aligning
Data Protection Priorities With
Risks
STAKEHOLDER VALUE


Delivering the Services

Controlling Cost;

Delivering Service;

Operational Effectiveness;

Safe & Secure;


Why Is This Hard? Let’s Look at Today’s “New Normal”
Users, Systems, Globalization and Compliance Have Increased Complexity

Service Level Compliance & IT Records Anti-Money
Compliance Ethics Programs Governance Retention Laundering

Financial Supply Chain
Audit Legal Data Privacy
Reporting Traceability
Management Discovery
Compliance

Users
Finance Suppliers R&D Mfg Sales HR Legal Customers

Systems
Enterprise Data Database Mainframes Mobile Devices Apps
Applications Warehouse Server

Globalization

Mandates SOX JSOX
EU
Directives FDA Basel II HIPAA GLBA Patriot
Act SB1386 PCI…


Corporate Identity Challenges
PSFT EPM Unix AD SecurID Oracle

Need Tools for:
• Account Discovery
Jberry Bbanks A49320 Cooperl Skeeti Sequensh
Esiegel Lsulley A39943 Tinleyj Frenetc Welchj • Account Mapping
Jrowland Lbitmore A49454 Harrisd Smileys Pettyr • Account Provisioning
Mfriedel Ltimble A93934 wooc Entrald Robertsj
Sbenson Aboyle A39485 Rowlandr Novacho Julianr
• Account Risk Analysis
Thanks Bcoldwel A49382 Bensons Alvarag Nantpre • Account Disable / Removal
Jwayne Dparis A48382 Quinleys Narlersh Enaget
Tcarrol Clriot A49382 Harminb Woodst Jhancock
Sharris
Bwhite
Etear
Smackay
A39485
A29483
Travolta
Francek
Nicklausj
Hoganb
Johnh
Hanwayv
Need solutions to provide
Ddailey Mturner A49583 Lipperd Palmera Composi • Central audit
Eheiden Mmclain A49382 Skatee Dimarcoc Initalialy
Clayton trail/accountability
Lball Mcpasch A49302 Marinoe Perryk cwoo
Hwiggins Jpasch A42845 Flamingo Beards Stickler Woo • Secure delegation of admin.
Cjohnson claytonw A20184 Russiak cw33 Bourne • Automated workflow/approvals
Cwillis Tdean A49284 Crowd Fusar Fusar
c_woo Jtorville A49248 Pazzaz Poli Margoliao
• Security policy enforcement
Mthomas Cdean A50824 Daoudc Margaglio Navka • Standards-based interfaces
Browland Nreagan A42948 Louf Lithowan Koskoma
Mprehn Rnixon A49274 Peizerat Vanagas Hackinsa
Ggoodnow Gbush A37520 Anissina Lightes Newjers
Slake Jvance A49294 Ferrisb Naugano Shara
Bblake Jcarpent A03749 Lupers Footman Alexander
Fjohnson Mstewart A49274 Lobach Figureas Sasha
Galonso Lchristia A33993 Frenchj Lupesh Reuben
Slippes Jbenley A38288 Navratol Arganish Struedl
salger jmackay A48228 dellm Delegant tangor
ralnc493 ralnc493 ralnc493 ralnc493 ralnc493 ralnc493


Data is Being Compromised at Record Pace


The Goals of Oracle’s Security Strategy

Simplify GRC while Reducing Cost

Safeguard Brand and Reputation

Run Your Business Better and Prove It


What Have Our Customers Asked For?
Automate and Centralize Security and Compliance

• Simplify the Sign On process for end users

• Manage ‗Who has access to What, When, How
and Why‘ for SOX, FFIEC, GLBA and PCI
compliance

• Automate On-boarding, Termination and Job
Transfer processes for tighter security

• Detect and remediate fraudulent activities
against both outside and inside threats

• Enforce segregation of duties and Chinese Wall
regulatory mandates

• Protect Data from compromise


Common Deficiencies Found by Auditors

• Delay in terminating access:
– Auditors check how long it takes between when an employee leaves a company and when
all his or her access privileges are turned off.

• Built up privileges over time:
– Auditors know that people often change jobs within the company. They also know that it is
less common to reduce access than to grant it. Auditors check whether employees have
more access than they need to do their current job.

• Access transactions in conflict:
– Auditors are looking for employees who have access to systems that are in conflict with
business rules. A classic example of this is when a user can specify vendors for payment in
one system, and can issue payment to that same vendor in another.

