2012 IBM Corporation

Transcription

1

2 IBM InfoSphere Guardium Database Auditing and Monitoring for Telco (Case Study) Nidal Othman Managing Director

3 Agenda: Customer Case Study Environment DB Security Challenges PCI-DSS Compliance The Guardium Solution 2011 IBM Corporation

4 Who: The Largest Telco in Middle East Need: Improve database security for PCI compliance & data governance Phase 1: Monitor & Audit all the customer services transaction. Phase 2: Meet the PCI requirements. Environment: 80 database instances on 40+ servers Oracle, Sybase, SQL Server on AIX, Solaris, Windows Alternatives considered: Native Application auditing Not practical because of Application performance overhead; Results: Compensating control for PCI-DSS Requirement 3.4 (V1.1 Appendix B) Restrict access to cardholder data based on IP address, application, Restrict logical access to the database independent of LDAP Prevent/detect common application or DB attacks (e.g., SQL injection) Track and monitor all access to VIP records. 4

5 Enterprises Need to Monitor and Audit Privileged Users Access to, deletion of, or changes to data Access using inappropriate or non-approved channels Schema modifications Unauthorized addition of user accounts or modifications of existing account End Users Access to excessive amounts of data or data not needed for legitimate work Access to data outside standard working hours Access to data through inappropriate or non approved channel Developers, System Analysts and System Administrators Access to live production data IT Operations Unapproved changes to databases or applications that access data Out of cycle patching of production systems 5

6 Oracle Survey: Most Organizations Have Very Weak Database Controls 3 of 4 organizations can t prevent privileged users from reading or tampering with data in their databases 2 of 3 can t detect or prove that privileged DB users aren t abusing their privileges Only 1 of 4 use automated tools to monitor databases for security issues on a regular basis Close to half said an end-user with common desktop or ad hoc tools either could gain unauthorized direct access to sensitive information (or they weren't sure about it) Majority don t apply Critical Patch Updates in timely manner Source: 2010 Independent Oracle User Group (IOUG) Data Security Survey, based on survey of 430 members. 6

7 Real-World Insider Threat Examples Unauthorized changes to financial/erp data DBA accidentally deleted critical financial table during production hours (was doing a favor for application developer, bypassing change process) Outsourcer erased logs showing he made changes during the day (because it was more convenient than during the night) Theft of sensitive data Departing employees stealing design information & other intellectual property DBAs and outsourcers selling customer information to competitors, crime syndicates and tax authorities Internal fraud Mobile telecom: Insider created & sold pre-paid phone cards 7

8 What Database Audit Tools are Enterprises Using Today? Create reports Manual remediation, dispatch and tracking Manual review 8

9 Guardium Value Proposition 1. Prevent data breaches & fraud Mitigate external & internal threats Secure customer sensitive data 2. Assure data governance Prevent unauthorized changes to financial & ERP data 3. Reduce cost of compliance Automate & centralize controls Simplify processes Without performance impact or changes to databases & applications 9

10 The Compliance Mandate What do you need to monitor? Audit Requirements 1. Access to Sensitive Data (Successful/Failed SELECTs) 2. Schema Changes (DDL) (Create/Drop/Alter Tables, etc.) 3. Data Changes (DML) (Insert, Update, Delete) 4. Security Exceptions (Failed logins, SQL errors, etc.) 5. Accounts, Roles & Permissions (DCL) (GRANT, REVOKE) COBIT (SOX) PCI-DSS ISO Data Privacy & Protection Laws NIST SP (FISMA) DDL = Data Definition Language (aka schema changes) DML = Data Manipulation Language (data value changes) DCL = Data Control Language 10

11 Addressing the Full Lifecycle of Database Security & Compliance Prevent cyberattacks Automated & centralized controls Monitor & block privileged users Detect application-layer fraud Enforce change controls Real-time alerts Control firecall IDs Monitor & Enforce Audit & Report Cross-DBMS audit repository Preconfigured policies/reports No database changes Minimal performance impact Sign-off management SIEM integration Find & classify sensitive data Continuously update security policies Discover embedded malware & logic bombs Find & Classify Critical Data Infrastructure Assess & Harden Entitlement reporting Assess static and behavioral database vulnerabilities Configuration auditing Preconfigured tests based on best practices standards (STIG, CIS, CVE) 11

