Your SlideShare is downloading. ×
On Demand Cloud Services   Coury
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.


Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

On Demand Cloud Services Coury


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Oracle On Demand Cloud Services:Security Strategy Mitigates Risk and Enables ComplianceGail CouryVice President, Global IT Risk Management
  • 2. Changing Landscape  Businesses are increasingly dependent on IT in order to deliver products and services  Intellectual property and business records are becoming wholly electronic  Business collaboration is driving a disappearing perimeter  On demand computing requires anywhere & anytime access  Stealth & targeted attacks challenge our defenses  Information has value – hacking is profitable Copyright ©2011, Oracle. All rights reserved.
  • 3. More Data Than Ever… 35 Zettabytes (ZB =1 Trillion Gigabytes) 62%increaseover 2008 Source: IDC Digital Universe Study, May 2010 Copyright ©2011, Oracle. All rights reserved.
  • 4. More Breaches Than Ever…Data Breach Once exposed, the data is out there – the bell can’t be un-rung PUBLICLY REPORTED DATA BREACHES 600 500 1084% 400 Increase 300 200 Total Personally 100 Identifying Information 0Records Exposed 2005 2006 2007 2008 2009 2010 (Millions) Cumulative Growth  Average cost of a data breach $204 per record  Average total cost exceeds $6.7 million per breach Sources: / 2009 Annual Study: US Cost of a Data Breach, Ponemon Institute, 2010 Copyright ©2011, Oracle. All rights reserved.
  • 5. More Threats Than Ever… On average there are about 6,000,000 new botnet infections per month External breaches are largely the work of organized criminals Sources: McAfee Threats Report: 3rd Quarter 2010 / 2010 Verizon Data Breach Investigations Report Copyright ©2011, Oracle. All rights reserved.
  • 6. More Regulations Than Ever… • Federal, state, local, industry…adding more mandates every year! – Health Information Technology for Economic and Clinical Health Act of 2009 – Massachusetts Law 201 CMR 17.00: Standards For The Protection Of Personal Information • Need to meet AND demonstrate complianceReport and Audit • Compliance costs are unsustainable 90% Companies Behind in Compliance Source: IT Policy Compliance Group, 2007 Copyright ©2011, Oracle. All rights reserved.
  • 7. More Demands Than Ever… Regulators Demand More from IT“In the future, policy makers and regulators will probably demand that ITsystems capture more and better data in order to gain greater insight intoand control over how banks manage risk, pharma companies managedrugs, and industrial companies affect the environment.Successful CIOs should enhance their relationships with internal legal andcorporate-affairs teams and be prepared to engage productively withregulators. They will need to seek solutions that meet governmentmandates at manageable cost and with minimal disruption.” Source: Mckinsey, 5 Trends that will Shape Business Technology in 2009 Copyright ©2011, Oracle. All rights reserved.
  • 8. Cloud Service Adoption Security Continues to be the #1 ConcernIt could actually be abenefit…..“So if you flip that apprehension on its head,there may be benefits in leveraging a cloud offeringwith the [security] focus and core competence that a cloudprovider brings to the table.” -Michael Pearl, PricewaterhouseCoopers Source: / IDC Survey: Risk In The Cloud, June 16, 2010 Copyright ©2011, Oracle. All rights reserved.
  • 9. Oracle On DemandSecurity Strategy Copyright ©2011, Oracle. All rights reserved.
  • 10. Oracle On DemandBenefits of New Software Delivery Models, Minimizing Risk • Over 5.5 million users • 89% of customers on most current releases Applications • Lower Risk Middleware – Proven Best Practices Database – Unparalleled Oracle Operating System Expertise Infrastructure – Scalable, World Class Technology Platform and Infrastructure Copyright ©2011, Oracle. All rights reserved.
  • 11. Oracle On DemandProtects Customer Data & Systems Copyright ©2011, Oracle. All rights reserved.
