"Securing the Cloud" Marcin Kozak, Software Architect, Oracle Polska

Published on: Oracle Cloud Forum, Warszawa 27.02.2013
Published in: Technology
Notes
  • Agenda: Architectural Considerations. Outline some of the common challenges that customers face today, and the symptoms and root causes of these challenges. Describe some of the common pitfalls that customers run into when trying to develop and execute an Optimized Datacenter strategy. Define the architectural requirements and key planning considerations, i.e. the key architectural principles for an Optimized Datacenter. Components and key characteristics of an Optimized Datacenter.
  • Security risk is a strategic concern for business leaders; the impact of regulatory compliance and the cost of breaches is too large to ignore. We can't simply purchase an insurance policy against it. The stakes are too high. The criminals are after customer data. At LinkedIn hackers stole over 6 million user accounts and passwords. This is not an isolated case. Hackers attacking corporations are not only going after their intellectual property, they are also going after their customer data. In the case of LinkedIn the biggest exposure is to LinkedIn's online users. Because users often use the same passwords in multiple places they are now vulnerable. (http://www.nytimes.com/2012/06/11/technology/linkedin-breach-exposes-light-security-even-at-data-companies.html?pagewanted=all) IT'S EMBARRASSING, IT DAMAGES THE BRAND. The scale of the threat is massive. The Sony breach highlights the volume of the threat. Instead of small breaches, our breaches are now larger. The intruders are now bolder. At Sony they took 12M credit cards. These crimes cascade into more crime as fraudulent charges will be made against these credit cards, costing the banking industry billions to resolve. The costs are going up. Bottom line: it costs a lot and the average cost is going up. The problem is we can't just insure against the risk anymore; the stakes are too high. The estimate is that cybercrime costs about 1 trillion globally. The average breach costs 7.2 million. IT'S NOT A MATTER OF IF, IT'S A MATTER OF WHEN.
  • Businesses are spending up to 40% of their security budgets on compliance alone. Forrester estimates that organizations spend up to 40% of their IT budgets on compliance and internal governance. The spend is only increasing, with each state government providing its own privacy laws and privacy regulations. Governance is more challenging: the controls are now more rigorous and intrusive; it's not just a single system check, it's really cross-system. As the perceived risks increase, governments are quick to regulate. Many of the new regulations are focused on protecting customer data. No vertical industry is immune. For more background read "The Value of Corporate Secrets" (Forrester): http://www.google.com/url?sa=t&rct=j&q=forrester%20the%20value%20of%20corporate%20secrets&source=web&cd=1&ved=0CFAQFjAA&url=http%3A%2F%2Fdownload.microsoft.com%2Fdownload%2FF%2F2%2F3%2FF2398E9C-94FE-496C-BFB2-9DEFE1502ABD%2FForrester%2520TLP%2520-%2520The%2520Value%2520of%2520Corporate%2520Secrets.pdf&ei=PTAPULzIKufniwKF1oHQCQ&usg=AFQjCNHUe5KvsSjWtltN8lsg-erxKE1duw
  • The velocity of change and the pressure to comply has made businesses reactive. As an example, after the RSA breach a survey of security professionals found that approximately 30% planned to increase security spending as a result of the breach. The media attention on cyber security and hacking has shifted attention away from the real vulnerabilities. At UBS the trader that caused the billion-dollar fraud was not a hacker from a rogue nation. This was an insider who was trusted and who gained excessive access because of the trust the bank placed in him. When criminals break in they go for the low-hanging fruit or they come in with stolen credentials. Users with simple passwords and databases that are unencrypted create more risk than a team of external hackers. The cost of remediating a breach exceeds the cost of preventing a breach 10X, and we need to start taking a proactive approach to it. We need to put the right technologies in place so we don't have to make excuses later to our customers and our upper management.
