Download - 3 guiding priciples to improve data security
Thought Leadership White PaperIBM Software October 2012
Three guiding principles to improve data security and complianceA holistic approach to data protection for a complex threat landscape
2 Three Guiding Principles to Improve Your Data Security and Compliance Strategy
Executive summaryNews headlines about the increasing frequency of information and identity theft have focused awareness on data security and privacy breaches — and their consequences. In response to this issue, regulations have been enacted around the world. Although the specifics of the regulations may differ, failure to ensure compliance can result in significant financial penalties, criminal prosecution and loss of customer loyalty.
In addition, the information explosion, the proliferation of endpoint devices, growing user volumes, and new computing models like cloud, social business and big data have created new vulnerabilities. To secure sensitive data and address compliance requirements, organizations need to adopt a more proactive and systematic approach.
Since data is a critical component of daily business operations, it is essential to ensure privacy and protect data no matter where it resides. Different types of information have different protection requirements; therefore, organizations must take a holistic approach to safeguarding information:
• Understand where the data exists: Organizations can’t protect sensitive data unless they know where it resides and how it’s related across the enterprise.
• Safeguard sensitive data, both structured and unstructured: Structured data contained in databases must be protected from unauthorized access. Unstructured data in documents, forms, image files, GPS systems and more requires privacy policies to redact (remove) sensitive information while still allowing needed business data to be shared.
• Protect non-production environments: Data in nonproduction, development, training and quality assurance environments needs to be protected, yet still usable during the application development, testing and training processes.
• Secure and continuously monitor access to the data: Enterprise databases, data warehouses, file shares and Hadoopbased systems require realtime monitoring to ensure data access is protected and audited. Policybased controls based on access patterns are required to rapidly detect unauthorized or suspicious activity and alert key personnel. In addition, sensitive data repositories need to be
protected against new threats or other malicious activity and continually monitored for weaknesses.
• Demonstratecompliancetopassaudits: It’s not enough to develop a holistic approach to data security and privacy; organizations must also demonstrate and prove compliance to thirdparty auditors.
IBM® solutions for data security and privacy are designed to support this holistic approach and incorporate intelligence to proactively address IT threats and enterprise risks. IBM has developed three simple guiding principles (Understand and Define, Secure and Protect, and Monitor and Audit) to help organizations achieve better security and compliance without impacting production systems or straining alreadytight budgets.
Making sense of the buzz: Why the growing focus on data protection?Data security is a moving target; as data grows, more sophisticated threats emerge, the number of regulations increase, and changing economic times make it difficult to secure and protect data. New attack vectors including cyber security threats (worms, trojans, rootkits, rogues, dialers and spyware) and security complexities resulting from changing IT architectures (virtualization, big data, open enterprise initiatives, consumerization and employee mobility) challenge organizations to focus on data protection (see Figure 1).
According to the October 2011 report “Databases are More at Risk Than Ever,” which surveyed 355 data security professionals, onefourth of respondents felt that a data breach in 2012 was likely or inevitable. Only 36 percent of organizations have taken steps to ensure their applications are not subject to SQL injection attacks, and over 70 percent take longer than three months to apply critical patch updates, giving attackers the opportunity they are looking for. Most respondents are unable to tell whether there has been unauthorized access or changes to their databases. In many cases, a breach would go undetected for months or longer, as only 40 percent of organizations audit their databases on a regular basis.
Prevention strategies are almost nonexistent at most companies. Only onefourth of respondents say they are able
IBM Software 3
to stop abuse of privileges by authorized database users, especially highly privileged users such as database administrators, before it happens. Only 30 percent encrypt sensitive and personally identifiable information in all their databases, despite data privacy regulations worldwide requiring encryption for data at rest. Additionally, most admit to having sensitive data in nonproduction environments that is accessible to developers, testing and even third parties.
Changes in IT environments and evolving business initiativesSecurity policies and corresponding technologies must evolve as organizations embrace new business initiatives such as outsourcing, virtualization, cloud, mobile, Enterprise 2.0, big data and social business. This evolution means organizations need to think more broadly about where sensitive data resides and how it is accessed. Organizations must also consider a broad array of both structured and unstructured sensitive data, including customer information, trade secrets, intellectual property, development plans, competitive differentiators and more.
