Sw keynote


Oracle Security Inside Out
Cost-Effective Security and Compliance

Steve Wainwright
Senior Director Information Security
UK, Ireland & Israel

  • We completed a number of interactive sessions at InfoSec this year, at the Oracle Security Café Workshops. We found that the top 4 business drivers were:
    - Cost reduction: providing controls to reduce cost, an example being secure consolidation of IT services and the ability to outsource in a controlled and trusted way.
    - Compliance to regulations: still a popular topic. We have had SOX, HIPAA and PCI DSS; what is next?
    - Improved customer experience: allowing users to interact with the enterprise in a secure way, and building brand trust.
    - Protect the organisation from reputation damage: how much is reputation worth to an organisation? Should organisations be worried? Well, a study of US workers found that 59% of people made redundant would steal data, so in this economic climate…
    - Improved efficiencies
    - Collaborative working
    - Increase agility and enter new markets
    - Increase competitive advantage
    (2 mins)
  • Information is at the heart of anything we do. Security is part of all business, process, technology and information viewpoints. Risk appetite and assessments allow the organisation to make decisions about how it wants to approach security. But there are also cultural and educational needs, and business governance helps to bridge the gaps between business and security. Again, remember that technology is just part of the overall ability of an organisation to deliver the right security controls. (2 mins)
  • Security frameworks (or architecture) provide a common chassis for the organisation. This is not a one-size-fits-all approach: the framework can provide multiple baselines and solution patterns. These patterns can be captured for re-use against the changing threat landscape and different business models, e.g. Managed Fraud Services. Resources: resources are all types of information and data, structured or unstructured; the data is the crown jewels. Ultimately everything that sits in front of it (process and application, access management) is just a way to mediate access to resources. BUILD SLIDES. Ask the question: what is the value of the resource to the business? What is the associated risk appetite of your organisation? Summarise: Oracle has been working in the security space pretty much since day 1; the very first Oracle customers were in the government space back in 1977. (8 mins)
  • Only as strong as the weakest link. We must take a joined-up and layered approach to our end-to-end security solutions and patterns. No point in having strong access enforcement if your identity administration (i.e. recruitment and vetting) is weak. No point in having great application security if a user or system can access the data directly. No point in having strong access security if someone can enter a data centre and steal an unencrypted disk from the server. (2 mins)
  • Look at some of the examples where security has been a positive benefit: the government pensions department used to require 4 forms to be completed for pension enquiries; secure collaboration of information now allows enquiries to be resolved with a single phone call. Amazon have built such a strong brand that they could release Cloud services. Security is a huge part of that; stories in the press about lost credit cards etc. would have damaged the brand to an extent where Cloud services might not be trusted. Taking this further, Amazon have to be sure about the security of the Cloud itself so as not to damage existing customer perception from their traditional channels. Talk about the principles of security, then the benefits. (4 mins)

    1. Security Inside Out: Cost-Effective Security and Compliance
       Steve Wainwright, Senior Director Information Security, UK, Ireland & Israel
    2. More data than ever…
       Growth doubles yearly. [Chart: 2006 to 2011; 1,800 exabytes]
       Source: IDC, 2008. Oracle Confidential
    3. More breaches than ever…
       Data breach: once exposed, the data is out there – the bell can’t be un-rung.
       [Chart: publicly reported data breaches, total personally identifying information records exposed (millions), 2005 to 2008; 630% increase]
       Average cost of a data breach: $202 per record. Average total cost exceeds $6.6 million per breach.
       Source: DataLossDB, Ponemon Institute, 2009
    4. More threats than ever…
       70% of attacks originate inside the firewall. 90% of attacks are perpetrated by employees with privileged access.
    5. More regulations than ever…
       • Federal, state, local, industry… adding more mandates every year!
       • Need to meet AND demonstrate compliance
       • Compliance costs are unsustainable
       [Graphic: report and audit] 90% of companies behind in compliance. Source: IT Policy Compliance Group, 2007.
    6. Higher Costs Than Ever…
       • User Management Costs
       • User Productivity Costs
       • Compliance & Remediation Costs
       • Security Breach Remediation Costs
       It adds up ($).
    7. Market Overview: IT Security In 2009
       Protecting the organization's information assets is the top issue facing security programs: data security (90%) is most often cited as an important or very important issue for IT security organizations.
    8. Information Landscape: Big Picture
       [Diagram: The “Wild”, Perimeter, Internal, Resource]
    9. The Information World Has Changed
       Organised crime, Identity Theft, Online Fraud, Terrorism, Insider Threats, Economic Climate, Regulatory Pressures
       Phone, internet and mail order fraud is up 37% on 2006 to £290m in the UK.
