2010 06 gartner avoiding audit fatigue in nine steps 1d
Securing Citizen Facing Applications
1. Securing Citizen Facing Applications Moderated by Timothy Davis Oracle Enterprise Architect Board Member
2.
3. Today’s Panel Edwin Lorenzana, Enterprise Security Architect, City of Boston Hayri Tarhan, Oracle Enterprise Security Specialist Architect Timothy Davis, Oracle Enterprise Architect Board Member Jeremy Forman, Oracle Enterprise Architect CISSP Certified Professional Marc Chanliau, Director, Identity Management Development
6. More breaches than ever… Data Breach Once exposed, the data is out there – the bell can’t be un-rung PUBLICLY REPORTED DATA BREACHES Total Personally Identifying Information Records Exposed (Millions) Source: DataLossDB, Ponemon Institute, 2009 Average cost of a data breach $202 per record Average total cost exceeds $6.6 million per breach 630% Increase
7. More threats than ever… 70% attacks originate inside the firewall 90% attacks perpetrated by employees with privileged access
8.
9. Issue #1: Are the business and application owners involved in the security decision making process? Or is it the technology organization? Why? Today’s “New Normal” Users, Systems, Globalization and Compliance Forced Complexity IT Governance EMR/HIE Service Level Compliance Financial Reporting Compliance Compliance & Ethics Programs Audit Management Data Privacy Records Retention Legal Discovery CJIS Apps Server Data Warehouse Database Mainframes Mobile Devices Enterprise Applications Systems Globalization Users Legal Taxation HR Public Safety Partners Citizens Healthcare EPA Mandates MFIPPA FOIPPA FDA FISMA NIST HIPAA FDA PCI… Patriot Act SB1386
13. Issue #2: Major issues around proofing and identifying citizens access to systems? Virtual Attribute Authority Internal Apps Virtual Attribute Authority Rules Virtual Identities Hierarchies, Mappings Directories Databases Proprietary Identity Attributes Applications
14.
15.
16.
17. Issue #4: Is a centralized or decentralized approach to authentication and authorization the more feasible approach? Identity Mgmt Future State Architecture
18.
19.
20. A final question to our panel: Guidance to Security Architects ? Edwin Lorenzana Hayri Tarhan Jeremy Forman Timothy Davis Marc Chanliau
Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide OOW2009 Leaders Circle: Cloud Panel 03/28/10 14:15 Copyright 2009 Oracle Corporation Bring business and IT together along alignement based on business value Why is it hard? Goals of business evolved via siloes but now we want end to end business integration – not automate paying invoices but more procure to pay … much more enterprise wholistic apporaches to rationalization and productivitiy. Not just reporting but more collaborative and getting all the data EVERYWHERE and managing preformance around the Citizen and Quality of Service but some things never change like cost savings and innovation. The need of an EA is critical NOW – you can’t go forward without meeting enterprise business goals. This includes business strategies and ojbectives, how you are organizated depending if you are centeralized, hybrid approach or federated – you need a blueprint now. You have to leverage the power of standards when you set your corporate archtiectures. It is about how to guide our customers towards this journey of an EA !!!
Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide
Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide OOW2009 Leaders Circle: Cloud Panel 03/28/10 14:15 Copyright 2009 Oracle Corporation Bring business and IT together along alignement based on business value Why is it hard? Goals of business evolved via siloes but now we want end to end business integration – not automate paying invoices but more procure to pay … much more enterprise wholistic apporaches to rationalization and productivitiy. Not just reporting but more collaborative and getting all the data EVERYWHERE and managing preformance around the Citizen and Quality of Service but some things never change like cost savings and innovation. The need of an EA is critical NOW – you can’t go forward without meeting enterprise business goals. This includes business strategies and ojbectives, how you are organizated depending if you are centeralized, hybrid approach or federated – you need a blueprint now. You have to leverage the power of standards when you set your corporate archtiectures. It is about how to guide our customers towards this journey of an EA !!!
Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide New industry/federal regulations every few months Enforcing compliance requires central view & management of entire infrastructure and without this, it is difficult to maintain control on an ongoing basis Policy enforcement to avoid toxic roles/approver combination Report and audit on who has access to what and compare with who should have access to what is difficult and costly across various applications & systems Reports attestation should be manageable and efficient – if no structured attestation, then it is mere rubber stamping And compliance costs can go up with processes
Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide 03/28/10 Oracle Confidential Source: DataLossDB http://datalossdb.org Note total represents cumulative number since once exposed the data is out there – the bell can’t be unrung. http://online.wsj.com/article/SB123249174099899837.html
Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide 03/28/10 Oracle Confidential
Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide Key Message: Requirements for GRC increase in number and complexity Now that we have a context and definition of the big GRC picture, let’s highlight some of the main drivers in this area. In speaking with our customers, we’ve heard several main drivers or challenges that recur over and over. These drivers are consistent across profit, non-profit, or public sector organizations. The first driver is the notion that GRC is the “new normal”. It is here to stay and the bar has definitely gone up – the expectations for proper governance and oversight, the need for better risk management, and of course the demands of multiple compliance requirements. Forrester research reports that since 1981, the US federal government alone has introduced 114,00 new rules and regulations that affect business. The complexity of GRC is due to the interaction of four dimensions – mandates (or boundaries, whether externally levied or voluntarily undertaken); regions (the need to respond locally to global demands); technology (the fact that technology underpins much of modern business process and is in itself characterized by heterogeneity); and people (the different functions in an organization and the specialization that often results in silos.) <Click> When these four dimensions interact in order to meet GRC requirements, it results in a myriad of initiatives with complex accountabilities. For example, initiatives in the area of financial reporting compliance are typically handled by finance and internal audit. However, business processes rely on IT environments and business software applications, so the audit and testing to ensure the integrity of financial reporting is very much dependent on IT governance procedures around proper change management and separation of duties. While much attention has been placed on the US requirements for financial reporting compliance