Oracle On Demand Cloud Services: Security Strategy Mitigates Risk and Enables Compliance
Gail Coury, Vice President, Global IT Risk Management
Changing Landscape
Copyright ©2011, Oracle. All rights reserved.
Businesses are increasingly dependent on IT in order to deliver products and services
Intellectual property and business records are becoming wholly electronic
Business collaboration is driving a disappearing perimeter
On demand computing requires anywhere & anytime access
Stealth & targeted attacks challenge our defenses
Information has value – hacking is profitable
More Data Than Ever…
[Chart: 35 Zettabytes (ZB = 1 Trillion Gigabytes) by 2020; Expected Growth by a Factor of 44 from 2009 to 2020; 62% increase over 2008]
Source: IDC Digital Universe Study, May 2010
More Breaches Than Ever…
Once exposed, the data is out there – the bell can’t be un-rung
[Chart: Publicly Reported Data Breaches, 2005 to 2010; Total Personally Identifying Information Records Exposed (Millions), scale 0 to 600; Cumulative Growth: 1084% Increase]
Average cost of a data breach: $204 per record
Average total cost exceeds $6.7 million per breach
Sources: http://datalossdb.org / 2009 Annual Study: US Cost of a Data Breach, Ponemon Institute, 2010
More Threats Than Ever…
On average there are about 6,000,000 new botnet infections per month
External breaches are largely the work of organized criminals
Sources: McAfee Threats Report: 3rd Quarter 2010 / 2010 Verizon Data Breach Investigations Report
More Regulations Than Ever…
• Federal, state, local, industry…adding more mandates every year!
– Health Information Technology for Economic and Clinical Health Act of 2009
– Massachusetts Law 201 CMR 17.00: Standards For The Protection Of Personal Information
• Need to meet AND demonstrate compliance
• Compliance costs are unsustainable
[Chart: Report and Audit; 90% of Companies Behind in Compliance]
Source: IT Policy Compliance Group, 2007
More Demands Than Ever…
“In the future, policy makers and regulators will probably demand that IT systems capture more and better data in order to gain greater insight into and control over how banks manage risk, pharma companies manage drugs, and industrial companies affect the environment.
Successful CIOs should enhance their relationships with internal legal and corporate-affairs teams and be prepared to engage productively with regulators. They will need to seek solutions that meet government mandates at manageable cost and with minimal disruption.”
Source: McKinsey, 5 Trends that will Shape Business Technology in 2009
Regulators Demand More from IT
Cloud Service Adoption: Security Continues to be the #1 Concern
It could actually be a benefit…
Source: www.networkcomputing.com / IDC Survey: Risk In The Cloud, June 16, 2010
“So if you flip that apprehension on its head, there may be benefits in leveraging a cloud offering with the [security] focus and core competence that a cloud provider brings to the table.” – Michael Pearl, PricewaterhouseCoopers
Oracle On Demand Security Strategy
IT SECURITY REQUIREMENTS
• People, Process & Technology
• Compliance services that can be leveraged
• Disaster recovery services to cover any requirement
• Security products to automate the work
BUSINESS BENEFITS
• Protect privacy
• Protect from intrusion & malicious acts
• Comply with regulatory requirements
• Avoid adverse legal consequences
• Assure business continuity
• Protect the valuation & reputation of your business
Oracle On Demand
Managed stack: Infrastructure, Operating System, Database, Middleware, Applications
• Over 5.5 million users
• 89% of customers on most current releases
• Lower Risk
– Proven Best Practices
– Unparalleled Oracle Expertise
– Scalable, World Class Technology Platform and Infrastructure
Benefits of New Software Delivery Models, Minimizing Risk
Oracle On Demand Protects Customer Data & Systems
Secure Infrastructure & Software Management Service:
• Security Policies, Processes, Organization
• Audit & Compliance
• Security Products & Services
• Disaster Recovery
Oracle Security Organization
Oracle Security Oversight Committee
ORACLE CORPORATE SECURITY
• Security Architect
• Information Security
• Product Security
• Physical Security
LINES OF BUSINESS
• On Demand Risk Management
• Government Affairs / Global Public Policy
• Product Support, Product Development, etc.
