IBM InfoSphere Guardium Tech Talk: Database Discovery and Sensitive Data Finder


1 Dan Goodes Guardium Technical Sales Engineer July 2013 : Database Discovery and Sensitive Data Finder Information Management

2 Logistics This tech talk is being recorded. If you object, please hang up and leave the webcast now. We'll post a copy of slides and link to recording on the Guardium community tech talk wiki page: You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group. We'll try to answer questions in the chat or address them at speaker's discretion. If we cannot answer your question, please do include your so we can get back to you. When speaker pauses for questions: We'll go through existing questions in the chat

3 Reminder: Guardium Tech Talks Next tech talk: Data security and protection for IBM i using InfoSphere Guardium Speakers: Scott Forstie and Larry Burroughs Date & Time: Thursday, August 29, :30 AM Eastern (90 minutes) Register here: Link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: Please submit a comment on this page for ideas for tech talk topics.

4 Dan Goodes Guardium Technical Sales Engineer July 2013 : Database Discovery and Sensitive Data Finder Information Management

5 What we'll cover today What is Guardium and what problems does it address? Overview of some capabilities Database Discovery Sensitive Data Finder Use Cases Integration Where to find more information Q&A Hello everyone and welcome to TechTalk Tuesday. Here is what we will cover today, starting with a quick introduction to Guardium.

6 The world is becoming more digitized and interconnected, opening the door to emerging threats and leaks DATA EXPLOSION The age of Big Data, the explosion of digital information, has arrived and is facilitated by the pervasiveness of applications accessed from everywhere CONSUMERIZATION OF IT With the advent of Enterprise 2.0 and social business, the line between personal and professional hours, devices and data has disappeared EVERYTHING IS EVERYWHERE Organizations continue to move to new platforms including cloud, virtualization, mobile, social business and more ATTACK SOPHISTICATION The speed and dexterity of attacks has increased, coupled with new motivations from cyber crime to state sponsored to terror inspired, making security a top concern, from the boardroom down. First let's talk about where we are coming from before we give you our perspectives on data security. In IT and business, we are experiencing an unprecedented openness in the use of technology, which is both an opportunity for new business and a challenge for IT, operationally and from the security perspective. The amount of data generated and handled is exploding, giving rise to technologies like Big Data to help us make sense of it. IT walls are coming down, making room for better communication with consumers anywhere. And on the security side, we are seeing more targeted, sophisticated attacks to get access to that critical asset, SENSITIVE DATA.

7 Data is the key target for security breaches... and Database Servers Are The Primary Source of Breached Data WHY? Database servers contain your client's most valuable information Financial records Customer information Credit card and other account records Personally identifiable information Patient records High volumes of structured data Easy to access 2012 Data Breach Report from Verizon Business RISK Team "Go where the money is and go there often." - Willie Sutton The most critical data that organizations have today is inside the databases. Because it is for the most part structured, it is easy to find. This is why it's most important to understand our data: where it lives, who has access to it, what they are doing with it, etc. Finding all of the sensitive data can be difficult, and that is what we will focus on today. Although Guardium's origins are around real-time database activity monitoring for security and compliance, it has the ability to discover and classify sensitive data in order to know what data to protect.

8 IBM InfoSphere Guardium provides real-time data activity monitoring for security & compliance Continuous, policy-based, real-time monitoring of all data traffic activities, including actions by privileged users Database infrastructure scanning for missing patches, mis-configured privileges and other vulnerabilities Data protection compliance automation Key Characteristics Data Repositories (databases, warehouses, file shares, Big Data) Host-based Probes (S-TAPs) Collector Appliance Single Integrated Appliance Non-invasive/disruptive, cross-platform architecture Dynamically scalable SOD enforcement for DBA access Auto discover sensitive resources and data Detect or block unauthorized & suspicious activity Granular, real-time policies Who, what, when, how 100% visibility including local DBA access Minimal performance impact Does not rely on resident logs that can easily be erased by attackers, rogue insiders No environment changes Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, etc. Growing integration with broader security and compliance management vision Let's take a quick look at an overview of Guardium's benefits. Some of these have more to do with Database Activity Monitoring, which we won't be covering today, but for those of you unfamiliar with Guardium's capabilities, this is a high-level introduction. Guardium provides continuous, policy-based, real-time database monitoring.

9 Extend real-time Data Activity Monitoring to protect sensitive data in databases, data warehouses, Big Data environments and file shares DATA Big Data Environments InfoSphere BigInsights NEW Integration with LDAP, IAM, SIEM, TSM, Remedy, Guardium would not be a complete data security solution if it only covered a few databases, so we have expanded our scope from all major database vendors to data warehouses, ECM, file systems, and now to Big Data environments based on Hadoop and NoSQL, such as IBM InfoSphere BigInsights, Greenplum, Cloudera, Cassandra, MongoDB, CouchDB, Hortonworks, just to name a few, with more being added all the time. We aim to satisfy all data security and compliance needs in heterogeneous and large scale environments.

10 What we'll cover today What is Guardium and what problems does it address? Overview of some capabilities Database Discovery Sensitive Data Finder Use Cases Integration Where to find more information Q&A Now that we have had some background and an introduction to Guardium, we are going to concentrate on today's main topics.

11 IBM Software Group Guardium 9: Addressing the Full Lifecycle for Database Security, Risk Management & Governance Discover all databases, applications & clients Discover & classify sensitive data Automatically update access policies when sensitive data found Discover & Classify Assess & Harden Vulnerability assessment Configuration assessment Behavioral assessment Configuration lock-down & change tracking Critical Data Infrastructure Centralized governance Compliance reporting Sign-off management Automated escalations Secure audit repository Data mining for forensics Long-term retention Audit & Report Monitor & Enforce 100% visibility Policy-based actions Anomaly detection Real-time prevention Granular access controls Privileged user monitoring Application monitoring to identify end-user fraud Monitor encrypted connections Monitor mainframe activity SIEM integration Guardium addresses the full lifecycle of database security. It is modular and can be deployed in parts to satisfy current and future data security projects. Before you know what to monitor and enforce, before you can report and review data security for every source in your infrastructure, even before you can address database vulnerabilities and configurations, it's always best to start at the ground floor, the foundation: finding where the sensitive data is. Then efforts can be spent protecting the RIGHT data.

12 In order to protect your information, you first need to understand where your sensitive data lives Database discovery to identify where your databases are located on your network. The agentle There is also the ability to do Instance discovery which requires an agent on the database serve It can automatically configure the inspection engines (process names, directory structures, etc) With Sensitive data finder - Guardium can locate databases via network IP scan and open data locate matching patterns. e.g. Creditcard, SSN, License Number, Phone Number, National I Any pattern can be written by a regular expression and Guardium can match these expressions Actions can then be taken AUTOMATICALLY; e.g. log a policy violation, send a real time alert, First let's talk about Database Discovery

13 Guardium Auto-Discovery Feature Even in stable environments, where cataloging processes have historically existed Uncontrolled instances can inadvertently be introduced Developers that create temporary test environments Business units seeking to rapidly implement local applications Purchases of new applications with embedded databases. Acquisitions and Mergers The Auto-discovery application can be configured to probe specified network segments on a scheduled or on-demand basis, and can report on all databases Even in stable environments, where cataloging processes have historically existed, uncontrolled instances can inadvertently be introduced through mechanisms including developers that create temporary test environments; business units seeking to rapidly implement local applications; and purchases of new applications with embedded databases. One of the hardest areas in which to understand sensitive data is when data sources are acquired through acquisitions and mergers. The Auto-discovery application can be configured to probe specified network segments on a scheduled or on-demand basis, and can report on all databases discovered, solving the problem of identifying both legacy and newly introduced databases. Similarly, the Auto-discovery application can be used to demonstrate that a process exists to identify all new instances. This is generally a requirement with industry and corporate regulations.

14 Guardium Auto-Discovery Let's go ahead and get started. I will be walking through the setup and configuration. Select New and build a new Auto-Discovery process.

15 Single Port Number or Range Single IP or Range After selecting New you are presented with the database discovery configuration screen. Here is where you will set the IP addresses or range of IPs to scan, as well as a port or range of ports. We will talk about best practices later in the TechTalk. Check the Run Probe after Scan box to send database calls to each open port to identify which database is listening on that port. You can separate the database IP scan and the probe if needed. Manually, this could be run right away or at a later time. An automated schedule can also be set up, so depending on the criteria of the scan you could run this after hours on a daily, weekly, monthly or quarterly basis to fit your needs.

16 Guardium Auto-Discovery While the job is running you can check the progress by clicking this button. This window will show you all the statistics of the current process: whether the scan is running, how many hosts were scanned, how many open ports were found, how many were probed, how long the probe process took, etc. The report Databases Discovered will be populated during this discovery process. Here you can see some databases that were found at Now let's look at how we can interact with this discovered information.

17 Guardium Auto-Discovery In almost all breaches or audit findings it's been unknown systems, with unknown connections, and unknown sensitive data elements. Now that we have discovered some new databases, decisions need to be made. These are databases with potentially sensitive information. Do we ignore them and hope they go away? Do we shut them down because they break policy, or maybe they were created by accident and might have licensing implications? Do we decide they are important and now need to be monitored for regulatory compliance or corporate data security policies? With the databases that are discovered, APIs can be invoked to help reduce administration time and reduce overall costs. Let's explore some of these built-in functions.

18 Guardium Auto-Discovery For example, there is the ability to create an inspection engine so the configurations to monitor that data source are already set up and ready for when the monitoring agent is installed. This also has automation capabilities to further reduce administration time; time is money. Here we are going to create a data source definition so we can run some of the scheduled job functions like Classification (Sensitive Data Finder), a Vulnerability Assessment scan or Least Privileges Entitlement Reporting. If you have to import hundreds of data sources, there is an API for that as well. For security purposes the username and password can even be encrypted so no plain text is stored, again further automating implementation and administration for corporate efficiency.

19 Guardium Auto-Discovery There is also the ability to discover new instances that are created on already existing database servers. Using the Guardium installation manager and the Discovery module, it will automatically report on all new instances once they are created. And the same question can be answered around whether to keep these instances or not. With the auto instance discovery, all the pertinent information is already captured for configuring a new inspection engine for the existing STAP agent for monitoring. This again will help reduce administration costs.

20 Guardium Auto-Discovery To help with automation of sign-off for efficient process management, Guardium has a built-in audit compliance workflow where any report, for example the discovered databases, can automatically be sent to recipients to take action. This will help close gaps in current processes, like where DBA managers have to report on all database instances. Traditionally, information security offices have to rely on database managers to accurately report on all database instances. What happens in organizations where the application teams own the databases and the DBA team has no control of what databases get created? Automating this process and accurately reporting on all database instances will help further reduce administration costs.

21 What we'll cover today What is Guardium and what problems does it address? Overview of some capabilities Database Discovery Sensitive Data Finder Use Cases Integration Where to find more information Q&A Now let's look at Guardium's Sensitive Data Finder.

22 Guardium Sensitive Data Finder The task of securing sensitive data begins with identifying it The Challenge Database environments are highly dynamic In large percentages of incidents, unknown data played a role in the compromise. The InfoSphere Guardium solution provides a complete means for addressing the entire database security and compliance life cycle. When a match is found, the rule can specify a wide variety of responsive actions, including: Logging the match. Sending a real-time alert detailing the match to an oversight team. Automatically adding the object to an existing privacy set or group Inserting a new-access rule into an existing security-policy definition. The task of securing sensitive data begins with identifying it. This can be challenging, because database environments are highly dynamic: the content of known instances is constantly changing and most organizations lack an effective means of identifying and understanding the content of unknown instances. In mature organizations, existing databases deployed before change control mechanisms had been implemented are not uncommon. Larger organizations growing through acquisition often struggle to gauge with certainty the sensitive data risk in acquired infrastructures. In large percentages of incidents, unknown data played a role in the compromise. To minimize this risk, organizations need a systematic way to identify all database instances and to determine on an ongoing basis which instances contain sensitive data, so that appropriate controls can be implemented. The InfoSphere Guardium solution provides a complete means for addressing the entire database security and compliance life cycle. Once database instances of interest are identified by Auto-discovery, Sensitive Data Finder can be used to examine the content of each, to determine whether sensitive data is included, and then take appropriate action.
When a match is found, the rule can specify a wide variety of responsive actions, including: Logging the match. Sending a real-time alert detailing the match to an oversight team. Automatically adding the object to an existing privacy set or group (objects with similar properties, such as those containing payment card data), ensuring related security policies are automatically applied to the newly discovered object. Inserting a new-access rule into an existing security-policy definition.

23 Discovering Sensitive Data in Databases Catalog Search: Search the database catalog for table or column name. Example: Search for tables where column name is like %card% Search for Data: Match specific values or patterns in the data. Example: Search for objects matching guardium://credit_card (a built-in pattern defining various credit card patterns) Search for Unstructured Data: Match specific values or patterns in an unstructured data file (CSV, Text, HTTP, HTTPS, Samba) Now that we have discovered new databases, we need to find out if there is any sensitive data This will help determine whether we can ignore this data source from a data security perspectiv Like installing a Guardium STAP agent for real-time monitoring, alerting and blocking capabilitie The reverse also applies, the sensitive data finder will also prove that no sensitive data resides Most auditors today are familiar with the Guardium capabilities, Imagine being able to give your They can move on to the more critical applications and databases This will reduce the audit time and again further reduce costs.

24 Guardium Sensitive Data Finder Now let's step through the process of creating a Classification Policy.

25 Guardium Sensitive Data Finder Give some details to the Classification Policy: a Name. You can specify a Category and Classification so they are easily identified during automation, as well as adding descriptions so the user responsible for signing off on this workflow will have all of the necessary details. Roles can be assigned to this operation, further securing and specifying who can do what with the Guardium product.

26 Guardium Sensitive Data Finder Next we can add the rules for what specific data we want to classify, and the action that will fire once a specified match is found.

27 Guardium Sensitive Data Finder Again, we further classify the operation with a category and classification. In this example we are looking for some credit card information. We can specify whether we are doing a Data search or a Catalog search; the latter can be useful when looking for specific tables of a newly acquired data source. Find those tables, or wildcard the name: %credit%. This will reduce the time it takes to actually search for data. If I know there is a table named Creditcard, I know this data source is of interest and will continue with a more specific search. However, if I don't find any tables of interest I can set up a scan for a later date and concentrate on the low-hanging-fruit data sources. We also have the ability to search for patterns in some unstructured data files, like CSV, Text, HTTP, HTTPS, Samba.

28 Guardium Sensitive Data Finder Here is a set of rules that this job will execute, specifically targeting criteria based on financial institutions' formatting: looking for VISA, Mastercard, American Express, etc. When you specify more detailed information in your search criteria you will reduce the false positives and increase the hit percentages of the data you are looking for. This is important for performance and for overall classification projects.

29 Guardium Sensitive Data Finder Inside the Classification Rule, you can search Synonyms, System Tables, Schema Tables, as well as views. This is important for knowing not only if there is sensitive data but how it's presented to users. Here you can see the search expression for this Visa rule: using the caret or circumflex character with a 4, you can specify that you want to find just numbers that start with a 4, which may be Visa numbers. When trying to reduce false positives it's important to specify more complex regular expressions to find exactly what you are looking for. I will go into best practices around performance of these jobs and false positives in a later section. Once a match is found there are Classification Rule Actions that can be set to automatically fire.

30 An example would be to automatically populate a group, for instance the Cardholder Sensitive Object or Discovered CreditCards group. This way, when doing reporting, alerting or policy management for database activity monitoring, using grouping in Guardium reduces administration costs.

31 Guardium Sensitive Data Finder Once the Sensitive Data Finder Classification job is configured it can be run right away manually, or it can be scheduled as part of the compliance workflow for automation. There is a Guardium Job Queue which will show you all running processes. The data sources to scan can be configured manually, or chosen from the shared data sources that were already discovered in the Auto-Discovery process. That was the example we walked through earlier.

32 This is an example of the results: the schema name, column name and table name of the matched object, and a comments field with all of the information, will be presented. In the comments field you can see the object was added to a group called All Credit Cards Discovered. We had rules set up for the specific card companies, but not for objects where a plain 16-digit number was found. There are many scenarios that can be used to reduce false positives. This custom authentication process table could hold transaction or ticket numbers that are 16 digits, maybe requiring some additional scans now that we know there may be a similarity. Regular expressions can be very customizable.

33 And if we check that group, you will see the matching information: schema name, table name, column name. Now anytime a report, an alert or a policy rule references this group, the newly discovered object will be referenced.

34 Guardium Sensitive Data Finder Now that the sensitive data object is in the right group, it can be applied to the real-time policies. In this case we are applying a blocking rule: anytime someone who isn't in the application schema users (like a privileged user) issues a select statement against the group of discovered credit cards, apply the SGATE, which will terminate their connection.

35 Guardium Sensitive Data Finder - Automation Further automating processes and sign-off management, the Sensitive Data Finder Classification process can be kicked off by our Audit Compliance Workflow. The results will be sent off to recipients for their review and signatures. Comments, escalation, rejection and further review operations can apply.

36 What we'll cover today What is Guardium and what problems does it address? Overview of some capabilities Database Discovery Sensitive Data Finder Use Cases Integration Where to find more information Q&A Now let's talk about some use cases, for example deployments, and best practices around performance and lowering false positives.

37 Use Cases Deployments - TechTalk The last two TechTalks were around successful deployments, and from that standpoint Guardium Sensitive Data Finder can be used to accelerate the deployment process, because knowing the data is important for building relevant reports, alerts and policy rules to apply. Deployment services uses a lot of the extrusion rules in the activity monitoring to determine and review the objects as part of their services. However, with growth and acquisition of data sources, Sensitive Data Finder will be a useful tool for identifying those new sensitive objects, making the product grow with your infrastructure.

38 The Compliance Mandate What do you need to monitor? DDL = Data Definition Language (aka schema changes) DML = Data Manipulation Language (data value changes) DCL = Data Control Language And there's the compliance factor of "You HAVE to do this!" HIPAA, SOX, PCI: they require that you CERTIFY that your company is doing this! You NEED granular visibility! This is mostly around DAM; however, in order to know what data applies to these activities, you need to discover what data matches. For example, HIPAA is all about PII/PHI data. How do you know what DDL, DML, and DCL is happening on HIPAA sensitive objects if they haven't been identified yet?

39 Use Cases Deployments Compliance Accelerators To accelerate the real-time database activity monitoring capabilities of Guardium, one needs to understand how the sensitive data is accessed. Guardium comes with out-of-the-box compliance regulation accelerators. The first step is understanding the PCI sensitive data that exists in the database. Once the Sensitive Data Finder Classification process is complete, those PCI objects have automatically been grouped together so that these out-of-the-box reports can be relevant. Let's take a look at an example.

40 Use Cases Deployments Compliance Accelerators For instance, regulation is about admin activity. Does it need to see all admin activity? NO, just the admin activity that pertains to the PCI regulations. So by grouping the admins with the PCI servers, only the activity that pertains to the PCI sensitive objects will be reported. This will instantaneously give your PCI auditors precisely what they need for the audit. No more having to rifle through hundreds of lines of activity to find what you need, eliminating the needle-in-the-haystack scenario.

41 Use Cases Deployments Compliance Accelerators Here we see an example of that precision grouping capability within the Sarbanes-Oxley Accelerator. All of the DML activity on the SOX relevant financial servers where it affects SOX sensitive data is reported. How do we know it's SOX sensitive information? Because we ran a SOX specific Sensitive Data Finder Classification job, looking for financial information, and put those objects into that group, further enhancing the automation and driving down those corporate costs.

42 Use Cases PCI, SOX, HIPAA, ETC Regular Expression Examples Here are some use case examples for regular expressions that can be used for all regulatory compliance. It's not just about PCI, SOX and HIPAA; it can be any industry, government or corporate regulation.

43 Use Cases - Best Practices Performance Network and Database Impact Runtime Reducing False Positives Correct Configurations Just like with poorly constructed queries and database performance, Guardium auto-discovery and Sensitive Data Finder are processes that take a very small amount of resource to complete. Whether the resources are network, file system or database, it's important to understand these functions, create the correctly configured job and run it during time frames that make sense to the business.

44 From an Auto-Discovery standpoint, Guardium is running a regular nmap-type process here, nothing particularly proprietary as far as our scanning technology goes. We go out and scan a single IP or a range looking for open ports and DB listeners on those ports. It's a simple operation; however, it can have an impact on your network, and this operation will be seen by your network folks. So it makes sense to do proper planning for these scans. There are something like 65,000 available ports on a server, so it's not a good idea to go scan * and not specify a port or port range. It is a good idea to put in some port numbers that make sense. Looking for DB2? Use a range of 50,000 to 60,000. Looking for Oracle? Use , and so forth. Initially, if you want to do a large number of IPs and ports, plan for after-hours work.

45 Use Cases - Best Practices Performance When using the Sensitive Data Finder, the Comprehensive search check box is only relevant when the number of records in a table exceeds the Sample size. This is a high quality search because the results are more likely to be representative of the data. Unchecking Comprehensive search will search the first "Sample size" records for a match. This type of search can be much faster than a comprehensive search but it may sacrifice the quality of the results. Enter a Sample size when searching for data: if the number of records in a table is <= "Sample size", then all those records are searched for a match. When the number of records in a table exceeds "Sample size", then Comprehensive search, as defined above, may be used. When a classification process runs, it should have very little impact on the database server. It begins by scanning sets of 50 consecutive rows returned by the database server, beginning with the first row. The second set of 50 begins with the 1000th row. Thereafter, it skips ahead by powers of two, such that the next block of 50 begins at 2K, 4K, 8K, 16K, 32K, and so forth. During this process, if any query takes longer than 10 seconds, the skip interval is multiplied by 10, so if the current sequence is 640K, the next will be 6.4M, and so forth. The Classifier also throttles itself to periodically idle so that it does not overwhelm the database server with requests. If any one query takes longer than 12 minutes, the query will be cancelled, a
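The skip schedule described on this slide, worked through as an added example (not Guardium code). It assumes K means 1,000 rows, that the first block starts at row 0, and that a slow query multiplies the next starting row by 10; all function and constant names are hypothetical.

```python
"""Added illustration of the classifier row-sampling schedule from the talk.

Not Guardium code. Assumptions: K = 1,000 rows, the first block starts at
row 0, and a query slower than 10 s makes the next start 10x the current one.
"""

BLOCK_ROWS = 50             # rows read per sample block (from the talk)
SECOND_BLOCK_START = 1000   # "the second set of 50 begins with the 1000th row"
SLOW_QUERY_SECONDS = 10.0   # threshold after which the skip is multiplied
SLOW_MULTIPLIER = 10


def sample_block_starts(total_rows, query_seconds=None):
    """Return the starting row of every 50-row block that would be read.

    query_seconds optionally maps a block start to how long that query took,
    which lets the 10x slow-query rule be exercised offline.
    """
    timings = query_seconds or {}
    starts, start = [], 0
    while start < total_rows:
        starts.append(start)
        if start == 0:
            start = SECOND_BLOCK_START
        elif timings.get(start, 0.0) > SLOW_QUERY_SECONDS:
            start *= SLOW_MULTIPLIER
        else:
            start *= 2
    return starts


def rows_sampled(total_rows, query_seconds=None):
    """Total rows actually inspected (the last block may be cut short)."""
    starts = sample_block_starts(total_rows, query_seconds)
    return sum(min(BLOCK_ROWS, total_rows - s) for s in starts)


def coverage_report(total_rows, query_seconds=None):
    """Summarise how much of the table is seen and the widest unread run."""
    starts = sample_block_starts(total_rows, query_seconds)
    sampled = rows_sampled(total_rows, query_seconds)
    edges = starts + [total_rows]
    gaps = [
        max(0, edges[i + 1] - min(edges[i] + BLOCK_ROWS, total_rows))
        for i in range(len(starts))
    ]
    return {
        "blocks": len(starts),
        "rows_sampled": sampled,
        "fraction": sampled / total_rows if total_rows else 0.0,
        "largest_gap": max(gaps, default=0),
    }


if __name__ == "__main__":
    # Constructed table sizes; the third run pretends the block at 64000 was slow.
    for rows, timings in ((100_000, None), (10_000_000, None),
                          (10_000_000, {64000: 11.5})):
        print(rows, sample_block_starts(rows, timings), coverage_report(rows, timings))
```

The report makes the trade-off concrete: under these assumptions a 100,000-row table is classified from 400 rows, so sensitive values that occur only inside an unread run are not seen by that pass.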

46 Use Cases - Best Practices Eliminate False Positives Configurations within the Classification process will help with performance best practices, as these scans can be more targeted. Generalized scans, however, may take longer to complete as they are less specific. For instance, doing catalog searches first will help identify the sensitive tables: try a wild card with Credit, or account, or social or SSN. These scans will take seconds, and since they identify sensitive tables, those tables can automatically be added to the groups of sensitive objects. Once those tables have been identified it's time to create more in-depth classification rules. These specific scans will look for the unique patterns of data; this is where you can find potentially sensitive information in tables where it isn't clearly marked, in tables with non-descriptive names, or in places where it doesn't belong, like Comment fields. When a rule name begins with "guardium://" (for this example we use CREDIT_CARD), and there is a valid credit card number pattern in the Search Expression box, the classification policy will use the Luhn algorithm. Specify or wild card the table and column name and the scan will be more targeted. For testing purposes this is a good way to see if your rules will fire, as you already know that table contains those matching patterns.
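The two-step approach above (a catalog search on column names, then a data search with card-brand patterns and the Luhn check), as an added example that is not Guardium code and not its built-in guardium://credit_card pattern. The SQLite schema, the sample rows and the regular expressions are constructed for illustration, and the function names are hypothetical.

```python
"""Added illustration: catalog search first, then pattern search plus Luhn.

Not Guardium code. Tables, rows and regexes are constructed for the example.
"""
import re
import sqlite3

# Constructed brand patterns: leading digits and length only.
BRAND_PATTERNS = {
    "VISA": re.compile(r"(?<!\d)4\d{12}(?:\d{3})?(?!\d)"),
    "MASTERCARD": re.compile(r"(?<!\d)5[1-5]\d{14}(?!\d)"),
    "AMEX": re.compile(r"(?<!\d)3[47]\d{13}(?!\d)"),
}


def luhn_valid(number):
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def build_sample_db():
    """In-memory database with constructed rows (public test card numbers)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customer_cards (id INTEGER, card_no TEXT);
        CREATE TABLE auth_tickets  (id INTEGER, ticket_no TEXT);
        CREATE TABLE orders        (id INTEGER, comments TEXT);
        INSERT INTO customer_cards VALUES (1, '4111111111111111'),
                                          (2, '5555555555554444');
        -- 16-digit ticket numbers that start with 4 but fail the Luhn check
        INSERT INTO auth_tickets VALUES (1, '4111111111111112'),
                                        (2, '4012888888881882');
        -- a card number sitting in a free-text field
        INSERT INTO orders VALUES (1, 'paid by phone, card 378282246310005'),
                                  (2, 'deliver after 5pm');
    """)
    return conn


def catalog_search(conn, like_pattern):
    """Catalog search: (table, column) pairs whose column name matches LIKE."""
    rows = conn.execute(
        "SELECT m.name, c.name FROM sqlite_master AS m, "
        "pragma_table_info(m.name) AS c "
        "WHERE m.type = 'table' AND c.name LIKE ? ORDER BY m.name, c.name",
        (like_pattern,),
    )
    return [(table, column) for table, column in rows]


def data_search(conn, require_luhn, sample_size=1000):
    """Data search: scan sampled values of every column for brand patterns."""
    hits = set()
    for table, column in catalog_search(conn, "%"):
        # Identifiers come from the catalog itself, so they are quoted, not bound.
        query = f'SELECT "{column}" FROM "{table}" LIMIT ?'
        for (value,) in conn.execute(query, (sample_size,)):
            for brand, pattern in BRAND_PATTERNS.items():
                for candidate in pattern.findall(str(value)):
                    if not require_luhn or luhn_valid(candidate):
                        hits.add((table, column, brand))
    return hits


if __name__ == "__main__":
    db = build_sample_db()
    print("catalog %card%:", catalog_search(db, "%card%"))
    print("pattern only  :", sorted(data_search(db, require_luhn=False)))
    print("pattern + Luhn:", sorted(data_search(db, require_luhn=True)))
```

On the constructed data the catalog search finds only the obviously named column, the pattern-only data search also flags the ticket numbers, and adding the Luhn check drops that false positive while still catching the card number in the free-text field.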

47 Use Cases Special Projects Risk Based Approach to Data Security Dark Reading Webinar Helping to Quantify the Risk and Protection Value List the top 10 assets you have in your organization Assign a value to these assets Identify specific threats to these assets Identify vulnerabilities with these assets Calculate your risk score and compare it to the asset value Risk is dependent on the asset values, threats and vulnerabilities Let's use a simple example as it relates to the databases PCI is a very common example and we'll relate this to credit card processing Last year there was a webinar that we did in conjunction with The Dark Reading Group regarding a risk-based approach to data security. Building out a score matrix for high-risk applications, databases, users and connections will help organizations realize the risk factors quicker. One of the most important aspects of this approach is to score your top 10 assets; these are the assets that would cost your organization the most if there was a breach or audit finding. Locating these assets will be quicker when using Guardium's Sensitive Data Finder. The link is in the slide, and the replay is a very useful webinar to watch.

48 What we'll cover today: What is Guardium and what problems does it address? Overview of some capabilities. Database Discovery. Sensitive Data Finder. Use Cases. Integration. Where to find more information. Q&A.

Now let's look at some integration points.

49 InfoSphere Guardium integration with other IBM products

[Diagram: InfoSphere Guardium integration points with other IBM products, including QRadar SIEM, Optim, InfoSphere Discovery, Tivoli, DB2, Netezza and others.]

Guardium integrates with a number of other technologies inside and outside of IBM. Outbound messaging and the ability to consume just about any data make Guardium a powerful activity reporting tool. Sharing of information is important within organizations in order to increase corporate efficiencies while driving down costs. Let's look at a few of these integration points as they pertain to discovery and classification projects.

50 Pattern Based Sensitive Data Discovery. Example: SSN. InfoSphere Discovery Classified Columns View.

InfoSphere Discovery is a tool which is unique in the industry. It removes the need for manual analysis of your data and the relationships in your environment. Discovery automatically and intelligently identifies and characterizes the data elements within a source and groups data elements into business entities based on the relationships between them. For example, Customer, Counterparty, and Invoice might represent a common business entity. With InfoSphere Discovery, all sensitive data elements can be shared with Guardium. You may have already invested in data discovery projects and have already completed some data classification. This information can easily be shared with Guardium so that the real-time policy rules, alerts and reports are also monitoring the data elements already defined by your organization.

51 Here we see an automated production of the CSV files, in a consumable format that will match the data structure inside the Guardium repository. Quickly and easily share sensitive objects back and forth to accelerate all data design and classification projects.

52 When to use Guardium and Discovery

InfoSphere Guardium, if your needs are to: find all databases and sensitive data, then apply appropriate policies; monitor database security and compliance in real time throughout the lifecycle; protect and control access to sensitive data; validate compliance with security mandates. Business Needs / Project Types: Database Security, Compliance. Target Roles: Data Protection groups, Security Departments, DBA, Auditors, IT Operation, Operations Group, Risk and Compliance.

InfoSphere Discovery, if your needs are to: gain an understanding of data content, data relationships, and data transformations across multiple heterogeneous sources; discover business objects across data sources; identify sensitive data across data sources. Business Needs / Project Types: Archiving, Test Data Management, App. Consolidation, Information Integration (DHW, BI, MDM, etc). Target Roles: Business Analysts, System Architects, Data Analysts, Data Steward, Application Development Groups.

Both products can do sensitive data discovery based on regular expression pattern matching, so when should you use one over the other? Guardium gives you the ability to quickly and easily point to a data source and scan it for sensitive data. This is usually because of a security project like database activity monitoring, with groups updated automatically and alerting capabilities when sensitive data is located. InfoSphere Discovery, on the other hand, is a VERY powerful data analytical tool for helping organizations understand their data, the relationships inside the database, and the relationships of the data in other databases. It does database model discovery and has powerful algorithms for finding matching values, even inside of larger data sets. For example, a social security number may be part of a larger transaction number. This larger number could be identified as sensitive and could be shared with Guardium for data security requirements.
To help accelerate a data relationship project, Guardium's Sensitive Data Finder results could also be shared with InfoSphere Discovery.

53 Info Analyzer: Extended Data Classification & Data Rules

While Discovery helps an organization to understand their data and the complex relationships within their data, Information Analyzer provides the ability to examine the quality of the data in terms of consistency, validity, redundancy, and integrity. Information Analyzer allows for not only an initial assessment of data quality, but on-going monitoring of data quality through established Data Rules.

54 IBM InfoSphere Information Analyzer: Export, Custom Dashboard and Reporting. Broad set of functions exposed through API beyond reporting needs.

[Diagram: IBM InfoSphere Information Analyzer export, with GET, XML, XSLT, HTML report and CSV report elements.]

Information Analyzer is the trusted source for the classified data, and its repository information can be shared with Guardium as well. Any CSV could be imported into Guardium's repository for reporting purposes. Correlation alerts can even be set up to scan the imported data for threshold values.

55 Optim Archiving and Test Data Management

[Diagram: Optim archiving and test data management flows between production, test data subsets, archives, and application access via ODBC / JDBC, XML and report writer.] Guardium and TDM can share masking policies. Guardium can suggest archive candidates. Optim sends access requests to Guardium. Archiving is an intelligent process for moving inactive or infrequently accessed data that still has value, while providing the ability to search and retrieve the data.

Guardium integrates with Optim, mostly from an activity monitoring aspect, where we can see what jobs ran and who ran them. However, the data objects that will be obfuscated or masked during a Test Data Management project can be populated by Guardium Sensitive Data Finder, again accelerating operational processes and driving down those corporate costs.

56 Information, training, and community

InfoSphere Guardium YouTube Channel (includes overviews and technical demos). InfoSphere Guardium newsletter. developerWorks forum (very active). Guardium DAM User Group on LinkedIn (very active). Community on developerWorks (includes content and links to a myriad of sources, articles, etc). Guardium Info Center (Installation, System Z S-TAPs and some how-tos, more to come). Technical training courses (classroom and self-paced). New! InfoSphere Guardium Virtual User Group: open, technical discussions with other users. Send a note to bamealm@us.ibm.com if interested.

There are currently two Guardium certification tests. If you are looking into taking an IBM professional product certification exam, you may look into taking the certification. Upon completion of the certification, you will become an IBM Certified Guardium Specialist. The certification requires deep knowledge of the IBM InfoSphere Guardium product. It is recommended that the individual have experience in implementing the product before taking the exam. You can view the detailed topics here: Details of each topic are covered in the product manuals. You will also find the Guardium InfoCenter a useful resource when you prepare for the exam:

57 Reminder: Guardium Tech Talks. Next tech talk: Data security and protection for IBM i using InfoSphere Guardium. Speakers: Scott Forstie and Larry Burroughs. Date & Time: Thursday, August 29, :30 AM Eastern (90 minutes). Register here: Link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: Please submit a comment on this page for ideas for tech talk topics.

58 [Slide: "Thank you" in multiple languages, including Polish, Traditional Chinese, Thai, Spanish, French, Russian, Arabic, Brazilian Portuguese, German, Swedish, Simplified Chinese, Japanese and Italian.]

Thank you very much for your time today.


More information

TRIPWIRE NERC SOLUTION SUITE

TRIPWIRE NERC SOLUTION SUITE CONFIDENCE: SECURED SOLUTION BRIEF TRIPWIRE NERC SOLUTION SUITE TAILORED SUITE OF PRODUCTS AND SERVICES TO AUTOMATE NERC CIP COMPLIANCE u u We ve been able to stay focused on our mission of delivering

More information

IBM InfoSphere Guardium

IBM InfoSphere Guardium IBM InfoSphere Guardium Managing the Entire Database Security and Compliance Lifecycle More Global 1000 organizations trust IBM to secure their critical enterprise data than any other technology provider.

More information

Database Auditing & Security. Brian Flasck - IBM Louise Joosse - BPSolutions

Database Auditing & Security. Brian Flasck - IBM Louise Joosse - BPSolutions Database Auditing & Security Brian Flasck - IBM Louise Joosse - BPSolutions Agenda Introduction Drivers for Better DB Security InfoSphere Guardium Solution Summary Netherlands Case Study The need for additional

More information

Boosting enterprise security with integrated log management

Boosting enterprise security with integrated log management IBM Software Thought Leadership White Paper May 2013 Boosting enterprise security with integrated log management Reduce security risks and improve compliance across diverse IT environments 2 Boosting enterprise

More information

Auditing Data Access Without Bringing Your Database To Its Knees

Auditing Data Access Without Bringing Your Database To Its Knees Auditing Data Access Without Bringing Your Database To Its Knees Black Hat USA 2006 August 1-3 Kimber Spradlin, CISA, CISSP, CPA Sr. Manager Security Solutions Dale Brocklehurst Sr. Sales Consultant Agenda

More information

Strengthen security with intelligent identity and access management

Strengthen security with intelligent identity and access management Strengthen security with intelligent identity and access management IBM Security solutions help safeguard user access, boost compliance and mitigate insider threats Highlights Enable business managers

More information

Running the SANS Top 5 Essential Log Reports with Activeworx Security Center

Running the SANS Top 5 Essential Log Reports with Activeworx Security Center Running the SANS Top 5 Essential Log Reports with Activeworx Security Center Creating valuable information from millions of system events can be an extremely difficult and time consuming task. Particularly

More information

Luncheon Webinar Series May 7th, 2015

Luncheon Webinar Series May 7th, 2015 Luncheon Webinar Series May 7th, 2015 Stewardship Center Overview Presented by Robert Dickson Sponsored By: 1 2015 IBM Corporation 1 Stewardship Center Overview Questions and suggestions regarding presentation

More information

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence Chris Poulin Security Strategist, IBM Reboot Privacy & Security Conference 2013 1 2012 IBM Corporation Securing

More information

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery Overview Password Manager Pro offers a complete solution to control, manage, monitor and audit the entire life-cycle of privileged access. In a single package it offers three solutions - privileged account

More information

Websense Data Security Suite and Cyber-Ark Inter-Business Vault. The Power of Integration

Websense Data Security Suite and Cyber-Ark Inter-Business Vault. The Power of Integration Websense Data Security Suite and Cyber-Ark Inter-Business Vault The Power of Integration Websense Data Security Suite Websense Data Security Suite is a leading solution to prevent information leaks; be

More information

ForeScout CounterACT. Continuous Monitoring and Mitigation

ForeScout CounterACT. Continuous Monitoring and Mitigation Brochure ForeScout CounterACT Real-time Visibility Network Access Control Endpoint Compliance Mobile Security Rapid Threat Response Continuous Monitoring and Mitigation Benefits Security Gain real-time

More information

Clavister InSight TM. Protecting Values

Clavister InSight TM. Protecting Values Clavister InSight TM Clavister SSP Security Services Platform firewall VPN termination intrusion prevention anti-virus anti-spam content filtering traffic shaping authentication Protecting Values & Enterprise-wide

More information

Detect & Investigate Threats. OVERVIEW

Detect & Investigate Threats. OVERVIEW Detect & Investigate Threats. OVERVIEW HIGHLIGHTS Introducing RSA Security Analytics, Providing: Security monitoring Incident investigation Compliance reporting Providing Big Data Security Analytics Enterprise-wide

More information

CLOUD GUARD UNIFIED ENTERPRISE

CLOUD GUARD UNIFIED ENTERPRISE Unified Security Anywhere CLOUD SECURITY CLOUD GUARD UNIFIED ENTERPRISE CLOUD SECURITY UNIFIED CLOUD SECURITY Cloudy with a 90% Chance of Attacks How secure is your cloud computing environment? If you

More information

8 Steps to Holistic Database Security

8 Steps to Holistic Database Security Information Management White Paper 8 Steps to Holistic Database Security By Ron Ben Natan, Ph.D., IBM Distinguished Engineer, CTO for Integrated Data Management 2 8 Steps to Holistic Database Security

More information

How To Manage Log Management

How To Manage Log Management : Leveraging the Best in Database Security, Security Event Management and Change Management to Achieve Transparency LogLogic, Inc 110 Rose Orchard Way, Ste. 200 San Jose, CA 95134 United States US Toll

More information

Security of Cloud Computing for the Power Grid

Security of Cloud Computing for the Power Grid ANNUAL INDUSTRY WORKSHOP NOVEMBER 12-13, 2014 Security of Cloud Computing for the Power Grid Industry Panel November 12, 2014 UNIVERSITY OF ILLINOIS DARTMOUTH COLLEGE UC DAVIS WASHINGTON STATE UNIVERSITY

More information

<Insert Picture Here> Oracle Database Security Overview

<Insert Picture Here> Oracle Database Security Overview Oracle Database Security Overview Tammy Bednar Sr. Principal Product Manager tammy.bednar@oracle.com Data Security Challenges What to secure? Sensitive Data: Confidential, PII, regulatory

More information

Managing Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform

Managing Privileged Identities in the Cloud. How Privileged Identity Management Evolved to a Service Platform Managing Privileged Identities in the Cloud How Privileged Identity Management Evolved to a Service Platform Managing Privileged Identities in the Cloud Contents Overview...3 Management Issues...3 Real-World

More information

The Age of Audit: The Crucial Role of the 4 th A of Identity and Access Management in Provisioning and Compliance

The Age of Audit: The Crucial Role of the 4 th A of Identity and Access Management in Provisioning and Compliance The Age of Audit: The Crucial Role of the 4 th A of Identity and Access Management in Provisioning and Compliance Consul risk management, Inc Suite 250 2121 Cooperative Way Herndon, VA 20171 USA Tel: +31

More information

How To Manage Security On A Networked Computer System

How To Manage Security On A Networked Computer System Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

Ecom Infotech. Page 1 of 6

Ecom Infotech. Page 1 of 6 Ecom Infotech Page 1 of 6 Page 2 of 6 IBM Q Radar SIEM Intelligence 1. Security Intelligence and Compliance Analytics Organizations are exposed to a greater volume and variety of threats and compliance

More information

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Protect the data that drives our customers business. Data Security. Imperva s mission is simple: The Imperva Story Who We Are Imperva is the global leader in data security. Thousands of the world s leading businesses, government organizations, and service providers rely on Imperva solutions to prevent

More information

Enforcive / Enterprise Security

Enforcive / Enterprise Security TM Enforcive / Enterprise Security End to End Security and Compliance Management for the IBM i Enterprise Enforcive / Enterprise Security is the single most comprehensive and easy to use security and compliance

More information

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com

Maintaining PCI-DSS compliance. Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Maintaining PCI-DSS compliance Daniele Bertolotti daniele_bertolotti@symantec.com Antonio Ricci antonio_ricci@symantec.com Sessione di Studio Milano, 21 Febbraio 2013 Agenda 1 Maintaining PCI-DSS compliance

More information

SOA Executive Overview Achieve Business Agility, October 23, 2012. Ray Daniel, Connectivity and Integration Executive

SOA Executive Overview Achieve Business Agility, October 23, 2012. Ray Daniel, Connectivity and Integration Executive SOA Executive Overview Achieve Business Agility, October 23, 2012 Ray Daniel, Connectivity and Integration Executive 1 2 These trends are changing entire industries Mobile 2 Cloud Big Data Social 3 3 4

More information

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

WHITE PAPER SPLUNK SOFTWARE AS A SIEM SPLUNK SOFTWARE AS A SIEM Improve your security posture by using Splunk as your SIEM HIGHLIGHTS Splunk software can be used to operate security operations centers (SOC) of any size (large, med, small)

More information

White Paper. Ensuring Network Compliance with NetMRI. An Opportunity to Optimize the Network. Netcordia

White Paper. Ensuring Network Compliance with NetMRI. An Opportunity to Optimize the Network. Netcordia White Paper Ensuring Network Compliance with NetMRI An Opportunity to Optimize the Network Netcordia Copyright Copyright 2006 Netcordia, Inc. All Rights Reserved. Restricted Rights Legend This document

More information

Empowering Your Business in the Cloud Without Compromising Security

Empowering Your Business in the Cloud Without Compromising Security Empowering Your Business in the Cloud Without Compromising Security Cloud Security Fabric CloudLock offers the cloud security fabric for the enterprise that helps organizations protect their sensitive

More information