Discovery and Sensitive Data Finder Tech Talk final...Granular, real-time policies Who, what, when,...

© 2013 IBM Corporation

Information Management

IBM InfoSphere Guardium Tech Talk:Database Discovery and Sensitive Data Finder

Dan Goodes – Guardium Technical Sales Engineer

July 2013


Information Management – InfoSphere Guardium

IBM InfoSphere Guardium Tech Talk

Logistics This tech talk is being recorded. If you object, please hang up and

leave the webcast now.

We’ll post a copy of slides and link to recording on the Guardiumcommunity tech talk wiki page: http://ibm.co/Wh9x0o

You can listen to the tech talk using audiocast and ask questions inthe chat to the Q and A group.

We’ll try to answer questions in the chat or address them atspeaker’s discretion.

– If we cannot answer your question, please do include your emailso we can get back to you.

When speaker pauses for questions:– We’ll go through existing questions in the chat




Reminder: Guardium Tech Talks

Link to more information about this and upcoming tech talks can be found on the InfoSpereGuardium developerWorks community: http://ibm.co/Wh9x0o

Please submit a comment on this page for ideas for tech talk topics.

Next tech talk: Data security and protection for IBM i usingInfoSphere Guardium

Speakers: Scott Forstie and Larry Burroughs

Date &Time: Thursday, August 29, 2013

11:30 AM Eastern (90 minutes)

Register here: http://bit.ly/13anSA2


Information Management

IBM InfoSphere Guardium Tech Talk:Database Discovery and Sensitive Data Finder

Dan Goodes – Guardium Technical Sales Engineer

July 2013




What we’ll cover today

What is Guardium and what problems does it address?

Overview of some capabilities– Database Discovery– Sensitive Data Finder

Use Cases

Integration

Where to find more information

Q&A

5

Hello Everyone and welcome to TechTalk Tuesday

Here is what we will cover today, starting with a quick introduction to Guardium



The world is becoming more digitized and interconnected,opening the door to emerging threats and leaks…

Organizations continue to move to newplatforms including cloud, virtualization,mobile, social business and more

EVERYTHINGIS EVERYWHERE

With the advent of Enterprise 2.0 and socialbusiness, the line between personal andprofessional hours, devices and data hasdisappeared

CONSUMERIZATIONOF IT

The age of Big Data – the explosion of digitalinformation – has arrived and is facilitated bythe pervasiveness of applications accessedfrom everywhere

DATAEXPLOSION

The speed and dexterity of attacks hasincreased coupled with new motivations fromcyber crime to state sponsored to terrorinspired

ATTACKSOPHISTICATION

…making security a top concern, from the boardroom down

6

First lets talk about where we are coming from before we give you ourperspectives on data security. In IT and business, we are experiencing anunprecedented openness in the use of technology, which is both an opportunityfor new business, but also a challenge for IT, operationally and from the securityperspective.

The amount of data generated and handled is exploding, giving rise totechnologies like Big Data to help us make sense of it. IT walls are coming downmaking room for better communication with the consumers anywhere. And onthe security side, we are seeing more targeted sophisticated attacks to getaccess to that critical asset, SENSITIVE DATA.



Data is the key target for security breaches…..… and Database Servers Are The Primary Source of Breached Data

http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

2012 Data Breach Report from Verizon Business RISK Team

Database servers contain your client’smost valuable information

– Financial records

– Customer information

– Credit card and other account records

– Personally identifiable information

– Patient records

High volumes of structured data

Easy to access

“Go where the money is… and go thereoften.” - Willie Sutton

WH

Y?

7

The most critical data that organizations havetoday are inside of the databases. Because,for the most part it is structured it is easy tofind.This is why its most important to understandour data, where it lives, who has access to it,what are they doing with it, etc.Finding all of the sensitive data can be difficultand that is what we will focus on today.

Although Guardium’s origins are around real-time database activity monitoring for securityand compliance, it has the ability to discoverand classify sensitive data in order to knowwhat data to protect.