Smarter, more sophisticated hackersMany organizations are now struggling with the widening gap between hacker capabilities and security defenses. The changing nature, complexity and larger scale of outside attacks are cause for concern. Previously, the most critical concern was virus outbreaks or short denialofservice attacks, which would create a temporary pause in business operations. Today, hackers are becoming more savvy and interconnected; they leverage social networks, purchase prepackaged “hacking” applications and might even be state sponsored. By penetrating the perimeter and infiltrating the network, new advanced persistent threats (APTs) exploit employee knowledge gaps and process weaknesses and technology vulnerabilities in random combinations to steal customer data or corporate data, such as trade secrets, resulting in the potential for billions of dollars of lost business, fines and lawsuits, and irreparable damage to an organization’s reputation.
According to the 2012 Verizon Data Breach Investigations Report, the most commonly used venue for breaches was exploiting default or easily guessed passwords (with 29 percent
of the cases) followed by backdoor malware (26 percent), use of stolen credentials (24 percent), exploiting backdoor or command and control channels (23 percent), and keyloggers and spyware (18 percent). SQL injection attacks accounted for 13 percent of the breaches. As for the targets, 90 percent of the breaches Verizon investigated went after servers, mainly pointofsale servers, web and app servers, and database servers.
Regulatory compliance mandatesThe number and variety of regulatory mandates are too numerous to name here, and they affect organizations around the globe. Some of the most prevalent mandates include the SarbanesOxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCIDSS) (enforcement of which has firmly started expanding beyond North America), the Federal Information Security Management Act (FISMA), and the EU Data Privacy Directive. Along with the rising number of regulatory mandates is the increased pressure to show immediate compliance. Enterprises are under tremendous time pressure and need to show immediate progress to the business and shareholders, or face reputation damage and stiff financial penalties.
Information explosionThe explosion in digital information is mindboggling. In 2009, the world had about 0.8 zettabytes of data. In 2012, it is estimated to be 1.8 ZBs. This is an amazing number, considering a zettabyte is a trillion gigabytes. The information explosion has made access to public and private information a part of everyday life. The digital explosion also brings an increase in the volume, variety and velocity of data. Organizations need to understand the unique challenges that big data brings, such as largescale cloud infrastructures, diversity of data sources and formats, the streaming nature of data acquisition, and highvolume data aggregation.
Critical business applications typically collect this information for legitimate purposes; however, given the interconnected nature of the Internet and information systems, as well as enterprise ERP, CRM and custom business applications, sensitive data is easily subject to theft and misuse.
4 Three Guiding Principles to Improve Your Data Security and Compliance Strategy
Insider threatsA high percentage of data breaches actually emanate from internal weaknesses. These breaches range from employees who may misuse payment card numbers and other sensitive information to those who save confidential data on laptops that are subsequently stolen. Furthermore, organizations are also accountable for protecting data no matter where the data resides — be it with business partners, consultants, contractors, vendors or other third parties.
In summary, organizations are focusing more heavily on data security and privacy concerns. They are looking beyond developing point solutions for specific pains and toward building security and privacy policies and procedures into the enterprise. Building security into business and IT policies is especially important as they embrace the new era of computing.
Security versus privacy
Security and privacy are related, but they are distinct concepts. Security is the infrastructure-level lockdown that prevents or grants access to certain areas or data based on authorization. In contrast, privacy restrictions control access for users who are authorized to access a particular set of data. Data privacy ensures those who have a legitimate business purpose to see a subset of that data do not abuse their privileges. That business purpose is usually defined by job function, which is defined in turn by regulatory or management policy, or both.
Some examples of data security solutions include database activity monitoring and database vulnerability assessments. Some examples of data privacy solutions include data redaction and data masking. In a recent case illustrating this distinction, physicians at UCLA Medical Center were caught going through celebrity Britney Spears’ medical records. The hospital’s security policies were honored since physicians require access to medical records, but privacy concerns exist since the physicians were accessing the file out of curiosity and not for a valid medical purpose.