• Legal / Security & Privacy Counsel
• Information Security Manager
Utilize International Security Standard
On Demand Follows the ISO 27000 Framework:
• Security Organization
• Operations Management
• System Acquisition & Maintenance
• Security Policy
• Legal Compliance
• Human Resources Security
• Asset Management
• Physical & Environmental
• Security Incident Management
• Privileged Access Control
• Business Continuity & DR
Risk Management: Layered Defense in Depth
Layers: Information Governance, Strategy, Governance, Services, Technologies
Security Technologies
• Secure Web Gateways
• End User Security
• Intrusion Detection & Prevention
• File Integrity Monitoring using Change Control Console
• Full Disk and Tape Encryption
• Multi-Factor Authentication for Administrators
• Segregated Networks
• Power Broker for Privileged Management
• Network & Host Data Loss Prevention
• Security Configuration Monitoring using EM
Security Services
• Regular Scheduled Scanning of Hosts
• Automated Compliance Testing
• Real-time Security Event Correlation & Monitoring
• Auditing and Self-Assessment
• Business Continuity Planning & Testing
• Regulatory Compliance (SOX, PCI, HIPAA, Federal)
• Accessible Services
• Partner Security
• Governance, Risk & Compliance Documentation
Security Strategy
• Security Technical Design Reviews
• Security Technical Assessments
• Secure Configuration
Top 10 Practices to Improve IT Security
Organizations with the best outcomes prioritize their top 10 practices very differently from other organizations, and fully automate most of them:
1. Technical controls are mapped to IT policies, regulatory mandates & legal statutes.
2. Antivirus signatures are updated & applied frequently.
3. Roles and responsibilities of policy owners are defined & maintained.
4. Evidence about IT configurations and technical controls is gathered for evaluation & analysis.
5. Gaps in procedural controls are identified, remediated and tested on a regular basis.
6. Vulnerability scanning and penetration testing of IT assets is conducted on a regular basis.
7. IT assets and audit trails are monitored on a continuous basis.
8. IT assets and software service configurations are tested regularly.
9. Unauthorized access to IT assets is automatically detected or prevented using IT controls.
10. Lists of IT assets and configurations are maintained in central repositories for easy access & analysis.
Source: IT Policy Compliance Group
Leverage On Demand… Compliance Certifications
For Commercial Services
• ISO Certification: ISO 27001 Certification; ISO 27002 Certificate of Conformity
• HIPAA Compliance
• Payment Card Industry (PCI): Compliant Level 1 Service Provider
• SAS 70 Type II
• Federal Certification & Accreditation (C&A): Department of Defense (DoD) and Agencies; NIST & DIACAP; 700+ Controls Tested Annually
• 21 CFR Part 11: Service Offering Under Development
[Control counts shown per certification on the slide, layout lost: 108 Controls Tested Biannually; 112, 132, 217 and 64 Controls Tested Annually]
Common Controls Fulfill Multiple Requirements
Standards/Regs by Industry:
• ISO 27002
• SAS 70 (Public Firms)
• HIPAA (Health Care)
• PCI DSS (FSI, Retail)
• NIST (Federal Agencies)
• 21 CFR 11 (Life Sciences)
Process Controls:
• Policy Development & Maintenance
• Asset Management
• Access Control & Mgmt
• HR Security Controls
• Change Control Procedures
• Segregation of Duties
• Cryptographic Controls
• Backup and Recovery
• Media Handling
• Monitoring, Auditing & Logging
Cloud Security Alliance: To Assist Prospective Cloud Customers in Assessing the Overall Security Risk of a Cloud Provider
Source: CSA Cloud Controls Matrix http://www.cloudsecurityalliance.org/cm.html
Services Address Security Needs & Leverage Oracle Technology
SERVICES
• HIPAA Security Services
• PCI Security Services
• Enhanced Security Services
• Federal On Demand
ORACLE PRODUCTS
• Audit Vault
• Transparent Data Encryption (TDE)
• Change Control Console
• Data Masking
• Adaptive Access Manager
• Configuration Management
HIPAA Security Services: Advanced Service Offerings for Health Information
Base Services
• Annual 3rd Party HIPAA compliance assessment
• Annual risk assessment
• Quarterly external vulnerability scan
• ePHI Network Topology Review
• Host-based Data Loss Prevention (HDLP)
• HIPAA trained support staff
Advanced Services
• Quarterly vulnerability scanning
• Database auditing in conjunction with Oracle Audit Vault
• Oracle Data Masking
• Oracle Transparent Data Encryption (TDE)
• Web Application Firewall
• Flat File Encryption
• Security Maintenance Program
• Annual penetration test
Value
• Designed to protect Customer’s electronic protected health information (ePHI) in environments managed by Oracle
