© 2015 IBM Corporation
Avoiding the Data Compliance “Hot Seat”
Christina Thompson - Portfolio Marketing Manager, Guardium
Vikalp Paliwal - Product Manager, Guardium
Steve Tallant - Senior Product Manager, Guardium
IBM Security Webinar
Data is challenging to secure
• DYNAMIC: Data multiplies continuously and moves quickly
• DISTRIBUTED: Data is everywhere, across applications and infrastructure
• IN DEMAND: Users need to constantly access and share data to do their jobs
Guardium uses intelligence and automation to safeguard data
• ANALYZE: Automatically discover critical data and uncover risk
• PROTECT: Complete protection for sensitive data, including compliance automation
• ADAPT: Seamlessly handle changes within your IT environment
IBM CONFIDENTIAL: NDA until August 25, 2015
Managing compliance for sensitive data is stressful
Activities involved: Monitoring, Auditing, Classification, Discovery, Assessment, File Analysis, Configuration, Entitlement, Compliance
Mandates and benchmarks: PCI-DSS, SOX, HIPAA, CIS, CVE, STIG, NIST
Guardium makes the compliance burden manageable, less painful, and less costly through:
• Automation for change management
• Pre-packaged knowledge
• Integration
• Performance and scalability
• Centralization
Before getting started, consider these data security best practices
Data at rest and configuration:
• Discover – Where is the sensitive data? (Discovery, Classification)
• Harden – How to secure the repository? Who should have access? (Vulnerability Assessment, Configuration, Entitlements Reporting)
Data in motion:
• Monitor – What is actually happening? (Activity Monitoring)
• Protect – How to prevent unauthorized activities? How to protect sensitive data to reduce risk? (Blocking, Dynamic Data Masking, Encryption)
Managing vulnerabilities in data repositories is the first step to compliance
Common vulnerabilities:
• Default username and password
• Excessive privilege
• Default settings and misconfigurations
• Un-patched databases
• Non-supported product versions
• Unknown sensitive data
Implications:
• Non-compliance
• Audit failure
• Insider theft
• Data breach
IBM Security Guardium Vulnerability Assessment: Analyze risk, automate compliance and harden your data environment
Sensitive Data Discovery
• Identifies sensitive data (credit cards, transactions or PII)
• Reporting on sensitive objects
• Discover database instances
• Entitlement reporting
Comprehensive testing and reporting
• Using industry best practices and primary research
• 2000+ predefined tests to uncover database and OS vulnerabilities
• Recommendations for remediation
• Vulnerability Assessment scorecard
• Configuration audit system (CAS) monitors configuration changes
• View graphical representation of trends
• Includes quarterly DPS updates
Collaborate to protect
• Compliance workflow
• Exception management
• Export to other security tools
Extensible design
• Enables custom designed defined tests
• Tuning existing tests to match needs
• Report builder for custom reports
Key best practices to consider when assessing vulnerabilities
• Identify gaps: Using privilege, configuration, patch, password policy, and OS-level file permission tests
• Enforce best practices: Such as DoD STIG, CIS, CVE
• Create a baseline: With custom or out-of-the-box tests for your organization, industry or application
• Be analytical: And apply advanced forensics & analytics to understand sensitive data risk and exposure
• Perform: Using a solution that has zero impact on performance
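The five test categories above (privilege, configuration, patch, password policy, OS-level file permissions) and the scorecard with remediation advice, as an added illustration that is not part of the deck and not Guardium's test library; the snapshot, account names, supported-version floor and remediation strings are all constructed:

```python
# Added illustration of the five test categories; constructed snapshot, not Guardium's test library.
SNAPSHOT = {
    "version": "11.2.0.4",
    "supported_min": "11.2.0.4",                 # assumed vendor-supported floor
    "accounts": [
        {"user": "scott",  "default_password": True,  "privs": {"CONNECT"}},
        {"user": "report", "default_password": False, "privs": {"SELECT ANY TABLE", "DBA"}},
    ],
    "password_policy": {"max_age_days": 90, "min_length": 12},
    "datafiles": [("-rw-r--r--", "/data/users01.dbf"), ("-rw-------", "/data/system01.dbf")],
}

def version_tuple(v):
    return tuple(int(x) for x in v.split("."))

def check_patch_level(s):
    ok = version_tuple(s["version"]) >= version_tuple(s["supported_min"])
    return ok, "apply the current patch set or move to a supported version"

def check_default_passwords(s):
    bad = [a["user"] for a in s["accounts"] if a["default_password"]]
    return not bad, "change or lock default accounts: " + ", ".join(bad)

def check_excessive_privilege(s):
    broad = {"DBA", "SELECT ANY TABLE", "SUPER"}   # assumed list of broad privileges
    bad = [a["user"] for a in s["accounts"] if a["privs"] & broad]
    return not bad, "revoke broad privileges from: " + ", ".join(bad)

def check_password_policy(s):
    p = s["password_policy"]
    return p["max_age_days"] > 0 and p["min_length"] >= 8, "enforce expiry and a minimum length of 8"

def check_file_permissions(s):
    # mode string: positions 4-6 are group bits, 7-9 are other; any read bit there exposes the datafile
    bad = [path for mode, path in s["datafiles"] if "r" in (mode[4], mode[7])]
    return not bad, "restrict datafiles to the database owner: " + ", ".join(bad)

CHECKS = [check_patch_level, check_default_passwords, check_excessive_privilege,
          check_password_policy, check_file_permissions]

def scorecard(s):
    """Percentage of checks passed plus the remediation text for each failure."""
    results = [(c.__name__, *c(s)) for c in CHECKS]
    passed = sum(1 for _, ok, _ in results if ok)
    findings = [(name, msg) for name, ok, msg in results if not ok]
    return round(100 * passed / len(CHECKS)), findings
```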
IBM Security Guardium Vulnerability Assessment Use Cases
Protect sensitive and critical data without impacting your business
• Risk reduction: Identify risk and harden the data assets using remediation. Identify and protect critical data source configurations and access privileges, identify missing patches, check latest versions and follow remediation best practices.
• Compliance concerns: Manage compliance and policy mandate baselines. Manage the compliance baseline from STIG, CIS, CVE, PCI, HIPAA.
• Reduce compliance cost: Manage risk and security and reduce compliance costs. Secure known database vulnerabilities and manage compliance at lower cost using automation.
• Ease of management: Discover sensitive data, identify dormant entitlements, assess and manage vulnerabilities. Get a full picture of ownership and access for your data; gain visibility into all entitlements and assess risk and open vulnerabilities.
IBM Security Guardium value
Protect all data against unauthorized access and enable organizations to comply with government regulations and industry standards
1. Prevent data breaches: Prevent disclosure or leakage of sensitive data
2. Ensure data privacy: Prevent unauthorized changes to data
3. Reduce the cost of compliance: Automate and centralize controls across diverse regulations and heterogeneous environments
4. Identify risk: Discover sensitive information, identify dormant data, assess configuration gaps and vulnerabilities
Coverage: on premise and on cloud; data at rest and data in motion; data repositories, sensitive documents and OS files
The Compliance Mandate – What do you need to monitor?
Audit requirements compared: PCI DSS; COBIT (SOX); ISO 27002; Data Privacy & Protection Laws; NIST SP 800-53 (FISMA)
1. Access to sensitive data (successful/failed SELECTs) – check marks under 4 of the 5 mandates
2. Schema changes (DDL) (create/drop/alter tables, etc.) – check marks under all 5
3. Data changes (DML) (insert, update, delete) – check marks under 2 of the 5
4. Security exceptions (failed logins, SQL errors, etc.) – check marks under all 5
5. Accounts, roles & permissions (DCL) (GRANT, REVOKE) – check marks under all 5
DDL = Data Definition Language (aka schema changes); DML = Data Manipulation Language (data value changes); DCL = Data Control Language
Recommendations
1. Understand where your crown jewels are located and calculate the risk
2. Look for suspicious activity with database activity monitoring (DAM)
– Hackers are inside networks long before organizations understand what's going on with their data: greater than 200 days!! (2015 Ponemon Study)
3. Have a plan for when data is exfiltrated
4. Encryption covers a multitude of sins
3 Security Controls Required For "Crown Jewels" (Risk by type of user)
1. Application security controls: Separation of duties for privileged application user and application user access
2. Database security controls: Continuously monitor direct access to the database, which bypasses the application controls
3. System administrator security controls: Operating system controls to monitor file access, copy, and modification
Database Controls Can Cover 3 Types of Rules
The diagram shows the SQL query going from the client to the database server, the result set coming back, and exceptions (i.e. SQL errors and more) returned by the server.
There are three types of rules:
1. An access rule applies to client requests (the SQL query)
2. An extrusion rule evaluates data returned by the server (the result set)
3. An exception rule evaluates exceptions returned by the server (SQL errors, failed logins and more)
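The three rule types, together with the monitoring categories from the compliance mandate slide (sensitive SELECTs, DDL, DML, DCL, security exceptions), as an added example that is not part of the deck and does not use Guardium's policy syntax; the events, the sensitive table names, the `app_svc` account and the failure threshold are constructed:

```python
import re

# Added illustration of the three rule types; constructed events, not Guardium policy syntax.
DDL = re.compile(r"^\s*(CREATE|DROP|ALTER|TRUNCATE)\b", re.I)
DML = re.compile(r"^\s*(INSERT|UPDATE|DELETE|MERGE)\b", re.I)
DCL = re.compile(r"^\s*(GRANT|REVOKE)\b", re.I)
SELECT = re.compile(r"^\s*SELECT\b", re.I)
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")          # unmasked US SSN pattern
SENSITIVE_TABLES = {"customers", "cardholders"}     # assumed output of classification

def classify(sql):
    """Map a statement to the monitoring categories on the compliance slide."""
    if DDL.match(sql):
        return "DDL"
    if DML.match(sql):
        return "DML"
    if DCL.match(sql):
        return "DCL"
    if SELECT.match(sql):
        tables = {t.lower() for t in re.findall(r"\bFROM\s+(\w+)", sql, re.I)}
        return "SENSITIVE_SELECT" if tables & SENSITIVE_TABLES else "SELECT"
    return "OTHER"

def access_rule(event):
    """Access rule (client request): alert on schema/permission changes and on
    sensitive reads by anything other than the assumed application account."""
    category = classify(event["sql"])
    if category in ("DDL", "DCL"):
        return ("ALERT", category)
    if category == "SENSITIVE_SELECT" and event["user"] != "app_svc":
        return ("ALERT", category)
    return ("LOG", category)

def extrusion_rule(rows):
    """Extrusion rule (server response): count rows carrying an unmasked SSN."""
    return sum(1 for row in rows if any(SSN.search(str(v)) for v in row.values()))

def exception_rule(events, threshold=3):
    """Exception rule (server errors): users at or above the failure threshold."""
    counts = {}
    for e in events:
        if e.get("error") in ("LOGIN_FAILED", "SQL_ERROR"):
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```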
Protect Databases: What is Fine Grain Access Control?
• Dynamic masking and fine grained access control for databases (DB2, MSSQL, Oracle) – NEW!
• Row-level masking (only dept #20)
• Column-level masking (only dept#)
Guardium for Fine Grained Access Control Use Cases
Protect sensitive and critical data without impacting your business.
• Outsourcing production DB access: Need to open up the production DB without affecting DB access controls or compromising private information.
• Protect PII from privileged users (insiders like employees, contractors, business partners, administrators…): Need to enforce access to PII to comply with PCI, HIPAA. Keep track of who requested masked data.
• Real time application testing (non-production): Need to transform data (anonymization) without affecting application logic, while protecting original data privacy.
• Create a honey pot to track attackers: Provide fictitious data to possible attackers to allow time for investigation.
Application Dynamic Data Masking Sample Use Case: Call Center Outsourcing
The data center holds the full record: Name John Smith, SSN 111-11-1111, Balance $127.50.
Guardium Application Dynamic Data Masking sits between the outsourced call center and the data center, so the call center sees Name John Smith, SSN ***-**-1111, Balance $127.50.
When the call center updates the balance to $115.50, the updated balance is written back; the call center still sees SSN ***-**-1111 and never the full value.
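Row-level and column-level masking from the fine grained access control slide, and the write-back path from the call center use case, as an added example that is not part of the deck and not Guardium's masking engine; the roles, the policy table and the customer records are constructed:

```python
# Added example of row- and column-level masking; constructed data, not Guardium's engine.

def mask_ssn(ssn):
    """Column-level masking as on the slide: keep only the last four digits."""
    return "***-**-" + ssn[-4:]

# Hypothetical role policy: which rows a role may see and how columns are masked.
POLICY = {
    "call_center":  {"rows": lambda r: True,            "mask": {"ssn": mask_ssn}},
    "dept20_clerk": {"rows": lambda r: r["dept"] == 20, "mask": {"ssn": mask_ssn}},
    "dba":          {"rows": lambda r: True,            "mask": {}},
}

def query(role, table, audit):
    """Return the result set as the role may see it; record who got masked data."""
    policy = POLICY[role]
    result = []
    for row in table:
        if not policy["rows"](row):
            continue                        # row-level masking: row is withheld
        view = dict(row)                    # never mutate the stored record
        for column, fn in policy["mask"].items():
            view[column] = fn(view[column])
            audit.append((role, row["id"], column))
        result.append(view)
    return result

def update_balance(role, table, cust_id, new_balance, audit):
    """Write-back path from the call center use case: only the balance changes,
    the masked SSN is never written back, and only visible rows may be updated."""
    visible = {r["id"] for r in query(role, table, audit)}
    if cust_id not in visible:
        raise PermissionError("row not visible to role %s" % role)
    for row in table:
        if row["id"] == cust_id:
            row["balance"] = new_balance
            return row
    raise KeyError(cust_id)

# Constructed customer records as the data center stores them (unmasked).
CUSTOMERS = [
    {"id": 1, "name": "John Smith", "ssn": "111-11-1111", "dept": 20, "balance": 127.50},
    {"id": 2, "name": "Ann Lee", "ssn": "222-22-2222", "dept": 30, "balance": 40.00},
]
```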
ANALYZE. PROTECT. ADAPT.
• Discovery, classification, vulnerability assessment, entitlement reporting
• Encryption, masking, and redaction
• Data and file activity monitoring
• Dynamic blocking and masking, alerts, and quarantine
• Compliance automation and auditing
All built on analytics.
Guardium supports the whole data protection journey
• Acute compliance need: Database monitoring focused on changed data, automated reporting
• Sensitive data discovery: Perform vulnerability assessment, discovery and classification
• Address data privacy: Find and address PII, determine who is reading data, leverage masking
• Expand platform coverage: Big data platforms, file systems or other platforms also require monitoring, blocking, reporting
• Comprehensive data protection: Dynamic blocking, alerting, quarantine, encryption and integration with security intelligence
133 countries where IBM delivers managed security services
20 industry analyst reports rank IBM Security as a LEADER
TOP 3 enterprise security software vendor in total revenue
10K clients protected including…
24 of the top 33 banks in Japan, North America, and Australia
Learn more about IBM Security
Visit our website ibm.com/guardium
Watch our videos https://ibm.biz/youtubeguardium
Read new blog posts SecurityIntelligence.com
Follow us on Twitter @ibmsecurity
Legal notices and disclaimers
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM's products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at "Copyright and trademark information" www.ibm.com/legal/copytrade.shtml
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer's responsibility to ensure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU www.ibm.com/security