Security Readiness Assessment (transcript)
Copyright © 2015 Oracle and/or its affiliates. All rights reserved.
Jackson Thomas, Senior Manager, Sales Consulting
Cloud Era Requires Identity-Centric Security
[Slide graphic: Identity at the centre, surrounded by SaaS, PaaS and IaaS, Mobile, Social, Internet of Things, Cloud and Big Data]
Unified Threat Intelligence
Consumers: SIEM, UEBA, CASB
Telemetry sources, by layer:
• Security: Firewall, IDS, IPS, Web Proxy, VPN, AV, DLP, DAM, WAF, VA Scanners
• Networking: Router, Switch, DHCP, DNS, Load Balancer
• Host: Windows, Linux, Unix
• Infrastructure: EMM, Middleware, Database, Web Server, Hypervisor
• Cloud: SaaS, PaaS, IaaS
• Applications: 3rd Party Apps, Oracle Apps, Custom Workloads
• IDM
Database Security: Attack Vectors
Data stores in scope: Production Data, Archive Data, Dev & Test Data
Attack vectors:
• SQL Attack
• Data at Rest Attack
• Insider Threat
• App User Snooping
• APT or Malware Attack
• Dev Team Snooping
• DBA Permission Abuse
• Accidental Exposure
• Lost or Stolen Device
• Lost Disk or Tapes
• Exposed Keys
Numerous attack vectors call for a layered, Defense-in-Depth security strategy.
Security Readiness Assessment
Executive level, strategic engagement focused on aligning an organization’s enterprise security architecture with business objectives
A successful engagement will:
• Document an organization’s current security and compliance posture
• Identify existing key risks and challenges
• Outline a desired future state architecture
• Recommend actionable steps on a strategic roadmap for achieving the future state
• Show how the recommended initiatives can deliver business value
Security Readiness Assessment – Focus Areas
User Lifecycle Management
• Identity Lifecycle Management
• Role & Relationship Management
• Access Request, Approval and Fulfillment
• Password Management
• Auditing and Reporting
• Attestation/Certification
• Privileged Account Management
Authentication and Authorization
• Authentication & SSO
• Risk-based Authentication and Authorization
• Fraud Detection
• Fine Grained Authorization
• Federation
• Social Sign-On
• Cloud and API Security
Identity Repositories
• Directories and databases containing Identity data
• Directory Virtualization
• Directory Synchronization
• Application Authentication
• Database Authentication
• Operating System Authentication
Cloud Services
• Public cloud services employed and planned (SaaS, PaaS, IaaS)
• Deployment options (Public, Private, Hybrid)
• IAM for Cloud services (provisioning, audit, authentication, authorization, federation)
Database Security
• Encryption
• Data Redaction
• Data Masking
• Access Discovery and Control
• Multi-Factor Authentication
• Data Classification
• SQL Injection Protection
• Audit and Compliance
• Centralized Authentication and Authorization
Operational Manageability (Optional area)
• Security Governance
• Configuration Controls
• Patch Management
• Diagnostics
• SLA Management
• Performance Tuning
Security Readiness Assessment Engagement Plan
1. Executive Invitation
2. Planning & Preparation
3. Onsite Discovery
4. Deliverable Preparation
5. Executive Presentation
SRA Customer Benefits
Objective: Elevate Security Posture
• Focus on most important risks and challenges
• Support proactive planning for the future
• Prioritize needed improvements to reach a desired future state
• Facilitate cooperation on security initiatives
What Investment is Required?
• Strong executive support
• Strong tactical leadership
• Time, attention and candid participation