Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Securing Citizen Facing Applications

942 views

Published on

Open World Security Panel

  • Be the first to comment

  • Be the first to like this

Securing Citizen Facing Applications

  1. 1. Securing Citizen Facing Applications Moderated by Timothy Davis Oracle Enterprise Architect Board Member
  2. 2. Agenda <ul><li>Introductions </li></ul><ul><ul><li>Security EA Panel and Topic Positioning </li></ul></ul><ul><li>4 Compelling EA Security Issues </li></ul><ul><li>Architect Response </li></ul><ul><ul><li>Key Shareable Artifacts, Lessons Learned </li></ul></ul><ul><li>Audience 10 minutes of Q & A </li></ul>
  3. 3. Today’s Panel Edwin Lorenzana, Enterprise Security Architect, City of Boston Hayri Tarhan, Oracle Enterprise Security Specialist Architect Timothy Davis, Oracle Enterprise Architect Board Member Jeremy Forman, Oracle Enterprise Architect CISSP Certified Professional Marc Chanliau, Director, Identity Management Development
  4. 4. What are Secure Citizen Facing Applications?
  5. 5. Citizens More Sophisticated … Higher Costs Than Ever… It Adds Up Government 2.0 <ul><li>Citizen Self Service </li></ul><ul><li>Demand for Government Transparency </li></ul><ul><li>Need for Citizen Context Across the Enterprise </li></ul>Source: IT Policy Compliance Group, 2007. <ul><li>Sophistication of Attacks </li></ul><ul><li>Stolen Credentials and Identities </li></ul><ul><li>Compliance and Remediation Costs </li></ul><ul><li>Security Breach Remediation Costs </li></ul>$
  6. 6. More breaches than ever… Data Breach Once exposed, the data is out there – the bell can’t be un-rung PUBLICLY REPORTED DATA BREACHES Total Personally Identifying Information Records Exposed (Millions) Source: DataLossDB, Ponemon Institute, 2009 Average cost of a data breach $202 per record Average total cost exceeds $6.6 million per breach 630% Increase
  7. 7. More threats than ever… 70% attacks originate inside the firewall 90% attacks perpetrated by employees with privileged access
  8. 8. Issue #1: Are the business and application owners involved in the security decision making process? Or is it the technology organization? This slide is not to be displayed Panelist Question Jeremy Forman <ul><li>Are the business and application owners involved in the security decision making process? Or is it the technology organization? </li></ul><ul><li>Follow-up : What is the challenge to deliver and why is it so hard to do? </li></ul><ul><li>Discussion Points: </li></ul><ul><li>Complexity across Four Dimensions </li></ul><ul><li>Segregation of Duties </li></ul><ul><li>Data Protection </li></ul><ul><li>Cost of Compliance </li></ul><ul><li>e-Discovery </li></ul><ul><li>How do we enable Business/Application Owners to be involved in the process? </li></ul><ul><ul><ul><ul><li>FEAF </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Govern </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Maintain </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Communicate </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Measure </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><li>EA Benefits to IdM </li></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Reduced Business Risk </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Reduced Security Breaches </li></ul></ul></ul></ul></ul>Edwin Lorenzana <ul><li>What personally have you seen as lessons learned to get the business on-board towards EA Security Model? </li></ul>
  9. 9. Issue #1: Are the business and application owners involved in the security decision making process? Or is it the technology organization? Why? Today’s “New Normal” Users, Systems, Globalization and Compliance Forced Complexity IT Governance EMR/HIE Service Level Compliance Financial Reporting Compliance Compliance & Ethics Programs Audit Management Data Privacy Records Retention Legal Discovery CJIS Apps Server Data Warehouse Database Mainframes Mobile Devices Enterprise Applications Systems Globalization Users Legal Taxation HR Public Safety Partners Citizens Healthcare EPA Mandates MFIPPA FOIPPA FDA FISMA NIST HIPAA FDA PCI… Patriot Act SB1386
  10. 10. Copyright © 2008, Oracle and/or its affiliates. All rights reserved. Monitoring and Configuration Enterprise Visibility Automated Controls Security for Applications, Middleware, Data & Infrastructure Comprehensive ‘Defense in Depth’ Approach Policy Enforcement Database & Infrastructure Middleware Applications Access to Business Services Lower Cost of User Lifecycle Data Protection and Privacy Virtualization
  11. 11. Oracle Architect Development Process for Security Architecture Phase Input Output Architecture Vision <ul><li>Regulations </li></ul><ul><li>Security Policies </li></ul><ul><li>Responsibilities </li></ul><ul><li>Architecture Checkpoints </li></ul><ul><li>Security Statements </li></ul><ul><li>Compliance Standards </li></ul>Current State Architecture <ul><li>Threat & Risk Analysis </li></ul><ul><li>Business Policies </li></ul><ul><li>Identified Risks </li></ul><ul><li>Information Classification </li></ul>Future State Architecture <ul><li>Identified Risks </li></ul><ul><li>List of Relevant Regulations </li></ul><ul><li>Information Classification </li></ul><ul><li>GRC Strategy </li></ul><ul><li>Security Reference Architecture </li></ul><ul><li>Data Governance Strategy </li></ul>Strategic Roadmap <ul><li>Security Reference Architecture </li></ul><ul><li>Data Governance Strategy </li></ul><ul><li>GRC Plan </li></ul><ul><li>Data Governance Plan </li></ul><ul><li>Validated Processes </li></ul>EA Governance <ul><li>Continuous Audit of Security: Design, Implementation, & Operations </li></ul>Business Case <ul><li>Identify Reusable Security Services </li></ul><ul><li>What can go wrong? </li></ul>
