Simon Rice, VP Enterprise Services, Cintra; Jon Kobrick, COO, STI Group
TRANSCRIPT
Page 1 (source: nyoug.org/wp-content/uploads/2017/07/CINTRA-Webinar-Modern-Dat…)
Architecting your success
Simon Rice, VP Enterprise Services, Cintra
Jon Kobrick, COO, STI Group
Modern Data Security: Critical information to keep your data platform secure against cyber-security threats
Page 2
Cintra… Driving World Class Oracle Architecture Solutions, Services and Support
● Oracle architecture expertise driving modernization and transformation
● Oracle architecture blueprints driving the Oracle on Oracle and cloud solutions
● Oracle proactive 24x7 expert managed services for operational excellence
● Oracle commercial licensing expertise driving greater value and efficiencies
Oracle Commercial Expertise
Oracle Architecture Expertise
Oracle on Oracle Architecture & Cloud Solutions
Proactive Expert Oracle Managed Services
Page 3
STI Group… Balancing Information Security Investment with Risk Mitigation
Cyber Security Consulting (CSC)
● Risk Assessment & Policy Development
● Audit & Security Posture Assessment
● Architecture, Remediation, & Certification
● Information Security Management
Managed Security Operations (MSO)
● SecOps Program Management
● Alert/Event Monitoring & Response
● Managed Breach Detection
● Security Infrastructure Management
Page 4
Infrastructure Security
Data Security
Process Security
Apps Security
Design | Build | Support
Best of Breed Enterprise Security Alliance: 12 year partnership
Page 5
Cintra/STI Tiered Security Model

| Level | Definition |
|---|---|
| DEFCON 1 | Secured in line with top security clearance standards. Extreme access control in line with stringent change management processes. Access to information locked down and governed by CISO. |
| DEFCON 2 | Secured in line with regulatory compliance requirements. Centralized, protected audit log including superuser and data-related activities. Data encrypted in motion and at rest. |
| DEFCON 3 | Default state for all Cintra/STI managed services customers. Infrastructure, OS, DB and Apps hardening. Auditing of superuser activities enabled. |
Page 6
Cyber Security: Introduction to the Modern Data Security Methodology
Page 7
Security Controls Overview
Surface Area of Attack | Security Controls
Page 8
Cyber Security: Understanding the Threat Landscape
Page 9
Overall Breach Trends
*2016 Verizon Data Breach Investigations Report
*2016 Cost of Data Breach Study: Global Analysis, Sponsored by IBM and Conducted by Ponemon Institute LLC
$4 million is the average total cost of data breach
29% increase in total cost of data breach since 2013
$158 is the average cost per lost or stolen record
15% increase in per capita cost since 2013
Page 10
Overall Breach Trends
*2016 Verizon Data Breach Investigations Report
Page 11
Root causes of data breach
*2016 Cost of Data Breach Study: Global Analysis, Sponsored by IBM and Conducted by Ponemon Institute LLC
Page 12
Factors that reduce the cost of a data breach
*2016 Cost of Data Breach Study: Global Analysis, Sponsored by IBM and Conducted by Ponemon Institute LLC
US Dollars saved per compromised record
Page 13
Breach Trends – Asset Varieties
*2016 Verizon Data Breach Investigations Report
Page 14
Insider and Privilege Misuse
*2016 Verizon Data Breach Investigations Report
Page 15
WannaCry
Page 16
Real Life Examples: Cintra and STI Group Customers
Page 17
Customer 1: Hospital Patient Data Loss
• The Scenario
  • Large hospital network
  • Patient data is encrypted, running on Oracle Enterprise Edition
  • For 18 months a nurse printed off records and sold them to an entity in Russia
• Why did this happen?
  • Lack of processes in place to validate unusual behavior
  • Lack of management oversight
• How did Cintra/STI help?
  • Deployment of centralized auditing software
  • Automatic audit alerts in line with HIPAA regulations
  • Tighter staff security training and controls
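The Customer 1 case turns on an audit alert that validates unusual behavior against a baseline; the following is an added example (not the webinar's or any vendor's tooling) of a peer-baseline check over a database audit trail. Roles, users, table names and audit rows are constructed; the point it shows is that a slow, steady over-read like the nurse's is invisible to a per-user spike detector but stands out against same-role peers.

```python
# Added example, not part of the Cintra/STI webinar: peer-baseline alerting
# over a (constructed) database audit trail.
from collections import defaultdict
from statistics import median

SENSITIVE_TABLES = {"PATIENT_RECORDS"}
PRIVILEGED_ROLES = {"DBA"}   # superuser reads of sensitive data are always alerted

# Constructed daily row counts returned from PATIENT_RECORDS, per (role, user).
CONSTRUCTED_DAILY = {
    ("NURSE", "NURSE_01"): [40, 45, 38],
    ("NURSE", "NURSE_02"): [52, 47, 50],
    ("NURSE", "NURSE_03"): [35, 41, 44],
    ("NURSE", "NURSE_04"): [48, 55, 46],
    ("NURSE", "NURSE_05"): [44, 39, 42],
    ("NURSE", "NURSE_07"): [150, 160, 145],  # steady ~3x peers, never a spike
    ("DBA", "DBA_01"): [10, 12, 9],
    ("DBA", "DBA_02"): [800, 750, 820],      # only two DBAs: no peer baseline
}
# Flatten into audit-trail records: (date, user, role, object, rows_returned).
AUDIT_TRAIL = [(f"2017-07-0{day + 1}", user, role, "PATIENT_RECORDS", rows)
               for (role, user), days in CONSTRUCTED_DAILY.items()
               for day, rows in enumerate(days)]
AUDIT_TRAIL.append(("2017-07-01", "NURSE_02", "NURSE", "SHIFT_SCHEDULE", 500))


def rows_per_user(records, tables):
    """Total rows returned from the given tables, keyed by (role, user)."""
    totals = defaultdict(int)
    for _date, user, role, obj, rows in records:
        if obj in tables:
            totals[(role, user)] += rows
    return dict(totals)


def peer_outliers(totals, k=3.0, min_peers=4):
    """Flag users whose total exceeds median + k * MAD of same-role peers.
    Median/MAD rather than mean/stdev, so the outlier cannot inflate its own
    baseline; roles with fewer than min_peers members have no usable baseline."""
    by_role = defaultdict(dict)
    for (role, user), total in totals.items():
        by_role[role][user] = total
    alerts = []
    for role, users in sorted(by_role.items()):
        if len(users) < min_peers:
            continue
        values = list(users.values())
        med = median(values)
        mad = median([abs(v - med) for v in values])
        threshold = med + k * max(mad, 1.0)   # floor avoids a zero-width band
        for user, total in sorted(users.items()):
            if total > threshold:
                alerts.append({"user": user, "role": role, "rows": total,
                               "peer_median": med, "reason": "peer outlier"})
    return alerts


def audit_alerts(records=AUDIT_TRAIL, tables=SENSITIVE_TABLES,
                 privileged=PRIVILEGED_ROLES):
    """Privileged-role reads are reported unconditionally; everyone else is
    compared with their peers."""
    totals = rows_per_user(records, tables)
    alerts = [{"user": u, "role": r, "rows": t, "reason": "privileged access"}
              for (r, u), t in sorted(totals.items()) if r in privileged]
    alerts += peer_outliers({key: v for key, v in totals.items()
                             if key[0] not in privileged})
    return alerts


if __name__ == "__main__":
    for a in audit_alerts():
        print(f"ALERT {a['role']}/{a['user']}: {a['rows']} rows ({a['reason']})")
```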
Page 18
Customer 2: Website Hacked
• The Scenario
  • Popular editorial content website
  • A web application vulnerability was exploited
  • They were after the target's customers
• Why did this happen?
  • Lack of application security development processes
  • Insufficient production change management and integrity monitoring
• How did Cintra/STI help?
  • Coordinated and executed incident response plan
  • Conducted log analysis and code review
  • Implemented enhanced integrity monitoring
Page 19
Customer 3: Retail POS Breach
• The Scenario
  • Retail sites with hundreds of POS machines
  • Compromise through insecure remote access configuration
  • Attacker lateral movement
• Why did this happen?
  • Poor security configuration hardening
  • Excessive privilege assignment
• How did Cintra/STI help?
  • Developed secure configuration standard
  • Implemented more robust access management solution
Page 20
Cyber Security: Architecting for Security
Page 21
The Modern Architecture Journey Requires Modern Security
Standardize Versions
Consolidate Systems
Secure Modern Platform
Manage Data
Enable Agility
Adopt Cloud
Traditional security models are no longer sufficient in today's modern landscape
Lower Costs
Faster Time To Market
Business Focus
Innovation Focus
Page 22
Assessing Against Modern Cyber Security Standards
We perform honest assessments of database architectures

| Architecture Element | Indicator | Current Capability Score | Reasoning |
|---|---|---|---|
| People: Training | Security training in place | 7 | Adequate security training |
| People: Org | Appropriate organizational structure | 5 | Missing CISO role and governance body |
| People: Staff | Adequate staff to manage security | 3 | Recruitment required to fill security roles |
| Process: Assess | Periodic assessments carried out | 9 | Detailed quarterly assessments in place |
| Process: Start/Leave | New starter/leaver policies in place | 9 | Documented and secure policies in place |
| Process: Monitor | Security monitored and updated | 5 | Some gaps noted in security monitoring |
| Process: Patch | Patching procedures implemented | 5 | Database tier patched regularly |
| Technology: Access | Appropriate access controls | 2 | Excessive privilege allocation noted |
| Technology: Encrypt | Encryption implemented | 2 | No encryption of PII data in place |
| Technology: Audit | Auditing implemented with alerting | 5 | Auditing of network assets only |
| Technology: Detect | Intrusion detection | 6 | Some intrusion detection, with gaps |
| Technology: Network | Network hardened | 3 | Significant gaps in network security |
| Technology: OS | Operating System hardened | 9 | OS hardened in line with PCI regulations |
| Technology: DB | Database tier hardened | 9 | DB tier hardened in line with PCI regulations |
| Technology: Apps | Application tier hardened | 9 | Apps tier hardened in line with PCI regulations |
Page 23
Physical architecture diagram
Page 24
The Cloud Journey Starts with A Secure Foundation
Private Cloud | Public Cloud
HYBRID ENTERPRISE CLOUD
• Cloud Maturity
• No Security Compromises
• Matched or Greater Controls
• Matched or Greater Capabilities
• Not all clouds are created equal!
PUBLIC CLOUD | YOUR CLOUD
Page 25
Cyber Security: General Recommendations
Page 26
Security Considerations: People
People
Training – Commercial, in house, on the job, etc.
Security Accountability – formally assigned responsibilities
Sufficient Resources – sufficient time for security tasks
Performance Metrics – measure, measure, measure
Page 27
Cyber Security: Network Security
Page 28
Network Security Considerations: Process Best Practices
Processes
Change Control
Configuration Management
Vulnerability Management
Configuration Hardening
Security Monitoring
Page 29
Network Security Considerations: Technology Best Practices
Technology
Firewalls, ACLs, Network Segmentation, Private VLANs
Signature IPS/AV, Threat Emulation, Network Behavior Monitoring
Data Loss Prevention
Encryption, TLS, IPSec, GRE, SSH
Network Access Control, Port Security
Secure Remote Access / Multi-Factor Authentication
Page 30
Cyber Security: Operating System Security
Page 31
Operating System Security Considerations: Processes
Processes
Security Operations Assessment
Security Monitoring
Vulnerability Management
Security Administration
Device and Software Inventory
Privilege/RBAC Review
Page 32
Operating System Security Considerations: Technology
Technology
Endpoint Security (Anti-malware/AV, EDR, DLP, etc.)
Disk and File System Encryption
Mandatory Access Control System, Application Whitelisting
System and Process Accounting, Logging, EDR
File Integrity Management
Privilege Escalation Management
Page 33
Operating System Security Considerations
1. Initial setup
   1. Filesystem configuration
   2. Configure software updates
   3. Filesystem integrity checking
   4. Secure boot settings
   5. Additional boot settings
   6. Mandatory access control
   7. Warning banners
2. Services
   1. Inetd services
   2. Special purpose services
   3. Service clients
3. Network configuration
   1. Network parameters (host only)
   2. Network parameters (host and router)
   3. IPv6
   4. TCP wrappers
   5. Uncommon network protocols
   6. Firewall configuration
4. Logging and Auditing
   1. Configure system accounting (auditd)
   2. Configure logging
5. Access, Authentication and Authorization
   1. Configure cron
   2. SSH server configuration
   3. Configure PAM
   4. User accounts and environment
6. System Maintenance
   1. System file permissions
   2. User and Group Settings
Page 34
Cyber Security: Database Security
Page 35
Database Security Considerations: Technology
Technology
Encryption – personally identifiable information is encrypted at rest and in transit, and database logons are encrypted.
Auditing – superuser access or access to sensitive data is audited, with triggered alerts.
Patch Procedures – database clusters and instances are patched with the latest security fixes at least quarterly.
Access Controls – least-privileged access, with deactivation on termination.
Intelligent Firewalls – SQL injection attack protection from software firewalls.
Complete Vaulting – Total lockdown of administrative and database access using vault technology.
Oracle Listeners – Non-standard ports, white-lists of allowed hosts, password protection
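The encryption and Oracle Listener points above are settings in sqlnet.ora and listener.ora, so they can be checked mechanically. The following is an added example, not Cintra/STI or Oracle tooling: it parses constructed copies of both files and reports where they fall short of the slide's guidance. The parameter names (SQLNET.ENCRYPTION_SERVER, SQLNET.CRYPTO_CHECKSUM_SERVER, TCP.VALIDNODE_CHECKING, TCP.INVITED_NODES, ADMIN_RESTRICTIONS_<listener>) are real Oracle Net parameters; the host names, addresses and file contents are constructed, and the 11gR2 listener password (PASSWORDS_<listener>) is deprecated from 12c, so the administration check looks at ADMIN_RESTRICTIONS instead.

```python
# Added example (not Cintra/STI or Oracle tooling): audit sqlnet.ora and
# listener.ora text against the slide's listener and encryption guidance.
# Parameter names are real Oracle Net ones; file contents are constructed.
import re

SQLNET_ORA = """\
# constructed sample: one weak setting (ENCRYPTION_SERVER left at ACCEPTED)
SQLNET.ENCRYPTION_SERVER = ACCEPTED
SQLNET.CRYPTO_CHECKSUM_SERVER = REQUIRED
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.0.5, app01.example.internal)
"""
LISTENER_ORA = """\
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
    )
  )
ADMIN_RESTRICTIONS_LISTENER = ON
"""


def parse_sqlnet(text):
    """Parse flat KEY = VALUE lines of sqlnet.ora; (a, b) values become lists."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if value.startswith("(") and value.endswith(")"):
            value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
        cfg[key.upper()] = value
    return cfg


def audit_network_config(sqlnet_text, listener_text, listener="LISTENER"):
    """Return a list of findings where the files fall short of the guidance."""
    cfg = parse_sqlnet(sqlnet_text)
    findings = []
    # Encrypted logons/traffic: only REQUIRED guarantees it. ACCEPTED (the
    # default) lets a client that does not ask for encryption talk in clear.
    for param in ("SQLNET.ENCRYPTION_SERVER", "SQLNET.CRYPTO_CHECKSUM_SERVER"):
        value = str(cfg.get(param, "unset (defaults to ACCEPTED)"))
        if value.upper() != "REQUIRED":
            findings.append(f"{param} is {value}, expected REQUIRED")
    # White-list of allowed hosts: valid node checking plus a non-empty list.
    if str(cfg.get("TCP.VALIDNODE_CHECKING", "NO")).upper() != "YES":
        findings.append("TCP.VALIDNODE_CHECKING is not YES")
    elif not cfg.get("TCP.INVITED_NODES"):
        findings.append("TCP.VALIDNODE_CHECKING is YES but TCP.INVITED_NODES is empty")
    # Non-standard port: 1521 is the well-known default.
    ports = {int(p) for p in
             re.findall(r"\(\s*PORT\s*=\s*(\d+)\s*\)", listener_text, re.I)}
    if 1521 in ports:
        findings.append("listener on default port 1521")
    # Administration protection: the 11gR2 listener password (PASSWORDS_<name>)
    # is deprecated from 12c, so check ADMIN_RESTRICTIONS_<name> instead.
    match = re.search(rf"ADMIN_RESTRICTIONS_{listener}\s*=\s*(\w+)",
                      listener_text, re.I)
    if match is None or match.group(1).upper() != "ON":
        findings.append(f"ADMIN_RESTRICTIONS_{listener} is not ON")
    return findings


if __name__ == "__main__":
    for finding in audit_network_config(SQLNET_ORA, LISTENER_ORA):
        print("FINDING:", finding)
```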
Page 36
Transparent Data Encryption Feature Summary
§ Encrypts columns or entire application tablespaces
§ Protects the database files on disk and on backups
§ Transparent to applications, no changes required
§ High-speed performance, low overhead
§ Optimized for Exadata
(Diagram labels: Applications, Clear Data, Encrypted Data, Disks, Backups, Exports, Off-Site Facilities)
Page 37
Oracle Audit Vault and Database Firewall
(Diagram labels: Users, Apps, Database Firewall, Firewall Events, Audit Vault, Audit Data, Operating Systems / File Systems / Directories, Custom Audit Data, Reports, Alerts, Policies, Auditor, Security Manager)
Page 38
Database Security Considerations
3.0 Oracle Database Hardening – Oracle 11gR2
   3.1 User Accounts Security: General Best Practices
   3.2 Data Access from Non-Prod Databases
   3.3 Non-default Database Naming is in place
   3.4 Database Configuration Parameters
   3.5 Implement profiles to enforce user security and compliance
      3.5.1 Assign Profiles Appropriately
   3.6 Empty caches during database shutdown
   3.7 Storage is sufficient to prevent DoS attacks
   3.8 Users have appropriate privileges and tablespace quota
   3.9 Public access to sensitive packages has been removed
   3.10 Regularly review changes to database objects
   3.11 Production exports and backups are secure
   3.12 Large objects (LOBs) are stored securely
   3.13 Audit Java access to the O/S
   3.14 Oracle Text Option
4.0 Oracle Auditing
   4.1 Implement Auditing to Dedicated Tablespace
      4.1.1 Audit Tablespace Defined with ASSM
   4.2 Database auditing is configured appropriately
   4.3 Ensure Audit Information is Regularly Reviewed
   4.4 Ensure Audit Trail Records are Regularly Purged
5.0 Oracle Wallet Management for 11gR2
   5.1 Using Oracle Transparent Data Encryption
      5.1.1 Using Different Encryption Algorithms
      5.1.2 Encrypting External Tables
      5.1.3 Removing Encryption
      5.1.4 Tablespace Encryption
   5.2 Restricted Access to Oracle Wallets
   5.3 Wallet passwords and keys are cycled at regular intervals
   5.4 Oracle Wallets are configured optimally for RAC
Page 39
Cyber Security: Application Security
Page 40
Application Tier Security Considerations: Technology
Technology
Encryption – of traffic between the database and app server and of traffic between the web tier and app tier.
Auditing – monitoring of performance baselines and suspicious activity.
Patch Procedures – full technology stack patching every quarter. More aggressive patching of public-facing assets.
Access Controls – integration with controlled LDAP directories where possible. Adoption of least-required privileges.
Hardware Security Modules – adoption of HSM to lock down web and app tier traffic.
Dedicated, secure domains – Java container design to ensure no commonality between clients/apps/environments.
Mobile Security – ensure that mobile access points are locked down and accessed appropriately.
Page 41
Cyber Security: Wrapping Up
Page 42
Cyber Security: How can Cintra and STI Group help?
Assessment | Design & Planning | Configuration | Deployment | Management
Secure Database and Application Upgrades
Security Roadmap and Business Case
Detailed Secure Architecture Design
Secure Architecture Implementation
Secure Database Builds and Initial Migrations
Proactive 24x7 Database Support
Secure Data Migration Services
Encrypted RMAN Database Backups
Benchmarking of Encryption Overheads
Secure Monitoring Server
Encrypted Data Guard for DR Site Protection
Ongoing Hardware Support
Deployment of Centralized Auditing
Security Training
Ongoing Patching Support
Security Health Checks
Masking of Data for Non-Production
Quarterly Security Assessments
Page 43
What's Next: Database Security Assessment / Design
• Contact us today: [email protected]
• Assess the security of your current Database platform and identify any gaps
• Build a business case for a modern, secure Database architecture
• Maximize your investment in Oracle Software and adopt security options
• Establish a Cintra and STI Group partnership for expert Oracle architecture guidance
• Benefit from Security-Focused Proactive Expert 24x7 Managed Services Support