IBM InfoSphere Guardium overview


Published on

IBM InfoSphere Guardium provides the simplest, most robust solution for assuring the privacy and integrity of trusted information in your data center (SAP, PeopleSoft, Cognos, Siebel, etc.) and reducing costs by automating the entire compliance auditing process in heterogeneous environments.

Published in: Technology
1 Comment
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

IBM InfoSphere Guardium overview

  1. 1. Guardium Database Monitoring & ProtectionKarl WehdenIBM Infosphere Worldwide Data Governance Team28 September 2010 1 © 2009 IBM Corporation
  2. 2. Guardium Value Proposition:Continuously Monitor Access to High-Value Databases to … 1.  Prevent data breaches   Mitigate external & internal threats 2.  Assure data governance   Prevent unauthorized changes to sensitive data 3.  Reduce cost of compliance   Automate & centralize controls →  Across DBMS platforms & applications →  Across SOX, PCI, SAS70, …   Simplify processes © 2009 IBM Corporation
  3. 3. Perimeter Defenses No Longer Sufficient “A fortress mentality will not work in cyber. We cannot retreat behind a Maginot Line of firewalls.” - William J. Lynn III, U.S. Deputy Defense Secretary Insiders (DBAs, developers, outsourcers, etc.)Outsourcing Stolen CredentialsWeb-Facing Apps (Zeus, etc.)Legacy AppIntegration/SOA Employee Self-Service, Partners & Suppliers 3 © 2009 IBM Corporation
  4. 4. Defense in Depth Strategy for Privacy and Security: User access monitoring Prevention of unauthorized access Production data encryption Unstructured data redaction Non-production data masking Archiving and retention compliance 4 © 2009 IBM Corporation
  5. 5. Balanced Control Objectives Visibility into Risk Costs Money: •  The Introduction of unchecked detective controls can introduce significant cost •  The lack of detective controls can create a comfortably underestimated level of risk •  Evaluate the total cost of Control introduction: –  Operational Cost –  Risk mitigation cost –  Risk Avoidance benefit –  Model out for longer than the benefit of the tools selected 5 © 2009 IBM Corporation
  6. 6. Top Data Protection Challenges © 2009 IBM Corporation
  7. 7. “Largest Hacking Case Ever Prosecuted” Stephen “Maksik” Albert Watt, author Gonzalez, Yastremskiy of “blabla” : 30 years in aka sniffer: 2 soupnazi Turkish years in prison prison & $170M in restitution •  Gonzalez sentenced to xx years for Operation Get Rich or Die Tryin’ –  Heartland, 7-Eleven, Hannaford: Stole 130M cards via SQL injection, network reconnaissance, malware, sniffers –  Dave & Buster’s: Stole admin password file from POS service provider –  TJX, OfficeMax + 6 other retailers: Stole 40M cards via SQL injection & war driving   Aided by former Barclay’s network security manager (“healthy childhood, white-collar success”) –  San Diego case: International ring (Ukraine, Estonia, PRC, Philippines, Thailand)   “Maksik” Yastremskiy sentenced to 30 years in Turkish prison; hacked 11 Turkish banks •  “Our most formidable challenge is getting companies to detect they have been compromised ...” Kimberly Kiefer Peretti, senior counsel, DoJ 7 © 2009 IBM Corporation
  8. 8. Chosen by Leading Organizations Worldwide•  5 of the top 5 global banks •  Top government agencies•  2 of the top 3 global retailers •  Top 3 auto maker•  4 of the top 6 global insurers •  #1 dedicated security company•  2 of the world’s favorite beverage brands •  Leading energy suppliers•  The most recognized name in PCs •  Major health care providers•  25 of the world’s leading telcos •  Media & entertainment brands © 2009 IBM Corporation
  9. 9. Key Drivers for Guardium •  SOX (Health Care payers) –  Prevent unauthorized changes to financial data •  Consumer privacy –  Prevent unauthorized viewing of personal data, especially by privileged users (DBAs, developers, outsourcers) –  New Massachusetts law requires monitoring controls to be in place for all Personally Identifiable Information (PII) –  HITECH adds teeth to HIPAA regulations •  PCI –  Track and monitor all access to cardholder data (Req.10) –  Protect stored cardholder data (Req. 3) –  Identify unpatched systems & enforce change controls (Req. 6) –  Compensating control for network segmentation (Req. 7) & column-level encryption (Req. 3) •  Cost savings –  Streamline compliance with automated & centralized controls –  < 6 months payback (typical) © 2009 IBM Corporation
