IBM InfoSphere Guardium For Federal Information Systems

Information Management
Data Sheet
Federal Government

IBM InfoSphere Guardium for federal information systems
Continuous monitoring to secure sensitive data and simplify SCAP compliance validation

Highlights

- Continuously monitor data activity to identify and block unauthorized access or changes, including those initiated by privileged users
- Automate assessment of database configurations to identify security vulnerabilities and suggest prioritized remedial actions
- Simplify and automate the implementation of controls to demonstrate compliance with the Federal Information Security Management Act, OMB, SP 800-53 and other mandates
- Maximize security and interoperability by supporting federal standards and best practices including DISA Database STIG vulnerability tests and CVE identifiers
- Monitor, aggregate and understand database entitlements
- Build security into big data environments such as Hadoop, InfoSphere BigInsights and NoSQL databases

The challenge of protecting data and validating compliance in federal agencies

According to a March 2013 article in Reuters, cyber attacks and cyber espionage have supplanted terrorism as the top security threat facing the United States.[1] Cleanup from cyberattacks cost an average of USD 8.9 million annually.[2] The types of sensitive information targeted in attacks are typically stored in databases, and increasingly in big data repositories, such as Hadoop. As a result, the implementation of data security controls is becoming a very high priority. Furthermore, recent high profile events have called attention to the fact that these controls must also encompass the protection of sensitive data from insiders, particularly administrators who most often have unfettered access to all the data they manage.

“We know hackers steal people’s identities and infiltrate private email. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems.”[3]
— President Obama, State of the Union address 2013

In response to the escalating threat to federal information systems, a variety of legislative and regulatory mandates now require federal agencies to implement controls to protect sensitive data. These include Federal Information Security Management Act (FISMA) and National Institute of Standards and Technology (NIST) standards such as Federal Information Processing Standards (FIPS)-200, Special Publications (SP) 800-53 and Security Content Automation Protocol (SCAP) (SP 800-126). Recognizing the real-time nature of current threats and the limited impact that static controls implemented in the past have had on attacks, most agencies are now moving aggressively to meet compliance requirements with capabilities that enable real-time detection and mitigation of security vulnerabilities.

Managing a database infrastructure to address these evolving security and compliance requirements is quite challenging for a variety of reasons, including:

- The shortage of resources with required database and security skills
- The number of systems to be secured, which can range up into the thousands in large agencies
- The highly dynamic nature of these systems, which undergo constant changes
- The need to implement consistent controls and reporting on systems from a variety of vendors
- The effort required to assemble and organize the wide variety of information required to demonstrate compliance with all applicable mandates
- The explosive amount of data speeding through the enterprise, which makes it challenging to understand what is sensitive and how to protect it
- The increasing adoption of big data platforms, such as Hadoop and NoSQL, which means that existing approaches might not scale to embrace new types of data sources

“Agencies need to be able to continuously monitor security-related information from across the enterprise in a manageable and actionable way. To do this, agencies need to automate security-related activities and acquire the tools that correlate and analyze security-related information.”[4]
— Vivek Kundra, Federal CIO

An integrated solution to meet growing data security and compliance requirements

IBM InfoSphere Guardium offers a family of integrated modules for managing the entire data security and compliance life cycle (see Figure 1), irrespective of the size and mix of platforms. Supported platforms include Oracle Database, Microsoft SQL Server, Microsoft SharePoint, IBM DB2, IBM Informix, IBM VSAM, Sun MySQL, Sybase ASE, Sybase IQ, IBM PureData, Teradata, PostgreSQL and FTP products. In addition, to address the challenges of security for big data, InfoSphere Guardium supports Hadoop-based systems, such as Cloudera and InfoSphere BigInsights, as well as NoSQL databases.

Designed to provide ease of use and optimize the utilization of operational resources, InfoSphere Guardium provides a means of automating:

- The identification and classification of unregistered database instances, so that you can ensure controls are applied to all sensitive data, even in highly dynamic environments
- The continuous assessment of database infrastructures to identify, prioritize and accelerate remediation of vulnerabilities that can be exploited to compromise sensitive data
- The real-time monitoring and enforcement of policies for sensitive data use
- The collection and reporting of audit information to validate compliance with a range of mandates

Figure 1: InfoSphere Guardium is a single integrated solution that simplifies all facets of data security and compliance (diagram labels include: Monitor & Audit; Enforce & Protect)

Continuous monitoring and policy enforcement to protect sensitive data

InfoSphere Guardium Data Activity Monitor is a simple, scalable solution for centralizing and automating the controls needed to protect all kinds of sensitive data in distributed heterogeneous environments, including big data environments. Lightweight host-based probes are installed on any database server with sensitive data, enabling all database transactions to be monitored in real time (see Figure 2) without changing database configurations or enabling resource-intensive native logging facilities. Hardware or software collector appliances gather monitored data from the probes, providing analysis, reporting and the secure audit trail required by mandates such as SP 800-53. If a transaction violates the policies configured by your agency (see Figure 3), a number of responses can be specified, ranging from alerting the security team to blocking the transaction in real time. For maximum scalability and flexibility, multiple tiers of appliances can be added to accommodate growth, enabling centralized monitoring and management of security policies agency wide.

