IBM Software Bridging the data security gap

Transcription

1 IBM Software Bridging the data gap Unified data protection for four key data environments

2 2 Bridging Comprehensive the data data protection gap for physical, virtual and cloud infrastructures Introduction Diversity of data Understand where sensitive and business-critical data resides Big data Turn big data environments into secure platforms for growth Cloud and virtual environment data Prevent data leakage from private and cloud infrastructures Enterprise data Protect heterogeneous data sources Enterprise application Secure multitier enterprise applications Why IBM InfoSphere Deploy nextgeneration activity monitoring and audit protection solutions

3 3 Bridging the data gap Introduction Data presents a multidimensional challenge in today s complex IT environment. Multiple access paths and permission levels have resulted in a broad array of threats and vulnerabilities. Traditional fortress approaches such as firewalls and IDS/ IPS systems are no longer sufficient to defend against attackers who can easily bypass perimeter defenses. These measures can t differentiate or prevent unauthorized traffic that appears to be legitimate. Organizations need to adopt a more proactive and systematic approach to securing sensitive data and addressing compliance requirements amid the digital information explosion. This approach must span across complex, geographically dispersed systems. Sensitive data is found in commercial databases, such as Oracle, Microsoft SQL Server, IBM DB2 and Sybase, in warehouses like Teradata and IBM PureData /Netezza, and also in big data environments including Hadoop, IBM BigInsights and Cloudera platforms. Senior-level IT executives, corporate governance officers and business leaders are all focused on establishing a data strategy with the appropriate policies and controls to diligently safeguard enterprise data, meet compliance requirements and support a sustainable governance program. Compliance starts with having the information that auditors require at your fingertips and ensuring the process is in place to make it repeatable. Many privacy regulations including HIPAA, PCI-DSS, Sarbanes-Oxley (SOX), and EU Protection Directive require organizations to demonstrate data and privacy protection with standardized processes, automated controls and regular reports. Most organizations currently employ some form of manual data such as turning on native logging, writing custom scripts to extract and transform data, implementing policies on physical devices, or ignoring concerns all together. These traditional methods are considered to be labor intensive, error prone, risky and costly. Other disadvantages include high performance overhead, as well as insufficient separation of duties (DBAs can easily tamper with the contents of database logs, thereby affecting non-repudiation). 1. Introduction 2. Diversity of data 3. Big data 4. Cloud and virtual environment data 5. Enterprise data 6. Enterprise application

4 4 Bridging the data gap Siloed implementations by data source are also extremely risky. Organizations that lack the proper controls for their data infrastructures or analytics platforms increase their risk of a negative event, and could potentially suffer devastating effects such as losing customers, market share, brand equity or revenue. According to the IBM X-Force 2012 Mid Year Trend and Risk Report, a more holistic approach to the entire ecosystem is required. Users should become more aware of how visible their personal data is online, more aware of who has access to it, and more aware of how it can be used against them. This affects not only their social networking, but also their choices of mobile application selection and usage. As an increasing trend, mobile applications are requiring a significant amount of permissions that dilute the ability of users to discern potentially malicious intent. Fortunately, next-generation data activity monitoring and audit protection solutions are available today to provide granular, DBMSindependent auditing with minimal impact on performance, while reducing operational costs. Security breaches, compliance issues, and threats can occur in all environments. Poorly controlled and monitored user access privileges, coupled with a lack of visibility into the misuse or abuse of user privileges and a lack of data controls will cause an organization to quickly find itself faced with increased risks, whether the environment is big data, enterprise, virtual or cloud. The key to protecting data is to understand and implement an effective data and privacy solution for all environments. 1. Introduction 2. Diversity of data 3. Big data 4. Cloud and virtual environment data 5. Enterprise data 6. Enterprise application 7. Why IBM InfoSphere

5 5 Bridging the data gap Diversity of data Since data is a critical component of daily business operations, it is essential to ensure privacy and protect data no matter where it resides. Different types of information have different protection and privacy requirements. When developing a data and privacy strategy, it is important to consider all data types across the enterprise. Structured data: This data is based on a data model and is available in structured formats like databases or XML. Unstructured data: This data is in forms or documents which may be handwritten or typed, such as word processing documents, messages, pictures, digital audio and video. Online data: This is data used daily to support the business, including metadata, configuration data or log files. Offline data: This is data in backup tapes or on storage devices. Not all data has to be protected in the same manner, some may be considered low risk and not worth the time and effort required to secure it. Also, high-value data such as design specifications or intellectual property may not require protection under legal mandates, but organizations will most certainly want to protect it with stringent controls. Organizations should consider an automated process to ensure data integrity by identifying data relationships and defining business objects, since this can take months of manual analysis with no assurance of completeness or accuracy. 1. Introduction 2. Diversity of data 3. Big data 4. Cloud and virtual environment data 5. Enterprise data 6. Enterprise application 7. Why IBM InfoSphere

