An Oracle White Paper April Oracle Technology for Government Cybersecurity


An Oracle White Paper April 2014 Oracle Technology for Government Cybersecurity

Disclaimer

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.

Executive Overview

Oracle offers an expansive technology portfolio, engineered and architected with Cybersecurity in mind. By maintaining a cohesive security focus in the innovation, engineering, integration, and support of products, Oracle's holistic Cybersecurity approach enables security capabilities that cannot be achieved with a patchwork of disparate point solutions and approaches. This underlying security structure and focus allows Oracle to engineer security into new products, enhance existing products' security capabilities, eliminate security risks that typically result from integration, and provide broad visibility and management capabilities to address even security concerns that span multiple environments.

Oracle's Cybersecurity Outlook

For reasons discussed in this document, security tools need to provide much more pervasive and powerful insight as well as enhanced management capabilities and reach. Oracle enables these capabilities throughout the Oracle technology stack with a rationalized security approach to engineering, integration, enhancements, & support.

The complexity and stealth of recent high-profile security breaches have shown public sector IT that Cybersecurity spans far beyond the reach of traditional security products into all aspects of IT enterprise architecture.

Table: Significant public sector data breach reports in recent years (Source: DataLossDB.org)

Organization | Records | Description
South Carolina Dept. of Revenue | 4,457,000 | A coordinated and persistent attack on the Dept. of Revenue systems discovered in October 2012 yields 3.8M Social Security Numbers, 387,000 Credit Card Numbers, and 657,000 Business Tax Information Records
Utah Dept. of Health | 780,000 | In March 2012, hackers suspected to be operating out of Eastern Europe accessed eligibility systems netting information including Social Security numbers, Medicaid coverage history, eligibility data, and other Personally Identifiable Information (PII)
Washington State Courts | 1,000,000 | Hackers attack middle tier infrastructure at the Administrative Office of the Courts in May 2013, pilfering PII of 1M people including 160,000 Social Security Numbers

From the point of compromise, to the expansion into an enterprise-wide event, malicious actors leave precious few opportunities to detect and abate an attack. Security must move past attempting to secure the enterprise from the perimeter outward in order to be effective. Today's government IT shop must have visibility into all elements of the technology footprint, both individually and collectively. Organizations must be able to:

- Provide understanding of what baseline operations normally look like and how potential attacks would manifest in that view
- Respond to attacks and irregularities immediately to stem the scope and impact of an event anywhere in the enterprise
- Return systems to their normal, uncompromised state, quickly and completely

This set of Cybersecurity abilities cannot emerge from compartmentalized, "security in a box" style tools or appliances. These capabilities must rely on architectural considerations and components that were designed with the new cyber threat landscape in mind. Oracle's security focused development enables government to manage Cybersecurity risk utilizing the power of each individual Oracle component as well as integrated capabilities across the Oracle stack.

Figure: Oracle security framework provides security infused throughout a complete technology stack

A History of Protecting

From its first customers and the company's very inception, Oracle has a long history of developing and supporting security capabilities, with special attention & emphasis on public sector requirements. [1] As the company has expanded to include all tiers of technology, from hardware, middleware, and engineered systems, up to best-of-breed applications and end user tools, government requirements have influenced a large number of security improvements and capabilities in the Oracle portfolio. Public sector has helped drive key requirements and specifications for Oracle advances in:

- Privileged User Controls
- Transparent Data Encryption
- Consolidated and Secure Audit Data Warehouses
- Database Firewalls
- Identity and Access Management, and more

Oracle has invested in building an open, integrated technology stack unlike any other offered today. As a result, Oracle is uniquely positioned to provide the security underpinnings of key infrastructure components in the enterprise. Oracle ensures this Cybersecurity foundation is an integral part of every phase of the development lifecycle: engineering, design, testing, certification, and support for all products.

Oracle's Cybersecurity Strategy

Threats grow increasingly capable: exposing blind spots in architecture, leveraging gaps in integration, covering up audit trails, and finding vulnerabilities in configurations and infrastructure with automated tools. Abating sophisticated threats will depend heavily on comprehensive capabilities to:

- Protect assets, data, privileges, and access across all environments
- Manage and enforce security policies and postures in all areas of the organization
- Detect attacks and anomalous behavior anywhere in the enterprise and understand the organizational risk presented
- Stem the scope and impact of incidents and recover to normal operating stance

[1] Oracle is named after a Central Intelligence Agency funded project the company founders collaborated on to provide a relational database with security functionality. The first customer of the commercially-available Oracle database was Wright-Patterson Air Force Base.

Oracle's methodology to address Cybersecurity must involve all tiers of the technology stack to provide these capabilities. Regardless of the technology component, Oracle's security framework focuses on providing tools for 3 sub-disciplines to provide a comprehensive approach to Cybersecurity: Cyber Defense, Continuous Monitoring and Cyber Analytics, and Cyber Compliance.

Cybersecurity Domains

Due to the increasing complexity of enterprise architecture, the elimination of traditional security perimeters, and the propensity of attackers to expand compromises to be enterprise in scope regardless of initial attack vector, an appropriate approach to Cybersecurity must be layered and resilient.

