IBM Software    October 2012
Thought Leadership White Paper

Three guiding principles to improve data security and compliance
A holistic approach to data protection for a complex threat landscape
Three Guiding Principles to Improve Your Data Security and Compliance Strategy

Executive summary

News headlines about the increasing frequency of information and identity theft have focused awareness on data security and privacy breaches — and their consequences. In response to this issue, regulations have been enacted around the world. Although the specifics of the regulations may differ, failure to ensure compliance can result in significant financial penalties, criminal prosecution and loss of customer loyalty.

In addition, the information explosion, the proliferation of endpoint devices, growing user volumes, and new computing models like cloud, social business and big data have created new vulnerabilities. To secure sensitive data and address compliance requirements, organizations need to adopt a more proactive and systematic approach.

Since data is a critical component of daily business operations, it is essential to ensure privacy and protect data no matter where it resides. Different types of information have different protection requirements; therefore, organizations must take a holistic approach to safeguarding information:

• Understand where the data exists: Organizations can’t protect sensitive data unless they know where it resides and how it’s related across the enterprise.
• Safeguard sensitive data, both structured and unstructured: Structured data contained in databases must be protected from unauthorized access. Unstructured data in documents, forms, image files, GPS systems and more requires privacy policies to redact (remove) sensitive information while still allowing needed business data to be shared.
• Protect non-production environments: Data in non-production, development, training and quality assurance environments needs to be protected, yet still usable during the application development, testing and training processes.
• Secure and continuously monitor access to the data: Enterprise databases, data warehouses, file shares and Hadoop-based systems require real-time monitoring to ensure data access is protected and audited. Policy-based controls based on access patterns are required to rapidly detect unauthorized or suspicious activity and alert key personnel. In addition, sensitive data repositories need to be protected against new threats or other malicious activity and continually monitored for weaknesses.
• Demonstrate compliance to pass audits: It’s not enough to develop a holistic approach to data security and privacy; organizations must also demonstrate and prove compliance to third-party auditors.

IBM® solutions for data security and privacy are designed to support this holistic approach and incorporate intelligence to proactively address IT threats and enterprise risks. IBM has developed three simple guiding principles (Understand and Define, Secure and Protect, and Monitor and Audit) to help organizations achieve better security and compliance without impacting production systems or straining already-tight budgets.

Making sense of the buzz: Why the growing focus on data protection?

Data security is a moving target; as data grows, more sophisticated threats emerge, the number of regulations increases, and changing economic times make it difficult to secure and protect data. New attack vectors including cyber security threats (worms, trojans, rootkits, rogues, dialers and spyware) and security complexities resulting from changing IT architectures (virtualization, big data, open enterprise initiatives, consumerization and employee mobility) challenge organizations to focus on data protection (see Figure 1).

According to the October 2011 report “Databases are More at Risk Than Ever,” which surveyed 355 data security professionals, one-fourth of respondents felt that a data breach in 2012 was likely or inevitable. Only 36 percent of organizations have taken steps to ensure their applications are not subject to SQL injection attacks, and over 70 percent take longer than three months to apply critical patch updates, giving attackers the opportunity they are looking for. Most respondents are unable to tell whether there has been unauthorized access or changes to their databases. In many cases, a breach would go undetected for months or longer, as only 40 percent of organizations audit their databases on a regular basis.

Prevention strategies are almost non-existent at most companies. Only one-fourth of respondents say they are able to stop abuse of privileges by authorized database users, especially highly privileged users such as database administrators, before it happens. Only 30 percent encrypt sensitive and personally identifiable information in all their databases, despite data privacy regulations worldwide requiring encryption for data at rest. Additionally, most admit to having sensitive data in non-production environments that is accessible to developers, testing and even third parties.

Changes in IT environments and evolving business initiatives

Security policies and corresponding technologies must evolve as organizations embrace new business initiatives such as outsourcing, virtualization, cloud, mobile, Enterprise 2.0, big data and social business. This evolution means organizations need to think more broadly about where sensitive data resides and how it is accessed. Organizations must also consider a broad array of both structured and unstructured sensitive data, including customer information, trade secrets, intellectual property, development plans, competitive differentiators and more.

Smarter, more sophisticated hackers

Many organizations are now struggling with the widening gap between hacker capabilities and security defenses. The changing nature, complexity and larger scale of outside attacks are cause for concern. Previously, the most critical concern was virus outbreaks or short denial-of-service attacks, which would create a temporary pause in business operations. Today, hackers are becoming more savvy and interconnected; they leverage social networks, purchase pre-packaged “hacking” applications and might even be state sponsored. By penetrating the perimeter and infiltrating the network, new advanced persistent threats (APTs) exploit employee knowledge gaps, process weaknesses and technology vulnerabilities in random combinations to steal customer data or corporate data, such as trade secrets, resulting in the potential for billions of dollars of lost business, fines and lawsuits, and irreparable damage to an organization’s reputation.

According to the 2012 Verizon Data Breach Investigations Report, the most commonly used venue for breaches was exploiting default or easily guessed passwords (with 29 percent of the cases) followed by backdoor malware (26 percent), use of stolen credentials (24 percent), exploiting backdoor or command and control channels (23 percent), and keyloggers and spyware (18 percent). SQL injection attacks accounted for 13 percent of the breaches. As for the targets, 90 percent of the breaches Verizon investigated went after servers, mainly point-of-sale servers, web and app servers, and database servers.

Regulatory compliance mandates

The number and variety of regulatory mandates are too numerous to name here, and they affect organizations around the globe. Some of the most prevalent mandates include the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS) (enforcement of which has firmly started expanding beyond North America), the Federal Information Security Management Act (FISMA), and the EU Data Privacy Directive. Along with the rising number of regulatory mandates is the increased pressure to show immediate compliance. Enterprises are under tremendous time pressure and need to show immediate progress to the business and shareholders, or face reputation damage and stiff financial penalties.

Information explosion

The explosion in digital information is mind-boggling. In 2009, the world had about 0.8 zettabytes of data. In 2012, it is estimated to be 1.8 ZBs. This is an amazing number, considering a zettabyte is a trillion gigabytes. The information explosion has made access to public and private information a part of everyday life. The digital explosion also brings an increase in the volume, variety and velocity of data. Organizations need to understand the unique challenges that big data brings, such as large-scale cloud infrastructures, diversity of data sources and formats, the streaming nature of data acquisition, and high-volume data aggregation.

Critical business applications typically collect this information for legitimate purposes; however, given the interconnected nature of the Internet and information systems, as well as enterprise ERP, CRM and custom business applications, sensitive data is easily subject to theft and misuse.
Insider threats

A high percentage of data breaches actually emanate from internal weaknesses. These breaches range from employees who may misuse payment card numbers and other sensitive information to those who save confidential data on laptops that are subsequently stolen. Furthermore, organizations are also accountable for protecting data no matter where the data resides — be it with business partners, consultants, contractors, vendors or other third parties.

In summary, organizations are focusing more heavily on data security and privacy concerns. They are looking beyond developing point solutions for specific pains and toward building security and privacy policies and procedures into the enterprise. Building security into business and IT policies is especially important as they embrace the new era of computing.

Security versus privacy

Security and privacy are related, but they are distinct concepts. Security is the infrastructure-level lockdown that prevents or grants access to certain areas or data based on authorization. In contrast, privacy restrictions control access for users who are authorized to access a particular set of data. Data privacy ensures those who have a legitimate business purpose to see a subset of that data do not abuse their privileges. That business purpose is usually defined by job function, which is defined in turn by regulatory or management policy, or both. Some examples of data security solutions include database activity monitoring and database vulnerability assessments. Some examples of data privacy solutions include data redaction and data masking. In a recent case illustrating this distinction, physicians at UCLA Medical Center were caught going through celebrity Britney Spears’ medical records. The hospital’s security policies were honored since physicians require access to medical records, but privacy concerns exist since the physicians were accessing the file out of curiosity and not for a valid medical purpose.

The stakes are high: Risks associated with insufficient data security and privacy

Corporations and their officers may face fines from USD5,000 to USD1 million per day, and possible jail time if data is misused. According to the Ponemon Institute, “2011: Cost of Data Breach Study” (published March 2012), the average organizational cost of a data breach in 2011 was USD5.5 million. Data breaches in 2011 cost their companies an average of USD194 per compromised record. The number of breached records per incident in 2011 ranged from approximately 4,500 records to more than 98,000 records. In 2011, the average number of breached records was 28,349.

The most expensive breach studied by Ponemon Institute (2010 Annual Study: U.S. Cost of a Data Breach, 2011) took USD35.3 million to resolve, up USD4.8 million (15 percent) from 2009. The least expensive data breach was USD780,000, up USD30,000 (4 percent) from 2009. As in prior years, data breach cost appears to be directly proportional to the number of records compromised.

Hard penalties are only one example of how organizations can be harmed; other negative impacts include erosion in share price caused by investor concern and negative publicity resulting from a data breach. Irreparable brand damage identifies a company as one that cannot be trusted.

Five common sources of risk include:

• Excessive privileges and privileged user abuse. When users (or applications) are granted database privileges that exceed the requirements of their job function, these privileges may be used to gain access to confidential information.
• Unauthorized privilege elevation. Attackers may take advantage of vulnerabilities in database management software to convert low-level access privileges to high-level access privileges.
• SQL injection. SQL injection attacks involve a user who takes advantage of vulnerabilities in front-end web applications and stored procedures to send unauthorized database queries, often with elevated privileges. Using SQL injection, attackers could even gain unrestricted access to an entire database.
• Denial of service. Denial of service (DoS) may be invoked through many techniques. Common DoS techniques include buffer overflows, data corruption, network flooding and resource consumption. The latter is unique to the database environment and frequently overlooked.
• Exposure of backup data. Some recent high-profile attacks have involved theft of database backup tapes and hard disks which were not encrypted.

Figure 1: Analysis of malicious or criminal attacks experienced according to the 2011 Cost of Data Breach Study conducted by the Ponemon Institute (published March 2012). (Figure not reproduced; only the caption survived extraction.)

Barriers to implementation: Challenges associated with protecting data

So with the market focused on security and the risks clearly documented, why haven’t organizations adopted a holistic approach to data protection? Why are organizations overwhelmed by new threats?

The reality is that significant challenges and complexities exist. For one, there are numerous vendor solutions available that are focused on one approach or one aspect of data protection. Few look across the range of threats and data types and sources to deliver a holistic strategy which can be flexible as new threats arise and new computing models are embraced. Next, few organizations have the funding or resources to implement another process-heavy initiative. Organizations need to build security and privacy policies into their daily operations and gather support for these policies across the enterprise including IT staff, business leaders, operations, and legal departments. Privacy requirements do vary by role, and understanding who needs access to what data is not a trivial task. Third, the manual or homegrown data protection approaches many organizations use today lead to higher risk and inefficiency. Manual approaches typically don’t protect a diverse set of data types in both structured and unstructured settings, and do not scale as organizations grow. Finally, the rising number of compliance regulations with time-sensitive components adds more operational stress, rather than clarifying priorities.

Organizations require a fresh approach to data protection — one which ensures that they build security and privacy rules into their best practices, and helps, rather than hinders, their bottom line. Numerous driving factors combined with high stakes make figuring out how to approach data security and privacy an important priority.

Leveraging a holistic data security and privacy approach

Organizations need a holistic approach to data protection. This approach should protect diverse data types across physical, cloud and big data environments, and include the protection of structured and unstructured data in both production and non-production (development, test and training) environments. Such an approach can help focus limited resources without added processes or increased complexity. A holistic approach also helps organizations to demonstrate compliance without interrupting critical business processes or daily operations.

To get started, organizations should consider six key questions. These questions are designed to help focus attention on the most critical data vulnerabilities:

1. Where does sensitive data reside across the enterprise?
2. How can access to your enterprise databases be protected, monitored and audited?
3. How can data be protected from both authorized and unauthorized access?
4. Can confidential data in documents be safeguarded while still enabling the necessary business data to be shared?
5. Can data in non-production environments be protected, yet still be usable for training, application development and testing?
6. What types of data encryption are appropriate?

The answers to these questions provide the foundation for a holistic approach to data protection that scales as organizations embrace the new era of computing. The answers also help organizations focus in on key areas they may be neglecting with current approaches.

1. Organizations can’t protect data if they don’t know it exists. Sensitive data resides in structured and unstructured formats in production environments and non-production environments. Organizations need to document and define all data assets and relationships, no matter what the source. It is important to classify enterprise data, understand data relationships and define service levels. The data discovery process analyzes data values and data patterns to identify the relationships that link disparate data elements into logical units of information, or “business objects” (such as customer, patient or invoice).
2. Activity monitoring provides privileged and non-privileged user and application access monitoring that is independent of native database logging and audit functions. It can function as a compensating control for privileged user separation-of-duties issues by monitoring all administrator activity. Activity monitoring also improves security by detecting unusual database, data warehouse, file share or Hadoop systems read and update activities from the application layer. Event aggregation, correlation and reporting provide an audit capability without the need to enable native audit functions. Activity monitoring solutions should be able to detect malicious activity or inappropriate or unapproved privileged user access.
3. Data should be protected through a variety of data transformation techniques including encryption, masking and redaction. Defining the appropriate business use for enterprise data will dictate the appropriate data transformation policy. For example, a policy could be established to mask data on screen or on the fly to prevent call center employees from viewing national identification numbers. Another example could be masking revenue numbers in reports shared with business partners or third-party vendors.
4. Data redaction can remove sensitive data from forms and documents based on job role or business purpose. For example, physicians need to see sensitive information such as symptoms and prognosis data, whereas a billing clerk needs the patient’s insurance number and billing address. The challenge is to provide the appropriate protection, while meeting business needs and ensuring that data is managed on a “need-to-know” basis. Data redaction solutions should protect sensitive information in unstructured documents, forms and graphics.
5. De-identifying data in non-production environments is simply the process of systematically removing, masking or transforming data elements that could be used to identify an individual. Data de-identification enables developers, testers and trainers to use realistic data and produce valid results, while still complying with privacy protection rules. Data that has been scrubbed or cleansed in such a manner is generally considered acceptable to use in non-production environments and ensures that even if the data is stolen, exposed or lost, it will be of no use to anyone.
6. Data encryption is not a new technology, and many different approaches exist. Encryption is explicitly required by many regulations including PCI DSS, and also enables safe harbor provisions in many regulatory mandates. This means organizations are exempt from disclosing data breaches if the data is encrypted. It is challenging for an organization to identify the best encryption approach due to prolific offerings from various vendors. For encrypting structured data, consider a file-level approach. This will protect both structured data in the database management system (DBMS) and also unstructured files such as DBMS log or configuration files, and is transparent to the network, storage and applications. Look for encryption offerings which provide a strong separation of duties and a unified policy and key management system to centralize and simplify data security management.
Meeting data security and compliance challenges

What makes IBM’s approach to data protection unique? Expertise. The alignment of people, process, technology and information separates the IBM data security and privacy solutions from the competition. The goal of the IBM portfolio is to help organizations meet legal, regulatory and business obligations without adding additional overhead. This helps organizations support compliance initiatives, reduce costs, minimize risk and sustain profitable growth. In addition, IBM has integrated data security into a broader security framework. The IBM Security Framework (see Figure 2) and associated best practices provide the expertise, data analysis, and maturity models to give IBM’s clients the opportunity to embrace innovation with confidence.

Figure 2: The IBM Security Framework. (Figure not reproduced; the labels that survived extraction are “Security Intelligence, Analytics and GRC”, “Cloud and Managed” and “Software and Appliances”.)

To address data security and compliance, IBM has defined three guiding principles to ensure a holistic data protection approach: Understand and Define, Secure and Protect, and Monitor and Audit. By following these three principles, organizations can improve their overall security posture and help meet compliance mandates with confidence.

Understand and define

Organizations must discover where sensitive data resides, classify and define data types, and determine metrics and policies to ensure protection over time. Data can be distributed over multiple applications, databases and platforms with little documentation. Many organizations rely too heavily on system and application experts for this information. Sometimes, this information is built into application logic, and hidden relationships might be enforced behind the scenes.

Finding sensitive data and discovering data relationships requires careful analysis. Data sources and relationships should be clearly understood and documented so no sensitive data is left vulnerable. Only after understanding the complete landscape can organizations define proper enterprise data security and privacy policies.

IBM InfoSphere® Discovery is designed to identify and document what data you have, where it is located and how it’s linked across systems by intelligently capturing relationships and determining applied transformations and business rules. It helps automate the identification and definition of data relationships across complex, heterogeneous environments.

Without an automated process to identify data relationships and define business objects, organizations can spend months performing manual analysis — with no assurance of completeness or accuracy. IBM InfoSphere Discovery, on the other hand, can help automatically and accurately identify relationships and define business objects in a fraction of the time required using manual or profiling
                                                                                  approaches. It accommodates a wide range of enterprise
                                                                                  data sources, including relational databases, hierarchical
Figure 2: IBM is the only vendor providing a sophisticated security
framework with security intelligence across people, data, applications            databases and any structured data source represented in
and infrastructure.                                                               text file format.
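To make the discovery step concrete, here is an added example (not IBM InfoSphere Discovery code, and not from this paper) that runs the two analyses the paragraphs above describe over two constructed sample extracts: it classifies columns as sensitive from column-name hints and value patterns, and it infers an undocumented relationship between sources by inclusion-dependency testing (every sampled value of a candidate foreign-key column appears in a unique column of another source). The source names, column names and rows are constructed; the hint and pattern tables are assumptions that a real tool would replace with a fuller catalogue.

```python
"""Added example (not IBM InfoSphere Discovery code): classify sensitive
columns and infer undocumented relationships across constructed sources."""
import re
from itertools import permutations

# Constructed sample extracts from two hypothetical systems; a real run
# would sample these rows from the live sources.
SOURCES = {
    "crm.customers": [
        {"cust_id": "C100", "full_name": "Ada Lovelace", "ssn": "123-45-6789", "contact": "ada@example.org"},
        {"cust_id": "C101", "full_name": "Alan Turing", "ssn": "987-65-4321", "contact": "alan@example.org"},
    ],
    "billing.invoices": [
        {"inv_no": "I-1", "acct_ref": "C100", "card_no": "4111111111111111", "amount": "120.00"},
        {"inv_no": "I-2", "acct_ref": "C101", "card_no": "5500000000000004", "amount": "42.50"},
        {"inv_no": "I-3", "acct_ref": "C100", "card_no": "4111111111111111", "amount": "8.00"},
    ],
}

# Two classification signals (assumed, minimal): column-name hints and
# value patterns. "contact" carries no name hint, so only its values reveal it.
NAME_HINTS = {"ssn": "SSN", "email": "EMAIL", "card": "PAN", "name": "NAME"}
VALUE_PATTERNS = {
    "SSN": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "EMAIL": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "PAN": re.compile(r"^\d{13,19}$"),
}


def classify_columns(sources):
    """Return {(source, column): label} for columns that look sensitive.
    A column is labelled when its name carries a hint, or when every
    non-empty sampled value matches one of the patterns."""
    found = {}
    for src, rows in sources.items():
        for col in rows[0]:
            label = next((lab for hint, lab in NAME_HINTS.items()
                          if hint in col.lower()), None)
            values = [r[col] for r in rows if r[col]]
            if label is None and values:
                label = next((lab for lab, pat in VALUE_PATTERNS.items()
                              if all(pat.match(v) for v in values)), None)
            if label:
                found[(src, col)] = label
    return found


def infer_relationships(sources):
    """Candidate foreign-key links (child -> parent) between different
    sources: every sampled child value appears in the parent column and
    the parent column is unique, i.e. an inclusion dependency on a key."""
    cols = {(src, col): [r[col] for r in rows]
            for src, rows in sources.items() for col in rows[0]}
    links = []
    for child, parent in permutations(cols, 2):
        if child[0] == parent[0]:
            continue
        pvals = set(cols[parent])
        if len(pvals) != len(cols[parent]):   # parent must be a key
            continue
        if cols[child] and all(v in pvals for v in cols[child]):
            links.append((".".join(child), ".".join(parent)))
    return links


if __name__ == "__main__":
    for (src, col), label in classify_columns(SOURCES).items():
        print(f"{src}.{col}: {label}")
    for child, parent in infer_relationships(SOURCES):
        print(f"{child} -> {parent}")
```

The relationship found here (invoice account references pointing at customer ids) is exactly the kind of link that lives only in application logic: nothing in either schema declares it, yet a masking or retention policy applied to one side without the other would break it.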

In summary, IBM InfoSphere Discovery helps organizations:

• Locate and inventory the data sources across the enterprise
• Identify and classify sensitive data
• Understand data relationships
• Define and document privacy rules
• Document and manage ongoing requirements and threats

Secure and protect
Data security and privacy solutions should span a heterogeneous enterprise, and protect both structured and unstructured data across production and non-production environments (see Figure 3). IBM InfoSphere solutions help protect sensitive data in ERP/CRM applications, databases, warehouses, file shares and Hadoop-based systems, and also in unstructured formats such as forms and documents. Key technologies include activity monitoring, data masking, data redaction and data encryption. InfoSphere Guardium provides enterprise-wide controls and capabilities across many platforms and data sources, enhancing the investments made in platforms, such as RACF on System z, that provide built-in security models that leverage data sources such as DB2 for z/OS, IMS, and VSAM. A holistic data protection approach ensures a 360-degree lockdown of all organizational data.

For each type of data (structured, unstructured, offline and online), we recommend different technologies to keep it safe. Keep in mind that the various data types exist in both production and non-production environments.

Structured data: This data is based on a data model, and is available in structured formats like databases or XML.

Unstructured data: This data is in forms or documents which may be handwritten, typed or in file repositories, such as word processing documents, email messages, pictures, digital audio, video, GPS data and more.

Online data: This is data used daily to support the business, including metadata, configuration data or log files.

Offline data: This is data in backup tapes or on storage devices.

[Figure 3 (diagram; image not reproduced): four data-type quadrants around a “Production & Non-Production” core:
• Structured Data, data in heterogeneous databases (Oracle, DB2, Netezza, Informix, Sybase, Sun MySQL, Teradata): Activity Monitoring, Vulnerability Assessment, Data Masking, Data Encryption
• Unstructured Data, data not in databases (Hadoop, file shares, e.g. SharePoint, .TIF, .PDF, .doc, scanned documents): Data Redaction, Activity Monitoring, Data Masking
• Offline Data, labelled only “Data extracted from” in the source: Data Encryption
• Online Data, data in daily use: Activity Monitoring, Vulnerability Assessment, Data Masking, Data Encryption]

Figure 3: When developing a data security and privacy strategy, it is important to consider all data types across production and non-production environments.

Keep in mind these four basic data types are exploding in terms of volume, variety and velocity. Many organizations are looking to include these data types in big data systems such as Netezza or Hadoop for deeper analysis.

IBM InfoSphere Guardium® Activity Monitor and Vulnerability Assessment provide a security solution which addresses the entire database security and compliance life cycle with a unified web console, back-end data store and workflow automation system, enabling you to:

• Assess database and data repository vulnerabilities and configuration flaws
• Ensure configurations are locked down after recommended changes are implemented
• Provide 100-percent visibility and granularity into all data source transactions — across all platforms and protocols — with a secure, tamper-proof audit trail that supports separation of duties
• Monitor and enforce policies for sensitive data access, privileged user actions, change control, application user activities and security exceptions such as failed logins
• Automate the entire compliance auditing process — including report distribution to oversight teams, sign-offs and escalations — with preconfigured reports for SOX, PCI DSS and data privacy
• Create a single, centralized audit repository for enterprise-wide compliance reporting, performance optimization, investigations and forensics
• Easily scale from safeguarding a single database to protecting thousands of databases, data warehouses, file shares or Hadoop-based systems in distributed data centers around the world

Traditionally, protecting unstructured information in forms, documents and graphics has been performed manually by deleting electronic content and using a black marking pen on paper to delete or hide sensitive information. But this manual process can introduce errors, inadvertently omit information and leave behind hidden information within files that exposes sensitive data. Today’s high volumes of electronic forms and documents make this manual process too burdensome for practical purposes, and increase an organization’s risk of exposure.

IBM InfoSphere Guardium Data Redaction protects sensitive information buried in unstructured documents and forms from unintentional disclosure. The automated solution lends efficiency to the redaction process by detecting sensitive information and automatically removing it from the version of the documents made available to unprivileged readers. Based on industry-leading software redaction techniques, InfoSphere Guardium Data Redaction also offers the flexibility of human review and oversight if required.

IBM InfoSphere Optim™ Data Masking Solution provides a comprehensive set of data masking techniques that can support your data privacy compliance requirements on demand, including:

• Application-aware masking capabilities help ensure that masked data, like names and street addresses, resembles the look and feel of the original information (see Figure 4).
• Context-aware, prepackaged data masking routines make it easy to de-identify elements such as payment card numbers, Social Security numbers, street addresses and email addresses.
• Persistent masking capabilities propagate masked replacement values consistently across applications, databases, operating systems and hardware platforms.
• Static or dynamic data masking supports both production and non-production environments.

With InfoSphere Optim, organizations can de-identify data in a way that is valid for use in development, testing and training environments, while protecting data privacy.

Figure 4: Personally identifiable information is masked with realistic but fictional data.
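The redaction and masking behaviour described above, as an added example that is not the paper’s or IBM’s code: constructed detectors for payment card numbers (with a Luhn check), Social Security numbers and email addresses drive two outputs. `redact_text` removes the matches from the copy an unprivileged reader sees and lists long digit runs that failed the Luhn check for human review; `mask_text` replaces the matches with format-preserving fictional values that keep the original’s look and feel (same length, Luhn-valid, same email domain) and, because each replacement is keyed with HMAC under a shared secret, the same input maps to the same value on every system that holds the key, which is the persistent property. `MASK_KEY`, the patterns and `DOC` are constructed for the example.

```python
"""Added example (not IBM Optim or Guardium Data Redaction code): detect
PII in text, then either redact it or mask it consistently."""
import hashlib
import hmac
import re

# Constructed secret. Persistent masking needs every masking system to
# hold the same key; in practice it lives in a key manager, not in code.
MASK_KEY = b"constructed-demo-key-do-not-reuse"

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b\d{13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_ok(digits):
    """Luhn check: separates real card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _prf_digits(label, value, n):
    """n deterministic decimal digits derived from HMAC(MASK_KEY, label:value)."""
    mac = hmac.new(MASK_KEY, f"{label}:{value}".encode(), hashlib.sha256).hexdigest()
    return str(int(mac, 16)).zfill(n)[:n]


def mask_pan(pan):
    """Same length, same leading (brand) digit, Luhn-valid, deterministic."""
    body = pan[0] + _prf_digits("pan", pan, len(pan) - 2)
    check = next(d for d in "0123456789" if luhn_ok(body + d))
    return body + check


def mask_ssn(ssn):
    d = _prf_digits("ssn", ssn, 9)
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"


def mask_email(email):
    """Fictional local part, original domain kept so the value still looks right."""
    domain = email.split("@", 1)[1]
    tag = hmac.new(MASK_KEY, b"email:" + email.encode(), hashlib.sha256).hexdigest()[:8]
    return f"user{tag}@{domain}"


def mask_text(text):
    """De-identify for non-production use: realistic, format-preserving,
    and the same replacement for the same input wherever the key is shared."""
    text = SSN_RE.sub(lambda m: mask_ssn(m.group()), text)
    text = PAN_RE.sub(lambda m: mask_pan(m.group()) if luhn_ok(m.group()) else m.group(), text)
    return EMAIL_RE.sub(lambda m: mask_email(m.group()), text)


def redact_text(text):
    """Copy for unprivileged readers, plus the digit runs that did not pass
    the Luhn check and are left for a human reviewer to decide on."""
    review = [m.group() for m in PAN_RE.finditer(text) if not luhn_ok(m.group())]
    text = SSN_RE.sub("[REDACTED-SSN]", text)
    text = PAN_RE.sub(lambda m: "[REDACTED-PAN]" if luhn_ok(m.group()) else m.group(), text)
    return EMAIL_RE.sub("[REDACTED-EMAIL]", text), review


# Constructed document for the demonstration.
DOC = ("Customer Ada Lovelace (SSN 123-45-6789, ada@example.org) paid with "
       "card 4111111111111111; reference number 1234567890123 is on file.")

if __name__ == "__main__":
    redacted, review = redact_text(DOC)
    print(redacted)
    print("for human review:", review)
    print(mask_text(DOC))
```

Two design points carry over to real deployments: the masking function is keyed, not hashed, so a masked value cannot be reversed by anyone who can guess the input and recompute a public hash; and redaction reports what it was unsure about rather than silently leaving it in place, which is where the manual black-marker process described above tends to fail.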

IBM InfoSphere Guardium Data Encryption provides a single, manageable and scalable solution to encrypt enterprise data without sacrificing application performance or creating key management complexity. InfoSphere Guardium Data Encryption helps solve the challenges of invasive and point approaches through a consistent and transparent approach to encrypting and managing enterprise data security. Unlike invasive approaches such as column-level database encryption, PKI-based file encryption or native point encryption, IBM InfoSphere Guardium Data Encryption offers a single, transparent solution that is also easy to manage. This unique approach to encryption provides the best of both worlds: seamless support for information management needs combined with strong, policy-based data security. Agents provide a transparent shield that evaluates all information requests against easily customizable policies and provides intelligent decryption-based control over reads, writes, and access to encrypted contents. This high-performance solution is ideal for distributed environments, and agents deliver consistent, auditable and non-invasive data-centric security for virtually any file, database or application — anywhere it resides.

In summary, InfoSphere Guardium Data Encryption provides:

• A single, consistent, transparent encryption method across complex enterprises
• An auditable, enterprise-executable, policy-based approach
• Among the fastest implementation processes achievable, requiring no application, database or system changes
• Simplified, secure and centralized key management across distributed environments
• Intelligent, easy-to-customize data security policies for strong, persistent data security
• Strong separation of duties
• Top-notch performance with proven ability to meet SLAs for mission-critical systems

IBM Tivoli® Key Lifecycle Manager helps IT organizations better manage the encryption key life cycle by enabling them to centralize and strengthen key management processes. It can manage encryption keys for IBM self-encrypting storage devices as well as non-IBM encryption solutions that use the Key Management Interoperability Protocol (KMIP). IBM Tivoli Key Lifecycle Manager provides the following data security benefits:

• Centralize and automate the encryption key management process
• Enhance data security while dramatically reducing the number of encryption keys to be managed
• Simplify encryption key management with an intuitive user interface for configuration and management
• Minimize the risk of loss or breach of sensitive information
• Facilitate compliance management of regulatory standards such as SOX and HIPAA
• Extend key management capabilities to both IBM and non-IBM products
• Leverage open standards to help enable flexibility and facilitate vendor interoperability

Monitor and audit
After data has been located and locked down, organizations must prove compliance, be prepared to respond to new internal and external risks, and monitor systems on an ongoing basis. Monitoring of user activity, object creation, data repository configurations and entitlements helps IT professionals and auditors trace users between applications and databases. These teams can set fine-grained policies for appropriate behavior and receive alerts if these policies are violated. Organizations need to quickly show compliance and empower auditors to verify compliance status. Audit reporting and sign-offs help facilitate the compliance process while keeping costs low and minimizing technical and business disruptions. In summary, organizations should create continuous, fine-grained audit trails of all database activities, including the “who, what, when, where and how” of each transaction.

IBM InfoSphere Guardium Activity Monitor provides granular, database management system (DBMS)-independent auditing with minimal impact on performance. InfoSphere Guardium is also designed to help organizations reduce operational costs via automation, centralized cross-DBMS policies and audit repositories, and filtering and compression.
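An added illustration (not Guardium Data Encryption or Tivoli Key Lifecycle Manager code) of the two ideas in the encryption and key management passages above: a transparent agent that checks each read or write against a policy and records the decision before it touches any ciphertext, and a central key manager that keeps per-file data keys wrapped under a master key, so that rotating the master re-wraps the data keys and retires the old master without re-encrypting the data itself. Because the Python standard library has no AES, the `seal`/`open_` pair is an encrypt-then-MAC stand-in built from HMAC-SHA256 in counter mode; production code would use an AEAD such as AES-GCM from a vetted library. `POLICY`, the principals and the paths are constructed.

```python
"""Added example (not Guardium Data Encryption or TKLM code): policy-gated
transparent encryption with a central key manager and master-key rotation."""
import hashlib
import hmac
import secrets


def _subkey(key, purpose):
    return hmac.new(key, purpose, hashlib.sha256).digest()


def _keystream(enc_key, nonce, n):
    """PRF counter mode: HMAC(enc_key, nonce || counter), truncated to n bytes."""
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC stand-in for an AEAD such as AES-GCM."""
    enc, mac = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()


def open_(key, blob):
    """Reject any modified blob before decrypting."""
    enc, mac = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


class KeyManager:
    """Central key store. Data keys are held only in wrapped form under the
    active master; rotation re-wraps them and retires the old master."""

    def __init__(self):
        self.masters = {}       # master_id -> [key bytes, state]
        self.wrapped = {}       # data_key_id -> (master_id, wrapped key)
        self.active = None
        self.rotate_master()

    def rotate_master(self):
        new_id, new_key = f"master-{len(self.masters) + 1}", secrets.token_bytes(32)
        self.masters[new_id] = [new_key, "active"]
        if self.active is not None:
            old_key = self.masters[self.active][0]
            for dk_id, (mid, blob) in list(self.wrapped.items()):
                if mid == self.active:
                    self.wrapped[dk_id] = (new_id, seal(new_key, open_(old_key, blob)))
            self.masters[self.active][1] = "retired"
        self.active = new_id
        return new_id

    def new_data_key(self):
        dk_id, dk = f"dk-{len(self.wrapped) + 1}", secrets.token_bytes(32)
        self.wrapped[dk_id] = (self.active, seal(self.masters[self.active][0], dk))
        return dk_id, dk

    def unwrap(self, dk_id):
        mid, blob = self.wrapped[dk_id]
        key, state = self.masters[mid]
        if state != "active":
            raise PermissionError(f"{dk_id} is wrapped under retired {mid}")
        return open_(key, blob)


# Constructed policy: (principal, path) -> allowed operations. The DBA may
# store the file but never read clear text, i.e. separation of duties.
POLICY = {
    ("app_svc", "/data/customers.db"): {"read", "write"},
    ("dba", "/data/customers.db"): {"write"},
}


class TransparentAgent:
    """Sits between callers and storage; every request is evaluated against
    POLICY and written to the audit trail before any crypto happens."""

    def __init__(self, km):
        self.km, self.files, self.audit = km, {}, []

    def _check(self, principal, path, op):
        allowed = op in POLICY.get((principal, path), set())
        self.audit.append((principal, path, op, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{principal} may not {op} {path}")

    def write(self, principal, path, data):
        self._check(principal, path, "write")
        dk_id, dk = self.km.new_data_key()
        self.files[path] = (dk_id, seal(dk, data))

    def read(self, principal, path):
        self._check(principal, path, "read")
        dk_id, blob = self.files[path]
        return open_(self.km.unwrap(dk_id), blob)


if __name__ == "__main__":
    km, agent = KeyManager(), TransparentAgent(km)
    agent.write("app_svc", "/data/customers.db", b"secret rows")
    km.rotate_master()
    print(agent.read("app_svc", "/data/customers.db"))
    print(agent.audit)
```

The point of the two-level key hierarchy is operational: the number of keys an administrator manages is the number of masters, not the number of files, and a master can be rotated on schedule (or on suspicion) at the cost of re-wrapping a few kilobytes of data keys rather than re-encrypting terabytes of data.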
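To show what a fine-grained audit trail and policy alerts look like in practice, here is an added example (constructed, not Guardium code). Eight constructed audit records carry the who, what, when, where and how of each statement; `evaluate` applies three of the policies named in the Activity Monitor list above (sensitive-table access by anything but the application account, change-control events by privileged users, and repeated failed logins from one source), and `summary` gives the per-rule counts an oversight report or sign-off would carry. The log format, accounts, table names and thresholds are assumptions.

```python
"""Added example (not Guardium code): evaluate audit policies over a
constructed database audit trail and summarize the alerts."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed audit records, one per statement, carrying the who / what /
# when / where / how of each transaction. Assumed format:
# timestamp|user|source_ip|database|client_program|statement|status
AUDIT_LOG = """\
2012-10-01T09:00:01|app_svc|10.0.0.5|sales|crm-web|SELECT name FROM customers WHERE id=7|OK
2012-10-01T09:02:10|jdoe|10.0.0.77|sales|sqlplus|SELECT ssn, card_no FROM customers|OK
2012-10-01T09:03:00|dba1|10.0.0.9|sales|sqlplus|GRANT ALL ON customers TO jdoe|OK
2012-10-01T09:04:00|dba1|10.0.0.9|sales|sqlplus|ALTER TABLE customers ADD COLUMN note TEXT|OK
2012-10-01T09:05:00|svc_batch|10.0.0.20|sales|cron|UPDATE orders SET status='shipped'|OK
2012-10-01T09:10:00|unknown|203.0.113.4|sales|sqlplus|LOGIN|FAIL
2012-10-01T09:10:05|unknown|203.0.113.4|sales|sqlplus|LOGIN|FAIL
2012-10-01T09:10:09|unknown|203.0.113.4|sales|sqlplus|LOGIN|FAIL
"""

# Assumed policy inputs; a real deployment takes these from the discovery
# and classification step and from the entitlement review.
SENSITIVE_TABLES = {"customers"}
APP_ACCOUNTS = {"app_svc"}
PRIVILEGED = {"dba1"}
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=5)

DML = ("SELECT", "INSERT", "UPDATE", "DELETE")
DDL = ("GRANT", "REVOKE", "ALTER", "DROP", "CREATE")
TABLE_RE = re.compile(r"\b(?:FROM|INTO|UPDATE|ON|TABLE)\s+([A-Za-z_][\w.]*)", re.I)


def parse(log):
    events = []
    for line in log.splitlines():
        ts, who, where, db, how, what, status = line.split("|")
        events.append({"when": datetime.fromisoformat(ts), "who": who, "where": where,
                       "db": db, "how": how, "what": what, "status": status})
    return events


def tables_in(stmt):
    """Table names touched by a statement (simple keyword scan)."""
    return {name.lower() for name in TABLE_RE.findall(stmt)}


def evaluate(events):
    """Apply three policies and return (rule, subject, detail) alerts."""
    alerts, failures = [], defaultdict(list)
    for e in events:
        verb = e["what"].upper()
        # 1. Sensitive data read or changed by anything but the application account.
        if (verb.startswith(DML) and e["status"] == "OK"
                and tables_in(e["what"]) & SENSITIVE_TABLES and e["who"] not in APP_ACCOUNTS):
            alerts.append(("SENSITIVE_ACCESS", e["who"], e["what"]))
        # 2. Change control: schema or privilege changes are always recorded;
        #    from a non-privileged account they are escalated.
        if verb.startswith(DDL):
            rule = "CHANGE_CONTROL" if e["who"] in PRIVILEGED else "UNEXPECTED_DDL"
            alerts.append((rule, e["who"], e["what"]))
        # 3. Security exceptions: repeated failed logins from one source.
        if e["what"] == "LOGIN" and e["status"] == "FAIL":
            recent = [t for t in failures[e["where"]] if e["when"] - t <= FAIL_WINDOW]
            recent.append(e["when"])
            failures[e["where"]] = recent
            if len(recent) == FAIL_THRESHOLD:
                alerts.append(("FAILED_LOGINS", e["where"],
                               f"{FAIL_THRESHOLD} failures within {FAIL_WINDOW}"))
    return alerts


def summary(alerts):
    """Counts per rule, the figure an oversight report or sign-off carries."""
    return Counter(rule for rule, _, _ in alerts)


if __name__ == "__main__":
    found = evaluate(parse(AUDIT_LOG))
    for alert in found:
        print(alert)
    print(dict(summary(found)))
```

Note that the grant to `jdoe` and the later direct read of `customers` by `jdoe` are separate alerts; correlating them (who obtained the entitlement, and who then used it) is exactly what the paper means by tracing users between applications and databases.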

Conclusion: Better Data Security and Compliance
Protecting data security and privacy is a detailed, continuous responsibility which should be part of every best practice. IBM provides an integrated data security and privacy approach delivered through these three guiding principles.

1. Understand and Define
2. Secure and Protect
3. Monitor and Audit

Protecting data requires a 360-degree, holistic approach. With deep, broad expertise in the security and privacy space, IBM can help your organization define and implement such an approach.

IBM solutions are open, modular and support all aspects of data security and privacy, including structured, semi-structured and unstructured data, no matter where it resides. IBM solutions support virtually all leading enterprise databases and operating systems, including IBM DB2®, Oracle, Teradata, Netezza®, Sybase, Microsoft SQL Server, IBM Informix®, IBM IMS™, IBM DB2 for z/OS, IBM Virtual Storage Access Method (VSAM), Microsoft Windows, UNIX, Linux and IBM z/OS®. InfoSphere also supports key ERP and CRM applications — Oracle E-Business Suite, PeopleSoft Enterprise, JD Edwards EnterpriseOne, Siebel and Amdocs CRM — as well as most custom and packaged applications. IBM supports access monitoring for file sharing software such as Microsoft SharePoint and IBM FileNet. IBM also supports Hadoop-based systems such as Cloudera and InfoSphere BigInsights.

About IBM InfoSphere
IBM InfoSphere software is an integrated platform for defining, integrating, protecting and managing trusted information across your systems. The IBM InfoSphere platform provides the foundational building blocks of trusted information, including data integration, data warehousing, master data management and information governance, all integrated around a core of shared metadata and models. The portfolio is modular, allowing you to start anywhere, and mix and match IBM InfoSphere software building blocks with components from other vendors, or choose to deploy multiple building blocks together for increased acceleration and value. The IBM InfoSphere platform provides an enterprise-class foundation for information-intensive projects, providing the performance, scalability, reliability and acceleration needed to simplify difficult challenges and deliver trusted information to your business faster.

About IBM Security
IBM’s security portfolio provides the security intelligence to help organizations holistically protect their people, infrastructure, data and applications. IBM offers solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. IBM operates the world’s broadest security research and development and delivery organization. This consists of nine security operations centers, nine IBM Research centers, 11 software security development labs and an Institute for Advanced Security with chapters in the United States, Europe and Asia Pacific. IBM monitors 13 billion security events per day in more than 130 countries and holds more than 3,000 security patents.

For more information
For more information on IBM security, please visit:

To learn more about IBM InfoSphere solutions for protecting data security and privacy, please contact your IBM sales representative or visit:

To learn more about the new IBM DB2 for z/OS security features, download the Redbook at Redbooks.nsf/RedbookAbstracts/sg247959.html

Additionally, financing solutions from IBM Global Financing can enable effective cash management, protection from technology obsolescence, improved total cost of ownership and return on investment. Also, our Global Asset Recovery Services help address environmental concerns with new, more energy-efficient solutions. For more information on IBM Global Financing, visit:
© Copyright IBM Corporation 2012
IBM Corporation
Software Group
Route 100
Somers, NY 10589

Produced in the United States of America
October 2012

IBM, the IBM logo, DB2, Guardium, IMS, Informix, InfoSphere,
Optim, Tivoli, and z/OS are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current
list of IBM trademarks is available on the Web at “Copyright and trademark
information” at

Linux is a registered trademark of Linus Torvalds in the United States,
other countries or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks
of Microsoft Corporation in the United States, other countries or both.

Netezza is a trademark or registered trademark of Netezza Corporation,
an IBM Company.

UNIX is a registered trademark of The Open Group in the United States
and other countries.

This document is current as of the initial date of publication and may
be changed by IBM at any time. Not all offerings are available in every
country in which IBM operates.

NON-INFRINGEMENT. IBM products are warranted according
to the terms and conditions of the agreements under which they
are provided.

Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix LLC
Abhishek kurre.pptx
Abhishek kurre.pptxAbhishek kurre.pptx
Abhishek kurre.pptxDolchandra
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...Microsoft
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEMJoseph DeFever

Similar to 3 guiding priciples to improve data security (20)

Protective Intelligence
Protective IntelligenceProtective Intelligence
Protective Intelligence
Big data security
Big data securityBig data security
Big data security
Big data security
Big data securityBig data security
Big data security
Bridging the Data Security Gap
Bridging the Data Security GapBridging the Data Security Gap
Bridging the Data Security Gap
Cybersecurity solution-guide
Cybersecurity solution-guideCybersecurity solution-guide
Cybersecurity solution-guide
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
Big Data for Security
Big Data for SecurityBig Data for Security
Big Data for Security
Getting Real About Security Management and “Big Data”
Getting Real About Security Management and “Big Data” Getting Real About Security Management and “Big Data”
Getting Real About Security Management and “Big Data”
The Three Pitfalls of Data Security
The Three Pitfalls of Data SecurityThe Three Pitfalls of Data Security
The Three Pitfalls of Data Security
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekko5 steps-to-mobile-risk-management-whitepaper-golden-gekko
5 steps-to-mobile-risk-management-whitepaper-golden-gekko
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to SuccessAddressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
Addressing the EU GDPR & New York Cybersecurity Requirements: 3 Keys to Success
The Business Case for Data Security
The Business Case for Data SecurityThe Business Case for Data Security
The Business Case for Data Security
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
Proven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS DeckProven Practices to Protect Critical Data - DarkReading VTS Deck
Proven Practices to Protect Critical Data - DarkReading VTS Deck
Opteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdfOpteamix_whitepaper_Data Masking Strategy.pdf
Opteamix_whitepaper_Data Masking Strategy.pdf
Abhishek kurre.pptx
Abhishek kurre.pptxAbhishek kurre.pptx
Abhishek kurre.pptx
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
Cyber Security Conference - A deeper look at Microsoft Security Strategy, Tec...
Guide to high volume data sources for SIEM
Guide to high volume data sources for SIEMGuide to high volume data sources for SIEM
Guide to high volume data sources for SIEM

More from Keith Braswell

Automated Asset Tracking in the Data Center: How IBM Reduced the Time/Cost of...
Automated Asset Tracking in the Data Center: How IBM Reduced the Time/Cost of...Automated Asset Tracking in the Data Center: How IBM Reduced the Time/Cost of...
Automated Asset Tracking in the Data Center: How IBM Reduced the Time/Cost of...Keith Braswell
IBM System i Security Study 2013
IBM System i Security Study 2013IBM System i Security Study 2013
IBM System i Security Study 2013Keith Braswell
Cashing in on customer insight
Cashing in on customer insightCashing in on customer insight
Cashing in on customer insightKeith Braswell
IBV - Collective Intelligence
IBV - Collective IntelligenceIBV - Collective Intelligence
IBV - Collective IntelligenceKeith Braswell
Frontiers of Cloud Computing
Frontiers of Cloud ComputingFrontiers of Cloud Computing
Frontiers of Cloud ComputingKeith Braswell
5 steps to healthy data
5 steps to healthy data5 steps to healthy data
5 steps to healthy dataKeith Braswell

More from Keith Braswell (6)

Automated Asset Tracking in the Data Center: How IBM Reduced the Time/Cost of...
Automated Asset Tracking in the Data Center: How IBM Reduced the Time/Cost of...Automated Asset Tracking in the Data Center: How IBM Reduced the Time/Cost of...
Automated Asset Tracking in the Data Center: How IBM Reduced the Time/Cost of...
IBM System i Security Study 2013
IBM System i Security Study 2013IBM System i Security Study 2013
IBM System i Security Study 2013
Cashing in on customer insight
Cashing in on customer insightCashing in on customer insight
Cashing in on customer insight
IBV - Collective Intelligence
IBV - Collective IntelligenceIBV - Collective Intelligence
IBV - Collective Intelligence
Frontiers of Cloud Computing
Frontiers of Cloud ComputingFrontiers of Cloud Computing
Frontiers of Cloud Computing
5 steps to healthy data
5 steps to healthy data5 steps to healthy data
5 steps to healthy data

Recently uploaded

What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024Stephanie Beckett
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backElena Simperl
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsStefano
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomCzechDreamin
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1DianaGray10
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutesconfluent
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupCatarinaPereira64715
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka DoktorováCzechDreamin
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxDavid Michel
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationZilliz
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCzechDreamin
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyJohn Staveley
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaCzechDreamin
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor TurskyiFwdays
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...Product School
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀DianaGray10
Agentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfAgentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfChristopherTHyatt
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...CzechDreamin

Recently uploaded (20)

What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
ODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User GroupODC, Data Fabric and Architecture User Group
ODC, Data Fabric and Architecture User Group
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Introduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG EvaluationIntroduction to Open Source RAG and RAG Evaluation
Introduction to Open Source RAG and RAG Evaluation
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya HalderCustom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Custom Approval Process: A New Perspective, Pavel Hrbacek & Anindya Halder
Demystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John StaveleyDemystifying gRPC in .Net by John Staveley
Demystifying gRPC in .Net by John Staveley
Powerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara LaskowskaPowerful Start- the Key to Project Success, Barbara Laskowska
Powerful Start- the Key to Project Success, Barbara Laskowska
"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi"Impact of front-end architecture on development cost", Viktor Turskyi
"Impact of front-end architecture on development cost", Viktor Turskyi
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Exploring UiPath Orchestrator API: updates and limits in 2024 🚀
Agentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdfAgentic RAG What it is its types applications and implementation.pdf
Agentic RAG What it is its types applications and implementation.pdf
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...Integrating Telephony Systems with Salesforce: Insights and Considerations, B...
Integrating Telephony Systems with Salesforce: Insights and Considerations, B...

3 guiding priciples to improve data security

  • 1. IBM Software October 2012 Thought Leadership White Paper Three guiding principles to improve data security and compliance A holistic approach to data protection for a complex threat landscape
new vulnerabilities. To secure sensitive data and address compliance requirements, organizations need to adopt a more proactive and systematic approach.

Since data is a critical component of daily business operations, it is essential to ensure privacy and protect data no matter where it resides. Different types of information have different protection requirements; therefore, organizations must take a holistic approach to safeguarding information:

• Understand where the data exists: Organizations can't protect sensitive data unless they know where it resides and how it's related across the enterprise.
• Safeguard sensitive data, both structured and unstructured: Structured data contained in databases must be protected from unauthorized access. Unstructured data in documents, forms, image files, GPS systems and more requires privacy policies to redact (remove) sensitive information while still allowing needed business data to be shared.
• Protect non-production environments: Data in non-production, development, training and quality assurance environments needs to be protected, yet still usable during the application development, testing and training processes.
• Secure and continuously monitor access to the data: Enterprise databases, data warehouses, file shares and Hadoop-based systems require real-time monitoring to ensure data access is protected and audited. Policy-based controls based on access patterns are required to rapidly detect unauthorized or suspicious activity and alert key personnel. In addition, sensitive data repositories need to be protected against new threats or other malicious activity and continually monitored for weaknesses.
• Demonstrate compliance to pass audits: It's not enough to develop a holistic approach to data security and privacy; organizations must also demonstrate and prove compliance to third-party auditors.

IBM® solutions for data security and privacy are designed to support this holistic approach and incorporate intelligence to proactively address IT threats and enterprise risks. IBM has developed three simple guiding principles (Understand and Define, Secure and Protect, and Monitor and Audit) to help organizations achieve better security and compliance without impacting production systems or straining already-tight budgets.

Making sense of the buzz: Why the growing focus on data protection?
Data security is a moving target; as data grows, more sophisticated threats emerge, the number of regulations increases, and changing economic times make it difficult to secure and protect data. New attack vectors including cyber security threats (worms, trojans, rootkits, rogues, dialers and spyware) and security complexities resulting from changing IT architectures (virtualization, big data, open enterprise initiatives, consumerization and employee mobility) challenge organizations to focus on data protection (see Figure 1).

According to the October 2011 report "Databases are More at Risk Than Ever," which surveyed 355 data security professionals, one-fourth of respondents felt that a data breach in 2012 was likely or inevitable. Only 36 percent of organizations have taken steps to ensure their applications are not subject to SQL injection attacks, and over 70 percent take longer than three months to apply critical patch updates, giving attackers the opportunity they are looking for. Most respondents are unable to tell whether there has been unauthorized access or changes to their databases. In many cases, a breach would go undetected for months or longer, as only 40 percent of organizations audit their databases on a regular basis.

Prevention strategies are almost non-existent at most companies. Only one-fourth of respondents say they are able
to stop abuse of privileges by authorized database users, especially highly privileged users such as database administrators, before it happens. Only 30 percent encrypt sensitive and personally identifiable information in all their databases, despite data privacy regulations worldwide requiring encryption for data at rest. Additionally, most admit to having sensitive data in non-production environments that is accessible to developers, testing and even third parties.

Regulatory compliance mandates
The number and variety of regulatory mandates are too numerous to name here, and they affect organizations around the globe. Some of the most prevalent mandates include the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI-DSS) (enforcement of which has firmly started expanding beyond North America), the Federal Information Security Management Act (FISMA), and the EU Data Privacy Directive. Along with the rising number of regulatory mandates is the increased pressure to show immediate compliance. Enterprises are under tremendous time pressure and need to show immediate progress to the business and shareholders, or face reputation damage and stiff financial penalties.

Smarter, more sophisticated hackers
Many organizations are now struggling with the widening gap between hacker capabilities and security defenses. The changing nature, complexity and larger scale of outside attacks are cause for concern. Previously, the most critical concern was virus outbreaks or short denial-of-service attacks, which would create a temporary pause in business operations. Today, hackers are becoming more savvy and interconnected; they leverage social networks, purchase pre-packaged "hacking" applications and might even be state sponsored. By penetrating the perimeter and infiltrating the network, new advanced persistent threats (APTs) exploit employee knowledge gaps and process weaknesses and technology vulnerabilities in random combinations to steal customer data or corporate data, such as trade secrets, resulting in the potential for billions of dollars of lost business, fines and lawsuits, and irreparable damage to an organization's reputation.

According to the 2012 Verizon Data Breach Investigations Report, the most commonly used venue for breaches was exploiting default or easily guessed passwords (with 29 percent of the cases) followed by backdoor malware (26 percent), use of stolen credentials (24 percent), exploiting backdoor or command and control channels (23 percent), and keyloggers and spyware (18 percent). SQL injection attacks accounted for 13 percent of the breaches. As for the targets, 90 percent of the breaches Verizon investigated went after servers, mainly point-of-sale servers, web and app servers, and database servers.

Changes in IT environments and evolving business initiatives
Security policies and corresponding technologies must evolve as organizations embrace new business initiatives such as outsourcing, virtualization, cloud, mobile, Enterprise 2.0, big data and social business. This evolution means organizations need to think more broadly about where sensitive data resides and how it is accessed. Organizations must also consider a broad array of both structured and unstructured sensitive data, including customer information, trade secrets, intellectual property, development plans, competitive differentiators and more.

Information explosion
The explosion in digital information is mind-boggling. In 2009, the world had about 0.8 zettabytes of data. In 2012, it is estimated to be 1.8 ZBs. This is an amazing number, considering a zettabyte is a trillion gigabytes. The information explosion has made access to public and private information a part of everyday life. The digital explosion also brings an increase in the volume, variety and velocity of data. Organizations need to understand the unique challenges that big data brings, such as large-scale cloud infrastructures, diversity of data sources and formats, the streaming nature of data acquisition, and high-volume data aggregation.

Critical business applications typically collect this information for legitimate purposes; however, given the interconnected nature of the Internet and information systems, as well as enterprise ERP, CRM and custom business applications, sensitive data is easily subject to theft and misuse.
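The paper asks for policy-based controls on access patterns that detect unauthorized or suspicious activity and for a way to catch abuse of privileges by highly privileged database users before it becomes a breach. The script below is an added example written for this page, not code from the paper or from any IBM product: it runs a handful of such policies over constructed database audit records and reports which rule each record tripped. The record format, the table and account names, the bulk-read threshold and the business-hours window are all assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed audit records (not from the paper). One record per line:
#   <ISO timestamp> user=<db account> src=<client host> op=<statement type> table=<name> rows=<count>
# The last line is deliberately malformed to show that it is dropped, not guessed at.
SAMPLE_AUDIT = """\
2012-10-02T09:15:02 user=webapp_svc src=app01 op=SELECT table=customers rows=1
2012-10-02T09:15:09 user=webapp_svc src=app01 op=UPDATE table=orders rows=1
2012-10-02T10:42:17 user=dba_alice src=ops-laptop op=SELECT table=cardholder_data rows=25000
2012-10-02T22:31:40 user=dev_carol src=dev-vm-7 op=SELECT table=customers rows=1
2012-10-02T23:05:11 user=dev_carol src=dev-vm-7 op=GRANT table=customers rows=0
2012-10-03T08:00:00 user=billing_svc src=app02 op=SELECT table=patients rows=3
not an audit record at all
"""

AUDIT_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) op=(?P<op>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)

# Policy inputs (assumed for illustration): the tables that hold sensitive data,
# the application service accounts expected to touch them, and the privileged
# human accounts (DBAs) whose direct reads should be reported rather than trusted.
SENSITIVE_TABLES = {"customers", "cardholder_data", "patients"}
APP_ACCOUNTS = {"webapp_svc", "billing_svc"}
PRIVILEGED_USERS = {"dba_alice", "dba_bob"}
BULK_ROW_THRESHOLD = 1000        # rows returned by a single statement
BUSINESS_HOURS = range(7, 20)    # 07:00 to 19:59, local time of the timestamp


def parse(line):
    """Parse one audit line into a dict, or return None for a malformed line."""
    m = AUDIT_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["rows"] = int(rec["rows"])
    return rec


def evaluate(records):
    """Apply the access-pattern policies; return a list of (rule_name, record) pairs."""
    alerts = []
    for rec in records:
        sensitive = rec["table"] in SENSITIVE_TABLES
        human = rec["user"] not in APP_ACCOUNTS
        privileged = rec["user"] in PRIVILEGED_USERS

        # A DBA reading sensitive rows directly: permitted at the database level,
        # but with no business purpose the policy can see, so it is reported.
        if sensitive and privileged and rec["op"] == "SELECT":
            alerts.append(("privileged_read_of_sensitive_table", rec))

        # A non-application, non-DBA account (e.g. a developer with a SQL client)
        # touching a sensitive table at all.
        if sensitive and human and not privileged:
            alerts.append(("non_application_access", rec))

        # One statement pulling an unusually large number of sensitive rows.
        if sensitive and rec["rows"] >= BULK_ROW_THRESHOLD:
            alerts.append(("bulk_extraction", rec))

        # Any human account reaching sensitive data outside business hours.
        if sensitive and human and rec["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_access", rec))

        # Privilege or schema changes made by anyone who is not a DBA.
        if rec["op"] in {"GRANT", "ALTER", "DROP"} and not privileged:
            alerts.append(("unauthorized_privilege_change", rec))
    return alerts


def run_sample(text=SAMPLE_AUDIT):
    """Parse the sample, drop malformed lines and return the alerts raised."""
    records = [r for r in (parse(l) for l in text.splitlines()) if r is not None]
    return evaluate(records)


if __name__ == "__main__":
    for rule, rec in run_sample():
        print(f"{rec['ts'].isoformat()} {rule:36} user={rec['user']} "
              f"table={rec['table']} rows={rec['rows']}")
```

Run as a script, the sample raises seven alerts: two for the DBA's 25,000-row read of cardholder data, two for the developer's evening read of the customers table, and three for the developer's GRANT. The point of the separate rules is that a record can be legitimate at the authorization level (the DBA does hold SELECT on the table) and still violate the access policy; a real deployment would replace the constant sets with the organization's own classification of tables and accounts and feed the alerts to whoever is on call.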
Insider threats
A high percentage of data breaches actually emanate from internal weaknesses. These breaches range from employees who may misuse payment card numbers and other sensitive information to those who save confidential data on laptops that are subsequently stolen. Furthermore, organizations are also accountable for protecting data no matter where the data resides — be it with business partners, consultants, contractors, vendors or other third parties.

In summary, organizations are focusing more heavily on data security and privacy concerns. They are looking beyond developing point solutions for specific pains and toward building security and privacy policies and procedures into the enterprise. Building security into business and IT policies is especially important as they embrace the new era of computing.

Security versus privacy
Security and privacy are related, but they are distinct concepts. Security is the infrastructure-level lockdown that prevents or grants access to certain areas or data based on authorization. In contrast, privacy restrictions control access for users who are authorized to access a particular set of data. Data privacy ensures those who have a legitimate business purpose to see a subset of that data do not abuse their privileges. That business purpose is usually defined by job function, which is defined in turn by regulatory or management policy, or both.
Some examples of data security solutions include database activity monitoring and database vulnerability assessments. Some examples of data privacy solutions include data redaction and data masking. In a recent case illustrating this distinction, physicians at UCLA Medical Center were caught going through celebrity Britney Spears' medical records. The hospital's security policies were honored since physicians require access to medical records, but privacy concerns exist since the physicians were accessing the file out of curiosity and not for a valid medical purpose.

The stakes are high: Risks associated with insufficient data security and privacy
Corporations and their officers may face fines from USD5,000 to USD1 million per day, and possible jail time if data is misused. According to the Ponemon Institute, "2011: Cost of Data Breach Study" (published March 2012), the average organizational cost of a data breach in 2011 was USD5.5 million. Data breaches in 2011 cost their companies an average of USD194 per compromised record. The number of breached records per incident in 2011 ranged from approximately 4,500 records to more than 98,000 records. In 2011, the average number of breached records was 28,349.

The most expensive breach studied by Ponemon Institute (2010 Annual Study: U.S. Cost of a Data Breach, 2011) took USD35.3 million to resolve, up USD4.8 million (15 percent) from 2009. The least expensive data breach was USD780,000, up USD30,000 (4 percent) from 2009. As in prior years, data breach cost appears to be directly proportional to the number of records compromised.

Hard penalties are only one example of how organizations can be harmed; other negative impacts include erosion in share price caused by investor concern and negative publicity resulting from a data breach. Irreparable brand damage identifies a company as one that cannot be trusted.

Five common sources of risk include:

• Excessive privileges and privileged user abuse. When users (or applications) are granted database privileges that exceed the requirements of their job function, these privileges may be used to gain access to confidential information.
• Unauthorized privilege elevation. Attackers may take advantage of vulnerabilities in database management software to convert low-level access privileges to high-level access privileges.
• SQL injection. SQL injection attacks involve a user who takes advantage of vulnerabilities in front-end web applications and stored procedures to send unauthorized database queries, often with elevated privileges. Using SQL injection, attackers could even gain unrestricted access to an entire database.
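The SQL injection risk just listed and the security-versus-privacy distinction drawn above (infrastructure-level lockdown on one side, need-to-know redaction for already authorized users on the other) can both be shown against one small table. The script below is an added example written for this page, not code from the paper or from any product it describes. The first pair of functions contrasts a lookup that concatenates caller input into the SQL text with the parameterized form; the second part returns a patient record reduced to what a job role may see, with the national identification number masked on the fly, in the spirit of the physician and billing clerk examples the paper uses. The table, the roles and the column sets each role is allowed are assumptions for illustration.

```python
import re
import sqlite3

# Constructed patient records (not from the paper); the schema is an assumption.
SAMPLE_PATIENTS = [
    (1, "A. Example", "123-45-6789", "INS-0001", "1 Main St", "hypertension"),
    (2, "B. Example", "987-65-4321", "INS-0002", "2 Oak Ave", "asthma"),
]


def build_db():
    """Create an in-memory SQLite database holding the sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, national_id TEXT, "
        "insurance_no TEXT, billing_address TEXT, diagnosis TEXT)"
    )
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_PATIENTS)
    return conn


# --- Security: the query boundary -------------------------------------------

def lookup_vulnerable(conn, patient_name):
    """The 'before' form: the caller's text becomes part of the statement, so a
    value such as  x' OR '1'='1  turns a one-row lookup into a dump of the table."""
    sql = "SELECT id, name, diagnosis FROM patients WHERE name = '" + patient_name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, patient_name):
    """The hardened form: the value is bound by the driver and is never parsed as SQL."""
    sql = "SELECT id, name, diagnosis FROM patients WHERE name = ?"
    return conn.execute(sql, (patient_name,)).fetchall()


# --- Privacy: need-to-know for authorized users -----------------------------

# Which columns each job function may see (assumed policy). Anything not listed
# is redacted before the record leaves the data access layer.
ROLE_VIEW = {
    "physician": {"id", "name", "diagnosis"},
    "billing_clerk": {"id", "name", "insurance_no", "billing_address"},
    "call_center": {"id", "name", "national_id"},
}
# Columns shown only in masked form, even to roles that are allowed to see them.
MASKED_COLUMNS = {"national_id"}


def mask_national_id(value):
    """Replace every digit except the last four with X (on-screen masking)."""
    head, tail = value[:-4], value[-4:]
    return re.sub(r"\d", "X", head) + tail


def fetch_for_role(conn, role, patient_id):
    """Return the patient record reduced to the role's column set, or None if absent.
    An unknown role gets an empty view: deny by default."""
    allowed = ROLE_VIEW.get(role, set())
    cur = conn.execute("SELECT * FROM patients WHERE id = ?", (patient_id,))
    row = cur.fetchone()
    if row is None:
        return None
    columns = [d[0] for d in cur.description]
    view = {}
    for col, val in zip(columns, row):
        if col in allowed:
            view[col] = mask_national_id(val) if col in MASKED_COLUMNS else val
    return view


if __name__ == "__main__":
    db = build_db()
    payload = "x' OR '1'='1"
    print("vulnerable:   ", lookup_vulnerable(db, payload))
    print("parameterized:", lookup_parameterized(db, payload))
    for role in ("physician", "billing_clerk", "call_center", "intern"):
        print(f"{role:14}", fetch_for_role(db, role, 1))
```

With the payload above, the vulnerable lookup returns both patients and the parameterized one returns nothing, because the bound value is compared literally. Two caveats a practitioner would add: binding only protects values, so table or column names that come from the caller still need an allow-list, and the same rule applies inside stored procedures that build dynamic SQL. On the privacy side, note that the physician never receives the billing columns and the billing clerk never receives the diagnosis; the redaction happens in the data layer, so a curious but authorized user, as in the hospital case the paper cites, cannot simply query around it.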
• Denial of service. Denial of service (DoS) may be invoked through many techniques. Common DoS techniques include buffer overflows, data corruption, network flooding and resource consumption. The latter is unique to the database environment and frequently overlooked.
• Exposure of backup data. Some recent high-profile attacks have involved theft of database backup tapes and hard disks which were not encrypted.

Numerous driving factors combined with high stakes make figuring out how to approach data security and privacy an important priority.

Figure 1: Analysis of malicious or criminal attacks experienced according to the 2011 Cost of Data Breach Study conducted by the Ponemon Institute (published March 2012)

Barriers to implementation: Challenges associated with protecting data
So with the market focused on security and the risks clearly documented, why haven't organizations adopted a holistic approach to data protection? Why are organizations overwhelmed by new threats?

The reality is that significant challenges and complexities exist. For one, there are numerous vendor solutions available that are focused on one approach or one aspect of data protection. Few look across the range of threats and data types and sources to deliver a holistic strategy which can be flexible as new threats arise and new computing models are embraced. Next, few organizations have the funding or resources to implement another process-heavy initiative. Organizations need to build security and privacy policies into their daily operations and gather support for these policies across the enterprise including IT staff, business leaders, operations, and legal departments. Privacy requirements do vary by role, and understanding who needs access to what data is not a trivial task. Third, the manual or homegrown data protection approaches many organizations use today lead to higher risk and inefficiency. Manual approaches typically don't protect a diverse set of data types in both structured and unstructured settings, and do not scale as organizations grow. Finally, the rising number of compliance regulations with time-sensitive components adds more operational stress, rather than clarifying priorities. Organizations require a fresh approach to data protection — one which ensures that they build security and privacy rules into their best practices, and helps, rather than hinders, their bottom line.

Leveraging a holistic data security and privacy approach
Organizations need a holistic approach to data protection. This approach should protect diverse data types across physical, cloud and big data environments, and include the protection of structured and unstructured data in both production and non-production (development, test and training) environments. Such an approach can help focus limited resources without added processes or increased complexity. A holistic approach also helps organizations to demonstrate compliance without interrupting critical business processes or daily operations.

To get started, organizations should consider six key questions. These questions are designed to help focus attention on the most critical data vulnerabilities:

1. Where does sensitive data reside across the enterprise?
2. How can access to your enterprise databases be protected, monitored and audited?
3. How can data be protected from both authorized and unauthorized access?
4. Can confidential data in documents be safeguarded while still enabling the necessary business data to be shared?
5. Can data in non-production environments be protected, yet still be usable for training, application development and testing?
6. What types of data encryption are appropriate?

The answers to these questions provide the foundation for a holistic approach to data protection and scale as organizations embrace the new era of computing. The answers also help organizations focus in on key areas they may be neglecting with current approaches.

1. Organizations can’t protect data if they don’t know it exists. Sensitive data resides in structured and unstructured formats in production environments and non-production environments. Organizations need to document and define all data assets and relationships, no matter what the source. It is important to classify enterprise data, understand data relationships and define service levels. The data discovery process analyzes data values and data patterns to identify the relationships that link disparate data elements into logical units of information, or “business objects” (such as customer, patient or invoice).

2. Activity monitoring provides privileged and non-privileged user and application access monitoring that is independent of native database logging and audit functions. It can function as a compensating control for privileged user separation-of-duties issues by monitoring all administrator activity. Activity monitoring also improves security by detecting unusual database, data warehouse, file share or Hadoop systems read and update activities from the application layer. Event aggregation, correlation and reporting provide an audit capability without the need to enable native audit functions. Activity monitoring solutions should be able to detect malicious activity or inappropriate or unapproved privileged user access.

3. Data should be protected through a variety of data transformation techniques including encryption, masking and redaction. Defining the appropriate business use for enterprise data will dictate the appropriate data transformation policy. For example, a policy could be established to mask data on screen or on the fly to prevent call center employees from viewing national identification numbers. Another example could be masking revenue numbers in reports shared with business partners or third-party vendors.

4. Data redaction can remove sensitive data from forms and documents based on job role or business purpose. For example, physicians need to see sensitive information such as symptoms and prognosis data, whereas a billing clerk needs the patient’s insurance number and billing address. The challenge is to provide the appropriate protection, while meeting business needs and ensuring that data is managed on a “need-to-know” basis. Data redaction solutions should protect sensitive information in unstructured documents, forms and graphics.

5. De-identifying data in non-production environments is simply the process of systematically removing, masking or transforming data elements that could be used to identify an individual. Data de-identification enables developers, testers and trainers to use realistic data and produce valid results, while still complying with privacy protection rules. Data that has been scrubbed or cleansed in such a manner is generally considered acceptable to use in non-production environments and ensures that even if the data is stolen, exposed or lost, it will be of no use to anyone.

6. Data encryption is not a new technology, and many different approaches exist. Encryption is explicitly required by many regulations including PCI DSS, and also enables safe harbor provisions in many regulatory mandates. This means organizations are exempt from disclosing data breaches if the data is encrypted. It is challenging for an organization to identify the best encryption approach due to prolific offerings from various vendors. For encrypting structured data, consider a file-level approach. This will protect both structured data in the database management system (DBMS) and also unstructured files such as DBMS log or configuration files, and is transparent to the network, storage and applications. Look for encryption offerings which provide a strong separation of duties and a unified policy and key management system to centralize and simplify data security management.
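As an added example, not taken from the IBM paper, of the SQL injection threat listed earlier among the database threats: the same lookup written the way the paper warns about (user input spliced into the SQL text) and in its parameterized form, run against a constructed in-memory SQLite patient table. The table, rows and the tautology test input are all constructed for this example.

```python
import sqlite3

# Constructed sample rows for an in-memory patient table (example data only).
SAMPLE_ROWS = [
    (1, "alice", "A. Example", "MRN-0001"),
    (2, "bob", "B. Example", "MRN-0002"),
    (3, "carol", "C. Example", "MRN-0003"),
]

def make_db() -> sqlite3.Connection:
    """Build the in-memory SQLite database the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patients (id INTEGER PRIMARY KEY, username TEXT, "
                 "full_name TEXT, mrn TEXT)")
    conn.executemany("INSERT INTO patients VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The pattern the paper warns about: the user-controlled value is spliced
    into the SQL text, so the value can change the structure of the query."""
    sql = "SELECT id, full_name, mrn FROM patients WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the SQL text is fixed and the value travels as a bound
    parameter, so it is only ever compared, never parsed as SQL."""
    sql = "SELECT id, full_name, mrn FROM patients WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo() -> dict:
    """Run both lookups with an honest value and with a constructed tautology
    input; return the row counts so the difference is visible."""
    conn = make_db()
    honest = "alice"
    tautology = "x' OR '1'='1"  # constructed test input, not a real request
    return {
        "vulnerable_honest": len(lookup_vulnerable(conn, honest)),
        "vulnerable_tautology": len(lookup_vulnerable(conn, tautology)),
        "parameterized_honest": len(lookup_parameterized(conn, honest)),
        "parameterized_tautology": len(lookup_parameterized(conn, tautology)),
    }

if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

Binding the value fixes the query structure but does not shrink what the database account may do, so the paper's point about elevated privileges still calls for running the application under a least-privilege database account.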
Meeting data security and compliance challenges

What makes IBM’s approach to data protection unique? Expertise. The alignment of people, process, technology and information separates the IBM data security and privacy solutions from the competition. The goal of the IBM portfolio is to help organizations meet legal, regulatory and business obligations without adding additional overhead. This helps organizations support compliance initiatives, reduce costs, minimize risk and sustain profitable growth. In addition, IBM has integrated data security into a broader security framework. The IBM Security Framework (see Figure 2) and associated best practices provide the expertise, data analysis, and maturity models to give IBM’s clients the opportunity to embrace innovation with confidence.

To address data security and compliance, IBM has defined three guiding principles to ensure a holistic data protection approach: Understand and Define, Secure and Protect, and Monitor and Audit. By following these three principles, organizations can improve their overall security posture and help meet compliance mandates with confidence.

Understand and define

Organizations must discover where sensitive data resides, classify and define data types, and determine metrics and policies to ensure protection over time. Data can be distributed over multiple applications, databases and platforms with little documentation. Many organizations rely too heavily on system and application experts for this information. Sometimes, this information is built into application logic, and hidden relationships might be enforced behind the scenes. Finding sensitive data and discovering data relationships requires careful analysis. Data sources and relationships should be clearly understood and documented so no sensitive data is left vulnerable. Only after understanding the complete landscape can organizations define proper enterprise data security and privacy policies.

IBM InfoSphere® Discovery is designed to identify and document what data you have, where it is located and how it’s linked across systems by intelligently capturing relationships and determining applied transformations and business rules. It helps automate the identification and definition of data relationships across complex, heterogeneous environments. Without an automated process to identify data relationships and define business objects, organizations can spend months performing manual analysis — with no assurance of completeness or accuracy. IBM InfoSphere Discovery, on the other hand, can help automatically and accurately identify relationships and define business objects in a fraction of the time required using manual or profiling approaches. It accommodates a wide range of enterprise data sources, including relational databases, hierarchical databases and any structured data source represented in text file format.

Figure 2: IBM is the only vendor providing a sophisticated security framework with security intelligence across people, data, applications and infrastructure. (Diagram layers shown: Security Intelligence, Analytics and GRC; Professional Services; Cloud and Managed Services; Software and Appliances.)
In summary, IBM InfoSphere Discovery helps organizations:

• Locate and inventory the data sources across the enterprise
• Identify and classify sensitive data
• Understand data relationships
• Define and document privacy rules
• Document and manage ongoing requirements and threats

Secure and protect

Data security and privacy solutions should span a heterogeneous enterprise, and protect both structured and unstructured data across production and non-production environments (see Figure 3). IBM InfoSphere solutions help protect sensitive data in ERP/CRM applications, databases, warehouses, file shares and Hadoop-based systems, and also in unstructured formats such as forms and documents. Key technologies include activity monitoring, data masking, data redaction and data encryption. InfoSphere Guardium provides enterprise-wide controls and capabilities across many platforms and data sources, enhancing the investments made in platforms, such as RACF on System z, that provide built-in security models that leverage data sources such as DB2 for z/OS, IMS, and VSAM. A holistic data protection approach ensures a 360-degree lockdown of all organizational data.

For each type of data (structured, unstructured, offline and online), we recommend different technologies to keep it safe. Keep in mind that the various data types exist in both production and non-production environments.

Structured data: This data is based on a data model, and is available in structured formats like databases or XML.

Unstructured data: This data is in forms or documents which may be handwritten, typed or in file repositories, such as word processing documents, email messages, pictures, digital audio, video, GPS data and more.

Online data: This is data used daily to support the business, including metadata, configuration data or log files.

Offline data: This is data in backup tapes or on storage devices.

Figure 3: When developing a data security and privacy strategy, it is important to consider all data types across production and non-production environments. (Diagram panels shown: structured data in heterogeneous databases (Oracle, DB2, Netezza, Informix, Sybase, Sun MySQL, Teradata); unstructured data not in databases (Hadoop, file shares such as SharePoint, .TIF, .PDF, .doc, scanned documents); offline data extracted from databases; online data in daily use; each across production and non-production systems, with the applicable controls drawn from data redaction, activity monitoring, vulnerability assessment, data masking and data encryption.)
Keep in mind these four basic data types are exploding in terms of volume, variety and velocity. Many organizations are looking to include these data types in big data systems such as Netezza or Hadoop for deeper analysis.

IBM InfoSphere Guardium® Activity Monitor and Vulnerability Assessment provide a security solution which addresses the entire database security and compliance life cycle with a unified web console, back-end data store and workflow automation system, enabling you to:

• Assess database and data repository vulnerabilities and configuration flaws
• Ensure configurations are locked down after recommended changes are implemented
• Provide 100-percent visibility and granularity into all data source transactions — across all platforms and protocols — with a secure, tamper-proof audit trail that supports separation of duties
• Monitor and enforce policies for sensitive data access, privileged user actions, change control, application user activities and security exceptions such as failed logins
• Automate the entire compliance auditing process — including report distribution to oversight teams, sign-offs and escalations — with preconfigured reports for SOX, PCI DSS and data privacy
• Create a single, centralized audit repository for enterprise-wide compliance reporting, performance optimization, investigations and forensics
• Easily scale from safeguarding a single database to protecting thousands of databases, data warehouses, file shares or Hadoop-based systems in distributed data centers around the world

Traditionally, protecting unstructured information in forms, documents and graphics has been performed manually by deleting electronic content and using a black marking pen on paper to delete or hide sensitive information. But this manual process can introduce errors, inadvertently omit information and leave behind hidden information within files that exposes sensitive data. Today’s high volumes of electronic forms and documents make this manual process too burdensome for practical purposes, and increase an organization’s risk of exposure.

IBM InfoSphere Guardium Data Redaction protects sensitive information buried in unstructured documents and forms from unintentional disclosure. The automated solution lends efficiency to the redaction process by detecting sensitive information and automatically removing it from the version of the documents made available to unprivileged readers. Based on industry-leading software redaction techniques, InfoSphere Guardium Data Redaction also offers the flexibility of human review and oversight if required.

IBM InfoSphere Optim™ Data Masking Solution provides a comprehensive set of data masking techniques that can support your data privacy compliance requirements on demand, including:

• Application-aware masking capabilities help ensure that masked data, like names and street addresses, resembles the look and feel of the original information (see Figure 4).
• Context-aware, prepackaged data masking routines make it easy to de-identify elements such as payment card numbers, Social Security numbers, street addresses and email addresses.
• Persistent masking capabilities propagate masked replacement values consistently across applications, databases, operating systems and hardware platforms.
• Static or dynamic data masking supports both production and non-production environments.

With InfoSphere Optim, organizations can de-identify data in a way that is valid for use in development, testing and training environments, while protecting data privacy.

Figure 4: Personally identifiable information is masked with realistic but fictional data. (Screenshot not reproduced.)
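An added example, not from the paper and not Optim code, of the masking properties described in points 3 and 5 of the six-question discussion and in the InfoSphere Optim bullets above: context-aware routines for payment card numbers, Social Security numbers and email addresses, realistic-looking names, and persistence, obtained here by deriving every replacement from a keyed HMAC so the same original maps to the same replacement in every table. The masking key, name lists and sample rows are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed masking key: in a real deployment it lives in a key manager, never
# beside the data it protects. The name lists and sample rows are constructed too.
MASKING_KEY = b"example-masking-key-not-for-production"
FIRST_NAMES = ["Avery", "Blake", "Casey", "Devon", "Emery", "Finley", "Harper", "Jordan"]
LAST_NAMES = ["Adler", "Brooks", "Carver", "Dunn", "Ellis", "Fischer", "Grant", "Hale"]

def _digest(field: str, value: str) -> bytes:
    # Keyed, deterministic digest: the same (field, value) always yields the same
    # bytes, which makes the masking persistent across tables, databases and runs
    # without keeping a lookup table of the original values.
    return hmac.new(MASKING_KEY, f"{field}:{value}".encode(), hashlib.sha256).digest()

def _digit_stream(field: str, value: str):
    # Pseudo-random decimal digits derived from one value (64 of them is plenty).
    return iter(str(int(c, 16) % 10) for c in _digest(field, value).hex())

def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    digits = re.sub(r"\D", "", number)
    return len(digits) > 1 and luhn_check_digit(digits[:-1]) == digits[-1]

def _refill_digits(value: str, digits) -> str:
    # Keep the original separators (spaces, dashes); swap only the digits.
    return "".join(next(digits) if ch.isdigit() else ch for ch in value)

def mask_card(value: str) -> str:
    """Context-aware card masking: same length and layout, fresh digits, and a
    valid Luhn check digit so validation in test systems still passes."""
    n = len(re.sub(r"\D", "", value))
    stream = _digit_stream("card", value)
    body = "".join(next(stream) for _ in range(n - 1))
    return _refill_digits(value, iter(body + luhn_check_digit(body)))

def mask_ssn(value: str) -> str:
    """Keep the ###-##-#### layout and replace every digit."""
    return _refill_digits(value, _digit_stream("ssn", value))

def mask_email(value: str) -> str:
    """Deterministic local part on a reserved example domain."""
    return f"user{_digest('email', value.lower()).hex()[:8]}@example.com"

def mask_name(value: str) -> str:
    """Application-aware: a realistic-looking name, chosen deterministically."""
    d = _digest("name", value)
    return f"{FIRST_NAMES[d[0] % len(FIRST_NAMES)]} {LAST_NAMES[d[1] % len(LAST_NAMES)]}"

MASKERS = {"name": mask_name, "email": mask_email, "ssn": mask_ssn, "card": mask_card}

def mask_rows(rows: list, column_types: dict) -> list:
    """Mask the listed columns of every row; all other columns pass through."""
    return [{k: MASKERS[column_types[k]](v) if k in column_types else v
             for k, v in row.items()} for row in rows]

# Constructed sample tables; ORDERS repeats the customer's email as a cross-table key.
CUSTOMERS = [
    {"id": 1, "name": "Jane Q. Public", "email": "jane@example.org",
     "ssn": "123-45-6789", "card": "4111 1111 1111 1111"},
    {"id": 2, "name": "John Doe", "email": "john@example.org",
     "ssn": "987-65-4321", "card": "5500-0000-0000-0004"},
]
ORDERS = [
    {"order": 100, "email": "jane@example.org", "total": 42.0},
    {"order": 101, "email": "jane@example.org", "total": 17.5},
]

def demo() -> tuple:
    """Mask both tables; the masked email is the same wherever the original appeared."""
    customers = mask_rows(CUSTOMERS, {"name": "name", "email": "email", "ssn": "ssn", "card": "card"})
    orders = mask_rows(ORDERS, {"email": "email"})
    return customers, orders
```

The keyed digest is what distinguishes persistent masking from simple randomization: a join between the masked customer and order tables still works, while nobody holding only the masked copy can recover the originals without the key.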
IBM InfoSphere Guardium Data Encryption provides a single, manageable and scalable solution to encrypt enterprise data without sacrificing application performance or creating key management complexity. InfoSphere Guardium Data Encryption helps solve the challenges of invasive and point approaches through a consistent and transparent approach to encrypting and managing enterprise data security. Unlike invasive approaches such as column-level database encryption, PKI-based file encryption or native point encryption, IBM InfoSphere Guardium Data Encryption offers a single, transparent solution that is also easy to manage. This unique approach to encryption provides the best of both worlds: seamless support for information management needs combined with strong, policy-based data security. Agents provide a transparent shield that evaluates all information requests against easily customizable policies and provides intelligent decryption-based control over reads, writes, and access to encrypted contents. This high-performance solution is ideal for distributed environments, and agents deliver consistent, auditable and non-invasive data-centric security for virtually any file, database or application — anywhere it resides.

In summary, InfoSphere Guardium Data Encryption provides:

• A single, consistent, transparent encryption method across complex enterprises
• An auditable, enterprise-executable, policy-based approach
• Among the fastest implementation processes achievable, requiring no application, database or system changes
• Simplified, secure and centralized key management across distributed environments
• Intelligent, easy-to-customize data security policies for strong, persistent data security
• Strong separation of duties
• Top-notch performance with proven ability to meet SLAs for mission-critical systems

IBM Tivoli® Key Lifecycle Manager helps IT organizations better manage the encryption key life cycle by enabling them to centralize and strengthen key management processes. It can manage encryption keys for IBM self-encrypting storage devices as well as non-IBM encryption solutions that use the Key Management Interoperability Protocol (KMIP). IBM Tivoli Key Lifecycle Manager provides the following data security benefits:

• Centralize and automate the encryption key management process
• Enhance data security while dramatically reducing the number of encryption keys to be managed
• Simplify encryption key management with an intuitive user interface for configuration and management
• Minimize the risk of loss or breach of sensitive information
• Facilitate compliance management of regulatory standards such as SOX and HIPAA
• Extend key management capabilities to both IBM and non-IBM products
• Leverage open standards to help enable flexibility and facilitate vendor interoperability

Monitor and audit

After data has been located and locked down, organizations must prove compliance, be prepared to respond to new internal and external risks, and monitor systems on an ongoing basis. Monitoring of user activity, object creation, data repository configurations and entitlements helps IT professionals and auditors trace users between applications and databases. These teams can set fine-grained policies for appropriate behavior and receive alerts if these policies are violated. Organizations need to quickly show compliance and empower auditors to verify compliance status. Audit reporting and sign-offs help facilitate the compliance process while keeping costs low and minimizing technical and business disruptions. In summary, organizations should create continuous, fine-grained audit trails of all database activities, including the “who, what, when, where and how” of each transaction.

IBM InfoSphere Guardium Activity Monitor provides granular, database management system (DBMS)-independent auditing with minimal impact on performance. InfoSphere Guardium is also designed to help organizations reduce operational costs via automation, centralized cross-DBMS policies and audit repositories, and filtering and compression.
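An added example, not from the paper and not Guardium code, of the “who, what, when, where and how” audit trail and the fine-grained policies with alerts described in this section, and of the application-layer monitoring in point 2 of the six-question discussion: a small policy evaluator run over constructed audit records. The line layout, policy values, thresholds and sample records are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed audit records, one per line, in an assumed "when|who|role|what|object|where|how"
# layout (a format invented for this example, not a Guardium export format).
SAMPLE_AUDIT_LINES = """\
2012-10-03T09:02:11|app_svc|application|SELECT|orders|10.1.2.20|BillingApp
2012-10-03T09:05:40|app_svc|application|SELECT|patients|10.1.2.20|BillingApp
2012-10-03T11:14:02|dba_joe|privileged|SELECT|patients|10.1.9.7|sqlplus
2012-10-03T11:20:15|dba_joe|privileged|CREATE TABLE|patients_copy|10.1.9.7|sqlplus
2012-10-03T12:00:01|unknown|-|LOGIN_FAILED|-|203.0.113.5|jdbc
2012-10-03T12:00:03|unknown|-|LOGIN_FAILED|-|203.0.113.5|jdbc
2012-10-03T12:00:04|unknown|-|LOGIN_FAILED|-|203.0.113.5|jdbc
2012-10-03T12:00:06|unknown|-|LOGIN_FAILED|-|203.0.113.5|jdbc
2012-10-03T14:30:00|analyst1|application|SELECT|patients|10.1.5.5|Excel
"""

# Policy configuration (assumed values for the example).
SENSITIVE_OBJECTS = {"patients"}
APPROVED_APPS = {"patients": {"BillingApp", "ClinicalApp"}}  # allowed "how" per object
CHANGE_WINDOW = (22, 6)           # schema changes allowed only from 22:00 to 06:00
FAILED_LOGIN_THRESHOLD = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=1)
DDL_PREFIXES = ("CREATE", "ALTER", "DROP")

@dataclass
class AuditEvent:
    when: datetime   # when
    who: str         # who
    role: str        # "application" or "privileged"
    action: str      # what was done
    obj: str         # what it was done to
    where: str       # client address
    how: str         # application or tool used

def parse_line(line: str) -> AuditEvent:
    when, who, role, action, obj, where, how = line.strip().split("|")
    return AuditEvent(datetime.fromisoformat(when), who, role, action, obj, where, how)

def in_change_window(ts: datetime) -> bool:
    start, end = CHANGE_WINDOW
    return ts.hour >= start or ts.hour < end  # the window wraps past midnight

def evaluate(events: list) -> list:
    """Return (rule, subject, when) alerts for every policy violation found."""
    alerts = []
    failures = defaultdict(list)  # source address -> recent failed-login times
    for ev in events:
        if ev.action == "LOGIN_FAILED":
            recent = [t for t in failures[ev.where] if ev.when - t <= FAILED_LOGIN_WINDOW]
            recent.append(ev.when)
            failures[ev.where] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:  # alert once, when the threshold is hit
                alerts.append(("failed_logins", ev.where, ev.when))
            continue
        if ev.obj in SENSITIVE_OBJECTS:
            if ev.role == "privileged":
                # separation of duties: administrators should not read business data
                alerts.append(("privileged_sensitive_read", ev.who, ev.when))
            elif ev.how not in APPROVED_APPS.get(ev.obj, set()):
                alerts.append(("unapproved_application", ev.who, ev.when))
        if ev.action.startswith(DDL_PREFIXES) and not in_change_window(ev.when):
            alerts.append(("ddl_outside_window", ev.who, ev.when))
    return alerts

def run_sample() -> list:
    """Parse the constructed records and evaluate the policies over them."""
    events = [parse_line(line) for line in SAMPLE_AUDIT_LINES.splitlines() if line.strip()]
    return evaluate(events)

if __name__ == "__main__":
    for rule, subject, when in run_sample():
        print(f"{when.isoformat()} {rule}: {subject}")
```

The approved application read of the patients table raises nothing; the administrator's read, the daytime schema change, the burst of failed logins and the spreadsheet access each produce one alert.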
Conclusion: Better Data Security and Compliance

Protecting data security and privacy is a detailed, continuous responsibility which should be part of every best practice. IBM provides an integrated data security and privacy approach delivered through these three guiding principles.

1. Understand and Define
2. Secure and Protect
3. Monitor and Audit

Protecting data requires a 360-degree, holistic approach. With deep, broad expertise in the security and privacy space, IBM can help your organization define and implement such an approach.

IBM solutions are open, modular and support all aspects of data security and privacy, including structured, semi-structured and unstructured data, no matter where it resides. IBM solutions support virtually all leading enterprise databases and operating systems, including IBM DB2®, Oracle, Teradata, Netezza®, Sybase, Microsoft SQL Server, IBM Informix®, IBM IMS™, IBM DB2 for z/OS, IBM Virtual Storage Access Method (VSAM), Microsoft Windows, UNIX, Linux and IBM z/OS®. InfoSphere also supports key ERP and CRM applications — Oracle E-Business Suite, PeopleSoft Enterprise, JD Edwards EnterpriseOne, Siebel and Amdocs CRM — as well as most custom and packaged applications. IBM supports access monitoring for file sharing software such as Microsoft SharePoint and IBM FileNet. IBM also supports Hadoop-based systems such as Cloudera and InfoSphere BigInsights.

About IBM InfoSphere

IBM InfoSphere software is an integrated platform for defining, integrating, protecting and managing trusted information across your systems. The IBM InfoSphere platform provides the foundational building blocks of trusted information, including data integration, data warehousing, master data management and information governance, all integrated around a core of shared metadata and models. The portfolio is modular, allowing you to start anywhere, and mix and match IBM InfoSphere software building blocks with components from other vendors, or choose to deploy multiple building blocks together for increased acceleration and value. The IBM InfoSphere platform provides an enterprise-class foundation for information-intensive projects, providing the performance, scalability, reliability and acceleration needed to simplify difficult challenges and deliver trusted information to your business faster.

About IBM Security

IBM’s security portfolio provides the security intelligence to help organizations holistically protect their people, infrastructure, data and applications. IBM offers solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. IBM operates the world’s broadest security research and development and delivery organization. This consists of nine security operations centers, nine IBM Research centers, 11 software security development labs and an IBM Institute for Advanced Security with chapters in the United States, Europe and Asia Pacific. IBM monitors 13 billion security events per day in more than 130 countries and holds more than 3,000 security patents.

For more information

For more information on IBM security, please visit:

To learn more about IBM InfoSphere solutions for protecting data security and privacy, please contact your IBM sales representative or visit:

To learn more about the new IBM DB2 for z/OS security features, download the Redbook at Redbooks.nsf/RedbookAbstracts/sg247959.html

Additionally, financing solutions from IBM Global Financing can enable effective cash management, protection from technology obsolescence, improved total cost of ownership and return on investment. Also, our Global Asset Recovery Services help address environmental concerns with new, more energy-efficient solutions. For more information on IBM Global Financing, visit:
© Copyright IBM Corporation 2012

IBM Corporation
Software Group
Route 100
Somers, NY 10589

Produced in the United States of America
October 2012

IBM, the IBM logo, DB2, Guardium, IMS, Informix, InfoSphere, Optim, Tivoli, and z/OS are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at

Linux is a registered trademark of Linus Torvalds in the United States, other countries or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries or both. Netezza is a trademark or registered trademark of Netezza Corporation, an IBM Company. UNIX is a registered trademark of The Open Group in the United States and other countries.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

IMW14568-USEN-05