6 6 Bridging the data gap Data and compliance requirements across the entire enterprise Sensitive data discovery and classification Data access and change controls Real-time data activity monitoring and auditing Data protection Data loss prevention Vulnerability management Compliance management Discover and understand sensitive data and relationships before the data is moved, so that the right policies can be established downstream. Establish policies regarding which users and applications can access or change data. Understand the who, what, when, how and where of data access, and report on it for compliance purposes. Transform data through masking or encryption. Establish an audit trail for data access and usage to ensure data is not lost. Understand weaknesses and put policies in place to remediate. Build a compliance reporting framework to manage report generation, distribution and signoff. Given the certainty that data will continue to grow and the data structures become more complex, a unified and integrated approach will minimize risks, vulnerabilities and exposures. 1. Introduction 2. Diversity of data 3. Big data 4. Cloud and virtual environment data 5. Enterprise data 6. Enterprise application

7 7 Bridging the data gap Big data As big data environments ingest more data, organizations will face significant risks and threats to the repositories containing this data. Failure to balance data and quality reduces confidence in decision making. In fact, research shows that business leaders who feel uncertain about analytical outputs will find reasons to reject them unless they develop high levels of trust in the data and know the data is secure. A paradox exists where organizations are able to process more information than at any other point in history, yet they are unable to understand what data exists and how to protect it from both internal and external attacks. Big data projects harness data flowing through organizations at lightning speed in new formats such as social networks, unstructured data repositories, web feeds, sensors, RFID tags, smartphones, videos and GPS data, to name a few. The risk of unauthorized access, data breaches and cyber attacks to big data environments can t be ignored. Big data environments are difficult to protect, and present unique challenges: Schema-less distributed environments, where data from multiple sources can be joined and aggregated in arbitrary ways, makes it challenging to establish access controls. The nature of big data comprised of large-scale data sets high volume, variety and velocity makes it difficult to ensure data integrity. Aggregation of data from across the enterprise means sensitive data is in a repository. Big data repositories present another data source to secure, and most existing data and compliance approaches will not scale. 1. Introduction 2. Diversity of data 3. Big data 4. Cloud and virtual environment data 5. Enterprise data 6. Enterprise application

8 8 Bridging the data gap According to the IBM X-Force 2012 Mid Year Trend and Risk Report, a more holistic approach to the entire ecosystem is required. Users should become more aware of how visible their personal data is online, more aware of who has access to it, and more aware of how it can be used against them. This affects not only their social networking, but also their choices of mobile application selection and usage. As an increasing trend, mobile applications are requiring a significant amount of permissions that dilute the ability of users to discern potentially malicious intent. Security for big data systems is not optional; it s imperative. Big data environments allow organizations to aggregate more and more data; however, there are limited built-in controls, and chances are you may not realize a breach has occurred until serious damage has already been done. Your data strategy must include big data to help: Improve decision-making based on prioritized, actionable insight derived from monitoring big data environments, like Hadoop. Identify when an advanced targeted attack has bypassed traditional controls and penetrated the organization. Build confidence in the integrity of your business data for competitive advantage. 1. Introduction 2. Diversity of data 3. Big data 4. Cloud and virtual environment data 5. Enterprise data 6. Enterprise application

9 9 Bridging the data gap Cloud and virtual environment data With workloads moving to private clouds, securing data in virtual environments is becoming more important than ever. Data centers must become more flexible, especially as workloads of different trust levels are combined to run on the same physical hardware. Private clouds deliver capabilities that expand what s possible in business model innovation. For example, the private cloud can make new offerings and services available instantly on a global scale to accelerate monetization, while at the same time lowering IT and infrastructure costs. While private clouds offer many benefits, they also present a new attack vector. So how can your organization embrace cloud benefits while also securing sensitive data? To ensure data is protected in virtualized and cloud environments, organizations need to understand what data is going into these environments, how access to this data can be monitored, what types of vulnerabilities exist and how to demonstrate compliance. Protections should be built into virtual and cloud environments from the start. Organizations should look to centralize controls in private cloud environments and ensure a separation of duties so that the data administrator doesn t also become the administrator or auditor. Holistic protection strategies for private cloud environments should provide alerts to administrators of suspicious behaviors such as unusual network activity. Data processes need to continuously track data across the private cloud environment and provide insight into who is accessing the data across applications, databases, warehouses and file shares. Such an approach ensures a 360-degree lockdown of all organizational data, no matter where it resides, in every stage of its utilization. 1. Introduction 2. Diversity of data 3. Big data 4. Cloud and virtual environment data 5. Enterprise data 6. Enterprise application

