Oracle On Demand Cloud Services: Security Strategy Mitigates Risk and Enables Compliance
Gail Coury, Vice President, Global IT Risk Management
Changing Landscape
Copyright ©2011, Oracle. All rights reserved.
• Businesses are increasingly dependent on IT in order to deliver products and services
• Intellectual property and business records are becoming wholly electronic
• Business collaboration is driving a disappearing perimeter
• On demand computing requires anywhere & anytime access
• Stealth & targeted attacks challenge our defenses
• Information has value – hacking is profitable
More Data Than Ever…
[Chart: growth of the digital universe, 2009 to 2020]
• 35 Zettabytes (ZB = 1 Trillion Gigabytes)
• Expected growth by a factor of 44
• 62% increase over 2008
Source: IDC Digital Universe Study, May 2010
More Breaches Than Ever…
Once exposed, the data is out there – the bell can’t be un-rung
[Chart: Publicly Reported Data Breaches, total personally identifying information records exposed (millions), 2005 to 2010; cumulative growth: 1084% increase]
• Average cost of a data breach: $204 per record
• Average total cost exceeds $6.7 million per breach
Sources: http://datalossdb.org / 2009 Annual Study: US Cost of a Data Breach, Ponemon Institute, 2010
More Threats Than Ever…
• On average there are about 6,000,000 new botnet infections per month
• External breaches are largely the work of organized criminals
Sources: McAfee Threats Report: 3rd Quarter 2010 / 2010 Verizon Data Breach Investigations Report
More Regulations Than Ever…
• Federal, state, local, industry…adding more mandates every year!
– Health Information Technology for Economic and Clinical Health Act of 2009
– Massachusetts Law 201 CMR 17.00: Standards For The Protection Of Personal Information
• Need to meet AND demonstrate compliance
• Compliance costs are unsustainable
[Chart: Report and Audit; 90% of companies behind in compliance]
Source: IT Policy Compliance Group, 2007
More Demands Than Ever…
“In the future, policy makers and regulators will probably demand that IT systems capture more and better data in order to gain greater insight into and control over how banks manage risk, pharma companies manage drugs, and industrial companies affect the environment.
Successful CIOs should enhance their relationships with internal legal and corporate-affairs teams and be prepared to engage productively with regulators. They will need to seek solutions that meet government mandates at manageable cost and with minimal disruption.”
Source: McKinsey, 5 Trends that will Shape Business Technology in 2009
Regulators Demand More from IT
Cloud Service Adoption: Security Continues to be the #1 Concern
It could actually be a benefit…
Source: www.networkcomputing.com / IDC Survey: Risk In The Cloud, June 16, 2010
“So if you flip that apprehension on its head, there may be benefits in leveraging a cloud offering with the [security] focus and core competence that a cloud provider brings to the table.” – Michael Pearl, PricewaterhouseCoopers
Oracle On Demand: Security Strategy
IT SECURITY REQUIREMENTS
• People, Process & Technology
• Compliance services that can be leveraged
• Disaster recovery services to cover any requirement
• Security products to automate the work
BUSINESS BENEFITS
• Protect privacy
• Protect from intrusion & malicious acts
• Comply with regulatory requirements
• Avoid adverse legal consequences
• Assure business continuity
• Protect the valuation & reputation of your business
Oracle On Demand
Stack managed by Oracle On Demand: Operating System, Database, Middleware, Applications, Infrastructure
• Over 5.5 million users
• 89% of customers on most current releases
• Lower Risk
– Proven Best Practices
– Unparalleled Oracle Expertise
– Scalable, World Class Technology Platform and Infrastructure
Benefits of New Software Delivery Models, Minimizing Risk
Oracle On Demand: Protects Customer Data & Systems
Secure Infrastructure & Software Management Service
• Security Policies, Processes, Organization
• Audit & Compliance
• Security Products & Services
• Disaster Recovery
Oracle Security Organization
Oracle Security Oversight Committee
ORACLE CORPORATE SECURITY
• Security Architect
• Information Security
• Product Security
• Physical Security
LINES OF BUSINESS
• On Demand Risk Management
• Government Affairs
• Global Public Policy
• Product Support, Product Development, etc.
