Date posted: 15-Dec-2015
The Next Level: Managed Security in the Cloud
Gail Coury, Vice President-Risk Management
Deepak Kallakuri, Senior Product Manager
Oracle Managed Cloud Services
September 30, 2014
Copyright © 2014, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
Agenda
Oracle’s Cloud Solutions Strategy
Oracle Managed Cloud Services
Risk Management and Security
Intermountain Healthcare
Intuit
Oracle Cloud Solutions
OMCS is the on-ramp to Cloud for Oracle customers
• Oracle Cloud: Consume Oracle as subscription-based services
• Private Cloud: Build and manage your own cloud using Oracle cloud products
Applications to Disk – Singular Focus on Oracle “Red” Stack
Oracle Offers Unique Benefits to Customers
vs
• Accelerated upgrades
• Certified configurations optimized across stack
• Predictive incident management
• Go-Live Center reduces post-go-live issues 54%
Massive Scale
• Hundreds of change projects executed successfully
• Up to 5.34 billion database transactions per hour
• 41+ petabytes of managed storage
• World’s largest Oracle VM and Linux grid
Risk Management and Security
Oracle’s Approach
Layered Defense in Depth Risk Management

Security Strategy
• Legal and Security Architecture Reviews
• Security Technical Design Reviews
• Security Assessments and Certified Configurations

Security Technologies
• Security Information Event Management (SIEM)
• Secure Web Gateways
• End Point Security (AV/HIDS/Disk Encryption)
• Intrusion Detection/Prevention
• Tape Backup Encryption
• Multi-Factor Authentication for Administrators
• Segregated Networks
• Power Broker for Privileged Management
• SSL Accelerators

Security Services
• PCI DSS and HIPAA Security Services
• Enhanced Security Services
• Government Security Services
• 21 CFR Part 11 Validation Support Services
• Identity Management Services (SSO, Provisioning,…)
• Managed Security Service Packs for @Customer
• Secure Banking Services
• Disaster Recovery Services

Governance
• Objective 3rd Party Opinion via Audits (ISAE 3402 / SSAE 16)
• ISO 27001 Certification / ISO 27002 Conformance
• Formal Risk Assessment
• Self Testing
• Security Training for Operations and Customer Delivery
• Customer Right to Audit
Oracle Managed Security Services

HIPAA Services
• Designed to protect Customer’s electronic protected health information (ePHI) in environments managed by Oracle
• Assists the Customer to meet its legal obligations under the HIPAA as amended by the HITECH Act

PCI Services
• Oracle Cloud Services is a Level 1 Payment Card Industry (PCI) Compliant Service Provider since 2006
• Oracle can reduce the time and cost associated with PCI compliance

Enhanced Security Services
• Supplements standard security services for “risk conservative” customers
• Facilitates customer’s compliance needs
• Advanced Services are “cafeteria style”

Government Services
• Designed to enable our customers to be compliant with federal legislative and executive mandates / directives
• Helping government run business operations more effectively, and at lower costs

Identity Services
• Provides Customers with the consistent and secure way of managing identities and privileges for hosted services
• Enables Customers to leverage our expertise to deploy and manage one or more components of Oracle IdM suite

21 CFR Part 11
• Makes Cloud Services an attractive option for Pharma and Medical Device Manufacturers
• Supports the customer’s compliance validation requirements
Managed Cloud Services Compliance
• 136 Controls Tested Biannually for Commercial
• 96 Controls Tested Biannually for Federal
ISO 27001 Certification
159 Controls Tested Annually
ISO 27002 Certificate of Conformity
72 Controls Tested Annually
Department of Defense (DoD) and Agencies
• 1200+ Controls Tested Annually
• NIST High & DIACAP MAC Level I Sensitive
• FedRAMP JAB Provisional Authority to Operate (P-ATO) - Moderate
ISO Certification
HIPAA Compliance
Compliant Level 1 Service Provider
• 217 Controls Tested Annually
64 Controls Tested Annually
ISAE 3402 / SSAE 16 SOC1
Federal Certification & Accreditation (C&A) & FedRAMP
Payment Card Industry (PCI)
Custom System Validation Services
21 CFR Part 11 for Life Sciences
• 105 Controls Tested Annually
SOC2 / SOC3 For Security & Availability
HIPAA Security Services
Advanced Service Offerings For Health Information

Value
• Designed to protect Customer’s electronic protected health information (ePHI) in environments managed by Oracle
• Assists the Customer to meet its legal obligations under the HIPAA [1] as amended by the HITECH [2] Act

Base Package
• Annual 3rd Party HIPAA compliance assessment
• Annual risk assessment
• Quarterly external vulnerability scan
• ePHI Network Topology Review
• Host-based Data Loss Prevention (HDLP)
• HIPAA trained support staff

