How a Protected Enterprise Reduces Risk and Liability
Mike Mull, CISSP, Solution Specialist, Oracle Protected Enterprise Group, Oracle Corporation
(Transcript of the slide deck.)

The Burden is Real
• 30,704: average hours a company will spend on Section 404 compliance (FEI)
• $5.1M: average cost of Sarbanes-Oxley compliance for a large U.S. company (Korn/Ferry)
• 10x: cost of compliance when taking a one-off rather than an integrated approach to compliance projects (Gartner)
• $11.5M: total HIPAA compliance costs for a payor (Gartner)
• $10.0M: fine against six securities firms for not producing e-mails for the SEC (General Counsel Roundtable)
• 125: non-frivolous lawsuits pending against a Fortune 500 company at any given time (Butler Group)

Issues & Concerns
• Intellectual capital
• Business risks
• Financial losses
• Employee & customer privacy
• Loss of customer trust
• Public image
• Litigation
• Asset protection
• Brand protection
• Compliance
Source: "Cybersecurity: It's Dollars and Cents", Business Week, 2/11/2005

Protected Enterprise
Business challenges:
• Address regulatory compliance
• Ensure privacy and accountability
• Reduce risk and liability
• Increase business agility
• Maintain operational effectiveness
Continuity:
• High availability
• Disaster recovery
• Continuous operations
Information security:
• Identification (who)
• Access controls (what)
• Auditing (where, when & how)
Applies to ALL applications across ALL industries

Integrated Security (figure)
• Single sign-on
• Single console administration
• Business continuity
• Disaster recovery
• Data security: at rest and in motion
• Auditing and access management
• Secure channels

Security is a System (figure)
Security is the product of four parts working together: policy and process, product, configuration, and implementation.

Security Realms
• Policies and processes
– Policy makers are not policy implementers or users
– Process documentation
• Product
– Buffer overflows
– Resolved by the vendor's development teams
– Example: Oracle provides patches by e-mail blasts from MetaLink
• Configuration
– Database settings (*.ora)
– OS file settings
– Network setup
– The DoE/CIS Benchmark and Oracle Best Practices serve as a guide
• Implementation
– Technologies (VPD, auditing, etc.)
– Design choices

Why is Security Hard?
• No system can be 100% secure
– Reality is risk mitigation, not risk avoidance
• Difficult to prove good security
– Bad security gets proven to/for us
• Good security and no security can look the same
– How does one know how secure they are?
• Many things to secure
– People, equipment, OS, network, application servers, applications, and databases

Password Policy Example
• Cannot be similar to the user's name
• Cannot be easily guessable
• Must be at least 12 characters in length
• Contains upper and lower case characters
• Contains at least one special character
• Contains at least one number
• Rotated every 14 days
• Cannot be re-used for 5 years
My current password: "This1is2Hard!"

Balancing the Business
(Figure: usability, performance and security pull against each other.)
Need flexibility to adjust to the current situation. Best case: accommodate all requirements.

Security Tenets
• Security has to be built in to the system, not bolted on afterwards
• Defense in depth
– Security in layers for higher assurance
• Be proactive
• Abide by the least-privilege principle
– (Figure: Oracle system privileges as the candidates to grant or withhold: Create Session, Alter Session, Drop Table, Create Table, Create Procedure, Create View, Create Sequence, Create Synonym)
• Not all products are created equal

The Challenge
Get the right data (securely) to the right people in a timely manner that maximizes usability, lowers administrative burdens, eases application development and maximizes security.
1. Applications need to know the user (identity management)
2. Databases need to know the user (database security and auditing)
(Figure: data in transit between the application and the database.)

Defense in Depth
• Identification and identity preservation
– Proxy authentication, client identifiers, identity management
• Element-level protections
– Database encryption
• Fine-grained access control
– Row-level security
• Accountability
– Fine-grained auditing

Typical Authentication Architecture
1. Users authenticate to the middle tier
2. The middle tier connects to the database through a connection pool as an (anonymous) application account
3. The database cannot apply proper access controls and auditing at the user level
Security cannot be based on anonymity!

Identity Preservation – Proxy Authentication
1. Users (Blue, Red, Yellow) authenticate to the middle tier
2. The middle tier proxies the user's identity to the database over the pooled connection
3. The database applies authorizations, access control, and auditing for the real end user

Identity Preservation – Client Identifiers
• The application calls a database procedure that sets the client identifier on the pooled session (Set_Identifier('Yellow User'), Set_Identifier('Green User'))
• Client identifiers convey the user's information to the DB
• The user information is used in access control decisions
• The value is automatically audited
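The two identity-preservation patterns above, as an added example in Oracle SQL and PL/SQL that is not part of the deck: a pool account permitted to proxy for a real user, a client identifier set on a shared session, and a Virtual Private Database (row-level security) policy that consumes whichever identity the session carries. The account names APP_POOL and BLUE_USER, the passwords, and the table HR.EMP with an OWNER_NAME column are assumptions made for the illustration.

```sql
-- Added example (not from the deck). APP_POOL, BLUE_USER, HR.EMP and its
-- OWNER_NAME column are assumed names used only for illustration.

-- 1. Pool account: least privilege, it only needs to open sessions.
CREATE USER app_pool IDENTIFIED BY "change_me_pool";
GRANT CREATE SESSION TO app_pool;

-- 2. Real end user, and permission for the pool account to proxy for her.
CREATE USER blue_user IDENTIFIED BY "change_me_blue";
GRANT CREATE SESSION TO blue_user;
GRANT SELECT ON hr.emp TO blue_user;
ALTER USER blue_user GRANT CONNECT THROUGH app_pool;

-- The middle tier opens the pooled connection as APP_POOL and switches it to
-- BLUE_USER (an OCI/JDBC proxy session, or "CONNECT app_pool[blue_user]/..."
-- in SQL*Plus). Inside that session the database sees both identities:
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_user,   -- APP_POOL
       SYS_CONTEXT('USERENV', 'SESSION_USER') AS session_user  -- BLUE_USER
FROM   dual;

-- 3. Client-identifier alternative: one shared account, tagged per request.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('Yellow User');   -- before the user's work
END;
/
BEGIN
  DBMS_SESSION.CLEAR_IDENTIFIER;                -- before returning to the pool
END;
/

-- 4. Row-level security that uses whichever identity the session carries.
CREATE OR REPLACE FUNCTION hr.emp_rls_policy (
  p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2
IS
BEGIN
  -- A bare pool session (no proxy user, no client identifier) is anonymous:
  -- refuse every row rather than fall back to the shared account's rights.
  IF SYS_CONTEXT('USERENV', 'PROXY_USER') IS NULL
     AND SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') IS NULL
     AND SYS_CONTEXT('USERENV', 'SESSION_USER') = 'APP_POOL' THEN
    RETURN '1 = 0';
  END IF;
  -- The predicate reads the identity through SYS_CONTEXT at execution time;
  -- nothing user-controlled is concatenated into the SQL text.
  RETURN 'UPPER(owner_name) = UPPER(NVL(SYS_CONTEXT(''USERENV'', ''CLIENT_IDENTIFIER''),'
      || ' SYS_CONTEXT(''USERENV'', ''SESSION_USER'')))';
END emp_rls_policy;
/

BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMP',
    policy_name     => 'EMP_OWN_ROWS',
    function_schema => 'HR',
    policy_function => 'EMP_RLS_POLICY',
    statement_types => 'SELECT,UPDATE,DELETE',
    update_check    => TRUE);   -- also block writes that would escape the predicate
END;
/

-- 5. Check: the standard audit trail records the client identifier and the
--    proxied session with every audited action, so the shared account no
--    longer hides who did what.
AUDIT SELECT ON hr.emp BY ACCESS;
SELECT username, proxy_sessionid, client_id, action_name, timestamp
FROM   dba_audit_trail
WHERE  obj_name = 'EMP'
ORDER  BY timestamp DESC;
```

The final query only returns rows when the instance has AUDIT_TRAIL set to DB (or DB,EXTENDED). The two patterns differ in what they cost: proxy authentication gives the database a real session user, so object grants, profiles and the standard audit trail all apply to the end user, whereas the client identifier is a tag the application sets and the database trusts, which is why the policy function refuses untagged pool sessions outright.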

Core Identity Management Business Problems
• Regulatory compliance: privacy & confidentiality; monitorability & auditability
• Quality of service: personalized content; profile & preference self-service
• IT cost and complexity: simplify admin & helpdesk tasks; identity lifecycle management
• Streamlined security: consistent ID and security policy; quick enforcement of privilege updates
• Globally integrated e-business: efficient customer service; tighter supplier & partner relationships

Identity Management Components (figure)
• Identity integration: federated directory, meta-directory, directory
• Identity & access management: security monitoring & auditing, secure federation, SSO, delegated admin, self service, policy-based access management, web authorizations, certificate authority, role-based access management, account provisioning, provisioning workflow automation

Securing Cross-Organization Transactions
(Figure: a broker working in Independent Insurance Broker Inc.'s web apps calls into Big Insurance Corp.'s office intranet to create a new policy, check rates and view client history; the carrier in turn draws on state DMV history, credit check and employment history services.)
An example: an independent broker uses Big Insurance Co.'s Web application to issue a new insurance policy for a client.

Federated Identity Management: According to Burton Group...
"What is federated identity management?
– Agreements, standards, technologies that make identity and entitlements portable across autonomous domains
– Begins at home, within and between organizations
– Joined at the hip with Web services
– Will grow both in granularity and scale"
From Burton Group Catalyst Conference

Federated Identity (figure)
1. Company A's users authenticate into A's portal
2. Company A uses SAML (XML) to send an identity "trusted ticket" to Company B's technical database application
3. Company B's systems accept the ticket and grant access to the Company A user, through the Company A portal

Web Services Security/Management Concerns
• Security
– "We have many web services exposed to the internet now"
– "Only valid partners may access our web services"
• Exception handling
– "Notify operations if a transaction stalls"
– "Send any incomplete orders to customer service for fixing"
• Compliance and consistency
– "All customer orders must be encrypted with 128 bit keys"
– "All XML messages must follow this format"
• Service level monitoring
– "The order system must process transactions in under 2 seconds"
– "If uptime falls below 98% we owe contract penalties"

Needs for Web Services Management
• Without WSM, policy is hard-coded into each Web Service
– Result is silo'd, inconsistent security and management
– A change in enterprise standards = rework of every service
– Higher cost, more fragile, harder to change
– No unified insight into operations across services
• The goal is to decouple security and management policy from each individual service's logic

Oracle WSM Components (figure)
• Build policies: Policy Manager
• Enforce policies: Policy Gateway, and Policy Agents in front of each Web Service
• Monitor policies: Monitor


Encryption – Data at Rest
• Regulations that affect you
• Value of data
• Be selective about what you encrypt
• Encryption "in transit" may be required
Stored data encryption
• Element-level protections
• Selective encryption of sensitive data (e.g., SSNs, credit card #s, diagnosis)
• Makes interpreting the real data more difficult
DBMS_CRYPTO
• Encryption: AES128/192/256, 3DES, RC4, DES
• Hashing: SHA1, MD5, MD4, HMAC
• CLOB, BLOB, and RAW support (no padding required)
• On the horizon: transparent encryption

(Figure: a sample table of names (Pattakos, Brown, Ellison, Nussbaum, Johnson, Duffy, Fitzgerald, Cho, Ang, Els, Garcia) illustrating selective encryption of one sensitive column while the rest stays in the clear.)
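Selective element-level encryption with DBMS_CRYPTO, as an added example that is not from the deck: one sensitive column (an SSN) is encrypted with AES-256 in CBC mode, a fresh random IV per value, and an HMAC tag checked before decryption so a tampered or truncated value is rejected rather than decrypted into garbage. Of the algorithms the slide lists, DES, RC4, MD4 and MD5 are legacy choices that should not be selected for new designs; the example uses AES-256 and HMAC-SHA1 (substitute HMAC_SH256 where the database version offers it). The package name CRYPTO_DEMO, the PATIENTS table and the two hard-coded keys are assumptions; key storage (wallet, HSM) is deliberately out of scope.

```sql
-- Added example (not from the deck). CRYPTO_DEMO, PATIENTS and the key
-- values are assumptions; real keys come from a wallet/HSM, never source code.

CREATE OR REPLACE PACKAGE crypto_demo AS
  FUNCTION encrypt_ssn (p_ssn  IN VARCHAR2) RETURN RAW;
  FUNCTION decrypt_ssn (p_blob IN RAW)      RETURN VARCHAR2;
END crypto_demo;
/

CREATE OR REPLACE PACKAGE BODY crypto_demo AS
  -- AES-256, CBC chaining, PKCS#5 padding: DBMS_CRYPTO pads for us.
  c_cipher  CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES256
                                  + DBMS_CRYPTO.CHAIN_CBC
                                  + DBMS_CRYPTO.PAD_PKCS5;
  c_iv_len  CONSTANT PLS_INTEGER := 16;   -- AES block size
  c_mac_len CONSTANT PLS_INTEGER := 20;   -- HMAC-SHA1 output length

  -- PLACEHOLDER keys (assumption): separate keys for encryption and MAC.
  FUNCTION enc_key RETURN RAW IS
  BEGIN
    RETURN HEXTORAW('000102030405060708090a0b0c0d0e0f'
                 || '101112131415161718191a1b1c1d1e1f');
  END;
  FUNCTION mac_key RETURN RAW IS
  BEGIN
    RETURN HEXTORAW('202122232425262728292a2b2c2d2e2f'
                 || '303132333435363738393a3b3c3d3e3f');
  END;

  FUNCTION encrypt_ssn (p_ssn IN VARCHAR2) RETURN RAW IS
    l_iv  RAW(16) := DBMS_CRYPTO.RANDOMBYTES(c_iv_len);   -- fresh IV per value
    l_ct  RAW(2000);
    l_mac RAW(20);
  BEGIN
    l_ct  := DBMS_CRYPTO.ENCRYPT(
               src => UTL_I18N.STRING_TO_RAW(p_ssn, 'AL32UTF8'),
               typ => c_cipher, key => enc_key, iv => l_iv);
    -- Encrypt-then-MAC over IV || ciphertext.
    l_mac := DBMS_CRYPTO.MAC(src => UTL_RAW.CONCAT(l_iv, l_ct),
                             typ => DBMS_CRYPTO.HMAC_SH1, key => mac_key);
    RETURN UTL_RAW.CONCAT(l_iv, l_ct, l_mac);   -- stored in one RAW column
  END encrypt_ssn;

  FUNCTION decrypt_ssn (p_blob IN RAW) RETURN VARCHAR2 IS
    l_len PLS_INTEGER := UTL_RAW.LENGTH(p_blob);
    l_iv  RAW(16);
    l_ct  RAW(2000);
    l_mac RAW(20);
  BEGIN
    -- Shortest valid value: IV + one padded block + tag.
    IF l_len < c_iv_len + 16 + c_mac_len THEN
      RAISE_APPLICATION_ERROR(-20001, 'ciphertext too short');
    END IF;
    l_iv  := UTL_RAW.SUBSTR(p_blob, 1, c_iv_len);
    l_ct  := UTL_RAW.SUBSTR(p_blob, c_iv_len + 1, l_len - c_iv_len - c_mac_len);
    l_mac := UTL_RAW.SUBSTR(p_blob, l_len - c_mac_len + 1, c_mac_len);
    -- Verify the tag before the ciphertext is touched (UTL_RAW.COMPARE is
    -- not constant-time; acceptable here because the key never leaves the DB).
    IF UTL_RAW.COMPARE(l_mac,
         DBMS_CRYPTO.MAC(UTL_RAW.CONCAT(l_iv, l_ct),
                         DBMS_CRYPTO.HMAC_SH1, mac_key)) <> 0 THEN
      RAISE_APPLICATION_ERROR(-20002, 'ciphertext failed integrity check');
    END IF;
    RETURN UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(l_ct, c_cipher, enc_key, l_iv), 'AL32UTF8');
  END decrypt_ssn;
END crypto_demo;
/

-- Usage: only the sensitive column is encrypted; NAME stays searchable.
-- INSERT INTO patients (name, ssn_enc)
--   VALUES ('Cho', crypto_demo.encrypt_ssn('123-45-6789'));
-- SELECT name, crypto_demo.decrypt_ssn(ssn_enc) FROM patients WHERE name = 'Cho';
```

Because each value carries its own random IV, two patients with the same SSN produce different ciphertext, and the stored RAW cannot be indexed or used in a WHERE clause; that is the usual reason to be selective about which columns get this treatment. The package owner needs EXECUTE on DBMS_CRYPTO, which SYS grants explicitly.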


Label Based Access Control
• Record-level security based on security tags or labels
• Simple to understand, simple to convey, simple to audit/prove

Oil and Gas Services Company: multiple databases for secure access control
• Before: a separate database per customer (ExxonMobil, Chevron, BP Amoco, Conoco) to keep each customer's data apart
• Oracle solution: Oracle Label Security. Centralized data, secure access, reduced cost
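The consolidation described above, as an added Oracle Label Security example that is not from the deck: the four customers become compartments of one policy, rows in a single table are labelled per customer, and each session's label determines which rows a query returns with no change to the query. The policy name WELL_DATA_POL, the SVC.WELL_LOGS table, the user names and the numeric tags are assumptions; the customer names are the ones on the slide.

```sql
-- Added example (not from the deck). WELL_DATA_POL, SVC.WELL_LOGS, the user
-- names and numeric tags are assumptions. Requires the Label Security option
-- and a session holding the LBAC_DBA role for the administrative calls.

-- 1. The policy adds a hidden label column to every table it protects.
BEGIN
  SA_SYSDBA.CREATE_POLICY(
    policy_name     => 'WELL_DATA_POL',
    column_name     => 'CUST_LABEL',
    default_options => 'READ_CONTROL,WRITE_CONTROL,HIDE');
END;
/

-- 2. One sensitivity level, and one compartment per customer.
BEGIN
  SA_COMPONENTS.CREATE_LEVEL('WELL_DATA_POL', 1000, 'C', 'CONFIDENTIAL');
  SA_COMPONENTS.CREATE_COMPARTMENT('WELL_DATA_POL', 10, 'XOM', 'EXXONMOBIL');
  SA_COMPONENTS.CREATE_COMPARTMENT('WELL_DATA_POL', 20, 'CVX', 'CHEVRON');
  SA_COMPONENTS.CREATE_COMPARTMENT('WELL_DATA_POL', 30, 'BP',  'BP AMOCO');
  SA_COMPONENTS.CREATE_COMPARTMENT('WELL_DATA_POL', 40, 'COP', 'CONOCO');
END;
/

-- 3. Data labels that rows may carry.
BEGIN
  SA_LABEL_ADMIN.CREATE_LABEL('WELL_DATA_POL', 1010, 'C:XOM');
  SA_LABEL_ADMIN.CREATE_LABEL('WELL_DATA_POL', 1020, 'C:CVX');
  SA_LABEL_ADMIN.CREATE_LABEL('WELL_DATA_POL', 1030, 'C:BP');
  SA_LABEL_ADMIN.CREATE_LABEL('WELL_DATA_POL', 1040, 'C:COP');
END;
/

-- 4. Apply the policy to the consolidated table.
BEGIN
  SA_POLICY_ADMIN.APPLY_TABLE_POLICY(
    policy_name   => 'WELL_DATA_POL',
    schema_name   => 'SVC',
    table_name    => 'WELL_LOGS',
    table_options => 'READ_CONTROL,WRITE_CONTROL');
END;
/

-- 5. A Chevron analyst reads only the Chevron compartment; a service-company
--    engineer supporting two accounts is cleared for both compartments.
BEGIN
  SA_USER_ADMIN.SET_USER_LABELS('WELL_DATA_POL', 'CVX_ANALYST',
                                max_read_label => 'C:CVX');
  SA_USER_ADMIN.SET_USER_LABELS('WELL_DATA_POL', 'SVC_ENGINEER',
                                max_read_label => 'C:XOM,COP');
END;
/

-- 6. Rows are labelled on insert. The same SELECT then returns different
--    rows for CVX_ANALYST and SVC_ENGINEER, and neither sees BP's data.
INSERT INTO svc.well_logs (well_id, depth_ft, cust_label)
VALUES (101, 8450, CHAR_TO_LABEL('WELL_DATA_POL', 'C:CVX'));

SELECT well_id, depth_ft, LABEL_TO_CHAR(cust_label) AS label
FROM   svc.well_logs;
```

The check that matters for the "simple to audit/prove" claim is that access is a property of the row label and the user's clearance, both visible in the data dictionary, rather than of application code paths: an auditor can compare SA_USER_ADMIN settings against the labels in the table without reading any application source.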


Security Processes: Prevention, Detection and Response
• Prevention
– Authentication, access controls
• Detection and response
– Database auditing
– Audit by user, by object, by privilege
– Ensure that attempts to view, modify, or delete data by unauthorized persons are tracked
– Critical attempts should cause immediate response

Fine-grained Auditing (figure)
Audit policy on EMP: AUDIT_CONDITION: NAME != USER; AUDIT_COLUMN = SALARY
• SCOTT runs "SELECT name, salary FROM emp WHERE name='KING'": the statement reads SALARY for a row other than his own, so an audit record (statement text, timestamp, user ID, etc.) is written to FGA_LOG$ and an alert is sent; the SCN stored with the record lets Flashback Query reproduce the data the statement returned
• "SELECT name, job, deptno FROM emp": not audited, because the SALARY column is never referenced
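The policy in the figure, as an added example that is not from the deck: the DBMS_FGA policy with the slide's condition and column, a handler that raises the alert, and the two queries that show what is and is not captured. The SEC schema, its ALERTS table and the SALARY_ALERT procedure are assumptions.

```sql
-- Added example (not from the deck). SEC.ALERTS and SEC.SALARY_ALERT are
-- assumed names; HR.EMP with NAME, SALARY, JOB and DEPTNO follows the figure.

CREATE TABLE sec.alerts (
  alert_time  TIMESTAMP,
  policy_name VARCHAR2(30),
  db_user     VARCHAR2(128),
  client_id   VARCHAR2(64),
  sql_text    VARCHAR2(4000));

-- Handler: called synchronously for every statement the policy catches.
CREATE OR REPLACE PROCEDURE sec.salary_alert (
  p_schema IN VARCHAR2, p_table IN VARCHAR2, p_policy IN VARCHAR2)
IS
  PRAGMA AUTONOMOUS_TRANSACTION;   -- the alert survives the auditee's rollback
BEGIN
  INSERT INTO sec.alerts
  VALUES (SYSTIMESTAMP, p_policy,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'),
          SYS_CONTEXT('USERENV', 'CURRENT_SQL'));   -- available inside an FGA handler
  COMMIT;
  -- A real deployment would page someone or forward to a SIEM from here.
END salary_alert;
/

-- Policy: audit any SELECT that reads SALARY for someone other than the reader.
-- Caveat: USER is the database session user. Behind a shared pool account,
-- compare NAME to SYS_CONTEXT('USERENV','CLIENT_IDENTIFIER') instead, or the
-- condition is true for every row and every reader.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'EMP',
    policy_name     => 'EMP_SALARY_PEEK',
    audit_condition => 'NAME != USER',
    audit_column    => 'SALARY',
    handler_schema  => 'SEC',
    handler_module  => 'SALARY_ALERT',
    enable          => TRUE,
    statement_types => 'SELECT');
END;
/

-- As SCOTT: audited (SALARY referenced, NAME != USER for the KING row).
SELECT name, salary FROM hr.emp WHERE name = 'KING';
-- As SCOTT: not audited (SALARY is never touched).
SELECT name, job, deptno FROM hr.emp;

-- The record FGA wrote, including the SCN at which the statement ran.
SELECT timestamp, db_user, client_id, sql_text, scn
FROM   dba_fga_audit_trail
WHERE  policy_name = 'EMP_SALARY_PEEK'
ORDER  BY timestamp DESC;

-- Flashback Query at that SCN reproduces exactly what SCOTT saw, even if
-- the row has changed since (bind the SCN taken from the audit row).
SELECT name, salary FROM hr.emp AS OF SCN :audit_scn WHERE name = 'KING';
```

Two details worth checking after deployment: the handler runs in the auditee's session, so an exception in it fails the audited statement (which is usually the desired fail-closed behaviour, but must be a deliberate choice), and the flashback replay only works while undo for that SCN is still retained, so the retention target should be set with the audit review cycle in mind.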

What To Look for in a Vendor
• Look for a trusted business advisor
• End-to-end solution provider
• Independent technical evaluations
• One with strong consulting offerings

Make Security a First-Class Citizen
• Security placed in at design
• Multi-layered implementation
• Proactively act to maintain a strong posture
• Mitigate the risks – don't eliminate the risks
• Apply common sense before applying cool technology
• Consider the competing factors: balance performance and usability. Be practical

Shameless plug for Boss
