Securing Citizen Facing Applications

839 views

Published on

Open World Security Panel

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
839
On SlideShare
0
From Embeds
0
Number of Embeds
8
Actions
Shares
0
Downloads
20
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide OOW2009 Leaders Circle: Cloud Panel 03/28/10 14:15 Copyright 2009 Oracle Corporation Bring business and IT together along alignement based on business value Why is it hard? Goals of business evolved via siloes but now we want end to end business integration – not automate paying invoices but more procure to pay … much more enterprise wholistic apporaches to rationalization and productivitiy. Not just reporting but more collaborative and getting all the data EVERYWHERE and managing preformance around the Citizen and Quality of Service but some things never change like cost savings and innovation. The need of an EA is critical NOW – you can’t go forward without meeting enterprise business goals. This includes business strategies and ojbectives, how you are organizated depending if you are centeralized, hybrid approach or federated – you need a blueprint now. You have to leverage the power of standards when you set your corporate archtiectures. It is about how to guide our customers towards this journey of an EA !!!
  • Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide
  • Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide OOW2009 Leaders Circle: Cloud Panel 03/28/10 14:15 Copyright 2009 Oracle Corporation Bring business and IT together along alignement based on business value Why is it hard? Goals of business evolved via siloes but now we want end to end business integration – not automate paying invoices but more procure to pay … much more enterprise wholistic apporaches to rationalization and productivitiy. Not just reporting but more collaborative and getting all the data EVERYWHERE and managing preformance around the Citizen and Quality of Service but some things never change like cost savings and innovation. The need of an EA is critical NOW – you can’t go forward without meeting enterprise business goals. This includes business strategies and ojbectives, how you are organizated depending if you are centeralized, hybrid approach or federated – you need a blueprint now. You have to leverage the power of standards when you set your corporate archtiectures. It is about how to guide our customers towards this journey of an EA !!!
  • Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide New industry/federal regulations every few months Enforcing compliance requires central view & management of entire infrastructure and without this, it is difficult to maintain control on an ongoing basis Policy enforcement to avoid toxic roles/approver combination Report and audit on who has access to what and compare with who should have access to what is difficult and costly across various applications & systems Reports attestation should be manageable and efficient – if no structured attestation, then it is mere rubber stamping And compliance costs can go up with processes
  • Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide 03/28/10 Oracle Confidential Source: DataLossDB http://datalossdb.org Note total represents cumulative number since once exposed the data is out there – the bell can’t be unrung. http://online.wsj.com/article/SB123249174099899837.html
  • Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide 03/28/10 Oracle Confidential
  • Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide Key Message: Requirements for GRC increase in number and complexity Now that we have a context and definition of the big GRC picture, let’s highlight some of the main drivers in this area. In speaking with our customers, we’ve heard several main drivers or challenges that recur over and over. These drivers are consistent across profit, non-profit, or public sector organizations. The first driver is the notion that GRC is the “new normal”. It is here to stay and the bar has definitely gone up – the expectations for proper governance and oversight, the need for better risk management, and of course the demands of multiple compliance requirements. Forrester research reports that since 1981, the US federal government alone has introduced 114,00 new rules and regulations that affect business. The complexity of GRC is due to the interaction of four dimensions – mandates (or boundaries, whether externally levied or voluntarily undertaken); regions (the need to respond locally to global demands); technology (the fact that technology underpins much of modern business process and is in itself characterized by heterogeneity); and people (the different functions in an organization and the specialization that often results in silos.) <Click> When these four dimensions interact in order to meet GRC requirements, it results in a myriad of initiatives with complex accountabilities. For example, initiatives in the area of financial reporting compliance are typically handled by finance and internal audit. However, business processes rely on IT environments and business software applications, so the audit and testing to ensure the integrity of financial reporting is very much dependent on IT governance procedures around proper change management and separation of duties. While much attention has been placed on the US requirements for financial reporting compliance because of Sarbanes-Oxley, other countries such as Japan and Canada have also adopted similar regulations so global organizations will need to rationalize their efforts across regions as well. In addition, closely related requirements around Compliance and Ethics programs for example, typically falls in the jurisdiction of the legal counsel and HR managers who need to prove that policies have been effectively communicated to the workforce and to provide evidence of