How a Protected Enterprise Reduces Risk and Liability
Mike Mull, CISSP, Solution Specialist, Oracle Protected Enterprise Group
Oracle Corporation
The Burden is Real
• 30,704: average hours a company will spend on Section 404 compliance (FEI)
• $5.1M: average cost of Sarbanes-Oxley compliance for a large U.S. company (Korn/Ferry)
• 10x: cost of compliance when taking a one-off rather than an integrated approach to compliance projects (Gartner)
• $11.5M: total HIPAA compliance costs for a payor (Gartner)
• $10.0M: fine against six securities firms for not producing e-mails for the SEC (General Counsel Roundtable)
• 125: non-frivolous lawsuits pending against a Fortune 500 company at any given time (Butler Group)
Issues & Concerns
• Intellectual capital
• Business risks
• Financial losses
• Employee & customer privacy
• Loss of customer trust
• Public image
• Litigation
• Asset protection
• Brand protection
• Compliance
Source: “Cybersecurity: It’s Dollars and Cents”, Business Week, 2/11/2005
Protected Enterprise
Business
• Address regulatory compliance
• Ensure privacy and accountability
• Reduce risk and liability
• Increase business agility
• Maintain operational effectiveness
Challenges
Continuity
• High Availability
• Disaster Recovery
• Continuous Operations
Information Security
• Identification (who)
• Access Controls (what)
• Auditing (where, when & how)
Applies to ALL applications across ALL industries
[Diagram: Integrated Security. Components: Single Sign-on, Single Console Administration, Business Continuity, Disaster Recovery, Data Security (At Rest, In Motion), Auditing and Access Management, Secure Channels]
Security Realms
• Policies and Processes
– Policy makers are not policy implementers or users
– Process documentation
• Product
– Buffer overflows
– Resolved by the vendor’s development teams
– Example: Oracle provides patches by e-mail blasts from MetaLink
• Configuration
– Database settings (*.ora)
– OS file settings
– Network setup
– The DoE/CIS Benchmark and Oracle Best Practices serve as a guide
• Implementation
– Technologies (VPD, Auditing, etc.)
– Design choices
Why is Security Hard?
• No system can be 100% secure
– Reality is risk mitigation, not risk avoidance
• Difficult to prove good security
– Bad security gets proven to/for us
• Good security and no security can look the same
– How does one know how secure they are?
• Many things to secure
– People, equipment, OS, network, application servers, applications, and databases
Password Policy Example
• Cannot be similar to the user’s name
• Cannot be easily guessable
• Must be at least 12 characters in length
• Contains upper and lower case characters
• Contains at least one special character
• Contains at least one number
• Rotated every 14 days
• Cannot be re-used for 5 years
My current password:
“This1is2Hard!”
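The rule set above, expressed the way an Oracle DBA would actually enforce it: a PASSWORD_VERIFY_FUNCTION for the content rules and a profile for rotation and re-use. This is an added example, not code from the deck. The function signature (username, password, old_password) RETURN BOOLEAN and the profile parameters are Oracle’s; the names strict_pw_verify and strict_users, the five-word denylist and the user SCOTT are assumptions. Run it as SYS, because a verify function must be owned by SYS.

```sql
-- Added example: the slide's password rules as an Oracle verify function + profile.
-- Function/profile names, the denylist and user SCOTT are assumptions; run as SYS.
CREATE OR REPLACE FUNCTION strict_pw_verify (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN IS
    TYPE word_list IS TABLE OF VARCHAR2(30);
    -- Constructed stand-in for "cannot be easily guessable"; a real list is far longer
    weak_words word_list := word_list('password', 'welcome', 'oracle', 'qwerty', 'letmein');
BEGIN
    IF LENGTH(password) < 12 THEN
        raise_application_error(-20001, 'Password must be at least 12 characters');
    END IF;
    -- "Cannot be similar to user's name": reject the user name anywhere in the password
    IF INSTR(UPPER(password), UPPER(username)) > 0 THEN
        raise_application_error(-20002, 'Password must not contain the user name');
    END IF;
    FOR i IN 1 .. weak_words.COUNT LOOP
        IF INSTR(LOWER(password), weak_words(i)) > 0 THEN
            raise_application_error(-20003, 'Password is too easy to guess');
        END IF;
    END LOOP;
    -- Character classes: upper, lower, digit, and one character that is none of those
    IF NOT REGEXP_LIKE(password, '[[:upper:]]')
       OR NOT REGEXP_LIKE(password, '[[:lower:]]')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]')
       OR NOT REGEXP_LIKE(password, '[^[:alnum:]]') THEN
        raise_application_error(-20004,
            'Password needs upper case, lower case, a digit and a special character');
    END IF;
    -- Same password again is caught here; the 5-year history is the profile's job
    IF old_password IS NOT NULL AND password = old_password THEN
        raise_application_error(-20005, 'New password must differ from the old one');
    END IF;
    RETURN TRUE;
END strict_pw_verify;
/

-- Rotation and re-use limits live in the profile, not in the function
CREATE PROFILE strict_users LIMIT
    PASSWORD_VERIFY_FUNCTION strict_pw_verify
    PASSWORD_LIFE_TIME       14      -- rotated every 14 days
    PASSWORD_GRACE_TIME      3       -- days of warning after expiry before logins are refused
    PASSWORD_REUSE_TIME      1825    -- 5 years (in days) before an old password may return ...
    PASSWORD_REUSE_MAX       1       -- ... and only if it has been changed at least once since
    FAILED_LOGIN_ATTEMPTS    5
    PASSWORD_LOCK_TIME       1/24;   -- one hour
ALTER USER scott PROFILE strict_users;
```

Note that the function cannot enforce the two time-based rules on its own: Oracle calls it only at password-change time, so “rotated every 14 days” and “not re-used for 5 years” must come from PASSWORD_LIFE_TIME and PASSWORD_REUSE_TIME/PASSWORD_REUSE_MAX. Oracle evaluates the two re-use parameters together; with an integer for both, a password can come back only after 1825 days and at least one intervening change.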
Balancing the Business
[Diagram: three competing factors, Usability, Performance and Security]
Need flexibility to adjust to the current situation
Best case: accommodate all requirements
Security Tenets
• Abide by the least-privilege principle
[Diagram: list of system privileges: Create Session, Alter Session, Drop Table, Create Table, Create Procedure, Create View, Create Sequence, Create Synonym]
The Challenge
Get the right data (securely) to the right people in a timely manner, in a way that maximizes usability, lowers administrative burdens, eases application development and maximizes security.
1. Applications need to know the user
2. Databases need to know the user
[Diagram labels: Data in transit, Identity Management, Database security and auditing]
Defense in Depth
• Identification and Identity Preservation – Proxy Authentication, Client Identifiers, Identity Management
• Element Level Protections – Database Encryption
• Fine-Grained Access Control – Row Level Security
• Accountability – Fine-Grained Auditing
Typical Authentication Architecture
1. Users authenticate to the middle tier
2. The middle tier connects to an (anonymous) application account through a connection pool
3. The database cannot apply proper access controls and auditing at the user level
Security cannot be based on anonymity!
[Diagram: many users of Application “A” share one pooled connection to the Oracle DB]
Identity Preservation – Proxy Authentication
1. Users authenticate to the middle tier
2. The middle tier proxies the user’s identity to the database
3. The database applies authorizations, access control, and auditing for the real end user
[Diagram: Blue User, Red User and Yellow User each reach the Oracle DB through the connection pool under their own identity]
Identity Preservation – Client Identifiers
• A database procedure is called by the application
• Client identifiers convey the user’s information to the DB
• The user information is used in access control decisions
• The value is automatically audited
[Diagram: the application tags each pooled session before calling the database, e.g. Set_Identifier(‘Yellow User’), Set_Identifier(‘Green User’)]
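What the two slides above (and the least-privilege tenet earlier) look like in the database, as an added example that is not code from the deck: a pooled account that can do nothing but connect, real users whose privileges come from a role, proxy authentication so the session carries the real user, and the client-identifier alternative for applications that cannot proxy. The account, role and table names (app_pool, blue_user, hr_reader, hr.employees) are assumptions; the statements themselves are standard Oracle SQL and DBMS_SESSION calls.

```sql
-- Added example: least privilege for the pooled account plus two ways to keep the real
-- user's identity in the database session. Account, role and table names are assumptions.

-- 1. The account the middle tier's pool logs in as: CREATE SESSION and nothing else
--    (no CREATE TABLE, DROP TABLE, CREATE PROCEDURE ... for an account every request shares)
CREATE USER app_pool IDENTIFIED BY "Pool#Secret1";     -- sample password
GRANT CREATE SESSION TO app_pool;

-- 2. Real end users get their privileges through a role, never through the pool account
CREATE ROLE hr_reader;
GRANT SELECT ON hr.employees TO hr_reader;
CREATE USER blue_user IDENTIFIED BY "Blue#Secret1";    -- sample password
GRANT CREATE SESSION, hr_reader TO blue_user;

-- 3. Proxy authentication: app_pool may open a session *as* blue_user once the middle tier
--    has authenticated that user, and only the hr_reader role is active in that session
ALTER USER blue_user GRANT CONNECT THROUGH app_pool WITH ROLE hr_reader;

-- Inside the proxied session the database knows both identities, so object privileges,
-- VPD policies and audit records all apply to BLUE_USER, not to the anonymous pool account
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS real_user,    -- BLUE_USER
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS pool_account  -- APP_POOL
FROM   dual;
AUDIT SELECT ON hr.employees BY ACCESS;   -- audit rows now name BLUE_USER, with the proxy session

-- 4. Client identifier: for an application that keeps one shared account, tag each request
--    with the end user before its SQL runs, and clear the tag before the connection goes
--    back to the pool. The value is visible in SYS_CONTEXT and recorded in audit trails.
BEGIN
    DBMS_SESSION.SET_IDENTIFIER('YELLOW_USER');
END;
/
SELECT SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') AS who FROM dual;   -- YELLOW_USER
BEGIN
    DBMS_SESSION.CLEAR_IDENTIFIER;
END;
/
```

The caveat a practitioner should keep in mind: the client identifier is set by the application, so it is only as trustworthy as the middle tier that sets it. It is an attribution and policy input, not authentication, and if the application forgets to clear it the next request on that pooled connection inherits the previous user’s tag. Proxy authentication is the stronger of the two, because the session really is the user’s and carries only the user’s own privileges.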
Core Identity Management Business Problems
• Privacy & Confidentiality
• Monitorability & Auditability
• Regulatory Compliance
• Personalized content
• Profile & preference self-service
• Quality of Service
• Simplify admin & helpdesk tasks
• Identity Lifecycle Management
• IT Cost and Complexity
• Consistent ID and security policy
• Quick enforcement of privilege updates
• Streamlined Security
• Efficient customer service
• Tighter supplier & partner relationships
• Globally Integrated E-Business
[Diagram: Identity Management stack. Identity Integration: Federated Directory, Meta-Directory, Directory. Identity & Access Management: Security Monitoring & Auditing, Secure Federation, SSO, Delegated Admin, Self Service, Policy Based Access Mgmt, Web Authorizations, Certificate Authority, Role Based Access Mgmt, Account Provisioning, Provisioning Workflow Automation]
Securing Cross-Organization Transactions
[Diagram: State Insurance Office intranet (Create New Policy, Check Rates, Client History), DMV History, Credit Check, Employment History, Independent Insurance Broker Inc. (broker web apps), Big Insurance Corp. (Create Policy)]
An example: an independent broker uses Big Insurance Co.’s Web application to issue a new insurance policy for a client.
Federated Identity Management: According to Burton Group…
“What is federated identity management?
– Agreements, standards, technologies that make identity and entitlements portable across autonomous domains
– Begins at home, within and between organizations
– Joined at the hip with Web services
– Will grow both in granularity and scale”
From Burton Group Catalyst Conference
Federated Identity
[Diagram: Company A: Portal exchanges XML with Company B: Technical Database Application]
• Company A’s users authenticate into A’s portal
• Company A uses SAML to send an identity “trusted ticket” to Company B’s application
• Company B’s systems accept the ticket and grant access to the Company A user, through the Company A portal
Web Services Security/Mgmt Concerns
• Security
– “We have many web services exposed to the internet now”
– “Only valid partners may access our web services”
• Exception Handling
– “Notify operations if a transaction stalls”
– “Send any incomplete orders to customer service for fixing”
• Compliance and Consistency
– “All customer orders must be encrypted with 128 bit keys”
– “All XML messages must follow this format”
• Service Level Monitoring
– “The order system must process transactions in under 2 seconds”
– “If uptime falls below 98% we owe contract penalties”
Needs for Web Services Management
• Without WSM, policy is hard-coded into each Web service
– The result is siloed, inconsistent security and management
– A change in enterprise standards means rework of every service
– Higher cost, more fragile, harder to change
– No unified insight into operations across services
• The goal is to decouple security and management policy from each individual service’s logic
Oracle WSM Components
[Diagram: Build Policies (Policy Manager), Enforce Policies (Policy Gateway, Policy Agents at each Web service), Monitor Policies (Monitor), over the Web services]
Encryption – Data at Rest
• Regulations that affect you
• Value of the data
• Be selective about what you encrypt
• Encryption “in transit” may be required
Stored Data Encryption
• Element level protections
• Selective encryption of sensitive data (e.g., SSNs, credit card #s, diagnosis)
• Makes interpreting the real data more difficult
DBMS_CRYPTO
• Encryption – AES128/192/256, 3DES, RC4, DES (DES, RC4, MD4 and MD5 are present for compatibility with existing data; do not choose them for new protection)
• Hashing – SHA1, MD5, MD4, HMAC
• CLOB, BLOB, and RAW support (no padding required: the package pads for you)
• On the horizon – transparent encryption
[Diagram: a sample table of names (Pattakos, Brown, Ellison, Nussbaum, Johnson, Duffy, Fitzgerald, Cho, Ang, Els, Garcia) with a numeric column (123, 973, 666) illustrating selective encryption of one sensitive column]
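Element-level encryption of one sensitive column with DBMS_CRYPTO, as an added example that is not code from the deck. It uses AES-256 in CBC mode with PKCS#5 padding (all DBMS_CRYPTO constants), generates a fresh random IV per value with DBMS_CRYPTO.RANDOMBYTES and stores it in front of the ciphertext. The schema HR, the package and table names, and the sample row are assumptions; get_key is a placeholder for a real key store (wallet or HSM) and the hard-coded key exists only so the block runs.

```sql
-- Added example: selective column encryption with DBMS_CRYPTO (AES-256, CBC, PKCS#5).
-- Schema HR, the package/table names and the row are assumptions; get_key is a placeholder.
-- As SYS, first: GRANT EXECUTE ON DBMS_CRYPTO TO hr;
CREATE OR REPLACE PACKAGE hr.pii_crypt AS
    FUNCTION encrypt_ssn(p_ssn IN VARCHAR2) RETURN RAW;
    FUNCTION decrypt_ssn(p_blob IN RAW) RETURN VARCHAR2;
END pii_crypt;
/
CREATE OR REPLACE PACKAGE BODY hr.pii_crypt AS
    c_mode CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                                 + DBMS_CRYPTO.CHAIN_CBC
                                 + DBMS_CRYPTO.PAD_PKCS5;

    FUNCTION get_key RETURN RAW IS
    BEGIN
        -- ASSUMPTION / placeholder only: a real implementation fetches the key from a
        -- wallet or HSM. The key must never be stored next to the data it protects.
        RETURN HEXTORAW('000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F');
    END get_key;

    FUNCTION encrypt_ssn(p_ssn IN VARCHAR2) RETURN RAW IS
        v_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);   -- fresh IV per value, never reused
    BEGIN
        RETURN UTL_RAW.CONCAT(
            v_iv,
            DBMS_CRYPTO.ENCRYPT(
                src => UTL_I18N.STRING_TO_RAW(p_ssn, 'AL32UTF8'),
                typ => c_mode,
                key => get_key,
                iv  => v_iv));
    END encrypt_ssn;

    FUNCTION decrypt_ssn(p_blob IN RAW) RETURN VARCHAR2 IS
        v_iv RAW(16)   := UTL_RAW.SUBSTR(p_blob, 1, 16);   -- IV is the first 16 bytes
        v_ct RAW(2000) := UTL_RAW.SUBSTR(p_blob, 17);      -- the rest is ciphertext
    BEGIN
        RETURN UTL_I18N.RAW_TO_CHAR(
            DBMS_CRYPTO.DECRYPT(src => v_ct, typ => c_mode, key => get_key, iv => v_iv),
            'AL32UTF8');
    END decrypt_ssn;
END pii_crypt;
/

-- Only the sensitive column is encrypted; id and name stay queryable in the clear
CREATE TABLE hr.patient (
    id      NUMBER PRIMARY KEY,
    name    VARCHAR2(60),
    ssn_enc RAW(64)    -- 16-byte IV + one 16-byte AES block for an 11-character SSN
);
INSERT INTO hr.patient VALUES (1, 'Cho', hr.pii_crypt.encrypt_ssn('123-45-6789'));  -- constructed
COMMIT;
SELECT name, hr.pii_crypt.decrypt_ssn(ssn_enc) AS ssn FROM hr.patient;
```

Two things the slide’s bullet list leaves implicit: CBC gives confidentiality only, so a value can be altered without detection unless you also store a DBMS_CRYPTO.MAC (HMAC) over IV and ciphertext and check it on decrypt; and EXECUTE on the package is effectively the decryption privilege, so grant it to the few accounts that need clear text rather than to the application role. An encrypted column can also no longer be indexed or searched by value, which is the practical side of “be selective about what you encrypt”.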
Label Based Access Control
• Record-level security based on security tags or labels
• Simple to understand
• Simple to convey
• Simple to audit/prove
Oil and Gas Services Company: multiple databases for secure access control
[Diagram: before, one database per customer (ExxonMobil, Chevron, BP Amoco, Conoco); after, a single database protected by Oracle Label Security serving all four]
Oracle Solution: Label Security. Centralized data, secure access, reduced cost
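The oil-and-gas consolidation above, and the “Fine-Grained Access Control – Row Level Security” item of the Defense in Depth list, worked through as an added example that is not code from the deck. The product the slide names is Oracle Label Security; this block shows the same idea (a tag on every row, a clearance per user) with the Virtual Private Database API, DBMS_RLS, so that the policy logic is visible. The schema GEO, both tables, the ANALYST_A/ANALYST_B accounts and the rows are assumptions and constructed sample data; the policy-function signature and DBMS_RLS.ADD_POLICY parameters are Oracle’s.

```sql
-- Added example: row-level security with DBMS_RLS (VPD). Schema GEO, tables, accounts and
-- rows are assumptions / constructed sample data.
CREATE TABLE geo.well_data (
    well_id  NUMBER PRIMARY KEY,
    operator VARCHAR2(30) NOT NULL,   -- the row's "label": which customer owns it
    depth_m  NUMBER
);
CREATE TABLE geo.operator_access (    -- the user's "clearance": which operators they may see
    db_user  VARCHAR2(30) NOT NULL,
    operator VARCHAR2(30) NOT NULL,
    CONSTRAINT operator_access_pk PRIMARY KEY (db_user, operator)
);
INSERT INTO geo.well_data VALUES (1, 'EXXONMOBIL', 3120);
INSERT INTO geo.well_data VALUES (2, 'CHEVRON',    2875);
INSERT INTO geo.well_data VALUES (3, 'CONOCO',     1990);
INSERT INTO geo.operator_access VALUES ('ANALYST_A', 'EXXONMOBIL');
INSERT INTO geo.operator_access VALUES ('ANALYST_A', 'CHEVRON');
INSERT INTO geo.operator_access VALUES ('ANALYST_B', 'CONOCO');
COMMIT;

-- Policy function: returns the WHERE clause the database appends to every statement on
-- well_data. It runs with GEO's rights, so it can read operator_access even when the
-- querying user has no privilege on that table.
CREATE OR REPLACE FUNCTION geo.well_data_predicate (
    p_schema IN VARCHAR2,
    p_object IN VARCHAR2
) RETURN VARCHAR2 IS
    v_who  VARCHAR2(128);
    v_list VARCHAR2(4000);
BEGIN
    IF SYS_CONTEXT('USERENV', 'SESSION_USER') = p_schema THEN
        RETURN NULL;   -- the owning schema is not restricted
    END IF;
    -- Identity: the client identifier when the application tags pooled sessions,
    -- otherwise the (possibly proxied) session user
    v_who := UPPER(NVL(SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'),
                       SYS_CONTEXT('USERENV', 'SESSION_USER')));
    FOR r IN (SELECT operator FROM geo.operator_access WHERE db_user = v_who) LOOP
        IF v_list IS NOT NULL THEN
            v_list := v_list || ',';
        END IF;
        v_list := v_list || '''' || REPLACE(r.operator, '''', '''''') || '''';
    END LOOP;
    IF v_list IS NULL THEN
        RETURN '1=0';  -- no grants at all: fail closed, zero rows
    END IF;
    RETURN 'operator IN (' || v_list || ')';
END well_data_predicate;
/
BEGIN
    DBMS_RLS.ADD_POLICY(
        object_schema   => 'GEO',
        object_name     => 'WELL_DATA',
        policy_name     => 'WELL_DATA_BY_OPERATOR',
        function_schema => 'GEO',
        policy_function => 'WELL_DATA_PREDICATE',
        statement_types => 'SELECT, INSERT, UPDATE, DELETE',
        update_check    => TRUE);  -- reject INSERT/UPDATE that would create a row the user cannot see
END;
/
-- Connected as ANALYST_A (or in a pooled session tagged ANALYST_A) this returns wells 1 and 2;
-- as ANALYST_B it returns well 3; as an account with no grants it returns nothing.
SELECT well_id, operator, depth_m FROM geo.well_data;
```

Because the predicate reads the client identifier, the same trust caveat as before applies: a middle tier that can set the identifier can choose which rows it sees, so the tier itself must be trusted and the identifier must be set from an authenticated value. Accounts holding EXEMPT ACCESS POLICY bypass every VPD policy, so that privilege belongs on the audited short list. The predicate is rebuilt dynamically, which is what lets one pooled connection serve different users on successive requests.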
Security Processes: Prevention, Detection and Response
• Prevention
– Authentication, Access Controls
• Detection and Response
– Database Auditing
– Audit by user, by object, by privilege
– Ensure that attempts to view, modify, or delete data by unauthorized persons are tracked
– Critical attempts should cause an immediate response
Fine-grained Auditing
[Diagram: SCOTT issues SELECT name, salary FROM emp WHERE name=‘KING’. The audit policy on EMP (AUDIT_CONDITION: NAME != USER, AUDIT_COLUMN = SALARY) matches, so an audit record (the statement text, timestamp, user id, etc.) is written to FGA_LOG$, an alert is sent, and Flashback Query can later show the data as it was read. A second statement, SELECT name, job, deptno FROM emp, does not touch SALARY and is not audited.]
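The policy in the diagram written out with DBMS_FGA, as an added example that is not code from the deck: audit only statements that reference SALARY for a row other than the user’s own, call an alert handler on every hit, then read the record back and use Flashback Query on the recorded SCN. The schema HR, the EMP and SECURITY_ALERTS tables, the handler name and the two rows are assumptions and constructed data; DBMS_FGA.ADD_POLICY, its parameters, the handler signature and DBA_FGA_AUDIT_TRAIL are Oracle’s.

```sql
-- Added example: the slide's audit policy with DBMS_FGA. Schema HR, the tables, the handler
-- and the rows are assumptions / constructed sample data.
CREATE TABLE hr.emp (
    name   VARCHAR2(30) PRIMARY KEY,
    job    VARCHAR2(20),
    deptno NUMBER,
    salary NUMBER
);
INSERT INTO hr.emp VALUES ('KING',  'PRESIDENT', 10, 5000);
INSERT INTO hr.emp VALUES ('SCOTT', 'ANALYST',   20, 3000);
CREATE TABLE hr.security_alerts (
    alerted_at TIMESTAMP,
    db_user    VARCHAR2(128),
    client_id  VARCHAR2(64),
    policy     VARCHAR2(30),
    obj        VARCHAR2(70)
);
COMMIT;

-- "Send Alert!": the database calls this procedure for every statement the policy matches.
-- Autonomous so the alert survives even if the caller's transaction is rolled back.
CREATE OR REPLACE PROCEDURE hr.salary_alert (
    object_schema IN VARCHAR2,
    object_name   IN VARCHAR2,
    policy_name   IN VARCHAR2
) IS
    PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
    -- Stand-in for a real notification (UTL_MAIL, an AQ queue, a SIEM hook)
    INSERT INTO hr.security_alerts
    VALUES (SYSTIMESTAMP,
            SYS_CONTEXT('USERENV', 'SESSION_USER'),
            SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'),
            policy_name,
            object_schema || '.' || object_name);
    COMMIT;
END salary_alert;
/

-- The policy from the slide: audit only when SALARY is referenced AND the row is not the
-- user's own. Any other statement against EMP leaves no record.
BEGIN
    DBMS_FGA.ADD_POLICY(
        object_schema   => 'HR',
        object_name     => 'EMP',
        policy_name     => 'SALARY_PEEK',
        audit_condition => 'NAME != USER',
        audit_column    => 'SALARY',
        handler_schema  => 'HR',
        handler_module  => 'SALARY_ALERT',
        enable          => TRUE,
        statement_types => 'SELECT, UPDATE');
END;
/

-- Run as SCOTT (who holds SELECT on hr.emp): the first statement is recorded in FGA_LOG$
-- and SALARY_ALERT fires; the second never references SALARY and is not audited.
SELECT name, salary FROM hr.emp WHERE name = 'KING';
SELECT name, job, deptno FROM hr.emp;

-- What the auditor sees (DBA_FGA_AUDIT_TRAIL is the dictionary view over FGA_LOG$)
SELECT db_user, client_id, timestamp, sql_text, scn
FROM   dba_fga_audit_trail
WHERE  policy_name = 'SALARY_PEEK';

-- Flashback Query at the recorded SCN shows exactly what SCOTT was able to read
SELECT name, salary FROM hr.emp AS OF SCN 1234567 WHERE name = 'KING';  -- placeholder SCN; use the audit row's
```

The handler runs synchronously inside the audited session, so keep it short and never let it raise: an exception in the handler fails the user’s statement, which turns a detection control into a denial of service. The condition is evaluated per row, so a full-table SELECT that includes SALARY is audited if any row other than the user’s own is returned, and a statement that reads only NAME and JOB is not, exactly as the diagram shows.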
What To Look for in a Vendor
• Look for a trusted business advisor
• An end-to-end solution provider
• Independent technical evaluations
• One with strong consulting offerings
Make Security a First-Class Citizen
• Security built in at design time
• Multi-layered implementation
• Proactively act to maintain a strong posture
• Mitigate the risks – don’t eliminate the risks
• Apply common sense before applying cool technology
• Consider the competing factors: balance performance and usability. Be practical