The stakes are high: Risks associated with insufficient data security and privacyCorporations and their officers may face fines from USD5,000 to USD1 million per day, and possible jail time if data is misused. According to the Ponemon Institute, “2011: Cost of Data Breach Study” (published March 2012), the average organizational cost of a data breach in 2011 was USD5.5 million. Data breaches in 2011 cost their companies an average of USD194 per compromised record. The number of breached records per incident in 2011 ranged from approximately 4,500 records to more than 98,000 records. In 2011, the average number of breached records was 28,349.
The most expensive breach studied by Ponemon Institute (2010 Annual Study: U.S. Cost of a Data Breach, 2011) took USD35.3 million to resolve, up USD4.8 million (15 percent) from 2009. The least expensive data breach was USD780,000, up USD30,000 (4 percent) from 2009. As in prior years, data breach cost appears to be directly proportional to the number of records compromised.
Hard penalties are only one example of how organizations can be harmed; other negative impacts include erosion in share price caused by investor concern and negative publicity resulting from a data breach. Irreparable brand damage identifies a company as one that cannot be trusted.
Five common sources of risk include:
• Excessive privileges and privileged user abuse. When users (or applications) are granted database privileges that exceed the requirements of their job function, these privileges may be used to gain access to confidential information.
• Unauthorized privilege elevation. Attackers may take advantage of vulnerabilities in database management software to convert lowlevel access privileges to highlevel access privileges.
• SQL injection. SQL injection attacks involve a user who takes advantage of vulnerabilities in frontend web applications and stored procedures to send unauthorized database queries, often with elevated privileges. Using SQL injection, attackers could even gain unrestricted access to an entire database.
IBM Software 5
• Denial of service. Denial of service (DoS) may be invoked through many techniques. Common DoS techniques include buffer overflows, data corruption, network flooding and resource consumption. The latter is unique to the database environment and frequently overlooked.
• Exposure of backup data. Some recent highprofile attacks have involved theft of database backup tapes and hard disks which were not encrypted.
few organizations have the funding or resources to implement another processheavy initiative. Organizations need to build security and privacy policies into their daily operations and gather support for these policies across the enterprise including IT staff, business leaders, operations, and legal departments. Privacy requirements do vary by role, and understanding who needs access to what data is not a trivial task. Third, the manual or homegrown data protection approaches many organizations use today lead to higher risk and inefficiency. Manual approaches typically don’t protect a diverse set of data types in both structured and unstructured settings, and do not scale as organizations grow. Finally, the rising number of compliance regulations with timesensitive components adds more operational stress, rather than clarifying priorities.
Organizations require a fresh approach to data protection — one which ensures that they build security and privacy rules into their best practices, and helps, rather than hinders, their bottom line. Numerous driving factors combined with high stakes make figuring out how to approach data security and privacy an important priority.
Leveraging a holistic data security and privacy approachOrganizations need a holistic approach to data protection. This approach should protect diverse data types across physical, cloud and big data environments, and include the protection of structured and unstructured data in both production and nonproduction (development, test and training) environments. Such an approach can help focus limited resources without added processes or increased complexity. A holistic approach also helps organizations to demonstrate compliance without interrupting critical business processes or daily operations.
To get started, organizations should consider six key questions. These questions are designed to help focus attention to the most critical data vulnerabilities:
1. Where does sensitive data reside across the enterprise? 2. How can access to your enterprise databases be protected,
monitored and audited?
Figure 1: Analysis of malicious or criminal attacks experienced according to the 2011 Cost of Data Breach Study conducted by the Ponemon Institute (published March 2012)
Barriers to implementation: Challenges associated with protecting dataSo with the market focused on security and the risks clearly documented, why haven’t organizations adopted a holistic approach to data protection? Why are organizations overwhelmed by new threats?
The reality is that significant challenges and complexities exist. For one, there are numerous vendor solutions available that are focused on one approach or one aspect of data protection. Few look across the range of threats and data types and sources to deliver a holistic strategy which can be flexible as new threats arise and new computing models are embraced. Next,
6 Three Guiding Principles to Improve Your Data Security and Compliance Strategy
3. How can data be protected from both authorized and unauthorized access?
4. Can confidential data in documents be safeguarded while still enabling the necessary business data to be shared?
5. Can data in nonproduction environments be protected, yet still be usable for training, application development and testing?
6. What types of data encryption are appropriate?
The answers to these questions provide the foundation for a holistic approach to data protection and scales as organizations embrace the new era of computing. The answers also help organizations focus in on key areas they may be neglecting with current approaches.