• Uncontrolled access authorizations:
– Auditors look for a controlled business process for granting and denying access privileges. If
your system for provisioning access privileges is a series of random e-mails between
business managers and the IT department, auditors see a red flag

• Lax password policy enforcement:
– Auditors want to see that all key systems are guarded by a manageable, enforceable
password policy.

Solve “Deficiencies Found by Auditors”
• Enforce segregation of duties:
– Identity management standardizes user access by role, organization, and geographic location. It
also enables you to state users with Accounts Payable cannot also access Purchasing

• Restrict access
– Identity management centralizes your security policies, including user permissions, privileges,
and profile data, and applies these policies across your entire infrastructure, restricting access to
sensitive data, applications, operating systems, and key infrastructure.

• Automate access management
– Identity management provides an environment where privileges are created, approved, and
issued via an automated workflow process. When a person changes roles or leaves the
company, the workflow process automatically deletes the old set of access privileges
immediately

• Provide automated reports
– Identity management can produce regularly scheduled attestation reports for management
review and detailed reports of access, based on automatically captured and aggregated audit
data

• Demonstrate controls are in place and working
– Identity management provides the detailed audit data and reports you need to prove that you
have the necessary controls in place and that they are working.

A Typical “3-Tier” Enterprise Environment

Employees
Customers Web
Partners Services Web
(External) Services
(Internal)
Portal
Web
and App
Servers
Servers
BI and
Content
Email / Management
File
Presentation Servers
Tier
Packaged Apps
(PSFT, EBS,
Directories
Hyperion, Siebel,
SAP)
Mainframe
Logic Unstructured
Content
(Business) Data
Tier Data Warehouses
Databases
Tier
22


Presentation Tier Issues

Authentication Issues
1. Who is this user?
2. How can I be sure they are
who they say they are?

Employees
Customers Web
Partners Services Authorization Issues Web
(External) Services
How can I control access to my
(Internal)
Web Web Apps and Web Services in
Portal
and App
one place?
Servers
Servers
BI and
Content
User Access Issues Email / Management
How can I simplify access to File
ALL of my applications using
Tier Single Sign On?
Packaged Apps
(PSFT, EBS,
• Web-based (Oracle and
Self Service and Account Directories
Hyperion, Siebel,
Non-Oracle apps)
Management SAP)
Mainframe
• Client / Server-based apps
How Can I expose Self- Logic
Unstructured
Content
(Business)
Registration, Self Administration • Across Companies using Data
and Password Reset? Tier Standards
Data Warehouses
Databases
Tier


Presentation Tier Solutions

Risk-Based Authentication
 Deploy Online Fraud Detection
 Use stronger forms of
Authentication than a password
like software authenticators
Employees
Customers Web
(External)
Centralize Authorization
Services
(Internal)
Centralize the protection of
Portal
your Web Applications AND
Web
and App
Web Services
Servers
Servers
BI and
Content
Single Sign On Email / Management
Simplify User Access with SSO:File
Tier 1. Web-based Apps
Packaged Apps
2. Client / Server-based Apps
(PSFT, EBS,
Directories
Self Service Hyperion, Siebel,
3. Partners with Federation
SAP)
Deploy web-based, self-help tools Mainframe
Logic
for Password Reset, Registration
Unstructured
Content
(Business)
and Account Administration Data
Databases
Tier


Logic (Business) Tier Issues
Identity Management
Password Management How can I automate
How can I help my onboarding and offboarding
users manage all these based on my HR system?
Role Management passwords?
How can I create ―Enterprise
Level‖ roles that span my
applications?

Employees
Customers Web
Identity Audit/Governance (External) Services
1. I don’t know ―Who Has (Internal)
Access to What?‖ Portal
Web
and App
Servers
2. It’s also very hard to Servers
know ―Who Had BI and
Access?‖ Content
3. Recertification of Email / Management
File
Presentation is very
entitlements
Servers
manual
Tier
4. How reduce the time Packaged Apps
required to generate (PSFT, EBS,
Directories
reports for audit? Hyperion, Siebel,
SAP)
Mainframe
Logic Unstructured
Content
(Business) Data
Databases
Tier


