Bridging the data security gap
1. Introduction
2. Diversity of data: Understand where sensitive and business-critical data resides
3. Big data security: Turn big data environments into secure platforms for growth
4. Cloud and virtual environment data security: Prevent data leakage from private and cloud infrastructures
5. Enterprise data security: Protect heterogeneous data sources
6. Enterprise application security: Secure multitier enterprise applications
7. Why IBM InfoSphere Guardium: Deploy next-generation activity monitoring and audit protection solutions
Comprehensive data protection for physical, virtual and cloud infrastructures
Introduction
Data security presents a multidimensional
challenge in today’s complex IT environment.
Multiple access paths and permission levels
have resulted in a broad array of security
threats and vulnerabilities. Traditional “fortress
approaches” such as firewalls and IDS/IPS
systems are no longer sufficient to defend
against attackers who can easily bypass
perimeter defenses. These security measures
can’t differentiate or prevent unauthorized
traffic that appears to be legitimate.
Organizations need to adopt a more proactive
and systematic approach to securing sensitive
data and addressing compliance requirements
amid the digital information explosion.
This approach must span across complex,
geographically dispersed systems.
Sensitive data is found in commercial
databases, such as Oracle, Microsoft SQL
Server, IBM DB2® and Sybase, in warehouses
like Teradata and IBM PureData™/Netezza, and
also in big data environments including Hadoop,
IBM BigInsights™ and Cloudera platforms.
Senior-level IT executives, corporate governance
officers and business leaders are all focused on
establishing a data security strategy with the
appropriate policies and controls to diligently
safeguard enterprise data, meet compliance
requirements and support a sustainable
governance program.
Compliance starts with having the information
that auditors require at your fingertips and
ensuring the process is in place to make it
repeatable. Many privacy regulations including
HIPAA, PCI-DSS, Sarbanes-Oxley (SOX), and
EU Protection Directive require organizations
to demonstrate data security and privacy
protection with standardized processes,
automated controls and regular reports.
Most organizations currently employ some form
of manual data security such as turning on
native logging, writing custom scripts to extract
and transform data, implementing policies on
physical devices, or ignoring security concerns
altogether. These traditional methods are
considered to be labor intensive, error prone,
risky and costly. Other disadvantages include
high performance overhead, as well as
insufficient separation of duties (DBAs can
easily tamper with the contents of database
logs, thereby affecting non-repudiation).
Siloed implementations by data source are
also extremely risky. Organizations that lack
the proper security controls for their data
infrastructures or analytics platforms increase
their risk of a negative event, and could potentially
suffer devastating effects such as losing
customers, market share, brand equity or revenue.
According to the IBM X-Force 2012 Mid Year
Trend and Risk Report, “a more holistic
approach to the entire ecosystem is required.
Users should become more aware of how visible
their personal data is online, more aware of who
has access to it, and more aware of how it can
be used against them. This affects not only their
social networking, but also their choices of
mobile application selection and usage. As an
increasing trend, mobile applications are
requiring a significant amount of permissions
that dilute the ability of users to discern
potentially malicious intent.”
Fortunately, next-generation data activity
monitoring and audit protection solutions are
available today to provide granular, DBMS-
independent auditing with minimal impact on
performance, while reducing operational costs.
Security breaches, compliance issues, and
security threats can occur in all environments.
Poorly controlled and monitored user access
privileges, coupled with a lack of visibility into
the misuse or abuse of user privileges and a
lack of data security controls will cause an
organization to quickly find itself faced with
increased security risks, whether the environment
is big data, enterprise, virtual or cloud. The key to
protecting data is to understand and implement
an effective data security and privacy solution for
all environments.
Diversity of data
Since data is a critical component of daily
business operations, it is essential to ensure
privacy and protect data no matter where it
resides. Different types of information have
different protection and privacy requirements.
When developing a data security and privacy
strategy, it is important to consider all data
types across the enterprise.
Structured data: This data is based on a data
model and is available in structured formats like
databases or XML.
Unstructured data: This data is in forms or
documents which may be handwritten or typed,
such as word processing documents, email
messages, pictures, digital audio and video.
Online data: This is data used daily to support
the business, including metadata, configuration
data or log files.
Offline data: This is data in backup tapes or on
storage devices.
Not all data has to be protected in the same
manner; some may be considered low risk
and not worth the time and effort required to
secure it. Also, high-value data such as design
specifications or intellectual property may not
require protection under legal mandates, but
organizations will most certainly want to protect
it with stringent security controls.
Organizations should consider an automated
process to ensure data integrity by identifying
data relationships and defining business objects,
since this can take months of manual analysis—
with no assurance of completeness or accuracy.
Data security and compliance requirements across the entire enterprise
Sensitive data discovery and classification: Discover and understand sensitive data and relationships before the data is moved, so that the right policies can be established downstream.
Data access and change controls: Establish policies regarding which users and applications can access or change data.
Real-time data activity monitoring and auditing: Understand the who, what, when, how and where of data access, and report on it for compliance purposes.
Data protection: Transform data through masking or encryption.
Data loss prevention: Establish an audit trail for data access and usage to ensure data is not lost.
Vulnerability management: Understand weaknesses and put policies in place to remediate.
Compliance management: Build a compliance reporting framework to manage report generation, distribution and signoff.
Given the certainty that data will continue to grow
and data structures will become more complex,
a unified and integrated approach will minimize
risks, vulnerabilities and exposures.
Big data security
As big data environments ingest more data,
organizations will face significant risks and threats
to the repositories containing this data. Failure
to balance data security and quality reduces
confidence in decision making. In fact, research
shows that business leaders who feel uncertain
about analytical outputs will find reasons to reject
them unless they develop high levels of trust in the
data and know the data is secure.
A paradox exists where organizations are able
to process more information than at any other
point in history, yet they are unable to understand
what data exists and how to protect it from both
internal and external attacks.
Big data projects harness data flowing through
organizations at lightning speed in new formats
such as social networks, unstructured data
repositories, web feeds, sensors, RFID tags,
smartphones, videos and GPS data, to name
a few. The risk of unauthorized access, data
breaches and cyber attacks to big data
environments can’t be ignored.
Big data environments are difficult to protect,
and present unique challenges:
• Schema-less distributed environments, where
data from multiple sources can be joined and
aggregated in arbitrary ways, make it
challenging to establish access controls.
• The nature of big data, comprising large-scale
data sets with high volume, variety and velocity,
makes it difficult to ensure data integrity.
• Aggregation of data from across the enterprise
means sensitive data is in a repository.
• Big data repositories present another data
source to secure, and most existing data
security and compliance approaches will
not scale.
Security for big data systems is not optional;
it’s imperative. Big data environments allow
organizations to aggregate more and more
data; however, there are limited built-in security
controls, and chances are you may not realize
a breach has occurred until serious damage
has already been done.
Your data security strategy must include big
data security to help:
• Improve security decision-making based on
prioritized, actionable insight derived from
monitoring big data environments, like Hadoop.
• Identify when an advanced targeted attack
has bypassed traditional security controls and
penetrated the organization.
• Build confidence in the integrity of your
business data for competitive advantage.
Cloud and virtual environment data security
With workloads moving to private clouds, securing
data in virtual environments is becoming more
important than ever. Data centers must become
more flexible, especially as workloads of different
trust levels are combined to run on the same
physical hardware.
Private clouds deliver capabilities that expand
what’s possible in business model innovation.
For example, the private cloud can make new
offerings and services available instantly on a
global scale to accelerate monetization, while at
the same time lowering IT and infrastructure
costs. While private clouds offer many benefits,
they also present a new attack vector. So how
can your organization embrace cloud benefits
while also securing sensitive data?
Holistic protection strategies for private cloud
environments should provide alerts to security
administrators of suspicious behaviors such as
unusual network activity. Data security processes
need to continuously track data across the
private cloud environment and provide insight into
who is accessing the data across applications,
databases, warehouses and file shares.
Such an approach ensures a 360-degree
lockdown of all organizational data, no matter
where it resides, in every stage of its utilization.
To ensure data is protected in virtualized and
cloud environments, organizations need to
understand what data is going into these
environments, how access to this data can
be monitored, what types of vulnerabilities
exist and how to demonstrate compliance.
Protections should be built into virtual and
cloud environments from the start.
Organizations should look to centralize security
controls in private cloud environments and
ensure a separation of duties so that the data
administrator doesn’t also become the
security administrator or auditor.
Enterprise data security
Databases and data warehouses containing an
organization’s most sensitive data—including
financial records, credit card information, and
citizen or customer data—continue to be the
number one source of breaches, and that’s why
they are increasingly subject to regulations such
as SOX, PCI-DSS, HIPAA and other data protection
and privacy regulations.
These large repositories include huge volumes of
structured data that are easy to access, making
these databases an increasingly popular target for
malicious attacks. In addition, as database
platforms have advanced in functionality over the
past 30 years, large-scale implementations have
developed an extremely large number of
configuration options, all of which need to be
well understood and then secured to avoid
data breaches.
As a result, protecting against fraud, insider threats
and external attacks has compelled organizations
to streamline compliance processes in order to
protect their most vital information assets.
Unfortunately, many organizations are struggling
to discover where sensitive data exists and
how to protect it.
The smarter alternative to the type of fragmented,
inadequate data protection that exists at many
organizations today is unified data security and
integrity operations. This approach can be
accomplished with solutions that interface with
the diverse data sources and data types across
the enterprise and in heterogeneous environments
to improve data security and integrity operations.
Steps for a proactive and systematic approach to secure sensitive data and address compliance requirements
Understand where the data exists: Organizations can’t protect sensitive data unless they know where it resides and how it’s related across the enterprise.
Safeguard sensitive data, both structured and unstructured: Structured data contained in databases must be protected from unauthorized access. Unstructured data in documents and forms requires privacy policies to redact sensitive information while still allowing needed business data to be shared.
Protect nonproduction environments: Data in nonproduction (development, training and quality assurance) environments needs to be protected, yet still usable during application development, testing and training processes.
Secure and continuously monitor access to the data: Enterprise databases, data warehouses and file shares require real-time insight to ensure data access is protected and audited. Policy-based controls are required to rapidly detect unauthorized or suspicious activity and alert key personnel. In addition, databases and file shares need to be protected against new threats and other malicious activity, and continually monitored for weaknesses.
Demonstrate compliance to pass audits: It’s not enough to develop a holistic approach to data security and privacy. Organizations must also demonstrate and prove compliance to third-party auditors.
Protect nonproduction environments
While a lot of time and focus is given to mission-
critical production systems, organizations should
keep in mind that sensitive data resides in many
other places. How many times is your production
database cloned? Are copies available for test,
development, quality assurance or disaster
recovery? Do these nonproduction environments
get the same treatment as production systems?
If they have the same data in them, then they
should be considered as part of the overall data
security approach. Your organization must
protect data in nonproduction, training and
quality assurance environments while ensuring
it is also usable during application development,
testing and training processes.
Organizations need a data security solution that
optimizes operational efficiency across the entire
database infrastructure.
Enterprise application security
Protecting your enterprise applications and
their associated data repositories is a matter of
extreme importance, particularly when the data
in question is sensitive personal information
subject to external regulations such as PCI
DSS, SOX and HIPAA.
However, multitier enterprise applications are
often the most difficult to secure because they
are highly distributed and designed to allow
web-based access from insiders and outsiders
such as customers, suppliers and partners.
Organizations need a data security platform
that includes real-time monitoring, application-
level fraud detection, and user-specific rules for
enterprise applications such as Oracle E-Business
Suite, PeopleSoft, SAP and in-house systems. By
going beyond existing application logs, an automated
and centralized approach provides fraud
monitoring to help your organization meet even the
most stringent regulatory and audit requirements.
Organizations face unique challenges when it comes to protecting sensitive SAP data, such as:
Dispersed data: Sensitive information
may occur in hundreds of different
database columns, making it extremely
difficult to conduct column-level
monitoring or encryption.
Performance: SAP database
environments need to maintain maximum
responsiveness, even while security
measures are being implemented.
Data variety: Both structured data and
unstructured data need to be protected.
Supportability: Modifying SAP applications
or altering database tables jeopardizes
support agreements.
Expense and total cost of ownership:
Custom encryption development may be
extremely expensive, due to the wide
breadth of SAP applications.
Privileged user access: Insiders with
privileged access to SAP data could
potentially harm the data without their
actions being tracked.
Your data security strategy must include
application security to monitor, track and report
on the activities of users who access critical
tables through multitier enterprise applications
rather than through direct access to the database. This
is required because enterprise applications
typically use an optimization mechanism called
“connection pooling.” In a pooled environment,
all user traffic is aggregated in a few database
connections that are identified only by a generic
application account name, thereby masking the
user identities.
For compliance requirements and fraud
prevention measures, you need to identify
application users associated with specific
database queries and transactions, as well as
identify direct access by privileged users.
Also, for business decision making, you need
to gain a deeper understanding of data activity
insights by integrating activity monitoring with
IT Security Information and Event Management
(SIEM) tools for more accurate and effective
security intelligence.
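The masking effect of connection pooling described above, shown as an added example that is not from this paper and uses no Guardium API. It is a constructed in-memory pool and audit trail that compares what the database sees with and without the application passing the end user along, and flags direct access that bypasses the pool. The account name `app_svc`, the user names and the SQL statements are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

POOL_ACCOUNT = "app_svc"  # assumed name of the generic pooled account


@dataclass
class AuditRecord:
    session_id: int
    db_user: str             # identity the database itself sees
    app_user: Optional[str]  # end user, present only if the app passes it on
    statement: str


class PooledConnection:
    def __init__(self, session_id: int, audit: List[AuditRecord]):
        self.session_id, self.audit = session_id, audit
        self.app_user: Optional[str] = None

    def execute(self, statement: str) -> None:
        # Every statement is logged under the pool account, whoever asked.
        self.audit.append(
            AuditRecord(self.session_id, POOL_ACCOUNT, self.app_user, statement))


class Pool:
    def __init__(self, size: int, audit: List[AuditRecord]):
        self._free = [PooledConnection(i, audit) for i in range(1, size + 1)]

    def checkout(self, app_user: Optional[str] = None) -> PooledConnection:
        conn = self._free.pop(0)
        conn.app_user = app_user  # tag the session with the end user
        return conn

    def release(self, conn: PooledConnection) -> None:
        conn.app_user = None      # clear it, or the next borrower inherits it
        self._free.append(conn)


def classify(rec: AuditRecord) -> str:
    if rec.db_user != POOL_ACCOUNT:
        return "direct"           # session did not come through the application
    return "attributed" if rec.app_user else "masked"


def build_sample_audit() -> List[AuditRecord]:
    """Constructed sample activity; all names and statements are invented."""
    audit: List[AuditRecord] = []
    pool = Pool(size=1, audit=audit)
    # No propagation: two people share one visible identity.
    for _user in ("alice", "bob"):
        conn = pool.checkout()
        conn.execute("SELECT * FROM payroll")
        pool.release(conn)
    # With propagation: the same work becomes attributable.
    for user in ("alice", "bob"):
        conn = pool.checkout(app_user=user)
        conn.execute("SELECT * FROM payroll")
        pool.release(conn)
    # A privileged user connecting directly, outside the pool.
    audit.append(AuditRecord(99, "dba_carol", None, "SELECT * FROM payroll"))
    return audit


def summarize(audit: List[AuditRecord]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for rec in audit:
        counts[classify(rec)] = counts.get(classify(rec), 0) + 1
    return counts


if __name__ == "__main__":
    for rec in build_sample_audit():
        print(f"{classify(rec):<10} db_user={rec.db_user:<9} "
              f"app_user={rec.app_user} :: {rec.statement}")
```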
Why IBM InfoSphere Guardium
Today, many organizations are starting to realize
that building an effective database security
platform is not a one-time event, but rather a
process that occurs over time. Data security
solutions from IBM InfoSphere® Guardium® can
help your organization simplify that process by
providing preconfigured rules and policies that
help take the guesswork out of securing a
database environment.
IBM InfoSphere Guardium
• Provides the simplest, most robust solution for
assuring the privacy and integrity of trusted
information in your data center and reducing
costs by automating the entire compliance
auditing process in heterogeneous environments.
By using InfoSphere Guardium to secure
your entire organization’s data environment,
your organization can monitor user activity to
detect and respond to fraud without causing
large-scale disruption of IT operations.
• Is the most widely used solution for preventing
information leaks from the data center and
ensuring the integrity of enterprise data.
InfoSphere Guardium has the ability to identify
and protect against internal and external
threats through a distinctive combination of
robust monitoring and auditing, vulnerability
management, data transformation, real-time
security policies, and intelligent reporting.
• Helps protect valuable data assets such as
PII, customer data, business data, corporate
secrets and more, foster secure and efficient
collaboration, and effectively integrate security
into existing business processes.
IBM InfoSphere data security and privacy
solutions are open, modular and support all
aspects of data security and privacy, including
structured, semi-structured and unstructured
data, no matter where the data is.
IBM InfoSphere provides an integrated platform
for defining, integrating, protecting and managing
trusted information across your systems. The
InfoSphere Platform provides all the foundational
building blocks of trusted information, including
data integration, data warehousing, master data
management and information governance, all
integrated around a core of shared metadata and
models. The portfolio is modular, allowing you to
start anywhere, and mix and match InfoSphere
software building blocks with components from
other vendors, or choose to deploy multiple
building blocks together for increased acceleration
and value. The InfoSphere Platform provides an
enterprise-class foundation for information-
intensive projects, providing the performance,
scalability, reliability and acceleration you need to
simplify difficult challenges and deliver trusted
information to your business faster.
For more information: ibm.com/guardium