Advanced Services
• Quarterly vulnerability scanning
• Database auditing in conjunction with Oracle Audit Vault
• Oracle Data Masking
• Oracle Transparent Database Encryption
• Web Application Firewall
• Flat File Encryption
• Security Maintenance Program
• Annual penetration test

[1] Health Insurance Portability and Accountability Act of 1996
[2] Health Information Technology for Economic and Clinical Health Act of 2009
Managed Identity Services
Based on Oracle Identity Products

Solution: Single Sign On (Oracle Access Manager, Directory Services Plus)
• Easy login, single place to manage identities
• Platform for strong authentication and federation

Solution: Strong Authentication (Oracle Adaptive Access Manager, Oracle Access Manager, Directory Services Plus)
• Strong authentication to combat phishing & malware
• Dashboard and alerts for suspicious behavior

Solution: Provisioning (Oracle Identity Manager)
• Visible, authenticated & logged user account mgmt
• Reports for compliance

Solution: Identity Analytics (Oracle Identity Analytics)
• Discover and analyze existing accounts and access
• Facilitate attestation/certification of access grants

Solution: Federation (Oracle Identity Federation, Oracle Access Manager, Directory Services Plus)
• Enable single sign on across domains
• Leverage customer and partner SSO infrastructure
Enhanced Security Services
Ongoing Vulnerability and Risk Management

Value
• Comprehensive services for ongoing vulnerability and risk management
• Base Services plus choice of options
• Oracle expertise in deploying Oracle security technologies

Base Package
• Quarterly Vulnerability Scans
• Quarterly Web Application Vulnerability Scans
• Annual Penetration Test
• Network Diagram
• Quarterly Firewall Policy Review
• Quarterly Network Device Configuration Review
• Quarterly Security Meetings

Advanced Services
• Oracle Database Auditing
• Oracle Data Masking
• Oracle Database Encryption (TDE)
• Oracle Database Vault
• Web Application Firewall
• Client SSL Auth for SOA
• File Integrity Monitoring
• Security Maintenance Program
About Intermountain Healthcare
• Headquarters in Salt Lake City, Utah
• Largest employer in the state – 35,000 employees
• Created in 1975 as LDS Church “gifts” hospitals to the community
• Hospital network: 24 Hospitals, 2,500+ Licensed Beds
• Medical Group: 1,000 Employed Physicians, 130 Clinics
• SelectHealth – health plan: Direct Subscribers – 550,000
• $3.6 billion in Net Patient Services Revenue
• $5.0 billion in Assets
• AA+ Standard & Poor’s, Aa1 Moody’s
• Only System to receive highest ratings from both S&P and Moody’s
Our Aspirations

Our Mission
• Excellence in the provision of healthcare services to communities in the Intermountain region.

Our Values
• Mutual Respect, Accountability, Trust, Excellence

Our Vision
• Our vision is to be a model healthcare system by continually learning and providing extraordinary care in all of its dimensions
Cloud Deployment
[Diagram: components deployed on Oracle Managed Cloud Services: Oracle Database 11G, Oracle PeopleSoft FSCM, Oracle WebLogic Suite 11G, Oracle SOA Suite 11G, Oracle B2B, Oracle Healthcare, Custom J2EE Applications, Oracle API Gateway, Oracle Identity Management, Hyperion, OBIEE/OBIA, UPK]
How Does OMCS Protect Intermountain?
HIPAA Security Services
• Annual Penetration Testing
• Quarterly Environment Scanning
• Database Audit
• Web Application Firewall
• Client Secure Sockets Layer (Mutually Authenticated SSL)

Benefits
• World Class security experts
• Well defined Policies and Procedures pre-built for compliance
• Systems built from the ground up with security and privacy in mind
• Peace of mind in a complex regulatory environment
Intuit Confidential and Proprietary
Intuit’s Mission
To improve our customers’ financial lives so profoundly… they can’t imagine going back to the old way
• CONSUMERS
• SMALL BUSINESSES
• ACCOUNTING PROFESSIONALS
A Premier Innovative Growth Company
• Employees: 8,000+
• Customers: 45M
• Global Offices: US, UK, India, Canada, Australia, others
• Revenue: 4.5B
• Founded: 1983
• Public: 1993 (INTU)
Driver for change
• Intuit needed to mature its enterprise access controls
• Board asked how we could accelerate the program
EIAM Program Approach
[Roadmap chart: timeline FY 14, FY 15**, FY 16, each divided into Q1–Q4; phases Wave 0, Wave 1, Wave 2, Wave 3, Wave 4, Wave 5]