7

888



Key Characteristics

IBM InfoSphere Guardium provides real-time data activity monitoring forsecurity & compliance

Single Integrated Appliance

Non-invasive/disruptive, cross-platform architecture

Dynamically scalable

SOD enforcement for DBA access

Auto discover sensitive resources and data

Detect or block unauthorized & suspicious activity

Granular, real-time policies

Who, what, when, how

Continuous, policy-based, real-timemonitoring of all data traffic activities,including actions by privileged users

Database infrastructure scanning formissing patches, mis-configured privilegesand other vulnerabilities

Data protection compliance automation CollectorAppliance

Host-basedProbes (S-TAPs)

Data Repositories(databases, warehouses,

file shares, Big Data)

100% visibility including local DBA access

Minimal performance impact

Does not rely on resident logs that can easily beerased by attackers, rogue insiders

No environment changes

Prepackaged vulnerability knowledge base andcompliance reports for SOX, PCI, etc.

Growing integration with broader security andcompliance management vision

8

Lets take a quick look at an overview of Guardium’s benefits: Some of these have to do more with Database Activity Monitoring which we won’t be coveringtoday but for those of you unfamiliar with

Guardium’s capabilities, this is a high-level introduction

Guardium provides a continuous policy based real-time database monitoring



Extend real-time Data Activity Monitoring to protect sensitive data indatabases, data warehouses, Big Data environments and file shares

Integration withLDAP, IAM,SIEM, TSM,Remedy, …

Big DataEnvironments

DATA

InfoSphereBigInsights

9

NEW

Guardium would not be a complete data security solution if it only covered a fewdatabases, so we have expanded our scope from all major database vendors, todata warehouses, ECM, file systems, and now to Big Data environments basedon Hadoop, and NoSQL, such as IBM InfoSphere BigInsights , Greenplum,Cloudera, Cassandra, MongoDB, CouchDB, Hortonworks, just to name a few,with more being added all the time. We aim to satisfy all data security andcompliance needs in heterogeneous and large scale environments.

9







Use Cases

Integration


Q&A

10

Now that we have had some background and an introduction to Guardium

We are going to concentrate on these today’s main topics


IBM Software Group

• Vulnerability assessment• Configuration assessment

• Behavioral assessment• Configuration lock-down

& change tracking

• 100% visibility• Policy-based actions

• Anomaly detection• Real-time prevention

• Granular access controls• Privileged user monitoring

• Application monitoring toidentify end-user fraud

• Monitor encrypted connections• Monitor mainframe activity

• SIEM integration

• Centralizedgovernance

• Compliance reporting• Sign-off management

• Automated escalations• Secure audit repository

• Data mining for forensics• Long-term retention

Guardium 9: Addressing the Full Lifecycle forDatabase Security, Risk Management & Governance

• Discover all databases,applications & clients• Discover & classify

sensitive data• Automatically update

access policies whensensitive data found

Discover&

Classify

Assess&

Harden

Monitor&

Enforce

Audit&

Report

CriticalData

Infrastructure

11

Guardium addresses a full lifecycle of database security, its modular based andcan be deployed in parts to satisfy current and future data security projects.Before you know what to monitor and enforce, before you can report and reviewdata security for every source in your infrastructure, even before you can addressdatabase vulnerabilities and configurations.Its always best to start at the ground floor, the foundation, to find where mysensitive data is. Then efforts can be spent protecting the “RIGHT” data.

11

12

In order to protect your information, you first need to understand where your sensitive data lives. This is why Guardium suppor

Database discovery to identify where your databases are located on your network. The agentless network scan is in both the VA (

There is also the ability to do Instance discovery which requires an agent on the database server, it will discovery when new in

It can automatically configure the inspection engines (process names, directory structures, etc) for monitoring, alerting and po

With Sensitive data finder - Guardium can locate databases via network IP scan and open datalocate matching patterns. e.g. Creditcard, SSN, License Number, Phone Number, National ID, etc

Any pattern can be written by a regular expression and Guardium can match these expressions to objects in a database.

Actions can then be taken AUTOMATICALLY; e.g. log a policy violation, send a real time alert, create a workflow report for sign

First lets talk about Database Discovery

12



Guardium Auto-Discovery Feature

Even in stable environments, where cataloging processes havehistorically existed

•Uncontrolled instances can inadvertently be introduced•Developers that create “temporary” test environments•Business units seeking to rapidly implement local applications•Purchases of new applications with embedded databases.•Acquisitions and Mergers

The Auto-discovery application can be configured to probespecified network segments on a scheduled or on-demand basis,and can report on all databases

13

Even in stable environments, where cataloging processes have historicallyexisted, uncontrolled instances can inadvertently be introduced throughmechanisms, including developers that create “temporary” test environments;business units seeking to rapidly implement local applications; and purchases ofnew applications with embedded databases.

