
IBM Security Guardium

PoC Scope Document

Deployment Scope Prepared for:

NIBSS

2021.04.28

IBM InfoSphere Guardium PoC - Scope Document


Reviewers
Note: Reviewers are those who are impacted by changes to this document. The document cannot move to a new release without
the reviewers having had an opportunity to comment.

Company Name Comments


NIBSS

Revision History
Revision Date Author Notes

Contents

Purpose
Stakeholders and Team
Executive Summary
Key Solution Criteria
PoC Scope
Environment
    Prerequisites
    Required Personnel
    Success Criteria
    Approach
Assumptions
Deployment Tasks
    Pre-Site-Consultation
PoC Scope Signoff
PoC Completion Signoff

POC SCOPE DOCUMENT

Purpose
The purpose of this PoC scope document is to define the approach and project management
methodology that will be applied to the IBM Security Guardium PoC being conducted by BOCH for
NIBSS.

Stakeholders and Team


NIBSS Team:
Role Name
Project Coordinator
Security Administrator
System Administrator
Network Administrator
DBA

BOCH Team:
Role Name
Account Manager
Engineer
Engineer

Executive Summary

Guardium is part of the IBM Security Suite, an integrated platform for defining, integrating, protecting and
managing trusted information across NIBSS’s systems.
BOCH will deploy Guardium at NIBSS’s premises and integrate IBM Security Guardium with NIBSS’s
databases in order to ensure that the databases are secure and can only be accessed by those
authorized to do so.

IBM Security Guardium is an appliance consisting of system software, hardware and the SQL Guard
Security Suite. Upon installation and connection to the network, SQL Guard immediately begins
monitoring and capturing valuable information about the who, what, when, where and how of activity
between users and relational databases. To better understand the components of the IT environment,
IBM Security Guardium’s auto-discovery capability builds an interactive, real-time graphical map of the
infrastructure configuration, including database and network connections.

Key Solution Criteria

The deployment should achieve the following results:


1. Train NIBSS personnel in the deployment and management of Guardium.
2. Deploy the IBM Security Guardium physical/virtual appliance in NIBSS’s environment.
3. BOCH and NIBSS personnel install the appliance and DB agents and verify initial data collection.
4. Create or modify reports and views required by the specified success criteria.
5. Verify reports and views with NIBSS’s representative.
6. Integrate Guardium with existing access control systems (e.g. Microsoft AD) and existing SIEM
solutions.
7. Present the PoC report to NIBSS’s management team.

PoC Scope

The development and documentation of mutually agreed-upon success criteria is critical to measuring the
effectiveness of the deployment. IBM Security Guardium can collect a lot of information related to
database access, so it is important to know, before the deployment starts, what information is of interest
to NIBSS. After the deployment, the data IBM Security Guardium has collected will be
reviewed and discussed.

Environment

The following information must be provided to BOCH by NIBSS prior to shipment of the IBM Security
Guardium appliance.

The Database Inventory Spreadsheet and the Pre-Installation Questionnaire are used to identify the
number of databases and applications that are within the scope of the evaluation. The second worksheet
is needed to determine the preferred type of network connectivity to be used, as well as to configure the
Guardium appliance. The network information needed to configure the appliance is:

IP address and mask for Guardium system:   x.x.x.x/24
Guardium Host Name and DNS Domain:         e.g. guard.company.com
Default Route (IP only):                   x.x.x.y
DNS Resolver(s) (IP only):                 x.x.x.x
Network time server (IP only):             y.y.y.z

Prerequisites

• Hardware Installation: The unit will be installed in the server room, ideally connected to the same
switch that the database server is using. Authorization will be needed to install the unit, connect
it to the network, and connect it to any SPAN/mirror ports (if used).
• Agent Installation: For each database server, a lightweight GIM/S-TAP Guardium agent will be
installed and configured to monitor local and network activity.
• Firewall configuration: For the S-TAP software, ports between the database server and the collector
need to be opened to allow the S-TAP agent to communicate with the collector. For UNIX/Linux
systems, this defaults to port 16016 (TCP, both directions); for Windows, this defaults to ports
8075 (UDP, both directions) and 9500 (TCP, both directions). More information about port
requirements can be found at: http://www-01.ibm.com/support/docview.wss?uid=swg21569674
• A NIBSS PC for web-based management of the appliance (port 8443 HTTPS)
• Detailed information on existing access control systems and SIEM solution

Required Personnel
At a minimum, the people or roles identified as the NIBSS team are required to be
available for the duration of the deployment. At least 1 BOCH staff member will be available at all times to
lead and execute the deployment tasks.

The unavailability of any of these resources will be a potential risk to the success of the project.

Success Criteria

Critical Success Factors

The critical success factors to meet the objectives of the deployment are:
• Strong executive sponsorship and management support of the project objectives and project
team
• Active project involvement and representation from the functional end-user community and
NIBSS team
• Adequate project staffing for the expected goals and timeline to be met
• A committed and well-informed project manager and project team having a thorough
understanding of the project objectives
• A thorough understanding of known project risks and assumptions throughout management and
project team

Critical Success Measures / Requirements

Below is a feature and capability list of the solution that is being proposed to NIBSS as a complete
solution for database monitoring and auditing. The list can be extended based on customer requirements.
The unavailability of any of the items under the heading “NIBSS DELIVERABLES” constitutes a risk to
this deployment.

Each KEY REQUIREMENT below is listed with its DEPLOYMENT TASKS and its NIBSS DELIVERABLES.

1. Database discovery and vulnerability assessment
DEPLOYMENT TASKS
• Initial and continuous scan of NIBSS environment to discover new databases as they are installed or old undocumented databases
• Assess discovered databases for vulnerability
• Classify discovered data and identify sensitive data based on data masks and other information provided by NIBSS
NIBSS DELIVERABLES
• DBA will be required to run Guardium scripts to create usernames with required credentials for Guardium assessment tests
• IP address range for NIBSS infrastructure and proposed Guardium appliances
• List of databases to be protected

2. Archiving
DEPLOYMENT TASKS
• Implement Guardium data archiving process
NIBSS DELIVERABLES
• Access and credentials for NIBSS (secure copy protocol) SCP storage pool
• If no SCP server is available at NIBSS, one must be provided for Guardium backups with a minimum of 1TB total storage space

3. Real-time alerting
DEPLOYMENT TASKS
• Implement real-time alerts via dashboard
• Realtime email alerts
• Policy violation alerts
• Alerts on access to sensitive data
• Threshold alerts
• Repeated failed logins
• Alert on database server changes (e.g. /etc/passwd or $ORACLE_HOME/network/admin/tnsnames.ora)
NIBSS DELIVERABLES
• Email administrator to provide access credentials to email server
• Email server parameters
• List of sensitive data
• Structure of sensitive data fields
• Systems administrator to provide system credentials
• Sysadmin required to install Guardium agent on servers utilizing “root” credentials

4. Reporting
DEPLOYMENT TASKS
• Capture and report on data definition language (DDL) commands
• Capture and report on data manipulation language (DML) commands
• Report on detailed SQL
• Custom report creation
• Demonstrate summary reports in dashboard and drill-down
• Modify required predefined reports
NIBSS DELIVERABLES
• DB credentials
• Define required report

5. Audit and Compliance
DEPLOYMENT TASKS
• Compliance reporting based on global standards
• Per user and per activity auditing
• Audit review process
NIBSS DELIVERABLES
• NIBSS security standards
• NIBSS configuration baseline for database servers

6. Monitoring
DEPLOYMENT TASKS
• Track administrative commands
• Track failed logins
• SQL exceptions (including failed commands)
• Check internal database occupation during deployment period (~MB/day) and determine optimal retention
• Check CPU/Memory usage of the agent used to monitor network and/or local activity
NIBSS DELIVERABLES
• DBA
• Sysadmin
• DB and system credentials

7. Integration
DEPLOYMENT TASKS
• Integrate Guardium with existing AD / LDAP server
• Integrate Guardium with existing SIEM solution
NIBSS DELIVERABLES
• Sysadmin to create Guardium user for AD / LDAP integration with required credentials
• Sysadmin to create or identify Guardium-specific groups to be imported to the Guardium appliance for management
• Sysadmin to provide required information on directory structure including full qualified names of all required groups and users
• SIEM administrator to provide data structure, IP address and port for SIEM integration

8. Policy management
DEPLOYMENT TASKS
• Deploy required built-in policies
• Create custom policies
NIBSS DELIVERABLES
• High level NIBSS policy on database access

Approach

The BOCH project team will approach the deployment with the following perspectives in mind:

• Provide a practical approach to deployment
• Maintain discipline and structure without constraining the deployment effort
• Frame the project within the strategies of NIBSS’s business requirements

BOCH has separated the effort into two logical phases:

• Pre-Site-Consultation
• Onsite Implementation

Please see the Deployment Tasks section of this document for a listing of Pre-Site-Consultation and Onsite
Implementation tasks.

Assumptions
• NIBSS provides sufficient access to the hardware and software environments being
used for the deployment, including network connectivity and required authorizations.
• NIBSS ensures sufficient participation from all team members as described earlier
in this document, especially from:
    • Information Security administrator
    • Network and security administrator, and
    • DBA.
• NIBSS will test the software according to the schedule and procedures outlined.

Deployment Tasks
This section defines the tasks for each phase of the deployment.

Pre-Site-Consultation

This phase is a critical element in the initiation of the project. Time properly spent during this phase
manifests itself in time savings throughout the project. To ensure that NIBSS receives
the full benefits of the time we are onsite, BOCH has created a checklist of items that need to be
completed prior to our arrival.

TASK / PARTICIPANTS

1. Prepare the onsite environment
   • Have all systems installed and ready
   • Have all databases ready
   Participants: NIBSS with BOCH

2. Provide the network information needed to configure the appliance
   Participants: NIBSS Technical Staff

3. Engage in a pre-visit call to confirm that these prerequisites have been completed and to verify all
   assumptions.
   Participants: NIBSS with BOCH

Deployment Agenda

1. System Installation
Staff required: Network Admin, Guardium Sys Admin (delegated by NIBSS)
Time: 1-8 hours per site (total number of sites indicated in diagram above)
Required: Guardium appliances, access to NIBSS server racks, access to min 1Gbps network
interfaces for each appliance.
Steps:
a. Install appliance in NIBSS environment
b. Configure appliance with IP information above
c. Connect to Management LAN
d. Configure network traffic capture (Inspection Engines)
e. Verify (ping to gateway)

2. S-TAP Installation
Staff required: System Admin, DBA, and Guardium Sys Admin
Time: 1-4 hours per database + database restart schedule (if required)
Required: Root level access to the database server. 150 Mb hard drive space. The system will
normally not need to be rebooted during this process (depending on OS).
Steps:
a. Copy software to server (available on CD and USB drive)

b. Execute install (150 Mb space required)
c. Configure Collector IP
d. Verify Firewall is configured to allow traffic (see Admin Guide)
e. Configure traffic capture using GUI interface

3. Traffic Capture
Staff required: DBA, Guardium Sys Admin
Time: 1-4 hours (if no connectivity issues are encountered)
Required: Local and network access to the monitored databases.
Steps:
a. Generate local database traffic
b. Generate network database traffic
c. Verify all traffic capture

4. Alerting
Staff required: SMTP or SNMP Admin, Guardium Sys Admin
Time: 1 hour (if no connectivity issues are encountered)
Required: SMTP or SNMP server configured to receive messages.
Steps:
a. Create test policy, send alert
b. Verify Firewall is configured to allow traffic
c. Verify message received

5. Integration
Staff required: Guardium Sys Admin, AD / LDAP admin, SIEM Admin
Time: 8 hours (if no connectivity issues are encountered)
Required: SIEM server configured to receive messages. May create Guardium-specific AD group.
Steps:
a. Connect Guardium to LDAP server, test
b. Verify Firewall is configured to allow traffic
c. Import LDAP users and information
d. Configure Guardium to send syslog messages to SIEM
e. Review syslog messages to determine correct format

6. Reporting and Policies
Staff required: Guardium Sys Admin
Time: 4-16 hours
Required: Intermittent local and network access to the monitored databases (may need DBA).
Steps:
a. Show relevant standard reports
b. Develop custom reports
c. Develop Policies
d. Verify alerting
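
The "Verify Firewall is configured to allow traffic" steps above (2d, 4b, 5b) can be pre-checked with a short script before the onsite visit. The following is an added example, not part of the original scope document or of Guardium; it uses the default ports listed under Prerequisites, the role names and the 192.0.2.10 address are assumptions, and it only tests the direction from the machine it runs on toward the appliance.

```python
import socket

# Ports as listed under Prerequisites in this document. Role names are
# made up for this example.
PLAN = {
    "unix-db": [("tcp", 16016)],                    # UNIX/Linux S-TAP -> collector
    "windows-db": [("udp", 8075), ("tcp", 9500)],   # Windows S-TAP -> collector
    "admin-pc": [("tcp", 8443)],                    # web management (HTTPS)
}


def tcp_state(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # A reset came back: the path answers, but nothing accepts on the port
        # (service not started yet, or a firewall that rejects instead of drops).
        return "refused"
    except OSError:
        # Timeout or unreachable: typical of a dropping firewall or bad route.
        return "filtered"


def precheck(appliance, role, check=tcp_state):
    """Return [(proto, port, state)] for the ports this role needs."""
    report = []
    for proto, port in PLAN[role]:
        # UDP has no handshake, so a connect test proves nothing; flag it
        # for confirmation against the firewall rule set instead.
        state = "manual check" if proto == "udp" else check(appliance, port)
        report.append((proto, port, state))
    return report


def needs_follow_up(report):
    """Ports to raise with the network administrator before install day."""
    return [(proto, port) for proto, port, state in report if state != "open"]


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address standing in for the appliance IP.
    for row in precheck("192.0.2.10", "unix-db"):
        print(*row)
```

Run it once from each database server with the matching role and once from the NIBSS management PC with "admin-pc"; anything returned by needs_follow_up goes to the network administrator.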

PoC Scope Signoff

BOCH and NIBSS agree to the statement of work as defined in this document.

NIBSS Stakeholder:

Name:____________________________

Signed: ___________________________

Date: _____________________________

BOCH Stakeholder:

Name:____________________________

Signed: ___________________________

Date: _____________________________

BOCH Stakeholder:

Name:____________________________

Signed: ___________________________

Date: _____________________________

PoC Completion Signoff

• NIBSS confirms that the deployment was concluded successfully in accordance with the
plan and the details of the critical success measures are included in the attached supplement.

Name:____________________________

Signed: ___________________________

Date: _____________________________