  10. 10. Addressing the Full Database Security Lifecycle Monitor Audit & & Enforce Report Critical Data Infrastructure Discover Assess & & Classify Harden 10 © 2009 IBM Corporation
  11. 11. Real-Time Database Security & Monitoring SQL DB2 Server•  Non-invasive architecture •  Enforces separation of duties •  Outside database •  Does not rely on DBMS-resident logs that can •  Minimal performance impact (2-3%) easily be erased by attackers or rogue insiders •  No DBMS or application changes •  Granular, real-time policies & auditing•  Cross-DBMS solution •  Who, what, when, how •  Automated compliance reporting, sign-offs &•  100% visibility including local DBA access escalations (SOX, PCI, NIST, etc.) © 2009 IBM Corporation
  12. 12. Scalable Multi-Tier Architecture Integration with LDAP/ AD, IAM, change management, SIEM, archiving, … © 2009 IBM Corporation
  13. 13. © 2009 IBM Corporation
  14. 14. Thank You! © 2009 IBM Corporation
  15. 15. IBM/Guardium vs. Oracle Database Security Oracle Database Vault, Oracle Audit Vault IBM/Guardium Heterogeneous support Minimal performance impact or changes Enforces Separation of Duties (SoD) Real-time monitoring & alerting Extrusion/data leakage monitoring Application monitoring (EBS, PeopleSoft, SAP, etc.) Reduces DBA workloadOracle is a registered trademark of Oracle Corporation and/or its affiliates. © 2009 IBM Corporation
  16. 16. Appendix 16 © 2009 IBM Corporation
  17. 17. Blue Cross Blue Shield Case Study •  Who: BCBS organization with 475,000 members •  Need: Secure financial data for SOX; secure patient data for HIPAA; adhere to NIST –  Monitor all access to critical databases, including access by privileged users –  Create a centralized audit trail for all database systems –  Produce detailed compliance reports for auditors –  Implement proactive security via real-time alerts •  Environment: –  Oracle, SQL Server 2003/2005, IBM DB2, Sybase –  AIX & Windows –  LDAP & Microsoft MOM •  Alternatives considered –  Native logging: Rejected due to performance overhead & need for centralized management –  Application Security Inc (AppSec): Preferred Guardium’s appliance model •  Results: –  Monitoring 130 database instances on 100 servers (3 week implementation) –  Guardium helped client to interpret regulations and implement policies –  Integrated with Tivoli Storage Manager (TSM) for archiving of audit data 17 © 2009 IBM Corporation
  18. 18. Global Manufacturer with 239% ROI •  Who: F500 consumer food manufacturer ($15B revenue) •  Need: Secure SAP & Siebel data –  Enforce change controls & implement consistent auditing across platforms Commissioned Forrester •  Environment: Consulting Case Study –  SAP, Siebel, Manugistics, IT2 + 21 other Key Financial Systems (KFS) –  Oracle & IBM DB2 on AIX; SQL Server on Windows •  Results: 239% ROI & 5.9 months payback, plus: –  Proactive security: Real-time alert when changes made to critical tables –  Simplified compliance: Passed 4 audits (internal & external)   “The ability to associate changes with a ticket number makes our job a lot easier … which is something the auditors ask about.” [Lead Security Analyst] –  Strategic focus on data security   “There’s a new and sharper focus on database security within the IT organization. Security is more top-of-mind among IT operations people and other staff such as developers.” © 2009 IBM Corporation
  19. 19. Safeguarding Customer Information for WashingtonMetropolitan Area Transit Authority (Metro) •  Who: Operates 2nd largest U.S. rail transit system and transports more than a third of the federal government to work •  Need: Metro needed to safeguard sensitive customer data and simplify compliance with PCI-DSS -- without impacting performance or changing database configurations –  Protecting customer data –  Passing audits more quickly and easily –  Monitoring for potential fraud in PeopleSoft system •  Environment: –  More than 9 million transactions per year (Level 1 merchant) –  Complex, multi-tier heterogeneous environment •  Alternatives considered: Native logging and auditing impractical •  Customer Impact: “Our customers trust us to transport them safely and safeguard their personal information.” –  “We looked at native DBMS logging and auditing, but it’s impractical because of its high overhead, especially when you’re capturing every SELECT in a high-volume environment like ours. In addition, native auditing doesn’t enforce separation of duties or prevent unauthorized access by privileged insiders.” 19 © 2009 IBM Corporation
