ibm infosphere guardium tech talk: guardium implementation ...€¦ · ibm infosphere guardium tech...
TRANSCRIPT
© 2013 IBM Corporation
Information Management
IBM InfoSphere Guardium Tech Talk: Guardium Implementation for DB2 on z
Ernie Mancill – Executive IT SpecialistRoy Panting – Guardium Technical Specialist16 May 2013
© 2013 IBM Corporation2
Information Management – InfoSphere Guardium
LogisticsThis tech talk is being recorded. If you object, please hang up and leave the webcast now.
We’ll post a copy of slides and link to recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.
We’ll try to answer questions in the chat or address them at speaker’s discretion.
– If we cannot answer your question, please do include your email so we can get back to you.
When speaker pauses for questions: – We’ll go through existing questions in the chat – Raise your hand in the SmartCloud meeting room if you want to
ask a question verbally and we’ll call your name – You will need *6 to unmute phone line if you are dialed in
© 2013 IBM Corporation3
Information Management – InfoSphere Guardium
Reminder: Upcoming Guardium Tech Talks
Link to more information about these tech talks can be found on the InfoSpere Guardium developerWorks community: http://ibm.co/Wh9x0o
Title: Integrating QRadar and Guardium
Speakers: Luis Casco-Arias and Stephen Keim with Ty Weis
Date &Time: Wed, June 5, 2013
11:30 AM EDT
Register here: http://bit.ly/ZWznwA
Title: Planning a deployment
Speakers: Boaz Barkai and YosefRozenblit
Date &Time: Thursday, Jun 20, 2013
11:30 AM EDT
Register here: http://bit.ly/Yf2TwY
Special event: Webcast: Best Practices for Securing and Protecting MongoDB Data, hosted by 10gen, The MongoDB CompanyRegister at http://www.10gen.com/events/webinar/secure-protect-mongodb-data-partner
© 2013 IBM Corporation4
Information Management – InfoSphere Guardium
Polling Question
At what stage is your InfoSphere Guardium implementation for DB2 for z/OS?
1. We don't have this product yet; we are just learning
2. We have Version 8.2 and are planning our deployment / upgrade to Version 9
3. We are planning a new deployment with Version 9
4. We have Version 9 deployed
5. None of the above
© 2013 IBM Corporation
Information Management
IBM InfoSphere Guardium Tech Talk: Guardium Implementation for DB2 on z/OS
Ernie Mancill – Executive IT SpecialistRoy Panting – Guardium Technical Specialist16 May 2013
© 2013 IBM Corporation6
Information Management – InfoSphere Guardium
Agenda
How InfoSphere Guardium on System z provides value
Planning an implementation
Implementing Guardium on System z into a non-production system
Rolling out Guardium on System z into production
Getting started with monitoring
Wrap up
© 2013 IBM Corporation7
Information Management – InfoSphere Guardium
7
““Inconsistent dataInconsistent data””
Healthcare Insurer: “My team is responsible for sending data externally to many of our business partners and other entities. The number of these requests has grown significantly over the years and they are becoming increasingly involved and complicated. We need a policy and process to handle these requests to ensure we comply with all privacy/security regulations. We also need appropriate executive-level review and approval to ensure that each request for sharing our data externally is the right thing for us to do from a business perspective.”
““We need a policy and process to ensure we are protecting our datWe need a policy and process to ensure we are protecting our dataa””
United States Government Agency: “Our team is responsible for the trustworthiness of data to the field analysts but we have no control over the quality of data that flows into our Financials from SAP R/3 to BW.”
““We have no control over the quality of dataWe have no control over the quality of data””
North American Multi-Line Insurer: “Our new CEO became the most ardent supporter of Data Governance when he discovered that reports from different parts of the organization had inconsistent data.”
