IBM InfoSphere Guardium Tech Talk: Database Discovery and Sensitive Data Finder
Dan Goodes – Guardium Technical Sales Engineer
July 2013
Information Management
© 2013 IBM Corporation
Information Management – InfoSphere Guardium
Logistics
• This tech talk is being recorded. If you object, please hang up and leave the webcast now.
• We’ll post a copy of slides and link to recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
• You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.
• We’ll try to answer questions in the chat or address them at speaker’s discretion.
  – If we cannot answer your question, please do include your email so we can get back to you.
• When speaker pauses for questions:
  – We’ll go through existing questions in the chat
Reminder: Guardium Tech Talks
Next tech talk: Data security and protection for IBM i using InfoSphere Guardium
Speakers: Scott Forstie and Larry Burroughs
Date & Time: Thursday, August 29, 2013, 11:30 AM Eastern (90 minutes)
Register here: http://bit.ly/13anSA2
• Link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o
• Please submit a comment on this page for ideas for tech talk topics.
What we’ll cover today
• What is Guardium and what problems does it address?
• Overview of some capabilities
  – Database Discovery
  – Sensitive Data Finder
• Use Cases
• Integration
• Where to find more information
• Q&A
Hello Everyone and welcome to TechTalk Tuesday
Here is what we will cover today, starting with a quick introduction to Guardium
The world is becoming more digitized and interconnected, opening the door to emerging threats and leaks…
• DATA EXPLOSION: The age of Big Data – the explosion of digital information – has arrived and is facilitated by the pervasiveness of applications accessed from everywhere
• CONSUMERIZATION OF IT: With the advent of Enterprise 2.0 and social business, the line between personal and professional hours, devices and data has disappeared
• EVERYTHING IS EVERYWHERE: Organizations continue to move to new platforms including cloud, virtualization, mobile, social business and more
• ATTACK SOPHISTICATION: The speed and dexterity of attacks has increased coupled with new motivations from cyber crime to state sponsored to terror inspired
…making security a top concern, from the boardroom down
First let's talk about where we are coming from before we give you our perspectives on data security. In IT and business, we are experiencing an unprecedented openness in the use of technology, which is both an opportunity for new business and a challenge for IT, operationally and from the security perspective.
The amount of data generated and handled is exploding, giving rise to technologies like Big Data to help us make sense of it. IT walls are coming down, making room for better communication with consumers anywhere. And on the security side, we are seeing more targeted, sophisticated attacks to get access to that critical asset, SENSITIVE DATA.
Data is the key target for security breaches…
… and Database Servers Are The Primary Source of Breached Data
WHY?
• Database servers contain your client’s most valuable information
  – Financial records
  – Customer information
  – Credit card and other account records
  – Personally identifiable information
  – Patient records
• High volumes of structured data
• Easy to access
2012 Data Breach Report from Verizon Business RISK Team
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
“Go where the money is… and go there often.” - Willie Sutton
The most critical data that organizations have today is inside of the databases. Because, for the most part, it is structured, it is easy to find.
This is why it's most important to understand our data: where it lives, who has access to it, what they are doing with it, etc.
Finding all of the sensitive data can be difficult, and that is what we will focus on today.
Although Guardium’s origins are around real-time database activity monitoring for security and compliance, it has the ability to discover and classify sensitive data in order to know what data to protect.
IBM InfoSphere Guardium provides real-time data activity monitoring for security & compliance
Diagram: Data Repositories (databases, warehouses, file shares, Big Data); Host-based Probes (S-TAPs); Collector Appliance
• Continuous, policy-based, real-time monitoring of all data traffic activities, including actions by privileged users
• Database infrastructure scanning for missing patches, mis-configured privileges and other vulnerabilities
• Data protection compliance automation
Key Characteristics
• Single Integrated Appliance
• Non-invasive/disruptive, cross-platform architecture
• Dynamically scalable
• SOD enforcement for DBA access
• Auto discover sensitive resources and data
• Detect or block unauthorized & suspicious activity
• Granular, real-time policies
  – Who, what, when, how
• 100% visibility including local DBA access
• Minimal performance impact
• Does not rely on resident logs that can easily be erased by attackers, rogue insiders
• No environment changes
• Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, etc.
• Growing integration with broader security and compliance management vision
Let's take a quick look at an overview of Guardium’s benefits. Some of these have more to do with Database Activity Monitoring, which we won’t be covering today, but for those of you unfamiliar with Guardium’s capabilities, this is a high-level introduction.
Guardium provides continuous, policy-based, real-time database monitoring.
Extend real-time Data Activity Monitoring to protect sensitive data in databases, data warehouses, Big Data environments and file shares
Diagram: DATA; Big Data Environments (InfoSphere BigInsights, NEW); Integration with LDAP, IAM, SIEM, TSM, Remedy, …
Guardium would not be a complete data security solution if it only covered a few databases, so we have expanded our scope from all major database vendors, to data warehouses, ECM, file systems, and now to Big Data environments based on Hadoop and NoSQL, such as IBM InfoSphere BigInsights, Greenplum, Cloudera, Cassandra, MongoDB, CouchDB, Hortonworks, just to name a few, with more being added all the time. We aim to satisfy all data security and compliance needs in heterogeneous and large scale environments.
Now that we have had some background and an introduction to Guardium, we are going to concentrate on today’s main topics.
IBM Software Group
Guardium 9: Addressing the Full Lifecycle for Database Security, Risk Management & Governance
Discover & Classify
• Discover all databases, applications & clients
• Discover & classify sensitive data
• Automatically update access policies when sensitive data found
Assess & Harden
• Vulnerability assessment
• Configuration assessment
• Behavioral assessment
• Configuration lock-down & change tracking
Monitor & Enforce
• 100% visibility
• Policy-based actions
• Anomaly detection
• Real-time prevention
• Granular access controls
• Privileged user monitoring
• Application monitoring to identify end-user fraud
• Monitor encrypted connections
• Monitor mainframe activity
• SIEM integration
Audit & Report
• Centralized governance
• Compliance reporting
• Sign-off management
• Automated escalations
• Secure audit repository
• Data mining for forensics
• Long-term retention
(Centre of the lifecycle diagram: Critical Data Infrastructure)
Guardium addresses the full lifecycle of database security; it's modular and can be deployed in parts to satisfy current and future data security projects.
Before you know what to monitor and enforce, before you can report on and review data security for every source in your infrastructure, even before you can address database vulnerabilities and configurations, it's always best to start at the ground floor, the foundation: find where my sensitive data is. Then efforts can be spent protecting the “RIGHT” data.
In order to protect your information, you first need to understand where your sensitive data lives
Database discovery to identify where your databases are located on your network. The agentle
There is also the ability to do Instance discovery which requires an agent on the database serve
It can automatically configure the inspection engines (process names, directory structures, etc)
With Sensitive data finder - Guardium can locate databases via network IP scan and open data
locate matching patterns. e.g. Creditcard, SSN, License Number, Phone Number, National I
Any pattern can be written by a regular expression and Guardium can match these expressions
Actions can then be taken AUTOMATICALLY; e.g. log a policy violation, send a real time alert,
First let's talk about Database Discovery.
Guardium Auto-Discovery Feature
Even in stable environments, where cataloging processes have historically existed
• Uncontrolled instances can inadvertently be introduced
• Developers that create “temporary” test environments
• Business units seeking to rapidly implement local applications
• Purchases of new applications with embedded databases.
• Acquisitions and Mergers
The Auto-discovery application can be configured to probe specified network segments on a scheduled or on-demand basis, and can report on all databases
Even in stable environments, where cataloging processes have historically existed, uncontrolled instances can inadvertently be introduced through mechanisms including developers that create “temporary” test environments; business units seeking to rapidly implement local applications; and purchases of new applications with embedded databases.
One of the hardest areas in which to understand sensitive data is when data sources are acquired through acquisitions and mergers.
The Auto-discovery application can be configured to probe specified network segments on a scheduled or on-demand basis, and can report on all databases discovered, solving the problem of identifying both legacy and newly introduced databases. Similarly, the Auto-discovery application can be used to demonstrate that a process exists to identify all new instances.
This is generally a requirement with industry and corporate regulations.
Guardium Auto-Discovery
Let's go ahead and get started. I will be walking through the setup and configuration: select New and build a new Auto-Discovery process.
Screenshot labels: Single Port Number or Range; Single IP or Range
After selecting New you are presented with the database discovery configuration screen.
Here is where you will set the IP address or range of IPs to scan, as well as a port or range of ports. We will talk about best practices later in the tech talk.
Check the “Run Probe after Scan” box to send database calls to each port found open, to identify which database is listening on it. You can separate the database IP scan and the probe if needed.
Manually, this could be run right away or at a later time. An automated schedule can also be set up, so depending on the criteria of the scan you could run this after hours on a daily, weekly, monthly or quarterly basis to fit your needs.
Guardium Auto-Discovery
While the job is running you can check the progress by clicking this button. This window will show you all the statistics of the current process: whether the scan is running, how many hosts were scanned, how many open ports were found, how many were probed, how long the probe process took, etc.
The report Databases Discovered will be populated during this discovery process. Here you can see some databases that were found at 10.10.9.56.
Now let's look at how we can interact with this discovered information.
Guardium Auto-Discovery
In almost all breaches or audit findings it's been unknown systems, with unknown connections and unknown sensitive data elements.
Now that we have discovered some new databases, decisions need to be made. These are databases with potentially sensitive information.
Do we ignore them and hope they go away?
Do we shut them down because they break policy? Maybe they were created by accident and might have licensing implications.
Do we decide they are important and now need to be monitored for regulatory compliance or corporate data security policies?
With the databases that are discovered, APIs can be invoked to help reduce administration time and reduce overall costs.
Let's explore some of these built-in functions.
Guardium Auto-Discovery
For example, the ability to create an inspection engine, so the configuration to monitor that data source is already set up and ready for when the monitoring agent is installed; this also has automation capabilities to further reduce administration time, and time is money.
Here we are going to create a data source definition so we can run some of the scheduled job functions like the Classification Sensitive Data Finder, a Vulnerability Assessment scan or Least Privileges Entitlement Reporting.
If you have to import hundreds of data sources, there is an API for that as well. For security purposes the username and password can even be encrypted so no plain text is stored.
Again, this further automates implementation and administration for corporate efficiency.
Guardium Auto-Discovery
There is also the ability to discover new instances that are created on already existing database servers.
Using the Guardium Installation Manager and the Discovery module, once a new instance is created, it will automatically report on all new instances that are created. And the same question can be answered around whether to keep these instances or not.
With auto instance discovery, all the pertinent information is already captured for configuring a new inspection engine for the existing S-TAP agent for monitoring. This again will help reduce administration costs.
Guardium Auto-Discovery
To help with automation of sign-off for efficient process management, Guardium has a built-in audit compliance workflow where any report, for example the discovered databases, can automatically be sent to recipients to take action.
This will help close gaps in current processes, like where DBA managers have to report on all database instances. Traditionally, information security offices have to rely on database managers to accurately report on all database instances. What happens in organizations where the application teams own the databases and the DBA team has no control over what databases get created?
Automating this process to accurately report on all database instances will help further reduce administration costs.
Now let's look at Guardium’s Sensitive Data Finder.
Guardium Sensitive Data Finder
• The task of securing sensitive data begins with identifying it
• The Challenge
  – Database environments are highly dynamic
  – In large percentages of incidents, unknown data played a role in the compromise.
• The InfoSphere Guardium solution provides a complete means for addressing the entire database security and compliance life cycle.
• When a match is found, the rule can specify a wide variety of responsive actions, including:
  – Logging the match.
  – Sending a real-time alert detailing the match to an oversight team.
  – Automatically adding the object to an existing privacy set or group
  – Inserting a new-access rule into an existing security-policy definition.
The task of securing sensitive data begins with identifying it. This can be challenging, because database environments are highly dynamic: the content of known instances is constantly changing and most organizations lack an effective means of identifying and understanding the content of unknown instances. In mature organizations, existing databases deployed before change control mechanisms had been implemented are not uncommon. Larger organizations growing through acquisition often struggle to gauge with certainty the sensitive data risk in acquired infrastructures.
In large percentages of incidents, unknown data played a role in the compromise. To minimize this risk, organizations need a systematic way to identify all database instances and to determine on an ongoing basis which instances contain sensitive data, so that appropriate controls can be implemented.
The InfoSphere Guardium solution provides a complete means for addressing the entire database security and compliance life cycle. Once database instances of interest are identified by Auto-discovery, Sensitive Data Finder can be used to examine the content of each, to determine whether sensitive data is included, and then take appropriate action. When a match is found, the rule can specify a wide variety of responsive actions, including:
● Logging the match.
● Sending a real-time alert detailing the match to an oversight team.
● Automatically adding the object to an existing privacy set or group (objects with similar properties, such as those containing payment card data), ensuring related security policies are automatically applied to the newly discovered object.
● Inserting a new-access rule into an existing security-policy definition.
Discovering Sensitive Data in Databases
• Catalog Search: Search the database catalog for table or column name
  – Example: Search for tables where column name is like “%card%”
• Search for Data: Match specific values or patterns in the data
  – Example: Search for objects matching guardium://CREDIT_CARD (a built-in pattern defining various credit card patterns)
• Search for Unstructured Data: Match specific values or patterns in an unstructured data file (CSV, Text, HTTP, HTTPS, Samba)
Now that we have discovered new databases, we need to find out if there is any sensitive data
This will help determine whether we can ignore this data source from a data security perspectiv
Like installing a Guardium STAP agent for real-time monitoring, alerting and blocking capabilitie
The reverse also applies, the sensitive data finder will also prove that no sensitive data resides
Most auditors today are familiar with the Guardium capabilities, Imagine being able to give your
They can move on to the more critical applications and databases
This will reduce the audit time and again further reduce costs.
Guardium Sensitive Data Finder
Now let's step through the process of creating a Classification Policy.
Guardium Sensitive Data Finder
Give some details to the Classification Policy: a name. You can specify a Category and Classification so they are easily identified during automation, as well as adding descriptions so that the user responsible for signing off on this workflow will have all of the necessary details.
Roles can be assigned to this operation, further securing and specifying who can do what with the Guardium product.
Guardium Sensitive Data Finder
Next we can add the rules for what specific data we want to classify, and the action that will fire once a specified match is found.
Guardium Sensitive Data Finder
Again, further classify the operation with a category and classification process. In this example we are looking for some credit card information.
We can specify if we are searching for Data or doing a Catalog search; this can be useful when looking for specific tables of a newly acquired data source. Find those tables, or wildcard the name %credit%. This will reduce the time it takes to actually search for data.
If I know there is a table named Creditcard, I know this data source is of interest and will continue with a more specific search. However, if I don’t find any tables of interest I can set up a scan for a later date and concentrate on the low-hanging-fruit data sources.
Also we have the ability to search for patterns in some unstructured data files, like CSV, Text, HTTP, HTTPS, Samba.
Guardium Sensitive Data Finder
Here is a set of rules that this job will execute, specifically targeting criteria based on financial institutions’ formatting: looking for VISA, Mastercard, American Express, etc.
When you specify more detailed information in your search criteria you will reduce the false positives and increase the hit percentage of the data you are looking for. This is important for performance and for overall classification projects.
Guardium Sensitive Data Finder
Inside the Classification Rule you can search Synonyms, System Tables, Schema Tables, as well as views; this is important for not only knowing if there is sensitive data but how it's presented to users.
Here you can see the search expression for this Visa rule: using the caret or circumflex character with a 4 (^4) you can specify that you want to find just numbers that start with a 4, which may be Visa numbers.
When trying to reduce false positives it's important to specify more complex regular expressions to find exactly what you are looking for. I will go into best practices around performance of these jobs and false positives in a later section.
Once a match is found there are Classification Rule Actions that can be set to automatically fire.
An example would be to automatically populate a group, for instance the Cardholder Sensitive Object or Discovered CreditCards group. This way, when doing reporting, alerting or policy management for database activity monitoring, using grouping in Guardium reduces administration costs.
Guardium Sensitive Data Finder
Once the Sensitive Data Finder Classification job is configured it can be run right away manually, or it can be scheduled as part of the compliance workflow for automation. There is a Guardium Job Queue which will show you all running processes.
The data sources to scan can be configured manually, or as one of the shared data sources that was already discovered in the Auto-Discovery process. That was the example we walked through earlier.
This is an example of the results: the schema name, column name and table name of the matched object, and a comments field with all of the information will be presented. In the comments field you can see the object was added to a group called All Credit Cards Discovered.
We had rules set up for the specific card companies, but not for objects where a plain 16-digit number was found. There are many scenarios that can be used to reduce false positives. This custom authentication process table could hold transaction or ticket numbers that are 16 digits, maybe requiring some additional scans now that we know there may be a similarity.
Regular expressions can be very customizable.
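As an added example (not code from the talk or from Guardium), here is a small Python model of the catalog search, the data search with brand-specific rules versus a plain 16-digit rule, and the add-to-group action discussed in the Visa rule and results slides above. The sample data source, the rule patterns and the min_hit_ratio threshold are constructed for this example.

```python
import re

# Data-search rules modelled on the talk's per-brand rules plus the plain
# 16-digit case it mentions. The anchors and brand prefixes (Visa "^4", etc.)
# are what stop 16-digit ticket numbers from matching the brand rules. These
# patterns are constructed here, not the built-in guardium://CREDIT_CARD.
DATA_RULES = {
    "Visa":       re.compile(r"^4\d{15}$"),
    "Mastercard": re.compile(r"^5[1-5]\d{14}$"),
    "Amex":       re.compile(r"^3[47]\d{13}$"),
    "Plain16":    re.compile(r"^\d{16}$"),
}

# Catalog-search rule: column name like "%card%" (case-insensitive).
CATALOG_RULE = re.compile(r"card", re.IGNORECASE)

# Constructed sample data source: {schema: {table: {column: [values]}}}.
# AUTH_PROCESS.TICKET_NO holds 16-digit ticket numbers, the false-positive
# case the talk describes.
SAMPLE_DB = {
    "SALES": {
        "CARDHOLDER": {
            "CARD_NO": ["4111111111111111", "5500000000000004",
                        "378282246310005"],
            "NAME": ["Alice", "Bob", "Carol"],
        },
        "AUTH_PROCESS": {
            "TICKET_NO": ["1234567890123456", "2234567890123456"],
        },
    },
}


def catalog_search(db, pattern=CATALOG_RULE):
    """Catalog search: (schema, table, column) whose column name matches.
    Cheap, because it never reads row data."""
    return [(schema, table, col)
            for schema, tables in db.items()
            for table, cols in tables.items()
            for col in cols
            if pattern.search(col)]


def data_search(db, rules=DATA_RULES, min_hit_ratio=0.2):
    """Data search: for each column, the fraction of values each rule matches.
    A rule counts as a hit only at or above min_hit_ratio (an assumed
    threshold standing in for the talk's 'hit percentage')."""
    results = {}
    for schema, tables in db.items():
        for table, cols in tables.items():
            for col, values in cols.items():
                ratios = {}
                for name, rx in rules.items():
                    hits = sum(1 for v in values if rx.match(str(v).strip()))
                    ratio = hits / len(values) if values else 0.0
                    if ratio >= min_hit_ratio:
                        ratios[name] = round(ratio, 3)
                if ratios:
                    results[(schema, table, col)] = ratios
    return results


def build_groups(results):
    """Classification rule action: objects matched by a brand rule go into the
    group that real-time policies reference; objects matched only by the
    plain 16-digit rule are held for review instead of being auto-grouped."""
    groups = {"All Credit Cards Discovered": [], "Review: 16-digit only": []}
    for obj, ratios in results.items():
        if any(name != "Plain16" for name in ratios):
            groups["All Credit Cards Discovered"].append(obj)
        else:
            groups["Review: 16-digit only"].append(obj)
    return groups


if __name__ == "__main__":
    print("catalog hits:", catalog_search(SAMPLE_DB))
    found = data_search(SAMPLE_DB)
    for obj, ratios in found.items():
        print(obj, ratios)
    print(build_groups(found))
```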
And if we check that group, you will see the matching information.
Schema name, table name, column name.
Now anytime a report, an alert or a policy rule references this group the newly
discovered object will be referenced.
Guardium Sensitive Data Finder
Now that the sensitive data object is in the right group it can be applied to the real-time policies. In this case we are applying a blocking rule: anytime someone who isn’t in the application schema users group (like a privileged user) commits a select statement against the group of discovered credit cards, apply S-GATE, which will terminate their connection.
Guardium Sensitive Data Finder - Automation
Further automating processes and sign off management, the Sensitive Data
Finder Classification process can be kicked off by our Audit Compliance
Workflow.
This will be sent off to recipients for their review and signatures. Comments,
Escalation, rejection and further review operations can apply.
Now let's talk about some use cases: for example deployments, and best practices around performance and lowering false positives.
Use Cases
Deployments - TechTalk
The last two tech talks were around successful deployments, and from that standpoint Guardium Sensitive Data Finder can be used to accelerate the deployment process, because knowing the data is important for building relevant reports, alerts and policy rules to apply.
Deployment services use a lot of the extrusion rules in the activity monitoring to determine and review the objects as part of their services. However, with growth and acquisition of data sources, Sensitive Data Finder will be a useful tool for identifying those new sensitive objects, making the product grow with your infrastructure.
The Compliance Mandate – What do you need to monitor?
DDL = Data Definition Language (aka schema changes)
DML = Data Manipulation Language (data value changes)
DCL = Data Control Language
And there’s the Compliance Factor: you HAVE to do this! HIPAA, SOX, PCI, they require that you CERTIFY that your company is doing this! You NEED granular visibility!
This is mostly around DAM; however, in order to know what data applies to these activities, you need to discover what data matches. For example, HIPAA is all about PII/PHI data: how do you know what DDL, DML and DCL is happening on HIPAA sensitive objects if they haven’t been identified yet?
Use Cases Deployments – Compliance Accelerators
To accelerate the real-time database activity monitoring capabilities of Guardium
one needs to understand how the sensitive data is accessed.
Guardium comes with out of the box compliance regulation accelerators. First
step is understanding the PCI sensitive data that exists in the database.
Once the Sensitive Data Finder Classification process is complete, those PCI
objects have automatically been grouped together so that these out of the box
reports can be relevant.
Lets take a look at an example.
Use Cases Deployments – Compliance Accelerators
For instance, regulation 10.2.2 is about admin activity. Does it need to see all admin activity? No, just the admin activity that pertains to the PCI regulations.
So by grouping the admins with the PCI servers, only that activity that pertains to the PCI sensitive objects will be reported. This will instantaneously give your PCI auditors precisely what they need for the audit. No more having to rifle through hundreds of lines of activity to find what you need, eliminating the needle-in-the-haystack scenario.
Use Cases Deployments – Compliance Accelerators
Here we see an example of that precision grouping capability within the Sarbanes-Oxley Accelerator. All of the DML activity on the SOX-relevant financial servers where it affects SOX sensitive data is reported.
How do we know it's SOX sensitive information? Because we ran a SOX-specific Sensitive Data Finder Classification job, looking for financial information, and put those objects into that group, further enhancing the automation and driving down those corporate costs.
Use Cases
PCI, SOX, HIPAA, ETC
Regular Expression Examples
Here are some use case examples for regular expressions that can be used for all regulatory compliance. It's not just about PCI, SOX and HIPAA; it can be any industry, government or corporate regulation.
Use Cases - Best Practices
Performance
Network and Database Impact
Runtime
Reducing False Positives
Correct Configurations
Just as with poorly constructed queries and database performance: Guardium auto-discovery and Sensitive Data Finder are processes that take a very small amount of resources to complete, but whether they touch the network, file system or database, it's important to understand these functions, create a correctly configured job and run it during time frames that make sense to the business.
From an auto-discovery perspective, Guardium runs a regular nmap-type process; there is nothing particularly proprietary about our scanning technology.
We go out and scan a single IP or a range looking for open ports and DB listeners on those ports.
It is a simple operation, but it can have an impact on your network, and it will be seen by your network folks. So it makes sense to do proper planning for these scans.
There are something like 65,000 available ports on a server, so it is not a good idea to scan 10.10.9.* without specifying a port or port range.
It is a good idea to put in some port numbers that make sense: looking for DB2? Use a range of 50,000 to 60,000; looking for Oracle, use 1000-2000, and so forth. Initially, if you want to scan a large number of IPs and ports, plan for after-hours work.
Use Cases - Best Practices
Performance
When using the Sensitive Data Finder, the Comprehensive search check box is only relevant when the number of records in a table exceeds the Sample size.
A comprehensive search is a high quality search because the results are more likely to be representative of the data. Unchecking Comprehensive search will search the first "Sample size" records for a match. This type of search can be much faster than a comprehensive search, but it may sacrifice the quality of the results.
Enter a Sample size when searching for data: if the number of records in a table is <= "Sample size", then all of those records are searched for a match. When the number of records in a table exceeds "Sample size", then Comprehensive search, as defined above, may be used.
When a classification process runs, it should have very little impact on the database server.
It begins by scanning sets of 50 consecutive rows returned by the database server, beginning with the first row. The second set of 50 begins with the 1000th row. Thereafter, it skips ahead by powers of two, such that the next block of 50 begins at 2K, 4K, 8K, 16K, 32K, and so forth. During this process, if any query takes longer than 10 seconds, the skip interval is multiplied by 10, so if the current sequence is 640K, the next will be 6.4M, and so forth.
The Classifier also throttles itself to periodically idle so that it does not overwhelm the database server with requests.
If any one query takes longer than 12 minutes, the query will be cancelled, a
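The sampling schedule described above, modelled as an added example (this is not Guardium's own code) so a DBA can estimate how many rows a classification pass reads. The query_secs hook, the assumption that doubling resumes after a x10 jump, and the assumption that a cancelled query ends the pass are mine, not the page's.

```python
"""Added example (not Guardium's own code): a model of the Sensitive Data
Finder row-sampling schedule described above, so a DBA can estimate how many
rows a classification pass reads and how slow queries change the plan."""
from typing import Callable, List, Optional, Tuple

BLOCK_ROWS = 50            # rows read per block
SECOND_BLOCK_START = 1000  # second block is fixed at the 1000th row
SLOW_QUERY_SECS = 10       # slower than this: next jump is x10 instead of x2
CANCEL_SECS = 12 * 60      # a single query slower than this is cancelled

Block = Tuple[int, int]    # (1-based first row, rows read)


def comprehensive_blocks(total_rows: int,
                         query_secs: Optional[Callable[[int], float]] = None
                         ) -> List[Block]:
    """Blocks a comprehensive search reads from a table of total_rows rows:
    row 1, row 1000, then 2K, 4K, 8K, ... (doubling). query_secs(start) is a
    constructed hook giving how long the block at start took; the real
    classifier measures this itself. Assumptions: after a x10 jump the
    schedule resumes doubling, and a cancelled query ends the pass."""
    blocks: List[Block] = []
    start = 1
    while start <= total_rows:
        secs = query_secs(start) if query_secs else 0.0
        if secs > CANCEL_SECS:
            break                              # cancelled; pass stops here
        blocks.append((start, min(BLOCK_ROWS, total_rows - start + 1)))
        if start == 1:
            start = SECOND_BLOCK_START
        else:
            start *= 10 if secs > SLOW_QUERY_SECS else 2
    return blocks


def search_plan(total_rows: int, sample_size: int,
                comprehensive: bool) -> List[Block]:
    """Rows read for one table under the rules above: a table of at most
    sample_size rows is read in full; otherwise the Comprehensive check box
    chooses between the sampled schedule and the first sample_size rows."""
    if total_rows <= sample_size:
        return [(1, total_rows)]
    if comprehensive:
        return comprehensive_blocks(total_rows)
    return [(1, sample_size)]


def rows_read(plan: List[Block]) -> int:
    """Total rows the plan touches (what the DBA wants to know)."""
    return sum(count for _, count in plan)


if __name__ == "__main__":
    plan = search_plan(100_000, 1_000, comprehensive=True)
    print([s for s, _ in plan], rows_read(plan))   # 8 blocks, 400 rows
```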
Use Cases - Best Practices Eliminate False Positives
Configurations within the classification process will help with performance best practices, as these scans can be more targeted. Generalized scans, by contrast, may take longer to complete because they have fewer specifications.
For instance:
Doing catalog searches first will help identify the sensitive tables; try a wild card with Credit, Account, Social or SSN.
These scans will take seconds, and since they identify sensitive tables, those tables can automatically be added to the groups of sensitive objects.
Once those tables have been identified, it is time to create more in-depth classification rules. These specific scans look for the unique patterns of data; this is where you can find potentially sensitive information in tables where it isn't clearly marked, in tables coded with non-descriptive names, or in places where it doesn't belong, like Comment fields.
When a rule name begins with "guardium://" (for this example we use CREDIT_CARD), and there is a valid credit card number pattern in the Search Expression box, the classification policy will use the Luhn algorithm.
Specify or wild card the table and column name and the scan will be more targeted.
For testing purposes this is a good way to see if your rules will fire, as you already know that table contains those matching patterns.
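An added example (not Guardium's own code) of why the Luhn check on a "guardium://" credit card rule reduces false positives: a pattern match alone flags any 16-digit order ID, while the checksum keeps only plausible card numbers. The search expression, column names and sample rows below are constructed.

```python
"""Added example, not Guardium's own code: pattern match plus Luhn check, as
the guardium://CREDIT_CARD rule described above applies it. The search
expression, column names and sample rows are constructed."""
import re
from typing import Dict, List, Tuple

# Constructed search expression: 13-16 digits with optional space/dash gaps.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_valid(number: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9
    from doubled values above 9, and require the sum to be divisible by 10."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_rows(rows: List[Dict[str, str]],
                  luhn: bool) -> List[Tuple[str, int, str]]:
    """Return (column, row index, matched text) for every pattern hit; with
    luhn=True only Luhn-valid matches count, as the guardium:// rule does."""
    hits: List[Tuple[str, int, str]] = []
    for idx, row in enumerate(rows):
        for col, value in row.items():
            for m in CARD_PATTERN.finditer(value):
                if not luhn or luhn_valid(m.group()):
                    hits.append((col, idx, m.group()))
    return hits


# Constructed sample data: an order-ID column whose values look like card
# numbers but fail the checksum, and a Comment field that really contains a
# card number (the well-known test number 4111 1111 1111 1111).
SAMPLE_ROWS = [
    {"ORDER_ID": "1234567890123456",
     "COMMENT": "paid with 4111 1111 1111 1111"},
    {"ORDER_ID": "9876543210987654", "COMMENT": "shipped"},
]

if __name__ == "__main__":
    print(classify_rows(SAMPLE_ROWS, luhn=False))  # 3 hits, 2 false positives
    print(classify_rows(SAMPLE_ROWS, luhn=True))   # only the Comment field
```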
Use Cases – Special Projects
Risk Based Approach to Data Security – Dark Reading Webinar
https://www.techwebonlineevents.com/ars/eventregistration.do?mode=eventreg&F=1004756&K=6IK
Helping to Quantify the Risk and Protection Value
• List the top 10 assets you have in your organization
• Assign a value to these assets
• Identify specific threats to these assets
• Identify vulnerabilities with these assets
• Calculate your risk score and compare it to the asset value
• Risk is dependent on the asset values, threats and vulnerabilities
• Let’s use a simple example as it relates to the databases
• PCI is a very common example and we’ll relate this to credit card processing
Last year we did a webinar in conjunction with the Dark Reading group regarding a risk-based approach to data security.
Building out a score matrix for high-risk applications, databases, users and connections will help organizations realize the risk factors more quickly.
One of the most important aspects of this approach is to score your top 10 assets; these are the assets that would cost your organization the most if there was a breach or audit finding.
Locating these assets will be quicker when using Guardium’s Sensitive Data Finder.
The link is in the slide, and the webinar replay is very useful to watch.
What we’ll cover today
• What is Guardium and what problems does it address?
• Overview of some capabilities
– Database Discovery
– Sensitive Data Finder
• Use Cases
• Integration
• Where to find more information
• Q&A
Now let’s look at some integration points.
[Diagram: InfoSphere Guardium integration with other IBM products. Recoverable labels: Big Data (BigInsights, PureData); Databases (DB2 [LUW, i, z, native agent], Informix, IMS); Datawarehouses (Netezza: monitor, audit, archive); Data Discovery/Classification (InfoSphere Discovery, Business Glossary); Event Monitoring (Tivoli Netcool); Software Distribution (Tivoli Provisioning Manager); Endpoint Configuration Assessment and Patch Management (Tivoli Endpoint Manager: remediate vulnerability); SIEM (QRadar); LDAP Directory (Security Directory Server); Transaction/Application (CICS); Business Intelligence (Cognos); Master Data Management (InfoSphere MDM); Database tools (Optim Capture Replay, Change Data Capture, Query Monitor, Optim Test Data Manager, InfoSphere DataStage); Static Data Masking (Optim Data Masking); Help Desk (Tivoli Maximo); Storage and Archival (Optim Archival, Tivoli Storage Manager: archive audit); Web Application Platform (WebSphere); Analytic Engines (InfoSphere Sensemaking); PureFlex. Interaction types named on the connectors: monitor, audit, archive; share discovery & classify; leverage audit change; leverage capture function; send alert; remediate vulnerability; end-user activity.]
Guardium integrates with a number of other technologies inside and outside of IBM.
Outbound messaging and the ability to consume just about any data make Guardium a powerful activity reporting tool.
Sharing of information is important within organizations in order to increase corporate efficiencies while driving down costs.
Let’s look at a few of these integration points as they pertain to discovery and classification projects.
Pattern Based Sensitive Data Discovery Example: SSN
InfoSphere Discovery Classified Columns View
Knowledge Transfer Material
InfoSphere Discovery is a tool which is unique in the industry. It removes the need for manual analysis of your data and the relationships in your environment. Discovery automatically and intelligently identifies and characterizes the data elements within a source and groups data elements into business entities based on the relationships between them. For example, Customer, Counterparty, and Invoice might represent a common business entity.
With InfoSphere Discovery, all sensitive data elements can be shared with Guardium.
You may have already invested in data discovery projects and completed some data classification; this information can easily be shared with Guardium so that the real-time policy rules, alerts and reports also monitor the data elements already defined by your organization.
Here we see an automated production of the CSV files, in a consumable format that matches the data structure inside the Guardium repository.
Quickly and easily share sensitive objects back and forth to accelerate all data design and classification projects.
When to use Guardium and Discovery

InfoSphere Guardium – if your needs are to…
• Find all databases & sensitive data, then apply appropriate policies
• Monitor database security and compliance in real time throughout the lifecycle
• Protect and control access to sensitive data
• Validate compliance with security mandates
Business Needs / Project Types: Database Security, Compliance
Target roles: Data Protection groups, Security Departments, DBA, Auditors, IT Operation, Operations Group, Risk and Compliance

InfoSphere Discovery – if your needs are to…
• Gain an understanding of data content, data relationships, and data transformations across multiple heterogeneous sources
• Discover business objects across data sources
• Identify sensitive data across data sources
Business Needs / Project Types: Archiving, Test Data Management, App. Consolidation, Information Integration (DWH, BI, MDM, etc)
Target Roles: Business Analysts, System Architects, Data Analysts, Data Steward, Application Development Groups
Both products can do sensitive data discovery based on regular expression pattern matching, so when should you use one over the other?
Guardium gives you the ability to quickly and easily point at a data source and scan it for sensitive data; this is usually driven by a security project such as database activity monitoring, automatically updating groups and providing alerting capabilities when sensitive data is located.
InfoSphere Discovery, on the other hand, is a VERY powerful data analytical tool for helping organizations understand their data, the relationships inside the database and the relationships of the data in other databases. It does database model discovery and has powerful algorithms for finding matching values, even inside larger data sets.
For example, a social security number may be part of a larger transaction number. This larger number could be identified as sensitive and shared with Guardium for data security requirements.
To help accelerate a data relationship project, Guardium’s Sensitive Data Finder results could also be shared with InfoSphere Discovery.
Info Analyzer Extended Data Classification & Data Rules
While Discovery helps an organization to understand their data and the complex
relationships within their data, Information Analyzer provides the ability to
examine the quality of the data in terms of consistency, validity, redundancy, and
integrity. Information Analyzer allows for not only an initial assessment of data
quality, but on-going monitoring of data quality through established Data Rules.
EXPORT – Custom Dashboard and Reporting
• Broad set of functions exposed through API beyond reporting needs
[Diagram: a GET … request to the Server returns an XML Report, which is transformed by XSLT1 into HTML Report1, by XSLT2 into HTML Report2, and by XSLT3 into a CSV Report.]
IBM InfoSphere Information Analyzer
Information Analyzer is the trusted source for the classified data; its repository information can be shared with Guardium as well.
Any CSV can be imported into Guardium's repository for reporting purposes, and correlation alerts can even be set up to scan the imported data for threshold values.
Optim Archiving and Test Data Management
[Diagram: Production data flows to TDM (Test Data Subset) for Developers and QA, and to Archives (Reference Data, Historical Data; Archive, Retrieve, Current, Retrieved Historical). Annotations: Guardium and TDM can share masking policies; Guardium can suggest archive candidates; Optim sends access requests to Guardium; Universal Access to Application Data via Application, ODBC/JDBC, XML and Report Writer.]
Archiving is an intelligent process for moving inactive or infrequently accessed data that still has value, while providing the ability to search and retrieve the data.
Guardium integrates with Optim mostly from an activity monitoring aspect, where we can see what jobs ran and who ran them. However, the data objects that will be obfuscated or masked during a Test Data Management project can be populated by Guardium’s Sensitive Data Finder.
Again, this accelerates operational processes and drives down those corporate costs.
Information, training, and community
• InfoSphere Guardium YouTube Channel – includes overviews and technical demos
• InfoSphere Guardium newsletter
• developerWorks forum (very active)
• Guardium DAM User Group on Linked-In (very active)
• Community on developerWorks (includes content and links to a myriad of sources, articles, etc)
• Guardium Info Center (Installation, System Z S-TAPs and some how-tos, more to come)
• Technical training courses (classroom and self-paced)
New! InfoSphere Guardium Virtual User Group. Open, technical discussions with other users. Send a note to [email protected] if interested.
There are currently two Guardium certification tests.
If you are looking into taking an IBM professional product certification exam, you may look into taking the 000-463 certification (http://www-03.ibm.com/certify/tests/ovr463.shtml).
Upon completion of the 000-463 certification, you will become an IBM Certified Guardium Specialist (http://www-03.ibm.com/certify/certs/28000701.shtml).
The certification requires deep knowledge of the IBM InfoSphere Guardium product. It is recommended that the individual have experience implementing the product before taking the exam. You can view the detailed topics here: http://www-03.ibm.com/certify/tests/obj463.shtml
The details of each topic are covered in the product manuals. You will also find the Guardium InfoCenter a useful resource when you prepare for the exam: http://publib.boulder.ibm.com/infocenter/igsec/v1/index.jsp
[Slide: thank-you in many languages – Dziękuję (Polish), Gracias (Spanish), Merci (French), Obrigado (Brazilian Portuguese), Danke (German), Tack (Swedish), Grazie (Italian), plus Traditional Chinese, Thai, Russian, Arabic, Simplified Chinese and Japanese.]
Thank you very much for your time today.