12 Non-Invasive, Real-Time Database Security & Monitoring Continuously monitors all database activities (including local access by superusers) Heterogeneous, cross-dbms solution Does not rely on native DBMS logs Minimal performance impact (2-3%) No DBMS or application changes Supports Separation of Duties Activity logs can t be erased by attackers or DBAs Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.) Granular, real-time policies & auditing Who, what, when, where, how 12

13 Scalable Multi-tier Architecture z/os Z-TAP S-TAP Z2000 Off-shore Internet HR G3000 S-TAP G5000 S-GATE G2000 Remote Locations G1000 G2000 G2000 G5000 G5000 Central Manager Finance S-TAP Data Center 13

14 Continuous fine-grained auditing All SQL traffic contextually analyzed & filtered in real-time to provide specific information required by auditors Client IP Client host name Domain login App user ID Client OS MAC TTL Origin Failed logins Server IP Server port Server name Session SQL patterns Network protocol Server OS Timestamp Access programs ALL SQL commands Fields Objects Verbs DDL DML DCL DB user name DB version DB type DB protocol Origin DB errors SELECTs 14 14

15 Phased implementation Understand data access (who, what, when, where, how) Alert on unauthorized data access real-time (schema changes, procedure modifications errors, failed logins) Deny unauthorized data access (passive to inline mode) visibility detection prevention 15

16 Provide insight such as... Who is changing database schemas or dropping tables? When are there any unauthorized source programs changing data? What are DBAs or outsourced staff doing to the databases? How many failed login attempts have occurred? Who is extracting credit card data? What data is being accessed from which network node? What data is being accessed by which application? How is data being accessed? What database errors are being generated? What is the exposure to sensitive objects? When is someone attempting an SQL injection attack? 16

17 Who s accessing in-scope data? 17

18 Nidal Othman Managing Director StarLink Middle East

19

20 Master Data Management By: EJADA Systems

21 AGENDA Ejada Corporate Overview Master Data Management Overview Case Study Master Data Management for Product Domain Master Data Management for Customer Domain 2011 IBM 21

22 EJADA Systems (Corporate Overview) EJADA is a Leading IT Solutions and Services company specialized in providing business and technology solutions to large enterprises in the Middle East and North Africa EJADA is recognized in the Saudi market as one of the top three performers and has significantly outperformed the actual Services Industry growth in the Kingdom and Middle East EJADA employs over 700 people and has direct access to over 500 consultants through its equity partnership in several IT companies in the region The Market Leader in: Application Consulting and Customization Since 2006 Application Management Outsourcing Since 2008 Information Systems Consulting Since 2009 EJADA is Appraised CMMI Level 3 company 22

23 Geography Coverage With our Head Office in Riyadh we are operating out of branches in Jeddah, Al Khobar, Amman, Cairo, Alexandria, and Dubai; we have plans to open new offices in Abu Dhabi, Qatar and Kuwait, while expanding our reach through Channel Partners in Lebanon, Yemen and Oman. Head Office Branches Channels 23

24 EJADA Information Management Center of Excellency Ejada Information Management Center of Excellence launched at year 2000 (> 80 Consultant) Ejada implemented Information Management Solutions for major clients in the Middle East Unique experience in the Financial Services and Telco Industry in the region Solution Architects Project Managers Business Analysts Data Analysts Business Intelligence Data Warehouse Master Data Management Data Integration Data Modelers Functional Consultants Technical Consultants Data Quality Metadata Management Data Governance 24

25 Ejada MDM Competency Ejada is the leader & has unique experience in MDM implementation in the Middle East. Seven major successful MDM implementations in the Saudi Arabia (Banking & Telecommunication) Ejada have deep experience with most of the reputable MDM tools, data quality and data integration tools In depth knowledge & experience with Telecom industry standards like (TM Frameworx, etom, SID) Having Center of Excellency in other related areas namely Enterprise Application Integration (EAI) and CRM implementation. Ejada can gauge how the MDM system would be integrate efficiently into the overall architecture of organization for best. 25

