Data Security and Privacy: Compliance to Stewardship. Jignesh Patel, Solution Consultant, Oracle


Agenda
- Connected Government
- Security Threats and Risks
- Defense in Depth Approach
- Summary

Connected Government: provide better services for efficient government

Connected government makes a difference in people's lives
- Cloud computing
- Analytics and big data
- Mobile users
- Social experience
- Citizen services
These are changing the way government delivers services.

Security Threats and Risks: growing risk for government

Government challenges have evolved
- Concerns: privacy, quality of service, data security and integrity, regulatory compliance, continuous monitoring, collaboration
- Data at risk: SSNs, personal profiles, PII, credit card information, tax IDs
- Threats: identity theft, fraud, denial of service
- Regulations: HIPAA / HITECH, NERC, PCI DSS, IRS 1075, CJIS

Importance of security: risk to data by actor and motivation
- Actors: hackers, organized crime, nation states, terrorists, individuals
- Position: insider, outsider, outsider with the help of an insider

From mistakes to attacks: basic security is not enough
- Mistakes: accidental erasure, accidental disclosure
- Misuse: privilege abuse, deliberate leakage, curiosity
- Malicious coordinated attacks: hacking, data theft, denial of service, blackmail
Adapted from Kuppinger Cole presentation, March 2013

Frameworks referenced: NIST 800 series, IRS 1075

Auditor: compliance verification over time. Each quarterly audit (Q1, Q2, Q3) produces an audit finding, the finding is addressed, and the cycle repeats at the next audit.
Ad-hoc response to audit findings is costly and insecure.
Adapted from Kuppinger Cole presentation, March 2013

Traditional Security Approach: detecting, preventing or stopping threats on the network or devices
(Diagram: User -> Device -> Network -> Apps -> Data)
- Users access applications and data from devices via the network.
- The majority of the security budget has been spent on stopping or detecting threats on the network or device.
- Limited controls protect data and users: little attention is paid to user activity and data protection, and most organizations do not fully understand their data and user actions.

- 67% of records breached were taken from servers
- 76% of breaches used weak or stolen credentials
- 69% were discovered by an external party
- Over 1.1B served
- 97% were preventable with basic controls
Most of the security budget is spent on firewalls, anti-virus and IDS, forgetting to secure the data.

Defense in Depth Approach: multi-layered

Defense in Depth Architecture: multi-layered security
Integrate people, process and technology.
Layered security: all security products have inherent weaknesses, and it is only a matter of time before an adversary finds one. The environment must be protected by multiple independent and reinforcing controls so that a single failure has minimal or no impact.

Security Strategy
- Preventive (prevent the threat): security controls, stop the attack, automated remediation
- Detective (manage the risk): improve detection, faster response, minimize exposure

Defense in Depth security principle, as implemented to secure a government building
- Multiple layers of security.
- Guards have visibility to see adversaries approaching from a distance.
- A guard controls everyone entering and leaving.
- Security cameras monitor activity in the building.
- Physical access controls protect resources inside the building.
- Access to business premises is monitored.
Multiple layers of preventive and detective controls provide the best protection against threats.

Policies, Procedures and Awareness
Preventive (prevent the threat):
- SMART approach to security policy
- Security awareness training
- Auditor
- Incident response process
- Develop procedures to follow policy
Detective (manage the risk):
- Near real-time monitoring
- Security incident dashboard and alerts
- Review configuration changes and access reports
Integrate people, process and technology for maximum security.

Policies & Procedures Recommendation
- Map security policy to procedure.
- Leverage the CIS* Benchmark configurations to document technical control policies.
- Develop a security configuration standard for all system components.
- Identify the risk of not implementing technical control policies.
- Automate configuration verification against the benchmark configuration.
- Leverage an IT Service Management (ITSM) framework: incident management and service desk, service-level management (SLA), configuration management.
- Promote configuration monitoring by its advantage in avoiding unplanned application outages.
"It is against the security policy!!!" But nobody ever explains what the policy is, let alone documents or evaluates it.
* CIS: The Center for Internet Security

Security Awareness Benefits: security myth busters
- "Our firewall products protect us from the internet."
- "We haven't been broken into so far, so we must be doing a great job of security."
- "Technology products solve the security problem."
- "Our anti-virus and anti-malware scanners protect us."
- "Our IDS/NIDS will detect intrusions."
- "We don't do anything that makes us a target for attack."
Awareness training is one of the best myth busters.

Physical Security
Preventive (prevent the threat): secure building, restrict physical access, security guards, physical barriers
Detective (manage the risk): closed-circuit TV (CCTV), real-time surveillance, security cameras
Most security controls can be circumvented if an attacker gains physical access.

Perimeter Security
Preventive (prevent the threat): DMZ, hardened perimeter, VPN, control outbound connections from servers in the DMZ zone, permit only required network traffic
Detective (manage the risk): IDS on the perimeter network; monitor firewall, VPN and IDS access logs; associate alerts with ITSM service requests
Properly configured perimeter security protects from a large percentage of attacks.

Network Security
Preventive (prevent the threat): a series of network segments/zones (User, Internet, DMZ, Mid Tier, Database), the least possible software/services, firewall configuration, encryption of network packets
Detective (manage the risk): network intrusion detection system (NIDS), access log monitoring
Secure network devices against information gathering and DoS attacks.

Host, Data and Application Security
Objections against additional security controls:
- Strong perimeter security protects our application and database.
- Our firewall/NIDS protects us from the internet.
- The web-based application requires credentials.
- Database servers are in the most secured zone.
- Only a limited number of people have direct production server and database access.
- Our information is public record.
Perimeter security is unable to protect sensitive data against attacks using SQL injection, compromised privileged user access and clear-text network traffic.

Host (Server) Security
Preventive (prevent the threat): secure OS, implement compliance framework configuration, patch management with scheduled patching, IPS (intrusion prevention system)
Detective (manage the risk): centralized audit and log management system, monitor and correct configuration drift, leverage the ITSM service desk
A secured server protects the sensitive information on it.

Host Security Recommendation
- Defend the host (server) using strong access controls.
- Automate configuration verification against the benchmark configuration.
- Proactively apply security patches in a timely manner.
- Grant access to users based on their roles (needs) rather than enabling it by default.
- Review users' access rights periodically.
- Monitor host server access and activity logs; multiple access failures should generate an alert.
- Multi-factor authentication for privileged user access in the production environment.
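The policy recommendation and the host recommendation both ask for automated verification of configuration against a benchmark. The following is an added example of such a check, not Oracle's or the CIS's tooling: it parses an sshd_config, compares it with a benchmark table and reports drift. The benchmark values, the `Finding` type and the sample configuration files are assumptions constructed for the example; take the real required values from the CIS Benchmark for your platform.

```python
"""Automated configuration verification against a benchmark (added example; this is
not Oracle's or the CIS's tooling). The benchmark values below are assumptions that
resemble common SSH hardening settings; take the real values from the CIS Benchmark
for your platform. Both sshd_config texts are constructed samples."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed sample of an sshd_config as it might be found on a host.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
#MaxAuthTries 6
X11Forwarding no
"""

# The same file after remediation (constructed).
HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 4
X11Forwarding no
"""

# Assumed benchmark: directive -> required value.
BENCHMARK = {
    "Protocol": "2",
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "4",
    "X11Forwarding": "no",
}


@dataclass(frozen=True)
class Finding:
    directive: str
    expected: str
    actual: Optional[str]  # None: directive absent or only present as a comment


def parse_config(text: str) -> dict[str, str]:
    """Parse 'Directive value' lines. Comments and blank lines are ignored.
    sshd honours the first occurrence of a directive, so the parser does too."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        # sshd directive names are case-insensitive; normalise for lookup.
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_config(text: str, benchmark: dict[str, str]) -> list[Finding]:
    """Return one Finding per benchmark directive the configuration fails.
    A missing directive is a finding: the daemon default is not assumed to
    equal the hardened value."""
    actual = parse_config(text)
    findings: list[Finding] = []
    for directive, expected in benchmark.items():
        value = actual.get(directive.lower())
        if value is None or value.lower() != expected.lower():
            findings.append(Finding(directive, expected, value))
    return findings


def report(findings: list[Finding]) -> str:
    """Human-readable drift report, one line per finding."""
    if not findings:
        return "OK: configuration matches benchmark"
    lines = [f"FAIL: {len(findings)} finding(s)"]
    for f in findings:
        shown = f.actual if f.actual is not None else "<absent>"
        lines.append(f"  {f.directive}: expected {f.expected!r}, found {shown!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(check_config(SAMPLE_SSHD_CONFIG, BENCHMARK)))
    print(report(check_config(HARDENED_SSHD_CONFIG, BENCHMARK)))
```

Run on a schedule and fed into the service desk, a non-empty report is the "finding addressed" loop from the audit slide, except that the finding is raised by the organization itself between audits rather than by the auditor. Treating an absent directive as a failure is deliberate: a commented-out setting means the daemon default applies, and the default is rarely the hardened value.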
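The last two recommendations (monitor access logs; alert on multiple access failures) are the kind of detection a centralized log platform would run. The following is an added example, not part of the slides: it parses sshd-style authentication log lines and raises an alert when one source exceeds a failure threshold inside a sliding window, and a second alert when a login succeeds from a source that has just failed repeatedly. The log lines are constructed samples; the threshold, window and rule names are assumptions to be tuned per environment.

```python
"""Alerting on repeated authentication failures in host access logs (added example,
not part of the slides). Log lines are constructed to look like OpenSSH syslog
output with an ISO timestamp; threshold, window and rule names are assumptions."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one brute-force source that eventually succeeds as root,
# and one legitimate user whose two failures fall outside the window.
SAMPLE_AUTH_LOG = """\
2024-03-01T10:00:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
2024-03-01T10:00:04 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51123 ssh2
2024-03-01T10:00:07 host1 sshd[2201]: Failed password for root from 203.0.113.5 port 51124 ssh2
2024-03-01T10:00:09 host1 sshd[2201]: Failed password for root from 203.0.113.5 port 51125 ssh2
2024-03-01T10:00:12 host1 sshd[2201]: Failed password for root from 203.0.113.5 port 51126 ssh2
2024-03-01T10:00:15 host1 sshd[2201]: Accepted password for root from 203.0.113.5 port 51127 ssh2
2024-03-01T10:05:00 host1 sshd[2310]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2024-03-01T10:30:00 host1 sshd[2311]: Failed password for alice from 198.51.100.7 port 40002 ssh2
2024-03-01T10:30:03 host1 sshd[2312]: Accepted publickey for alice from 198.51.100.7 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

FAILURE_THRESHOLD = 5            # assumed: failures per source that trigger an alert
WINDOW = timedelta(minutes=10)   # assumed: sliding window for counting failures
SUCCESS_MIN_FAILURES = 3         # assumed: recent failures that make a success suspicious


def parse_line(line: str) -> dict | None:
    """Return the fields of an sshd auth line, or None for unrelated log lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, threshold=FAILURE_THRESHOLD, window=WINDOW,
           success_min_failures=SUCCESS_MIN_FAILURES) -> list[dict]:
    """Two rules over a per-source sliding window of failure timestamps:
    brute_force            -> the threshold-th failure inside the window
    success_after_failures -> an accepted login from a source with recent failures"""
    failures: dict[str, deque] = defaultdict(deque)
    alerts: list[dict] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        # Drop failures older than the window relative to this event.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == threshold:  # fire once, not on every later failure
                alerts.append({"rule": "brute_force", "src": ev["src"],
                               "count": len(recent), "at": ev["ts"]})
        elif len(recent) >= success_min_failures:
            alerts.append({"rule": "success_after_failures", "src": ev["src"],
                           "user": ev["user"], "count": len(recent), "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

The second rule is the one worth the pager: a burst of failures followed by an accepted login is the signature of a guessed or stolen credential, which the breach statistics earlier in the deck single out as the most common path in. The window keeps an ordinary user who mistypes a password twice an hour apart from triggering anything.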

Application Security
Preventive (prevent the threat): secure development practices, single authentication and authorization services, strong encryption and control of data-in-use
Detective (manage the risk): application activity monitoring, privileged user access review, leverage ITIL monitoring and service desk
Minimize application vulnerabilities to prevent attackers from exploiting them for unauthorized access to data and complete control of the system.

Application Security Recommendation
- Develop secure design guidelines for application architects.
- Security logic must be externalized as much as possible; applications should leverage common security services.
- Developers must not hard-code security logic into business solutions.
- Security enforcement, decisions and management must be performed by dedicated, shared services and infrastructure.
- A common audit log framework and monitoring should be leveraged.
- Evaluate application code for vulnerabilities and perform penetration testing.

Data Security
Preventive (prevent the threat): secure data at rest (encryption), secure data in transit, secure database configuration, prevent SQL injection, control data-in-use, mask sensitive data in non-production environments
Detective (manage the risk): privileged user control and analysis, database activity monitoring, verify database configuration
(Diagram: encrypted data, SQL-aware firewall, masked data, encrypted internal network communication)
Encrypted data is protected against attacks that bypass database and server access controls.

Data Security Recommendation
- Classify sensitive data stored in the database.
- Secure data at rest in the database to prevent users from bypassing database security; this also protects against theft or loss of disks and backups.
- Implement data redaction to limit exposure of sensitive data in applications.
- Rotate encryption keys periodically (yearly, quarterly).
- Prevent developers and testers from seeing actual production data.
- Reduce privileged access to sensitive data.
- Implement privileged user access control (emergency privileged access control).
- Multi-factor privileged access control to access production systems.
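The data security slides name SQL injection as the attack perimeter controls cannot stop, and redaction as the control that limits what an application exposes. The following is an added example, not Oracle's code, showing both: a deliberately vulnerable query built from user input beside its parameterised form, and a redaction step applied to the result. It uses the standard-library SQLite driver so it runs offline; the table, the two rows and their SSNs are constructed sample data, and the function names are the example's own.

```python
"""SQL injection: a vulnerable string-built query beside its parameterised form,
and application-side redaction of a sensitive column. Added example, not Oracle's
code; it uses the standard-library SQLite driver so it runs offline. Table, rows,
names and SSNs are constructed sample data."""
from __future__ import annotations

import re
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory table standing in for a citizen records database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE citizens (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)"
    )
    conn.executemany(
        "INSERT INTO citizens (name, ssn) VALUES (?, ?)",
        [("Alice Example", "123-45-6789"), ("Bob Example", "987-65-4321")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Deliberately vulnerable: the caller's input becomes part of the SQL text,
    so a quote in the input rewrites the WHERE clause."""
    sql = f"SELECT name, ssn FROM citizens WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Parameterised: the value travels separately from the statement and can
    only ever be compared as data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, ssn FROM citizens WHERE name = ?", (name,)
    ).fetchall()


SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")


def redact_ssn(ssn: str) -> str:
    """Keep only the last four digits; refuse values that are not in SSN form
    rather than passing them through unredacted."""
    m = SSN_RE.match(ssn)
    if not m:
        raise ValueError("value is not in SSN format")
    return f"***-**-{m.group(3)}"


def lookup_redacted(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """What an application screen should receive: the safe query plus redaction,
    so the full SSN never reaches the presentation layer for this use case."""
    return [(n, redact_ssn(s)) for n, s in lookup_safe(conn, name)]


if __name__ == "__main__":
    conn = setup_db()
    payload = "x' OR '1'='1"   # classic tautology injection
    print("vulnerable:", lookup_vulnerable(conn, payload))   # every row comes back
    print("safe:      ", lookup_safe(conn, payload))         # no row matches
    print("redacted:  ", lookup_redacted(conn, "Alice Example"))
```

The injected payload turns the vulnerable query into `WHERE name = 'x' OR '1'='1'`, which returns every SSN in the table; the parameterised query compares the whole payload as a literal name and returns nothing. Redaction here runs in the application; the slide's recommendation is stronger when the database performs it, because then the full value never leaves the data tier, and an SQL-aware firewall or activity monitor would see the injected statement shape as anomalous regardless of which layer redacts.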

Defense in Depth Architecture, layer by layer
- Policies, procedures and awareness: security awareness, policies, procedures; security event response strategy
- Physical: guards, locks, security cameras and access control
- Perimeter: firewalls, ACL-configured routers, VPN, network-based intrusion detection system
- Network: network segments, network-based intrusion detection system
- Host: patch management and security updates, intrusion prevention to prevent attacks, secure configuration and OS hardening, log management, strong passwords and permissions
- Application: securely designed application
- Data: secure communication path, encrypted (scrambled) data at rest

Defense in Depth: secure information and meet privacy requirements
- Security at each layer
- Security between layers
- Security between systems

Thank you. jignesh.j.patel@oracle.com