TRANSCRIPT
Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
Security platform – a holistic approach
Marcin Kozak
Software Architect, Security
Drivers (word cloud): multi-device, social media, always connected, permanent data collection, hybrid cloud, compliance, information theft, intellectual property, access anywhere, delegated access, cost efficient, one view, 360° customer view, big data, acquisitions, changing business process & IT, consolidation, convergence.
Future proof for expanding deployment options: on-premise, private cloud, public cloud, hybrid cloud.
From protecting from the outside… to promoting collaboration while ensuring information security & compliance… in a rapidly changing IT landscape: packaged applications, mobile devices, external portals, internal portals, document/content management, cloud solutions.
Growing, more targeted and more sophisticated attacks. Two thirds of sensitive and regulated information now resides in databases, and it is doubling every two years.
Source: IDC, "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source — Your Databases", August 2011
Examples of such data: HR data, citizen data, credit cards, customer data, financial data, classified government information, trade secrets, competitive bids, corporate plans, source code, bug databases.
Database sprawl makes attacking easier: copies of sensitive data spread beyond the production database to partners, DW/analytics, reports, standby, test, dev and temporary-use databases.
2010 Data Breach Investigations Report (figure): control areas shown are endpoint security, vulnerability management, network security, authorization security and DB security.
Questions this raises:
• How do I control insiders?
• Can I report on anomalous behavior?
• Can I prevent intrusions?
• Can I ensure proper controls around privileged access?
Insider threats are real.
IT security vs. information risk management: small change, big difference!
(Axes on the slide: business issues vs. technology issues; operationalizing & outsourcing; CISO, CSO, risk management domain.)

IT security                           | Information risk management
--------------------------------------|---------------------------------------------------
Defensive / reactive                  | Proactive
Manual                                | Automated
Threat-driven policy development      | Rules-based policy development
Secure infrastructure                 | Secure data
Information protection                | Information assurance
Policy management                     | Policy enforcement
Regulations forced upon organizations | Embrace risk & see security as a business enabler
Security platform is better: agility, efficiency, costs (Aberdeen Research Brief, June 2011). Integration/adaptation speed improved by 64%-73%; unauthorized access down 14%; audit issues down 35%; the platform approach reduces cost by 48%.
Identity Governance
• Password Management
• Self-Service Request & Approval
• Role-based User Provisioning
• Analytics, Policy Monitoring
• Risk-based Access Certification
Access Management
• Single Sign-On & Federation
• Web Services Security
• Authentication & Fraud Prevention
• Authorization & Entitlements
• Access from Mobile Devices
Directory Services
• LDAP Storage
• Virtualized Identity Access
• LDAP Synchronization
• Next Generation (Java) Directory
Platform Security Services - Identity Services for Developers (figure): roles & entitlements, authorization, auditing, authentication, user provisioning, policy store, session data management, directory services, other.
Platform Security: User Provisioning Service (figure: create, update, delete)
• User Provisioning Automation
– Supports adds, moves and changes
– Virtualizes user identity
– Reconciles orphaned accounts
• Workflow Driven
– Flexible and changeable processes
– Supports approval processes
• Policy Driven
– Provides account policies and password policies
– Supports role-based entitlement management
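The adds/moves/changes, orphan reconciliation and role-based entitlement points above can be shown in code. The following is an added example written for this transcript, not Oracle's provisioning code: it assumes an authoritative HR feed and an account export from one target application (both constructed here), and a hypothetical role-to-entitlement table. It computes the create/update/delete actions and lists orphaned accounts for review instead of deleting them silently.

```python
"""Joiner/mover/leaver reconciliation for a user provisioning service.

Added illustration; not Oracle code. The HR feed, the target-application
account export and the role-to-entitlement table below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Role-based entitlement policy (hypothetical role and entitlement names).
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "finance_analyst": frozenset({"erp:ledger.read", "erp:reports.run"}),
    "finance_manager": frozenset({"erp:ledger.read", "erp:ledger.approve"}),
    "engineer": frozenset({"scm:repo.write", "ci:build.run"}),
}


@dataclass(frozen=True)
class Identity:
    """One row of the authoritative HR feed."""
    emp_id: str
    login: str
    roles: FrozenSet[str]
    active: bool


@dataclass(frozen=True)
class Account:
    """One account as exported from the target application."""
    login: str
    emp_id: Optional[str]        # None: the target never recorded an owner
    entitlements: FrozenSet[str]


def entitlements_for(roles: FrozenSet[str]) -> FrozenSet[str]:
    """Expand roles into the entitlements the account should hold."""
    wanted = set()
    for role in roles:
        wanted |= ROLE_ENTITLEMENTS.get(role, frozenset())
    return frozenset(wanted)


def reconcile(hr: List[Identity], accounts: List[Account]) -> Tuple[List[tuple], List[str]]:
    """Compare HR (source of truth) with the target's accounts.

    Returns (actions, orphans). actions are ("create"|"update"|"delete",
    login, detail) in HR-feed order. orphans are accounts whose owner is
    unknown to HR; they are reported for review rather than deleted,
    because legitimate service accounts often look exactly like this.
    """
    hr_ids = {ident.emp_id for ident in hr}
    acct_by_id = {a.emp_id: a for a in accounts if a.emp_id is not None}
    actions, orphans = [], []

    for ident in hr:
        wanted = entitlements_for(ident.roles)
        acct = acct_by_id.get(ident.emp_id)
        if ident.active and acct is None:                       # joiner
            actions.append(("create", ident.login, sorted(wanted)))
        elif not ident.active and acct is not None:             # leaver
            actions.append(("delete", acct.login, "leaver"))
        elif acct is not None and acct.entitlements != wanted:  # mover
            detail = {"grant": sorted(wanted - acct.entitlements),
                      "revoke": sorted(acct.entitlements - wanted)}
            actions.append(("update", acct.login, detail))

    for acct in accounts:
        if acct.emp_id is None or acct.emp_id not in hr_ids:
            orphans.append(acct.login)
    return actions, sorted(orphans)


# Constructed sample data: one unchanged user, one mover, one leaver,
# one joiner, and two orphaned accounts in the target system.
HR = [
    Identity("1001", "asmith", frozenset({"finance_analyst"}), True),
    Identity("1002", "bjones", frozenset({"finance_manager"}), True),
    Identity("1003", "clee", frozenset({"engineer"}), False),
    Identity("1004", "dkim", frozenset({"engineer"}), True),
]
ACCOUNTS = [
    Account("asmith", "1001", frozenset({"erp:ledger.read", "erp:reports.run"})),
    Account("bjones", "1002", frozenset({"erp:ledger.read", "erp:reports.run"})),
    Account("clee", "1003", frozenset({"scm:repo.write", "ci:build.run"})),
    Account("svc_legacy", None, frozenset({"erp:ledger.approve"})),
    Account("xgone", "9999", frozenset({"scm:repo.write"})),
]

if __name__ == "__main__":
    acts, orphan_logins = reconcile(HR, ACCOUNTS)
    for act in acts:
        print(*act)
    print("orphans for review:", orphan_logins)
```

Note that the mover case revokes entitlements the new role no longer grants; provisioning systems that only ever add rights are how privilege accumulates.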
Platform Security: Sign-On and Authentication (figure: password management, sign-on, policy)
• Standards Based Authentication
– Simplifies integration
– Provides federated sign-on
• Self Service Password Management
– Reset forgotten passwords
– Change passwords
– Enforce strong password policy
• Multi-factor Authentication
– Increase trust
– Comply with regulatory mandates
Platform Security: Declarative Security, External Authorization (figure: policy enforcement, SoD, roles)
• Standards Based
– XACML
– NIST
– ABAC and RBAC
• Separation of Duties
– Preventive and detective
– Function and data security
• ADF Integration
– Reduced development cost
– Reduced complexity
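To make the externalized-authorization idea concrete, here is an added example, not Oracle, ADF or XACML library code. It follows the XACML shape (subject, resource and action attributes; rules with Permit or Deny effects; deny-overrides combining) but every rule, role name and resource attribute is invented for the illustration. RBAC rules give function security (what a role may do), ABAC rules give data security (conditions on the record), and the two separation-of-duties controls are the preventive (refuse the assignment) and detective (scan existing assignments) variants from the slide.

```python
"""Externalized authorization with RBAC, ABAC and separation of duties.

Added illustration; not Oracle, ADF or XACML library code. Rule set,
role names and resource attributes are invented for this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    subject: dict    # {"user", "roles", "dept", optional "approval_limit"}
    resource: dict   # {"type", "owner_dept", "amount", "created_by"}
    action: str


RULES: List[Tuple[str, Optional[str], Callable[[Request], bool]]] = []


def rule(effect: str, action: Optional[str] = None):
    """Register a rule; the decorated function returns True when it matches."""
    def wrap(fn):
        RULES.append((effect, action, fn))
        return fn
    return wrap


# RBAC: what a role may do (function security).
@rule(PERMIT, "invoice:create")
def clerk_may_create(r): return "ap_clerk" in r.subject["roles"]

@rule(PERMIT, "invoice:approve")
def approver_may_approve(r): return "ap_approver" in r.subject["roles"]

# ABAC: conditions on subject and resource attributes (data security).
@rule(DENY)
def cross_department(r): return r.resource["owner_dept"] != r.subject["dept"]

@rule(DENY, "invoice:approve")
def approving_own_invoice(r): return r.resource["created_by"] == r.subject["user"]

@rule(DENY, "invoice:approve")
def over_approval_limit(r): return r.resource["amount"] > r.subject.get("approval_limit", 0)


def decide(req: Request) -> str:
    """Policy decision point: deny-overrides across all applicable rules."""
    effects = {eff for eff, act, fn in RULES
               if (act is None or act == req.action) and fn(req)}
    if DENY in effects:
        return DENY
    if PERMIT in effects:
        return PERMIT
    return NOT_APPLICABLE        # the enforcement point must treat this as Deny


# Static separation of duties: toxic role combinations (hypothetical).
SOD_CONFLICTS = [frozenset({"ap_clerk", "ap_approver"}),
                 frozenset({"payroll_entry", "payroll_release"})]


def sod_violations(roles) -> List[frozenset]:
    held = set(roles)
    return [c for c in SOD_CONFLICTS if c <= held]


def assign_role(roles: Set[str], new_role: str) -> frozenset:
    """Preventive control: refuse an assignment that completes a toxic pair."""
    candidate = set(roles) | {new_role}
    if sod_violations(candidate):
        raise PermissionError(f"SoD violation: {new_role} conflicts with {sorted(roles)}")
    return frozenset(candidate)


def detect_sod(assignments: Dict[str, Set[str]]) -> Dict[str, List[List[str]]]:
    """Detective control: scan existing assignments, e.g. in a certification run."""
    return {user: sorted(sorted(c) for c in sod_violations(roles))
            for user, roles in assignments.items() if sod_violations(roles)}


# Constructed sample subjects and resources.
CLERK = {"user": "asmith", "roles": {"ap_clerk"}, "dept": "finance"}
APPROVER = {"user": "bjones", "roles": {"ap_approver"}, "dept": "finance", "approval_limit": 10_000}
INVOICE = {"type": "invoice", "owner_dept": "finance", "amount": 5_000, "created_by": "asmith"}
OWN_INVOICE = dict(INVOICE, created_by="bjones")

if __name__ == "__main__":
    print(decide(Request(CLERK, INVOICE, "invoice:create")))          # Permit
    print(decide(Request(APPROVER, INVOICE, "invoice:approve")))      # Permit
    print(decide(Request(APPROVER, OWN_INVOICE, "invoice:approve")))  # Deny
    print(detect_sod({"eve": {"ap_clerk", "ap_approver"}}))
```

The point of externalizing this is that the application calls decide() and never embeds the rules; changing the approval limit or adding a toxic pair is a policy change, not a code release.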
Platform Security: Identity Provider Service (figure: virtualized identity, privacy data)
• Secures User Information
– Protects private user data
– Provides attribute-level security
• Externalizes Identity
– A single user view
– Common user accounts across apps
• Simplifies Audit Compliance
– Single point for access termination
– Single point for access control audit
Mobile Access & Enterprise Applications
• Enterprises want to enable secure, convenient, efficient access to enterprise applications, data, and collaboration/communication tools
• Support a workforce-anywhere model, using any device
• Mobile applications are built in one of the following ways:
– Native web browser on the mobile device
– Native mobile device clients acting as a web browser
– Native mobile device clients connecting to gateways or applications
Mobile & Social Identity Access Challenges (figure: developer, "?", auth servers, directory servers, DB servers, IAM servers)
Data: Database Security Defense-in-Depth
• Prevent access by non-database users to data at rest, in motion, and in storage
• Increase database user identity assurance
• Strict access control to application data, even from privileged users
• Enforce multi-factor authorization
• Audit database activity and create reports
• Monitor database traffic and prevent threats from reaching the database
• Ensure the database production environment is secure and prevent drift
• Mask sensitive data in non-production environments
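The "monitor database traffic and prevent threats from reaching the database" layer is usually built on statement allowlisting: the firewall learns the shapes of the statements the application normally sends and judges new traffic against them. The block below is an added example written for this transcript, not Oracle Database Firewall code; the learned workload and the incoming statements are constructed. Literals are replaced by placeholders so that a parameter change still matches, while an injected OR 1=1 or UNION changes the statement's shape and falls outside the allowlist.

```python
"""Database firewall: statement-fingerprint allowlisting in front of a database.

Added illustration; not Oracle Database Firewall code. The learned
workload and the incoming statements are constructed.
"""
import re
from typing import Iterable, Tuple

_COMMENT = re.compile(r"--[^\n]*|/\*.*?\*/", re.S)
_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"\b\d+(?:\.\d+)?\b")
_IN_LIST = re.compile(r"\(\s*\?(?:\s*,\s*\?)*\s*\)")
_WS = re.compile(r"\s+")

# Shapes a legitimate, parameterised application query never takes.
_ATTACK_SHAPES = re.compile(r"\bunion\b|\bor\s+\?\s*=\s*\?|;\s*(?:drop|alter|grant|truncate)\b")


def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape: comments removed, literals -> ?,
    IN lists collapsed to (?), whitespace and case normalised."""
    s = _COMMENT.sub(" ", sql)
    s = _STRING.sub("?", s)
    s = _NUMBER.sub("?", s)
    s = _WS.sub(" ", s).strip().lower()
    return _IN_LIST.sub("(?)", s)


class StatementFirewall:
    """Pass statements whose shape was learned from normal workload, block
    known attack shapes, and alert (or block, in enforcement mode) on the rest."""

    def __init__(self, learned: Iterable[str], enforce: bool = False):
        self.allow = {fingerprint(s) for s in learned}
        self.enforce = enforce   # monitoring mode alerts; enforcement mode blocks

    def check(self, sql: str) -> Tuple[str, str]:
        fp = fingerprint(sql)
        if fp in self.allow:
            return "pass", fp
        if _ATTACK_SHAPES.search(fp):
            return "block", fp
        return ("block" if self.enforce else "alert"), fp


# Constructed: statements captured while the application ran normally.
LEARNED = [
    "SELECT id, name FROM customers WHERE id = 42",
    "SELECT id, name FROM customers WHERE id IN (1, 2, 3)",
    "UPDATE orders SET status = 'shipped' WHERE id = 7",
]

if __name__ == "__main__":
    fw = StatementFirewall(LEARNED)
    for stmt in [
        "SELECT id, name FROM customers WHERE id = 1000",
        "SELECT id, name FROM customers WHERE id IN (5,6,7,8,9)",
        "SELECT id, name FROM customers WHERE id = 1 OR 1=1",
        "SELECT id, name FROM customers WHERE id = 1 UNION SELECT login, pwd FROM users",
        "SELECT count(*) FROM orders",
    ]:
        print(fw.check(stmt))
```

Run it in monitoring mode first: every "alert" is either a statement the learning phase missed or something that should not be there, and the allowlist is only as good as the coverage of that phase.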
Oracle Maximum Security Architecture (figure)
• Oracle Audit Vault
• Oracle Database Firewall
• Oracle Database Vault: multi-factor authorization, DB consolidation security, unauthorized DBA activity
• Oracle Advanced Security: encrypted database, encrypted traffic
• Oracle Data Masking: mask for test and dev
• Enterprise Manager Grid Control: secure configuration scanning, patch management
• Applications
2011 Oracle Corporation – Proprietary and Confidential
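The "mask for test and dev" component in the architecture above, and the "mask sensitive data in non-production environments" point in the defense-in-depth list, both rest on the same technique: replacing production values with pseudonyms that keep the format the application expects and stay consistent across tables. The following is an added example written for this transcript, not Oracle Data Masking code. It uses a keyed HMAC so the same production value always masks to the same test value (joins on the masked column still work) while the original cannot be recovered without the key; the key and the rows are constructed, and the card masker keeps the 6-digit BIN and recomputes the Luhn check digit so validators in the test application still accept the number.

```python
"""Deterministic, format-preserving data masking for test/dev copies.

Added illustration; not Oracle Data Masking code. KEY and the sample rows
are constructed. A real deployment keeps KEY in production only, so the
masked environment never holds what is needed to reverse the mapping.
"""
import hashlib
import hmac
from typing import Dict, List

KEY = b"constructed-demo-key-keep-real-keys-out-of-nonprod"


def _digits(key: bytes, value: str, n: int) -> str:
    """n pseudorandom decimal digits derived from HMAC-SHA256(key, value).
    The slight bias from % 10 is acceptable for test data, not for crypto."""
    out, counter = [], 0
    while len(out) < n:
        block = hmac.new(key, f"{counter}:{value}".encode(), hashlib.sha256).digest()
        out.extend(str(b % 10) for b in block)
        counter += 1
    return "".join(out[:n])


def luhn_check_digit(partial: str) -> str:
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_card(pan: str, key: bytes = KEY) -> str:
    """Keep the 6-digit BIN (routing and test logic depend on it), pseudonymise
    the body, and recompute the check digit so the result still passes Luhn."""
    body = _digits(key, pan, len(pan) - 7)
    partial = pan[:6] + body
    return partial + luhn_check_digit(partial)


def mask_email(email: str, key: bytes = KEY) -> str:
    """Stable pseudonym on a non-deliverable domain."""
    local = email.partition("@")[0]
    tag = hmac.new(key, local.encode(), hashlib.sha256).hexdigest()[:10]
    return f"user-{tag}@example.test"


def mask_phone(phone: str, key: bytes = KEY) -> str:
    """Format-preserving: digits replaced, separators and length kept."""
    new = iter(_digits(key, phone, sum(c.isdigit() for c in phone)))
    return "".join(next(new) if c.isdigit() else c for c in phone)


MASKERS = {"email": mask_email, "card": mask_card, "phone": mask_phone}


def mask_rows(rows: List[Dict[str, str]], rules: Dict[str, str]) -> List[Dict[str, str]]:
    """rules maps column name -> masker name; other columns pass through."""
    return [{col: (MASKERS[rules[col]](val) if col in rules else val)
             for col, val in row.items()} for row in rows]


# Constructed production extract: customers and orders joined on email.
CUSTOMERS = [{"id": "1", "email": "alice@corp.example",
              "card": "4111111111111111", "phone": "+1-555-0100"}]
ORDERS = [{"order": "A-1", "customer_email": "alice@corp.example", "total": "19.99"}]

if __name__ == "__main__":
    print(mask_rows(CUSTOMERS, {"email": "email", "card": "card", "phone": "phone"}))
    print(mask_rows(ORDERS, {"customer_email": "email"}))
```

Because the same key and function are applied to customers.email and orders.customer_email, the masked copies still join; rotating the key produces a completely different, equally consistent test dataset.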
Based on open standards & manageability & scalability

Q&A