Securing and protecting the organization's most sensitive data

A comprehensive solution using IBM InfoSphere Guardium Data Activity Monitoring and InfoSphere Guardium Data Encryption to provide layered protection for sensitive data assets.

Highlights

- IBM InfoSphere Guardium Data Activity Monitoring for database access monitoring and alerts
- IBM InfoSphere Guardium Data Encryption for file-level data encryption and access control

Databases are the backbone of every organization's operations, powering enterprise applications, supporting financial transactions and internal processes, and underpinning a multitude of mission-critical business analytics processes. Further, the data contained within these dynamic repositories is both highly regulated and a primary target for internal and external attackers. The nature of this data requires enterprises to meet strict compliance standards, ensure data integrity and protect sensitive information, both within the database and at the file system level. Achieving this requires a layered, well-focused, data-centric security approach that includes:

- Discovery and classification of sensitive data scattered throughout the organization, both in databases and in other data repositories
- Continuous monitoring and auditing of data access
- Real-time, policy-based control of data access according to defined business policies, within the database environment and at the operating system or file system level
- Real-time alerts for security violations and attacks
- Proof of compliance and streamlined response to audits

The need for a comprehensive approach to data protection

Compliance remains the most pressing concern for many organizations. However, data breaches, the requirement to protect sensitive intellectual property, and the desire to maintain a trusted brand are mobilizing organizations in every industry to seek strong security protection for the critical information and data in their IT infrastructure.
Regulatory compliance drives initial adoption

Compliance with industry and government regulations often serves as the catalyst for implementing data protection. Regulations such as PCI-DSS, USA HIPAA/HITECH and South Korea's PIPA include specific controls and protections. These include privileged user data access controls, separation of duties among those responsible for data management, data access auditing, and requirements to encrypt sensitive data. While satisfying compliance requirements is a good first step, it is just a starting point for a more complete data security strategy.

Protection from data breaches and remediation requirements

Worldwide data breach laws, such as the UK Data Protection Act, the EU Data Protection Directive, and US federal and state data protection laws, raise the bar in data security. These laws prescribe fines and customer notification requirements in the event of a data breach. Encryption provides specific protections and safe harbor exceptions in the event of loss or theft, but in some cases it may not provide full protection for sensitive data; encryption is just a starting point. Encryption solutions also need to include privileged user access controls and access pattern analysis to identify malicious insiders and cyber attacks that have compromised user accounts.

Intellectual property protection

Most enterprises, and many government organizations, have a wealth of intellectual property (IP). The form IP takes depends heavily on the organization: planning documents, manufacturing methods, designs, application code, user profiles or other sensitive critical data. It is important to note that much of this intellectual property may reside in non-database resources. Even unintentional disclosure of such intellectual property can cause severe damage to organizations, ranging from financial losses to loss of trust or credibility and, for public sector entities, an impact on national security.
Figure 1: Solution overview. IBM InfoSphere Guardium Data Activity Monitoring (governance and compliance controls, role-based data access controls, monitoring and alerts, discovery, data masking) sits between users, applications and the database; IBM InfoSphere Guardium Data Encryption (encryption, integrated key management, monitoring and alerts, access policies and privileged user control) uses a file system agent and a volume agent over file systems, storage and volume managers. Both provide a simple web UI, high-performance scalable operation, directory services (LDAP server) integration, security intelligence with SIEM integration, and APIs for integration.
New cloud and big data environments widen the threat of exposure

In the ongoing race to remain efficient, organizations increasingly leverage virtualization, seek cloud-based solutions, or implement big data projects. These solutions reduce costs, drive efficiency, and create new opportunities for business competitiveness. But as sensitive data moves into these new environments, the security measures once applied to traditional data repositories must now be translated to the new virtual, cloud or big data environments. These new environments also come with new risks. Shared, commingled data storage is one problem common to all of them; additional privileged user roles add more risk; and the lack of control over the physical infrastructure inherent in these solutions adds to the problem.

The solution: A comprehensive risk-based data protection approach

These data protection challenges can be overcome by using IBM InfoSphere Guardium Data Activity Monitor and InfoSphere Guardium Data Encryption.

Discovery, classification and entitlements

Almost universally, enterprise use of databases has grown dramatically in recent years, often without appropriate oversight. In addition, data in non-database formats such as documents and plans has grown as well. This condition has been exacerbated by the advent of big data. The result is often an unmanaged sprawl of data, often sensitive in nature, throughout the enterprise environment. InfoSphere Guardium Data Activity Monitor can proactively identify the repositories containing sensitive data, such as database instances. It can uncover, classify, and report on entitlements to the sensitive data contained within the data repository, reducing compliance costs and enabling tighter controls for data access.

Figure 2: IBM InfoSphere Guardium Data Activity Monitoring delivers capabilities for discovering, classifying, monitoring, auditing and reporting of sensitive data access. (Diagram: privileged user control inside and outside of the database. On the database side, access attempts from DB approved users and from privileged users such as the SA and DBA pass through the Data Activity Monitor data firewall, which allows or blocks them. On the file system or volume side, Data Encryption encrypts and decrypts only for approved processes and users, who see cleartext such as "John Smith, 401 Main Street, Apt 2076"; privileged users such as the SA and root see only the encrypted database.)

Real-time data access monitoring and auditing

The solution tracks all data access for databases as well as other data repositories, and then provides real-time alerts on any unusual activity or unauthorized access attempts. Based on these alerts, enterprises can respond immediately to prevent potential loss of data, even from privileged users that have bona fide access, including to encrypted data. Additionally, all monitored traffic is centrally collected into normalized audit logs that can easily be used for compliance reporting or forensics. More importantly, this capability avoids the need to turn on data source audit logging (which can cause large performance issues), and does not require any change to the database, network, or application.

Data masking, blocking, and quarantine

Not only is sensitive data monitored constantly and access control maintained in real time according to business policy, but unauthorized requests can also trigger immediate alerts, blocking of data access, masking of private data, or quarantine of suspicious users for further investigation. Using unobtrusive technologies, legitimate data requests are fulfilled without the performance burden of more traditional security methods. As the situation demands, specific data may also be masked so that the threat of data loss is reduced, even from authorized users.

Automated governance controls

A complete set of best practice configurations and settings is included.
Configuration defaults, monitoring and alerting policies, application-sensitive objects, compliance reports and the settings required to meet specific regulatory requirements are a core solution element. These solution elements enable organizations to quickly meet urgent compliance requirements, implement data breach safeguards and protect critical IP. Additionally, InfoSphere Guardium provides an enterprise-class workflow capability that automates the compliance review process according to business policy, making it faster, more repeatable, and less error prone.

IBM InfoSphere Guardium Data Encryption protects critical data with file- and volume-level protection

IBM InfoSphere Guardium Data Encryption complements Guardium Data Activity Monitoring capabilities with file-level encryption and key management for critical data containers, policy-based access controls that decrypt information only for authorized processes and users, and file-level data access logging and alerting.

Integrated encryption and key management

InfoSphere Guardium Data Encryption uses strong industry-standard algorithms to lock down database files. Common concerns with encryption solutions include possible increased overhead, performance impact, and intrusiveness. The solution uses the scalable, high-performance encryption capabilities built into current CPUs that support Intel AES-NI hardware acceleration, resulting in minimal overhead. A simple-to-use, centralized and hardened key management capability is also included in the solution. Keys are never exposed, not even to security administrators. Security domains enable segregation between business units (for enterprises) or customers (for cloud and other service providers), and also support multi-tenancy.
Access policies with privileged user access controls

InfoSphere Guardium Data Encryption complements the data traffic controls provided by Guardium Data Activity Monitoring with policy-based access controls at the database file level. These controls extend data protection by decrypting the database file only for authorized users and processes. In a typical database application, only the signed database executable and the database user role are allowed access to database tables; all other users and processes see only encrypted information. This gives privileged users the ability to perform system management functions without additional risk to the protected database or file content. In addition, regular system management operations can continue, with no changes required to the infrastructure. Backups, updates and regular maintenance can continue as usual, without exposing sensitive information. Access policies are linked to system and directory services, so that policy usage always tracks current groups and user roles within the organization.
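The file-level policy just described, modeled as an added example (not IBM's code or the product's actual policy format): cleartext is released only to the signed database executable running as the database role, while root and a backup tool get the stored ciphertext, and every attempt produces an audit record of the kind forwarded to a SIEM. The user and process names and the key are constructed, and an HMAC-SHA256 keystream stands in for the product's AES-NI-backed encryption.

```python
# Constructed model of the layered control in Figure 2 and the access policies
# section. The HMAC-SHA256 keystream stands in for the AES-NI-backed encryption
# the brief names; it is illustrative only. User/process names are constructed.
import hashlib
import hmac
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Principal:
    user: str      # OS account the process runs as
    process: str   # executable name
    signed: bool   # executable signature verified (assumed checked by the agent)

@dataclass
class FilePolicy:
    """Guard-point policy: who may see cleartext for a protected database file."""
    allowed_user: str
    allowed_process: str
    audit: list = field(default_factory=list)  # records to forward to the SIEM

    def decide(self, who: Principal, op: str) -> str:
        permitted = (who.user == self.allowed_user
                     and who.process == self.allowed_process and who.signed)
        verdict = "cleartext" if permitted else "ciphertext"
        self.audit.append({"user": who.user, "process": who.process,
                           "op": op, "result": verdict})
        return verdict

def _xor(key: bytes, data: bytes) -> bytes:
    # Keystream from HMAC over a counter; applying it twice restores the data.
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class ProtectedFile:
    """Database file stored encrypted; the key stays inside the agent."""
    def __init__(self, key: bytes, plaintext: bytes):
        self._key, self._stored = key, _xor(key, plaintext)

    def read(self, policy: FilePolicy, who: Principal) -> bytes:
        if policy.decide(who, "read") == "cleartext":
            return _xor(self._key, self._stored)
        return self._stored  # backups and root copies still work, on ciphertext only

def demo() -> dict:
    policy = FilePolicy(allowed_user="dbuser", allowed_process="dbserver")
    f = ProtectedFile(b"constructed-demo-key", b"John Smith, 401 Main Street")
    dba = Principal("dbuser", "dbserver", signed=True)
    root_cp = Principal("root", "cp", signed=False)  # privileged user running a backup
    tampered = Principal("dbuser", "dbserver", signed=False)  # unsigned binary as dbuser
    return {"dba": f.read(policy, dba), "root": f.read(policy, root_cp),
            "tampered": f.read(policy, tampered), "audit": policy.audit}
```

The audit list shows why the brief pairs encryption with monitoring: the root backup and the unsigned binary both appear as ciphertext reads, so a SIEM can distinguish routine maintenance from an attempt to read the data outside the approved path.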
Shared capabilities and benefits

Both IBM InfoSphere Guardium Data Activity Monitor and Guardium Data Encryption support the core capabilities that today's enterprises demand for integration and adoption within their environments. These include scalability, high-performance operation, directory services integration, simple web-based user interfaces, SIEM integration for security intelligence, and flexible integration capabilities for easy deployment and policy control.

Scalability, high performance, and non-intrusive deployment

With this solution set, enterprises can grow from a small set of servers to the largest environments. Large-scale environments include not only traditional physical data centers, but also large virtualized environments, such as public, private or hybrid clouds comprising tens of thousands of servers and databases. Big data environments present similar challenges. Performance and transparency are also key requirements for enterprise deployment. Operation of the combined solution is non-intrusive to applications, with minimal impact on response times, no need for data source logging, and no changes required to databases, applications or network infrastructure.

Integration with directory services for hands-off policy management

LDAP-aware monitoring of sensitive data access, covering both privileged and other users, is a compliance requirement and a security best practice. Security management and data access policies for both data protection technologies are synchronized with the latest groups, users and application accounts by leveraging standard LDAP connectivity. This avoids having to change access policies every time there is organizational churn.

Simple, web-based user interfaces

Simple, web-based user interfaces for security management enable use of the solution in environments ranging from just a few servers to the largest enterprise and cloud deployments.
Security intelligence

Integration with Security Information and Event Management (SIEM) systems, such as IBM Security QRadar, enables the identification of abnormal or unauthorized data access patterns that may represent a threat, and combining this information with information from other security tools can provide extended threat identification. Intelligent data access policy violation alerts can be sent to the SIEM solution in real time from InfoSphere Guardium Data Activity Monitor. These alerts can be correlated with other potential threats across the enterprise and remediated holistically. Using this information, SIEM systems can alert and report on incidents as they occur, enabling customers to improve responsiveness to malicious insiders and to remediate appropriately. InfoSphere Guardium Data Encryption also provides SIEM systems with detailed audit logs of OS-level access to database tables and other files, which similarly allow analysis of unusual access patterns that may represent a threat.

Integration capabilities

Today's data centers are complex environments, with enterprises utilizing dozens of complex tools for security management, risk and governance, systems management, monitoring, configuration management, and virtualization. Ratios of support staff to servers managed are also being radically reduced. Organizations that once had a 50-to-1 ratio of servers to system administrators now have ratios of hundreds or thousands to one. To be effective in this environment requires integration with the wide set of enterprise tools for deployment, configuration, and policy management. InfoSphere Guardium Data Activity Monitoring and InfoSphere Guardium Data Encryption both offer the comprehensive integration capabilities that allow deep integration with other enterprise toolsets to support these new realities.
A complete solution: Data protection from the data center to the cloud

Although this discussion has focused on protection for database environments, these combined solutions also offer comprehensive capabilities for protecting sensitive data anywhere within file systems, big data environments, and public, private and hybrid clouds. Combined, they enable compliance with industry regulations, help to protect organizations from data breaches, and protect sensitive data where it matters most: at the source.

About IBM InfoSphere

IBM InfoSphere software is an integrated platform for defining, integrating, protecting and managing trusted information across your systems. It provides the foundational building blocks of trusted information, including data integration, data warehousing, master data management and information governance, all integrated around a core of shared metadata and models. The portfolio is modular, allowing you to start anywhere and mix and match InfoSphere software building blocks with components from other vendors, or to deploy multiple building blocks together for increased acceleration and value. The InfoSphere platform delivers an enterprise-class foundation for information-intensive projects, providing the performance, scalability, reliability and acceleration needed to simplify difficult challenges and deliver trusted information to your business faster.

About IBM Security

IBM's security portfolio provides the security intelligence needed to help organizations holistically protect their people, infrastructure, data and applications. IBM offers solutions for identity and access management, data security, application development, risk management, endpoint management, network security, and more. IBM operates the world's broadest security research, development and delivery organization. This consists of nine security operations centers, nine IBM Research centers, 11 software security development labs and an Institute for Advanced Security with chapters in the United States, Europe and Asia Pacific. IBM monitors 13 billion security events per day in more than 130 countries and holds more than 3,000 security patents.
Copyright IBM Corporation 2013

IBM Corporation
Software Group
Route 100
Somers, NY

Produced in the United States of America
October 2013

IBM, the IBM logo, ibm.com, InfoSphere, and Guardium are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web under "Copyright and trademark information".

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED AS IS WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

For more information

To learn more about IBM InfoSphere solutions for protecting data security and privacy, please contact your IBM sales representative or visit: ibm.com/guardium

IMS14434-USEN-00