Three guiding principles to improve data security and compliance

Transcription

1 IBM Software October 2012 Thought Leadership White Paper Three guiding principles to improve data security and compliance A holistic approach to data protection for a complex threat landscape

2 2 Three Guiding Principles to Improve Your Data Security and Compliance Strategy Executive summary News headlines about the increasing frequency of information and identity theft have focused awareness on data security and privacy breaches and their consequences. In response to this issue, regulations have been enacted around the world. Although the specifics of the regulations may differ, failure to ensure compliance can result in significant financial penalties, criminal prosecution and loss of customer loyalty. In addition, the information explosion, the proliferation of endpoint devices, growing user volumes, and new computing models like cloud, social business and big data have created new vulnerabilities. To secure sensitive data and address compliance requirements, organizations need to adopt a more proactive and systematic approach. Since data is a critical component of daily business operations, it is essential to ensure privacy and protect data no matter where it resides. Different types of information have different protection requirements; therefore, organizations must take a holistic approach to safeguarding information: Understand where the data exists: Organizations can t protect sensitive data unless they know where it resides and how it s related across the enterprise. Safeguard sensitive data, both structured and unstructured: Structured data contained in databases must be protected from unauthorized access. Unstructured data in documents, forms, image files, GPS systems and more requires privacy policies to redact (remove) sensitive information while still allowing needed business data to be shared. Protect non-production environments: Data in nonproduction, development, training and quality assurance environments needs to be protected, yet still usable during the application development, testing and training processes. Secure and continuously monitor access to the data: Enterprise databases, data warehouses, file shares and Hadoop-based systems require real-time monitoring to ensure data access is protected and audited. Policy-based controls based on access patterns are required to rapidly detect unauthorized or suspicious activity and alert key personnel. In addition, sensitive data repositories need to be protected against new threats or other malicious activity and continually monitored for weaknesses. Demonstrate compliance to pass audits: It s not enough to develop a holistic approach to data security and privacy; organizations must also demonstrate and prove compliance to third-party auditors. IBM solutions for data security and privacy are designed to support this holistic approach and incorporate intelligence to proactively address IT threats and enterprise risks. IBM has developed three simple guiding principles (Understand and Define, Secure and Protect, and Monitor and Audit) to help organizations achieve better security and compliance without impacting production systems or straining already-tight budgets. Making sense of the buzz: Why the growing focus on data protection? Data security is a moving target; as data grows, more sophisticated threats emerge, the number of regulations increase, and changing economic times make it difficult to secure and protect data. New attack vectors including cyber security threats (worms, trojans, rootkits, rogues, dialers and spyware) and security complexities resulting from changing IT architectures (virtualization, big data, open enterprise initiatives, consumerization and employee mobility) challenge organizations to focus on data protection (see Figure 1). According to the October 2011 report Databases are More at Risk Than Ever, which surveyed 355 data security professionals, one-fourth of respondents felt that a data breach in 2012 was likely or inevitable. Only 36 percent of organizations have taken steps to ensure their applications are not subject to SQL injection attacks, and over 70 percent take longer than three months to apply critical patch updates, giving attackers the opportunity they are looking for. Most respondents are unable to tell whether there has been unauthorized access or changes to their databases. In many cases, a breach would go undetected for months or longer, as only 40 percent of organizations audit their databases on a regular basis. Prevention strategies are almost non-existent at most companies. Only one-fourth of respondents say they are able

