Securing Citizen Facing Applications

Moderated by Timothy Davis, Oracle Enterprise Architect Board Member

Upload: edwinlorenzana

Post on 27-Jun-2015

DESCRIPTION

Open World Security Panel

TRANSCRIPT

Page 1: Securing Citizen Facing Applications

Securing Citizen Facing Applications

Moderated by Timothy Davis, Oracle Enterprise Architect Board Member

Page 2: Securing Citizen Facing Applications

Agenda

• Introductions – Security EA Panel and Topic Positioning

• 4 Compelling EA Security Issues

• Architect Response – Key Shareable Artifacts, Lessons Learned

• Audience – 10 minutes of Q & A

Page 3: Securing Citizen Facing Applications

Today’s Panel

Edwin Lorenzana, Enterprise Security Architect, City of Boston

Hayri Tarhan, Oracle Enterprise Security Specialist Architect

Timothy Davis, Oracle Enterprise Architect Board Member

Jeremy Forman, Oracle Enterprise Architect, CISSP Certified Professional

Marc Chanliau, Director, Identity Management Development

Page 4: Securing Citizen Facing Applications

What are Secure Citizen Facing Applications?

Page 5: Securing Citizen Facing Applications

It Adds Up

Citizens More Sophisticated … Higher Costs Than Ever…

Government 2.0

• Citizen Self Service

• Demand for Government Transparency

• Need for Citizen Context Across the Enterprise

• Sophistication of Attacks

• Stolen Credentials and Identities

• Compliance and Remediation Costs

• Security Breach Remediation Costs

Source: IT Policy Compliance Group, 2007.

Page 6: Securing Citizen Facing Applications

Data Breach

More breaches than ever…

Once exposed, the data is out there – the bell can’t be un-rung

[Chart: Publicly Reported Data Breaches, 2005–2008 – Total Personally Identifying Information Records Exposed (Millions); 630% Increase]

Source: DataLossDB, Ponemon Institute, 2009

Average cost of a data breach $202 per record. Average total cost exceeds $6.6 million per breach.

Page 7: Securing Citizen Facing Applications

More threats than ever…

70% of attacks originate inside the firewall. 90% of attacks are perpetrated by employees with privileged access.

Page 8: Securing Citizen Facing Applications

Issue #1: Are the business and application owners involved in the security decision making process? Or is it the technology organization?

[Diagram: IT Governance]

IT Governance: EMR/HIE; Service Level; Compliance; Financial Reporting; Compliance & Ethics Programs; Audit Management; Data Privacy; Records Retention; Legal Discovery; CJIS

Systems: Apps Server; Data Warehouse; Database; Mainframes; Mobile Devices; Enterprise Applications

Users: Legal; Taxation; HR; Public Safety; Partners; Citizens; Healthcare; EPA

Mandates: MFIPPA; FOIPPA; FDA; FISMA; NIST; HIPAA; PCI…; Patriot Act; SB1386

Globalization

Why? Today’s “New Normal” – Users, Systems, Globalization and Compliance Forced Complexity

Page 9: Securing Citizen Facing Applications

Copyright © 2008, Oracle and/or its affiliates. All rights reserved.

Security for Applications, Middleware, Data & Infrastructure – Comprehensive ‘Defense in Depth’ Approach

[Diagram: layers – Database & Infrastructure; Middleware; Applications]

• Monitoring and Configuration

• Enterprise Visibility

• Automated Controls

• Access to Business Services

• Lower Cost of User Lifecycle

• Data Protection and Privacy

• Virtualization

• Policy Enforcement

Page 10: Securing Citizen Facing Applications

Oracle Architect Development Process for Security Architecture

Phase / Input / Output

Architecture Vision
  Input: Regulations; Security Policies; Responsibilities
  Output: Architecture Checkpoints; Security Statements; Compliance Standards

Current State Architecture
  Input: Threat & Risk Analysis; Business Policies
  Output: Identified Risks; Information Classification

Future State Architecture
  Input: Identified Risks; List of Relevant Regulations; Information Classification
  Output: GRC Strategy; Security Reference Architecture; Data Governance Strategy

Strategic Roadmap
  Input: Security Reference Architecture; Data Governance Strategy
  Output: GRC Plan; Data Governance Plan; Validated Processes

EA Governance: Continuous Audit of Security – Design, Implementation, & Operations

Business Case: Identify Reusable Security Services; What can go wrong?

Page 11: Securing Citizen Facing Applications

Issue #2: Major issues around proofing and identifying citizens’ access to systems?

[Diagram: Virtual Attribute Authority]

Virtual Attribute Authority: Rules; Virtual Identities; Hierarchies, Mappings

Backing stores: Directories; Databases; Proprietary

Identity Attributes → Internal Apps; Applications

Page 12: Securing Citizen Facing Applications

Risk-based Access Control

• Device

• Geography

• Time

• Activity

Secure Mutual Authentication – Risk-Based Authorization – Risk Scoring

Issue #3: How can you meet FISMA’s different levels of authentication and identification?

Virtual Attribute Authority: Rules; Virtual Identities; Hierarchies, Mappings

NIST 800-63 2nd Factors: IP Address; Domain/Subnet; Browser Config; Location; Time…
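The two slides above list the signals a risk-based access control engine weighs (device, geography, time, activity, and the NIST 800-63 second-factor inputs such as IP address, domain/subnet and location) and the outcome it produces (a risk score that drives whether to allow, require a second factor, or refuse). The following is an added example, written for this page and not code from Oracle or the panel, that shows how those signals combine into a score and a step-up decision. The weights, thresholds, baseline, activity names and IP ranges are all constructed assumptions; the addresses come from the RFC 5737 documentation ranges.

```python
"""Risk-based access control scorer (constructed illustration, not product logic)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network, IPv6Network
from typing import List, Set, Tuple, Union

# Decision thresholds (assumptions chosen for this example).
STEP_UP_THRESHOLD = 40   # at or above: require a second factor before proceeding
DENY_THRESHOLD = 80      # at or above: refuse the request and raise an alert for review

# Weight of each risk signal (assumptions; a real deployment tunes these from data).
UNKNOWN_DEVICE = 30
UNUSUAL_GEOGRAPHY = 30
UNUSUAL_TIME = 15
UNTRUSTED_SUBNET = 10
ACTIVITY_WEIGHT = {            # sensitivity of the requested citizen transaction
    "view_notice": 0,
    "change_address": 25,
    "view_tax_record": 35,
    "update_bank_details": 50,
}
UNKNOWN_ACTIVITY_WEIGHT = 40   # unlisted activities are treated as sensitive by default


@dataclass
class UserBaseline:
    """What this citizen's previous successful sessions looked like."""
    known_device_ids: Set[str]
    usual_countries: Set[str]
    usual_hours: range                                   # local hours of day seen before
    trusted_subnets: List[Union[IPv4Network, IPv6Network]] = field(default_factory=list)


@dataclass
class AccessRequest:
    device_id: str
    country: str
    source_ip: str
    hour: int          # local hour of day, 0-23
    activity: str


def score_request(req: AccessRequest, baseline: UserBaseline) -> Tuple[int, List[str]]:
    """Add up the risk signals; return the score and the reasons that fired."""
    score, reasons = 0, []
    if req.device_id not in baseline.known_device_ids:
        score += UNKNOWN_DEVICE
        reasons.append("device not previously seen for this user")
    if req.country not in baseline.usual_countries:
        score += UNUSUAL_GEOGRAPHY
        reasons.append(f"geography {req.country} differs from usual")
    if req.hour not in baseline.usual_hours:
        score += UNUSUAL_TIME
        reasons.append(f"login at {req.hour:02d}:00 is outside usual hours")
    if baseline.trusted_subnets:
        addr = ip_address(req.source_ip)
        if not any(addr in net for net in baseline.trusted_subnets):
            score += UNTRUSTED_SUBNET
            reasons.append(f"source {req.source_ip} outside trusted subnets")
    weight = ACTIVITY_WEIGHT.get(req.activity, UNKNOWN_ACTIVITY_WEIGHT)
    if weight:
        score += weight
        reasons.append(f"activity {req.activity} is sensitive (+{weight})")
    return score, reasons


def decide(score: int) -> str:
    """Map a score to the authentication outcome."""
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def evaluate(req: AccessRequest, baseline: UserBaseline):
    """Convenience wrapper: (decision, score, reasons) for one request."""
    score, reasons = score_request(req, baseline)
    return decide(score), score, reasons


# Constructed baseline for one citizen; 203.0.113.0/24 is a documentation range (RFC 5737).
EXAMPLE_BASELINE = UserBaseline(
    known_device_ids={"dev-A1"},
    usual_countries={"US"},
    usual_hours=range(7, 22),
    trusted_subnets=[ip_network("203.0.113.0/24")],
)

if __name__ == "__main__":
    samples = [   # constructed requests: routine, new device, and clearly anomalous
        AccessRequest("dev-A1", "US", "203.0.113.5", 10, "view_notice"),
        AccessRequest("dev-Z9", "US", "203.0.113.5", 10, "change_address"),
        AccessRequest("dev-Z9", "RO", "198.51.100.7", 3, "view_tax_record"),
    ]
    for req in samples:
        decision, score, reasons = evaluate(req, EXAMPLE_BASELINE)
        print(f"{decision:8} score={score:3}  {'; '.join(reasons) or 'no risk signals'}")
```

The design point is that no single signal decides the outcome: a new device on a low-sensitivity action only raises the score, while the same device combined with unusual geography, time and a sensitive transaction crosses the deny threshold. The reasons list is what an operator needs in the audit trail to explain a step-up or refusal, and the thresholds are the knobs that map onto the different assurance levels the FISMA question asks about.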

Page 13: Securing Citizen Facing Applications

Issue #4: Is a centralized or decentralized approach to authentication and authorization the more feasible approach?

Identity Mgmt Future State Architecture

Page 14: Securing Citizen Facing Applications

To Learn More – Enterprise Architecture with Oracle

• People – Join our EA community – visit the Oracle Technology Network (OTN) Architect Center on oracle.com

– Blog with our architects at blogs.oracle.com

– Attend an Oracle EA Roundtable

• Process – Learn more about Oracle’s EA processes and technology best practices with our TOGAF-based architectural methodology

• Portfolio – Make use of EA resources: reference architectures, planning tools, information

Oracle Enterprise Architecture Framework

• Business Architecture

• Application Architecture

• Information Architecture

• Technology Architecture

• EA Repository

Page 15: Securing Citizen Facing Applications

Edwin Lorenzana

Hayri Tarhan

Jeremy Forman

Timothy Davis

Marc Chanliau

A final question to our panel:

Guidance to Security Architects?

Page 16: Securing Citizen Facing Applications

Questions & Answers

Page 17: Securing Citizen Facing Applications

Thank You