Data Security and Privacy : Compliance to Stewardship

Jignesh Patel Solution Consultant,Oracle

Agenda

Connected Government

Security Threats and Risks

Defense In Depth Approach

Summary

Connected Government : Provide better services

FOR

GOVERNMENTEfficient

Government

Cloud Computing

Analytics and Big Data

Social Experience

CitizenServices

Mobile Users

CONNECTED GOVERNMENT MAKES DIFFERENCE IN PEOPLE’S LIVES

CHANGING THE WAY GOVERNMENT DELIVER SERVICES

Security Threats and Risks

FOR

GOVERNMENTGrowing

Risk

SSN #

Personal Profile

Identity Theft

Info Security

Credit Card Info

Tax IDs

Denial of Service

Fraud

Continuous Monitoring

Collaboration

Privacy

HIPAA / HITECH

PII

NERC

PCI DSS

IRS 1075

CJIS

Privacy Quality of ServiceData Security

& IntegrityRegulatoryCompliance

GOVERNMENT CHALLENGES HAVE EVOLVED

Importance of SecurityRisk to data : Actor and Motivator

Insider

Outsider

Outsider with help of insider !

HACKERS

ORGANIZED CRIMINAL

NATION STATES

TERRORISTS

INDIVIDUALS

Adapted from Kuppinger Cole Presentation, March 2013

MALICIOUSCOORDINATED ATTACKS

HACKING

DATA THEFT

DENIAL OF SERVICE

BLACKMAIL

MISUSE• PRIVILEGE

ABUSE

• DELIBERATE LEAKAGE

• CURIOSITY

MISTAKES

• ACCIDENTAL ERASURE

• ACCIDENTAL DISCLOSURE

FROM MISTAKES TO ATTACKSBASIC SECURITY IS NOT ENOUGH

IRS

1075

NIST 800 Series

Ad-hoc response to Audit Findings is Costly & Insecure

Adapted from Kuppinger Cole Presentation, March 2013

Secu

rity

Fin

din

g

Time

Finding

Addressed

Finding

Addressed

Finding

Addressed

Q1 Audit

Finding

Q2 Audit

Finding

Q3 Audit

Finding

Auditor :Compliance Verification

Detecting, Preventing or Stopping the threats on the network or devices.

Traditional Security Approach

Apps

Device

Network

Data10101

01101

01010

User

USERS ARE

ACCESSING

APPLICATIONS AND

DATA FROM DEVICES

VIA NETWORK

Detecting, Preventing or Stopping the threats on the network or devices.

Traditional Security Approach

Apps

Device

Network

Data10101

01101

01010

UserMAJORITY OF THE

SECURITY BUDGET

HAS BEEN SPENT

ON STOPPING OR

DETECTING THE

THREATS ON THE

NETWORK OR

DEVICE.

Traditional Security ApproachLimited controls to protect data and user

Apps

Device

Network

Data10101

01101

01010

UserLITTLE ATTENTION TO

USER ACTIVITY AND

DATA PROTECTION.

MOST ORGANIZATIONS

DON’T COMPLETELY

UNDERSTAND DATA

AND USER ACTIONS.

Over 1.1B Served

Breached using weak or stolen credentials

Preventable with basic controls

76%

97%

Records breached from servers67%

Discovered by an external party69%

Most of security budget spent on Firewalls, Anti-virus and IDS, forgetting to secure data

Defense in Depth Approach

Multi-Layered

Defense in Depth Architecture

Layered Security

• All security products have inherent

weaknesses.

• It is only a matter of time before an

adversary will find a weakness.

• The environment must be protected

by multiple independent and

reinforcing controls such that a single

failure will have minimal or no impact.

Multi-layered Security Integrate : People, Process and TechnologyTechnology

Process

People

PREVENTIVEPREVENT THE THREAT

DETECTIVEMANAGE THE RISK

• SECURITY CONTROL

• STOP ATTACK

• AUTOMATED REMEDIATION

• IMPROVE DETECTION

• FASTER RESPONSE

• MINIMIZE EXPOSURE

Security Strategy

Defense in Depth – Security Principal Implemented to secure government building

Multiple layer of security • Guards have visibility to see adversaries

approaching from a distance.

• Guard controls everyone entering and leaving.

• Security camera monitors activity in the building.

• Physical access controls protects resources

inside the building.

• Access to business premises is monitored.

• Multiple layers of preventive and detective

controls provide best protection against threats.

Policies, Procedure and Awareness

Preventive : Prevent the threat

SMART approach to security policy

Security Awareness Training

Incident Response Process

Develop procedure to follow policy

Detective : Manage the Risk

Near Real-time Monitoring

Security incident dashboard

Review configuration changes and

access report

Auditor

!Alerts

Integrate People, Process and Technology for maximum security

Policies & Procedure Recommendation

Leverage The CIS* Benchmark configuration to document technical control policies.

• Develop security configuration standard for all system components.

• Identify Risk for not implementing technical control policies.

Automate configuration verification against benchmark configuration.

Leverage IT Service Management ( ITSM ) framework.

Incident Management & Service Desk

Service-level management ( SLA )

Configuration Management

Promote configuration monitoring advantage to unplanned outage to application

It is against the security policy !!! but nobody ever explains what the policy is,

let alone document or evaluate it.