3 IBM Software 3 to stop abuse of privileges by authorized database users, especially highly privileged users such as database administrators, before it happens. Only 30 percent encrypt sensitive and personally identifiable information in all their databases, despite data privacy regulations worldwide requiring encryption for data at rest. Additionally, most admit to having sensitive data in non-production environments that is accessible to developers, testing and even third parties. Changes in IT environments and evolving business initiatives Security policies and corresponding technologies must evolve as organizations embrace new business initiatives such as outsourcing, virtualization, cloud, mobile, Enterprise 2.0, big data and social business. This evolution means organizations need to think more broadly about where sensitive data resides and how it is accessed. Organizations must also consider a broad array of both structured and unstructured sensitive data, including customer information, trade secrets, intellectual property, development plans, competitive differentiators and more. Smarter, more sophisticated hackers Many organizations are now struggling with the widening gap between hacker capabilities and security defenses. The changing nature, complexity and larger scale of outside attacks are cause for concern. Previously, the most critical concern was virus outbreaks or short denial-of-service attacks, which would create a temporary pause in business operations. Today, hackers are becoming more savvy and interconnected; they leverage social networks, purchase pre-packaged hacking applications and might even be state sponsored. By penetrating the perimeter and infiltrating the network, new advanced persistent threats (APTs) exploit employee knowledge gaps and process weaknesses and technology vulnerabilities in random combinations to steal customer data or corporate data, such as trade secrets, resulting in the potential for billions of dollars of lost business, fines and lawsuits, and irreparable damage to an organization s reputation. According to the 2012 Verizon Data Breach Investigations Report, the most commonly used venue for breaches was exploiting default or easily guessed passwords (with 29 percent of the cases) followed by backdoor malware (26 percent), use of stolen credentials (24 percent), exploiting backdoor or command and control channels (23 percent), and keyloggers and spyware (18 percent). SQL injection attacks accounted for 13 percent of the breaches. As for the targets, 90 percent of the breaches Verizon investigated went after servers, mainly point-of-sale servers, web and app servers, and database servers. Regulatory compliance mandates The number and variety of regulatory mandates are too numerous to name here, and they affect organizations around the globe. Some of the most prevalent mandates include the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS) (enforcement of which has firmly started expanding beyond North America), the Federal Information Security Management Act (FISMA), and the EU Data Privacy Directive. Along with the rising number of regulatory mandates is the increased pressure to show immediate compliance. Enterprises are under tremendous time pressure and need to show immediate progress to the business and shareholders, or face reputation damage and stiff financial penalties. Information explosion The explosion in digital information is mind-boggling. In 2009, the world had about 0.8 zettabytes of data. In 2012, it is estimated to be 1.8 ZBs. This is an amazing number, considering a zettabyte is a trillion gigabytes. The information explosion has made access to public and private information a part of everyday life. The digital explosion also brings an increase in the volume, variety and velocity of data. Organizations need to understand the unique challenges that big data brings, such as large-scale cloud infrastructures, diversity of data sources and formats, the streaming nature of data acquisition, and high-volume data aggregation. Critical business applications typically collect this information for legitimate purposes; however, given the interconnected nature of the Internet and information systems, as well as enterprise ERP, CRM and custom business applications, sensitive data is easily subject to theft and misuse.

4 4 Three Guiding Principles to Improve Your Data Security and Compliance Strategy Insider threats A high percentage of data breaches actually emanate from internal weaknesses. These breaches range from employees who may misuse payment card numbers and other sensitive information to those who save confidential data on laptops that are subsequently stolen. Furthermore, organizations are also accountable for protecting data no matter where the data resides be it with business partners, consultants, contractors, vendors or other third parties. In summary, organizations are focusing more heavily on data security and privacy concerns. They are looking beyond developing point solutions for specific pains and toward building security and privacy policies and procedures into the enterprise. Building security into business and IT policies is especially important as they embrace the new era of computing. Security versus privacy Security and privacy are related, but they are distinct concepts. Security is the infrastructure-level lockdown that prevents or grants access to certain areas or data based on authorization. In contrast, privacy restrictions control access for users who are authorized to access a particular set of data. Data privacy ensures those who have a legitimate business purpose to see a subset of that data do not abuse their privileges. That business purpose is usually defined by job function, which is defined in turn by regulatory or management policy, or both. Some examples of data security solutions include database activity monitoring and database vulnerability assessments. Some examples of data privacy solutions include data redaction and data masking. In a recent case illustrating this distinction, physicians at UCLA Medical Center were caught going through celebrity Britney Spears medical records. The hospital s security policies were honored since physicians require access to medical records, but privacy concerns exist since the physicians were accessing the file out of curiosity and not for a valid medical purpose. The stakes are high: Risks associated with insufficient data security and privacy Corporations and their officers may face fines from USD5,000 to USD1 million per day, and possible jail time if data is misused. According to the Ponemon Institute, 2011: Cost of Data Breach Study (published March 2012), the average organizational cost of a data breach in 2011 was USD5.5 million. Data breaches in 2011 cost their companies an average of USD194 per compromised record. The number of breached records per incident in 2011 ranged from approximately 4,500 records to more than 98,000 records. In 2011, the average number of breached records was 28,349. The most expensive breach studied by Ponemon Institute (2010 Annual Study: U.S. Cost of a Data Breach, 2011) took USD35.3 million to resolve, up USD4.8 million (15 percent) from The least expensive data breach was USD780,000, up USD30,000 (4 percent) from As in prior years, data breach cost appears to be directly proportional to the number of records compromised. Hard penalties are only one example of how organizations can be harmed; other negative impacts include erosion in share price caused by investor concern and negative publicity resulting from a data breach. Irreparable brand damage identifies a company as one that cannot be trusted. Five common sources of risk include: Excessive privileges and privileged user abuse. When users (or applications) are granted database privileges that exceed the requirements of their job function, these privileges may be used to gain access to confidential information. Unauthorized privilege elevation. Attackers may take advantage of vulnerabilities in database management software to convert low-level access privileges to high-level access privileges. SQL injection. SQL injection attacks involve a user who takes advantage of vulnerabilities in front-end web applications and stored procedures to send unauthorized database queries, often with elevated privileges. Using SQL injection, attackers could even gain unrestricted access to an entire database.

