NIBSS
2021.04.28
Revision History
Revision Date Author Notes
Purpose
Stakeholders and Team
Executive Summary
Key Solution Criteria
PoC Scope
Environment
  Prerequisites
  Required Personnel
  Success Criteria
  Approach
Assumptions
Deployment Tasks
  Pre-Site-Consultation
PoC Scope Signoff
PoC Completion Signoff
Purpose
The purpose of this PoC scope document is to define the approach and project management
methodology that will be applied to the IBM Security Guardium PoC being conducted by BOCH for
NIBSS.
BOCH Team:
Role Name
Account Manager
Engineer
Engineer
Guardium is part of the IBM Security Suite, an integrated platform for defining, integrating, protecting and
managing trusted information across NIBSS’s systems.
BOCH will deploy Guardium at NIBSS’s premises to integrate the IBM Security Guardium with NIBSS’s
databases in order to ensure that the databases are secure and can only be accessed by those
authorized to do so.
IBM Security Guardium is an appliance consisting of system software, hardware and the SQL Guard
Security Suite. Upon installation and connection to the network, SQL Guard immediately begins
monitoring and capturing valuable information about the who, what, when, where and how of activity between
users and relational databases. To better understand the components of the IT environment, IBM Security
Guardium’s auto-discovery capability builds an interactive, real-time graphical map of the infrastructure
configuration including database and network connections.
PoC Scope
The development and documentation of mutually agreed-upon success criteria is critical to measuring the
effectiveness of the deployment. IBM Security Guardium can collect a lot of information related to
database access, so it is important to know, before the deployment starts, what information is of interest
to NIBSS. Post-deployment, the data IBM Security Guardium has collected will be
reviewed and discussed.
Environment
The Database Inventory Spreadsheet and the Pre-Installation Questionnaire are used to identify the
number of databases and applications that are within the scope of the evaluation. The second worksheet
is needed to determine the preferred type of network connectivity to be used, as well as to configure the
Guardium appliance. The network information needed to configure the appliance is:
Prerequisites
Hardware Installation: The unit will be installed in the server room, ideally connected to the same
switch that the database server is using. Authorization will be needed to install the unit, connect
it to the network, and connect it to any SPAN/mirror ports (if used).
Agent Installation: On each database server, a lightweight GIM/S-TAP Guardium agent will be
installed and configured to monitor local and network activity.
Firewall configuration: For the S-TAP software, ports between the database server and the collector
need to be opened to allow the S-TAP agent to communicate with the collector. For UNIX/Linux
systems, this defaults to port 16016 (TCP, both directions); for Windows, this defaults to ports
8075 (UDP, both directions) and 9500 (TCP, both directions). More information about port
requirements can be found at: http://www-01.ibm.com/support/docview.wss?uid=swg21569674
A NIBSS PC for web-based management of the appliance (port 8443 HTTPS)
Detailed information on existing access control systems and SIEM solution
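The port prerequisites above can be turned into a firewall change request and a pre-site connectivity check. The following is an added example, not part of the original PoC document or of Guardium itself; the host names, the OS family labels and the function names are assumptions made for illustration.

```python
import socket

# Default ports from the Prerequisites above. The host names used with these
# functions are constructed placeholders, not values from the PoC document.
STAP_PORTS = {
    "unix": [("tcp", 16016)],                    # UNIX/Linux S-TAP
    "windows": [("udp", 8075), ("tcp", 9500)],   # Windows S-TAP
}
MGMT_PORT = 8443  # HTTPS web management of the appliance


def required_rules(inventory, collector, mgmt_pc):
    """Build the firewall change request from (host, os_family) pairs."""
    rules = []
    for host, os_family in inventory:
        key = os_family.strip().lower()
        if key not in STAP_PORTS:
            raise ValueError(f"{host}: unknown OS family {os_family!r}")
        for proto, port in STAP_PORTS[key]:
            # S-TAP ports must be open in both directions
            rules.append((host, collector, proto, port, "both"))
    rules.append((mgmt_pc, collector, "tcp", MGMT_PORT, "to collector"))
    return rules


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_from(source, rules, probe=tcp_reachable):
    """Probe the rules that originate at `source` (the machine running this).

    UDP rules are reported as 'manual': a connectionless send cannot confirm
    that the firewall passed the datagram.
    """
    results = {}
    for src, dst, proto, port, _direction in rules:
        if src != source:
            continue
        if proto == "tcp":
            results[(dst, proto, port)] = "open" if probe(dst, port) else "blocked"
        else:
            results[(dst, proto, port)] = "manual"
    return results
```

A "blocked" result means the TCP handshake did not complete; before the collector is installed and listening, that can reflect the missing listener rather than a firewall rule.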
Required Personnel
At a minimum, the people or roles identified as the NIBSS team are required to be
available for the duration of the deployment. At least 1 member of BOCH personnel will be available at all times to
lead and execute the deployment tasks.
The unavailability of any of these resources will be a potential risk to the success of the project.
The critical success factors to meet the objectives of the deployment are:
Strong executive sponsorship and management support of the project objectives and project
team
Active project involvement and representation from the functional end-user community and
NIBSS team
Adequate project staffing for the expected goals and timeline to be met
A committed and well-informed project manager and project team having a thorough
understanding of the project objectives
A thorough understanding of known project risks and assumptions across management and
the project team
Below is a feature and capability list of the solution that is being proposed to NIBSS as a complete
solution for database monitoring and auditing. The list can be extended based on customer requirements.
The unavailability of any of the items under the heading “NIBSS DELIVERABLES” constitutes a risk to
this deployment.
1. Database discovery and vulnerability assessment
   Feature / capability:
   - Initial and continuous scan of NIBSS environment to discover new databases as
     they are installed or old undocumented databases
   - Assess discovered databases for vulnerability
   - Classify discovered data and identify sensitive data based on data masks and
     other information provided by NIBSS
   NIBSS DELIVERABLES:
   - DBA will be required to run Guardium scripts to create usernames with required
     credentials for Guardium assessment tests
   - IP address range for NIBSS infrastructure and proposed Guardium appliances
   - List of databases to be protected
2. Archiving
   Feature / capability:
   - Implement Guardium data archiving process (secure copy protocol)
   NIBSS DELIVERABLES:
   - Access and credentials for NIBSS SCP storage pool
   - If no SCP server is available at NIBSS, one must be provided for Guardium
     backups with a minimum of 1TB total storage space
3. Real-time alerting
   Feature / capability:
   - Implement real-time alerts via dashboard
   - Realtime email alerts
   - Policy violation alerts
   - Alerts on access to sensitive data
   NIBSS DELIVERABLES:
   - Email administrator to provide access credentials to email server
   - Email server parameters
   - List of sensitive data
The BOCH project team will approach the deployment with the following perspectives in mind:
Pre-Site-Consultation
Onsite Implementation
Please see the Project Tasks section of this document for a listing of Pre-Site Consultation and Onsite
Implementation tasks.
Assumptions
NIBSS provides sufficient access to the hardware and software environments being
used for the deployment, including network connectivity and required authorizations.
NIBSS ensures sufficient participation from all team members as described earlier
in this document, especially from:
Information Security administrator
Network and security administrator, and
DBA.
NIBSS will test the software according to the schedule and procedures outlined.
Pre-Site-Consultation
This phase is a critical element in the initiation of the project. Time properly spent during this phase
translates into time savings throughout the project. To ensure that NIBSS receives
the full benefits of the time we are onsite, BOCH has created a checklist of items that need to be
completed prior to our arrival.
TASK PARTICIPANTS
Prepare the onsite environment
1 Have all systems installed and ready NIBSS
Have all databases ready with BOCH
Deployment Agenda
1. System Installation
Staff required: Network Admin, Guardium Sys Admin (delegated by NIBSS)
Time: 1-8 hours per site (total number of sites indicated in diagram above)
Required: Guardium appliances, access to NIBSS server racks, access to min 1Gbps network
interfaces for each appliance.
Steps:
a. Install appliance in NIBSS environment
b. Configure appliance with IP information above
c. Connect to Management LAN
d. Configure network traffic capture (Inspection Engines)
e. Verify (ping to gateway)
2. S-TAP Installation
Staff required: System Admin, DBA, and Guardium Sys Admin
Time: 1-4 hours per database + database restart schedule (if required)
Required: Root level access to the database server. 150 Mb hard drive space. The system will
normally not need to be rebooted during this process (depending on OS).
Steps:
a. Copy software to server (available on CD and USB drive)
3. Traffic Capture
Staff required: DBA, Guardium Sys Admin
Time: 1-4 hours (if no connectivity issues are encountered)
Required: Local and network access to the monitored databases.
Steps:
a. Generate local database traffic
b. Generate network database traffic
c. Verify all traffic capture
4. Alerting
Staff required: SMTP or SNMP Admin, Guardium Sys Admin
Time: 1 hour (if no connectivity issues are encountered)
Required: SMTP or SNMP server configured to receive messages.
Steps:
a. Create test policy, send alert
b. Verify Firewall is configured to allow traffic
c. Verify message received
5. Integration
Staff required: Guardium Sys Admin, AD / LDAP admin, SIEM Admin
Time: 8 hours (if no connectivity issues are encountered)
Required: SIEM server configured to receive messages. May create Guardium-specific AD group.
Steps:
a. Connect Guardium to LDAP server, test
b. Verify Firewall is configured to allow traffic
c. Import LDAP users and information
d. Configure Guardium to send syslog messages to SIEM
e. Review syslog messages to determine correct format
BOCH and NIBSS agree to the statement of work as defined in this document.
NIBSS Stakeholder:
Name:____________________________
Signed: ___________________________
Date: _____________________________
BOCH Stakeholder:
Name:____________________________
Signed: ___________________________
Date: _____________________________
BOCH Stakeholder:
Name:____________________________
Signed: ___________________________
Date: _____________________________
Name:____________________________
Signed: ___________________________
Date: _____________________________