““We keep everything foreverWe keep everything forever””A large chemical manufacturer fails to destroy content and records in accordance with their corporate retention policy and are now burdened with the high cost of managing storage and eDiscovery with no visibility into what to destroy and when. “During eDiscovery, we spent over $12 million dollars reviewing documents that were already past their retention dates and should have been disposed of … and this was on just 4 cases … at any point in time we have over 100 cases pending.
Our clients say…
““We need a systematic way to manage this growth.We need a systematic way to manage this growth.””CFO Survey: Current state & future direction, IBM Business Consulting Services. The top challenge for 43% of CFOs is improving governance, controls, and risk management.
© 2013 IBM Corporation8
Information Management – InfoSphere Guardium
8
Orchestrate people, process and technology toward a common goal
– Promotes collaboration – Derive maximum value from
information
Information Governance creates order out of information chaos
Information Governance is the exercise of decision rights to Information Governance is the exercise of decision rights to optimize, secure and leverage data as an enterprise asset.optimize, secure and leverage data as an enterprise asset.
Governing the creation, management and usage of Governing the creation, management and usage of enterprise data is not an option any longer. It is:enterprise data is not an option any longer. It is:
Expected by your customers Demanded by the executives Enforced by regulators/auditors
Leverage data as an enterprise asset to drive opportunities
– Safeguards information – Ensure highest quality– Manage it throughout
lifecycle
© 2013 IBM Corporation9
Information Management – InfoSphere Guardium
Threats to database and legacy data
Privileged User access to data from outside of the DBMS–Access to DB2 Linear VSAM datasets
Privileged User access to DBMS Data via SQL/DL1 –Abuse of privilege without business Need to Know
External Threats –SQL Injection (Hacking)
Movement of data outside of the DBMS–Unloads–Clones–Test Data–Replication
© 2013 IBM Corporation10
Information Management – InfoSphere Guardium
10
10
Defense in depth of DBMS data
10
Level 1: Encryption - Access to clear text data must be in the form of a DBMS statement
Level 2: Database Activity Monitoring - Ensures each DBMS statement is inspected, audited, and subject to security policy control
Level 3: Audit access to VSAM linear datasets
Level 4: Implement business need to know control for critical data Reduce abuse of privilege access
Level 5: Protect the use of unloads and extracts
© 2013 IBM Corporation11
Information Management – InfoSphere Guardium
But…System z is already secure….why do we need more?
Separation of duties –Privileged users “need to know” vs abuse or
mistake–Trace-based auditing controlled by privileged users–SAF plays a vital role in protection of data on z/OS,
but is not tamper-resistant and actionable
Achieving audit readiness is labor-intensive and introduces latency
–RACF lacks sufficient granularity for reporting–DB2 Audit Trace significantly improved in V10, but
still requires externalization to SMF and customer provided reporting infrastructure
Real time event collection – Batch processing of audit data from external
sources prevents real time alerts
© 2013 IBM Corporation12
Information Management – InfoSphere Guardium
Meta-Data (configuration)Meta-Data (configuration)
Dynamic Data (in motion)Dynamic Data (in motion)
Static Data(at rest)Static Data(at rest)
12
MainframeNetwork
Infrastructure
Availability Performance Security
ITDBAApplicationNetwork
ITDBAApp AdminNetwork Admin
Focused on the Infrastructure It’s all about the DATA
ITDBAAppNetwork
SecurityCompliance CISO
ClassificationClassificationDiscoveryDiscovery
PrivacyPrivacy IntegrityIntegrity
ComplianceComplianceSecuritySecurity
Vulnerability AssessmentGuardium VA
InfoSphere Guardium for DB2 on z/OS, IMS and VSAM
Guardium DAM
InfoSphere Guardium Encryption Tool
Guardium Encryption
Capabilities for a layered “defense in depth”
© 2013 IBM Corporation13
Information Management – InfoSphere Guardium
InfoSphere Guardium value proposition
Prevent data breachesMitigate external and internal threats
11
22
33 Reduce cost of compliance- Automate and centralize controls- Simplify audit review processes
Ensure the integrity of sensitive dataPrevent unauthorized changes to data, data infrastructure, configuration files and logs
Continuously monitor access to sensitive data in databases, data warehouses, Hadoop big data environments and file shares to:
13
© 2013 IBM Corporation14
Information Management – InfoSphere Guardium
InfoSphere Guardium value proposition (cont.)
