Oracle Database Security Diagnostic Service
- 1. <Insert Picture Here> Oracle WE Technology Consulting Database Security Diagnostic Service
- 2. Database Security Diagnostic Service Why ? • Today, organizations increasingly store sensitive data, customer and employee information, strategic plans, research, etc. Keeping this information is a must and an obligation, even to be required by law (LOPD, SOX) • As important as the best protection of data against unauthorized access, is to have the ability to detect unauthorized accesses if they occur. In short, having the security level that allows me to answer questions such as: Who has access to protected data through Information Systems? When ? What data ? 2
- 3. Database Security Diagnostic Service What is it? • The Database Security Diagnostic is a service designed to provide high value in a short time • This service is complementary to other more large term Security Diagnostic (Systems, Communications, Data Protection Act, ISO 27001, etc.). • Identifies the vulnerabilities of the layer closest to the data: the engine of Oracle's Database. • Proposed corrective measures from the almost immediate implementation to others that require a defined action plan as part of the service. 3
- 4. Database Security Diagnostic Service Where are we? • Do I Base Security on Trust and not Facts? • What can I answer if my manager or Director asks me what extent is my system safe ? • How many “back doors" have my system ? • Do I know my system vulnerabilities before the attackers ? • Do I know how to resolve these vulnerabilities ? 4
- 5. Database Security Diagnostic Service Goals • Main goals of the Database Security Diagnostic: Verification that the security measures implemented in the Oracle database meet the needs of integrity, confidentiality and availability of Customer’s information. Verification of compliance of safety measures to the applicable regulations. Identification of the deviation between current and desired situation. 5
- 6. Database Security Diagnostic Service Scope • Database Security Diagnostic focuses on the database in a specific and concrete form. • The Database Security Diagnostic is developed on the following areas: System configuration. Users identification and authentication. Access control measures (monitoring and auditing). Confidentiality and integrity. Security policies, rules and procedures. Applicable law and standards. 6
- 7. Using our best practices and standards, our experts will conduct an assessment of the security of their Oracle systems and provide a report with concrete proposals for improvement, to support the organization in implementing the measures necessary to achieve the goal of “Organization Protected" 7
- 8. Database Security Diagnostic Service Methodology 2. Meetings, Questionnaires and 3. Information Analysis and 1. Presentation and Service Scope Document Preparation Scripts Critically Assets Risk Analysis Diagnostic Technical Qualification We analyze and Planning Presentation DB/OS Scripts Draft Document 4. Document Validation by Customer Final Diagnostic Document: Meeting to get information Resolve doubts -Scorecard Risk Analysis and other -Description of Main Vulnerabilities information -Details of all identified Vulnerabilities -Assessment and -Recommendations -Level of Compliance with Regulation Continuous Improvement Process -Deployment Proposal for Corrective Measures 7. Implementation Security Measures Customer validates the document and we (NOT included in service) modified it if necessary 6. Result Presentation to High Level 5. Document Delivery Deliver it to Different Areas 8
- 9. Database Security Diagnostic Service Deliverables Database Security Diagnostic results: Risk measures Current status Checkpoint analyzed Integrity Integridad 30 Alto High Lacks and vulnerabilities Medio Med 20 Regulatory compliance Low Bajo Propose recommendations 10 Project Proyecto 0 Confidentiality Confidencialidad Disponibilidad Availability Improvement actions Riesgo Global Estimado Global estimated risk 30 10 20 Nivel de Risk level Riesgo 10 0 1 9
- 10. Security Diagnostic Service Deliverables • The effort (thus cost) of the service will be based on customer ‘dimensions’, however a standard approach for only one database has been created: Approach Deliverables Estimate level Questionnaire of Criticality Assessment Questionnaire of Technological Qualification Final Diagnostic Document (between 50 and 70 pages) Scorecard Risk Analysis One Database Description of the Main Vulnerabilities Identified 15 days Details of all identified Vulnerabilities Assessment and Recommendations of corrective measures based on specific solutions for each of the identified vulnerabilities Level of Compliance with Regulation And Deployment Proposal for Corrective Measures Result Presentation to High Level (Depend of Audience Technical or not) 10
- 11. Database Security Diagnostic Service Advantages • Delivered using a complete methodology, including a set of tools: Risk analysis model Document templates Automated tools for risk calculation Technical scripts (PL/SQL) Commercial tools (vulnerability scanners) • Provides a critical view of security risks and needs of your Database 11