  • The reactive approach has failed: we have spent a huge sum of money and we don't feel safer. [First Build] This compares 2007 IT security spend to 2010; we have practically doubled our spending. Yet the attacks keep increasing and criminals are stealing more of our data. Most of what we have purchased has been focused on protecting the perimeter and away from the applications and data. They have been focused on reacting. [Second Build] But when you look at where the risks are: 94% of the breaches are against servers in your datacenter, not lost laptops or hacked cellphones. 66% of your sensitive data is actually in the database. 96% of the breaches where the company was subject to PCI DSS were not compliant. Privileged accounts (root and service accounts) were being abused in 5% of the cases, through simple mistakes like not resetting root passwords. 32% of hacking involved lost or stolen credentials; criminals can buy these on the black market. Yet a large fraction are due to patching errors, unapplied patches and misconfiguration. WE ARE NOT SAYING TO IGNORE PERIMETER SECURITY BUT RATHER SHIFT SOME ATTENTION BACK TO THE STRATEGIC ASSETS. Even if you could find a way to secure the perimeter and all those end-points, it would be expensive to do it. And costs would keep rising as you add more devices and more applications. Security already accounts for 14% of annual IT budgets (Forrester). The real risks are against the apps and data. The risks are against the core systems. While the number of external attacks is rising, the systems most vulnerable are the applications, the data and the infrastructure. Attacks like simple SQL injection to retrieve data from databases, or extracting data sent in clear text across corporate networks. IDC, "Effective Data Leak Prevention Programs: Start by Protecting Data at the Source — Your Databases", August 2011, http://www.oracle.com/us/products/database/039434.pdf. The fact that data is doubling every two years is from Gartner.
  • When we examine some of our biggest cases we find the causes are inside. When we examine LinkedIn, they found that the passwords for users were only lightly encrypted. When we examine Societe Generale, it was not a hacker but a trusted employee with excessive access; it was literally an inside job. At Sony, the customer credit card data was not even encrypted; the hackers didn't have to try very hard, it was just lying around. At RSA, the attack was a phishing attack enabled by an unsuspecting end user; while the breach was happening at RSA they could see it happen, but they did not have the forensics and internal controls in place to stop it. THESE THREATS ALL STARTED OUTSIDE BUT EXPLOITED INTERNAL RISKS.
  • So we have to start inside; our opportunity is to transform IT security and secure the business inside out. The most successful businesses will take a proactive approach to safeguarding their intellectual property and the information of their customers. [First Build] We have to start by being proactive and focusing on the risks. Look at your audits and see where your vulnerabilities are. If your organization has data that is unencrypted, target that first before you lock down every cell phone. If you have accounts on systems for people who have resigned, disable or de-provision these. Make sure you can address the bar on compliance and governance standards. [Second Build] Focus on preventing the threats. Look at fraud detection as a PROACTIVE way to prevent breaches before they happen. Protect your data in the applications where it is accessed and created, on the infrastructure and database where it is managed, and on the disks where it is archived and stored. [Third Build] Unlock the opportunities. The companies that can make security a competitive advantage can unlock the potential of the cloud and harness mobile and social applications to find new paths to market. Instead of building a wall and hoping it's strong enough, you need to take control of access in the enterprise: don't ignore perimeter or endpoint security, but build a security strategy that can prevent, detect and respond to internal as well as external threats. The endpoints will continue to change and new devices will continuously be introduced. By securing the information when it is created, accessed and stored we can better reduce the risk long term. This kind of inside-out approach to security will help you manage the risk, prevent threats and unlock the opportunities that a secure business can bring.
  • Optimal and holistic compliance addresses the inter- and intra-organizational challenges of persistent information security by clearly delineating control ownership.
  • The Cloud Controls Matrix is progressing through the ISO standardization process.
  • Responsibility split: the merchant is responsible for the other PCI DSS controls and for assuring that the service provider is compliant as per Requirement 12.8; the provider is responsible for maintaining PCI compliance and implementing Requirement 3.4 and the other requirements on merchant data.
  • So Oracle's approach is to start inside and engineer for security at every layer of the stack. While we can't control how many hackers try to attack our business, we can control the configuration of our systems internally and the security of our infrastructure from the applications to storage. First, we think about security inside each layer. At the apps level this means access to data and business transactions, proactively looking for fraud. At the middleware level it means integrating identity and access management horizontally across all components in middleware. At the VM level we incorporate security into Java so that in-memory databases and apps can be built on a foundation of security. At the OS layer it means VM isolation directly on Solaris and Trusted Extensions for Solaris, trusted by the US military. At the infrastructure layer it means security without performance overhead, so we include hardware acceleration for encryption. At the file system, encryption on disk and ZFS. And in the ILM process we include symmetric encryption across multiple ILM tiers. Second, we secure between each layer, because data flows up and down the stack; access control and data security is pervasive. We provide monitoring and patch management with Oracle Enterprise Manager, which allows the entire stack to be monitored and patched for total control. Hardware and software optimized together. Third, we secure between systems: the way data is passed to other systems, portals etc., so that data is portable. For example, data masking allows data to leave the data center while masking private data and preserving relational integrity; federated authentication and adaptive access detect fraud and prevent intrusion; SOA security at the middleware level stops payloads from being breached; at the portal layer, document-level security addresses compliance and data privacy rules.
