Copyright © 2016 Oracle and/or its affiliates. All rights reserved. | Securing Your Enterprise Anatomy of a Breach Scott Grykowski Director, Public Sector Security Sales Consulting

CA Tech Forum 16 presentation - The Efficiency of Identity Access Management by Scott Grykowski


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Mobile Devices

Security

Transformation

Online Services

Mobile Users

Identity Management

Web Services Content Sharing

Exponential Growth of Data

Regulations & Compliance

External Threats

MOST SIGNIFICANT

IN

Cloud Computing


California Breach Report – Feb 2016

In the past four years, the CA Attorney General has reported:

• 657 data breaches

• Affecting over 49 million records of Californians

• In 2015, 178 breaches put over 24 million records at risk

– Three in five Californians were victims of a data breach in 2015 alone.

• Malware and hacking present the greatest threat, both in the number of breaches (365, 54%) and the number of records breached (44.6 million, 90%)

• Physical breaches, resulting from theft or loss of unencrypted data on electronic devices, came in a distant second – 17% of breaches in 2015

• Breaches caused by errors, predominantly misdelivery and inadvertent exposure on the public Internet, were a close third, and have held steady at around 17%


Source: https://oag.ca.gov/breachreport2016


CA State Auditor: High Risk Update - InfoSec 2015

• Many reporting entities do not have sufficient information security controls

– Most reporting entities that responded to the survey indicated that they had yet to achieve full compliance with the security standards.

• 37 of the 41 reporting entities that self-certified to the technology department that they were in compliance with the security standards in 2014, indicated in our survey that they had not actually achieved full compliance in 2014.

• 40% of the reporting entities certified in 2014 that they were not fully compliant, yet the technology department had not established a process to perform follow-up activities with these entities

• More than half of the entities that responded to our survey indicated that the technology department's guidance for complying with security standards was insufficient


Source: https://www.bsa.ca.gov/pdfs/reports/2015-611.pdf


Over 700 Million Records Breached in 2015


Frequency of incident classification patterns over time across security incidents

Attackers are able to compromise an organization within minutes

81%

More than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing

69%

2016


SECURING PEOPLE, DEVICES & DATA

Excessive Access

External Hacktivists

Stolen Data

Regulatory Compliance

International Espionage


Social Engineering

Denial of Service

Sophisticated Attacks

Data Theft

Loss to Business

Impacts Reputation

Privilege Abuse

Curiosity

Leakage

From Mistakes to Malicious

Source: Adapted from Kuppinger Cole Presentation, March 2013

Mistakes

Accidental deletes

Unauthorized disclosures


Misuse

Malicious


Criminal

Download malware

Phishing attack

XSS or SQL injection attacks

Anatomy of a Data Breach: Starts with a phishing scam

Command and control


Establish multiple backdoors

Dump passwords Domain controller

Anatomy of a Data Breach: Establish a foothold


Anatomy of a Data Breach: Identify targets, probe for weaknesses

Attack databases, usually using valid, privileged accounts


Exfiltrate data via staging server

Anywhere in the world

Anatomy of a Data Breach: Exfiltrate data and cover tracks


Anatomy of a Data Breach: Entry Points for an Attack

Network, Server, Storage, Database, Backups & Exports, Application


Defense in Depth Security Strategy

[Figure labels: Policies and Procedures; Physical Security; Encryption; Masking; Redaction; Auditing; Configuration Management; Privileged User Controls; Virtual Separation; Mobile Containerization; Identity Management; Database Firewall; Intelligent Monitoring; Threat paths; Data]


ENTERPRISE MOBILE CLOUD

IDENTITY

MANAGEMENT

DIRECTORY

GOVERNANCE

ACCESS


MANAGEMENT

IDENTITY FEDERATION

EXTERNAL AUTHORIZATION

ENTERPRISE & WEB SINGLE

SIGN-ON

MOBILE & SOCIAL SIGN-ON

FRAUD DETECTION

EMPLOYEES CONTRACTORS

& PARTNERS

CUSTOMERS

& PROSPECTS


APPS

APPS

GOVERNANCE

APPS

COMMON REPOSITORY

COMPLETE GOVERNANCE

OPERATING

SYSTEMS

DIRECTORY

SERVICES

ENTERPRISE

APPLICATIONS

DATABASES

ACCESS

ENTITLEMENT

CATALOG

Cloud

Applications/

Services

CUSTOMERS

& PROSPECTS

CONTRACTORS

& PARTNERS

ADMINS

EMPLOYEES

PRIVILEGED

SYSTEMS

EMPLOYEES

Automate and Identify Who Has Access to What


SERVICES

USER

AUTHENTICATION

LOCATION

DATA

EXTREME

SCALE

LOW

TCO

INTEGRATED

INTEROPERABLE

DEVICE

AUTHN

NAMING

SERVICES

HOST

ACCESS

CONTROL

APP

THOUSANDS MILLIONS BILLIONS 10s of BILLIONS


Oracle Public Cloud

Apps

Customer Use Case: Cloud SSO

Apps

Customer On-Premise

Oracle IAM or AD

Apps

Synchronized

IDCS

ID Bridge

Cloud applications


GOVERNANCE

MANAGEMENT

SERVICES

USER

AUTHENTICATION

LOCATION

DATA

EXTREME

SCALE

LOW

TCO

INTEGRATED

INTEROPERABLE

DEVICE

AUTHN

NAMING

SERVICES

HOST

ACCESS

CONTROL

APP

THOUSANDS MILLIONS BILLIONS 10s of BILLIONS

VIRTUAL DIRECTORY

META DIRECTORY

LDAP DIRECTORY

IDENTITY FEDERATION

EXTERNAL AUTHORIZATION

ENTERPRISE & WEB SINGLE

SIGN-ON

MOBILE & SOCIAL SIGN-ON

FRAUD DETECTION

EMPLOYEES CONTRACTORS

& PARTNERS

CUSTOMERS

& PROSPECTS

OPERATING

SYSTEMS

DIRECTORY

SERVICES

APPS

APPLICATIONS

COMMON REPOSITORY

DATABASES SINGLE

USER

VIEW

ACCESS

REQUEST

ENTITLEMENT

CATALOG PRIVILEGED

ACCOUNT

MANAGEMENT

ACCESS

CERTIFICATION

PRIVILEGED ACCOUNTS

USER PROVISIONING

CERTIFICATION REVIEW

ACCESS REQUEST

INTEGRATED PLATFORM


Critical Security Strategy

• Use Defense-in-Depth for Maximum Security

– Administrative Controls

– Preventive Controls

– Detective Controls

• Don’t let perfection stand in the way of progress

– Look for incremental steps to reduce risk

– Do not accept the status quo – “business as usual” is not an option
