Transcription
IBM Information Governance SecuritySoftware Overview for InnovapostJune 14, 2013Ken Lee, kklee@ca.ibm.com 2013 IBM Corporation
Agenda Introduction IBM InfoSphere Discovery IBM InfoSphere Guardium Database Activity Monitor IBM InfoSphere Guardium Data Encryption IBM InfoSphere Guardium Data Redaction IBM InfoSphere Optim Data Privacy2 2013 IBM Corporation
Mastering information across the Information Supply ChainTransactional &CollaborativeApplicationsAnalyzeIntegrateBusiness AnalyticsApplicationsContentAnalyticsBig rity & StandardsPrivacyTrusted Relevant Governed3 2013 IBM Corporation
Securing and Protecting Your Information Supply Chain Understanding the “what & where” of enterprise data Protecting the data across the enterprise, both internal andexternal threats Knowing who’s accessing your data when, how and why Monitoring and reporting on database access for auditpurposesDiscover & DefineMonitor & AuditSecure & Protect4 2013 IBM Corporation
Requirements to manage security & protection of dataInformation Governance Core DisciplinesSecurity and PrivacyUnderstand &DefineSecure &ProtectMonitor& AuditDiscover where sensitivedata residesProtect enterprise datafrom both authorized &unauthorized accessAudit and reportfor complianceClassify & define datatypesSafeguard sensitive data indocumentsMonitor and enforcedatabase accessDefine policies& metricsDe-identify confidentialdata in non-productionenvironmentsAssess databasevulnerabilitiesData Stewards “I need to understand my data better to determine what needs to be secured.”“I needwe pass all ouraudits toandprotectcan provethat red& users haveChief ComplianceSecurity OfficerOfficer“Wenot jeopardizedourindata.”unstructureddataall enterprise environments & ensure we canChief Security Officer “Idetectneed acommonsecuritymy enterprise.”potential breach policiesbefore itforoccurs.”5 2013 IBM Corporation
InfoSphere Security and Privacy Solutions InfoSphere Discovery– Identify and document enterprise data relationships including thelocation of sensitive information InfoSphere Guardium Database Activity Monitor– Database Activity Monitoring & Auditing– Know who is accessing your data in real-time and meet businesssecurity audits InfoSphere Guardium Data Encryption– Encrypt sensitive data and provide access for the right user InfoSphere Guardium Data Redaction– Protect sensitive unstructured information in documents fromunintentional disclosure InfoSphere Optim Test Data Management and Data Privacy– Mask private information across non-production environments– Protect sensitive information close to the source or as its beingextracted6 2013 IBM Corporation
Top IT Security Initiatives“Which of the following are likely to be your organization’s top IT security priorities over the next 12 months?”89%89% rankrank datadata securitysecurityasas aa highhigh oror criticalcritical priorityprioritySource: Forrester Research, Inc. Jonathan Penn, “The State Of Enterprise IT Security And Emerging Trends: 2009 To 2010” – January 20107 2013 IBM Corporation
InfoSphere Discovery 2013 IBM Corporation
You can’t manage what you don’t understand? ?9 Complex, poorly documented datarelationships– Which data is sensitive, and which can beshared?– Whole and partial sensitive data elementscan be found in hundreds of tables andfields Data relationships not understoodbecause:?Distributed Data Landscape9– Who can access the data?– Where are those databases located? ? Data can be distributed over multipleapplications, databases and platforms– Corporate memory is poor– Documentation is poor or nonexistent– Logical relationships (enforced throughapplication logic or business rules) arehidden 2013 IBM Corporation
IBM InfoSphere DiscoveryRequirementsAccelerate project deployment byautomating discovery of yourdistributed data landscapeDiscovery Identify hidden sensitivedata requiring protection Define business objects forsecuring sensitive data Discover datatransformation rules andheterogeneous relationshipsto secure dataBenefits Minimize risk of breachesby implementing consistentsecurity controls Automate manual activitiesto minimize cost and timewhile maximizing qualityDiscovery supports analysis of data on distributed platforms (LUW), z/OS and flat files. Business insight into datarelationships reducesproject riskNote: Additional application specific solutions available for SAP, Oracle eBiz, Siebel, JDEdwards, PeopleSoft10 2013 IBM Corporation
