Data security in the cloud

Data Security in the Cloud
Kathryn Zeidenstein, InfoSphere Guardium Evangelist

© 2013 IBM Corporation

Agenda

•
•
•
•

2

Background
Data security 101
Challenges for data protection in the cloud
How InfoSphere Guardium solutions address cloud
challenges


Security incidents are on the rise

3

IBM X-Force 2013 Midyear Trend and Risk Report


Sensitive Data Is at Risk

70%

$188

of organizations surveyed use live
customer data in non-production
environments (testing, Q/A, development)

per record
cost of a data breach

Database Trends and Applications. Ensuring Protection for Sensitive Test Data

The Ponemon Institute. 2013 Cost of Data Beach Study

$5.4M
Average cost of a data breach

50%

The Ponemon Institute. 2013 Cost of Data Breach Study

of organizations surveyed have no way
of knowing if data used in test was
compromised

52%
of surveyed organizations
outsource development

The Ponemon Institute. The Insecurity of Test Data: The Unseen Crisis

The Ponemon Institute. The Insecurity of Test Data: The Unseen Crisis

4


Virtualization has fundamentally changed the data center
Operational and business benefits
Reduce total cost of ownership
•
•
•
•

Fewer servers
Less floor space needed
Reduced power and cooling costs
Increased utilization of server resources

Deploy server images faster compared to physical
server hardware
• Virtual machines can be created very quickly
• Minutes to provision, rather than weeks to
request, procure, install and test

Achieve higher return on investment
Standardize and optimize IT infrastructure to allow
for scalability and reliability
Achieve greater IT and business agility to respond
faster
5


Traditional IT infrastructures
IT security is obtained through the Demilitarized Zone (DMZ)
Trusted Intranet

DMZ

Untrusted Internet

Online Banking
Application

Employee
Application

6


Cloud IT infrastructure
Enterprise security is obtained through “application zones”
Trusted Intranet

DMZ

Untrusted Internet

Online Banking
Application

Employee
Application

Leverage Public Clouds

Investment
API Services

7

Deliver Mobile App

Consume Apps and Services


The new era of computing has arrived
Data Explosion

Consumerization
of IT

Moving from traditional perimeterbased security…

Everything is
Everywhere

Attack
Sophistication

…to logical “perimeter” approach to
security—focusing on the data and
where it resides

Antivirus
IPS
Firewall

• Cloud, Mobile and Data momentum is breaking down the traditional perimeter and forcing us to look at security differently
• Focus needs to shift from the perimeter to the data that needs to be protected

8


Data Security Vision
• Protect data in any form, anywhere, from internal or external threats
• Streamline regulation compliance process
• Reduce operational costs around data protection

Data Classification
Data Classification
Type of data

PCI data
SOX data
Video
Document
Proprietary Data

Data Discovery

Data Repository
Data Repository
Repository

Databases
DW/Hadoop
Hadoop
No-SQL
File Shares

Data Consumers
Data C onsumers
Location

On premise
Private cloud
Public cloud
Managed

Data at Rest

Stored
(Databases, File Servers, Big
Data, Data Warehouses,
Application Servers,
Cloud/Virtual ..)

9

Encryption
Tokenization
Redaction
Masking
Storage

Consumer

Customers (anyone)
Outsourced (3rd party)
Employees (internal)
Role-based (trusted)
Data in Motion

Over Network
(SQL, HTTP, SSH, FTP, email,. …)

Channel

Hosted applications
Cloud applications
Mobile

Activity Monitoring
Real-time Alerting
Dynamic Masking
Blocking
Activity Reporting


Our philosophy:

You need to understand the data in order to
protect it
How old is it?
When was it last used?
Who owns the data?

Relevanc
e
Value

Is it used?
How often?
By who?

DAT
DAT
A
A

Risk

Sensitivity
Exposure
Volumes

Lifecycle
Production
Test/Dev
Archive
Analysis
10


Investment 101

Higher RISK  possible higher returns
In other words…
we are willing to take risks if there is sufficient value behind it

11


Data Security 101
Data Security 101
Need Valu
to understand the data in order to protect it
e For the Business
High Value, Low Risk
Table with no sensitive
data that is used often
by an important
business application

Below the line

Above the line

Risk levels are too high
given the business value
of the data

High value data with low
(or at least acceptable)
risk levels

DAT
DAT
A
A
Low Value, Low Risk
Temp table with no sensitive
data
12

Value Risk

High Value, High Risk
Table with sensitive data
that is used often by
business application

Low Value, High Risk
Dormant table with sensitive
data

To the business

Understanding the Data – Value vs. Risk
Understanding the Data – Value vs. Risk
Value to the
Business

The Goal:

Reduce the risk and get all data
element above the ‘risk’ line

How?