1. Organizations can’t protect data if they don’t know it exists. Sensitive data resides in structured and unstructured formats in production environments and nonproduction environments. Organizations need to document and define all data assets and relationships, no matter what the source. It is important to classify enterprise data, understand data relationships and define service levels. The data discovery process analyzes data values and data patterns to identify the relationships that link disparate data elements into logical units of information, or “business objects” (such as customer, patient or invoice).
2. Activity monitoring provides privileged and nonprivileged user and application access monitoring that is independent of native database logging and audit functions. It can function as a compensating control for privileged user separationofduties issues by monitoring all administrator activity. Activity monitoring also improves security by detecting unusual database, data warehouse, file share or Hadoop systems read and update activities from the application layer. Event aggregation, correlation and reporting provide an audit capability without the need to enable native audit functions. Activity monitoring solutions should be able to detect malicious activity or inappropriate or unapproved privileged user access.
3. Data should be protected through a variety of data transformation techniques including encryption, masking and redaction. Defining the appropriate business use for enterprise
data will dictate the appropriate data transformation policy. For example, a policy could be established to mask data on screen or on the fly to prevent call center employees from viewing national identification numbers. Another example could be masking revenue numbers in reports shared with business partners or thirdparty vendors.
4. Data redaction can remove sensitive data from forms and documents based on job role or business purpose. For example, physicians need to see sensitive information such as symptoms and prognosis data, whereas a billing clerk needs the patient’s insurance number and billing address. The challenge is to provide the appropriate protection, while meeting business needs and ensuring that data is managed on a “needtoknow” basis. Data redaction solutions should protect sensitive information in unstructured documents, forms and graphics.
5. Deidentifying data in nonproduction environments is simply the process of systematically removing, masking or transforming data elements that could be used to identify an individual. Data deidentification enables developers, testers and trainers to use realistic data and produce valid results, while still complying with privacy protection rules. Data that has been scrubbed or cleansed in such a manner is generally considered acceptable to use in nonproduction environments and ensures that even if the data is stolen, exposed or lost, it will be of no use to anyone.
6. Data encryption is not a new technology, and many different approaches exist. Encryption is explicitly required by many regulations including PCI DSS, and also enables safe harbor provisions in many regulatory mandates. This means organizations are exempt from disclosing data breaches if the data is encrypted. It is challenging for an organization to identify the best encryption approach due to prolific offerings from various vendors. For encrypting structured data, consider a filelevel approach. This will protect both structured data in the database management system (DBMS) and also unstructured files such as DBMS log or configuration files, and is transparent to the network, storage and applications. Look for encryption offerings which provide a strong separation of duties and a unified policy and key management system to centralize and simplify data security management.
IBM Software 7
Meeting data security and compliance challenges What makes IBM’s approach to data protection unique? Expertise. The alignment of people, process, technology and information separates the IBM data security and privacy solutions from the competition. The goal of the IBM portfolio is to help organizations meet legal, regulatory and business obligations without adding additional overhead. This helps organizations support compliance initiatives, reduce costs, minimize risk and sustain profitable growth. In addition, IBM has integrated data security into a broader security framework. The IBM Security Framework (see Figure 2) and associated best practices provide the expertise, data analysis, and maturity models to give IBM’s clients the opportunity to embrace innovation with confidence.
To address data security and compliance, IBM has defined three guiding principles to ensure a holistic data protection approach: Understand and Define, Secure and Protect, and Monitor and Audit. By following these three principles, organizations can improve their overall security posture and help meet compliance mandates with confidence.
Understand and defineOrganizations must discover where sensitive data resides, classify and define data types, and determine metrics and policies to ensure protection over time. Data can be distributed over multiple applications, databases and platforms with little documentation. Many organizations rely too heavily on system and application experts for this information. Sometimes, this information is built into application logic, and hidden relationships might be enforced behind the scenes.
Finding sensitive data and discovering data relationships requires careful analysis. Data sources and relationships should be clearly understood and documented so no sensitive data is left vulnerable. Only after understanding the complete landscape can organizations define proper enterprise data security and privacy policies.