Discover How Data is Related and Where Sensitive DataMay Be HiddenSensitive Relationship 966020MartinAstonCode5372324734System A Table herN field 09934N348150928N478966020N34System Z Table 25NameStreptococcus pyogenesPregnancyAlzheimer DiseaseH1N1DermatamycosesCompound sensitive data:Test results could potentially be revealed.11 Relationships and sensitivedata can’t always be foundjust by a simple data scan– Sensitive data can beembedded within a field– Sensitive data could berevealed through relationshipsacross fields & systems When dealing with hundredsof tables and millions ofrows, this search is complex– you need the right solution 2013 IBM Corporation
InfoSphere GuardiumDatabase Activity Monitor 2013 IBM Corporation
Sony Data Breach Exposes 100 Million Customersto Years of Identity-Theft Risk – Costs SkyrocketBeyond 170 MillionJapan Hackers exploited a known security vulnerability to gain access to 77 millionPlayStation Network and Qriocity user names, addresses, gender, birth dates andother information in mid-April 2011. Hackers also gained access to 23,400 credit card and debit records from non-U.S.customers and the personal account information of 24.6 million account holders froma separate unit, Sony Online Entertainment. The attackers may have stolen customer names, birth dates, and potentially the mother’smaiden name. These are all the things used to check a customer’s identity, and thatcan be used to falsify it. Sony took a 179 Million charge in their latest quarter, but has stated “In addition, inconnection with the data breach, class action lawsuits have been filed against Sony andcertain of its subsidiaries and regulatory inquiries have begun; however, those are allat a preliminary stage, so we are not able to include the possible outcome of any ofthem in our results forecast for the fiscal year ending March 2012 at this moment.”13 2013 IBM Corporation
Data is the key target for security breaches . and Database Servers Are The Primary Source ofBreached DataWHY? Database servers contain your client’smost valuable information–––––Financial recordsCustomer informationCredit card and other account recordsPersonally identifiable informationPatient records High volumes of structured data Easy to access2012 Data Breach Report from Verizon Business RISK ts/rp data-breach-investigations-report-2012 en xg.pdf14 2013 IBM Corporation
Web Application Vulnerabilities Continue to ionsapplicationsarearecustomcustom antityofofpublicpublicreportsreports : IBM Security Solutions X-Force 2010 Trend and Risk Reportwww.ibm.com/security/xforce15 2013 IBM Corporation
Keeping up with ever-changing global and industryregulationsRussia:Computerization & Protection of Information/ Participation in Int’l Info ExchangeKorea:3 Acts for FinancialData PrivacyJapan:Guidelines for theProtection of ComputerProcessed Personal DataUnited Kingdom:Data ProtectionActEU:ProtectionDirectiveGermany:Federal Data ProtectionAct & State LawsSwitzerland:Federal Law onData ore:Computer- Processed Monetary Authority ofPersonal DataSingapore ActProtection LawVietnam:Banking LawHong Kong:Privacy OrdinanceNew Zealand: Philippines:Privacy Act Secrecy of BankDeposit ActAustralia:Canada:Federal PrivacyPersonal Information ProtectionAmendment Bill& Electronics Document ActChinaCommercialBanking LawPakistan:Banking CompaniesOrdinanceIsrael:Protection ofIndia:Privacy LawSEC Board ofIndia ActSouth Africa:Indonesia:Promotion of AccessBank Secrecyto Information ActRegulation 8USA:Federal, Financial & HealthcareIndustry Regulations & State LawsMexico:E-Commerce LawArgentina:Habeas Data ActBrazil:Constitution, Habeas Data &Code of Consumer Protection &DefenseChile:Colombia:Protection ofPolitical Constitution –Personal Data ActArticle 15 2013 IBM Corporation
Key Business Drivers for Database Security &Compliance1Prevent data breaches Prevent disclosure or leakages of sensitivedata2Ensure the integrity of sensitive data Prevent unauthorized changes to data,database structures, configuration files andlogs3Reduce cost of compliance Automate and centralize controls Across diverse regulations, such as PCI DSS, dataprivacy regulations, HIPAA/HITECH etc. Across heterogeneous environments such asdatabases, applications, data warehouses and BigData platforms Simplify the audit review processes17 2013 IBM Corporation
