On Demand Cloud Services (Coury)

Oracle On Demand Cloud Services: Security Strategy Mitigates Risk and Enables Compliance

Gail Coury, Vice President, Global IT Risk Management


Changing Landscape

Copyright ©2011, Oracle. All rights reserved.

Businesses are increasingly dependent on IT in order to deliver products and services

Intellectual property and business records are becoming wholly electronic

Business collaboration is driving a disappearing perimeter

On demand computing requires anywhere & anytime access

Stealth & targeted attacks challenge our defenses

Information has value – hacking is profitable

More Data Than Ever…

[Chart: growth of the digital universe, 2009 to 2020. 2009: 62% increase over 2008. 2020: 35 zettabytes (ZB = 1 trillion gigabytes), an expected growth by a factor of 44.]

Source: IDC Digital Universe Study, May 2010

More Breaches Than Ever…

Once exposed, the data is out there – the bell can’t be un-rung

[Chart: publicly reported data breaches, 2005 to 2010. Total personally identifying information records exposed (millions), cumulative growth: 1084% increase.]

Average cost of a data breach: $204 per record

Average total cost exceeds $6.7 million per breach

Sources: http://datalossdb.org / 2009 Annual Study: US Cost of a Data Breach, Ponemon Institute, 2010

More Threats Than Ever…

• On average there are about 6,000,000 new botnet infections per month

• External breaches are largely the work of organized criminals

Sources: McAfee Threats Report: 3rd Quarter 2010 / 2010 Verizon Data Breach Investigations Report

More Regulations Than Ever…

• Federal, state, local, industry…adding more mandates every year!

– Health Information Technology for Economic and Clinical Health Act of 2009

– Massachusetts Law 201 CMR 17.00: Standards For The Protection Of Personal Information

• Need to meet AND demonstrate compliance

• Compliance costs are unsustainable

[Chart: Report and Audit; 90% of companies behind in compliance. Source: IT Policy Compliance Group, 2007]

More Demands Than Ever…

“In the future, policy makers and regulators will probably demand that IT systems capture more and better data in order to gain greater insight into and control over how banks manage risk, pharma companies manage drugs, and industrial companies affect the environment.

Successful CIOs should enhance their relationships with internal legal and corporate-affairs teams and be prepared to engage productively with regulators. They will need to seek solutions that meet government mandates at manageable cost and with minimal disruption.”

Source: McKinsey, 5 Trends that will Shape Business Technology in 2009

Regulators Demand More from IT

Cloud Service Adoption: Security Continues to be the #1 Concern

It could actually be a benefit…

Source: www.networkcomputing.com / IDC Survey: Risk In The Cloud, June 16, 2010

“So if you flip that apprehension on its head, there may be benefits in leveraging a cloud offering with the [security] focus and core competence that a cloud provider brings to the table.” – Michael Pearl, PricewaterhouseCoopers

Oracle On Demand Security Strategy

IT SECURITY REQUIREMENTS

• People, Process & Technology

• Compliance services that can be leveraged

• Disaster recovery services to cover any requirement

• Security products to automate the work

BUSINESS BENEFITS

• Protect privacy

• Protect from intrusion & malicious acts

• Comply with regulatory requirements

• Avoid adverse legal consequences

• Assure business continuity

• Protect the valuation & reputation of your business

Oracle On Demand

Benefits of New Software Delivery Models, Minimizing Risk

[Diagram: managed stack, from Infrastructure up through Operating System, Database, Middleware and Applications.]

• Over 5.5 million users

• 89% of customers on most current releases

• Lower Risk

– Proven Best Practices

– Unparalleled Oracle Expertise

– Scalable, World Class Technology Platform and Infrastructure

Oracle On Demand Protects Customer Data & Systems

Secure Infrastructure & Software Management Service

[Diagram: four pillars of the service: Security Policies, Processes, Organization; Audit & Compliance; Security Products & Services; Disaster Recovery.]

Oracle Security Organization

[Organization chart. Elements shown:]

Oracle Security Oversight Committee

ORACLE CORPORATE SECURITY: Security Architect; Information Security; Product Security; Physical Security

LINES OF BUSINESS: On Demand Risk Management; Government Affairs / Global Public Policy; Product Support, Product Development, etc.; Legal / Security & Privacy Counsel; Information Security Manager

Utilize International Security Standard

[Diagram: control domains of the ISO 27000 framework]

• Security Organization

• Operations Management

• System Acquisition & Maintenance

• Security Policy

• Legal Compliance

• Human Resources Security

• Asset Management

• Physical & Environmental

• Security Incident Management

• Privileged Access Control

• Business Continuity & DR

On Demand Follows the ISO 27000 Framework

Risk Management: Layered Defense in Depth

[Diagram: layers of Technologies, Services, Governance and Strategy around Information Governance.]