  12. 12. Issue #2: Major issues around proofing and identifying citizens access to systems? This slide is not to be displayed Panelist Question Hayri Tarhan <ul><li>What are some of the challenges and issues around proofing and identifying citizens for access to systems? </li></ul><ul><li>Follow-up: </li></ul><ul><li>How do the various departments of a government come to agreement on the attributes and data points used to proof users, employees, contractors, etc.? </li></ul><ul><li>What are the perils of not addressing this challenge holistically? </li></ul><ul><li>Key Concepts to hit on: </li></ul><ul><li>1. Discuss how Oracle can map business security requirements back to 800-53 </li></ul><ul><li>2. Identity proofing standards </li></ul><ul><li>3. Virtualizing directories </li></ul>Marc or Edwin
  13. 13. Issue #2: Major issues around proofing and identifying citizens access to systems? Virtual Attribute Authority Internal Apps Virtual Attribute Authority Rules Virtual Identities Hierarchies, Mappings Directories Databases Proprietary Identity Attributes Applications
  14. 14. Issue #3: How can you meet FISMA’s different levels of authentication and identification? This slide is not to be displayed Panelists: These are the questions I will be asking, and the primary respondent. The primary respondent should take from 1 to 5 minutes answering in as much detail as he wishes. When the primary respondent has finished, other panelist may make additional comments of 1 minute or less. Panelist Question Hayri Tarhan <ul><li>How can you Local Governments and the Feds meet FISMA’s different levels of authentication and identification? </li></ul><ul><li>Follow-up: </li></ul><ul><li>Why is would governments look at risk-based authentication solutions over hard tokens, which have been prevalent for quite some time? </li></ul><ul><li>Key Concepts to hit on: </li></ul><ul><li>1. Explain the business value of NIST 800-53 levels </li></ul><ul><li>2. Multi-factor solutions to facilitate: </li></ul><ul><ul><li>a. Step-up </li></ul></ul><ul><ul><li>b. Risk Based </li></ul></ul><ul><ul><li>c. Soft 2 nd Factor </li></ul></ul>Jeremy Forman <ul><li>What sorts of success have you seen regarding implementing NIST controls for State & Local Governments ? </li></ul>
  15. 15. Risk-based Access Control Device Geography Time Activity Secure Mutual Authentication Risk-Based Authorization Risk Scoring Issue #3: How can you meet FISMA’s different levels of authentication and identification? Virtual Attribute Authority Rules Virtual Identities Hierarchies, Mappings <ul><li>NIST 800-63 2 nd Factors </li></ul><ul><li>IP Address </li></ul><ul><li>Domain/Subnet </li></ul><ul><li>Browser Config </li></ul><ul><li>Location </li></ul><ul><li>Time… </li></ul>
  16. 16. Issue #4: Is a centralized or decentralized approach to authentication and authorization the more feasible approach? Panelists: These are the questions I will be asking, and the primary respondent. The primary respondent should take from 1 to 5 minutes answering in as much detail as he wishes. When the primary respondent has finished, other panelist may make additional comments of 1 minute or less. This slide is not to be displayed Panelist Question Edwin Lorenzana Is a centralized or decentralized approach to authentication and authorization the more feasible approach? Follow-up : How would a quasi-public/private sector model work for a composite ID? Discussion Points: Composite Ids Who owns the Composite ID, who controls it and who contributes to it? Explain Core, Context and Balance of Identities in the Public Sector Hayri Tarhan <ul><li>What personally have you seen as lessons learned to get the business on-board to a Centralized vs. Federated Security Model? </li></ul>
  17. 17. Issue #4: Is a centralized or decentralized approach to authentication and authorization the more feasible approach? Identity Mgmt Future State Architecture
  18. 18. To Learn More Enterprise Architecture with Oracle <ul><li>People </li></ul><ul><ul><li>Join our EA community – visit the Oracle Technology Network (OTN) Architect Center on oracle.com </li></ul></ul><ul><ul><li>Blog with our architects at blogs.oracle.com </li></ul></ul><ul><ul><li>Attend an Oracle EA Roundtable </li></ul></ul><ul><li>Process </li></ul><ul><ul><li>Learn more about Oracle’s EA processes and technology best practices with our TOGAF-based architectural methodology </li></ul></ul><ul><li>Portfolio </li></ul><ul><ul><li>Make use of EA resources: reference architectures, planning tools, information </li></ul></ul>Oracle Enterprise Architecture Framework Business Architecture Application Architecture Information Architecture Technology Architecture EA Repository
  19. 19. Wrap up: Guidance to Security Architects Panelists: These are the questions I will be asking, and the primary respondent. The primary respondent should take from 1 to 5 minutes answering in as much detail as he wishes. When the primary respondent has finished, other panelist may make additional comments of 1 minute or less. This slide is not to be displayed Panelist Question Edwin Lorenzana <ul><li>Federated Identities are the only way “politically” you can wholistically implement EA Security </li></ul>Hayri Tarhan <ul><li>Organizations need to treat identity as service vs. hard coding security </li></ul>Marc Chanliau <ul><li>Database Security – defense in depth </li></ul>Jeremy Forman <ul><li>To Recommend Security Health Checks </li></ul>
  20. 20. A final question to our panel: Guidance to Security Architects ? Edwin Lorenzana Hayri Tarhan Jeremy Forman Timothy Davis Marc Chanliau
  21. 21. Questions & Answers
  22. 22. Thank You

×