The Enablement of an Identity-Centric SOC in the Regulatory Rumba Era

Editor's Notes

• #2: IT professionals say their top concerns for adopting cloud are related to security As organizations transition from on premises to cloud, they are additionally challenged with maintaining a consistent security posture. Oracle believes a hybrid cloud approach can provide better security, Today, I want to explain how Oracle aligns people, process, and technology to provide better security across the computing stack   You will also hear about Oracle’s Cloud Security Services to protect users and drive digital transformations more securely and quickly.   Security is now a reason to move to the cloud!
• #3: Before presenting, make it clear that NOT all technologies identified are available for all cloud services
• #4: Talk about new world. We have to address various challenges: Protect apps and data in the cloud and on-premises – you need to protect across both environments, because gaps in security between environments opens your company to higher risk. All of the controls you have built up over many years in the on premise environment need to be extended into your cloud. For example if a person leaves your company you need to make sure their accounts are disabled both on premise, and in the cloud. If this is not done you open yourself up to high risk. Imagine a sales person continues to have access to their CRM account even after they have defected to the competition. 2. With users coming in through so many channels today - web browsers, mobile phones, tablets, watches. Access needs to be secured across all these channels. For example, Anna could have used her watch to complete the transaction she started on her mobile. 3. Manage access for customers, partners, and employees It’s not just employees that need access to your systems anymore – customers access your systems online, through their phones. A lot of breaches have been about partners not being properly managed – people have been pretty good about onboarding employees but they tend to be a lot weaker about third parties. 4. Security in addition to automation and management of access & identities. Traditionally, IDM has focussed on
• #11: Key Takeaway: Everyone knows SaaS adoption is increasing, but TONs of lift and shift workloads are also moving to PaaS and IaaS services These workloads need security and don’t want to have to re-write
• #12: A few weeks ago, many websites including the likes of Twitter, Netflix, GitHub and Airbnb, were brought down by a massive number of hijacked Internet-connected devices.. Our own IP-based home security cameras, video recorders and home routers were hijacked by a popular IoT botnet, and carried out a DDoS attack on a major DNS provider, bringing down our own business and consumer applications. That may sound like the script of a Hollywood movie, but the attack was very real. And it was one of the largest modern attacks affecting millions of users in the US.. carried out by exploiting IoT devices. Modern security attacks are unpredictable, hard to detect, and in most cases, don’t fit your classic traditional description of an attack that may be carried out by an intruder on your network. To begin with, many attacks today are not carried out by humans. Many are carried out by bots or hijacked IoT devices. Secondly, the attacks are not carried out within your traditional network perimeter. The attack could be on a DNS server your applications use… or your public-facing applications… or your cloud service provider. And finally, the attacks are not static. They can remain latent for days, waiting for the right opportunity to strike, and are pervasive, instead of affecting a handful of endpoints. Unfortunately, most enterprises rely on traditional Security Operations Centers (or SOCs) to defend themselves against threats. Traditional SOC’s are not designed to detect or respond to such modern attacks, leaving a number of enterprises vulnerable to attacks on applications, data and employee identities. In this modern environment, are you confident that your Identity Management investment is adequately protected by traditional SOCs?
• #15: Cloud Security Challenges Current market trends driving dissolution of network perimeter Users are everywhere, using unmanaged devices and connecting to on prem and cloud apps This has caused network edge solutions such as FW, IPS/IDS, Network Proxy no longer relevant Traditional network-centric security architectures are ineffective in securing the modern work environment where users and applications are everywhere
• #16: I am thrilled to introduce Oracle Identity SOC - the industry's first identity-centric framework for security operation centers. Customers are telling us they want a single pane of glass to manage security threats across their on premises and cloud environments the ability to do this across heterogeneous environments a suite of integrated solutions that work together, and not have to manage multiple solutions. A modern Identity SOC will incorporate threat intelligence feeds from a variety of sources. These feeds would be from a combination of open source and commercial feeds, including IP white/black listing, device reputation, known vulnerability databases, geolocation, and more. Threat intelligence is then imported into a SIEM that is integrated with a cloud access security broker and user behavior analytics. It will accomplish the requirements of an intelligence-driven SOC by spanning identity management across all of these planes. ---Response Automation--GRAPHIC Lastly, automation and incident response orchestration are critical elements that allow for complete closed loop governance. The vast expanses of alerts and data make it impractical for SOCs to rely on manual techniques for response. Automation is key; and an identity-centric SOC can leverage intelligence and human oversight where appropriate, to respond effectively to security incidents. This requires built-in forensic libraries, a flexible orchestration framework and integrations with investments made by the enterprise in incident management.   In addition to its industry leading Identity Management, that is now available in the Cloud, Oracle also offers services for SIEM, CASB, User Behavior Analytics, and Automated Incident Response. These services are the foundational enablers of an IdentitySOC. Now, lets take a deeper look at what makes up an Identity SOC and how Oracle is best suited to support every modern enterprise that is dealing with the challenges discussed earlier. 