One of the hardest areas to understand sensitive data is when data sources areacquired through acquisitions and mergers

The Auto-discovery application can be configured to probe specified networksegments on a scheduled or on-demand basis, and can report on all databasesdiscovered—solving the problem of identifying both legacy and newly introduceddatabases. Similarly, the Auto-discovery application can be used to demonstratethat a process exists to identify all new instances.

This is generally a requirement with Industry and Corporate regulations

13



Guardium Auto-Discovery

IBM InfoSphere Guardium Tech Talk14

Lets go ahead and started

I will be walking though the setup and configuration

select New and build a new Auto-Discovery process

14



Single PortNumber orRange

Single IP orRange

15

After selecting new you are presented with the database discovery configurationscreen.

Here is where you will set the IP addresses or Range of IPs to scan. As well as aport or range of ports

We will talk about best practices later in the Techtalk

Check the “Run Probe after Scan” box to send database calls to that port toidentify which database is listening on that port.

You can separate the database IP scan and the Probe if needed.

Manually this could be run right away or at a later time.

An automated schedule can also be set up, so depending on the criteria of thescan you could run this after hours on a daily, weekly, monthly, quarterly basis tofit your needs

15




16

While the job is running you can check the progress by clicking this button.

This window will show you all the statistics of the current process.

Whether the scan is running, how many hosts were scanned, how many openports where found, how many where probed, how long the prob process took, etc

The report Databases Discovered will be populated during this discoveryprocess.

Here you can see some databases that were found at 10.10.9.56.

Now lets look at how we can interact with this discovered information

16




17

In almost all breaches or audit findings its been unknown systems, with unknownconnections, and unknown sensitive data elements.

Now that we have discovered some new database, decisions need to be made,These are databases with potentially sensitive information.

Do we ignore them and hope they go away?

Do we shut them down because they break policy, maybe they were created byaccident that might have licensing implications?

Do we decide they are important and now need to be monitored for regulatorycompliances or corporate data security policies.

With the databases that are discovered, APIs can be invoked to help reduceadministration time and reduce overall costs.

Lets explore some of these built in functions.

17





For example the ability to create an inspection engine so the configurations tomonitor that data source are already set up and ready for when the monitoringagent is installed, this also has automation capabilities to further reduceadministration time, time is money.

Here we are going to create a data source definition so we can run some of theschedule job functions like Classification Sensitive Data Finder or a VulnerabilityAssessment scan or Least Privileges Entitlement Reporting.

If you have to import hundreds of data sources, there is an API for that as well.For security purposes the username and password can even be encrypted so noplain text is stored.

Again further automating implementation and administration for corporateefficiency.

18





There is also the ability to discover new instances that are created on alreadyexisting database servers.

Using the Guardium installation manager and the Discovery module, once a newinstance is created it will automatically report on all new instances that arecreated.

And the same question can be answered around whether to keep theseinstances or not.

With the auto instance discovery, all the pertinent information is already capturefor configuring a new inspection engine for the existing STAP agent formonitoring.

This again will help reduce administration costs.

19





To help with automation of sign off for efficient process management, Guardiumhas a built in audit compliance workflow where any report for example thediscovered databases can automatically be sent to recipients to take action.

This will help close gaps in current processes, like where DBA managers have toreport on all database instances. Traditionally information security offices have torely on database managers to accurately report on all

Database instances. What happens in organizations where the application teamsown the databases and the DBA team has no control of what databases getcreated?

To automate this process and accurately report on all database instances willhelp further reduce administration costs.

20







Use Cases

Integration


Q&A

21

Now lets look at Guardium’s Sensitive Data Finder



Guardium Sensitive Data Finder


•The task of securing sensitive data begins with identifying it•The Challenge

• Database environments are highly dynamic• In large percentages of incidents, unknown data played a role in the

compromise.

•The InfoSphere Guardium solution provides a complete meansfor addressing the entire database security and compliance lifecycle.•When a match is found, the rule can specify a wide variety ofresponsive actions, including:

• Logging the match.• Sending a real-time alert detailing the match to an oversight team.• Automatically adding the object to an existing privacy set or group• Inserting a new-access rule into an existing security-policy definition.