  • What all of this means is: secure the information where it resides and throughout its value chain. Looking at the stack from another angle, this means Unstructured Data and OS, Structured Data, Applications and Portal. To manage your risk level, you need an approach that focuses on your most strategic assets. You can't secure your business by hoping to prevent all breaches. Trying only drives large investments in tactical, reactive technologies without securing what matters most. Instead, determine what casualties you can't afford and tackle those issues first. And for most businesses, that means focusing on applications and data.
  • Since the database contains 2/3 of your sensitive information, Oracle provides a complete database security solution. (Below is a blurb about each offering; the key message is that we take a suite approach and we are comprehensive.) Companies don't intend to lose sensitive data; it happens by accident, or malicious users take advantage of security loopholes. With a complete solution, organizations can take a layered approach. The person who knows a company's financial results first is not the CEO, it's the DBA, so the solution provides the ability to manage privileged access. People often think test environments in data centers are safe, but unfortunately being internal, behind the firewall, does not make these environments safe. Developers typically gain excessive access to tables and data; to make your data portable without spending tons of time filtering it, organizations use masking, which secures it and preserves referential integrity. If most organizations just encrypted their data they could significantly reduce risk. Each offering, in case you want to work different combinations into talking points: Oracle Database Firewall is the first line of defense for both Oracle and non-Oracle databases. It monitors database activity on the network to help prevent unauthorized access, SQL injections, privilege or role escalation, and other external and internal attacks, all in real time. Based on innovative SQL grammar technology that can reduce millions of SQL statements into a small number of SQL characteristics, Oracle Database Firewall offers unmatched accuracy, scalability, and performance. Oracle Audit Vault reduces the cost and complexity of compliance and the risk of insider threats by automating the collection and consolidation of audit data. It provides a secure and highly scalable audit warehouse, enabling simplified reporting, analysis, and threat detection on audit data. In addition, database audit settings are centrally managed and monitored from within Audit Vault, reducing IT security cost. Oracle Advanced Security helps organizations comply with privacy and regulatory mandates by transparently encrypting all application data or specific sensitive columns, such as credit cards, social security numbers, or personally identifiable information (PII). By encrypting data at rest and whenever it leaves the database over the network or via backups, Oracle Advanced Security provides the most cost-effective solution for comprehensive data protection. Oracle Database Vault helps organizations increase the security of existing applications and address regulatory mandates that call for separation of duties, least privilege and other preventive controls to ensure data integrity and data privacy. Oracle Database Vault proactively protects application data stored in the Oracle database from being accessed by privileged database users. Oracle Label Security is a powerful and easy-to-use tool for classifying data and mediating access to data based on its classification. Designed to meet public-sector requirements for multi-level security and mandatory access control, Oracle Label Security provides a flexible framework that both government and commercial entities worldwide can use to manage access to data on a "need to know" basis in order to protect data privacy and achieve regulatory compliance.
  • As enterprises think about embracing various cloud applications and services, it is worthwhile to take a look at various cloud deployment scenarios from a security perspective. The on-premise enterprise is at the lowest end of the spectrum that we refer to as the cloud continuum. In the typical enterprise, IT can lock down security and can exert a lot of control on security policies. Consequently risk is low and latency to respond to threats is low as well. As we move up the spectrum, from private on-premise cloud to private hosted cloud and finally to the public cloud, IT's control and visibility into security policies decreases. In the public cloud, policies are managed by an outside third party, the cloud service provider. As we move through the spectrum, security policies get more and more fragmented as we duplicate policy data in multiple places. Consequently, latency also increases and risk explodes.
  • Security is top of mind for anyone embracing cloud. Companies worry about who can see their data and they worry about how to restore the control over applications they had while apps were on premise. The top 5 security concerns all relate to data and access, in addition to providing the audit assurance to address governance. The top questions being asked are: How do I provide access and fraud detection for apps off premise? If you are a financial institution, your cloud has to provide reporting to address the Basel 2 requirements or you will face some large financial penalties. If your cloud hosts your general ledger, your cloud has to provide Sarbanes-Oxley certification. How do organizations provide timely compliance reporting and remediation? Many organizations have gone down the path of building out cloud infrastructure only to stumble on the reporting and compliance challenge. If your customers are in Europe, your cloud has to comply with the European data privacy directive. At the same time everyone is worried about multi-tenancy and data isolation: how do I secure data in the cloud if my data is commingled? And beyond this, how to patch and manage the infrastructure and provide complete visibility across the stack; in other words, see the cloud beyond the vapor, for the infrastructure it resides on.