    10. Business Drivers: Reasons for Investment in Security
       • Cost reduction
       • Compliance to regulations
       • Improved customer experience
       • Protect organisation from reputation damage
       • Increase agility and enter new markets
       • Increase competitive advantage
       • Improved efficiencies
       • Make security transparent
       • Improved collaborative working
       Source: Security Café Workshop at InfoSec 2009
    11. How does security align?
       [Diagram]
    12. Security Framework: Domain Approach
       [Diagram of security domains: Physical Security; Client/Perimeter Security; Security Control and Management; Access Management; Infrastructure Security; Resource Security (Employees, Customers, Partners; Documents/Data, Applications/Processes); Security Standards and Policies; Process Audit and Report]
    13. Security - Layered Defence: The need for a joined up approach
       • Identity Administration
       • Access Enforcement
       • Application/Process Security
       • Data Security
       • Infrastructure Security
       • Physical Security
       [Diagram layers: Access, Application, Data]
    14. The Reality of Cloud Computing
       © 2009 Oracle – Proprietary and Confidential
    15. Key Barriers to Cloud Computing
       74% rate cloud security issues as “very significant” (Source: IDC)
       • Security
       • Compliance
       • Control
    16. Cloud Security Challenges
       [Table across Private Cloud, Hybrid Cloud and Public Cloud; items: IT agility, Interoperability, Data breaches, B2B collaboration, User experience, Multi-tenancy, Data location, Access control complexity, Workload portability, Compliance, Privileged user access]
    17. Security with Oracle Cloud Platform
       [Architecture diagram]
       • Applications: Application 1, Application 2, Application 3
       • Platform as a Service
         - Shared Services: Configuration Mgmt (Assembly Builder), Integration (SOA Suite), Process Mgmt (BPM Suite), Security (Identity Mgmt), User Interaction (WebCenter)
         - Application Grid: WebLogic Server, Coherence, Tuxedo, JRockit
         - Database Grid: Oracle Database, RAC, ASM, Partitioning, IMDB Cache, Active Data Guard, Database Security
       • Infrastructure as a Service: Operating Systems (Oracle Enterprise Linux), Virtualization (Oracle VM), Servers, Storage
       • Cloud Management (Oracle Enterprise Manager): Capacity & Consolidation Planning; Lifecycle Automation (Self-Service Provisioning, Policy-Based Resource Scheduling, Metering); Application Performance Management (RUEI, SLA Management, Monitoring, Diagnostics); Application Quality Management (Testing, Patch Management)
    18. Service-Oriented Security: Identity Services for the Cloud
       [Diagram: Oracle Identity Management (Identity Administration, Directory Services, Role Management, Authentication, Authorization, Federation) exposed as Web Services to Oracle Apps, 3rd Party/Custom Apps and Cloud Service Providers]
       • Discrete, easily consumable security services
       • Rapid application security, improved IT agility
       • Security seamlessly woven into applications
    19. Identity Management Considerations in the Public Cloud
       [Diagram: IAM Service Provider, Business Service Provider and Business Service Consumer, each with Identity Admin and Identity Assurance, linked by Identity Federation]
       • User lifecycle management
       • Federated authentication
       • Fraud prevention and risk mitigation
    20. Security Framework: The value of this approach
       Principles:
       • Ensure Principle of “Security First”
       • Built-in not Bolt-on Security
       • Enforce controls
       • Improved management
       • Holistic not silo solutions
       • Platform for agility and flexibility
       Benefits:
       • Creates agility to meet changing threat landscapes and create new models
       • Leads to re-useable patterns
       • Provides joined up protection against data loss, fraud and theft
       • Achieves greater compliance for lower cost
       • Creates better customer experience
       • Builds “trusted” brand
    21. Oracle Security Inside Out
       [Diagram: Information Infrastructure: Databases, Applications, Content]
       Database Security
       • Encryption and Masking
       • Privileged User Controls
       • Multi-Factor Authorization
       • Activity Monitoring and Audit
       • Secure Configuration
       Identity Management
       • User Provisioning
       • Role Management
       • Entitlements Management
       • Risk-Based Access Control
       • Virtual Directories
       Information Rights Management
       • Centralized document access control
       • Digital shredding
