An Oracle White Paper
April 2014

Oracle Technology for Government Cybersecurity

Disclaimer

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Executive Overview

Oracle offers an expansive technology portfolio, engineered and architected with Cybersecurity in mind. By maintaining a cohesive security focus in the innovation, engineering, integration, and support of products, Oracle's holistic Cybersecurity approach enables security capabilities that cannot be achieved with a patchwork of disparate point solutions and approaches. This underlying security structure and focus allows Oracle to engineer security into new products, enhance existing products' security capabilities, eliminate security risks that typically result from integration, and provide broad visibility and management capabilities to address even security concerns that span multiple environments.

Oracle's Cybersecurity Outlook

For reasons discussed in this document, security tools need to provide much more pervasive and powerful insight as well as enhanced management capabilities and reach. Oracle enables these capabilities throughout the Oracle technology stack with a rationalized security approach to engineering, integration, enhancements, and support. The complexity and stealth of recent high-profile security breaches have shown public sector IT that Cybersecurity spans far beyond the reach of traditional security products into all aspects of IT enterprise architecture.

Table: Significant Public Sector Data Breach Reports in Recent Years (Source: DataLossDB.org)

| Organization | Records | Description |
|---|---|---|
| South Carolina Dept. of Revenue | 4,457,000 | A coordinated and persistent attack on the Dept. of Revenue systems discovered in October 2012 yields 3.8M Social Security Numbers, 387,000 Credit Card Numbers, and 657,000 Business Tax Information Records |
| Utah Dept. of Health | 780,000 | In March 2012, hackers suspected to be operating out of Eastern Europe accessed eligibility systems netting information including Social Security numbers, Medicaid coverage history, eligibility data, and other Personally Identifiable Information (PII) |
| Washington State Courts | 1,000,000 | Hackers attack middle tier infrastructure at the Administrative Office of the Courts in May 2013, pilfering PII of 1M people including 160,000 Social Security Numbers |

From the point of compromise, to the expansion into an enterprise-wide event, malicious actors leave precious few opportunities to detect and abate an attack. Security must move past attempting to secure the enterprise from the perimeter outward in order to be effective. Today's government IT shop must have visibility into all elements of the technology footprint, both individually and collectively. Organizations must be able to:

- Provide understanding of what baseline operations normally look like and how potential attacks would manifest in that view
- Respond to attacks and irregularities immediately to stem the scope and impact of an event anywhere in the enterprise
- Return systems to their normal, uncompromised state, quickly and completely

This set of Cybersecurity abilities cannot emerge from compartmentalized, "security in a box" style tools or appliances. These capabilities must rely on architectural considerations and components that were designed with the new cyber threat landscape in mind. Oracle's security focused development enables government to manage Cybersecurity risk utilizing the power of each individual Oracle component as well as integrated capabilities across the Oracle stack.

Figure: Oracle security framework provides security infused throughout a complete technology stack

A History of Protecting

From its first customers and the company's very inception, Oracle has a long history of developing and supporting security capabilities, with special attention and emphasis on public sector requirements. [1] As the company has expanded to include all tiers of technology, from hardware, middleware, and engineered systems, up to best-of-breed applications and end user tools, government requirements have influenced a large number of security improvements and capabilities in the Oracle portfolio. Public sector has helped drive key requirements and specifications for Oracle advances in:

- Privileged User Controls
- Transparent Data Encryption
- Consolidated and Secure Audit Data Warehouses
- Database Firewalls
- Identity and Access Management, and more

Oracle has invested in building an open, integrated technology stack unlike any other offered today. As a result, Oracle is uniquely positioned to provide the security underpinnings of key infrastructure components in the enterprise. Oracle ensures this Cybersecurity foundation is an integral part of every phase of the development lifecycle: engineering, design, testing, certification, and support for all products.

Oracle's Cybersecurity Strategy

Threats grow increasingly capable, exposing blind spots in architecture, leveraging gaps in integration, covering up audit trails, and finding vulnerabilities in configurations and infrastructure with automated tools.
Abating sophisticated threats will depend heavily on comprehensive capabilities to:

- Protect assets, data, privileges, and access across all environments
- Manage and enforce security policies and postures in all areas of the organization
- Detect attacks and anomalous behavior anywhere in the enterprise and understand the organizational risk presented
- Stem the scope and impact of incidents and recover to normal operating stance

[1] Oracle is named after a Central Intelligence Agency funded project the company founders collaborated on to provide a relational database with security functionality. The first customer of the commercially-available Oracle database was Wright-Patterson Air Force Base.

Oracle's methodology to address Cybersecurity must involve all tiers of the technology stack to provide these capabilities. Regardless of the technology component, Oracle's security framework focuses on providing tools for 3 sub-disciplines to provide a comprehensive approach to Cybersecurity: Cyber Defense, Continuous Monitoring and Cyber Analytics, and Cyber Compliance.