Discover the DATA
Discover the DATA

1. Understand the VALUE
1. Understand the VALUE
2. Determine the RISK
Risk
1. Determine the VALUE
1. Determine the VALUE

3. Reduce the RISK
3. Reduce the RISK


Activity Monitoring
How often?
What data?

Discovery & Classification
- What data is out there?
- How sensitive is it?

Integrations
Who uses the data?

Activity Monitoring
- How exposed is the data?
- What data is being extracted?

Business Glossary
Insights on how data
is used by the business
13

Vulnerability Assessment
- How secure is the repository?
- Is it fully patched?
- Best practice configuration?

3. Reduce the RISK
3. Reduce the RISK
Activity Monitoring
- Alert/Block suspicious Activities
- Prevent unauthorized access to data
- Report and Review all data activities
Vulnerability Assessment
- Assessments & Remediation Steps
- Configuration “lock down”
- Purge dormant data
Encryption
- Encrypt data at rest
Test Data Management
2013 IBM
- Declassify data on©test/devCorporation
env.

Data security is an ongoing process




Discovery
Assessment
Identity
Classification Masking/Encryption Access Mgmt

Discover
Find sensitive
data

Harden
Secure the
repository

Where is my sensitive
data?

Activity
Monitoring

Monitor
Control
access

Blocking
Quarantine

Block
Prevent
unauthorized
activities

Record
events

123

XJE

Masking/
Encryption

Mask
Protect
sensitive data

Who has privileged access? Are
there dormant entitlements?
Who is accessing the data and
what are they doing?

How can I check for
known vulnerabilities?
How do I encrypt sensitive data?
14

How to prevent unauthorized
access?
How to can I mask sensitive
data going to the Cloud?

Key challenges to protecting data in virtualized and cloud environments


Compliance
• Limited time, lots of regulation, growing costs of compliance
• Audits require monitoring and reporting on database activities

 Access
• Ability to know who’s accessing your data when, how and why
• Complex role based data access requirements

 Productivity
• Manual approaches lead to higher risk and inefficiency
• Centralized security management required for maximum efficiency

 Vulnerability
• Complex database vulnerabilities
• New sources of threats: outsourcing, web applications, stolen credentials

15


Streamline compliance in virtualized and cloud environments

Receive alerts of suspicious activity
Audit all database activities
• user activity
• object creation
• database configuration
• entitlements
Enforce separation of duties – creation of policies vs.
reporting on application of policies
Trace users between applications, databases
Automate compliance with sign-off and escalation
procedures
Integrate with enterprise security systems (SIEM)

16


Data access is both an external and internal issue
Prevent “power users” from abusing their access to sensitive data (separation of
duties)
• DBA and power users
Prevent authorized users from misusing sensitive data
• For example, third-party or off-shore developers
Prevent intrusion and theft of data
• For example, someone walking off with a back-up tape
• Hacker
• Block suspicious network traffic

17


InfoSphere Guardium Value Proposition:
Continuously monitor access to sensitive data including databases,
data warehouses, big data environments and file shares to….
1
1

Prevent data breaches
• Prevent disclosure or leakages of sensitive data

2
2

3
3

Ensure the integrity of sensitive data
• Prevent unauthorized changes to data, database structures,
configuration files and logs

Reduce cost of compliance
• Automate and centralize controls
o Across diverse regulations, such as PCI DSS, data privacy regulations,
HIPAA/HITECH etc.
o Across heterogeneous environments such as databases, applications, data
warehouses and Big Data platforms like Hadoop

• Simplify the audit review processes

18


InfoSphere Guardium value proposition (cont.)
4
4

Protect data in an efficient, scalable,
and cost effective way
Increase operational efficiency

Automate & centralize internal controls
Across heterogeneous & distributed environments
Identify and help resolve performance issues & application errors
Highly-scalable platform, proven in most demanding data center
environments worldwide