• Legal
• Security & Privacy Counsel
• Information Security Manager
Utilize International Security Standard
On Demand Follows the ISO 27000 Framework
• Security Organization
• Operations Management
• System Acquisition & Maintenance
• Security Policy
• Legal Compliance
• Human Resources Security
• Asset Management
• Physical & Environmental
• Security Incident Management
• Privileged Access Control
• Business Continuity & DR
Risk Management: Layered Defense in Depth
Layers: Technologies, Services, Governance, Strategy, Information Governance
Security Technologies
• Secure Web Gateways
• End User Security
• Intrusion Detection & Prevention
• File Integrity Monitoring using Change Control Console
• Full Disk and Tape Encryption
• Multi-Factor Authentication for Administrators
• Segregated Networks
• Power Broker for Privileged Management
• Network & Host Data Loss Prevention
• Security Configuration Monitoring using EM
Security Services
• Regular Scheduled Scanning of Hosts
• Automated Compliance Testing
• Real-time Security Event Correlation & Monitoring
Governance
• Auditing and Self-Assessment
• Business Continuity Planning & Testing
• Regulatory Compliance (SOX, PCI, HIPAA, Federal)
• Accessible Services
• Partner Security
• Governance, Risk & Compliance Documentation
Security Strategy
• Security Technical Design Reviews
• Security Technical Assessments
• Secure Configuration
Top 10 Practices to Improve IT Security
Organizations with the best outcomes prioritize their top 10 practices very differently from other organizations, and fully automate most of those practices:
1. Technical controls are mapped to IT policies, regulatory mandates & legal statutes.
2. Antivirus signatures are updated & applied frequently.
3. Roles and responsibilities of policy owners are defined & maintained.
4. Evidence about IT configurations and technical controls is gathered for evaluation & analysis.
5. Gaps in procedural controls are identified, remediated and tested on a regular basis.
6. Vulnerability scanning and penetration testing of IT assets is conducted on a regular basis.
7. IT assets and audit trails are monitored on a continuous basis.
8. IT assets and software service configurations are tested regularly.
9. Unauthorized access to IT assets is automatically detected or prevented using IT controls.
10. Lists of IT assets and configurations are maintained in central repositories for easy access & analysis.
Source: IT Policy Compliance Group
Leverage On Demand… Compliance Certifications
For Commercial Services
• ISO 27001 Certification
• ISO 27002 Certificate of Conformity
• SAS 70 Type II
• HIPAA Compliance
• Payment Card Industry (PCI): Compliant Level 1 Service Provider
• 21 CFR Part 11: Service Offering Under Development
Controls tested for the commercial certifications (as shown on the slide): 108 tested biannually; 112, 132, 217 and 64 tested annually
Department of Defense (DoD) and Agencies
• Federal Certification & Accreditation (C&A)
• NIST & DIACAP
• 700+ Controls Tested Annually
Common Controls Fulfill Multiple Requirements
Industry Standards/Regs (columns):
• ISO 27002
• SAS 70 (Public Firms)
• HIPAA (Health Care)
• PCI DSS (FSI, Retail)
• NIST (Federal Agencies)
• 21 CFR 11 (Life Sciences)
Process Controls (rows):
• Policy Development & Maintenance
• Asset Management
• Access Control & Mgmt
• HR Security Controls
• Change Control Procedures
• Segregation of Duties
• Cryptographic Controls
• Backup and Recovery
• Media Handling
• Monitoring, Auditing & Logging
Cloud Security Alliance: To Assist Prospective Cloud Customers in Assessing the Overall Security Risk of a Cloud Provider
Source: CSA Cloud Controls Matrix http://www.cloudsecurityalliance.org/cm.html
Services Address Security Needs & Leverage Oracle Technology
• HIPAA Security Services
• PCI Security Services
• Enhanced Security Services
• Federal On Demand
ORACLE PRODUCTS
• Audit Vault
• Transparent Data Encryption (TDE)
• Change Control Console
• Data Masking
• Adaptive Access Manager
• Configuration Management
HIPAA Security Services: Advanced Service Offerings for Health Information
Base Services
• Annual 3rd Party HIPAA compliance assessment
• Annual risk assessment
• Quarterly external vulnerability scan
• ePHI Network Topology Review
• Host-based Data Loss Prevention (HDLP)
• HIPAA trained support staff
Advanced Services
• Quarterly vulnerability scanning
• Database auditing in conjunction with Oracle Audit Vault
• Oracle Data Masking
• Oracle Transparent Database Encryption (TDE)
• Web Application Firewall
• Flat File Encryption
• Security Maintenance Program
• Annual penetration test
Value
• Designed to protect Customer’s electronic protected health information (ePHI) in environments managed by Oracle