Cybersecurity Domains

Due to the increasing complexity of enterprise architecture, the elimination of traditional security perimeters, and the propensity of attackers to expand compromises to be enterprise in scope regardless of initial attack vector, an appropriate approach to Cybersecurity must be layered and resilient.

Cyber Defenses and Hardening

Defense and hardening refers to reducing threat surface by eliminating vulnerabilities at all stages of software lifecycle: development, implementation, operation and management, and improvement/updates. This is accomplished through a number of different processes:

- Product security assurance: Ensuring that secure coding and development practices are meticulously followed, repeatedly reviewed, and constantly updated to keep Oracle technology prepared for the newest and most prevalent threat vectors.
- Enhancing security capabilities of Oracle products: Oracle continually evaluates customer requirements and updates product functionality to meet the most pressing security needs of public sector IT and users.
- Secure integration: Improving security by closing security gaps in integration projects. Because Oracle offers a full technology stack, it stands in a unique position to address weak spots in enterprise integration commonly leveraged by attackers to gain or expand access in a target environment. Additionally, this same designed integration advantage allows Oracle-to-Oracle implementations to leverage security capabilities and visibility across tiers and boundaries.
- Security Synergies: All of the above processes combine to collectively reduce complexity, improve productivity and performance, and take costs and risks out of the process of building secure architectures.

Continuous Monitoring and Cyber Analytics

Oracle provides management tools to address entire IT inventories, patching, and secure configuration needs. Responding to new attacks from advanced persistent threats, cybercriminals, hacktivists, and nation states requires the ability to detect all security relevant information across the enterprise and derive actionable intelligence from it. The necessary level of detail to answer key questions about an active attack can drill all the way down to very granular node and end point information from all across the enterprise. Government IT must be able to collect and analyze security data in near real time, with the ability to receive immediate alerts and reports in order to stop and respond to new cyber threats.

Oracle technology provides a number of unique security capabilities for Continuous Monitoring and Cyber Analytics:

- Activity/Event Detection: Auditing, reporting, and alerts of comprehensive security information that spans data, systems, tiers, and environments. Today's threats require proactive alerting in response to potential security events.
- Security Maintenance: Comprehensive centralized tools for inventory, patch and configuration management.
- Cyber Integration: The ability to monitor services, sensors, and data together across products and environments, providing a comprehensive view of cybersecurity inputs outside individual products (viewing security information across IT sub-disciplines, e.g. Identity Management, RBAC, SOA, etc.).
- Cyber Analytics: Providing real-time dashboard, analysis, and big data/fast data perspectives on security information across all products and environs.

Cyber Compliance

Oracle's Cyber defense efforts align to prevalent security standards and frameworks. While product development and integration present key considerations for enhancing security capabilities, the security requirements facing our public sector customers play a large role in the development, support, and enhancement of Oracle technology. This alignment with security standards and methodologies, referred to here as Cyber Compliance, falls into three domains:

- Product Security Compliance: For some areas of IT, certifications and standards already exist to help ensure sound security practices are being used. Oracle goes to great lengths to ensure products comply with established standards for cryptography, hashing, security reporting, secure development practices, and other Cybersecurity standards (e.g. SCAP, FIPS 140, FIPS 180, Common Criteria, etc.).
Beyond Oracle's internally driven efforts, the company is committed to adhering to guidance from trusted independent standards organizations and external validation of security products.
- Solution and Framework Compliance: Many Cybersecurity standards go beyond individual IT components and address threat vectors relevant to organizational processes and management. These frameworks (e.g. STIGs, NIST Special Publication 800-53, Risk Management Framework, and Cybersecurity Framework, FedRAMP, etc.) go beyond individual product certifications and are often implementation specific. While no security product can ensure all organizational processes are completely in alignment with these frameworks, the security outcomes and capabilities prescribed by them can be aided and enabled by Oracle products. Oracle aligns Cybersecurity product functionality and development to support government's most important framework compliance requirements.
- Programmatic Compliance: Beyond product specifications and implementation guidance, public sector is often tasked with aligning security to achieve specific business outcomes related to Cybersecurity. These programmatic requirements (e.g. FISMA, HIPAA/HITECH, CJIS, IRS 1075, etc.) often involve product certifications and/or adherence to frameworks, but additionally programmatic compliance must address business outcomes required for participation in government programs and initiatives. Oracle engineers products with these programs, associated security capabilities, and relevant use cases in mind.

Summary

The sophistication, stealth, and pervasiveness of new cyber threats require an enterprise approach to address. Granular security information must be gathered, rationalized, and analyzed from all levels of the technology stack to provide actionable feedback on potential incidents. Only Oracle offers a complete technology portfolio architected with these new security requirements in mind. Oracle focuses development on hardening products, tightening integration of the Oracle stack, enabling cybersecurity reporting and analytics, and achieving multiple types of security compliance. This architectural approach to cybersecurity provides unparalleled depth, insight, control, and agility in addressing cyber threats that cannot be achieved with a patchwork of disparate systems.

Oracle Technology for Government Cybersecurity
April 2014
Author: P. Laurent

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright 2014, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.