Information Assurance High Level Presentation - PowerPoint PPT Presentation

Slides: 43
Provided by: david1289
Transcript and Presenter's Notes

1
How a Protected Enterprise Reduces Risk and Liability
Oracle Corporation
Mike Mull, CISSP, Solution Specialist, Oracle Protected Enterprise Group
2
The Burden is Real
3
Issues & Concerns
Intellectual capital
Financial Losses
Asset Protection
Brand Protection
Public Image
Litigation
Business Risks
Compliance
Employee & Customer Privacy
Loss of Customer Trust
Source: "Cybersecurity: It's Dollars and Cents", Business Week, 2/11/2005
4
Protected Enterprise Challenges
  • Address regulatory compliance
  • Ensure privacy and accountability
  • Reduce risk and liability
  • Increase business agility
  • Maintain operational effectiveness

Information Security
  • Identification (who)
  • Access Controls (what)
  • Auditing (where, when, how)

Business Continuity
  • High Availability
  • Disaster Recovery
  • Continuous Operations

Applies to ALL applications across ALL industries
5
Integrated Security (diagram)
  • Data Security: in motion, at rest
  • Auditing and Access Management
  • Single Sign-on
  • Disaster Recovery
  • Single Console Administration
  • Secure Channels
6
Security is a System
(Diagram) SECURITY is made up of: Product, Configuration, Implementation, Policy and Process
7
Security Realms
  • Policies and Processes
    • Policy makers are not policy implementers or
      users
    • Process documentation
  • Product
    • Buffer overflows
    • Resolved by vendors' development teams
    • Example: Oracle provides patches by email blasts
      from Meta-link
  • Configuration
    • Database settings (.ora)
    • OS file settings
    • Network setup
    • DoE/CIS Benchmark and Oracle Best Practices serve
      as guide
  • Implementation
    • Technologies (VPD, Auditing, etc.)
    • Design choices

8
Why is Security Hard?
  • No system can be 100% secure
    • Reality is risk mitigation, not risk avoidance
  • Difficult to prove good security
    • Bad security gets proven to/for us
    • Good security and no security can look the same
    • How does one know how secure they are?
  • Many things to secure
    • People, equipment, OS, network, Application
      Servers, applications, and databases

9
Password Policy Example
  • Cannot be similar to user's name
  • Cannot be easily guessable
  • Must be at least 12 characters in length
  • Contains upper and lower case characters
  • Contains at least one special character
  • Contains at least one number
  • Rotated every 14 days
  • Cannot be re-used for 5 years

My current password: This1is2Hard!
10
Balancing the Business
Need flexibility to adjust to current situation
Best Case: Accommodate all requirements
(Diagram: the competing factors Usability, Performance and Security)
11
Security Tenets
12

13
Security Tenets
  • Defense in depth
  • Security in layers for higher assurance

14
Security Tenets
  • Be proactive

15
Security Tenets
  • Abide by the least-privilege principle

(Diagram: database privileges such as Create Session, Create Table, Alter Session, Create Procedure, Drop Table, Create View, Create Synonym, Create Sequence)
16
Security Tenets
Not all products are created equal
17
The Challenge
Get the right data (securely) to the right people
in a timely manner that maximizes usability,
lowers administrative burdens, eases application
development and maximizes security
Identity Management
Data in transit
  • Applications need to know user
  • Databases need to know user

Database security and auditing
18
Defense in Depth
  • Identification and Identity Preservation
    • Proxy Authentication, Client Identifiers,
      Identity Management
  • Element Level Protections
    • Database Encryption
    • Fine-Grained Access Control
    • Row Level Security
  • Accountability
    • Fine-Grained Auditing

19
Typical Authentication Architecture
Security cannot be based on anonymity!
Connection Pool
3. Database cannot apply proper access controls and auditing at the user level
20
Identity Preservation Proxy Authentication
Connection Pool
3. Database applies authorizations, access control, and auditing for real end user
21
Identity Preservation Client Identifiers
Connection Pool
Set_Identifier(Yellow User)
Set_Identifier(Green User)
  • Database procedure called by application
  • Client Identifiers convey the user's information to
    the DB
  • User information used in access control decisions
  • Value is automatically audited
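
The two identity-preservation approaches of slides 19 to 21, together with the least-privilege grant of slide 15, as an added example in Oracle SQL and PL/SQL (not from the deck or from Oracle's own documentation). app_pool, alice, hr.claims with an owner_id column, the sec schema and the passwords are assumed placeholders.

```sql
-- Added example: identity preservation for a pooled connection.
-- app_pool, alice, hr.claims (with an owner_id column) and the sec
-- schema are assumed placeholders; passwords are placeholders too.

-- Least privilege for the pool account (slide 15): it may only connect.
CREATE USER app_pool IDENTIFIED BY "placeholder_pool_pw";
GRANT CREATE SESSION TO app_pool;

-- Approach 1, proxy authentication (slide 20): the pool connects as
-- app_pool, but each session runs as the real end user, so grants and
-- audit records carry that user's name instead of the pool's.
CREATE USER alice IDENTIFIED BY "placeholder_alice_pw";
GRANT CREATE SESSION TO alice;
GRANT SELECT, UPDATE ON hr.claims TO alice;
ALTER USER alice GRANT CONNECT THROUGH app_pool;
-- The application opens a proxy session; in SQL*Plus the equivalent is:
--   CONNECT app_pool[alice]/placeholder_pool_pw
-- Approach 2, client identifiers (slide 21): the pool keeps one database
-- user and the application tags each request with the end user.
BEGIN
  DBMS_SESSION.SET_IDENTIFIER('alice');   -- "Yellow User" in the slide
END;
/

-- A VPD policy turns that tag into row-level security: the predicate is
-- appended to every SELECT/UPDATE/DELETE on hr.claims. An untagged
-- session compares owner_id with NULL and therefore sees no rows.
CREATE OR REPLACE FUNCTION sec.claims_owner_policy (
    p_schema IN VARCHAR2, p_object IN VARCHAR2) RETURN VARCHAR2 AS
BEGIN
  RETURN 'owner_id = SYS_CONTEXT(''USERENV'', ''CLIENT_IDENTIFIER'')';
END;
/
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'CLAIMS',
    policy_name     => 'CLAIMS_OWNER',
    function_schema => 'SEC',
    policy_function => 'CLAIMS_OWNER_POLICY',
    statement_types => 'SELECT, UPDATE, DELETE');
END;
/

-- Check which identities the database currently sees for the session.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER')      AS session_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')        AS proxy_user,
       SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER') AS client_id
  FROM dual;
```

The client identifier is whatever the application asserts, so it is only as trustworthy as the application tier that sets it; proxy authentication binds the session to an authenticated end user and is the stronger of the two.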

22
Core Identity Management Business Problems
23
Securing Cross-Organization Transactions
An example: an independent broker uses Big Insurance Co.'s Web application to issue a new insurance policy for a client.
INDEPENDENT INSURANCE BROKER INC.
BIG INSURANCE CORP.
24
Federated Identity Management: According to
Burton Group
  • What is federated identity management?
    • Agreements, standards, technologies that make
      identity and entitlements portable across
      autonomous domains
    • Begins at home, within and between organizations
    • Joined at the hip with Web services
    • Will grow both in granularity and scale

From Burton Group Catalyst Conference
25
Federated Identity
(Diagram: Company B, Technical Database Application)
26
Web Services Security/Mgmt Concerns
  • Security
    • We have many web services exposed to the
      internet now
    • Only valid partners may access our web services
  • Exception Handling
    • Notify operations if a transaction stalls
    • Send any incomplete orders to customer service
      for fixing
  • Compliance and Consistency
    • All customer orders must be encrypted with
      128-bit keys
    • All XML messages must follow this format
  • Service Level Monitoring
    • The order system must process transactions in
      under 2 seconds
    • If uptime falls below 98% we owe contract
      penalties

27
Needs for Web Services Management
  • Without WSM, policy is hard-coded into each Web
    Service
    • Result is siloed, inconsistent security and
      management
    • A change in enterprise standards means rework of
      every service
    • Higher cost, more fragile, harder to change
    • No unified insight into operations across
      services
  • The goal is to decouple security and management
    policy from each individual Service's logic

28
Oracle WSM Components
(Diagram) BUILD Policies, ENFORCE Policies, MONITOR Policies
  • Policy Manager
  • Policy Gateway
  • Policy Agents
  • Web Service Monitor
  • Web Services
29
Defense in Depth

30
Encryption Data at Rest
  • Regulations that affect you
  • Value of data
  • Be selective about what you encrypt
  • Encryption in transit may be required

31
Stored Data Encryption
  • Element level protections
    • Selective encryption of sensitive data (e.g.,
      SSNs, credit card #s, diagnosis)
    • Makes interpreting the real data more difficult
  • DBMS_CRYPTO
    • Encryption: AES128/192/256, 3DES, RC4, DES
    • Hashing: SHA1, MD5, MD4, HMAC
    • CLOB, BLOB, and RAW support (no padding required)
  • On the horizon: transparent encryption
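
Selective element-level encryption with DBMS_CRYPTO, as an added example in PL/SQL (not from the deck or from Oracle's own documentation). hr.patients with ssn and ssn_enc columns, the sec schema and the sec.key_vault.get_key call are assumed placeholders, and sec is assumed to have been granted EXECUTE on DBMS_CRYPTO.

```sql
-- Added example: selective column encryption with DBMS_CRYPTO.
-- hr.patients (ssn VARCHAR2, ssn_enc RAW) and the sec schema are assumed
-- placeholders; sec needs EXECUTE on DBMS_CRYPTO, granted from SYS.
CREATE OR REPLACE PACKAGE sec.ssn_crypto AS
  FUNCTION encrypt_ssn (p_ssn IN VARCHAR2, p_key IN RAW) RETURN RAW;
  FUNCTION decrypt_ssn (p_enc IN RAW, p_key IN RAW) RETURN VARCHAR2;
END ssn_crypto;
/
CREATE OR REPLACE PACKAGE BODY sec.ssn_crypto AS
  -- AES-128 in CBC mode with PKCS#5 padding. DES and RC4 are also in
  -- DBMS_CRYPTO's list but are weak; do not pick them for new data.
  c_mode   CONSTANT PLS_INTEGER := DBMS_CRYPTO.ENCRYPT_AES128
                                 + DBMS_CRYPTO.CHAIN_CBC
                                 + DBMS_CRYPTO.PAD_PKCS5;
  c_iv_len CONSTANT PLS_INTEGER := 16;   -- AES block size in bytes
  FUNCTION encrypt_ssn (p_ssn IN VARCHAR2, p_key IN RAW) RETURN RAW IS
    -- fresh random IV per value, so equal SSNs give different ciphertext
    l_iv RAW(16) := DBMS_CRYPTO.RANDOMBYTES(c_iv_len);
    l_ct RAW(2000);
  BEGIN
    l_ct := DBMS_CRYPTO.ENCRYPT(
              src => UTL_I18N.STRING_TO_RAW(p_ssn, 'AL32UTF8'),
              typ => c_mode, key => p_key, iv => l_iv);
    RETURN UTL_RAW.CONCAT(l_iv, l_ct);   -- IV is not secret; keep it in front
  END encrypt_ssn;

  FUNCTION decrypt_ssn (p_enc IN RAW, p_key IN RAW) RETURN VARCHAR2 IS
    l_iv RAW(16)   := UTL_RAW.SUBSTR(p_enc, 1, c_iv_len);
    l_ct RAW(2000) := UTL_RAW.SUBSTR(p_enc, c_iv_len + 1);
  BEGIN
    RETURN UTL_I18N.RAW_TO_CHAR(
             DBMS_CRYPTO.DECRYPT(src => l_ct, typ => c_mode,
                                 key => p_key, iv => l_iv),
             'AL32UTF8');
  END decrypt_ssn;
END ssn_crypto;
/
-- Usage. The key must live outside the table (wallet, HSM, or at least a
-- separately protected schema) and never in application code; the
-- sec.key_vault.get_key call is a hypothetical key-store lookup.
DECLARE
  l_key RAW(16) := sec.key_vault.get_key('SSN');
BEGIN
  UPDATE hr.patients
     SET ssn_enc = sec.ssn_crypto.encrypt_ssn(ssn, l_key),
         ssn     = NULL;                  -- remove the plaintext value
  COMMIT;
END;
/
```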

32
Defense in Depth

33
Label Based Access Control
  • Record-level security based on security tags or
    labels
  • Simple to understand
  • Simple to convey
  • Simple to audit/prove

(Diagram: rows tagged with labels such as TOP SECRET)
34
Oil and Gas Services Company: Multiple Databases
for secure access control
(Diagram: separate databases for BP Amoco, Chevron, ExxonMobil, Conoco)
35
Oracle Solution, Label Security: Centralized data,
secure access, reduced cost
(Diagram: one Oracle Label Security database shared by Chevron, ExxonMobil, BP Amoco, Conoco)
36
Defense in Depth

37
Security Processes: Prevention, Detection and
Response
  • Prevention
    • Authentication, Access Controls
  • Detection and Response
    • Database Auditing
      • Audit by user, by object, by privilege
      • Ensure that attempts to view, modify, or delete
        data by unauthorized persons are tracked
      • Critical attempts should cause immediate response
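
The three audit scopes of this slide plus a fine-grained audit policy whose handler responds immediately, as an added example in Oracle SQL and PL/SQL (not from the deck or from Oracle's own documentation). hr.claims with an SSN column, app_pool and the sec schema are assumed placeholders, and standard auditing assumes the AUDIT_TRAIL initialization parameter is set to DB or DB,EXTENDED.

```sql
-- Added example: audit by object, user and privilege, plus a fine-grained
-- audit policy whose handler fires at once. hr.claims (with an SSN
-- column), app_pool and the sec schema are assumed placeholders.
AUDIT SELECT, UPDATE, DELETE ON hr.claims BY ACCESS;       -- by object
AUDIT SELECT TABLE, UPDATE TABLE BY app_pool BY ACCESS;    -- by user
AUDIT SELECT ANY TABLE BY ACCESS;                          -- by privilege
-- Unauthorized attempts fail with an error but are still recorded.
AUDIT SELECT, UPDATE, DELETE ON hr.claims BY ACCESS WHENEVER NOT SUCCESSFUL;

-- Alert table and handler. The handler runs inside the audited statement
-- and uses an autonomous transaction so the alert survives a rollback.
CREATE TABLE sec.security_alerts (raised_at TIMESTAMP, db_user VARCHAR2(128),
  client_id VARCHAR2(64), object_name VARCHAR2(257), policy_name VARCHAR2(128));

CREATE OR REPLACE PROCEDURE sec.alert_on_ssn_read (
    p_schema IN VARCHAR2, p_object IN VARCHAR2, p_policy IN VARCHAR2) AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  INSERT INTO sec.security_alerts
  VALUES (SYSTIMESTAMP,
          SYS_CONTEXT('USERENV', 'SESSION_USER'),
          SYS_CONTEXT('USERENV', 'CLIENT_IDENTIFIER'),
          p_schema || '.' || p_object, p_policy);
  COMMIT;
  -- a pager or e-mail hook (e.g. UTL_SMTP) would be called here
END alert_on_ssn_read;
/

-- Fine-grained auditing: only SELECTs that touch the SSN column, and only
-- from sessions carrying no end-user tag. An untagged pool session
-- reading SSNs is the kind of critical attempt that needs a response now.
BEGIN
  DBMS_FGA.ADD_POLICY(
    object_schema   => 'HR',
    object_name     => 'CLAIMS',
    policy_name     => 'UNTAGGED_SSN_READ',
    audit_condition => 'SYS_CONTEXT(''USERENV'',''CLIENT_IDENTIFIER'') IS NULL',
    audit_column    => 'SSN',
    handler_schema  => 'SEC',
    handler_module  => 'ALERT_ON_SSN_READ',
    statement_types => 'SELECT');
END;
/

-- Review: FGA rows land in DBA_FGA_AUDIT_TRAIL, standard ones in DBA_AUDIT_TRAIL.
SELECT timestamp, db_user, client_id, policy_name, sql_text
  FROM dba_fga_audit_trail;
```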

38
Fine-grained Auditing
39
What To Look for in a Vendor
  • Look for Trusted Business Advisor
  • End-to-End Solution Provider
  • Independent Technical Evaluations
  • One with strong consulting offerings

40
Make Security a First-Class Citizen
  • Security built in at design time
  • Multi-layered implementation
  • Proactively act to maintain a strong posture
  • Mitigate the risks, don't eliminate the risks
  • Apply common sense before applying cool
    technology
  • Consider the competing factors: balance
    performance and usability. Be practical

41
Shameless plug for Boss
42