employee understanding. <Click> In another example, recent changes in the Federal Rules of Civil Procedure are escalating requirements to improve electronic discovery capabilities. Many firms are therefore paying closer attention to effective records management which can reduce the costs associated with electronic legal discovery by properly applying retention policies to documents. These requirements need to be balanced however with close attention to the rights of employees and customers with regards to data privacy, so again, a single mandate can result in multiple GRC initiatives that need to be addressed in a holistic fashion. GRC is here to stay, and what makes it distinct and unique is the fact that while the operational objective tied to any action is often narrowly focused (for example, “send this email to acknowledge receipt of shipment from subsidiary), the associated GRC objectives invariably address a broader range of accountabilities (provide the basis for quarterly reconciliation, ensure traceability of raw materials, apply proper retention policies for email communications). To paraphrase John Muir, one of the early modern environmentalists of the 20 th century and founder of the Sierra Club, “When we try to pick out anything by itself, we find it hitched to everything else in the Universe.” GRC processes can therefore burden managers with repeated assessments that ask the same questions for multiple GRC initiatives. Organizations that fail to take a platform approach to GRC end up with duplicate technologies and inconsistent approaches, measurement and reporting, resulting in scattered information and poor visibility.
  • Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide Inside the business apps!!! Of course, the solutions we cover in this presentation are deployed as part of a wider infrastructure. This diagram shows the scope of the Oracle offerings including applications (Enterprise Resource Planning, Customer Relationship Management, Governance / Risk / Compliance, and vertical industry specific), Fusion Middleware, and database / infrastructure. As illustrated on this slide, Enterprise Security, Management, Development, and Intelligence offerings are applicable and provide important capabilities in all 3 layers of the Oracle software stack.
  • Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide NIST 80018: Guide for Developing Security Plans for Information Technology Systems NIST 80027: Engineering Principles for Information Technology Security (A Baseline for Achieving Security) NIST 80030: Guide for Risk Management for Information Technology Systems 248 Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide
  • Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide Behind the scenes, MGR was using Oracle Access Management Suite. This solution offered them two key layers of defense, over and above what a typical web access management system could provide. First, their users were trained to look for a personalized image at the login page. More than 99% of the users were able to detect that they were not logging into the real MGR site, and many sent e-mails to MGR informing them of this phishing attack. This “Secure Mutual Authentication” piece delivers a crippling blow to these and any other potential hackers. It is also worth noting that MGR could also use virtual keypads at their login page to thwart against other external attacks such as key-logging trojans, etc. The second layer of defense that Access Management Suite offers is highly advanced risk-based authorization. The system can intelligently calculate a risk score based on several factors such as the fingerprint of the device a user is logging in from, their location, time of day, and type of activity. By comparing it to “normal” behavior, the system generates a risk score, and if the score is too high, the system can prompt the user for further validation. This could range from knowledge-based validation to mobile text messaging, and even voiceprint recognition. The system can also alert system administrators immediately of highly suspect activity. What is really exciting and unique about this solution is its ability to “auto-learn” normal behavior for a user so that it can detect anomalies in real-time, thus stopping fraudulent activity in its tracks.
  • Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide EA People – professional, best-in-class people who are solving the most complex EA problems in the world. They have the respect from business and IT EA Processes – standards-based methodology for EA processes including Oracle best practices EA Portfolio – of assets to help the EA.
  • Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide OOW2009 Leaders Circle: Cloud Panel 03/28/10 14:15 Copyright 2009 Oracle Corporation
  • Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide OOW2009 Leaders Circle: Cloud Panel 03/28/10 14:15 Copyright 2009 Oracle Corporation Bring business and IT together along alignement based on business value Why is it hard? Goals of business evolved via siloes but now we want end to end business integration – not automate paying invoices but more procure to pay … much more enterprise wholistic apporaches to rationalization and productivitiy. Not just reporting but more collaborative and getting all the data EVERYWHERE and managing preformance around the Citizen and Quality of Service but some things never change like cost savings and innovation. The need of an EA is critical NOW – you can’t go forward without meeting enterprise business goals. This includes business strategies and ojbectives, how you are organizated depending if you are centeralized, hybrid approach or federated – you need a blueprint now. You have to leverage the power of standards when you set your corporate archtiectures. It is about how to guide our customers towards this journey of an EA !!!
