InfoSphere Guardium Tech Talk
Data privacy and dynamic masking for web applications: InfoSphere Guardium for Applications
Nick Briers, WW Product Manager
Ariel Farkash, Lead Developer
Logistics
- This tech talk is being recorded. If you object, please hang up and leave the webcast now.
- We'll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/wh9x0o
- You can listen to the tech talk using the audiocast and ask questions in the chat to the Q and A group.
- We'll try to answer questions in the chat or address them at the speaker's discretion. If we cannot answer your question, please include your email so we can get back to you.
- When the speaker pauses for questions, we'll go through the existing questions in the chat.
Reminder: Next InfoSphere Guardium Tech Talk
- Next tech talk: look for an upcoming tech talk in January 2015!
- A link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/wh9x0o
- Please submit a comment on this page with ideas for tech talk topics.
Meet fellow Guardium users
- The next InfoSphere Guardium user group meeting will be held in Foster City, California on Wednesday, January 28th.
- Guarantee your spot and register today!
Agenda
- Introduction and overview
- Use cases
- Live demo
What is InfoSphere Guardium for Applications?
- Provides real-time masking of web application data
- No changes to application or database required
- Works for legacy and packaged applications
- Helps meet compliance to security and privacy requirements
[Diagram: the Data Center record reads Name: John Smith, SSN: 111-11-1111, Balance: $127.50; after passing through Guardium Application Dynamic Data Masking, the Outsourced Call Center sees Name: John Smith, SSN: ***-**-1111, Balance: $127.50]
Introduction: Why do companies need it?
- Preventing exposure of sensitive or private data by their web applications to people who should not be able or allowed to see that data
- Meeting their compliance and legal requirements and avoiding penalties
- Making the best use of existing applications in new business environments whilst still maintaining control of sensitive and private data
- Keeping the company's assets and data under control even when they do not own the database or application code
Introduction: Who needs it?
- Line of business stakeholders, as they need to be able to move quickly to make the best business decisions
- Outsourcing managers, as they are looking to utilise offshore resources effectively
- CISOs, who will be aware of the compliance and security concerns
Advantages of InfoSphere Guardium for Applications
- Simple to deploy and use
  - Policy-driven approach using the tried and trusted Guardium architecture and technology
  - Testing is easy with preview capabilities
  - No application code changes required
- Wide application coverage
  - Real-time masking done at the protocol level, "on the glass", independent of the application or the data source, enabling consolidation of your application security policies
- Follows security best practices
  - Promotes separation of duties by moving security and compliance decisions out of the application code
  - Privacy settings and policy management are done outside of the application
Data is the key target for security breaches
WHY? Most breaches exploit an application vulnerability, and most breached records are extracted from databases.
- Applications are more exposed: 80% of breaches come through the applications
  - Applications present high-value data, with potential for leakage and risk
  - Applications have direct access to the back-end databases
- Databases are considered the holy grail when it comes to data breaches. Why?
  - High volumes
  - Organized nicely (structured)
  - Easy to extract data
Source: 2012 Data Breach Report from Verizon Business RISK Team, http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
"Go where the money is and go there often." - Willie Sutton
The application security threat
[Chart: Web Application Vulnerabilities; XSS and SQL Injection Exploitations]
- 33% of vulnerability disclosures are web application vulnerabilities (Source: IBM X-Force Threat Intelligence Quarterly, 1Q 2014)
- XSS and SQL injection exploits are continuing in high numbers (Source: IBM X-Force Threat Intelligence Quarterly, 1Q 2014)
- Many applications are not built with security in mind
  - IT often underestimates the risk applications introduce
  - IT often overlooks application weaknesses
- Applications have become the weakest link that attackers exploit to carry out a data breach and gain access to the back-end data repositories
- Most application security policies today focus on application vulnerabilities; protection of application data is the key threat and risk to applications
Application security spending
Where are your security risks versus your spend?
[Chart: Security Risk versus Spending (percent), by layer: Application Layer, Data Layer, Network Layer, Human Layer, Host Layer, Physical Layer]
Many clients do not prioritize application security in their environments.
Source: The State of Risk-Based Security Management, Research Study by Ponemon Institute, 2013
Solid Architectural Foundation: Guardium
Two different environments, same data monitoring architecture
[Diagram: two parallel stacks]
- Application Security (Application Owners): Application Dynamic Data Masking for Apps; Data Privacy; enforced at the Application/Web Server by the Guardium Web Proxy (Dynamic Data Masking for Applications)
- Database Security (Database Administrators): Database Activity Monitoring and Database Protection; Activity Monitoring, Data Integrity and Privacy; enforced at the Database Servers by STAP, Collector and Aggregator
InfoSphere Guardium for Applications: USE CASES
USE CASE: Browser Masking
Shield sensitive application data from unauthorized users
- Facilitates outsourcing securely and with privacy
- Easily share only the right type of data, even with mobile devices
[Diagram: an Authorized User sees the full screen; an Unauthorized User sees the masked screen]
Application Dynamic Data Masking Sample Use Case: Call Center Outsourcing
- A health insurance company outsources its call center
- Customer Service Representatives (CSRs) access company applications remotely
- InfoSphere Guardium is installed in the middle to guarantee that application screens undergo the masking process
- CSRs utilize the application as usual
- Sensitive information unessential for CSR operation is masked out
[Diagram: the Data Center record reads Name: John Smith, SSN: 111-11-1111, Balance: $127.50; after Guardium Application Dynamic Data Masking, the Outsourced Call Center sees Name: John Smith, SSN: ***-**-1111, Balance: $127.50]
Application Dynamic Data Masking Sample Use Case: Call Center Outsourcing (with tokenization)
- A health insurance company outsources its call center
- Customer Service Representatives (CSRs) access company applications remotely
- InfoSphere Guardium is installed in the middle to guarantee that application screens undergo the masking process
- CSRs utilize the application as usual
- Sensitive information unessential for CSR operation is tokenized (SSN)
- The CSR updates the customer record; the tokenized SSN is used as the key to apply the changed data
[Diagram: the Data Center form reads Name: John Smith, SSN: 111-11-1111, Balance: $127.50; after Guardium Application Dynamic Data Masking, the Outsourced Call Center form reads Name: John Smith, SSN: 123-45-6789 (token), Balance: $127.50; the CSR updates the balance to $115.50 and the updated balance is written back to the Data Center]
Application Dynamic Data Masking Sample Use Cases: Application Training and Application Test
- Application Training: the customer needs to provide quick training on a new application to various external users and non-privileged internal users
- Application Test: the customer needs to provide quick verification of application changes, where the application takes input from many database types, files (batch processes) and live feeds (e-commerce bridges to external partners)
Guardium for Applications provides a simple and easy way to meet these requirements without application changes:
- Examines and masks the output of the application after the application has retrieved and processed the data, no matter where it came from
- Can handle HTTP traffic containing HTML, XML or JSON objects
- Can mask based on content or context
- Rules engine based on the Guardium policy editor and engine
- No application changes needed
- Reduces training/testing costs: no need to create a specific test environment
Application Dynamic Data Masking Sample Use Case: Compliance and Privacy
A customer is offering application services to its customers and now wants to meet PCI requirements for them. The options are:
- Rewrite the application suite to provide the necessary controls, assuming you have access to the application code and/or database
- Use a technology like Guardium for Applications to prevent the viewing of sensitive and private information, including card numbers, in line with the requirements of PCI
Guardium for Applications allows the PCI privacy and sensitivity controls:
- To be developed separately from the application, in accordance with security best practices
- To be easily changed as PCI develops, without the cost of application changes
Learn more
- Web site: http://www-03.ibm.com/software/products/en/infosphere-guardium-for-applications
- YouTube demo (PeopleSoft example): http://youtu.be/yh0xnr1crmk
- developerWorks wiki page: https://www.ibm.com/developerworks/community/wikis/home?lang=en#!/wiki/wf32fc3a2c8cb_4b9c_83e4_09b3c6f60e46/page/InfoSphere%20Guardium%20for%20Applications
TECHNICAL ARCHITECTURE
High Level Architecture
[Diagram: the Admin and Security officer author rules through the User Interface, which stores them in the Rules DB; the Runtime sits at the interception point between the App user's Browser and the App Server and reads the Rules DB]
More detailed architecture
[Diagram: Guardium for Applications components. Masking rules (policies) are authored and stored in the Rules DB. The Request from the Browser and the Response from the App Server pass through the proxy, which hands traffic over ICAP to the Masking ICAP service; that service performs parsing and logging and applies the masking rules through the masking runtime library before the Response reaches the Browser]
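As an added illustration, not the product's own code, the toy Python below models what the masking service in this architecture does to an HTTP body, using the modes named on the use-case slides: content-based masking of any SSN-shaped value in HTML, XML or JSON text, context-based masking of a named JSON field, and reversible tokenization so that a record the CSR updates is written back under the real key on the request path. The sample bodies, field names and the random SSN-shaped token format are constructed for the example.

```python
import json
import re
import secrets

# Constructed sample bodies standing in for the app server's HTTP responses.
SAMPLE_JSON = '{"name": "John Smith", "ssn": "111-11-1111", "balance": 127.50}'
SAMPLE_HTML = '<tr><td>SSN:</td><td>111-11-1111</td></tr>'

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def mask_body(body: str) -> str:
    """Content-based masking: any SSN-shaped value in HTML, XML or JSON text
    is reduced to its last four digits, as in the slide example."""
    return SSN_RE.sub(lambda m: f"***-**-{m.group(3)}", body)


def mask_json_fields(body: str, fields=("ssn",)) -> str:
    """Context-based masking: mask named JSON fields whatever their value
    looks like, keeping the last four characters for recognisability."""
    doc = json.loads(body)
    for key in fields:
        value = doc.get(key)
        if isinstance(value, str) and len(value) > 4:
            doc[key] = "*" * (len(value) - 4) + value[-4:]
    return json.dumps(doc)


class Tokenizer:
    """Reversible tokenization for the write-back use case: the response shows
    a random SSN-shaped token, and the proxy swaps the real value back in on the
    request path so the application still finds the right record."""

    def __init__(self) -> None:
        self._fwd = {}  # real SSN -> token
        self._rev = {}  # token -> real SSN

    def tokenize(self, real: str) -> str:
        if real not in self._fwd:
            while True:  # draw until the token collides with nothing we know
                tok = "%03d-%02d-%04d" % tuple(secrets.randbelow(n) for n in (1000, 100, 10000))
                if tok not in self._rev and tok not in self._fwd and tok != real:
                    break
            self._fwd[real], self._rev[tok] = tok, real
        return self._fwd[real]

    def tokenize_response(self, body: str) -> str:
        return SSN_RE.sub(lambda m: self.tokenize(m.group(0)), body)

    def detokenize_request(self, body: str) -> str:
        # Unknown SSN-shaped values (not issued by us) pass through unchanged.
        return SSN_RE.sub(lambda m: self._rev.get(m.group(0), m.group(0)), body)
```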
DEMO