IBM InfoSphere® Discovery is designed to identify and document what data you have, where it is located and how it’s linked across systems by intelligently capturing relationships and determining applied transformations and business rules. It helps automate the identification and definition of data relationships across complex, heterogeneous environments.
Without an automated process to identify data relationships and define business objects, organizations can spend months performing manual analysis — with no assurance of completeness or accuracy. IBM InfoSphere Discovery, on the other hand, can help automatically and accurately identify relationships and define business objects in a fraction of the time required using manual or profiling approaches. It accommodates a wide range of enterprise data sources, including relational databases, hierarchical databases and any structured data source represented in text file format.
Security Intelligence,Analytics and GRC
Software andApplicances
Clo
ud a
nd M
anag
edS
ervi
ces
Pro
fess
iona
lS
ervi
ces
Figure 2: IBM is the only vendor providing a sophisticated security framework with security intelligence across people, data, applications and infrastructure.
8 Three Guiding Principles to Improve Your Data Security and Compliance Strategy
In summary, IBM InfoSphere Discovery helps organizations:
• Locate and inventory the data sources across the enterprise • Identify and classify sensitive data • Understand data relationships • Define and document privacy rules • Document and manage ongoing requirements and threats
Secure and protectData security and privacy solutions should span a heterogeneous enterprise, and protect both structured and unstructured data across production and nonproduction environments (see Figure 3). IBM InfoSphere solutions help protect sensitive data in ERP/CRM applications, databases, warehouses, file shares and Hadoopbased systems, and also in unstructured formats such as forms and documents. Key technologies include activity monitoring, data masking, data redaction and data encryption. InfoSphere Guardium provides enterprisewide controls and capabilities across many platforms and data sources, enhancing the investments made in platforms, such as RACF on System z, that provide builtin security models that leverage data sources such as DB2 for z/OS, IMS,
and VSAM. A holistic data protection approach ensures a 360degree lockdown of all organizational data.
For each type of data (structured, unstructured, offline and online), we recommend different technologies to keep it safe. Keep in mind that the various data types exist in both production and nonproduction environments.
Structured data: This data is based on a data model, and is available in structured formats like databases or XML.
Unstructured data: This data is in forms or documents which may be handwritten, typed or in file repositories, such as word processing documents, email messages, pictures, digital audio, video, GPS data and more.
Online data: This is data used daily to support the business, including metadata, configuration data or log files.
Offline data: This is data in backup tapes or on storage devices.
Data in heterogeneous databases(Oracle, DB2, Netezza, Informix, Sybase, Sun MySQL, Teradata)
• Activity Monitoring• Vulnerability Assessment• Data Masking• Data Encryption
Data not in databases(Hadoop, File Shares, ex. SharePoint,.TIF, .PDF, .doc, scanned documents)
• Data Redaction• Activity Monitoring
• Data Masking
StructuredData
UnstructuredData
OfflineData
OnlineData
Data in daily use
• Activity Monitoring• Vulnerability Assessment
• Data Masking • Data Encryption
Data extracted from databases
• Data Encryption
Prod
uct
ion
& Non-Production System
s
Figure 3: When developing a data security and privacy strategy, it is important to consider all data types across production and non-production environments
IBM Software 9
Keep in mind these four basic data types are exploding in terms of volume, variety and velocity. Many organizations are looking to include these data types in big data systems such as Netezza or Hadoop for deeper analysis.
IBM InfoSphere Guardium® Activity Monitor and Vulnerability Assessment provide a security solution which addresses the entire database security and compliance life cycle with a unified web console, backend data store and workflow automation system, enabling you to:
• Assess database and data repository vulnerabilities and configuration flaws
• Ensure configurations are locked down after recommended changes are implemented
• Provide 100percent visibility and granularity into all data source transactions — across all platforms and protocols — with a secure, tamperproof audit trail that supports separation of duties
• Monitor and enforce policies for sensitive data access, privileged user actions, change control, application user activities and security exceptions such as failed logins
• Automate the entire compliance auditing process — including report distribution to oversight teams, signoffs and escalations — with preconfigured reports for SOX, PCI DSS and data privacy
• Create a single, centralized audit repository for enterprisewide compliance reporting, performance optimization, investigations and forensics
• Easily scale from safeguarding a single database to protecting thousands of databases, data warehouses, file shares or Hadoopbased systems in distributed data centers around the world
Traditionally, protecting unstructured information in forms, documents and graphics has been performed manually by deleting electronic content and using a black marking pen on paper to delete or hide sensitive information. But this manual process can introduce errors, inadvertently omit information and leave behind hidden information within files that exposes sensitive data. Today’s high volumes of electronic forms and documents make this manual process too burdensome for practical purposes, and increase an organization’s risk of exposure.
