Virtualization Lessons: Extreme Data Security for Government and Everyone Else

Governmental deployments are at the leading edge of security for desktop virtualization, but the security needs of private sector organizations continue to increase. In this session, Oracle experts discuss the unique security challenges of deploying desktops with extremely strict security requirements and how all organizations can benefit from following the governmental example when deploying their desktop architectures.

Published in: Technology

  • DOD tends to have higher security standards than many civil agencies by the nature of what they do, and what information they’re trying to protect. So, we’re going to focus a bit more on the DOD and talk in general terms about some of the technologies they’ve implemented to help combat the more common IT threats.
  • Broad classification of types of threats to organizations, applicable to organizations of all types. But at least in some cases, because of the nature of the assets they control, their risks are greater.
  • These administrative “gaps” create opportunities for hackers to attack your organization.
  • These are some of the technologies being used by our customers to help reduce their exposure. Of course, other than unplugging your computers, there’s no “silver bullet” – security measures must be in-depth and pervasive. So, this is just a high-level list.
  • Before drilling down into some of the most common security threats, I’d like to take a few moments to talk about some technologies our customers are using to help reduce their security risks.
  • Earlier, I mentioned one of the most common vulnerabilities that are being exploited by hackers, that of desktop management, and specifically, the ability to deploy security patches in a timely way. Many of our customers are using desktop virtualization technologies – both “classical” Server Based Computing environments, like RDS/Terminal Services, and shared multi-user operating environments like Solaris, and Virtual Desktop Infrastructure products, such as Oracle’s Virtual Desktop Infrastructure. In both cases, the user environment is moved back to the datacenter, where it can be more easily managed and updated. In the case of VDI infrastructures, a “golden master” or “template” can be updated and deployed in minutes.
  • Ultra thin clients, like Oracle’s Sun Ray, have no operating system to be infected, and so require virtually no maintenance. If one is lost or stolen, there’s no exploitable data stored on it. And while they have USB ports, there’s no local operating system to infect. And while USB devices can be mapped to a virtual desktop, this ability is under the control of the administrator, not the end-user. And, important to note, the Sun Ray includes a smartcard reader, so customers who require two-factor/PKI authentication can do so without requiring add-ons to the device.
  • There are a lot of technical details regarding SGD and application publishing, but what I want to focus on here is the SSL VPN aspect of SGD. Note that each segment of each connection is authenticated and terminated at each step – no direct app server access. And that, unlike a traditional VPN, the client computer has no presence on the application server network, so that, even if there’s malware on the client, it has no way to reconnoiter or attack the internal network. Note that to protect against keyloggers, two factor authentication is still highly recommended.
  • We’re going to talk a bit about some of the more common types of attacks against corporate networks – by no means a complete list.
  • Application Vulnerabilities - browsers, especially, but plug-ins, etc. These exploits can be used to deliver all kinds of malware - Remote Access Trojans, viruses, keyloggers, etc. - which can steal sensitive data and user credentials an attacker can use to enter your networks and cause further damage.
    Mitigation strategies:
    1. Prevent the damage - ensure all desktops have up-to-date security software and patches. The problem is, in these widely dispersed enterprises, with many different baselines, patching is often ineffective, and not timely. Bear in mind, as threats are emerging all of the time, even the most aggressive patching strategy will trail the threats. By ensuring patches and scanner signatures are updated immediately, you can detect and eliminate these evolving threats sooner, limiting their lifetime. Virtual desktops can be updated and deployed more quickly, and more successfully, than trying to update 100s or even 1000s of remote desktops.
    2. Limit the damage - As new threats emerge, it's difficult to guarantee you'll never be successfully attacked. So, as part of your defense-in-depth, you should ensure that sensitive data is not accessible to an infected PC, nor to a remote attacker. One way to do this is via multi-level security, ensuring that PCs (VMs) that access e-mail and the web have *no* access to sensitive data and applications. With a stateless device like the Sun Ray and multi-level security software, the same device can access VMs on both OA networks and sensitive networks, with no ability for malware on the OA side to access data on the "secure" side.
  • Users not observing security practices. Users can violate security practices, willfully or otherwise, and expose your organization to attack. Education is vitally important to help prevent accidental disclosures to phishing or social engineering attacks. Yet you know users will fall victim to them, and education doesn't do anything to those who'd deliberately introduce malware.
    Mitigation strategies:
    1. User Education
    2. Use 2-factor authentication *especially* for remote access, so that even the loss of credentials, to keyloggers or on a lost laptop or written on a yellow sticky note, won't be enough to give attackers access.