Security Technologies

• Secure Web Gateways

• End User Security

• Intrusion Detection & Prevention

• File Integrity Monitoring using Change Control Console

• Full Disk and Tape Encryption

• Multi-Factor Authentication for Administrators

• Segregated Networks

• Power Broker for Privileged Management

• Network & Host Data Loss Prevention

• Security Configuration Monitoring using EM

Security Services

• Regular Scheduled Scanning of Hosts

• Automated Compliance Testing

• Real-time Security Event Correlation & Monitoring

Governance

• Auditing and Self-Assessment

• Business Continuity Planning & Testing

• Regulatory Compliance (SOX, PCI, HIPAA, Federal)

• Accessible Services

• Partner Security

• Governance, Risk & Compliance Documentation

Security Strategy

• Security Technical Design Reviews

• Security Technical Assessments

• Secure Configuration


Top 10 Practices to Improve IT Security

Organizations with the best outcomes are prioritizing their top 10 practices very differently from other organizations; and are fully automating most of the top 10 practices:

1. Technical controls are mapped to IT policies, regulatory mandates & legal statutes.

2. Antivirus signatures are updated & applied frequently.

3. Roles and responsibilities of policy owners are defined & maintained.

4. Evidence about IT configurations and technical controls is gathered for evaluation & analysis.

5. Gaps in procedural controls are identified, remediated and tested on a regular basis.

6. Vulnerability scanning and penetration testing of IT assets is conducted on a regular basis.

7. IT assets and audit trails are monitored on a continuous basis.

8. IT assets and software service configurations are tested regularly.

9. Unauthorized access to IT assets is automatically detected or prevented using IT controls.

10. Lists of IT assets and configurations are maintained in central repositories for easy access & analysis.

Source: IT Policy Compliance Group

Leverage On Demand… Compliance Certifications

[Figure: compliance certifications held by Oracle On Demand, each paired with the number of controls tested.]

For Commercial Services

• ISO 27001 Certification

• ISO 27002 Certificate of Conformity

• SAS 70 Type II

• HIPAA Compliance

• Payment Card Industry (PCI): Compliant Level 1 Service Provider

• Control counts shown for commercial services: 108 Controls Tested Biannually; 112, 132, 217 and 64 Controls Tested Annually

Department of Defense (DoD) and Agencies

• Federal Certification & Accreditation (C&A)

• 700+ Controls Tested Annually

• NIST & DIACAP

Service Offering Under Development

• 21 CFR Part 11

Common Controls Fulfill Multiple Requirements

[Matrix: rows are process controls, columns are industry standards and regulations; each cell marks where one control satisfies a requirement of that standard.]

Standards / Regs (Industry)

• ISO 27002

• SAS 70 (Public Firms)

• HIPAA (Health Care)

• PCI DSS (FSI, Retail)

• NIST (Federal Agencies)

• 21 CFR 11 (Life Sciences)

Process Controls

• Policy Development & Maintenance

• Asset Management

• Access Control & Mgmt

• HR Security Controls

• Change Control Procedures

• Segregation of Duties

• Cryptographic Controls

• Backup and Recovery

• Media Handling

• Monitoring, Auditing & Logging

Cloud Security Alliance: To Assist Prospective Cloud Customers in Assessing the Overall Security Risk of a Cloud Provider

Source: CSA Cloud Controls Matrix http://www.cloudsecurityalliance.org/cm.html

Services Address Security Needs & Leverage Oracle Technology

SECURITY SERVICES

• HIPAA Security Services

• PCI Security Services

• Enhanced Security Services

• Federal On Demand

ORACLE PRODUCTS

• Audit Vault

• Transparent Data Encryption (TDE)

• Change Control Console

• Data Masking

• Adaptive Access Manager

• Configuration Management

HIPAA Security Services: Advanced Service Offerings for Health Information

Base Services

• Annual 3rd Party HIPAA compliance assessment

• Annual risk assessment

• Quarterly external vulnerability scan

• ePHI Network Topology Review

• Host-based Data Loss Prevention (HDLP)

• HIPAA trained support staff

Advanced Services

• Quarterly vulnerability scanning

• Database auditing in conjunction with Oracle Audit Vault

• Oracle Data Masking

• Oracle Transparent Database Encryption (TDE)

• Web Application Firewall

• Flat File Encryption

• Security Maintenance Program

• Annual penetration test

Value

• Designed to protect Customer’s electronic protected health information (ePHI) in environments managed by Oracle

• Assists the Customer to meet its legal obligations under HIPAA (1) as amended by the HITECH (2) Act

