Data security and privacy

Transcription

1 IBM Software Thought Leadership White Paper September 2011 Data security and privacy A holistic approach

2 2 Data security and privacy Executive summary News headlines about the increasing frequency of stolen information and identity theft have focused awareness on data security and privacy breaches and their consequences. In response to this issue, regulations have been enacted around the world. Although the specifics of the regulations may differ, failure to ensure compliance can result in significant financial penalties and even jail time. Organizations also risk losing customer loyalty and destroying brand equity. The impact is serious enough to have caused the demise of numerous previously prosperous organizations. Companies rely on data to support daily business operations, so it is essential to ensure privacy and protect data no matter where it resides. Also, different types of information have different protection and privacy requirements; therefore, organizations must take a holistic approach to protecting and securing their information: Understand where the data exists: You can t protect sensitive data unless you know where it resides and how it s related across the enterprise. Safeguard sensitive data, both structured and unstructured: Structured data contained in databases must be protected from unauthorized access. Unstructured data in documents and forms requires privacy policies to redact (remove) sensitive information while still allowing needed business data to be shared. Protect non-production environments: Data in nonproduction, training and quality assurance environments needs to be protected yet still usable during the application development, testing and training processes. Secure and continuously monitor access to the data: Enterprise databases and file shares require real-time insight to ensure data access is protected and audited. Policy-based controls are required to rapidly detect unauthorized or suspicious activity and alert key personnel. In addition, databases and file shares need to be protected against new threats or other malicious activity and continually monitored for weaknesses. Demonstrate compliance to pass audits: It s not enough to develop a holistic approach to data security and privacy. Organizations must also demonstrate compliance and prove to third party auditors. IBM InfoSphere solutions for data security and privacy are designed to support this holistic approach, helping your organization protect itself against a complex threat landscape while remaining focused on your business goals. Making sense of the buzz: Why the growing focus on data protection? According to Forrester Research s February 2011 independent report, Forrsights: The Evolution Of IT Security, 2010 To 2011, IT security remains a hotbed of activity and growth as firms struggle with a more menacing, capable threat landscape; respond to a growing body of regulation and third-party requirements; and adapt to an unprecedented level of IT upheaval. 1 Much of this focus is specifically positioned around a few key themes: new cyber security threats (such as Stuxnet and Aurora); changing IT architectures (such a virtualization in the data center, open enterprise initiatives, consumerization and employee mobility); regulations (especially PCI and other data privacy directives); and growing pressures around third-party mandates. During the past several years, according to the Forrester report, security has steadily risen in visibility achieving board-level attention and support. For example, Forrester s research indicates 54 percent of enterprise Chief Information Security Officers (CISOs) report to a C-level executive and 42 percent of them report outside of the IT department. 1 These percentages reflect the increasing business relevance security has in organizations of all types, across diverse industries. The number of organizations that view security as a high or critical priority is now at its highest level in recent years.

3 IBM Software 3 Many factors are fueling this increased focus on data security and privacy, as detailed below. Changes in IT environments and evolving business initiatives Security policies and corresponding technologies must evolve as organizations embrace new business initiatives such as outsourcing, virtualization, cloud, mobility, Web 2.0 and social networking. This evolution means organizations need to think more broadly about where sensitive data resides and how it is accessed. Organizations must also consider a broad array of sensitive data, including customer information, trade secrets, development plans, competitive differentiators and more. Smarter, more sophisticated hackers Many organizations are now struggling with the widening gap between hacker capabilities and security defenses. The changing nature, complexity, and larger scale of outside attacks are cause for concern for organizations. According to the same Forrester report mentioned previously, security attacks now have a far more damaging business impact compared to ten years ago. 1 Previously the most critical concern was virus outbreaks or short denial-of-service attacks, which would create a temporary pause in business operations. Today, the theft of customer data or corporate data, such as trade secrets, could result in billions of dollars of lost business, fines and lawsuits, and irreparable damage to an organization s reputation. Regulatory compliance mandates The number and variety of regulatory mandates are too numerous to name here, and they affect organizations around the globe. Some of the most prevalent mandates include: Sarbanes-Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI-DSS) (enforcement of which has firmly started expanding beyond North America), Federal Information Security Management Act (FISMA), and the EU Data Privacy Directive. Along with the rising number of regulatory mandates is the increased pressure to show immediate compliance. Enterprises are under tremendous time pressure and need to show immediate progress to the business and shareholders, or face reputation damage and stiff financial penalties. Information explosion The explosion in electronic information is mind boggling. IDC estimates that 45 gigabytes of data currently exists for each person on the planet, or an astonishing 281 billion gigabytes in total. While a mere five percent of that data will end up on enterprise data servers, it is forecast to grow at a staggering 60 percent per year, resulting in 14 exabytes of corporate data by The information explosion has made access to public and private information a part of everyday life. Critical business applications typically collect this information for legitimate purposes; however, given the interconnected nature of the Internet and information systems, as well as enterprise ERP, CRM and custom business applications, sensitive data is easily subject to theft and misuse. 2 Inside threats A high percentage of data breaches actually emanate from internal weaknesses. Examples range from employees, who may misuse payment card numbers and other sensitive information, to those who save confidential data on laptops that are subsequently stolen. Furthermore, organizations are also accountable for protecting data no matter where the data resides including with business partners, vendors or other third parties. In summary, organizations are focusing more heavily on data security and privacy concerns. They are looking beyond developing point solutions for specific pains, and towards building security and privacy policies and procedures into the enterprise. Organizations are also considering implementing strategic recovery plans. Such plans require proving risks have been mitigated, continually demonstrating compliance over time even in the face of new threats and finding ways to engender trust even after an incident occurs.