No degradation of infrastructure or business processes
Non-invasive architecture
No changes required to applications or databases

19


InfoSphere Guardium Architecture

Application Servers
(SAP, Oracle EBS,
Custom Apps, etc)

Role-based GUI

S-TAP – Software Tap
(Light weight probe which
copies information to the appliance)

Guardium
Appliance

 Continuous, policy-based, real-time

Secure Audit
Records

Audit data – reports, quick
search, and outlier detection

monitoring of all data traffic activities,
including actions by privileged users

 Database infrastructure scanning for
missing patches, mis-configured privileges
and other vulnerabilities

 Data protection compliance automation
20
20

Real-time alerts can be integrated
with SIEM systems


21 Feb 2013
IBM InfoSphere Guardium Tech Talk

InfoSphere Guardium database security
Comprehensive data protection for virtual and cloud infrastructures
Administer databases
Access applications
DBA

End User

Virtual Servers

Application Servers

•Database Activity Monitor
•Database Vulnerability Assessment
•Data Encryption
•Data Redaction
•Dynamic Data Masking

Repository

Manage security policies
Security
administrator
21


Guardium provides data security and privacy on the cloud
InfoSphere Guardium is “cloud ready”
Virtualized
Guardium appliances are available as virtual appliances

Secured
Designed for Multitenancy, with a tamper-resistant repository, builtin data level security, granular division/security for auditing results

Automated
Database and instance discovery for private/hybrid clouds
Data source discovery for Amazon RDS instances
Scripting and APIs – including new REST API

Securing Cloud Data with Guardium

Agile
Deployment flexibility using load-balancing
and ‘Grid’ technology
Embedded/Certified (on PureSystems Appliances)
IBM PureData for Hadoop
IBM PureData for Analytics
IBM PureData for Transactions

22

Guardium Data Encryption
Encrypting on for data rest in the cloud
Dynamic Data Masking
Redact/mask sensitive data when used by priv. users
Additional cloud masking capabilities are on roadmap
Document Redaction
Redact sensitive data before documents are uploaded to
the cloud or extracted from content management systems

Extend real-time Data Activity Monitoring to also protect sensitive data in
data warehouses, Big Data Environments and file shares

InfoSphere
BigInsights

HANA

CIC
S
FTP
23
InfoSphere Guardium


Organizations are moving towards virtualization & cloud computing
Build data protection in from the start
IBM InfoSphere Guardium can help with:
• Automatic discovery and classification of
cloud data
• Virtualized security
•Database activity monitoring, database vulnerability
assessments, data redaction and data encryption

• Static and dynamic data masking to ensure a
least privileged access model to cloud resources
• Automated compliance reports customized for
different regulations to demonstrate compliance
in the cloud

24


Chosen by the leading organizations worldwide to secure their most
critical data
5 of the top 5 global banks XX
Protecting access to Billions of
dollars in financial assets

2 of the top 3 global
retailers XX

Safeguarding the integrity of
2.5 billion credit card or personal
information transactions per year

5 of the top 6 global insurers
Protecting more than 100,000
databases with personal and
private information

4 of the top 4 global managed
healthcare providers
Protecting access to
136 million patients
private information

Top government agencies
Safeguarding the
integrity of the
world’s government
information and
defense

8 of the top 10 telcos worldwide
Maintaining the privacy of over
1,100,000,000 subscribers

The most recognized name
in PCs Protecting over 7 million
25

credit card transactions per year


Santiago Stock Exchange
tightens security of its core
applications
Need
• Maintain data integrity and protect confidentiality
of data generated in core applications and
systems to comply with government regulations
in a “software-as-a-service” environment

Benefits
• Provides comprehensive database monitoring
and automated audit reporting, without affecting
application performance
• Automatically audits data access, supports
compliance with government regulations for data
security, and helps avoid costly sanctions
• Monitors all user activity, even privileged users,
and limits database access to only those who
are authorized

26
26


Leading Healthcare Payer
supports data security and
compliance
Need
• Find a cost-effective means to protect information
for over 500,000 members and comply with SOX
and HIPAA regulatory requirements

