Innovatum DLP WP

Data Loss Prevention
For
IBM i
WHITE PAPER: Data Loss Prevention
Introduction
Data and information—whether trade secrets, intellectual property, customer
records, patient information, credit card numbers, social security numbers,
sales figures or manufacturing specs—is as valuable to business as treasure.
……. the company Technology has further increased the value of such information, allowing it to
said 45.6 million be stored, accessed and shared. However, open system technology has also
credit and debit introduced real threats to data; making loss—whether from theft, malicious
card numbers were manipulation or inadvertent misuse—easier than before.
stolen from one of
its systems over a
period of more than Consider as an example the theft of data from the TJX companies, as reported
18 months by an in Computer world
unknown number of “In filings with the U.S. Securities and Exchange Commission
intruders. yesterday, the company said 45.6 million credit and debit card
numbers were stolen from one of its systems over a period of more
than 18 months by an unknown number of intruders. That number
eclipses the 40 million records compromised in the mid-2005 breach
at CardSystems Solutions and makes the TJX compromise the worst
ever involving the loss of personal data.”
Data security breaches were up almost 50 percent in 2008 compared with
2007. The consequences of a data breach, whether due to the insider threat or
malicious activity can be extremely damaging to any company by affecting
brand image, impacting consumer confidence and reducing shareholder
wealth.
In addition, direct costs associated with data loss include internal
investigations, notification/crisis management and regulatory compliance
audits. Heavy fines for violating compliance requirements can directly affect
the bottom line. Businesses can also be sidetracked by expensive computer
forensics, remediation and notification efforts. In its study of 43 companies
that suffered a data breach, the Ponemon Institute found the total cost of
coping with the consequences rose to $6.6 million per breach, up from $6.3
million in 2007 and $4.7 million in 2006. The cost per compromised record in
2008 rose 2.5% over the year before to $202 per record, according to the
same study.
Beyond direct costs, organizations must comply with regulatory requirements
and corporate policies or face costly disruptions to operations. Since many
companies have limited data security expertise, it can be expensive to
maintain the required skill sets to address issues as they arise. A lack of
________________________________________________________________________________________________
Version: 1.1 Innovatum, Inc Page 2 of 9
Date: 03/22/10 1400 Buford Highway Sugar Hill, GA 30518
www.Innovatum.com Tel: 770 945 4595
knowledge or reliance on outdated information can make a company more

vulnerable to data breaches and non-compliance.
In the real world, you need visibility into your information and how it is
handled in order to protect sensitive data against loss and unauthorized
access.
Imagine for a moment a database table that contains customer number,
customer name, phone number and credit card information. How this table is
An SQL statement accessed will impact the level of exposure to data loss. An approved
that reads the application program that is known to handle the credit card information
entire table and appropriately is of very low risk. An SQL statement that reads the entire table
writes it to a copied and writes it to a copied table, however, should sound alarms all over the
table, however, place. Because of this type of complexity it becomes difficult to lockdown this
should sound sensitive file and at the same time enable users to do their job.
alarms all over the
place. DLP automation is an important component of a data protection strategy, and
it is essential to find a DLP solution that will not introduce complexity and
management headaches into the IT environment. It necessitates a best-of-
breed technology and a simple, proven approach to protecting critical
information.
Data-Centric Data Loss Prevention

The goal of an effective DLP solution is to provide broad and rapid protection
against transmission of sensitive data beyond the corporate network and to
prevent unauthorized traffic within the organization. In effect, DLP must
combat threats to data from inside the organization—and even those caused
by accident. Whether the source is flawed policy, malicious behavior or
improper actions taken by otherwise well-meaning employees, DLP is a pivotal
part of any effective security strategy.
One of the most common reasons data assurance technologies are not as
firmly entrenched as solutions such as firewalls or intrusion prevention
systems (IPS) is confusion about where to begin. One can approach DLP via
the data or the network/endpoint or a combination of both, with the combined
solution providing the most comprehensive degrees of protection against data
leakage. Many organizations do not have clear view of how their data is
accessed and used, who has access, and whether IT policies are being properly
enforced. This can be mitigated by using a data-centric DLP solution installed
at the database layer which can help identify usage patterns. Start by focusing
on sensitive data in one place and then see how and by whom it is accessed.
This is a simpler, more strategic approach, taking the guesswork out of
discovery while saving time and cost. To do this, organizations can follow a
________________________________________________________________________________________________
simple data-centric assurance strategy:

