The Oracle Lens

First I want to start with some observations about security and place an Oracle lens on how we see security. Today there are lots of different tools people are deploying to address security: lots of endpoint security on laptops, lots of solutions looking at email security and DLP, and lots of network scanning and ways of monitoring what's happening in the enterprise. (CLICK THE BUILD) But when we examine what's actually happening, most of the threats are against the applications and the data. In fact 48% of the breaches were caused by insiders, so with all the monitoring, 48% of breaches were caused by people who had either excessive access or even legitimate access to the data. 92% of stolen records are from database servers, 89% of records were stolen with simple SQL injection attacks, and a whopping 86% of attacks were due to lost or stolen credentials. So the Oracle lens is: it's all about the data and applications.

What does this mean?

While this does not mean we should neglect our perimeter or remove our endpoint security, it means that the last mile is about really taking control of access in the enterprise. While we can't dramatically lower the number of hackers externally, we can control and manage user access internally, and that would reduce 48% of the problem. Your applications have most of your mission-critical data and your private data.

So instead of only monitoring the network for attacks, I need to also check that my database is protected from SQL injection attacks and be able to check for anomalous behavior from insiders, because remember, 48% of it is internal. Instead of only using email security to protect data, look at how I can provide greater access control of insiders.
In most cases when we look at breaches by insiders, the problem is excessive access.

Story: We were doing an interesting POC at a healthcare organization, looking for clinicians accessing patient data they were not supposed to have access to, and within the first 10 minutes we found a clinician who had accessed the data of a family member.

The Oracle lens is: it's about your data and applications, and it's about access. Our security solutions are focused on identity management and database security.
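The two checks the notes above call for, protecting the database from SQL injection and being able to see anomalous access, as an added illustration in Python with SQLite. This is example code written for this page, not Oracle's product code; the patient table, the user name and the single-row-lookup rule for flagging are constructed assumptions.

```python
import sqlite3

# Constructed sample table; the MRNs and names are made up for this example.
PATIENTS = [
    ("P-1001", "Alice Example"),
    ("P-1002", "Bob Example"),
    ("P-1003", "Carol Example"),
    ("P-1004", "Dan Example"),
]


def build_db():
    """In-memory SQLite database standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (mrn TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?)", PATIENTS)
    return conn


def lookup_vulnerable(conn, mrn):
    """The weak form: caller input is spliced into the SQL text, so a quote
    character in the input changes the meaning of the statement."""
    sql = f"SELECT mrn, name FROM patients WHERE mrn = '{mrn}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, mrn):
    """The hardened form: the value is bound as a parameter, so the database
    only ever sees it as data, never as SQL."""
    sql = "SELECT mrn, name FROM patients WHERE mrn = ?"
    return conn.execute(sql, (mrn,)).fetchall()


def audited_lookup(conn, user, mrn, audit_log):
    """Wraps the hardened lookup with the activity audit the talk asks for:
    each lookup is recorded with who ran it and how many rows came back, and
    a single-record lookup that returns more than one row is flagged."""
    rows = lookup_hardened(conn, mrn)
    entry = {"user": user, "mrn": mrn, "rows": len(rows), "flag": len(rows) > 1}
    audit_log.append(entry)
    return rows


def demo():
    """Returns (rows from the weak lookup, rows from the hardened lookup, audit log)."""
    conn = build_db()
    # The textbook probe input, used here only to show that the two forms differ.
    probe = "' OR '1'='1"
    weak = lookup_vulnerable(conn, probe)
    strong = lookup_hardened(conn, probe)
    log = []
    audited_lookup(conn, "clinician42", "P-1001", log)
    return len(weak), len(strong), log


if __name__ == "__main__":
    print(demo())
```

The weak lookup hands back every row for the probe input, the hardened one hands back none, and the audit entry is what a behavior check would consume: the same flag applied per user over time is the starting point for spotting the kind of clinician access described in the story.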
Security is not the same as compliance

At the same time, security is not the same as compliance. We have to go through lengthy exercises to provide proof of compliance, and it can be a barrier to business opportunities because of the legal liability and effort involved. A whopping 40% of IT budgets are spent on compliance, and as we try to use IT strategically to reach customers and new markets, compliance becomes a burden.

For CSOs to be effective we have to reduce the cost with automation. We can't afford to continue spending the current amounts on security. We have to be able to provide proof of compliance continuously and in a repeatable manner. The process has to be sustainable because we have to be able to scale it across the business. If my CEO wants to acquire a new company (which we do a lot of at Oracle), I have to be able to integrate the new company's compliance processes into my business quickly, provide reporting in a timely fashion, and provide immediate access to resources. If I need to launch a new application for customers, I need to be able to secure the customer data and provide auditability and traceability.

To be strategic and mission critical, reporting has to be timely and we have to fix or remediate the problem quickly. If we find an excessive access issue or someone separates from the company, we can't wait 3 weeks while the help desk ticket gets processed to remove the access. It has to be immediate. We can't afford to spend man-months certifying user access. We have to find better, more intelligent ways of assessing risk.

It's about brand and reputation: prevention is the best cure

With the increasing visibility of the CSO role, security is becoming a question of brand and reputation. When a breach happens or data is lost, the CSO is involved in the crisis response. When Sony was breached, the organization had to respond quickly with a new security architecture that would address the gaps and restore confidence.

The best approach is to prevent it before it happens.
The CSO has to be the hero of cloud, mobile and social computing

It's about providing convenient access that optimizes the business interactions with customers and employees. Every business has to adapt, and security is the enabler. Every business wants to take advantage of cloud computing, mobile computing and social networking, but in order to unlock the opportunity the CSO will have to be the hero. 87% of IT professionals feel security is the key barrier to cloud adoption; most companies have only scratched the surface of cloud potential. While we have made great technical advances in virtualization and multi-tenancy, we can't put our mission-critical LOB apps in the cloud unless we can provide the security forensics and the compliance reporting that go along with it. As I talk to customers I hear many stories about cloud computing projects that fail because they could not pass the audit burden.

Again, the opportunity is about the data and the applications:
• If I can consolidate my apps and run my database in the cloud, I can protect all of the data in one place.
• If I can provision users from the enterprise into my new hybrid cloud, then users can be productive.
• If my sales team can access their customer data and generate quotes from their iPads, I can reduce my sales cycle by weeks.
• If my employees can access email on mobile devices, then I can be more responsive to customers and improve my quality of service.

I can't do any of these things without setting the right foundation in place.
The slide shows identity management requirements at different levels of sophistication:
• At the foundation we have to know who's who across all of our applications.
• Providing secure authentication is next; typically this is user name and password or strong authentication.
• Slightly more sophisticated is administration, because it has to be flexible to handle all of the nuances of moves, adds and changes.
• Providing compliance reporting is next in the ladder, because this requires intelligence about SoD (segregation of duties).
• At the highest level is understanding risk: understanding patterns of behavior so we can step up authentication and authorization, and understanding what access may be risky during a certification review.

Finally, it has to scale to address the opportunity.

At the identity level, this means massive scale for numbers of users, because we not only have to manage our enterprise users, we have to manage our subscribers and customers. NOTE: China Mobile has over 600 million subscribers. Vodafone in the UK has about 341 million subscribers. If we want to take advantage of opportunities in China we have to more than double our scale. So imagine if you are AT&T with 100 million subscribers and you have to merge with T-Mobile at 34 million subscribers and you have to integrate.

At the authentication level, the scale is also increasing because of mobile use and social networking. With social networking I am referring to services that allow users to authenticate to get access to applications or data resources via their social networking login. Interesting stat: if Facebook were a country it would be the 3rd largest, with double the population of the US. At the mobile level, many customers are building internal application stores to provide applications to their employees. They have to be able to provide single sign-on across applications.
The administration has to scale to the cloud. To take advantage of the cloud, organizations have to bridge the gap between the security in the enterprise and the security in the cloud. This means delegated administration and managing moves, adds and changes directly in the cloud.

The audit has to scale. Many customers have done their initial projects on certification review, but now need to scale the process to more applications, and the volume of entitlements is only increasing. Identity management has to evolve to provide
Database security has to evolve as well, to become a layered solution with defense in depth, which means multiple overlapping controls:
• Prevent access by non-database users to data at rest, in motion, and in storage
• Increase database user identity assurance
• Strict access control to application data, even from privileged users
• Enforce multi-factor authorization
• Audit database activity and create reports
• Monitor database traffic and prevent threats from reaching the database
• Ensure the database production environment is secure and prevent drift
• Mask sensitive data in non-production environments
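The last control in the list, masking sensitive data before it reaches non-production, as an added example in Python. This is illustrative code written for this page, not an Oracle masking product; the patient and visit tables, the column rules and the masking key are all constructed. The design choice it shows is deterministic, keyed masking: the same production value always masks to the same token, so the masked visits table still joins to the masked patients table, while the key (kept in production only) is what stops anyone in the test environment from reversing the tokens.

```python
import hashlib
import hmac

# Assumption: the masking key lives only in production tooling and never ships
# with the masked copy; this value is a constructed placeholder.
MASKING_KEY = b"constructed-masking-key-do-not-reuse"

# Constructed production extract: two related tables joined on mrn.
PATIENTS = [
    {"mrn": "P-1001", "name": "Alice Example", "ssn": "123-45-6789", "email": "alice@example.com", "zip": "94065"},
    {"mrn": "P-1002", "name": "Bob Example", "ssn": "987-65-4321", "email": "bob@example.com", "zip": "10001"},
]
VISITS = [
    {"mrn": "P-1001", "visit_date": "2011-03-02", "diagnosis_code": "J06.9"},
    {"mrn": "P-1002", "visit_date": "2011-03-05", "diagnosis_code": "M54.5"},
    {"mrn": "P-1001", "visit_date": "2011-03-19", "diagnosis_code": "J06.9"},
]


def _mac(label, value):
    """Keyed digest of a labelled value; the label keeps an SSN and an MRN
    with the same text from masking to the same token."""
    return hmac.new(MASKING_KEY, f"{label}:{value}".encode(), hashlib.sha256).digest()


def _digits(label, value, n):
    """n decimal digits derived from the digest. b % 10 is slightly biased,
    which is acceptable for test data but would not be for cryptographic use."""
    return "".join(str(b % 10) for b in _mac(label, value)[:n])


def mask_ssn(ssn):
    d = _digits("ssn", ssn, 9)
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"       # keeps the ###-##-#### shape


def mask_mrn(mrn):
    return "P-" + _digits("mrn", mrn, 6)     # same prefix, fixed width, deterministic


def mask_name(name):
    return "Patient " + _mac("name", name)[:3].hex()


def mask_email(email):
    return "user" + _mac("email", email)[:4].hex() + "@example.invalid"


def mask_zip(zip_code):
    return zip_code[:3] + "00"               # generalise: keep the region, drop the rest


# Column -> masking rule; columns without a rule (dates, diagnosis codes) pass through.
RULES = {"ssn": mask_ssn, "mrn": mask_mrn, "name": mask_name, "email": mask_email, "zip": mask_zip}


def mask_rows(rows, rules=RULES):
    """Return masked copies of the rows; the originals are not modified."""
    return [{col: rules.get(col, lambda v: v)(val) for col, val in row.items()} for row in rows]


if __name__ == "__main__":
    for row in mask_rows(PATIENTS) + mask_rows(VISITS):
        print(row)
```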
The problem with application and data security is that it is fragmented

As an example, many organizations will try to lock down root access at the OS level while at the same time granting SQL DBA privileges to developers to access the database. Most of the audit issues and excessive access are caused by having many systems and no automated way to propagate access changes across systems.

Example: lots of first-generation identity management solutions or home-grown solutions that have stalled or are not providing enough coverage.

The result is poor reporting and audit exposure. It becomes impossible to reconcile who has access to what data and applications without a way to reconcile the information. It hurts forensics, since we can't tell which accounts belong to specific users. It makes the enterprise more vulnerable to breaches. Two examples:
1. In the WikiLeaks scandal, when they examined Bradley Manning's access they found that his access was excessive, and if regular certification reviews had been done the excessive access would have been detected.
2. Security is about the latency of changing access consistently and quickly, and fragmentation increases the latency of changing access. Most organizations rely on help desks to change access, which can take weeks. The UBS banking fraud case describes a rogue inside trader who used his excessive access to his advantage.

The impact is missed opportunities. Without a grasp on security and compliance, new business initiatives stall. In many organizations new business initiatives are slowed because they can't overcome the compliance burdens.
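The reconciliation this section says fragmented systems make impossible, as an added example in Python (written for this page, not Oracle Identity Management code). It assumes an HR feed as the authoritative identity source and entitlement exports from three independently administered systems, all constructed here, plus two policy tables that are also assumptions: which departments may hold each privileged entitlement, and one segregation-of-duties pair. It reports the cases the section names: accounts with no owner (the forensics gap), a developer holding DBA on the production database, a separated employee whose access is still live weeks later, and an SoD conflict that only shows up once the per-system exports are combined.

```python
from datetime import date

# Constructed HR feed: the authoritative identity source.
HR_FEED = {
    "jdoe":   {"name": "J. Doe",   "dept": "Engineering", "status": "active",     "term_date": None},
    "mlee":   {"name": "M. Lee",   "dept": "DBA",         "status": "active",     "term_date": None},
    "asmith": {"name": "A. Smith", "dept": "Finance",     "status": "terminated", "term_date": date(2011, 3, 1)},
}

# Constructed entitlement exports from three separately administered systems:
# (system, account, entitlement).
ACCOUNTS = [
    ("linux-prod",  "jdoe",       "sudo"),
    ("linux-prod",  "svc_backup", "sudo"),          # no owner in HR
    ("oracle-prod", "jdoe",       "DBA"),           # a developer holding DBA on production
    ("oracle-prod", "mlee",       "DBA"),
    ("oracle-prod", "asmith",     "SELECT_ANY"),    # left the company, access still active
    ("erp",         "asmith",     "AP_APPROVER"),
    ("erp",         "mlee",       "AP_ENTRY"),
    ("erp",         "mlee",       "AP_APPROVER"),   # enters and approves payables
]

# Policy assumption: which departments may hold each privileged entitlement.
# Entitlements not listed here are treated as unprivileged.
ALLOWED_DEPTS = {
    "sudo":       {"Engineering", "DBA"},
    "DBA":        {"DBA"},
    "SELECT_ANY": {"DBA"},
}

# Segregation-of-duties rule (assumption): nobody both enters and approves payables.
SOD_CONFLICTS = [("AP_ENTRY", "AP_APPROVER")]

# Constructed date of the certification review.
REVIEW_DATE = date(2011, 3, 22)


def access_by_identity(accounts):
    """The consolidated 'who has access to what' view:
    account -> set of (system, entitlement)."""
    view = {}
    for system, account, entitlement in accounts:
        view.setdefault(account, set()).add((system, entitlement))
    return view


def reconcile(hr, accounts, today):
    """Compare every exported account against the HR feed and the policy
    tables. Returns a list of findings; the first element of each tuple is
    the finding type."""
    findings = []
    for system, account, entitlement in accounts:
        person = hr.get(account)
        if person is None:
            findings.append(("orphan", system, account, entitlement))
        elif person["status"] == "terminated":
            days_open = (today - person["term_date"]).days   # the latency the talk complains about
            findings.append(("terminated_active", system, account, entitlement, days_open))
        elif entitlement in ALLOWED_DEPTS and person["dept"] not in ALLOWED_DEPTS[entitlement]:
            findings.append(("excessive", system, account, entitlement))
    # SoD is a property of the combined view, not of any single system's export.
    for account, grants in access_by_identity(accounts).items():
        held = {ent for _, ent in grants}
        for a, b in SOD_CONFLICTS:
            if a in held and b in held:
                findings.append(("sod_conflict", account, a, b))
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR_FEED, ACCOUNTS, REVIEW_DATE):
        print(finding)
```

Run as written it reports five findings, and the terminated user's access has been open for 21 days at the review date, which is the three-week help-desk lag the notes describe. Turning the report into immediate remediation is the part that needs the access change to be propagated to each system automatically rather than ticketed.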
Amit Jasuja, Vice President, Identity Management, Oracle
This document is for informational purposes. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described in this document remains at the sole discretion of Oracle. This document in any form, software or printed matter, contains proprietary information that is the exclusive property of Oracle. This document and information contained herein may not be disclosed, copied, reproduced or distributed to anyone outside Oracle without prior written consent of Oracle. This document is not part of your license agreement nor can it be incorporated into any contractual agreement with Oracle or its subsidiaries or affiliates.
What Keeps You Up at Night?
Threats: • More Attacks • Insider Fraud • Data Privacy
Compliance: • Tougher Regulations • Intrusive Audits • Costly Reporting
Opportunities: • Cloud Computing • Mobile Access • Globalization
Threats are Against Applications and Data
Security tools in place: Endpoint Security, Vulnerability Management, Identity Management, Database Security, Email Security, Network Security, Other
• 48% Caused by Insiders
• 92% Records Stolen From Database Servers
• 89% Records Stolen Using SQL Injection
• 86% Hacking Involve Stolen Credentials
• How do I control insiders?
• Can I report on anomalous behavior?
• Is my data protected against SQL injection attacks?
• Can I prevent intrusions?
Source: 2010 Data Breach Investigations Report
Reduce Audit Exposure
• Is access certification timely?
• Is audit data collected and retrievable?
• Are my security processes sustainable?
• Can I remediate audit issues quickly & effectively?
40% of IT budgets spent on compliance mandates. Source: The Value of Corporate Secrets by Forrester Consulting (March 2010)
Security Unlocks New Opportunities
• Can I deploy new customer facing applications?
• Can I extend my identity infrastructure to the cloud?
• Can employees access email & apps on mobile devices?
• Can I consolidate my apps and run my database in the cloud?
87% Security main barrier to Cloud Adoption. Source: IDC Enterprise Panel, 3Q09
46% Increase in Mobile attacks in 2010 vs. 2009. Source: McAfee Threats Report: Fourth Quarter 2010
Identity Management Evolves
• Identity: Authoritative ID with Massive Scale
• Authentication: Access Via Mobile & Social Channels
• Administration: User Lifecycle In Hybrid/Cloud Environments
• Audit: Certify Access for Millions of Users & Detect Improper Entitlements
• Risk Management: Monitor Behavior & Access
Axes: Enterprise, Extranet, Cloud/Mobile; Tools, Point Solutions, Platform, Intelligence
Database Security Evolves
• Control Privileged Users
• Encrypt Data
• Audit User Activity
• Monitor SQL
• Mask Test Data
• Block Attacks
• Compliance Reports
• Enforce SoD
• Cloud
Defense in Depth layers: Database Firewall, Auditing, Encryption & Masking, Authorization, Authentication; covering Oracle Databases and Non-Oracle Databases
A Patchwork of Solutions
Fragmentation Reduces Effectiveness
• Audit exposure
• Poor reporting
• Limited root cause tracking
• Vulnerable to breaches
• Multiple points of failure
• Missed business opportunities
• Inability to develop and deploy applications to users
Taking a Platform Approach
Integrated Application and Information Security
Oracle Applications, Non-Oracle Applications
Integrated Security Platform: Identity Management, Database Security
Oracle Databases, Non-Oracle Databases
• Reduce audit exposure
• Detect and prevent threats
• Grow the business
48% Savings with an integrated platform vs. point solutions. Source: Aberdeen "Analyzing point solutions vs. platform" 2011
Oracle Identity Management Stack
Complete, Innovative and Integrated
Identity Governance: • Password Management • Self-Service Request & Approval • Roles based User Provisioning • Analytics, Policy Monitoring • Risk-based Access Certification
Access Management: • Single Sign-On & Federation • Web Services Security • Authentication & Fraud Prevention • Authorization & Entitlements • Access from Mobile Devices
Directory Services: • LDAP Storage • Virtualized Identity Access • LDAP Synchronization
Platform Security Services; Identity Services for Developers
Oracle Database Security
Complete Defense in Depth and Transparent to Applications
Auditing, Monitoring and Protection: • Monitor database network activity • Accurately detect and block SQL injection and other threats • Consolidate audit data, alert, report • Secure configuration management
Access Control Management: • Privileged database user controls • Fine-grained authorization: enforce who, where, when, and how • Securely consolidate databases • Data classification access control
Transparent Encryption and Masking: • Transparently encrypt application data • Protect from unauthorized OS level or network access • Built-in key lifecycle management • Mask sensitive data for non-production
Oracle Security Solutions
• Complete, Open and Integrated
• Innovative, Scalable and Modernized
• Simplified and Actionable Compliance