Your data is your business: Secure it or Lose it!
Your data is your business... Secure it or lose it!
A Lunch & Learn webinar for IT Management
Brought to you by Performance Tuning Corporation, www.perftuning.com
Panelists
Mark Swanholm, Chief Strategy Officer, Performance Tuning Corporation, https://www.linkedin.com/in/mswanholm
Dan Morgan, Oracle ACE Director, Performance Tuning Corporation, https://www.linkedin.com/pub/dan-morgan/0/aa9/a5
Agenda
Introduction
Getting It Wrong
Selling FUD(fear, uncertainty, and doubt)
Solution Roadmap
Q&A
Conclusion
photo by Scott Schiller
About PTC
• Founded in 1997
– Team spun out of Compaq Performance Lab
– Focused on solving the tough, complex and messy data architecture problems
– Very senior team of experts
• Over 1000 clients & counting
• Key industries: Financial Services, Telecom, Oil & Gas, Healthcare
• Oracle Platinum Partner: Oracle ACE Director and Oracle ACE on staff
Select Clients
• Database & Engineered Systems
• Storage, Server and Network
• Consulting, Managed Services & Training
Focus on: High Performance Architectures
Introduction: Daniel Morgan
• Oracle ACE Director
• Wrote Oracle curriculum and primary program instructor at University of Washington
• Oracle consultant to Harvard University
• The Morgan behind Morgan's Library on the web, www.morganslibrary.org
• 10g, 11g, and 12c Beta tester
• Member: New York Oracle Users Group
• Retired chair Washington Software Assoc. Database SIG
• Co-Founder International GoldenGate Users Group
• Never an employee of Oracle Corp.
Source: http://xkcd.com/936/
Source: http://xkcd.com/538/
Getting It Wrong!
photo by Miles Tsang
What's The Worst That Can Happen?
Source: http://www.reuters.com/article/2009/08/17/us-crime-identity-idUSTRE57G4GC20090817
Source: http://arstechnica.com/security/2014/12/iranian-hackers-used-visual-basic-malware-to-wipe-vegas-casinos-network/
Source: http://krebsonsecurity.com/2014/12/banks-card-breach-at-some-chick-fil-as/
Source: http://arstechnica.com/security/2014/07/wsj-website-hacked-data-offered-for-sale-for-1-bitcoin/
The movie was a side show:
Source: http://arstechnica.com/security/2014/11/sony-pictures-hackers-release-list-of-stolen-corporate-files/
Why Is This Happening?
IT staff are untrained in security beyond a superficial level
They do not appreciate the real threat level
They do not have job-specific security training
They do not have sufficient time in their work-day to take on additional tasks
Misdirection and False Positives
Source: https://www.damballa.com/ponemon-institute-survey-the-cost-of-malware-containment/
Where Is Your Squeaky Wheel?
• Have you validated last night's backup?
• Reports are too slow
• We need to have the new system online by next week
• Has that bug been patched yet?
• We need the new data warehouse online by Wednesday next week
• No one can log into the HR system
• Why does that system keep going down?
• We are moving the QA systems to new hardware
• Development needs another database refresh
• There is a gap in our security, but so far no one has exploited it
• Any warnings in the alert log?
FUD (Fear, Uncertainty & Doubt)
Sarbanes Oxley Act (SOX, SarbOx)
• Passed by Congress in July 2002 and signed into law by President Bush on July 30th, 2002
HIPAA Requirements
• Gives patients access to their information and ability to request change
• Must restrict others' access to a patient's information
• Must restrict disclosure of protected information to the minimum necessary for healthcare treatment and transactions
• Establish controls for access to records by researchers
• Assign a privacy officer that will administer the privacy policy programs and enforce compliance
• Maintain confidentiality, integrity and availability of healthcare information
Storage of Broker-Dealer Records
• Electronic records must be preserved exclusively in a non-rewriteable and non-erasable format
• Broker-dealers may employ a storage system that prevents alteration or erasure of the records for their required retention period
FACTA Requirements
• Fair and Accurate Credit Transactions Act (2003), which amends the Fair Credit Reporting Act
• Disposal Rule required as of June 1, 2005
• Requirements for consumer reporting agencies and users of consumer reports
• Who must comply:
– Mortgage brokers
– Automobile dealers
– Attorneys and private investigators
– Debt collectors
– Lenders
– Insurers
– Employers
– Landlords
– Government agencies
Gramm-Leach-Bliley (GLB) and the FACTA Disposal Rule
• The FTC, the federal banking agencies, and the National Credit Union Administration (NCUA) have published final regulations to implement the new FACTA Disposal Rule.
• The FTC's disposal rule applies to consumer reporting agencies as well as individuals and any sized business that uses consumer reports
PCI Requirements
• Payment Card Industry Data Security Standard
• Required by September 2007 if your organization accepts credit cards
• The TJX Companies breach
– When disclosed in 2007, the TJX Companies Inc. breach was the largest known data theft. Hackers invaded the TJX systems and stole at least 45.7 million credit and debit card numbers over an 18-month period, as well as personal data, including driver's license numbers, of another 455,000 customers who had returned merchandise without receipts
PIPEDA Requirements
• [Canada] Personal Information Protection and Electronic Documents Act: governs how private-sector organizations collect, use and disclose personal information, and requires safeguards (physical, organizational and technical) appropriate to the sensitivity of the information
Basel II Requirements
• [Global] To be in compliance with Basel II, a banking institution must deliver appropriate reporting of operational risk exposures and loss data to its board of directors and senior management. These reports must:
– Address both company-wide and line-of-business results
– Summarize operational risk exposure, loss experience, relevant business environment and internal control assessments
– Identify and assess the operational risk inherent in all material products, activities, processes and systems
Expanding Regulatory Requirements
AMERICAS
• HIPAA
• FDA CFR 21 Part 11
• OMB Circular A-123
• SEC and DoD Records Retention
• USA PATRIOT Act
• Gramm-Leach-Bliley Act
• Federal Sentencing Guidelines
• Foreign Corrupt Practices Act
• Market Instruments 52 (Canada)
EMEA
• EU Privacy Directives
• UK Companies Law
• Restriction of Hazardous Substances (RoHS/WEEE)
APAC
• J-SOX (Japan)
• CLERP 9: Audit Reform and Corporate Disclosure Act (Australia)
• Stock Exchange of Thailand Code on Corporate Governance
GLOBAL
• International Accounting Standards
• Basel II (Global Banking)
• OECD Guidelines on Corporate Governance
The US Is An Unsafe Harbor
Brussels, 17 August 2007, ARTICLE 29 DATA PROTECTION WORKING PARTY
Following the conclusion of the new long-term PNR agreement between the EU and the US, the Art. 29 Data Protection Working Party has issued today an opinion analyzing the privacy impact of the transfer of passenger data to the US on fundamental rights and freedoms and in particular the passengers’ rights to data protection. The opinion concludes that the safeguards of the new agreement are markedly lower than those of the previous deal and serious questions and shortcomings remain unaddressed. The level of data protection of the new agreement must be considered unsatisfactory
Accepted data protection standards such as those enshrined in Convention 108 of the Council of Europe or the EU Data Protection Directive are not fully respected
What They Have In Common
• Establish information security programs to assess and control risks
• Protect against any anticipated threats or hazards to the security or integrity of records
• Protect against unauthorized access or use that could result in harm or inconvenience to any customer
• Install access controls on customer information systems, including controls to authenticate and permit access only to authorized individuals as well as prevent employees from providing
• Document disposal procedures
The Cost
A study conducted by Ponemon Institute estimates an average cost of $14 million per security breach incident, with costs ranging as high as $50 million
Solution Roadmap
Goals Don’t Always Align
What Management Wants
• Know who did what and when
• Know who accessed what data, both generally and under specified conditions
• Protect the audit trail from tampering and be able to prove it is authentic
• Adequately guard against security threats without choking the business
What Auditors Want
• Separation of duties
• Reporting
• Notification
• Proven audit data integrity
What IT Wants
• Performance and scalability
• Minimal constraints while getting the job done
• Evenings and weekends off
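"Know who did what and when" and "prove the audit trail is authentic" are two halves of one mechanism: a tamper-evident log. The Python below is an added example, not code from the webinar or from Performance Tuning Corporation. It keeps a hash-chained audit trail in which each entry's HMAC-SHA256 seal covers the entry's own content plus the previous entry's seal, so editing, deleting or reordering any entry breaks verification from that point onward. The events, field names and the sealing key are all constructed for the demonstration; in a real deployment the key must be held outside the database (an HSM, a KMS, or a logging host the DBAs cannot write to), because anyone who holds both the key and the table can re-seal a rewritten history.

```python
"""Hash-chained, HMAC-sealed audit trail (added example, not from the deck)."""
import hashlib
import hmac
import json

# Assumption: in production this key lives outside the database; it is hard-coded
# here only so the example runs offline.
SEAL_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # "previous seal" for the first entry


def _canonical(record: dict) -> bytes:
    """Stable byte encoding so the same record always seals to the same value."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_entry(trail: list, entry: dict, key: bytes = SEAL_KEY) -> dict:
    """Append an entry whose seal covers its content and the previous entry's seal."""
    prev = trail[-1]["seal"] if trail else GENESIS
    body = {"seq": len(trail), "prev": prev, **entry}
    seal = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    sealed = {**body, "seal": seal}
    trail.append(sealed)
    return sealed


def verify_trail(trail: list, key: bytes = SEAL_KEY) -> tuple:
    """Return (ok, index of first bad entry or -1). Catches edits, deletions, reordering."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        body = {k: v for k, v in rec.items() if k != "seal"}
        # Sequence number and back-link must match the position in the chain.
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec.get("seal", "")):
            return False, i
        prev = rec["seal"]
    return True, -1


def build_sample_trail() -> list:
    """Constructed sample events in the shape the deck asks for: who, what, when."""
    trail = []
    events = [
        {"ts": "2014-12-01T09:00:00Z", "user": "jsmith", "action": "SELECT", "object": "HR.SALARIES"},
        {"ts": "2014-12-01T09:05:12Z", "user": "dba1", "action": "GRANT", "object": "DBA TO appuser"},
        {"ts": "2014-12-01T09:07:40Z", "user": "dba1", "action": "UPDATE", "object": "HR.SALARIES"},
    ]
    for event in events:
        append_entry(trail, event)
    return trail


def tamper_demo() -> tuple:
    """Show that rewriting history is caught.

    Returns the verify_trail results for the clean trail, a trail where the
    GRANT entry's user was edited, and a trail where the GRANT entry was deleted.
    """
    trail = build_sample_trail()
    clean = verify_trail(trail)
    edited = [dict(rec) for rec in trail]
    edited[1]["user"] = "someone_else"   # a DBA "fixes" who ran the GRANT
    deleted = trail[:1] + trail[2:]      # the GRANT entry is removed entirely
    return clean, verify_trail(edited), verify_trail(deleted)


if __name__ == "__main__":
    clean, edited, deleted = tamper_demo()
    print("clean trail:", clean)       # (True, -1)
    print("edited entry:", edited)     # (False, 1)
    print("deleted entry:", deleted)   # (False, 1)
```

verify_trail reports the index at which the chain first fails, which tells an investigator where the recorded history diverges from what was sealed. The chain makes tampering detectable, not impossible, for whoever holds the key; anchoring the latest seal periodically to write-once storage (the same non-rewriteable medium the broker-dealer retention rule above demands) closes that gap.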
Process? A Good First Step
• Most regulatory frameworks require a detailed, documented process or "controls"
– Most companies have these processes in place, but have not done a comprehensive review of how they impact the overall security of the company
– Gaps between processes are the perfect spot for hackers, corporate espionage and other threats to grow
• An overall security audit needs to be conducted
– This needs to be revisited at least annually
• Once an audit is complete, processes should be reviewed and updated
– Consider using a governance framework as a starting point
– Process change is often the hardest and longest change a company can undertake
Governance, Risk, and Compliance (GRC)
Governance
• Set and evaluate performance against objectives
• Authorize business strategy & model to achieve objectives
Risk Management
• Identify, assess, and address potential obstacles to achieving objectives
• Identify / address violation of mandated and voluntary boundaries
Culture
• Establish organizational climate and mindset that promote trust, integrity, & accountability
Compliance
• Encourage / require compliance with established policies and boundaries
• Detect non-compliance and respond accordingly
COSO Cube & Compliance Model
Monitoring
• Continuous Exception Detection & Monitoring
• Periodic Reports and Attestations
Event Identification
• Exception thresholds
Risk Assessment
• Model risk assessment around resources with sensitive data: financial, ePHI, NPI
• Electronic Transactions
• Application, Application Server, DB, OS
• Predictive Risk Analysis
Information & Communication
• Approval Workflows
• Attestation Workflows
• Exception Notifications
• Delegated Administration
• Automated Provisioning
• Password Reset
Risk Response
• Corrective Workflows
Control Activities
• Entitlement Policies: RBAC, ABAC, SoD
• Strong Authentication
• Exception Detection & Remediation
• Employee termination
• Policy Retrofits & Revocations
What’s Most Important: Getting to Secure
• Process change will take time
• Threats won’t wait for you to get your entire company aligned
• Some (obvious) things can be done immediately
– You’d be surprised how often they aren’t
photo by Scott Schiller
Getting to Secure: Step 1 – Identify Value
• What do we have that is of value?
• Prioritize the valuables ... determine what needs to be secured first from the standpoint of risk to your organization and customers
• Identify the vectors ... what threats exist in the wild that could put our valuables at risk?
photo by Scott Schiller
Getting to Secure: Step 2 – Evaluate Risks
• Determine what risks have been mitigated ... through an outside, independent, audit
• Determine what risks need to be addressed
• Obtain both internal and external assessments of how to most cost-effectively mitigate remaining threats
photo by Scott Schiller
Getting to Secure: Step 3 - Acquire Resources
• Locate resources to address the priority risks
• Based on a careful balancing of risks and costs build a plan and get the budget approved
• Put actions into your 2015 plan
photo by Scott Schiller
Getting to Secure
Are You As Secure As You Think?
Firewall Rules: Application Access
HTTP & HTTPS allowed from outside "specific networks" to XXX 192.168.1.247. Note that the policy is named UN-BA-443 but the only application it matches is junos-http, which is plain HTTP on TCP/80; HSC_PUBLIC and HSC_PRIVATE_SPACE are address-book names, annotated on the slide with their prefixes 157.142.0.0/16 and 10.64.0.0/10.
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match source-address HSC_PUBLIC
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match source-address HSC_PRIVATE_SPACE
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match application junos-http
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 then permit
Firewall Rules: Database Access
ICMP allowed from outside to the Business-Data zone: source any, destination any, so every host in the database zone can be discovered by ping from the untrusted zone.
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match source-address any
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match destination-address any
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match application junos-ping
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping then permit
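The two rule sets above are the kind of thing a quick, repeatable check should catch before an auditor does. The Python below is an added example, not code from the webinar or from Performance Tuning Corporation: it folds Junos "set security policies" statements back into whole policies and flags permit rules out of an untrusted zone that match source any, destination any, land directly in a data zone, or carry a plaintext application. The sample configuration is the slides' two policies re-joined onto one line each (the slide's 157.142.0.0/16 and 10.64.0.0/10 are annotations of the address-book names, not part of the set syntax); the zone names treated as "untrusted" and "data" are parameters the caller supplies, and the defaults are taken from the slides.

```python
"""Lint Junos SRX 'set security policies' lines for over-broad permits (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the two policies from the slides, one statement per line.
# HSC_PUBLIC / HSC_PRIVATE_SPACE are address-book names; the slide's prefixes
# (157.142.0.0/16, 10.64.0.0/10) are annotations, not part of the set syntax.
SAMPLE_CONFIG = """
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match source-address HSC_PUBLIC
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match source-address HSC_PRIVATE_SPACE
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 match application junos-http
set security policies from-zone UNTRUST to-zone Business-App policy UN-BA-443 then permit
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match source-address any
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match destination-address any
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping match application junos-ping
set security policies from-zone UNTRUST to-zone Business-Data policy BD-Ping then permit
"""

LINE_RE = re.compile(
    r"^set security policies from-zone (?P<src>\S+) to-zone (?P<dst>\S+) "
    r"policy (?P<name>\S+) (?P<rest>.+)$"
)

# Predefined Junos applications that carry credentials or data in the clear.
PLAINTEXT_APPS = {"junos-http", "junos-telnet", "junos-ftp"}


@dataclass
class Policy:
    from_zone: str
    to_zone: str
    name: str
    sources: list = field(default_factory=list)
    destinations: list = field(default_factory=list)
    applications: list = field(default_factory=list)
    action: str = ""


def parse_policies(config: str) -> dict:
    """Fold the one-statement-per-line 'set' form back into whole policies."""
    policies = {}
    for raw in config.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a security-policy statement; ignore it
        key = (m["src"], m["dst"], m["name"])
        pol = policies.setdefault(key, Policy(m["src"], m["dst"], m["name"]))
        words = m["rest"].split()
        if words[0] == "match" and len(words) >= 3:
            if words[1] == "source-address":
                pol.sources.append(words[2])
            elif words[1] == "destination-address":
                pol.destinations.append(words[2])
            elif words[1] == "application":
                pol.applications.append(words[2])
        elif words[0] == "then" and len(words) >= 2:
            pol.action = words[1]
    return policies


def audit(policies: dict, untrusted=("UNTRUST",), data_zones=("Business-Data",)) -> list:
    """Return (policy name, finding) pairs for permit rules out of an untrusted zone.

    'untrusted' and 'data_zones' are assumptions about the zone layout; the
    defaults are the zone names that appear on the slides.
    """
    findings = []
    for pol in policies.values():
        if pol.action != "permit" or pol.from_zone not in untrusted:
            continue
        if "any" in pol.sources:
            findings.append((pol.name, "permits traffic from any source in an untrusted zone"))
        if "any" in pol.destinations:
            findings.append((pol.name, "permits traffic to any host in the destination zone"))
        if pol.to_zone in data_zones:
            findings.append((pol.name, f"untrusted zone reaches data zone {pol.to_zone} directly"))
        clear = PLAINTEXT_APPS & set(pol.applications)
        if clear:
            findings.append((pol.name, "permits plaintext application(s): " + ", ".join(sorted(clear))))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_policies(SAMPLE_CONFIG)):
        print(f"{name}: {finding}")
```

Run against the slides' configuration it produces one finding for UN-BA-443 (plaintext junos-http) and three for BD-Ping (any source, any destination, direct reach into the data zone). The same parser works on the output of "show configuration | display set" from a real SRX, which is the form to feed it in an annual review.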
Getting to Secure
Low Hanging Fruit
What Objects Must Be Secured?
• Segment data
– Tables and indexes containing sensitive data
• which tables ... which columns ... what do they contain?
– Views that expose sensitive data
• Backup Files
• Redo logs
• Archived redo logs
• Operating system files
• Development, Test, and Staging Systems
What Infrastructure Must Be Secured?
• Primary Databases
• Standby Databases at DR Sites
• Web and Application Servers
• Storage Arrays
• Network Communications
• Data Centers
• Backup Tape Storage
WRAP-UP
Conclusions
• Internal and external threats are multiplying – and getting more sophisticated
• Ignoring security can be extremely costly – it can cost your job or even put your company out of business
• Security happens within an array of regulations and guidelines – that complicate how you approach the task
• You need governance for the long term – but you shouldn’t wait for that process to be complete, the stakes are too high!
• Most companies don’t understand security – and even those that do need a second opinion to make sure they haven’t missed something.
…Get HELP!
Any Questions?
Thank you!
EXPERTS
Expert Data Services team with deep performance tuning and Oracle technology backgrounds.
More info: www.perftuning.com
@perftuning