Cyber Defenses and Hardening

Defense and hardening refers to reducing threat surface by eliminating vulnerabilities at all stages of the software lifecycle: development, implementation, operation & management, and improvement/updates. This is accomplished through a number of different processes:

- Product security assurance: Ensuring that secure coding and development practices are meticulously followed, repeatedly reviewed, and constantly updated to keep Oracle technology prepared for the newest and most prevalent threat vectors.
- Enhancing security capabilities of Oracle products: Oracle continually evaluates customer requirements and updates product functionality to meet the most pressing security needs of public sector IT and users.
- Secure integration: Improving security by closing security gaps in integration projects. Because Oracle offers a full technology stack, it stands in a unique position to address weak spots in enterprise integration commonly leveraged by attackers to gain or expand access in a target environment. Additionally, this same designed integration advantage allows Oracle-to-Oracle implementations to leverage security capabilities and visibility across tiers and boundaries.
- Security Synergies: All of the above processes combine to collectively reduce complexity, improve productivity and performance, and take costs and risks out of the process of building secure architectures.

Continuous Monitoring and Cyber Analytics

Oracle provides management tools to address entire IT inventories, patching, and secure configuration needs. Responding to new attacks from advanced persistent threats, cybercriminals, hacktivists, and nation states requires the ability to detect all security relevant information across the enterprise and derive actionable intelligence from it. The necessary level of detail to answer key questions about an active attack can drill all the way down to very granular node and end point information from all across the enterprise. Government IT must be able to collect and analyze security data in near real time, with the ability to receive immediate alerts and reports in order to stop and respond to new cyber threats. Oracle technology provides a number of unique security capabilities for Continuous Monitoring and Cyber Analytics:

- Activity/Event Detection: Auditing, reporting, and alerts of comprehensive security information that spans data, systems, tiers, and environments. Today's threats require proactive alerting in response to potential security events.
- Security Maintenance: Comprehensive centralized tools for inventory, patch and configuration management.
- Cyber Integration: The ability to monitor services, sensors, and data together across products and environments, providing a comprehensive view of cybersecurity inputs outside individual products (viewing security information across IT sub-disciplines, e.g. Identity Management, RBAC, SOA, etc.).
- Cyber Analytics: Providing real time dashboard, analysis, and big data/fast data perspectives on security information across all products and environs.

Cyber Compliance

Oracle's Cyber defense efforts align to prevalent security standards and frameworks. While product development and integration present key considerations for enhancing security capabilities, the security requirements facing our public sector customers play a large role in the development, support, and enhancement of Oracle technology. This alignment with security standards and methodologies, referred to here as Cyber Compliance, falls into three domains:

Product Security Compliance

For some areas of IT, certifications and standards already exist to help ensure sound security practices are being used. Oracle goes to great lengths to ensure products comply with established standards for cryptography, hashing, security reporting, secure development practices, and other Cybersecurity standards (e.g. SCAP, FIPS 140, FIPS 180, Common Criteria, etc.). Beyond Oracle's internally driven efforts, the company is committed to adhering to guidance from trusted independent standards organizations and external validation of security products.

Solution and Framework Compliance

Many Cybersecurity standards go beyond individual IT components and address threat vectors relevant to organizational processes and management. These frameworks (e.g. STIGs, NIST Special Publication 800-53, Risk Management Framework, and Cybersecurity Framework, FedRAMP, etc.) go beyond individual product certifications and are often implementation specific. While no security product can ensure all organizational processes are completely in alignment with these frameworks, the security outcomes and capabilities prescribed by them can be aided and enabled by Oracle products. Oracle aligns Cybersecurity product functionality and development to support government's most important framework compliance requirements.

Programmatic Compliance

Beyond product specifications and implementation guidance, public sector is often tasked with aligning security to achieve specific business outcomes related to Cybersecurity. These programmatic requirements (e.g. FISMA, HIPAA/HITECH, CJIS, IRS 1075, etc.) often involve product certifications and/or adherence to frameworks, but additionally programmatic compliance must address business outcomes required for participation in government programs and initiatives. Oracle engineers products with these programs, associated security capabilities, and relevant use cases in mind.

Summary

The sophistication, stealth, and pervasiveness of new cyber threats require an enterprise approach to address. Granular security information must be gathered, rationalized, and analyzed from all levels of the technology stack to provide actionable feedback on potential incidents. Only Oracle offers a complete technology portfolio architected with these new security requirements in mind. Oracle focuses development on hardening products, tightening integration of the Oracle stack, enabling cybersecurity reporting and analytics, and achieving multiple types of security compliance. This architectural approach to cybersecurity provides unparalleled depth, insight, control, and agility in addressing cyber threats that cannot be achieved with a patchwork of disparate systems.

Oracle Technology for Government Cybersecurity
April 2014
Author: P. Laurent

Oracle Corporation
World Headquarters
500 Oracle Parkway
Redwood Shores, CA 94065
U.S.A.

Worldwide Inquiries:
Phone: +1.650.506.7000
Fax: +1.650.506.7200
oracle.com

Copyright 2014, Oracle and/or its affiliates. All rights reserved. This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.