Increase operational efficiencyAutomate & centralize internal controlsAcross heterogeneous & distributed
environmentsIdentify and help resolve performance
issues & application errorsHighly-scalable platform, proven in
most demanding data center environments worldwide
No degradation of infrastructure or business processes
Non-invasive architectureNo changes required to applications or
databases
Do it all in an efficient, scalable, and cost effective way
44
14
© 2013 IBM Corporation15
Information Management – InfoSphere Guardium
IBM InfoSphere Guardium provides real-time data activity monitoring for security & compliance – DB2 for z/OS high level architecture
Continuous, policy-based, real-time monitoring of all data traffic activities, including actions by privileged users
Database infrastructure scanning for missing patches, mis-configured privileges and other vulnerabilities
Data protection compliance automation
InfoSphere Guardium Collector (Hardened repository)
InfoSphere Guardium S-TAP for DB2 on z/OS
DataSQL requests
Web-based UI
DataDB2 Data
Alerts and reports
© 2013 IBM Corporation16
Information Management – InfoSphere Guardium
Guardium integrates with IT Infrastructure for seamless operations
Directory Services(Active Directory, LDAP, TDS, etc)
SIEM(IBM QRadar, Arcsight, RSA
Envision, etc) SNMP Dashboards(Tivoli Netcool, HP Openview, etc)
Change Ticketing Systems
(Tivoli Request Mgr, Remedy, Peregrine, etc)
Vulnerability Standards
(CVE, STIG, CIS Benchmark)
Data Classification and Leak Protection
(Credit Card, Social Security, phone, custom, etc)
Application Servers(IBM Websphere, IBM Cognos, Oracle
EBS, SAP, Siebel, Peoplesoft, etc )
Long Term Storage(IBM TSM, IBM Nettezza, EMC Centera,
FTP, SCP, etc)
Software Deployment(IBM Tivoli Provisioning Manager, RPM, Native
Distributions)
Security Management Platforms
(IBM QRadar, McAfee ePO )
Authentication(RSA SecurID, Radius, Kerberos,
LDAP)
Send Alerts (CEF, CSV, Syslog, etc) Send
Events
• STAP
© 2013 IBM Corporation17
Information Management – InfoSphere Guardium
Polling Question
What is the primary reason you are considering a monitoring solution?
1. Meeting regulatory compliance including PCI DSS, SOX, HIPPA, etc.
2. Monitoring privileged user activity
3. Monitoring data stored in sensitive tables
4. We have not defined a primary reason yet
5. N/A
© 2013 IBM Corporation18
Information Management – InfoSphere Guardium
A sidebar discussion – Performance and product evolution
(2006) AME-Local Repository on z/OS-Performance (20+%)
(2009 STAP 8.1 Phase 1)FTP Based ExchangePerformance (9 – 15%)
(2011 STAP 8.1 Phase 2)Real-time streamingPerformance (~5 – 7%)
2012 STAP 9Revamped ArchitecturePerformance (2 – 4%)
Note: Performance metrics are workload dependent, IBM IRWW workload used. Any performance data contained in this document were determined in various controlled laboratory environments and are for reference purposes only. Customers should not adapt these performance numbers to their own environments as system performance standards. The results that may be obtained in other operating environments may vary significantly.
© 2013 IBM Corporation19
Information Management – InfoSphere Guardium
The benefits of shared collectionUtilizing Shared Collector technology, the Monitoring and Auditing products work together.
