IS security expert. Guardium Data Encryption: data protection. July 2014
What is IBM InfoSphere Guardium Data Encryption?
• Security for your structured and unstructured data
• High-performance encryption, access control and auditing
• Data privacy for both online and backup environments
• Unified policy and key management for centralized administration across multiple data servers
• Transparency to users, databases, applications and storage
• No coding or changes to the existing IT infrastructure
• Protects data in any storage environment
• User access to data works the same as before
• Centralized administration
• Policy and key management
• Audit logs
• High availability
Relationship to the IBM Data Protection suite
• Data Encryption is complementary to the other security products
• Data Encryption strengths: transparent data encryption, key management, file access control (all managed from the GDE Server)
Guardium Data Encryption
Requirements: ensure compliance and protect enterprise data with encryption
• Protect sensitive enterprise information and avoid data breaches
• Minimize impact on production
• Enforce separation of duties by keeping security administration and data administration separate
• Meet government and industry regulations (e.g. PCI-DSS)
Benefits
• Protect data from misuse
• Satisfy compliance requirements, including proactive separation of duties
• Scale to protect structured and unstructured data across heterogeneous environments without enterprise changes
GDE Use Cases
Database Encryption
• Usage: encrypt tablespace, log and other database files
• Common databases: DB2, Informix, Oracle, MSSQL, Sybase, MySQL…
Unstructured Data Encryption
• Usage: encrypt and control access to any type of data used by a LUW (Linux, UNIX, Windows) server
• Common data types: logs, reports, images, ETL, audio/video recordings, documents, big data…
• Examples: FileNet, Documentum, Nice, Hadoop, home-grown applications, etc.
Cloud Encryption
• Usage: encrypt and control access to data used by cloud instances
• Common cloud providers: Amazon EC2, Rackspace, MS Azure
GDE Design Concept
• Typical approach: full disk encryption on each endpoint system
• InfoSphere Guardium Data Encryption approach: centralized encryption covering database exports, databases, application logs, file/print servers, document ingest (spreadsheets, PDFs, scanned images), staging areas and FTP servers
GDE Architecture
Components:
• GDE Security Server
• GDE Secure File System Agent
Diagram: users and applications access databases and files through the OS; the File System Agent sits between the file system and the storage (SAN, NAS, DAS). Policy is used to restrict access to sensitive data by user and process information provided by the OS. Agents talk to the GDE Security Server (with failover) over https/SSL/TLS; the server holds the key, policy and audit log store.
GDE Security Server
• Policy and key management
• Centralized administration
• Separation of duties
Data Encryption Architecture
Diagram: authenticated users and applications access DBMS servers, file servers and FTP servers, each running a DE Agent on its file system over the online files. Agents authenticate to the IBM DE Server (active/active) with SSL and x.509 certificates over https; the server holds the key, policy and audit log store and is managed through web administration.
Data Encryption Security Server
• Policy and key management
• Centralized administration
• Separation of duties
GDE: How It Works
Diagram: applications read and write clear-text file data; the DE Agent applies the policy and stores the file data encrypted on disk, while the file-system metadata (name, created and modified dates) stays in the clear for data management.
• Protects sensitive information without disrupting data management
• High-performance encryption
• Data access as an intended privilege
GDE Policies: authentication, authorization, audit, context-aware access control
• Who? Filters the users or groups who may access protected data, and the applications users may invoke to access protected data
• What? Identifies the file system operations available to the user/application combination
• Where? Identifies protected data (e.g. file, directory, wildcard)
• When? Verifies the authorized time window available for access by window-sensitive tasks (e.g. backup, contract employees)
• How? Separates the ability to access data from the ability to view data
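The "How It Works" and "GDE Policies" slides above describe a transparent agent that encrypts on write, decrypts on read, and applies a context-aware policy keyed on user, process, operation, path and time window, with "access without view" for tasks such as backup. The following is an added illustrative model of that policy evaluation, not Guardium code: the rule format, the user and process names, and the HMAC-SHA256 counter-mode keystream (a stand-in for the product's AES) are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed demo key (hypothetical); in a real deployment keys come from the
# security server's key store, never from a constant in the agent.
DEMO_KEY = hashlib.sha256(b"constructed demo key, not a real key").digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric stream operation: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


@dataclass(frozen=True)
class Request:
    user: str
    process: str
    operation: str   # "read" or "write"
    path: str
    hour: int        # local hour (0-23) of the access attempt


@dataclass(frozen=True)
class Rule:
    users: frozenset          # Who: user names allowed by this rule
    processes: frozenset      # Who: executables allowed; empty set means any process
    operations: frozenset     # What: file system operations
    path_prefix: str          # Where: protected directory
    hours: tuple              # When: (start, end), start <= hour < end
    effect: str               # How: "permit" (cleartext), "permit_nodecrypt", "deny"

    def matches(self, req: Request) -> bool:
        return (
            req.user in self.users
            and (not self.processes or req.process in self.processes)
            and req.operation in self.operations
            and req.path.startswith(self.path_prefix)
            and self.hours[0] <= req.hour < self.hours[1]
        )


def evaluate(rules, req: Request) -> str:
    """First matching rule wins; anything unmatched is denied by default."""
    for rule in rules:
        if rule.matches(req):
            return rule.effect
    return "deny"


class Agent:
    """Model of the file-system agent: ciphertext at rest, policy checked per I/O."""

    def __init__(self, rules):
        self.rules = rules
        self.files = {}    # path -> (nonce, ciphertext); file names stay cleartext
        self.audit = []    # (user, process, operation, path, effect) per attempt

    def write(self, req: Request, data: bytes) -> bool:
        effect = evaluate(self.rules, req)
        self.audit.append((req.user, req.process, req.operation, req.path, effect))
        if effect != "permit":
            return False
        nonce = os.urandom(16)                       # fresh nonce per file version
        self.files[req.path] = (nonce, xor_crypt(DEMO_KEY, nonce, data))
        return True

    def read(self, req: Request):
        effect = evaluate(self.rules, req)
        self.audit.append((req.user, req.process, req.operation, req.path, effect))
        if effect == "deny" or req.path not in self.files:
            return None
        nonce, ciphertext = self.files[req.path]
        if effect == "permit_nodecrypt":
            return ciphertext                        # backup copies the file, cannot view it
        return xor_crypt(DEMO_KEY, nonce, ciphertext)


# Constructed rule set (hypothetical names): the database engine gets cleartext under
# its tablespace directory, the backup client gets ciphertext only, a report service
# may write reports, and contractors may read reports only during business hours.
RULES = [
    Rule(frozenset({"db2inst1"}), frozenset({"db2sysc"}), frozenset({"read", "write"}),
         "/data/db2/", (0, 24), "permit"),
    Rule(frozenset({"backup"}), frozenset({"backupclient"}), frozenset({"read"}),
         "/data/", (0, 24), "permit_nodecrypt"),
    Rule(frozenset({"reportsvc"}), frozenset({"reportgen"}), frozenset({"write"}),
         "/data/reports/", (0, 24), "permit"),
    Rule(frozenset({"contractor"}), frozenset(), frozenset({"read"}),
         "/data/reports/", (9, 17), "permit"),
]
```

The point the model makes is that root-level or out-of-process access (for example the same database user reading a tablespace through a copy utility instead of the database engine) falls through to the default deny and is recorded in the audit trail, while the backup account can still move the file because it receives ciphertext.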
GDE Segregation of Duties
Administrator roles: Key Administrator, Server Administrator, Policy Administrator, Audit Administrator
• Roles provide separation of duties for Data Encryption administrators
• Server Administrator role: provides the administration/configuration capabilities relevant to the security server
• Domain Administrator: assigns accounts their security roles
• Key Administrator role: allows the administrator to generate and manage keys
• Policy Administrator role: allows the administrator to create and manage policies
• Host Administrator role: applies policies to hosts
• Audit Administrator role: required to purge audit logs
Distributed Enforcement, Centralized Management
Diagram: production, DEV and QA environments over LAN/WAN with SAN, NAS and DAS storage, all enforced locally and managed from the centralized security servers.
• Centralized security server:
• Multiple database instances
• Online and offline
• Heterogeneous databases