• Service Data Sheet

(1) Health Insurance Portability and Accountability Act of 1996

(2) Health Information Technology for Economic and Clinical Health Act of 2009

PCI Security Services: Advanced Service Offerings To Meet Payment Card Industry (PCI) Data Security Standards (DSS)

Base Services

• PCI DSS Controls

• PCI Self-Assessments

• Annual Security Assessment

• Quarterly Vulnerability Scans

• Quarterly PCI Scans

• Annual Penetration Scans

• Oracle Change Control Console

• Quarterly Firewall Policy Review

Advanced Services

• Annual Vulnerability Risks Report

• Web Application Firewall

• Web Application Security Assessments

• Quarterly Network Scans

• Dedicated Secure File Transfer Protocol (FTP)

• File Encryption Service

• Assessor (QSA) Partners

Value

• Oracle On Demand has been a Level 1 PCI Compliant Service Provider since 2006

• Oracle can reduce the time and cost associated with PCI compliance

• Customers can gain access to a complete solution using Oracle PCI Partners

• Service Data Sheet

Federal On Demand: Advanced Service Offerings For the US Federal Government

Value

• Designed to enable our customers to be compliant with federal legislative and executive mandates / directives

• Helping government run business operations more effectively, and at lower costs

• @Customer & @Partner options also available

• Service Data Sheet

For All Applications Managed @ Oracle

• Physical and Logical Isolation of Operations

• U.S. Citizen 24/7 Service Delivery

• Certification and Accreditation Methodologies

• Ongoing FISMA Security Measurements

• Public and Sensitive but Unclassified (SBU) Data

• Plan of Action and Milestones (POAM)

• Federal Information Processing Standards (FIPS) 140-2 Certified and Validated

Enhanced Security Services: Advanced Service Offerings to Meet Customer Compliance Needs

Base Services

• Quarterly Vulnerability Scans

• Quarterly Web Application Vulnerability Scans

• Annual Penetration Test

• Network Diagram

• Quarterly Firewall Policy Review

• Quarterly Network Device Configuration Review

• Quarterly Security Meetings

Advanced Services

• Oracle Adaptive Access Manager

• Oracle Audit Vault

• Oracle Data Masking

• Oracle Transparent Database Encryption (TDE)

• Web Application Firewall

• Flat File Encryption

• Oracle Change Control Console

• Security Maintenance Program

Value

• Supplements standard security services

• Facilitates customer’s compliance needs

• Advanced Services are “cafeteria style”

• Service Data Sheet

DR Solutions: Two Basic Requirements

Data Protection: “Make sure my data isn’t lost when my system/site is hit by a disaster”

• Deliverable:

– Data (tape, disk, other media, or hot failover system)

• In the Event of a Disaster:

– Backup data needs to be shipped to the customer or a customer-specified site or a recovery site

• Solution Cost Drivers:

– Amount of Data to be Protected

– Frequency of Backup (RPO)

Service Recovery: “Get me back in business after my system/site is hit by a disaster”

• Deliverable:

– Service back up, running & accessible, after a disaster

• In the Event of a Disaster:

– Backed-up data is used to bring the service back up on an alternate system at a distant site (note that this requires data protection as a prerequisite)

• Solution Cost Drivers:

– RTO | Service Capacity | Testing Frequency

Disaster Recovery Solutions

[Table: solution options for the two requirements, Data Protection (“Make sure my data isn’t lost when my system/site is hit by a disaster”) and Service Recovery (“Get me back in business after my system/site is hit by a disaster”).]

Standard Solutions

• Maximum Availability

• 24 hours/24 hours

• 3 days/3 days

• Austin Primary, RMDC Secondary

Custom Solutions

• 48 hours/48 hours

Security Capabilities Summary: Protect Customer Data & Systems

IT SECURITY ENABLERS

• Processes built to support the ISO 27000 framework

• Automation to monitor, correlate, and alert

• Security health checks prior to and during deployment

• Encryption to protect the data

• Compliance services that can be leveraged

• Disaster recovery services to cover any requirement

• Use, host and manage Oracle security products

BUSINESS BENEFITS

• Protect privacy

• Protect from intrusion and malicious acts

• Comply with regulatory requirements

• Avoid adverse legal consequences

• Assure business continuity

• Protect the valuation and reputation of your company

Looking Ahead

Complex & Stealth Attack Vectors Growing

Commercial Hacking Gaining Ground

‘Due Diligence’ High Water Mark Rising

More & More Legislation

Increased Effort to Prove Compliance

THREATS | REGULATION | SECURITY BASELINE

Final Thoughts: Leverage Oracle On Demand…

Expertise | Architecture | Technology | Demonstrated Compliance


The preceding is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle's products remains at the sole discretion of Oracle.