4 4 Data security and privacy Security versus privacy Security and privacy are related, but they are distinct concepts. Security is the infrastructure-level lockdown that prevents or grants access to certain areas or data based on authorization. In contrast, privacy restrictions control access for users who are authorized to access a particular set of data. Data privacy ensures those who have a legitimate business purpose to see a subset of that data do not abuse their privileges. That business purpose is usually defined by job function, which is defined in turn by regulatory or management policy, or both. Some examples of data security solutions include database activity monitoring and database vulnerability assessments. Some examples of data privacy solutions include data redaction and data masking. In a recent case illustrating this distinction, physicians at UCLA Medical Center were caught going through celebrity Britney Spears medical records. The hospital s security policies were honored since physicians require access to medical records, but privacy concerns exist since the physicians were accessing the file out of curiosity and not for a valid medical purpose. The stakes are high: Risks associated with insufficient data security and privacy Corporations and their officers may face fines from $5,000 to $1,000,000 per day, and possible jail time if data is misused. According to 2010 Ponemon research, for the fifth year in a row, data breach costs have continued to rise. The average organizational cost of a data breach in 2010 increased to $7.2 million, up 7 percent from $6.8 million in Total breach costs have grown every year since Data breaches in 2010 cost their companies an average of $214 per compromised record, up $10 (5 percent) from The most expensive breach studied by Ponemon in 2010 took $35.3 million to resolve, up $4.8 million (15 percent) from The least expensive data breach was $780,000, up $30,000 (4 percent) from As in prior years, data breach cost appears to be directly proportional to the number of records compromised. 2 Hard penalties are only one example of how organizations can be harmed; other negative impacts include erosion in share price caused by investor concern and negative publicity resulting from a data breach. Irreparable brand damage identifies a company as one that cannot be trusted. Some common sources of risk include: Excessive privileges and privileged user abuse. When users (or applications) are granted database privileges that exceed the requirements of their job function, these privileges may be used to gain access to confidential information. Unauthorized privilege elevation. Attackers may take advantage of vulnerabilities in database management software to convert low-level access privileges to high-level access privileges. SQL injection. SQL injection attacks involve a user who takes advantage of vulnerabilities in front-end web applications and stored procedures to send unauthorized database queries, often with elevated privileges. Using SQL injection, attackers could even gain unrestricted access to an entire database. Denial of service. Denial of service (DoS) may be invoked through many techniques. Common DoS techniques include buffer overflows, data corruption, network flooding and resource consumption. The latter is unique to the database environment and frequently overlooked. Exposure of backup data. Some recent high profile attacks have involved theft of database backup tapes and hard disks which were not encrypted.