5 IBM Software 5 Denial of service. Denial of service (DoS) may be invoked through many techniques. Common DoS techniques include buffer overflows, data corruption, network flooding and resource consumption. The latter is unique to the database environment and frequently overlooked. Exposure of backup data. Some recent high-profile attacks have involved theft of database backup tapes and hard disks which were not encrypted. few organizations have the funding or resources to implement another process-heavy initiative. Organizations need to build security and privacy policies into their daily operations and gather support for these policies across the enterprise including IT staff, business leaders, operations, and legal departments. Privacy requirements do vary by role, and understanding who needs access to what data is not a trivial task. Third, the manual or homegrown data protection approaches many organizations use today lead to higher risk and inefficiency. Manual approaches typically don t protect a diverse set of data types in both structured and unstructured settings, and do not scale as organizations grow. Finally, the rising number of compliance regulations with time-sensitive components adds more operational stress, rather than clarifying priorities. Organizations require a fresh approach to data protection one which ensures that they build security and privacy rules into their best practices, and helps, rather than hinders, their bottom line. Numerous driving factors combined with high stakes make figuring out how to approach data security and privacy an important priority. Figure 1: Analysis of malicious or criminal attacks experienced according to the 2011 Cost of Data Breach Study conducted by the Ponemon Institute (published March 2012) Barriers to implementation: Challenges associated with protecting data So with the market focused on security and the risks clearly documented, why haven t organizations adopted a holistic approach to data protection? Why are organizations overwhelmed by new threats? The reality is that significant challenges and complexities exist. For one, there are numerous vendor solutions available that are focused on one approach or one aspect of data protection. Few look across the range of threats and data types and sources to deliver a holistic strategy which can be flexible as new threats arise and new computing models are embraced. Next, Leveraging a holistic data security and privacy approach Organizations need a holistic approach to data protection. This approach should protect diverse data types across physical, cloud and big data environments, and include the protection of structured and unstructured data in both production and non-production (development, test and training) environments. Such an approach can help focus limited resources without added processes or increased complexity. A holistic approach also helps organizations to demonstrate compliance without interrupting critical business processes or daily operations. To get started, organizations should consider six key questions. These questions are designed to help focus attention to the most critical data vulnerabilities: 1. Where does sensitive data reside across the enterprise? 2. How can access to your enterprise databases be protected, monitored and audited?