10 10 Bridging the data gap Enterprise data Databases and data warehouses containing an organization s most sensitive data including financial records, credit card information, and citizen or customer data continue to be the number one source of breaches, and that s why they are increasingly subject to regulations such as SOX, PCI-DSS, HIPAA and other data protection and privacy regulations. These large repositories include huge volumes of structured data that are easy to access, making these databases an increasingly popular target for malicious attacks. In addition, as database platforms have advanced in functionality over the past 30 years, large-scale implementations have developed an extremely large number of configuration options, all of which need to be well understood and then secured to avoid data breaches. As a result, protecting against fraud, insider threats and external attacks has compelled organizations to streamline compliance processes in order to protect their most vital information assets. Unfortunately, many organizations are struggling to discover where sensitive data exists and how to protect it. The smarter alternative to the type of fragmented, inadequate data protection that exists at many organizations today is unified data and integrity operations. This approach can be accomplished with solutions that interface with the diverse data sources and data types across the enterprise and in heterogeneous environments to improve data and integrity operations. 1. Introduction 2. Diversity of data 3. Big data 4. Cloud and virtual environment data 5. Enterprise data 6. Enterprise application

11 11 Bridging the data gap Steps for a proactive and systematic approach to secure sensitive data and address compliance requirements Understand where the data exists Safeguard sensitive data, both structured and unstructured Protect nonproduction environments Secure and continuously monitor access to the data Demonstrate compliance to pass audits Organizations can t protect sensitive data unless they know where it resides and how it s related across the enterprise. Structured data contained in databases must be protected from unauthorized access. Unstructured data in documents and forms requires privacy policies to redact sensitive information while still allowing needed business data to be shared. Data in nonproduction (development, training and quality assurance) environments needs to be protected, yet still usable during application development, testing and training processes. Enterprise databases, data warehouses and file shares require real-time insight to ensure data access is protected and audited. Policy-based controls are required to rapidly detect unauthorized or suspicious activity and alert key personnel. In addition, databases and file shares need to be protected against new threats and other malicious activity, and continually monitored for weaknesses. It s not enough to develop a holistic approach to data and privacy. Organizations must also demonstrate and prove compliance to third-party auditors. Protect nonproduction environments While a lot of time and focus is given to missioncritical production systems, organizations should keep in mind that sensitive data resides in many other places. How many times is your production database cloned? Are copies available for test, development, quality assurance or disaster recovery? Do these nonproduction environments get the same treatment as production systems? If they have the same data in them, then they should be considered as part of the overall data approach. Your organization must protect data in nonproduction, training and quality assurance environments while ensuring it is also usable during application development, testing and training processes. Organizations need a data solution that optimizes operational efficiency across the entire database infrastructure. 1. Introduction 2. Diversity of data 3. Big data 4. Cloud and virtual environment data 5. Enterprise data 6. Enterprise application

12 12 Bridging the data gap Enterprise application Protecting your enterprise applications and their associated data repositories is a matter of extreme importance, particularly when the data in question is sensitive personal information subject to external regulations such as PCI DSS, SOX and HIPAA. However, multitier enterprise applications are often the most difficult to secure because they are highly distributed and designed to allow web-based access from insiders and outsiders such as customers, suppliers and partners. Organizations need a data platform that includes real-time monitoring, applicationlevel fraud detection, and user-specific rules for enterprise applications such as Oracle E-Business Suite, PeopleSoft, SAP and in-house systems. By going beyond existing application logs, an auto mated and centralized approach provides fraud monitoring to help your organization meet even the most stringent regulatory and audit requirements. Organizations face unique challenges when it comes to protecting sensitive SAP data, such as: Dispersed data: Sensitive information may occur in hundreds of different database columns, making it extremely difficult to conduct column-level monitoring or encryption. Performance: SAP database environments need to maintain maximum responsiveness, even while measures are being implemented. Data variety: Both structured data and unstructured data need to be protected. Supportability: Modifying SAP applications or altering database tables jeopardizes support agreements. Expense and total cost of ownership: Custom encryption development may be extremely expensive, due to the wide breadth of SAP applications. Privileged user access: Insiders with privileged access to SAP data could potentially harm the data without their actions being tracked. 1. Introduction 2. Diversity of data 3. Big data 4. Cloud and virtual environment data 5. Enterprise data 6. Enterprise application

