Oracle Security Architecture for the New Digital Experience E-Book · Security Architecture for the...

Security Architecture for the New Digital Experience

Table of Contents

Chapter 1: Rise of the Security Architect (page 3)

Chapter 2: Transformation of the Perimeter (page 7)

Chapter 3: The Great Re-Architecture (page 13)

Chapter 4: Architecting Security for Mobile (page 19)

Chapter 5: Cloud Security (page 25)

Chapter 6: The Oracle Security Taxonomy (page 29)

Resources (page 33)


Chapter 1: Rise of the Security Architect

Today’s enterprise architects find themselves confronting fundamental questions where business and technology intersect. How does the company plan to grow? What technology platforms will it use to achieve that growth? What security risks will the company face and how can security architects help mitigate those risks?

Providing knowledgeable answers to questions about security necessitates interacting not only with other stakeholders in IT, but also with experts in finance, HR, marketing, sales, product development, and risk and compliance. Security architects must address information security standards as well as stay ahead of an ever-changing array of industry regulations and compliance guidelines.

Enterprise architecture is an IT discipline that helps organizations simplify system design, align technical requirements with business requirements, and manage the lifecycle of complex systems. Enterprise information security architecture (EISA) has emerged out of enterprise architecture to manage the security fragmentation of distributed systems, collect requirements from business stakeholders, and address the growing security compliance and internal governance requirements for information security.

According to the Bureau of Labor Statistics, the demand for security architects is expected to grow 20 percent annually through 2018, driven by an epidemic of data breaches, rising regulatory challenges, and relentless modernization efforts in IT departments.


As Oracle Chief Security Officer Mary Ann Davidson points out, security challenges continue to escalate, yet time, money, and resources are always constrained—particularly the availability of skilled security people. There are serious consequences for failing to adequately protect customer and partner data—everything from hefty fines to loss of strategic business relationships.

Video: With security spending at an all-time high, many CSOs are rethinking their priorities and focusing on risk.

Watch the Video (18:29)


Chapter 2: Transformation of the Perimeter

Before 1995 most companies ran their information systems on networks that were largely private. Only a handful of people had the capability to cross the network boundary, which kept the information systems inside the organization secure from anyone outside the company. The emphasis was on protecting the network perimeter, and IT organizations continue to spend more than 67 percent of their security dollars on network security. But today the new digital economy is dramatically increasing the level of value-added participation, requiring employees, customers, and partners to cross network boundaries every minute. For example, healthcare organizations need to enable doctors and patients to collaborate online. Manufacturing organizations give suppliers access to their inventory information and MRP systems. Each search on Google can potentially hit a page that downloads malware. Every e-mail message offers the potential of a new phishing attack.

The people accessing these networks are not only trusted employees, but also a changing cast of contractors, customers, and partners. The data being accessed can include structured information from corporate databases as well as unstructured data such as documents, e-mail, and audio files. And users are continually on the move—as is the information itself. The new points of control entail verifying user identities and permission to access information systems, securing the devices connecting to the network, and protecting data where it resides.

To further blur the perimeter, cloud-computing models often put data and applications outside of traditional enterprise boundaries, even as mobile devices represent a continually expanding perimeter. There is growing pressure to set up access portals for partners and customers, as well as to facilitate employee collaboration on mobile and social networks. Sensitive data that was secured behind a robust enterprise firewall is now accessible via low-cost smart phones.

Security architects are faced with a new set of questions: How do you protect applications, devices, and data in a world without a defined network perimeter? How can you ensure that corporate data is just as secure on a $100 smart phone as it is on a $100,000 server in an enterprise data center? How can you provide a consistent experience for users while guaranteeing protection and privacy for the organization’s trusted information assets?

The most progressive IT architectures extend security controls across all information systems. Security architects utilize a “trust but verify” approach to both enable productivity and address security governance requirements. The objective is to establish one consistent security framework underlying all information systems. Because users and sensitive data are part of every transaction, identity management and database security are the common denominators of addressing most security requirements.

“For security professionals, IoT stands for an explosion of identities.”

Indus Khaitan, product manager, Oracle Mobile Security

Watch the Webcast


White Paper: “Identity is a powerful tool. It can be applied to people, devices, and data and therefore plays a vital role in securing the new perimeter.”

Read the White Paper


FOUR STEPS TO SECURING THE NEW PERIMETER

Think inside out. The threats are outside but the risks are largely inside.

Develop a “defense-in-depth” strategy. Create a framework of overlapping controls to address vulnerabilities.

Simplify the user experience. When security becomes a productivity barrier, controls get circumvented.

Design for compliance. Security is as important to shareholder value as good accounting. Regulatory controls are on the rise.

“Businesses now invest in security rather than spend on it. Security architects need to design security systems that complement business policies and processes.”

Chris Gavin, vice president, Information Security, Oracle


Chapter 3: The Great Re-Architecture

For many industries the fundamental organizational structure changed relatively little in the past 20 years. City and state governments are organized much as they were in the 1940s. Manufacturing organizations continue to achieve economies of scale through greater automation of the assembly line. Healthcare providers rely on IT systems to simplify back-office and front-office tasks, and thereby improve patient care. But now all of this is changing dramatically. Governments are delivering more types of citizen services online. Manufacturing companies are managing each component’s lifecycle beyond the assembly line and providing manufacturing services online across an entire product lifecycle. Healthcare providers are orchestrating care among remote providers and sharing medical records for patients who may never physically visit a hospital.

Many of these services are being performed via software solutions that are architected in the cloud rather than on-premises. They require technologies that can support the real-time exchange of accurate information. Organizations rely on identity management technology to facilitate dynamic trust relationships and support regulatory compliance requirements.

Security architecture has moved to the forefront of these transformative initiatives to enable online interactions and secure the user experience.

One example of a public utilities organization transforming its services to keep up with the changing technical landscape is Yarra Valley Water (YVW) in Australia, which used Oracle Identity and Access Management to implement an easy-access portal that supports self-registration, self-provisioning, access, and authorization for partners and citizens. The secure Oracle platform utilizes a federated security model to handle one-off requests from citizens as well as ongoing interactions with partners, with straight-through processing capabilities to streamline the workflow. An embedded compliance and security framework handles complex attestation controls and processes.


Video: YVW uses Oracle Identity and Access Management.

Watch the Video (1:52)


Beachbody is a prime example of IT transformation in retail.

The company has embraced a multi-channel customer engagement strategy that includes infomercials in which viewers can respond to special offers and promotions, a website for e-commerce purchases, a multilevel marketing company that engages about 100,000 coach affiliates, and a certification business. These channels focus on different types of consumers, each requiring unique offers and promotions. To enforce consistency, Beachbody adopted Oracle Identity Management to authenticate users and track their activities across different channels and personas. The operational scale across channels improves the volume of participation from coaches, consumers, members and partners. All of this means more revenue for Beachbody. Just as members drive the value of the business, reducing the friction of participation increases business velocity.

“Previously our disparate systems didn’t allow us to maximize conversions or revenue or the long-term value of each customer.”

Arnaud Robert, CTO, Beachbody

Risk-Aware Architectures

Security architects are tasked with developing “risk-aware” architectures that factor in legal liabilities, the privacy of partner and customer data, and regulatory requirements. These security policies ensure that the organization is ready for internal and external audits. Oracle Corporate Security Architect Steve Deitrick lauds this approach, advising security architects to become fluent in both the language of technology and that of the business they are charged with supporting. “In today’s strict regulatory environment it is strongly advised for security architects to have solid working relationships with their legal departments,” he notes. “Successful security architects manage their discipline in three directions: upward for executive sponsorship, horizontally for effective strategy establishment, and downward for successful strategy execution and results. Moving beyond IT raises their value as key players in risk prevention.”

Video: Beachbody CTO Arnaud Robert explains how Oracle Identity Management allows his company to better serve customers through targeted campaigns and mobile applications.

Watch the Video (2:37)


The airline industry is poised for a dramatic transformation in the next decade and anticipates growth in the number of both passengers and new services. In order to simplify its IT environment and modernize travel applications to meet these new requirements, Sabre is securing its applications by abstracting security policies in the database.

Video: Sabre Holdings uses Oracle’s data redaction solution to mask personally identifiable information in thousands of travel databases.

Watch the Video (1:14)


Chapter 4: Architecting Security for Mobile

“Next-generation security solutions are emerging that enable companies to integrate rigorous, identity-based mobile application management and containerization capabilities to control and protect corporate data while ensuring that employees have private access to the personal apps and services they enjoy.”[1]

By 2020, 80 percent of access to the enterprise will be via mobile devices and other non-PC devices, up from 5 percent today. In addition, external providers will authenticate 60 percent of all users connecting with enterprises.[2] Meanwhile, the Internet of Things (IoT) is redefining the concept of identity to include what people own, share, and use. According to research conducted by Cisco Systems, by 2020 there will be more than 50 billion IP-enabled devices in use around the world.

Internet of Things

When it comes to securing the network, IoT and mobile technology are on a collision course. Nearly 90 percent of employees are using smart phones at work, and half of them are doing so without the permission of their employers.[3] Most of these employees neglect to follow simple precautions such as reading the terms and conditions before downloading an app, manually adjusting security settings, or verifying that the applications are trustworthy—not to mention the ever-present threat of malware targeting these mobile devices and spyware capable of stealing personal, financial, and work information.

According to Vadim Lander, chief identity architect at Oracle, there are three types of security concerns associated with the Internet of Things:

Device Identity

Application Identity

User Identity

“Security architects should look for solutions that include contextual, real-time, policy-based controls at the service/application layer to mitigate threats,” Lander notes. “Adaptive authentication and authorization are two techniques for setting up policy-based security controls for managing who has access to what under what conditions.”

[1] “The New Perimeter: Keeping Corporate Data Secure in the Mobility Era,” a white paper by Oracle and IEEE, April 2014.

[2] IAM keynote presentation, “The Future of Managing Identity,” Gartner, 2013.
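As an added illustration of the contextual, policy-based control Lander describes (example code written for this page, not Oracle's product code): a small decision function that first checks static entitlements, then scores the request's context and returns allow, step-up (require a second factor) or deny. The signals, their weights, the two thresholds, and the user and entitlement table are constructed assumptions; the point is that the same user and resource can get different answers depending on device, network, location and time.

```python
"""Adaptive (context-aware) access decision: entitlement check, then risk scoring.

Added example for this page, not Oracle's product code. Signals, weights,
thresholds and the entitlement table are constructed assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessContext:
    user: str
    resource: str          # e.g. "crm/customers"
    action: str            # "read" or "export"
    device_managed: bool   # enrolled / containerized device
    network: str           # "corp", "home" or "public"
    country: str           # where the request comes from
    home_country: str      # where the user normally works
    mfa_done: bool         # second factor already satisfied in this session
    hour: int              # local hour, 0-23


@dataclass
class Decision:
    outcome: str           # "allow", "step_up" or "deny"
    risk: int
    reasons: list = field(default_factory=list)


# Static entitlements (constructed directory data): who may do what.
ENTITLEMENTS = {
    "alice": {("crm/customers", "read"), ("crm/customers", "export")},
    "bob": {("crm/customers", "read")},
}

# Thresholds are assumptions; tune them to the sensitivity of the resource.
STEP_UP_AT = 30
DENY_AT = 70


def risk_score(ctx):
    """Additive risk from request context. Returns (score, reasons)."""
    score, reasons = 0, []
    checks = [
        (not ctx.device_managed, 40, "unmanaged device"),
        (ctx.network == "public", 20, "public network"),
        (ctx.country != ctx.home_country, 30, "unusual country"),
        (ctx.hour < 6 or ctx.hour > 22, 10, "off-hours"),
        (ctx.action == "export", 20, "bulk export"),
    ]
    for hit, weight, reason in checks:
        if hit:
            score += weight
            reasons.append(reason)
    return score, reasons


def decide(ctx):
    """Coarse-grained authorization first; context only matters if the user is entitled at all."""
    if (ctx.resource, ctx.action) not in ENTITLEMENTS.get(ctx.user, set()):
        return Decision("deny", 0, ["no entitlement"])
    score, reasons = risk_score(ctx)
    if score >= DENY_AT:
        return Decision("deny", score, reasons)
    if score >= STEP_UP_AT and not ctx.mfa_done:
        # Adaptive authentication: the same request passes once a second factor is shown.
        return Decision("step_up", score, reasons)
    return Decision("allow", score, reasons)


if __name__ == "__main__":
    req = AccessContext("alice", "crm/customers", "export", False, "public", "US", "US", False, 14)
    d = decide(req)
    print(d.outcome, d.risk, ", ".join(d.reasons))
```

Entitlement is checked before any risk arithmetic so that context can only narrow access, never grant it; a bulk export from an unmanaged phone on public Wi-Fi is refused outright, while a read from an unmanaged home device is merely pushed to a second factor.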

Mobile Access

Mobile computing is reshaping the digital economy and changing the dynamics of corporate computing. According to research conducted by Forbes, 89 percent of today’s mobile devices are already connected to corporate networks, 67 percent of workers use tablets to connect remotely to corporate IT resources, and mobile development projects will soon outnumber native PC projects four to one.

Read the White Paper: Oracle Mobile Security Suite: Secure Adoption of BYOD

[3] “Companies Slow to React to Mobile Security Threat,” CSO Online, Antone Gonsalves, May 2012.


In addition, more than three-fourths of all enterprise data breaches are the result of weak or stolen credentials, according to the 2013 Verizon Data Breach Investigations Report. Many of the mobile devices that employees use at work include personal content. Family members often share these devices. The employees who use them also need corporate connectivity, which complicates security and privacy issues. Security architects must now focus on how to secure corporate data while maintaining the privacy of personal data.

According to Oracle Vice President of Product Development Amit Jasuja, enterprise IT departments face three important bring-your-own-device (BYOD) issues:

Figuring out how to develop mobile apps that support multiple platforms, from Apple iOS and Google Android to new versions of Microsoft Windows

Creating a mobile architecture to expose back-end applications in a secure and consistent way

Upholding corporate security policies across mobile, cloud, and enterprise application scenarios

Demo: Marc Boroditsky, Oracle vice president of product management, and Andy Smith, Oracle senior director of product management, demonstrate Oracle Mobile Security Suite.

Watch the Security Demo (9:19)


Interview: Amit Jasuja chats with Oracle CIO Mark Sunday about the state of mobile security in 2014.

Read the Executive Interview


Chapter 5: Cloud Security

Cloud architecture presents significant challenges for security architects. Third-party vendors typically handle user administration, data management, and network access. According to Graham Palmer, Oracle’s director of information security, these cloud solutions must be carefully controlled to manage costs and risks, yet 33 percent of organizations don’t evaluate security when selecting cloud applications. “Enterprise information should not be trusted to companies with no track record, or that lack an auditable security framework based on international security standards such as ISO 27001 and SAS 70,” Palmer says. “Customers should look at security as a prime driver in vendor selection.”

Oracle Chief Identity Architect Vadim Lander believes that cloud service providers should demonstrate that they are in compliance with established audit and security procedures. Customers that contract with cloud vendors need to be able to control the identity management process for external applications and on-premises apps via single-sign-on procedures. These solutions should also make it easy to provision and deprovision users and to extend entitlement credentials from on-premises applications to cloud applications. Such controls are even more important when securing databases. According to IDC, 66 percent of today’s most sensitive data resides in relational databases.

Cloud services are the backbone of T-Mobile’s infrastructure. To secure 35 million subscribers in a business model in which customer data has to be processed by many applications—and corporate valuation depends on subscriber growth—T-Mobile is using transparent data encryption to secure data in a cost-effective way.

Video: T-Mobile explains how it reduced exposure to risk by using Oracle Database Firewall, Oracle Advanced Security, and Oracle Data Masking Pack to secure sensitive data in both Oracle and non-Oracle databases.

Watch the Video (1:54)

Adherence to Standards

Providing consistency helps security architects gain economies of scale and simplify administration. To improve the management of hybrid cloud/on-premises environments, security architects should ensure that service providers use HTTP-friendly identity management integration patterns. Lander insists that providers use the SAML protocol as the identity federation mechanism for establishing single sign-on between corporate identity management (IDM) systems and cloud IDM systems, and use the SCIM protocol for user provisioning. Adopting these standards makes it easier for the corporate IDM system to provision and deprovision users. Security architects should also look for cloud solutions that have a mechanism for importing user identities from the corporate identity store into the cloud provider’s identity infrastructure.
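An added example of the SCIM half of that integration pattern (written for this page; not Oracle's or any provider's implementation): the corporate IDM provisions a user to a cloud service's /Users endpoint and later deprovisions the same user by looking it up by userName and patching active to false. The in-memory provider that stands in for the cloud service and the user records are constructed; the message shapes (schema URNs, PatchOp, ListResponse, Error with scimType) follow the SCIM 2.0 RFCs 7643 and 7644.

```python
"""SCIM 2.0 provisioning and deprovisioning against a minimal in-memory provider.

Added example, not Oracle's or any vendor's implementation. The provider is a
constructed stand-in for a cloud service's /Users endpoint; the message shapes
follow RFC 7643 (schema) and RFC 7644 (protocol).
"""
import re
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def scim_user(user_name, given, family, email):
    """What the corporate IDM sends when it provisions a user."""
    return {
        "schemas": [USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }


def deactivate_patch():
    """Deprovisioning: flip active to false rather than DELETE, so audit history survives."""
    return {"schemas": [PATCH_SCHEMA],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def _error(status, detail, scim_type=None):
    body = {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}
    if scim_type:
        body["scimType"] = scim_type
    return status, body


class ScimProvider:
    """Constructed in-memory /Users endpoint. handle() returns (HTTP status, JSON body)."""

    def __init__(self):
        self.users = {}

    def handle(self, method, path, body=None):
        m = re.fullmatch(r"/Users(?:/([^/?]+))?(?:\?filter=(.+))?", path)
        if not m:
            return _error(404, "unknown resource")
        user_id, flt = m.group(1), m.group(2)
        if method == "POST" and not user_id:
            if USER_SCHEMA not in body.get("schemas", []) or "userName" not in body:
                return _error(400, "userName required", "invalidValue")
            if any(u["userName"] == body["userName"] for u in self.users.values()):
                return _error(409, "userName already exists", "uniqueness")
            rec = dict(body, id=str(uuid.uuid4()), meta={"resourceType": "User"})
            self.users[rec["id"]] = rec
            return 201, rec
        if method == "GET" and not user_id:
            # Only the filter form the IDM needs here: userName eq "..."
            fm = re.fullmatch(r'userName eq "([^"]+)"', flt or "")
            hits = [u for u in self.users.values() if not fm or u["userName"] == fm.group(1)]
            return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits), "Resources": hits}
        if user_id not in self.users:
            return _error(404, "no such user")
        if method == "GET":
            return 200, self.users[user_id]
        if method == "PATCH":
            if PATCH_SCHEMA not in body.get("schemas", []):
                return _error(400, "not a PatchOp", "invalidSyntax")
            ops = body.get("Operations", [])
            # Validate every operation before applying any, so a bad request changes nothing.
            if not ops or any(o.get("op") != "replace" or o.get("path") != "active" for o in ops):
                return _error(400, "only replace of active is supported here", "invalidPath")
            for o in ops:
                self.users[user_id]["active"] = bool(o["value"])
            return 200, self.users[user_id]
        return _error(405, "method not allowed")


def provision(provider, user):
    """IDM side: create the account and keep the provider-assigned id."""
    status, body = provider.handle("POST", "/Users", user)
    if status != 201:
        raise RuntimeError(body["detail"])
    return body["id"]


def deprovision(provider, user_name):
    """IDM side: find by userName (the IDM's key), deactivate, confirm. True only if confirmed."""
    _, listing = provider.handle("GET", f'/Users?filter=userName eq "{user_name}"')
    if listing["totalResults"] != 1:
        return False
    target = listing["Resources"][0]["id"]
    status, rec = provider.handle("PATCH", f"/Users/{target}", deactivate_patch())
    return status == 200 and rec["active"] is False
```

Two details matter for the latency point made elsewhere in this e-book: deprovisioning is keyed on userName rather than on an id the IDM may not have recorded, and the function reports success only after reading back active=false, so a silently ignored PATCH shows up as a failure rather than as a leaver who still has access.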

SaskTel standardized on Oracle Identity Management to consolidate its internal and external identity management systems on a single platform. The telecommunications provider can authorize and authenticate internal and external users via single-sign-on procedures as part of a cohesive cloud service.

Video: SaskTel offers Oracle Identity Management in the cloud.

Watch the Video (2:45)


Chapter 6: The Oracle Security Taxonomy

Latency and consistency are two variables used to measure good security design. The objective is to reduce the latency of change and increase consistency across systems and applications. Typically these variables are inversely proportional: as the latency of change increases, the amount of consistency decreases. In a recent study by CSO Online, 44 percent of respondents blamed the fragmentation of IT systems for creating gaps in security. Attackers are taking advantage of inconsistency and weak policy controls to gain a foothold in many organizations. When users leave a company it can take months before their access rights are disabled across systems. The greatest opportunity for fraud happens during this time frame. In other cases organizations take months to apply security patches to their information systems. Hackers don’t wait to exploit these known weaknesses.

Oracle engineers hardware and software to work together. This cohesive approach reduces the latency of change and increases consistency. By embedding security technology into every layer of the technology stack and securing the integration between layers, Oracle not only delivers better performance with a smaller footprint, it also provides better security at a lower cost.

For example, at the middleware level, Oracle builds in identity management and access control technology to govern how data is used at the application tier. It also provides encryption, firewall, and masking at the database level. Oracle monitors and patches the software at the operating system and virtualization tier, and builds hardware encryption into the infrastructure. Encryption is provided across all tiers of storage, and at the application level Oracle offers complete governance and fraud prevention to detect anomalous behavior.

At the database level, Oracle’s preventive controls provide encryption, redaction, and security for privileged users. To secure multiple database instances, Oracle provides discovery, data classification, and configuration scanning. Today many IT solutions are designed without security auditing in mind. Oracle Audit Vault and Database Firewall provide alerting, reporting, and conditional auditing.

By securing each layer of the stack, Oracle can ensure that one set of policies, roles, and controls is applied uniformly. In addition, Oracle’s integrated family of security technologies is used to secure third-party applications and databases.

Finally, Oracle “defragments” identities across the enterprise to enforce consistency across systems. That means you can apply the same policies and constraints that protect your core internal systems to other systems, such as mobile devices and third-party applications. Oracle Identity Management Suite lets you create universal identities that transcend individual systems and devices by automatically provisioning user identities to multiple applications and tools.

White Paper: “The most complete solution for managing people, data, and devices is through identity. Identity is the central component of how mobile devices access content, applications, secured communications, and more.”

Read the White Paper

Oracle addresses security at multiple layers.


Resources

The Rise of Security Architecture

Webcast: “Securing Your Business Inside Out”

Transformation of the Perimeter

White Paper: “Transformation of the Perimeter”

Webcast: “Transformation of the Perimeter”

Report: Verizon E3 Data Breach Report

The Great Re-Architecture

Video: University of Louisville (3:13)

Video: Beachbody (2:37)

Video: Sabre Holdings (1:14)

Video: Yarra Valley Water (1:52)

White Paper: Privacy by Design

Architecting Security for The Internet of Everything and Mobile

White Paper: Secure Adoption of BYOD

Executive Interview: Amit Jasuja on Mobile Security

Video: Oracle Mobile Security Suite (9:19)

Screencast: Managing Secure Mobile Policies (27:51)

Cloud Security Architecture

Video: UPMC Discusses Privacy / Identity / Security in Healthcare (2:58)

Video: SaskTel Offers Oracle Identity Management in the Cloud (2:45)

Video: T-Mobile Talks About Reducing Exposure and Risk (1:54)

The Oracle Security Taxonomy

Website: Oracle Identity Management Solution Page

E-Book: Oracle Identity Management E-Book

Research Brief: Aberdeen Research: IAM Platform Approach vs Point Solutions


Copyright © 2014, Oracle and/or its affiliates. All rights reserved. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.