SECURITY INSIDE OUT: ENSURING COST-EFFECTIVE SECURITY AND COMPLIANCE
© 2009 Oracle and IDG Global Solutions. All Rights Reserved.

EXECUTIVE SUMMARY

Information security has become a top priority for any CIO today. The need for businesses to share information, deliver higher-value services and differentiate their offerings without exposing critical data to increasingly sophisticated and frequent threats has made it a pressing business issue, propelling the task of addressing it to board level.

In the current environment a security breach has the potential to impact a business's bottom line, damaging its reputation, customer loyalty and profitability. "Here's the primary reason we believe IT risk is a concern for LOB executives: the many public and painful disclosures, especially security breaches that have dramatically affected brand image and the financial health of many public companies. IT risk, specifically data security, has truly become a board-level discussion." (1) Furthermore, compliance with governance and privacy regulations has put an unprecedented board-level focus on the need for strong security controls. A business inadequately protected from the constant barrage of threats and attacks risks losing a lot more than data.

In short, information security is no longer just a technology issue: it has also become a critical business issue.

This paper argues that managing security risks in today's environment requires an enterprise security framework, one that extends beyond traditional network perimeter measures to protect applications, middleware and data infrastructures. We will show that proven, cost-effective solutions are now available offering a comprehensive security framework for access control, data privacy and compliance management.

CONTENTS
Executive summary
Challenges
Correct responses
Conclusion
Questions to ask a prospective supplier

(1) AMR Research, Governance, Risk and Compliance Spending Report 2008-2009, 2008

CHALLENGES

Protecting the organisation's information assets has become one of the most pressing issues facing the board. In a recent report on IT security priorities for 2009, Forrester Research found that 90 percent of the organisations surveyed cited data security as their top priority. Information security has changed radically in the last decade, becoming more visible as a business issue across all industries and affecting organisations of all sizes. The fact that a security breach today makes front-page news has made C-level executives increasingly sensitive to the security of their IT systems. According to Forrester Research, "more than one in five (21 percent) enterprises are worried about a decline in stock price [resulting from a publicised security breach]". (2) The press, meanwhile, compete for the biggest data-breach scoop: from government departments to credit-card processing companies, the media has come to see information security as a rich source of news.

Organisations are facing a double-edged sword. While the rate of data growth continues inexorably, more breaches than ever are occurring, and once exposed, the data is out there: the bell can't be un-rung. According to industry experts the average cost of a data breach is $202 (£122) per record, while the average total cost exceeds $6.6 million (£4 million) per breach. (3)

There is also an increasing awareness of the "enemy within", with the majority of attacks originating from inside the firewall, often perpetrated by employees with privileged access.

In addition, there are more regulations than ever: a bewildering array of state, local and industry requirements are forcing companies not only to meet compliance requirements but also to actively demonstrate that they have met them. Under the circumstances it is unsurprising that some 90 percent of organisations have fallen behind in their efforts to address compliance challenges. (4)

The pressure to comply with regulations is extreme, and the consequences of failing to do so are dire. "Most compliance requirements are rooted in preventive controls. This makes information security the most strategic technical consideration for compliance issues." (5) Automating key tasks based on business policies not only improves security but also lowers the cost of meeting compliance requirements. These tasks include granting and revoking user access, enforcing separation of duties, generating audit reports, and periodically reviewing and attesting to the validity of user privileges.

Meanwhile a combination of spiralling costs associated with user management, user productivity, compliance and remediation, and security-breach remediation is exerting unbearable pressure on financial directors.

"Upgrading to Oracle Database 11g Enterprise Edition and deploying Oracle's advanced database management tools has improved performance and security in addition to mitigating risk for this key system, holding highly sensitive data."
Robin Moore, senior research officer, National Offender Management Service, Ministry of Justice

(2) Forrester Research, Aligning Data Protection Priorities With Risks, April 2006
(3) DataLossDB
(4) IT Policy Compliance Group, 2007
(5) AMR Research, 2005

CORRECT RESPONSES

Proven security tools from leading vendors are now available that allow organisations to tackle security issues sooner rather than later. Comprehensive security solutions enable a common security framework for applications as well as data. They fall into three groups.

Identity and access management solutions. These span directory services, user provisioning, authentication, authorisation, fine-grained entitlements, separation of duties, enterprise single sign-on, web services security and identity federation. Enforcing security policies that restrict who has access to what, when and from where is the primary goal of any security architecture. A centralised framework ensures such policies are applied consistently across all applications and systems, whether contemporary web-based, client/server or legacy.

Data privacy solutions. These include privileged-user access control, encryption for data at rest as well as data in motion, data classification, secure backups and secure enterprise search.

Privileged users are one factor that can lead to data leaks and compromises. This occurs when individuals with privileged administrator access, or other users, intentionally or unintentionally use their status to access information they were never intended to view. It is not uncommon for developers, system administrators and others to have full, unrestricted access. Restricting their privileges to just what they need to do their jobs greatly lowers risk.

Protecting personally identifiable information is vital, yet increasingly challenging. Many attacks today are targeted explicitly at acquiring such information from corporate systems. This data needs to be protected equally while in transit on the network and while at rest in a database or on tapes and backup storage. Selectively encrypting only sensitive portions of a data set, such as a database column containing credit-card numbers, keeps the performance and storage overhead typically associated with data encryption to a minimum. Note that encryption of data at rest protects the stored files and backups; it does not by itself stop a user whose session is authorised to read the column, which is why privileged-user controls belong alongside it. Classifying data by sensitivity and controlling access according to classification is also a highly effective approach to ensuring data privacy. Finally, adding a security layer to enterprise search results prevents confidential information from being revealed inadvertently.

Governance, risk and compliance solutions. Comprehensive solutions for governance, risk and compliance include identity auditing and reporting, audit consolidation, and risk and compliance process management. Achieving sustainable compliance cost-effectively is a goal for most businesses today. Effective solutions not only help automate compliance controls and processes; they are also flexible enough to adapt to changing requirements.

"With Oracle Database Vault and the transparent data encryption feature provided by Oracle Advanced Security, our highly sensitive personal and medical data is now protected against unauthorised access. We were therefore able to integrate our national health information system with healthcare providers' local information systems."
Madis Tiik, member of management board, Estonian eHealth Foundation

CONCLUSION

It is no surprise that information security has become a top priority for CIOs. A business inadequately protected from the constant barrage of threats and attacks risks losing a lot more than data. A single security breach could diminish business reputation, customer loyalty and, ultimately, profitability. Information security is no longer just a technology issue: it has become a critical business issue.

Historically, organisations have focused their security on the perimeter and the network, leaving the infrastructure inside the firewall, their databases, middleware and applications, vulnerable. Organisations need to consider security inside out and protect their information from the inside. Current solutions can help by providing a complete, open, integrated and secure stack.

Comprehensive security solutions are now available that provide a common security framework for applications as well as data. These solutions secure not only the database, applications and middleware, but also the leading enterprise applications and platforms (including SAP, IBM WebSphere and others), allowing customers to leverage and protect their existing investments.

QUESTIONS TO ASK A PROSPECTIVE SUPPLIER

Database security
- Encryption and masking
- Privileged user controls
- Multi-factor authorisation
- Activity monitoring and audit
- Secure configuration

Identity management
- User provisioning
- Role management
- Entitlements management
- Risk-based access control
- Virtual directories

Information rights management
- Track and audit document usage
- Control and revoke document access
- Secured inside or outside the firewall
- Centrally administered

For further information on security solutions visit: oracle.com/security
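The two database-level measures described under Correct responses, selective column encryption and restricting privileged users to what their job needs, as an added example in Oracle SQL that is not part of the white paper. It assumes a TDE master-key wallet/keystore has already been created and opened for the database (that command is version-specific and is omitted); the pay schema and the table, view and role names are hypothetical.

```sql
-- Added example (Oracle SQL), not from the white paper.
-- Assumes the TDE wallet/keystore is already open for this database;
-- the pay schema and the role/view names are hypothetical.

-- 1. Encrypt only the sensitive column. The other columns stay in the
--    clear, so the CPU and storage cost of encryption is confined to
--    card_number. The column is decrypted transparently for any session
--    that is allowed to SELECT it; the datafiles and backups hold ciphertext.
CREATE TABLE pay.payments (
  payment_id   NUMBER        PRIMARY KEY,
  customer_id  NUMBER        NOT NULL,
  card_number  VARCHAR2(19)  ENCRYPT USING 'AES256',
  amount       NUMBER(12,2)  NOT NULL,
  paid_at      DATE          DEFAULT SYSDATE NOT NULL
);

-- An existing table is converted in place the same way; the stored data
-- is rewritten encrypted and the application is unchanged:
-- ALTER TABLE pay.payments MODIFY (card_number ENCRYPT USING 'AES256');

-- 2. Least privilege instead of full access. The application account gets
--    a role with only the object privileges it needs, not DBA. Reporting
--    users get a view that exposes the last four digits only and are
--    never granted the base table.
CREATE ROLE payments_app;
GRANT SELECT, INSERT ON pay.payments TO payments_app;

CREATE VIEW pay.payments_report AS
  SELECT payment_id,
         customer_id,
         '****-****-****-' || SUBSTR(card_number, -4) AS card_last4,
         amount,
         paid_at
    FROM pay.payments;

CREATE ROLE payments_reporting;
GRANT SELECT ON pay.payments_report TO payments_reporting;

-- 3. What this does not cover: any account holding SELECT ANY TABLE (a DBA,
--    for instance) still reads card_number in clear text, because TDE
--    decrypts for every authorised session. Closing that gap is what the
--    "privileged user controls" item in the supplier checklist is about
--    (Oracle Database Vault realms are the product named in the quote above);
--    TDE on its own protects the datafiles, exports and backups.
```

If card_number has to be indexed, declare it ENCRYPT USING 'AES256' NO SALT, since a salted encrypted column cannot be indexed, and note that TDE column encryption cannot be applied to columns that take part in foreign-key constraints; for wider coverage, encrypting the whole tablespace avoids both restrictions at the cost of the selectivity the text describes.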