26 MDM OVERVIEW 26

27 What is Master Data? Master Data IS The high value common information an organization uses repeatedly across many business processes The key facts describing your core business entities: customers, partners, employee, products and location and currently Master Data is typically scattered within heterogeneous application silos across the enterprise Master Data IS NOT All the data within the enterprise, such as transaction data, billing data etc. Application-unique data Thus Master Data is that persistent (Static & Quasi Static), non-transactional data that defines a business entity for which there is, or should be, an agreed upon view across the organization 27

28 What is MDM Application? Decouples master information from individual applications Becomes a centralized independent resource and Contain configurable functionality to maintain and be the system of truth for master data Integration of common data functionality into an enterprise application 28

29 MDM Solution Main Components Data Integrity Services On-Line Integration services Batch data Integration Services Data Quality and Validation Rules Engine Data Profiling Data Quality Management Validation Rules Master Data Repository Suspect Duplicate Processing Duplication rules Identify suspect duplicated records Automatic merging Alerts Data Stewardship UI 360 view of master data Merge duplicate records Master data Synchronization Hierarchy management 29

30 MDM SOLUTION FOR TELCO OPERATOR CASE STUDY 30

31 Case Study (Telecom Operator) Client One of the largest mobile communications and technology provider in the Middle East Project Scope Master Data Management for Customer domain and Product domain Facts Solution Number of Customers > 14,000,000 Number of Accounts > 35,000,000 Number of offerings > 400 IBM InfoSphere Master Data Management Server IBM InfoSphere Information Server (DataStage. QualityStage) 31

32 Case Study (Telecom Operator) Business Problems Lengthy & Complex process of launching new products It is required define the products specifications in multiple systems (CRM, Marketing, Billing, Financial, Provisioning, Network, portal, Call Centers, IVR, POS, etc) The rise of worldwide and local competitors requires launching new innovative services quickly Definition and terminologies of the product components are not unified across systems Inconsistent definition of offering components across systems. Lack of synchronization process of product information No Unified single authoring tools for the product catalog definition Lack of unified product catalog 32

33 Case Study (Telecom Operator) Strategic Objectives Provide complete (360 o ) End-to-End view of the Product Catalog from Marketing, Product Development, Provisioning, Billing, Channels (e-portal, CRM, Call Centers, IVR, POS, etc) Provide unified product authoring functionalities and synchronization mechanism of the product information across the enterprise (rather than repeating the definition of the products everywhere) Time to Market: Automate and Speed up the process of creating / updating products. Data Consistency : Provide the integration / synchronization of product data across the enterprise operational systems Compliance with Telco Standards for information management and operation model (TM Forum Frameworx, SID, etom) for Product Life Cycle Management Streamlining the account activation process by get the product decomposition information from a centralized repository 33

34 Case Study (Telecom Operator) Challenges Product Model definition TELCO product model is a multi-layer Agree on standard terminology of the product components with stack holders The initial load of the existing offering into the new product hub: Number of existing offering are extremely high (> 400) Lack of documentation about the existing offering Merging duplicate offering Remodel the existing offering to comply with the new product model standards Changes in the operational system Implement the end-to-end business process for product creation / modification 9 Systems need to be involved in the business process changes 34

35 Case Study (Telecom Operator) Sample Offer O:Family Bundle O: Connect (1,1) O: Basic GSM (3) Pricing Products Resources Pricing Products Resources Pricing F:Overriden Setup Price (No Dimension) P: Mobile Connect R:Ferrari, Long tail F: Setup Price (Device type, duration, data limit) P: Mobile Telephony & Messaging R: International Favorite Number (0,1) F: Setup Price (No Dimensions) Resources R:Data limit(1g,5g,unlimited) F: MRC (data limit) Resources R: MSISDN (1) R:Duration(1 m, 3 m, 6 m) R: MSISDN (1) R: SIM Card (1) R: SIM Card (1) 35

36 Case Study (Telecom Operator) Product Data Model A reusable product component that is eligible to be sold with one or more offerings It is the physical resources e.g. SIM Card and logical resources e.g. MSISDN that customer can consume or use and represents the capabilities required to deliver the service Supplementary Offering Pricing (Setup Fees / Recurring Charges) Resources Offering Product Customer Facing Service Commercial Terms and Conditions, including Pricing, that are agreed to at time of Sale Promotions A product component that is eligible to be sold with one or more offerings for specific time period Basis for the Technical Configuration as Specified during Order Entry (Wrapper) What your customer is actually aware of using when interacting with the Delivery Environment 36