5 IBM Software 5 Cost Activity Lost customer business due to churn 39% 40% 43% Legal services - defense Investigations & forensics Audit and consulting services 14% 14% 11% 8% 9% 9% 10% 12% 11% use today lead to higher risk and inefficiency. Manual approaches typically don t protect a diverse set of data types in both structured and unstructured settings and do not scale as organizations grow. Finally, the rising number of compliance regulations with time sensitive components adds more operational stress, rather than clarifying priorities. Customer acquistion costs Inbound contact costs Outbound contact costs Legal services - compliance Identify protection services Free or discounted services Public relations / communications 9% 9% 9% 6% 5% 6% 5% 2% 6% 4% 6% 4% 2% 2% 2% 1% 1% 2% 1% 1% 1% Organizations require a fresh approach to data protection one which ensures organizations build security and privacy rules into their best practices and helps, rather than hinders, their bottom line. Numerous driving factors combined with high stakes make figuring out how to approach data security and privacy an important priority. Total 100% 102% Figure 1: Percent of breach costs by specific cost activity, Barriers to implementation: Challenges associated with protecting data So with the market focused on security and the risks clearly documented, why haven t organizations adopted a holistic approach to data protection? Why are organizations overwhelmed by new threats? 102% The reality is significant challenges and complexities exist. For one, there are numerous vendor solutions available that are focused on one approach or one aspect of data protection. Few look across the range of threats and data types and sources to deliver a holistic strategy which can be flexible as new threats arise. Next, few organizations have the funding or resources to implement another process-heavy initiative. Organizations need to build security and privacy policies into their daily operations and gather support for these policies across the enterprise including IT staff, business leaders, operations, and legal departments. Privacy requirements do vary by role, and understanding who needs access to what data is not a trivial task. Third, manual or homegrown data protection approaches many organizations Leveraging a holistic data security and privacy approach Organizations need a holistic approach to data protection. This approach should protect diverse data types across different locations throughout the enterprise, including the protection of structured and unstructured data in both production and nonproduction (development, test and training) environments. Such an approach can help focus limited resources without added processes or increased complexity. A holistic approach also helps organizations to demonstrate compliance without interrupting critical business processes or daily operations. To get started, organizations should consider four key questions. These questions are designed to help focus attention to the most critical data vulnerabilities: 1. Where does sensitive data reside across the enterprise? 2. How can access to your enterprise databases be protected, monitored and audited? How can data be protected from both authorized and unauthorized access? 3. Can confidential data in documents be safeguarded while still enabling the necessary business data to be shared? 4. Can data in your non-production environments be protected, yet still be usable for training, application development and testing?

6 6 Data security and privacy The answers to these questions provide the foundation for a holistic approach to data protection. They help organizations focus in on key areas they may be neglecting with current approaches. 1. Organizations can t protect data if they don t know it exists. Sensitive data resides in structured and unstructured formats in production environments and non-production environments. Organizations need to document and define all data assets and relationships no matter the source. It is important to classify enterprise data, understand data relationships and define service levels. The data discovery process analyzes data values and data patterns to identify the relationships that link disparate data elements into logical units of information, or business objects (such as customer, patient or invoice). 2. Database Activity Monitoring provides privileged and nonprivileged user and application access monitoring that is independent of native database logging and audit functions. It can function as a compensating control for privileged user separation-of-duties issues by monitoring administrator activity. The technology also improves database security by detecting unusual database read and update activity from the application layer. Database event aggregation, correlation and reporting provide a database audit capability without the need to enable native database audit functions, which are also a part of database activity monitoring. Database activity monitoring solutions should be able to detect malicious activity or inappropriate or unapproved database administrator (DBA) access. 3. Data redaction can remove sensitive data from forms and documents based on job role or business purpose. For example, physicians need to see sensitive information such as symptoms and prognosis data whereas a billing clerk needs the patient s insurance number and billing address. The challenge is to provide the appropriate protection, while meeting business needs and ensuring that data is managed on a need-to-know basis. Data redaction solutions should protect sensitive information in unstructured documents, forms and graphics. 4. De-identifying data in non-production environments is simply the process of systematically removing, masking or transforming data elements that could be used to identify an individual. Data de-identification enables developers, testers and trainers to use realistic data and produce valid results, while still complying with privacy protection rules. Data that has been scrubbed or cleansed in such a manner is generally considered acceptable to use in non-production environments and ensures that even if the data is stolen, exposed or lost, it will be of no use to anyone. Meeting data security and privacy challenges with IBM InfoSphere What makes IBM s approach to data protection unique? Expertise. The IBM Information Governance Council was established in 2005 with a focus on governance and continuous process improvement. The collaboration of top global organizations, business partners and industry experts form the council and their collective experiences are built into IBM InfoSphere data security and privacy offerings. The alignment of people, process, technology and information separates the IBM InfoSphere data security and privacy solutions from the competition. The goal of the IBM InfoSphere portfolio is to help organizations meet legal, regulatory and business obligations without adding additional processes. The IBM InfoSphere solutions focus on process optimization to support business goals, which can help organizations develop strategic advantages. The goal is to help organizations support compliance initiatives, reduce costs, minimize risk and sustain profitable growth. IBM InfoSphere solutions are open, modular and support all aspects of data security and privacy, including structured, semi-structured and unstructured data no matter where it lives. IBM InfoSphere solutions support virtually all leading enterprise databases and operating systems, including IBM DB2, Oracle, Teradata, Netezza, Sybase, Microsoft SQL Server, IBM Informix, IBM IMS, IBM Virtual Storage Access