  20. 20. How Does Guardium Complement Tivoli? •  Guardium is part of the “Data and Information” layer of the IBM Security Framework •  Integrates with Tivoli Security & Information Event Manager (TSIEM) for sharing of policy violation alerts & selected log information •  Use TSIEM for: –  Collecting logs & events from wide range of systems (UNIX, Windows, z/OS, firewalls, etc.) –  Enterprise-wide dashboard & reports; correlation •  Use Guardium for: –  All database-related security & compliance functions: real-time monitoring & auditing (including privileged user monitoring), vulnerability assessment, data discovery, configuration auditing, compliance reporting & workflow automation –  Feeding policy violations & audit logs to TSIEM 20 © 2009 IBM Corporation
  21. 21. IBM Acquires Guardium (11/30/09) •  Joining IBMs Information Management business •  Why Guardium? Unique ability to:   Safeguard critical enterprise information   Reduce operational costs by automating compliance processes   Simplify governance with centralized policies for heterogeneous infrastructures   Continuously monitor access and changes to high-value databases •  Trusted information lies at the center of today’s business transformations   Guardium enables organizations to maintain trusted information infrastructures   Business analytics and trusted information drive smarter business outcomes   This supports IBM’s vision of creating a Smarter Planet: Smarter energy, smarter healthcare, smarter cities, smarter finance, smarter IT, and more © 2009 IBM Corporation
  22. 22. How Guardium Fits with IBM’s IM Portfolio: Governance Optim InfoSphere Relating Governing Guardium Mastering Information Information Information Integrating Information 22 © 2009 IBM Corporation
  23. 23. How Guardium Fits with IBM’s Security Portfolio Tivoli Identity Manager, Access Manager, zSecure, SIEM, … Guardium DB Monitoring, Optim TDM & DP, AME, SIEM, … Rational AppScan, Ounce Suite, WebSphere DataPower, … Server Protection, Network Intrusion Prevention System (IPS, … 23 © 2009 IBM Corporation
  24. 24. PCI Compliance for •  Who: World’s largest dedicated security company •  Need: Safeguard millions of PCI transactions –  Maintain strict SLAs with ISP customers (Comcast, COX, etc.) –  Automate PCI controls •  Environment: Guardium deployed in less than 48 hours –  Multiple data centers; clustered databases –  Integrated with ArcSight SIEM –  Expanding coverage to SAP systems for SOX •  Previous Solution: Central database audit repository with native DBMS logs –  Massive data volumes; performance & reliability issues; SOD issues •  Results: –  “McAfee needed a solution with continuous real-time visibility into all sensitive cardholder data – in order to quickly spot unauthorized activity and comply with PCI- DSS – but given our significant transaction volumes, performance and reliability considerations were crucial.” –  “We were initially using a database auditing solution that collected information from native DBMS logs and stored it in an audit repository, but granular logging significantly impacted our database servers and the audit repository was simply unable to handle the massive transaction volume generated by our environment.” © 2009 IBM Corporation
  25. 25. Financial Services Firm with 1M+ Sessions/Day •  Who: Global NYSE-traded company with 75M customers •  Need: Enhance SOX compliance & data governance –  Phase 1: Monitor all privileged user activities, especially DB changes. –  Phase 2: Focus on data privacy. •  Environment: 4 data centers managed by IBM Global Services –  122 database instances on 100+ servers –  Oracle, IBM DB2, Sybase, SQL Server on AIX, HP-UX, Solaris, Windows –  PeopleSoft plus 75 in-house applications •  Alternatives considered: Native auditing –  Not practical because of performance overhead; DB servers at 99% capacity •  Results: Now auditing 1M+ sessions per day (GRANTs, DDL, etc.) –  Caught DBAs accessing databases with Excel & shared credentials –  Producing daily automated reports for SOX with sign-off by oversight teams –  Automated change control reconciliation using ticket IDs –  Passed 2 external audits © 2009 IBM Corporation
