Data Security and Privacy : Compliance to Stewardship
Jignesh Patel, Solution Consultant, Oracle
Agenda
Connected Government
Security Threats and Risks
Defense In Depth Approach
Summary
Connected Government : Provide better services
FOR GOVERNMENT : Efficient Government
• Cloud Computing
• Analytics and Big Data
• Social Experience
• Citizen Services
• Mobile Users
CONNECTED GOVERNMENT MAKES A DIFFERENCE IN PEOPLE'S LIVES, CHANGING THE WAY GOVERNMENT DELIVERS SERVICES
Security Threats and Risks
FOR GOVERNMENT : Growing Risk
[Word cloud: SSN #, Personal Profile, Identity Theft, Info Security, Credit Card Info, Tax IDs, Denial of Service, Fraud, Continuous Monitoring, Collaboration, Privacy, HIPAA / HITECH, PII, NERC, PCI DSS, IRS 1075, CJIS]
Privacy | Quality of Service | Data Security & Integrity | Regulatory Compliance
GOVERNMENT CHALLENGES HAVE EVOLVED
Importance of Security
Risk to data : Actor and Motivator
Actors: Insider, Outsider, Outsider with help of insider !
HACKERS, ORGANIZED CRIMINALS, NATION STATES, TERRORISTS, INDIVIDUALS
Adapted from Kuppinger Cole Presentation, March 2013
MALICIOUS COORDINATED ATTACKS
• HACKING
• DATA THEFT
• DENIAL OF SERVICE
• BLACKMAIL
MISUSE
• PRIVILEGE ABUSE
• DELIBERATE LEAKAGE
• CURIOSITY
MISTAKES
• ACCIDENTAL ERASURE
• ACCIDENTAL DISCLOSURE
FROM MISTAKES TO ATTACKS : BASIC SECURITY IS NOT ENOUGH
IRS 1075 / NIST 800 Series
Ad-hoc response to Audit Findings is Costly & Insecure
Adapted from Kuppinger Cole Presentation, March 2013
[Chart: Security Findings over Time. Findings are raised at the Q1, Q2 and Q3 audits and each is addressed only after the audit that raised it.]
Auditor : Compliance Verification
Traditional Security Approach
Detecting, Preventing or Stopping the threats on the network or devices.
[Diagram: User -> Device -> Network -> Apps -> Data]
USERS ARE ACCESSING APPLICATIONS AND DATA FROM DEVICES VIA NETWORK.
MAJORITY OF THE SECURITY BUDGET HAS BEEN SPENT ON STOPPING OR DETECTING THE THREATS ON THE NETWORK OR DEVICE.
Limited controls to protect data and user
LITTLE ATTENTION TO USER ACTIVITY AND DATA PROTECTION. MOST ORGANIZATIONS DON'T COMPLETELY UNDERSTAND DATA AND USER ACTIONS.
Over 1.1B Served
• 76% Breached using weak or stolen credentials
• 97% Preventable with basic controls
• 67% Records breached from servers
• 69% Discovered by an external party
Most of the security budget is spent on Firewalls, Anti-virus and IDS, forgetting to secure data.
Defense in Depth Approach
Multi-Layered Defense in Depth Architecture
Layered Security
• All security products have inherent weaknesses.
• It is only a matter of time before an adversary will find a weakness.
• The environment must be protected by multiple independent and reinforcing controls such that a single failure will have minimal or no impact.
Multi-layered Security : Integrate People, Process and Technology
[Diagram: Technology, Process, People]
PREVENTIVE : PREVENT THE THREAT
• SECURITY CONTROL
• STOP ATTACK
• AUTOMATED REMEDIATION
DETECTIVE : MANAGE THE RISK
• IMPROVE DETECTION
• FASTER RESPONSE
• MINIMIZE EXPOSURE
Security Strategy
Defense in Depth – Security Principle implemented to secure a government building
Multiple layers of security
• Guards have visibility to see adversaries approaching from a distance.
• Guard controls everyone entering and leaving.
• Security cameras monitor activity in the building.
• Physical access controls protect resources inside the building.
• Access to business premises is monitored.
• Multiple layers of preventive and detective controls provide the best protection against threats.
Policies, Procedure and Awareness
Preventive : Prevent the threat
SMART approach to security policy
Security Awareness Training
Incident Response Process
Develop procedure to follow policy
Detective : Manage the Risk
Near Real-time Monitoring
Security incident dashboard
Review configuration changes and
access report
[Diagram: Auditor; Alerts]
Integrate People, Process and Technology for maximum security
Policies & Procedure Recommendation
Leverage the CIS* Benchmark configuration to document technical control policies.
• Develop a security configuration standard for all system components.
• Identify the risk of not implementing technical control policies.
Automate configuration verification against the benchmark configuration.
Leverage the IT Service Management ( ITSM ) framework.
• Incident Management & Service Desk
• Service-level management ( SLA )
• Configuration Management
Promote the advantage of configuration monitoring in avoiding unplanned application outages.
"It is against the security policy !!!" – but nobody ever explains what the policy is, let alone documents or evaluates it.
MAP security policy to procedure
* CIS – The Center for Internet Security
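Automated verification against a benchmark, as recommended above and again on the host security slide, looks like the following. This is an added example, not code from the presentation or from CIS: the directives, expected values and risk notes are constructed in the style of an sshd_config benchmark, and the real values must be taken from the published benchmark.

```python
# Added example (not from the presentation): verify a host configuration
# against a benchmark. The checks are constructed illustrations in the style
# of a CIS-type sshd_config benchmark, not the CIS Benchmark text itself.
from dataclasses import dataclass

# Constructed benchmark: directive -> (expected value, risk if not met)
BENCHMARK = {
    "PermitRootLogin": ("no", "direct root login defeats per-user accountability"),
    "PasswordAuthentication": ("no", "password-only logins invite credential guessing"),
    "MaxAuthTries": ("4", "unbounded retries let credential guessing run unchecked"),
    "LogLevel": ("VERBOSE", "audit trail must be rich enough for log correlation"),
}

@dataclass
class Finding:
    directive: str
    expected: str
    actual: "str | None"  # None = directive absent, so the daemon default applies
    risk: str

def parse_sshd_config(text: str) -> dict:
    """Effective directive values; the first occurrence wins, as in sshd."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        effective.setdefault(key.strip(), value.strip())
    return effective

def verify(config_text: str, benchmark=BENCHMARK) -> list:
    """Compare the effective configuration with the benchmark; return drift."""
    actual = parse_sshd_config(config_text)
    findings = []
    for directive, (expected, risk) in benchmark.items():
        got = actual.get(directive)
        if got is None or got.lower() != expected.lower():
            findings.append(Finding(directive, expected, got, risk))
    return findings

# Constructed sample sshd_config: two drifted directives, one missing
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
PermitRootLogin yes
PasswordAuthentication no
# raised during an outage and never reverted
MaxAuthTries 10
"""
```

Running `verify(SAMPLE_CONFIG)` reports PermitRootLogin and MaxAuthTries as drifted and LogLevel as missing; feeding the findings into the ITSM service desk is what turns a check into the configuration-management process the slide describes.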
Security Awareness Benefits
Awareness training is one of the best Myth Busters
Security Myth Busters
• Our firewall products protect us from the internet.
• We haven't been broken into so far, so we must be doing a great job of security.
• Technology products solve the security problem.
• Our anti-virus and anti-malware scanner protects us.
• Our IDS/NIDS will detect intrusions.
• We don't do anything that makes us a target for attack.
Physical Security
Preventive : Prevent the threat
Secure building
Restrict physical access
Security guards
Physical barriers
Detective : Manage the Risk
Closed Circuit TV (CCTV)
Real-time surveillance
Security Camera
Most security controls can be circumvented if an attacker gains physical access.
Perimeter Security
Preventive : Prevent the threat
DMZ Perimeter
Hardened VPN
Control outbound connections from servers in the DMZ zone
Permit only required network traffic
Detective : Manage the Risk
IDS on Perimeter Network
Monitor Access log
Associate Alert using ITSM Service request
[Diagram: IDS, VPN, Firewall]
Properly configured perimeter security protects against a large percentage of attacks.
Network Security
Preventive : Prevent the threat
Series of network segments/Zones
Least possible software/services
Firewall Configuration
Encryption of Network packets
Detective : Manage the Risk
Network intruder detection system ( NIDS )
Access log monitoring
[Diagram: USER -> Internet -> DMZ -> Mid Tier -> Database]
Secure network devices against information gathering and DoS attacks.
Host, Data and Application Security
Objections against additional security controls
- Strong perimeter security protects our application and database.
- Our firewall/NIDS protects us from the internet.
- Web based applications require credentials.
- Database servers are in the most secured zone.
- Limited persons have direct production server and database access.
- Our information is public record.
Perimeter security is unable to protect sensitive data against attacks using SQL injection, compromised privileged user access and clear-text network traffic.
HOST ( Server ) Security
Preventive : Prevent the threat
Secure OS – Implement compliance framework configuration.
Patch management – schedule patching
IPS – Intrusion Prevention System
Detective : Manage the Risk
Centralized audit and log management system
Monitor & correct configuration drift
Leverage ITSM - Service Desk
A secured server protects the sensitive information on the server.
HOST Security Recommendation
Defend the HOST ( Server ) using strong access controls on hosts.
Automate configuration verification against benchmark configuration.
Proactively apply security patches in a timely manner.
Grant access to users based on their roles ( needs ) rather than enabled by default.
Review users' access rights periodically.
Monitor host server access and activity logs.
Multiple access failures should generate an alert.
Multi-factor authentication for privileged user access in the production environment.
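The "multiple access failures should generate an alert" control, as an added example rather than code from the presentation: it parses host access log lines (constructed here in the style of OpenSSH syslog entries) and raises one alert per source address when a burst of failures lands inside a sliding window. The threshold of 5 failures in 60 seconds and the log year 2013 are assumed values.

```python
# Added example (not from the presentation): alert on repeated access failures
# in a host access log. The lines below are constructed in the style of
# OpenSSH syslog entries; threshold, window and the log year are assumed.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one burst from 203.0.113.5, one typo by a real user
SAMPLE_LOG = """\
Mar 10 02:14:01 db01 sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 02:14:03 db01 sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar 10 02:14:04 db01 sshd[4023]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 10 02:14:05 db01 sshd[4025]: Failed password for root from 203.0.113.5 port 51241 ssh2
Mar 10 02:14:06 db01 sshd[4027]: Failed password for oracle from 203.0.113.5 port 51242 ssh2
Mar 10 02:20:30 db01 sshd[4100]: Failed password for jpatel from 198.51.100.7 port 40001 ssh2
Mar 10 02:20:41 db01 sshd[4102]: Accepted publickey for jpatel from 198.51.100.7 port 40002 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_failures(log_text, year=2013):
    """Yield (timestamp, host, user, source) for every failed-login line."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:  # syslog timestamps carry no year, so one is assumed
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["user"], m["src"]

def detect_bruteforce(log_text, threshold=5, window_sec=60):
    """One alert per source whenever `threshold` failures fall inside `window_sec`.

    A sliding window of recent failure times is kept per source address; a
    single failed login (a typo) never trips it, a burst does.
    """
    recent = defaultdict(deque)
    alerts = []
    for ts, host, user, src in parse_failures(log_text):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_sec:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"host": host, "source": src, "failures": len(q),
                           "last_user": user, "first": q[0], "last": ts})
            q.clear()  # reset so one burst raises one alert, not one per line
    return alerts
```

On the sample, `detect_bruteforce(SAMPLE_LOG)` yields a single alert for 203.0.113.5 and nothing for the user who mistyped once; the alert dictionary is what would be raised as an ITSM service request from the centralized log management system.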
Application Security
Preventive : Prevent the threat
Secure development practice
Single authentication and authorization services.
Strong Encryption and Control Data-in-Use
Detective : Manage the Risk
Application Activity monitoring
Privileged user's access review
Leverage – ITIL Monitoring and Service Desk
Minimize application vulnerabilities to prevent attackers from exploiting them for unauthorized access to data and complete control of the system.
Application Security Recommendation
Develop Secure design guidelines for application architects.
Security logic must be externalized as much as possible.
Application should leverage common security services.
Developers must not hard-code security logic into business solutions.
Security enforcement, decisions, and management must be performed by dedicated, shared services and infrastructure.
Common audit log framework and monitoring should be leveraged.
Evaluate application code for vulnerabilities and perform penetration testing.
Data Security
Preventive : Prevent the threat
Secure data at rest ( Encryption )
Secure data in transit
Secure database configuration
Prevent SQL injection
Control Data-in-Use
Mask non- production sensitive data
Detective : Manage the Risk
Privileged user Control & Analysis
Database activity monitoring
Verify database configuration
[Diagram: Encrypted Data; Masked Data; Encrypted internal network communication; SQL Aware Firewall]
Encrypted data is protected against attacks that bypass database and server access controls.
Data Security Recommendation
Classify sensitive data stored in the database.
Secure Data-at-Rest in the database to prevent users from bypassing database security.
• Protects against theft or loss of disks and backups.
Implement data redaction to limit exposure of sensitive data in applications.
Rotate encryption keys periodically ( Yearly, Quarterly ).
Prevents developers and testers from seeing the actual production data.
Reduce privileged access to the sensitive data.
Implement privileged user access control ( Emergency Privileged Access Control ).
Multi-factor privileged access control to access the production system.
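Two of the data security controls above, preventing SQL injection and redacting or masking sensitive values before they reach applications and non-production copies, are shown together in the following added example; it is not code from the presentation or from any Oracle product. It uses an in-memory SQLite table of constructed citizen records, and the column names and the redaction format are assumptions.

```python
# Added example (not from the presentation): SQL injection prevention and
# data redaction on a table of sensitive records. Uses an in-memory SQLite
# table with constructed data; column names and redaction format are assumed.
import re
import sqlite3

def seed() -> sqlite3.Connection:
    """Constructed sample records, not real data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE citizen (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, tax_id TEXT)")
    con.executemany("INSERT INTO citizen (name, ssn, tax_id) VALUES (?, ?, ?)", [
        ("Ada Example", "123-45-6789", "98-7654321"),
        ("Bob Sample", "987-65-4321", "12-3456789"),
    ])
    return con

def lookup_vulnerable(con, name):
    """String-built query: the caller's input is parsed as SQL, so a quote in
    it rewrites the WHERE clause and the lookup can return every row."""
    sql = "SELECT name, ssn FROM citizen WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()

def lookup_safe(con, name):
    """Bound parameter: the input is passed as data and never parsed as SQL."""
    return con.execute("SELECT name, ssn FROM citizen WHERE name = ?", (name,)).fetchall()

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def redact_ssn(value: str) -> str:
    """Application-side redaction: expose only the last four digits."""
    return SSN_RE.sub(r"***-**-\3", value)

def masked_copy(con):
    """Non-production extract: names kept, identifiers irreversibly masked
    so developers and testers never see the real production values."""
    rows = con.execute("SELECT id, name, ssn, tax_id FROM citizen").fetchall()
    return [(i, n, redact_ssn(s), "**-*****" + t[-2:]) for i, n, s, t in rows]

if __name__ == "__main__":
    con = seed()
    probe = "x' OR '1'='1"  # constructed input of the kind a code review tests with
    print(len(lookup_vulnerable(con, probe)), "rows via string-built query")
    print(len(lookup_safe(con, probe)), "rows via bound parameter")
    print(masked_copy(con))
```

With the probe input the string-built query returns both records while the parameterised one returns none, which is the gap the slide's "SQL aware firewall" and "prevent SQL injection" items address; `masked_copy` is the shape of the non-production extract that keeps testers away from real identifiers.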
Defense in Depth Architecture
[Diagram: layers of the Defense in Depth architecture, innermost to outermost]
Data : Secure communication path; encrypt ( scramble ) data at rest; strong password, permissions
Application : Securely designed application
Host : Patch management – security updates; Intrusion prevention – prevent attack; Secure configuration – OS hardening, log management
Network : Network segments; network based intrusion detection system
Perimeter : Firewalls, ACL configured routers, VPN; network based intrusion detection system
Policies : Security awareness, policies, procedures; security event response strategy
Physical : Guards, lock, security camera and access control
SECURITY BETWEEN SYSTEMS / SECURITY AT EACH LAYER / SECURITY BETWEEN LAYERS
DEFENSE IN DEPTH : Secure Information and Meet Privacy Requirements
THANK YOU
[email protected]