7 IBM Software 7 Method (VSAM), Microsoft Windows, UNIX, Linux and IBM z/os. InfoSphere also supports key ERP and CRM applications Oracle E-Business Suite, PeopleSoft Enterprise, JD Edwards EnterpriseOne, Siebel and Amdocs CRM as well as most custom and packaged applications. Finally, IBM InfoSphere supports access monitoring for file sharing software such as Microsoft SharePoint. IBM InfoSphere provides a unique three-tiered approach to ensure a holistic data protection approach: Understand and Define, Secure and Protect, and Monitor and Audit. Understand and define Organizations must discover were sensitive data resides, classify and define data types, and determine metrics and policies to ensure protection overtime. Data can be distributed over multiple applications, databases and platforms with little documentation. Many organizations rely too heavily on system and application experts for this information. Sometimes, this information is built into application logic and hidden relationships might be enforced behind the scenes. Finding sensitive data and discovering data relationships requires carefully analysis. Data sources and relationships should be clearly understood and documented so no sensitive data is left vulnerable. Only after understanding the complete landscape can organizations define proper enterprise data security and privacy policies. IBM InfoSphere Discovery is designed to identify and document what data you have, where it is located and how it s linked across systems by intelligently capturing relationships and determining applied transformations and business rules. It helps automate the identification and definition of data relationships across complex, heterogeneous environments. Without an automated process to identify data relationships and define business objects, organizations can spend months performing manual analysis with no assurance of completeness or accuracy. IBM InfoSphere Discovery, on the other hand, can help automatically and accurately identify relationships and define business objects in a fraction of the time required using manual or profiling approaches. It accommodates a wide range of enterprise data sources, including relational databases, hierarchical databases and any structured data source represented in text file format. In summary, IBM InfoSphere Discovery helps organizations: Locate and inventory the databases across the enterprise Identify sensitive data and classify it Understand data relationships Define and document privacy rules Document and manage ongoing requirements and threats Secure and protect Data security and privacy solutions should span a heterogeneous enterprise and protect both structured and unstructured data across production and non-production environments. IBM InfoSphere solutions help secure sensitive data values in databases, in ERP/CRM applications and also in unstructured environments such as forms and documents. Key technologies include database activity monitoring, data masking, data redaction and data encryption. A holistic data protection approach ensures 360-degree lockdown of all organizational data.

8 8 Data security and privacy Data in heterogeneous databases (Oracle, DB2, Netezza, Informix, Sybase, Sun MySQL, Teradata) DB Activity Monitoring DB Vulnerability Assessment Data Masking Data Encryption Structured Data Unstructured Data Data not in databases (File Shares, ex. SharePoint,.TIF,.PDF,.doc, scanned documents) Data Redaction Access monitoring for file shares Data extracted from databases Data Encryption Data Masking Offline Data Production & Non-Production Systems Online Data Data in daily use DB Activity Monitoring DB Vulnerability Assessment Data Masking Data Encryption Figure 2: When developing a data security and privacy strategy, it is important to consider all data types across production and non-production environments. For each type of data (structured, unstructured, offline and online), we recommend different technologies to keep it safe. Keep in mind that the various data types exist in both production and non-production environments. Structured data: This data is based on a data model and is available in structured formats like databases or XML. Unstructured data: This data is in forms or documents which may be handwritten or typed, such as word processing documents, messages, pictures, digital audio and video. Online data: This is data used daily to support the business, including metadata, configuration data or log files. Offline data: This is data in backup tapes or on storage devices. IBM InfoSphere Guardium Database Security provides a database security solution which addresses the entire database security and compliance life cycle with a unified web console, back-end data store and workflow automation system, enabling you to: Assess database vulnerabilities and configuration flaws Ensure configurations are locked down after recommended changes are implemented Provide 100-percent visibility and granularity into all database transactions across all platforms and protocols with a secure, tamper-proof audit trail that supports separation of duties Track activities on major file sharing platforms like Microsoft SharePoint