  • Slide Transition: Oracle provides multiple layers of security to ensure that only authorized users have appropriate access to your systems. Security at the application layer includes comprehensive compliance management and centralized policy administration to support multiple compliance requirements. Middleware security provides role-based access controls and identity management, including rights management and identity governance. At the database layer, data is secured while in motion via SSL 256-bit encryption, and at rest using Oracle's Transparent Data Encryption. You can transparently encrypt all application data or specific sensitive columns, such as credit cards, social security numbers, or personally identifiable information (PII), without making any changes to existing applications. Database Vault prevents privileged users from accessing application data. Other security measures include tracking configuration and information changes and auditing all database activity. Finally, security at the infrastructure layer includes hardware-level encryption in order to protect data at rest from unauthorized disclosure, alteration and deletion, without impacting performance. Tamper-resistant key storage protects cryptographic keys from theft. This is undoubtedly the most secure software and hardware stack available on the market from a single vendor today. Lastly, we provide services to deploy and manage the stack securely. Slide labels: Infrastructure Security (Trusted OS Extensions, Virtualization Security, Cryptographic Acceleration, Key Storage Built-In, Secure Storage); Identity Management (Privilege Account Management, User and Role Management, Entitlements Management, Risk-Based Access Control, Directory Services); Risk & Compliance (Auditing & Attestation, Segregation of Duties, Process Controls, Transaction Controls); Database Security (Encryption and Masking, Privileged User Controls, Database Firewall).
  • With up to 14% of your IT budget at stake, the opportunity is to take a more cost-effective approach. We can't afford to be reactive. We take a defense-in-depth approach, which means multiple layered controls. This applies to how we secure databases and how we secure at every layer of the stack: every layer of security adds an overlapping control to address stringent audit and compliance requirements. The focus is securing the strategic assets. The second approach is to secure the most valuable assets: by moving the controls closer to the systems and data we protect, the solution is more effective.
  • The threats are outside but the risks are inside, so we have to secure the business at the core. Because the risks are inside we focus on the core systems and secure every layer, between layers and between systems. This provides a foundation for extending security to cloud, mobile and social environments. Because we are experts at the entire stack, only Oracle can take a comprehensive approach that is holistic and secures data throughout the lifecycle. Because we are experts at every layer we can provide better performance at every level.
  • Transcript of ""Securing the Cloud" Marcin Kozak, Software Architect, Oracle Polska"

    1. Cloud Security (Bezpieczeństwo chmury). Marcin Kozak, Security Architect. Copyright © 2012, Oracle and/or its affiliates. All rights reserved.
    2. Agenda: the "Inside Out" approach; Cloud Security; Security at every level.
    4. IT Risks are Business Risks. The number of threats is growing: LinkedIn, 6M stolen passwords; cybercrime, $1 billion (in total); Sony, 12M stolen credit cards; SEGA, 1.3M online accounts; $7.2 million, the average cost of a data breach. Sources: Security Week, Dec 15, 2011, "Seven Significant Hacks of 2011"; BetaNews, June 6, 2012; McAfee 2010; Ponemon 2011.
    5. Growing legal requirements. Additional regulations appear because new risks appear: CMR 201, COSO, SEC, HITECH, PCAOB, PIPEDA, DSBN, FISMA, EU DPD, J-SOX, Directive 95/46/EC, HIPAA, CA 541, KASB, ISO27001, CJIS, NERC, FERC, FIPS, SOX, FSA, GLBA, PCI DSS, CFTC, BASEL 2. Source: The Value of Corporate Secrets by Forrester Consulting (March 2010).
    6. Reactive operation: lack of focus on information protection. "Most security organizations continue to focus inappropriate attention on network vulnerabilities and reactive network security tools rather than on proactive application security practices." Forrester, The Evolution of IT Security 2010 to 2011.
    7. The reactive approach does NOT work: focus on the wrong risks. Change in the perception of security. Breach statistics: 94% servers; 66% sensitive data; 96% PCI-DSS non-compliance; 5% privileges; 32% identity theft (Verizon DBIR 2012 & IDC 2011). IT security budget, 2007 vs 2010: 14% of the IT budget, split across Endpoint Security, Vulnerability Management, Network Security, Email Security and Other Security (8.2%) (IDC 2011: Effective Data Leak Prevention Programs).