22

The task of securing sensitive data begins with identifying it. This can bechallenging, because database environments are highly dynamic: the content ofknown instances is constantly changing and most organizations lack an effectivemeans of identifying and understanding the content of unknown instances. Inmature organizations, existing databases deployed before change controlmechanisms had been implemented are not uncommon. Larger organizationsgrowing through acquisition often struggle to gauge with certainty, sensitive datarisk in acquired infrastructures.

In large percentages of incidents, unknown data played a role in the compromise.To minimize this risk, organizations need a systematic way to identify alldatabase instances and to determine on an ongoing basis which instancescontain sensitive data, so that appropriate controls can be implemented.

The InfoSphere Guardium solution provides a complete means for addressing theentire database security and compliance life cycle. Once database instances ofinterest are identified by Auto-discovery, Sensitive Data Finder can be used toexamine the content of each, to determine whether sensitive data is included,and then take appropriate action. When a match is found, the rule can specify awide variety of responsive actions, including:

● Logging the match.

● Sending a real-time alert detailing the match to an oversight team.

● Automatically adding the object to an existing privacy set or group (objects with similar properties, such as those containing payment card data), ensuring relatedsecurity policies are automatically applied to the newly discovered object.

● Inserting a new-access rule into an existing security-policy definition.

Classification policies can be run against any specified database group on a22

23



23

Discovering Sensitive Data in Databases

• Catalog Search: Search the databasecatalog for table or column name

– Example: Search for tables wherecolumn name is like “%card%”

• Search for Data: Match specific values orpatterns in the data

– Example: Search for objects matchingguardium://CREDIT_CARD (a built-inpattern defining various credit cardpatterns)

• Search for Unstructured Data: Matchspecific values or patterns in anunstructured data file (CSV, Text, HTTP,HTTPS, Samba)

Now that we have discovered new databases, we need to find out if there is any sensitive data inside.

This will help determine whether we can ignore this data source from a data security perspective or if we need to take measure t

Like installing a Guardium STAP agent for real-time monitoring, alerting and blocking capabilities.

The reverse also applies, the sensitive data finder will also prove that no sensitive data resides on that data source.

Most auditors today are familiar with the Guardium capabilities, Imagine being able to give your auditors a report that instantl

They can move on to the more critical applications and databases

This will reduce the audit time and again further reduce costs.





Now lets step through the process of creating a Classification Policy

24





Give some details to the Classification Policy

A Name

You can specify a Category and Classification so they are easily identified duringautomation

As well as adding descriptions so maybe the user responsible for signing off onthis workflow will have all of the necessary details.

Roles can be assigned to this operation further securiting and specifying who cando what with the Guardium product

25





Next we can add the rules for what specific data we want to classify

And the action that will fire once a specified match is found

26





Again further classifying the operation with category and classification process

In this example we are looking for some creditcard information.

We can specify if we are searching for Data or a Catalog search, this can beuseful when looking for specific tables of a newly acquired data source.

Find those Tables or wildcard the name %credit%. This will reduce the time ittakes to actually search for data.

If I know there is a table named Creditcard, I know this data source is of interestand will continue with a more specified search.

However if I don’t find any tables of interest I can set up a scan for a later dateand concentrate on the low hanging fruit data sources.

Also we have the ability to search for patterns in some unstructured data files,like CSV, Text, HTTP, HTTPS, Samba

27





Here are a set of rules that this job will execute, specifically targeting criteriabased on financial institution’s formatting.Looking for VISA, Mastercard, American Express, etc.

When you specify more detailed information in your search criteria you willreduce the false positives and increase the hit percentages of what data you arelooking for.

This is important for performance and overall classification projects

28





Inside the Classification Rule,

You can search Synonyms, System Tables, Schema Tables, as well as views,this is important for not only knowing if there is sensitive data but how itspresented to users.

Here you can see the search expression for this Visa rule, using the caret orcircumflex character with a 4 you can specify that you want to find just numbersthat start with a 4, which may be Visa numbers

When trying to reduce false positives its important to specify a more complexregular expressions to find exactly what you are looking for.

I will go into best practices around performance of these jobs and false positivesin a later section.

Once a match is found there are Classification Rule Actions that can be set toautomatically fire.

29




An example would be to automatiicaly populate a group, for instance theCardholder Sensitive Object or Discovered CreditCards group.

This way when doing reporting, alerting or policy management for databaseactivity monitoring it reduces administration costs to use grouping in Guardium

30





Once the Sensitive Data Finder, Classification job is configured it can be run rightaway manually, or it can be scheduled as part of the compliance workflow forautomation.