9 IBM Software 9 Monitor and enforce policies for sensitive data access, privileged user actions, change control, application user activities and security exceptions such as failed logins Automate the entire compliance auditing process including report distribution to oversight teams, sign-offs and escalations with pre-configured reports for SOX, PCI DSS and data privacy Create a single, centralized audit repository for enterprisewide compliance reporting, performance optimization, investigations and forensics Easily scale from safeguarding a single database to protecting thousands of databases in distributed data centers around the world IBM InfoSphere Guardium Data Redaction is designed to protect unstructured information. Traditionally, protecting unstructured information in forms, documents and graphics has been performed manually by deleting electronic content and using a black marking pen on paper to delete or hide sensitive information. But this manual process can introduce errors, inadvertently omit information and leave behind hidden information within files that exposes sensitive data. Today s high volumes of electronic forms and documents make this manual process too burdensome for practical purposes and increase organizations risk of exposure. IBM InfoSphere Guardium Data Redaction protects sensitive information buried in unstructured documents and forms from unintentional disclosure. The automated solution lends efficiency to the redaction process by detecting sensitive information and automatically removing it from the version of the documents made available to unprivileged readers. Based on industry-leading software redaction techniques, InfoSphere Guardium Data Redaction also offers the flexibility of human review and oversight if required. IBM InfoSphere Optim Data Masking Solution provides a comprehensive set of data masking techniques that can support your data privacy compliance requirements, including: Application-aware masking capabilities help ensure that masked data, like names and street addresses, resembles the look and feel of the original information Context-aware, prepackaged data masking routines make it easy to de-identify elements such as payment card numbers, Social Security numbers, street addresses and addresses Persistent masking capabilities propagate masked replacement values consistently across applications, databases, operating systems and hardware platforms. With InfoSphere Optim, companies can de-identify data in a way that is valid for use in development, testing and training environments, while protecting data privacy. Mask Figure 3: Personal identifiable information is masked with realistic but fictional data for testing and development purposes.

10 10 Data security and privacy IBM InfoSphere Guardium Encryption Expert provides a single, manageable and scalable solution to encrypt enterprise data without sacrificing application performance or creating key management complexity. InfoSphere Guardium Encryption Expert helps solve the challenges of invasive and point approaches through a consistent and transparent approach to encrypting and managing enterprise data security. John Smith 401 Main Street Apt 2076 Austin, TX *&^$!@#)( ~I +_)? $%~:>> %^$#%&, >< <>?_)-^%~~ Encrypt Decrypt *&^$!@#)( ~I +_)? $%~:>> %^$#%&, >< <>?_)-^%~~ John Smith 401 Main Street Apt 2076 Austin, TX Unlike invasive approaches such as column-level database encryption, PKI-based file encryption or native point encryption, IBM InfoSphere Guardium Encryption Expert offers a single, transparent solution that is also easy to manage. This unique approach to encryption provides the best of both worlds: seamless support for information management needs combined with strong, policy-based data security. Agents provide a transparent shield that evaluates all information requests against easily customizable policies and provides intelligent decryption-based control over reads, writes, and access to encrypted contents. This high-performance solution is ideal for distributed environments, and agents deliver consistent, auditable and non-invasive datacentric security for virtually any file, database or application anywhere it resides. In summary, InfoSphere Guardium Encryption Expert provides: A single, consistent, transparent encryption method across complex enterprises An auditable, enterprise-executable, policy-based approach Among the fastest implementation processes achievable requiring no application, database or system changes Simplified, secure and centralized key management across distributed environments Intelligent, easy-to-customize data security policies provide strong, persistent data security Strong separation of duties Top-notch performance with proven ability to meet SLAs for mission critical systems Figure 4: Personal identifiable information is encrypted making it meaningless without a proper key. IBM Tivoli Key Lifecycle Manager helps IT organizations better manage the encryption key life cycle by enabling them to centralize and strengthen key management processes. It can manage encryption keys for IBM self-encrypting storage devices as well as non-ibm encryption solutions that use the Key Management Interoperability Protocol (KMIP). Tivoli Key Lifecycle Manager provides the following data security benefits: Centralize and automate the encryption key management process Enhance data security while dramatically reducing the number of encryption keys to be managed Simplify encryption key management with an intuitive user interface for configuration and management Minimize the risk of loss or breach of sensitive information Facilitate compliance management of regulatory standards such as SOX and HIPAA Extend key management capabilities to both IBM and non- IBM products Leverage open standards to help enable flexibility and facilitate vendor interoperability