6 6 Three Guiding Principles to Improve Your Data Security and Compliance Strategy 3. How can data be protected from both authorized and unauthorized access? 4. Can confidential data in documents be safeguarded while still enabling the necessary business data to be shared? 5. Can data in non-production environments be protected, yet still be usable for training, application development and testing? 6. What types of data encryption are appropriate? The answers to these questions provide the foundation for a holistic approach to data protection and scales as organizations embrace the new era of computing. The answers also help organizations focus in on key areas they may be neglecting with current approaches. 1. Organizations can t protect data if they don t know it exists. Sensitive data resides in structured and unstructured formats in production environments and non-production environments. Organizations need to document and define all data assets and relationships, no matter what the source. It is important to classify enterprise data, understand data relationships and define service levels. The data discovery process analyzes data values and data patterns to identify the relationships that link disparate data elements into logical units of information, or business objects (such as customer, patient or invoice). 2. Activity monitoring provides privileged and non-privileged user and application access monitoring that is independent of native database logging and audit functions. It can function as a compensating control for privileged user separation-of-duties issues by monitoring all administrator activity. Activity monitoring also improves security by detecting unusual database, data warehouse, file share or Hadoop systems read and update activities from the application layer. Event aggregation, correlation and reporting provide an audit capability without the need to enable native audit functions. Activity monitoring solutions should be able to detect malicious activity or inappropriate or unapproved privileged user access. 3. Data should be protected through a variety of data transformation techniques including encryption, masking and redaction. Defining the appropriate business use for enterprise data will dictate the appropriate data transformation policy. For example, a policy could be established to mask data on screen or on the fly to prevent call center employees from viewing national identification numbers. Another example could be masking revenue numbers in reports shared with business partners or third-party vendors. 4. Data redaction can remove sensitive data from forms and documents based on job role or business purpose. For example, physicians need to see sensitive information such as symptoms and prognosis data, whereas a billing clerk needs the patient s insurance number and billing address. The challenge is to provide the appropriate protection, while meeting business needs and ensuring that data is managed on a need-to-know basis. Data redaction solutions should protect sensitive information in unstructured documents, forms and graphics. 5. De-identifying data in non-production environments is simply the process of systematically removing, masking or transforming data elements that could be used to identify an individual. Data de-identification enables developers, testers and trainers to use realistic data and produce valid results, while still complying with privacy protection rules. Data that has been scrubbed or cleansed in such a manner is generally considered acceptable to use in non-production environments and ensures that even if the data is stolen, exposed or lost, it will be of no use to anyone. 6. Data encryption is not a new technology, and many different approaches exist. Encryption is explicitly required by many regulations including PCI DSS, and also enables safe harbor provisions in many regulatory mandates. This means organizations are exempt from disclosing data breaches if the data is encrypted. It is challenging for an organization to identify the best encryption approach due to prolific offerings from various vendors. For encrypting structured data, consider a file-level approach. This will protect both structured data in the database management system (DBMS) and also unstructured files such as DBMS log or configuration files, and is transparent to the network, storage and applications. Look for encryption offerings which provide a strong separation of duties and a unified policy and key management system to centralize and simplify data security management.

7 IBM Software 7 Meeting data security and compliance challenges What makes IBM s approach to data protection unique? Expertise. The alignment of people, process, technology and information separates the IBM data security and privacy solutions from the competition. The goal of the IBM portfolio is to help organizations meet legal, regulatory and business obligations without adding additional overhead. This helps organizations support compliance initiatives, reduce costs, minimize risk and sustain profitable growth. In addition, IBM has integrated data security into a broader security framework. The IBM Security Framework (see Figure 2) and associated best practices provide the expertise, data analysis, and maturity models to give IBM s clients the opportunity to embrace innovation with confidence. Security Intelligence, Analytics and GRC Software and Applicances Professional Services Cloud and Managed Services Figure 2: IBM is the only vendor providing a sophisticated security framework with security intelligence across people, data, applications and infrastructure. To address data security and compliance, IBM has defined three guiding principles to ensure a holistic data protection approach: Understand and Define, Secure and Protect, and Monitor and Audit. By following these three principles, organizations can improve their overall security posture and help meet compliance mandates with confidence. Understand and define Organizations must discover where sensitive data resides, classify and define data types, and determine metrics and policies to ensure protection over time. Data can be distributed over multiple applications, databases and platforms with little documentation. Many organizations rely too heavily on system and application experts for this information. Sometimes, this information is built into application logic, and hidden relationships might be enforced behind the scenes. Finding sensitive data and discovering data relationships requires careful analysis. Data sources and relationships should be clearly understood and documented so no sensitive data is left vulnerable. Only after understanding the complete landscape can organizations define proper enterprise data security and privacy policies. IBM InfoSphere Discovery is designed to identify and document what data you have, where it is located and how it s linked across systems by intelligently capturing relationships and determining applied transformations and business rules. It helps automate the identification and definition of data relationships across complex, heterogeneous environments. Without an automated process to identify data relationships and define business objects, organizations can spend months performing manual analysis with no assurance of completeness or accuracy. IBM InfoSphere Discovery, on the other hand, can help automatically and accurately identify relationships and define business objects in a fraction of the time required using manual or profiling approaches. It accommodates a wide range of enterprise data sources, including relational databases, hierarchical databases and any structured data source represented in text file format.