  • 12. Oracle Security Organization LINES OF BUSINESS On Demand Risk Government Management Legal Affairs Information Security Manager Product Support, Prod Security & Global uct Privacy Public Policy Development, Counsel etc. Copyright ©2011, Oracle. All rights reserved.
  • 13. Utilize International Security Standard Security Operations System Acquisition Organization Management & Maintenance Security Policy Asset Management Physical & Legal Compliance Environmental Business Privileged Security Human Continuity Access Incident Resources & DR Control Management Security Copyright ©2011, Oracle. All rights reserved.
  • 14. Security Strategy Risk Management • Security Technical Design Reviews Layered Defense in Depth • Security Technical Assessments • Secure Configuration Security Technologies • Secure Web Gateways • End User Security • Intrusion Detection & Prevention • File Integrity Monitoring using Change Control Console • Full Disk and Tape Encryption • Multi-Factor Authentication for Administrators • Segregated Networks • Power Broker for Privileged Management • Network & Host Data Loss Prevention • Security Configuration Monitoring using EM Security ServicesInformation • Regular Scheduled Scanning of Hosts Strategy • Automated Compliance Testing • Real-time Security Event Correlation & Monitoring Technologies Services Governance Governance • Auditing and Self-Assessment • Business Continuity Planning & Testing • Regulatory Compliance (SOX, PCI, HIPAA, Federal) • Accessible Services • Partner Security • Governance, Risk & Compliance Documentation Copyright ©2011, Oracle. All rights reserved.
  • 15. Top 10 Practices to Improve IT SecurityOrganizations with the best outcomes are prioritizing their top 10 practices verydifferently from other organizations; and are fully automating most of the top 10practices: 1. Technical controls are mapped to IT policies, regulatory mandates & legal statutes. 2. Antivirus signatures are updated & applied frequently. 3. Roles and responsibilities of policy owners are defined & maintained. 4. Evidence about IT configurations and technical controls is gathered for evaluation & analysis. 5. Gaps in procedural controls are identified, remediated and tested on a regular basis. 6. Vulnerability scanning and penetration testing of IT assets is conducted on a regular basis. 7. IT assets and audit trails are monitored on a continuous basis. 8. IT assets and software service configurations are tested regularly. 9. Unauthorized access to IT assets is automatically detected or prevented using IT controls. 10. Lists of IT assets and configurations are maintained in central repositories for easy access & analysis. Source: IT Policy Compliance Group Copyright ©2011, Oracle. All rights reserved.
  • 16. Leverage On Demand… Compliance Certifications ISO Certification SAS 70 Type II For Commercial Services • 108 Controls Tested Biannually Federal Certification & Accreditation (C&A) ISO 27001 ISO 27002 Certification Certificate of Department of Defense (DoD) and Agencies Conformity • 700+ Controls Tested Annually112 Controls Tested 132 Controls Tested • NIST & DIACAP Annually Annually HIPAA Compliance Payment Card Industry (PCI) Compliant Level 1 Service Provider • 217 Controls Tested Annually 21 CFR Part 11 Service Offering Under Development 64 Controls Tested Annually Copyright ©2011, Oracle. All rights reserved.
  • 17. Common Controls Fulfill Multiple Requirements Standards/ Regs ISO SAS 70 HIPAA PCI DSS NIST 21 CFR 11 Industry 270002 (Public (Health (FSI, (Federal (LifeProcess Controls Firms) Care) Retail) Agencies) Sciences)Policy Development & MaintenanceAsset ManagementAccess Control & MgmtHR Security ControlsChange Control ProceduresSegregation of DutiesCryptographic ControlsBackup and RecoveryMedia HandlingMonitoring, Auditing & Logging Copyright ©2011, Oracle. All rights reserved.
  • 18. Cloud Security AllianceTo Assist Prospective Cloud Customers in Assessing the OverallSecurity Risk of a Cloud Provider Source: CSA Cloud Controls Matrix Copyright ©2011, Oracle. All rights reserved.
