View on-demand recording: http://securityintelligence.com/events/how-vulnerable-is-your-critical-data/
Data infrastructures are highly dynamic, with changes in accounts, configurations and patches occurring regularly. Within your data infrastructure you need to understand the data: not all data is the same, and it is the data considered high risk that needs protecting. However, most organizations lack the centralized control or the skilled resources to review changes systematically and determine whether they have introduced security gaps. While there are no silver bullets, there are key steps organizations can take to understand and reduce their risk and lower TCO.
In this presentation, Luis Casco-Arias, Senior Product Manager for IBM Security Guardium, describes best practices for:
- Assessing vulnerabilities and exposures
- Locking down critical data in various environments
- Aligning remediation workflows to prevent breaches and policy violations
2. Agenda: How Vulnerable Is Your Critical Data?
- Data Security: Market & Customer Trends
- Is the world upside down?
- How Guardium Solves Today’s Data Security Challenges Holistically
- Questions?
5. More than half a billion records of personally identifiable information (PII) were leaked in 2013
$5.5M+
6. BIGGEST BANK HEIST EVER!
What did they steal? ~$1B, customer data, PCI data
How did they steal it? Botnets (used to track user activity), privileged user credentials, missing patches
Source: CNN Money
7. Doing nothing about data compliance is NOT optional
Company data security approach | Audit events/year | Average cost/audit | Data loss events/year | Average cost/data loss | Total cost (adjusted per TB)
w/o data security | 6.3 | $24K | 2.3 | $130K | $449K/TB
w/ data security | 1.7 | | 1.4 | | $223K/TB
Annual cost of not implementing data security: $226K/TB
Total annual cost of doing nothing in BIG DATA compliance (for an average Big Data organization with 180 TB of business data): $40+ M
Yearly average cost of compliance: $3.5M
Source: Aberdeen Group, Why Information Governance Must be Addressed Right Now.
Source: The True Cost of Compliance; The Cost of a Data Breach, Ponemon Institute.
8. The Security Landscape is changing rapidly
Drivers: Data Explosion; Everything is Everywhere; Attack Sophistication; Consumerization of IT
Extending the perimeter; focus shifts to protecting the DATA
Moving from traditional perimeter-based security (Firewall, Antivirus, IPS)… to a logical “perimeter” approach to security, focusing on the data and where it resides
9. Data is the key target for security breaches… & database servers are the primary source of breached data
Source: Data Breach Report from Verizon Business RISK Team
WHY? Database servers contain your client’s most valuable information:
– Financial records
– Customer information
– Credit card and other account records
– Personally identifiable information
– Patient records
They hold high volumes of structured data and are easy to access.
“Go where the money is… and go there often.” - Willie Sutton
10. Goal: Close the data exposure gap
92% of breaches are discovered by an external party
Source: http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z038
Guardium portfolio: Guardium Discovery, Guardium DAM, Guardium VA, Guardium for Applications, Guardium Encryption
11. Home-grown compliance is costly and ineffective
The data compliance burden: native data logging → create reports → spreadsheet evaluation → manual review (approval, reject, escalate) → manual remediation dispatch and tracking
What it takes:
• Scripting maintenance
• Expertise to parse logs
• Centralize collection
• Stove-piped approach
What you get:
• Performance impact on the data repository
• No tamper-proof repository
• Redundant work / siloed solutions
• No central management
• No automation or company-wide policies
• High expertise to implement/maintain (technology, regulation)
• No separation of duties
• Inaccurate/obsolete results and delayed delivery
• After-the-fact response
12. Why is Data Vulnerable?
• The difficulty of enforcing consistent controls and reporting on systems from a variety of vendors across multiple releases
• Development systems that get replicated to production without proper lock-down, and application packages that get deployed with default settings with no understanding of the security implications
• The shortage of resources with the required database and security skills
• Web application attacks; malware that tracks user activities and credentials
• No real-time monitoring of privileged users’ activities and access to sensitive data
• Data in all its forms is exploding while the resources to manage it are limited, and the number of systems to be secured can range in the thousands
Growth areas: Big Data, Mobile, Cloud
14. IBM’s Approach to Data Security, Compliance and Privacy
Understanding the data: Risk vs. Value (chart axes: Value to the Business, Risk)
• Understanding the Risks and Uncovering Exposure
  – Define and Share: Business and IT agree on relative data risk and value
  – Discover and Classify: exploring data sources and plotting the sources for value and risk
• Mitigating Risk with Data Protection
  – Mask, Redact, Encrypt: moving the risk areas above the line
  – Cleanse risky data and configurations
• Maintaining a Tolerant Risk Level
  – Monitor Data Activity: keeping risk-prone areas above the line
  – Dynamically remove risk
• Expansion to the Enterprise
15. IBM Security Guardium Value Proposition:
Continuously monitor access to sensitive DATA including databases, data warehouses, big data environments and file shares to...
1. Prevent data breaches
   – Prevent disclosure or leakages of sensitive data
2. Ensure the integrity of sensitive data
   – Prevent unauthorized changes to data, database structures, configuration files and logs
3. Reduce cost of compliance
   – Automate and centralize controls
   – Simplify the audit review processes
4. Protect data in an efficient, scalable, and cost effective way
   – Increase operational efficiency: automate & centralize internal controls across heterogeneous & distributed environments; identify and help resolve performance issues & application errors
   – Highly-scalable platform, proven in the most demanding data center environments worldwide
   – No degradation of infrastructure or business processes
   – Non-invasive architecture: no changes required to applications or databases
16. Guardium enhances and differentiates most security solutions
Total Visibility: Product Portfolio, Services and Research
Products: Guardium Data Activity Monitoring; Guardium Vulnerability Assessment; Guardium Encryption and Privacy
Services: Security Services; Consulting; Managed Services; Strategic Outsourcing; System Integration
17. How does Guardium do it?
Discover (data at rest). Questions: Where is the sensitive data? Who should have access? Capabilities: Discovery, Classification, Entitlements Reporting, Dormant Data, Dormant Entitlements
Harden (configuration). Question: How to secure the repository? Capabilities: Vulnerability Assessment, Security Policies
Monitor (data in motion). Question: What is actually happening? Capabilities: Activity Monitoring, Compliance Reporting
Protect (data in motion). Questions: How to prevent unauthorized activities? How to protect sensitive data to reduce risk? Capabilities: Blocking, Quarantine, Dynamic Data Masking, Masking, Encryption, Security Alerts / Enforcement
18. Data Security solutions protect structured and unstructured sensitive data
Discover / Harden / Monitor / Protect
“Base Product”: DB and Data Discovery; Data Classification; Enterprise Integrator; Entitlement Reporting; Queries & Reports; Threshold Alerts; Compliance Workflow; Group Management; Security Integrations; IT Integrations; Data Level Security; Incident Management; User/Roles Management; HR Integrations; Portal Management; Self Monitoring; Data Export Options; Data Import Options
Vulnerability Assessment: Assessment reports; Data Protection Subscription; Configuration Changes
Standard DAM: Data Activity Monitoring; Real-time alerts; App end-user identification; Normalized audit creation; Compliance reporting; Compliance workflow
Advanced DAM: Blocking access; Masking sensitive data; Users Quarantine
Data Encryption: File-level encryption; Role-based access control; File access auditing
Static Data Masking: Static masking; Semantic and format preserving
Data Redaction: Redact sensitive documents
Masking for Applications: Masking on the browser
Packaged discovery, masking, and monitoring for Hadoop or Data Warehouses
Federate large deployments: Central control; Central audit collection
19. Guardium: Understand & Define your Distributed Data Landscape (Discover)
Discovery
Requirements:
• What databases do I have and where are they?
• Where is my sensitive data?
Benefits:
• Locate and inventory data sources across the enterprise
• Identify sensitive data and classify it
• Understand relationships
• Centrally document security policies and propagate them across the data lifecycle
Diagram: sensitive data scattered across on-premise data sources
20. Guardium: Database Hardening and Compliance Made Simple (Discover, Harden)
Vulnerability Assessment
Requirements:
• Vulnerability assessment on up-to-date database exposures
• Vulnerability assessment on OS mis-configurations
• Periodic configuration checking and change auditing
Benefits:
• Reduce risk on the data infrastructure
• Assure compliance with regulatory mandates
• Minimize operational costs through automated and centralized controls
Diagram: on-premise data sources
21. Guardium: Data Access Protection and Compliance Made Simple (Discover, Monitor, Protect)
Real-time data monitoring, auditing, and protection
Requirements:
• Continuous, real-time database access and activity monitoring
• Policy-based controls to detect unauthorized or suspicious activity
• Prevention of data loss
Benefits:
• Assure compliance with regulatory mandates
• Protect against threats from legitimate users and potential hackers
• Minimize operational costs through automated and centralized controls
22. IBM Security Guardium real-time data activity monitoring
Architecture: host-based probes (S-TAP) on the data repositories (databases, warehouses, file shares, Big Data) forward activity to a Collector Appliance; a Central Manager Appliance manages the collectors.
Functions:
• Discovery and Classification
• Activity Monitoring: continuous, policy-based, real-time monitoring of all data traffic activities, including actions by privileged users
• Blocking & Masking: preventive data protection in real time
• Compliance Automation
Key characteristics:
• Single integrated appliance
• Non-invasive/non-disruptive, cross-platform architecture
• Dynamically scalable
• SOD (separation of duties) enforcement for DBA access
• Auto-discover sensitive resources and data
• Detect or block unauthorized & suspicious activity
• Granular, real-time policies: who, what, when, how
• 100% visibility, including local DBA access
• Minimal performance impact
• Does not rely on resident logs that can easily be erased by attackers or rogue insiders
• No environment changes
• Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, etc.
• Growing integration with the broader security and compliance management vision
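The two ideas on this slide that matter most to a defender are policy-based detection of privileged-user access to sensitive data, and keeping the audit trail somewhere an attacker with control of the database host cannot quietly edit. The following is an added illustration of both, written for this page; it is not Guardium code and does not describe how the S-TAP or the collector actually work. Every record, user name, table name and policy in it is constructed sample data, and the hash-chained store is a generic tamper-evidence technique, not a claim about the product.

```python
"""Added example (not Guardium code): a toy activity-monitoring pipeline that
   1. evaluates each database activity record against a small policy, and
   2. appends the record to a hash-chained (tamper-evident) audit store that
      lives apart from the database server's own logs.
All records, users, tables and policy values below are constructed samples."""
import hashlib
import json
import re

# Constructed sample activity records, as a host probe might forward them.
SAMPLE_EVENTS = [
    {"ts": "2015-06-01T09:00:01Z", "user": "app_svc", "src": "10.0.1.20",
     "sql": "SELECT name, balance FROM customers WHERE id = 42"},
    {"ts": "2015-06-01T09:00:05Z", "user": "dba_jones", "src": "10.0.9.7",
     "sql": "SELECT * FROM card_numbers"},
    {"ts": "2015-06-01T09:00:09Z", "user": "dba_jones", "src": "10.0.9.7",
     "sql": "UPDATE audit_config SET enabled = 0"},
    {"ts": "2015-06-01T09:00:12Z", "user": "report_ro", "src": "10.0.1.31",
     "sql": "SELECT count(*) FROM orders"},
]

# Constructed policy: which accounts are privileged, which tables are sensitive,
# and which tables hold audit/security configuration.
PRIVILEGED_USERS = {"dba_jones", "sys", "root"}
SENSITIVE_TABLES = {"customers", "card_numbers", "patients"}
CONFIG_TABLES = {"audit_config"}

# Deliberately simple table extraction; a real monitor parses SQL properly.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_]*)", re.I)


def tables_in(sql):
    """Return the lower-cased table names referenced by a statement."""
    return {m.lower() for m in TABLE_RE.findall(sql)}


def evaluate(event):
    """Return the list of policy-violation labels for one event (empty = clean)."""
    tables = tables_in(event["sql"])
    alerts = []
    if event["user"] in PRIVILEGED_USERS and tables & SENSITIVE_TABLES:
        alerts.append("privileged-user-sensitive-read")
    is_read = event["sql"].lstrip().upper().startswith("SELECT")
    if tables & CONFIG_TABLES and not is_read:
        alerts.append("audit-config-change")
    return alerts


class HashChainedAuditStore:
    """Append-only store in which each record embeds the hash of its predecessor,
    so deleting, reordering or editing an earlier record breaks verification."""

    def __init__(self):
        self.records = []
        self.last_hash = "0" * 64  # genesis value for the first record

    def append(self, event, alerts):
        payload = json.dumps({"event": event, "alerts": alerts,
                              "prev": self.last_hash}, sort_keys=True)
        digest = hashlib.sha256(payload.encode()).hexdigest()
        self.records.append({"payload": payload, "hash": digest})
        self.last_hash = digest
        return digest

    def verify(self):
        """True only if every record's hash and back-pointer still check out."""
        prev = "0" * 64
        for rec in self.records:
            if json.loads(rec["payload"])["prev"] != prev:
                return False
            if hashlib.sha256(rec["payload"].encode()).hexdigest() != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


def process(events):
    """Run every event through the policy and into the store; return both the
    store and the (user, alerts) pairs that fired."""
    store = HashChainedAuditStore()
    alerted = []
    for ev in events:
        alerts = evaluate(ev)
        store.append(ev, alerts)  # clean events are recorded too
        if alerts:
            alerted.append((ev["user"], alerts))
    return store, alerted


if __name__ == "__main__":
    store, alerted = process(SAMPLE_EVENTS)
    for user, alerts in alerted:
        print(user, alerts)
    print("audit chain intact:", store.verify())
```

Running it flags the DBA's read of the card table and the attempt to switch auditing off, and `verify()` returns False as soon as any stored record is altered or removed, which is the property the slide means by not relying on resident logs that an attacker can erase.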
23. Dynamic Data Masking for Web Applications
Architecture: browser → (HTTP/HTTPS) web server / application server (incl. Hue, Solr, Web-HDFS) → data servers; S-TAP probes on the data servers report to Collectors, which feed an Aggregator.
Guardium for Applications (application security, for application owners): Dynamic Data Masking for Apps; data privacy
Guardium for Databases (database security, for database administrators): Activity Monitoring; Access blocking; Dynamic Data Masking for SQL; data integrity and privacy
• Easily share only the right type of data, even with mobile devices
• Facilitates outsourcing securely and with privacy
• Browser Masking: shield sensitive application data from unauthorized users
24. Comprehensive support for structured and unstructured sensitive data: databases, data warehouses, big data, applications and file shares
Platforms shown: InfoSphere BigInsights; Exadata; HANA; DB2® with BLU Acceleration; Pure Data Analytics; Optim Archival; Siebel, PeopleSoft, E-Business; Master Data Management; DataStage; CICS; z/OS Datasets; FTP
25. Guardium complements your IT operations
Integration points around the S-TAP-instrumented database server (risk, alerts, remediate, scale):
• Directory Services (Active Directory, LDAP, IBM Security Directory Service, etc.)
• SIEM (IBM QRadar, IBM zSecure Audit, Arcsight, RSA Envision, etc.)
• SNMP Dashboards (Tivoli Netcool, HP Openview, etc.)
• Change Ticketing Systems (Tivoli Request Mgr, Tivoli Maximo, Remedy, Peregrine, etc.)
• Vulnerability Standards (CVE, STIG, CIS Benchmark, SCAP; IBM QRadar QVM)
• Data Classification and Leak Protection (InfoSphere Discovery, Business Glossary, Optim Data Masking: credit card, Social Security, phone, custom, etc.)
• Security Management Platforms (IBM QRadar, McAfee ePO)
• Application Servers (IBM Websphere, IBM Cognos, Oracle EBS, SAP, Siebel, Peoplesoft, etc.)
• Long Term Storage (IBM TSM, IBM Pure Data - Netezza, EMC Centera, FTP, SCP, Optim Archival, etc.)
• Authentication (RSA SecurID, Radius, Kerberos, LDAP)
• Software Deployment (IBM Tivoli Provisioning Manager, RPM, native distributions)
• Outbound: send alerts (LEEF, CEF, CSV, Syslog, etc.) and send events
• Web Application Firewalls (F5 ASM)
• Endpoint Configuration and Patch Management (IBM Endpoint Manager)
• Database tools (Change Data Capture, Query Monitor, Optim Test Data Manager, Optim Capture Replay)
• Static Data Masking (Optim Data Masking)
• Analytic Engines (InfoSphere Sensemaking)
• Load Balancers (F5, CISCO)
26. IBM is THE Leader in the Data Protection Market
• ONLY vendor offering a COMPREHENSIVE data security and privacy solution
  – All controls for lifecycle data protection and privacy
  – Widest range of data sources & packaged apps on any platform
  – Compliance automation for data
  – Synergistic with IT Operations and Security solutions
• Most PROVEN data protection and privacy technology
  – Pervasively used in the industry worldwide
  – Leading data protection capabilities: first to market with leading features; comprehensive and innovative vision
• Most FLEXIBLE and COST EFFECTIVE data protection
  – Seamless scalability to support the largest organizations
  – Documented ROI returns based on TCO savings and compliance automation
  – Non-intrusive and less environmentally impactful operation
Database Audit Wave: IBM #1 Leader - “InfoSphere Guardium offers support for almost any of the features one might find in an auditing and real-time protection solution.”
Data Masking MQ: IBM #1 Leader - “Most frequently referenced by customers.”
27. Chosen by the leading organizations worldwide to secure their most critical data
Customers: top government agencies; 8 of the top 10 telcos worldwide; 2 of the top 3 global retailers; 5 of the top 6 global insurers; 5 of the top 5 global banks; 4 of the top 4 global managed healthcare providers
Scale:
• Protecting access to over $10,869,929,241 in financial assets
• Protecting access to 136 million patients’ private information
• Safeguarding the integrity of 2.5 billion credit card or personal information transactions per year
• Protecting more than 100,000 databases with personal and private information
• Safeguarding the integrity of the world’s government information and defense
• Maintaining the privacy of over 1,100,000,000 subscribers
28. What to do next?
1. Listen to the next Guardium Tech Talk on June 25th:
• Practical tips for managing data security risk:
https://ibm.biz/BdXzdN
2. Learn about Guardium: ibm.com/guardium
3. Join the Guardium Community on developerWorks: bit.ly/guardwiki