  • Oracle Enterprise Architecture Leader Circle Panel Facilitator Guide and Presentation Forecast for the Data Center: Clouds, but No Rain! June 2009 Copyright 2009 Oracle Corporation Slide OOW2009 Leaders Circle: Cloud Panel 03/28/10 14:15 Copyright 2009 Oracle Corporation Bring business and IT together along alignement based on business value Why is it hard? Goals of business evolved via siloes but now we want end to end business integration – not automate paying invoices but more procure to pay … much more enterprise wholistic apporaches to rationalization and productivitiy. Not just reporting but more collaborative and getting all the data EVERYWHERE and managing preformance around the Citizen and Quality of Service but some things never change like cost savings and innovation. The need of an EA is critical NOW – you can’t go forward without meeting enterprise business goals. This includes business strategies and ojbectives, how you are organizated depending if you are centeralized, hybrid approach or federated – you need a blueprint now. You have to leverage the power of standards when you set your corporate archtiectures. It is about how to guide our customers towards this journey of an EA !!!
  • Securing Citizen Facing Applications

    1. 1. Securing Citizen Facing Applications Moderated by Timothy Davis Oracle Enterprise Architect Board Member
    2. 2. Agenda <ul><li>Introductions </li></ul><ul><ul><li>Security EA Panel and Topic Positioning </li></ul></ul><ul><li>4 Compelling EA Security Issues </li></ul><ul><li>Architect Response </li></ul><ul><ul><li>Key Shareable Artifacts, Lessons Learned </li></ul></ul><ul><li>Audience 10 minutes of Q & A </li></ul>
    3. 3. Today’s Panel Edwin Lorenzana, Enterprise Security Architect, City of Boston Hayri Tarhan, Oracle Enterprise Security Specialist Architect Timothy Davis, Oracle Enterprise Architect Board Member Jeremy Forman, Oracle Enterprise Architect CISSP Certified Professional Marc Chanliau, Director, Identity Management Development
    4. 4. What are Secure Citizen Facing Applications?
    5. 5. Citizens More Sophisticated … Higher Costs Than Ever… It Adds Up Government 2.0 <ul><li>Citizen Self Service </li></ul><ul><li>Demand for Government Transparency </li></ul><ul><li>Need for Citizen Context Across the Enterprise </li></ul>Source: IT Policy Compliance Group, 2007. <ul><li>Sophistication of Attacks </li></ul><ul><li>Stolen Credentials and Identities </li></ul><ul><li>Compliance and Remediation Costs </li></ul><ul><li>Security Breach Remediation Costs </li></ul>$
    6. 6. More breaches than ever… Data Breach Once exposed, the data is out there – the bell can’t be un-rung PUBLICLY REPORTED DATA BREACHES Total Personally Identifying Information Records Exposed (Millions) Source: DataLossDB, Ponemon Institute, 2009 Average cost of a data breach $202 per record Average total cost exceeds $6.6 million per breach 630% Increase
    7. 7. More threats than ever… 70% attacks originate inside the firewall 90% attacks perpetrated by employees with privileged access
    8. 8. Issue #1: Are the business and application owners involved in the security decision making process? Or is it the technology organization? This slide is not to be displayed Panelist Question Jeremy Forman <ul><li>Are the business and application owners involved in the security decision making process? Or is it the technology organization? </li></ul><ul><li>Follow-up : What is the challenge to deliver and why is it so hard to do? </li></ul><ul><li>Discussion Points: </li></ul><ul><li>Complexity across Four Dimensions </li></ul><ul><li>Segregation of Duties </li></ul><ul><li>Data Protection </li></ul><ul><li>Cost of Compliance </li></ul><ul><li>e-Discovery </li></ul><ul><li>How do we enable Business/Application Owners to be involved in the process? </li></ul><ul><ul><ul><ul><li>FEAF </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Govern </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Maintain </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Communicate </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Measure </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><li>EA Benefits to IdM </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Reduced Business Risk </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Reduced Security Breaches </li></ul></ul></ul></ul></ul>Edwin Lorenzana <ul><li>What personally have you seen as lessons learned to get the business on-board towards EA Security Model? </li></ul>
