how vulnerable is your critical data?
© 2015 IBM Corporation
How Vulnerable Is Your Critical Data?
A Risk-Based Approach to Data Security and Privacy
Luis Casco-Arias, Product Manager, IBM Security
Agenda: How Vulnerable Is Your Critical Data?
Data Security: Market & Customer Trends. Is the world upside down?
How Guardium Solves Today’s Data Security Challenges Holistically
Questions?
Data Security - Market and Customer Trends
Security is growing in importance
More than half a billion records of personally identifiable information (PII) were leaked in 2013
$5.5M+
BIGGEST BANK HEIST EVER!
What did they steal?
• ~$1B
• Customer Data
• PCI Data
How did they steal?
• Used Botnets (to track user activity)
• Privileged User Credentials
• Missing Patches
CNN Money
Doing nothing about data compliance is NOT optional
Company data security approach
w/o data security: 6.3 audit events/year; $24K average cost/audit; 2.3 data loss events/year; $130K average cost/data loss; total cost (adjusted per TB) $449K/TB
w/ data security: 1.7 audit events/year; 1.4 data loss events/year; total cost (adjusted per TB) $223K/TB
Annual Cost of not implementing data security $226K/TB
Total annual cost of doing nothing in BIG DATA compliance (for average Big Data organization with 180 TB of business data): $40+ M
Source: Aberdeen Group. Why Information Governance Must be Addressed Right Now.
Source: The True Cost of Compliance, The Cost of a Data Breach, Ponemon Institute,
$3.5M: Yearly average cost of Compliance
The Security Landscape is changing rapidly
Data Explosion
Everything is Everywhere
Attack Sophistication
Extending the perimeter; focus shifts to protecting the DATA
Moving from traditional perimeter-based security…
…to logical “perimeter” approach to security, focusing on the data and where it resides
Firewall
Antivirus
IPS
Consumerization of IT
Data is the key target for security breaches…
Data Breach Report from Verizon Business RISK Team
Database servers contain your client’s most valuable information
– Financial records
– Customer information
– Credit card and other account records
– Personally identifiable information
– Patient records
High volumes of structured data
Easy to access
“Go where the money is… and go there often.” - Willie Sutton
WHY?
… & Database Servers Are The Primary Source of Breached Data
Goal: Close the data exposure gap
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z038
Guardium Discovery
Guardium DAM
Guardium VA
Guardium for Applications
Guardium Encryption
92% of breaches are discovered by an external party
Home-grown compliance is costly and ineffective
• Scripting maintenance
• Expertise to parse logs
• Centralize collection
• Stove-piped approach
• Performance impact on the data repository
• No tamper-proof repository
• Redundant work / Siloed solutions
• No central management
• No automation or company-wide policies
• High expertise to implement/maintain (technology, regulation)
• No separation of duties
• Inaccurate/obsolete results and delayed delivery
• After-the-fact response
Create reports
Manual review
• Approval
• Reject
• Escalate
Manual remediation dispatch and tracking
Native Data Logging
Data Compliance Burden
Spreadsheet Evaluation
Why is Data Vulnerable?
• The difficulty of enforcing consistent controls and reporting on systems from a variety of vendors across multiple releases
• Development systems that get replicated to production without proper lock down & Application packages that get deployed with default settings with no understanding of security implications
• The shortage of resources with required database and security skills
• Web Application Attacks, Malware tracks user activities and credentials
• No real-time monitoring of privileged users' activities and access to sensitive data
• Data in all its forms is exploding while resources to manage it are limited & the number of systems to be secured can range in the thousands
Big Data
Mobile
Cloud
How Guardium Solves Today’s Data Security Challenges
IBM’s Approach to Data Security, Compliance and Privacy
• Understanding the Risks and Uncovering Exposure
• Define and Share: Business and IT agree on relative data risk, value
• Discover and Classify: Exploring data sources and plotting the sources for value and risk
• Mitigating Risk with Data Protection
• Mask, Redact, Encrypt: Moving the risk areas above the line
• Cleanse risky data and configurations
• Maintaining a Tolerant Risk Level
• Monitor Data Activity: Keeping Risk-prone areas above the line
• Dynamically remove risk
• Expansion to the Enterprise
[Figure: Understanding the data: Risk vs. Value. Axes: Value to the Business, Risk]
IBM Security Guardium Value Proposition:
Continuously monitor access to sensitive DATA including databases, data warehouses, big data environments and file shares to...