Benefits
• Monitors user access to critical financial,
customer, and patient application databases,
including privileged insiders
• Centralizes and automates audit controls and
regulatory reporting across distributed,
heterogeneous database environments
• Provides proactive security via real-time alerts for
critical events without affecting performance or
requiring changes to databases or applications
27
27


Information, training, and community
•
•
•
•
•
•

InfoSphere Guardium YouTube Channel
InfoSphere Guardium newsletter
developerWorks forum
Guardium DAM User Group on Linked-In
Community on developerWorks
Technical training courses

Visit: www.ibm.com/guardium

E-book: Comprehensive data protection for physical, virtual and cloud infrastructures

28


Intelligent Security – for the cloud and from the cloud
Differentiated Security Capabilities…
Security analytics and intelligence
Establish a platform with real-time correlation and
detection across the cloud with IBM QRadar SIEM
Manage distributed identities and user access
Protect user access to cloud assets with IBM Identity
and Access Management
Scan, monitor and audit applications and data
Deliver secure mobile and web apps, and monitor data
access in real time with AppScan and Guardium
Professional, Managed,
and Cloud Services

Protect the network from threats
Protect servers, endpoints and networks against threats
with IBM Network Security

… based on open standards

29


Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response
to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed or misappropriated
or can result in damage to or misuse of your systems, including to attack others. No IT system or product should be considered completely secure
and no single product or security measure can be completely effective in preventing improper access. IBM systems and products are designed to
be part of a comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems,
products or services to be most effective. IBM DOES NOT WARRANT THAT SYSTEMS AND PRODUCTS ARE IMMUNE FROM THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

www.ibm.com/security

© Copyright IBM Corporation 2013. All rights reserved. The information contained in these materials is provided for informational purposes
only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use
of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any
warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement
governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in
all countries in which IBM operates. Product release dates and/or capabilities referenced in these materials may change at any time at IBM’s sole
discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any
way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United
States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
30

InfoSphere Guardium protects NoSQL data sources, like Mongo DB,
with its non-intrusive scalable architecture

Lightweight agent sits on MongoDB routing servers (mongos) and shards (mongod)

Network traffic is copied and sent to a hardened appliance where parsing, analysis,
and logging occurs, minimizing overhead on the MongoDB cluster
Separation of duties is enforced – no direct access to audit data
Monitoring Reports

InfoSphere
Guardium
Collector

Mongos

Clients

S-TAPs
Shards

MongoDB Sharded Cluster
(Routing servers and Shards)

31

Real-time alerts can be integrated
with SIEM systems


Encrypt or else… (poor John and Jane Doe)

32

32


Cloud is an opportunity for enhanced security

Manage your risk across cloud apps, services
1
2

Know your user

4

33

Protect your data

3

Professional, Managed,
and Cloud Services

Establish your risk posture

Gain assurance of your apps

5

Protect against threats and fraud

Addressing the full data security and compliance lifecycle

34


International Telecom
automates audit reporting and
enforces data privacy policies
Need
• Monitor access to sensitive customer data in
thousands of Operational Support (OSS) and
Business Support (BSS) system databases in
data centers across a wide geographic area

Benefits
• Monitors OSS and BSS database activity in realtime across heterogeneous operating
environments in 16 data centers
• Automates audit reporting and provides detailed
audit trail of all access to sensitive data
• Provides real-time blocking and alerts to help
ensure that privacy policies are strictly enforced
35
35

Home


Leverage experts to help manage your security
Security Event
and Log
Management
Application
Security
Management

Help reduce data
loss, financial loss
and website
downtime

Offsite
management of
security logs
and events

Managed
Web and Email
Security

Help protect against
spam, worms, viruses,
spyware, adware and
offensive content

Cloud delivered services –
IBM Managed Security Services
Security Intelligence ● People ● Data ● Apps ● Infrastructure

Managed DDOS
Protection

Preparation,
protection, monitoring
and response,
leveraging Akamai
36

IBM X-Force® Threat
Analysis Service
Vulnerability
Management Service

Help provide
proactive discovery
and remediation of
vulnerabilities

Customized security threat
intelligence based on
IBM X-Force®
research and development

Data security in the cloud

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Data security in the cloud

Ähnlich wie Data security in the cloud (20)

Mehr von IBM Security

Mehr von IBM Security (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Data security in the cloud

Hinweis der Redaktion