There is a Guardium Job Queue which will show you all running processes

The data sources to scan can be configured manually, or as one of the shareddata sources that was already discovered in the Auto-Discovery process.

That was the example we walked through earlier

31




This is an example of the results, the schema name, column name, table name ofthe matched object, and a comments field with all of the information will bepresented.

In the comments field you can see the object was added to a group called AllCredit Cards Discovered.

We had rules set up for the specific Card companies, but not for objects where aplan 16 digit number was found.

There are many scenarios that can be used to reduce false positives.

This custom authentication process table could hold transaction or ticket numbersthat are 16 digits maybe requiring some addition scans now that we know theremay be a similarity.

Regular expressions can be very customizable

32




And if we check that group, you will see the matching information.

Schema name, table name, column name.

Now anytime a report, an alert or a policy rule references this group the newlydiscovered object will be referenced.

33





Now the sensitive data object is in the right group it can be applied to the real-time policies,

In this case we are applying a blocking rule, anytime someone who isn’t in theapplication schema users (like a privilege user)

Is committing a select statement against the group of discovered credit cards,apply the SGATE which will terminate their connection.

34



Guardium Sensitive Data Finder - Automation


Further automating processes and sign off management, the Sensitive DataFinder Classification process can be kicked off by our Audit ComplianceWorkflow.

This will be sent off to recipients for their review and signatures. Comments,Escalation, rejection and further review operations can apply.

35







Use Cases

Integration


Q&A

36

Now lets talk about some use cases, For example Deployments, best practicesaround performance and lowering false positives



Use Cases


Deployments - TechTalk

37

The last two techtalks were around successful deployments and from thatstandpoint;

Guardium Sensitive Data Finder can be used to accelerate the deploymentprocess, Because knowing the data is important for building Relevant reports,alerts and Policy rules to apply.

Deployment services uses a lot of the extrusion rules in the activity monitoring todetermine and review the objects as part of their services.

However with growth and acquisition of data sources, Sensitive data finder will bea useful tool as for identifying those new sensitive objects. Making the productgrow with your infrastructure.

37

38



The Compliance Mandate – What do you need to monitor?

DDL = Data Definition Language (aka schema changes)DML = Data Manipulation Language (data value changes)DCL = Data Control Language

38

And there’s the Compliance Factor of

You HAVE to do this!

HIPAA, SOX, PCI, they require that you CERTIFY that your company isdoing this!

You NEED granular visibility!

This is mostly around DAM however in order to know what data applies tothese activities, you need to discover what data matches,For example, HIPAA is all about PII/PHI data how do you know what DDL,DML, and DCL is happening on HIPAA sensitive objects if they haven’tbeen identified yet.



Use Cases


Deployments – Compliance Accelerators

39

To accelerate the real-time database activity monitoring capabilities of Guardiumone needs to understand how the sensitive data is accessed.

Guardium comes with out of the box compliance regulation accelerators. Firststep is understanding the PCI sensitive data that exists in the database.

Once the Sensitive Data Finder Classification process is complete, those PCIobjects have automatically been grouped together so that these out of the boxreports can be relevant.

Lets take a look at an example.

39



Use Cases



40

For instance, regulation 10.2.2 is about admin activity.

Does it need to see all admin activity? NO just the admin activity that pertains tothe PCI regulations.

So grouping the admins, with the PCI servers including only that activity thatpertains to the PCI sensitive objects will be reported.

This will instantaneously give your PCI auditors precisely what they need for theaudit. No more having to rifle through hundreds of lines of activity to find what youneed.

Eliminating the needle in the haystack scenario

40



Use Cases



41

Here we see an example of that precision grouping capability within theSarbanes-Oxley Accelerator

All of the DML activity on the SOX relevant Financial servers where it affectsSOX sensitive data is reported,

How do we know its SOX sensitive information? Because we ran a SOX specificSensitive Data Finder Classification job, looking for financial information and putthose objects into that group

Further enhancing the automation and driving down those corporate Costs.

41



Use Cases


PCI, SOX, HIPAA, ETCRegular Expression Examples

42

Here are some use case examples for Regular Expressions that can be use forall Regulatory Compliances.

Its not just about PCI, SOX and HIPAA, it can be any industry, government orcorporate regulation.

