Data Security and Privacy: Compliance to Stewardship
Jignesh Patel, Solution Consultant, Oracle

Agenda
- Connected Government
- Security Threats and Risks
- Defense in Depth Approach
- Summary

Connected Government: Provide better services for efficient government

Connected government makes a difference in people's lives
- Cloud Computing
- Analytics and Big Data
- Mobile Users
- Social Experience
- Citizen Services
Changing the way government delivers services

Security Threats and Risks: Growing risk for government

Government challenges have evolved
- Privacy
- Quality of Service
- Data Security & Integrity
- Regulatory Compliance
- SSN #
- Personal Profile
- Identity Theft
- Info Security
- Credit Card Info
- Tax IDs
- Denial of Service
- Fraud
- Continuous Monitoring
- Collaboration
- Privacy
- HIPAA / HITECH, PII, NERC, PCI DSS, IRS 1075, CJIS

Importance of Security: Risk to data, actors and motivators
- Hackers
- Organized criminals
- Nation states
- Terrorists
- Individuals
Insider, outsider, or outsider with the help of an insider!

From mistakes to attacks: basic security is not enough
- Mistakes: accidental erasure, accidental disclosure
- Misuse: privilege abuse, deliberate leakage, curiosity
- Malicious coordinated attacks: hacking, data theft, denial of service, blackmail
Adapted from Kuppinger Cole presentation, March 2013

NIST 800 Series IRS 1075
Security findings and the auditor: Compliance verification
[Figure: timeline of Q1, Q2 and Q3 audit findings, each followed by "Finding Addressed"]
Ad-hoc response to audit findings is costly & insecure
Adapted from Kuppinger Cole presentation, March 2013

Traditional Security Approach: detecting, preventing or stopping threats on the network or devices
[Figure: User -> Device -> Network -> Apps -> Data]
Users are accessing applications and data from devices via the network

Traditional Security Approach: detecting, preventing or stopping threats on the network or devices
[Figure: User -> Device -> Network -> Apps -> Data]
The majority of the security budget has been spent on stopping or detecting threats on the network or device.

Traditional Security Approach: limited controls to protect data and users
[Figure: User -> Device -> Network -> Apps -> Data]
Little attention to user activity and data protection. Most organizations don't completely understand data and user actions.

- 67% of records breached from servers
- 76% breached using weak or stolen credentials
- 69% discovered by an external party
- Over 1.1B served
- 97% preventable with basic controls
Most of the security budget is spent on firewalls, anti-virus and IDS, forgetting to secure data

Defense in Depth Approach: Multi-layered

Defense in Depth Architecture: Multi-layered Security
- Integrate people, process and technology
- Layered security
All security products have inherent weaknesses; it is only a matter of time before an adversary finds one. The environment must be protected by multiple independent and reinforcing controls so that a single failure has minimal or no impact.

Security Strategy
Preventive (prevent the threat): security control, stop attack, automated remediation
Detective (manage the risk): improve detection, faster response, minimize exposure

Defense in Depth Security Principle, as implemented to secure a government building
Multiple layers of security:
- Guards have visibility to see adversaries approaching from a distance.
- Guards control everyone entering and leaving.
- Security cameras monitor activity in the building.
- Physical access controls protect resources inside the building.
- Access to business premises is monitored.
Multiple layers of preventive and detective controls provide the best protection against threats.

Policies, Procedure and Awareness
Preventive (prevent the threat):
- SMART approach to security policy
- Security awareness training
- Auditor
- Incident response process
- Develop procedures to follow policy
Detective (manage the risk):
- Near real-time monitoring
- Security incident dashboard!
- Alerts
- Review configuration changes and access reports
Integrate people, process and technology for maximum security

Policies & Procedure Recommendations
- Map security policy to procedure.
- Leverage the CIS* Benchmark configuration to document technical control policies.
- Develop a security configuration standard for all system components.
- Identify the risk of not implementing technical control policies.
- Automate configuration verification against the benchmark configuration.
- Leverage an IT Service Management (ITSM) framework: incident management & service desk, service-level management (SLA), configuration management.
- Promote the advantage of configuration monitoring over unplanned application outages.
"It is against the security policy!!!" but nobody ever explains what the policy is, let alone documents or evaluates it.
* CIS: The Center for Internet Security

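As an added illustration of automating configuration verification against a documented benchmark (example code, not from the deck, Oracle or CIS): a small Python drift checker that parses an sshd_config-style file and reports every setting that differs from, or is missing from, the benchmark. The benchmark values and the sample config are constructed placeholders, not the CIS Benchmark's actual settings.

```python
# Added example (not from the original deck): verify a host's configuration
# against a documented benchmark and report drift. The benchmark values and
# sample config are constructed placeholders, not the CIS Benchmark's settings.

BENCHMARK = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "4",
    "X11Forwarding": "no",
}

# Constructed sshd_config-style file as it might be found on a server.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
MaxAuthTries 4
X11Forwarding no
"""


def parse_config(text):
    """Parse 'Key value' lines into a dict, ignoring comments and blanks.
    Keys are lower-cased because sshd matches them case-insensitively."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def check_drift(text, benchmark=BENCHMARK):
    """Return (key, expected, actual) for every benchmark item the config
    fails; a setting absent from the file is reported with actual=None."""
    actual = parse_config(text)
    findings = []
    for key, expected in benchmark.items():
        value = actual.get(key.lower())
        if value is None or value.lower() != expected.lower():
            findings.append((key, expected, value))
    return findings


if __name__ == "__main__":
    for key, expected, value in check_drift(SAMPLE_CONFIG):
        state = "missing" if value is None else f"set to {value!r}"
        print(f"DRIFT: {key} {state}; benchmark requires {expected!r}")
```

Run on a schedule and fed into the service desk, each finding becomes a ticket rather than a surprise at the next audit.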
Security Awareness Benefits: Security Myth Busters
- Our firewall products protect us from the internet.
- We haven't been broken into so far, so we must be doing a great job of security.
- Technology products solve the security problem.
- Our anti-virus and anti-malware scanners protect us.
- Our IDS/NIDS will detect intrusions.
- We don't do anything that makes us a target for attack.
Awareness training is one of the best myth busters

Physical Security
Preventive (prevent the threat):
- Secure building
- Restrict physical access
- Security guards
- Physical barriers
Detective (manage the risk):
- Closed circuit TV (CCTV)
- Real-time surveillance
- Security cameras
Most security controls can be circumvented if an attacker gains physical access

Perimeter Security
Preventive (prevent the threat):
- DMZ
- Hardened perimeter
- VPN
- Control outbound connections from servers in the DMZ zone
- Permit only required network traffic
Detective (manage the risk):
- IDS on the perimeter network
- Monitor access logs
- Associate alerts with ITSM service requests
[Figure: Firewall, VPN, IDS]
Properly configured perimeter security protects from a large percentage of attacks.

Network Security
Preventive (prevent the threat):
- Series of network segments/zones
- Least possible software/services
- Firewall configuration
- Encryption of network packets
[Figure: User -> Internet -> DMZ -> Mid Tier -> Database]
Detective (manage the risk):
- Network intrusion detection system (NIDS)
- Access log monitoring
Secure network devices against information gathering and DoS attacks.

Host, Data and Application Security
Objections against additional security controls:
- Strong perimeter security protects our application and database.
- Our firewall/NIDS protects us from the internet.
- Web-based applications require credentials.
- Database servers are in the most secured zone.
- Limited persons have direct production server and database access.
- Our information is public record.
Perimeter security is unable to protect sensitive data against attacks using SQL injection, compromised privileged user access and clear-text network traffic.

Host (Server) Security
Preventive (prevent the threat):
- Secure OS
- Implement compliance framework configuration.
- Patch management: scheduled patching
- IPS (Intrusion Protection System)
Detective (manage the risk):
- Centralized audit and log management system
- Monitor & correct configuration drift
- Leverage ITSM service desk
A secured server protects sensitive information on the server

Host Security Recommendations
- Defend the host (server) using strong access controls on hosts.
- Automate configuration verification against the benchmark configuration.
- Proactively apply security patches in a timely manner.
- Grant access to users based on their roles (needs) rather than enabled by default.
- Review users' access rights periodically.
- Monitor host server access and activity logs. Multiple access failures should generate an alert.
- Multi-factor authentication for privileged user access in the production environment.

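An added example, not from the original deck, of the detective control recommended above: Python that parses constructed sshd-style auth log lines, raises an alert when one source exceeds a failure threshold inside a time window, and also flags a later successful login from that same source. The log lines, hostnames and addresses are constructed; the threshold, window and the year used to complete the syslog timestamps are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style auth log (not real data; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
Jan 12 10:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 10:00:04 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 12 10:00:09 host1 sshd[2002]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 12 10:00:12 host1 sshd[2003]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jan 12 10:00:15 host1 sshd[2004]: Failed password for root from 203.0.113.5 port 51248 ssh2
Jan 12 10:00:40 host1 sshd[2005]: Accepted password for root from 203.0.113.5 port 51250 ssh2
Jan 12 10:05:00 host1 sshd[2006]: Failed password for jsmith from 198.51.100.7 port 40000 ssh2
Jan 12 10:30:00 host1 sshd[2007]: Accepted publickey for jsmith from 198.51.100.7 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_line(line, year=2024):
    """Return (timestamp, result, user, source), or None for lines not handled. Syslog omits the year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]

def detect(log_text, threshold=5, window_s=300):
    """Alert ('brute_force', src, n) once `threshold` failures from one source fall inside `window_s` seconds,
    and ('success_after_failures', src, user) when a login later succeeds from a source that tripped it."""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ts, result, user, src = ev
        if result == "Failed":
            q = recent[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, len(q)))
        elif src in flagged:
            alerts.append(("success_after_failures", src, user))
    return alerts
```

The second alert type is the one worth routing to the incident response process: failures alone may be noise, but a success from a source that was just guessing is the signature of a credential-based breach.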
Application Security
Preventive (prevent the threat):
- Secure development practice
- Single authentication and authorization services
- Strong encryption and control of data-in-use
Detective (manage the risk):
- Application activity monitoring
- Privileged user's access review
- Leverage ITIL monitoring and service desk
Minimize application vulnerabilities to prevent attackers from exploiting them for unauthorized access to data and complete control of the system

Application Security Recommendations
- Develop secure design guidelines for application architects.
- Security logic must be externalized as much as possible.
- Applications should leverage common security services.
- Developers must not hard-code security logic into business solutions.
- Security enforcement, decisions, and management must be performed by dedicated, shared services and infrastructure.
- A common audit log framework and monitoring should be leveraged.
- Evaluate application code for vulnerabilities and perform penetration testing.

Data Security
Preventive (prevent the threat):
- Secure data at rest (encryption)
- Secure data in transit
- Secure database configuration
- Prevent SQL injection
- Control data-in-use
- Mask non-production sensitive data
Detective (manage the risk):
- Privileged user control & analysis
- Database activity monitoring
- Verify database configuration
[Figure: encrypted data, SQL-aware firewall, masked data, encrypted internal network communication]
Encrypted data is protected against attacks that bypass database and server access controls

Data Security Recommendations
- Classify sensitive data stored in the database.
- Secure data-at-rest in the database to prevent users from bypassing database security; this also protects against theft or loss of disks and backups.
- Implement data redaction to limit exposure of sensitive data in applications.
- Rotate encryption keys periodically (yearly, quarterly).
- Prevent developers and testers from seeing the actual production data.
- Reduce privileged access to the sensitive data.
- Implement privileged user access control (emergency privileged access control).
- Multi-factor privileged access control to access production systems.

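An added example (not the deck's or Oracle's code) covering two of the data security points above, preventing SQL injection and limiting exposure of sensitive data in applications: the query-splicing form beside its parameterized form, and application-layer redaction that lets only the last four digits of an SSN reach the caller. It uses Python's built-in sqlite3 with constructed, fictitious records standing in for a production table.

```python
import re
import sqlite3

# Constructed records: names and SSNs are fictitious.
RECORDS = [("Ada Lovelace", "123-45-6789"), ("Alan Turing", "987-65-4321")]


def open_db():
    """In-memory table standing in for a production database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE citizen (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO citizen (name, ssn) VALUES (?, ?)", RECORDS)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable form: caller input is spliced into the SQL text, so the
    input can change the query's logic instead of being treated as data."""
    sql = f"SELECT name, ssn FROM citizen WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute("SELECT name, ssn FROM citizen WHERE name = ?", (name,)).fetchall()


SSN_RE = re.compile(r"\b\d{3}-\d{2}-(\d{4})\b")


def redact_ssn(text):
    """Application-layer redaction: keep only the last four digits of an SSN."""
    return SSN_RE.sub(r"XXX-XX-\1", text)


def lookup_redacted(conn, name):
    """What a non-privileged application screen should receive."""
    return [(n, redact_ssn(s)) for n, s in lookup_safe(conn, name)]
```

Redaction in the application is a complement to, not a substitute for, encryption at rest: it limits what a legitimate user sees, while encryption protects the stored data from anyone who bypasses the database entirely.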
Defense in Depth Architecture
- Policies, procedures and awareness: security awareness, policies, procedures; security event response strategy
- Physical: guards, locks, security cameras and access control
- Perimeter: firewalls, ACL-configured routers, VPN, network-based intrusion detection system
- Network: network segments, network-based intrusion detection system
- Host: patch management (security updates), intrusion prevention (prevent attack), secure configuration (OS hardening, log management), strong passwords, permissions
- Application: securely designed application
- Data: secure communication path, encrypt (scramble) data at rest

Defense in Depth: Secure information and meet privacy requirements
- Security at each layer
- Security between layers
- Security between systems
[Figure: "SECURITY" repeated along every layer boundary]

Thank you
jignesh.j.patel@oracle.com