IT Security. What you don’t know will hurt you. ... Oracle Cloud – London – Feb 1-2 GRC Round Table, ...
TRANSCRIPT
Safeguard Digital Enterprise In Cloud & On Premise ™
Risk and Compliance Financial Reporting Internal Audit Process Controls Application Access Advanced Analytics
A Leader in Risk Based Enterprise Controls Management Solutions
Copyright ©. SafePaaS, Inc.
Discover hidden risks, use this insight to improve bottom line.
IT Security. What you don’t know will hurt you.
www.SafePaaS.com Page 2 Copyright © SafePaaS
IT Security. What you don’t know will hurt you.
Agenda
• Introductions
• Business Platform Risks
• Discovering Hidden Risk
• Actionable Analytics
• Closed Loop Remediation
• Case Study
• Q&A
SafePaaS Insight: Global Thought Leadership
• Oracle Cloud – London – Feb 1-2 GRC Round Table, London, UK
• Educational Webinar – Mar 23rd – Continuous Controls Monitoring
• Collaborate 17 – April 2-6 Las Vegas GRC Open House
• Oracle Modern Finance Experience – April 11-13 Boston – FEMSA Oracle Risk Cloud Case Study
• Educational Webinar – June 21st – Access Controls Monitoring for Multiple Business Systems
• Oracle Open World – October 1-5 – Moscone West, San Francisco, CA
• Gitex – October 8-12 – GRC Round Table, Dubai UAE
• Oracle UK Users Group – December – GRC Round Table, Birmingham, UK
• Oracle Connect Africa – October – GRC Round Table, South Africa
Proven Expertise
FulcrumWay Client Studies Successful Track Record
Government, Oil and Gas, Healthcare, Communications, Financial Services, Transportation, Natural Resources, Manufacturing, Retail, High Tech, Media/Entertainment, Life Sciences
Overview (MENTIS diagram; axes labelled What, Where, How)
• Discover accurately: data, code, users
• Monitor continuously: connections, statements, DB structure, code
• Mask seamlessly: static, dynamic (DB), dynamic (apps)
• Retire securely: tokenize, subset
• Protect effectively: DB firewall, authenticate
• Data: structured data, big data, unstructured data, cloud data, on-premise data
Recognition
• 19: total number of vendors in list
• 10: vendors with static, dynamic and redaction
• 4: vendors with all aspects of masking and most methods
Source: How Data Masking Is Evolving to Protect Data from Insiders and Outsiders, Gartner, 28 November 2016; Doc ID: G00309376

Vendor | Discovery | Masking | DDM Method
Dictionary Data Relationship SDM DDM Redaction Repository Proxy Application Client API
BlueTalon ✓ ✓ ✓ ✓ ✓ ✓ ✓
CA Technologies ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Camouflage ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Compuware ✓ ✓
Dataguise ✓ ✓ ✓ ✓ ✓ ✓ ✓
Delphix ✓ ✓ ✓ ✓ ✓
HexaTier ✓ ✓ ✓ ✓ ✓
HPE Security ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
IBM ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Informatica ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
IRI ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Mentis ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓
Microsoft ✓ ✓ ✓
Net2000 ✓
Oracle ✓ ✓ ✓ ✓ ✓ ✓ ✓
Privacy Analytics ✓ ✓ ✓ ✓
SecuPi ✓ ✓ ✓ ✓ ✓
Solix ✓ ✓ ✓ ✓
TCS ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

• Gartner 2008 – Cool Vendor
• Gartner 2012, Magic Quadrant – Visionary
• 2013 - 2016, MENTIS was named as Challenger in Gartner Magic Quadrant
• Gartner Market Guide: MENTIS is one of top four vendors (Feb 2017)
Recognition: Bloor Market Update, Feb 2017 (charts: Data Masking; Test Data Management; labels: Market Leading, Competition, What’s next?, Recommendation)
Source: Test Data Management Market Update February 2017
Source: Data Masking Market Update April 2017
Modern audit methods based on collaboration, content and analytics
Business Platform Risks: Growing IT Security Risks
"In 2017, the threat level to enterprise IT continues to be at very high levels, with daily accounts in the media of large breaches and attacks. As attackers improve their capabilities, enterprises must also improve their ability to protect access and protect from attacks," said Neil MacDonald, vice president, distinguished analyst and Gartner Fellow Emeritus. "Security and risk leaders must evaluate and engage with the latest technologies to protect against advanced attacks, better enable digital business transformation and embrace new computing styles such as cloud, mobile and DevOps."
Exploitation of known vulnerabilities poses a great threat to an organization’s security!
Business Platform Risks: SafePaaS IT Security Framework
Business Platform Risks: Sensitive Data Exposure

Centralized data initiatives
§ Companies are incorporating centralized data initiatives to enable analytics and reporting
§ This leads to increased exposure, necessitating securing of the data

Compliance & Regulations
§ New laws like GDPR in Europe, with greater scope and higher penalties, are driving the adoption of data masking and increased spend on data security and privacy
§ Stricter enforcement of existing regulation is a key driver

Cross border data sharing
§ Anonymization of sensitive data is a critical requirement for cross border data sharing and migration to the cloud
§ Data needs to freely cross the previously conceived thresholds that limit business potential

Data Breaches
§ Increased data breaches are driving the need for data security techniques like data masking
§ The number of data breach incidents increased by 7% from 2015 to 2016**

Data Explosion
§ Increasing amount of data that companies collect to run their business
§ Digital universe is doubling in size every two years, and by 2020 it will reach 44 zettabytes*

Emergence of Cloud Computing
§ Sensitive data needs to be protected from unnecessary internal exposure and from external service providers
§ Adoption of cloud computing pressures companies to rethink where they deploy computing and data resources

Source: *IDC, **Gemalto, Breach Level Index
Sensitive Data Footprint: Enterprise Sensitive Data Intelligence
1. What data is sensitive?
2. Where is your sensitive data?
3. How is sensitive data exposed?
4. Who has access?
HOW DO YOU ACHIEVE IT?
Data classifications, data locations, code, user access mechanisms
Pathways and Scorecard
• Dictionary: Find columns and tables for classification by comparing known table and column names against the data dictionary. + Relationships. Ex: look for columns called “NATIONAL_IDENTIFIER”.
• Pattern: Using pattern recognition, search for known patterns of sensitive data. Ex: NNNN-NNNN-NNNN-NNNN (where N is a number) when looking for credit cards.
• Exact data: To help eliminate false positives, compare discovered column data against known column data and entered data.
• Code: To further eliminate false positives, and to document columns that might not contain any data (say, key-value temp tables), review DB and application code. Ex: PL/SQL procedures.
• Validations: Validate data against rules to ensure that the data passes all known validations. Ex: Luhn method for credit cards; date-of-birth-based national identifier for South Africa.
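The dictionary, pattern and validation pathways above, combined into one column classifier. This is an added example, not code from the slides or from the MENTIS product; the name hints, sample values, 0.8 threshold and the 13-digit ID layout (YYMMDD first, Luhn check digit last) are assumptions.

```python
import re
from datetime import datetime

# Constructed dictionary of column-name hints (illustrative, not any product's list).
NAME_HINTS = {"NATIONAL_IDENTIFIER": "national_id", "CARD_NUMBER": "credit_card"}
PATTERNS = {
    "credit_card": re.compile(r"\d{4}-\d{4}-\d{4}-\d{4}"),  # NNNN-NNNN-NNNN-NNNN
    "national_id": re.compile(r"\d{13}"),  # assumed 13-digit South African ID
}

def luhn_ok(digits):
    """Luhn check: double every second digit from the right, sum, test mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def sa_id_ok(value):
    """Assumed layout: YYMMDD birth date first, Luhn check digit last."""
    try:
        datetime.strptime(value[:6], "%y%m%d")
    except ValueError:
        return False
    return luhn_ok(value)

VALIDATORS = {
    "credit_card": lambda v: luhn_ok(v.replace("-", "")),
    "national_id": sa_id_ok,
}

def classify_column(name, samples, threshold=0.8):
    """Combine dictionary, pattern and validation evidence for one column."""
    hinted = NAME_HINTS.get(name.upper())
    for cls, pattern in PATTERNS.items():
        evidence = ["dictionary"] if hinted == cls else []
        matched = [s for s in samples if pattern.fullmatch(s)]
        if matched:
            evidence.append("pattern")
        valid = [s for s in matched if VALIDATORS[cls](s)]
        if samples and len(valid) / len(samples) >= threshold:
            return {"class": cls, "evidence": evidence + ["validation"]}
        if hinted == cls and not samples:
            # Empty column flagged by name only: a candidate for code review.
            return {"class": cls, "evidence": evidence}
        if matched:
            # Matches the shape but fails validation: treat as a false positive.
            return {"class": None, "evidence": evidence}
    return {"class": None, "evidence": ["dictionary"] if hinted else []}
```

A column of order references shaped like card numbers comes back with `class: None` and only `pattern` evidence, which is the false-positive case the validation pathway is meant to remove.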
OBJECTIVE: FIND ALL SENSITIVE DATA (scorecard chart: easy to find, hard to find, very hard to find; categories: national identifier, credit card, names; values shown: 60, 80, 60; 33%, 50%, 17%)
MENTIS Discovery
Data and Privacy Impact
Data Classifications: results
→ Prioritize applications based on sensitive data held for data protection
→ Single screen to view ALL sensitive data locations in the Enterprise Data Landscape
→ Granular details such as who has access and how it is exposed
Actionable Analytics
Data Classification Results
Sensitive data associated with code
Users who access sensitive data.
The location of sensitive data found: owners, table names, column name, reason type, pattern, occurrence and row count, along with other details.
Reports
Our Approach: Automate The Protection (diagram labels)
• Discovery: Enterprise Sensitive Data Intelligence (data, code, users)
• Masking rules/templates: who, what, where, when
• Environments: production (DB access; pages, queries, reports), pre-prod/UAT/HRD (DB access; pages, queries, reports), non-production (train, test, intg, dev)
• Masking: Dynamic Data Masking, Blended Masking, Static Data Masking
Proactive Monitoring: Activity and Code Changes
(diagram labels: MENTIS discovery of data, code, users; decision & alert engine: who, what, how, where; production and non-production; APP1, APP2, APP3; user activity, code changes)

TYPICAL PROCESS
→ Code is reviewed on set interval
→ Any code that uses Sensitive Data is alerted on New or Update
→ User Activity is monitored for Connections & SQLs
→ Memory based

BENEFITS
→ Protections are embedded into the database
→ Monitoring inside the instance
→ Much better performance
→ Higher Security
→ No code-based weakness sent into Production
→ Preventative Control + Detective Control
Closed Loop Remediation: Continuously Monitors ALL Security Incidents
Closed Loop Remediation: Prevent, Mitigate and Remediate all IT Security Risks
(workflow diagram labels: Requestor Registration; Request Roles; Add/Update User; Add/Update Role; Monitor User Access; Employee/Manager List; Network User List (AD/IAM); Active Employee Users; 1. Test Access Policy; 2. Process Approval Request; iAccess Rules Manager Workflow (5 level); Requesters / Approvers; IS Security / Audit / Compliance; IS Security; Application Administrator; Rules Manager; DataProbe ETL; Dashboard; User Access Rules)
The Big Picture: SafePaaS
(platform diagram labels: MonitorPaaS; ProcessPaaS/DocumentPaaS; Operations Management; RiskPaaS; Risk Library; KRI Manager; Policy Manager; Process Definition; Workflow; Business Rules; Audit Manager; Audit Planner; Compliance Manager; Master Data Monitor; DataProbe Integration Services; Risk Assessments; AuditPaaS; Transaction Monitor; Configuration Monitor; Rules Repository; Access Monitor; SOD Policy Monitor; Roles Manager; AccessPaaS; iAccess Policy based provisioning; Issue Manager; Survey Manager; Enterprise Risk Management; Continuous Controls Monitoring; Financial Governance; Audit and Compliance Automation; IT Governance; Database Monitor)
Case Study: Client Examples, Fortune 50 Global Conglomerate

Background
• Company has presence in wide range of sectors such as oil & gas, Aviation, Digital, Healthcare, Power, etc.
• Audit team highlighted non-compliance as sensitive data was being copied into non production systems
• Implemented home-grown scripts and third party products with partial success

Challenges
• Find ALL sensitive data
• Superior discovery than implemented solutions
• Complex and hard to understand databases

Mentis solution
• iDiscover (Sensitive Data Discovery)
• iScramble (Static Data Masking)

Outcomes
• MENTIS found ALL sensitive data which was more than 10% of what SMEs had expected across all applications
• The MENTIS solution performed data discovery and masking in an SAP application where previously sensitive data discovery and masking were not done.
• Successful discovery and masking of 13 data classifications in SAP, PeopleSoft and custom applications
• In the process of creating MENTIS capabilities in their IT hub for enterprise wide roll out
• MENTIS well positioned for future data and application security requirements

Client Quote
“Mentis represents a major step forward in safeguarding sensitive information in Healthcare Global SAP non-productive systems. It allows flexible templates to be applied to mask sensitive data which can easily be incorporated into system refresh procedures”
Q&A IT Security. What you don’t know will hurt you.
Q & A: Sign-up for FREE 14 Days Evaluation
Register online to try out SafePaaS