• Assists the Customer to meet its legal obligations under HIPAA (1) as amended by the HITECH (2) Act
• Service Data Sheet
(1) Health Insurance Portability and Accountability Act of 1996; (2) Health Information Technology for Economic and Clinical Health Act of 2009
PCI Security Services: Advanced Service Offerings To Meet Payment Card Industry (PCI) Data Security Standards (DSS)
Base Services
• PCI DSS Controls
• PCI Self-Assessments
• Annual Security Assessment
• Quarterly Vulnerability Scans
• Quarterly PCI Scans
• Annual Penetration Scans
• Oracle Change Control Console
• Quarterly Firewall Policy Review
Advanced Services
• Annual Vulnerability Risks Report
• Web Application Firewall
• Web Application Security Assessments
• Quarterly Network Scans
• Dedicated Secure File Transfer Protocol (FTP)
• File Encryption Service
• Qualified Security Assessor (QSA) Partners
Value
• Oracle On Demand has been a Level 1 PCI Compliant Service Provider since 2006
• Oracle can reduce the time and cost associated with PCI compliance
• Customers can gain access to a complete solution using Oracle PCI Partners
• Service Data Sheet
Federal On Demand: Advanced Service Offerings For the US Federal Government
Value
• Designed to enable our customers to be compliant with federal legislative and executive mandates / directives
• Helping government run business operations more effectively, and at lower costs
• @Customer & @Partner options also available
• Service Data Sheet
For All Applications Managed @ Oracle
• Physical and Logical Isolation of Operations
• U.S. Citizen 24/7 Service Delivery
• Certification and Accreditation Methodologies
• Ongoing FISMA Security Measurements
• Public and Sensitive but Unclassified (SBU) Data
• Plan of Action and Milestones (POAM)
• Federal Information Processing Standards (FIPS) 140-2 Certified and Validated
Enhanced Security Services: Advanced Service Offerings to Meet Customer Compliance Needs
Base Services
• Quarterly Vulnerability Scans
• Quarterly Web Application Vulnerability Scans
• Annual Penetration Test
• Network Diagram
• Quarterly Firewall Policy Review
• Quarterly Network Device Configuration Review
• Quarterly Security Meetings
Advanced Services
• Oracle Adaptive Access Manager
• Oracle Audit Vault
• Oracle Data Masking
• Oracle Transparent Data Encryption (TDE)
• Web Application Firewall
• Flat File Encryption
• Oracle Change Control Console
• Security Maintenance Program
Value
• Supplements standard security services
• Facilitates customer’s compliance needs
• Advanced Services are “cafeteria style”
• Service Data Sheet
DR Solutions: Two Basic Requirements
Data Protection: “Make sure my data isn’t lost when my system/site is hit by a disaster”
• Deliverable:
– Data (tape, disk, other media, or hot failover system)
• In the Event of a Disaster:
– Backup data needs to be shipped to the customer or a customer-specified site or a recovery site
• Solution Cost Drivers:
– Amount of Data to be Protected
– Frequency of Backup (RPO)
Service Recovery: “Get me back in business after my system/site is hit by a disaster”
• Deliverable:
– Service back up, running & accessible, after a disaster
• In the Event of a Disaster:
– Backed-up data is used to bring service back up on an alternate system at a distant site (note that this requires data protection as a prerequisite)
• Solution Cost Drivers:
– RTO | Service Capacity | Testing Frequency
Disaster Recovery Solutions
Columns: Data Protection / Service Recovery (as defined on the previous slide)
Standard Solutions
• Maximum Availability
• 24 hours / 24 hours
• 3 days / 3 days
• Austin Primary, RMDC Secondary
Custom Solutions
• 48 hours / 48 hours
Security Capabilities Summary: Protect Customer Data & Systems
IT SECURITY ENABLERS
• Processes built to support the ISO 27000 framework
• Automation to monitor, correlate, and alert
• Security health checks prior to and during deployment
• Encryption to protect the data
• Compliance services that can be leveraged
• Disaster recovery services to cover any requirement
• Use, host and manage Oracle security products
BUSINESS BENEFITS
• Protect privacy
• Protect from intrusion and malicious acts
• Comply with regulatory requirements
• Avoid adverse legal consequences
• Assure business continuity
• Protect the valuation and reputation of your company
Looking Ahead
THREATS
• Complex & Stealth Attack Vectors Growing
• Commercial Hacking Gaining Ground
REGULATION
• More & More Legislation
• Increased Effort to Prove Compliance
SECURITY BASELINE
• ‘Due Diligence’ High Water Mark Rising
Final Thoughts: Leverage Oracle On Demand…
• Expertise
• Architecture
• Technology
• Demonstrated Compliance
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.