Logic (Business) Tier Solutions
Identity Management
Password Management Automate On-Boarding,
Reduce the number of Off-Boarding and User
passwords by Change based HR data
Role Management
synchronizing them
Use a system that can mine, create across systems
and manage roles at an
―Enterprise Level‖ that span many
applications
Employees
Customers Web
Identity Audit/Governance (External) Services
Use a integrated, web-based (Internal)
system to: Portal
Web
and App
Servers
• Quickly tell you ―Who Servers
Has (and Had) access BI and
to what?‖ Content
• Includes a Workflow Email / Management
File
engine
• Tier
Allows you to
schedule and delegate Packaged Apps
attestation of user (PSFT, EBS,
Directories
entitlements Hyperion, Siebel,
SAP)
Mainframe
• Notifies you about Logic Unstructured
rogue accounts Content
(Business) Data
Databases
Tier


Data Tier Issues

Encryption
How can I secure
my sensitive data
Access Control while
Employees
Customers Web  How do you lock • In-motion
Partners Services down access to Web
(External) • At-rest
Services
data
(Internal)
• Backed up
Web  Even from the Portal
most privileged and App
Servers
users and audit Servers
Database User Management the events?BI and
How can I leverage my existing Content
directories for database users Email / Management
and passwords? File
Tier
Packaged Apps
(PSFT, EBS,
Lots of Data Stores, No Directories
Hyperion, Siebel,
Common View SAP)
Mainframe
We’ve Logic of data in
got lots Unstructured
databases, directories, etc but Content
(Business) Data
can’t get a common view of it?
Databases
Tier


Data Tier Solutions

Access Control Encryption
Lock Down access Secure your data
Employees to ANY Oracle with integrated,
Customers Web tested and
Database data
proven database
(External) • Credit cards, Services
options
(Internal)
• Employee Data Portal
Web
and App
Servers
Database User Management from
Servers
unauthorized
Externalize and Centralize access…even the
BI and
users and passwords for DBA Content
database users in existing Email / Management
directories (like AD) File
Tier
Packaged Apps
(PSFT, EBS,
Lots of Data Stores, No Common Directories
Hyperion, Siebel,
View SAP)
Mainframe
Logic
Create a single ―Virtual‖ LDAP Unstructured
view of heterogeneous data Content
(Business) Data
stores (Directories, Database
Tables, Web Tier
services) Data Warehouses
Databases
Tier


Issues that Span The Tiers

Employees
Customers Web
Partners Spanning The Tiers
Services Web
(External) Services
Most applications are deployed into (Internal)
Web
production with their components Portal
Servers
spanning ALL of the tiers. and App
Servers
BI and
Content
Email / Management
File
Tier
Packaged Apps
(PSFT, EBS,
Directories
Hyperion, Siebel,
SAP)
Mainframe
Logic Unstructured
Content
(Business) Data
Databases
Tier
29


Issues that Span The Tiers

Issues Spanning Many Tiers
 IT Governance, Risk and Compliance –
How can I document my risks, assign
controls and verify their effectiveness?

 Auditing / Reporting - How can I
Employees consolidate my logs and audit data for
Customers Web
reporting and compliance?
(External) Services
(Internal)
 Systems Management and Data Masking Portal
Web - How can I simplify the management of and App
Servers all components at each of these tiers Servers
and hide sensitive information?
BI and
Content
Email / Management
 Content Management - File can I lock
How
Presentation down and manage all Servers structured
of my
Tier and unstructured data on laptops, file
shares and databases?
Packaged Apps
(PSFT, EBS,
Directories
Hyperion, Siebel,
SAP)
Mainframe
Logic Unstructured
Content
(Business) Data
Databases
Tier
30


Solutions to Issues that Span
―Monitor and Manage‖
 Establish a ―Top Down, Risk-based‖
Approach to Compliance, Risk and
Governance using an automated system

 Centralize your log and audit data into
a Secure Audit Data Warehouse for
Employees reporting and compliance purposes
Customers Web
 (External)
Centrallymonitor your web servers, Services
application servers, databases, through (Internal)
a ―single pane of glass‖ Portal
Web
and App
Servers
Servers

 Securely Move Sensitive Data between
Production, Dev and Test
Email /
File
 Manage and assign rights to ALL of your
Tier secure structured and unstructured
Packaged Apps
data(PSFT, EBS,
with Content Management and
Information Rights Management Directories
Hyperion, Siebel,
SAP)
Mainframe
Logic Unstructured
Content
(Business) Data
Databases
Tier
31


Enterprise-wide GRC Platform

Oracle delivers a comprehensive platform for
Governance, Risk and Compliance Management

Processes Insight

Risk & Compliance Mgmt Policy Mgmt
Risk & Control
Controls Management Industry Specific Intelligence