       • Document Activity Monitoring and Audit
    22. Complete, Open, Integrated Systems
       • Engineered to work together
       • Tested together
       • Certified together
       • Packaged together
       • Deployed together
       • Upgraded together
       • Managed together
       • Supported together
    23. Together, We Will Spend $4.3 Billion In R&D In Our First Full Fiscal Year
       [Chart: R&D spending, USD $Bs: FY05 $1.5, FY06 $1.9, FY07 $2.2, FY08 $2.7, FY09 $2.8, … FY11 $4.3]
    24. [Industry-specific cover image]
       Telco X Identity Management Assessment
       Oracle Insight Report - Issue 1.0, January 28th 2009
       Rob McManus, Insight Programme Director, Technology Solutions & Channels
       Jason Rees, Insight Programme Director, Technology Solutions & Channels
    25. Oracle Recommendations – Flight Path
       [Roadmap: columns Governance & Architecture, User Management, Access Management, Data Management; timescale 1-6 months, 6-12 months, Year 2]
       Items: Increase OpCo adoption; Implement new Web Access Mgt; Increase number of integrated applications; IdM Service Management; Virtual directory technologies; Authorisation & Authentication Management; Automation of Rules and Workflows; Enterprise SSO; Standards for application integration; Role Management; Principles and Standards; Strong Authentication; Implement New IdM; Replacement of hardware tokens; Audit & Reporting; Institute Governance Board; Automate re-certification and Attestation
    26. Prioritisation of IdM Capability Areas
       [Matrix: Priority Level (High, Medium, Low) against Operating Performance (Performed Locally, Planned and Tracked, Well Defined, Mature, Industry Leading); zones labelled “Targets”, “Secondary Targets” and “Longer Term”]
       • High priority (Primary Focus): User Management, Audit & Reporting, Governance, Access Management, Architecture
       • Medium priority (Secondary Focus): Authorisation Management, Authentication Management
       • Low priority (Future Phases)
    27. Investment in IdM Should Produce Strong Value for Telco X
       Oracle estimates an ROI of 410% based on Conservative Case, payback in 16 months. 5 Year Net Present Value: £12 million.
       [Chart: Benefits Achieved, Total Costs and Accumulated discounted cash flow (NPV) by year; NPV: Year 1 -£639,858, Year 2 £1,174,242, Year 3 £4,391,073, Year 4 £8,654,465, Year 5 £12,329,802]
       Source: Discovery workshops; data provided; Oracle analysis
       Note: Implementation costs are very approximate at this early stage; discount rate used is 16%; costs do not include all relevant non-Oracle items, e.g. internal Telco X implementation costs, hardware costs and training costs; benefits do not include productivity gains
    28. Benefits of Oracle’s Recommendation
       Financial impact (potential annual benefits):
       Benefit Area/Driver | Type | Conservative | Pragmatic | Aggressive
       1a. Increase productivity of new hires | Productivity | £1,239,854 | £1,859,781 | £2,479,708
       1b. Reduce Joiner Administrative effort for Line Managers | Productivity | £929,891 | £1,859,781 | £2,789,672
       1c. Employee searches | Productivity | £290,591 | £348,709 | £406,827
       1d. Fewer systems to update | Productivity | £1,210,795 | £2,421,590 | £3,632,385
       2a. Reduction in Help Desk administration costs for account requests | Headcount | £1,832,727 | £2,618,182 | £3,403,636
       2b. Incremental Productivity - reduced password reset calls to helpdesk | Productivity | £6,974,179 | £11,623,632 | £16,273,085
       2c. Reduction in Help Desk Administration costs - Password Resets | Headcount | £1,846,154 | £3,000,000 | £3,692,308
       3a. Reduction in Administrative Labour Costs for Certification | Headcount | £660,000 | £1,100,000 | £1,540,000
       3b. Reduction in Attestation Review Effort | Headcount | £651,375 | £1,085,625 | £1,519,875
       3c. Reduction in Audit Remediation Costs | Headcount | £250,000 | £250,000 | £250,000
       3e. Replace Hardware Tokens | Saving | £120,000 | £120,000 | £120,000
       4a. Cost of assisting staff present and past following loss of personal data | Saving | £337,500 | £675,000 | £1,012,500
       4b. Fraud Avoidance and Reduction | Saving | £500,000 | £500,000 | £500,000
       4c. Application development savings | Saving | £1,250,000 | £3,000,000 | £4,000,000
       Total | | £18,093,066 | £30,462,301 | £41,619,997
       Note 1: Potential annual benefits
       Note 2: Based on Oracle experiences, analyst reports and information gained through interviews with Telco X
       Note 3: Includes Productivity savings which have been removed from ROI calculation overleaf
    29. Complete, Open, Integrated AND Secure!