8 8 Three Guiding Principles to Improve Your Data Security and Compliance Strategy In summary, IBM InfoSphere Discovery helps organizations: Locate and inventory the data sources across the enterprise Identify and classify sensitive data Understand data relationships Define and document privacy rules Document and manage ongoing requirements and threats Secure and protect Data security and privacy solutions should span a heterogeneous enterprise, and protect both structured and unstructured data across production and non-production environments (see Figure 3). IBM InfoSphere solutions help protect sensitive data in ERP/CRM applications, databases, warehouses, file shares and Hadoop-based systems, and also in unstructured formats such as forms and documents. Key technologies include activity monitoring, data masking, data redaction and data encryption. InfoSphere Guardium provides enterprise-wide controls and capabilities across many platforms and data sources, enhancing the investments made in platforms, such as RACF on System z, that provide built-in security models that leverage data sources such as DB2 for z/os, IMS, and VSAM. A holistic data protection approach ensures a 360-degree lockdown of all organizational data. For each type of data (structured, unstructured, offline and online), we recommend different technologies to keep it safe. Keep in mind that the various data types exist in both production and non-production environments. Structured data: This data is based on a data model, and is available in structured formats like databases or XML. Unstructured data: This data is in forms or documents which may be handwritten, typed or in file repositories, such as word processing documents, messages, pictures, digital audio, video, GPS data and more. Online data: This is data used daily to support the business, including metadata, configuration data or log files. Offline data: This is data in backup tapes or on storage devices. Data in heterogeneous databases (Oracle, DB2, Netezza, Informix, Sybase, Sun MySQL, Teradata) Activity Monitoring Vulnerability Assessment Data Masking Data Encryption Structured Data Unstructured Data Data not in databases (Hadoop, File Shares, ex. SharePoint,.TIF,.PDF,.doc, scanned documents) Data Redaction Activity Monitoring Data Masking Data extracted from databases Data Encryption Offline Data Production & Non-Production Systems Online Data Data in daily use Activity Monitoring Vulnerability Assessment Data Masking Data Encryption Figure 3: When developing a data security and privacy strategy, it is important to consider all data types across production and non-production environments