IBM InfoSphere Guardium Data Redaction protects sensitive information buried in unstructured documents and forms from unintentional disclosure. The automated solution lends efficiency to the redaction process by detecting sensitive information and automatically removing it from the version of the documents made available to unprivileged readers. Based on industryleading software redaction techniques, InfoSphere Guardium Data Redaction also offers the flexibility of human review and oversight if required.
IBM InfoSphere Optim™ Data Masking Solution provides a comprehensive set of data masking techniques that can support your data privacy compliance requirements on demand, including:
• Applicationaware masking capabilities help ensure that masked data, like names and street addresses, resembles the look and feel of the original information. (see Figure 4)
• Contextaware, prepackaged data masking routines make it easy to deidentify elements such as payment card numbers, Social Security numbers, street addresses and email addresses.
• Persistent masking capabilities propagate masked replacement values consistently across applications, databases, operating systems and hardware platforms.
• Static or dynamic data masking supports both production and nonproduction environments.
With InfoSphere Optim, organizations can deidentify data in a way that is valid for use in development, testing and training environments, while protecting data privacy.
Mask
Figure 4: Personal identifiable information is masked with realistic but fictional data
10 Three Guiding Principles to Improve Your Data Security and Compliance Strategy
IBM InfoSphere Guardium Data Encryption provides a single, manageable and scalable solution to encrypt enterprise data without sacrificing application performance or creating key management complexity. InfoSphere Guardium Data Encryption helps solve the challenges of invasive and point approaches through a consistent and transparent approach to encrypting and managing enterprise data security. Unlike invasive approaches such as column level database encryption, PKIbased file encryption or native point encryption, IBM InfoSphere Guardium Data Encryption offers a single, transparent solution that is also easy to manage. This unique approach to encryption provides the best of both worlds: seamless support for information management needs combined with strong, policybased data security. Agents provide a transparent shield that evaluates all information requests against easily customizable policies and provides intelligent decryptionbased control over reads, writes, and access to encrypted contents. This highperformance solution is ideal for distributed environments, and agents deliver consistent, auditable and noninvasive datacentric security for virtually any file, database or application — anywhere it resides.
In summary, InfoSphere Guardium Data Encryption provides:
• A single, consistent, transparent encryption method across complex enterprises
• An auditable, enterpriseexecutable, policybased approach • Among the fastest implementation processes achievable,
requiring no application, database or system changes • Simplified, secure and centralized key management across
distributed environments • Intelligent, easytocustomize data security policies for
strong, persistent data security • Strong separation of duties• Topnotch performance with proven ability to meet SLAs
for missioncritical systems
IBM Tivoli® Key Lifecycle Manager helps IT organizations better manage the encryption key life cycle by enabling them to centralize and strengthen key management processes. It can manage encryption keys for IBM selfencrypting storage
devices as well as nonIBM encryption solutions that use the Key Management Interoperability Protocol (KMIP). IBM Tivoli Key Lifecycle Manager provides the following data security benefits:
• Centralize and automate the encryption key management process
• Enhance data security while dramatically reducing the number of encryption keys to be managed
• Simplify encryption key management with an intuitive user interface for configuration and management
• Minimize the risk of loss or breach of sensitive information • Facilitate compliance management of regulatory standards
such as SOX and HIPAA • Extend key management capabilities to both IBM and
nonIBM products • Leverage open standards to help enable flexibility and
facilitate vendor interoperability
Monitor and auditAfter data has been located and locked down, organizations must prove compliance, be prepared to respond to new internal and external risks, and monitor systems on an ongoing basis. Monitoring of user activity, object creation, data repository configurations and entitlements help IT professionals and auditors trace users between applications and databases. These teams can set finegrained policies for appropriate behavior and receive alerts if these policies are violated. Organizations need to quickly show compliance and empower auditors to verify compliance status. Audit reporting and signoffs help facilitate the compliance process while keeping costs low and minimizing technical and business disruptions. In summary, organizations should create continuous, finegrained audit trails of all database activities, including the “who, what, when, where and how” of each transaction.
