Your data is your business: Secure it or Lose it!


Transcript of Your data is your business: Secure it or Lose it!

Page 1: Your data is your business: Secure it or Lose it!

Your data is your business... Secure it or lose it!

A Lunch & Learn webinar for IT Management

Brought to you by Performance Tuning Corporation, www.perftuning.com

Page 2:

Panelists

Mark Swanholm, Chief Strategy Officer, Performance Tuning Corporation, https://www.linkedin.com/in/mswanholm

Dan Morgan, Oracle ACE Director, Performance Tuning Corporation, https://www.linkedin.com/pub/dan-morgan/0/aa9/a5

Page 3:

Agenda

Introduction

Getting It Wrong

Selling FUD (fear, uncertainty, and doubt)

Solution Roadmap

Q&A

Conclusion

photo by Scott Schiller

Page 4:

• Founded in 1997

– Team spun out of Compaq Performance Lab

– Focused on solving the tough/complex and messy data architecture problems

– Very Senior team of EXPERTS

• Over 1000 clients & counting

• Key industries: Financial Services, Telecom, Oil & Gas, Healthcare

• Oracle Platinum Partner: Oracle Ace Director and Oracle Ace on staff

About PTC / Select Clients

• Database & Engineered Sys.

• Storage, Server and Network

• Consulting, Managed Services & Training

Focus on: High Performance Architectures

Page 5:

Introduction: Daniel Morgan

• Oracle ACE Director

• Wrote Oracle curriculum and primary program instructor at University of Washington

• Oracle consultant to Harvard University

• The Morgan behind Morgan's Library on the web, www.morganslibrary.org

• 10g, 11g, and 12c Beta tester

• Member: New York Oracle Users Group

• Retired chair Washington Software Assoc. Database SIG

• Co-Founder International GoldenGate Users Group

• Never an employee of Oracle Corp.

Page 6:

Page 7:

Source: http://xkcd.com/936/

Page 8:

Source: http://xkcd.com/538/

Page 9:

Getting It

Wrong!

photo by Miles Tsang

Page 10:

What's The Worst That Can Happen?

Source: http://www.reuters.com/article/2009/08/17/us-crime-identity-idUSTRE57G4GC20090817

Page 11:

What's The Worst That Can Happen?

Page 12:

What's The Worst That Can Happen?

Source: http://arstechnica.com/security/2014/12/iranian-hackers-used-visual-basic-malware-to-wipe-vegas-casinos-network/

Page 13:

What's The Worst That Can Happen?

Source: http://krebsonsecurity.com/2014/12/banks-card-breach-at-some-chick-fil-as/

Page 14:

What's The Worst That Can Happen?

Source: http://arstechnica.com/security/2014/07/wsj-website-hacked-data-offered-for-sale-for-1-bitcoin/

Page 15:

What's The Worst That Can Happen? The movie was a side show:

Source: http://arstechnica.com/security/2014/11/sony-pictures-hackers-release-list-of-stolen-corporate-files/

Page 16:

Why Is This Happening?

IT staff is untrained in security beyond a superficial level

They do not appreciate the real threat level

They do not have job-specific security training

They do not have sufficient time in their work-day to take on additional tasks

Page 17:

Misdirection and False Positives

Source: https://www.damballa.com/ponemon-institute-survey-the-cost-of-malware-containment/

Page 18:

Where Is Your Squeaky Wheel?

Have you validated last night's backup?

Reports are too slow

We need to have the new system online by next week

Has that bug been patched yet?

We need the new data warehouse online by Wednesday next week

No one can log into the HR system

Why does that system keep going down?

We are moving the QA systems to new hardware

Development needs another database refresh

There is a gap in our security, but so far no one has exploited it

Any warnings in the alert log?

Page 19:

FUD (Fear, Uncertainty & Doubt)

Page 20:

Sarbanes Oxley Act (SOX, SarbOx)

• Passed by Congress on January 23rd, 2002 and signed by President Bush on July 30th, 2002

Page 21:

HIPAA Requirements

• Gives patients access to their information and the ability to request changes

• Must restrict access to a patient's information by others

• Must restrict disclosure of protected information to minimum required for healthcare treatments & transitions

• Establish controls for access to records by researchers

• Assign a privacy officer that will administer the privacy policy programs and enforce compliance

• Maintain confidentiality, integrity and availability of healthcare information

Page 22:

Storage of Broker-Dealer Records

• Electronic records must be preserved exclusively in a non-rewritable and non-erasable format

• Broker-dealers may employ a storage system that prevents alteration or erasure of the records for their required retention period

Page 23:

FACTA Requirements

• Fair Credit Reporting Act

• Required as of June 1, 2005

• Requirements for consumer reporting agencies and users of consumer report

• Who must comply

– Mortgage brokers

– Automobile dealers

– Attorneys and private investigators

– Debt collectors

– Lenders

– Insurers

– Employers

– Landlords

– Government agencies

Page 24:

Gramm-Leach-Bliley Requirements (GLB)

• The FTC, the federal banking agencies, and the National Credit Union Administration (NCUA) have published final regulations to implement the new FACTA Disposal Rule.

• The FTC's disposal rule applies to consumer reporting agencies as well as individuals and any sized business that uses consumer reports

Page 25:

PCI Requirements

• Payment Card Industry Data Security Standard

• Required by September 2007 if your organization accepts credit cards

• The TJX Companies breach

– The TJX Companies Inc. breach is the largest known data theft to date. Hackers invaded the TJX systems, resulting in at least 45.7 million credit and debit card numbers stolen over an 18-month period, as well as stolen personal data, including the driver's license numbers of another 455,000 customers who returned merchandise without receipts.

Page 26:

PIPEDA Requirements

• [Canada] A multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures

Page 27:

Basel II Requirements

• [EU] To be in compliance with Basel II, a banking institution must deliver appropriate reporting of operational risk exposures and loss data to its board of directors and senior management. These reports must:

– Address both company-wide and line of business results

– Summarize operational risk exposure, loss experience, relevant business environment and internal control assessments

– Identify and assess the operational risk inherent in all material products, activities, processes and systems

Page 28:

Expanding Regulatory Requirements

AMERICAS

• HIPAA

• FDA CFR 21 Part 11

• OMB Circular A-123

• SEC and DoD Records Retention

• USA PATRIOT Act

• Gramm-Leach-Bliley Act

• Federal Sentencing Guidelines

• Foreign Corrupt Practices Act

• Market Instruments 52 (Canada)

EMEA

• EU Privacy Directives

• UK Companies Law

• Restriction of Hazardous Substances (ROHS/WEE)

APAC

• J-SOX (Japan)

• CLERP 9: Audit Reform and Corporate Disclosure Act (Australia)

• Stock Exchange of Thailand Code on Corporate Governance

GLOBAL

• International Accounting Standards

• Basel II (Global Banking)

• OECD Guidelines on Corporate Governance

Page 29:

The US Is An Unsafe Harbor

Brussels, 17 August 2007, ARTICLE 29 DATA PROTECTION WORKING PARTY

Following the conclusion of the new long-term PNR agreement between the EU and the US, the Art. 29 Data Protection Working Party has issued today an opinion analyzing the privacy impact of the transfer of passenger data to the US on fundamental rights and freedoms and in particular the passengers' rights to data protection. The opinion concludes that the safeguards of the new agreement are markedly lower than those of the previous deal and serious questions and shortcomings remain unaddressed. The level of data protection of the new agreement must be considered unsatisfactory.

Accepted data protection standards such as those enshrined in Convention 108 of the Council of Europe or the EU Data Protection Directive are not fully respected.

Page 30:

What They Have In Common

• Establish information security programs to assess and control risks

• Protect against any anticipated threats or hazards to the security or integrity of records

• Protect against unauthorized access or use that could result in harm or inconvenience to any customer

• Install access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals as well as prevent employees from providing

• Document disposal procedures

Page 31:

The Cost

A study conducted by Ponemon Institute estimates an average cost of $14 million per security breach incident, with costs ranging as high as $50 million

Page 32:

Solution Roadmap

Page 33:

Goals Don't Always Align

What Management Wants

• Know who did what and when

• Know who accessed what data, both generally and under specified conditions

• Protect the audit trail from tampering and be able to prove it is authentic

• Adequately guard against security threats without choking the business

What Auditors Want

• Separation of duties

• Reporting

• Notification

• Proven audit data integrity

What IT Wants

• Performance and scalability

• Minimal constraints while getting the job done

• Evenings and weekends off

Page 34:

Process? A Good First Step

• Most regulatory frameworks require a detailed, documented process or "controls"

– Most companies have these processes in place, but have not done a comprehensive review of how these impact the overall security of the company

– Gaps between processes are the perfect spot for hackers, corporate espionage and other threats to grow

• An overall security audit needs to be conducted

– This needs to be revisited at least annually

• Once an audit is complete, processes should be reviewed and updated

– Consider using a governance framework as a starting point

– Process change is often the hardest and longest change a company can undertake

Page 35:

Governance, Risk, and Compliance (GRC)

Governance

• Set and evaluate performance against objectives

• Authorize business strategy & model to achieve objectives

Risk Management

• Identify, assess, and address potential obstacles to achieving objectives

• Identify / address violation of mandated and voluntary boundaries

Culture

• Establish organizational climate and mindset that promote trust, integrity, & accountability

Compliance

• Encourage / require compliance with established policies and boundaries

• Detect non-compliance and respond accordingly

Page 36:

COSO Cube & Compliance Model

Monitoring

• Continuous Exception Detection & Monitoring

• Periodic Reports and Attestations

Event Identification

• Exception thresholds

Risk Assessment

• Model risk assessment around resources with sensitive data – financial, ePHI, NPI

• Electronic Transactions

• Application, Application Server, DB, OS

• Predictive Risk Analysis

Information & Communication

• Approval Workflows

• Attestation Workflows

• Exception Notifications

• Delegated Administration

• Automated Provisioning

• Password Reset

Risk Response

• Corrective Workflows

Control Activities

• Entitlement Policies: RBAC, ABAC, SoD

• Strong Authentication

• Exception Detection & Remediation

• Employee termination

• Policy Retrofits & Revocations

Page 37:

What's Most Important: Getting to Secure

• Process change will take time

• Threats won't wait for you to get your entire company aligned

• Some (obvious) things can be done immediately

– You'd be surprised how often they aren't

photo by Scott Schiller

Page 38:

Getting to Secure: Step 1 – Identify Value

• What do we have that is of value?

• Prioritize the valuables ... determine what needs to be secured first from the standpoint of risk to your organization and customers

• Identify the vectors ... what threats exist in the wild that could put our valuables at risk?

photo by Scott Schiller

Page 39:

Getting to Secure: Step 2 – Evaluate Risks

• Determine what risks have been mitigated ... through an outside, independent, audit

• Determine what risks need to be addressed

• Obtain both internal and external assessments of how to most cost-effectively mitigate remaining threats

photo by Scott Schiller

Page 40:

Getting to Secure: Step 3 – Acquire Resources

• Locate resources to address the priority risks

• Based on a careful balancing of risks and costs build a plan and get the budget approved

• Put actions into your 2015 plan

photo by Scott Schiller

Page 41:

Getting to Secure

Are You As Secure As You Think?

Page 42:

Firewall Rules: Application Access

HTTP & HTTPS allowed from outside "specific networks" to XXX 192.168.1.247

set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match source-address HSC_PUBLIC 157.142.0.0/16
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match source-address HSC_PRIVATE_SPACE 10.64.0.0/10
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match application junos-http
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 then permit

Page 43:

Firewall Rules: Database Access

ICMP allowed from outside to the Business-Data zone

set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match source-address any
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match destination-address any
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match application junos-ping
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping then permit
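As an added example (not from the webinar or from PTC), a small Python audit that parses set-style policy lines like the ones on these two slides and flags the patterns the speaker is pointing at: a permit from UNTRUST with source or destination "any", a permit from UNTRUST straight into the data zone, and private address space matched on the untrusted side. The sample lines are constructed to mirror the slides; the address-book names, the data-zone list and the destination entry on the HTTP policy are assumptions.

```python
"""Audit Junos-style 'set security policies' lines for over-permissive patterns.
Added example; sample input is constructed to mirror the two firewall slides."""
import re
from collections import defaultdict

# Constructed sample input (not a real config). The destination-address line for
# UN-BA-443 is assumed; the slide only showed the target as "XXX 192.168.1.247".
SAMPLE_CONFIG = """
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match source-address HSC_PUBLIC
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match source-address HSC_PRIVATE_SPACE
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match destination-address BUSINESS-APP-SERVER
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match application junos-http
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 then permit
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match source-address any
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match destination-address any
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match application junos-ping
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping then permit
"""

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (source-address|destination-address|application) (\S+)|then (\S+))$")

# Assumed: zones holding the database tier, and address-book names that are private space.
DATA_ZONES = {"Business-Data"}
PRIVATE_BOOK = {"HSC_PRIVATE_SPACE"}

def parse_policies(text):
    """Group set-lines by (from-zone, to-zone, name) into match sets plus the action."""
    pols = defaultdict(lambda: {"source": set(), "destination": set(),
                                "application": set(), "action": None})
    for line in text.strip().splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue  # not a policy line; ignored
        frm, to, name, field, value, action = m.groups()
        pol = pols[(frm, to, name)]
        if action:
            pol["action"] = action
        else:
            pol[field.split("-")[0]].add(value)  # 'source', 'destination' or 'application'
    return pols

def audit(pols):
    """Return (policy name, finding) pairs for permit policies entering from UNTRUST."""
    findings = []
    for (frm, to, name), pol in pols.items():
        if pol["action"] != "permit" or frm != "UNTRUST":
            continue
        if "any" in pol["source"]:
            findings.append((name, "source-address any from UNTRUST"))
        if "any" in pol["destination"]:
            findings.append((name, "destination-address any in zone " + to))
        if to in DATA_ZONES:
            findings.append((name, "UNTRUST permitted directly into data zone " + to))
        if pol["source"] & PRIVATE_BOOK:
            findings.append((name, "private address space matched on the UNTRUST side"))
    return findings
```

Run `audit(parse_policies(SAMPLE_CONFIG))` against the sample: the ping policy trips three checks and the HTTP policy one, which is the "are you as secure as you think" point the slides make.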

Page 44:

Getting to Secure

Low Hanging Fruit

Page 45:

What Objects Must Be Secured?

• Segment data

– Tables and indexes containing sensitive data

• which tables ... which columns ... what do they contain?

– Views that expose sensitive data

• Backup Files

• Redo logs

• Archived redo logs

• Operating system files

• Development, Test, and Staging Systems

Page 46:

What Infrastructure Must Be Secured?

• Primary Databases

• Standby Databases at DR Sites

• Web and Application Servers

• Storage Arrays

• Network Communications

• Data Centers

• Backup Tape Storage

Page 47:

WRAP-UP

Page 48:

Conclusions

• Internal and external threats are multiplying – and getting more sophisticated

• Ignoring security can be extremely costly – it can cost your job or even put your company out of business

• Security happens within an array of regulations and guidelines – that complicate how you approach the task

• You need governance for the long term – but you shouldn’t wait for that process to be complete, the stakes are too high!

• Most companies don’t understand security – and even those that do need a second opinion to make sure they haven’t missed something.

…Get HELP!

Page 49:

Any Questions?

Page 50:

Thank you!

EXPERTS

Expert Data Services team with deep performance tuning and Oracle technology backgrounds.

More info:

www.perftuning.com

[email protected]

@perftuning