    9. 9. Issue #1: Are the business and application owners involved in the security decision making process? Or is it the technology organization? Why? Today’s “New Normal” Users, Systems, Globalization and Compliance Forced Complexity IT Governance EMR/HIE Service Level Compliance Financial Reporting Compliance Compliance & Ethics Programs Audit Management Data Privacy Records Retention Legal Discovery CJIS Apps Server Data Warehouse Database Mainframes Mobile Devices Enterprise Applications Systems Globalization Users Legal Taxation HR Public Safety Partners Citizens Healthcare EPA Mandates MFIPPA FOIPPA FDA FISMA NIST HIPAA FDA PCI… Patriot Act SB1386
    10. 10. Copyright © 2008, Oracle and/or its affiliates. All rights reserved. Monitoring and Configuration Enterprise Visibility Automated Controls Security for Applications, Middleware, Data & Infrastructure Comprehensive ‘Defense in Depth’ Approach Policy Enforcement Database & Infrastructure Middleware Applications Access to Business Services Lower Cost of User Lifecycle Data Protection and Privacy Virtualization
    11. 11. Oracle Architect Development Process for Security Architecture Phase Input Output Architecture Vision <ul><li>Regulations </li></ul><ul><li>Security Policies </li></ul><ul><li>Responsibilities </li></ul><ul><li>Architecture Checkpoints </li></ul><ul><li>Security Statements </li></ul><ul><li>Compliance Standards </li></ul>Current State Architecture <ul><li>Threat & Risk Analysis </li></ul><ul><li>Business Policies </li></ul><ul><li>Identified Risks </li></ul><ul><li>Information Classification </li></ul>Future State Architecture <ul><li>Identified Risks </li></ul><ul><li>List of Relevant Regulations </li></ul><ul><li>Information Classification </li></ul><ul><li>GRC Strategy </li></ul><ul><li>Security Reference Architecture </li></ul><ul><li>Data Governance Strategy </li></ul>Strategic Roadmap <ul><li>Security Reference Architecture </li></ul><ul><li>Data Governance Strategy </li></ul><ul><li>GRC Plan </li></ul><ul><li>Data Governance Plan </li></ul><ul><li>Validated Processes </li></ul>EA Governance <ul><li>Continuous Audit of Security: Design, Implementation, & Operations </li></ul>Business Case <ul><li>Identify Reusable Security Services </li></ul><ul><li>What can go wrong? </li></ul>
    12. 12. Issue #2: Major issues around proofing and identifying citizens access to systems? This slide is not to be displayed Panelist Question Hayri Tarhan <ul><li>What are some of the challenges and issues around proofing and identifying citizens for access to systems? </li></ul><ul><li>Follow-up: </li></ul><ul><li>How do the various departments of a government come to agreement on the attributes and data points used to proof users, employees, contractors, etc.? </li></ul><ul><li>What are the perils of not addressing this challenge holistically? </li></ul><ul><li>Key Concepts to hit on: </li></ul><ul><li>1. Discuss how Oracle can map business security requirements back to 800-53 </li></ul><ul><li>2. Identity proofing standards </li></ul><ul><li>3. Virtualizing directories </li></ul>Marc or Edwin
    13. 13. Issue #2: Major issues around proofing and identifying citizens access to systems? Virtual Attribute Authority Internal Apps Virtual Attribute Authority Rules Virtual Identities Hierarchies, Mappings Directories Databases Proprietary Identity Attributes Applications