  26. 26. Securing Customer Data for European Telco •  Who: Global telco with 70M mobile customers; €30B revenue. •  Need: Ensure privacy of call records for compliance with data privacy laws. –  Phase 1: Safeguard OSS systems –  Phase 2: Safeguard BSS systems •  Environment: 15 heterogeneous, geographically-distributed data centers –  Oracle, SQL Server, Informix, Sybase –  HP-UX, HP Tru64, Solaris, Windows, UNIX –  SAP, Remedy plus in-house applications (billing, Web portal, etc.) •  Alternatives considered: Native auditing; Oracle Audit Vault. –  Not practical because of performance overhead; lack of granularity; non-support for older versions; need for multi-DBMS support. •  Results: –  Deployed to 12 initial data centers in only 2 weeks! –  Now auditing all traffic in high-traffic environment; centrally managed. –  Passed several external audits –  Future plans: Implement application user monitoring; 2-factor authentication; expand scope to other applications. © 2009 IBM Corporation
  27. 27. Simplifying Enterprise Security for Dell •  Need: –  Improve database security for SOX, PCI & SAS70 –  Simplify & automate compliance controls •  Guardium Deployment: Published case study in Dell Power Solutions –  Phase 1: Deployed to 300 DB servers in 10 data centers (in 12 weeks) –  Phase 2: Deployed to additional 725 database servers •  Environment : –  Oracle & SQL Server on Windows, Linux; Oracle RAC, SQL Server clusters –  Oracle EBS, JDE, Hyperion plus in-house applications •  Previous Solution: Native logging (MS) or auditing (Oracle) with in-house scripts –  Supportability issues; DBA time required; massive data volumes; SOD issues. •  Results: Automated compliance reporting; real-time alerting; centralized cross-DBMS policies; closed-loop change control with Remedy integration –  Guardium “successfully met Dell’s requirements without causing outages to any databases; produced a significant reduction in auditing overhead in databases.” © 2009 IBM Corporation
  28. 28. Addressing the Full Database Security Lifecycle Monitor Audit & & Enforce Report Critical Data Infrastructure Discover Assess & & Classify Harden 28 © 2009 IBM Corporation
  29. 29. Granular Policies with Detective & Preventive ControlsApplication Database Server Server10.10.9.244 © 2009 IBM Corporation
  30. 30. Enforcing Change Control Policies Tag DBA actions with ticket IDs Compare observed changes to approved changes Identify unauthorized changes (red) or changes with invalid ticket IDs © 2009 IBM Corporation 30
  31. 31. Auditing Database Configuration Changes •  Tracks changes to files, environment variables, registry settings, scripts, etc. that can affect security posture •  200+ pre-configured, customizable templates for all major OS/DBMS configurations 31 © 2009 IBM Corporation
  32. 32. Cross-DBMS, Data-Level Access Control (S-GATE) Application   Cross-DBMS policies Servers SQL Oracle,   Block privileged user actions DB2, Privileged   No database changes MySQL, Users Sybase, etc.   No application changes Issue SQL S-GATE   Without risk of inline Hold SQL appliances that can interfereOutsourced DBA Connection terminated with application traffic Check Policy On Appliance Policy Violation: Drop Connection Session Terminated © 2009 IBM Corporation
  33. 33. Discovering & Classifying Sensitive Data   Discover databases   Discover sensitive data   Policy-based actions   Alerts   Add to group of sensitive objects 33 © 2009 IBM Corporation
  34. 34. Identifying Fraud at the Application Layer Joe Marc • Issue: Application server uses generic service account to access DB –  Doesn’t identify who initiated transaction (connection pooling) • Solution: Guardium tracks access to application user User associated with specific SQL commands (Generic) –  Out-of-the-box support for all major enterprise applications (Oracle EBS, PeopleSoft, SAP, Siebel,Application Business Objects, Cognos…) and custom Database Server applications (WebSphere …) Server –  No changes required to applications –  Deterministic tracking of user IDs   Does not rely on time-based “best-guess” 34 © 2009 IBM Corporation
  35. 35. Automated Sign-offs & Escalations for Compliance •  Automates entire compliance workflow •  Report distribution to oversight team •  Electronic sign-offs •  Escalations •  Comments & exception handling •  Addresses auditors’ requirements to document oversight processes •  Results of audit process stored with audit data in secure audit repository •  Streamlines and simplifies compliance processes © 2009 IBM Corporation
  36. 36. Database Servers = Majority of Compromised Records SQL injection played a role in 79% of records compromised during 2009 breaches 2009 Data Breach Report from Verizon Business RISK Team © 2009 IBM Corporation