The document provides an agenda and details for a webcast on information security and compliance in the public sector hosted by Oracle. The agenda includes presentations on Oracle's information security and end-to-end security architecture. The document outlines common security issues faced by customers and how Oracle's solutions can help address deficiencies found by auditors through features such as centralized authorization, identity management, and role management.
Best Practice For Public Sector Information Security And Compliance
1. Best Practices for Public Sector - Information Security & Compliance
Oracle webcast: 22nd January 2010
Audio details: 08006948154
Conference Code: 6885951
Password: 22012010
2. Housekeeping
• This web conference is being recorded
• All telephone lines are muted until the Q&A
• Use the chat window to register questions during the presentations
• Registered questions will be raised during the Q&A
3. Agenda
• Information Security & Compliance in the Public Sector
– Geoff Linton, Business Development Director
• Oracle Information Security
– James Anthony, Technology Director
• Q&A
4. Oracle End-to-End Security Architecture
Geoff Linton – Business Development Director
EMEA Public Sector
5. Agenda
• What Security Issues Are Our Customers Facing?
• Reduce online fraud and simplify user login issues with Single Sign On
• Automate Employee Onboarding/Offboarding with Identity Management
• Protect your sensitive database data from unauthorized use
• Simplify management of structured and unstructured content
• Streamline Compliance efforts using automated tools
Oracle Confidential - Do Not Distribute
6. 5 Questions to ask yourself…
7. 1. Do you always know when a security breach has occurred?
8. 2. How many ex-employees and ex-contractors still have access to your systems?
9. 3. Do your DBAs know your financial results or the costs of a project before the Chief Executive or the Chief Financial Officer?
10. 4. Can you guarantee protection of your employee and customer personal information?
11. 5. How much are manual compliance controls costing your organisation?
12. The Evolution
1996: Script Kiddies; Web Site Defacement; Viruses; Denial of Service
2009: Organised Crime; Industrial Espionage; Identity Theft; Constant Threat
13. The Impact
Intangible assets at risk: Brand Equity, Confidence, Stakeholder Value
“21% of enterprises are worried about a decline in stock price [resulting from a security breach]”
—Forrester, April 2006, Aligning Data Protection Priorities With Risks
14. Delivering the Services
• Controlling Cost
• Delivering Service
• Operational Effectiveness
• Safe & Secure
15. Why Is This Hard? Let’s Look at Today’s “New Normal”
Users, Systems, Globalization and Compliance Have Increased Complexity
Compliance: Service Level Compliance; Compliance & Ethics Programs; IT Governance; Records Retention; Anti-Money Laundering; Financial Reporting; Supply Chain Traceability; Audit Management; Legal Discovery; Data Privacy
Users: Finance; Suppliers; R&D; Mfg; Sales; HR; Legal; Customers
Systems: Enterprise Applications; Data Warehouse; Database Server; Mainframes; Mobile Devices; Apps
Globalization Mandates: SOX; JSOX; EU Directives; FDA; Basel II; HIPAA; GLBA; Patriot Act; SB1386; PCI…
17. Data is Being Compromised at Record Pace
18. The Goals of Oracle’s Security Strategy
Simplify GRC while Reducing Cost
Safeguard Brand and Reputation
Run Your Business Better and Prove It
19. What Have Our Customers Asked For?
Automate and Centralize Security and Compliance
• Simplify the Sign On process for end users
• Manage “Who has access to What, When, How and Why” for SOX, FFIEC, GLBA and PCI compliance
• Automate On-boarding, Termination and Job Transfer processes for tighter security
• Detect and remediate fraudulent activities against both outside and inside threats
• Enforce segregation of duties and Chinese Wall regulatory mandates
• Protect Data from compromise
20. Common Deficiencies Found by Auditors
• Delay in terminating access:
– Auditors check how long it takes between when an employee leaves a company and when all his or her access privileges are turned off.
• Built up privileges over time:
– Auditors know that people often change jobs within the company. They also know that it is less common to reduce access than to grant it. Auditors check whether employees have more access than they need to do their current job.
• Access transactions in conflict:
– Auditors are looking for employees who have access to systems that are in conflict with business rules. A classic example of this is when a user can specify vendors for payment in one system, and can issue payment to that same vendor in another.
• Uncontrolled access authorizations:
– Auditors look for a controlled business process for granting and denying access privileges. If your system for provisioning access privileges is a series of random e-mails between business managers and the IT department, auditors see a red flag.
• Lax password policy enforcement:
– Auditors want to see that all key systems are guarded by a manageable, enforceable password policy.
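The first four findings on the slide above are all questions an identity-governance product answers by joining an HR feed against the accounts each application actually holds. The script below is an added example written for this page, not Oracle Identity Manager code and not taken from the webcast: it runs those checks over a constructed HR feed, a constructed account export and a constructed role baseline, and flags leavers whose access is still live, entitlements beyond the owner's current job, the vendor-setup/payment segregation-of-duties conflict the slide describes, and accounts with no known owner. All names, dates and the one-day grace period are assumptions.

```python
"""Access-review checks for the four auditor findings above (added example)."""
from datetime import date, timedelta

REVIEW_DATE = date(2010, 1, 22)   # the day the review runs (assumed)
GRACE = timedelta(days=1)         # how long after leaving an account may stay live (assumed)

# Constructed HR feed: employee id -> (current job role, leave date or None if still employed)
HR = {
    "e100": ("ap_clerk", None),
    "e101": ("buyer", None),
    "e102": ("analyst", date(2010, 1, 5)),   # left on 5 Jan, account still present below
    "e103": ("ap_clerk", None),
}

# Constructed account export: (system, account name, HR owner or None, entitlement, date granted)
ACCOUNTS = [
    ("finance", "e100", "e100", "issue_payment", date(2009, 3, 1)),
    ("purchasing", "e100", "e100", "create_vendor", date(2008, 6, 1)),   # kept from an old job
    ("purchasing", "e101", "e101", "create_vendor", date(2009, 1, 1)),
    ("finance", "e102", "e102", "view_reports", date(2009, 1, 1)),       # owner has left
    ("finance", "svc_batch", None, "issue_payment", date(2007, 1, 1)),   # nobody in HR owns it
    ("finance", "e103", "e103", "issue_payment", date(2009, 9, 1)),
]

# What each job role is supposed to hold (constructed baseline)
ROLE_BASELINE = {
    "ap_clerk": {("finance", "issue_payment")},
    "buyer": {("purchasing", "create_vendor")},
    "analyst": {("finance", "view_reports")},
}

# Toxic combinations: the classic "set up a vendor, then pay that vendor" conflict
SOD_RULES = [
    ({("purchasing", "create_vendor"), ("finance", "issue_payment")}, "vendor setup vs payment"),
]


def entitlements_by_owner(accounts):
    """Collapse the export to owner -> {(system, entitlement)}."""
    out = {}
    for system, _acct, owner, ent, _granted in accounts:
        out.setdefault(owner, set()).add((system, ent))
    return out


def delayed_terminations(hr, accounts, today):
    """Leavers whose accounts are still live past the grace period."""
    findings = []
    for system, _acct, owner, ent, _granted in accounts:
        if owner is None or owner not in hr:
            continue                      # reported by orphaned_accounts instead
        leave_date = hr[owner][1]
        if leave_date is not None and today - leave_date > GRACE:
            findings.append((owner, system, ent, (today - leave_date).days))
    return findings


def excess_privileges(hr, accounts):
    """Entitlements the owner's current role does not need (privileges built up over time)."""
    findings = []
    for owner, ents in entitlements_by_owner(accounts).items():
        if owner not in hr:
            continue
        role = hr[owner][0]
        extra = ents - ROLE_BASELINE.get(role, set())
        if extra:
            findings.append((owner, role, sorted(extra)))
    return findings


def sod_conflicts(accounts):
    """Owners holding every entitlement of a toxic combination."""
    findings = []
    for owner, ents in entitlements_by_owner(accounts).items():
        for toxic, name in SOD_RULES:
            if toxic <= ents:
                findings.append((owner, name))
    return findings


def orphaned_accounts(hr, accounts):
    """Accounts with no owner, or an owner HR has never heard of."""
    return [(s, a) for s, a, owner, _e, _g in accounts if owner is None or owner not in hr]


def run_review(today=REVIEW_DATE):
    """Everything an auditor would ask for, in one dictionary."""
    return {
        "delayed_terminations": delayed_terminations(HR, ACCOUNTS, today),
        "excess_privileges": excess_privileges(HR, ACCOUNTS),
        "sod_conflicts": sod_conflicts(ACCOUNTS),
        "orphaned_accounts": orphaned_accounts(HR, ACCOUNTS),
    }


if __name__ == "__main__":
    for finding, rows in run_review().items():
        print(finding, rows)
```

Each check is deliberately a pure function over the two feeds, so the same code can be pointed at a real HR extract and a real account export; the role baseline is the part that takes the most work in practice, since it is what "more access than they need to do their current job" is measured against.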
21. Solve “Deficiencies Found by Auditors”
• Enforce segregation of duties:
– Identity management standardizes user access by role, organization, and geographic location. It also enables you to state that users with Accounts Payable access cannot also access Purchasing.
• Restrict access:
– Identity management centralizes your security policies, including user permissions, privileges, and profile data, and applies these policies across your entire infrastructure, restricting access to sensitive data, applications, operating systems, and key infrastructure.
• Automate access management:
– Identity management provides an environment where privileges are created, approved, and issued via an automated workflow process. When a person changes roles or leaves the company, the workflow process automatically and immediately deletes the old set of access privileges.
• Provide automated reports:
– Identity management can produce regularly scheduled attestation reports for management review and detailed reports of access, based on automatically captured and aggregated audit data.
• Demonstrate controls are in place and working:
– Identity management provides the detailed audit data and reports you need to prove that you have the necessary controls in place and that they are working.
22. A Typical “3-Tier” Enterprise Environment
[Diagram: Employees, Customers and Partners reach the Presentation Tier (Web Services external and internal, Portal, Web and App Servers, Email / File Servers); the Logic (Business) Tier holds BI and Content Management, Packaged Apps (PSFT, EBS, Hyperion, Siebel, SAP), Mainframe and Directories; the Data Tier holds Unstructured Content, Data Warehouses and Databases]
23. Presentation Tier Issues
Authentication Issues
1. Who is this user?
2. How can I be sure they are who they say they are?
Authorization Issues
How can I control access to my Web Apps and Web Services in one place?
User Access Issues
How can I simplify access to ALL of my applications using Single Sign On?
• Web-based (Oracle and Non-Oracle apps)
• Client / Server-based apps
• Across Companies using Standards
Self Service and Account Management
How can I expose Self-Registration, Self Administration and Password Reset?
[Diagram: the three-tier environment from slide 22, with these questions placed against the Presentation Tier]
24. Presentation Tier Solutions
Risk-Based Authentication
Deploy Online Fraud Detection. Use stronger forms of Authentication than a password, like software authenticators.
Centralize Authorization
Centralize the protection of your Web Applications AND Web Services.
Single Sign On
Simplify User Access with SSO:
1. Web-based Apps
2. Client / Server-based Apps
3. Partners with Federation
Self Service
Deploy web-based, self-help tools for Password Reset, Registration and Account Administration.
[Diagram: the three-tier environment from slide 22, with these solutions placed against the Presentation Tier]
25. Logic (Business) Tier Issues
Identity Management
How can I automate onboarding and offboarding based on my HR system?
Password Management
How can I help my users manage all these passwords?
Role Management
How can I create “Enterprise Level” roles that span my applications?
Identity Audit/Governance
1. I don’t know “Who Has Access to What?”
2. It’s also very hard to know “Who Had Access?”
3. Recertification of entitlements is very manual
4. How do I reduce the time required to generate reports for audit?
[Diagram: the three-tier environment from slide 22, with these questions placed against the Logic (Business) Tier]
26. Logic (Business) Tier Solutions
Identity Management
Automate On-Boarding, Off-Boarding and User Change based on HR data.
Password Management
Reduce the number of passwords by synchronizing them across systems.
Role Management
Use a system that can mine, create and manage roles at an “Enterprise Level” that span many applications.
Identity Audit/Governance
Use an integrated, web-based system that:
• Quickly tells you “Who Has (and Had) access to what?”
• Includes a Workflow engine
• Allows you to schedule and delegate attestation of user entitlements
• Notifies you about rogue accounts
[Diagram: the three-tier environment from slide 22, with these solutions placed against the Logic (Business) Tier]
27. Data Tier Issues
Encryption
How can I secure my sensitive data while
• In-motion
• At-rest
• Backed up
Access Control
How do you lock down access to data, even from the most privileged users, and audit the events?
Database User Management
How can I leverage my existing directories for database users and passwords?
Lots of Data Stores, No Common View
We’ve got lots of data in databases, directories, etc. but can’t get a common view of it.
[Diagram: the three-tier environment from slide 22, with these questions placed against the Data Tier]
28. Data Tier Solutions
Access Control
Lock Down access to ANY Oracle Database data
• Credit cards
• Employee Data
from unauthorized access…even the DBA.
Encryption
Secure your data with integrated, tested and proven database options.
Database User Management
Externalize and Centralize users and passwords for database users in existing directories (like AD).
Lots of Data Stores, No Common View
Create a single “Virtual” LDAP view of heterogeneous data stores (Directories, Database Tables, Web services).
[Diagram: the three-tier environment from slide 22, with these solutions placed against the Data Tier]
29. Issues that Span The Tiers
Spanning The Tiers
Most applications are deployed into production with their components spanning ALL of the tiers.
[Diagram: the three-tier environment from slide 22]
30. Issues that Span The Tiers
Issues Spanning Many Tiers
IT Governance, Risk and Compliance – How can I document my risks, assign controls and verify their effectiveness?
Auditing / Reporting – How can I consolidate my logs and audit data for reporting and compliance?
Systems Management and Data Masking – How can I simplify the management of all components at each of these tiers and hide sensitive information?
Content Management – How can I lock down and manage all of my structured and unstructured data on laptops, file shares and databases?
[Diagram: the three-tier environment from slide 22, with these questions placed across all tiers]
31. Solutions to Issues that Span
“Monitor and Manage”
Establish a “Top Down, Risk-based” Approach to Compliance, Risk and Governance using an automated system.
Centralize your log and audit data into a Secure Audit Data Warehouse for reporting and compliance purposes.
Centrally monitor your web servers, application servers and databases through a “single pane of glass”.
Securely Move Sensitive Data between Production, Dev and Test.
Manage and assign rights to ALL of your secure structured and unstructured data with Content Management and Information Rights Management.
[Diagram: the three-tier environment from slide 22, with these solutions placed across all tiers]
32. Enterprise-wide GRC Platform
Oracle delivers a comprehensive platform for Governance, Risk and Compliance Management
Processes: Risk & Compliance Mgmt; Policy Mgmt; Controls Management; Industry Specific
Insight: Risk & Control Intelligence; Operational Intelligence
Applications: Oracle; SAP; Custom; Legacy; Other
Infrastructure Services: Content Mgmt; Identity & Access Mgmt; Change Mgmt; Performance Management; Data Security; Data Audit Repository
33. Oracle Governance, Risk, and Compliance
Best-in-Class Infrastructure Automates Enforcement
• Ensure information reliability with content security, records retention, and identity management
• Protect information assets across the entire technology stack
• Enforce best-practice segregation of duties, configuration and change management procedures
[Diagram: the GRC platform layers from slide 32, with the Infrastructure Services layer highlighted]
34. Oracle Governance, Risk, and Compliance
Comprehensive Applications Control Costs and Risks
• Standardize on best-practice frameworks to meet evolving GRC demands
• Automate key GRC processes for risk assessment, control design, policy creation, hotline intake, control monitoring and case management
• Streamline specialized GRC processes for highly-regulated and risk-sensitive industries
[Diagram: the GRC platform layers from slide 32, with the Processes and Insight layers highlighted]
35. GRC Manager
Robust GRC process and content management
[Diagram: GRC lifecycle – Scope → Document → Self Assessment / Manual Controls / Automated Controls → Perform Test / Monitor / Audits → Receive Alerts / Review Reports / Investigate Exceptions → Analyze → Respond → Remediate → Retest → Optimize → Certify → Sign-off and Publish]
• End-to-End GRC Process Management
• Integrated robust process management capabilities
• Centralized GRC Content Management: Risk-Control Matrix; COSO/COBIT Frameworks; Policies and Procedures; Evidence & Records Retention
37. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
39. Business Drivers for Security
Sustaining Compliance: EU Directive 95/46/EC; Internal Audit; Public Confidence
Managing Risk: Corporate Malfeasance (IP theft with layoffs); Sophisticated Online attacks; Identity Theft
Increasing Business Value: Help Desk; Automation; Cost Savings/RoI; Improved Productivity
45. Oracle Advanced Security
Transparent Data Encryption
[Diagram: data written by the Application stays encrypted on Disk, in Backups, in Exports and at Off-Site Facilities]
• Complete encryption for data at rest
• No application changes required
• Efficient encryption of all application data
• Built-in key lifecycle management
46. Oracle Advanced Security
Network Encryption & Strong Authentication
• Standards-based encryption for data in transit
• Strong authentication of users and servers
• No infrastructure changes required
• Easy to implement
47. Oracle Data Masking
Irreversible De-Identification
Production:
LAST_NAME   SSN          SALARY
AGUILAR     203-33-3234  40,000
BENSON      323-22-2943  60,000
Non-Production:
LAST_NAME   SSN          SALARY
ANSKEKSL    111-23-1111  60,000
BKJHHEIEDK  222-34-1345  40,000
• Remove sensitive data from non-production databases
• Referential integrity preserved so applications continue to work
• Sensitive data never leaves the database
• Extensible template library and policies for automation
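The two bullets that matter on the slide above are "irreversible" and "referential integrity preserved", and they pull in opposite directions: the same SSN must map to the same fake SSN in every table so joins still work, yet nobody may be able to map it back. The example below is added for this page and is not Oracle Data Masking; it shows one way to get both properties with a keyed HMAC used as a per-run pseudorandom function, whose key is thrown away once the copy is made. The employee and payroll rows, the column formats and the salary shuffle are all constructed assumptions.

```python
"""Format-preserving, join-preserving, one-way masking (added example)."""
import hashlib
import hmac
import os
import random
import string

# Constructed production rows; PAYROLL references EMPLOYEES by ssn, so that
# column must be masked identically in both tables.
EMPLOYEES = [
    {"emp_id": 1, "last_name": "AGUILAR", "ssn": "203-33-3234", "salary": 40000},
    {"emp_id": 2, "last_name": "BENSON", "ssn": "323-22-2943", "salary": 60000},
]
PAYROLL = [
    {"ssn": "203-33-3234", "period": "2009-12", "net": 2800},
    {"ssn": "323-22-2943", "period": "2009-12", "net": 4100},
]


def _prf(key, column, value, nbytes=16):
    """HMAC-SHA256 of column:value under the run key; deterministic within a run,
    useless without the key, which is why discarding the key makes it one-way."""
    return hmac.new(key, f"{column}:{value}".encode(), hashlib.sha256).digest()[:nbytes]


def mask_ssn(key, ssn):
    """Same real SSN -> same fake SSN for this key; NNN-NN-NNNN format kept."""
    digits = "".join(str(b % 10) for b in _prf(key, "ssn", ssn, 9))
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_name(key, name):
    """Random upper-case letters of the same length, seeded from the PRF."""
    rnd = random.Random(int.from_bytes(_prf(key, "last_name", name), "big"))
    return "".join(rnd.choice(string.ascii_uppercase) for _ in range(len(name)))


def shuffle_salaries(key, rows):
    """Keep the real salary values (so reports still look right) but detach
    them from the people they belong to."""
    rnd = random.Random(int.from_bytes(_prf(key, "salary", "shuffle"), "big"))
    values = [r["salary"] for r in rows]
    rnd.shuffle(values)
    return values


def mask_tables(employees, payroll, key=None):
    """Mask both tables under one per-run key. Callers should not persist the key."""
    key = key if key is not None else os.urandom(32)
    salaries = shuffle_salaries(key, employees)
    emp_out = [
        {"emp_id": r["emp_id"], "last_name": mask_name(key, r["last_name"]),
         "ssn": mask_ssn(key, r["ssn"]), "salary": s}
        for r, s in zip(employees, salaries)
    ]
    pay_out = [dict(r, ssn=mask_ssn(key, r["ssn"])) for r in payroll]
    return emp_out, pay_out


def joins_intact(employees, payroll):
    """Every payroll row still finds its employee after masking."""
    keys = {r["ssn"] for r in employees}
    return all(r["ssn"] in keys for r in payroll)


def masked_sample(key=b"k" * 32):
    """Mask the constructed tables under a fixed key (fixed only so the run is repeatable)."""
    return mask_tables(EMPLOYEES, PAYROLL, key)


if __name__ == "__main__":
    emp, pay = mask_tables(EMPLOYEES, PAYROLL)   # fresh random key, discarded on exit
    for row in emp:
        print(row)
    print("joins intact:", joins_intact(emp, pay))
```

Note what this does not do: it does not hide that two masked rows share an SSN (the mapping is consistent by design), and a fixed key, as in `masked_sample`, would make the output reversible by anyone who has it, so production runs must generate the key per copy and never store it.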
49. Enterprise User Security
1. User authenticates to the database from the Client with username and password as usual
2. Database defers authentication to Oracle Directory Services
3. Oracle Directory Services validates the user credentials
4. User is mapped to a physical database user, with database roles granted
50. Central Credential Store
• Login to multiple databases (HR, CRM, DEV) using the same credentials
• Directory Services provides central authentication for the DBA, Developer or Application User
51. Oracle Database Vault
Separation of Duties & Privileged User Controls
[Diagram: a DBA issuing “select * from finance.customers” against a database that consolidates Procurement, HR and Finance application data]
• DBA separation of duties
• Limit powers of privileged users
• Securely consolidate application data
• No application changes required
52. Oracle Label Security
Data Classification for Access Control
[Diagram: data classified as Sensitive (Transactions), Confidential (Report Data) and Public (Reports); users carry Confidential or Sensitive labels]
• Classify users and data based on business drivers
• Database enforced row level access control
• User classification through Oracle Identity Management Suite
• Classification labels can be factors in other policies
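"Database enforced row level access control" on the slide above means each row carries a label and the database compares it with the session's label before returning the row. The example below is added for this page and is not Oracle Label Security; it models the read rule in the simplest useful form, a level that must be at least as high as the row's plus a set of compartments that must cover every compartment on the row, and filters a constructed table of report and transaction rows for several constructed user labels. Level names, compartment names (FIN, HR) and the label syntax `LEVEL:COMP1,COMP2` are assumptions.

```python
"""Label-based row filtering: level ordering plus compartment containment (added example)."""

# Ordered sensitivity levels, lowest first (names match the slide; numbers are assumed)
LEVELS = {"PUBLIC": 10, "CONFIDENTIAL": 20, "SENSITIVE": 30}


def parse_label(text):
    """'SENSITIVE:FIN,HR' -> (30, {'FIN', 'HR'}); 'PUBLIC' -> (10, set())."""
    level, _, comps = text.partition(":")
    if level not in LEVELS:
        raise ValueError(f"unknown level in label {text!r}")
    return LEVELS[level], {c for c in comps.split(",") if c}


def dominates(user_label, row_label):
    """Read is allowed when the user's level is at least the row's level and the
    user holds every compartment the row is marked with."""
    user_level, user_comps = parse_label(user_label)
    row_level, row_comps = parse_label(row_label)
    return user_level >= row_level and row_comps <= user_comps


# Constructed rows: (content, label), covering the three classes on the slide
ROWS = [
    ("Annual report summary", "PUBLIC"),
    ("Q4 report data", "CONFIDENTIAL:FIN"),
    ("Project cost forecast", "SENSITIVE:FIN"),
    ("Salary transactions", "SENSITIVE:FIN,HR"),
]


def visible_rows(user_label, rows=ROWS):
    """What a query over ROWS returns for a session carrying user_label."""
    return [content for content, label in rows if dominates(user_label, label)]


if __name__ == "__main__":
    for label in ("PUBLIC", "CONFIDENTIAL:FIN", "SENSITIVE:HR", "SENSITIVE:FIN,HR"):
        print(f"{label:18} -> {visible_rows(label)}")
```

The instructive case is `SENSITIVE:HR`: a high level alone is not enough, because the finance rows carry the FIN compartment, so that session sees only the public row. That is the behaviour that answers the slide's earlier question about DBAs reading financial results before the CFO, provided the DBA's session carries no label that dominates the finance rows.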
57. User & Role Administration
Account Provisioning & Role Management
[Diagram: Employee Joins / Departs → HR System → Approval Workflows → Applications; Oracle Identity Manager and Oracle Role Manager drive the GRANT / REVOKE on each application]
• Automate Provisioning / De-provisioning
• Automate Role Management
• Report on “Who has access to what”
• Self-service account requests
58. Access Control
End-to-end Protection
• Entitlements Server: Entitlements Management; Fine Grained Authorization
• Access Manager: Web Access Control; Single Sign-On
• Adaptive Access Manager: Risk-based Authentication; Real-time Fraud Prevention
• Identity Federation: Cross Domain SSO; Identity Federation
59. Compliance Reporting
Web-Based Attestation
1. Set Up Periodic Review: What Is Reviewed? Who Reviews It? Start When? How Often?
2. Reviewer Is Notified, Goes to Self Service. Reviewer Selections: Certify; Reject; Decline; Delegate
3. Automated Action is taken based on Periodic Review: Email Result to User; Automatically Terminate User; Notify the Process Owner; Notify Delegated Reviewer
4. Report Built And Results Stored in DB: Attested Data; Comments; Attestation Actions; Delegation Paths; Archive
62. For More Information
Security Master classes: 27th January, 2010 and 23rd March 2010, London EC2M 2RB
Security Summits: Edinburgh, 4th Feb; Manchester, 11th Mar; London, 18th Mar
Upcoming events - oracle.com/goto/uk/security
More about solutions - oracle.com/security
Identity Administration helps solve the provisioning/de-provisioning challenge and many other common issues. Let’s take a look at how this works. Oracle Identity Manager automates all aspects of administering user identities. Its key capabilities can be broadly broken down into three buckets.

It automates provisioning and de-provisioning of users. Typically, when an employee joins the company, they are entered into the HR system. OIM can automatically detect this addition or change and kick off a workflow process for provisioning them with access to the systems they need. After receiving the necessary approvals, OIM automatically creates accounts for this user in all the relevant applications. Similarly, when an employee departs, since OIM knows everything she has access to, it can quickly revoke access from all systems. As people change roles they are automatically de-provisioned from systems they no longer need and added to the ones relevant to their new role. This ensures that users do not “collect” privileges over time, another common security vulnerability. Another immediate benefit organizations realize as soon as they implement OIM is that they are quickly able to identify and remediate orphaned accounts: live accounts whose owners are no longer with the organization.

OIM also provides much improved visibility across enterprise-wide security controls, and can quickly produce reports such as “who has access to what”. As we’ll discuss later, this also greatly eases the cost of compliance.

Finally, another great source of cost savings is end-user self-service. Users can use a web interface to reset forgotten passwords, request new accounts and more, eliminating a significant volume of help-desk calls.