42



Use Cases - Best Practices


Performance

Network and Database ImpactRuntimeReducing False PositivesCorrect Configurations

43

Just like with poorly constructed queries and database performance

Guardium auto-discovery and Sensitive data finder are processes that take avery small amount of resource to complete.

Whether they are network, file system or database its important to understandthese functions, create the correctly configured job and run during time framesthat make sense to the business.

43



44

From an Auto-Discovery process,

Guardium is running a regular nmap type process here nothing particularlyproprietary as far as our scanning technology goes.

We go out and scan a single IP or a Range looking for open ports and DBlisteners on those ports.

It’s a simple operation however can have impact on your network, this operationwill be seen by your network folks.

So it make sense to do proper planning for these scans.

There is something like 65,000 available ports on a server so its not a good ideato go scan 10.10.9.* and not specify a port or port range.

It is a good idea to put some port numbers in that make sense, looking for DB2?Use a range of 50,000 to 60,000, looking for Oracle use 1000-2000,

And so forth. Initially if you want to do a large amount of Ips and Ports plan forafter hours work

44





Performance

45

When using the Sensitive Data Finder

The Comprehensive search check box; is only relevant when the number ofrecords in a table exceeds the Sample size

This is a high quality search because the results are more likely to berepresentative of the data. Unchecking Comprehensive search will search thefirst "Sample size" records for a match. This type of search can be much fasterthan a comprehensive search but it may sacrifice the quality of the results.

Enter a Sample size when searching for data, if the number of records in a tableis <= to "Sample size", then all those records are searched for a match. When thenumber of records in a table exceeds "Sample size", then Comprehensivesearch, as defined above, may be used.

When a classification process runs, it should have very little impact on thedatabase server.

It begins by scanning sets of 50 consecutive rows returned by the databaseserver, beginning with the first row. The second set of 50 begins with the 1000throw. Thereafter, it skips ahead by powers of two, such that the next block of 50begins at 2K, 4K, 8K, 16K, 32K, and so forth. During this process, if any querytakes longer than 10 seconds, the skip interval is multiplied by 10, so if thecurrent sequence is 640K, the next will be 6.4M, and so forth

The Classifier also throttles itself to periodically idle so that it does not overwhelmthe database server with requests.

If any one query takes longer than 12 minutes, the query will be cancelled, a45





Eliminate False Positives

46

Configurations within the Classification process will help with performance bestpractices, as these scans can be more targeted,

However, generalized scans may take longer to complete as they have lessspecifications.

For Instance

Doing catalog searches first will help identify the sensitive tables, try a wild cardwith Credit, or account, or social or SSN.

These scans will take seconds and since its identifying sensitive tables, they canautomatically be added to those groups of sensitive objects

Once those tables have be identified its time to create more in depthclassification rules, these specified scans will look for the unique patterns of data,this is where you can find potentially sensitive information in tables where theyaren’t clearly marked or are coded with non-descriptive table names or in tableswhere they don’t belong like Comment fields.

When a rule name begins with "guardium:// for this example we useCREDIT_CARD", and there is a valid credit card number pattern in the SearchExpression box, the classification policy will use the Luhn algorithm

Specify or wild card the table and column name and the scan will be moretargeted.

For testing purposes this is a good way to see if your rules will fire as you alreadyknow that table contains those matching patterns

This can also help with understanding how long your scans will take as you may

46



Use Cases – Special Projects


Risk Based Approach to Data Security – Dark Reading Webinar

Helping to Quantify the Risk and Protection Value

List the top 10 assets you have in your organization

Assign a value to these assets

Identify specific threats to these assets

Identify vulnerabilities with these assets

Calculate your risk score and compare it to the asset value

Risk is dependent on the asset values, threats and vulnerabilities

Let’s use a simple example as it relates to the databases

PCI is a very common example and we’ll relate this to credit card processing

47

https://www.techwebonlineevents.com/ars/eventregistration.do?mode=eventreg&F=1004756&K=6IK

Last year there was a webinar that we did in conjunction with The Dark ReadingGroup regarding Risk Base approach to data security.

Building out a score matrix for high risk, applications, databases, users,connections, will help organizations realize the risk factors quicker.

One of the most important aspects of this approach is to score your top 10assets, these are the assets that would cost your organization the most

If there was a breach or audit finding.

Locating these assets will be quicker when using Guardium’s Sensitive DataFinder.

The link is in the slide and is a very useful webinar to watch the replay.

