Post on 15-Dec-2015

The Next Level: Managed Security in the Cloud

Gail Coury, Vice President-Risk Management
Deepak Kallakuri, Senior Product Manager

Oracle Managed Cloud Services
September 30, 2014

Copyright © 2014, Oracle and/or its affiliates. All rights reserved.

Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.

Agenda

Oracle’s Cloud Solutions Strategy

Oracle Managed Cloud Services

Risk Management and Security

Intermountain Healthcare

Intuit

Oracle Cloud Solutions
OMCS is the on-ramp to Cloud for Oracle customers

• Oracle Cloud: Consume Oracle as subscription-based services

• Private Cloud: Build and manage your own cloud using Oracle cloud products

Applications to Disk – Singular Focus on Oracle “Red” Stack
Oracle Offers Unique Benefits to Customers

• Accelerated upgrades

• Certified configurations optimized across stack

• Predictive incident management

• Go-Live Center reduces post-go-live issues 54%

Massive Scale

• Hundreds of change projects executed successfully

• Up to 5.34 billion database transactions per hour

• 41+ petabytes of managed storage

• World’s largest Oracle VM and Linux grid

Risk Management and Security

Oracle’s Approach

Layered Defense in Depth Risk Management

Security Strategy
• Legal and Security Architecture Reviews
• Security Technical Design Reviews
• Security Assessments and Certified Configurations

Security Technologies
• Security Information Event Management (SIEM)
• Secure Web Gateways
• End Point Security (AV/HIDS/Disk Encryption)
• Intrusion Detection/Prevention
• Tape Backup Encryption
• Multi-Factor Authentication for Administrators
• Segregated Networks
• Power Broker for Privileged Management
• SSL Accelerators

Security Services
• PCI DSS and HIPAA Security Services
• Enhanced Security Services
• Government Security Services
• 21 CFR Part 11 Validation Support Services
• Identity Management Services (SSO, Provisioning,…)
• Managed Security Service Packs for @Customer
• Secure Banking Services
• Disaster Recovery Services

Governance
• Objective 3rd Party Opinion via Audits (ISAE 3402 / SSAE 16)
• ISO 27001 Certification / ISO 27002 Conformance
• Formal Risk Assessment
• Self Testing
• Security Training for Operations and Customer Delivery
• Customer Right to Audit

Oracle Managed Security Services

HIPAA Services
• Designed to protect Customer’s electronic protected health information (ePHI) in environments managed by Oracle
• Assists the Customer to meet its legal obligations under the HIPAA as amended by the HITECH Act

PCI Services
• Oracle Cloud Services is a Level 1 Payment Card Industry (PCI) Compliant Service Provider since 2006
• Oracle can reduce the time and cost associated with PCI compliance

Enhanced Security Services
• Supplements standard security services for “risk conservative” customers
• Facilitates customer’s compliance needs
• Advanced Services are “cafeteria style”

Government Services
• Designed to enable our customers to be compliant with federal legislative and executive mandates / directives
• Helping government run business operations more effectively, and at lower costs

Identity Services
• Provides Customers with the consistent and secure way of managing identities and privileges for hosted services
• Enables Customers to leverage our expertise to deploy and manage one or more components of Oracle IdM suite

21 CFR Part 11
• Makes Cloud Services an attractive option for Pharma and Medical Device Manufacturers
• Supports the customer’s compliance validation requirements

• 136 Controls Tested Biannually for Commercial
• 96 Controls Tested Biannually for Federal

ISO 27001 Certification

159 Controls Tested Annually

ISO 27002 Certificate of Conformity

72 Controls Tested Annually

Department of Defense (DoD) and Agencies
• 1200+ Controls Tested Annually
• NIST High & DIACAP MAC Level I Sensitive
• FedRAMP JAB Provisional Authority to Operate (P-ATO) - Moderate

ISO Certification

HIPAA Compliance

Compliant Level 1 Service Provider

• 217 Controls Tested Annually

64 Controls Tested Annually

ISAE 3402 / SSAE 16 SOC1

Federal Certification & Accreditation (C&A) & FedRAMP

Payment Card Industry (PCI)

Custom System Validation Services

21 CFR Part 11 for Life Sciences

• 105 Controls Tested Annually

SOC2 / SOC3 For Security & Availability

Managed Cloud Services Compliance

HIPAA Security Services
Advanced Service Offerings For Health Information

Value
• Designed to protect Customer’s electronic protected health information (ePHI) in environments managed by Oracle
• Assists the Customer to meet its legal obligations under the HIPAA [1] as amended by the HITECH [2] Act

Base Package
• Annual 3rd Party HIPAA compliance assessment
• Annual risk assessment
• Quarterly external vulnerability scan
• ePHI Network Topology Review
• Host-based Data Loss Prevention (HDLP)
• HIPAA trained support staff