• Assists the Customer to meet its legal obligations under HIPAA [1] as amended by the HITECH Act [2]
• Service Data Sheet
[1] Health Insurance Portability and Accountability Act of 1996
[2] Health Information Technology for Economic and Clinical Health Act of 2009
PCI Security Services: Advanced Service Offerings To Meet Payment Card Industry (PCI) Data Security Standards (DSS)
Base Services
• PCI DSS Controls
• PCI Self-Assessments
• Annual Security Assessment
• Quarterly Vulnerability Scans
• Quarterly PCI Scans
• Annual Penetration Scans
• Oracle Change Control Console
• Quarterly Firewall Policy Review
Advanced Services
• Annual Vulnerability Risks Report
• Web Application Firewall
• Web Application Security Assessments
• Quarterly Network Scans
• Dedicated Secure File Transfer Protocol (FTP)
• File Encryption Service
• Assessor (QSA) Partners
Value
• Oracle On Demand has been a Level 1 PCI Compliant Service Provider since 2006
• Oracle can reduce the time and cost associated with PCI compliance
• Customers can gain access to a complete solution using Oracle PCI Partners
• Service Data Sheet
Federal On Demand: Advanced Service Offerings For the US Federal Government
Value
• Designed to enable our customers to be compliant with federal legislative and executive mandates / directives
• Helping government run business operations more effectively, and at lower costs
• @Customer & @Partner options also available
• Service Data Sheet
For All Applications Managed @ Oracle
• Physical and Logical Isolation of Operations
• U.S. Citizen 24/7 Service Delivery
• Certification and Accreditation Methodologies
• Ongoing FISMA Security Measurements
• Public and Sensitive but Unclassified (SBU) Data
• Plan of Action and Milestones (POAM)
• Federal Information Processing Standards (FIPS) 140-2 Certified and Validated
Enhanced Security Services: Advanced Service Offerings to Meet Customer Compliance Needs
Base Services
• Quarterly Vulnerability Scans
• Quarterly Web Application Vulnerability Scans
• Annual Penetration Test
• Network Diagram
• Quarterly Firewall Policy Review
• Quarterly Network Device Configuration Review
• Quarterly Security Meetings
Advanced Services
• Oracle Adaptive Access Manager
• Oracle Audit Vault
• Oracle Data Masking
• Oracle Transparent Database Encryption (TDE)
• Web Application Firewall
• Flat File Encryption
• Oracle Change Control Console
• Security Maintenance Program
Value
• Supplements standard security services
• Facilitates customer’s compliance needs
• Advanced Services are “cafeteria style”
• Service Data Sheet
DR Solutions: Two Basic Requirements
Data Protection (“Make sure my data isn’t lost when my system/site is hit by a disaster”)
• Deliverable:
– Data (tape, disk, other media, or hot failover system)
• In the Event of a Disaster:
– Backup data needs to be shipped to the customer or a customer-specified site or a recovery-site
• Solution Cost Drivers:
– Amount of Data to be Protected
– Frequency of Backup (RPO)
Service Recovery (“Get me back in business after my system/site is hit by a disaster”)
• Deliverable:
– Service back up, running & accessible, after a disaster
• In the Event of a Disaster:
– Backed-up data is used to bring service back up on an alternate system at a distant site (note that this requires data protection as a prerequisite)
• Solution Cost Drivers:
– RTO | Service Capacity | Testing Frequency
Disaster Recovery Solutions
Rows: Data Protection / Service Recovery (as defined on the previous slide); columns: Standard Solutions / Custom Solutions
• Standard Solutions: Maximum Availability; 24 hours/24 hours; 3 days/3 days; Austin Primary, RMDC Secondary
• Custom Solutions: 48 hours/48 hours
Security Capabilities Summary: Protect Customer Data & Systems
IT SECURITY ENABLERS
• Processes built to support the ISO 27000 framework
• Automation to monitor, correlate, and alert
• Security health checks prior to and during deployment
• Encryption to protect the data
• Compliance services that can be leveraged
• Disaster recovery services to cover any requirement
• Use, host and manage Oracle security products
BUSINESS BENEFITS
• Protect privacy
• Protect from intrusion and malicious acts
• Comply with regulatory requirements
• Avoid adverse legal consequences
• Assure business continuity
• Protect the valuation and reputation of your company
Looking Ahead
Themes: THREATS, REGULATION, SECURITY BASELINE
• Complex & Stealth Attack Vectors Growing
• Commercial Hacking Gaining Ground
• ‘Due Diligence’ High Water Mark Rising
• More & More Legislation
• Increased Effort to Prove Compliance
Security baseline: Expertise, Architecture, Technology, Demonstrated Compliance
Final Thoughts: Leverage Oracle On Demand…
The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.