
IBM InfoSphere Guardium Tech Talk: Guardium 101

Joe DiPietro – Center of Excellence lead
Kathy Zeidenstein – Guardium Evangelist

21 Feb 2013

Information Management
© 2013 IBM Corporation


Information Management – InfoSphere Guardium

What we’ll cover today

ƒ What is Guardium and what problems does it address?
ƒ Overview of some capabilities
ƒ Architectural overview and policy primer
ƒ Deployment topologies
ƒ Guardium team and projects
ƒ Whirlwind tour of the UI
ƒ Administration/automation (CLI and API)
ƒ Where to find more information

2 21 Feb 2013 IBM InfoSphere Guardium Tech Talk © 2013 IBM Corporation
Data is the key target for security breaches...
... and database servers are the primary source of breached data

WHY?
ƒ Database servers contain your clients’ most valuable information
  – Financial records
  – Customer information
  – Credit card and other account records
  – Personally identifiable information
  – Patient records
ƒ High volumes of structured data
ƒ Easy to access

Source: 2012 Data Breach Report from Verizon Business RISK Team
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf

“Go where the money is… and go there often.” - Willie Sutton
Typical home grown solutions are costly and ineffective

Native database logging on each database server feeds a manual pipeline:
• Perl/UNIX scripts/C++ scrape and parse the log data
• Move it to a central repository
• Create reports
• Manual review
• Manual remediation dispatch and tracking

Why this falls short:
• Significant labor cost to review data and maintain the process
• High performance impact on the DBMS from native logging
• Not real time
• Does not meet auditor requirements for Separation of Duties
• Audit trail is not secure
• Inconsistent policies enterprise-wide
50,000 Foot Overview

Diagram labels:
Constraints: data growth & acquisitions; outsourced & contractor access; cost ($); increased risk
Challenges: time to understanding; where is sensitive data?; unauthorized changes; security threats; rising costs; stay out of the papers…
Data Security & Risk (DSR) life cycle: Define, Classify, Find, Monitor, Enforce, Analyze, Audit, Assess, Harden, Empower users, Measure results
DSR goals: reduced cost across the lifecycle; higher quality; improved understanding; lowered risk; improved compliance; increased life-cycle protection; metrics
Historical perspective: What is Guardium?

ƒ Guardium, the company, was founded in 2002
  – Innovated a non-invasive solution for continuous database auditing
ƒ Guardium was acquired by IBM in 2009
ƒ The ‘Guardium’ name was extended to other products in the IBM Information Management portfolio that focus on data security and protection (that’s how good it is!)

The ‘Guardium’ product family:
  – InfoSphere Guardium Data Activity Monitoring (the ‘original’ Guardium, and our focus for today’s talk)
  – InfoSphere Guardium Vulnerability Assessment
  – InfoSphere Guardium Data Encryption
  – InfoSphere Guardium Data Redaction
And where does it fit?

Diagram: InfoSphere Information Governance
Next section: Overview of some capabilities
Products and capabilities

InfoSphere Guardium Data Activity Monitoring (DAM) – for data security & compliance
• Data discovery and classification
• Real-time activity monitoring
• Application end-user identification
• Security alerts and audit reports
• Compliance workflow
• Blocking unauthorized access
• Masking sensitive data

InfoSphere Guardium Vulnerability Assessment (VA) – best practice & secure configuration
• Configuration assessment
• Vulnerability assessments
• Vulnerability reports
• Suggested remediation steps
• Data Protection Subscription
• Configuration audit system (CAS)
• Entitlement reporting (VA Advanced)

Both are delivered as hardware, virtual or software appliances.

Central Management & Aggregation: manage and use large deployments as a single federated system
Discovery and Classification – Find cardholder data (included with DAM; included with VA)

A Guardium agentless network scan (e.g. 10.10.9.*) finds the database instances.

No agent required:
ƒ Database Discovery
ƒ Classifier (Sensitive Data Discovery)
ƒ Vulnerability Assessment (VA)
ƒ Entitlement reports

Agent required:
ƒ Auditing
ƒ Real time alerting
ƒ Blocking
ƒ Dynamic Data Masking (DDM)
Discovery and Classification – Find cardholder data

When sensitive data is discovered, the actions can be:
• Alert and log
• Automatically update security policies
• Automatically update compliance reports


Discovery and Classification – Find cardholder data

After the agentless network scan (e.g. 10.10.9.*), classification reports the table and column location of the sensitive data.


Vulnerability and Configuration Assessment Architecture (included with VA)

ƒ Based on industry standards: DISA STIG and CIS Benchmark
ƒ Extensive library of pre-built tests for all supported platforms
ƒ Customizable tests to address your specific corporate security policies
  – Via custom scripts, SQL queries, environment variables, etc.
ƒ Combination of tests ensures comprehensive coverage:
  1. Database settings
  2. Operating system
  3. Observed behavior (database user activity)

Tests by tier:
DB tier (Oracle, SQL Server, DB2, Informix, Sybase, MySQL, Netezza, Teradata): permissions, roles, configurations, versions, custom tests
OS tier (Windows, Solaris, AIX, HP-UX, Linux, z/OS): configuration files, environment variables, registry settings, custom tests


Guardium Assessment Results

The assessment report shows an overall score, a detailed scoring matrix (are you making progress?), and recommendations on how to fix each failure.


Continuous Database Activity Monitoring (included with DAM)

• PCI and SOX accelerators included with DAM (guidance, reports, and more)
• Application monitoring (SAP, EBS, Siebel, PeopleSoft, Cognos, etc)
• Authorized application access only
Fine-Grained Policies with Real-Time Alerts (included with DAM)

Diagram: the application server (10.10.9.244) issues a SELECT on EmployeeTable against the database server (10.10.9.56); the policy evaluates the request and can alert in real time.

Heterogeneous support including System z and IBM i data servers.


S-GATE: Blocking Access (included with DAM Advanced)

“DBMS software does not protect data from administrators, so DBAs today have the ability to view or steal confidential data stored in a database.” Forrester, “Database Security: Market Overview,” Feb. 2009

How S-GATE works:
1. Privileged users (e.g. an outsourced DBA) or application servers issue SQL to the database (Oracle, DB2, MySQL, Sybase, etc.)
2. S-GATE holds the SQL
3. The policy is checked on the appliance
4. On a policy violation the connection is dropped and the session terminated
Mask Unauthorized Access To Sensitive Information (included with DAM Advanced)

Cross-DBMS Dynamic Data Masking (DDM)
✓ Cross-DBMS policies
✓ Mask sensitive data
✓ No database changes
✓ No application changes

Unauthorized users (e.g. an outsourced DBA) or application servers issue SQL to Oracle, DB2, MySQL, Sybase, etc. The S-TAP redacts and masks the sensitive data in the response, so the user’s view of the data differs from the actual data stored in the database.


InfoSphere Guardium Data Encryption

Three views of the same file:

                          Clear Text           Block-Level          MetaClear
File system metadata      Name: Jsmith.doc     fAiwD7nb$            Name: Jsmith.doc
                          Created: 6/4/99      Nkxchsu^j2           Created: 6/4/99
                          Modified: 8/15/02    3nSJis*jmSL          Modified: 8/15/02
File data                 Name: J Smith        dfjdNk%(Amg          dfjdNk%(Amg
                          CCN: 60115793892     8nGmwlNskd 9f        8nGmwlNskd 9f
                          Exp Date: 04/04      Nd&9Dm*Ndd           Nd&9Dm*Ndd
                          Bal: $5,145,789      xIu2Ks0BKsjd         xIu2Ks0BKsjd
                          SSN: 514-73-8970     Nac0&6mKcoS          Nac0&6mKcoS
                                               qCio9M*sdopF         qCio9M*sdopF

Block-level encryption encrypts metadata and file data alike; MetaClear leaves the file system metadata in the clear and encrypts only the file data.

• Protects sensitive information without disrupting data management
• High-performance encryption
• Root access control
• Data access as an intended privilege


Entitlement Reporting: Reducing the Cost of Managing User Rights (included with VA Advanced)

ƒ Provides a simple means of aggregating and understanding entitlement information
  – Scans and collects information on a scheduled basis, including group and role information
ƒ Out-of-the-box reports for common views
  – Report writer for custom views
ƒ Integrated with all other modules including workflow, etc.

Eliminates the resource intensive and error prone process of manually examining each database and stepping through roles
DB2 Entitlement Reports (sample report screenshot)


Heterogeneous Database Entitlement Reports – Oracle Sample Reports (sample report screenshot)


Audit Process Overview (included with DAM; included with VA)

ƒ Create a process to review entitlement reports and new connections to the database
ƒ Use separation of duties to validate the process

The Entitlement Report can be used to identify “new” connections to the database.


Audit Process Overview

Workflow roles:
1. Business Owner (PCI Role) approves or rejects new connections to the database
2. Information Security (InfoSec Role) confirms the Business Owner recommendation
3. Guardium Admin (Admin Role) only makes changes for “authorized” connections

If there are no new connections, the report will be empty and automatically approved… (i.e. don’t waste anyone’s time)


Audit Process Trail Created For Authorization Process

Here are the connections that need to be approved.


Audit Process Trail Created For Authorization Process

The reviewer can add comments.


Use Guardium API linkage with Reports to Automatically Add Connections

Four connections added to the group.
Next section: Architectural overview and policy primer
InfoSphere Guardium Architecture

Application servers (SAP, Oracle EBS, custom apps, etc) talk to the database server. The S-TAP (Software Tap) is a lightweight probe on the database server which copies information to the Guardium appliance, where it is kept as secure audit records. A role based GUI provides access to the audit data (Information Security, Auditors, DBA, etc).

Agent required:
ƒ Auditing
ƒ Real time alerting
ƒ Blocking
ƒ Dynamic Data Masking (DDM)

Appliance:
ƒ Support Separation of Duties
ƒ Collect and normalize data for efficient storage
ƒ Single repository for all audit data
ƒ Data is immediately available and highly secure
What Can Be Audited?

Key message
ƒ Information is based on a database session
ƒ Understand what needs to be audited

A typical database session, as seen on the client/server network connection between the database client and the database server:
– Activity from the DB client to the DB server: session starts (log in), SQL requests (commands), session ends (log out)
– Activity from the DB server to the DB client: failed login messages, SQL errors, result sets

What needs to be audited?
ƒ Session information
ƒ User information
ƒ SQL statements
ƒ Responses
  – Failed events
  – Result sets
Capture and Parsing Overview

A database client (user Joe) sends “Select name, cardid from Creditcard” to the database server. The S-TAP on the database server copies the statement and sends it to the Guardium Collector. The collector’s analysis engine parses the SQL statement and stores the result in a read-only hardened repository (no direct access) as related entities:
– Sessions: Joe
– Commands: Select
– SQL Objects: Creditcard
– Columns/Fields: name, cardid

How do you get access to this information?
Reports/Query Builder

The query builder for reports works over the entities and attributes held in the read-only hardened repository (no direct access): Sessions, Commands, Exceptions, Returned Data, SQL Objects, Columns/Fields.

Network packet example: 1.1.1.1 23345 10.12.1.12 1433 select name, cardid from Creditcard;

Traffic is parsed, analyzed and logged in the repository; it is filtered at different stages based on policy rules.
Policy Primer - Accessing the Policy Builder
3 Types of Policy Rules

Between the database client and the database server there are three points where a rule can fire: (1) the SQL query sent to the server, (2) the result set returned by the server, (3) an exception (SQL errors and more) returned by the server.

There are three types of rules:
1. An access rule applies to client requests
2. An extrusion rule evaluates data returned by the server
3. An exception rule evaluates exceptions returned by the server
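The capture-and-parsing slides above describe how one captured request is broken into session, command, object and field entities, and this slide lists the three rule types that are then evaluated against it. The following Python is an added example of that flow, written for this page rather than taken from Guardium: it parses the deck's network packet line into those entities and runs a toy access rule, extrusion rule and exception rule over it. The group contents are the deck's sample values (10.10.9.56, 10.10.9.251, creditcard); the SQL shapes, the row-count and failed-login thresholds, the 16-digit card pattern and the sample result set and error strings are all constructed assumptions.

```python
"""Added example: parse one captured database request into session / command /
object / field entities, then evaluate it with access, extrusion and exception
rules. Constructed rule logic; not Guardium's engine."""
import re
from dataclasses import dataclass, field

# Group contents as the deck builds them with grdapi (constructed copy).
GROUPS = {
    "Authorized Client IPs": {"10.10.9.56", "10.10.9.251"},
    "Cardholder Objects": {"creditcard"},
}

# Constructed pattern: a bare 16-digit card-number shape for the extrusion rule.
CARD_RE = re.compile(r"\b\d{16}\b")

# Statement shapes the toy parser understands: (regex, group index of the object).
SQL_SHAPES = [
    (re.compile(r"^(select)\s+(.*?)\s+from\s+([\w.]+)", re.I | re.S), 3),
    (re.compile(r"^(update)\s+([\w.]+)", re.I), 2),
    (re.compile(r"^(delete)\s+from\s+([\w.]+)", re.I), 2),
    (re.compile(r"^(insert)\s+into\s+([\w.]+)", re.I), 2),
]


@dataclass
class Session:
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    sql: str
    command: str = ""
    objects: list = field(default_factory=list)
    fields: list = field(default_factory=list)


def parse_packet(line: str) -> Session:
    """Split 'src_ip src_port dst_ip dst_port sql...' (the deck's packet line) into a Session."""
    src_ip, src_port, dst_ip, dst_port, sql = line.split(maxsplit=4)
    s = Session(src_ip, int(src_port), dst_ip, int(dst_port), sql.strip().rstrip(";").strip())
    for shape, obj_idx in SQL_SHAPES:
        m = shape.match(s.sql)
        if m:
            s.command = m.group(1).lower()
            s.objects = [m.group(obj_idx).lower()]
            if s.command == "select":
                s.fields = [f.strip().lower() for f in m.group(2).split(",")]
            break
    else:
        s.command = (s.sql.split() or [""])[0].lower()   # unknown shape: keep the verb only
    return s


def access_rule(s: Session) -> list:
    """Access rule: fires on the client request, before the server answers."""
    touched = set(s.objects) & GROUPS["Cardholder Objects"]
    if touched and s.client_ip not in GROUPS["Authorized Client IPs"]:
        return [f"ACCESS: {s.client_ip} not in Authorized Client IPs ran {s.command} on {sorted(touched)}"]
    return []


def extrusion_rule(rows: list, max_rows: int = 50) -> list:
    """Extrusion rule: fires on the result set the server returns."""
    findings = []
    if len(rows) > max_rows:
        findings.append(f"EXTRUSION: {len(rows)} rows returned, threshold is {max_rows}")
    if any(CARD_RE.search(str(v)) for row in rows for v in row):
        findings.append("EXTRUSION: returned data matches the card-number pattern")
    return findings


def exception_rule(errors: list, max_failed_logins: int = 3) -> list:
    """Exception rule: fires on errors the server returns (failed logins, SQL errors)."""
    failed = sum(1 for e in errors if "login failed" in e.lower())
    return [f"EXCEPTION: {failed} failed logins"] if failed >= max_failed_logins else []


def evaluate(packet_line: str, rows: list, errors: list) -> list:
    """Run all three rule types over one captured exchange and return the violations."""
    s = parse_packet(packet_line)
    return access_rule(s) + extrusion_rule(rows) + exception_rule(errors)


if __name__ == "__main__":
    # Constructed exchange: the deck's packet line plus a made-up result set and error list.
    line = "1.1.1.1 23345 10.12.1.12 1433 select name, cardid from Creditcard;"
    for v in evaluate(line, [("Joe", "4111111111111111")], ["Login failed for user 'sa'"] * 3):
        print(v)
```

The three rule functions take different inputs on purpose: the access rule only ever sees the parsed request, which is why it can block before any data leaves the server, while the extrusion and exception rules need the server's side of the conversation and can therefore only alert or terminate after the fact.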


SAP PCI Policy Overview (policy screenshot)


One Unauthorized Access Violates 4 Security Rules (report screenshot)


Quiz question!

What are the three types of policy rules? Pick the best answer from below:
1. Masking, extrusion, access
2. Access, PCI, compliance
3. Access, exception, extrusion
4. None of the above


Next section: Deployment topologies
Deployment flexibility and scalability

Deployment options:
– Standalone unit: a single Collector
– Central Manager and Aggregator (“Manager unit”) with Collectors (“Managed units”)
– Central Manager with several Aggregators, each with its own Collectors

The Central Manager (CM) contains the central location for policies and definitions for the entire federated system and provides “Enterprise Views”.
“Aggregation” = nightly audit data uploaded from the Collectors to the Aggregator.
Built-in redundancy for audit data (collector and aggregator).
Central Manager (included with CM/AGG)

Admin Console -> System: register managed units with the Central Manager. Both sides need the same shared secret to register.

Once units are registered, the Central Manager handles: install policy, patch distribution, registration, etc.
Enterprise S-TAP View (included with CM/AGG)
Scale from small to VERY large

ƒ Enterprise architecture with dynamic scalability
ƒ Non-invasive/disruptive, cross-platform architecture
ƒ No environment changes

Integration with:
•LDAP
•SIEM
•Change Mgt
•Archiving
•and more…
Failover, Load Balancing, and “Grid”

S-TAP to collector topologies:
1. Basic
2. Failover
3. Load Balancing
4. Grid: the same collector settings for all S-TAPs

For the load balanced and grid cases the S-TAP points at the load balancer’s virtual IP:
sqlguard_ip=virtual IP
sqlguard_port=16016
primary=1

Tested with load balancers from F5 & Cisco. F5 deployment guide: http://www.f5.com/pdf/deployment-guides/ibm-guardium-dg.pdf
Quiz question!

If you need to create corporate audit reports as well as manage a large number of Collectors, which configuration do you need? Pick the BEST answer:
1. Central Manager directly managing Collectors
2. Aggregator connected to Collectors
3. A web application to roll up your reports
4. A Central Manager and one or more Aggregators


Next section: Guardium team and projects
Roles and responsibilities – The TEAM

Guardium Access Manager: access control
Guardium Admin: data collection and reporting
Guardium System Administrator: system health
Database Advisor: provide DBA level understanding and review
Application Advisor: provide application level understanding and review
Compliance Advisor: identify requirements for compliance
Getting started on a monitoring project

0. Education and training, and 1. Installation planning
  • Project Manager
  • DBA Advisor
  • Security
  • Auditor
  • Network Admin
  • System Admin
  • Guardium administrator

2. Appliance installation
  • Project Manager
  • Network Administrator
  • Guardium Administrator

3. S-TAP agent installation
  • Guardium Administrator
  • DBA Advisor
  • Database server system administrator

4. Monitoring requirements
  • Those responsible for monitoring, security and review of the logged data. This typically includes:
    – Information Security
    – Audit
    – DBA Advisor
    – Data Stewards/Architects

5. Guardium operations
  • IT infrastructure
  • Guardium SysAdmin
  • Disk storage Admin
Next section: Whirlwind tour of the UI
Default user view

Navigate using the tabs and menus; Search, Map and Help sit at the top; the content is shown in portlets.
Default user view – Quick Start

One-page quick start to generate and install a policy, define vulnerability tests (if licensed) and define an audit process, presented as portlets.
Default user view – Quick Start

Governance, risk and compliance heat map. Double-click a cell for detailed reports.
Default user view

Main areas of the default user view:
– Build policies and reports
– DB discovery and classification
– VA and configuration access (if licensed)
– Create audit process workflows…
– Create policies and alerts, and see policy violations
Tip: Use Portal Map or Portal Search to quickly find what you need (for example, someone’s custom portlet)
Help System

The Appendices help book has useful reference info such as APIs, entities and attributes, etc. You can download a help PDF for offline reading.
Default admin user view

Main areas: create groups, policies, workflows…; reports for daily monitoring; policy violations and alerts; configuration. Double-click a chart for the tabular report.
Default access manager

Add users and roles; configure data-level security.
ƒ Granularity and flexibility in roles
ƒ Ability to create your own roles
ƒ Ability to create user hierarchies to ensure automatic filtering of results based on the user’s database
Next section: Administration/automation (CLI and API)
Command Line Interface (CLI) and APIs (GuardAPI)

ƒ The command line interface is used for configuration, troubleshooting and management of the Guardium system
ƒ The extensive set of GuardAPIs can be used by a user with either the admin or CLI role for automation of repetitive tasks or for ongoing maintenance
  – Creating datasources, adding users/members to groups, connection profiling, entitlement report automation and more
  – Many are invokable from reports in the UI!
ƒ GuardAPIs are documented in the Appendices help book or from the CLI
  – To see a list of all grdapi commands, enter:
    CLI> grdapi
  – To see the parameters for a particular command:
    CLI> grdapi list_entry_location --help=true
APIs enable automation and ease maintenance

Example: Add a member to a group from a report

This example shows how you can use the API to add an ‘authorized’ MapReduce job to a group so it won’t appear in this report anymore: the API is invoked from the report row to add the member to the group.
APIs enable automation and ease maintenance

Example: Add a member to a group from a script
-- Create group and members of the group
grdapi create_group desc=SensitiveObjectsMonitored type=objects appid=Public owner=admin
grdapi create_member_to_group_by_desc desc=SensitiveObjectsMonitored member=creditcard
grdapi create_member_to_group_by_desc desc="Cardholder Objects" member=creditcard
grdapi create_member_to_group_by_desc desc="Authorized Client IPs" member="10.10.9.56"
grdapi create_member_to_group_by_desc desc="Authorized Client IPs" member="10.10.9.251"

This example shows how you can use the API to quickly get up and running with groups for PCI compliance.
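The script above is typed by hand; in a real rollout the group members usually come from a spreadsheet or CMDB export. As an added example (not from the deck or from IBM), the Python below generates that grdapi batch from a CSV, drops duplicate rows and rejects members of IP groups that do not parse as IP addresses before they ever reach the appliance. The command and parameter names (create_member_to_group_by_desc, desc, member) and the group names are the deck's; the CSV layout, the convention that "Authorized Client IPs" holds only IP addresses, and the sample rows are assumptions.

```python
"""Added example: build a deduplicated batch of grdapi create_member_to_group_by_desc
commands from a CSV, rejecting malformed IP members. CSV layout is an assumption."""
import csv
import io
import ipaddress

# Constructed input; a real run would read this from a file.
SAMPLE_CSV = """group,member
Authorized Client IPs,10.10.9.56
Authorized Client IPs,10.10.9.251
Authorized Client IPs,10.10.9.56
Authorized Client IPs,10.10.9.999
Cardholder Objects,creditcard
"""


def quote(value: str) -> str:
    """Quote anything that is not a plain identifier, as the deck does for IPs and multi-word names."""
    return value if value.replace("_", "").isalnum() else f'"{value}"'


def build_member_commands(csv_text: str, ip_groups=("Authorized Client IPs",)):
    """Return (commands, rejected).

    Members of the groups named in ip_groups must parse as IP addresses (assumed
    convention); duplicates and blank rows are skipped silently.
    """
    commands, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        group, member = row["group"].strip(), row["member"].strip()
        if not group or not member or (group, member) in seen:
            continue
        if group in ip_groups:
            try:
                ipaddress.ip_address(member)
            except ValueError:
                rejected.append((group, member))
                continue
        seen.add((group, member))
        commands.append(
            f"grdapi create_member_to_group_by_desc desc={quote(group)} member={quote(member)}"
        )
    return commands, rejected


if __name__ == "__main__":
    cmds, bad = build_member_commands(SAMPLE_CSV)
    print("\n".join(cmds))
    for group, member in bad:
        print(f"# rejected: {member!r} is not an IP address (group {group})")
```

Rejected rows are reported rather than dropped so the person running the batch can fix the source data; a silently skipped row in an allow-list group would otherwise turn into an unexplained policy violation later.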
Next section: Where to find more information
Information and training

ƒ InfoSphere Guardium YouTube Channel – includes overviews and technical demos
ƒ InfoSphere Guardium newsletter
ƒ developerWorks forum (very active)
ƒ Guardium DAM User Group on LinkedIn (very active)
ƒ Community on developerWorks (includes content and links to a myriad of sources, articles, etc)
ƒ Guardium Info Center (installation, System z S-TAPs and some how-tos, more to come)
ƒ Technical training courses (classroom and self-paced)
ƒ Business Partner bootcamps

Hands on! Ask your IBM sales rep about upcoming Proof of Technologies. For example:
March 12, KC, MO
March 19, Tulsa, OK
Next Guardium Tech Talk

Next tech talk: Roadmap to a successful V9 upgrade
Speakers: Vlad Langman and Abdiel Santos
Date & Time: Wednesday March 14, 2013, 11:30 AM Eastern
Register here: http://bit.ly/Vkc8g2

ƒ A link to more information about this and upcoming tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o
ƒ Please submit a comment on this page for ideas for tech talk topics.
Thank you (the slide shows “thank you” in Polish (Dziękuję), Traditional Chinese, Thai, Spanish (Gracias), French (Merci), Russian, Arabic, Brazilian Portuguese (Obrigado), German (Danke), Swedish (Tack), Simplified Chinese, Japanese and Italian (Grazie))
Backup slides


Discovering Sensitive Data in Databases

• Discover database instances on the network
• Catalog Search: search the database catalog for a table or column name
  – Example: search for tables where the column name is like “%card%”
• Search by Permission: search for the types of access that have been granted to users or roles
• Search for Data: match specific values or patterns in the data
  – Example: search for objects matching guardium://CREDIT_CARD (a built-in pattern defining various credit card patterns)
• Search for Unstructured Data: match specific values or patterns in an unstructured data file (CSV, Text, HTTP, HTTPS, Samba)
Identifying Fraud at the Application Layer

ƒ Issue: the application server uses a generic service account to access the DB
  – Doesn’t identify who initiated the transaction (connection pooling)
ƒ Solution: Guardium tracks access to the application user associated with specific SQL commands
  – Out-of-the-box support for all major enterprise applications (Oracle EBS, PeopleSoft, SAP, Siebel, Business Objects, Cognos…) and custom applications (WebSphere, WebLogic, ….)
  – Deterministic vs. time-based “best guess”
  – No changes to applications

Diagram: application users (Joe, Marc) -> application server -> database server
Enforcing Change Controls + Integrating with Change Management Systems

• Tag DBA actions with a ticket ID
• Compare observed changes to approved changes
• Identify unauthorized changes (red) or changes with invalid ticket IDs
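The three bullets above are a reconciliation: every observed DDL statement must map to an approved change ticket whose window and executor match. The Python below is an added example of that check, not code from the deck or from Guardium. The ticket tag convention (a "CHG-nnnn" marker in a SQL comment), the approved-ticket table, the list of observed statements and the set of DDL verbs are all constructed assumptions.

```python
"""Added example: reconcile observed DDL against approved change tickets and
flag changes with no ticket, an unknown ticket, a ticket used outside its
window, or a ticket executed by someone other than the approved user."""
import re
from datetime import datetime

# Constructed conventions: which verbs count as a change, and how a ticket is tagged.
DDL_RE = re.compile(r"^\s*(alter|create|drop|grant|revoke|truncate)\b", re.I)
TICKET_RE = re.compile(r"(CHG-\d+)")

# Constructed approved changes: ticket -> (window start, window end, approved db user)
APPROVED = {
    "CHG-1001": (datetime(2013, 2, 21, 1, 0), datetime(2013, 2, 21, 3, 0), "dba_joe"),
    "CHG-1002": (datetime(2013, 2, 22, 1, 0), datetime(2013, 2, 22, 3, 0), "dba_ann"),
}

# Constructed observed statements: (timestamp, db user, sql text as captured)
OBSERVED = [
    (datetime(2013, 2, 21, 1, 30), "dba_joe", "ALTER TABLE creditcard ADD status CHAR(1) -- CHG-1001"),
    (datetime(2013, 2, 21, 14, 5), "dba_joe", "DROP TABLE audit_tmp -- CHG-1001"),
    (datetime(2013, 2, 21, 15, 0), "dba_ann", "GRANT SELECT ON creditcard TO appuser -- CHG-9999"),
    (datetime(2013, 2, 21, 16, 0), "dba_ann", "CREATE INDEX ix1 ON creditcard(cardid)"),
    (datetime(2013, 2, 21, 16, 5), "appuser", "SELECT name, cardid FROM creditcard"),
]


def classify(ts, user, sql, approved=APPROVED):
    """Return None for non-DDL or properly approved changes, otherwise a reason string."""
    if not DDL_RE.match(sql):
        return None
    m = TICKET_RE.search(sql)
    if not m:
        return "no ticket"
    ticket = m.group(1)
    if ticket not in approved:
        return f"invalid ticket {ticket}"
    start, end, expected_user = approved[ticket]
    if not (start <= ts <= end):
        return f"{ticket} outside approved window"
    if user != expected_user:
        return f"{ticket} executed by {user}, approved for {expected_user}"
    return None


def unauthorized_changes(observed=OBSERVED, approved=APPROVED):
    """List (timestamp, user, sql, reason) for every observed change not covered by an approved ticket."""
    findings = []
    for ts, user, sql in observed:
        reason = classify(ts, user, sql, approved)
        if reason:
            findings.append((ts, user, sql, reason))
    return findings


if __name__ == "__main__":
    for ts, user, sql, reason in unauthorized_changes():
        print(f"{ts:%Y-%m-%d %H:%M} {user:8} {reason:32} {sql}")
```

Checking the window and the executor, not just the ticket's existence, is what catches a valid ticket number being reused for an unrelated change later in the day.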
Monitoring Data Leakage from High-Value Databases

Should my customer service rep view 99 records in an hour? Is this normal? What exactly did Joe see?
Tracking privileged users who switch accounts

Privileged user activity:
1. Joe logs in to Linux
2. He switches to the Oracle shell account
3. Logs into Oracle as system
4. Gives himself a big bonus!

What InfoSphere Guardium shows you: (report screenshot)
Query Based Test Results

ƒ Test the database to validate that all triggers are actually owned by the table owner
ƒ SQL = Select count(*) from all_triggers where owner <> table_owner
ƒ If the count exceeds a threshold of 7 items, fail the test
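A query-based test is just a count plus a threshold, so it can be exercised outside the appliance. The Python below is an added example written for this page, not Guardium code: it runs the slide's query and threshold against an in-memory SQLite table that stands in for Oracle's ALL_TRIGGERS view. The table layout and the constructed trigger rows are assumptions.

```python
"""Added example: run a query-based assessment test (the deck's trigger-owner
check) against a constructed catalog and decide pass/fail by threshold."""
import sqlite3

TEST_SQL = "select count(*) from all_triggers where owner <> table_owner"   # the deck's query
THRESHOLD = 7                                                               # the deck's threshold


def build_db(mismatched: int, matched: int = 3) -> sqlite3.Connection:
    """Constructed stand-in for ALL_TRIGGERS with `mismatched` triggers owned by someone other than the table owner."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table all_triggers (owner text, trigger_name text, table_owner text, table_name text)"
    )
    rows = [("HR", f"trg_ok_{i}", "HR", "employees") for i in range(matched)]
    rows += [("SCOTT", f"trg_bad_{i}", "HR", "employees") for i in range(mismatched)]
    conn.executemany("insert into all_triggers values (?,?,?,?)", rows)
    return conn


def run_query_test(conn: sqlite3.Connection, sql: str = TEST_SQL, threshold: int = THRESHOLD):
    """Return (passed, count). The test fails only when the count exceeds the threshold."""
    (count,) = conn.execute(sql).fetchone()
    return count <= threshold, count


def offending_triggers(conn: sqlite3.Connection):
    """The detail a remediation step needs: which triggers are not owned by their table's owner."""
    return conn.execute(
        "select owner, trigger_name, table_owner, table_name from all_triggers where owner <> table_owner"
    ).fetchall()


if __name__ == "__main__":
    db = build_db(mismatched=8)
    passed, count = run_query_test(db)
    print(f"trigger owner test: {'PASS' if passed else 'FAIL'} ({count} mismatched, threshold {THRESHOLD})")
    for row in offending_triggers(db):
        print("  ", row)
```

A pass/fail on the count is what feeds the score; the detail query alongside it is what turns a failed test into a remediation list.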


SAP PreDefined PCI Policy Rule (Access Rule)

Track - PCI CardHolder Data


Unauthorized Users Accessing Credit Cards -- Guardium Verifies Credit Card Validity With Luhn Algorithm
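The Luhn check named in this slide is what separates a real card number from any other 16-digit string, and the discovery slide in these backup pages pairs a catalog search (column names like “%card%”) with a data search for card patterns. The Python below is an added example of both steps with Luhn validation applied to every candidate; it is not Guardium's classifier or its guardium://CREDIT_CARD pattern. SQLite with two constructed tables stands in for a scanned database, and the digit-run pattern, the column LIKE pattern and the sample values (published test card numbers plus one Luhn-invalid lookalike) are assumptions.

```python
"""Added example: catalog search plus data search with Luhn validation over a
constructed SQLite database. Not Guardium's classifier."""
import re
import sqlite3

CANDIDATE_RE = re.compile(r"\b\d{13,19}\b")   # constructed: digit runs of card length


def luhn_valid(digits: str) -> bool:
    """Luhn check: double every second digit from the right, subtract 9 if over 9, sum must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def build_sample_db() -> sqlite3.Connection:
    """Constructed data: two Luhn-valid test numbers, one invalid lookalike, one valid number buried in free text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table customers (id integer, name text, cardnum text)")
    conn.execute("create table orders (order_id integer, note text)")
    conn.executemany("insert into customers values (?,?,?)", [
        (1, "Ann", "4111111111111111"),   # valid Luhn
        (2, "Bob", "378282246310005"),    # valid Luhn
        (3, "Cy", "1234567812345678"),    # fails Luhn: looks like a card, is not one
    ])
    conn.executemany("insert into orders values (?,?)", [
        (10, "ref 1234567812345678"),            # fails Luhn
        (11, "card 5500000000000004 on file"),   # valid Luhn hidden in a text column
    ])
    return conn


def tables(conn):
    return [t for (t,) in conn.execute("select name from sqlite_master where type='table'")]


def catalog_search(conn, column_like: str = "%card%"):
    """Catalog search: (table, column) pairs whose column name matches the LIKE pattern."""
    hits = []
    for table in tables(conn):
        for col in conn.execute(f"pragma table_info({table})"):
            if conn.execute("select ? like ?", (col[1], column_like)).fetchone()[0]:
                hits.append((table, col[1]))
    return hits


def data_search(conn):
    """Data search: count Luhn-valid card-shaped values per (table, column) across all text columns."""
    counts = {}
    for table in tables(conn):
        text_cols = [c[1] for c in conn.execute(f"pragma table_info({table})") if c[2].lower() == "text"]
        for col in text_cols:
            for (value,) in conn.execute(f"select {col} from {table}"):
                for cand in CANDIDATE_RE.findall(str(value)):
                    if luhn_valid(cand):
                        counts[(table, col)] = counts.get((table, col), 0) + 1
    return counts


if __name__ == "__main__":
    db = build_sample_db()
    print("catalog search:", catalog_search(db))
    print("data search:   ", data_search(db))
```

The two searches find different things: the catalog search names the column someone labelled as a card field, while the data search finds the card number that ended up in a free-text note where no column name would ever reveal it. Without the Luhn step the data search would also report the two 1234567812345678 lookalikes, which is exactly the false-positive rate that makes discovery reports unreadable.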


PCI Track Data…

Guardium Tracks PCI “Track Data”

ƒ DO NOT store the full contents of any track from the magnetic stripe
ƒ DO NOT store the card-validation code (three-digit or four-digit value printed on the front or back of a payment card (e.g., CVV2 and CVC2 data))
ƒ DO NOT store the PIN Verification Value (PVV)
