IBM InfoSphere Guardium: Database Auditing and Monitoring for Telco (Case Study)
Nidal Othman, Managing Director
Agenda
- Customer Case Study
- Environment
- DB Security Challenges
- PCI-DSS Compliance
- The Guardium Solution
2011 IBM Corporation
Customer Case Study
Who: the largest telco in the Middle East
Need: improve database security for PCI compliance and data governance
- Phase 1: monitor and audit all customer-service transactions
- Phase 2: meet the PCI requirements
Environment: 80 database instances on 40+ servers; Oracle, Sybase and SQL Server on AIX, Solaris and Windows
Alternatives considered: native application auditing (not practical because of the application performance overhead)
Results:
- Compensating control for PCI-DSS Requirement 3.4 (v1.1 Appendix B)
- Restrict access to cardholder data based on IP address, application, ...
- Restrict logical access to the database independently of LDAP
- Prevent/detect common application or DB attacks (e.g., SQL injection)
- Track and monitor all access to VIP records
Enterprises Need to Monitor and Audit
Privileged users:
- Access to, deletion of, or changes to data
- Access using inappropriate or non-approved channels
- Schema modifications
- Unauthorized addition of user accounts or modification of existing accounts
End users:
- Access to excessive amounts of data, or to data not needed for legitimate work
- Access to data outside standard working hours
- Access to data through inappropriate or non-approved channels
Developers, system analysts and system administrators:
- Access to live production data
IT operations:
- Unapproved changes to databases or to applications that access data
- Out-of-cycle patching of production systems
Oracle Survey: Most Organizations Have Very Weak Database Controls
- 3 of 4 organizations can't prevent privileged users from reading or tampering with data in their databases
- 2 of 3 can't detect or prove that privileged DB users aren't abusing their privileges
- Only 1 of 4 use automated tools to monitor databases for security issues on a regular basis
- Close to half said an end user with common desktop or ad hoc tools could gain unauthorized direct access to sensitive information (or they weren't sure)
- The majority don't apply Critical Patch Updates in a timely manner
Source: 2010 Independent Oracle User Group (IOUG) Data Security Survey, based on a survey of 430 members. http://www.oracle.com/dm/offers/fy11/50651_2010_report_ioug_data_security_survey.pdf
Real-World Insider Threat Examples
Unauthorized changes to financial/ERP data:
- A DBA accidentally deleted a critical financial table during production hours (doing a favor for an application developer, bypassing the change process)
- An outsourcer erased the logs showing he had made changes during the day (because it was more convenient than working at night)
Theft of sensitive data:
- Departing employees stealing design information and other intellectual property
- DBAs and outsourcers selling customer information to competitors, crime syndicates and tax authorities
Internal fraud:
- Mobile telecom: an insider created and sold pre-paid phone cards
What Database Audit Tools are Enterprises Using Today?
(Diagram: a manual workflow of creating reports, manual review, and manual remediation, dispatch and tracking.)
Guardium Value Proposition
1. Prevent data breaches and fraud: mitigate external and internal threats; secure sensitive customer data
2. Assure data governance: prevent unauthorized changes to financial and ERP data
3. Reduce the cost of compliance: automate and centralize controls; simplify processes
Without performance impact or changes to databases and applications
The Compliance Mandate: What Do You Need to Monitor?
Audit requirements:
1. Access to sensitive data (successful/failed SELECTs)
2. Schema changes (DDL: CREATE/DROP/ALTER TABLE, etc.)
3. Data changes (DML: INSERT, UPDATE, DELETE)
4. Security exceptions (failed logins, SQL errors, etc.)
5. Accounts, roles and permissions (DCL: GRANT, REVOKE)
Mandates: COBIT (SOX), PCI-DSS, ISO 27002, data privacy and protection laws, NIST SP 800-53 (FISMA)
DDL = Data Definition Language (schema changes); DML = Data Manipulation Language (data value changes); DCL = Data Control Language (privileges)
Addressing the Full Lifecycle of Database Security & Compliance
(Diagram: a cycle around the critical data infrastructure with four phases.)
Find & Classify:
- Find and classify sensitive data
- Continuously update security policies
- Discover embedded malware and logic bombs
Assess & Harden:
- Entitlement reporting
- Assess static and behavioral database vulnerabilities
- Configuration auditing
- Preconfigured tests based on best-practice standards (STIG, CIS, CVE)
Monitor & Enforce:
- Prevent cyberattacks
- Automated and centralized controls
- Monitor and block privileged users
- Detect application-layer fraud
- Enforce change controls
- Real-time alerts
- Control firecall IDs
Audit & Report:
- Cross-DBMS audit repository
- Preconfigured policies/reports
- No database changes; minimal performance impact
- Sign-off management
- SIEM integration
Non-Invasive, Real-Time Database Security & Monitoring
- Continuously monitors all database activities (including local access by superusers)
- Heterogeneous, cross-DBMS solution
- Does not rely on native DBMS logs
- Minimal performance impact (2-3%)
- No DBMS or application changes
- Supports separation of duties: activity logs can't be erased by attackers or DBAs
- Automated compliance reporting, sign-offs and escalations (SOX, PCI, NIST, etc.)
- Granular, real-time policies and auditing: who, what, when, where, how
Scalable Multi-tier Architecture
(Diagram: S-TAP agents on the database servers in the data center, HR and Finance, and a Z-TAP agent on z/OS, send traffic to collector appliances labelled G1000, G2000, G3000, G5000, S-GATE and Z2000; remote locations and an off-shore site connect over the Internet; all appliances are administered by a Central Manager.)
Continuous Fine-Grained Auditing
All SQL traffic is contextually analyzed and filtered in real time to provide the specific information auditors require:
- Client: IP, host name, domain login, application user ID, client OS, MAC, TTL, origin, access programs
- Server: IP, port, server name, server OS, network protocol, DB type, DB version, DB protocol
- Session: timestamp, DB user name, failed logins, DB errors, SQL patterns
- SQL: all SQL commands (DDL, DML, DCL, SELECTs), verbs, objects, fields
Phased Implementation
1. Visibility: understand data access (who, what, when, where, how)
2. Detection: alert in real time on unauthorized data access (schema changes, procedure modifications, errors, failed logins)
3. Prevention: deny unauthorized data access (move from passive to inline mode)
Provide Insight Such As...
- Who is changing database schemas or dropping tables?
- Are any unauthorized source programs changing data?
- What are DBAs or outsourced staff doing to the databases?
- How many failed login attempts have occurred?
- Who is extracting credit card data?
- What data is being accessed from which network node?
- What data is being accessed by which application?
- How is data being accessed?
- What database errors are being generated?
- What is the exposure of sensitive objects?
- When is someone attempting an SQL injection attack?
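To make the audit categories from the compliance slide and the questions above concrete, here is an added example in Python. It is not Guardium code and not part of the original deck: a small policy engine that classifies captured SQL into SELECT/DDL/DML/DCL, flags access to cardholder tables from a non-approved client IP or access program (the compensating-control rule from the case study), counts failed logins per client and user, and applies a crude SQL-injection heuristic. The table names, approved IPs and programs, thresholds and the audit events are all constructed for the example.

```python
"""Added example (not Guardium code): a minimal database-activity policy engine
over constructed audit events. Table names, approved IPs/programs, thresholds
and the sample events are all assumed for the example."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Assumed policy: objects holding cardholder data and the only source allowed to read them.
CARDHOLDER_OBJECTS = {"CARDHOLDER", "PAN_VAULT"}
APPROVED_PROGRAMS = {"billing.exe"}
APPROVED_CLIENT_IPS = {"10.1.5.20"}
FAILED_LOGIN_THRESHOLD = 3      # failures per (client IP, DB user) within the window
FAILED_LOGIN_WINDOW = 60        # seconds

@dataclass
class Event:
    ts: int                     # seconds since start of capture
    client_ip: str
    db_user: str
    program: str                # client access program (slide: "access programs")
    sql: Optional[str]          # None for a login attempt
    ok: bool = True             # False = failed login or SQL error

_VERB = re.compile(r"^\s*([A-Za-z]+)")
_OBJ = re.compile(r"\b(?:from|into|update|table|on)\s+([A-Za-z_][\w.]*)", re.I)
# Crude injection heuristics: an OR-tautology (x=x, '1'='1') or an inline comment marker.
_TAUTOLOGY = re.compile(r"\bor\b\s+(?P<q>'?)(?P<v>\w+)(?P=q)\s*=\s*(?P=q)(?P=v)(?P=q)", re.I)
_COMMENT = re.compile(r"--|/\*")

def classify(sql: str) -> str:
    """Map a statement to the audit categories from the compliance slide."""
    m = _VERB.match(sql)
    verb = m[1].upper() if m else ""
    if verb == "SELECT":
        return "SELECT"
    if verb in {"CREATE", "DROP", "ALTER", "TRUNCATE"}:
        return "DDL"
    if verb in {"INSERT", "UPDATE", "DELETE", "MERGE"}:
        return "DML"
    if verb in {"GRANT", "REVOKE"}:
        return "DCL"
    return "OTHER"

def objects(sql: str):
    """Object names referenced after FROM/INTO/UPDATE/TABLE/ON (upper-cased)."""
    return {name.upper() for name in _OBJ.findall(sql)}

def evaluate(events: List[Event]) -> List[str]:
    """Return alert strings; a collector in inline mode would block instead of only alerting."""
    alerts = []
    failures = defaultdict(list)
    for e in events:
        who = f"{e.db_user}@{e.client_ip}"
        if e.sql is None:                       # login attempt, no statement
            if not e.ok:
                key = (e.client_ip, e.db_user)
                failures[key].append(e.ts)
                recent = [t for t in failures[key] if e.ts - t <= FAILED_LOGIN_WINDOW]
                if len(recent) >= FAILED_LOGIN_THRESHOLD:
                    alerts.append(f"FAILED_LOGINS {who} x{len(recent)}")
            continue
        stmt = e.sql.strip()
        cat = classify(stmt)
        if _TAUTOLOGY.search(stmt) or _COMMENT.search(stmt):
            alerts.append(f"SQLI_PATTERN {who}: {stmt}")
        if objects(stmt) & CARDHOLDER_OBJECTS and (
                e.client_ip not in APPROVED_CLIENT_IPS or e.program not in APPROVED_PROGRAMS):
            alerts.append(f"CARDHOLDER_ACCESS {cat} by {who} via {e.program}")
        if cat == "DDL":
            alerts.append(f"SCHEMA_CHANGE by {who}: {stmt}")
        if cat == "DCL":
            alerts.append(f"PRIVILEGE_CHANGE by {who}: {stmt}")
        if not e.ok:
            alerts.append(f"SQL_ERROR {who}: {stmt}")
    return alerts

# Constructed audit trail (not real traffic).
SAMPLE = [
    Event(0, "10.1.5.20", "billing_svc", "billing.exe", "SELECT pan FROM cardholder WHERE acct = 42"),
    Event(5, "10.9.9.9", "dba1", "sqlplus", "SELECT pan FROM cardholder"),
    Event(10, "10.9.9.9", "dba1", "sqlplus", "GRANT DBA TO temp_user"),
    Event(12, "10.9.9.9", "dba1", "sqlplus", "ALTER TABLE cardholder ADD note VARCHAR2(200)"),
    Event(20, "172.16.0.7", "webapp", "java", "SELECT * FROM customers WHERE id = '' OR '1'='1' --"),
    Event(30, "172.16.0.7", "webapp", "java", "INSERT INTO orders VALUES (1, 42)"),
    Event(40, "10.0.0.3", "guest", "toad", None, ok=False),
    Event(50, "10.0.0.3", "guest", "toad", None, ok=False),
    Event(55, "10.0.0.3", "guest", "toad", None, ok=False),
]

if __name__ == "__main__":
    for line in evaluate(SAMPLE):
        print(line)
```

On the constructed trail the approved billing service reading the cardholder table is silent, while the DBA's ad hoc SELECT and ALTER on the same table, the GRANT, the tautology in the web application's query and the three failed logins from the same client each produce an alert. The injection heuristic is deliberately simple and would need tuning (comment markers appear in legitimate SQL); the point is that all of it is derived from the captured statement and session context rather than from native DBMS logs.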
Who's accessing in-scope data?
Nidal Othman, Managing Director
StarLink Middle East
nidal@starlink.ae
971 50 5511750
Master Data Management
By: EJADA Systems
AGENDA
- Ejada Corporate Overview
- Master Data Management Overview
- Case Study: Master Data Management for the Product Domain
- Case Study: Master Data Management for the Customer Domain
EJADA Systems (Corporate Overview)
- EJADA is a leading IT solutions and services company specialized in providing business and technology solutions to large enterprises in the Middle East and North Africa
- EJADA is recognized in the Saudi market as one of the top three performers and has significantly outperformed the growth of the services industry in the Kingdom and the Middle East
- EJADA employs over 700 people and has direct access to over 500 consultants through its equity partnerships in several IT companies in the region
- Market leader in: application consulting and customization (since 2006); application management outsourcing (since 2008); information systems consulting (since 2009)
- EJADA is a CMMI Level 3 appraised company
Geographic Coverage
With our head office in Riyadh, we operate out of branches in Jeddah, Al Khobar, Amman, Cairo, Alexandria and Dubai; we plan to open new offices in Abu Dhabi, Qatar and Kuwait, while expanding our reach through channel partners in Lebanon, Yemen and Oman.
(Map legend: head office, branches, channels.)
EJADA Information Management Center of Excellence
- Launched in 2000 (more than 80 consultants)
- Ejada has implemented information management solutions for major clients in the Middle East
- Unique experience in the financial services and telco industries in the region
Roles: solution architects, project managers, business analysts, data analysts, data modelers, functional consultants, technical consultants
Competency areas: business intelligence, data warehouse, master data management, data integration, data quality, metadata management, data governance
Ejada MDM Competency
- Ejada is the leader in and has unique experience with MDM implementation in the Middle East: seven major successful MDM implementations in Saudi Arabia (banking and telecommunications)
- Ejada has deep experience with most of the reputable MDM, data quality and data integration tools
- In-depth knowledge of and experience with telecom industry standards (TM Forum Frameworx, eTOM, SID)
- Centers of Excellence in the related areas of Enterprise Application Integration (EAI) and CRM implementation, so Ejada can gauge how the MDM system would best integrate into the organization's overall architecture
MDM OVERVIEW
What is Master Data?
Master data IS:
- The high-value common information an organization uses repeatedly across many business processes
- The key facts describing your core business entities: customers, partners, employees, products and locations
- Currently, master data is typically scattered across heterogeneous application silos in the enterprise
Master data IS NOT:
- All the data within the enterprise, such as transaction data, billing data, etc.
- Application-unique data
Thus master data is the persistent (static and quasi-static), non-transactional data that defines a business entity for which there is, or should be, an agreed-upon view across the organization.
What is an MDM Application?
- Decouples master information from individual applications
- Becomes a centralized, independent resource
- Contains configurable functionality to maintain master data and to be its system of truth
- Integrates common data functionality into an enterprise application
MDM Solution Main Components
- Data integration services: on-line integration services; batch data integration services
- Data quality and validation rules engine: data profiling; data quality management; validation rules
- Master data repository
- Suspect duplicate processing: duplication rules; identification of suspect duplicate records; automatic merging; alerts
- Data stewardship UI: 360-degree view of master data; merging of duplicate records; master data synchronization; hierarchy management
MDM SOLUTION FOR TELCO OPERATOR: CASE STUDY
Case Study (Telecom Operator)
Client: one of the largest mobile communications and technology providers in the Middle East
Project scope: master data management for the customer domain and the product domain
Facts: more than 14,000,000 customers; more than 35,000,000 accounts; more than 400 offerings
Solution: IBM InfoSphere Master Data Management Server; IBM InfoSphere Information Server (DataStage, QualityStage)
Case Study (Telecom Operator): Business Problems
- Lengthy and complex process for launching new products: product specifications must be defined in multiple systems (CRM, marketing, billing, financial, provisioning, network, portal, call centers, IVR, POS, etc.)
- The rise of worldwide and local competitors requires launching new innovative services quickly
- Definitions and terminology of the product components are not unified across systems; inconsistent definition of offering components across systems
- Lack of a synchronization process for product information
- No unified, single authoring tool for the product catalog definition
- Lack of a unified product catalog
Case Study (Telecom Operator): Strategic Objectives
- Provide a complete (360-degree) end-to-end view of the product catalog across marketing, product development, provisioning, billing and channels (e-portal, CRM, call centers, IVR, POS, etc.)
- Provide unified product authoring functionality and a synchronization mechanism for product information across the enterprise (rather than repeating the definition of the products everywhere)
- Time to market: automate and speed up the process of creating/updating products
- Data consistency: provide the integration/synchronization of product data across the enterprise operational systems
- Compliance with telco standards for information management and the operating model (TM Forum Frameworx, SID, eTOM) for product lifecycle management
- Streamline the account activation process by getting the product decomposition information from a centralized repository
Case Study (Telecom Operator): Challenges
- Product model definition: the telco product model is multi-layered; agree on standard terminology for the product components with stakeholders
- Initial load of the existing offerings into the new product hub: the number of existing offerings is very high (more than 400); lack of documentation about the existing offerings; merging duplicate offerings; remodeling the existing offerings to comply with the new product model standards
- Changes in the operational systems: implement the end-to-end business process for product creation/modification; 9 systems need to be involved in the business process changes
Case Study (Telecom Operator): Sample Offer
(Diagram: the offering "O: Family Bundle" contains the child offerings "O: Connect (1,1)" and "O: Basic GSM (3)"; each offering decomposes into Pricing (F), Products (P) and Resources (R). Labels shown: F: Overridden Setup Price (no dimension); F: Setup Price (device type, duration, data limit); F: Setup Price (no dimensions); F: MRC (data limit); P: Mobile Connect; P: Mobile Telephony & Messaging; R: Ferrari, Long tail; R: International Favorite Number (0,1); R: Data limit (1G, 5G, unlimited); R: Duration (1 m, 3 m, 6 m); R: MSISDN (1); R: SIM Card (1). Numbers in parentheses are cardinalities.)
Case Study (Telecom Operator): Product Data Model
- Offering: commercial terms and conditions, including pricing, that are agreed at time of sale
- Supplementary Offering: a reusable product component that is eligible to be sold with one or more offerings
- Promotions: a product component that is eligible to be sold with one or more offerings for a specific time period
- Pricing: setup fees / recurring charges
- Product: basis for the technical configuration as specified during order entry (wrapper)
- Customer Facing Service: what your customer is actually aware of using when interacting with the delivery environment
- Resources: the physical resources (e.g. SIM card) and logical resources (e.g. MSISDN) that the customer can consume or use; they represent the capabilities required to deliver the service
Case Study (Telecom Operator): The Solution
- Implement the MDM product domain using IBM InfoSphere MDM Server
- Build a product data model fully compatible with the telecom standards: the information framework (SID) and the business process framework (eTOM)
- Provide a product authoring user interface (UI) able to publish the product definition and structure to the downstream systems, including service fulfillment, billing and CRM
- Provide a set of reports that show the product catalogue at different levels of product definition detail, with the facility to drill down into the different product structure components
Case Study (Telecom Operator): The Solution
(Diagram: the Product Authoring UI feeds the MDM Products Hub, which publishes product data to CRM, Billing, Promotion Management & POS, Provisioning, SDP, DWH, e-portal and Credit Risk & Collections.)
Data held in the hub: product structure (offerings, product, CFS and sellable devices); promotion information (list and promo-to-offer relationship); logical/physical resources; network elements; setup fees and MRC (monthly recurring charges for auto-renewal); usage charges (pre-paid and post-paid); promo price modifiers (post-paid); product cross-reference (mapping of product codes across systems).
Data published as labelled on the diagram: CRM receives the detailed product structure (offering up to CFS), setup fees & MRC and the promotion list; Billing receives the product & CFS list, setup fees & MRC, usage charges and promotion information; Promotion Management & POS receives the product & promo list and prices and supplementary services; Provisioning receives the product list structure (up to CFS level) and the RFS and CFS-to-RFS relationships; SDP receives content services & pricing; DWH and e-portal receive the product list and promotion list; Credit Risk & Collections receives the product & service list and the credit limit.
MDM SOLUTION FOR TELCO OPERATOR: CUSTOMER DOMAIN CASE STUDY
Case Study (Telecom Operator): Strategic Objectives
- Reduce data management costs: centralize customer information management; automate error handling, account setup and other administration costs
- Comply with regulations: meet regulations; enforce security and permissions across the value chain
- Understand customers: shift from a product-centric to a customer-centric view; gain a complete understanding of the customer's relationships and hierarchies
- Improve customer data quality: increase the accuracy and completeness of customer information; ensure consistency and accuracy across operational systems
- Utilize customer insight: make informed decisions during customer interactions; detect and manage customer events
6/19/2012
Case Study (Telecom Operator): The Solution (MDM Customer Hub)
Implement the MDM customer and contract domains using:
- IBM InfoSphere MDM Server
- IBM InfoSphere Information Server components: IBM Information Analyzer (source data profiling); IBM InfoSphere DataStage (extract/transform/load along the path from the source systems to the MDM server); IBM InfoSphere QualityStage (data validation, standardization and cleansing)
Customer Creation Business Scenario
(Diagram: customer acquisition channel -> EAI (business process controller, transformations, common objects, adaptors, transport layer) -> MDM with its cleansing tool -> legacy systems.)
1. CSR/agent creates the record and sends it to the EAI
2. EAI transforms the record and sends it to MDM
3. MDM cleanses the record; no match is found
4. MDM creates the new record
5. MDM returns the new profile to the EAI
6. EAI publishes the record to the subscribers
7. Subscribers return their new record IDs
MDM Implementation Work Streams
Customer data model: data model derivation is the core job in the MDM implementation; derive a data model that unifies the customer view across the enterprise and complies with industry standards.
Data quality management: analyze the quality of customer data across the existing repositories; survivorship rules analysis; define protection and cleansing actions.
Extraction and transformation: serve the initial load of customer data into the new MDM customer data model.
On-line integration: the integration strategy drives the on-line integration put in place between the MDM system and the other external systems for customer data synchronization.
Data steward and data administration: managing the data stored in the MDM is necessary to ensure that it is accurate and up to date. To ensure the consistency of the data, MDM introduces several roles; they configure the data quality engine, monitor the current data status and resolve any conflicts that exist.
Front-end / legacy system changes: some changes might be needed in the front end or the external legacy systems. Common reasons include the need to store the unique customer number generated by the MDM system, and provision to store/display multiple addresses for a customer, etc.
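The suspect-duplicate processing listed under the MDM solution components and the survivorship rules mentioned under data quality management above, as an added example in Python (not Ejada's or IBM's code, and not part of the original deck): records from three source systems are standardized, candidate pairs are found by blocking, scored with a deterministic rule (same national ID) and a weighted fuzzy score, auto-merged above one threshold, queued for the data steward between two thresholds, and merged with a "most recent non-empty value wins" survivorship rule. Field names, the standardization rules (including the assumed default country code 966), the thresholds and the four customer records are all assumptions for the example.

```python
"""Added example (not Ejada's or IBM's code): suspect-duplicate processing with
survivorship rules over constructed customer records. Field names, the
standardization rules (including the assumed default country code 966) and the
match thresholds are assumptions for the example."""
import re
from collections import defaultdict
from difflib import SequenceMatcher

AUTO_MERGE = 0.85      # score at or above: merge automatically
REVIEW = 0.60          # score at or above: queue for the data steward

def std_phone(p):
    """Digits only, strip international/trunk prefixes, assume country code 966 for 9-digit numbers."""
    d = re.sub(r"\D", "", p)
    if d.startswith("00"):
        d = d[2:]
    if d.startswith("0"):
        d = d[1:]
    return "966" + d if len(d) == 9 else d

def std_name(n):
    return " ".join(re.sub(r"[^a-z ]", " ", n.lower()).split())

def standardize(rec):
    """Standardization step (what a tool like QualityStage would do); returns a new dict."""
    return {**rec,
            "name": std_name(rec["name"]),
            "phone": std_phone(rec["phone"]),
            "email": rec.get("email", "").strip().lower(),
            "national_id": re.sub(r"\D", "", rec.get("national_id", ""))}

def match_score(a, b):
    """Deterministic rule first (same national ID), then a weighted fuzzy score."""
    if a["national_id"] and a["national_id"] == b["national_id"]:
        return 1.0
    s = 0.0
    if a["phone"] and a["phone"] == b["phone"]:
        s += 0.5
    if a["email"] and a["email"] == b["email"]:
        s += 0.3
    s += 0.4 * SequenceMatcher(None, a["name"], b["name"]).ratio()
    return min(s, 1.0)

def candidate_pairs(records):
    """Blocking: only compare records that share a phone, a national ID or a name prefix."""
    blocks = defaultdict(set)
    for i, r in enumerate(records):
        if r["phone"]:
            blocks[("phone", r["phone"])].add(i)
        if r["national_id"]:
            blocks[("nid", r["national_id"])].add(i)
        blocks[("name", r["name"][:3])].add(i)
    return sorted({(i, j) for members in blocks.values() for i in members for j in members if i < j})

def find_suspects(records):
    """Split candidate pairs into auto-merge and steward-review buckets by score."""
    out = {"auto": [], "review": []}
    for i, j in candidate_pairs(records):
        s = round(match_score(records[i], records[j]), 2)
        if s >= AUTO_MERGE:
            out["auto"].append((i, j, s))
        elif s >= REVIEW:
            out["review"].append((i, j, s))
    return out

def survive(a, b):
    """Survivorship: the most recently updated non-empty value wins; source IDs are unioned."""
    newer, older = (a, b) if a["updated"] >= b["updated"] else (b, a)
    merged = {k: newer.get(k) or older.get(k)
              for k in set(a) | set(b) if k not in ("updated", "sources")}
    merged["updated"] = newer["updated"]
    merged["sources"] = sorted(set(a["sources"]) | set(b["sources"]))
    return merged

def process(records):
    """Standardize, auto-merge clusters of suspects, and return (golden records, review queue)."""
    std = [standardize(r) for r in records]
    suspects = find_suspects(std)
    parent = list(range(len(std)))          # tiny union-find so chained matches form one cluster
    def root(i):
        while parent[i] != i:
            i = parent[i]
        return i
    for i, j, _ in suspects["auto"]:
        parent[root(j)] = root(i)
    golden = {}
    for i, r in enumerate(std):
        g = root(i)
        golden[g] = survive(golden[g], r) if g in golden else r
    return list(golden.values()), suspects["review"]

# Constructed records from three source systems (not real customers).
SAMPLE = [
    {"name": "Mohammed Al-Otaibi", "phone": "+966 50 123 4567", "email": "M.Otaibi@Example.com",
     "national_id": "1012345678", "updated": "2011-02-10", "sources": ["CRM:1001"]},
    {"name": "mohammed alotaibi", "phone": "0501234567", "email": "",
     "national_id": "", "updated": "2011-05-20", "sources": ["BILLING:77"]},
    {"name": "Sara Hassan", "phone": "0559876543", "email": "sara@example.com",
     "national_id": "1098765432", "updated": "2011-01-01", "sources": ["CRM:1002"]},
    {"name": "Sarah Hasan", "phone": "0551111111", "email": "Sara@Example.com",
     "national_id": "", "updated": "2011-04-04", "sources": ["POS:5"]},
]

if __name__ == "__main__":
    goldens, review = process(SAMPLE)
    for g in goldens:
        print(g)
    print("for steward review:", review)
```

The two Al-Otaibi records differ only in phone formatting and a hyphen, so after standardization they share a phone block and score above the auto-merge threshold; the surviving golden record takes the billing system's newer name but keeps the CRM record's e-mail and national ID because the newer record left them empty. The Sara/Sarah pair shares an e-mail but not a phone, lands between the thresholds, and is left for the data steward rather than merged, which is the alerting path the component list describes.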