Securing Citizen Facing Applications

Open World Security Panel

  1. Securing Citizen Facing Applications. Moderated by Timothy Davis, Oracle Enterprise Architect Board Member.
  2. Agenda
     - Introductions
       - Security EA Panel and Topic Positioning
     - 4 Compelling EA Security Issues
     - Architect Response
       - Key Shareable Artifacts, Lessons Learned
     - Audience: 10 minutes of Q & A
  3. Today's Panel
     - Edwin Lorenzana, Enterprise Security Architect, City of Boston
     - Hayri Tarhan, Oracle Enterprise Security Specialist Architect
     - Timothy Davis, Oracle Enterprise Architect Board Member
     - Jeremy Forman, Oracle Enterprise Architect, CISSP Certified Professional
     - Marc Chanliau, Director, Identity Management Development
  4. What are Secure Citizen Facing Applications?
  5. Citizens More Sophisticated … Higher Costs Than Ever… It Adds Up
     Government 2.0:
     - Citizen Self Service
     - Demand for Government Transparency
     - Need for Citizen Context Across the Enterprise
     Higher costs ($):
     - Sophistication of Attacks
     - Stolen Credentials and Identities
     - Compliance and Remediation Costs
     - Security Breach Remediation Costs
     Source: IT Policy Compliance Group, 2007.
  6. More breaches than ever… Data Breach: once exposed, the data is out there – the bell can't be un-rung.
     Chart: Publicly Reported Data Breaches, total personally identifying information records exposed (millions), a 630% increase. Source: DataLossDB, Ponemon Institute, 2009.
     Average cost of a data breach: $202 per record. Average total cost exceeds $6.6 million per breach.
  7. More threats than ever… 70% of attacks originate inside the firewall; 90% of attacks are perpetrated by employees with privileged access.
  8. Issue #1: Are the business and application owners involved in the security decision making process? Or is it the technology organization?
     (Speaker notes; this slide is not to be displayed.)
     Panelist question for Jeremy Forman:
     - Are the business and application owners involved in the security decision making process? Or is it the technology organization?
     - Follow-up: What is the challenge to deliver and why is it so hard to do?
     - Discussion points:
       - Complexity across Four Dimensions
       - Segregation of Duties
       - Data Protection
       - Cost of Compliance
       - e-Discovery
       - How do we enable Business/Application Owners to be involved in the process?
         - FEAF: Govern, Maintain, Communicate, Measure
         - EA Benefits to IdM: Reduced Business Risk, Reduced Security Breaches
     Edwin Lorenzana:
     - What personally have you seen as lessons learned to get the business on board with an EA Security Model?
  9. Issue #1: Are the business and application owners involved in the security decision making process? Or is it the technology organization?
     Why? Today's "New Normal": Users, Systems, Globalization and Compliance have forced complexity (diagram):
     - Compliance: IT Governance, EMR/HIE, Service Level Compliance, Financial Reporting Compliance, Compliance & Ethics Programs, Audit Management, Data Privacy, Records Retention, Legal Discovery, CJIS
     - Systems: Apps Server, Data Warehouse, Database, Mainframes, Mobile Devices, Enterprise Applications
     - Users: Legal, Taxation, HR, Public Safety, Partners, Citizens, Healthcare
     - Globalization and mandates: EPA Mandates, MFIPPA, FOIPPA, FDA, FISMA, NIST, HIPAA, PCI…, Patriot Act, SB1386
  10. Copyright © 2008, Oracle and/or its affiliates. All rights reserved.
     Comprehensive 'Defense in Depth' Approach: Security for Applications, Middleware, Data & Infrastructure (diagram).
     - Applications, Middleware, Database & Infrastructure
     - Monitoring and Configuration, Enterprise Visibility, Automated Controls, Policy Enforcement
     - Access to Business Services, Lower Cost of User Lifecycle, Data Protection and Privacy, Virtualization
  11. Oracle Architect Development Process for Security Architecture (phase: input; output)
     - Architecture Vision: input Regulations, Security Policies, Responsibilities; output Architecture Checkpoints, Security Statements, Compliance Standards
     - Current State Architecture: input Threat & Risk Analysis, Business Policies; output Identified Risks, Information Classification
     - Future State Architecture: input Identified Risks, List of Relevant Regulations, Information Classification; output GRC Strategy, Security Reference Architecture, Data Governance Strategy
     - Strategic Roadmap: input Security Reference Architecture, Data Governance Strategy; output GRC Plan, Data Governance Plan, Validated Processes
     - EA Governance: Continuous Audit of Security: Design, Implementation, & Operations
     - Business Case: Identify Reusable Security Services; What can go wrong?
  12. Issue #2: What are the major issues around proofing and identifying citizens' access to systems?
     (Speaker notes; this slide is not to be displayed.)
     Panelist question for Hayri Tarhan:
     - What are some of the challenges and issues around proofing and identifying citizens for access to systems?
     - Follow-up:
       - How do the various departments of a government come to agreement on the attributes and data points used to proof users, employees, contractors, etc.?
       - What are the perils of not addressing this challenge holistically?
     - Key concepts to hit on:
       1. Discuss how Oracle can map business security requirements back to 800-53
       2. Identity proofing standards
       3. Virtualizing directories
     Marc or Edwin.
  13. Issue #2: What are the major issues around proofing and identifying citizens' access to systems?
     Virtual Attribute Authority (diagram):
     - Sources: Directories, Databases, Proprietary Identity Attributes
     - Virtual Attribute Authority: Rules; Hierarchies, Mappings; Virtual Identities
     - Consumers: Internal Apps, Applications
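The virtual attribute authority sketched on slide 13 (rules, hierarchies/mappings and virtual identities over directories, databases and proprietary stores) as an added example in Python; this is illustrative code, not from the slides or any Oracle product. Store names, attribute names, join keys, authority order and all records are constructed assumptions, and the `conflicts` function shows the source disagreements that slide 12's "perils" question is about.

```python
# Added example (not from the slides or any Oracle product): a minimal virtual
# attribute authority merging several stores via mapping, join and authority rules.

# Constructed backing stores (sample data), each keyed by its own identifier.
DIRECTORY = {"jdoe": {"uid": "jdoe", "cn": "Jane Doe",
                      "mail": "jdoe@city.example", "dept": "Public Safety"}}
HR_DB = {"10042": {"employee_id": "10042", "full_name": "Jane M. Doe",
                   "status": "active", "clearance": "CJIS"}}
APP_STORE = {"jdoe": {"login": "jdoe", "role": "dispatcher", "dept": "Dispatch"}}
STORES = {"directory": DIRECTORY, "hr": HR_DB, "app": APP_STORE}

# Mapping rules: (source, source attribute) -> virtual attribute; unmapped
# attributes are never exposed to consuming applications.
MAPPINGS = {("directory", "uid"): "username", ("directory", "cn"): "display_name",
            ("directory", "mail"): "email", ("directory", "dept"): "department",
            ("hr", "employee_id"): "employee_id", ("hr", "full_name"): "display_name",
            ("hr", "status"): "status", ("hr", "clearance"): "clearance",
            ("app", "login"): "username", ("app", "role"): "role",
            ("app", "dept"): "department"}
# Authority rules: for a conflicting attribute the first listed source wins.
AUTHORITY = {"display_name": ["hr", "directory"], "department": ["directory", "app"]}
DEFAULT_ORDER = ["hr", "directory", "app"]
# Hierarchy/join rules: how a virtual identity resolves to a key in each store.
JOIN = {"jdoe": {"directory": "jdoe", "hr": "10042", "app": "jdoe"}}

def _candidates(key):
    """Collect {virtual attribute: {source: value}} for `key` across stores."""
    candidates = {}
    for source, store_key in JOIN.get(key, {}).items():
        record = STORES[source].get(store_key)
        if record is None:
            continue  # one store lacking a record must not fail the lookup
        for attr, value in record.items():
            vattr = MAPPINGS.get((source, attr))
            if vattr is not None:
                candidates.setdefault(vattr, {})[source] = value
    return candidates

def virtual_identity(key):
    """Return the merged virtual identity for `key` ({} if unknown)."""
    identity = {}
    for vattr, by_source in _candidates(key).items():
        for source in AUTHORITY.get(vattr, DEFAULT_ORDER):
            if source in by_source:
                identity[vattr] = by_source[source]
                break
    return identity

def conflicts(key):
    """Virtual attributes whose sources disagree: input to reconciliation."""
    return {v: s for v, s in _candidates(key).items() if len(set(s.values())) > 1}
```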
  14. Issue #3: How can you meet FISMA's different levels of authentication and identification?
     (Speaker notes; this slide is not to be displayed.)
     Panelists: These are the questions I will be asking, and the primary respondent. The primary respondent should take from 1 to 5 minutes answering in as much detail as he wishes. When the primary respondent has finished, other panelists may make additional comments of 1 minute or less.
     Panelist question for Hayri Tarhan:
     - How can Local Governments and the Feds meet FISMA's different levels of authentication and identification?
     - Follow-up: Why would governments look at risk-based authentication solutions over hard tokens, which have been prevalent for quite some time?
     - Key concepts to hit on:
       1. Explain the business value of NIST 800-53 levels
       2. Multi-factor solutions to facilitate:
          a. Step-up
          b. Risk Based
          c. Soft 2nd Factor
     Jeremy Forman:
     - What sorts of success have you seen regarding implementing NIST controls for State & Local Governments?
  15. Issue #3: How can you meet FISMA's different levels of authentication and identification?
     Risk-based Access Control (diagram):
     - Risk Scoring on Device, Geography, Time, Activity
     - Secure Mutual Authentication; Risk-Based Authorization
     - NIST 800-63 2nd Factors: IP Address, Domain/Subnet, Browser Config, Location, Time…
     - Virtual Attribute Authority: Rules, Virtual Identities, Hierarchies, Mappings
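The risk-based access control of slides 14 and 15 (risk scoring on device, geography, time and activity, with step-up to a second factor) as an added Python example; this is illustrative code, not from the slides or any Oracle product. The signal weights, the step-up and deny thresholds, the profile fields and all sample attempts are constructed assumptions.

```python
# Added example (not from the slides or any Oracle product): a toy risk scorer
# for risk-based access control that weighs the contextual signals the slide
# lists (device, IP/subnet, geography, time, activity) against a user's profile
# and maps the score to allow / step-up (second factor) / deny. Weights,
# thresholds and all sample data are assumptions for illustration.
from datetime import datetime
from ipaddress import ip_address, ip_network

WEIGHTS = {"new_device": 30, "off_network": 20, "new_country": 35,
           "off_hours": 10, "sensitive_activity": 30}
STEP_UP_AT, DENY_AT = 30, 70  # assumed score thresholds

def score_attempt(profile, attempt):
    """Return (score, triggered signals) for one login attempt."""
    reasons = []
    if attempt["device_fingerprint"] not in profile["known_devices"]:
        reasons.append("new_device")  # unknown browser/device configuration
    if not any(ip_address(attempt["ip"]) in ip_network(n) for n in profile["trusted_subnets"]):
        reasons.append("off_network")  # outside the trusted domain/subnet
    if attempt["country"] not in profile["usual_countries"]:
        reasons.append("new_country")  # unusual geography
    start, end = profile["usual_hours"]
    if not start <= datetime.fromisoformat(attempt["time"]).hour < end:
        reasons.append("off_hours")
    if attempt["activity"] in profile["sensitive_activities"]:
        reasons.append("sensitive_activity")  # transaction raises required assurance
    return sum(WEIGHTS[r] for r in reasons), reasons

def decide(profile, attempt):
    """Map the risk score to a decision: allow, step_up (require 2nd factor) or deny."""
    score, reasons = score_attempt(profile, attempt)
    decision = "deny" if score >= DENY_AT else "step_up" if score >= STEP_UP_AT else "allow"
    return decision, score, reasons

# Constructed sample profile and login attempts.
PROFILE = {"known_devices": {"fp-a1b2"}, "trusted_subnets": ["10.20.0.0/16"],
           "usual_countries": {"US"}, "usual_hours": (7, 19),
           "sensitive_activities": {"change_bank_account", "view_tax_record"}}
USUAL = {"device_fingerprint": "fp-a1b2", "ip": "10.20.5.7", "country": "US",
         "time": "2009-10-12T10:30:00", "activity": "view_permit_status"}
NEW_DEVICE_FROM_HOME = dict(USUAL, device_fingerprint="fp-9f9f", ip="198.51.100.4")
ANOMALOUS = {"device_fingerprint": "fp-9f9f", "ip": "203.0.113.9", "country": "CA",
             "time": "2009-10-12T03:15:00", "activity": "change_bank_account"}

if __name__ == "__main__":
    for name, attempt in [("usual", USUAL), ("new device", NEW_DEVICE_FROM_HOME),
                          ("anomalous", ANOMALOUS)]:
        print(name, decide(PROFILE, attempt))
```

A known device on the trusted subnet passes silently, a new device from an untrusted network is asked for a second factor, and the anomalous attempt is refused outright.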
  16. Issue #4: Is a centralized or decentralized approach to authentication and authorization the more feasible approach?
     (Speaker notes; this slide is not to be displayed.)
     Panelist question for Edwin Lorenzana:
     - Is a centralized or decentralized approach to authentication and authorization the more feasible approach?
     - Follow-up: How would a quasi-public/private sector model work for a composite ID?
     - Discussion points:
       - Composite IDs: who owns the Composite ID, who controls it and who contributes to it?
       - Explain Core, Context and Balance of Identities in the Public Sector
     Hayri Tarhan:
     - What personally have you seen as lessons learned to get the business on board with a Centralized vs. Federated Security Model?
  17. Issue #4: Is a centralized or decentralized approach to authentication and authorization the more feasible approach?
     Identity Mgmt Future State Architecture (diagram).
  18. To Learn More: Enterprise Architecture with Oracle
     - People
       - Join our EA community – visit the Oracle Technology Network (OTN) Architect Center on oracle.com
       - Blog with our architects at blogs.oracle.com
       - Attend an Oracle EA Roundtable
     - Process
       - Learn more about Oracle's EA processes and technology best practices with our TOGAF-based architectural methodology
     - Portfolio
       - Make use of EA resources: reference architectures, planning tools, information
     Oracle Enterprise Architecture Framework: Business Architecture, Application Architecture, Information Architecture, Technology Architecture, EA Repository.
  19. Wrap up: Guidance to Security Architects
     (Speaker notes; this slide is not to be displayed.)
     - Edwin Lorenzana: Federated Identities are the only way "politically" you can holistically implement EA Security
     - Hayri Tarhan: Organizations need to treat identity as a service vs. hard coding security
     - Marc Chanliau: Database Security – defense in depth
     - Jeremy Forman: To Recommend Security Health Checks
  20. A final question to our panel: Guidance to Security Architects? Edwin Lorenzana, Hayri Tarhan, Jeremy Forman, Timothy Davis, Marc Chanliau
  21. Questions & Answers
  22. Thank You