Applications
Oracle SAP Custom Legacy Other
Operational
Intelligence

Infrastructure Services
Content Mgmt
Identity &
Access Mgmt Change Mgmt Performance
Management
Data Security Data Audit
Repository


Oracle Governance, Risk, and Compliance
Best-in-Class Infrastructure Automates
Enforcement

Processes Insight
• Ensure information
Risk & Compliance Mgmt Policy Mgmt reliability with content
Controls Management Industry Specific Risk & Control security, records
Intelligence retention, and identity
management
Applications
Oracle SAP Custom Legacy Other • Protect information
Operational assets across the entire
Intelligence technology stack
Infrastructure Services
Content Mgmt • Enforce best-practice
Identity &
Change Mgmt segregation of duties,
Access Mgmt configuration and
Performance
Data Security Data Audit Management change management
Repository procedures


Oracle Governance, Risk, and Compliance
Comprehensive Applications Control Costs and Risks

Processes Insight • Standardize on
best-practice
Risk & Compliance Mgmt Policy Mgmt frameworks to meet
Controls Management Industry Specific Risk & Control evolving GRC demands
Intelligence
• Automate key GRC
Applications processes for risk
Oracle SAP Custom Legacy Other assessment, control
Operational design, policy creation,
Intelligence hotline intake, control
Infrastructure Services monitoring and case
Content Mgmt management
Identity & Change Mgmt
Access Mgmt • Streamline specialized
Performance
Data Security Data Audit Management
GRC processes for
Repository highly-regulated and
risk-sensitive industries


GRC Manager
Robust GRC process and content management

Sign-off and Publish
Certify

ü
ü ü
ü ü üü
ü ü

Remediate
ü ü
Retest Optimize
•End-to-End GRC Process
Respond

Management
Receive Review Investigate
•Integrated robust
Analyze

Alerts Reports Exceptions

process management
Perform Test Monitor
capabilities
Scope
Self Manual Automated
Audits
Assess

Assessment Controls Controls
•Centralized GRC Content
Management
Document

Risk-Control Matrix
COSO/COBIT Frameworks
Policies and Procedures
Evidence & Records Retention



Database Centric Information Security
James Anthony / Technology Director – Core Technology

The following is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into any
contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions.
The development, release, and timing of any
features or functionality described for Oracle‘s
products remains at the sole discretion of Oracle.

Oracle Confidential
37

Agenda

• Database-Centric Information Security
• Database Security
• Oracle Database Security Solutions
• Defense-in-Depth
• Q&A

Oracle Confidential
38

Business Drivers for Security

Sustaining
Compliance
Managing
EU Directive 95/46/EC, Internal
Risk Audit, Public Confidence

Corporate Malfeasance (IP
theft with layoffs),
Sophisticated Online attacks,
Identity Theft

Increasing
Business Value
Help Desk, Automation, Cost
Savings/RoI, Improved Productivity

Managing Risk
Threats Faced Business Impact Mitigate with

$
• Centralized
• Security • Data Policy
Silos breaches Management

• Orphaned • Fraud • Alerting
Accounts

• Remediation • Risk-Based
• Phishing, Costs Security
Keylogging,
MITM
• Brand • Entitlements
Damage Management
• Insider
Threats
• Customer • Privileged
Loyalty User
Management

More data than ever…

Growth
Doubles
Yearly

1,800 Exabytes

2006 2011

Source: IDC, 2008
Oracle Confidential
41

Information or Data Security?

Information = Data

Oracle Confidential
42

Database Defense-in-Depth

Monitoring
• Configuration Management
• Audit Vault

Access Control
• Database Vault
• Label Security

Encryption & Masking
• Advanced Security
Access Control • Data Masking
Monitoring

Oracle Confidential
43


Monitoring
• Audit Vault

Access Control
• Database Vault
• Label Security

Monitoring

Oracle Confidential
44

Oracle Advanced Security
Transparent Data Encryption

Disk

Backups

Exports

Application
Off-Site
Facilities

• Complete encryption for data at rest
• No application changes required
• Efficient encryption of all application data
• Built-in key lifecycle management

Oracle Confidential
45

Oracle Advanced Security
Network Encryption & Strong Authentication

• Standard-based encryption for data in transit
• Strong authentication of users and servers
• No infrastructure changes required
• Easy to implement