13 13 Bridging the data gap Your data strategy must include application to monitor, track and report on the activities of users who access critical tables with multitier enterprise applications rather than direct access to the database. This is required because enterprise applications typically use an optimization mechanism called connection pooling. In a pooled environment, all user traffic is aggregated in a few database connections that are identified only by a generic application account name, thereby masking the user identities. For compliance requirements and fraud preventative measures, you need to identify application users associated with specific database queries and transactions, as well as identify direct access by privileged users. Also, for business decision making, you need to gain a deeper understanding of data activity insights by integrating activity monitoring with IT Security Information and Event Management (SIEM) tools for more accurate and effective intelligence. 1. Introduction 2. Diversity of data 3. Big data 4. Cloud and virtual environment data 5. Enterprise data 6. Enterprise application

14 14 Bridging the data gap Why IBM InfoSphere Today, many organizations are starting to realize that building an effective database platform is not a one-time event, but rather a process that occurs over time. Data solutions from IBM InfoSphere can help your organization simplify that process by providing preconfigured rules and policies that help take the guess work out of securing a database environment. IBM InfoSphere Provides the simplest, most robust solution for assuring the privacy and integrity of trusted information in your data center and reducing costs by automating the entire compliance auditing process in heterogeneous environments. By using InfoSphere to secure your entire organization s data environment, your organization can monitor user activity to detect and respond to fraud without causing large-scale disruption of IT operations. Is the most widely used solution for preventing information leaks from the data center and ensuring the integrity of enterprise data. InfoSphere has the ability to identify and protect against internal and external threats through a distinctive combination of robust monitoring and auditing, vulnerability management, data transformation, real-time policies, and intelligent reporting. Helps protect valuable data assets such as PII, customer data, business data, corporate secrets and more, foster secure and efficient collaboration, and effectively integrate into existing business processes. IBM InfoSphere data and privacy solutions are open, modular and support all aspects of data and privacy, including structured, semi-structured and unstructured data, no matter where the data is. IBM InfoSphere provides an integrated platform for defining, integrating, protecting and managing trusted information across your systems. The InfoSphere Platform provides all the foundational building blocks of trusted information, including data integration, data warehousing, master data management and information governance, all integrated around a core of shared metadata and models. The portfolio is modular, allowing you to start anywhere, and mix and match InfoSphere software building blocks with components from other vendors, or choose to deploy multiple building blocks together for increased acceleration and value. The InfoSphere Platform provides an enterprise-class foundation for informationintensive projects, providing the performance, scalability, reliability and acceleration you need to simplify difficult challenges and deliver trusted information to your business faster. For more information: ibm.com/guardium 1. Introduction 2. Diversity of data 3. Big data 4. Cloud and virtual environment data 5. Enterprise data 6. Enterprise application

15 15 Bridging the data gap Copyright IBM Corporation 2013 IBM Corporation Software Group Route 100 Somers, NY U.S.A. Produced in the United States of America May 2013 All Rights Reserved IBM, the IBM logo, ibm.com, DB2, InfoSphere, and Optim are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol ( or TM), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the web at Copyright and trademark information at ibm.com/legal/copytrade.shtml This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates. The performance data discussed herein is presented as derived under specific operating conditions. Actual results may vary. It is the user s responsibility to evaluate and verify the operation of any other products or programs with IBM products and programs. THE INFORMATION IN THIS DOCUMENT IS PROVIDED AS IS WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUD- ING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided. Actual available storage capacity may be reported for both uncompressed and compressed data and will vary and may be less than stated. Statements regarding IBM s future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only. Linux is a registered trademark of Linus Torvalds in the United States, other countries or both. Microsoft, Windows, Windows NT and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries or both. UNIX is a registered trademark of The Open Group in the United States and other countries. Other company, product or service names may be trademarks or service marks of others. NIB03018-USEN-00