37 Case Study (Telecom Operator) The Solution Implement MDM Product domain using IBM InfoSphere MDM Server Build Product Data Model that is fully compatible with telecom standards and information framework known as (SID) and business process framework known as (etom) Provide Product Authoring User Interface (UI) with capability of publishing the product definition and structure to the downstream systems including service fulfillment, billing, CRM, Provide set of Reports that shows the product catalogue with different level of product definition details and facility to drill down into the different product structure components 37

38 CRM Detailed Product Structure (offering up to CFS) Setup Fees & MRC Promotion List Billing Product & CFS List Case Study (Telecom Operator) The Solution Product Authoring UI MDM Products Hub Product Structure (Offerings, Product, CFS, and Sellable Devices) Promotion Information (List & Promo to Offer relationship) Network Elements Usage Charges (Pre-Paid) Product & Promo List & Price Logical / Physical Resources Promotion Management & POS Supplementary Services Setup Fees & MRC Usage Charges (Post Paid) Product Cross Reference (Mapping of product codes across Systems) MRC Monthly Recurring Charges for auto-renewal Promotion Information Promo Price Modifiers (Post Paid) Provisioning Setup Fees / MRC SDP Content Services & Pricing Product List Structure (Up to CFS Level) DWH e-portal Credit Risk & Collections Product & Service List RFS & CFS to RFS Relationship Product list Promotion List Product list Promotion List Product List Credit Limit 38

39 MDM SOLUTION FOR TELCO OPERATOR CUSTOMER DOMAIN CASE STUDY 39

40 Centralize customer information management Automate error handling, account setup & other administration costs Reduce Data Management Costs Meet regulations. Enforce security and permissions across value chain Case Study (Telecom Operator) Strategic Objectives Comply with Regulations Understand Customers Customer Shift from product centric to customer centric view Gain complete understanding of customer s relationships & hierarchies Improve Customer Data Quality Utilize Customer Insight Increase accuracy and completeness of customer information Ensure consistency and accuracy across operational systems Make informed decisions during customer interactions Detect and manage customer events 40 6/19/2012

41 Case Study (Telecom Operator) The Solution MDM Customer Hub Implement MDM Customer and Contract domain; using: IBM InfoSphere MDM Server IBM InfoSphere Information Server Components IBM Information Analyzer (source data profiling) IBM InfoSphere Data Stage (extract / transform / load along the path from source systems to MDM server) IBM InfoSphere Quality Stage (data validation, standardization, and cleansing) 41

42 Customer Creation Business Scenario EAI Customer Acquisition Channel Business Process Controller Transformations Common Objects Transformations Legacy Systems Nodes Nodes Nodes Adaptor Transport Layer Adaptor 33Z454 CSR/Agent creates record, sends to EAI EAI transforms record, sends to MDM MDM cleanses record, no match found MDM creates new record MDM returns new profile to EAI EAI publishes record to subscribers Subscribers return new record IDs MDM Cleansing Tool 42

43 Customer Data Model MDM Implementation Work Streams Data model derivation is the core job in the MDM implementation. Derive a data model that unifies the customer view all over the enterprise and to comply with Industry standards Data Quality Management Extraction and Transformation Analyze the quality of customer data across the existing repositories Survivorship rules analysis Define protection and cleansing actions Serve the initial load of customer data into the new MDM customer data model On-Line Integration The Integration strategy drives the online integration that would be in place between the MDM system and other external systems for customer data synchronization Data Steward and Data Administration Front End / Legacy System Changes Managing data stored in the MDM is necessary to make sure that data is accurate and up-to-date. Thus for ensuring the consistency of the data, MDM has introduced several roles. These roles are to set the configurations of the data quality engine, monitor the current data status and resolve any conflicts if exist Some changes might need to be done in the Front-End or the external legacy systems. The common reasons could be the need to store the unique customer number generated by the MDM system, provision to store/display multiple addresses of the customer, etc 43