    14. 14. Issue #3: How can you meet FISMA’s different levels of authentication and identification? This slide is not to be displayed Panelists: These are the questions I will be asking, and the primary respondent. The primary respondent should take from 1 to 5 minutes answering in as much detail as he wishes. When the primary respondent has finished, other panelist may make additional comments of 1 minute or less. Panelist Question Hayri Tarhan <ul><li>How can you Local Governments and the Feds meet FISMA’s different levels of authentication and identification? </li></ul><ul><li>Follow-up: </li></ul><ul><li>Why is would governments look at risk-based authentication solutions over hard tokens, which have been prevalent for quite some time? </li></ul><ul><li>Key Concepts to hit on: </li></ul><ul><li>1. Explain the business value of NIST 800-53 levels </li></ul><ul><li>2. Multi-factor solutions to facilitate: </li></ul><ul><ul><li>a. Step-up </li></ul></ul><ul><ul><li>b. Risk Based </li></ul></ul><ul><ul><li>c. Soft 2 nd Factor </li></ul></ul>Jeremy Forman <ul><li>What sorts of success have you seen regarding implementing NIST controls for State & Local Governments ? </li></ul>
    15. 15. Risk-based Access Control Device Geography Time Activity Secure Mutual Authentication Risk-Based Authorization Risk Scoring Issue #3: How can you meet FISMA’s different levels of authentication and identification? Virtual Attribute Authority Rules Virtual Identities Hierarchies, Mappings <ul><li>NIST 800-63 2 nd Factors </li></ul><ul><li>IP Address </li></ul><ul><li>Domain/Subnet </li></ul><ul><li>Browser Config </li></ul><ul><li>Location </li></ul><ul><li>Time… </li></ul>
    16. 16. Issue #4: Is a centralized or decentralized approach to authentication and authorization the more feasible approach? Panelists: These are the questions I will be asking, and the primary respondent. The primary respondent should take from 1 to 5 minutes answering in as much detail as he wishes. When the primary respondent has finished, other panelist may make additional comments of 1 minute or less. This slide is not to be displayed Panelist Question Edwin Lorenzana Is a centralized or decentralized approach to authentication and authorization the more feasible approach? Follow-up : How would a quasi-public/private sector model work for a composite ID? Discussion Points: Composite Ids Who owns the Composite ID, who controls it and who contributes to it? Explain Core, Context and Balance of Identities in the Public Sector Hayri Tarhan <ul><li>What personally have you seen as lessons learned to get the business on-board to a Centralized vs. Federated Security Model? </li></ul>
    17. 17. Issue #4: Is a centralized or decentralized approach to authentication and authorization the more feasible approach? Identity Mgmt Future State Architecture
    18. 18. To Learn More Enterprise Architecture with Oracle <ul><li>People </li></ul><ul><ul><li>Join our EA community – visit the Oracle Technology Network (OTN) Architect Center on oracle.com </li></ul></ul><ul><ul><li>Blog with our architects at blogs.oracle.com </li></ul></ul><ul><ul><li>Attend an Oracle EA Roundtable </li></ul></ul><ul><li>Process </li></ul><ul><ul><li>Learn more about Oracle’s EA processes and technology best practices with our TOGAF-based architectural methodology </li></ul></ul><ul><li>Portfolio </li></ul><ul><ul><li>Make use of EA resources: reference architectures, planning tools, information </li></ul></ul>Oracle Enterprise Architecture Framework Business Architecture Application Architecture Information Architecture Technology Architecture EA Repository
    19. 19. Wrap up: Guidance to Security Architects Panelists: These are the questions I will be asking, and the primary respondent. The primary respondent should take from 1 to 5 minutes answering in as much detail as he wishes. When the primary respondent has finished, other panelist may make additional comments of 1 minute or less. This slide is not to be displayed Panelist Question Edwin Lorenzana <ul><li>Federated Identities are the only way “politically” you can wholistically implement EA Security </li></ul>Hayri Tarhan <ul><li>Organizations need to treat identity as service vs. hard coding security </li></ul>Marc Chanliau <ul><li>Database Security – defense in depth </li></ul>Jeremy Forman <ul><li>To Recommend Security Health Checks </li></ul>
    20. 20. A final question to our panel: Guidance to Security Architects ? Edwin Lorenzana Hayri Tarhan Jeremy Forman Timothy Davis Marc Chanliau
    21. 21. Questions & Answers
    22. 22. Thank You

    ×