9 IBM Software 9 Keep in mind these four basic data types are exploding in terms of volume, variety and velocity. Many organizations are looking to include these data types in big data systems such as Netezza or Hadoop for deeper analysis. IBM InfoSphere Guardium Activity Monitor and Vulnerability Assessment provide a security solution which addresses the entire database security and compliance life cycle with a unified web console, back-end data store and workflow automation system, enabling you to: Assess database and data repository vulnerabilities and configuration flaws Ensure configurations are locked down after recommended changes are implemented Provide 100-percent visibility and granularity into all data source transactions across all platforms and protocols with a secure, tamper-proof audit trail that supports separation of duties Monitor and enforce policies for sensitive data access, privileged user actions, change control, application user activities and security exceptions such as failed logins Automate the entire compliance auditing process including report distribution to oversight teams, sign-offs and escalations with preconfigured reports for SOX, PCI DSS and data privacy Create a single, centralized audit repository for enterprisewide compliance reporting, performance optimization, investigations and forensics Easily scale from safeguarding a single database to protecting thousands of databases, data warehouses, file shares or Hadoop-based systems in distributed data centers around the world Traditionally, protecting unstructured information in forms, documents and graphics has been performed manually by deleting electronic content and using a black marking pen on paper to delete or hide sensitive information. But this manual process can introduce errors, inadvertently omit information and leave behind hidden information within files that exposes sensitive data. Today s high volumes of electronic forms and documents make this manual process too burdensome for practical purposes, and increase an organization s risk of exposure. IBM InfoSphere Guardium Data Redaction protects sensitive information buried in unstructured documents and forms from unintentional disclosure. The automated solution lends efficiency to the redaction process by detecting sensitive information and automatically removing it from the version of the documents made available to unprivileged readers. Based on industry-leading software redaction techniques, InfoSphere Guardium Data Redaction also offers the flexibility of human review and oversight if required. IBM InfoSphere Optim Data Masking Solution provides a comprehensive set of data masking techniques that can support your data privacy compliance requirements on demand, including: Application-aware masking capabilities help ensure that masked data, like names and street addresses, resembles the look and feel of the original information. (see Figure 4) Context-aware, prepackaged data masking routines make it easy to de-identify elements such as payment card numbers, Social Security numbers, street addresses and addresses. Persistent masking capabilities propagate masked replacement values consistently across applications, databases, operating systems and hardware platforms. Static or dynamic data masking supports both production and non-production environments. With InfoSphere Optim, organizations can de-identify data in a way that is valid for use in development, testing and training environments, while protecting data privacy. Mask Figure 4: Personal identifiable information is masked with realistic but fictional data

10 10 Three Guiding Principles to Improve Your Data Security and Compliance Strategy IBM InfoSphere Guardium Data Encryption provides a single, manageable and scalable solution to encrypt enterprise data without sacrificing application performance or creating key management complexity. InfoSphere Guardium Data Encryption helps solve the challenges of invasive and point approaches through a consistent and transparent approach to encrypting and managing enterprise data security. Unlike invasive approaches such as columnlevel database encryption, PKI-based file encryption or native point encryption, IBM InfoSphere Guardium Data Encryption offers a single, transparent solution that is also easy to manage. This unique approach to encryption provides the best of both worlds: seamless support for information management needs combined with strong, policy-based data security. Agents provide a transparent shield that evaluates all information requests against easily customizable policies and provides intelligent decryption-based control over reads, writes, and access to encrypted contents. This highperformance solution is ideal for distributed environments, and agents deliver consistent, auditable and non-invasive data-centric security for virtually any file, database or application anywhere it resides. In summary, InfoSphere Guardium Data Encryption provides: A single, consistent, transparent encryption method across complex enterprises An auditable, enterprise-executable, policy-based approach Among the fastest implementation processes achievable, requiring no application, database or system changes Simplified, secure and centralized key management across distributed environments Intelligent, easy-to-customize data security policies for strong, persistent data security Strong separation of duties Top-notch performance with proven ability to meet SLAs for mission-critical systems IBM Tivoli Key Lifecycle Manager helps IT organizations better manage the encryption key life cycle by enabling them to centralize and strengthen key management processes. It can manage encryption keys for IBM self-encrypting storage devices as well as non-ibm encryption solutions that use the Key Management Interoperability Protocol (KMIP). IBM Tivoli Key Lifecycle Manager provides the following data security benefits: Centralize and automate the encryption key management process Enhance data security while dramatically reducing the number of encryption keys to be managed Simplify encryption key management with an intuitive user interface for configuration and management Minimize the risk of loss or breach of sensitive information Facilitate compliance management of regulatory standards such as SOX and HIPAA Extend key management capabilities to both IBM and non-ibm products Leverage open standards to help enable flexibility and facilitate vendor interoperability Monitor and audit After data has been located and locked down, organizations must prove compliance, be prepared to respond to new internal and external risks, and monitor systems on an ongoing basis. Monitoring of user activity, object creation, data repository configurations and entitlements help IT professionals and auditors trace users between applications and databases. These teams can set fine-grained policies for appropriate behavior and receive alerts if these policies are violated. Organizations need to quickly show compliance and empower auditors to verify compliance status. Audit reporting and sign-offs help facilitate the compliance process while keeping costs low and minimizing technical and business disruptions. In summary, organizations should create continuous, fine-grained audit trails of all database activities, including the who, what, when, where and how of each transaction. IBM InfoSphere Guardium Activity Monitor provides granular, database management system (DBMS) independent auditing with minimal impact on performance. InfoSphere Guardium is also designed to help organizations reduce operational costs via automation, centralized cross-dbms policies and audit repositories, and filtering and compression.

