Sw keynote
2. Security Inside Out
Cost-Effective Security and Compliance
Steve Wainwright
Senior Director Information Security
UK, Ireland & Israel
3. More data than ever…
Growth doubles yearly
[Chart: data volume, 2006 to 2011; labelled 1,800 Exabytes]
Source: IDC, 2008
Oracle Confidential
4. More breaches than ever…
Data Breach: Once exposed, the data is out there – the bell can’t be un-rung
[Chart: Publicly reported data breaches. Total personally identifying information records exposed (millions), 2005 to 2008; labelled 630% increase]
Average cost of a data breach $202 per record
Average total cost exceeds $6.6 million per breach
Source: DataLossDB, Ponemon Institute, 2009
5. More threats than ever…
70% attacks originate inside the firewall
90% attacks perpetrated by employees with privileged access
6. More regulations than ever…
• Federal, state, local, industry… adding more mandates every year!
• Need to meet AND demonstrate compliance
• Compliance costs are unsustainable
• Report and audit
90% Companies behind in compliance
Source: IT Policy Compliance Group, 2007.
7. Higher Costs Than Ever…
• User Management Costs
• User Productivity Costs
• Compliance & Remediation Costs
• Security Breach Remediation Costs
It Adds Up
8. Market Overview: IT Security In 2009
Protecting the organization's information assets is the top
issue facing security programs: data security (90%) is most
often cited as an important or very important issue for IT
security organizations.
10. The Information World Has Changed
Organised crime Identity Theft
Online Fraud Terrorism
Insider Threats
Economic Climate
Regulatory Pressures
Phone, internet and mail order fraud is up 37% on 2006 to £290m in the UK
11. Business Drivers
Reasons for Investment in Security
• Cost reduction
• Compliance to regulations
• Improved customer experience
• Protect organisation from reputation damage
• Increase agility and enter new markets
• Increase competitive advantage
• Improved efficiencies
• Make security transparent
• Improved collaborative working
Source: Security Café Workshop at InfoSec 2009
13. Security Framework
Domain Approach
Physical Security Control
Client Perimeter
and
Security Security
Management
Access Management
Infrastructure Security
Employee
Resources
Documents/Data
Applications/Processes
Customers
Resource Security
Partners
Security Standards and Policies
Process
Audit and Report
14. Security - Layered Defence
The need for a joined up approach
• Identity Administration
• Access Enforcement
• Application/Process Security
• Data Security
• Infrastructure Security
• Physical Security
[Diagram layers: Access, Application, Data]
21. Security Framework
The value of this approach
Principles
• Ensure Principle of “Security First”
• Built-in not Bolt-on Security
• Enforce controls
• Improved management
• Holistic not silo solutions
• Platform for agility and flexibility
Benefits
• Creates agility to meet changing threat landscapes and create new models
• Leads to re-useable patterns
• Provides joined up protection against data loss, fraud and theft
• Achieves greater compliance for lower cost
• Creates better customer experience
• Builds “trusted” brand
22. Oracle Security Inside Out
Database Security
• Encryption and Masking
• Privileged User Controls
• Multi-Factor Authorization
• Activity Monitoring and Audit
• Secure Configuration
Identity Management
• User Provisioning
• Role Management
• Entitlements Management
• Risk-Based Access Control
• Virtual Directories
Information Rights Management
• Centralized document access control
• Digital shredding
• Document Activity Monitoring and Audit
[Diagram labels: Information, Infrastructure, Databases, Applications, Content]
23. Complete, Open, Integrated
Systems
• Engineered to work together
• Tested together
• Certified together
• Packaged together
• Deployed together
• Upgraded together
• Managed together
• Supported together
24. Together, We Will Spend $4.3 Billion In R&D In Our First Full Fiscal Year
[Chart: R&D Spending, USD $Bs, FY05 FY06 FY07 FY08 FY09 … FY11; bar labels $1.5, $1.9, $2.2, $2.7, $2.8, $4.3]
25. Telco X Identity Management Assessment
Oracle Insight Report - Issue 1.0
January 28th 2009
Rob McManus
Insight Programme Director, Technology Solutions & Channels
Jason Rees
Insight Programme Director, Technology Solutions & Channels
26. Oracle Recommendations – Flight Path
[Roadmap diagram. Columns: Governance & Architecture, User Management, Access Management. Timescale: 1-6 months, 6-12 months, Year 2. Items shown:]
• Institute Governance Board
• Principles and Standards
• Standards for application integration
• IdM Service Management
• Increase OpCo adoption
• Increase number of integrated applications
• Implement New IdM
• Automation of Rules and Workflows
• Automate re-certification and Attestation
• Virtual directory technologies
• Data Management
• Role Management
• Audit & Reporting
• Implement new Web Access Mgt
• Enterprise SSO
• Strong Authentication
• Replacement of hardware tokens
• Authorisation & Authentication Management
27. Prioritisation of IdM Capability Areas
[Chart: capability areas plotted by PRIORITY LEVEL (High, Medium, Low) against OPERATING PERFORMANCE (Performed Locally, Planned and Tracked, Well Defined, Mature, Industry Leading). Region labels: “TARGETS”, “SECONDARY TARGETS”, “LONGER TERM”, Primary Focus, Secondary Focus, Future Phases. Capability areas: User Management, Audit & Reporting, Governance, Access Management, Architecture, Authorisation Management, Authentication Management]
28. Investment in IdM Should Produce Strong Value for Telco X
Oracle Estimates an ROI of 410% based on Conservative Case,
Payback in 16 months
5 Year Net Present Value: £12 million