  • Use of unauthorized USB devices - that innocuous Flash drive someone used to bring their photos to work may well contain malware that can then attack your network. And "Windows" alone has rather weak controls over USB devices.
    Mitigation - Using an ultra thin-client like the Sun Ray, USB device mapping is controlled by the administrator - it can simply be disabled, or can be enabled for certain classes of users. Also, consider the use of a fine-grained USB policy manager.
  • Use of Remote Access Software - many organizations allow remote users to use VPNs to connect to their networks when roaming or working at home. This is fine, as far as it goes, however there are risks:
    1. A remote user may have their device stolen, which may contain all of their user credentials, everything a hacker needs to get into and attack your network.
    2. Using a VPN on uncontrolled endpoints, which may themselves be infected with keyloggers or Remote Access Trojans, provides hackers the keys to your front door.
    3. Bear in mind, VPN technology provides a tunnel into your network, which malware can use to directly perform network reconnaissance and attack other systems.
    4. Endpoint administration software is often subverted by users, as they find it too intrusive, or too much of a performance burden on their systems.
    Mitigation strategies:
    1. Use 2-factor authentication, to deny hackers the ability to steal passwords.
    2. Use an SSL technology like Secure Global Desktop, which doesn't give endpoints access to your application servers - there's no VPN tunnel which malware can exploit.
    3. Use a thin-client like the Sun Ray, which has a built-in VPN, and cannot be infected with malware.
  • Transcript

    • 1. CON8799 - Virtualization Lessons: Extreme Data Security for Government and Everyone Else. Mike Charron, Business Development Manager - Security Solutions; Rick Butland, Principal Sales Consultant, Desktop Virtualization. Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
    • 2. The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
    • 3. Program Agenda
      • Federal Security Challenges and Strategies
      • Desktop Virtualization Technologies
      • Common Security Challenges and Mitigation Strategies
    • 4. Federal Security Challenges and Strategies
    • 5. Federal Computing Environments
      • Civil Agencies and DOD often have similar environments
        – Often geographically dispersed
        – Large user communities
        – Multiple generations of desktops and software
        – Wide range of legacy systems
        – Desktop administration is problematic
    • 6. IT Security Threats
      • Information Disclosure & Exploitation
        – Privacy Act, Classified Material, Financial
      • Information Loss or Corruption
      • Denial of Service / Hijacking
        – Infrastructure - Power and Water distribution
        – Real-Time - Air Traffic Control, Power Plant controls
        – Military - Command and Control, UAVs
    • 7. Common Vulnerabilities in Traditional Desktop Environments
      • Inconsistent / non-timely patching
        – Non-standard software can make patching ineffective
      • Sensitive applications not isolated from “office” networks
        – Email and web browsing are most common infection vectors
      • Users violating security practices
        – Both inadvertently and deliberately
      • Data not adequately backed-up
    • 8. Security Strategies
      • Strategies employed include:
        – Desktop Virtualization
        – Thin-Client Computing
        – Two-factor authentication
        – Isolating sensitive data/networks
    • 9. Overview of Desktop Virtualization Technologies
    • 10. Virtual Desktop Technologies: VDI and/or Server-Based Computing
      (Diagram labels: Datacenter, RDS, VDI, SBC)
    • 11. Thin-Client Computing: Centralized Data and Access Control
    • 12. Oracle Secure Global Desktop: Secure Remote Access
    • 13. Delivering Access to E-Business Suite
      (Diagram labels: Oracle Secure Global Desktop Server, Oracle Secure Global Desktop Clients)
      • Virtual Microsoft Windows Server 2003 or 2008 “desktop” clients
      • Internet Explorer 8 or 9 with JRE 1.6.0_32 and later 1.6 releases
      • Certified with EBS 12.1.3 Environments
    • 14. Common Security Challenges and Mitigation Strategies
    • 15. Common Attack Vectors
      • Application Vulnerability Exploits
      • Social Engineering
      • Phishing / Spearphishing
      • Unauthorized USB Devices
      • VPNs and other Remote Access Software
      • Malware (“payloads”) include
        – Keyloggers
        – Remote Access Trojans
        – Viruses / Worms
    • 16. Application Vulnerability Exploits
      • Browsers, plug-ins, email, etc.