11 IBM Software 11 Monitor and audit After data has been located and locked down, organizations must prove compliance, be prepared to respond to new internal and external risks, and monitor systems on an ongoing basis. Monitoring of user activity, object creation, database configuration and entitlements help IT professionals and auditors trace users between applications and databases. These teams can set fine-grained policies for appropriate behavior and receive alerts if these policies are violated. Organizations need to quickly show compliance and empower auditors to verify compliance status. Audit reporting and sign-offs should help facilitate the compliance process while keeping costs low and minimizing technical and business disruptions. In summary, organizations should create continuous, fine-grained audit trails of all database activities, including the who, what, when, where and how of each transaction. IBM InfoSphere Guardium database security provides granular, database management system (DBMS)-independent auditing with minimal impact on performance. InfoSphere Guardium is also designed to help organizations reduce operational costs via automation, centralized cross-dbms policies and audit repositories, filtering and compression. Conclusions Protecting data security and privacy is a detailed, continuous responsibility which should be part of every best practice. IBM InfoSphere provides an integrated data security and privacy approach delivered through the three-tiered strategy of Understand and Define, Secure and Protect, and Monitor and Audit. Since the InfoSphere solutions are scalable and modular, organizations can focus on their most critical concern first and then adopt other solutions overtime. Protecting data requires a 360-degree, holistic approach: with deep, broad expertise in the security and privacy space, IBM can help your organization define and implement such an approach. About IBM InfoSphere IBM InfoSphere software is an integrated platform for defining, integrating, protecting and managing trusted information across your systems. The IBM InfoSphere platform provides the foundational building blocks of trusted information, including data integration, data warehousing, master data management and information governance, all integrated around a core of shared metadata and models. The portfolio is modular, allowing you to start anywhere, and mix and match IBM InfoSphere software building blocks with components from other vendors, or choose to deploy multiple building blocks together for increased acceleration and value. The IBM InfoSphere platform provides an enterprise-class foundation for information-intensive projects, providing the performance, scalability, reliability and acceleration needed to simplify difficult challenges and deliver trusted information to your business faster. About IBM security solutions IBM has the extensive knowledge, innovative research methods and complex technologies required to deliver products and services that are recognized for leadership in IT security. IBM builds security technology into the fabric of the hardware, software and services it delivers not bolting it on after the fact. As your trusted partner for security, IBM experienced and certified consultants, architects, project managers and subject matter experts are prepared to provide your organization with a comprehensive platform of preemptive security products and services designed to protect your entire IT infrastructure, from the network gateway to the desktop.

12 For more information To learn more about IBM InfoSphere, please contact your IBM sales representative or visit: ibm.com/software/data/infosphere To learn more about IBM InfoSphere solutions for protecting data security and privacy please contact your IBM sales representative or visit: ibm.com/software/data/optim/protect-data-privacy Additionally, financing solutions from IBM Global Financing can enable effective cash management, protection from technology obsolescence, improved total cost of ownership and return on investment. Also, our Global Asset Recovery Services help address environmental concerns with new, more energyefficient solutions. For more information on IBM Global Financing, visit: ibm.com/financing Copyright IBM Corporation 2011 IBM Corporation Software Group Route 100 Somers, NY Produced in the United States of America September 2011 All Rights Reserved IBM, the IBM logo, ibm.com, DB2, Guardium, IMS, Informix, InfoSphere, Tivoli, and z/os are trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol ( or ), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at Copyright and trademark information at ibm.com/legal/copytrade.shtml Linux is a registered trademark of Linus Torvalds in the United States, other countries or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries or both. Netezza is a trademark or registered trademark of Netezza Corporation, an IBM Company. UNIX is a registered trademark of The Open Group in the United States and other countries. Other company, product or service names may be trademarks or service marks of others. 1 Jonathan Penn and Heidi Shey, Forrsights: The Evolution Of IT Security, 2010 To 2011, Julian Stuhler, Top 10 IBM Management Trends, Ponemon Institute, 2010 Annual Study: U.S. Cost of a Data Breach, Please Recycle IMW14568-USEN-01