[Chart: Benefits Achieved, Total Costs and Accumulated discounted cash flow (NPV), Year 1 to Year 5; data labels -£639,858, £1,174,242, £4,391,073, £8,654,465, £12,329,802]
Source: Discovery workshops; data provided; Oracle analysis
Note: Implementation costs are very approximate at this early stage; discount rate used is 16%; costs do not include all relevant non-Oracle items, e.g. internal Telco X implementation costs, hardware costs and training costs; benefits do not include productivity gains
29. Benefits of Oracle’s Recommendation
FINANCIAL IMPACT
Benefit Area/Driver | Type | Conservative | Pragmatic | Aggressive
1a. Increase productivity of new hires | Productivity | £1,239,854 | £1,859,781 | £2,479,708
1b. Reduce Joiner Administrative effort for Line Managers | Productivity | £929,891 | £1,859,781 | £2,789,672
1c. Employee searches | Productivity | £290,591 | £348,709 | £406,827
1d. Fewer systems to update | Productivity | £1,210,795 | £2,421,590 | £3,632,385
2a. Reduction in Help Desk administration costs for account requests | Headcount | £1,832,727 | £2,618,182 | £3,403,636
2b. Incremental Productivity - reduced password reset calls to helpdesk | Productivity | £6,974,179 | £11,623,632 | £16,273,085
2c. Reduction in Help Desk Administration costs - Password Resets | Headcount | £1,846,154 | £3,000,000 | £3,692,308
3a. Reduction in Administrative Labour Costs for Certification | Headcount | £660,000 | £1,100,000 | £1,540,000
3b. Reduction in Attestation Review Effort | Headcount | £651,375 | £1,085,625 | £1,519,875
3c. Reduction in Audit Remediation Costs | Headcount | £250,000 | £250,000 | £250,000
3e. Replace Hardware Tokens | Saving | £120,000 | £120,000 | £120,000
4a. Cost of assisting staff present and past following loss of personal data | Saving | £337,500 | £675,000 | £1,012,500
4b. Fraud Avoidance and Reduction | Saving | £500,000 | £500,000 | £500,000
4c. Application development savings | Saving | £1,250,000 | £3,000,000 | £4,000,000
Total | | £18,093,066 | £30,462,301 | £41,619,997
Note 1: Potential annual benefits
Note 2: Based on Oracle experiences, analyst reports and information gained through interviews with Telco X
Note 3: Includes Productivity savings which have been removed from ROI calculation overleaf
We completed a number of interactive sessions at InfoSec this year, at Oracle Security Café Workshops. We found that the top 4 business drivers were:
• Cost reduction – providing controls to reduce cost, an example being secure consolidation of IT services and the ability to outsource in a controlled and trusted way
• Compliance to regulations – still a popular topic – we have had SOX, HIPAA and PCI DSS – what is next?
• Improved customer experience – allowing users to interact with the enterprise in a secure way, and build brand trust
• Protect organisation from reputation damage – How much is reputation worth to an organisation? Should organisations be worried? Well, a study of US workers found that 59% of people made redundant would steal data, so in this economic climate…
• Improved efficiencies
• Collaborative working
• Increase agility and enter new markets
• Increase competitive advantage
2 mins
Information is at the heart of anything we do. Security is part of all business, process, technology and information viewpoints. Risk appetite and assessments allow the organisation to decide how it wants to approach security. But there are also cultural and educational needs, and business governance helps to bridge the gaps between business and security. Again, remember that technology is just part of the overall ability of an organisation to deliver the right security controls.
2 min
Security Frameworks (or Architecture) provide a common chassis for the organisation. This is not a one-size-fits-all approach; the framework can provide multiple baselines and solution patterns. These patterns can be captured for re-use against the changing threat landscape and different business models, i.e. Managed Fraud Services.
Resources: Resources are all types of information, data, structured or unstructured – the data is the crown jewels. Ultimately everything that goes in front (process and application, access management) is just a way to mediate access to resources.
BUILD SLIDES
Ask the question: What is the value of the resource to the business? What is the associated risk appetite of your organisation?
Summarise: Oracle has been working in the security space pretty much since day 1. The very first Oracle customers were in the government space back in 1977.
8 mins
Only as strong as the weakest link. We must take a joined up and layered approach to our end-to-end security solutions and patterns.
• No point in having strong access enforcement if your identity administration (i.e. recruitment and vetting) is weak.
• No point in having great application security if a user or system can access the data directly.
• No point in having strong access security if someone can enter a data centre and steal an un-encrypted disk from the server.
2 mins
Look at some of the examples where security has been a positive benefit:
• The government pensions department used to require 4 forms to be completed for pension enquiries; secure collaboration of information now allows enquiries to be resolved with a single phone call.
• Amazon have built such a strong brand that they could release Cloud services. Security is a huge part of that; stories in the press about lost credit cards etc. would have damaged the brand to an extent where Cloud services might not be trusted. Taking this further, Amazon have to be sure about the security of the Cloud itself so as not to damage existing customer perception from their traditional channels.
Talk about the principles of security, then the benefits.
4 mins