Non-Invasive, Real-Time Database Security &Monitoring 18Continuously monitors all database activities(including local access by superusers) Supports Separation of Duties Automated compliance reporting, sign-offs &escalations (SOX, PCI, NIST, etc.) Granular, real-time policies & auditing Who, what, when, where, howHeterogeneous, cross-DBMS solutionDoes not rely on native DBMS logsMinimal performance impact (2-3%)No DBMS or application changesActivity logs can’t be erased by attackersor DBAs 2013 IBM Corporation
Heterogeneous Scalable ArchitectureInfoSphereBigInsights19 2013 IBM Corporation
Addressing the Full Lifecycle of Database Security20 2013 IBM Corporation
Highest Overall Score forCurrent Offering, Strategy, & Market Presence “Guardium continues to demonstrate its leadership in supporting very largeheterogeneous environments, delivering high performance and scalability,simplifying administration, and performing real-time database protection.” “IBM continues to focus on innovation and extending the Guardium product tointegrate with other IBM products.” #1 score in all 3 Top Categories and all 17 subcategories along with perfect scoresfor Audit Policies; Auditing Repository; Corporate Strategy; Installed Base; Services;and International Presence. “Guardium offers support for almost any of the features that one might find in anauditing and real-time protection solution.” “Guardium offers strong support for database-access auditing, application auditing,policy management, auditing repository, and real-time protection.” “Guardium has been deployed across many large enterprises and hundreds ofmission-critical databases.” “IBM offers comprehensive professional services to help customers with complexenvironments as well as those who need assistance implementing database securityacross their enterprise.”The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks ofForrester Research, Inc. The Forrester Wave is a graphical representation of Forrester's call on a market and isplotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does notendorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best availableresources. Opinions reflect judgment at the time and are subject to change.21Source: “The Forrester Wave : Database Auditing And RealTime Protection, Q2 2011” (May 2011) 2013 IBM Corporation
Granular Policies with Detective & Preventive aseServer10.10.9.56 2013 IBM Corporation
Identifying Fraud at the Application LayerMarcJoe Issue: Application server uses generic service account to access DB– Doesn’t identify who initiated transaction (connection pooling) Solution: Guardium tracks access to application user associated withspecific SQL commands– Out-of-the-box support for all major enterprise applications(Oracle EBS, PeopleSoft, SAP, Siebel, Business Objects,Cognos ) and custom applications (WebSphere, WebLogic, .)User– Deterministic vs. time-based “best guess”ApplicationServer23– No changes to applicationsDatabaseServer 2013 IBM Corporation
Tracking Privileged Users Who "su"Challenge: How do you trackusers who 'switch' accounts(perhaps to cover theirtracks)?User activity– Native databaselogging/auditing & SIEM toolscan't capture OS userinformation– Other database monitoringsolutions only provide OSshell account that was usedWhat Guardium Shows You24 2013 IBM Corporation
Cross-DBMS, Data-Level Access Control (S-GATE)Application ersIssue SQLSSGATEGATEOutsourced DBAHold SQLConnection terminated Cross-DBMS policiesBlock privileged user actionsNo database changesNo application changesWithout risk of inlineappliances that can interferewith application trafficCheck PolicyOn AppliancePolicy Violation:Drop ConnectionSession Terminated25 2013 IBM Corporation
Unauthorized Users Masked when Sensitive InformationCross-DBMS, Data-Level Access Control (Redact)Application ServersSQLOracle, DB2,MySQL,Sybase, etc.UnauthorizedUsersIssue SQL Cross-DBMS policiesMask sensitive dataNo database changesNo application changesS-TAPS-TAPOutsourced DBAActual data storedin the databaseRedact and MaskSensitive DataUser view of the data in the database26 2013 IBM Corporation
Automating Sign-offs & Escalations for Compliance Automates entire compliance workflow 27 Report distribution to oversight team Electronic sign-offs Escalations, comments & exception handlingAddresses auditors’ requirements to document oversight processesResults of audit process stored with audit data in secure audit repositoryStreamlines and simplifies compliance processes 2013 IBM Corporation