– Common processes are used to minimize overhead.– Coordinated use of algorithms, memory, and gathered information reduces the
impact on the statement being observed.– This results in lower CPU consumption and better elapsed time.– Shared Collector code is also more reliable and stability is improved
SQL Statement ExecutionNon-Shared CollectionAP AP
SQL Statement ExecutionShared CollectionP+A P+A
© 2013 IBM Corporation20
Information Management – InfoSphere Guardium
Query Collector Manager
CaptureTask
Query CollectorManager
AuditTask
Advantages of Query Common CollectorMinimum resources / minimum overhead / maximum usability / maximum reliability and serviceability
DB2ASubsystem
z/OS
Query Collector Manager
MonitorTask
Query Common
Collector
TCP/IP Stream
TCP/IP Stream
GuardiumCollector
OQCR
WEB SERVER
SUPPORT
SERVICES
ADDRESS
SPACE
DB2 Query Monitor
© 2013 IBM Corporation21
Information Management – InfoSphere Guardium
Agenda
How InfoSphere Guardium on System z provides value
Planning an implementation
Implementing Guardium on System z into a non-production system
Rolling out Guardium on System z into production
Getting started with monitoring
Wrap up
© 2013 IBM Corporation22
Information Management – InfoSphere Guardium
Planning that first implementation
Start with the basics– Identify a non-production DB2 environment– Determine how many DB2 systems to audit– Identify the support people (systems programmer, security administrator, auditor)– Obtain management approval– Establish agreement on the implementation schedule
Establish the Guardium details– Determine what type of collector will be used (VM or hardware)– Identify what features are needed (redundant collectors, zIIP availability, integration
with distributed Guardium systems, etc.)– Identify the TCP/IP addresses– Coordinate the Guardium training and professional services– Size the environment for a collector, aggregator and central manager– Determine what groups to be used to simplify the Guardium implementation
Identify success criteria– What needs to be audited (very important!)?– What reports are required and desired?– Is integration with another product, like a SIEM product, required?– Is a performance test required?– Are Vulnerability Assessments and Entitlement Reports required?
© 2013 IBM Corporation23
Information Management – InfoSphere Guardium
Sample implementation timeline
1. Perform parallel activities – 2 days– Obtain S-TAP software and maintenance
from Shop z– Obtain collector software and maintenance
from Passport Advantage– Coordinate implementation activities
2. Install S-TAP and collector software – 1 day
3. Begin collecting basic auditing – 2 days
4. Refine auditing and create custom reports – 8 days
5. Integrate InfoSphere Guardium with other products – 5 days
Total deployment of first implementation = 18 days(Your mileage may vary)
© 2013 IBM Corporation24
Information Management – InfoSphere Guardium
Guardium for DB2 on z/OS architecture
z/OS
Audited DB2 SubsystemAudited DB2 Subsystem
InfoSphere GuardiumS-TAP Collector Agent
Data
SQL Collector
IFI Collector
Define Audit
Policy
View Reports
SQL data
IFI data
Filter Manager
Workstation
Guardium Appliance
DataData
Filter
Filter
Policy push-down
Persisted Policy
© 2013 IBM Corporation25
Information Management – InfoSphere Guardium
DB2 collection policy definition
Identifies what activity is to be sent to the Guardium collector for auditing
Uses groups to simplify administration
Key component in performance. For example:– Granular control over connection type– Connection type provides efficient filtering
© 2013 IBM Corporation26
Information Management – InfoSphere Guardium
Agenda
How InfoSphere Guardium on System z provides value
Planning an implementation
Implementing Guardium on System z into a non-production system
Rolling out Guardium on System z into production
Getting started with monitoring
Wrap up
© 2013 IBM Corporation27
Information Management – InfoSphere Guardium
Conducting that first implementationInstall the Guardium collector / aggregator / central manager
–Install the software and maintenance–Configure the installation–Power up the collector
Install the Guardium STAP–Install the STAP and maintenance on all DB2
systems to be audited–Configure the installation and start STAP
Validate auditing–Create a simple audit collection policy–Use reports to validate that DB2 activity is being
stored in the repository
Refine the auditing –Filter unneeded audit data using policy–Create custom reports, Vulnerability
Assessment, integration, etc.
