IBM InfoSphere Guardium provides the simplest, most robust solution for assuring the privacy and integrity of trusted information in your data center (SAP, PeopleSoft, Cognos, Siebel, etc.) and reducing costs by automating the entire compliance auditing process in heterogeneous environments.
© 2009 IBM Corporation
Guardium Database Monitoring & Protection
Karl Wehden, IBM InfoSphere Worldwide Data Governance Team, 28 September 2010
Guardium Value Proposition: Continuously Monitor Access to High-Value Databases to …
1. Prevent data breaches – Mitigate external & internal threats
2. Assure data governance – Prevent unauthorized changes to sensitive data
3. Reduce cost of compliance – Automate & centralize controls
   – Across DBMS platforms & applications
   – Across SOX, PCI, SAS70, …
   – Simplify processes
Perimeter Defenses No Longer Sufficient
“A fortress mentality will not work in cyber. We cannot retreat behind a Maginot Line of firewalls.” – William J. Lynn III, U.S. Deputy Defense Secretary
• Outsourcing
• Web-Facing Apps
• Legacy App Integration/SOA
• Employee Self-Service, Partners & Suppliers
• Insiders (DBAs, developers, outsourcers, etc.)
• Stolen Credentials (Zeus, etc.)
Defense in Depth Strategy for Privacy and Security:
• User access monitoring
• Prevention of unauthorized access
• Production data encryption
• Unstructured data redaction
• Non-production data masking
• Archiving and retention compliance
Balanced Control Objectives
Visibility into Risk Costs Money:
• The introduction of unchecked detective controls can introduce significant cost
• The lack of detective controls can create a comfortably underestimated level of risk
• Evaluate the total cost of control introduction:
  – Operational cost
  – Risk mitigation cost
  – Risk avoidance benefit
  – Model out for longer than the benefit of the tools selected
Top Data Protection Challenges
“Largest Hacking Case Ever Prosecuted”
• Gonzalez sentenced to xx years for Operation Get Rich or Die Tryin’
  – Heartland, 7-Eleven, Hannaford: Stole 130M cards via SQL injection, network reconnaissance, malware, sniffers
  – Dave & Buster’s: Stole admin password file from POS service provider
  – TJX, OfficeMax + 6 other retailers: Stole 40M cards via SQL injection & war driving; aided by former Barclay’s network security manager (“healthy childhood, white-collar success”)
  – San Diego case: International ring (Ukraine, Estonia, PRC, Philippines, Thailand); “Maksik” Yastremskiy sentenced to 30 years in Turkish prison; hacked 11 Turkish banks
• “Our most formidable challenge is getting companies to detect they have been compromised ...” – Kimberly Kiefer Peretti, senior counsel, DoJ
Albert Gonzalez, aka soupnazi
Stephen Watt, author of “blabla” sniffer: 2 years in prison & $170M in restitution
“Maksik” Yastremskiy: 30 years in Turkish prison
Chosen by Leading Organizations Worldwide
• 5 of the top 5 global banks
• 2 of the top 3 global retailers
• 4 of the top 6 global insurers
• 2 of the world’s favorite beverage brands
• The most recognized name in PCs
• 25 of the world’s leading telcos
• Top government agencies
• Top 3 auto maker
• #1 dedicated security company
• Leading energy suppliers
• Major health care providers
• Media & entertainment brands
Key Drivers for Guardium
• SOX (Health Care payers)
  – Prevent unauthorized changes to financial data
• Consumer privacy
  – Prevent unauthorized viewing of personal data, especially by privileged users (DBAs, developers, outsourcers)
  – New Massachusetts law requires monitoring controls to be in place for all Personally Identifiable Information (PII)
  – HITECH adds teeth to HIPAA regulations
• PCI
  – Track and monitor all access to cardholder data (Req. 10)
  – Protect stored cardholder data (Req. 3)
  – Identify unpatched systems & enforce change controls (Req. 6)
  – Compensating control for network segmentation (Req. 7) & column-level encryption (Req. 3)
• Cost savings
  – Streamline compliance with automated & centralized controls
  – < 6 months payback (typical)
Addressing the Full Database Security Lifecycle
(Figure: lifecycle phases Discover & Classify, Assess & Harden, Monitor & Enforce, and Audit & Report, arranged around the Critical Data Infrastructure)
Real-Time Database Security & Monitoring
(Figure: heterogeneous database servers such as SQL Server and DB2 monitored from outside the DBMS)
• Non-invasive architecture
• Outside database
• Minimal performance impact (2-3%)
• No DBMS or application changes
• Cross-DBMS solution
• 100% visibility including local DBA access
• Enforces separation of duties
• Does not rely on DBMS-resident logs that can easily be erased by attackers or rogue insiders
• Granular, real-time policies & auditing
• Who, what, when, how
• Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.)
Scalable Multi-Tier Architecture
Integration with LDAP/AD, IAM, change management, SIEM, archiving, …
Thank You!
IBM/Guardium vs. Oracle Database Security
(Comparison table: columns “Oracle Database Vault, Oracle Audit Vault” and “IBM/Guardium”; rows as listed below)
• Reduces DBA workload
• Real-time monitoring & alerting
• Enforces Separation of Duties (SoD)
• Minimal performance impact or changes
• Heterogeneous support
• Extrusion/data leakage monitoring
• Application monitoring (EBS, PeopleSoft, SAP, etc.)
Oracle is a registered trademark of Oracle Corporation and/or its affiliates.
Appendix
Blue Cross Blue Shield Case Study
• Who: BCBS organization with 475,000 members
• Need: Secure financial data for SOX; secure patient data for HIPAA; adhere to NIST
  – Monitor all access to critical databases, including access by privileged users
  – Create a centralized audit trail for all database systems
  – Produce detailed compliance reports for auditors
  – Implement proactive security via real-time alerts
• Environment:
  – Oracle, SQL Server 2003/2005, IBM DB2, Sybase
  – AIX & Windows
  – LDAP & Microsoft MOM
• Alternatives considered:
  – Native logging: Rejected due to performance overhead & need for centralized management
  – Application Security Inc (AppSec): Preferred Guardium’s appliance model
• Results:
  – Monitoring 130 database instances on 100 servers (3 week implementation)
  – Guardium helped client to interpret regulations and implement policies
  – Integrated with Tivoli Storage Manager (TSM) for archiving of audit data
Global Manufacturer with 239% ROI
• Who: F500 consumer food manufacturer ($15B revenue)
• Need: Secure SAP & Siebel data
  – Enforce change controls & implement consistent auditing across platforms
• Environment:
  – SAP, Siebel, Manugistics, IT2 + 21 other Key Financial Systems (KFS)
  – Oracle & IBM DB2 on AIX; SQL Server on Windows
• Results: 239% ROI & 5.9 months payback, plus:
  – Proactive security: Real-time alert when changes made to critical tables
  – Simplified compliance: Passed 4 audits (internal & external). “The ability to associate changes with a ticket number makes our job a lot easier … which is something the auditors ask about.” [Lead Security Analyst]
  – Strategic focus on data security: “There’s a new and sharper focus on database security within the IT organization. Security is more top-of-mind among IT operations people and other staff such as developers.”
Commissioned Forrester Consulting Case Study
Safeguarding Customer Information for Washington Metropolitan Area Transit Authority (Metro)
• Who: Operates 2nd largest U.S. rail transit system and transports more than a third of the federal government to work
• Need: Metro needed to safeguard sensitive customer data and simplify compliance with PCI-DSS, without impacting performance or changing database configurations
  – Protecting customer data
  – Passing audits more quickly and easily
  – Monitoring for potential fraud in PeopleSoft system
• Environment:
  – More than 9 million transactions per year (Level 1 merchant)
  – Complex, multi-tier heterogeneous environment
• Alternatives considered: Native logging and auditing impractical
• Customer Impact:
  – “Our customers trust us to transport them safely and safeguard their personal information.”
  – “We looked at native DBMS logging and auditing, but it’s impractical because of its high overhead, especially when you’re capturing every SELECT in a high-volume environment like ours. In addition, native auditing doesn’t enforce separation of duties or prevent unauthorized access by privileged insiders.”
How Does Guardium Complement Tivoli?
• Guardium is part of the “Data and Information” layer of the IBM Security Framework
• Integrates with Tivoli Security & Information Event Manager (TSIEM) for sharing of policy violation alerts & selected log information
• Use TSIEM for:
  – Collecting logs & events from wide range of systems (UNIX, Windows, z/OS, firewalls, etc.)
  – Enterprise-wide dashboard & reports; correlation
• Use Guardium for:
  – All database-related security & compliance functions: real-time monitoring & auditing (including privileged user monitoring), vulnerability assessment, data discovery, configuration auditing, compliance reporting & workflow automation
  – Feeding policy violations & audit logs to TSIEM
IBM Acquires Guardium (11/30/09)
• Joining IBM's Information Management business
• Why Guardium? Unique ability to:
  – Safeguard critical enterprise information
  – Reduce operational costs by automating compliance processes
  – Simplify governance with centralized policies for heterogeneous infrastructures
  – Continuously monitor access and changes to high-value databases
• Trusted information lies at the center of today’s business transformations
  – Guardium enables organizations to maintain trusted information infrastructures
  – Business analytics and trusted information drive smarter business outcomes
  – This supports IBM’s vision of creating a Smarter Planet: Smarter energy, smarter healthcare, smarter cities, smarter finance, smarter IT, and more
How Guardium Fits with IBM’s IM Portfolio: Governance
(Figure: IBM InfoSphere and Optim portfolio layers: Relating Information, Mastering Information, Integrating Information, Governing Information; Guardium shown in the Governing Information layer)
How Guardium Fits with IBM’s Security Portfolio
(Figure: IBM security portfolio by layer)
• Tivoli Identity Manager, Access Manager, zSecure, SIEM, …
• Guardium DB Monitoring, Optim TDM & DP, AME, SIEM, …
• Rational AppScan, Ounce Suite, WebSphere DataPower, …
• Server Protection, Network Intrusion Prevention System (IPS), …
PCI Compliance for McAfee.com
• Who: World’s largest dedicated security company
• Need: Safeguard millions of PCI transactions
  – Maintain strict SLAs with ISP customers (Comcast, COX, etc.)
  – Automate PCI controls
• Environment: Guardium deployed in less than 48 hours
  – Multiple data centers; clustered databases
  – Integrated with ArcSight SIEM
  – Expanding coverage to SAP systems for SOX
• Previous Solution: Central database audit repository with native DBMS logs
  – Massive data volumes; performance & reliability issues; SOD issues
• Results:
  – “McAfee needed a solution with continuous real-time visibility into all sensitive cardholder data – in order to quickly spot unauthorized activity and comply with PCI-DSS – but given our significant transaction volumes, performance and reliability considerations were crucial.”
  – “We were initially using a database auditing solution that collected information from native DBMS logs and stored it in an audit repository, but granular logging significantly impacted our database servers and the audit repository was simply unable to handle the massive transaction volume generated by our McAfee.com environment.”
Financial Services Firm with 1M+ Sessions/Day
• Who: Global NYSE-traded company with 75M customers
• Need: Enhance SOX compliance & data governance
  – Phase 1: Monitor all privileged user activities, especially DB changes.
  – Phase 2: Focus on data privacy.
• Environment: 4 data centers managed by IBM Global Services
  – 122 database instances on 100+ servers
  – Oracle, IBM DB2, Sybase, SQL Server on AIX, HP-UX, Solaris, Windows
  – PeopleSoft plus 75 in-house applications
• Alternatives considered: Native auditing
  – Not practical because of performance overhead; DB servers at 99% capacity
• Results: Now auditing 1M+ sessions per day (GRANTs, DDL, etc.)
  – Caught DBAs accessing databases with Excel & shared credentials
  – Producing daily automated reports for SOX with sign-off by oversight teams
  – Automated change control reconciliation using ticket IDs
  – Passed 2 external audits
Securing Customer Data for European Telco
• Who: Global telco with 70M mobile customers; €30B revenue.
• Need: Ensure privacy of call records for compliance with data privacy laws.
  – Phase 1: Safeguard OSS systems
  – Phase 2: Safeguard BSS systems
• Environment: 15 heterogeneous, geographically-distributed data centers
  – Oracle, SQL Server, Informix, Sybase
  – HP-UX, HP Tru64, Solaris, Windows, UNIX
  – SAP, Remedy plus in-house applications (billing, Web portal, etc.)
• Alternatives considered: Native auditing; Oracle Audit Vault.
  – Not practical because of performance overhead; lack of granularity; non-support for older versions; need for multi-DBMS support.
• Results:
  – Deployed to 12 initial data centers in only 2 weeks!
  – Now auditing all traffic in high-traffic environment; centrally managed.
  – Passed several external audits
  – Future plans: Implement application user monitoring; 2-factor authentication; expand scope to other applications.
Simplifying Enterprise Security for Dell
• Need:
  – Improve database security for SOX, PCI & SAS70
  – Simplify & automate compliance controls
• Guardium Deployment:
  – Phase 1: Deployed to 300 DB servers in 10 data centers (in 12 weeks)
  – Phase 2: Deployed to additional 725 database servers
• Environment:
  – Oracle & SQL Server on Windows, Linux; Oracle RAC, SQL Server clusters
  – Oracle EBS, JDE, Hyperion plus in-house applications
• Previous Solution: Native logging (MS) or auditing (Oracle) with in-house scripts
  – Supportability issues; DBA time required; massive data volumes; SOD issues.
• Results: Automated compliance reporting; real-time alerting; centralized cross-DBMS policies; closed-loop change control with Remedy integration
  – Guardium “successfully met Dell’s requirements without causing outages to any databases; produced a significant reduction in auditing overhead in databases.”
Published case study in Dell Power Solutions
Granular Policies with Detective & Preventive Controls
(Figure: policy view of traffic between Application Server 10.10.9.244 and Database Server 10.10.9.56)
Enforcing Change Control Policies
• Tag DBA actions with ticket IDs
• Compare observed changes to approved changes
• Identify unauthorized changes (red) or changes with invalid ticket IDs
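The three bullets above describe a reconciliation procedure; the script below is an added example of it and is not Guardium code. It assumes a tagging convention in which the DBA prefixes each change statement with a `/* ticket: <ID> */` comment, a constructed change register (what a ticketing export would supply) and constructed captured statements, and it classifies each statement as approved, unauthorized (no ticket), invalid-ticket (unknown ticket) or outside-ticket-scope (wrong object, operation or time window).

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

# Constructed register of approved changes keyed by ticket ID. In practice this
# would be exported from the change-management system; the field layout is an
# assumption made for this example.
APPROVED_CHANGES = {
    "CHG-1001": {
        "object": "FINANCE.GL_ENTRIES",
        "operations": {"ALTER"},
        "window": (datetime(2010, 9, 28, 1, 0), datetime(2010, 9, 28, 3, 0)),
    },
    "CHG-1002": {
        "object": "HR.EMPLOYEE_PAY",
        "operations": {"GRANT"},
        "window": (datetime(2010, 9, 28, 22, 0), datetime(2010, 9, 28, 23, 0)),
    },
}

# Assumed tagging convention: the DBA prefixes each change with /* ticket: <ID> */.
TICKET_TAG = re.compile(r"/\*\s*ticket:\s*([A-Z]+-\d+)\s*\*/", re.IGNORECASE)
LEADING_COMMENT = r"^\s*(?:/\*.*?\*/\s*)?"
DDL = re.compile(LEADING_COMMENT + r"(ALTER|DROP|CREATE|TRUNCATE)\s+TABLE\s+([\w.]+)",
                 re.IGNORECASE | re.DOTALL)
DCL = re.compile(LEADING_COMMENT + r"(GRANT|REVOKE)\s+.+?\s+ON\s+([\w.]+)",
                 re.IGNORECASE | re.DOTALL)


@dataclass
class ObservedChange:
    ts: datetime       # when the monitor captured the statement
    db_user: str       # database login that issued it
    sql: str           # statement text as seen on the wire


def parse_change(sql: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (operation, object, ticket) for a DDL/DCL statement, or None if it is not a change."""
    m = DDL.match(sql) or DCL.match(sql)
    if not m:
        return None
    tag = TICKET_TAG.search(sql)
    return m.group(1).upper(), m.group(2).upper(), (tag.group(1).upper() if tag else None)


def classify(change: ObservedChange, approved=APPROVED_CHANGES) -> str:
    """Map one observed statement to a reconciliation verdict."""
    parsed = parse_change(change.sql)
    if parsed is None:
        return "not-a-change"
    op, obj, ticket = parsed
    if ticket is None:
        return "unauthorized"           # no ticket reference at all (the slide's red rows)
    entry = approved.get(ticket)
    if entry is None:
        return "invalid-ticket"         # tagged, but the ticket is unknown to the register
    start, end = entry["window"]
    if obj != entry["object"] or op not in entry["operations"] or not (start <= change.ts <= end):
        return "outside-ticket-scope"   # real ticket, but wrong object, operation or time window
    return "approved"


def reconcile(observed, approved=APPROVED_CHANGES):
    """Return [(change, verdict)] for every observed statement."""
    return [(c, classify(c, approved)) for c in observed]


# Constructed sample of captured statements.
SAMPLE = [
    ObservedChange(datetime(2010, 9, 28, 1, 30), "dba_alice",
                   "/* ticket: CHG-1001 */ ALTER TABLE finance.gl_entries ADD audited_by VARCHAR(32)"),
    ObservedChange(datetime(2010, 9, 28, 1, 35), "dba_alice",
                   "/* ticket: CHG-1001 */ DROP TABLE finance.gl_entries_bak"),
    ObservedChange(datetime(2010, 9, 28, 14, 0), "dba_bob",
                   "/* ticket: CHG-9999 */ GRANT SELECT ON hr.employee_pay TO reporting"),
    ObservedChange(datetime(2010, 9, 28, 14, 5), "dba_bob",
                   "GRANT SELECT ON hr.employee_pay TO bob_personal"),
    ObservedChange(datetime(2010, 9, 28, 14, 6), "app_svc",
                   "SELECT * FROM hr.employee_pay WHERE emp_id = 42"),
]

if __name__ == "__main__":
    for change, verdict in reconcile(SAMPLE):
        print(f"{change.ts:%H:%M} {change.db_user:10} {verdict:22} {change.sql}")
```

The verdicts matter individually: an untagged change and a change carrying a made-up ticket both need follow-up, but the second also tells you the tagging control itself is being gamed, which is why the two are kept distinct rather than collapsed into one "unauthorized" bucket.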
Auditing Database Configuration Changes
• Tracks changes to files, environment variables, registry settings, scripts, etc. that can affect security posture
• 200+ pre-configured, customizable templates for all major OS/DBMS configurations
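The first bullet is a baseline-and-diff problem. The script below is an added example of that technique, not Guardium code or one of its templates: it snapshots the SHA-256 and mode bits of selected files plus the values of selected environment variables, then reports every item that drifted. The file names (an Oracle-style `sqlnet.ora`, a listener start script) and the `DEMO_*` environment variables are constructed for the demonstration and are written into a temporary directory so the script runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(paths, env_keys):
    """Baseline of security-relevant configuration: SHA-256 and mode bits of each
    file (None when the file is missing) plus the values of selected environment variables."""
    state = {}
    for p in map(Path, paths):
        if p.exists():
            state[f"file:{p}"] = {
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
                "mode": oct(p.stat().st_mode & 0o777),
            }
        else:
            state[f"file:{p}"] = None
    for key in env_keys:
        state[f"env:{key}"] = os.environ.get(key)
    return state


def diff(baseline, current):
    """Return [(key, before, after)] for every item that differs from the baseline."""
    return [
        (key, baseline.get(key), current.get(key))
        for key in sorted(set(baseline) | set(current))
        if baseline.get(key) != current.get(key)
    ]


def demo():
    """Constructed scenario: baseline a network config file, a listener start script and
    two environment variables, then introduce drift and report it."""
    with tempfile.TemporaryDirectory() as d:
        net = Path(d, "sqlnet.ora")
        net.write_text("SQLNET.ENCRYPTION_SERVER = required\n")
        script = Path(d, "start_listener.sh")
        script.write_text("#!/bin/sh\nlsnrctl start\n")
        script.chmod(0o700)
        os.environ["DEMO_ORACLE_HOME"] = "/opt/oracle/product/11.2"
        os.environ.pop("DEMO_TNS_ADMIN", None)
        paths, keys = [net, script], ["DEMO_ORACLE_HOME", "DEMO_TNS_ADMIN"]
        baseline = snapshot(paths, keys)

        # Drift: encryption requirement relaxed, start script edited and made
        # world-writable, and a network-config override variable appears.
        net.write_text("SQLNET.ENCRYPTION_SERVER = accepted\n")
        script.write_text("#!/bin/sh\nexport TNS_ADMIN=/tmp/tns\nlsnrctl start\n")
        script.chmod(0o777)
        os.environ["DEMO_TNS_ADMIN"] = "/tmp/tns"
        try:
            return diff(baseline, snapshot(paths, keys))
        finally:
            for key in keys:
                os.environ.pop(key, None)


if __name__ == "__main__":
    for key, before, after in demo():
        print(f"{key}: {before} -> {after}")
```

Hashing content and recording mode bits separately is deliberate: a script whose bytes are unchanged but which became world-writable is a posture change on its own, and the diff reports it even when the hash is identical.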
Cross-DBMS, Data-Level Access Control (S-GATE)
(Figure: privileged users and an outsourced DBA issue SQL; S-GATE holds the SQL while the policy is checked on the appliance; on a policy violation the connection is dropped and the session terminated; SQL from application servers passes through to Oracle, DB2, MySQL, Sybase, etc.)
• Cross-DBMS policies
• Block privileged user actions
• No database changes
• No application changes
• Without risk of inline appliances that can interfere with application traffic
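The figure's flow (hold the statement, check policy on the appliance, release it or drop the connection) can be made concrete in a few dozen lines. The script below is an added example of that gating logic and is not S-GATE or any Guardium code; the policy (which tables are sensitive, which logins are privileged), the login names and the client address `10.10.9.80` are constructed, while `10.10.9.244` is the application server address from the earlier slide. Once a session trips a rule it stays terminated, so later statements never reach the database.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed policy: which objects are sensitive and which logins count as privileged.
SENSITIVE_TABLES = {"CARD.PAN_DATA", "HR.EMPLOYEE_PAY"}
PRIVILEGED_USERS = {"outsourced_dba", "dba_alice"}
DATA_VERBS = {"SELECT", "INSERT", "UPDATE", "DELETE"}

VERB = re.compile(r"^\s*(\w+)")
OBJECT = re.compile(r"\b(?:FROM|INTO|TABLE|ON|UPDATE)\s+([\w.]+)", re.IGNORECASE)


@dataclass
class Session:
    user: str
    client_ip: str
    terminated: bool = False
    log: List[Tuple[str, str, str]] = field(default_factory=list)   # (sql, action, reason)


def parse(sql: str) -> Tuple[str, Optional[str]]:
    """Extract the statement verb and the first referenced object (sufficient for the sample)."""
    verb = VERB.match(sql).group(1).upper()
    m = OBJECT.search(sql)
    return verb, (m.group(1).upper() if m else None)


def check_policy(session: Session, verb: str, obj: Optional[str]) -> Tuple[str, str]:
    """Decide 'allow' or 'terminate'. Privileged logins may maintain schemas but may not
    read or modify rows in sensitive tables; nobody may drop or truncate them."""
    if obj in SENSITIVE_TABLES:
        if verb in {"DROP", "TRUNCATE"}:
            return "terminate", f"{verb} on sensitive object {obj}"
        if session.user in PRIVILEGED_USERS and verb in DATA_VERBS:
            return "terminate", f"privileged login {session.user} touched data in {obj}"
    return "allow", "no rule matched"


def gate(session: Session, sql: str) -> str:
    """Hold one statement, evaluate policy, then release it or drop the session.
    Returns 'released', 'terminated' (this statement tripped a rule) or 'rejected'
    (session already terminated, so nothing reaches the database)."""
    if session.terminated:
        return "rejected"
    verb, obj = parse(sql)
    action, reason = check_policy(session, verb, obj)
    session.log.append((sql, action, reason))
    if action == "terminate":
        session.terminated = True
        return "terminated"
    return "released"


def run_session(user: str, client_ip: str, statements) -> List[str]:
    """Feed a constructed sequence of statements through the gate and return the outcomes."""
    s = Session(user, client_ip)
    return [gate(s, sql) for sql in statements]


if __name__ == "__main__":
    dba = ["ALTER TABLE card.pan_data ADD retention_days INT",          # schema work: released
           "SELECT pan, expiry FROM card.pan_data WHERE cust_id = 7",   # data read: terminated
           "SELECT 1"]                                                  # never reaches the DB
    app = ["SELECT pan FROM card.pan_data WHERE cust_id = 7"]           # application path: released
    print(run_session("outsourced_dba", "10.10.9.80", dba))
    print(run_session("app_svc", "10.10.9.244", app))
```

The decision is keyed on the login and the object, not on the client address, so the same rule blocks a privileged read whether it arrives from a desktop SQL tool or a script; the session log keeps the reason string, which is what the later audit and sign-off workflow would need to show.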
Discovering & Classifying Sensitive Data
(Figure: Discover databases → Discover sensitive data → Policy-based actions: alerts, add to group of sensitive objects)
Identifying Fraud at the Application Layer
• Issue: Application server uses generic service account to access DB
  – Doesn’t identify who initiated transaction (connection pooling)
• Solution: Guardium tracks access to application user associated with specific SQL commands
  – Out-of-the-box support for all major enterprise applications (Oracle EBS, PeopleSoft, SAP, Siebel, Business Objects, Cognos…) and custom applications (WebSphere …)
  – No changes required to applications
  – Deterministic tracking of user IDs; does not rely on time-based “best-guess”
(Figure: end users Joe and Marc reach the Database Server through the Application Server’s generic user)
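To make the pooling problem and the value of deterministic attribution concrete, here is an added example; it is not Guardium code and does not use Guardium's mechanism (which the slide does not describe). Instead it assumes one convention the application tier could follow: prepend an `/* app_user=<name> */` tag to every statement, so a monitor that only sees the generic login and the statement text can still attribute each statement to Joe or Marc without guessing by timing. The pool, the `accounts` table, the users and the fraud rule are all constructed, and SQLite in memory stands in for the database server.

```python
import re
import sqlite3
from collections import deque
from typing import Dict, List

DB_ACCOUNT = "app_svc"   # the generic service account every pooled connection logs in with
APP_USER_TAG = re.compile(r"/\*\s*app_user=([\w.@-]+)\s*\*/")


class MonitoredConnection:
    """Stands in for one pooled database connection as seen by an out-of-band monitor:
    all it can record is the database login and the statement text with its parameters."""

    def __init__(self, conn: sqlite3.Connection, audit: List[Dict]):
        self.conn, self.audit = conn, audit

    def execute(self, sql: str, params=()):
        self.audit.append({"db_user": DB_ACCOUNT, "sql": sql, "params": tuple(params)})
        return self.conn.execute(sql, params).fetchall()


class Pool:
    """Minimal connection pool; every wrapper shares one in-memory SQLite database."""

    def __init__(self, size: int, audit: List[Dict]):
        db = sqlite3.connect(":memory:")
        db.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)")
        db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                       [(1, "joe", 100), (2, "marc", 250), (3, "eve", 900)])
        self.free = deque(MonitoredConnection(db, audit) for _ in range(size))

    def acquire(self) -> MonitoredConnection:
        return self.free.popleft()

    def release(self, c: MonitoredConnection) -> None:
        self.free.append(c)


def handle_request(pool: Pool, app_user: str, sql: str, params=()):
    """Application tier: prepend the authenticated end user to each statement so the
    monitor can attribute it deterministically (assumed convention for this example)."""
    conn = pool.acquire()
    try:
        return conn.execute(f"/* app_user={app_user} */ {sql}", params)
    finally:
        pool.release(conn)


def attribute(audit: List[Dict]) -> List[Dict]:
    """Monitor side: recover the end user from the tag; db_user alone is always app_svc."""
    out = []
    for rec in audit:
        m = APP_USER_TAG.search(rec["sql"])
        out.append({**rec, "app_user": m.group(1) if m else None,
                    "sql": APP_USER_TAG.sub("", rec["sql"]).strip()})
    return out


def cross_account_reads(audit: List[Dict]) -> List[str]:
    """Constructed fraud rule: an end user reading account rows owned by someone else."""
    hits = []
    for rec in attribute(audit):
        if rec["sql"].upper().startswith("SELECT") and "OWNER = ?" in rec["sql"].upper():
            owner = rec["params"][0]
            if rec["app_user"] and owner != rec["app_user"]:
                hits.append(f"{rec['app_user']} read account data of {owner} via {rec['db_user']}")
    return hits


def demo() -> List[str]:
    """Interleave requests from two end users over a two-connection pool."""
    audit: List[Dict] = []
    pool = Pool(2, audit)
    handle_request(pool, "joe", "SELECT balance FROM accounts WHERE owner = ?", ("joe",))
    handle_request(pool, "marc", "SELECT balance FROM accounts WHERE owner = ?", ("marc",))
    handle_request(pool, "marc", "SELECT balance FROM accounts WHERE owner = ?", ("eve",))
    handle_request(pool, "joe", "UPDATE accounts SET balance = balance - 10 WHERE owner = ?", ("joe",))
    assert {r["db_user"] for r in audit} == {DB_ACCOUNT}   # the DB login never identifies the person
    return cross_account_reads(audit)


if __name__ == "__main__":
    print(demo())
```

Every record in `audit` carries the same `db_user`, which is exactly the slide's problem: without the tag there is nothing to tie Marc's third request to Marc rather than to Joe, whose request on the other pooled connection overlapped it in time. The tag is what lets a per-user rule such as `cross_account_reads` fire on the right person.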
Automated Sign-offs & Escalations for Compliance
• Automates entire compliance workflow
• Report distribution to oversight team
• Electronic sign-offs
• Escalations
• Comments & exception handling
• Addresses auditors’ requirements to document oversight processes
• Results of audit process stored with audit data in secure audit repository
• Streamlines and simplifies compliance processes
Database Servers = Majority of Compromised Records
Source: 2009 Data Breach Report from Verizon Business RISK Team, http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
SQL injection played a role in 79% of records compromised during 2009 breaches