Reduce cost of compliance
– Automate and centralize controls
– Simplify the audit review processes
Prevent data breaches
– Prevent disclosure or leakages of sensitive data
Ensure the integrity of sensitive data
– Prevent unauthorized changes to data, database structures, configuration files and logs
Protect Data in an efficient, scalable, and cost effective way
Increase operational efficiency
– Automate & centralize internal controls
– Across heterogeneous & distributed environments
– Identify and help resolve performance issues & application errors
– Highly-scalable platform, proven in most demanding data center environments worldwide
No degradation of infrastructure or business processes
– Non-invasive architecture
– No changes required to applications or databases
Guardium enhances and differentiates most security solutions
Guardium Data Activity Monitoring
Guardium Vulnerability Assessment
Guardium Encryption and Privacy
Security Services
Consulting
Managed Services
Strategic Outsourcing
System Integration
Total Visibility: Product Portfolio, Services and Research
How does Guardium do it?
Data at Rest
Configuration
Data in Motion
Where is the sensitive data?
How to protect sensitive data to reduce risk?
How to secure the repository?
Entitlements Reporting
Activity Monitoring
Blocking Quarantine
Dynamic Data Masking
Vulnerability Assessment
Who should have access?
What is actually happening?
Masking Encryption
Discovery Classification
How to prevent unauthorized activities?
How to protect sensitive data?
Security Policies
Dormant Data
Dormant Entitlements
Harden Monitor Protect Discover
Compliance Reporting
Security Alerts / Enforcement
Data Security solutions protect structured and unstructured sensitive data
Entitlements Reporting
Activity Monitoring
Blocking Quarantine
Dynamic Data Masking
Vulnerability Assessment
Masking Encryption
Discovery Classification
Vulnerability Assessment: Assessment reports, Data Protection Subscription, Configuration Changes
Data Encryption: File-level encryption, Role-based access control, File access auditing
Static Data Masking: Static masking, Semantic and format preserving
Standard DAM: Data Activity Monitoring, Real-time alerts, App end-user identification, Normalized audit creation, Compliance reporting, Compliance workflow
Advanced DAM: Blocking access, Masking sensitive data, Users Quarantine
“Base Product”: DB and Data Discovery, Data Classification, Enterprise Integrator, Entitlement Reporting, Queries & Reports, Threshold Alerts, Compliance Workflow, Group Management, Security Integrations, IT Integrations, Data Level Security, Incident Management, User/Roles Management, HR Integrations, Portal Management, Self Monitoring, Data Export Options, Data Imports Options
Data Redaction: Redact sensitive documents
Data Privacy and Security for Hadoop/Warehousing: Packaged discovery, masking, and monitoring for Hadoop or Data Warehouses
Masking for Applications: Masking on the browser
Discover Harden Monitor Protect
Federate large deployment: Central control, Central audit collection
Guardium
Understand & Define your Distributed Data Landscape
Discover
• Locate and inventory data sources across the enterprise
• Identify sensitive data and classify
• Understand relationships
• Centrally document security policies and propagate across the data lifecycle
• What databases do I have and where are they?
• Where is my sensitive data?
Requirements
Benefits
Discovery
On Premise
Sensitive Data
On Premise
Guardium
Database Hardening and Compliance Made Simple
Discover Harden
• Reduce risk on data infrastructure
• Assure compliance with regulatory mandates
• Minimize operational costs through automated and centralized controls
• Vulnerability assessment on up-to-date database exposures
• Vulnerability assessment on OS mis-configurations
• Periodic configuration checking and change auditing
Requirements
Benefits
Vulnerability Assessment
Guardium
Data Access Protection and Compliance Made Simple
• Assure compliance with regulatory mandates
• Protect against threats from legitimate users and potential hackers
• Minimize operational costs through automated and centralized controls
• Continuous, real-time database access and activity monitoring
• Policy-based controls to detect unauthorized or suspicious activity
• Prevention of data loss
Requirements
Benefits
Real time data monitoring, auditing, and protection
Monitor Protect Discover
IBM Security Guardium real-time data activity monitoring
Discovery and Classification
Activity Monitoring: Continuous, policy-based, real-time monitoring of all data traffic activities, including actions by privileged users
Blocking & Masking: Preventive data protection in real time
Compliance Automation
Collector Appliance
Host-based Probes (S-TAP)
Data Repositories (databases, warehouses, file shares, Big Data)
Key Characteristics
• Single Integrated Appliance
• Non-invasive/disruptive, cross-platform architecture
• Dynamically scalable
• SOD enforcement for DBA access
• Auto discover sensitive resources and data
• Detect or block unauthorized & suspicious activity
• Granular, real-time policies: Who, what, when, how
• 100% visibility including local DBA access
• Minimal performance impact
• Does not rely on resident logs that can easily be erased by attackers, rogue insiders
• No environment changes
• Prepackaged vulnerability knowledge base and compliance reports for SOX, PCI, etc.