Vulnerability Assessments Using CIS, STIG BenchmarksHistorical Progressor RegressionOverallScoreDetailed ScoringMatrixFilter controlfor easy use28 2013 IBM Corporation
Validated by Industry Experts“Dominance in this space”#1 Scores for Current Offering,Architecture & Product Strategy“Most Powerful ComplianceRegulations Tools . Ever"“5-Star Ratings: Easyinstallation, sophisticatedreporting, strong Guardium is ahead of thepack and gainingpack and gainingspeed.”speed.”“Top of DBEP Class”“Practically every feature you'llneed to lock down sensitive data.“2007 Editor's Choice Awardin "Auditing andCompliance"29“Enterprise-class data securityproduct that should be on everyorganization's radar." 2013 IBM Corporation
InfoSphere GuardiumData Encryption 2013 IBM Corporation
InfoSphere Guardium products Guardium Data Encryption (DE) and Guardium Database Activity Monitor(DAM) are complimentary security products Guardium DAM StrengthDE Server– SQL Access Monitoring– SQL Intrusion Prevention– Auditing– Reporting Guardium DE StrengthGuardium Collector– Transparent Data Encryption– Key management– File Access Control31 2013 IBM Corporation
The Data Threats – Data at Rest & Data in Transit Online – internal threats–Attackers breaking through perimeter security–Privileged user abuse–Data replicates to many locations Offline – theft and loss–Backups typically written to portable media–Often stored offsite for long periods Onwire – internal and external threats–Hackers and sniffers picking data off the networkNetworkTransport3232 2013 IBM Corporation
What is InfoSphere Guardium Data Encryption? Data protection for your database environments– High performance encryption, access control andauditing– Data privacy for both online and backupenvironments– Unified policy and key management forcentralized administration across multiple dataservers Transparency to users, databases, applications,storage– No coding or changes to existing IT infrastructure– Protect data in any storage environment– User access to data same as before Centralized administration– Policy and Key management– Audit logs– High Availability33 2013 IBM Corporation
Data Encryption ArchitectureComponents: DE Security ServerDE Secure Offline AgentDE Secure File System Online AgentBackup FilesAuthenticated UsersSSLx.509 CertificatesApplicationsDBMS ServerDB2 OfflineAgentOnline AgentWebAdministrationhttpsFile SystemIBM DE ServerFailoverKey, Policy,Audit LogStoreOnlineFiles34Encryption Expert Security Server Policy and Key Management Centralized administration Separation of duties 2013 IBM Corporation
File ManagementFile SystemMetadataFile DataFileData 3535Clear TextEncryptionExpertName: Jsmith.docCreated: 6/4/99Modified: 8/15/02Name: Jsmith.docCreated: 6/4/99Modified: 8/15/02Name: J SmithCredit Card #:6011579389213Exp Date: 04/04Bal: 5,145,789Social Sec No:514-73-8970WritesEE AgentPolicyReadsFileDatadfjdNk%(Amg8nGmwlNskd M*sdopFqCio9M*sdopFFileDataProtects Sensitive Information Without Disrupting Data ManagementHigh-Performance EncryptionData Access as an Intended Privilege 2013 IBM Corporation
Context-Aware Access ControlWho? Filters Users or Groups Who May Access Protected DataFilters the Applications Users May Invoke to Access Protected DataIdentifies the File System Operations Available to the User/Application CombinationWhat? Where? When? Verifies Authorized Time Window Available for Access byWindow-Sensitive Tasks (e.g., Backup, Contract Employees)How? Separates the Ability to Access Data From the Ability to View DataIdentifies Protected Data (e.g., File, Directory, ory Compliance - challenges of data security 2013 IBM Corporation
Distributed Enforcement - Centralized ecurity ServersDAS Centralized Security Server: Multiple database instances Online and Offline Heterogeneous databases3737 2013 IBM Corporation
IBM InfoSphere Guardium Data Redaction 2013 IBM Corporation
IBM Infosphere Guardium Data RedactionProtect Sensitive Data Buried in Unstructured Documents and Forms Protect sensitive unstructured data indocuments, forms and graphics–Finds and removes sensitive data andmetadata from documents–Supports multiple file types: PDF, TIFF,MS-Word, TxtReduce the cost of compliance– 39New!Balances automated extraction withhuman review via web-based consoleControl unintentional data disclosure byuser type–Controls the data viewed by each userwith policy rules–Integrate with enterprise LDAP security 2013 IBM Corporation