© 2013 IBM Corporation28
Information Management – InfoSphere Guardium
Conducting that first implementationMeet all functional requirements
– Develop detailed custom reports– Modify the collection profile for efficiency, alerts,
exceptions, etc.– Develop an archive strategy– Implement report workflow
Conduct performance testing– Build a repeatable performance test– Run the test– Review the results and make modifications until
results are satisfactory
Plan for ongoing maintenance– Recommendation: Use same maintenance
philosophy that you use for DB2 (eg LPAR or group level)
Plan for the next stages– Obtain approvals to migrate software to production– Schedule migration to next stage– Coordinate migration plan
© 2013 IBM Corporation29
Information Management – InfoSphere Guardium
Agenda
How InfoSphere Guardium on System z provides value
Planning an implementation
Implementing Guardium on System z into a non-production system
Rolling out Guardium on System z into production
Getting started with monitoring
Wrap up
© 2013 IBM Corporation30
Information Management – InfoSphere Guardium
Rolling Guardium into production
Building the production Guardium solution–Size Guardium for the number of STAPs, collectors, aggregators, etc.–Size the number of collectors based on estimated audit data volume
and include failover contingency • And plan for the unexpected!
–Integrate Guardium into your disaster recovery strategy
Post production deployment–Monitor the collector usage closely for the first few weeks –Validate reports are meeting business requirements–Adjust collector sizing as appropriate–Adjust collection policy as appropriate–Deploy the archive strategy
© 2013 IBM Corporation31
Information Management – InfoSphere Guardium
Agenda
How InfoSphere Guardium on System z Provides Value
Planning an implementation
Implementing Guardium on System z into a non-production system
Rolling out Guardium on System z into production
Getting started with monitoring
Wrap up
© 2013 IBM Corporation32
Information Management – InfoSphere Guardium
Getting started with database monitoring
Produce the audit reports–Identify the contents of the report–See if there is a pre-built report that meets your
requirements–Use the Guardium GUI to build a custom report
Monitor the system for "expected" results - make sure things are reasonable and expected
Apply changes based on experience
© 2013 IBM Corporation33
Information Management – InfoSphere Guardium
Building the Guardium reports from the collected data
Guardium has over 100 pre-built reports including accelerators for PCI, HIPAA, SOX
Copy and modify existing reports or build your own using rich custom report builder
Use runtime parameters for rapid subsetting of the data:
–Changing the date ranges Changing the DBMS subsystem names
–Changing the user(s) ID that submitted the requests
–Many more options
Query builder for reports
Entities and attributes
© 2013 IBM Corporation34
Information Management – InfoSphere Guardium
Sample DB2 for z/OS Audit Report
Can mask values to avoid sensitive data leakage
Reports can be automated and run on a schedule
Reports can be routed to reviewers and approvers
34
Network vs local traffic
SQL with bind values
SQL with redacted values
© 2013 IBM Corporation35
Information Management – InfoSphere Guardium
Automating reviews and signoffs - ExampleBusiness Owner
(PCI Role)Information Security
(InfoSec Role)Guardium Admin
(Admin Role)
Reviewer can add comments, which are saved in audit
trail.
© 2013 IBM Corporation36
Information Management – InfoSphere Guardium
Agenda
How Guardium on System z Provides Value
Planning an implementation
Implementing Guardium on System z into a non-production system
Rolling out Guardium on System z into production
Getting started with monitoring
Wrap up
© 2013 IBM Corporation37
Information Management – InfoSphere Guardium
Keys to a successful implementation
The more you plan the fewer surprises you will have –Know the difference between monitoring and
auditing–Log only what the business needs–Get the broader team involved as necessary
(network, DBA, infosec)
Take advantage of IBM Professional Services –Quickly and efficiently deploy Guardium while
minimizing disruption to ongoing projects–Create deployment plans and architecture that
can expand and scale–Deploy basic monitoring and provide step by step
guidance for advanced monitoring if required–Educate your team at every step to accelerate
self-sufficiency
© 2013 IBM Corporation38
Information Management – InfoSphere Guardium
Bottom line
SAF (IBM RACF and CA products) plays a vital role in protection of resources on z/OS, but you also need audit event collection/reporting which is tamper resistant, real-time, and actionable.
