
IBM Software

Bridging the data security gap

Unified data protection for four key data environments

1. Introduction

2. Diversity of data: Understand where sensitive and business-critical data resides

3. Big data security: Turn big data environments into secure platforms for growth

4. Cloud and virtual environment data security: Prevent data leakage from private and cloud infrastructures

5. Enterprise data security: Protect heterogeneous data sources

6. Enterprise application security: Secure multitier enterprise applications

7. Why IBM InfoSphere Guardium: Deploy next-generation activity monitoring and audit protection solutions

Comprehensive data protection for physical, virtual and cloud infrastructures


Introduction

Data security presents a multidimensional challenge in today’s complex IT environment. Multiple access paths and permission levels have resulted in a broad array of security threats and vulnerabilities. Traditional “fortress approaches” such as firewalls and IDS/IPS systems are no longer sufficient to defend against attackers who can easily bypass perimeter defenses. These security measures can’t differentiate or prevent unauthorized traffic that appears to be legitimate.

Organizations need to adopt a more proactive and systematic approach to securing sensitive data and addressing compliance requirements amid the digital information explosion. This approach must span complex, geographically dispersed systems.

Sensitive data is found in commercial databases, such as Oracle, Microsoft SQL Server, IBM DB2® and Sybase, in warehouses like Teradata and IBM PureData™/Netezza, and also in big data environments including Hadoop, IBM BigInsights™ and Cloudera platforms.

Senior-level IT executives, corporate governance officers and business leaders are all focused on establishing a data security strategy with the appropriate policies and controls to diligently safeguard enterprise data, meet compliance requirements and support a sustainable governance program.

Compliance starts with having the information that auditors require at your fingertips and ensuring the process is in place to make it repeatable. Many privacy regulations, including HIPAA, PCI-DSS, Sarbanes-Oxley (SOX) and the EU Data Protection Directive, require organizations to demonstrate data security and privacy protection with standardized processes, automated controls and regular reports.

Most organizations currently employ some form of manual data security such as turning on native logging, writing custom scripts to extract and transform data, implementing policies on physical devices, or ignoring security concerns altogether. These traditional methods are considered to be labor intensive, error prone, risky and costly. Other disadvantages include high performance overhead, as well as insufficient separation of duties (DBAs can easily tamper with the contents of database logs, thereby affecting non-repudiation).


Siloed implementations by data source are also extremely risky. Organizations that lack the proper security controls for their data infrastructures or analytics platforms increase their risk of a negative event, and could potentially suffer devastating effects such as losing customers, market share, brand equity or revenue.

According to the IBM X-Force 2012 Mid Year Trend and Risk Report, “a more holistic approach to the entire ecosystem is required. Users should become more aware of how visible their personal data is online, more aware of who has access to it, and more aware of how it can be used against them. This affects not only their social networking, but also their choices of mobile application selection and usage. As an increasing trend, mobile applications are requiring a significant amount of permissions that dilute the ability of users to discern potentially malicious intent.”

Fortunately, next-generation data activity monitoring and audit protection solutions are available today to provide granular, DBMS-independent auditing with minimal impact on performance, while reducing operational costs.

Security breaches, compliance issues, and security threats can occur in all environments. Poorly controlled and monitored user access privileges, coupled with a lack of visibility into the misuse or abuse of user privileges and a lack of data security controls will cause an organization to quickly find itself faced with increased security risks, whether the environment is big data, enterprise, virtual or cloud. The key to protecting data is to understand and implement an effective data security and privacy solution for all environments.


Diversity of data

Since data is a critical component of daily business operations, it is essential to ensure privacy and protect data no matter where it resides. Different types of information have different protection and privacy requirements. When developing a data security and privacy strategy, it is important to consider all data types across the enterprise.

Structured data: This data is based on a data model and is available in structured formats like databases or XML.

Unstructured data: This data is in forms or documents which may be handwritten or typed, such as word processing documents, email messages, pictures, digital audio and video.

Online data: This is data used daily to support the business, including metadata, configuration data or log files.

Offline data: This is data in backup tapes or on storage devices.

Not all data has to be protected in the same manner; some may be considered low risk and not worth the time and effort required to secure it. Also, high-value data such as design specifications or intellectual property may not require protection under legal mandates, but organizations will most certainly want to protect it with stringent security controls.

Organizations should consider an automated process to ensure data integrity by identifying data relationships and defining business objects, since this can take months of manual analysis—with no assurance of completeness or accuracy.


Data security and compliance requirements across the entire enterprise

Sensitive data discovery and classification: Discover and understand sensitive data and relationships before the data is moved, so that the right policies can be established downstream.

Data access and change controls: Establish policies regarding which users and applications can access or change data.

Real-time data activity monitoring and auditing: Understand the who, what, when, how and where of data access, and report on it for compliance purposes.

Data protection: Transform data through masking or encryption.

Data loss prevention: Establish an audit trail for data access and usage to ensure data is not lost.

Vulnerability management: Understand weaknesses and put policies in place to remediate them.

Compliance management: Build a compliance reporting framework to manage report generation, distribution and signoff.


Given the certainty that data will continue to grow and the data structures become more complex, a unified and integrated approach will minimize risks, vulnerabilities and exposures.


Big data security

As big data environments ingest more data, organizations will face significant risks and threats to the repositories containing this data. Failure to balance data security and quality reduces confidence in decision making. In fact, research shows that business leaders who feel uncertain about analytical outputs will find reasons to reject them unless they develop high levels of trust in the data and know the data is secure.

A paradox exists where organizations are able to process more information than at any other point in history, yet they are unable to understand what data exists and how to protect it from both internal and external attacks.

Big data projects harness data flowing through organizations at lightning speed in new formats such as social networks, unstructured data repositories, web feeds, sensors, RFID tags, smartphones, videos and GPS data, to name a few. The risk of unauthorized access, data breaches and cyber attacks to big data environments can’t be ignored.

Big data environments are difficult to protect, and present unique challenges:

• Schema-less distributed environments, where data from multiple sources can be joined and aggregated in arbitrary ways, make it challenging to establish access controls.

• The nature of big data—large-scale data sets of high volume, variety and velocity—makes it difficult to ensure data integrity.

• Aggregation of data from across the enterprise means sensitive data ends up in the big data repository.

• Big data repositories present another data source to secure, and most existing data security and compliance approaches will not scale.


Security for big data systems is not optional; it’s imperative. Big data environments allow organizations to aggregate more and more data; however, there are limited built-in security controls, and chances are you may not realize a breach has occurred until serious damage has already been done.

Your data security strategy must include big data security to help:

• Improve security decision-making based on prioritized, actionable insight derived from monitoring big data environments, like Hadoop.

• Identify when an advanced targeted attack has bypassed traditional security controls and penetrated the organization.

• Build confidence in the integrity of your business data for competitive advantage.


Cloud and virtual environment data security

With workloads moving to private clouds, securing data in virtual environments is becoming more important than ever. Data centers must become more flexible, especially as workloads of different trust levels are combined to run on the same physical hardware.

Private clouds deliver capabilities that expand what’s possible in business model innovation. For example, the private cloud can make new offerings and services available instantly on a global scale to accelerate monetization, while at the same time lowering IT and infrastructure costs. While private clouds offer many benefits, they also present a new attack vector. So how can your organization embrace cloud benefits while also securing sensitive data?

Holistic protection strategies for private cloud environments should provide alerts to security administrators of suspicious behaviors such as unusual network activity. Data security processes need to continuously track data across the private cloud environment and provide insight into who is accessing the data across applications, databases, warehouses and file shares.

Such an approach ensures a 360-degree lockdown of all organizational data, no matter where it resides, in every stage of its utilization.

To ensure data is protected in virtualized and cloud environments, organizations need to understand what data is going into these environments, how access to this data can be monitored, what types of vulnerabilities exist and how to demonstrate compliance. Protections should be built into virtual and cloud environments from the start.

Organizations should look to centralize security controls in private cloud environments and ensure a separation of duties so that the data administrator doesn’t also become the security administrator or auditor.


Enterprise data security

Databases and data warehouses containing an organization’s most sensitive data—including financial records, credit card information, and citizen or customer data—continue to be the number one source of breaches, and that’s why they are increasingly subject to regulations such as SOX, PCI-DSS, HIPAA and other data protection and privacy regulations.

These large repositories include huge volumes of structured data that are easy to access, making these databases an increasingly popular target for malicious attacks. In addition, as database platforms have advanced in functionality over the past 30 years, large-scale implementations have developed an extremely large number of configuration options, all of which need to be well understood and then secured to avoid data breaches.

As a result, protecting against fraud, insider threats and external attacks has compelled organizations to streamline compliance processes in order to protect their most vital information assets. Unfortunately, many organizations are struggling to discover where sensitive data exists and how to protect it.

The smarter alternative to the type of fragmented, inadequate data protection that exists at many organizations today is unified data security and integrity operations. This approach can be accomplished with solutions that interface with the diverse data sources and data types across the enterprise and in heterogeneous environments to improve data security and integrity operations.


Steps for a proactive and systematic approach to secure sensitive data and address compliance requirements

Understand where the data exists

Organizations can’t protect sensitive data unless they know where it resides and how it’s related across the enterprise.

Safeguard sensitive data, both structured and unstructured

Structured data contained in databases must be protected from unauthorized access. Unstructured data in documents and forms requires privacy policies to redact sensitive information while still allowing needed business data to be shared.

Protect nonproduction environments

Data in nonproduction (development, training and quality assurance) environments needs to be protected, yet still usable during application development, testing and training processes.

Secure and continuously monitor access to the data

Enterprise databases, data warehouses and file shares require real-time insight to ensure data access is protected and audited. Policy-based controls are required to rapidly detect unauthorized or suspicious activity and alert key personnel. In addition, databases and file shares need to be protected against new threats and other malicious activity, and continually monitored for weaknesses.

Demonstrate compliance to pass audits

It’s not enough to develop a holistic approach to data security and privacy. Organizations must also demonstrate and prove compliance to third-party auditors.

Protect nonproduction environments

While a lot of time and focus is given to mission-critical production systems, organizations should keep in mind that sensitive data resides in many other places. How many times is your production database cloned? Are copies available for test, development, quality assurance or disaster recovery? Do these nonproduction environments get the same treatment as production systems? If they have the same data in them, then they should be considered as part of the overall data security approach. Your organization must protect data in nonproduction, training and quality assurance environments while ensuring it is also usable during application development, testing and training processes.

Organizations need a data security solution that optimizes operational efficiency across the entire database infrastructure.


Enterprise application security

Protecting your enterprise applications and their associated data repositories is a matter of extreme importance, particularly when the data in question is sensitive personal information subject to external regulations such as PCI DSS, SOX and HIPAA.

However, multitier enterprise applications are often the most difficult to secure because they are highly distributed and designed to allow web-based access from insiders and outsiders such as customers, suppliers and partners.

Organizations need a data security platform that includes real-time monitoring, application-level fraud detection, and user-specific rules for enterprise applications such as Oracle E-Business Suite, PeopleSoft, SAP and in-house systems. By going beyond existing application logs, an automated and centralized approach provides fraud monitoring to help your organization meet even the most stringent regulatory and audit requirements.

Organizations face unique challenges when it comes to protecting sensitive SAP data, such as:

Dispersed data: Sensitive information may occur in hundreds of different database columns, making it extremely difficult to conduct column-level monitoring or encryption.

Performance: SAP database environments need to maintain maximum responsiveness, even while security measures are being implemented.

Data variety: Both structured data and unstructured data need to be protected.

Supportability: Modifying SAP applications or altering database tables jeopardizes support agreements.

Expense and total cost of ownership: Custom encryption development may be extremely expensive, due to the wide breadth of SAP applications.

Privileged user access: Insiders with privileged access to SAP data could potentially harm the data without their actions being tracked.


Your data security strategy must include application security to monitor, track and report on the activities of users who access critical tables with multitier enterprise applications rather than direct access to the database. This is required because enterprise applications typically use an optimization mechanism called “connection pooling.” In a pooled environment, all user traffic is aggregated in a few database connections that are identified only by a generic application account name, thereby masking the user identities.

For compliance requirements and fraud preventative measures, you need to identify application users associated with specific database queries and transactions, as well as identify direct access by privileged users.


Also, for business decision making, you need to gain a deeper understanding of data activity insights by integrating activity monitoring with IT Security Information and Event Management (SIEM) tools for more accurate and effective security intelligence.
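The connection-pooling problem described above, as an added example that is not part of the original document: a Python correlation of an application-tier log (which end user held which pooled connection, and when) with the database audit log, so that queries the database only ever sees under the generic service account can be attributed to real users, and direct access that bypasses the application tier is flagged for a SIEM. All log formats, account names and table names are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumed names, constructed for this example: the generic account the
# connection pool authenticates with, and the tables a policy treats as sensitive.
POOLED_ACCOUNT = "app_svc"
SENSITIVE_TABLES = {"card_data", "patient_records"}


@dataclass(frozen=True)
class AppSession:
    user: str        # end user the application authenticated
    conn_id: int     # pooled database connection that served the request
    start: datetime
    end: datetime


@dataclass(frozen=True)
class DbAuditEvent:
    ts: datetime
    db_user: str     # account the database saw; generic for pooled traffic
    conn_id: int
    table: str
    statement: str


def _fields(tokens):
    return dict(tok.split("=", 1) for tok in tokens)


def parse_app_log(lines):
    """Assumed application log format: 'ISO-TS user=<u> conn=<n> end=<ISO-TS>'."""
    sessions = []
    for line in lines:
        ts, *rest = line.split()
        f = _fields(rest)
        sessions.append(AppSession(f["user"], int(f["conn"]),
                                   datetime.fromisoformat(ts),
                                   datetime.fromisoformat(f["end"])))
    return sessions


def parse_db_audit(lines):
    """Assumed audit log format: 'ISO-TS db_user=<u> conn=<n> table=<t> stmt=<s>'."""
    events = []
    for line in lines:
        ts, *rest = line.split()
        f = _fields(rest)
        events.append(DbAuditEvent(datetime.fromisoformat(ts), f["db_user"],
                                   int(f["conn"]), f["table"], f["stmt"]))
    return events


def attribute(events, sessions):
    """Join each audit event to the application session that owned its
    connection at that instant; classify whatever cannot be joined."""
    findings = []
    for ev in events:
        sensitive = ev.table in SENSITIVE_TABLES
        if ev.db_user != POOLED_ACCOUNT:
            # Never passed through the application tier: direct (often privileged) access.
            finding = dict(end_user=ev.db_user, source="direct",
                           severity="high" if sensitive else "low")
        else:
            owners = [s.user for s in sessions
                      if s.conn_id == ev.conn_id and s.start <= ev.ts <= s.end]
            if len(owners) == 1:
                finding = dict(end_user=owners[0], source="application", severity="info")
            elif not owners:
                # Pooled query with no owning request: the user identity stays masked.
                finding = dict(end_user=None, source="unattributed",
                               severity="medium" if sensitive else "low")
            else:
                # Two sessions claim one connection at once: a correlation gap, not proof.
                finding = dict(end_user=None, source="ambiguous", severity="medium")
        finding.update(ts=ev.ts.isoformat(), db_user=ev.db_user,
                       table=ev.table, statement=ev.statement)
        findings.append(finding)
    return findings


# Constructed sample logs (not real data).
APP_LOG = [
    "2023-05-01T10:00:00 user=alice conn=7 end=2023-05-01T10:00:05",
    "2023-05-01T10:00:06 user=bob conn=7 end=2023-05-01T10:00:09",
    "2023-05-01T10:00:00 user=carol conn=8 end=2023-05-01T10:00:10",
]
DB_AUDIT = [
    "2023-05-01T10:00:02 db_user=app_svc conn=7 table=card_data stmt=SELECT",
    "2023-05-01T10:00:07 db_user=app_svc conn=7 table=orders stmt=UPDATE",
    "2023-05-01T10:00:20 db_user=app_svc conn=7 table=card_data stmt=SELECT",
    "2023-05-01T10:00:30 db_user=dba_dave conn=99 table=patient_records stmt=SELECT",
]

if __name__ == "__main__":
    for f in attribute(parse_db_audit(DB_AUDIT), parse_app_log(APP_LOG)):
        print(f)
```

Each finding is a flat dictionary so it can be forwarded to a SIEM as-is; the "unattributed" and "direct" sources are the ones worth alerting on.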


Why IBM InfoSphere Guardium

Today, many organizations are starting to realize that building an effective database security platform is not a one-time event, but rather a process that occurs over time. Data security solutions from IBM InfoSphere® Guardium® can help your organization simplify that process by providing preconfigured rules and policies that help take the guesswork out of securing a database environment.

IBM InfoSphere Guardium:

• Provides the simplest, most robust solution for assuring the privacy and integrity of trusted information in your data center and reducing costs by automating the entire compliance auditing process in heterogeneous environments. By using InfoSphere Guardium to secure your entire organization’s data environment, your organization can monitor user activity to detect and respond to fraud without causing large-scale disruption of IT operations.

• Is the most widely used solution for preventing information leaks from the data center and ensuring the integrity of enterprise data. InfoSphere Guardium has the ability to identify and protect against internal and external threats through a distinctive combination of robust monitoring and auditing, vulnerability management, data transformation, real-time security policies, and intelligent reporting.

• Helps protect valuable data assets such as PII, customer data, business data, corporate secrets and more, foster secure and efficient collaboration, and effectively integrate security into existing business processes.

IBM InfoSphere data security and privacy solutions are open, modular and support all aspects of data security and privacy, including structured, semi-structured and unstructured data, no matter where the data is.

IBM InfoSphere provides an integrated platform for defining, integrating, protecting and managing trusted information across your systems. The InfoSphere Platform provides all the foundational building blocks of trusted information, including data integration, data warehousing, master data management and information governance, all integrated around a core of shared metadata and models. The portfolio is modular, allowing you to start anywhere, and mix and match InfoSphere software building blocks with components from other vendors, or choose to deploy multiple building blocks together for increased acceleration and value. The InfoSphere Platform provides an enterprise-class foundation for information-intensive projects, providing the performance, scalability, reliability and acceleration you need to simplify difficult challenges and deliver trusted information to your business faster.

For more information: ibm.com/guardium


© Copyright IBM Corporation 2013

IBM Corporation Software Group Route 100 Somers, NY 10589 U.S.A.

Produced in the United States of America May 2013 All Rights Reserved

IBM, the IBM logo, ibm.com, DB2, InfoSphere, Guardium and Optim are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. The performance data discussed herein is presented as derived under specific operating conditions. Actual results may vary. It is the user’s responsibility to evaluate and verify the operation of any other products or programs with IBM products and programs. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. Actual available storage capacity may be reported for both uncompressed and compressed data and will vary and may be less than stated. Statements regarding IBM’s future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.

Linux is a registered trademark of Linus Torvalds in the United States, other countries or both.

Microsoft, Windows, Windows NT and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product or service names may be trademarks or service marks of others.

NIB03018-USEN-00