Guardium Data RedactionRole-based security for compliance requirementsDoctor needs to seesymptom information notpersonal patient infoPatient: Mary JonesSIN: 123-456-789[SSN]Phone: 786-543-2100[Phone]Patient: Mary JonesSIN: 123-456-789Phone: 786-543-2100.: Associated signs andsymptoms includeaching joints, redness.: Associated signs andsymptoms includeaching[symptoms]joints, redness Physician view40SIN & phone are not blocked out–Financial clerk needs to see this,but not symptomsFinancial clerk view 2013 IBM Corporation
IBM InfoSphere Optim Data Privacy 2013 IBM Corporation
Optim is a Platform for Integrated Data ManagementIntegrated Data ManagementProduction DatabasesTest & Development DatabasesIBM InfoSphere DiscoveryValue: Automates analysis of dataand data relationships for completeunderstanding of data assets Define the business objects for archiving andsubsetting Identify all instances of private data so that theycan be fully protectedIBM Optim TestData ManagementSolution42IBM Optim DataPrivacy SolutionIBM OptimDecommissioningSolutionValue: SpeedApplication DeliveryValue: RiskManagementValue: ReduceInfrastructure Cost &Compliance Create realistic andmanageable testenvironments Speed applicationdelivery Improve Test Coverage Improve Quality Protect PII Data Apply Single DataMasking Solution Leverage realisticdata Decommissionredundant or obsoleteapplications Retain Access tohistorical dataDiscover undocumentedbusiness rules used to transformdata from existing systemsPrototype and test newtransformations for the targetsystemIBM Optim DataGrowth SolutionValue: ImproveApplication Performance,Reduce InfrastructureCosts & ImproveCompliance Retain only needed data,move the rest to archives Deploy Tiered StorageStrategies Retain Data According toValue Simplify Infrastructure 2013 IBM Corporation
Optim Enterprise ArchitectureDiscoveryTest Data ManagementData PrivacyData GrowthApplication RetirementAn integrated, modular environment to manage enterprise application data andoptimize data-driven applications from requirements to retirement acrossheterogeneous environments.43 2013 IBM Corporation
The Easiest Way to Expose Private Data Internally with the Test Environment 70% of data breaches occur internally(Gartner) Test environments use personallyidentifiable data Standard NDAs may not deter adisgruntled employee What about test data stored on laptops? What about test data sent tooutsourced/overseas consultants? PCI DSS Reg. 6.3.4 states, “Productiondata (real credit card numbers) cannotbe used for testing or development”* The Solution is Data De-Identification *44 2013 IBM Corporation
IBM InfoSphere Optim Data Masking SolutionDe-identify sensitive informationwith realistic but fictional data fortesting & development purposesData PrivacyRequirements Protect confidential data intest, training &development systems Consolidate and maskdata from multipleinterrelated applications tocreate a “production-like”test environment Apply a range ofpredefined or custom datamasking techniquesBenefits Prevent data misuse/breaches & associatedfines Speed testing toaccelerate time to marketOptim Data Masking supports data on distributed platforms (LUW) and z/OS.Out-of-the-box support for packaged applications available for ERP/CRM solutions:45 Reduce manual effort andmanage costsOther 2013 IBM Corporation
Optim Data Privacy and Test Data ManagementValidate and CompareProductionSubsetMaskTestPropagate Automate creation of complete testPeopleSoft / DB2environment De-identify for privacy protection Deploy multiple masking algorithmsPeopleSoft / DB2 Substitute real data with fictionalized yetCuram / DB2Custom App /SQL Server4646 contextually accurate dataProvide consistency acrossenvironments and iterationsNo value to hackersEnable off-shore testingCompare results to identify defects earlyCuram / DB2Custom App /SQL Server 2013 IBM Corporation
A Comprehensive Solution for Data Privacy is NeededA comprehensive set of data masking techniques to transform or de-identify data, including: String literal values Character substrings Random or sequential numbersExampleExample 11 Arithmetic expressions Concatenated expressions Date aging Lookup values IntelligenceExampleExample al Info Table112233 SINPatientPatientNo.No. 123456SINAmandaSchaferWintersNameName 645PabloElliotPicassoFlynn987-654-321123-456 -78940 MurrayBayberryCourtDriveAddressAddress 12CityProvBurnabyCity VancouverProv BCV0V0V0ZipZip V1V1V1Data is masked with contextually correctdata to preserve integrity of test dataReferential integrity is maintained with keypropagationEvent nn 2013 IBM Corporation
