TRANSCRIPT
Slide 1
© 2015 IBM Corporation
What's new in Guardium DAM V10: A technical overview
David Rozenblat, Director, Guardium Development, IBM Security
Kathy Zeidenstein, Guardium Evangelist and Community Advocate, IBM Security
September 17, 2015
IBM Security Guardium Tech Talk
This call is being recorded.
Please leave the web conference if you object.
Slide 2
Logistics
This tech talk is being recorded. If you object, please hang up and leave the webcast now.
We’ll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.
We’ll try to answer questions in the chat or address them at the speaker’s discretion.
– If we cannot answer your question, please include your email so we can get back to you.
When the speaker pauses for questions:
– We’ll go through the existing questions in the chat.
Slide 3
Guardium community on developerWorks
bit.ly/guardwiki (Right nav)
This is probably the best place to find content. It attempts to provide links to all available resources. Also, by signing up, you can get emails for new tech talks or other critical events.
Slide 4
Reminder: Next Guardium Tech Talk
A link to more information about this and upcoming tech talks can be found on the Guardium developerWorks community: http://ibm.co/Wh9x0o
Please submit a comment on this page with ideas for tech talk topics.
Next tech talk: A Technical Overview of IBM Security Activity Monitor for Files
Speakers: Daniel Stanca, Product Manager; Sagi Shechter, Guardium Development Manager
Date and time: Thursday, October 15th, 11:30 AM US Eastern (60 minutes)
Register here: https://ibm.biz/BdX5cZ
Slide 5
Agenda
Business overview
Enhancements that support analysis
Enhancements that support adaptability
Enhancements that support protection
Platform changes and upgrade roadmap - Important survey question
As you’ll see in this presentation, IBM has simplified the messaging around data protection to three key themes: Analyze, adapt, and protect. And that’s how we’ve grouped together the related V10 enhancements as well. We’ll also do a quick overview of the appliance platform changes because it has implications for upgrade. We have an important survey question at the end about migration and upgrade, so please try to stay through to the end. If you cannot, please post in the chat that you would be interested in migration services.
Slide 6
Data is challenging to secure
DYNAMIC: Data multiplies continuously and moves quickly
DISTRIBUTED: Data is everywhere, across applications and infrastructure
IN DEMAND: Users need to constantly access and share data to do their jobs
Dynamic nature of the data: Data is multiplying and it’s dynamic, moving around all over the place, in and out of your infrastructure.
Disparate and distributed data: Disparate data platforms and formats; small security teams and lots of applications; developers lack secure coding skills.
Demand for the data is increasing: A bottleneck forms when trying to control the usage; data is everywhere and needs to be accessed.
Slide 7
Guardium uses intelligence and automation to safeguard data
PROTECT: Complete protection for sensitive data, including compliance automation
ADAPT: Seamlessly handle changes within your IT environment
ANALYZE: Automatically discover critical data and uncover risk
IBM CONFIDENTIAL: NDA until August 25, 2015
At the highest level, Guardium offers complete data protection, using analytics to help automate risk identification, providing broad coverage, and dynamically adapting and scaling to a wide variety of IT environments.
Slide 8
ANALYZE. PROTECT. ADAPT.
Discovery, classification,vulnerability assessment, entitlement management
Encryption, masking, and redaction
Data and file activity monitoring
Dynamic blocking and masking, alerts, and quarantine
Compliance automation and auditing
ANALYTICS
The analyze, protect and adapt themes are manifested through a broad set of data security capabilities, which are all under one umbrella and integrated with each other to help you implement a complete solution. Analytics makes it possible to deal with the quantity of data you have and the quantity and velocity of data access to track, and to uncover patterns and detect and pinpoint suspicious activities. Centralization is the glue that makes the whole set of data security functions manageable across the array of heterogeneous data sources required to run the IT environment. This is the beauty of this approach: you get a central place to ask the common data security questions (for security, privacy or compliance) across all the enterprise data resources in a normalized way. And you can start at any point according to your needs, perhaps with simple compliance reporting, and grow from there.
Slide 9
Analyze
So let’s look at the set of new DAM capabilities that fall under the theme of analysis.
Slide 10
Analyze
New navigation and user experience
Quick Search for Enterprise and Investigation Dashboard
Classifier enhancements (backup)
David will be doing a demo of some of the new capabilities in the user interface and also the enterprise quick search and investigation dashboard. There are additional enhancements that are included in backup slides.
Slide 11
UI simplification and modernization
Assignable tasks with SOD
Customizable reports
Guided processes
At-a-glance operational dashboards
Enterprise-wide Quick Search
Drill-down analytics
Before I turn it over to David, I just want to briefly give an overview. The new UI has evolved, and will continue to evolve, along the lines of simplicity and modernization. The design is more task-oriented and provides guided processes such as the end-to-end discovery scenario that David will demonstrate. It’s also much easier to customize the UI, as David will demonstrate. For example, creating a view-only user with limited access is very easy to do.
Slide 12
Demo
Slide 13
Banner: use it to navigate through the UI or to search data or files (Quick Search)
To-do list
Notifications
The banner is a powerful control center with alerts, to-dos and an enhanced search bar. The UI search bar will be your best friend in helping you find a tool or report quickly by name. Notifications are covered in more detail in a backup slide.
Slide 14
Customizable navigation
Common navigation
Tools and reports related to the task
The left-hand navigation is now simplified and normalized across both administrator and user roles.
Slide 15
Report dashboard example
See tabular report
Mark as favorite
Customize display
Configure runtime parameters
Same chart, customized
Guardium includes hundreds of built-in reports as well as a flexible reporting capability that lets you create as many custom reports as you need. The sheer number of reports can make finding your own important reports a bit more challenging. Version 10 introduces the concept of “My Dashboards”. A dashboard is a user-personalized space in which you can drop reports and organize them for easy access. Each user can name their dashboards and create as many as they need. Using favorites lets you filter reports in audit processes or when creating new dashboards, so you don’t need to scroll through hundreds of reports or devise your own naming scheme to ensure that your reports sort to the top of the list. When adding a report to a dashboard, you can find it easily by name by typing the first few characters in any field that requires selection from a list.
Slide 16
Report dashboard creation
Type-ahead filter to quickly find reports / charts
Additional filters:
– Favorites
– Charts
– User-defined (not pre-defined) reports
Select a report / chart to add it to the dashboard
Slide 17
Dashboard layout
Customize layout into 1, 2, or 3 columns
Drag and drop to move reports / charts
Slide 18
Services Status: before and after (V9 and V10)
Setup > Tools and Views > Services Status
Centralized view of services
Direct access to enable or disable the service
Administrators will love this new central location to see the status of Guardium services. It also provides a one-stop launchpad to get to where you need to go to configure each service.
Slide 19
Accelerators now included in the base
Access Manager: user with SOX and PCI roles
Add roles to a user
Accelerators navigation menu
Prior to V10, the compliance accelerators (PCI, SOX, Basel II, and Data Privacy) had to be installed using separate patches. Now they are part of the base product offering and can be added to the user interface simply by configuring users with any of the corresponding roles (pci, sox, etc.). The first screenshot above shows the Guardium Access Manager giving a user the PCI and SOX roles. When that user next logs into Guardium, she sees the Accelerators navigation menu and can see the content for both accelerators.
Slide 20
Managing permissions has never been easier!
The process to customize the user interface and manage permissions for different roles has been dramatically simplified in Version 10. Everything is in one central location and uses a simple "slushbucket" approach. For example, if you want to create a very simple interface with only a few read-only reports for a particular auditor, it can be done quickly and easily. The Guardium access manager creates a new role called "Myfavoriteauditor". For that role, she goes to Manage Permissions and gives very limited permissions, as shown below, which include report builder, results viewing and audit to-do lists.
Slide 21
Customizing navigation is a snap
Specify what will show up in navigation
Then, the access manager goes to Customize Navigation Menu for that role and specifies which reports Myfavoriteauditor can see.
Slide 22
Customized navigation
Default navigation vs. customized navigation
Simplified, targeted layout for specific roles.
The resulting navigation is simple and targeted for that role.
Slide 23
Lifecycle workflow: Discover, review, schedule, protect
Creates a classification process and policy
Creates a security policy
Creates an audit process with receivers and a schedule.
An example of the direction that the Guardium UI is taking can be seen in a new task flow that takes you end to end through a guided workflow that goes from sensitive data discovery, to data protection (defining security policies), to compliance (defining audit process), without requiring users to jump from place to place in the user interface. If you go through the entire workflow, relevant artifacts are created such as a classification policy, an audit process to schedule the classification and even a security policy with the relevant access rules to protect discovered sensitive data.
Slide 24
Investigation Dashboard
• Color depth represents intensity of usage
• Hover over cells for details
• Click a cell or title for interactive filtering
• Click to view details in Quick Search without losing context.
We leverage the analytic tools to provide better ways to understand activity flows, even in a multi-dimensional environment. This allows for drill downs on specific areas of activity and to see how they affect other attributes in the environment. You will see in the demo how a set of two dimensional heat maps can give you a glimpse of where most activity happens, and then filter from there into how other relationships are affected.
Slide 25
Animation chart
Size of bubble reflects amount of data
Hover over circle to see details.
Activity over the last 48 hours is replayed.
Adds a time dimension to the investigation dashboard.
New animation chart: The animation chart adds an important dimension, time, to the Investigation Dashboard. This helps analysts visualize activity behavior over time using data in motion. The chart uses animated bubbles to represent activity over the last 48 hours (at most). The data is “auto-played”, with each frame representing an hour, and can be paused, much as you would when watching any video. All four dimensions used in the chart are configurable: the bubbles, their sizes, and the X and Y axes. For example, a bubble can be defined as a DB user, its area as the number of client IPs, its horizontal position as ACCESS activity, and its vertical position as the number of ERRORS, as shown in the following image. This view supports drill-down: clicking on a bubble adds the selected data elements to the filters, and all charts are filtered accordingly.
Slide 26
Adapt
A key focus this release has been in making Guardium more adaptable and easier to administer.
Slide 27
Adapt
Enterprise load balancing
GIM improvements for deployment and security
Enhanced instance discovery
S-TAP enhancements for performance and capability
Auto-run dependent jobs for scheduled processes (backup)
Database platform enhancements (backup)
MongoDB as an audit repository (backup)
Softlayer backup (backup)
Troubleshooting enhancements (backup)
Some of the capabilities are covered in the backup slides.
Slide 28
Enterprise load balancing
Removes the headache of manually managing collector allocation for new S-TAPs
– Configure the S-TAP to connect to a Load Balancer on the CM and let the load balancer find an appropriate Managed Unit
Dynamically rebalances workloads based on relatively current load data (such as sniffer queues)
Complete redesign of the 9.5 deliverable
Dynamic load balancing is available in centrally managed environments and reduces the workload on Guardium administrators by automating several tasks that previously required manual tracking and intervention. Dynamic load balancing:
– Eliminates the need to manually evaluate the load of managed units before assigning those managed units to an S-TAP agent.
– Eliminates the need to define failover managed units as part of post-installation S-TAP configuration, because the load balancer dynamically manages failover scenarios.
– Eliminates the need to manually relocate S-TAP agents from loaded managed units to less loaded managed units.
Restrictions: Dynamic load balancing is not supported for z/OS and IBM i S-TAPs.
Slide 29
Enterprise load balancer keeps track of how busy the collectors are
[Diagram: the Central Manager runs the Load Balancer and its Load Map (MU 1 = loaded … MU n = vacant); each managed unit MU 1 … MU n runs a change tracker alongside its MU DB.]
Two types of collection:
• Full load collection
• Single MU load collection
Full load collection happens dynamically (recommended) or statically
Single MU collection when load characteristics change (such as the number of S-TAPs)
Rebalancing occurs only after full load collection
Load balancer is a servlet running on the Central Manager
Change trackers are running on the managed units (MUs)
Load balancer dynamically reallocates MUs based on current load
• Collects a variety of statistics from each MU to make a determination of ‘loaded’ vs. ‘vacant’.
The dynamic load balancer is an application that runs only on the Central Manager. It requires no special configuration to run. The load balancer application is enabled on the Central Manager by setting LOAD_BALANCER_ENABLED=1. It affects the behavior only of those S-TAPs that are installed with the load_balancer_IP (the Central Manager IP) specified. The dynamic load balancer performs “load collection” periodically, which entails taking a snapshot of the current activity load for all active managed units and storing it in a load map. This load collection does not affect other activity on the Central Manager. You can specify the load collection to happen at a fixed interval or dynamically. Dynamic collection is the default and recommended setting. With dynamic collection, the interval is determined by the number of managed units (1 additional hour for every 10 managed units). Dynamic intervals guarantee a more accurate load map without the overhead of loading the CM with unnecessary load collections.
When is single load collection triggered?
• When load patterns have changed on the MU (e.g., the number of S-TAPs connected to a specific MU has changed).
Load change tracker agents on each MU track load-contributing factor changes:
• A tracker agent is a load balancer instance (servlet) running on each MU. This (mostly dormant) agent tracks specific ‘load change tracker’ factor changes (e.g., the SOFTWARE_TAP_PROPERTY table).
The load balancer transparently supports two types of collection:
• Full Load Collection – load information collected from all the managed units in the site
• Single MU Load Collection – load information collected from a single MU, caused by ‘load-contributing’ factor changes
If something changes for a particular managed unit that affects its load, such as a reduction or increase in the number of S-TAPs connected to it, the load balancer is notified through the change tracker on the MU, and updated information is sent to the load balancer. Once the load balancer has the load map, it can make informed decisions about which collectors are best suited for failover, new allocations, or rebalancing of S-TAPs. (Note that rebalancing can only happen after a full load collection and is controllable via a load balancer configuration parameter.)
Slide 30
Using groups to create load balancing zones
[Diagram: the Central Manager runs the Load Balancer and its Load Map (MU 1 = loaded … MU n = vacant). Zone 1: S-TAP Group 1 (STAP 1, STAP 2, STAP 3) is associated with MU_Group1; Zone 2: S-TAP Group 2 (STAP A, STAP B, STAP F, … STAP n) is associated with MU_Group2.]
It’s likely that you have different ‘zones’ for different groupings of database servers/S-TAPs and managed units. You can use the following two types of groups to set up your environment for load balancing: S-TAP groups and MU groups. You can create and associate these groups ahead of time in the Central Manager interface. The group names are case-sensitive. For the S-TAP groups, you must specify exactly what you will use to install the S-TAP itself (either the host name or the IP). You can use wildcards in your IP addresses, such as 192.168.1.*. You can also specify these groups during S-TAP installation. (The MU group must already exist. For S-TAP groups, if the group doesn’t already exist, Guardium will create it for you.)
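To make the allocation logic on the last two slides concrete, here is an added worked model (example code written for this write-up, not Guardium's own load balancer code) of a load map, zone-aware S-TAP allocation and the rebalancing caveat. The MU names, S-TAP group patterns, load statistics, weights and the 'loaded' threshold are constructed assumptions; the page only says that statistics such as sniffer queues and S-TAP counts decide 'loaded' vs. 'vacant', that group names are case-sensitive and that IP wildcards like 192.168.1.* are allowed.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed threshold on a constructed load score; the real determination uses
# statistics the page does not enumerate beyond sniffer queues and S-TAP counts.
LOADED_THRESHOLD = 100.0


@dataclass
class ManagedUnit:
    name: str
    mu_group: str
    stap_count: int
    sniffer_queue_pct: float  # how full the sniffer queue is, 0-100 (constructed)

    def load_score(self) -> float:
        # Assumed weighting: queue fullness plus 2 points per connected S-TAP.
        return self.sniffer_queue_pct + 2.0 * self.stap_count

    def state(self) -> str:
        return "loaded" if self.load_score() >= LOADED_THRESHOLD else "vacant"


# Group names are case-sensitive, and S-TAP group members use exactly the host
# name or IP given at S-TAP install time; IPs may carry wildcards (192.168.1.*).
STAP_GROUPS = {
    "S-TAP Group 1": ["192.168.1.*", "dbhost-03"],
    "S-TAP Group 2": ["10.0.*"],
}
# A zone is an S-TAP group associated with an MU group.
ZONES = {"S-TAP Group 1": "MU_Group1", "S-TAP Group 2": "MU_Group2"}


def make_managed_units() -> List[ManagedUnit]:
    """Constructed fleet: two MUs per MU group, one busy and one quiet in each."""
    return [
        ManagedUnit("MU1", "MU_Group1", stap_count=40, sniffer_queue_pct=80.0),
        ManagedUnit("MU2", "MU_Group1", stap_count=5, sniffer_queue_pct=10.0),
        ManagedUnit("MU3", "MU_Group2", stap_count=12, sniffer_queue_pct=30.0),
        ManagedUnit("MU4", "MU_Group2", stap_count=30, sniffer_queue_pct=55.0),
    ]


def full_load_collection(mus: List[ManagedUnit]) -> Dict[str, str]:
    """Snapshot every MU into the load map: name -> 'loaded' | 'vacant'."""
    return {mu.name: mu.state() for mu in mus}


def stap_group_for(host: str) -> Optional[str]:
    """Case-sensitive match of an install-time host name or IP against the S-TAP groups."""
    for group, members in STAP_GROUPS.items():
        if any(fnmatch.fnmatchcase(host, pattern) for pattern in members):
            return group
    return None


def allocate(host: str, mus: List[ManagedUnit], load_map: Dict[str, str]) -> Optional[ManagedUnit]:
    """Pick a collector for a newly installed S-TAP inside its zone.

    Prefers MUs marked vacant in the load map, otherwise the least loaded MU in
    the zone. The chosen MU's S-TAP count changes, which is the kind of event a
    change tracker reports through a single-MU load collection. Returns None when
    the host matches no S-TAP group (no zone, so no collector can be chosen)."""
    group = stap_group_for(host)
    if group is None:
        return None
    zone_mus = [mu for mu in mus if mu.mu_group == ZONES[group]]
    vacant = [mu for mu in zone_mus if load_map.get(mu.name) == "vacant"]
    candidates = vacant or zone_mus
    chosen = min(candidates, key=ManagedUnit.load_score)
    chosen.stap_count += 1
    load_map[chosen.name] = chosen.state()  # single-MU load collection
    return chosen


def rebalance_plan(mus: List[ManagedUnit], load_map: Dict[str, str],
                   after_full_collection: bool) -> List[Tuple[str, str]]:
    """(source, target) moves from loaded to vacant MUs within the same MU group.

    Mirrors the slide's caveat: nothing is rebalanced until a full load collection."""
    if not after_full_collection:
        return []
    moves = []
    for src in mus:
        if load_map.get(src.name) != "loaded":
            continue
        targets = [mu for mu in mus
                   if mu.mu_group == src.mu_group and load_map.get(mu.name) == "vacant"]
        if targets:
            moves.append((src.name, min(targets, key=ManagedUnit.load_score).name))
    return moves


if __name__ == "__main__":
    fleet = make_managed_units()
    load_map = full_load_collection(fleet)
    for new_host in ("192.168.1.15", "dbhost-03", "10.0.3.7", "172.16.0.9"):
        mu = allocate(new_host, fleet, load_map)
        print(new_host, "->", mu.name if mu else "no matching S-TAP group")
    print("rebalance:", rebalance_plan(fleet, load_map, after_full_collection=True))
```

Running the block allocates three new S-TAPs by host name or IP and then produces a rebalance plan. The plan is empty until a full load collection has happened, and a host that matches no S-TAP group gets no collector at all, which is the failure mode to look for when an install-time host name does not exactly match the group definition.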
Slide 31
Guardium installation manager (GIM) enhancements
Easier deployment of GIM clients
– From the GIM server, remotely activate GIM clients that were installed in “listener” mode
– Use GIM listener ‘auto discovery’ to find any servers that have GIM clients and activate them (next slide)
– Guardium admins don’t need access to the database server
Improved security using a remote certification authority
– Install the GIM client with the relevant certificate information or update it using the GIM GUI or API.
Installer enhancement to specify a failover GIM server when installing the GIM client for the first time
– --failover_sqlguardip <ip or hostname>
What is GIM? GIM eases the burden of maintaining modules that reside on the database server, such as CAS, S-TAP and Discovery. GIM consists of a GIM Server (on the Guardium appliance) and a GIM Client, a set of Perl scripts that run on each managed server. GIM:
– Checks for updates to installed software
– Transfers and installs new software
– Uninstalls software
– Updates software parameters
– Monitors and stops processes running on the database server
Easier deployment of GIM clients: Before V10, whenever a new database server was configured with the GIM client, it was necessary to know the IP address of the Guardium appliance it was connecting to. For organizations that stand up new database servers, this required additional communication between the DBA and the Guardium administrator, slowing down the deployment of the database server with Guardium monitoring. Now, using remote activation, a database server can be installed without specifying a Guardium IP address, which puts the GIM client in “listener” mode. Any GIM client in listener mode can be remotely activated from a collector without requiring additional configuration changes on the database server. You can also auto-discover any servers that have GIM clients in listener mode and then remotely activate any or all of those discovered clients. In sum, this enhancement enables IT organizations to roll out Guardium on all new servers without further interaction with the Guardium team, which can activate Guardium on the database server on its own.
Improved security using a remote certificate authority: Prior to V10, GIM connections between the database server and the GIM server used Guardium self-signed certificates. With V10, you can use an external certificate authority to authenticate these connections. It is fully backward compatible with older GIM clients. GIM client bundles are pre-installed with Guardium self-signed certificates. By default, new installations of GIM clients attempt to establish secure and authenticated connections with the GIM server over port 8446. You can use your own keys and certificates either by installing the GIM client with the relevant certificate information or by updating it using the GIM GUI or API. Updating keys and certificates throughout a large site can be a long process, and during that time there might be a mismatch between the GIM server’s and a GIM client’s certificates and keys. When a GIM client fails to connect to a GIM server (appliance) over port 8446 (secured and authenticated), it switches to the traditional secured port 8444 and writes an event in the GIM Events report.
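The port-8444 fallback described above is worth watching, because a client that has dropped back to 8444 is no longer authenticating the GIM server against your CA. Below is an added example (not Guardium code, and not the real GIM Events report layout, which the slides do not show) that parses a constructed sample of connection events and lists the clients whose most recent successful connection was on the legacy port, together with the reason their last 8446 attempt failed.

```python
import re
from typing import Dict, List

# Constructed sample of GIM client connection events, written for this example.
# The real GIM Events report layout is not shown on the page, so this
# "timestamp host event key=value ..." shape is an assumption.
SAMPLE_GIM_EVENTS = """\
2015-09-10 08:01:12 dbsrv01 CONNECT port=8446 result=ok
2015-09-10 08:01:15 dbsrv02 CONNECT port=8446 result=fail reason=certificate_mismatch
2015-09-10 08:01:16 dbsrv02 CONNECT port=8444 result=ok note=fallback
2015-09-10 08:02:40 dbsrv03 CONNECT port=8446 result=fail reason=certificate_mismatch
2015-09-10 08:02:41 dbsrv03 CONNECT port=8444 result=ok note=fallback
2015-09-10 09:15:02 dbsrv03 CONNECT port=8446 result=ok
2015-09-10 09:30:00 dbsrv04 CONNECT port=8446 result=fail reason=timeout
2015-09-10 09:30:01 dbsrv04 CONNECT port=8444 result=ok note=fallback
"""

AUTHENTICATED_PORT = 8446  # from the page: secured and authenticated (CA-verified)
LEGACY_PORT = 8444         # from the page: the traditional secured port used as fallback

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s+(?P<kv>.*)$")


def parse_events(text: str) -> List[Dict[str, object]]:
    """Parse the constructed event lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(pair.split("=", 1) for pair in m["kv"].split() if "=" in pair)
        events.append({"ts": m["ts"], "host": m["host"], "event": m["event"],
                       "port": int(fields.get("port", "0")),
                       "result": fields.get("result", ""),
                       "reason": fields.get("reason", "")})
    return events


def current_port_by_host(events) -> Dict[str, int]:
    """Port of each host's most recent successful connection (events are in time order)."""
    current: Dict[str, int] = {}
    for e in events:
        if e["result"] == "ok":
            current[e["host"]] = e["port"]
    return current


def fallback_report(events) -> Dict[str, str]:
    """Hosts currently on the legacy port, mapped to why their last 8446 attempt failed."""
    last_auth_failure: Dict[str, str] = {}
    for e in events:
        if e["port"] == AUTHENTICATED_PORT and e["result"] == "fail":
            last_auth_failure[e["host"]] = e["reason"]
    return {host: last_auth_failure.get(host, "unknown")
            for host, port in sorted(current_port_by_host(events).items())
            if port == LEGACY_PORT}


def hosts_on_legacy_port(events) -> List[str]:
    return list(fallback_report(events))


if __name__ == "__main__":
    for host, reason in fallback_report(parse_events(SAMPLE_GIM_EVENTS)).items():
        print(f"{host}: still on port {LEGACY_PORT} ({reason})")
```

Separating certificate mismatches from timeouts matters: the first group is the certificate rollout still in progress, the second needs a network look. A client that later reconnects on 8446 (dbsrv03 in the sample) drops out of the list, because only the latest successful connection counts.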
Slide 32
GIM auto-discovery process results in support of listener
[Screenshot columns: the original scanned IP range/port; specific IP where the GIM listener is running; host name where the listener is running; “Check” to activate; auto-populated collector (default: localhost); make the association.]
This shows the output of a GIM auto discovery process.
Slide 33
Enhanced instance discovery using S-TAP
Removed dependency on Java and external libraries
Enable on S-TAP installation:
– Noninteractive install flag --use-discovery
– GIM install – set STAP_USE_DISCOVERY to 1
When S-TAP is installed, inspection engines will be configured for discovered instances
After install, invoke process from S-TAP control
Can also invoke inspection engine creation via API from Discovered Instances report
With auto-discovery enabled, Guardium lets you use the power of S-TAP to discover the running instances on that server, including the information you need to automatically populate the inspection engine definitions. V10 makes this much easier by not requiring Java or any external libraries to accomplish the task. To enable instance discovery, use the following flags during S-TAP installation:
– Noninteractive install flag --use-discovery
– GIM install – set STAP_USE_DISCOVERY to 1
When installation is completed, S-TAP will be configured with inspection engines for all running databases.
To invoke instance discovery after installation, go to Manage > Activity Monitoring > S-TAP Control and select the Send Command icon as shown in the screenshot below. Notice that you can optionally replace all inspection engines in that S-TAP with the newly discovered configurations. The other option is to review the results in the Discovered Instances report and invoke the create_stap_inspection_engine API for one or more discovered instances.
Slide 34
S-TAP enhancements
S-TAP multithreading for intensive workloads such as warehouses
– Preserves ‘threadedness’ from the point of interception through to the collector
– Configure using participate_in_load_balancing = 4 and specify up to 5 sqlguard sections; this determines the number of main threads
– No failover support in this release.
64-bit UNIX/Linux binaries, which increase the amount of data that can be buffered (approx. 2GB per collector IP)
Recommended performance parameters turned on by default
– ktap_fast_tcp_verdict: Port information loaded into K-TAP on startup
– ktap_fast_shmem_verdict: Used for DB2 shared memory improvements
New platforms
– RHEL 7 x86_64
– SUSE 12 x86_64
– Ubuntu 14 x86_64
– Debian (supported via Ubuntu installer)
– Dropped support for AIX 5.3, SLES 9, Solaris 9
S-TAP multithreading: S-TAP multithreading can be used in certain workloads to prevent overrunning buffers in the S-TAP and the associated K-TAP. It works by preserving multiple threads from the point of traffic interception through to the point at which traffic is sent to the appliance. To enable S-TAP multithreading, configure the guard_tap.ini file with participate_in_load_balancing=4 and specify multiple sqlguard sections. The number of sqlguard sections determines the number of main threads, up to a maximum of 5. When used with pooled connections, the total number of threads to handle data can be up to 50 (10 * 5).
Considerations for use: In this configuration, no one Guardium system receives all the data from the S-TAP. The distribution is similar to that used when participate_in_load_balancing is set to 1. However, when a Guardium system becomes unavailable, no failover is provided in this release; data is queued until the reconnection occurs or the buffer is full. Important: Although participate_in_load_balancing 1 and 4 are similar, they do not send the same sessions to the same place, so if you are using 1 and switch to 4, your sessions will move machines and you will lose the access information for those sessions. Also, as when participate_in_load_balancing is set to 1, encrypted and unencrypted A-TAP traffic may not be sent to the same Guardium system. Make sure to use the same policy on all the connected Guardium systems; if the policies are different, there is no guarantee which policy is in effect on a given session.
64-bit session keys reduce the likelihood of collisions causing dropped traffic. This is part of the S-TAP multithreading improvements and the change to 64-bit: multithreading preserves some of the threadedness from the kernel side through to the collector to reduce lock contention and increase the amount of traffic that can be collected. Multithreading helps primarily when there are large numbers of sessions, but a 32-bit session key has an increased likelihood of colliding with an existing session and causing a loss of interception in this environment; switching to a 64-bit session key reduces the chance of a collision impacting the collected traffic.
ktap_fast_tcp_verdict: This is an existing parameter that is now on by default. When set to 1, the TCP port information is loaded into K-TAP when S-TAP starts up. As a result, K-TAP is no longer dependent on S-TAP to determine which TCP connections should be monitored, which reduces the likelihood of database performance degradation if S-TAP becomes slow. For more information about this parameter, see the IBM Redbook, Deployment Guide for InfoSphere Guardium.
ktap_fast_shmem_verdict: Similar to the behavior already supported for Informix, this is a new parameter that pushes the recommended information for DB2 shared memory configurations to the K-TAP. This means that K-TAP is not dependent on S-TAP to determine which shared memory connections should be monitored. In general, don’t turn this off.
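As an added example (written for this transcript, not shipped Guardium code), the following Python checks a constructed guard_tap.ini for the multithreading settings just described and estimates the session-key collision risk that the 64-bit change addresses. The [SQLGUARD_n] section naming and the sqlguard_ip/sqlguard_port keys are assumptions about the file layout; the page only says that participate_in_load_balancing=4 plus multiple sqlguard sections enable the feature, with at most 5 main threads and up to 10 pooled threads per main thread.

```python
import configparser
import math
from typing import Dict, List

# Constructed sample guard_tap.ini for this example (not a file from the page).
# Assumption: sqlguard sections are named [SQLGUARD_n] and carry sqlguard_ip /
# sqlguard_port; the page only says "multiple sqlguard sections".
SAMPLE_GUARD_TAP_INI = """
[TAP]
tap_ip=10.20.30.40
participate_in_load_balancing=4
ktap_fast_tcp_verdict=1
ktap_fast_shmem_verdict=1

[SQLGUARD_0]
sqlguard_ip=10.20.30.1
sqlguard_port=16016

[SQLGUARD_1]
sqlguard_ip=10.20.30.2
sqlguard_port=16016

[SQLGUARD_2]
sqlguard_ip=10.20.30.3
sqlguard_port=16016
"""

MAX_MAIN_THREADS = 5   # page: number of sqlguard sections, capped at 5
POOLED_PER_MAIN = 10   # page: up to 50 threads = 10 * 5 with pooled connections
MULTITHREAD_MODE = 4   # page: participate_in_load_balancing=4


def parse_guard_tap(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def sqlguard_sections(cp: configparser.ConfigParser) -> List[str]:
    return [s for s in cp.sections() if s.upper().startswith("SQLGUARD")]


def multithreading_summary(cp: configparser.ConfigParser) -> Dict[str, object]:
    """Work out what the S-TAP would do with this config and collect the caveats."""
    tap = cp["TAP"]
    mode = tap.getint("participate_in_load_balancing", 0)
    n = len(sqlguard_sections(cp))
    warnings: List[str] = []
    if mode == MULTITHREAD_MODE:
        main_threads = min(n, MAX_MAIN_THREADS)
        if n > MAX_MAIN_THREADS:
            warnings.append(f"{n} sqlguard sections but only {MAX_MAIN_THREADS} main threads are used")
        if n < 2:
            warnings.append("participate_in_load_balancing=4 with a single sqlguard section gives one thread")
        warnings.append("no failover in this release: traffic for an unavailable collector is queued "
                        "until it reconnects or the buffer fills")
        warnings.append("use the same policy on every listed collector; sessions are split across them")
    else:
        main_threads = 1
    for param in ("ktap_fast_tcp_verdict", "ktap_fast_shmem_verdict"):
        if tap.getint(param, 1) != 1:  # both are on by default in V10
            warnings.append(f"{param} is turned off; the recommended setting is on")
    return {"mode": mode, "sqlguard_sections": n, "main_threads": main_threads,
            "max_data_threads": main_threads * POOLED_PER_MAIN, "warnings": warnings}


def collision_probability(sessions: int, key_bits: int) -> float:
    """Birthday-bound estimate that two of `sessions` concurrent sessions draw the same random key."""
    keyspace = 2.0 ** key_bits
    return 1.0 - math.exp(-sessions * (sessions - 1) / (2.0 * keyspace))


if __name__ == "__main__":
    summary = multithreading_summary(parse_guard_tap(SAMPLE_GUARD_TAP_INI))
    print(summary)
    for bits in (32, 64):
        p = collision_probability(100_000, bits)
        print(f"{bits}-bit session key, 100000 sessions: p(collision) = {p:.3g}")
```

The collision estimate is the standard birthday bound 1 - exp(-n(n-1)/2^(b+1)) for n concurrent sessions and a b-bit key. With 100,000 sessions a 32-bit key collides with probability above 0.5 while a 64-bit key stays below 10^-6, which is the quantitative reason behind the slide's statement that the larger key reduces collisions.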
Slide 35
Guardium supports complex IT environments … examples of supported databases, Big Data environments, file shares, etc.
[Diagram of supported environments: Applications (CICS, WebSphere, Siebel, PeopleSoft, E-Business); Databases (DB2, Informix, IMS); Data Warehouses (Netezza, PureData for Analytics, DB2 BLU); Database Tools; Enterprise Content Managers; Big Data Environments; Files (VSAM, z/OS Datasets, FTP); Cloud Environments; Windows, Linux, Unix.]
In V10, Guardium has expanded its DAM capabilities to keep current with new releases. In addition, there are sometimes significant enhancements in our support, such as improved support for Teradata encryption and improved capabilities for parsing and logging Hadoop activity. Please read the release notes or the what’s new article for more details. And of course, the biggest enhancement was in adding support for files beyond what we already have on z/OS. This is a whole new offering, and our next tech talk will cover that in much more detail.
Slide 36
Protect
Now we’ll look at the capabilities that fall under the category of data protection and which are available with advanced versions of DAM.
Slide 37
Protect (Advanced)
Fine grained access control
Blocking and redaction for Hadoop queries from Hive and Impala (Backup)
The biggest enhancement in this space is called fine-grained access control, which is a dynamic, policy-based method to change queries on the way to the database. You may hear this called ‘query rewrite’ since that is what we call the tooling inside Guardium. We’ve also added blocking and redaction for Hive and Impala queries in Hadoop. We already support both for Big SQL, so now it’s also included for Hive queries and for Impala, which is Cloudera’s query language. That is covered in the backup.
Slide 38
Fine-grained access control: protect sensitive data without impacting your business
Row-level masking (only dept #20)
Column-level masking (only dept#)
Use cases:
• Outsource production DB access
• Protect PII from privileged users
• Testing on production data
• Honey pot
Supported databases: DB2 (LUW), Oracle, SQL Server
With Guardium’s implementation of fine-grained access control, administrators have the ability to protect sensitive data without making database changes. Basically, it provides the ability to modify the SQL statement that gets sent to the database, based on the current runtime user and the other policy conditions you specify, such as client IP, database object, time of day, etc.
For a classic dynamic data masking scenario, you can mask which columns are returned, so you can make sure that salary and commission data are not returned to unauthorized users. Or you can hide the rows that are returned, for example by adding a WHERE clause; in this case you could evaluate the dbuser and ensure that the managers of the relevant departments see only data from their departments. In both cases shown here, you can see that the statement entered by the user is the same. All the magic happens behind the scenes. This is extremely powerful. You can even use this capability to RESTRICT activity. For example, to prevent deletions from a database, you could always change a delete statement to be a no-op. Use cases could be:
• Need to open up the production DB, perhaps to an outsourced DBA, without affecting DB access controls or compromising private information
• Need to enforce access to PII to comply with PCI or HIPAA, and keep track of who requested masked data
• Need to transform data (anonymization) without affecting application logic, while protecting the privacy of the original data
• Provide fictitious data to possible attackers to allow time for investigation.
Slide 39
Fine-grained access control architecture
[Diagram: the user DB2INST issues "Select * from Employee"; the Guardium collector checks the policy (when DBuser=DB2INST and Object=Employee, apply the query rewrite definition); the rewritten SQL "Select EMPNO, FRSTNAME, LASTNAME From EMPLOYEE" goes back to the S-TAP, which releases it to the database server, and the results of the rewritten SQL are returned to the user.]
1. User issues SQL.
2. S-TAP holds the SQL and checks the policy rules for conditions.
3. If the conditions are met, Guardium rewrites the query and sends it to the S-TAP.
4. S-TAP releases the rewritten query to the database server.
5. Results are sent back to the user.
S-TAP parameters:
qrw_installed=1
qrw_default_state=0
qrw_force_watch=NULL
qrw_force_unwatch=NULL
Firewall_timeout=10
Rule actions: query rewrite attach, query rewrite apply definition, query rewrite detach
FGAC and firewall cannot be used on the same session.
Here’s the runtime architecture for the solution. For those of you familiar with S-GATE terminate, it’s much the same. You need to set up the S-TAP ahead of time to enable query rewrite. The flow is, the user enters a SQL statement for one of the supported databases. We can assume in this case that a query rewrite “watch” has been put on this particular user session.
When this user enters a SQL statement in a watched session, the S-TAP holds the statement and checks it against the policy rules.
If the conditions are met (maybe in this case the object is EMPLOYEE and the user is DB2INST), Guardium rewrites the query and sends it back to the S-TAP. It rewrites the query based on query definitions that the administrator has already defined. The query rewrite policy rule points to that definition.
The S-TAP releases it to the database server.
The results from the rewritten query are sent back to the user.
Output: a modified SQL statement based on the user-specified QRW definitions; the user gets the query results evaluated by the modified SQL. New rule actions in v10, triggered by installed access policy rules:
- Query Rewrite Attach
- Query Rewrite Detach
- Query Rewrite: Apply Definition
Slide 40
40© 2015 IBM Corporation
Workflow through runtime
(Diagram: Joe queries the Customer table; the rewritten query does not return rows of Government customers.)
1. Create query rewrite definition…
2. Create security policy… When database type = Oracle and User = Joe and Object = Customer…. then apply the definition
3. At runtime Joe queries the Customer table… and the rewritten query does not return rows of Government customers
This just shows the overall workflow and an example of the UI in which you create the query rewrite definitions. The UI provides an interface in which you can enter a model query and modify it by adding a WHERE clause, adding a UDF, or basically changing it any way you like. In this case, any select on customer is rewritten to add a WHERE clause so that customers of type government are not returned (hiding rows). That query rewrite definition is applied by name in the query rewrite apply definition policy action. So the query rewrite rule is applied to customer queries only when the specific conditions are met: only when Joe is the user and the database type is Oracle.
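The policy check and rewrite flow on slides 39 and 40, as an added Python example (not Guardium code): an in-memory SQLite table stands in for the database server, three constructed rewrite definitions cover the column-hiding, row-hiding and delete-to-noop cases described earlier, and the rule evaluation mirrors steps 2 and 3 of the architecture slide. The column names, the MANAGER_DEPT lookup, the Rule/Session objects and the rewrite log are assumptions made for the example.

```python
import re
import sqlite3
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample rows standing in for the EMPLOYEE table on the slides
# (column names are assumed; the slide's FRSTNAME is spelled FIRSTNAME here).
EMPLOYEES = [
    ("000010", "CHRISTINE", "HAAS", "A00", 152750),
    ("000020", "MICHAEL", "THOMPSON", "B01", 94250),
    ("000030", "SALLY", "KWAN", "C01", 98250),
]
# Hypothetical lookup of the department each manager DB user is responsible for.
MANAGER_DEPT = {"MGR_B01": "B01", "MGR_C01": "C01"}


@dataclass
class Session:
    db_user: str
    watched: bool = True   # True once a "Query Rewrite Attach" rule has fired


@dataclass
class Rule:
    """One 'Query Rewrite: Apply Definition' policy rule and its conditions."""
    object_name: str
    definition: Callable[[str, Session], str]
    db_user: Optional[str] = None   # None matches any DB user
    command: Optional[str] = None   # e.g. "DELETE"; None matches any verb


# Query rewrite definitions (what the Query Rewrite Builder would hold).
def hide_salary(sql: str, _s: Session) -> str:
    """Slide 39: SELECT * on EMPLOYEE becomes an explicit, salary-free column list."""
    return re.sub(r"select\s+\*\s+from\s+employee\b",
                  "SELECT EMPNO, FIRSTNAME, LASTNAME FROM EMPLOYEE", sql, flags=re.I)


def own_department_only(sql: str, s: Session) -> str:
    """Hide rows by appending a WHERE clause derived from the runtime DB user;
    a user with no known department gets no rows (fail closed), not all of them."""
    dept = MANAGER_DEPT.get(s.db_user.upper())
    if dept is None:
        return sql.rstrip(" ;") + " WHERE 0"
    # dept comes from a trusted lookup table, never from user-supplied text
    return sql.rstrip(" ;") + f" WHERE WORKDEPT = '{dept}'"


def delete_to_noop(sql: str, _s: Session) -> str:
    """Neutralise deletions by replacing the statement with a harmless no-op."""
    return "SELECT 'deletion suppressed' WHERE 0"


def statement_object(sql: str) -> str:
    m = re.search(r"\b(?:from|update|into)\s+(\w+)", sql, re.I)
    return m.group(1).upper() if m else ""


def evaluate(rules, session: Session, sql: str) -> Optional[Rule]:
    """Steps 2-3 of slide 39: first rule whose conditions all match, else None."""
    if not session.watched:          # no attach => statement passes untouched
        return None
    verb = sql.lstrip().split()[0].upper()
    for r in rules:
        if (r.object_name.upper() == statement_object(sql)
                and (r.db_user is None or r.db_user.upper() == session.db_user.upper())
                and (r.command is None or r.command.upper() == verb)):
            return r
    return None


REWRITE_LOG = []   # (user, input SQL, output SQL): what the query rewrite report records


def run(conn, rules, session: Session, sql: str):
    """Steps 1-5: hold the SQL, rewrite it if a rule matches, release it, return results."""
    rule = evaluate(rules, session, sql)
    final_sql = rule.definition(sql, session) if rule else sql
    REWRITE_LOG.append((session.db_user, sql, final_sql))
    return final_sql, conn.execute(final_sql).fetchall()


def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EMPLOYEE (EMPNO TEXT, FIRSTNAME TEXT, LASTNAME TEXT, "
                 "WORKDEPT TEXT, SALARY INTEGER)")
    conn.executemany("INSERT INTO EMPLOYEE VALUES (?, ?, ?, ?, ?)", EMPLOYEES)
    return conn


RULES = [
    Rule("EMPLOYEE", delete_to_noop, command="DELETE"),   # any user: deletes become no-ops
    Rule("EMPLOYEE", hide_salary, db_user="DB2INST"),     # DB2INST never sees SALARY
    Rule("EMPLOYEE", own_department_only),                # everyone else: own department only
]
```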
Slide 41
41© 2015 IBM Corporation
Use case: Production database for testing
Exposing a database to a production environment for testing purposes without exposing private data
Before – Displaying all values in the database
After – Guardium uses fine grained access control to change columns / mask data
Query rewrite report shows actual runtime queries.
You can see here that Guardium does record the input and output SQL when a query definition has been applied at runtime. In this example, we want to mask data for testing purposes, so you can call a UDF to change the results.
Slide 42
42© 2015 IBM Corporation
Use case: Multi tenancy Scenario
Enhance access controls in which multiple users and applications share a single database.
• Display data based on run time parameters (eg USER)
• Enhance existing access controls
(Screenshot: rows and columns returned for non-government customers; user TSHIRAI cannot see name or birth date; user ADMIN cannot see name.)
This use case enforces security in multi-tenancy scenarios where multiple users and applications share a single database, but where not all users and applications should have access to all data. In this case, we’ve restricted the rows that are returned to show only non-government customers for all users. Also, in this case user TSHIRAI is not allowed to see complete values for name or birthdate, but ADMIN is restricted only from name.
Slide 43
43© 2015 IBM Corporation
Benefits of fine-grained access control
Dynamic data masking at database layer
May reduce dependence on test data systems
Support multi-tenancy environments
Does not require the involvement of the DBA
Centralized policy for supported database types (MS SQL, Oracle, and DB2)
So, Guardium has had dynamic data masking that allowed you to apply regular expressions to result sets. The capability provided by query rewrite is much more powerful and flexible. We’ve demonstrated a few possible use cases. If you have SQL skills, you do not necessarily need to involve the DBA in this. And you can use the centralized policy management capabilities provided by Guardium across all supported platforms.
Slide 44
© 2015 IBM Corporation
Upgrade/migration roadmap
We don’t have much time to spend on this and we’ll have a separate tech talk on this subject. But I wanted to make sure we give you a brief overview of the new appliance specs, and please do stick around for the survey question.
Slide 45
45© 2015 IBM Corporation
Appliance technical specs
Underlying appliance OS upgraded to RHEL v6.5 64-bit version (v9.5 was RHEL 5.11)
MySQL DB version upgraded to v5.6.24
RAM – Minimum 24 GB
CPU/vCPU – Minimum 4 cores
HD – Minimum 300 GB
– Upgraded system hard drive range (300 GB to < 2 TB)
– Newly built system (300 GB to > 2 TB, i.e. MUCH GREATER)
Original v9.5 OS: RHEL 5.11. Original v9.5 MySQL: upgraded to v5.6.24. We’re enforcing the 24 GB minimum. Hard drive support is vastly extended for those of you who do new installations on V10. GPT (GUID Partition Tables) allocates 64 bits for logical block addresses, therefore allowing a maximum disk size of 2^64 blocks = 9.4 Zettabytes.
Slide 46
46© 2015 IBM Corporation
Upgrade limitations
Upgrade procedure limitations
– V10 upgrade patch available only for 64-bit version appliances at GPU level v9.0p200 or higher
– Upgrade procedure is not available for customers with customized partitions
– Upgrade procedure does not support resizing or realignments of the partitions.
Restore from system backup stored in previous version
– V10 supports restoring system backup file from any v9.x version.
Upgrade is a major procedure in V10 because of the new operating system and other reasons. Thus, there are some restrictions listed here.
Slide 47
47© 2015 IBM Corporation
Upgrade roadmap
Transition path to V10 appliance:
Source appliance | Rebuild/Restore backup | Upgrade
64-bit v9.0p200 or later | yes | yes
32-bit v9.0p200 or later | yes | no
v9.0 - v9.0p100 | yes | no
v8.2 or earlier | no | no
See the V10 Knowledge Center upgrade topic for more details.
For a limited time: Customers on 64-bit 9.5 environments may be eligible for a
controlled upgrade program for a limited number of appliances. Send a note to
Carrie Rogers ([email protected]) to see if you are eligible.
This is a high level roadmap. Basically it says what I said before in terms of when you HAVE to use rebuild/restore from backup vs an upgrade path. For those of you who are already on a 64-bit 9.5 environment, you may wish to get some added assistance from the lab to try the upgrade out on a limited number of appliances.
Slide 48
© 2015 IBM Corporation
Important survey question
If you are currently running 32-bit Guardium, would you be interested in having IBM services contact you about a migration to Version 10?
1. Yes
2. No
3. N/A (We have 64-bit Guardium)
4. N/A (I am an IBMer or BP)
Slide 49
49© 2015 IBM Corporation
Guardium supports the whole data protection journey
(Diagram of the journey stages, from an acute compliance need through to comprehensive data protection:)
Acute compliance need: Database monitoring focused on changed data, automated reporting
Sensitive data discovery: Perform vulnerability assessment, discovery and classification
Address data privacy: Find and address PII, determine who is reading data, leverage masking
Expand platform coverage: Big data platforms, file systems or other platforms also require monitoring, blocking, reporting
Comprehensive data protection: Dynamic blocking, alerting, quarantine, encryption and integration with security intelligence
Today we’ve talked about one slice of the Guardium data protection suite and even with that we could have talked for hours. Guardium includes so much more to support your data protection roadmap, no matter where you are starting from, such as those who have an immediate compliance need through to those who grow to comprehensive data protection that includes full use of our analytics capabilities and integration with IBM Security intelligence capabilities.
Slide 50
50© 2015 IBM Corporation
Resources
V10 Overview webcast (includes activity monitoring for files)
Overview Solution Brief
DAM solution brief
Announcement letter
Detailed Release notes
System requirements
DeveloperWorks article – coming soon!
UI demo on YouTube (more coming)
High level Upgrade Roadmap
Activity Monitoring for Files resources:
Activity Monitoring for Files Demo on YouTube
Supported files for FAM
Slide 51
51© 2015 IBM Corporation
Information, training, and community cheat sheet
Guardium Tech Talks – at least one per month. Suggestions welcome!
Guardium YouTube Channel – includes overviews, technical demos, tech talk replays
developerWorks forum (very active)
Guardium DAM User Group on Linked In (very active)
Community on developerWorks (includes discussion forum, content and links to a myriad of sources, developerWorks articles, tech talk materials and schedules)
Guardium on IBM Knowledge Center (was Info Center)
Deployment Guide for InfoSphere Guardium Red Book
Technical training courses (classroom and self-paced)
IBM Security Guardium Virtual User Group. Open, technical
discussions with other users. Not recorded!
Send a note to [email protected] if interested.
There are currently two Guardium certification tests.
If you are looking into taking an IBM professional product certification exam, you may look into taking the 000-463 certification (http://www-03.ibm.com/certify/tests/ovr463.shtml). Upon completion of the 000-463 certification, you will become an IBM Certified Guardium Specialist (http://www-03.ibm.com/certify/certs/28000701.shtml).
The certification requires deep knowledge of the IBM InfoSphere Guardium product. It is recommended that the individual have experience implementing the product before taking the exam. You can view the detailed topics here: http://www-03.ibm.com/certify/tests/obj463.shtml
Details of each topic are covered in the product manuals. You will also find the Guardium InfoCenter a useful resource when you prepare for the exam: http://www-01.ibm.com/support/knowledgecenter/SSMPHH/SSMPHH_welcome.html
Slide 52
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security
Mandatory closing slide with copyright and legal disclaimers
Slide 53
53© 2015 IBM Corporation
Classifier enhancements
Classifier has seen an upsurge of interest from the user community
Improvements in user experience, performance, and management of false positives
Easy to set up exclusion groups
One match per column: Classifier will record the first hit for any given column and ignore it thereafter for subsequent rules.
In addition to the incorporation of classification into an overall workflow as described above, the following enhancements are also included: Better controlling false positives by using “excluded groups” for schema, table, and table/column. Previously, it could be a complex process to set up Guardium to ignore false positive results for future classification scans. Now, when you review classifier results, you can easily add false positive results to an exclusion group as shown below, and add that group to the classification policy to ensure those results are ignored in future scans.
Slide 54
54© 2015 IBM Corporation
Database platform support highlights
Database | Enhancement
DB2 LUW | UID chain captured through DB2_Exit
DB2 for i | TLS encryption to collector and S-TAP-based load balancing
z/OS platforms | Multi-stream load balancing. Quarantine for DB2 users. (many more to be covered in a separate talk)
Hadoop | Improved collection/parsing (targeted inspection engines). Blocking and redaction for Hive and Impala. (will be covered in detail in a separate talk)
Informix | New exit (ifxguard) for Informix shared memory processing (replaces A-TAP). Supports firewall (blocking) and UID chaining. Informix 12.10xC5W1 and later.
Oracle | Added SSL for 12c. Added ASO for Windows 12c
Sybase | Added support for 16
Sybase IQ | Added shared memory support via A-TAP
Teradata | Added support for 15.10 including A-TAP for encrypted user names and traffic
NOT a complete list.
Current Informix interception via standard IEs on UNIX and A-TAP on Linux has a number of limitations (limit of 50 or fewer shared-memory connections per poll thread, occasional blank DB_USER and SOURCE_PROGRAM). The new exit relieves those. K-TAP and A-TAP interception have been improved to significantly reduce the blank DB_USER and SOURCE_PROGRAM issues and other traffic loss issues:
- Improved Informix A-TAP applicable only to Informix 11.50+
- Informix EXIT library developed in conjunction with the Informix team for the most reliable interception; similar to the DB2 exit; supports firewall and UID chain
- Applicable to Informix 12.10xC5W1 and above
Sybase ASE A-TAP supports IPs and ports:
- Previously, IP and ports would not be populated in the decrypted session. ANALYZE_CLIENT_IP, unlike Oracle, would not get populated by the collector.
- When ports are configured during A-TAP configuration, real IPs and ports will be captured along with the decrypted traffic and sent to the collector for population in the tables.
- Classic Sybase ASE A-TAP without IPs and ports is still usable by not specifying the ports during configuration.
Oracle 12 SSL A-TAP (not just Linux):
- Version 9 supports Oracle 12 with A-TAP for ASO but not SSL
- SSL requires instrumentation on all platforms (unlike previous Oracle versions, which only required instrumentation on AIX)
Slide 55
55© 2015 IBM Corporation
MongoDB as audit repository
For use cases such as:
– Post-processing audit data
– Longer online retention requirements
Audit data is written simultaneously to the Guardium repo and JSON files on the collector
Use grdapi to send JSON data to a MongoDB database
Some organizations would like to write audit data outside of the Guardium collector for reasons such as: to “post-process" the audit information for fraud and other analytics; to store information in another data store that can scale larger than our current collector capacity, for longer on-line retention requirements. In Version 10, it’s possible to concurrently write audit data to both the collector database and JSON-formatted files that can be transferred to a MongoDB document database. Important: Unlike the Guardium collector, the MongoDB database is not a hardened repository. Access to the audit data should be carefully restricted and monitored using Guardium. How it works: when properly configured, the parsed audit data is sent simultaneously to the Guardium collector repository and written in JSON format to a file in the following directory: /var/IBM/Guardium/data/auditlog. When a file is ready to be loaded into MongoDB, it is marked with the suffix .ready. Use the Guardium API command grdapi mongodb_load to send all ready files to MongoDB.
Slide 56
56© 2015 IBM Corporation
Job scheduling dependency management
Helps ensure accurate data before running a job (eg groups populated from classifier)
Applies to all ‘schedulable’ jobs (audit processes, policy installations, group population from
query…
Scheduler will automatically find all the subordinate jobs and run them in order
– For example, group population for groups in the policy should run first
There is a retry sequence in case of a failure (default is 3 tries)
APIs to list job dependency tree, scheduled jobs, job dependencies….
Job Dependency Scheduler: The Guardium collector has many tasks, such as policy installation, audit processes, group updates, etc., that are scheduled to run periodically. The job dependencies feature finds all jobs that have a direct relationship to, and impact on, the success of the task you are trying to schedule. Unless you find the jobs that are defined as prerequisites for the job you are trying to schedule, there is a chance the task will rely on inaccurate data, which might lead to false or inaccurate results.
Feature highlights:
– The user marks a scheduled job to find and run dependencies at run time.
– When the scheduler runs the job, it automatically finds all the subordinate jobs and runs them in order.
– There is a retry sequence in case of a failure.
Finding dependencies: identify scenarios that require dependencies; identify runnable vs. non-runnable jobs; calculate pre-defined job dependencies.
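The dependency lookup and retry sequence described above, as an added Python example (hypothetical code, not Guardium's scheduler): jobs are found prerequisites-first by a depth-first walk of a constructed job graph, each job gets the default three tries, and a job that exhausts its retries stops its dependents from running on stale data. The job names, the graph and the flaky job are constructed for the example.

```python
from typing import Callable, Dict, List, Tuple


class JobFailed(Exception):
    """Raised when a job is still failing after its last retry."""


class DependencyScheduler:
    """Hypothetical scheduler modelled on the slide: before running a job it finds every
    subordinate job, runs them prerequisites-first, and retries each up to `retries` times."""

    def __init__(self, jobs: Dict[str, Callable[[], bool]],
                 deps: Dict[str, List[str]], retries: int = 3):
        self.jobs = jobs        # job name -> callable returning True on success
        self.deps = deps        # job name -> names of the jobs it depends on
        self.retries = retries  # slide: default is 3 tries
        self.run_log: List[Tuple[str, int, bool]] = []   # (job, attempt, succeeded)

    def dependency_tree(self, job: str) -> List[str]:
        """Depth-first walk of the dependency graph; returns jobs in execution order."""
        order: List[str] = []
        done = set()

        def visit(name: str, path: frozenset) -> None:
            if name in path:
                raise ValueError(f"dependency cycle through {name}")
            if name in done:
                return
            if name not in self.jobs:
                raise KeyError(f"unknown job {name}")
            for prereq in self.deps.get(name, []):
                visit(prereq, path | {name})
            done.add(name)
            order.append(name)

        visit(job, frozenset())
        return order

    def _run_with_retry(self, name: str) -> None:
        for attempt in range(1, self.retries + 1):
            ok = bool(self.jobs[name]())
            self.run_log.append((name, attempt, ok))
            if ok:
                return
        raise JobFailed(name)

    def run(self, job: str) -> List[Tuple[str, int, bool]]:
        """Run `job` and its prerequisites in order; stop at the first job that exhausts its retries,
        so nothing downstream runs on data that was never refreshed."""
        for name in self.dependency_tree(job):
            self._run_with_retry(name)
        return self.run_log


def flaky(failures: int) -> Callable[[], bool]:
    """Constructed job that fails `failures` times, then succeeds (a transient error)."""
    remaining = [failures]

    def job() -> bool:
        if remaining[0] > 0:
            remaining[0] -= 1
            return False
        return True
    return job


def build_demo() -> DependencyScheduler:
    """Constructed job graph: an audit process needs the policy installed, which needs the
    'sensitive objects' group populated, which needs a fresh classifier scan."""
    jobs = {
        "classifier_scan": lambda: True,
        "populate_sensitive_group": flaky(2),   # succeeds on the third try
        "install_policy": lambda: True,
        "audit_process": lambda: True,
    }
    deps = {
        "populate_sensitive_group": ["classifier_scan"],
        "install_policy": ["populate_sensitive_group"],
        "audit_process": ["install_policy"],
    }
    return DependencyScheduler(jobs, deps)
```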
Slide 57
57© 2015 IBM Corporation
Softlayer as a backup store
(Diagram: two Guardium systems perform backup and archive to, and restore from, containers in IBM SoftLayer Object Storage, organized as container clusters under an object storage account.)
Long term storage is a critical consideration for satisfying audit requirements that may require storage of audit data for up to 7 years. The ability to archive and backup to the cloud gives you another option for storage off premises. In addition, backing up the configuration of Guardium appliances to the cloud is useful for maintaining a disaster recovery environment, so that if a local data center has a failure, you can restore the configuration of the appliance from the image that is stored in the cloud. Guardium now supports SoftLayer Object Storage as a repository for both audit data and configurations, whether your Guardium system is in a local data center or in the cloud. SoftLayer object storage provides self-healing storage for massive amounts of data. There are object storage centers around the world, so you can avoid issues of moving sensitive data across country boundaries.
Slide 58
58© 2015 IBM Corporation
Supportability enhancements
Banner notifications
– Low system memory (RAM)
– Quick Search memory + CPU cores minimum requirement
– Certificate expiration (mysql, GUI, GIM, etc.)
– Central Management failure
– SSLv3 enabled
– No License
Improved user-friendly license acceptance process through UI
Centralized supportability and troubleshooting tools in Manage>Maintenance
See tech talk “Best kept secrets of Guardium supportability” for other items you may not be aware of. Contact Kathy Zeidenstein for replay links and slides.
(Screenshots: banner notification, license acceptance status, troubleshooting tools)
Update notifications are filtered based on their relevancy to the specific customer’s appliance:
– Filtering based on the Guardium appliance major version (only v10 or later)
– Filtering based on the GPU level of the appliance: ad hoc patches dependent on the same GPU level, universal sniffer updates (no dependency), security updates (no dependency), more recent GPU patches
Slide 59
59© 2015 IBM Corporation
Hadoop blocking (Hive/Impala) (S-GATE TERMINATE)
1. Policy: Block privileged user access to customer data through Hive
2. Privileged user attempts to read customer data and is blocked
3. Access attempt is reported as a policy violation
Important: Because of the way Hive and Impala traffic is processed in Hadoop, you must do the following in the blocking policy rules:
• Specify the DBTYPE in the blocking (S-GATE ATTACH and S-GATE TERMINATE) policy rules; that is, either Impala or Hive.
• Ensure that ATTACH happens on a combination of user and object/command.
Slide 60
60© 2015 IBM Corporation
Hadoop Redaction (Hive / Impala)
Masked Hive data in Hue/Beeswax
Important: Specify Hive or Impala in DBTYPE for Redact rules
Masked Hive data on the command line
Redaction is configured by using extrusion rules in Guardium policies. Again, be sure to specify Hive or Impala in the DBTYPE for these rules. Here is an example of a Hive query in which social security and credit card numbers have been redacted.
Slide 61
61© 2015 IBM Corporation
Query rewrite workflow
1. Create query definitions based on what you want to control (Query Rewrite Builder):
• Restrict columns
• Restrict rows
• Limit what users can do
• Restrict what users can access
• Completely replace part or all of a query
2. Determine the conditions in which to rewrite the query (Policy Builder):
• specific users, client IPs, objects, commands?
3. Test the query rewrite definitions with real test queries (Query Rewrite Builder). (Note, you will likely need to use policies to fine tune the behavior.)
4. Validate the runtime effect in a QA environment (Query rewrite report).
Slide 62 Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.
U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity.
IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.
Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.
Legal notices and disclaimers
Mandatory legal notices and disclaimers slide for external presentations