Intelligent Security Design, Development and Acquisition
Presented by Kashif Dhatwani | Security Practice Director | BIAS Corporation
Agenda
• Introduction
• Security Challenges
• Securing the New Perimeter
• Information Security Spectrum
• Standards & Compliance
• Threats/Challenges & Industry Best Practices
• References
Research and Analysis
• 67% of CIOs feel the impact of mobile computing is greater than the impact of the Internet in the 90s
• 90%+ of companies provide mobile applications
• 89% of users use mobile devices to connect to corporate networks
• 62% of companies will use social networking to connect with customers
• 33% of organizations do not evaluate security while selecting a cloud provider
• 66% of today’s data resides in relational databases
• Misuse of privileged access, as per the 2014 Verizon Data Breach report
Information Security Challenges
[Word-cloud graphic: System, Security, Breach, Threat, Hacking, Technology, Financial Information]
Information Security Challenges
• Why Government?
– California is the eighth largest economy in the world and is a prime target for attacks
– The State’s Information Assets are vital resources that contain various types of sensitive data, including Social Security Numbers and tax- and health-related information
• Insufficient resources to implement Security Controls
• Private and Public Sector integrated IT Solutions – Processing Credit Card Data
• The forecast average loss for a breach of 1,000 records is between $52,000 and $87,000
60% OF INCIDENTS WERE ATTRIBUTED TO ERRORS MADE BY SYSTEM ADMINISTRATORS— PRIME ACTORS RESPONSIBLE FOR A SIGNIFICANT VOLUME OF BREACHES AND RECORDS
Transformation of Perimeter
Cloud is also creating an additional layer of complexity, where data and applications live outside the traditional enterprise boundaries
Users are continually on the move, as is the information, bringing in new points of control which require verifying identities and permission to access information
Data being accessed can include structured and unstructured data (documents, e-mails)
People need to collaborate, but they are not always trusted employees
Traditionally, the emphasis has been on protecting networks
Securing the New Perimeter
Think Inside Out
• The threats are outside, but the risks are largely inside.
Develop a “Defense-In-Depth” strategy
• Create a framework of overlapping controls to address vulnerabilities.
Simplify the user experience
• When security becomes a barrier to productivity, controls get worked around.
Design for Compliance
• Security is as important to shareholder value as good accounting.
• Regulatory controls are on the rise.
Information Security Spectrum
Identity Management
• Governance
• Compliance
• Single Source of Truth
• Provisioning / De-provisioning
• SoD – Separation of Duties
Access Management
• Access Control
• Authentication
• Authorization
• Single Sign-On
• Multi-Factor Authentication
Mobile Security
• Security Container
• Single Sign-On
• Application Management
Data Security
• Protect your data at Rest and in Transit
• Data Access – Authentication
• Data Access – Fine Grained Control
• Auditing
Standards & Compliance
Security control families (the NIST SP 800-53 control families):
Access Control
Awareness & Training
Audit & Accountability
Certification, Accreditation & Security Assessments
Configuration Management
Contingency Planning
Identification & Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical & Environmental Protection
Planning
Program Management
Risk Assessment
System & Communication Protection
System & Information Integrity
System & Services Acquisition
Assurance Requirements
5-Step Risk Evaluation Process
1. Conduct a risk assessment of the government system.
2. Map identified risks to the appropriate assurance level.
3. Select technology based on e-authentication technical guidance.
4. Validate that the implemented system has met the required assurance level.
5. Periodically reassess the information system to determine technology refresh requirements.
Levels of Assurance
Level 1
• Identity: There is no identity proofing requirement at this level.
• Authentication: Simple password challenge-response protocols are allowed.
Level 2
• Identity: Requires identity proofing. Both in-person and remote registration are permitted.
• Authentication: Provides single-factor remote network authentication.
Level 3
• Identity: At this level, identity proofing procedures require verification of identifying materials and information. Both in-person and remote registration are permitted.
• Authentication: Provides multi-factor authentication; at least two authentication factors are required.
Level 4
• Identity: Remote registration is not permitted at this level. The applicant must appear in person before the registration officer. Presentation and verification of two independent ID documents or accounts is required.
• Authentication: This is intended to provide the highest practical remote network authentication assurance. Authentication is based on proof of possession of a key through a cryptographic protocol. Only “hard” cryptographic tokens are allowed.
Identity Management – Threats / Challenges
→ PROVISIONING - The proliferation of cloud applications requires organizations to provide access, and organizations must also provide the needed access to their partners and customers
→ DE-PROVISIONING - De-provisioning those services for the same users is also very important
→ MOBILE IDENTITY - We now require identification not only of users but of devices as well
→ COMPLIANCE - Organizations are also being challenged with new compliance requirements
→ INTERNET OF THINGS - Brings challenges across user, device and application identities
→ USER REPOSITORIES - User repositories spread across organizations have required custom solutions, which in turn
Identity Management – Industry Practices
Identity Management in the new perimeter must address “People” and “Devices”
Identities must also have lifecycle management (Provisioning, De-provisioning)
Organizations must have 360° visibility into identities
Organizations must implement controlled access such as Role/Attribute Based Access Control
Identity Management solutions should provide governance and auditing as one factor of identity management
Identity Management is also one of the most important factors of mobile computing, so devices and applications are provisioned as part of the lifecycle
Access Management – Threats / Challenges
→ A comprehensive solution is required which holistically provides access control across the applications – multiple point solutions are vulnerable to threats
→ In addition to user-id and password based authentication, sensitive data must require an additional level of assurance
→ Mobile and Social integration is required to provide customers (Citizens) with the capability to use their social identities to access required resources
→ Platform-agnostic solutions are needed to build a common security framework
→ Integration with Cloud providers and achieving Single Sign-On are key requirements
→ Multiple access locations and multiple devices are bringing additional challenges
Access Management – Industry Practices
Access Management
• Access Management solutions now provide a single policy enforcement and management platform that is agnostic of applications
Federated Solutions
• Using federated protocols, these provide Single Sign-On for Cloud applications using the same set of access controls as On-Premise applications
Adaptive Access Management
• Systems with fully integrated contextual and fraud detection capability are required to detect higher risk levels and prompt for additional identification
Advanced Authentication
• Methods in addition to user-password are common, including One Time Password and Knowledge Based Access
Mobile & Social Identity Integration
• Google, Yahoo and Facebook integrations are now commonly made available in Access Management Systems
Mobile Security
• Capabilities are built into and integrated with Access Management systems to provide a single framework-based platform for access control
Access Management – Industry Practices
• Web Services are protected using a common set of WS-Security Policies
• Entitlements are configured to provide finer control over applications and services
• Administrator configures trusted connections to the cloud provider
• Administrator configures WAM (Web Access Management) to protect applications
[Diagram labels: Web Access Management, Authentication, Federated, Web Services, Authorization]
Mobile Security – Threats / Challenges
→ Enterprise data and personal data exist together
- Using personal and enterprise mobile applications from the same device
→ How do you apply security controls for the same device used in multiple contexts?
→ Malware is targeted at mobile platforms because they provide access to credentials
→ Lost or stolen devices are another threat, where corporate data may have been compromised
→ Management of applications is another challenge, which can result in theft of data due to misuse or abuse of privileged access.
→ Modifying security settings on mobile applications
→ Not understanding the Terms and Conditions of how data is used
Mobile Security – Industry Practices
Identity
• Providing the capability to provision applications and resources is a key factor
• A change in a user’s role should trigger a change in application access, along with location and schedule
Containerization
• Providing separation of business and personal data
Single Sign-On
• For mobile applications, with certificate and strong-password based approaches
Mobile Device & Application Management
• Provide the opportunity to encrypt data and applications within the mobile device
• No cached credentials; re-use of corporate identity users, roles and policies
Secure Containers
• Are required to wipe only corporate-related data, so employees can have the freedom of using personal applications on the same device
Data Security – Threats / Challenges
→ Most enterprises do not have a comprehensive database security strategy
→ According to a study by the IOUG, 71% of organizations have no controls to prevent application bypass attacks
→ Most agree that database security doesn’t get the priority and investment that it needs, leaving the organization vulnerable
→ Enterprises tend to focus on detective controls rather than take preventive measures for database security, and may not be achieving the outcome expected
→ Privileged database access is also a cause of insider threats
→ How do you detect and prevent attacks at databases?
Data Security – Industry Practices
Prevention should be a top priority
• Although database monitoring is essential to track data access, it doesn’t prevent hackers from stealing information.
• Enterprises need to start looking at making the most of their investments by implementing preventive controls to defend against real-time threats.
Focus on an enterprise-wide database security strategy
• A comprehensive database security strategy ensures investments address the three key pillars — foundation, detection, and prevention — across the critical databases.
• Don’t just focus on one or two critical databases, but on all databases that store sensitive data.
• Discover and classify your databases, noting which ones hold private and sensitive data such as credit card numbers and Social Security Numbers.
• Make database security part of the database infrastructure.
Single vendor solutions offer stronger security and can lower cost
• When looking for a database security solution, look for vendors that offer a comprehensive set of technologies to support your entire database security strategy and offer capabilities for data masking, encryption, auditing, monitoring, firewall, vulnerability assessment, access control, and patch management.
• We find that a single vendor solution offers stronger security and lower cost and helps avoid cobbling together point solutions.
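The “discover and classify, then protect” advice above can be prototyped in a few lines. This is an added example, not code from the deck or from any vendor product: a column is classified as a card number when most of its values pass a Luhn check, or as an SSN by pattern, and classified columns are masked for nonproduction copies. The sample rows, the 80% threshold and the helper names are constructed assumptions.

```python
"""Sensitive-data discovery and masking over sample rows (added example, not product code).
Assumes: rows are dicts, and a column is classified when >= 80% of its values match."""
import re

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD_RE = re.compile(r"^\d{13,19}$")

def luhn_ok(digits):
    """Luhn checksum: rejects most digit strings that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify_column(values):
    """Return 'CARD', 'SSN' or None depending on what most values in the column look like."""
    n = len(values) or 1
    cards = sum(1 for v in values if CARD_RE.match(v) and luhn_ok(v))
    ssns = sum(1 for v in values if SSN_RE.match(v))
    if cards / n >= 0.8:
        return "CARD"
    if ssns / n >= 0.8:
        return "SSN"
    return None

def discover(rows):
    """Map column name -> class for every column that holds card numbers or SSNs."""
    kinds = {name: classify_column([str(r[name]) for r in rows]) for name in rows[0]}
    return {name: kind for name, kind in kinds.items() if kind}

def mask(value, kind):
    """Format-preserving mask for nonproduction copies: only the last four digits survive."""
    if kind == "CARD":
        return "X" * (len(value) - 4) + value[-4:]
    if kind == "SSN":
        return "XXX-XX-" + value[-4:]
    return value

def mask_rows(rows):
    """Mask every discovered sensitive column; other columns pass through unchanged."""
    found = discover(rows)
    return [{k: mask(str(v), found.get(k)) for k, v in r.items()} for r in rows]

# Constructed sample rows (not real people); the card values are standard Luhn-valid test numbers.
SAMPLE = [
    {"name": "A. Citizen", "card": "4111111111111111", "ssn": "123-45-6789", "zip": "30301"},
    {"name": "B. Resident", "card": "5500000000000004", "ssn": "987-65-4321", "zip": "30302"},
]
```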
Trends and Practices – Data Security
MITIGATE database bypass
• Prevent access to data at OS, storage, network and media layers
• Data encryption for data at rest, in transit and on media
• Separation of duties for key management
PREVENT application bypass
• Privileged user access control to limit access to application data
• Multi-factor authorization for enforcing enterprise security policies
• Secure application consolidation
CONSOLIDATE auditing and compliance
• Database auditing, centralized audit policies
• Consolidate, secure and analyze the audit trail; alert on suspicious activities
• Report for compliance & security; automate database audit workflow
MONITOR database traffic and block threats
• Monitor database traffic over the network
• Block threats like SQL injection attacks before they reach databases
• Enforce normal database activity; lightweight monitoring
PROTECT all database environments
• Sensitive data discovery for production
• Secure database lifecycle management, configuration scanning, patch automation
• Mask data for nonproduction
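The MONITOR items (watch database traffic, block SQL injection, enforce normal database activity) describe an allowlist-style database firewall. The following Python sketch is an added example, not the deck’s or any vendor’s code: statement shapes are learned from a constructed sample of normal application traffic, and later statements whose shape was never seen are marked for blocking. The statement samples and the allow/block verdict names are constructed assumptions.

```python
"""Allowlist-style database firewall check (added example, not any product's code).
Learns the statement shapes an application normally issues, then flags later traffic
whose shape was never seen; literals are replaced so only structure is compared."""
import re

LITERALS = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")  # quoted strings and numbers
WS = re.compile(r"\s+")

def normalize(sql):
    """Reduce a statement to its shape: literals -> ?, whitespace collapsed, case folded."""
    return WS.sub(" ", LITERALS.sub("?", sql)).strip().lower()

def learn_baseline(training_sql):
    """Set of shapes observed during the learning period (the 'normal database activity')."""
    return {normalize(s) for s in training_sql}

def check(sql, baseline):
    """'allow' when the shape was learned, 'block' otherwise."""
    return "allow" if normalize(sql) in baseline else "block"

def evaluate(traffic, baseline):
    """Pair every statement with its verdict; a real deployment would also alert on 'block'."""
    return [(s, check(s, baseline)) for s in traffic]

# Constructed learning-period traffic: what the application normally sends.
NORMAL = [
    "SELECT name, balance FROM accounts WHERE id = 42",
    "SELECT name, balance FROM accounts WHERE id = 7",
    "UPDATE accounts SET balance = 100.50 WHERE id = 42",
]

# Constructed later traffic: a normal query, an injected tautology, and an application-bypass
# query reading a column the application never selects.
LATER = [
    "SELECT name, balance FROM accounts WHERE id = 99",
    "SELECT name, balance FROM accounts WHERE id = 1 OR 1=1",
    "SELECT name, balance, ssn FROM accounts WHERE id = 5",
]

if __name__ == "__main__":
    for stmt, verdict in evaluate(LATER, learn_baseline(NORMAL)):
        print(verdict, stmt)
```

Shape matching of this kind catches structural deviations, not semantic ones, which is why the slide pairs it with privileged-user controls and auditing.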
Reference 1 – Identity Management / Federated Access
[Reference architecture diagram: internal and external (Citizen) users; on-premise web applications with LDAP; cloud provider applications; Access Control and Single Sign-On layers (Authentication / SSO, Federation / SSO, Identity Proofing, Role-based access); Identity Management (Provisioning, De-Provisioning, Access Privileges / Approval / Request); Federated SSO]
Reference 2 – Access Control
[Reference architecture diagram: external entity users with a single user account and single logon; .NET and Java / J2EE web applications, internal RACF, Document Management System and Portal applications, with user repositories virtualized behind LDAP]
Thank You
Comments
Discussions
About BIAS Corporation
• Founded in 2000
• Distinguished Oracle Leader
– Technology Momentum Award
– Portal Blazer Award
– Titan Award – Red Stack + HW Momentum Awards
– Excellence in Innovation Award
• Management Team is Ex-Oracle
• Location(s): Headquartered in Atlanta; Regional office in Washington D.C.; Offshore – Hyderabad and Chennai, India
• ~250 employees with 10+ years of Oracle experience on average
• Inc.500|5000 Fastest Growing Private Company in the U.S. for the 6th Time
• Voted Best Place to work in Atlanta for 2nd year
• 33 Oracle Specializations spanning the entire stack
BIAS Corporation is a recognized leader in Identity & Access Management system assessment, design and implementation. As an Oracle Platinum partner, BIAS Corporation’s IDM Practice provides experienced architects with expertise in assessing environments, building roadmaps and designing systems, backed by deep technical experience, and implements solutions using the experienced developers who are part of the BIAS IDM practice.
Oracle created the OPN Specialized Program to showcase the Oracle partners who have achieved expertise in Oracle product areas and reached specialization status through competency development, business results, expertise and proven success. BIAS is proud to be specialized in 33 areas of Oracle products, which include the following: