Data security in the cloud

In shared infrastructures such as clouds, sensitive or regulated data—including run-time and archived data—must be properly segregated from unauthorized users. Database and system administrators may have access to multiple clients’ data, and the location of stored data in a cloud may change rapidly. Compliance requirements such as Payment Card Industry Data Security Standard (PCI-DSS), Health Insurance Portability and Accountability Act (HIPAA) and others may need to be met. This webinar will discuss how to help protect cloud-based customer information and intellectual property from both external and internal threats.

View the On-demand webinar:

Published in: Technology
  • 2013 mid-year highlights
    Targeted attacks and data breaches
    • Based on the incidents we have covered, SQL injection (SQLi) remains the most common breach pattern, and in the first half of 2013 the number of security incidents had already passed the total reported for 2011 and was on track to surpass 2012 by year end.
    A wave of data breaches targeting the international branches of large businesses, corporations and franchises takes advantage of the fact that satellite and local-language websites representing a brand are not always secured to the same standard as the home office. These incidents affected the food, automotive, entertainment and consumer electronics industries, and can result in a reputation hit as well as legal implications from the loss of sensitive customer data. (page 17)
    While remote malware is prevalent, physical access is still a factor in several noted breaches. This could be the result of insiders stealing data, or of the loss of unencrypted assets such as old drives, laptops or mobile devices. These incidents are not always maliciously motivated: a mistake in printing retirement information led to U.S. social security numbers being visible in the clear window of the mailing envelope, putting sensitive data at risk. Inadvertent loss of data through human error is not uncommon.
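The SQL injection pattern cited above, as an added example that is not part of the original presentation: a lookup that concatenates user input into its query, beside the parameterized form that defeats the same input. It uses Python's built-in sqlite3 module; the table, its rows and the attacker string are constructed for the example.

```python
"""Added example: SQL injection against a string-built query, beside the
parameterized form that defeats it. sqlite3 keeps it self-contained; the
table, rows and attacker input are constructed here."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample: a customers table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, country TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "ana@example.com", "CL"), (2, "bob@example.com", "US")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, country: str) -> list:
    """Deliberately vulnerable: the caller's string becomes part of the SQL text."""
    sql = f"SELECT email FROM customers WHERE country = '{country}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, country: str) -> list:
    """Hardened: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT email FROM customers WHERE country = ?"
    return [row[0] for row in conn.execute(sql, (country,))]


# Constructed attacker input: closes the literal and appends an always-true clause.
ATTACK = "CL' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, ATTACK))   # every customer row leaks
    print(lookup_safe(db, ATTACK))         # no country has that name: empty list
```

Run the file to see the concatenated query return every row for the crafted input while the bound-parameter query returns nothing. Parameterization is the fix, not escaping or input filtering: in the safe version the value never becomes part of the SQL text, so there is nothing for the injection to break out of.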
  • 2013 Ponemon Institute
    Database Trends and Applications December 2011
    This Ponemon research reveals that organizations neglect privacy considerations in non-production environments such as testing, QA and development. This is in direct violation of many regulations, including PCI DSS and HIPAA.
  • From wikipedia:
    Virtualization, in computing, is the creation of a virtual (rather than actual) version of something, such as a hardware platform, operating system, database, a storage device or network resources.
    Virtualization can be viewed as part of an overall trend in enterprise IT that includes autonomic computing, a scenario in which the IT environment will be able to manage itself based on perceived activity, and utility computing, in which computer processing power is seen as a utility that clients pay for only as needed. The usual goal of virtualization is to centralize administrative tasks while improving scalability and workloads.
    In simplest terms, virtualization is the process of inserting a layer of abstraction between a consumer of a resource and the resource itself. By inserting this layer of abstraction, we have decoupled consumers from resources. Virtualization enables previously hard-coupled elements of the IT stack to be taken apart and recombined in ways that easily enable new combinations and usage scenarios. In a sense, virtualization adds layers of lubrication and agility into previously rigid IT architectures.
  • Outward-facing apps sit in the DMZ, behind a firewall with controlled ports. This is still relevant.
  • Extensions of your secure environment to the cloud
    IaaS: IT cost and flexibility; think about country limits (data residency) for sensitive information.
    Private cloud: similar to IaaS.
    SaaS: the third use case in this picture.
  • In IT and business, we are experiencing an unprecedented openness in the use of technology, which is both an opportunity for new business, but also a challenge for IT, operationally and from the security perspective.
    The amount of data generated and handled is exploding, giving rise to technologies like Big Data analytics to help us make sense of it (Google handles 20 petabytes a day). At the same time the IT walls are coming down, making room for better communication with consumers anywhere (think of mobile device communication, 6B devices and growing, and cloud computing). And on the security side, we are seeing more targeted, sophisticated attacks aimed at that critical enterprise asset, SENSITIVE DATA.
    This dynamic is giving rise to multiple perimeters that go beyond the traditional perimeter we protected using firewalls and antivirus. We are having to shift the focus of security closer to the data itself.
    So Security in general and Data Security in particular has to be approached in a more holistic manner: one using Security Intelligence.
    IBM helps clients address the multi-perimeter security complexity driven by the momentum of mobile and cloud.
    Keeping People, Data, Applications and Business Infrastructure safe from threats-The era of Big Data has arrived – an explosion of digital information – accessed from, and stored on, virtualized cloud and social platforms and on mobile devices that are part consumer, part business. Everything is everywhere. And we are hearing that there will be 40% projected growth in global data generated per year, while we only see a mere 5% growth in global IT spending. For IT, the complexity is overwhelming with possible points of attack near limitless. For business, recent breaches have proven to be extremely costly, with attacks aimed directly at the business, not the technology.
    Securely moving to new technology platforms-Cloud, Mobile, BigData and unknown futures…all bring tremendous cost savings, efficiency, and opportunity. But they come at a price when it comes to addressing security risks. All companies are struggling to find security solutions that mitigate the risk.
    Managing cost/complexity-Although security budgets are growing in double digit percentages due to recent high numbers of high profile breaches, companies still look at security as an unwanted necessity: a cost to be kept minimized. Complexity leads to higher costs: companies struggle with implementing and maintaining their security posture.
    Maintaining and demonstrating compliance-Managing varied and dynamic requirements requires accurate, reliable visibility and comprehensive reporting. In addition to enabling new innovation and maintaining the security, privacy and availability of critical business assets, IT organizations still need to prove it, and they struggle with putting security processes in place (people, technology) to meet and report on compliance guidelines.
  • In our Data Security and Compliance Strategy we strive to address all forms of protection for data in any state, and in every data security process (including direct enforcement, discovery and classification, data access control, monitoring, and auditing), culminating with the collection and analysis of real time data activity to provide better proactive insights around data protection. And, even though we focus on data security, we also see it as an integral part of both a holistic security strategy (security solutions integrations) and an IT/Business process strategy.
    At rest: masking, encryption, key mgmt, vulnerability assessment
    In motion: DAM, network DLP, IPS/IDS, dynamic masking and encryption
    In use: endpoint vulnerability assessment, Endpoint DLP
    In this broader view of IBM's cloud security capabilities, you can see how IBM takes an end-to-end approach to data security, looking at the requirements to protect data in any form, anywhere, from internal or external threats, to streamline the regulatory compliance process and to reduce the operational costs of data protection. Each IBM solution for data security has a set of capabilities that can be mapped back to the requirements of the focus areas or "domains" of the security framework.
  • Risk: sensitivity of the data, exposure of the data, location of the data (cloud or within the enterprise), security of the infrastructure (Hadoop, database, file servers, etc.)
    How to rate:
    Sensitivity – classification
    Business value
    Common terms defined by the business glossary
    Activity monitoring can identify the usage of the data
    HAM will help identify how active the data is, who is consuming this information, and what applications and insights are using the data
  • Organizations struggle with the following issues when it comes to protecting security and privacy in virtual and cloud environments: compliance, access, productivity and vulnerability. Data security and privacy solutions should span both structured and unstructured data in virtualized and cloud environments. IBM InfoSphere solutions help secure sensitive data values in databases, in ERP/CRM applications and also in forms and documents across your cloud and virtual infrastructures. Key technologies include database activity monitoring, data masking, data redaction and data encryption. A holistic data protection approach covers all organizational data, so when developing a data security and privacy strategy it is important to consider every data type.
    Think about where sensitive data resides in the cloud. It is important to identify sensitive data types and establish policies for the use of this data in the cloud: understand where data resides, what domains of information exist and how they are related across the enterprise, then define the policies for securing and protecting that data and for demonstrating compliance. The number and variety of compliance regulations keeps growing, and you remain accountable even as your data moves to the cloud.
    Hackers come in all shapes and sizes. They could be young computer scientists trying to show off or make a political statement; they could also be hardened cyber-criminals or even foreign states collecting intelligence on their adversaries. Organizations should protect against BOTH the internal and the external threat. Perhaps you have heard the term "tootsie pop security": a hard, crunchy exterior of firewalls and IPS devices around a soft interior. It is like breaching the castle walls and then walking around doing whatever you like, so as an attacker I just have to get inside. Organizations should have solutions in place to understand what is happening on the inside, for example privileged user behaviour and database platform vulnerabilities.
    Security and privacy policies should enhance, not prevent, business operations. They should be built into everyday operations and work seamlessly in cloud environments. For example, if you are using a private cloud to facilitate application testing, consider masking sensitive data to mitigate the security risk of copying production values into that environment.
    The number of database vulnerabilities is vast and attackers can exploit even the smallest window of opportunity. It is important to understand vulnerabilities from all angles and develop an approach to closing them. Common database vulnerabilities include back-level patches, misconfigurations and unchanged system default settings.
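Masking production values before they reach a test or development copy, as suggested above and again under static masking later in these notes. This is an added example, not IBM's masking implementation: a deterministic (keyed-HMAC) static mask that keeps the last four digits of a card number and the domain of an email address, so the test data still looks valid and joins still match, while the real values never leave production. The key, the column policy and the sample rows are constructed.

```python
"""Added example: deterministic static masking for a non-production copy.
Each value is replaced by a keyed function of itself, so the same input
maps to the same output across tables and refreshes (joins keep working)
without the real value being present. Key, policy and rows are constructed."""
import hashlib
import hmac

# Assumption: a key held by the security team, not by the developers who
# receive the masked copy; rotating it yields a new, equally consistent copy.
MASK_KEY = b"non-production-masking-key"


def _keyed_digits(value: str, n: int) -> str:
    """n decimal digits derived deterministically from value under MASK_KEY."""
    mac = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).digest()
    return "".join(str(b % 10) for b in mac[:n])


def mask_pan(pan: str) -> str:
    """Replace all but the last four digits of a card number, keeping length.
    The last four are what PCI DSS permits to be displayed; the rest is derived
    from the real digits so one card always masks to the same token."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a card number")
    return _keyed_digits(digits, len(digits) - 4) + digits[-4:]


def mask_email(email: str) -> str:
    """Replace the local part; keep the domain so format checks and any
    domain-based test logic still behave. Case-insensitive on the local part."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError("not an email address")
    token = hmac.new(MASK_KEY, local.lower().encode(), hashlib.sha256).hexdigest()[:10]
    return f"user{token}@{domain}"


def mask_row(row: dict, policy: dict) -> dict:
    """Apply a column -> masking-function policy. NULLs stay NULL and columns
    without a policy entry copy through unchanged."""
    out = {}
    for col, val in row.items():
        fn = policy.get(col)
        out[col] = fn(val) if fn is not None and val is not None else val
    return out


def mask_table(rows: list, policy: dict) -> list:
    return [mask_row(r, policy) for r in rows]


# Assumed policy for a constructed customers extract.
POLICY = {"pan": mask_pan, "email": mask_email}
SAMPLE_ROWS = [
    {"id": 1, "email": "Ana@example.com", "pan": "4111 1111 1111 1111", "country": "CL"},
    {"id": 2, "email": "ana@example.com", "pan": "5500000000000004", "country": "US"},
    {"id": 3, "email": None, "pan": None, "country": "CL"},
]

if __name__ == "__main__":
    for row in mask_table(SAMPLE_ROWS, POLICY):
        print(row)
```

Because the output is a keyed function of the input, the same customer masks to the same value in every table and on every refresh, which is what preserves referential integrity. That also means the key must stay in the production or security domain: anyone holding it can confirm a guessed input by recomputing the mask. Masked card numbers are not guaranteed to fail a Luhn check, so if downstream validation needs a recognizable test range, replace the derived leading digits with a test BIN.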
  • How can you streamline this process to PROVE compliance, PREVENT attacks and MONITOR your virtualized and cloud environments?
    Alerts of suspicious activity: Ensure your solution alerts your organization to unusual activity; for example, multiple failed logins from one IP address could indicate someone is trying to break into your environment.
    Audit reporting and sign-offs: The ability to report user activity – and detect any unauthorized activity; database object creation & configuration – and if it could impact data protection; entitlements – ensure user access to data is in line with their user role.
    Separation of duties: Ensure the user that creates the security policies is independent of the user that reports when these policies are applied – checks & balances
    Trace users between applications, databases: Ensure application information isn’t accessed via a “back door”; track how users are accessing sensitive data.
    Sign-off and escalation procedures: Automate the sign-off and escalation procedures when suspicious activity is detected, so that it can be quickly resolved.
    Integration with enterprise security systems (SIEM): Ensure your solution integrates with your organization’s overall security event manager (centralize storage and interpretation of logs/events generated by the various software running on your network).
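The first and fourth items above, run as detection logic over a constructed stream of normalized audit events. This is an added example, not Guardium's policy engine: a brute-force rule (N failed logins from one client IP inside a time window) and a back-door rule (a privileged account touching a sensitive table from anywhere other than the application tier). The thresholds, the sensitive-object and privileged-user lists, the application host and the events themselves are all assumptions.

```python
"""Added example: two of the alerting rules above evaluated over normalized
database audit events. Thresholds, reference sets and events are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed thresholds and reference data (in practice: from the entitlement
# report, the classification run and the application inventory).
FAILED_LOGIN_THRESHOLD = 5
WINDOW_SECONDS = 60
SENSITIVE_OBJECTS = {"cardholder", "patients"}
PRIVILEGED_USERS = {"dba", "sys"}
APP_HOSTS = {"10.0.1.10"}


@dataclass
class Event:
    """One normalized audit record of the kind a collector stores."""
    ts: int            # epoch seconds
    user: str          # database login
    client_ip: str
    program: str       # client program reported by the session
    verb: str          # LOGIN_FAILED, SELECT, UPDATE, ...
    obj: str = ""      # table touched, if any


def detect(events):
    """Yield (rule_name, event) pairs in arrival order.

    brute_force: the Nth failed login from one client IP within the window.
    privileged_backdoor: a privileged account touching a sensitive table from
    somewhere other than the application tier, i.e. bypassing the app's own
    access path."""
    failures = defaultdict(deque)          # client_ip -> recent failure times
    for ev in events:
        if ev.verb == "LOGIN_FAILED":
            recent = failures[ev.client_ip]
            recent.append(ev.ts)
            while recent and ev.ts - recent[0] > WINDOW_SECONDS:
                recent.popleft()
            if len(recent) == FAILED_LOGIN_THRESHOLD:   # fire once per crossing
                yield ("brute_force", ev)
        elif (ev.verb in {"SELECT", "UPDATE", "DELETE"}
              and ev.obj.lower() in SENSITIVE_OBJECTS
              and ev.user in PRIVILEGED_USERS
              and ev.client_ip not in APP_HOSTS):
            yield ("privileged_backdoor", ev)


# Constructed sample stream.
SAMPLE_EVENTS = [
    Event(100, "app", "10.0.1.10", "webapp", "SELECT", "orders"),
    *[Event(110 + i, "admin", "203.0.113.7", "sqlplus", "LOGIN_FAILED") for i in range(6)],
    Event(200, "dba", "10.0.1.10", "webapp", "SELECT", "cardholder"),   # via the app tier
    Event(210, "dba", "10.0.5.23", "sqlplus", "SELECT", "cardholder"),  # direct connection
    Event(300, "app", "10.0.1.10", "webapp", "SELECT", "cardholder"),
]


def run(events=SAMPLE_EVENTS):
    """Return alerts as plain tuples, ready to report or forward to a SIEM."""
    return [(rule, ev.user, ev.client_ip, ev.ts) for rule, ev in detect(events)]


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

The separation-of-duties item is an organizational control rather than code, but it shapes this design: the reference sets should come from the entitlement report and the classification run, owned by a security role, not from the DBA whose activity the rules inspect.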
  • Securing and protecting data is both an external AND internal issue.
    External threats are usually in the form of malicious attacks to your systems from hackers and thieves. Internal threats are more difficult to define/prevent:
    Some data breaches can be unintentional – sensitive data accidentally available on a public site; third-party developers leveraging private data in multiple test environments.
    But some breaches are due to individuals leveraging their “power user” or authorized access to databases to search & collect data that is not relevant to their business duties. For example, the health organizations recently fined for accessing Michael Jackson’s health records after his death.
  • So, Guardium’s original charter was in-depth handling of all aspects around the protection of critical data in databases. We are expanding this charter to protecting data everywhere (structured and non-structured), including applications. Our differentiation is our approach for real-time monitoring of data flows rather than just the after-the-fact auditing analysis. The benefit of this approach is that it helps customers:
    First, it protects against and prevents data breaches and fraud from both internal and external sources, especially privileged users.
    Second, it helps them control access to sensitive enterprise data (including data managed through applications such as SAP and PeopleSoft, and even some unstructured document data), thus supporting data governance.
    And third, it streamlines the process for compliance around data protection. Guardium provides the tools to cut compliance cost by automating and centralizing the controls you need to comply with a variety of mandates, such as SOX or PCI DSS. Because of our extensive heterogeneous support, this can be accomplished across all popular databases and applications, so you can deploy a single solution enterprise-wide.
  • A fourth value proposition is focused on being enterprise ready.
    What it means is the ability to scale Guardium in an efficient, and cost effective manner.
    Every release Guardium introduces significant improvement in scalability, integrations and automation-related features, with one goal in mind – streamline the administration, configuration and usage of the solution in large environments.
    We will touch more on this as we dive deeper into version-9 and the technical details
  • Lets take a quick look at how Guardium achieves these benefits:
    It does this using a single integrated, virtualizable appliance, which can be configured as a Collector, a Central Policy Manager or a Vulnerability Assessment server simply by applying license keys. The key to monitoring non-intrusively is the S-TAP, a lightweight kernel shim installed on the database server that taps all database traffic (operations, data and errors, inbound and outbound). Guardium effectively becomes a gateway to all data flows; no database, application or network changes are necessary. All this traffic is collected at the Collector, which runs policy against it and provides real-time alerting. If you also want to control or block traffic, the S-TAP can be configured as an S-GATE. The Central Policy Manager is the central point of control for all collectors.
    You may notice that all major database infrastructures and some major applications are supported. This is where Guardium provides extra value, through an in-depth understanding of all these protocol and schema differences.
    The appliances can be configured in a grid that is dynamically scalable and extends to support virtualized and cloud environments. Need to expand your environment? Add more probes and collectors. The S-TAP costs at most about a 2% performance hit on the database, much less than turning native auditing on, with the additional benefit of separation of duties: the database administrator has no control over the appliance and cannot affect its audit collection.
    The appliance is easily deployable, and it discovers not only the databases but also the sensitive data and objects within them. It can even relate these objects to applications such as SAP, PeopleSoft, Siebel and SharePoint. This gives customers a quick overview of their current entitlements, which enables them to control privileged access.
    Once setup, the Collector or Central Policy Manager can gather all the audit information in a normalized format (like an SIEM for DBs). The Vulnerability Assessment tool will scan these DBs and DB Servers for needed patches or configuration hardening, based on periodically updated vulnerability templates. All this information (configuration, vulnerability, audit) can easily be packaged and reported for the major regulations. We have pre-packaged modules for each major regulation.
    And to the part that may interest you the most, Guardium can readily integrate with several Security and Systems Management solutions, providing a complementary in-depth view of the database security posture.
    The Guardium appliance is hardened, by which we mean that no root access is allowed to the data stored there. The heavy lifting of parsing and logging data traffic is done on the appliance rather than on the database server.
    S-TAP agents are very lightweight and require no changes to the database or applications; the Collectors (appliances) handle the heavy lifting (parsing, logging and so on) to reduce the impact on the database server. Agents are OS-specific (for example Linux or Windows). The S-TAP listens for network packets between the database client and the database server. The Guardium administrator configures each S-TAP to listen on the correct database ports and to interpret the specific type of database that Guardium needs to listen for; these configurations are called "inspection engines". There is also an automatic discovery process that discovers databases for you and configures the inspection engines with the correct ports. S-TAPs monitor ALL access, whether over the network (TCP) or over local connections (Bequeath, shared memory, named pipes and so on). A privileged user working on the server console will not be detected by any solution that only monitors network traffic, so be careful of SPAN-port-only solutions.
    The GUI is web-based and comes customized out of the box for different roles such as PCI auditor. It is also quite customizable, with the ability to add and delete portlets for specific functions, and those customizations can be rolled out to other users.
  • So how does InfoSphere Guardium work in virtual and cloud environments? It works seamlessly.
    In this example, let's say you want to manage your hardware more efficiently. You decide to reduce the number of physical servers you have and create virtual machines for your database instances. The good news is that the InfoSphere Guardium database security offerings follow your virtual machines. The InfoSphere Guardium Database Activity Monitor, the InfoSphere Guardium Vulnerability Assessment solution and the InfoSphere Guardium Database Encryption Agent are installed at the operating system level, so no extra provisioning, configuration or installation is required. We refer to this as a "snap-in" model.
    In addition, the InfoSphere Guardium Collector, which stores the logs from the database activity monitor, can also be virtualized, on the same hardware or on a different piece of hardware as required. As new virtual machines come online they automatically discover the InfoSphere Guardium Collector, so no additional configuration is needed as your enterprise expands. The S-TAP process monitors all transactions into and out of the database and sends this information to the virtual machine containing the collector.
    Also, the InfoSphere Guardium Database Encryption Expert Security Server can communicate with the virtual encryption agents no matter how many new encryption agents come online. The security administrator sets the security and key policies via the InfoSphere Guardium Encryption Expert Data Security Server, and updates are automatically sent to the agents running on virtual machines across the cloud.
    Now sometimes when we begin to consult with clients about database security we are questioned about the need for it, given the fact that most organizations have invested in firewalls and IPS to secure their perimeter. However, perimeter security isn’t sufficient to protect your databases. Hackers have shown themselves adept at exploiting vulnerabilities and other techniques to slip through and compromise your databases. So database security is of high importance.
    Leveraging the Guardium portfolio, you can achieve the following benefits:
    Database activity monitoring to understand 100% of database transactions and document who, what, when and how of database transactions
    Data encryption to protect the actual data itself to protect against accidental disclosure or hackers
    Database vulnerability assessments to understand weaknesses in your database running as a virtual machine, for example misconfigurations, use of default settings or back-level patches
    Assure compliance – InfoSphere Guardium comes complete with regulatory accelerators including SOX and PCI DSS, so you can monitor the database activity relevant to each mandate
    Using the InfoSphere Guardium portfolio you can set up access policies for each of your virtual machines running instances of DB2 or another database. This way you can control who and what accesses database resources, and if an unauthorized access occurs you can take action, for example terminate the connection or send an alert.
    Think about the database security and privacy solutions you have in place today. Will they scale across your virtual environment?
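The kind of check a vulnerability assessment performs for the misconfigurations, default settings and back-level patches mentioned above. This is an added example and not IBM's assessment tests: a baseline of expected settings, a minimum patch release and a list of vendor default accounts, compared with a snapshot of one server. The setting names follow PostgreSQL, but the baseline, the version threshold and both snapshots are constructed; nothing is read from a live server.

```python
"""Added example: a configuration and patch-level assessment of one database
server against an assumed baseline. Baseline and snapshots are constructed."""
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str
    check: str
    detail: str


# Assumed baseline (setting names follow PostgreSQL): expected value and the
# severity to assign when the server differs.
BASELINE = {
    "ssl": ("on", "high"),
    "password_encryption": ("scram-sha-256", "medium"),
    "log_connections": ("on", "low"),
}
MIN_VERSION = (14, 9)                              # assumed lowest release with current fixes
DEFAULT_ACCOUNTS = {"postgres", "admin", "test"}   # assumed vendor / install defaults
APPROVED_SUPERUSERS = {"postgres"}                 # assumed: only the owning account


def parse_version(text: str) -> tuple:
    """'14.2' or '14.2 (Debian 14.2-1)' -> (14, 2)."""
    major, _, minor = text.split()[0].partition(".")
    return (int(major), int(minor or 0))


def assess(snapshot: dict) -> list:
    """Compare a settings/accounts snapshot with the baseline; return findings."""
    findings = []
    if parse_version(snapshot["version"]) < MIN_VERSION:
        findings.append(Finding("high", "back-level patch",
                                f"version {snapshot['version']} is below "
                                f"{MIN_VERSION[0]}.{MIN_VERSION[1]}"))
    for name, (expected, severity) in BASELINE.items():
        actual = snapshot["settings"].get(name)
        if actual != expected:
            findings.append(Finding(severity, "misconfiguration",
                                    f"{name}={actual!r}, expected {expected!r}"))
    for acct in snapshot["accounts"]:
        if acct["name"] in DEFAULT_ACCOUNTS and not acct["password_set"]:
            findings.append(Finding("critical", "default account",
                                    f"{acct['name']} has no password"))
        if acct.get("superuser") and acct["name"] not in APPROVED_SUPERUSERS:
            findings.append(Finding("high", "excess privilege",
                                    f"{acct['name']} is a superuser"))
    return findings


# Constructed snapshots: one as found on a freshly cloned VM, one hardened.
FOUND = {
    "version": "14.2",
    "settings": {"ssl": "off", "password_encryption": "md5", "log_connections": "on"},
    "accounts": [
        {"name": "postgres", "password_set": True, "superuser": True},
        {"name": "test", "password_set": False, "superuser": False},
        {"name": "webapp", "password_set": True, "superuser": True},
    ],
}
HARDENED = {
    "version": "15.4",
    "settings": {"ssl": "on", "password_encryption": "scram-sha-256", "log_connections": "on"},
    "accounts": [
        {"name": "postgres", "password_set": True, "superuser": True},
        {"name": "webapp", "password_set": True, "superuser": False},
    ],
}

if __name__ == "__main__":
    for f in assess(FOUND):
        print(f"[{f.severity}] {f.check}: {f.detail}")
```

The hardened snapshot returning no findings matters as much as the weak one returning five: the same check run after remediation is the evidence an auditor asks for. In practice the snapshot would be filled from the server's settings view and its role catalog, and the baseline from a published hardening benchmark rather than the hand-picked entries here.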
  • When choosing security and privacy solutions, pick those which work in a virtual and cloud environment without any special setup, configuration or added expense. Many security and privacy solutions depend on network resources or monitor particular physical assets such as switch ports. Choose solutions that follow the virtual machine and scale across physical, virtual and cloud infrastructures without requiring special changes for virtual and cloud environments.
  • Guardium would not be a complete data security solution if it only covered a few databases, so we have expanded our scope from all major databases to data warehouses (also Big Data), ECM, file systems, and now to Big Data environments based on Hadoop, such as IBM InfoSphere BigInsights and Cloudera. We aim to satisfy all data security and compliance needs in heterogeneous and large-scale environments.
    MongoDB (2.2.3)
    Cassandra (1.2.2)
    GreenplumDB (4.2) –EMC DW
    HortonWorks (1.2.1)
    CouchDB (1.2.1)
  • Safeguarding information is required by numerous legal and corporate mandates. Developing a holistic data protection approach while at the same time managing resource costs, requires organizations to invest in solutions which span physical, virtual and cloud environments.
    To ensure data is protected in virtualized and cloud environments, organizations need to understand what data is going into these environments, how access to this data can be monitored, what types of vulnerabilities exist and how to demonstrate compliance. Protections should be built into virtual and cloud environments from the start.
    IBM InfoSphere Guardium can help support your cloud and virtualization strategy with:
    Virtualized database activity monitoring, database vulnerability assessments, data redaction and data encryption
    Automatic discovery and classification of data in the cloud
    Static and dynamic data masking to support a least-privilege access model for cloud resources
    Audit and compliance reports customized for different regulations to demonstrate compliance in the cloud
    InfoSphere Guardium provides a single comprehensive solution for physical, virtual and cloud infrastructures through centralized, automated security controls across heterogeneous environments. InfoSphere Guardium helps streamline compliance, improve productivity, manage data access and manage database vulnerabilities.
  • There are many, many other examples of successful InfoSphere Guardium deployments. InfoSphere Guardium is the most widely deployed database auditing and protection solution, with top customers in all verticals and on all continents, for example:
    (Review a few of the highlights from the slide)
  • Created July 2013
    Santiago Stock Exchange – Bolsa Comercio Santiago
    Client Overview
    The third largest market in Latin America, behind Mexico and Brazil. Provides back-office services for custody, billing, statements and accountability. The Santiago Stock Exchange in Chile provides a "software-as-a-service" environment.
    Santiago Stock Exchange relies on a wide range of electronic trading and information systems as well as capital and portfolio management applications, to support its daily business operations.
    Business Need:
    Maintain the data integrity and protect the confidentiality of data generated by its core applications and systems to comply with government regulations in a “software-as-a-service” environment
    Implement a security solution that would enable it to define access policies and monitor the connections to its core systems and applications without inhibiting performance or availability.
    Provides comprehensive database monitoring and automated audit reporting, without affecting application performance
    Automatically audits data access, supports compliance with government regulations for data security, and helps avoid costly sanctions for non-compliance
    Monitors all user activity, even privileged users, and limits database access to only those who are authorized
    Solution Components:
    IBM InfoSphere Guardium Database Activity Monitor
    Case Study Link:
    “The name of the service is trust. So our clients have to be sure that their data are highly protected. So the responsibility of the Santiago Stock Exchange is to maintain the data in a very secured environment.” — André Araya Falcone, Chief Information Officer, Santiago Stock Exchange.
  • Created July 2013
    Leading Healthcare Payer
    Client Overview
    Leading healthcare payer organization with more than 500,000 members.
    The IT infrastructure includes nearly 50 database instances in production, staging, test, and development environments. These databases support a range of financial, customer, and patient applications.
    Business need:
    Need to implement database auditing to support compliance with Sarbanes Oxley (SOX) and Health Insurance Portability and Accountability Act (HIPAA).
    Find a cost effective means of implementing controls to protect sensitive data and validating compliance with multiple mandates.
    After inquiring with Gartner and Forrester Research, this organization evaluated multiple vendors and chose the IBM InfoSphere Guardium solution.
    Monitors user access to critical financial, customer, and patient application databases, including privileged users
    Centralizes and automates controls and regulatory reporting across distributed heterogeneous database environments
    Provides proactive security via real-time alerts for critical events without affecting performance or requiring changes to databases or applications
    Solution Components:
    IBM InfoSphere Guardium Database Activity Monitor
    Case Study Link:
    No Quote Available
  • There are currently two Guardium certification tests. If you are looking into taking an IBM professional product certification exam, you may consider the 000-463 certification; on completion of the 000-463 certification you become an IBM Certified Guardium Specialist. The certification requires deep knowledge of the IBM InfoSphere Guardium product, and it is recommended that the individual have experience implementing the product before taking the exam. The detailed exam topics are published with the certification; each topic is covered in the product manuals. You will also find the Guardium InfoCenter a useful resource when preparing for the exam.
  • Data is a key part of the IBM security framework. Beyond the way we cover data in the cloud, a whole set of security solutions, including security intelligence and analytics, also has a cloud presence: security for the cloud, meaning we manage security for customers who want to secure their interaction with the cloud, and security from the cloud, meaning the capabilities we deliver from the cloud.
    We have a concerted effort to make this an extension of your IT security into the cloud.
  • Again, we put the Guardium agents both on the mongos (routing server / map-reduce) and on the distributed shards.
    In the same way that we support databases and Hadoop, we minimally affect the performance of the access traffic, yet we collect rich audit information and monitor it against policy, with the added benefit of separation of duties.
    InfoSphere Guardium uses a real-time monitoring architecture. The key to the architecture is the use of S-TAPs, software taps, that sit on the Mongo servers. These S-TAPs are non-intrusive, have very low overhead and require no server configuration changes. The S-TAP streams network packets to a separate, hardened software or hardware appliance called a collector, where they are parsed and stored in an internal repository. There are prebuilt reports for most activities that can be easily customized using the report builder, and real-time alerts can be generated and sent via email or forwarded to a security intelligence and event management system such as IBM QRadar or ArcSight.
    Additional details:
    The main events covered include:
    Operations against HDFS, whether HDFS commands issued from the command line or HDFS operations that come from MapReduce jobs or Hive queries
    Requests for MapReduce jobs: who ran the job, when, and from what client IP
    Errors and exceptions
    Hive queries and HBase operations
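An added example, not Guardium's Hadoop support: a parser for HDFS NameNode audit-log lines, the source of the HDFS operations listed above, and a review pass that surfaces denied requests, access to a sensitive path by anyone other than an approved job account, and destructive operations on that path. The field layout (allowed=, ugi=, ip=, cmd=, src=, dst=, perm=) is the NameNode's standard audit format; the sample lines, the sensitive prefix and the service-account list are constructed.

```python
"""Added example: parse HDFS NameNode audit-log lines and flag the ones an
auditor would want to see. Sample lines and reference data are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# "<date> <time> INFO FSNamesystem.audit: allowed=... ugi=... ip=... cmd=... src=... dst=... perm=..."
_LINE = re.compile(r"^(?P<ts>\S+ \S+) \S+ \S+: (?P<fields>.*)$")
# key=value pairs; a value runs until the next " key=" so spaces inside ugi survive
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

SENSITIVE_PREFIX = "/data/pii/"     # assumed: set by discovery/classification
SERVICE_ACCOUNTS = {"etl"}          # assumed: jobs allowed to touch that path


@dataclass
class HdfsEvent:
    ts: str
    allowed: bool
    user: str
    auth: str
    ip: str
    cmd: str
    src: str
    dst: Optional[str]


def parse_line(line: str) -> HdfsEvent:
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an HDFS audit line: {line!r}")
    kv = dict(_FIELD.findall(m.group("fields")))
    # ugi looks like "alice (auth:KERBEROS)" or, for proxied requests,
    # "bob (auth:PROXY) via alice (auth:KERBEROS)"; the first name is the
    # effective user the operation ran as.
    user, _, rest = kv["ugi"].partition(" (auth:")
    auth = rest.split(")", 1)[0]
    return HdfsEvent(
        ts=m.group("ts"),
        allowed=kv.get("allowed") == "true",
        user=user.split()[0],
        auth=auth,
        ip=kv.get("ip", "").lstrip("/"),
        cmd=kv.get("cmd", ""),
        src=kv.get("src", ""),
        dst=None if kv.get("dst", "null") == "null" else kv["dst"],
    )


def review(lines):
    """Return (reason, event) for lines worth a look: denied requests,
    sensitive-path access by anyone but the approved job accounts, and
    destructive operations on the sensitive path even by those accounts."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        on_sensitive = ev.src.startswith(SENSITIVE_PREFIX)
        if not ev.allowed:
            hits.append(("denied", ev))
        elif on_sensitive and ev.user not in SERVICE_ACCOUNTS:
            hits.append(("sensitive_access", ev))
        elif on_sensitive and ev.cmd in {"delete", "rename"}:
            hits.append(("destructive", ev))
    return hits


# Constructed sample of five audit lines.
SAMPLE_LOG = """\
2013-07-01 10:22:15,123 INFO FSNamesystem.audit: allowed=true ugi=etl (auth:KERBEROS) ip=/10.0.0.5 cmd=open src=/data/pii/customers.csv dst=null perm=null
2013-07-01 10:23:01,010 INFO FSNamesystem.audit: allowed=true ugi=alice (auth:KERBEROS) ip=/10.0.0.9 cmd=open src=/data/pii/customers.csv dst=null perm=null
2013-07-01 10:24:42,555 INFO FSNamesystem.audit: allowed=false ugi=bob (auth:SIMPLE) ip=/10.0.0.12 cmd=listStatus src=/data/pii dst=null perm=null
2013-07-01 10:25:00,000 INFO FSNamesystem.audit: allowed=true ugi=etl (auth:KERBEROS) ip=/10.0.0.5 cmd=rename src=/data/pii/customers.csv dst=/data/pii/customers.csv.bak perm=etl:etl:rw-r-----
2013-07-01 10:26:00,000 INFO FSNamesystem.audit: allowed=true ugi=alice (auth:KERBEROS) ip=/10.0.0.9 cmd=open src=/data/public/readme.txt dst=null perm=null
"""


def summarize(log: str = SAMPLE_LOG) -> list:
    """(reason, user, cmd) for every flagged line, in log order."""
    return [(reason, ev.user, ev.cmd) for reason, ev in review(log.splitlines())]


if __name__ == "__main__":
    for hit in summarize():
        print(hit)
```

Proxied requests ("bob (auth:PROXY) via alice (auth:KERBEROS)") are attributed to the effective user, bob, which is the identity the operation ran as; keep the full ugi string as well if the audit trail must also show the proxying service account.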
  • Where a vulnerable database holds production data, the data itself needs to be encrypted. Requirement 3 of PCI DSS, "Protect stored cardholder data", requires stored cardholder data to be rendered unreadable, and strong encryption with proper key management is the usual way to meet it.
    Encryption helps:
    Ensure broad threat protection: against lost or stolen media, unauthorized file sharing, privileged user abuse, and data leakage or unauthorized access; file protection extends to backups, logs, configuration and executables
    Satisfy compliance requirements and corporate or internal mandates
    Promote separation of duties between security management, technical staff and business owners
    Develop a defense-in-depth strategy
  • Put the perimeter slide between 7 and 8.
    This is the 'how' slide.
  • The InfoSphere Guardium solution was one of the first database security solutions on the market, so we have over a period of years been able to build in virtually all the functions needed to secure databases and validate compliance throughout the whole security lifecycle.
    With an understanding of how the solution works, let’s take a look at how it can simplify and automate a variety of important tasks. We’ll see that Guardium can help with the data security process by:
    Discovering the data environment composition: you cannot govern what you do not understand. Find un-catalogued databases and sensitive information.
    Helping understand the security/risk posture and hardening the data environment. Discover actual entitlements to data and objects, to help eliminate unwanted privileges and reduce the cost of managing user rights. Vulnerability & Configuration Assessment Architecture.
    And finally, maintaining security and compliance on a continuous basis by monitoring all transactions, automating controls to protect our sensitive data, and simplifying the process of capturing and utilizing the data needed to validate compliance with a wide variety of mandates. Cross-platform policies and auditing for enterprise-wide deployment. Fine-grained policies with real-time alerts. Prevent policy violations in real time (blocking). Expanding fraud identification at the application layer. Identify inappropriate use by authorized users. Automate oversight processes to ensure compliance and reduce operational costs.
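    The two notes above (the audit events collected from MongoDB/Hadoop taps, and the fine-grained policies, alerts and blocking applied to them) describe a policy engine evaluating activity records. Added example, not IBM or Guardium code: a small policy evaluator run over constructed audit records of the form "who, when, from which client IP, which operation, on which object"; the sensitive-object prefixes, privileged accounts, application-tier network and business hours are assumptions made for the example.

```python
"""Added example (not IBM or Guardium code): a minimal activity-monitor policy
engine run over constructed audit records (who, when, from which client IP,
which operation, on which object). All policy data below is assumed."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime       # when the tap saw the request
    user: str          # database / Hadoop principal
    client_ip: str     # source address of the request
    source: str        # data source: mongos, hdfs, hive, db2 ...
    operation: str     # find, SELECT, rm, DROP ...
    obj: str           # collection, table or HDFS path


# Constructed policy data: objects classified as sensitive (e.g. cardholder
# data under PCI DSS), privileged accounts, and the application-server network.
SENSITIVE_PREFIXES = ("customers.cardholder", "/data/pii/", "billing.cards")
PRIVILEGED_USERS = {"dba", "root", "hdfs"}
APP_SERVER_NETS = (ip_network("10.1.0.0/16"),)
DESTRUCTIVE_OPS = {"DROP", "ALTER", "TRUNCATE", "RM", "REMOVE", "DELETE"}
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 local time


def parse_event(line: str) -> AuditEvent:
    """Parse one constructed CSV audit record: ts,user,ip,source,op,object."""
    ts, user, ip, source, op, obj = (f.strip() for f in line.split(",", 5))
    return AuditEvent(datetime.fromisoformat(ts), user, ip, source, op, obj)


def is_sensitive(obj: str) -> bool:
    return obj.startswith(SENSITIVE_PREFIXES)


def from_app_tier(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in APP_SERVER_NETS)


def evaluate(ev: AuditEvent) -> Tuple[str, List[str]]:
    """Apply the policies to one event and return (action, violations).

    action is 'allow', 'alert' (record and notify, e.g. forward to a SIEM) or
    'block' (the tap would end the session before the request completes).
    """
    violations: List[str] = []
    if is_sensitive(ev.obj):
        if ev.user in PRIVILEGED_USERS:       # SOD: DBAs should not read card data
            violations.append("PRIV_USER_SENSITIVE_ACCESS")
        if not from_app_tier(ev.client_ip):   # request bypasses the application
            violations.append("NON_APP_TIER_CLIENT")
        if ev.ts.hour not in BUSINESS_HOURS:
            violations.append("OFF_HOURS_ACCESS")
    if ev.operation.upper() in DESTRUCTIVE_OPS and ev.user not in PRIVILEGED_USERS:
        violations.append("DESTRUCTIVE_OP_BY_APP_USER")   # data/structure integrity
    blocking = {"PRIV_USER_SENSITIVE_ACCESS", "DESTRUCTIVE_OP_BY_APP_USER"}
    if blocking & set(violations):
        return "block", violations
    return ("alert" if violations else "allow"), violations


def process(lines: List[str]) -> List[Tuple[AuditEvent, str, List[str]]]:
    """Evaluate every record; the result is what the audit repository would keep."""
    return [(ev, *evaluate(ev)) for ev in map(parse_event, lines)]


# Constructed sample records (not real traffic).
SAMPLE_LOG = [
    "2013-07-15T10:05:00,appuser,10.1.3.4,db2,SELECT,customers.cardholder",
    "2013-07-15T02:13:00,dba,192.168.5.7,mongos,find,customers.cardholder",
    "2013-07-15T14:20:00,analyst,10.1.7.9,hdfs,rm,/data/pii/2013q2",
    "2013-07-15T22:00:00,etl,10.1.4.2,hive,SELECT,billing.cards",
]

if __name__ == "__main__":
    for ev, action, why in process(SAMPLE_LOG):
        print(f"{ev.ts:%H:%M} {ev.user:8} {ev.source:6} {ev.operation:6} "
              f"{ev.obj:28} -> {action.upper():5} {','.join(why)}")
```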
  • Created July 2013
    International Telecommunications Company
    Client Overview
    Leading international telecommunications organization had systems managed by a well-known global systems integrator.
    Business Need:
    Monitor access to sensitive customer data in thousands of Operational Support (OSS) and Business Support (BSS) databases in data centers across a wide geographical area.
    Need to enforce data privacy policies and automate audit reporting to support regulatory compliance requirements
    Monitors OSS and BSS database activity in real-time across heterogeneous operating environments in 16 data centers
    Automates audit reporting and provides detailed audit trail of all access to sensitive data
    Provides real-time blocking and alerts to help ensure that privacy policies are strictly enforced
    Solution Components:
    IBM InfoSphere Guardium Database Activity Monitor
    Case Study Link:
    No Quote Available
  • Data security in the cloud

    1. Data Security in the Cloud. Kathryn Zeidenstein, InfoSphere Guardium Evangelist. © 2013 IBM Corporation
    2. Agenda
       • Background
       • Data security 101
       • Challenges for data protection in the cloud
       • How InfoSphere Guardium solutions address cloud challenges
    3. Security incidents are on the rise (chart from the IBM X-Force 2013 Midyear Trend and Risk Report)
    4. Sensitive Data Is at Risk
       • 70% of organizations surveyed use live customer data in non-production environments (testing, Q/A, development) (Database Trends and Applications, Ensuring Protection for Sensitive Test Data)
       • $188 per record cost of a data breach (The Ponemon Institute, 2013 Cost of Data Breach Study)
       • $5.4M average cost of a data breach (The Ponemon Institute, 2013 Cost of Data Breach Study)
       • 50% of organizations surveyed have no way of knowing if data used in test was compromised (The Ponemon Institute, The Insecurity of Test Data: The Unseen Crisis)
       • 52% of surveyed organizations outsource development (The Ponemon Institute, The Insecurity of Test Data: The Unseen Crisis)
    5. Virtualization has fundamentally changed the data center. Operational and business benefits:
       • Reduce total cost of ownership: fewer servers, less floor space needed, reduced power and cooling costs, increased utilization of server resources
       • Deploy server images faster compared to physical server hardware: virtual machines can be created very quickly; minutes to provision, rather than weeks to request, procure, install and test
       • Achieve higher return on investment
       • Standardize and optimize IT infrastructure to allow for scalability and reliability
       • Achieve greater IT and business agility to respond faster
    6. Traditional IT infrastructures: IT security is obtained through the Demilitarized Zone (DMZ). (Diagram: Trusted Intranet, DMZ, Untrusted Internet; Online Banking Application; Employee Application)
    7. Cloud IT infrastructure: enterprise security is obtained through "application zones". (Diagram: Trusted Intranet, DMZ, Untrusted Internet; Online Banking Application; Employee Application; Leverage Public Clouds; Investment; API Services; Deliver Mobile App; Consume Apps and Services)
    8. The new era of computing has arrived: Data Explosion, Consumerization of IT, Everything is Everywhere, Attack Sophistication. Moving from traditional perimeter-based security (Antivirus, IPS, Firewall) to a logical "perimeter" approach to security, focusing on the data and where it resides.
       • Cloud, Mobile and Data momentum is breaking down the traditional perimeter and forcing us to look at security differently
       • Focus needs to shift from the perimeter to the data that needs to be protected
    9. Data Security Vision
       • Protect data in any form, anywhere, from internal or external threats
       • Streamline regulation compliance process
       • Reduce operational costs around data protection
       Data Classification (type of data): PCI data, SOX data, Video, Document, Proprietary Data
       Data Discovery / Data Repository: Databases, DW/Hadoop, No-SQL, File Shares
       Location: On premise, Private cloud, Public cloud, Managed
       Data Consumers: Customers (anyone), Outsourced (3rd party), Employees (internal), Role-based (trusted)
       Data at Rest, Stored (Databases, File Servers, Big Data, Data Warehouses, Application Servers, Cloud/Virtual ..): Encryption, Tokenization, Redaction, Masking, Storage
       Data in Motion, Over Network (SQL, HTTP, SSH, FTP, email, ...) and Channel (Hosted applications, Cloud applications, Mobile): Activity Monitoring, Real-time Alerting, Dynamic Masking, Blocking, Activity Reporting
    10. Our philosophy: you need to understand the data in order to protect it
       • Relevance: How old is it? When was it last used? Who owns the data?
       • Value: Is it used? How often? By whom?
       • Risk: Sensitivity, Exposure, Volumes
       • Lifecycle: Production, Test/Dev, Archive, Analysis
    11. Investment 101: Higher RISK -> possible higher returns. In other words, we are willing to take risks if there is sufficient value behind it.
    12. Data Security 101: need to understand the data in order to protect it. (Value to the Business vs. Risk)
       • High Value, Low Risk: table with no sensitive data that is used often by an important business application
       • High Value, High Risk: table with sensitive data that is used often by a business application
       • Low Value, Low Risk: temp table with no sensitive data
       • Low Value, High Risk: dormant table with sensitive data
       Above the line: high value data with low (or at least acceptable) risk levels. Below the line: risk levels are too high given the business value of the data.
    13. Understanding the Data, Value vs. Risk. The goal: reduce the risk and get all data elements above the 'risk' line. How? Discover the DATA; 1. Determine the VALUE; 2. Determine the RISK; 3. Reduce the RISK.
       • 1. Determine the VALUE: Activity Monitoring (How often? What data? Who uses the data?); Integrations, Business Glossary (insights on how data is used by the business)
       • 2. Determine the RISK: Discovery & Classification (What data is out there? How sensitive is it?); Activity Monitoring (How exposed is the data? What data is being extracted?); Vulnerability Assessment (How secure is the repository? Is it fully patched? Best practice configuration?)
       • 3. Reduce the RISK: Activity Monitoring (alert/block suspicious activities; prevent unauthorized access to data; report and review all data activities); Vulnerability Assessment (assessments & remediation steps; configuration "lock down"; purge dormant data); Encryption (encrypt data at rest); Test Data Management (declassify data on test/dev environments)
    14. Data security is an ongoing process
       • Discover (Discovery, Classification): find sensitive data. Where is my sensitive data?
       • Harden (Assessment, Identity, Access Mgmt): secure the repository. Who has privileged access? Are there dormant entitlements? How can I check for known vulnerabilities?
       • Monitor (Activity Monitoring): control access, record events. Who is accessing the data and what are they doing?
       • Block (Blocking, Quarantine): prevent unauthorized activities. How to prevent unauthorized access?
       • Mask (Masking/Encryption): protect sensitive data. How do I encrypt sensitive data? How can I mask sensitive data going to the Cloud?
    15. Key challenges to protecting data in virtualized and cloud environments
       • Compliance: limited time, lots of regulation, growing costs of compliance; audits require monitoring and reporting on database activities
       • Access: ability to know who's accessing your data when, how and why; complex role-based data access requirements
       • Productivity: manual approaches lead to higher risk and inefficiency; centralized security management required for maximum efficiency
       • Vulnerability: complex database vulnerabilities; new sources of threats: outsourcing, web applications, stolen credentials
    16. Streamline compliance in virtualized and cloud environments
       • Receive alerts of suspicious activity
       • Audit all database activities: user activity, object creation, database configuration, entitlements
       • Enforce separation of duties: creation of policies vs. reporting on application of policies
       • Trace users between applications and databases
       • Automate compliance with sign-off and escalation procedures
       • Integrate with enterprise security systems (SIEM)
    17. Data access is both an external and internal issue
       • Prevent "power users" from abusing their access to sensitive data (separation of duties): DBA and power users
       • Prevent authorized users from misusing sensitive data: for example, third-party or off-shore developers
       • Prevent intrusion and theft of data: for example, someone walking off with a back-up tape; hacker; block suspicious network traffic
    18. InfoSphere Guardium Value Proposition: continuously monitor access to sensitive data including databases, data warehouses, big data environments and file shares to...
       • 1. Prevent data breaches: prevent disclosure or leakages of sensitive data
       • 2. Ensure the integrity of sensitive data: prevent unauthorized changes to data, database structures, configuration files and logs
       • 3. Reduce cost of compliance: automate and centralize controls across diverse regulations, such as PCI DSS, data privacy regulations, HIPAA/HITECH etc., and across heterogeneous environments such as databases, applications, data warehouses and Big Data platforms like Hadoop; simplify the audit review processes
    19. InfoSphere Guardium value proposition (cont.)
       • 4. Protect data in an efficient, scalable, and cost-effective way
       • Increase operational efficiency: automate & centralize internal controls across heterogeneous & distributed environments; identify and help resolve performance issues & application errors; highly scalable platform, proven in the most demanding data center environments worldwide
       • No degradation of infrastructure or business processes: non-invasive architecture; no changes required to applications or databases
    20. InfoSphere Guardium Architecture. (Diagram: Application Servers (SAP, Oracle EBS, Custom Apps, etc); S-TAP, Software Tap (lightweight probe which copies information to the appliance); Guardium Appliance with Secure Audit Records and audit data (reports, quick search, and outlier detection); Role-based GUI)
       • Continuous, policy-based, real-time monitoring of all data traffic activities, including actions by privileged users
       • Database infrastructure scanning for missing patches, mis-configured privileges and other vulnerabilities
       • Data protection compliance automation
       Real-time alerts can be integrated with SIEM systems. (Source: 21 Feb 2013 IBM InfoSphere Guardium Tech Talk)
    21. InfoSphere Guardium database security: comprehensive data protection for virtual and cloud infrastructures. (Diagram: DBA administers databases; End User accesses applications; Virtual Servers; Application Servers; Security administrator manages security policies; Repository)
       • Database Activity Monitor
       • Database Vulnerability Assessment
       • Data Encryption
       • Data Redaction
       • Dynamic Data Masking
    22. Guardium provides data security and privacy on the cloud. InfoSphere Guardium is "cloud ready":
       • Virtualized: Guardium appliances are available as virtual appliances
       • Secured: designed for multitenancy, with a tamper-resistant repository, built-in data level security, granular division/security for auditing results
       • Automated: database and instance discovery for private/hybrid clouds; data source discovery for Amazon RDS instances; scripting and APIs, including new REST API
       • Agile: deployment flexibility using load-balancing and 'Grid' technology
       • Embedded/Certified (on PureSystems Appliances): IBM PureData for Hadoop, IBM PureData for Analytics, IBM PureData for Transactions
       Securing Cloud Data with Guardium:
       • Guardium Data Encryption: encrypting data at rest in the cloud
       • Dynamic Data Masking: redact/mask sensitive data when used by privileged users; additional cloud masking capabilities are on the roadmap
       • Document Redaction: redact sensitive data before documents are uploaded to the cloud or extracted from content management systems
    23. Extend real-time Data Activity Monitoring to also protect sensitive data in data warehouses, Big Data environments and file shares. (Diagram: InfoSphere BigInsights, HANA, CICS, FTP, InfoSphere Guardium)
    24. Organizations are moving towards virtualization & cloud computing: build data protection in from the start. IBM InfoSphere Guardium can help with:
       • Automatic discovery and classification of cloud data
       • Virtualized security: database activity monitoring, database vulnerability assessments, data redaction and data encryption
       • Static and dynamic data masking to ensure a least-privileged access model to cloud resources
       • Automated compliance reports customized for different regulations to demonstrate compliance in the cloud
    25. Chosen by the leading organizations worldwide to secure their most critical data
       • 5 of the top 5 global banks: protecting access to billions of dollars in financial assets
       • 2 of the top 3 global retailers: safeguarding the integrity of 2.5 billion credit card or personal information transactions per year
       • 5 of the top 6 global insurers: protecting more than 100,000 databases with personal and private information
       • 4 of the top 4 global managed healthcare providers: protecting access to 136 million patients' private information
       • Top government agencies: safeguarding the integrity of the world's government information and defense
       • 8 of the top 10 telcos worldwide: maintaining the privacy of over 1,100,000,000 subscribers
       • The most recognized name in PCs: protecting over 7 million credit card transactions per year
    26. Santiago Stock Exchange tightens security of its core applications
       Need:
       • Maintain data integrity and protect confidentiality of data generated in core applications and systems to comply with government regulations in a "software-as-a-service" environment
       Benefits:
       • Provides comprehensive database monitoring and automated audit reporting, without affecting application performance
       • Automatically audits data access, supports compliance with government regulations for data security, and helps avoid costly sanctions
       • Monitors all user activity, even privileged users, and limits database access to only those who are authorized
    27. Leading Healthcare Payer supports data security and compliance
       Need:
       • Find a cost-effective means to protect information for over 500,000 members and comply with SOX and HIPAA regulatory requirements
       Benefits:
       • Monitors user access to critical financial, customer, and patient application databases, including privileged insiders
       • Centralizes and automates audit controls and regulatory reporting across distributed, heterogeneous database environments
       • Provides proactive security via real-time alerts for critical events without affecting performance or requiring changes to databases or applications
    28. Information, training, and community
       • InfoSphere Guardium YouTube Channel
       • InfoSphere Guardium newsletter
       • developerWorks forum
       • Guardium DAM User Group on LinkedIn
       • Community on developerWorks
       • Technical training courses
       Visit:
       E-book: Comprehensive data protection for physical, virtual and cloud infrastructures
    29. Intelligent Security, for the cloud and from the cloud. Differentiated security capabilities, based on open standards:
       • Security analytics and intelligence: establish a platform with real-time correlation and detection across the cloud with IBM QRadar SIEM
       • Manage distributed identities and user access: protect user access to cloud assets with IBM Identity and Access Management
       • Scan, monitor and audit applications and data: deliver secure mobile and web apps, and monitor data access in real time with AppScan and Guardium
       • Protect the network from threats: protect servers, endpoints and networks against threats with IBM Network Security
       • Professional, Managed, and Cloud Services
    30. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY. © Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way.
       IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
    31. InfoSphere Guardium protects NoSQL data sources, like MongoDB, with its non-intrusive scalable architecture
       • Lightweight agent sits on MongoDB routing servers (mongos) and shards (mongod)
       • Network traffic is copied and sent to a hardened appliance where parsing, analysis, and logging occurs, minimizing overhead on the MongoDB cluster
       • Separation of duties is enforced: no direct access to audit data
       (Diagram: Clients, Mongos, Shards (MongoDB Sharded Cluster: routing servers and shards), S-TAPs, InfoSphere Guardium Collector, Monitoring Reports.) Real-time alerts can be integrated with SIEM systems.
    32. Encrypt or else... (poor John and Jane Doe)
    33. Cloud is an opportunity for enhanced security
       • Manage your risk across cloud apps and services
       • Know your user
       • Protect your data
       • Establish your risk posture
       • Gain assurance of your apps
       • Protect against threats and fraud
       • Professional, Managed, and Cloud Services
    34. Addressing the full data security and compliance lifecycle
    35. International Telecom automates audit reporting and enforces data privacy policies
       Need:
       • Monitor access to sensitive customer data in thousands of Operational Support (OSS) and Business Support (BSS) system databases in data centers across a wide geographic area
       Benefits:
       • Monitors OSS and BSS database activity in real time across heterogeneous operating environments in 16 data centers
       • Automates audit reporting and provides detailed audit trail of all access to sensitive data
       • Provides real-time blocking and alerts to help ensure that privacy policies are strictly enforced
    36. Leverage experts to help manage your security. Cloud delivered services, IBM Managed Security Services. Security Intelligence: People, Data, Apps, Infrastructure.
       • Security Event and Log Management: offsite management of security logs and events
       • Application Security Management: help reduce data loss, financial loss and website downtime
       • Managed Web and Email Security: help protect against spam, worms, viruses, spyware, adware and offensive content
       • Managed DDoS Protection: preparation, protection, monitoring and response, leveraging Akamai
       • Vulnerability Management Service: help provide proactive discovery and remediation of vulnerabilities
       • IBM X-Force Threat Analysis Service: customized security threat intelligence based on IBM X-Force research and development