• Growing integration with broader security and compliance management vision
Central Manager Appliance
Dynamic Data masking for Web Applications
Web Server
Data Servers
SQL
HTTP/HTTPS
Dynamic Data masking for Applications
Guardium for Applications: Application Security, Application Owners, Dynamic Data Masking for Apps, Data Privacy
Database Activity Monitoring and Database Protection
Guardium for Databases: Database Security, Database Administrators, Activity Monitoring, Access blocking, Dynamic Data Masking for SQL, Data Integrity and Privacy
STAP
Collector
Aggregator
Easily share only the right type of data, even with mobile devices
Facilitates outsourcing securely and with privacy
Browser Masking: Shield sensitive application data from unauthorized users
Application Server (incl. Hue, Solr, Web-HDFS)
Comprehensive support for structured and unstructured sensitive data:
DATA
InfoSphere BigInsights
Guardium
DATABASES
DATA WAREHOUSES
UNSTRUCTURED DATA
BIG DATA ENVIRONMENTS
FILE SHARES
Exadata
DATABASE
HANA
APPLICATIONS
Optim Archival
Siebel, PeopleSoft, E-Business
DATABASE TOOLS
Master Data Management
Data Stage
CICS
z/OS Datasets
Pure Data Analytics
FTP
DB2® with BLU Acceleration
Databases, Data Warehouses, Big Data, Applications and File Shares
Guardium complements your IT operations
Directory Services (Active Directory, LDAP, IBM Security Directory Service, etc)
SIEM (IBM QRadar, IBM zSecure Audit, Arcsight, RSA Envision, etc)
SNMP Dashboards (Tivoli Netcool, HP Openview, etc)
Change Ticketing Systems (Tivoli Request Mgr, Tivoli Maximo, Remedy, Peregrine, etc)
Vulnerability Standards (CVE, STIG, CIS Benchmark, SCAP)
(IBM QRadar QVM)
Data Classification and Leak Protection (InfoSphere Discovery, Business Glossary, Optim Data Masking - Credit Card, Social Security, phone, custom, etc)
Security Management Platforms (IBM QRadar, McAfee ePO)
Application Servers (IBM Websphere, IBM Cognos, Oracle EBS, SAP, Siebel, Peoplesoft, etc)
Long Term Storage (IBM TSM, IBM Pure Data - Netezza, EMC Centera, FTP, SCP, Optim Archival etc)
Authentication (RSA SecurID, Radius, Kerberos, LDAP)
Software Deployment (IBM Tivoli Provisioning Manager, RPM, Native Distributions)
Send Alerts (LEEF, CEF, CSV, Syslog, etc)
Send Events
Web Application Firewalls (F5 ASM)
Endpoint Configuration and Patch Management (IBM Endpoint Manager)
Database tools (Change Data Capture, Query Monitor, Optim Test Data Manager, Optim Capture Replay)
Static Data Masking (Optim Data Masking)
Analytic Engines (InfoSphere Sensemaking)
Load Balancers (F5, CISCO)
Risk Alerts
Remediate
Scale
• STAP
Database Server
IBM is THE Leader in the Data Protection Market
• ONLY vendor offering a COMPREHENSIVE data security and privacy
– All controls for lifecycle data protection and privacy
– Widest range of data sources & packaged apps on any platform
– Compliance automation for data
– Synergistic with IT Operations and Security solutions
• Most PROVEN data protection and privacy technology
– Pervasively used in the industry worldwide
– Leading data protection capabilities
  – First to market with leading features
  – Comprehensive and innovative vision
• Most FLEXIBLE and COST EFFECTIVE data protection
– Seamless scalability to support the largest organizations
– Documented ROI returns based on TCO savings and compliance automation
– Non-intrusive and less environmentally impactful operation
Database Audit Wave: IBM #1 Leader - “InfoSphere Guardium offers support for almost any of the features one might find in an auditing and real-time protection solution.”
Data Masking MQ: IBM #1 Leader - “Most frequently referenced by customers.”
Chosen by the leading organizations worldwide to secure their most critical data
Top government agencies
8 of the top 10 telcos worldwide
2 of the top 3 global retailers
5 of the top 6 global insurers
5 of the top 5 global banks
4 of the top 4 global managed healthcare providers
Protecting access to over $10,869,929,241 in financial assets
Protecting access to 136 million patients’ private information
Safeguarding the integrity of 2.5 billion credit card or personal information transactions per year
Protecting more than 100,000 databases with personal and private information
Safeguarding the integrity of the world’s government information and defense
Maintaining the privacy of over 1,100,000,000 subscribers
What to do next?
1. Listen to the next Guardium Tech Talk on June 25th:
• Practical tips for managing data security risk: https://ibm.biz/BdXzdN
2. Learn about Guardium: ibm.com/guardium
3. Join the Guardium Community on developerWorks: bit.ly/guardwiki
Thank You
Your feedback is important!