IBM InfoSphere Guardium Activity Monitor provides granular, database management system (DBMS) — independent auditing with minimal impact on performance. InfoSphere Guardium is also designed to help organizations reduce operational costs via automation, centralized crossDBMS policies and audit repositories, and filtering and compression.
IBM Software 11
Conclusion: Better Data Security and Compliance Protecting data security and privacy is a detailed, continuous responsibility which should be part of every best practice. IBM provides an integrated data security and privacy approach delivered through these three guiding principles.
1. Understand and Define2. Secure and Protect3. Monitor and Audit
Protecting data requires a 360degree, holistic approach. With deep, broad expertise in the security and privacy space, IBM can help your organization define and implement such an approach.
IBM solutions are open, modular and support all aspects of data security and privacy, including structured, semistructured and unstructured data, no matter where it resides. IBM solutions support virtually all leading enterprise databases and operating systems, including IBM DB2®, Oracle, Teradata, Netezza®, Sybase, Microsoft SQL Server, IBM Informix®, IBM IMS™, IBM DB2 for z/OS, IBM Virtual Storage Access Method (VSAM), Microsoft Windows, UNIX, Linux and IBM z/OS®. InfoSphere also supports key ERP and CRM applications — Oracle EBusiness Suite, PeopleSoft Enterprise, JD Edwards EnterpriseOne, Siebel and Amdocs CRM — as well as most custom and packaged applications. IBM supports access monitoring for file sharing software such as Microsoft SharePoint and IBM FileNet. IBM also supports Hadoopbased systems such as Cloudera and InfoSphere BigInsights.
About IBM InfoSphereIBM InfoSphere software is an integrated platform for defining, integrating, protecting and managing trusted information across your systems. The IBM InfoSphere platform provides the foundational building blocks of trusted information, including data integration, data warehousing, master data management and information governance, all integrated around a core of shared metadata and models. The portfolio is modular, allowing you to start anywhere, and mix and match IBM InfoSphere software building blocks with components from other vendors,
or choose to deploy multiple building blocks together for increased acceleration and value. The IBM InfoSphere platform provides an enterpriseclass foundation for informationintensive projects, providing the performance, scalability, reliability and acceleration needed to simplify difficult challenges and deliver trusted information to your business faster.
About IBM SecurityIBM’s security portfolio provides the security intelligence to help organizations holistically protect their people, infrastructure, data and applications. IBM offers solutions for identity and access management, database security, application development, risk management, endpoint management, network security and more. IBM operates the world’s broadest security research and development and delivery organization. This consists of nine security operations centers, nine IBM Research centers, 11 software security development labs and an Institute for Advanced Security with chapters in the United States, Europe and Asia Pacific. IBM monitors 13 billion security events per day in more than 130 countries and holds more than 3,000 security patents.
For more informationFor more information on IBM security, please visit: ibm.com/security.
To learn more about IBM InfoSphere solutions for protecting data security and privacy, please contact your IBM sales representative or visit: ibm.com/guardium.
To learn more about the new IBM DB2 for z/OS security features, download the Redbook at www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247959.html
Additionally, financing solutions from IBM Global Financing can enable effective cash management, protection from technology obsolescence, improved total cost of ownership and return on investment. Also, our Global Asset Recovery Services help address environmental concerns with new, more energyefficient solutions. For more information on IBM Global Financing, visit: ibm.com/financing.
Please Recycle
© Copyright IBM Corporation 2012 IBM Corporation Software Group Route 100 Somers, NY 10589
Produced in the United States of America October 2012
IBM, the IBM logo, ibm.com, DB2, Guardium, IMS, Informix, InfoSphere, Optim, Tivoli, and z/OS are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml.
Linux is a registered trademark of Linus Torvalds in the United States, other countries or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries or both.
Netezza is a trademark or registered trademark of Netezza Corporation, an IBM Company.
UNIX is a registered trademark of The Open Group in the United States and other countries.
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR MPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NONINFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.
IMW14568USEN05