1. Classify sensitive data
2. Discover access paths to the data
3. Set access rules and policies
4. Monitor for, review, and process exceptions
5. Retain audit data for compliance
The IBM i has exceptional audit capabilities making it one of the most secure
The IBM i has technology platforms. At its most verbose level, the operating system can
exceptional audit generate audit records for virtually any activity occurring on the system.
capabilities making Because of this immense volume of data, using it in a meaningful way on a
it one of the most continuous basis can be a costly and time consuming task for IT personnel.
secure technology Usually someone only goes “digging” for audit data after an event has come to
platforms. their attention; but all of this audit data is a direct reflection of a business’
daily operations, how they do business. If you can gain visibility into this
information and harness it for DLP through automation, costs associated with
proper monitoring and awareness are dramatically reduced. Visibility also
becomes strategic for gaining competitive advantage in other areas not related
to DLP.
On the IBM i manually implementing a data centric DLP means several tasks
must performed.
1) Classify Sensitive Data – You probably have a good handle on your most
sensitive data and know where it resides. In this step data needs to be
grouped or classified as sensitive to facilitate monitoring and reporting for all
sensitive data. An integrated approach to classifying and grouping data is
crucial to a cost effective implementation of data-centric DLP.
2) Discover Access Paths to Data - The next step is identifying how that
data is accessed. Reporting against database journals can provide this
information. For example; do you know exactly who has accessed sensitive
data, and how they did so just in the last hour? 24 hours? Can you do it
without having someone “dig” for it? This visibility is important for data loss
prevention but can be difficult to manage if users access sensitive files via
applications that do not display certain sensitive data.
________________________________________________________________________________________________
3) Set access rules and policies – Based on the previous discovery step
access methods need to be reviewed and approved or rejected. These rules
then need to be incorporated in reporting and real time alerting to identify
exceptions.
4) Monitor for, review and process exceptions – The process for dealing
with exceptions to policy is usually labor intensive as they must be reviewed
and approved. This process is handled manually via paper in many IT
departments and the time consuming administrative burden is an important
compliance requirement for many regulations.
5) Retention of audit data for compliance – Many regulations have
retention requirements for audit data and exceptions. Managing the archiving
and retention of audit data is a prevalent and often overlooked regulatory
requirement. More importantly, you will need to be able to access the long-
With the right term historical data for inquiry and reporting purposes.
solution you can
eliminate much of Implementing an automated data-centric
the manual
discovery tasks
approach to DLP
associated with With the right solution you can eliminate much of the manual discovery tasks
implementing data- associated with implementing data-centric DLP. As an example, can you see
centric DLP. the 10 different ways your customer master file was accessed in the last 24
hours? Can you see that 7 methods were OK, and 3 were outside the rules
governing access? This discovery of how data is actually being used is a time
consuming and costly task, and must be repeated to stay up with changes in
the system, i.e. new users, new applications etc. Data Loss Prevention
powered by DataThread for IBM i tracks and records critical data access,
providing complete visibility into data usage allowing business and IT
managers to make real-time decisions about data assurance.
Business and IT managers using a DLP powered by DataThread, can
implement an automated data-centric approach to assuring data in just a few
steps. These are:
1. Automatically discover and record sensitive data access based on actual
user activity. Take the guess work out of how to classify people and
methods of access to your sensitive data.
2. Use the discovered intelligence to build your policy list of approved and
forbidden paths to data, and processes for exceptions.
3. Apply policy-driven data monitoring to alert you of any breach or data
________________________________________________________________________________________________
access outside of the approved paths to sensitive data.