  • 19. Services Address Security Needs & Leverage Oracle Technology ORACLE PRODUCTS Audit Vault HIPAA PCI Transparent Data Security Security Encryption (TDE) Services Services Change Control Console Data Masking Federal Enhanced On Security Demand Services Adaptive Access Manager Configuration Management Copyright ©2011, Oracle. All rights reserved.
  • 20. HIPAA Security ServicesAdvanced Service Offerings for Health Information Value • Designed to protect Customer’s electronic protected health information (ePHI) in environments managed by Oracle • Assists the Customer to meet its legal obligations under the HIPAA1 as amended by the HITECH2 Act • Service Data Sheet 1 Health Insurance Portability and Accountability Act of 1996 2 Health Information Technology for Economic and Clinical Health Act of 2009 Copyright ©2011, Oracle. All rights reserved.
  • 21. PCI Security ServicesAdvanced Service Offerings To Meet Payment Card Industry (PCI)Data Security Standards (DSS) Value • Oracle On Demand is a Level 1 PCI Compliant Service Provider since 2006 • Oracle can reduce the time and cost associated with PCI compliance • Customers can gain access to a complete solution using Oracle PCI Partners • Service Data Sheet Copyright ©2011, Oracle. All rights reserved.
  • 22. Federal On DemandAdvanced Service Offerings For the US Federal Government Value • Designed to enable our customers to be compliant with federal legislative and executive mandates / directives • Helping government run business operations more effectively, and at lower costs • @Customer & @Partner options also available • Service Data Sheet Copyright ©2011, Oracle. All rights reserved.
  • 23. Enhanced Security ServicesAdvanced Service Offerings to Meet Customer Compliance Needs Value • Supplements standard security services • Facilitates customer’s compliance needs • Advanced Services are “cafeteria style” • Service Data Sheet Copyright ©2011, Oracle. All rights reserved.
  • 24. DR SolutionsTwo Basic Requirements • Deliverable: – Data (tape, disk, other media, or hot failover system) • In the Event of a Disaster: – Backup data needs to be shipped to the customer or a customer-specified site or a recovery-site • Solution Cost Drivers: – Amount of Data to be Protected – Frequency of Backup (RPO) • Deliverable: – Service back up, running & accessible, after a disaster • In the Event of a Disaster: – Backed-up data is used to bring service back up on an alternate system at a distant site (note that this requires a data protection as a prerequisite) • Solution Cost Drivers: – RTO | Service Capacity | Testing Frequency Copyright ©2011, Oracle. All rights reserved.
  • 25. Disaster RecoverySolutions Standard Solutions • Maximum Availability • 24 hours/24 hours • 3 days/3 days • Austin Primary, RMDC Secondary Custom Solutions • 48 hours/48 hours Copyright ©2011, Oracle. All rights reserved.
  • 26. Security Capabilities SummaryProtect Customer Data & Systems Copyright ©2011, Oracle. All rights reserved.
  • 27. Looking Ahead Complex & Stealth  More & More Legislation  ‘Due Diligence’ High Attack Vectors Growing Water Mark Rising  Increased Effort to Prove Commercial Hacking Compliance Gaining Ground Copyright ©2011, Oracle. All rights reserved.
  • 28. Final ThoughtsLeverage Oracle On Demand…  Expertise  Architecture  Technology  Demonstrated Compliance Copyright ©2011, Oracle. All rights reserved.
  • 29. The preceding is intended to outline our generalproduct direction. It is intended for informationpurposes only, and may not be incorporated intoany contract. It is not a commitment to deliver anymaterial, code, or functionality, and should not berelied upon in making purchasing decisions. Thedevelopment, release, and timing of any featuresor functionality described for Oracles productsremains at the sole discretion of Oracle. Copyright ©2011, Oracle. All rights reserved.