Figure 2: The scalable InfoSphere Guardium architecture protects sensitive data in large and small environments with centralized aggregation of audit data and centralized management of security policies—agency wide (diagram labels include: S-TAP probes and collectors in Americas, Europe and Asia Pacific data centers; z/OS; cloud environment; application servers; SharePoint servers; data-level access control; Central Policy Manager and Audit Repository; Oracle, SQL Server, DB2 (distributed and mainframe), Informix, Sybase, MySQL, Teradata, Netezza, PostgreSQL; integration with LDAP, IAM, Kerberos, SIEM, Remedy, McAfee ePO, IBM TSM, Tivoli, etc.)

Figure 3: InfoSphere Guardium continuously monitors data access in real time to detect policy violations and provides a range of actions for responding when any are detected

InfoSphere Guardium Entitlement Reports provide a simple means of aggregating, understanding and utilizing user rights information. You can eliminate the time-consuming and error-prone process of manually collecting and analyzing user rights information and ensure important security gaps are quickly identified, while reducing operational costs through automation. InfoSphere Guardium can be configured to scan all selected databases on a scheduled basis, automatically collecting information on user rights. The result is the ability to maximize sensitive data protection, minimize operational costs and ensure successful audits.

Key pre-defined Entitlement Reports include:

- Accounts with system privileges
- All system and administrative privileges, shown both by user and role
- Object privileges by user
- All objects with public access
- User privileges by object
- Roles granted to users and roles
- Grants and revocation of privileges
- Execute privileges by procedure

One of the biggest trends in federal information systems is the move to big data infrastructures. Big data environments help agencies process, analyze and derive maximum value from new data formats, as well as traditional structured formats, in real time. As big data environments ingest more data, agencies will face significant risks and threats to the repositories containing this data. Unique challenges of big data environments include:

- Schema-less distributed environments, where data from multiple sources can be joined and aggregated in arbitrary ways, make it challenging to establish access controls
- The nature of big data — high volume, variety and velocity — makes it difficult to ensure data integrity
- Aggregation of data from across the enterprise means sensitive data is in a repository
- Another data source to secure, and most existing data security and compliance approaches will not scale

InfoSphere Guardium is among the first to market to deliver security for data environments by monitoring big data activity from applications and users (both internal and external) in real time and taking action on policy violations. InfoSphere Guardium also reports on activities to fulfill compliance requirements and support forensic investigations.

Enhanced security with automated identification of software and configuration flaws

One interagency initiative to support improved real-time detection and mitigation of security vulnerabilities is the Information Security Automation Program. The objective of the program is to automate standards-based security configuration assessment and compliance reporting activities, including those related to database infrastructures. With automated and regular security assessments, agencies can evaluate the strength of their database environments, compare it with guidelines and measure improvements over time.

InfoSphere Guardium Database Vulnerability Assessment and Configuration Auditing System (CAS) modules combine to automate the following SCAP CVE, CCE and CPE functions:

- The ability to scan specified high-value database infrastructures on a schedule or on demand
- Comprehensive identification of database vulnerabilities (see Figure 4), such as missing patches, misconfigured privileges, weak passwords and default vendor accounts
- An extensive library of tests that uses industry-wide best practices including CIS benchmarks and the Defense Information Systems Agency Database Security Technical Guides (STIG)
- The capability to create custom tests to tailor vulnerability assessments to unique application environments
- Identification of changes to configuration files and other objects external to the database, such as the authentication or communications encryption settings, that can affect the security posture of your infrastructure
- A summary security health report card (Figure 5) and supporting details including specific issues identified, Common Vulnerability Scoring System (CVSS) scores, Common Vulnerability and Exposure (CVE) identifiers and concrete recommendations to strengthen database security
- Complete report generation and data export capabilities

To facilitate further use of the security information generated by InfoSphere Guardium, IBM supports the development of standards for the interchange of software flaw and security configuration information, such as SP 800-126.