Large Regional BankMonitors database activity to support compliance regulationsThe need:Prevent users from inappropriately accessing or jeopardizing the integrity ofenterprise data. Protect financial and transactional data including: payment cardprimary account numbers (PAN data), automatic cleansing house (ACH)transaction data and human resources (HR) data. Comply with Sarbanes-Oxley,Payment Card Industry Data Security Standard (PCI-DSS) and other financialprivacy and audit regulations.The solution:Implemented IBM InfoSphere Guardium Database Activity Monitor to monitor enduser and privileged user activity across the IBM DB2, Oracle Database, MS SQLServer, and MySQL databases in the AIX, Solaris, Windows and Linuxenvironments.The benefits: Effectively monitors database activity for over 800 banking branches and supportscompliance with privacy and audit regulations“Monitoring databaseactivity with IBM Guardiumis helping us supportcompliance with our privacyand audit requirementswithout impacting databaseperformance.”— Source: Senior DBA, LargeRegional BankSolution components: IBM InfoSphere GuardiumDatabase Activity Monitor Helps prevent fraud and delivers return on investment with capabilities to identifysuspicious database activities Supports data governance by preventing unauthorized changes to critical databasevalues and structures48 2013 IBM Corporation
CSFiThe need:CSFi needed to satisfy PCI DSS. This meant ensuring that no device or systemretains cardholder data while trying to grow in new overseas markets to beat thecompetition and increase revenues.The solution:CSFi used InfoSphere Guardium Data Encryption to satisfy PCI DSS rather thanusing column level encryption which can slow performance and is difficult toimplement.Solution components: IBM InfoSphere GuardiumData Encryption IBM Informix Dynamic ServerThe benefits: Ensure compliance with Payment Card Industry Data Security Standard (PCIDSS) Allow IT staff to focus on value recreation and not tedious manual tasks Achieve all security and privacy requirements while maximizing systemthroughput Meet SLAs for processing transactions in just a few milliseconds4949 2013 IBM Corporation
Arek OyDeploys a pension earnings and accrual system in 30 monthsThe need:Pension laws (TyEL) in Finland changed radically in 2007. In response, Arek Oyhad to develop and deliver a tested and reliable Pension Earnings and AccrualSystem within 30 months. Arek Oy had to protect confidential employee salaryand pension information in multiple non-production (development and testing)environments. Failure to satisfy requirements would result in loss of customergood will and future business opportunities.The solution:Using IBM InfoSphere Optim subsetting capabilities rather than cloning largeproduction databases made it possible for Arek Oy staff to create robust, realistictest databases that supported faster iterative testing cycles. In addition,InfoSphere Optim offered proven capabilities for performing complex datamasking routines, while preserving the integrity of the pension data fordevelopment and testing purposes.The benefits: Improved development and testing efficiencies, enabling Arek Oy topromote faster deployment of new pension application functionality andenhancements Protected confidential data to strengthen public confidence and supportTyEL compliance requirements“We see Optim as an integralpart of our development solutionset. Optim’s data maskingcapabilities help ensure that wecan protect privacy in ourdevelopment and testingenvironments.”— Katri Savolainen, Project Manager,Arek OySolution components: IBM InfoSphere Optim DataMasking Solution IBM InfoSphere Optim TestData Management SolutionArek Oy Case Study50 2013 IBM Corporation
5151 2013 IBM Corporation
InfoSphere Guardium Database Activity Monitor - Database Activity Monitoring & Auditing - Know who is accessing your data in real-time and meet business security audits InfoSphere Guardium Data Encryption - Encrypt sensitive data and provide access for the right user InfoSphere Guardium Data Redaction
