Securing Citizen Facing Applications

  • View
    608

  • Download
    2

Embed Size (px)

DESCRIPTION

Open World Security Panel

Text of Securing Citizen Facing Applications

  • 1. Securing Citizen Facing Applications Moderated byTimothy Davis Oracle Enterprise Architect Board Member

2. Agenda

  • Introductions
    • Security EA Panel and Topic Positioning
  • 4 Compelling EA Security Issues
  • Architect Response
    • Key Shareable Artifacts, Lessons Learned
  • Audience 10 minutes of Q & A

3. Todays Panel Edwin Lorenzana, Enterprise Security Architect, City of Boston Hayri Tarhan, Oracle Enterprise Security Specialist Architect Timothy Davis, Oracle Enterprise Architect Board Member Jeremy Forman, Oracle Enterprise Architect CISSP Certified Professional Marc Chanliau, Director, Identity Management Development 4. What are Secure Citizen Facing Applications? 5. Citizens More Sophisticated Higher Costs Than Ever It Adds Up Government 2.0

  • Citizen Self Service
  • Demand for Government Transparency
  • Need for Citizen Context Across the Enterprise

Source: IT Policy Compliance Group, 2007.

  • Sophistication of Attacks
  • Stolen Credentialsand Identities
  • Compliance and Remediation Costs
  • Security Breach Remediation Costs

$ 6. More breaches than ever Data Breach Once exposed, the data is out there the bell cant be un-rung PUBLICLY REPORTED DATA BREACHES Total Personally Identifying Information Records Exposed (Millions) Source: DataLossDB, Ponemon Institute, 2009 Average cost of a data breach $202 per record Average total cost exceeds $6.6 million per breach 630%Increase 7. More threats than ever 70% attacks originate inside the firewall 90% attacks perpetrated by employees with privileged access 8. Issue #1: Are the business and application owners involved in the security decision making process?Or is it the technology organization? This slide is notto be displayed Panelist Question Jeremy Forman

  • Are the business and application owners involved in the security decision making process?Or is it the technology organization?
  • Follow-up : What is the challenge to deliver and why is it so hard to do?
  • Discussion Points:
  • Complexity across Four Dimensions
  • Segregation of Duties
  • Data Protection
  • Cost of Compliance
  • e-Discovery
  • How do we enable Business/Application Owners to be involved in the process?
        • FEAF
          • Govern
          • Maintain
          • Communicate
          • Measure
        • EA Benefits to IdM
          • Reduced Business Risk
          • Reduced Security Breaches

Edwin Lorenzana

  • What personally have you seen as lessons learned to get the business on-board towards EA Security Model?

9. Issue #1: Are the business and application owners involved in the security decision making process?Or is it the technology organization? Why? Todays New Normal Users, Systems, Globalization and Compliance Forced Complexity ITGovernance EMR/HIE Service Level Compliance Financial Reporting Compliance Compliance & Ethics Programs AuditManagement Data Privacy Records Retention Legal Discovery CJIS AppsServer DataWarehouse Database Mainframes Mobile Devices Enterprise Applications Systems Globalization Users Legal Taxation HR PublicSafety Partners Citizens Healthcare EPA Mandates MFIPPA FOIPPA FDA FISMA NIST HIPAA FDA PCI Patriot Act SB1386 10. Copyright 2008, Oracle and/or its affiliates. All rights reserved.Monitoring and Configuration Enterprise Visibility Automated Controls Security for Applications, Middleware, Data & Infrastructure Comprehensive Defense in Depth ApproachPolicy Enforcement Database & Infrastructure Middleware Applications Access to Business Services Lower Cost of User Lifecycle Data Protection and Privacy Virtualization 11. Oracle Architect Development Process for Security Architecture Phase Input Output Architecture Vision

  • Regulations
  • Security Policies
  • Responsibilities
  • Architecture Checkpoints
  • Security Statements
  • Compliance Standards

Current State Architecture

  • Threat & Risk Analysis
  • Business Policies
  • Identified Risks
  • Information Classification

Future State Architecture

  • Identified Risks
  • List of Relevant Regulations
  • Information Classification
  • GRC Strategy
  • Security Reference Architecture
  • Data Governance Strategy

Strategic Roadmap

  • Security Reference Architecture
  • Data Governance Strategy
  • GRC Plan
  • Data Governance Plan
  • Validated Processes

EA Governance

  • Continuous Audit of Security: Design, Implementation, & Operations

Business Case

  • Identify Reusable Security Services
  • What can go wrong?

12. Issue #2: Major issues around proofing and identifying citizens access to systems? This slide is notto be displayed Panelist Question Hayri Tarhan

  • What are some of the challenges and issues around proofing and identifying citizens for access to systems?
  • Follow-up:
  • How do the various departments of a government come to agreement on the attributes and data points used to proof users, employees, contractors, etc.?
  • What are the perils of not addressing this challenge holistically?
  • Key Concepts to hit on:
  • 1.Discuss how Oracle can map business security requirements back to 800-53
  • 2.Identity proofing standards
  • 3.Virtualizing directories

Marc or Edwin 13. Issue #2: Major issues around proofing and identifying citizens access to systems? Virtual Attribute AuthorityInternal Apps Virtual Attribute Authority Rules Virtual Identities Hierarchies, Mappings Directories Databases Proprietary Identity Attributes Applications 14. Issue #3: How can you meet FISMAs different levels of authentication and identification? This slide is notto be displayed Panelists:These are the questions I will be asking, and the primary respondent.The primary respondent should take from 1 to 5 minutes answering in as much detail as he wishes.When the primary respondent has finished, other panelist may make additional comments of 1 minute or less. Panelist Question Hayri Tarhan

  • How can you Local Governments and the Feds meet FISMAs different levels of authentication and identification?
  • Follow-up:
  • Why is would governments look at risk-based authentication solutions over hard tokens, which have been prevalent for quite some time?
  • Key Concepts to hit on:
  • 1. Explain the business value of NIST 800-53 levels
  • 2. Multi-factor solutions to facilitate:
    • a.Step-up
    • b.Risk Based
    • c.Soft 2 ndFactor

Jeremy Forman

  • What sorts of success have you seen regarding implementing NIST controls for State & Local Governments ?

15. Risk-based Access Control Device Geography Time Activity Secure Mutual Authentication Risk-Based Authorization Risk Scoring Issue #3: How can you meet FISMAs different levels of authentication and identification? Virtual Attribute Authority Rules Virtual Identities Hierarchies, Mappings

  • NIST 800-63 2 ndFactors
  • IP Address
  • Domain/Subnet
  • Browser Config
  • Location
  • Time

16. Issue #4: Is a centralized or decentralized approach to authentication and authorization the more feasible approach? Panelists:These are the questions I will be asking, and the primary respondent.The primary respondent should take from 1 to 5 minutes answering in as much detail as he wishes.When the primary respondent has finished, other panelist may make additional comments of 1 minute or less. This slide is notto be displayed Panelist Question Edwin Lorenzana Is a centralized or decentralized approach to authentication and authorization the more feasible approach? Follow-up :How would a quasi-public/private sector model work for a composite ID? Discussion Points: Composite Ids Who owns the Composite ID, who controls it and who contributes to it? Explain Core, Context and Balance of Identities in the Public Sector Hayri Tarhan

  • What personally have you seen as lessons learned to get the business on-board to a Centralized vs. Federated Security Model?

17. Issue #4: Is a centralized or decentralized approach to authentication and authorization the more feasible approach? Identity Mgmt Future State Ar