• #17: Oracle offers a series of Security Cloud Services that help our customers detect, prevent, predict and respond to today’s challenges we spoke about. The Security Cloud Services also enable our customers to more securely and quickly adopt the Cloud. Oracle provides an integrated set of cloud services that tie together: [IDCS] Identities across systems, people and things (IoT) to help detect, protect and expedite response of security events [Cloud Access Security Broker} Application visibility and controls to understand sanctioned and unsanctioned applications, who uses them and the infrastructures they run on [SMA CS] Security monitoring and analytics that incorporates user behavior analytics and machine learning to enable automation of alert response [APIP CS] Secure software development that protect and give controls over API management; since APIs are where many vulnerabilities in applications are uncovered [CCS] Compliance services to ensure security best practices are adhered [Hybrid Data Security] Hybrid data protection to ensure comprehensive data visibility and protection At Oracle, we absolutely believe Security is now a reason to move to the cloud! The trusted Oracle Cloud and Oracle Security Cloud Services are here to help you
• #18: Growing use of AWS and no expertise in EXTENSIVE security controls required to set up, monitor and maintain a secure IaaS environment. Leveraging CASB Cloud Service to deploy secure and compliant environments, monitor those environments for risky behavior and mis-configuraiton and auto-remediate any violations. Products: CASB Cloud Service (Palerra LORIC). Using for monitoring AWS environments NOT Currently integrated for a complete Identity SOC, but enthusiastic about the concept. They have given an example of how knowing the identities of users will be paramount in the future: Spear phishing and malware – suffering First thing they started to do. Firewalls will trigger if malware detected if you are lucky. We need to correlate that outbound message with the fact that one of their executives is the one who clicked on it. In the past, you would have had a firewall rule that included the IP address or MAC address and with that you would start the forensic analysis. What happened, why? But now with user based analytics as part of an Identity SOC, now the SOC analyst can correlate the malware attack and who received it. You can now connect with the VP and lock down his laptop. This is the practical value of assigning the person to the requisite events that occurred to get an immediate response. Of course, execs are always easy targets. But for every time you save an exeutive, that’s a win. Identity from a data, network, device and application perspective so there are now personas you are taking on when doing your job. A correlation to who are you and why are you there. Levi’s is currently public on their use of Oracle CASB Cloud Service and enthusiastic about the integration for an Identity SOC solution.
• #21: As part of the evaluation phase, customers have identified sensitive data. Now customers need to apply security controls to prevent damage to databases from attacks. First control you apply is Encryption; Encryption applies to both data in motion using Network Encryption and Data-at-rest Encryption using Oracle Advanced Security Transparent Data Encryption. Transparent Data Encryption or TDE protects data if someone tries to read data directly at the operating system or file system level bypassing database controls. When customers deploy TDE for hundreds or thousands of databases, customers face operational and management challenges from proliferation of keys. Customers need to have a centralized key management solution to stream-line these. Oracle Key Vault is centralized key management solution that manages TDE master encryption keys, it can also manage Oracle wallets, Java keystores, ACFS master file encryption keys, it can manage MySQL TDE master keys as well. Encryption locks the back-door access to sensitive data, next step is to protect the front-door. Front-door is where privileged users access the data in databases. Customers need to apply security controls to restrict privileged users access to application data using Database Vault. After encryption and privileged user controls, you need to implement data access controls for application users using row and column level controls along with data redaction. Redaction allows applications to hide or obfuscate sensitive data like SSN or credit card numbers. (Data Redaction is also known as Dynamic data masking in the industry) All the above controls protects data in a production environment, but how do you limit sensitive data exposure when customers move sensitive data to test/dev/partner sites. Customers mitigate this risk with Oracle Data Masking and Subsetting technology.
• #22: -Oracle Audit Vault and Database Firewall provides a first line of defense for databases and consolidates audit data from databases, operating systems, and directories. -A highly accurate SQL grammar-based technology in the Database Firewall monitors and blocks unauthorized SQL traffic before it reaches the database. Information from the network is combined with detailed audit information for easy compliance reporting and alerting. -Oracle Audit Vault and Database Firewall, enables easy implementation of security controls for DBs, and operating systems Features: Database Firewall - Monitoring Information Who, what, where, when Data Sources Network Impact on database Completely independent, negligible performance impact Purpose Prevent SQL-injections and other unauthorized activity, enforce corporate data security policy Audit Vault – Auditing Information Who, what, where, when; Before/After values; Full execution and application context Data Sources All: Audit logs, stored procedures, direct connections, scheduled jobs, operational activities Impact on database Requires native database auditing, minimal performance impact (<5%) Purpose Ensure regulatory compliance, provide guaranteed audit trail to enable control Supported platforms- DBs Oracle, SQL Server, MySql, etc OS – Linux, Solaris, Windows Server etc…
• #23: Security is the most important requirement for cloud customers. Security and availability of keys Keys securely stored and protected Inaccessible by cloud administrators Keys are highly available Customer control of keys Keys can be deleted by customers to remove their data from cloud On-premise control by customers Data is encrypted by default in the Oracle Cloud Databases using Transparent Data Encryption You can use Oracle Key Vault on-premise to centrally collect, manager, and control the encryption keys for both on-prem and cloud databases Data Masking and Subsetting helps to mask and subset data for test, dev, and partner environments on-premise or in the cloud You can restrict Database Administrative access to the sensitive information using Database Vault You can centrally collect, manage, and control database audit activity on-premise using Audit Vault Database security policies are transparently migrated during Database lift and shift operations using Pluggable databases In hybrid cloud deployments, the on-premise Oracle Audit Vault Server (AV Server) collects audit data from both on-premise and Oracle Database Cloud Service (DBCS) instances. On-premise agents retrieve audit data from the DBCS instances over encrypted channels, and then transfer it to the on-premise AV Server. Appropriate port on the DBCS instance needs to be open, but no other networking changes are needed on premise side. Utilizing the same AV Server for both DBCS and on-premise database instances makes it easier to ensure that the same audit policies have been applied across all database instances. Similarly, existing alert configurations and data retention polices can be utilized for cloud ones. Thus the same resources can be utilized for configuration and maintenance tasks across on-premise and cloud.
• #25: 24
• #26: Key Takeaways: Learn more about Oracle Cloud Security and how we can help you Join a local Breakout Sessions Request a Security Assessment with your local sales team Updated Oracle.com/security page