
1 Copyright © 2011, Oracle and/or its affiliates. All rights reserved. Insert Information Protection Policy Classification from Slide 8

Security platform – a holistic approach

Marcin Kozak

Software Architect, Security


Word cloud of business and IT trends (figure): multi-device, social media, always connected, permanent data collection, hybrid cloud, compliance, information theft, intellectual property, access anywhere, delegated access, cost efficient, one view, 360° customer view, big data, acquisitions, changing business process & IT, consolidation, convergence.

Future proof for expanding deployment options: on-premise, private cloud, public cloud, hybrid cloud.

From protecting from the outside… to promoting collaboration while ensuring information security & compliance…

…in a rapidly changing IT landscape: packaged applications, mobile devices, external portals, internal portals, document/content management, cloud solutions.

Growing and more targeted, sophisticated attacks

Two thirds of sensitive and regulated information now resides in databases … and is doubling every two years.

Source: IDC, "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source — Your Databases", August 2011

Sensitive data held in databases (figure): HR data, citizen data, credit cards, customer data, financial data, classified government information, trade secrets, competitive bids, corporate plans, source code, bug database.

Database sprawl makes attacking easier!

Sensitive data is copied from production into many secondary environments (figure): partners, DW/analytics, reports, standby, test, dev, temporary use.

2010 Data Breach Investigations Report

Security layers (figure): endpoint security, vulnerability management, network security, authorization security, DB security.

• How do I control insiders?
• Can I report on anomalous behavior?
• Can I prevent intrusions?
• Can I ensure proper controls around privileged access?

Insider threats are real

IT Security vs Info Risk Management: small change, big difference!

Axes of the comparison (figure): business issues vs technology issues; operationalizing & outsourcing; CISO, CSO, risk management domain.

IT security                           | Information risk management
--------------------------------------|--------------------------------------------------
Defensive / reactive                  | Proactive
Manual                                | Automated
Threat-driven policy development      | Rules-based policy development
Secure infrastructure                 | Secure data
Information protection                | Information assurance
Policy management                     | Policy enforcement
Regulations forced upon organizations | Embrace risk & see security as a business enabler

Aberdeen Research Brief June 2011

Security platform is better: agility, efficiency, costs

• Integration / adaptation speed improved by 64%-73%
• Unauthorized access: -14%
• Audit issues: -35%
• Platform approach reduces cost by 48%

Aberdeen Research Brief June 2011


Identity Governance

• Password Management
• Self-Service Request & Approval
• Role-based User Provisioning
• Analytics, Policy Monitoring
• Risk-based Access Certification

Access Management

• Single Sign-On & Federation
• Web Services Security
• Authentication & Fraud Prevention
• Authorization & Entitlements
• Access from Mobile Devices

Directory Services

• LDAP Storage
• Virtualized Identity Access
• LDAP Synchronization
• Next Generation (Java) Directory

Platform Security Services - Identity Services for Developers (figure): roles & entitlements, authorization, auditing, authentication, user provisioning, policy store, session data management, directory services, other.

Platform Security: User Provisioning Service

• User Provisioning Automation
– Supports adds, moves and changes
– Virtualizes user identity
– Reconciles orphaned accounts
• Workflow Driven
– Flexible and changeable processes
– Supports approval processes
• Policy Driven
– Provides account policies and password policies
– Supports role-based entitlement management

(Figure: create / update / delete account lifecycle)

Platform Security: Sign-On and Authentication

• Standards Based Authentication
– Simplifies integration
– Provides federated sign-on
• Self Service Password Management
– Reset forgotten passwords
– Change passwords
– Enforce strong password policy
• Multi-factor Authentication
– Increase trust
– Comply with regulatory mandates

(Figure: password management, sign-on, policy)

Platform Security: Declarative Security / External Authorization

• Standards Based
– XACML
– NIST
– ABAC and RBAC
• Separation of Duties
– Preventative and detective
– Function and data security
• ADF Integration
– Reduced development cost
– Reduced complexity

(Figure: policy enforcement, SoD, roles)

Platform Security: Identity Provider Service

• Secures User Information
– Protects private user data
– Provides attribute-level security
• Externalizes Identity
– A single user view
– Common user accounts across apps
• Simplifies Audit Compliance
– Single point for access termination
– Single point for access control audit

(Figure: virtualized identity, privacy, data)

Mobile Access & Enterprise Applications

• Enterprises want to enable secure, convenient, efficient access to enterprise applications, data, and collaboration/communication tools
• Support a workforce-anywhere model, using any device
• Mobile applications are built in one of the following ways:
– Native web browser on the mobile device
– Native mobile device clients acting as a web browser
– Native mobile device clients connecting to gateways or applications

Mobile & Social Identity Access Challenges

(Figure: a developer, marked with a question mark, facing auth servers, directory servers, DB servers and IAM servers)

Data

Database Security Defense-in-Depth

• Prevent access by non-database users for data at rest, in motion, and in storage
• Increase database user identity assurance
• Strict access control to application data, even from privileged users
• Enforce multi-factor authorization
• Audit database activity and create reports
• Monitor database traffic and prevent threats from reaching the database
• Ensure the database production environment is secure and prevent drift
• Mask sensitive data in non-production environments

Oracle Maximum Security Architecture (figure)

• Oracle Audit Vault
• Oracle Database Firewall
• Applications: multi-factor authorization, DB consolidation security, unauthorized DBA activity (Oracle Database Vault)
• Encrypted database, encrypted traffic (Oracle Advanced Security)
• Oracle Data Masking: mask for test and dev
• Enterprise Manager Grid Control: secure configuration scanning, patch management

2011 Oracle Corporation – Proprietary and Confidential 28

Based on open standards & manageability & scalability

Q&A