    8. The cause exists inside the company.... Simple controls would have prevented the threats... LinkedIn: weak algorithms. Societe Generale: excessive privileges. Sony: no encryption of credit cards. RSA: ....
    9. Security in IT: risk reduction based on cost analysis; understanding risks; risk management; INSIDE-OUT; using resources in a different way.
    10. Oracle's approach to Cloud Security: ENISA Cloud Computing Security Risk Assessment, "Cloud Computing, Benefits, risks and recommendations for information security"; Cloud Security Alliance Security Trust and Assurance (STAR), "Cloud Controls Matrix".
    11. Cloud Controls Matrix (CCM), Cloud Security Alliance. Controls consolidation baselined and mapped to: COBIT, HIPAA/HITECH Act, ISO/IEC 27001-2005, NIST SP800-53, FedRAMP, PCI DSS v2.0, BITS Shared Assessments, Jericho Forum, NERC CIP.
    12. Optimal & Holistic Compliance
    13. CCM – 11 Domains – 98 Controls: 1. Compliance (CO); 2. Data Governance (DG); 3. Facility Security (FS); 4. Human Resources (HR); 5. Information Security (IS); 6. Legal (LG); 7. Operations Management (OM); 8. Risk Management (RI); 9. Release Management (RM); 10. Resiliency (RS); 11. Security Architecture (SA).
    14. CCM – 98 Controls
    15. CCM – 98 Controls (cont.)
    16. CCM – 98 Controls (cont.)
    17. CCM – 98 Controls (cont.)
    18. Control Matrix >> Guidance >> ISO 27036 Series
    19. How is Cloud Computing Security Different? Consumer-Provider Security Responsibilities. Different users: IT Professional, Developer, Business End User. Stack layers: Customizations, Application, Platform, Service; the consumer's and the provider's responsibility for each layer is shown for SaaS Cloud, PaaS Cloud and IaaS Cloud.
    20. IT Security Layering
    21. Oracle Enterprise Security Solutions for the Cloud: Governance, Risk and Fraud Prevention; Identity Governance and Access Management; Compliance; Multi-factor Authorization and Strong Authentication; Data Encryption and Masking; Activity Monitoring; Privileged User Management; Role-based Access Control; Auditing; Server Hard Partitions; Secure Virtualization; Hardware Cryptographic Acceleration; Network, Disk and Tape Encryption.
    22. Example PCI Responsibility SPLIT: IaaS PCI. MERCHANT (Consumer) and PROVIDER columns covering: Application security, Physical, Scoping, Network, Monitoring, Encryption, Key management, System security, Parts of application security.
    23. Information flow
    24. Start... Security from the inside: every layer; between layers; between systems; services and consulting.
    25. Information Security: protecting information in every place it resides. Operating System: encryption, isolation, access control, monitoring. Data: firewall, encryption, masking (anonymisation), audit and monitoring, access control. Applications: access control, regulatory compliance, fraud detection, SOA security.
    26. Information Security in the Database: the information repository. Encryption of communication; Database Vault; Audit Vault; Database Firewall; encryption of data in the database (including backups); masking (anonymisation) of test and development environments; Label Security; Advanced Security; Data Masking; control of privileged accounts; information classification.
    27. Security is the biggest problem in the cloud.... Risk appetite.... Public (Off Premise, External Audit, No Visibility); Private Hosted (Off Premise, External Audit, Partial Visibility); Private In-house (On Premise, Internally Audited, Complete Visibility). Axes: RISK and Control, from High to Low.
    28. Four key cloud security problems: 1. Access from mobile devices; 2. Control of privileges; 3. GRC; 4. Security standards. TOP CONCERNS DRIVEN BY ACCESS & DATA SECURITY. CSO Online Survey, Feb 2011.
    29. Privilege management (GRC). Audit: verification of non-compliance across the full set of privileges; reporting of non-compliance; verification of privileges on any change. Role management: understandable description of privileges; techniques for grouping privileges; role consolidation; role versioning; role history. Certification: certification by the Information Owner; management certification; role certification.
    34. Security at every layer: Infrastructure Security; Governance & Compliance; Identity Management; Database Security; Services & Consulting.
    35. Cost versus Benefit: COST-JUSTIFIED CONTROLS; IT RISK AS BUSINESS RISK.
    36. Summary: securing information through control of every layer and control of the area between layers. SECURITY INSIDE-OUT. Information security is business.