MAP Security policy to procedure

* CIS – The Center for Internet Security

Security Awareness Benefits

Awareness training is one of the best Myth Busters

Security Myth Busters

Our Firewall Products Protects us from the internet.

We Haven’t been broken into so far, So We must Be doing great Job of Security.

Technology Products Solve the Security Problem.

Our Anti-Virus and Anti-Malware Scanner Protects us.

Our IDS/NIDS Will Detect Intrusions.

We don’t do any thing that makes us a target for attack.

Physical Security

Preventive : Prevent the threat

Secure building

Restrict physical access

Security guards

Physical barriers

Detective : Manage the Risk

Closed Circuit TV (CCTV)

Real-time surveillance

Security Camera

Most Security controls can be circumvented, if attacker gains physical access

Perimeter Security

Preventive : Prevent the threat

DMZ Perimeter

Hardened VPN

Control outbound connection from server

in DMZ zone

Permit only required network traffic

Detective : Manage the Risk

IDS on Perimeter Network

Monitor Access log

Associate Alert using ITSM Service request

IDSVPNFirewall

Properly configured Perimeter security protects from large percentage of attacks.

Network Security

Preventive : Prevent the threat

Series of network segments/Zones

Least possible software/services

Firewall Configuration

Encryption of Network packets

Detective : Manage the Risk

Network intruder detection system ( NIDS )

Access log monitoring

Internet

DMZ

Mid Tier Database

Secure network devices against information gathering and DoS attacks.

USER

Host,Data and Application SecurityObjection against additional security control

- Strong Perimeter security protects our Application

and Database.

- Our firewall/NIDS protects us from the internet .

- Web based application requires credential.

- Database servers are in most secured zone.

- Limited persons have direct production server and

database access.

- Our Information is public record.

Perimeter security unable to protect sensitive data against attack using SQL

injection,compromized privilege user access and clear text network traffic.

HOST ( Server ) Security Preventive : Prevent the threat Secure OS – Implement compliance

framework configuration.

Patch management – schedule patching

IPS – Intrusion Protection System

Detective : Manage the Risk

Centralized audit and log management

system

Monitor & correct configuration drift

Leverage ITSM - Service Desk

Secured server protects sensitive information on the server

HOST Security Recommendation

Defend the HOST ( Server ) using strong access controls on hosts .

Automate configuration verification against benchmark configuration.

Proactively apply security patches in timely manner.

Grant access to user based on their roles (needs ) rather than enabled by default.

Review User's access rights periodically.

Monitor Host server access and activity log.

Multiple access failure should generate alert.

Multi-factor authentication for privileged user access in production environment.

Application Security

Preventive : Prevent the threat

Secure development practice

Single authentication and authorization

services.

Strong Encryption and Control Data-in-Use

Detective : Manage the Risk

Application Activity monitoring

Privileged user’s access review

Leverage – ITIL Monitoring and Service Desk

Minimize application vulnerabilities to prevent attackers exploiting them for

unauthorized access to data and complete control of the system

Application Security Recommendation

Develop Secure design guidelines for application architects.

Security logic must be externalized as much as possible.

Application should leverage common security services.

Developers must not hard-code security logic into business solutions.

Security enforcement, decisions, and management must be performed by dedicated, shared

services and infrastructure.

Common audit log framework and monitoring should be leveraged.

Evaluate application code for vulnerabilities and perform penetration testing.

Data Security

Preventive : Prevent the threat

Secure data at rest ( Encryption )

Secure data in transit

Secure database configuration

Prevent SQL injection

Control Data-in-Use

Mask non- production sensitive data

Detective : Manage the Risk

Privileged user Control & Analysis

Database activity monitoring

Verify database configuration

Encrypted Data Masked Data

Encrypted internal network communicationSQL Aware Firewall

Encrypted data is protected against by-pass database and server access control attack

Data Security Recommendation

Classify Sensitive data stored in the database.

Secure Data-at-Rest in database to prevent users from bypassing database security.

Protects against theft or loss of disks and backups.

Implement data redaction to limit exposure of sensitive data in applications.

Rotate encryption key periodically ( Yearly, Quarterly) .

Prevents developers and testers from seeing the actual production data.

Reduce Privileged access to the sensitive data

Implement Privileged uses access control ( Emergency Privileged Access Control )

Multi factor privileged access control to access production system.

Defense in Depth Architecture

Secure Communication Path,

Encrypt ( Scramble ) data at rest.

Strong Password, Permission

Securely designed Application

Patch Management – Security update

Intrusion Prevention – Prevent attack

Secure configuration – OS hardening, log

management

Network segments,

Network based Intrusion Detection

system

Firewalls,ACL configured routers, VPN

Network based Intrusion Detection

system

Security Awareness,policies,procedures

Security event response strategy

Guards, Lock, Security Camera and

Access control

SECURITY

BETWEEN SYSTEMS

SECURITY

AT EACH LAYER

SECURITY

BETWEEN LAYERS

DEFENSE IN DEPTHSecure Information and Meet Privacy Requirements

S E C U R I T Y

S E C U R I T Y

S E C U R I T Y

S E C U R I T Y

S E C U R I T Y

S E C U R I T Y

S E C U R I T Y

S E C U R I T Y

S E C U R I T Y

S E C U R I T Y

S E C U R I T Y

S E C U R I T Y

S E C U R I T Y

THANK YOUjignesh.j.patel@oracle.com