Advanced Services
• Quarterly vulnerability scanning
• Database auditing in conjunction with Oracle Audit Vault
• Oracle Data Masking
• Oracle Transparent Database Encryption
• Web Application Firewall
• Flat File Encryption
• Security Maintenance Program
• Annual penetration test

[1] Health Insurance Portability and Accountability Act of 1996
[2] Health Information Technology for Economic and Clinical Health Act of 2009

Managed Identity Services
Based on Oracle Identity Products

Solution / Description

Single Sign On (Oracle Access Manager, Directory Services Plus)
• Easy login, single place to manage identities
• Platform for strong authentication and federation

Strong Authentication (Oracle Adaptive Access Manager, Oracle Access Manager, Directory Services Plus)
• Strong authentication to combat phishing & malware
• Dashboard and alerts for suspicious behavior

Provisioning (Oracle Identity Manager)
• Visible, authenticated & logged user account mgmt
• Reports for compliance

Identity Analytics (Oracle Identity Analytics)
• Discover and analyze existing accounts and access
• Facilitate attestation/certification of access grants

Federation (Oracle Identity Federation, Oracle Access Manager, Directory Services Plus)
• Enable single sign on across domains
• Leverage customer and partner SSO infrastructure

Enhanced Security Services
Ongoing Vulnerability and Risk Management

Value
• Comprehensive services for ongoing vulnerability and risk management
• Base Services plus choice of options
• Oracle expertise in deploying Oracle security technologies

Base Package
• Quarterly Vulnerability Scans
• Quarterly Web Application Vulnerability Scans
• Annual Penetration Test
• Network Diagram
• Quarterly Firewall Policy Review
• Quarterly Network Device Configuration Review
• Quarterly Security Meetings

Advanced Services
• Oracle Database Auditing
• Oracle Data Masking
• Oracle Database Encryption (TDE)
• Oracle Database Vault
• Web Application Firewall
• Client SSL Auth for SOA
• File Integrity Monitoring
• Security Maintenance Program

Intermountain Healthcare
Joe Finlinson, IS Director - Business Applications

About Intermountain Healthcare

• Headquarters in Salt Lake City, Utah
• Largest employer in the state – 35,000 employees
• Created in 1975 as LDS Church “gifts” hospitals to the community
• Hospital network
  – 24 Hospitals
  – 2,500+ Licensed Beds
• Medical Group
  – 1,000 Employed Physicians
  – 130 Clinics
• SelectHealth – health plan
  – Direct Subscribers – 550,000
• $3.6 billion in Net Patient Services Revenue
• $5.0 billion in Assets
• AA+ Standard & Poor’s, Aa1 Moody’s
• Only System to receive highest ratings from both S&P and Moody’s

Our Aspirations

Our Mission
• Excellence in the provision of healthcare services to communities in the Intermountain region.

Our Values
• Mutual Respect, Accountability, Trust, Excellence

Our Vision
• Our vision is to be a model healthcare system by continually learning and providing extraordinary care in all of its dimensions

The Dimensions of Care

Cloud Deployment

Components shown in the deployment diagram:
• Oracle Database 11G
• Oracle PeopleSoft FSCM
• Oracle WebLogic Suite 11G
• Oracle SOA Suite 11G
• Oracle B2B
• Oracle Healthcare
• Custom J2EE Applications
• Oracle API Gateway
• Oracle Identity Management
• Hyperion
• OBIEE/OBIA
• UPK
• Oracle Managed Cloud Services

What Keeps You Awake at Night?

How Does OMCS Protect Intermountain?

HIPAA Security Services
• Annual Penetration Testing
• Quarterly Environment Scanning
• Database Audit
• Web Application Firewall
• Client Secure Sockets Layer (Mutually Authenticated SSL)

Benefits
• World Class security experts
• Well defined Policies and Procedures pre-built for compliance
• Systems built from the ground up with security and privacy in mind
• Peace of mind in a complex regulatory environment

Intuit Confidential and Proprietary

Intuit’s simply secured journey
Paul Van Amsterdam – VP of IT

Intuit’s Mission
To improve our customers’ financial lives so profoundly… they can’t imagine going back to the old way

CONSUMERS, SMALL BUSINESSES, ACCOUNTING PROFESSIONALS

A Premiere Innovative Growth Company

• Employees: 8,000+
• Customers: 45M
• Global Offices: US, UK, India, Canada, Australia, others
• Revenue: 4.5B
• Founded: 1983
• Public: 1993 (INTU)

Driver for change

• Intuit needed to mature its enterprise access controls

• Board asked how we could accelerate the program

EIAM Program Approach

[Roadmap chart: quarterly timeline (Q1 to Q4) across FY 14, FY 15** and FY 16, delivered in Wave 0 through Wave 5]