      • Can be used to deliver all types of malware
      • Mitigation Strategies include:
        – Ensure desktops / scanners are updated routinely
        – With Desktop Virtualization, update/deploy updated VMs “instantly”
        – Isolate “office” PCs (VMs) so that those used to access the web have no access to sensitive internal applications/networks
    • 17. Social Engineering Attacks
      • Users are tricked into disclosing authentication information
      • Mitigation Strategies include:
        – User Education
        – Use 2-factor Authentication
        – Limit damage, by isolation of sensitive systems and data from external access and OA networks
    • 18. Phishing / Spearphishing
      • Users are tricked into visiting malicious websites, which can steal credentials and/or install malware
      • Mitigation Strategies include:
        – User Education
        – Use 2-factor Authentication
        – Use up-to-date browsers with anti-phishing plug-ins; isolate older browsers in controlled domains
    • 19. Unauthorized USB Devices
      • Users insert infected USB devices into PCs
      • Users use USB devices to steal IP
      • Mitigation Strategies include:
        – User Education
        – Disable USB device support
        – With an ultra-thin client like the Sun Ray, restrict USB device mapping, except for specific users
        – Investigate policy-based USB management tools
    • 20. Remote Access
      • Loss of user credentials allows remote attacks
      • VPN tunnels from infected endpoints can have credentials stolen, or provide tunnels for malware to directly attack
      • Mitigation Strategies include:
        – Two-Factor Authentication
        – Use stateless thin-client
        – Use a technology like Secure Global Desktop, which provides no exploitable tunnels
    • 21. Graphic Section Divider
    • 22.
      • Mission Drivers
      • Current Operations
      • The Challenges
      • Direction
    • 23. Mission Drivers
      • Simplify and streamline management
        – Lower IT operational costs
        – Improve desktop & application support
        – Reduce eco footprint
      • Increase data security
        – Centralize data
        – Need a secure information gateway
      • Improve information access
        – Access more than just Windows
        – Access data from anywhere
        – Control who accesses data
        – Data must always be available, even in times of disaster
    • 24. Current Operations
      • Funding levels significantly reducing
      • Diverse operations require disparate data
        – GWOT
        – Natural Disasters and Humanitarian
        – Counter Drug
      • Need to share with many partners
        – Secure collaboration
      • Cyber Warfighting Domain demands on infrastructure
        – High Assurance Information Platforms
        – Operations and Manageability
        – “Speed of Battle” – Mission Performance
    • 25. The Challenges
      • Operate with trust within the “cloud”
      • Increase mission effectiveness while reducing operations costs
      • Support disconnected operations
        – At home station
        – In the AOR
      • Support all mission data requirements
        – Text
        – Multi-media (video, 3D graphics, audio)
        – Collaboration Tools
        – Analysis
      • Leverage existing infrastructure as much as possible
    • 26. Directions
      • President’s FY13 IT Budget Estimate
        – $37B, 7% of total DoD Budget
        – Nearly Constant from FY 12
        – Significant “cuts” in FY 14 and beyond
      • DoD Cloud Computing Strategy
        – Critical to the success of the Joint Information Environment (JIE)
        – Improve mission effectiveness
        – Reduce Costs
      • DISA’s Strategic Plan
        – Operate Securely in Cyberspace
        – Seamless Information sharing
        – Infrastructure Services
    • 27. Learn More: Oracle Desktop Virtualization
      • Home Page: oracle.com/virtualization
      • Blog: blogs.oracle.com/virtualization
      • Download: edelivery.oracle.com
      • Virtualization Training from Oracle University: oracle.com/education/vm
    • 28. Join the conversation
      • @ORCL_Virtualize
      • facebook.com/OracleVirtualization
      • youtube.com/OracleVirtualization
    • 29. Desktop Virtualization Sessions
      • Monday, Oct. 01
        – 10:45 – 11:45: CON8799 – Virtualization Lessons: Extreme Data Security for Government and Everyone Else (Moscone South, Room 270)
        – 12:15 – 1:15: GEN8725 – Oracle Virtualization Strategy and Roadmap General Session (Moscone South, Room 103)
        – 4:45 – 5:45: CON8733 – Oracle VM VirtualBox: The Best Tool I Ever Used (Marriott Marquis – Golden Gate C2)
      • Wednesday, Oct. 03
        – 1:15 – 2:15: CON8801 – Bring Your Own Device for Enterprise Application Access in 2012 and Beyond (Moscone South, Room 270)
        – 5:00 – 6:00: CON8802 – The Desktop Cloud: Simplified, Reliable, and Secure Access to Oracle Applications (Moscone South, Room 252)
    • 30. Desktop Virtualization Product Demonstrations (DEMOgrounds)
      • Oracle Virtual Desktop Infrastructure and Sun Ray Clients: Moscone South, Center S-139
      • Oracle Secure Global Desktop: Moscone South, Center S-140
      • Oracle VM VirtualBox: Moscone South, Center S-174