On Demand Cloud Services Coury
- 2. Oracle On Demand Cloud Services:
Security Strategy Mitigates Risk and Enables Compliance
Gail Coury
Vice President, Global IT Risk Management
- 3. Changing Landscape
Businesses are increasingly dependent on IT
in order to deliver products and services
Intellectual property and business records are
becoming wholly electronic
Business collaboration is driving a
disappearing perimeter
On demand computing requires anywhere &
anytime access
Stealth & targeted attacks
challenge our defenses
Information has value –
hacking is profitable
Copyright ©2011, Oracle. All rights reserved.
- 4. More Data Than Ever…
35 Zettabytes (ZB = 1 Trillion Gigabytes)
62% increase over 2008
Source: IDC Digital Universe Study, May 2010
- 5. More Breaches Than Ever…
Data Breach: Once exposed, the data is out there – the bell can’t be un-rung
[Chart: Publicly Reported Data Breaches – Total Personally Identifying Information Records Exposed (Millions), Cumulative Growth, 2005–2010; 1084% increase]
Average cost of a data breach: $204 per record
Average total cost exceeds $6.7 million per breach
Sources: http://datalossdb.org / 2009 Annual Study: US Cost of a Data Breach, Ponemon Institute, 2010
- 6. More Threats Than Ever…
On average there are about 6,000,000 new botnet infections per month
External breaches are largely the work of organized criminals
Sources: McAfee Threats Report: 3rd Quarter 2010 / 2010 Verizon Data Breach Investigations Report
- 7. More Regulations Than Ever…
• Federal, state, local, industry… adding more mandates every year!
  – Health Information Technology for Economic and Clinical Health Act of 2009
  – Massachusetts Law 201 CMR 17.00: Standards For The Protection Of Personal Information
• Need to meet AND demonstrate compliance
• Compliance costs are unsustainable
[Figure: Report and Audit – 90% of Companies Behind in Compliance]
Source: IT Policy Compliance Group, 2007
- 8. More Demands Than Ever…
Regulators Demand
More from IT
“In the future, policy makers and regulators will probably demand that IT systems capture more and better data in order to gain greater insight into and control over how banks manage risk, pharma companies manage drugs, and industrial companies affect the environment.
Successful CIOs should enhance their relationships with internal legal and corporate-affairs teams and be prepared to engage productively with regulators. They will need to seek solutions that meet government mandates at manageable cost and with minimal disruption.”
Source: Mckinsey, 5 Trends that will Shape Business Technology in 2009
- 9. Cloud Service Adoption
Security Continues to be the #1 Concern
It could actually be a benefit…
“So if you flip that apprehension on its head, there may be benefits in leveraging a cloud offering with the [security] focus and core competence that a cloud provider brings to the table.”
-Michael Pearl, PricewaterhouseCoopers
Source: www.networkcomputing.com / IDC Survey: Risk In The Cloud, June 16, 2010
- 11. Oracle On Demand
Benefits of New Software Delivery Models, Minimizing Risk
• Over 5.5 million users
• 89% of customers on most current releases
• Lower Risk
  – Proven Best Practices
  – Unparalleled Oracle Expertise
  – Scalable, World Class Technology Platform and Infrastructure
[Figure: managed stack – Applications, Middleware, Database, Operating System, Infrastructure]
- 13. Oracle Security Organization
[Org chart] Information Security Manager, working with:
• Lines of Business: On Demand, Government, Product Support, Product Development, etc.
• Risk Management
• Legal Affairs: Security & Privacy Counsel, Global Public Policy
- 14. Utilize International Security Standard
Control areas:
• Security Organization
• Security Policy
• Asset Management
• Operations Management
• System Acquisition & Maintenance
• Physical & Environmental
• Legal Compliance
• Business Continuity & DR
• Privileged Access Control
• Security Incident Management
• Human Resources Security
- 15. Security Strategy
Risk Management / Layered Defense in Depth
• Security Technical Design Reviews
• Security Technical Assessments
• Secure Configuration
Security Technologies
• Secure Web Gateways
• End User Security
• Intrusion Detection & Prevention
• File Integrity Monitoring using Change Control Console
• Full Disk and Tape Encryption
• Multi-Factor Authentication for Administrators
• Segregated Networks
• Power Broker for Privileged Management
• Network & Host Data Loss Prevention
• Security Configuration Monitoring using EM
Security Services
• Regular Scheduled Scanning of Hosts
• Automated Compliance Testing
• Real-time Security Event Correlation & Monitoring
Governance
• Auditing and Self-Assessment
• Business Continuity Planning & Testing
• Regulatory Compliance (SOX, PCI, HIPAA, Federal)
• Accessible Services
• Partner Security
• Governance, Risk & Compliance Documentation
[Figure: Information Security Strategy – Technologies, Services, Governance]
- 16. Top 10 Practices to Improve IT Security
Organizations with the best outcomes prioritize their top 10 practices very differently from other organizations, and fully automate most of the top 10 practices:
1. Technical controls are mapped to IT policies, regulatory mandates & legal statutes.
2. Antivirus signatures are updated & applied frequently.
3. Roles and responsibilities of policy owners are defined & maintained.
4. Evidence about IT configurations and technical controls is gathered for evaluation & analysis.
5. Gaps in procedural controls are identified, remediated and tested on a regular basis.
6. Vulnerability scanning and penetration testing of IT assets is conducted on a regular basis.
7. IT assets and audit trails are monitored on a continuous basis.
8. IT assets and software service configurations are tested regularly.
9. Unauthorized access to IT assets is automatically detected or prevented using IT controls.
10. Lists of IT assets and configurations are maintained in central repositories for easy access & analysis.
Source: IT Policy Compliance Group
- 17. Leverage On Demand…
Compliance Certifications
ISO Certification
• ISO 27001 Certification: 112 Controls Tested Annually
• ISO 27002 Certificate of Conformity: 132 Controls Tested Annually
SAS 70 Type II (For Commercial Services)
• 108 Controls Tested Biannually
Federal Certification & Accreditation (C&A), Department of Defense (DoD) and Agencies
• 700+ Controls Tested Annually
• NIST & DIACAP
HIPAA Compliance
Payment Card Industry (PCI)
• Compliant Level 1 Service Provider
• 217 Controls Tested Annually
21 CFR Part 11
• Service Offering Under Development
• 64 Controls Tested Annually
- 18. Common Controls
Fulfill Multiple Requirements
Standards / Regulations (Industry):
• ISO 27002
• SAS 70 (Public Firms)
• HIPAA (Health Care)
• PCI DSS (FSI, Retail)
• NIST (Federal Agencies)
• 21 CFR 11 (Life Sciences)
Process Controls (each mapped against the standards above):
• Policy Development & Maintenance
• Asset Management
• Access Control & Mgmt
• HR Security Controls
• Change Control Procedures
• Segregation of Duties
• Cryptographic Controls
• Backup and Recovery
• Media Handling
• Monitoring, Auditing & Logging
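The common-controls idea above, together with the "Automated Compliance Testing" item on the Security Strategy slide, can be made concrete as a small control-check runner: each check is run once and the result is rolled up per standard, so a single evidence-gathering pass covers every regime that accepts that control. This is an added Python illustration, not Oracle's tooling and not code from the deck. The control names follow the table; the configuration keys, the check thresholds and the mapping of each control to standards are assumptions made for the example, and the two configuration snapshots are constructed.

```python
"""Automated compliance testing over a common-controls catalogue (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

STANDARDS = ["ISO 27002", "SAS 70", "HIPAA", "PCI DSS", "NIST", "21 CFR 11"]


@dataclass(frozen=True)
class Control:
    name: str
    standards: List[str]            # regimes that accept this control as evidence
    check: Callable[[dict], bool]   # True when the configuration satisfies the control
    detail: str                     # what the check tests, for the report


# Control catalogue. Names follow the slide; thresholds and the control-to-standard
# mapping are assumptions made for this example.
CONTROLS = [
    Control("Access Control & Mgmt", STANDARDS,
            lambda c: c["password_min_length"] >= 12 and c["mfa_for_admins"],
            "12+ character passwords and multi-factor auth for administrators"),
    Control("Cryptographic Controls", ["ISO 27002", "HIPAA", "PCI DSS", "NIST"],
            lambda c: c["disk_encryption"] and c["tape_encryption"],
            "full-disk and tape encryption enabled"),
    Control("Monitoring, Auditing & Logging", STANDARDS,
            lambda c: c["audit_logging"] and c["log_retention_days"] >= 365,
            "audit logging on with at least one year of retention"),
    Control("Backup and Recovery", ["ISO 27002", "SAS 70", "HIPAA", "NIST", "21 CFR 11"],
            lambda c: c["backup_interval_hours"] <= 24 and c["days_since_restore_test"] <= 90,
            "daily backups and a restore test within 90 days"),
    Control("Segregation of Duties", ["ISO 27002", "SAS 70", "PCI DSS", "NIST", "21 CFR 11"],
            lambda c: not set(c["dba_accounts"]) & set(c["change_approver_accounts"]),
            "no account both administers the database and approves its changes"),
    Control("Change Control Procedures", STANDARDS,
            lambda c: c["change_ticket_required"],
            "production changes require an approved ticket"),
]


def evaluate(config: dict) -> Dict[str, bool]:
    """Run every control check once and record pass/fail per control."""
    return {ctl.name: bool(ctl.check(config)) for ctl in CONTROLS}


def rollup_by_standard(results: Dict[str, bool]) -> Dict[str, List[str]]:
    """Map each standard to the names of the failing controls it relies on.

    An empty list means every control tagged for that standard passed, so one
    run of evaluate() produces evidence for all regimes at once.
    """
    gaps: Dict[str, List[str]] = {std: [] for std in STANDARDS}
    for ctl in CONTROLS:
        if not results[ctl.name]:
            for std in ctl.standards:
                gaps[std].append(ctl.name)
    return gaps


def report(config: dict) -> str:
    """Human-readable summary of which standards are fully covered."""
    gaps = rollup_by_standard(evaluate(config))
    lines = []
    for std in STANDARDS:
        status = "PASS" if not gaps[std] else "FAIL (" + ", ".join(gaps[std]) + ")"
        lines.append(f"{std:<10} {status}")
    return "\n".join(lines)


# Constructed configuration snapshots (not real systems).
HARDENED = {
    "password_min_length": 14, "mfa_for_admins": True,
    "disk_encryption": True, "tape_encryption": True,
    "audit_logging": True, "log_retention_days": 400,
    "backup_interval_hours": 24, "days_since_restore_test": 30,
    "dba_accounts": ["dba1", "dba2"], "change_approver_accounts": ["cab1"],
    "change_ticket_required": True,
}
# Same environment with three drifts: tapes unencrypted, short log retention,
# and a DBA who can also approve changes to the systems they administer.
WEAK = dict(HARDENED, tape_encryption=False, log_retention_days=90,
            change_approver_accounts=["cab1", "dba2"])

if __name__ == "__main__":
    print(report(HARDENED))
    print()
    print(report(WEAK))
```

The point of the roll-up is that a failing control shows up under every standard that depends on it: the log-retention drift in WEAK fails all six regimes in one go, while the tape-encryption gap only surfaces under the four standards tagged on that control. Adding a standard is then a matter of tagging existing controls rather than writing a new test suite.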
- 19. Cloud Security Alliance
To Assist Prospective Cloud Customers in Assessing the Overall
Security Risk of a Cloud Provider
Source: CSA Cloud Controls Matrix http://www.cloudsecurityalliance.org/cm.html
- 20. Services Address Security Needs &
Leverage Oracle Technology
Oracle Products:
• Audit Vault
• Transparent Data Encryption (TDE)
• Change Control Console
• Data Masking
• Adaptive Access Manager
• Configuration Management
Services built on them:
• HIPAA Security Services
• PCI Security Services
• Federal On Demand
• Enhanced Security Services
- 21. HIPAA Security Services
Advanced Service Offerings for Health Information
Value
• Designed to protect Customer’s electronic protected health information (ePHI) in environments managed by Oracle
• Assists the Customer to meet its legal obligations under HIPAA¹ as amended by the HITECH² Act
• Service Data Sheet
¹ Health Insurance Portability and Accountability Act of 1996
² Health Information Technology for Economic and Clinical Health Act of 2009
- 22. PCI Security Services
Advanced Service Offerings To Meet Payment Card Industry (PCI)
Data Security Standards (DSS)
Value
• Oracle On Demand is a Level 1 PCI Compliant Service Provider since 2006
• Oracle can reduce the time and cost associated with PCI compliance
• Customers can gain access to a complete solution using Oracle PCI Partners
• Service Data Sheet
- 23. Federal On Demand
Advanced Service Offerings For the US Federal Government
Value
• Designed to enable our customers to be compliant with federal legislative and executive mandates / directives
• Helping government run business operations more effectively, and at lower costs
• @Customer & @Partner options also available
• Service Data Sheet
- 24. Enhanced Security Services
Advanced Service Offerings to Meet Customer Compliance Needs
Value
• Supplements standard security services
• Facilitates customer’s compliance needs
• Advanced Services are “cafeteria style”
• Service Data Sheet
- 25. DR Solutions
Two Basic Requirements
Requirement 1 (Data Protection):
• Deliverable: Data (tape, disk, other media, or hot failover system)
• In the Event of a Disaster: Backup data needs to be shipped to the customer, a customer-specified site, or a recovery site
• Solution Cost Drivers: Amount of Data to be Protected; Frequency of Backup (RPO)
Requirement 2 (Service Recovery):
• Deliverable: Service back up, running & accessible, after a disaster
• In the Event of a Disaster: Backed-up data is used to bring the service back up on an alternate system at a distant site (note that this requires data protection as a prerequisite)
• Solution Cost Drivers: RTO | Service Capacity | Testing Frequency
- 26. Disaster Recovery Solutions
Standard Solutions
• Maximum Availability
• 24 hours/24 hours
• 3 days/3 days
• Austin Primary, RMDC Secondary
Custom Solutions
• 48 hours/48 hours
- 28. Looking Ahead
• Complex & Stealth Attack Vectors
• More & More Legislation Growing
• ‘Due Diligence’ High Water Mark Rising
• Increased Effort to Prove Compliance
• Commercial Hacking Gaining Ground
- 29. Final Thoughts
Leverage Oracle On Demand…
Expertise
Architecture
Technology
Demonstrated
Compliance
- 30. The preceding is intended to outline our general
product direction. It is intended for information
purposes only, and may not be incorporated into
any contract. It is not a commitment to deliver any
material, code, or functionality, and should not be
relied upon in making purchasing decisions. The
development, release, and timing of any features
or functionality described for Oracle's products
remains at the sole discretion of Oracle.