47







Use Cases

Integration


Q&A

48

Now lets look at some integration points



monito

rend-u

ser

activity

InfoSphere Guardium integration with other IBM products

Master Data ManagementInfoSphere MDM

Web Application PlatformWebSphere

Databases•DB2 [LUW, i, z, native agent]

•Informix

•IMS

DatawarehousesNetezza

PureData

PureFlex

Big DataBig Insights

SIEMQRadar

Storage and Archival•Optim Archival

•Tivoli Storage Manager

Endpoint ConfigurationAssessment and Patch

ManagementTivoli Endpoint Manager

LDAP DirectorySecurity Directory Server

Static Data MaskingOptim Data Masking

Data Discovery/Classification•InfoSphere Discovery

•Business Glossary

Help DeskTivoli Maximo

Event MonitoringTivoli Netcool

Software DistributionTivoli Provisioning Manager

TransactionApplication

CICS

Database tools•Change Data Capture

•Query Monitor

•Optim Test Data Manager

•Optim Capture Replay

•InfoSphere Data Stage

Analytic EnginesInfoSphere Sensemaking

open

ticke

ts

SNMPalerts

distribute

STAPs

remediate vulnerability

send alert, audit, vulnerabilityuser and group mgmtmonitor end-user activity

monitor end-user activity

monito

rend-u

seract

ivity

end-user activity

leverage capture function

leverage audit change

share discovery & policies

share discovery

share discovery & classify.

monitor, audit, protect

monitor, audit

monito

r,audit

monitor,

audit,

arc

hiv

e

arc

hiv

ea

udit

share discovery

InfoSphereGuardium

BusinessIntelligence

Cognos49

Guardium Integrates with a number of other technologies inside and outside ofIBM.

Outbound messaging and the ability to consume justabout any data make Guardium a powerful activityreporting tool.

Sharing of information is important within organizations inorder to increase corporate efficiencies while drivingdown costs.

Lets look at a few of these integration points as itpertains to Discovery and classification projects

49

50



50Knowledge Transfer Material

InfoSphere Discovery Classified Columns View

Pattern Based Sensitive Data Discovery Example: SSN

50

InfoSphere Discovery is a tool which is unique in the industry. It removes theneed for manual analysis of your data and the relationships in yourenvironment. Discovery automatically, intelligently identifies and characterizesthe data elements within a source and groups data elements into businessentities based on the relationships between them. For example, Customer,Counterparty, and Invoice might represent a common business entity.

With InfoSphere discovery all sensitive data elements can be shared withGuardium.

You may have already invested in data discovery projects and have alreadycompleted some data classification, this information can easily be shared withGuardium so that the real-time policy rules, alerts and reports are alsomonitoring the data elements already defined by your organization.




Here we see an automated production of the CSV files, in the a consumableformat that will match the data structure inside the Guardium repository.

Quickly and easily share sensitive objects back and forth, to accelerate all datadesign and classification projects.

51



When to use Guardium and Discovery

InfoSphereGuardium

InfoSphereDiscovery

Find all databases & sensitive data then apply appropriate policies

Monitor database security and compliance in real-time throughoutthe lifecycle

Protect and control access to sensitive data

Validate compliance with security mandates

Business Needs / Project Types: Database Security, Compliance

Target roles: Data Protection groups, Security Departments, DBA,Auditors, IT Operation, Operations Group, Risk and Compliance

Gain an understanding of data content, data relationships, and datatransformations across multiple heterogeneous sources

Discover business objects across data sources

Identify sensitive data across data sources

Business Needs / Project Types: Archiving, Test Data Management,App. Consolidation, Information Integration (DHW, BI, MDM, etc)

Target Roles: Business Analysts, System Architects, Data Analysts,Data Steward, Application Development Groups

If your needs are to…

If your needs are to…

52

Both products can do sensitive data discovery based on regular expressionpattern matching, so when to use one over the other?

Guardium gives you the ability to quickly and easily point to a data source andscan it for sensitive data, this is usually because of a security project likedatabase activity monitoring.

Automatically updating groups and providing alerting capabilities when sensitivedata is located.

Infosphere discovery on the other hand is a VERY powerful data analytical toolfor helping organizations understand their data, the relationships inside thedatabase and the relationships of the data

In other databases. It does database model discovery and has powerfulalgorithms for find matching values, even inside of larger data sets.