InfoSphere Guardium on z/OS provides– Real-time, actionable activity monitoring and alerting– Tamper resistant audit repository– Clear separation of Roles and Responsibilities– Granular insights into activity– Automation, process consistency, and unique security
insights
Bottom line…..you need both RACF and Guardium for a robust security environment on z/OS
© 2013 IBM Corporation39
Information Management – InfoSphere Guardium
Resources
Data Sheet:InfoSphere Guardium for z/OS http://public.dhe.ibm.com/common/ssi/ecm/en/imd14429usen/IMD14429USEN.PDF
Replay of webcast: InfoSphere Guardium 9.0 – Delivering Big Data Protection for System z and beyond. http://www-01.ibm.com/software/os/systemz/webcast/18dec/ (register to access replay.)
Short Youtube demo of InfoSphere Guardium monitoring on DB2 for z/OS: http://www.youtube.com/watch?v=UeYYvSJiTuM&feature=plcp
InfoSphere Guardium S-TAP for DB2 on z/OS User’s Guide – PDF http://publib.boulder.ibm.com/infocenter/igsec/v1/topic/com.ibm.db2tools.adhz.doc.ug/adhugb90.pdf
InfoSphere Guardium S-TAP for VSAM on z/OS User’s Guide - PDF http://publib.boulder.ibm.com/infocenter/igsec/v1/topic/com.ibm.imstools.auv.doc.ug/auvugh90.pdf
© 2013 IBM Corporation40
Information Management – InfoSphere Guardium
40
Information, training, and community
InfoSphere Guardium YouTube Channel – includes overviews and technical demos
InfoSphere Guardium newsletter
developerWorks forum (very active)
Guardium DAM User Group on Linked-In (very active)
World of DB2 for z/OS Security, compliance and audit subgroup
Community on developerWorks (includes content and links to a myriad of sources, articles, etc)
Guardium Info Center (Installation, System Z S-TAPs and some how-tos, more to come)
Technical training courses (classroom and self-paced)
New! InfoSphere Guardium Virtual User Group. Open, technical discussions with other users.
Send a note to [email protected] if interested.
© 2013 IBM Corporation41
Information Management – InfoSphere Guardium
Reminder: Upcoming Guardium Tech Talks
Link to more information about these tech talks can be found on the InfoSpere Guardium developerWorks community: http://ibm.co/Wh9x0o
Title: Integrating QRadar and Guardium
Speakers: Luis Casco-Arias and Stephen Keim with Ty Weis
Date &Time: Wed, June 5, 2013
11:30 AM EDT
Register here: http://bit.ly/ZWznwA
Title: Planning a deployment
Speakers: Boaz Barkai and YosefRozenblit
Date &Time: Thursday, Jun 20, 2013
11:30 AM EDT
Register here: http://bit.ly/Yf2TwY
Special event: Webcast: Best Practices for Securing and Protecting MongoDB Data, hosted by 10gen, The MongoDB CompanyRegister at http://www.10gen.com/events/webinar/secure-protect-mongodb-data-partner
© 2013 IBM Corporation42
Information Management – InfoSphere Guardium
GraciasMerci
Grazie
ObrigadoDanke
Japanese
French
Russian
German
Italian
Spanish
Brazilian Portuguese
Arabic
Traditional Chinese
Simplified Chinese
Thai
TackSwedish
Danke
DziękujęPolish