Oracle Confidential
46

Oracle Data Masking
Irreversible De-Identification

Production Non-Production
LAST_NAME SSN SALARY LAST_NAME SSN SALARY

AGUILAR 203-33-3234 40,000 ANSKEKSL 111—23-1111 60,000

BENSON 323-22-2943 60,000 BKJHHEIEDK 222-34-1345 40,000

• Remove sensitive data from non-production databases
• Referential integrity preserved so applications continue to work
• Sensitive data never leaves the database
• Extensible template library and policies for automation

Oracle Confidential
47


Monitoring
• Audit Vault

Access Control
• Database Vault
• Label Security

Monitoring

Oracle Confidential
48

Enterprise User Security

User authenticates to database with
1
username and password as usual

Client

Database defers authentication to 2
Oracle Directory Services

4 User is mapped to a
physical database user,
with database roles
granted

Oracle Directory Services validates
user credentials 3

Central Credential Store

• Login to multiple databases
using the same credentials

HR

CRM

Directory Services
DBA, Developer or provides central
Application User authentication
DEV

Oracle Database Vault
Separation of Duties & Privileged User Controls

Procurement
DBA
Application
HR
Finance
select * from
finance.customers

• DBA separation of duties
• Limit powers of privileged users
• Securely consolidate application data
• No application changes required

Oracle Confidential
51

Oracle Label Security
Data Classification for Access Control

Sensitive
Transactions

Confidential
Report Data
Public
Reports
Confidential Sensitive

• Classify users and data based on business drivers
• Database enforced row level access control
• Users classification through Oracle Identity Management Suite
• Classification labels can be factors in other policies

Oracle Confidential
52


Monitoring
• Audit Vault

Access Control
• Database Vault
• Label Security

Monitoring

Oracle Confidential
53

Oracle Audit Vault
Automated Activity Monitoring & Audit Reporting

HR Data ! Alerts

Built-in
CRM Data
Audit Reports

Data Custom
ERP Data
Reports

Databases Policies
Auditor

• Consolidate audit data into secure repository
• Detect and alert on suspicious activities
• Out-of-the box compliance reporting
• Centralized audit policy management

Oracle Confidential

Oracle Configuration Management
Vulnerability Assessment & Secure Configuration

Monitor

Discover Classify Assess Prioritize Fix Monitor

Asset Configuration
Policy Vulnerability Analysis &
Management Management
Management
Management Analytics
& Audit

• Database discovery
• Continuous scanning against 375+ best practices and
industry standards, extensible
• Detect and prevent unauthorized configuration changes
• Change management compliance reports

Oracle Confidential
55


Monitoring
• Audit Vault

Access Control
• Database Vault
• Label Security

Monitoring

Oracle Confidential
56

User & Role Administration
Account Provisioning & Role Management

Oracle Identity Manager
Oracle Role Manager

GRANT
REVOKE

GRANT
REVOKE

GRANT
REVOKE

Employee HR System Approval Applications
Joins / Departs Workflows

• Automate Provisioning / De-provisioning
• Automate Role Management
• Report on ―Who has access to what‖
• Self-service account requests

Access Control
End-to-end Protection

Entitlements Server Adaptive Access
Manager

• Entitlements • Risk-based
Management Authentication
• Fine Grained • Real-time Fraud
Authorization Prevention

• Web Access • Cross Domain
Control SSO
• Single Sign-On • Identity
Federation

Access Manager Identity Federation

Compliance Reporting
Web-Based Attestation
1 Set Up 2 3 Automated Action 4 Report Built
Reviewer Is Notified
Periodic
is taken based on And Results
Goes to Self Service
Review
Periodic Review Stored in DB

Reviewer Selections
Email Result
What Is Certify to User
Reviewed?

Automatically
Reject Terminate User

Who Decline Notify the
Reviews It? Process Owner

Archive
Notify Delegated
Delegate Reviewer Attested
Start When?
Data
How Often? Comments
Attestation
Actions
Delegation
Paths

Summary

• Transparent
• Integrated
• Comprehensive
• Cost-Effective

Oracle Confidential
60

Oracle Confidential
61

For More Information

Security Master classes Security Summits
27th January, 2010 Edinburgh, 4th Feb
23rd March 2010 Manchester, 11th Mar
London EC2M 2RB London, 18th Mar

Upcoming events-
oracle.com/goto/uk/security

More about solutions-
oracle.com/security

Best Practice For Public Sector Information Security And Compliance

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (16)

Similaire à Best Practice For Public Sector Information Security And Compliance

Similaire à Best Practice For Public Sector Information Security And Compliance (20)

Dernier

Dernier (20)

Best Practice For Public Sector Information Security And Compliance

Notes de l'éditeur