Conclusion: Better Data Security
or choose to deploy multiple building ...

© Copyright IBM Corporation 2012. IBM Corporation, Software Group, Route 100, Somers, NY 10589. Produced in the United States of Ame...

3 guiding principles to improve data security


The information explosion, the proliferation of endpoint devices, growing user volumes, and new computing models like cloud, social business, and big data have created new security vulnerabilities. To secure sensitive data and address compliance requirements, organizations need to adopt a more proactive and systematic approach. Read this white paper to learn three simple guiding principles to help your organization achieve better security and compliance without impacting production systems or straining already-tight budgets.



IBM Software
October 2012
Thought Leadership White Paper

Three guiding principles to improve data security and compliance
A holistic approach to data protection for a complex threat landscape
Executive summary

News headlines about the increasing frequency of information and identity theft have focused awareness on data security and privacy breaches — and their consequences. In response to this issue, regulations have been enacted around the world. Although the specifics of the regulations may differ, failure to ensure compliance can result in significant financial penalties, criminal prosecution and loss of customer loyalty.

In addition, the information explosion, the proliferation of endpoint devices, growing user volumes, and new computing models like cloud, social business and big data have created new vulnerabilities. To secure sensitive data and address compliance requirements, organizations need to adopt a more proactive and systematic approach.

Since data is a critical component of daily business operations, it is essential to ensure privacy and protect data no matter where it resides. Different types of information have different protection requirements; therefore, organizations must take a holistic approach to safeguarding information:

• Understand where the data exists: Organizations can’t protect sensitive data unless they know where it resides and how it’s related across the enterprise.
• Safeguard sensitive data, both structured and unstructured: Structured data contained in databases must be protected from unauthorized access. Unstructured data in documents, forms, image files, GPS systems and more requires privacy policies to redact (remove) sensitive information while still allowing needed business data to be shared.
• Protect non-production environments: Data in non-production, development, training and quality assurance environments needs to be protected, yet still usable during the application development, testing and training processes.
• Secure and continuously monitor access to the data: Enterprise databases, data warehouses, file shares and Hadoop-based systems require real-time monitoring to ensure data access is protected and audited. Policy-based controls based on access patterns are required to rapidly detect unauthorized or suspicious activity and alert key personnel. In addition, sensitive data repositories need to be protected against new threats or other malicious activity and continually monitored for weaknesses.
• Demonstrate compliance to pass audits: It’s not enough to develop a holistic approach to data security and privacy; organizations must also demonstrate and prove compliance to third-party auditors.

IBM® solutions for data security and privacy are designed to support this holistic approach and incorporate intelligence to proactively address IT threats and enterprise risks. IBM has developed three simple guiding principles (Understand and Define, Secure and Protect, and Monitor and Audit) to help organizations achieve better security and compliance without impacting production systems or straining already-tight budgets.

Making sense of the buzz: Why the growing focus on data protection?

Data security is a moving target; as data grows, more sophisticated threats emerge, the number of regulations increases, and changing economic times make it difficult to secure and protect data. New attack vectors including cyber security threats (worms, trojans, rootkits, rogues, dialers and spyware) and security complexities resulting from changing IT architectures (virtualization, big data, open enterprise initiatives, consumerization and employee mobility) challenge organizations to focus on data protection (see Figure 1).

According to the October 2011 report “Databases are More at Risk Than Ever,” which surveyed 355 data security professionals, one-fourth of respondents felt that a data breach in 2012 was likely or inevitable. Only 36 percent of organizations have taken steps to ensure their applications are not subject to SQL injection attacks, and over 70 percent take longer than three months to apply critical patch updates, giving attackers the opportunity they are looking for. Most respondents are unable to tell whether there has been unauthorized access or changes to their databases. In many cases, a breach would go undetected for months or longer, as only 40 percent of organizations audit their databases on a regular basis.

Prevention strategies are almost non-existent at most companies. Only one-fourth of respondents say they are able
to stop abuse of privileges by authorized database users, especially highly privileged users such as database administrators, before it happens. Only 30 percent encrypt sensitive and personally identifiable information in all their databases, despite data privacy regulations worldwide requiring encryption for data at rest. Additionally, most admit to having sensitive data in non-production environments that is accessible to developers, testing and even third parties.

Changes in IT environments and evolving business initiatives

Security policies and corresponding technologies must evolve as organizations embrace new business initiatives such as outsourcing, virtualization, cloud, mobile, Enterprise 2.0, big data and social business. This evolution means organizations need to think more broadly about where sensitive data resides and how it is accessed. Organizations must also consider a broad array of both structured and unstructured sensitive data, including customer information, trade secrets, intellectual property, development plans, competitive differentiators and more.

Smarter, more sophisticated hackers

Many organizations are now struggling with the widening gap between hacker capabilities and security defenses. The changing nature, complexity and larger scale of outside attacks are cause for concern. Previously, the most critical concern was virus outbreaks or short denial-of-service attacks, which would create a temporary pause in business operations. Today, hackers are becoming more savvy and interconnected; they leverage social networks, purchase pre-packaged “hacking” applications and might even be state sponsored. By penetrating the perimeter and infiltrating the network, new advanced persistent threats (APTs) exploit employee knowledge gaps and process weaknesses and technology vulnerabilities in random combinations to steal customer data or corporate data, such as trade secrets, resulting in the potential for billions of dollars of lost business, fines and lawsuits, and irreparable damage to an organization’s reputation.

According to the 2012 Verizon Data Breach Investigations Report, the most commonly used venue for breaches was exploiting default or easily guessed passwords (with 29 percent of the cases) followed by backdoor malware (26 percent), use of stolen credentials (24 percent), exploiting backdoor or command and control channels (23 percent), and keyloggers and spyware (18 percent). SQL injection attacks accounted for 13 percent of the breaches. As for the targets, 90 percent of the breaches Verizon investigated went after servers, mainly point-of-sale servers, web and app servers, and database servers.

Regulatory compliance mandates

The number and variety of regulatory mandates are too numerous to name here, and they affect organizations around the globe. Some of the most prevalent mandates include the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS) (enforcement of which has firmly started expanding beyond North America), the Federal Information Security Management Act (FISMA), and the EU Data Privacy Directive. Along with the rising number of regulatory mandates is the increased pressure to show immediate compliance. Enterprises are under tremendous time pressure and need to show immediate progress to the business and shareholders, or face reputation damage and stiff financial penalties.

Information explosion

The explosion in digital information is mind-boggling. In 2009, the world had about 0.8 zettabytes of data. In 2012, it is estimated to be 1.8 ZBs. This is an amazing number, considering a zettabyte is a trillion gigabytes. The information explosion has made access to public and private information a part of everyday life. The digital explosion also brings an increase in the volume, variety and velocity of data. Organizations need to understand the unique challenges that big data brings, such as large-scale cloud infrastructures, diversity of data sources and formats, the streaming nature of data acquisition, and high-volume data aggregation.

Critical business applications typically collect this information for legitimate purposes; however, given the interconnected nature of the Internet and information systems, as well as enterprise ERP, CRM and custom business applications, sensitive data is easily subject to theft and misuse.
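The survey and breach figures above single out SQL injection as both common (13 percent of the Verizon cases) and preventable (only 36 percent of organizations have taken steps against it). The following is an added example, not code from the white paper or from IBM, contrasting a lookup that splices the caller's input into the SQL text with the parameterized form that the driver binds as data. The table, its rows and the probe string are constructed for the demonstration.

```python
import sqlite3

# Constructed sample table for the demonstration; not data from the white paper.
PATIENTS = [
    (1, "alice", "INS-1001", "diabetes"),
    (2, "bob", "INS-2002", "asthma"),
    (3, "carol", "INS-3003", "migraine"),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER, name TEXT, insurance_no TEXT, diagnosis TEXT)"
    )
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?)", PATIENTS)
    return conn


def lookup_vulnerable(conn, name):
    """Deliberately vulnerable: the caller-supplied value is spliced into the
    SQL text, so quote characters in it change the query's meaning."""
    sql = "SELECT id, name, diagnosis FROM patients WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the value is bound as a parameter, so the driver always
    treats it as data and the query structure is fixed before the value is seen."""
    sql = "SELECT id, name, diagnosis FROM patients WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Run both lookups on the same input and report how many rows each returns."""
    conn = make_db()
    try:
        return {
            "vulnerable_rows": len(lookup_vulnerable(conn, name)),
            "parameterized_rows": len(lookup_parameterized(conn, name)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate name behaves identically in both forms...
    print("bob:", compare("bob"))
    # ...but a value containing a quote widens the vulnerable query to every row,
    # while the parameterized query simply finds no patient with that literal name.
    print("probe:", compare("x' OR '1'='1"))
```

The second policy the paper recommends, least privilege, complements this: the account the application connects with should hold only the SELECT rights its function needs, so that even a successful injection cannot read or alter tables outside that scope.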
Insider threats

A high percentage of data breaches actually emanate from internal weaknesses. These breaches range from employees who may misuse payment card numbers and other sensitive information to those who save confidential data on laptops that are subsequently stolen. Furthermore, organizations are also accountable for protecting data no matter where the data resides — be it with business partners, consultants, contractors, vendors or other third parties.

In summary, organizations are focusing more heavily on data security and privacy concerns. They are looking beyond developing point solutions for specific pains and toward building security and privacy policies and procedures into the enterprise. Building security into business and IT policies is especially important as they embrace the new era of computing.

Security versus privacy

Security and privacy are related, but they are distinct concepts. Security is the infrastructure-level lockdown that prevents or grants access to certain areas or data based on authorization. In contrast, privacy restrictions control access for users who are authorized to access a particular set of data. Data privacy ensures those who have a legitimate business purpose to see a subset of that data do not abuse their privileges. That business purpose is usually defined by job function, which is defined in turn by regulatory or management policy, or both.

Some examples of data security solutions include database activity monitoring and database vulnerability assessments. Some examples of data privacy solutions include data redaction and data masking. In a recent case illustrating this distinction, physicians at UCLA Medical Center were caught going through celebrity Britney Spears’ medical records. The hospital’s security policies were honored since physicians require access to medical records, but privacy concerns exist since the physicians were accessing the file out of curiosity and not for a valid medical purpose.

The stakes are high: Risks associated with insufficient data security and privacy

Corporations and their officers may face fines from USD5,000 to USD1 million per day, and possible jail time if data is misused. According to the Ponemon Institute, “2011: Cost of Data Breach Study” (published March 2012), the average organizational cost of a data breach in 2011 was USD5.5 million. Data breaches in 2011 cost their companies an average of USD194 per compromised record. The number of breached records per incident in 2011 ranged from approximately 4,500 records to more than 98,000 records. In 2011, the average number of breached records was 28,349.

The most expensive breach studied by Ponemon Institute (2010 Annual Study: U.S. Cost of a Data Breach, 2011) took USD35.3 million to resolve, up USD4.8 million (15 percent) from 2009. The least expensive data breach was USD780,000, up USD30,000 (4 percent) from 2009. As in prior years, data breach cost appears to be directly proportional to the number of records compromised.

Hard penalties are only one example of how organizations can be harmed; other negative impacts include erosion in share price caused by investor concern and negative publicity resulting from a data breach. Irreparable brand damage identifies a company as one that cannot be trusted.

Five common sources of risk include:

• Excessive privileges and privileged user abuse. When users (or applications) are granted database privileges that exceed the requirements of their job function, these privileges may be used to gain access to confidential information.
• Unauthorized privilege elevation. Attackers may take advantage of vulnerabilities in database management software to convert low-level access privileges to high-level access privileges.
• SQL injection. SQL injection attacks involve a user who takes advantage of vulnerabilities in front-end web applications and stored procedures to send unauthorized database queries, often with elevated privileges. Using SQL injection, attackers could even gain unrestricted access to an entire database.
• Denial of service. Denial of service (DoS) may be invoked through many techniques. Common DoS techniques include buffer overflows, data corruption, network flooding and resource consumption. The latter is unique to the database environment and frequently overlooked.
• Exposure of backup data. Some recent high-profile attacks have involved theft of database backup tapes and hard disks which were not encrypted.

Figure 1: Analysis of malicious or criminal attacks experienced according to the 2011 Cost of Data Breach Study conducted by the Ponemon Institute (published March 2012)

Barriers to implementation: Challenges associated with protecting data

So with the market focused on security and the risks clearly documented, why haven’t organizations adopted a holistic approach to data protection? Why are organizations overwhelmed by new threats?

The reality is that significant challenges and complexities exist. For one, there are numerous vendor solutions available that are focused on one approach or one aspect of data protection. Few look across the range of threats and data types and sources to deliver a holistic strategy which can be flexible as new threats arise and new computing models are embraced. Next, few organizations have the funding or resources to implement another process-heavy initiative. Organizations need to build security and privacy policies into their daily operations and gather support for these policies across the enterprise including IT staff, business leaders, operations, and legal departments. Privacy requirements do vary by role, and understanding who needs access to what data is not a trivial task. Third, the manual or homegrown data protection approaches many organizations use today lead to higher risk and inefficiency. Manual approaches typically don’t protect a diverse set of data types in both structured and unstructured settings, and do not scale as organizations grow. Finally, the rising number of compliance regulations with time-sensitive components adds more operational stress, rather than clarifying priorities. Organizations require a fresh approach to data protection — one which ensures that they build security and privacy rules into their best practices, and helps, rather than hinders, their bottom line.

Numerous driving factors combined with high stakes make figuring out how to approach data security and privacy an important priority.

Leveraging a holistic data security and privacy approach

Organizations need a holistic approach to data protection. This approach should protect diverse data types across physical, cloud and big data environments, and include the protection of structured and unstructured data in both production and non-production (development, test and training) environments. Such an approach can help focus limited resources without added processes or increased complexity. A holistic approach also helps organizations to demonstrate compliance without interrupting critical business processes or daily operations.

To get started, organizations should consider six key questions. These questions are designed to help focus attention to the most critical data vulnerabilities:

1. Where does sensitive data reside across the enterprise?
2. How can access to your enterprise databases be protected, monitored and audited?
3. How can data be protected from both authorized and unauthorized access?
4. Can confidential data in documents be safeguarded while still enabling the necessary business data to be shared?
5. Can data in non-production environments be protected, yet still be usable for training, application development and testing?
6. What types of data encryption are appropriate?

The answers to these questions provide the foundation for a holistic approach to data protection that scales as organizations embrace the new era of computing. The answers also help organizations focus in on key areas they may be neglecting with current approaches.

1. Organizations can’t protect data if they don’t know it exists. Sensitive data resides in structured and unstructured formats in production environments and non-production environments. Organizations need to document and define all data assets and relationships, no matter what the source. It is important to classify enterprise data, understand data relationships and define service levels. The data discovery process analyzes data values and data patterns to identify the relationships that link disparate data elements into logical units of information, or “business objects” (such as customer, patient or invoice).

2. Activity monitoring provides privileged and non-privileged user and application access monitoring that is independent of native database logging and audit functions. It can function as a compensating control for privileged user separation-of-duties issues by monitoring all administrator activity. Activity monitoring also improves security by detecting unusual database, data warehouse, file share or Hadoop systems read and update activities from the application layer. Event aggregation, correlation and reporting provide an audit capability without the need to enable native audit functions. Activity monitoring solutions should be able to detect malicious activity or inappropriate or unapproved privileged user access.

3. Data should be protected through a variety of data transformation techniques including encryption, masking and redaction. Defining the appropriate business use for enterprise data will dictate the appropriate data transformation policy. For example, a policy could be established to mask data on screen or on the fly to prevent call center employees from viewing national identification numbers. Another example could be masking revenue numbers in reports shared with business partners or third-party vendors.

4. Data redaction can remove sensitive data from forms and documents based on job role or business purpose. For example, physicians need to see sensitive information such as symptoms and prognosis data, whereas a billing clerk needs the patient’s insurance number and billing address. The challenge is to provide the appropriate protection, while meeting business needs and ensuring that data is managed on a “need-to-know” basis. Data redaction solutions should protect sensitive information in unstructured documents, forms and graphics.

5. De-identifying data in non-production environments is simply the process of systematically removing, masking or transforming data elements that could be used to identify an individual. Data de-identification enables developers, testers and trainers to use realistic data and produce valid results, while still complying with privacy protection rules. Data that has been scrubbed or cleansed in such a manner is generally considered acceptable to use in non-production environments and ensures that even if the data is stolen, exposed or lost, it will be of no use to anyone.

6. Data encryption is not a new technology, and many different approaches exist. Encryption is explicitly required by many regulations including PCI DSS, and also enables safe harbor provisions in many regulatory mandates. This means organizations are exempt from disclosing data breaches if the data is encrypted. It is challenging for an organization to identify the best encryption approach due to prolific offerings from various vendors. For encrypting structured data, consider a file-level approach. This will protect both structured data in the database management system (DBMS) and also unstructured files such as DBMS log or configuration files, and is transparent to the network, storage and applications. Look for encryption offerings which provide a strong separation of duties and a unified policy and key management system to centralize and simplify enterprise security management.
Meeting data security and compliance challenges

What makes IBM’s approach to data protection unique? Expertise. The alignment of people, process, technology and information separates the IBM data security and privacy solutions from the competition. The goal of the IBM portfolio is to help organizations meet legal, regulatory and business obligations without adding additional overhead. This helps organizations support compliance initiatives, reduce costs, minimize risk and sustain profitable growth. In addition, IBM has integrated data security into a broader security framework. The IBM Security Framework (see Figure 2) and associated best practices provide the expertise, data analysis, and maturity models to give IBM’s clients the opportunity to embrace innovation with confidence.

Figure 2: IBM is the only vendor providing a sophisticated security framework with security intelligence across people, data, applications and infrastructure. (Framework layers shown: Security Intelligence, Analytics and GRC; Professional Services; Cloud and Managed Services; Software and Appliances.)

To address data security and compliance, IBM has defined three guiding principles to ensure a holistic data protection approach: Understand and Define, Secure and Protect, and Monitor and Audit. By following these three principles, organizations can improve their overall security posture and help meet compliance mandates with

Understand and define

Organizations must discover where sensitive data resides, classify and define data types, and determine metrics and policies to ensure protection over time. Data can be distributed over multiple applications, databases and platforms with little documentation. Many organizations rely too heavily on system and application experts for this information. Sometimes, this information is built into application logic, and hidden relationships might be enforced behind the scenes. Finding sensitive data and discovering data relationships requires careful analysis. Data sources and relationships should be clearly understood and documented so no sensitive data is left vulnerable. Only after understanding the complete landscape can organizations define proper enterprise data security and privacy policies.

IBM InfoSphere® Discovery is designed to identify and document what data you have, where it is located and how it’s linked across systems by intelligently capturing relationships and determining applied transformations and business rules. It helps automate the identification and definition of data relationships across complex, heterogeneous environments. Without an automated process to identify data relationships and define business objects, organizations can spend months performing manual analysis — with no assurance of completeness or accuracy. IBM InfoSphere Discovery, on the other hand, can help automatically and accurately identify relationships and define business objects in a fraction of the time required using manual or profiling approaches. It accommodates a wide range of enterprise data sources, including relational databases, hierarchical databases and any structured data source represented in text file format.
In summary, IBM InfoSphere Discovery helps organizations:

• Locate and inventory the data sources across the enterprise
• Identify and classify sensitive data
• Understand data relationships
• Define and document privacy rules
• Document and manage ongoing requirements and threats

Secure and protect

Data security and privacy solutions should span a heterogeneous enterprise, and protect both structured and unstructured data across production and non-production environments (see Figure 3). IBM InfoSphere solutions help protect sensitive data in ERP/CRM applications, databases, warehouses, file shares and Hadoop-based systems, and also in unstructured formats such as forms and documents. Key technologies include activity monitoring, data masking, data redaction and data encryption. InfoSphere Guardium provides enterprise-wide controls and capabilities across many platforms and data sources, enhancing the investments made in platforms, such as RACF on System z, that provide built-in security models that leverage data sources such as DB2 for z/OS, IMS, and VSAM. A holistic data protection approach ensures a 360-degree lockdown of all organizational data.

For each type of data (structured, unstructured, offline and online), we recommend different technologies to keep it safe. Keep in mind that the various data types exist in both production and non-production environments.

Structured data: This data is based on a data model, and is available in structured formats like databases or XML.
Unstructured data: This data is in forms or documents which may be handwritten, typed or in file repositories, such as word processing documents, email messages, pictures, digital audio, video, GPS data and more.
Online data: This is data used daily to support the business, including metadata, configuration data or log files.
Offline data: This is data in backup tapes or on storage devices.

Figure 3: When developing a data security and privacy strategy, it is important to consider all data types across production and non-production environments. The figure maps technologies to data types, for both production and non-production systems:
• Structured data in heterogeneous databases (Oracle, DB2, Netezza, Informix, Sybase, Sun MySQL, Teradata): Activity Monitoring, Vulnerability Assessment, Data Masking, Data Encryption
• Unstructured data not in databases (Hadoop, file shares such as SharePoint, .TIF, .PDF, .doc, scanned documents): Data Redaction, Activity Monitoring, Data Masking
• Online data in daily use: Activity Monitoring, Vulnerability Assessment, Data Encryption
• Offline data extracted from databases: Data Masking, Data Encryption
Keep in mind these four basic data types are exploding in terms of volume, variety and velocity. Many organizations are looking to include these data types in big data systems such as Netezza or Hadoop for deeper analysis.

IBM InfoSphere Guardium® Activity Monitor and Vulnerability Assessment provide a security solution which addresses the entire database security and compliance life cycle with a unified web console, back-end data store and workflow automation system, enabling you to:

• Assess database and data repository vulnerabilities and configuration flaws
• Ensure configurations are locked down after recommended changes are implemented
• Provide 100-percent visibility and granularity into all data source transactions — across all platforms and protocols — with a secure, tamper-proof audit trail that supports separation of duties
• Monitor and enforce policies for sensitive data access, privileged user actions, change control, application user activities and security exceptions such as failed logins
• Automate the entire compliance auditing process — including report distribution to oversight teams, sign-offs and escalations — with preconfigured reports for SOX, PCI DSS and data privacy
• Create a single, centralized audit repository for enterprise-wide compliance reporting, performance optimization, investigations and forensics
• Easily scale from safeguarding a single database to protecting thousands of databases, data warehouses, file shares or Hadoop-based systems in distributed data centers around the world

Traditionally, protecting unstructured information in forms, documents and graphics has been performed manually by deleting electronic content and using a black marking pen on paper to delete or hide sensitive information. But this manual process can introduce errors, inadvertently omit information and leave behind hidden information within files that exposes sensitive data. Today’s high volumes of electronic forms and documents make this manual process too burdensome for practical purposes, and increase an organization’s risk of exposure.

IBM InfoSphere Guardium Data Redaction protects sensitive information buried in unstructured documents and forms from unintentional disclosure. The automated solution lends efficiency to the redaction process by detecting sensitive information and automatically removing it from the version of the documents made available to unprivileged readers. Based on industry-leading software redaction techniques, InfoSphere Guardium Data Redaction also offers the flexibility of human review and oversight if required.

IBM InfoSphere Optim™ Data Masking Solution provides a comprehensive set of data masking techniques that can support your data privacy compliance requirements on demand, including:

• Application-aware masking capabilities help ensure that masked data, like names and street addresses, resembles the look and feel of the original information (see Figure 4).
• Context-aware, prepackaged data masking routines make it easy to de-identify elements such as payment card numbers, Social Security numbers, street addresses and email addresses.
• Persistent masking capabilities propagate masked replacement values consistently across applications, databases, operating systems and hardware platforms.
• Static or dynamic data masking supports both production and non-production environments.

With InfoSphere Optim, organizations can de-identify data in a way that is valid for use in development, testing and training environments, while protecting data privacy.

Figure 4: Personal identifiable information is masked with realistic but fictional data
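The masking requirements listed above (replacements that keep the look and feel of the original, de-identification of card and Social Security numbers, and persistent values that stay consistent across tables) and the de-identification step described under point 5 of the six questions can be illustrated together. The following is an added example, not code from the white paper or from InfoSphere Optim: every replacement is derived from a keyed HMAC of the original value, so the same input yields the same fictional value in every table it appears in, and masked card numbers get a fresh Luhn check digit so they still pass the format checks test applications apply. The customer and order rows, the replacement name lists and the key are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed, fictional rows; not data from the white paper. The same customer
# appears in two tables, which is what persistent masking has to preserve.
CUSTOMERS = [
    {"cust_id": 101, "name": "Alice Example", "email": "alice@corp.test",
     "ssn": "123-45-6789", "card": "4111111111111111"},
    {"cust_id": 102, "name": "Bob Sample", "email": "bob@corp.test",
     "ssn": "987-65-4321", "card": "5500000000000004"},
]
ORDERS = [
    {"order_id": 1, "email": "alice@corp.test", "card": "4111111111111111", "total": "42.00"},
    {"order_id": 2, "email": "bob@corp.test", "card": "5500000000000004", "total": "17.50"},
]

# Constructed replacement vocabularies; masked names are drawn from these.
FIRST_NAMES = ["Dana", "Eli", "Fay", "Gus", "Ivy", "Kai", "Lou", "Max"]
LAST_NAMES = ["Rivera", "Okafor", "Nguyen", "Haddad", "Lindqvist", "Moreau"]


def _prf(key, domain, value):
    """Keyed pseudo-random integer for a value. The domain tag keeps the masking
    of one column type independent of another, and without the key the mapping
    cannot be recomputed from the masked output."""
    mac = hmac.new(key, f"{domain}:{value}".encode(), hashlib.sha256)
    return int(mac.hexdigest(), 16)


def luhn_check_digit(payload):
    """Check digit that makes payload + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number):
    return number[-1] == luhn_check_digit(number[:-1])


def mask_name(key, name):
    n = _prf(key, "name", name)
    return f"{FIRST_NAMES[n % len(FIRST_NAMES)]} {LAST_NAMES[(n >> 8) % len(LAST_NAMES)]}"


def mask_email(key, email):
    return f"user{_prf(key, 'email', email) % 10**8:08d}@example.invalid"


def mask_ssn(key, ssn):
    digits = f"{_prf(key, 'ssn', ssn) % 10**9:09d}"
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"


def mask_card(key, pan):
    payload = f"{_prf(key, 'card', pan) % 10**15:015d}"
    return payload + luhn_check_digit(payload)  # 16 digits, Luhn-valid


# Column policy: which masking routine applies to which column name.
MASKERS = {"name": mask_name, "email": mask_email, "ssn": mask_ssn, "card": mask_card}


def deidentify(key, rows):
    """Apply the column policy to every row; unlisted columns pass through unchanged."""
    return [
        {col: (MASKERS[col](key, val) if col in MASKERS else val) for col, val in row.items()}
        for row in rows
    ]


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice a managed, access-controlled secret
    for row in deidentify(key, CUSTOMERS) + deidentify(key, ORDERS):
        print(row)
```

Because the mapping is keyed, the non-production copy reveals nothing about the production values to someone who obtains it, yet joins between the masked customer and order tables still line up. The key itself belongs with the key management controls discussed in the encryption section, and the masking job should run in the production-side environment so that the unmasked data never reaches developers or testers.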
IBM InfoSphere Guardium Data Encryption provides a single, manageable and scalable solution to encrypt enterprise data without sacrificing application performance or creating key management complexity. InfoSphere Guardium Data Encryption helps solve the challenges of invasive and point approaches through a consistent and transparent approach to encrypting and managing enterprise data security. Unlike invasive approaches such as column-level database encryption, PKI-based file encryption or native point encryption, IBM InfoSphere Guardium Data Encryption offers a single, transparent solution that is also easy to manage. This unique approach to encryption provides the best of both worlds: seamless support for information management needs combined with strong, policy-based data security. Agents provide a transparent shield that evaluates all information requests against easily customizable policies and provides intelligent decryption-based control over reads, writes, and access to encrypted contents. This high-performance solution is ideal for distributed environments, and agents deliver consistent, auditable and non-invasive data-centric security for virtually any file, database or application — anywhere it resides.

In summary, InfoSphere Guardium Data Encryption provides:

• A single, consistent, transparent encryption method across complex enterprises
• An auditable, enterprise-executable, policy-based approach
• Among the fastest implementation processes achievable, requiring no application, database or system changes
• Simplified, secure and centralized key management across distributed environments
• Intelligent, easy-to-customize data security policies for strong, persistent data security
• Strong separation of duties
• Top-notch performance with proven ability to meet SLAs for mission-critical systems

IBM Tivoli® Key Lifecycle Manager helps IT organizations better manage the encryption key life cycle by enabling them to centralize and strengthen key management processes. It can manage encryption keys for IBM self-encrypting storage devices as well as non-IBM encryption solutions that use the Key Management Interoperability Protocol (KMIP). IBM Tivoli Key Lifecycle Manager provides the following data security benefits:

• Centralize and automate the encryption key management process
• Enhance data security while dramatically reducing the number of encryption keys to be managed
• Simplify encryption key management with an intuitive user interface for configuration and management
• Minimize the risk of loss or breach of sensitive information
• Facilitate compliance management of regulatory standards such as SOX and HIPAA
• Extend key management capabilities to both IBM and non-IBM products
• Leverage open standards to help enable flexibility and facilitate vendor interoperability

Monitor and audit

After data has been located and locked down, organizations must prove compliance, be prepared to respond to new internal and external risks, and monitor systems on an ongoing basis. Monitoring of user activity, object creation, data repository configurations and entitlements helps IT professionals and auditors trace users between applications and databases. These teams can set fine-grained policies for appropriate behavior and receive alerts if these policies are violated. Organizations need to quickly show compliance and empower auditors to verify compliance status. Audit reporting and sign-offs help facilitate the compliance process while keeping costs low and minimizing technical and business disruptions. In summary, organizations should create continuous, fine-grained audit trails of all database activities, including the "who, what, when, where and how" of each transaction.

IBM InfoSphere Guardium Activity Monitor provides granular, database management system (DBMS)-independent auditing with minimal impact on performance. InfoSphere Guardium is also designed to help organizations reduce operational costs via automation, centralized cross-DBMS policies and audit repositories, and filtering and compression.
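The "who, what, when, where and how" audit trail and the fine-grained policies with alerts described above can be made concrete. The Python below is an added example, not InfoSphere Guardium code: it parses a constructed per-statement audit trail and evaluates four policies of the kind the text lists (privileged users reading sensitive tables from ad hoc tools, change control on DDL, bursts of failed logins, and an application service account used from an interactive client). The log format, account names, sensitive-table list, change window, thresholds and the events themselves are all assumptions made for this example.

```python
"""Fine-grained audit policy checks over a constructed database audit trail.

Added example, not Guardium code. Event format, accounts, tables, change
window and thresholds are assumptions; a real deployment would feed the same
checks from its DBMS-independent audit repository.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit trail: timestamp | db user | source host | client program | outcome | SQL
# (who, where, how, what and when of each statement).
AUDIT_LOG = """\
2012-10-02T09:00:01 | app_svc  | 10.0.1.20 | OrderService | OK   | SELECT name FROM customers WHERE id=42
2012-10-02T09:00:05 | dba_jane | 10.0.9.7  | sqlplus      | OK   | SELECT * FROM customers
2012-10-02T09:00:07 | dba_jane | 10.0.9.7  | sqlplus      | OK   | ALTER TABLE customers ADD COLUMN notes VARCHAR(200)
2012-10-02T09:01:00 | app_svc  | 10.0.1.20 | OrderService | OK   | UPDATE orders SET status='shipped' WHERE id=7
2012-10-02T09:02:10 | unknown  | 10.0.9.7  | sqlplus      | FAIL | LOGIN
2012-10-02T09:02:12 | unknown  | 10.0.9.7  | sqlplus      | FAIL | LOGIN
2012-10-02T09:02:14 | unknown  | 10.0.9.7  | sqlplus      | FAIL | LOGIN
2012-10-02T09:02:15 | unknown  | 10.0.9.7  | sqlplus      | FAIL | LOGIN
2012-10-02T09:05:00 | app_svc  | 10.0.9.7  | sqlplus      | OK   | SELECT pan, ssn FROM customers
"""

SENSITIVE_TABLES = {"customers"}                  # tables holding PAN/SSN and the like
PRIVILEGED_ACCOUNTS = {"dba_jane"}
APP_ACCOUNTS = {"app_svc"}
APP_ORIGINS = {("10.0.1.20", "OrderService")}      # where app credentials may legitimately be used
FAILED_LOGIN_THRESHOLD = 3                        # alert on the 3rd failure inside the window
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
CHANGE_WINDOW = (22, 24)                          # DDL permitted 22:00-24:00 only


def parse_log(text):
    events = []
    for line in text.strip().splitlines():
        ts, user, host, program, outcome, sql = [f.strip() for f in line.split("|", 5)]
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "host": host,
                       "program": program, "outcome": outcome, "sql": sql})
    return events


def tables_in(sql):
    """Crude table extraction: the token following FROM/JOIN/INTO/UPDATE/TABLE."""
    toks = sql.replace(",", " ").split()
    found = set()
    for i, t in enumerate(toks[:-1]):
        if t.upper() in ("FROM", "JOIN", "INTO", "UPDATE", "TABLE"):
            found.add(toks[i + 1].strip("`\"").lower())
    return found


def evaluate(events):
    """Return (policy, when, who, detail) tuples for every policy violation."""
    alerts = []
    failures = defaultdict(deque)  # (user, host) -> timestamps of recent failures
    for e in events:
        sensitive = tables_in(e["sql"]) & SENSITIVE_TABLES
        verb = e["sql"].split()[0].upper()

        # Policy 1: privileged accounts touching sensitive tables (any client).
        if e["user"] in PRIVILEGED_ACCOUNTS and sensitive:
            alerts.append(("PRIV_SENSITIVE_ACCESS", e["ts"], e["user"], e["sql"]))

        # Policy 2: change control - DDL only inside the approved window.
        if verb in ("ALTER", "CREATE", "DROP") and not CHANGE_WINDOW[0] <= e["ts"].hour < CHANGE_WINDOW[1]:
            alerts.append(("DDL_OUTSIDE_WINDOW", e["ts"], e["user"], e["sql"]))

        # Policy 3: repeated failed logins from one (user, host) within the window.
        if e["sql"] == "LOGIN" and e["outcome"] == "FAIL":
            recent = failures[(e["user"], e["host"])]
            recent.append(e["ts"])
            while recent and e["ts"] - recent[0] > FAILED_LOGIN_WINDOW:
                recent.popleft()
            if len(recent) == FAILED_LOGIN_THRESHOLD:  # fire once per burst, not per failure
                alerts.append(("FAILED_LOGIN_BURST", e["ts"], e["user"], e["host"]))

        # Policy 4: application credentials used outside the application itself,
        # which bypasses the application's own access controls.
        if e["user"] in APP_ACCOUNTS and (e["host"], e["program"]) not in APP_ORIGINS:
            alerts.append(("APP_CREDENTIAL_MISUSE", e["ts"], e["user"], f'{e["program"]}@{e["host"]}'))
    return alerts


if __name__ == "__main__":
    for policy, when, who, detail in evaluate(parse_log(AUDIT_LOG)):
        print(f"{when.isoformat()} {policy:22} {who:9} {detail}")
```

Two points worth noting. The ALTER at 09:00:07 raises both a sensitive-access and a change-control alert, which is what you want for an audit trail (each policy is judged on its own). And the table extraction is deliberately naive; anything beyond a demonstration should use a real SQL parser, or let the monitoring agent supply the object names, since comments, subqueries and quoted identifiers will otherwise slip past a token scan.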
Conclusion: Better Data Security and Compliance

Protecting data security and privacy is a detailed, continuous responsibility which should be part of every best practice. IBM provides an integrated data security and privacy approach delivered through these three guiding principles:

1. Understand and Define
2. Secure and Protect
3. Monitor and Audit

Protecting data requires a 360-degree, holistic approach. With deep, broad expertise in the security and privacy space, IBM can help your organization define and implement such an approach.

IBM solutions are open, modular and support all aspects of data security and privacy, including structured, semi-structured and unstructured data, no matter where it resides. IBM solutions support virtually all leading enterprise databases and operating systems, including IBM DB2®, Oracle, Teradata, Netezza®, Sybase, Microsoft SQL Server, IBM Informix®, IBM IMS™, IBM DB2 for z/OS, IBM Virtual Storage Access Method (VSAM), Microsoft Windows, UNIX, Linux and IBM z/OS®. InfoSphere also supports key ERP and CRM applications — Oracle E-Business Suite, PeopleSoft Enterprise, JD Edwards EnterpriseOne, Siebel and Amdocs CRM — as well as most custom and packaged applications. IBM supports access monitoring for file sharing software such as Microsoft SharePoint and IBM FileNet. IBM also supports Hadoop-based systems such as Cloudera and InfoSphere BigInsights.

About IBM InfoSphere

InfoSphere software is an integrated platform for defining, integrating, protecting and managing trusted information across your systems. The IBM InfoSphere platform provides the foundational building blocks of trusted information, including data integration, data warehousing, master data management and information governance, all integrated around a core of shared metadata and models. The portfolio is modular, allowing you to start anywhere, and mix and match IBM InfoSphere software building blocks with components from other vendors, or choose to deploy multiple building blocks together for increased acceleration and value. The IBM InfoSphere platform provides an enterprise-class foundation for information-intensive projects, providing the performance, scalability, reliability and acceleration needed to simplify difficult challenges and deliver trusted information to your business faster.

About IBM Security

IBM's security portfolio provides the security intelligence to help organizations holistically protect their people, infrastructure, data and applications. IBM offers solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. IBM operates the world's broadest security research and development and delivery organization. This consists of nine security operations centers, nine IBM Research centers, 11 software security development labs and an IBM Institute for Advanced Security with chapters in the United States, Europe and Asia Pacific. IBM monitors 13 billion security events per day in more than 130 countries and holds more than 3,000 security patents.

For more information

For more information on IBM security, please visit:

To learn more about IBM InfoSphere solutions for protecting data security and privacy, please contact your IBM sales representative or visit:

To learn more about the new IBM DB2 for z/OS security features, download the Redbook at Redbooks.nsf/RedbookAbstracts/sg247959.html

Additionally, financing solutions from IBM Global Financing can enable effective cash management, protection from technology obsolescence, improved total cost of ownership and return on investment. Also, our Global Asset Recovery Services help address environmental concerns with new, more energy-efficient solutions. For more information on IBM Global Financing, visit:
© Copyright IBM Corporation 2012

IBM Corporation
Software Group
Route 100
Somers, NY 10589

Produced in the United States of America
October 2012

IBM, the IBM logo, DB2, Guardium, IMS, Informix, InfoSphere, Optim, Tivoli, and z/OS are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information".

Linux is a registered trademark of Linus Torvalds in the United States, other countries or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries or both.

Netezza is a trademark or registered trademark of Netezza Corporation, an IBM Company.

UNIX is a registered trademark of The Open Group in the United States and other countries.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

IMW14568-USEN-05