For example a social security number may be part of a larger transaction number.This larger number could be identified as sensitive and could be shared withGuardium for data security requirements.

To help accelerate a data relationship project Guardium’s sensitive data finderresults could also be shared with Infosphere Discovery.



53

Info Analyzer Extended Data Classification & Data Rules

53

While Discovery helps an organization to understand their data and the complexrelationships within their data, Information Analyzer provides the ability toexamine the quality of the data in terms of consistency, validity, redundancy, andintegrity. Information Analyzer allows for not only an initial assessment of dataquality, but on-going monitoring of data quality through established Data Rules.

53



54

EXPORT – Custom Dashboard and Reporting

Broad set of functions exposed through API beyond reporting needs

IBM InfoSphere Information Analyzer

XMLServer

GET …XSLT1

XSLT2

XSLT3

HTMLReport1

CSVReport

HTMLReport2

54

information analyzer is the trusted source for the classified data, its repositoryinformation can be shared with Guardium as well.

Any CSV could be imported into Guardium's repository for reporting purposes,Correlation alerts can even be set up to scan the imported data for thresholdvalues

55



Optim Archiving and Test Data Management

CurrentCurrent

Production

HistoricalHistorical

ArchiveArchive

RetrieveRetrieveRetrievedRetrieved

Universal Access to Application Data

ODBC /JDBC

XML ReportWriter

Application

Archives

Historical DataHistorical Data

Reference DataReference Data

Archiving is an intelligent process for moving inactive orinfrequently accessed data that still has value, whileproviding the ability to search and retrieve the data

Test DataTest Data Subset

Developers QA

TDM

Guardiumcan suggest

archivecandidates

Optim sendsaccess requests

to Guardium

Guardium andTDM can share

masking policies

55

Guardium integrates with Optim, mostly from an activity monitoring aspect where wecan see what jobs ran and who ran them, however

The Data objects that will be obfuscated or masked during a Test Data managementproject can be populated by Guardium Sensitive Data finder.

Again accelerating operational processes and driving down those corporate costs.

5656




Information, training, and community

InfoSphere Guardium YouTube Channel – includes overviews and technical demos

InfoSphere Guardium newsletter

developerWorks forum (very active)

Guardium DAM User Group on Linked-In (very active)

Community on developerWorks (includes content and links to a myriad of sources, articles,etc)

Guardium Info Center (Installation, System Z S-TAPs and some how-tos, more to come)

Technical training courses (classroom and self-paced)

New! InfoSphere Guardium Virtual User Group.Open, technical discussions with other users.

Send a note to [email protected] ifinterested.

56

there are currently two Guardium certification tests.If you are looking into taking an IBM professional product certification exam, youmay look into taking the 000-463 certification (http://www-03.ibm.com/certify/tests/ovr463.shtml).

Upon completion of the 000-463 certification, you will become an IBM CertifiedGuardium Specialist (http://www-03.ibm.com/certify/certs/28000701.shtml).

The certification requires deep knowledge of the IBM InfoSphere Guardiumproduct. It is recommended that the individual to have experiences inimplementing the product to take the exam. You can view the detailed topicshere: http://www-03.ibm.com/certify/tests/obj463.shtmlDetails each topics are covered in the product manuals. You will also find theGuardium InforCenter a useful resource when you prepare for the exam:http://publib.boulder.ibm.com/infocenter/igsec/v1/index.jsp




Reminder: Guardium Tech Talks

Link to more information about this and upcoming tech talks can be found on the InfoSpereGuardium developerWorks community: http://ibm.co/Wh9x0o

Please submit a comment on this page for ideas for tech talk topics.

Next tech talk: Data security and protection for IBM i usingInfoSphere Guardium

Speakers: Scott Forstie and Larry Burroughs

Date &Time: Thursday, August 29, 2013

11:30 AM Eastern (90 minutes)

Register here: http://bit.ly/13anSA2

5858




GraciasMerci

Grazie

ObrigadoDanke

Japanese

French

Russian

German

Italian

Spanish

Brazilian Portuguese

Arabic

Traditional Chinese

Simplified Chinese

Thai

TackSwedish

Danke

DziękujęPolish

Thank you very much for time today.

Discovery and Sensitive Data Finder Tech Talk final...Granular, real-time policies Who, what, when,...

Documents

Transcript of Discovery and Sensitive Data Finder Tech Talk final...Granular, real-time policies Who, what, when,...