because of Sarbanes-Oxley, other countries such as Japan and Canada have also adopted similar regulations so global organizations will need to rationalize their efforts across regions as well. In addition, closely related requirements around Compliance and Ethics programs for example, typically falls in the jurisdiction of the legal counsel and HR managers who need to prove that policies have been effectively communicated to the workforce and to provide evidence of employee understanding. <Click> In another example, recent changes in the Federal Rules of Civil Procedure are escalating requirements to improve electronic discovery capabilities. Many firms are therefore paying closer attention to effective records management which can reduce the costs associated with electronic legal discovery by properly applying retention policies to documents. These requirements need to be balanced however with close attention to the rights of employees and customers with regards to data privacy, so again, a single mandate can result in multiple GRC initiatives that need to be addressed in a holistic fashion. GRC is here to stay, and what makes it distinct and unique is the fact that while the operational objective tied to any action is often narrowly focused (for example, “send this email to acknowledge receipt of shipment from subsidiary), the associated GRC objectives invariably address a broader range of accountabilities (provide the basis for quarterly reconciliation, ensure traceability of raw materials, apply proper retention policies for email communications). To paraphrase John Muir, one of the early modern environmentalists of the 20 th century and founder of the Sierra Club, “When we try to pick out anything by itself, we find it hitched to everything else in the Universe.” GRC processes can therefore burden managers with repeated assessments that ask the same questions for multiple GRC initiatives. Organizations that fail to take a platform approach to GRC end up with duplicate technologies and inconsistent approaches, measurement and reporting, resulting in scattered information and poor visibility.
Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide Inside the business apps!!! Of course, the solutions we cover in this presentation are deployed as part of a wider infrastructure. This diagram shows the scope of the Oracle offerings including applications (Enterprise Resource Planning, Customer Relationship Management, Governance / Risk / Compliance, and vertical industry specific), Fusion Middleware, and database / infrastructure. As illustrated on this slide, Enterprise Security, Management, Development, and Intelligence offerings are applicable and provide important capabilities in all 3 layers of the Oracle software stack.
Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide NIST 80018: Guide for Developing Security Plans for Information Technology Systems NIST 80027: Engineering Principles for Information Technology Security (A Baseline for Achieving Security) NIST 80030: Guide for Risk Management for Information Technology Systems 248 Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide
Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide Behind the scenes, MGR was using Oracle Access Management Suite. This solution offered them two key layers of defense, over and above what a typical web access management system could provide. First, their users were trained to look for a personalized image at the login page. More than 99% of the users were able to detect that they were not logging into the real MGR site, and many sent e-mails to MGR informing them of this phishing attack. This “Secure Mutual Authentication” piece delivers a crippling blow to these and any other potential hackers. It is also worth noting that MGR could also use virtual keypads at their login page to thwart against other external attacks such as key-logging trojans, etc. The second layer of defense that Access Management Suite offers is highly advanced risk-based authorization. The system can intelligently calculate a risk score based on several factors such as the fingerprint of the device a user is logging in from, their location, time of day, and type of activity. By comparing it to “normal” behavior, the system generates a risk score, and if the score is too high, the system can prompt the user for further validation. This could range from knowledge-based validation to mobile text messaging, and even voiceprint recognition. The system can also alert system administrators immediately of highly suspect activity. What is really exciting and unique about this solution is its ability to “auto-learn” normal behavior for a user so that it can detect anomalies in real-time, thus stopping fraudulent activity in its tracks.
Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide EA People – professional, best-in-class people who are solving the most complex EA problems in the world. They have the respect from business and IT EA Processes – standards-based methodology for EA processes including Oracle best practices EA Portfolio – of assets to help the EA.
Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide OOW2009 Leaders Circle: Cloud Panel 03/28/10 14:15 Copyright 2009 Oracle Corporation
Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide OOW2009 Leaders Circle: Cloud Panel 03/28/10 14:15 Copyright 2009 Oracle Corporation Bring business and IT together along alignement based on business value Why is it hard? Goals of business evolved via siloes but now we want end to end business integration – not automate paying invoices but more procure to pay … much more enterprise wholistic apporaches to rationalization and productivitiy. Not just reporting but more collaborative and getting all the data EVERYWHERE and managing preformance around the Citizen and Quality of Service but some things never change like cost savings and innovation. The need of an EA is critical NOW – you can’t go forward without meeting enterprise business goals. This includes business strategies and ojbectives, how you are organizated depending if you are centeralized, hybrid approach or federated – you need a blueprint now. You have to leverage the power of standards when you set your corporate archtiectures. It is about how to guide our customers towards this journey of an EA !!!
Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide OOW2009 Leaders Circle: Cloud Panel 03/28/10 14:15 Copyright 2009 Oracle Corporation Bring business and IT together along alignement based on business value Why is it hard? Goals of business evolved via siloes but now we want end to end business integration – not automate paying invoices but more procure to pay … much more enterprise wholistic apporaches to rationalization and productivitiy. Not just reporting but more collaborative and getting all the data EVERYWHERE and managing preformance around the Citizen and Quality of Service but some things never change like cost savings and innovation. The need of an EA is critical NOW – you can’t go forward without meeting enterprise business goals. This includes business strategies and ojbectives, how you are organizated depending if you are centeralized, hybrid approach or federated – you need a blueprint now. You have to leverage the power of standards when you set your corporate archtiectures. It is about how to guide our customers towards this journey of an EA !!!