Encryption is Fundamental: A Technical Overview of Guardium Data Encryption October 2014




IBM Security Systems. Encryption is Fundamental: A Technical Overview of Guardium Data Encryption. October 2014. Speakers: Tim Parmenter, InfoSphere Guardium Technical Professional; Mark Jamison, Accelerated Value Specialist. 2013 IBM Corporation.

Logistics: This tech talk is being recorded. If you object, please hang up and leave the webcast now. We'll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/wh9x0o. You can listen to the tech talk using the audiocast and ask questions in the chat to the Q and A group. We'll try to answer questions in the chat or address them at the speaker's discretion. If we cannot answer your question, please include your email so we can get back to you. When the speaker pauses for questions, we'll go through the existing questions in the chat.

Reminder: Guardium Tech Talks.
Next tech talk: Finding a needle in a haystack: A real-world case study identifying security risk with InfoSphere Guardium. Speakers: Joe DiPietro and Oded Sofer. Date & Time: Wednesday, Nov 12th, 2014, 11:30 AM Eastern Time (75 minutes). Register here: http://bit.ly/yqd6mo
Next tech talk +1: InfoSphere Guardium for DB2 for z/OS (Part 2) and Guardium for Data Sets. Speaker: Ernie Mancill. Date & Time: Tuesday, Nov 18th, 2014, 11:30 AM Eastern Time (75 minutes). Register here: http://bit.ly/10lx5gx

Agenda: The Need for Encryption; Encryption Techniques; How Data Encryption Protects Data; Encryption Architecture & Integration; Q & A.
Key Take Aways: InfoSphere Guardium is the leader in data protection and synergizes with the rest of the IBM Security Portfolio to extend protection reach. Encrypting data is essential to ensure security and compliance for all sensitive data.

2014: The Year of Encryption

Data Governance and Security have changed! Drivers: Data Explosion; Consumerization of IT; Everything is Everywhere; Attack Sophistication. Security is moving from traditional perimeter-based controls (antivirus, IPS, firewall) to a logical-perimeter approach focused on the data and where it resides. Cloud, mobile and data momentum are breaking down the traditional perimeter and forcing us to look at security differently. The focus needs to shift from the perimeter to the data that needs to be protected.

Introducing IBM InfoSphere Guardium Data Encryption: ensure compliance and protect enterprise data with encryption.
Requirements: protect sensitive enterprise information and avoid data breaches; minimize impact to production; enforce separation of duties by keeping security and data administration separate; meet government and industry regulations (e.g. PCI-DSS).
Benefits: protect data from misuse; satisfy compliance requirements, including proactive separation of duties; scale to protect structured and unstructured data across heterogeneous environments without enterprise changes.

InfoSphere Guardium Data Encryption Value Proposition: continuously restrict access to sensitive data, including databases, data warehouses, big data environments and file shares, to:
1. Prevent data breaches: prevent disclosure or leakage of sensitive data.
2. Ensure the integrity of sensitive data: prevent unauthorized changes to data, database structures, configuration files and logs.
3. Reduce cost of compliance: automate and centralize controls across diverse regulations (such as PCI DSS, data privacy regulations, HIPAA/HITECH etc.) and across heterogeneous environments (databases, applications, data warehouses and Big Data platforms like Hadoop); protect data in an efficient, scalable and cost-effective way.
4. Increase operational efficiency: no degradation of infrastructure or business processes.

Regulations Requiring Data Encryption (Regulation/Driver; Who is Affected?; Requirements):
PCI DSS (Visa, MC, Discover, AMEX): major retailers and processors worldwide; encryption of credit card data with associated secure key management processes.
HIPAA Security Standard (OCR): organizations that handle patient health information; confidentiality, integrity and availability of patient health information.
Data Breach Disclosure in over 50 countries (examples: EU, South Korea, Turkey): publicly held organizations or government agencies; notifications and investigations of security breaches.
Local Government Data Protection Acts (local governments around the world): publicly held organizations or government agencies; encryption of sensitive data.
Executive Mandates: private and public organizations; encryption of employee and customer data.
IP/Trade Secret Protection: private and public organizations; encryption of and access control for intellectual property.

Encryption Approaches:
Storage Level: encryption performed on the path to the disks or on the disk itself.
Application Level / Column Level: use application coding to encrypt data within columns of database data; tokenization.
Database TDE (tablespace), Microsoft/Oracle: encryption of database tablespaces.
File Level (GDE): data is encrypted at the file system level as it is created in the file.

Guardium Data Encryption Use Cases (Big Picture):
Data Files. Usage: sensitive data used by systems and end users and touched by privileged users (DBAs); Activity Monitoring requirement for separation of duties and a consistent audit policy. Also: encrypt tablespace, log and other data files at the file system to protect against system OS privileged user credentials. Common databases: DB2, Informix, Oracle, MSSQL, Sybase, MySQL.
Unstructured Data. Usage: monitor WHO is touching the files and for WHAT purpose; encrypt and control access to any type of data used by a LUW server. Common data types: logs, reports, images, ETL, audio/video recordings, documents, Big Data. Examples: FileNet, Documentum, Nice, Hadoop, home grown, etc.
Cloud. Usage: monitor and know WHO is touching your data stored in the cloud and for WHAT purpose; encrypt and control access to data used by cloud instances. Common cloud providers: IBM, Amazon EC2, Rackspace, MS Azure.

GDE File/Table/Volume based Encryption. Layers on the host: Authentication/Authorization; Applications; Databases/Applications; File System; Volume Manager; SAN / NAS / DAS / VM / Cloud. The Data Security Manager provides centralized key management, the policy decision point, a highly available rules-policy engine and detailed auditing, and reaches the hosts over the LAN/WAN. The Security Manager agent on the host implements encryption, access control and auditing at file level or device level, with support for file systems and raw partitions. Protect ALL sensitive data wherever/however it's stored.

Enterprise/HA Architecture: web servers and application servers at the primary site and at a remote site each run the GDE File System Agent over encrypted folders/guardpoints. A Data Security Manager (DSM) at the primary site and a secondary DSM at the remote site are linked by a secure high availability connection.

InfoSphere Guardium Data Encryption (GDE) addresses compliance requirements and protects data at the file system level.
File and Volume Encryption: high performance / low overhead (Intel/AMD x86 processor AES-NI hardware encryption available); transparent, with no changes to application or management required; broad OS, file system and volume support.
Data File and Distributed File System Encryption: heterogeneous, transparent and high performance; encrypts the tablespace at the file and volume level; broad support for multiple database and big data vendors.
Policy Based Access Control to Encrypted Data: policy-based and transparent; linked to LDAP and system level accounts; by process, user, time and more; prevents privileged user access to protected data while allowing normal application and systems management use.
Key Management: securely stores and manages the keys used in the implementation.

File Encryption Management: file system metadata (in the figure: Name: Jsmith.doc, Created: 6/4/99, Modified: 8/15/02) stays in clear text whether or not the file is encrypted. The file data (in the figure a name, credit card number, balance and social security number) is seen in clear text by the application but is stored on disk as ciphertext. File systems always read and write in fixed block sizes. Encryption takes place on the block I/Os to a protected file: GDE simply encrypts the block writes and decrypts the block reads.
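The block-level model above, as an added illustration that is not IBM's or Vormetric's code: a SHA-256 counter keystream stands in for the real block cipher (the Python standard library has no AES), the 512-byte block size, key and sample record are constructed, and the point shown is that metadata stays in clear text while only data blocks are transformed on write and read.

```python
import hashlib

BLOCK = 512  # assumed fixed block size of the underlying file system


class ProtectedFile:
    """A file under a guard point. Metadata (name, timestamps) stays in clear
    text; only data blocks are transformed, and each block's keystream is bound
    to its own index so one block can be read or rewritten without its neighbours."""

    def __init__(self, name, key, created, modified):
        self.meta = {"name": name, "created": created, "modified": modified}
        self._key = key
        self._disk = {}  # block index -> ciphertext exactly as it sits on disk

    def _keystream(self, index, length):
        # A SHA-256 counter keystream stands in for AES (the stdlib has no AES).
        # Rewriting a block reuses its keystream, which is why real agents use a
        # proper block-cipher mode; the I/O model is the point here, not the cipher.
        out, counter = b"", 0
        while len(out) < length:
            out += hashlib.sha256(
                self._key + index.to_bytes(8, "big") + counter.to_bytes(4, "big")
            ).digest()
            counter += 1
        return out[:length]

    def _xor(self, index, data):
        return bytes(a ^ b for a, b in zip(data, self._keystream(index, len(data))))

    def block_write(self, index, clear):
        """The application writes clear text; the agent encrypts the whole block
        before it reaches the file system."""
        if len(clear) > BLOCK:
            raise ValueError("one block at a time")
        self._disk[index] = self._xor(index, clear.ljust(BLOCK, b"\0"))

    def block_read(self, index):
        """A block read from disk is decrypted before the application sees it;
        never-written blocks read back as zeros."""
        if index not in self._disk:
            return b"\0" * BLOCK
        return self._xor(index, self._disk[index])

    def raw_block(self, index):
        """What a process without the key (root copying the file, tar taking a
        backup) gets: the stored ciphertext."""
        return self._disk[index]


def demo():
    """Constructed sample matching the slide's figure; not real data."""
    f = ProtectedFile("Jsmith.doc", b"constructed-demo-key", "6/4/99", "8/15/02")
    record = b"Name: J Smith; Bal: $5,145,789"
    f.block_write(0, record)
    f.block_write(2, b"a later block")
    return f, record
```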

Policy Rules:
WHO is attempting to access protected data? Configure one or more users, groups, or applications users may invoke that can access protected data.
WHAT data is being accessed? Configure a mix of files and directories.
WHEN is the data being accessed? Configure a range of hours and days of the week for authorized access.
HOW is the data being accessed? Configure the file system operations allowed to access the data, e.g. read, write, delete, rename, etc.
EFFECT: Permit; Deny; Apply Key; Audit.

Describing Policy Processing:
1. The subject makes an access request.
2. The agent intercepts the I/O and checks the subject's credentials: User = oracle, Process = oracle.exe.
3. The agent checks the policy rules in order. Rule 1: User = root (no match). Rule 2: User = oracle and Process = tar (no match). Rule 3: User = oracle and Process = oracle.exe (match).
4. The effect of the matching rule is applied.
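The rule walk on this slide, written out as an added example (not IBM's or Vormetric's own policy engine): rules are evaluated in order and the first match decides the effect. The guard point path, the effects attached to Rules 1 and 2, the backup window on Rule 2 and the action restriction on Rule 3 are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatch
from typing import List, Optional, Set

@dataclass
class Rule:
    name: str
    effect: str                             # EFFECT: permit, deny, apply_key or audit
    users: Optional[Set[str]] = None        # WHO: None means any user
    processes: Optional[Set[str]] = None    # WHO: process acting for the user
    resources: Optional[List[str]] = None   # WHAT: glob patterns under a guard point
    hours: Optional[range] = None           # WHEN: hours of the day, 24h clock
    days: Optional[Set[int]] = None         # WHEN: weekdays, Monday = 0
    actions: Optional[Set[str]] = None      # HOW: read, write, delete, rename, ...

@dataclass
class Request:
    user: str
    process: str
    path: str
    action: str
    when: datetime

def rule_matches(rule: Rule, req: Request) -> bool:
    """Every dimension the rule configures must match; an unset one matches all."""
    return all([
        rule.users is None or req.user in rule.users,
        rule.processes is None or req.process in rule.processes,
        rule.resources is None or any(fnmatch(req.path, p) for p in rule.resources),
        rule.hours is None or req.when.hour in rule.hours,
        rule.days is None or req.when.weekday() in rule.days,
        rule.actions is None or req.action in rule.actions,
    ])

def decide(rules: List[Rule], req: Request, default: str = "deny"):
    """Walk the rules in order: the first match supplies the effect (step 4 on
    the slide) and its name for the audit record. No match falls through to deny."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.effect, rule.name
    return default, "no-match"

# Constructed policy mirroring the slide's three rules. Effects are assumed:
# "permit" without a key lets root manage and tar back up the files, but they
# only ever see ciphertext; only the database engine gets the key applied.
GUARD = ["/u01/oradata/*"]  # assumed guard point
RULES = [
    Rule("Rule 1", "permit", users={"root"}, resources=GUARD),
    Rule("Rule 2", "permit", users={"oracle"}, processes={"tar"},
         resources=GUARD, hours=range(1, 5)),  # assumed 01:00-05:00 backup window
    Rule("Rule 3", "apply_key", users={"oracle"}, processes={"oracle.exe"},
         resources=GUARD, actions={"read", "write"}),
]

# The slide's own request (user oracle, process oracle.exe) on the tech talk date
NOW = datetime(2014, 11, 12, 10, 30)
SLIDE_REQUEST = Request("oracle", "oracle.exe", "/u01/oradata/system01.dbf", "read", NOW)
```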

Enterprise-Ready, Cloud-Ready.
Automation: API and script accessible controls; web and command line APIs for policy management, deployment and integration; enables fast rollouts and easy integration with other infrastructure and policy management solutions.
Logs to identify the latest threats / malicious insiders: RFC 5424 and CEF compatible log formats for use with a SIEM; detailed access records and access attempts, for individual protected locations and for the management infrastructure; identify anomalous usage from APTs and malicious insiders.
Data Security Management Software Appliance (a hardware appliance is available through a separate contract if an HSM is required in the bid): centralized, scalable, highly available common management across all environments; clusterable for scalability, redundancy and remote location support; simple web-based management UI; separation of duties and roles supports tenancy models and compliance requirements; audit reporting for encrypted data access and data protection infrastructure use.

Administrator Roles: roles provide separation of duties for administrators.
System Administrator role: responsible for adding administrator IDs to the system, configuring the system's logging and high availability, and creating domains.
Domain Administrator role: responsible for assigning roles to IDs within a domain.
Security Administrator role: responsible for implementing their assigned roles (i.e. creating keys, creating policies, managing hosts) and performing the more regular routines of implementing encryption on managed systems.

Protecting Big Data: all data sources potentially contain sensitive information, and data is distributed as needed throughout the cluster by the Big Data application. Deploy IBM InfoSphere Guardium Data Encryption Agents to all systems hosting data stores; the agents protect the data store at the file system or volume level. Cloudera CDH4 Certified.

IBM Security Systems: GDE Case Study for HIPAA Compliance

GDE Case Study for HIPAA Compliance. Large retail customer: highly distributed (more than 2000 stores, each with a local copy of files and databases); significant throughput (handles hundreds of prescriptions at each store every day); central management important; needs a means to encrypt data at rest to meet HIPAA compliance; needs a low cost alternative to an encrypted SAN.

GDE Case Study for HIPAA Compliance. The Solution? IBM Guardium Data Encryption: a GDE agent on each box, and a DSM cluster to manage policies for all systems. Why GDE? Seamlessly transparent: performance testing was needed, but no applications were recompiled and no database changes were required. Limited bandwidth usage: since policies are cached, a system can be brought up with limited network access, and aside from bootup the agent only sends periodic heartbeats to the DSM, so the impact on the network is minimal.

GDE Case Study for HIPAA Compliance. Why GDE (continued): Built-in access management if needed: compliance currently does not require data to be locked from users at certain times, but if the requirement changes no new product license is required. Command line interface available for large deployments: the vmssc tool allows you to bypass the DSM GUI to add hosts and guardpoints, and even to automate adding all the guardpoints to a large range of systems. The ability to cluster DSMs gives an easy setup for making your policy manager highly available.

GDE Case Study for HIPAA Compliance. Key considerations learned: Backup and recovery process time increased. Database query performance largely unaffected: the initial query of tables might be up to 5% slower, but bufferpool caching eliminated any subsequent performance issues. Restoring onto a new guardpoint is significantly faster in nearly all cases; the dataxform tool is best used when restore is not an option. The biggest performance hit is in the initial opening of a file.


Thank you. (Closing slide with "thank you" in several languages: Dziękuję, Gracias, Merci, Obrigado, Danke, Tack, Grazie and others.)