11 IBM Software 11 Conclusion: Better Data Security and Compliance Protecting data security and privacy is a detailed, continuous responsibility which should be part of every best practice. IBM provides an integrated data security and privacy approach delivered through these three guiding principles. 1. Understand and Define 2. Secure and Protect 3. Monitor and Audit Protecting data requires a 360-degree, holistic approach. With deep, broad expertise in the security and privacy space, IBM can help your organization define and implement such an approach. IBM solutions are open, modular and support all aspects of data security and privacy, including structured, semi-structured and unstructured data, no matter where it resides. IBM solutions support virtually all leading enterprise databases and operating systems, including IBM DB2, Oracle, Teradata, Netezza, Sybase, Microsoft SQL Server, IBM Informix, IBM IMS, IBM DB2 for z/os, IBM Virtual Storage Access Method (VSAM), Microsoft Windows, UNIX, Linux and IBM z/os. InfoSphere also supports key ERP and CRM applications Oracle E-Business Suite, PeopleSoft Enterprise, JD Edwards EnterpriseOne, Siebel and Amdocs CRM as well as most custom and packaged applications. IBM supports access monitoring for file sharing software such as Microsoft SharePoint and IBM FileNet. IBM also supports Hadoopbased systems such as Cloudera and InfoSphere BigInsights. About IBM InfoSphere IBM InfoSphere software is an integrated platform for defining, integrating, protecting and managing trusted information across your systems. The IBM InfoSphere platform provides the foundational building blocks of trusted information, including data integration, data warehousing, master data management and information governance, all integrated around a core of shared metadata and models. The portfolio is modular, allowing you to start anywhere, and mix and match IBM InfoSphere software building blocks with components from other vendors, or choose to deploy multiple building blocks together for increased acceleration and value. The IBM InfoSphere platform provides an enterprise-class foundation for informationintensive projects, providing the performance, scalability, reliability and acceleration needed to simplify difficult challenges and deliver trusted information to your business faster. About IBM Security IBM s security portfolio provides the security intelligence to help organizations holistically protect their people, infrastructure, data and applications. IBM offers solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. IBM operates the world s broadest security research and development and delivery organization. This consists of nine security operations centers, nine IBM Research centers, 11 software security development labs and an Institute for Advanced Security with chapters in the United States, Europe and Asia Pacific. IBM monitors 13 billion security events per day in more than 130 countries and holds more than 3,000 security patents. For more information For more information on IBM security, please visit: ibm.com/security. To learn more about IBM InfoSphere solutions for protecting data security and privacy, please contact your IBM sales representative or visit: ibm.com/guardium. To learn more about the new IBM DB2 for z/os security features, download the Redbook at Redbooks.nsf/RedbookAbstracts/sg html Additionally, financing solutions from IBM Global Financing can enable effective cash management, protection from technology obsolescence, improved total cost of ownership and return on investment. Also, our Global Asset Recovery Services help address environmental concerns with new, more energyefficient solutions. For more information on IBM Global Financing, visit: ibm.com/financing.

12 Copyright IBM Corporation 2012 IBM Corporation Software Group Route 100 Somers, NY Produced in the United States of America October 2012 IBM, the IBM logo, ibm.com, DB2, Guardium, IMS, Informix, InfoSphere, Optim, Tivoli, and z/os are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at Copyright and trademark information at ibm.com/legal/copytrade.shtml. Linux is a registered trademark of Linus Torvalds in the United States, other countries or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries or both. Netezza is a trademark or registered trademark of Netezza Corporation, an IBM Company. UNIX is a registered trademark of The Open Group in the United States and other countries. This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. THE INFORMATION IN THIS DOCUMENT IS PROVIDED AS IS WITHOUT ANY WARRANTY, EXPRESS OR MPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. Please Recycle IMW14568-USEN-05