Workstreams
• Enterprise roles
• User lifecycle management
• Access management and federation
• Auditing and reporting

Milestones shown on the chart
• Complete Pilot ER by 8/1
• Defined ER for BUs in scope by 6/30
• SSO enabled for target systems
• Centralized self service
• Foundational reporting enabled
• User attestation
• Delegated attestation enabled
• Automated provisioning for 6 target systems by 7/31
• Automated access/revocation by 7/31
• KPIs dashboards deployed
• Security event correlation enabled
• Delegated administration
• Expanded to additional BUs
• Expanded to additional targets systems & BUs
• Privileged account management
• Expanded to additional targets
• OAM/OIM upgraded to 11g 5/24

Products and target systems shown on the chart
• OIM, OAM, OVD & OWSM
• eBiz, BRM, PIM, Siebel, OASIS, Orbit
• ABC, Great Plains, Mediation Server, Pivotal, Softrax
• Logtran, PSP, Cyclone, IOP OPS Secure Token, EFE
• AD (MNET), Admin Platform, CM Admin, Compass, Metavante, Skypass/ Skynet, Perforce

‘*’ – subject to prioritization and scoping considerations defined in this report
** Acc/SVN, B2B App, Barista, Gentran (GIS), ERS removed from Q1 FY’15 list due to IFS divestiture
Keys to our success
1. Active engagement from Oracle Managed Cloud Services and Oracle development
   a. Leverage the expertise from Oracle across the board and leverage known base capabilities
   b. Results in lower risk to the overall program
2. We are learning together (active-active, multi data center HA)
   a. Be open to sharing issues and developing solutions together
   b. Additional product enhancements and share what works and opportunities
3. Ensure you focus on outcomes
   a. Alignment with the business on what we are solving for
   b. Focus on the future, by moving from compliance to risk based investments
4. Lower risk by leveraging Oracle in executing what they do best
   a. Transparent data encryption
   b. Audit Vault
   c. Database Vault
   d. File Integrity Monitoring
Managed Security Services @Customer
Turn-key service offerings to manage Oracle database security products

Database Encryption Service
• Transparent Data Encryption

Data Masking Service
• Data Masking for Oracle Database
• Masking templates for EBSO

DB Configuration Compliance Service
• EM Lifecycle Compliance Management
• File Integrity Monitoring

Database Auditing Service
• Database Auditing
• Audit Vault
• Periodic activity reports

Database Protection Service
• Oracle Database Vault
• Transparent Data Encryption

• Complete lifecycle management: Design, implement, manage, monitor and report
• Predictable cost, rapid deployment and reliable
• Close cooperation with product development for faster issue resolution
Security Capabilities Summary

IT SECURITY ENABLERS
• Processes built to support the ISO 27000 framework
• Automation to monitor, correlate, and alert
• Security health checks prior to and during deployment
• Encryption to protect the data
• Compliance services that can be leveraged
• Disaster recovery services to cover any requirement
• Use, host and manage Oracle security products

BUSINESS BENEFITS
• Protect privacy
• Protect from intrusion and malicious acts
• Comply with regulatory requirements
• Avoid adverse legal consequences
• Assure business continuity
• Protect the valuation and reputation of your company
Learn More: Sessions & Customer Success Panel Discussions
DEMOgrounds – Moscone West, ERP Managed Cloud Lounge – Moscone West, Level 3

Session | Type | Day / Time | Location
Oracle Managed Cloud Services: Your On-Ramp to the Cloud | Strategy | Monday, SEP 29, 10:15 AM – 11:00 AM | Moscone South - 301
How the Cloud is Changing the CIO Role | Panel | Monday, SEP 29, 1:30 PM – 2:15 PM | Moscone South – 300
Innovation that Fuels the Cloud: Managed Cloud Services | Session | Tuesday, SEP 30, 10:45 AM – 11:30 AM | Moscone South – 300
The Next Level: Managed Security in the Cloud | Panel | Tuesday, SEP 30, 12:00 PM – 12:45 PM | Intercontinental Grand Ballroom C
The Power of Engineered Systems in the Cloud | Panel | Wednesday, OCT 1, 12:45 PM – 1:30 PM | Moscone South - 300
Extend Your Cloud: Oracle Functional Business Services | Panel | Wednesday, OCT 1, 2:00 PM – 2:45 PM | Moscone South - 309
Managed Cloud Database Service: Database Cloud Delivered On-Premise | Session | Wednesday, OCT 1, 3:30 PM – 4:15 PM | Moscone South - 300
Oracle Managed Cloud for Industries | Session | Thursday, OCT 2, 9:30 AM – 10:15 AM | Marriott Marquis Salon 10/11