
How a Protected Enterprise Reduces Risk and Liability

Presentation Transcript


  1. How a Protected Enterprise Reduces Risk and Liability. Oracle Corporation. Mike Mull, CISSP, Solution Specialist, Oracle Protected Enterprise Group.

  2. The Burden is Real

  3. Issues & Concerns
     • Intellectual capital
     • Financial Losses
     • Asset Protection
     • Brand Protection
     • Public Image
     • Litigation
     • Business Risks
     • Compliance
     • Employee & Customer Privacy
     • Loss of Customer Trust
     Source: "Cybersecurity: It’s Dollars and Cents", Business Week, 2/11/2005

  4. Protected Enterprise Challenges
     • Address regulatory compliance
     • Ensure privacy and accountability
     • Reduce risk and liability
     • Increase business agility
     • Maintain operational effectiveness
     Information Security: • Identification (who) • Access Controls (what) • Auditing (where, when & how)
     Business Continuity: • High Availability • Disaster Recovery • Continuous Operations
     Applies to ALL applications across ALL industries

  5. Integrated Security (diagram labels: Business Continuity; Data Security, in motion and at rest; Auditing and Access Management; Single Sign-on; Disaster Recovery; Single Console Administration; Secure Channels)

  6. Security is a System: SECURITY = Product + Configuration + Implementation + Policy and Process

  7. Security Realms
     • Policies and Processes
       • Policy makers are not policy implementers or users
       • Process documentation
     • Product
       • Buffer overflows
       • Resolved by vendor’s development teams
       • Example: Oracle provides patches by email blasts from MetaLink
     • Configuration
       • Database settings (*.ora)
       • OS file settings
       • Network setup
       • DoE/CIS Benchmark and Oracle Best Practices serve as guide
     • Implementation
       • Technologies (VPD, Auditing, etc.)
       • Design choices

  8. Why is Security Hard?
     • No system can be 100% secure
       • Reality is risk mitigation, not risk avoidance
     • Difficult to prove good security
       • Bad security gets proven to/for us
       • Good security and no security can look the same
       • How does one know how secure they are?
     • Many things to secure
       • People, equipment, OS, network, Application Servers, applications, and databases

  9. Password Policy Example
     • Cannot be similar to user’s name
     • Cannot be easily guessable
     • Must be at least 12 characters in length
     • Contains upper and lower case characters
     • Contains at least one special character
     • Contains at least one number
     • Rotated every 14 days
     • Cannot be re-used for 5 years
     My current password: “This1is2Hard!”
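The policy on this slide is enforceable in Oracle with a password profile and a verification function. The block below is an added example, not part of the presentation: the profile name `strong_pwd_profile`, the function name `verify_strong_pwd`, the user `scott` and the short deny list are assumptions. The verification function must be created in the SYS schema, and the three-argument signature is the one Oracle calls.

```sql
-- Added example: profile and verification function for the slide's password policy.
-- Names (strong_pwd_profile, verify_strong_pwd, scott) are assumptions.
CREATE OR REPLACE FUNCTION verify_strong_pwd (
    username     IN VARCHAR2,
    password     IN VARCHAR2,
    old_password IN VARCHAR2)
RETURN BOOLEAN
IS
BEGIN
    -- Cannot be similar to the user's name
    IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
        raise_application_error(-20001, 'Password must not contain the user name');
    END IF;

    -- Must be at least 12 characters in length
    IF LENGTH(password) < 12 THEN
        raise_application_error(-20002, 'Password must be at least 12 characters');
    END IF;

    -- Upper case, lower case, a number and a special character are all required
    IF NOT REGEXP_LIKE(password, '[[:upper:]]')
       OR NOT REGEXP_LIKE(password, '[[:lower:]]')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]')
       OR NOT REGEXP_LIKE(password, '[[:punct:]]') THEN
        raise_application_error(-20003,
            'Password needs upper case, lower case, a number and a special character');
    END IF;

    -- Cannot be easily guessable: constructed deny list, a real one is far longer
    IF LOWER(password) IN ('password1234', 'welcome12345', 'changeme1234') THEN
        raise_application_error(-20004, 'Password is too easily guessed');
    END IF;

    RETURN TRUE;
END;
/

CREATE PROFILE strong_pwd_profile LIMIT
    PASSWORD_LIFE_TIME       14      -- rotated every 14 days
    PASSWORD_REUSE_TIME      1825    -- no re-use for 5 years (value is in days)
    PASSWORD_REUSE_MAX       1       -- both limits must be set for the time limit to apply
    PASSWORD_VERIFY_FUNCTION verify_strong_pwd;

ALTER USER scott PROFILE strong_pwd_profile;
```

Setting `PASSWORD_REUSE_MAX` to `UNLIMITED` alongside a numeric `PASSWORD_REUSE_TIME` would forbid re-use forever rather than for five years, which is why both limits are given as numbers.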

  10. Balancing the Business: Need flexibility to adjust to current situation. Best Case: Accommodate all requirements. (Triangle of competing factors: Usability x Security x Performance)

  11. Security Tenets: Security has to be built in to the system, not bolted on afterwards

  12. Security Tenets • Defense in depth • Security in layers for higher assurance

  13. Security Tenets • Be proactive

  14. Security Tenets • Abide by the least-privilege principle (diagram of system privileges an account might hold: Create Session, Create Table, Alter Session, Create Procedure, Drop Table, Create View, Create Synonym, Create Sequence)

  15. Security Tenets Not all products are created equal

  16. The Challenge: Get the right data (securely) to the right people in a timely manner that maximizes usability, lowers administrative burdens, eases application development and maximizes security
      • Identity Management
      • Data in transit
        • Applications need to know user
        • Databases need to know user
      • Database security and auditing

  17. Defense in Depth
      • Identification and Identity Preservation: Proxy Authentication, Client Identifiers, Identity Management
      • Element Level Protections: Database Encryption
      • Fine-Grained Access Control: Row Level Security
      • Accountability: Fine-Grained Auditing

  18. Typical Authentication Architecture (diagram: users of Application “A”, middle tier with connection pool, Oracle DB)
      1. Users authenticate to middle tier
      2. Middle tier connects to an (anonymous) application account
      3. Database cannot apply proper access controls and auditing at the user level
      Security cannot be based on anonymity!

  19. Identity Preservation – Proxy Authentication (diagram: Blue User, Red User, Yellow User, middle tier with connection pool, Oracle DB)
      1. Users authenticate to middle tier
      2. Middle tier proxies user identity to database
      3. Database applies authorizations, access control, and auditing for real end user

  20. Identity Preservation – Client Identifiers (diagram: connection pool calling Set_Identifier(‘Yellow User’) and Set_Identifier(‘Green User’) against Oracle DB)
      • Database procedure called by application
      • Client Identifiers convey user’s information to DB
      • User information used in access control decisions
      • Value is automatically audited
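Slides 14, 19 and 20 together describe one pattern: a pool account with the minimum privilege, proxy authentication so the database sees the real user, and a client identifier where proxying is not possible. The following is an added example, not code from the presentation; the account names `app_pool` and `blue_user`, the table `hr.emp` and the placeholder passwords are assumptions.

```sql
-- Added example: least privilege for the pool account, proxy authentication,
-- and client identifiers. Account and table names are assumptions.

-- 1. The connection-pool account holds only the privilege it needs: opening a
--    session. It owns no data and receives no object grants.
CREATE USER app_pool IDENTIFIED BY "placeholder-change-me";
GRANT CREATE SESSION TO app_pool;

-- 2. Each end user keeps a real account with their own grants and is allowed
--    to be proxied by the pool account.
CREATE USER blue_user IDENTIFIED BY "placeholder-change-me";
GRANT CREATE SESSION TO blue_user;
GRANT SELECT ON hr.emp TO blue_user;
ALTER USER blue_user GRANT CONNECT THROUGH app_pool;

-- 3. The middle tier authenticates as app_pool but opens the session as
--    blue_user (SQL*Plus syntax shown; JDBC uses openProxySession).
--    Authorization and auditing now apply to the real end user.
-- CONNECT app_pool[blue_user]/<pool password>
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user,
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user
FROM   dual;

-- 4. Where the application cannot proxy, it tags the pooled session with the
--    end user's identity instead (slide 20). The value is visible to access
--    control policies and is written to the audit trail.
BEGIN
    DBMS_SESSION.SET_IDENTIFIER('Yellow User');
END;
/
SELECT SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') AS client_identifier
FROM   dual;

-- The identifier must be cleared before the connection goes back to the pool;
-- otherwise the next borrower inherits the previous user's identity.
BEGIN
    DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/

-- 5. Audited statements carry the identifier in the CLIENT_ID column.
AUDIT SELECT ON hr.emp BY ACCESS;
SELECT username, client_id, action_name, timestamp
FROM   dba_audit_trail
WHERE  owner = 'HR' AND obj_name = 'EMP';
```

In step 3 the first query reports `APP_POOL` as the proxy user and `BLUE_USER` as the session user, which is exactly the distinction the slide's step 3 relies on. The `CLEAR_IDENTIFIER` call is the part most often forgotten in pooled middle tiers; without it the audit trail attributes one user's actions to another.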

  21. Core Identity Management (diagram)
      Business Problems: Globally Integrated E-Business; Streamlined Security; IT Cost and Complexity; Regulatory Compliance; Quality of Service
      Efficient customer service; Tighter supplier & partner relationships; Consistent ID and security policy; Quick enforcement of privilege updates; Simplify admin & helpdesk tasks; Identity Lifecycle Management; Privacy & Confidentiality; Monitorability & Auditability; Personalized content; Profile & preference; Self-service
      Identity & Access Management: Provisioning; Workflow Automation; Security Monitoring & Auditing; Web Authorizations; Secure Federation; SSO; Delegated Admin; Self Service; Policy Based Access Mgmt; Role Based Access Mgmt; Account Provisioning; Certificate Authority
      Identity Integration: Federated Directory; Meta-Directory; Directory

  22. Securing Cross-Organization Transactions. An example: An independent broker uses Big Insurance Co.’s Web application to issue a new insurance policy for a client. (Diagram: INDEPENDENT INSURANCE BROKER INC. broker web apps, Create New Policy and Check Rates, calling BIG INSURANCE CORP.’s office intranet, CREATE POLICY and Client History, which in turn consult STATE DMV HISTORY, STATE INSURANCE, CREDIT CHECK and EMPLOYMENT HISTORY services.)

  23. Federated Identity Management: According to Burton Group…
      “What is federated identity management?
      • Agreements, standards, technologies that make identity and entitlements portable across autonomous domains
      • Begins at home, within and between organizations
      • Joined at the hip with Web services
      • Will grow both in granularity and scale”
      From Burton Group Catalyst Conference

  24. Federated Identity (diagram: Company A: Portal; Company B: Technical Database Application)
      1. Company A’s users authenticate into A’s portal
      2. Company A uses SAML to send an identity “trusted ticket” to Company B’s application
      3. Company B’s systems accept the ticket and grant access to the Company A user, through the Company A portal

  25. Web Services Security/Mgmt Concerns
      • Security
        • “We have many web services exposed to the internet now”
        • “Only valid partners may access our web services”
      • Exception Handling
        • “Notify operations if a transaction stalls”
        • “Send any incomplete orders to customer service for fixing”
      • Compliance and Consistency
        • “All customer orders must be encrypted with 128 bit keys”
        • “All XML messages must follow this format”
      • Service Level Monitoring
        • “The order system must process transactions in under 2 seconds”
        • “If uptime falls below 98% we owe contract penalties”

  26. Needs for Web Services Management
      • Without WSM, policy is hard-coded into each Web Service
      • Result is siloed, inconsistent security and management
      • A change in enterprise standards = rework of every service
      • Higher cost, more fragile, harder to change
      • No unified insight into operations across services
      The goal is to decouple security and management policy from each individual Service’s logic

  27. Oracle WSM Components: BUILD Policies (Policy Manager), ENFORCE Policies (Policy Gateway, Policy Agents), MONITOR Policies (Web Service Monitor), applied to the Web Services

  28. Defense in Depth (agenda slide repeated from slide 17; next section: Element Level Protections, Database Encryption)

  29. Encryption – Data at Rest
      • Regulations that affect you
      • Value of data
      • Be selective about what you encrypt
      • Encryption “in transit” may be required

  30. Stored Data Encryption (figure: sample table of names and numbers such as Pattakos, Brown, Cho, Ellison, Ang, Fitzgerald, Johnson, Garcia, Els, Duffy, Nussbaum, shown as stored plaintext next to their protected form)
      Element level protections
      • Selective encryption of sensitive data (e.g., SSNs, credit card #s, diagnosis)
      • Makes interpreting the real data more difficult
      DBMS_CRYPTO
      • Encryption: AES128/192/256, 3DES, RC4, DES
      • Hashing: SHA1, MD5, MD4, HMAC
      • CLOB, BLOB, and RAW support (no padding required)
      • On the horizon – Transparent encryption
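Element-level protection with `DBMS_CRYPTO`, as the slide describes it, means encrypting only the sensitive column and leaving the rest of the row in clear. The block below is an added example and not code from the presentation; the `patient` table, the `ssn_vault` package and the hard-coded demonstration keys are assumptions (a deployment keeps keys in a wallet or HSM, never beside the data). The caller needs `EXECUTE` on `DBMS_CRYPTO`, which is granted separately.

```sql
-- Added example: selective column encryption and keyed hashing with DBMS_CRYPTO.
-- Table, package and key values are assumptions; keys here are for illustration only.
CREATE TABLE patient (
    id       NUMBER PRIMARY KEY,
    name     VARCHAR2(100),
    ssn_enc  RAW(64),    -- only the sensitive column is encrypted (IV || ciphertext)
    ssn_hash RAW(32));   -- keyed hash allows equality lookups without decrypting

CREATE OR REPLACE PACKAGE ssn_vault AS
    FUNCTION encrypt_ssn (p_ssn IN VARCHAR2) RETURN RAW;
    FUNCTION decrypt_ssn (p_raw IN RAW)      RETURN VARCHAR2;
    FUNCTION hash_ssn    (p_ssn IN VARCHAR2) RETURN RAW;
END ssn_vault;
/
CREATE OR REPLACE PACKAGE BODY ssn_vault AS
    -- Demonstration keys (assumption): separate keys for encryption and MAC.
    c_enc_key CONSTANT RAW(32) := HEXTORAW('00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF');
    c_mac_key CONSTANT RAW(32) := HEXTORAW('FFEEDDCCBBAA99887766554433221100FFEEDDCCBBAA99887766554433221100');
    c_cipher  CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                                    + DBMS_CRYPTO.CHAIN_CBC
                                    + DBMS_CRYPTO.PAD_PKCS5;

    FUNCTION encrypt_ssn (p_ssn IN VARCHAR2) RETURN RAW IS
        v_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);   -- fresh IV for every value
    BEGIN
        -- Store IV || ciphertext so the value can be decrypted later
        RETURN UTL_RAW.CONCAT(
                   v_iv,
                   DBMS_CRYPTO.ENCRYPT(
                       src => UTL_I18N.STRING_TO_RAW(p_ssn, 'AL32UTF8'),
                       typ => c_cipher,
                       key => c_enc_key,
                       iv  => v_iv));
    END;

    FUNCTION decrypt_ssn (p_raw IN RAW) RETURN VARCHAR2 IS
        v_iv RAW(16) := UTL_RAW.SUBSTR(p_raw, 1, 16);
        v_ct RAW(64) := UTL_RAW.SUBSTR(p_raw, 17);
    BEGIN
        RETURN UTL_I18N.RAW_TO_CHAR(
                   DBMS_CRYPTO.DECRYPT(src => v_ct, typ => c_cipher,
                                       key => c_enc_key, iv => v_iv),
                   'AL32UTF8');
    END;

    FUNCTION hash_ssn (p_ssn IN VARCHAR2) RETURN RAW IS
    BEGIN
        -- HMAC rather than plain SHA1: an unkeyed hash of a nine-digit SSN is
        -- reversible by enumerating all one billion candidates.
        RETURN DBMS_CRYPTO.MAC(src => UTL_I18N.STRING_TO_RAW(p_ssn, 'AL32UTF8'),
                               typ => DBMS_CRYPTO.HMAC_SH1,
                               key => c_mac_key);
    END;
END ssn_vault;
/

-- Constructed sample rows
INSERT INTO patient VALUES (1, 'Ellison', ssn_vault.encrypt_ssn('123-45-6789'),
                            ssn_vault.hash_ssn('123-45-6789'));
INSERT INTO patient VALUES (2, 'Garcia',  ssn_vault.encrypt_ssn('987-65-4321'),
                            ssn_vault.hash_ssn('987-65-4321'));

-- Equality lookup without decrypting the column
SELECT id, name FROM patient
WHERE  ssn_hash = ssn_vault.hash_ssn('123-45-6789');

-- Only callers with EXECUTE on ssn_vault can recover the clear value
SELECT id, ssn_vault.decrypt_ssn(ssn_enc) AS ssn FROM patient WHERE id = 1;
```

Two design points follow from the slide's "be selective" advice: the name column stays searchable and indexable because it is not encrypted, and the keyed hash gives the application an exact-match lookup on the SSN without ever decrypting the stored column.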

  31. Defense in Depth (agenda slide repeated from slide 17; next section: Fine-Grained Access Control, Row Level Security)

  32. Label Based Access Control (illustration: a record labelled TOP SECRET, agent 007)
      • Record-level security based on security tags or labels
      • Simple to understand
      • Simple to convey
      • Simple to audit/prove
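The record-level security the slide describes can be seen end to end with Virtual Private Database (`DBMS_RLS`), the technology slide 7 lists under implementation; Oracle Label Security, the product on the following slides, packages this same label-column pattern. The block below is an added example, not code from the presentation; the `sec` schema, the `mission` and `user_clearance` tables, the `clearance_ctx` context and the numeric label levels are assumptions.

```sql
-- Added example: row-level security keyed on a label column, built with VPD.
-- Schema, table, context and level values are assumptions.
CREATE TABLE mission (
    id          NUMBER PRIMARY KEY,
    codename    VARCHAR2(50),
    label_level NUMBER);   -- 10 = UNCLASSIFIED, 20 = SECRET, 30 = TOP SECRET (constructed scale)

CREATE TABLE user_clearance (
    username  VARCHAR2(128) PRIMARY KEY,
    max_level NUMBER);

-- Constructed sample data
INSERT INTO mission VALUES (1, 'Picnic',    10);
INSERT INTO mission VALUES (2, 'Goldeneye', 30);
INSERT INTO user_clearance VALUES ('BLUE_USER', 20);

-- An application context carries each user's clearance. Only the trusted
-- package named here may set it, so a user cannot raise their own level.
CREATE CONTEXT clearance_ctx USING sec.clearance_ctx_pkg;

CREATE OR REPLACE PACKAGE clearance_ctx_pkg AS
    PROCEDURE set_clearance;
END;
/
CREATE OR REPLACE PACKAGE BODY clearance_ctx_pkg AS
    PROCEDURE set_clearance IS
        v_level NUMBER;
    BEGIN
        -- Look up the real (proxied) session user, never a value the
        -- application passes in.
        SELECT max_level INTO v_level
        FROM   user_clearance
        WHERE  username = SYS_CONTEXT('USERENV', 'SESSION_USER');
        DBMS_SESSION.SET_CONTEXT('clearance_ctx', 'max_level', v_level);
    EXCEPTION
        WHEN NO_DATA_FOUND THEN
            -- Unknown user: fail closed with a level below every label
            DBMS_SESSION.SET_CONTEXT('clearance_ctx', 'max_level', 0);
    END;
END;
/

-- Populate the context once per session
CREATE OR REPLACE TRIGGER set_clearance_on_logon
AFTER LOGON ON DATABASE
BEGIN
    sec.clearance_ctx_pkg.set_clearance;
END;
/

-- Policy function: returns the predicate the database appends to every
-- statement against MISSION. The two parameters are required by DBMS_RLS.
CREATE OR REPLACE FUNCTION mission_label_policy (
    schema_name IN VARCHAR2,
    table_name  IN VARCHAR2) RETURN VARCHAR2 IS
BEGIN
    -- NVL(..., 0) keeps the policy closed if the context was never set
    RETURN 'label_level <= NVL(SYS_CONTEXT(''clearance_ctx'', ''max_level''), 0)';
END;
/

BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'SEC',
        object_name     => 'MISSION',
        policy_name     => 'MISSION_LABEL_RLS',
        function_schema => 'SEC',
        policy_function => 'MISSION_LABEL_POLICY',
        statement_types => 'SELECT, INSERT, UPDATE, DELETE',
        update_check    => TRUE);   -- writes above the user's level are rejected too
END;
/

-- The application issues plain queries; the predicate is added for it.
-- With the sample data, BLUE_USER (level 20) sees only 'Picnic'.
SELECT id, codename FROM mission;
```

The policy is what makes the slide's "simple to audit/prove" claim concrete: the predicate lives in one function rather than in every application query, so proving that no code path skips the label check means reading one function and one `ADD_POLICY` call.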

  33. Oil and Gas Services Company: Multiple Databases for secure access control (diagram: separate databases labelled BP Amoco, Chevron, ExxonMobil, Conoco)

  34. Oracle Solution: Label Security. Centralized data, secure access, reduced cost (diagram: one database under Oracle Label Security serving Chevron, ExxonMobil, BP Amoco, Conoco)

  35. Defense in Depth (agenda slide repeated from slide 17; next section: Accountability, Fine-Grained Auditing)

  36. Security Processes: Prevention, Detection and Response
      • Prevention
        • Authentication, Access Controls
      • Detection and Response
        • Database Auditing
        • Audit by user, by object, by privilege
        • Ensure that attempts to view, modify, or delete data by unauthorized persons are tracked
        • Critical attempts should cause immediate response

  37. Fine-grained Auditing (diagram)
      Audit Policy on EMP: AUDIT_CONDITION: NAME != USER; AUDIT_COLUMN = SALARY
      • SELECT name, job, deptno FROM emp: not audited
      • SELECT name, salary FROM emp WHERE name = ‘KING’ (run by SCOTT): audit record written to FGA_LOG$ (statement, <timestamp>, <userid>, etc.) and “Send Alert!” raised
      Audit records can be combined with Flashback Query to see the data as it was at the time of the access
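The policy in the diagram, written out with `DBMS_FGA`, is given below as an added example that is not code from the presentation. The `hr` schema, the `emp` and `security_alert_log` tables and the handler `salary_access_alert` are assumptions; the condition and column are the ones on the slide.

```sql
-- Added example: the slide's fine-grained auditing policy written with DBMS_FGA.
-- Schema, table, log table and handler names are assumptions.
CREATE TABLE emp (
    name   VARCHAR2(30) PRIMARY KEY,
    job    VARCHAR2(30),
    deptno NUMBER,
    salary NUMBER);

CREATE TABLE security_alert_log (
    event_time  TIMESTAMP,
    db_user     VARCHAR2(128),
    client_id   VARCHAR2(64),
    object_name VARCHAR2(261),
    policy_name VARCHAR2(128));

-- Constructed sample rows
INSERT INTO emp VALUES ('KING',  'PRESIDENT', 10, 5000);
INSERT INTO emp VALUES ('SCOTT', 'ANALYST',   20, 3000);

-- Handler the database calls each time the policy fires: the "Send Alert!"
-- box on the slide. The three-parameter signature is fixed by DBMS_FGA.
CREATE OR REPLACE PROCEDURE salary_access_alert (
    object_schema IN VARCHAR2,
    object_name   IN VARCHAR2,
    policy_name   IN VARCHAR2) IS
BEGIN
    -- A production handler would page the on-call team or push to a SIEM;
    -- here the event is recorded in an application log table.
    INSERT INTO security_alert_log
    VALUES (SYSTIMESTAMP,
            SYS_CONTEXT('USERENV', 'SESSION_USER'),
            SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'),
            object_schema || '.' || object_name,
            policy_name);
END;
/

BEGIN
    DBMS_FGA.ADD_POLICY(
        object_schema   => 'HR',
        object_name     => 'EMP',
        policy_name     => 'SALARY_PEEK',
        audit_condition => 'NAME != USER',   -- a row belonging to someone else...
        audit_column    => 'SALARY',         -- ...and the salary column is touched
        handler_schema  => 'HR',
        handler_module  => 'SALARY_ACCESS_ALERT',
        enable          => TRUE,
        statement_types => 'SELECT, UPDATE');
END;
/

-- Not audited: SALARY is not referenced, whichever rows come back.
SELECT name, job, deptno FROM emp;

-- Audited when SCOTT runs it: KING's row satisfies NAME != USER and the
-- statement reads SALARY, so a record is written and the handler fires.
SELECT name, salary FROM emp WHERE name = 'KING';

-- The trail keeps the full statement text alongside the user and client id.
SELECT db_user, client_id, sql_text, timestamp
FROM   dba_fga_audit_trail
WHERE  policy_name = 'SALARY_PEEK';
```

The two conditions are ANDed by the database: a query that names `SALARY` but only returns the caller's own row, or one that returns other people's rows without touching `SALARY`, leaves no record, which keeps the audit trail small enough that the handler's alerts stay meaningful.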

  38. What To Look for in Vendor
      • Look for Trusted Business Advisor
      • End-to-End Solution Provider
      • Independent Technical Evaluations
      • One with strong consulting offerings

  39. Make Security a First-Class Citizen
      • Security placed in at design
      • Multi-layered implementation
      • Proactively act to maintain a strong posture
      • Mitigate the risks – don’t eliminate the risks
      • Apply common sense before applying cool technology
      • Consider the competing factors - balance performance and usability. Be practical

  40. Shameless plug for Boss

  41. Questions & Answers