4. Automatically archive and retain audit data based on retention period
and easily restore for inquiry
Whether vendor supplied or homegrown applications, across all databases, a
Whether vendor DLP solution powered by DataThread, can monitor, log, warn and, if necessary,
supplied or block prohibited actions.
homegrown
applications, across How it works
all databases, a As users access data, their activity and method are recorded and will be
DLP solution available for review and disposition. Legitimate accesses are put on an
powered by approved list and are no longer viewed as an exception. Unapproved means of
DataThread, can access are eligible for immediate notification and action. A period of time is
monitor, log, warn used to gather access data in silent mode while patterns are established and
and, if necessary, reactions are defined.
block prohibited
actions.
________________________________________________________________________________________________
Acceptable Access
The employee master file contains social security number and is accessed by
program PAY500, an inquiry program that does not show social security
Monitoring data number or other sensitive data. Although the object is sensitive the access
access and usage method is not. This would normally generate false positives. The problem is
on an ongoing basis how to reconcile and eliminate false positives and focus on true exceptions.
can help IT make Identifying the acceptable patterns of access provides assurance that sensitive
the right objects are not breached while not interfering with normal business operations.
adjustments as
business needs Questionable Access
change and A new business partnership or process necessitates sharing data and hence a
technology evolves. new policy is required. With this data centric approach the new access is
automatically discovered and the policy review process is automatically
initiated. It becomes very easy to establish policies in an ongoing basis as
business activity changes and evolves; and it always does.
Prohibited Access
DataThread discovers that the employee master table is being accessed by
SQL as a previously undefined method. During the silent data gathering period
this intelligence is simply logged for review and policy definition. Otherwise
notifications are sent about this event, and more dramatic automated
intervention can be configured.
As baseline policies are maintained automatically, the opportunity to expand
out to reduce risks for items that had been deemed a lower priority earlier now
Adjustments to
presents itself.
ongoing DLP
policies can only be Additionally this improved visibility allows for the hardening of OS security at
made when data the object level. Now that the objects used to access data are visible, adjusting
usage is tracked. security settings in a more granular fashion without fear of disrupting business
processes can be attained.
Minimizing system impact

Monitoring data access and usage on an ongoing basis can help IT make the
right adjustments as business needs change and technology evolves.
Adjustments to ongoing DLP policies can only be made when data usage is
tracked. For most organizations, to turn on the IBM i’s logging capabilities in
order to record key audit data as required by compliance mandates can create
enormous overhead both in terms of CPU utilized and DASD consumed.
________________________________________________________________________________________________
DataThread’s DLP solution mitigates the impact of this type of monitoring

through a series of efficiency innovations that have been in operations for
almost a decade:
“What is measured 1. No programming changes are needed to the business applications.
can be improved.”
Six Sigma and 2. Only very specific System Audit Journal monitoring is activated and just
other protocols like the pertinent data elements are retained in databases that have no
it rely heavily on dependency on the journal itself.
quantifying the 3. Audit of legitimate activity can, through configuration, be discarded.
variables under
consideration. It is 4. Database Journal or optionally Triggers are used to capture data level
no different in a activity.
DLP project. 5. The process is moved to the background minimizing impact to the
business process.
6. Only very specific fields are retained for audit purposes and there is no
dependency on keeping the audit journals. Imagine a file of 200 fields
where only a handful are worthy of auditing. Most solutions keep the
entire before an after image of the entire record. This solution keeps
only the fields needed and only if they were changed.
7. Given the compactness of the archived history, years of data can be
retained in the active environment for immediate access and
investigation.
8. All historical data can be archived to external media with an on-line
catalogue identifying location of data. This tool allows for rapid access to
long-term history when investigations are initiated.
Summary
“What is measured can be improved.” Six Sigma and other protocols like it
rely heavily on quantifying the variables under consideration. It is no different
in a DLP project. We need to have a clear picture of patterns of data access
and to segregate these into various levels of acceptability and reaction.
In order to quantify these patterns, automation is essential.
Automated solutions will need to sift through volumes of data, only a small
portion of which is pertinent.
Usage of data needs to be recorded to provide visibility into risky behavior or
unnecessary processes. The more efficiently you are able to do this, the lower
the cost drag on your bottom line. If you can easily and effectively manage
________________________________________________________________________________________________
monitoring, capturing, archiving and the policy exception processing for

compliance, you stand to gain significant competitive advantage and return on
investment.
Through automation and centralization, in general you can expect to enjoy the
following cost reductions and benefits;
1. Minimal impact on your system.
2. Reduced DASD usage.
3. Reduced discovery time and cost.
4. Reduced policy establishment time and cost.
5. Ensure policy enforcement and new access discovery.
6. Ensure exception processes are always followed.
7. Easily retain and restore audit data.
8. Quickly respond to audit requests.
DataThread’s simple and proven technology allows you to quickly implement a
robust solution and realize the benefits and cost savings.
For More Information

For more information about DataThread and
Innovatum Professional Services, call (877) 277-3016
or visit Innovatum’s Web site at:
www.innovatum.com
________________________________________________________________________________________________

Innovatum DLP WP

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Innovatum DLP WP

Uploaded by

Copyright:

Available Formats

Data Loss Prevention

knowledge or reliance on outdated information can make a company more

Data-Centric Data Loss Prevention

simple data-centric assurance strategy:

access outside of the approved paths to sensitive data.

Minimizing system impact

DataThread’s DLP solution mitigates the impact of this type of monitoring

monitoring, capturing, archiving and the policy exception processing for

For More Information

You might also like