With InfoSphere Guardium, you can continuously test your entire database environment, irrespective of the size and mix of platforms, to identify and prioritize the remediation of software and configuration flaws, while minimizing use of scarce technical resources.

Figure 4: InfoSphere Guardium automates the testing of heterogeneous database infrastructures to identify and accelerate remediation of software and configuration flaws

Figure 5: Prioritized results of vulnerability assessments are summarized in a security health report card, with supporting detail and recommendations on concrete steps to improve security provided

Automate and streamline compliance activities

InfoSphere Guardium provides an integrated workflow automation application to streamline compliance processes and ensure that action is taken to remediate all identified issues. The application automates report generation, distribution to stakeholders and management of electronic sign-offs and escalations. Compliance workflow automation results are stored in a tamper-proof repository along with audit data so agencies can demonstrate to auditors that all policy violations have been recorded and resolved in a timely manner and that audit data has not been altered. Figure 6 shows the modules that help demonstrate compliance to federal requirements. Compliance workflow automation eliminates costly, cumbersome, error-prone manual processes.

InfoSphere Guardium Module | Federal Requirement
Database Vulnerability Assessment | SP 800-53, CIS, DoD Database STIG, CVE and CVSS as specified in SP 800-126
Configuration Auditing System for OS level file monitoring | DoD Database STIG, CVE and CVSS as specified in SP 800-126
Configuration Auditing System for server configuration monitoring | DoD Database STIG, CVE and CVSS as specified in SP 800-126
Database Activity Monitor | Continuous monitoring

Figure 6: InfoSphere Guardium simplifies and automates the implementation of controls to demonstrate compliance with a variety of government specific mandates

Implemented by leading federal and state agencies

Leading federal and state agencies have selected the InfoSphere Guardium solution because it provides a simple, scalable means of securing a wide variety of sensitive data by means of continuous monitoring and assessment, while accommodating the need to simplify compliance validation processes. Customers include federal, civilian, defense and intelligence agencies. These include agencies with a focus on finance, social services, security and infrastructure management.

About InfoSphere Guardium

InfoSphere Guardium is the most widely used solution for preventing information leaks from data centers and ensuring the integrity of enterprise data. It is installed for more than 500 customers worldwide, including:

- Five of the top 5 global banks
- Four of the top 6 insurers
- Top government agencies
- Two of the top 3 retailers
- Twenty of the world’s top communication service providers
- Two of the world’s favorite beverage brands
- The most recognized name in personal computing
- A top 3 auto maker
- A top 3 aerospace company
- A leading supplier of business intelligence software

InfoSphere Guardium was the first solution to address the core data security gap by providing a scalable, cross-database management system enterprise platform that both protects databases in real time and automates the entire compliance auditing process. InfoSphere Guardium is also among the first to market with security solutions for big data environments.

InfoSphere Guardium is part of IBM InfoSphere, an integrated platform for defining, integrating, protecting and managing trusted information across your systems. The InfoSphere platform provides all the foundational building blocks of trusted information, including data integration, data warehousing, master data management and information governance, all integrated around a core of shared metadata and models. The portfolio is modular, so you can start anywhere and mix and match InfoSphere software building blocks with components from other vendors, or deploy multiple building blocks together for increased acceleration and value.

The InfoSphere platform provides an enterprise-class foundation for information-intensive projects, providing the performance, scalability, reliability and acceleration needed to simplify difficult challenges and deliver trusted information to your business faster.

For more information

To learn more about IBM InfoSphere Guardium, contact your IBM sales representative or visit: ibm.com/guardium

Copyright IBM Corporation 2013

IBM Corporation
IBM Software Group
Route 100
Somers, NY 10589

Produced in the United States of America
April 2013

IBM, the IBM logo, ibm.com, DB2, Informix, InfoSphere, Guardium, PureData, BigInsights and Tivoli are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at: ibm.com/legal/copytrade.shtml.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. Other product, company or service names may be trademarks or service marks of others.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

[1] Hosenball, Mark and Patricia Zengerle. “Cyber attacks leading threat against U.S.: spy agencies.” Reuters. March 12, 2013.
[2] Messmer, Ellen. “Cyberattacks in U.S. cost an average $8.9 million annually to clean up, study says.” Network World. October 8, 2012.
[3] Abdullah, Halimah. “Watch where you click: International cyber attacks on the rise.” CNN. March 12, 2013.
[4] Office of Management and Budget, April 21, 2010 Memorandum for Heads of Executive Department and Agencies on FY2010 FISMA Reporting

IMS14371-USEN-00