Program tracks:
• Enterprise roles
• User lifecycle management
• Access management and federation
• Auditing and reporting

Milestones shown on the chart:
• Complete Pilot ER by 8/1
• Defined ER for BUs in scope by 6/30
• SSO enabled for target systems
• Centralized self service
• Foundational reporting enabled
• User attestation
• Delegated attestation enabled
• Automated provisioning for 6 target systems by 7/31
• Automated access/revocation by 7/31
• KPIs dashboards deployed
• Security event correlation enabled
• Delegated administration
• Expanded to additional BUs
• Expanded to additional targets systems & BUs
• Privileged account management
• Expanded to additional targets
• OAM/OIM upgraded to 11g 5/24

Systems listed on the chart:
• OIM, OAM, OVD & OWSM
• eBiz, BRM, PIM, Siebel, OASIS, Orbit
• ABC, Great Plains, Mediation Server, Pivotal, Softrax
• Logtran, PSP, Cyclone, IOP OPS Secure Token, EFE
• AD (MNET), Admin Platform, CM Admin, Compass, Metavante, Skypass/ Skynet, Perforce

‘*’ – subject to prioritization and scoping considerations defined in this report

** Acc/SVN, B2B App, Barista, Gentran (GIS), ERS removed from Q1 FY’15 list due to IFS divestiture

Keys to our success

1. Active engagement from Oracle Managed Cloud Services and Oracle development
   a. Leverage the expertise from Oracle across the board and leverage known base capabilities
   b. Results in lower risk to the overall program

2. We are learning together (active-active, multi data center HA)
   a. Be open to sharing issues and developing solutions together
   b. Additional product enhancements and share what works and opportunities

3. Ensure you focus on outcomes
   a. Alignment with the business on what we are solving for
   b. Focus on the future, by moving from compliance to risk based investments

4. Lower risk by leveraging Oracle in executing what they do best
   a. Transparent data encryption
   b. Audit Vault
   c. Database Vault
   d. File Integrity Monitoring

Managed Security Services @Customer
Turn-key service offerings to manage Oracle database security product

Database Encryption Service
• Transparent Data Encryption

Data Masking Service
• Data Masking for Oracle Database
• Masking templates for EBSO

DB Configuration Compliance Service
• EM Lifecycle Compliance Management
• File Integrity Monitoring

Database Auditing Service
• Database Auditing
• Audit Vault
• Periodic activity reports

Database Protection Service
• Oracle Database Vault
• Transparent Data Encryption

• Complete lifecycle management: Design, implement, manage, monitor and report

• Predictable cost, rapid deployment and reliable

• Close cooperation with product development for faster issue resolution

Security Capabilities Summary

IT SECURITY ENABLERS
• Processes built to support the ISO 27000 framework
• Automation to monitor, correlate, and alert
• Security health checks prior to and during deployment
• Encryption to protect the data
• Compliance services that can be leveraged
• Disaster recovery services to cover any requirement
• Use, host and manage Oracle security products

BUSINESS BENEFITS
• Protect privacy
• Protect from intrusion and malicious acts
• Comply with regulatory requirements
• Avoid adverse legal consequences
• Assure business continuity
• Protect the valuation and reputation of your company

Learn More: Sessions & Customer Success Panel Discussions
DEMOgrounds – Moscone West, ERP Managed Cloud Lounge – Moscone West, Level 3

Session; Type; Day / Time; Location

• Oracle Managed Cloud Services: Your On-Ramp to the Cloud Strategy; Monday, SEP 29, 10:15 AM – 11:00 AM; Moscone South - 301

• How the Cloud is Changing the CIO Role; Panel; Monday, SEP 29, 1:30 PM – 2:15 PM; Moscone South – 300

• Innovation that Fuels the Cloud, Managed Cloud Services; Session; Tuesday, SEP 30, 10:45 AM – 11:30 AM; Moscone South – 300

• The Next Level: Managed Security in the Cloud; Panel; Tuesday, SEP 30, 12:00 PM – 12:45 PM; Intercontinental Grand Ballroom C

• The Power of Engineered Systems in the Cloud; Panel; Wednesday, OCT 1, 12:45 PM – 1:30 PM; Moscone South - 300

• Extend Your Cloud, Oracle Functional Business Services; Panel; Wednesday, OCT 1, 2:00 PM – 2:45 PM; Moscone South - 309

• Managed Cloud Database Service: Database Cloud Delivered On-Premise; Session; Wednesday, OCT 1, 3:30 PM – 4:15 PM; Moscone South - 300

• Oracle Managed Cloud for Industries; Session; Thursday, OCT 2, 9:30 AM – 10:15 AM; Marriott Marquis, Salon 10/11
