Data Security & Privacy for iSeries
Dean Compher, Big Data Portfolio Technical Sales Specialist
@db2Dean
facebook.com/db2Dean
www.db2Dean.com
dcomphe@us.ibm.com
Perimeter Defenses No Longer Sufficient
“A fortress mentality will not work in cyber. We cannot retreat behind a Maginot Line of firewalls.” - William J. Lynn III, U.S. Deputy Defense Secretary
• Insiders (DBAs, developers, outsourcers, etc.)
• Outsourcing
• Stolen Credentials (Zeus, etc.)
• Web-Facing Apps
• Legacy App Integration/SOA
• Employee Self-Service, Partners & Suppliers
Addressing the Full Lifecycle of Database Security & Compliance
Agenda
• Data Security – Guardium Database Activity Monitoring
  • Alert on Access Policy Violations
  • Audit and Report Activity
• Data Privacy – Optim Test Data Management
  • Mask Data Copied to Test
  • Create Subsets
  • Automate Test Data Refresh
  • Improve Security with Better Testing
Real-Time Database Monitoring with InfoSphere Guardium
(Diagram: host-based probes (S-TAPs) on the database servers send activity to a Collector)
• Enforces separation of duties
• Does not rely on DBMS-resident logs that can easily be erased by attackers or rogue insiders
• Granular, real-time policies & auditing
  • Who, what, when, how
• Automated compliance reporting, sign-offs & escalations (SOX, PCI, NIST, etc.)
• Non-invasive architecture
  • Outside the database
  • Minimal performance impact (1-3%)
  • No DBMS or application changes
• Cross-DBMS solution
• 100% visibility, including local DBA access
Scalable Multi-Tier Architecture
(Diagram: iSeries systems reporting into the multi-tier Guardium architecture)
• Integration with LDAP, IAM, IBM Tivoli SIEM, IBM TSM, Remedy, …
Extend real-time Data Activity Monitoring to also protect sensitive data in data warehouses, Big Data Environments and file shares
NEW: Big Data Environments (InfoSphere BigInsights)
• Integration with LDAP, IAM, SIEM, TSM, Remedy, …
Extended data security platform coverage: S-TAP for System i
Providing a complete and native data security solution for System i (DB2 6.1, 7.1)
• Monitors privileged user activity in real time
• Enables complete separation of duties
• Helps satisfy auditors’ requirements and ensure compliance
Protect sensitive data on your System i deployments, ensuring compliance with mandates like PCI easily and cost effectively
3 Types of Rules
(Diagram: (1) the SQL query sent from the client to the database server, (2) the result set returned to the client, (3) an exception returned by the server, e.g. an invalid table)
There are three types of rules:
• An access rule applies to client requests
• An extrusion rule evaluates data returned by the server
• An exception rule evaluates exceptions returned by the server
Fine-Grained Policies with Real-Time Alerts
(Diagram: Database Server 10.10.9.56, Application Server 10.10.9.244)
2. Extrusion Definition to Alert on an Unauthorized Result Set
Example rule: monitor the SQL Server database on 10.10.9.248; for any user who is not Bill, send an alert per match
Monitoring Data Extrusion
• Should my customer service rep view 99 records in an hour?
• Is this normal?
3. Policy Exception Rule - Preventing Attacks
Rogue users know what they’re looking for, but they don’t always know where to find it!
• SQL injection leads to SQL errors!
• Brute force attacks result in failed logins!
Guardium: 100% visibility with real-time alerts …
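The three rule types above (access, extrusion, exception) and the two example policies (alert on result sets on 10.10.9.248 for anyone but Bill; 99 records in an hour; bursts of SQL errors or failed logins) can be shown as a small evaluator. This is an added example, not Guardium code: the event format, thresholds, sensitive-table list and the sample events are all constructed for the illustration.

```python
"""Added example (not Guardium code): a minimal evaluator for access,
extrusion and exception rules over constructed database-activity events."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, the kind of record a host-based probe would hand a
# collector. kind is "request" (client SQL), "result" (rows returned to the
# client) or "exception" (an error the server returned). All values invented.
EVENTS = [
    {"ts": "2013-05-01T09:00:00", "user": "bill",    "server": "10.10.9.248", "kind": "request",   "sql": "SELECT * FROM customers WHERE id = 7"},
    {"ts": "2013-05-01T09:00:01", "user": "bill",    "server": "10.10.9.248", "kind": "result",    "rows": 1},
    {"ts": "2013-05-01T09:05:00", "user": "csrep",   "server": "10.10.9.248", "kind": "request",   "sql": "SELECT * FROM customers"},
    {"ts": "2013-05-01T09:05:01", "user": "csrep",   "server": "10.10.9.248", "kind": "result",    "rows": 99},
    {"ts": "2013-05-01T09:06:00", "user": "dba1",    "server": "10.10.9.56",  "kind": "request",   "sql": "select pan, expiry from cards"},
    {"ts": "2013-05-01T09:06:01", "user": "www",     "server": "10.10.9.56",  "kind": "exception", "code": "42S02"},
    {"ts": "2013-05-01T09:06:02", "user": "www",     "server": "10.10.9.56",  "kind": "exception", "code": "42S02"},
    {"ts": "2013-05-01T09:06:03", "user": "www",     "server": "10.10.9.56",  "kind": "exception", "code": "42000"},
    {"ts": "2013-05-01T09:10:00", "user": "sa",      "server": "10.10.9.56",  "kind": "exception", "code": "18456"},
    {"ts": "2013-05-01T09:10:01", "user": "sa",      "server": "10.10.9.56",  "kind": "exception", "code": "18456"},
    {"ts": "2013-05-01T09:10:02", "user": "sa",      "server": "10.10.9.56",  "kind": "exception", "code": "18456"},
    {"ts": "2013-05-01T09:40:00", "user": "appuser", "server": "10.10.9.56",  "kind": "request",   "sql": "SELECT pan FROM cards WHERE id = 1"},
]

# Policy parameters: assumptions for this illustration, not product defaults.
SENSITIVE_TABLES = {"cards"}
APP_ACCOUNTS = {"appuser"}        # accounts expected to read card data
EXTRUSION_SERVER = "10.10.9.248"  # the slide's rule: alert on any result set there...
EXTRUSION_OK_USER = "bill"        # ...returned to any user other than Bill
MAX_ROWS_PER_HOUR = 50            # "should a rep view 99 records in an hour?"
MAX_ERRORS_PER_5MIN = 3
LOGIN_FAILED = "18456"            # SQL Server's login-failure error number

def _ts(ev):
    return datetime.fromisoformat(ev["ts"])

def _prune(window, now, span):
    """Drop entries older than `span` from a (timestamp, value) deque."""
    while window and now - window[0][0] > span:
        window.popleft()

def access_rule(ev):
    """Access rule: applies to the client request (the SQL text)."""
    if ev["kind"] != "request":
        return []
    tables = {t.lower() for t in re.findall(r"\bFROM\s+(\w+)", ev["sql"], re.I)}
    hit = tables & SENSITIVE_TABLES
    if hit and ev["user"] not in APP_ACCOUNTS:
        return [f"ACCESS {ev['user']}@{ev['server']}: read sensitive table(s) {sorted(hit)}"]
    return []

def extrusion_rule(ev, rows_by_user):
    """Extrusion rule: evaluates what the server returned, not what was asked."""
    if ev["kind"] != "result":
        return []
    alerts = []
    if ev["server"] == EXTRUSION_SERVER and ev["user"] != EXTRUSION_OK_USER:
        alerts.append(f"EXTRUSION {ev['user']}@{ev['server']}: result set returned to non-approved user")
    window = rows_by_user[ev["user"]]
    window.append((_ts(ev), ev["rows"]))
    _prune(window, _ts(ev), timedelta(hours=1))
    total = sum(r for _, r in window)
    if total > MAX_ROWS_PER_HOUR:
        alerts.append(f"EXTRUSION {ev['user']}@{ev['server']}: {total} rows in the last hour")
    return alerts

def exception_rule(ev, errors_by_key):
    """Exception rule: evaluates errors the server returned (bursts of SQL errors or failed logins)."""
    if ev["kind"] != "exception":
        return []
    key = (ev["user"], ev["server"], ev["code"] == LOGIN_FAILED)
    window = errors_by_key[key]
    window.append((_ts(ev), 1))
    _prune(window, _ts(ev), timedelta(minutes=5))
    if len(window) == MAX_ERRORS_PER_5MIN:  # fires when the count reaches the threshold
        what = "failed logins" if key[2] else "SQL errors"
        return [f"EXCEPTION {ev['user']}@{ev['server']}: {len(window)} {what} within 5 minutes"]
    return []

def evaluate(events):
    """Run every event, in time order, through the three rule types; return the alerts."""
    rows_by_user = defaultdict(deque)
    errors_by_key = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=_ts):
        alerts += access_rule(ev)
        alerts += extrusion_rule(ev, rows_by_user)
        alerts += exception_rule(ev, errors_by_key)
    return alerts

if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(alert)
```

Note that the extrusion rule looks only at the `result` events, so a query that was allowed by the access rule can still alert once the volume it returns becomes abnormal, and the exception rule keys failed logins separately from other errors so each burst is reported on its own.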
Identifying Fraud via Application-Layer Monitoring
Issue: the app server uses a generic service account to access the DB, which doesn’t identify WHO initiated the transaction (connection pooling)
Solution: track access by the application user associated with specific SQL commands
• Deterministic identification vs. time-based “best guess”
• Out-of-the-box support for all major enterprise apps (Oracle EBS, PeopleSoft, SAP, Siebel, Business Objects, Cognos, etc.)
• Plus custom apps (WebLogic, WebSphere, Oracle AS, etc.)
• No changes to applications
(Diagram: users Joe and Marc reach the Application Server, which connects to the Database Server as the shared account AppUser)
Workflow Automation
Schedule & automate tasks
• Compliance reporting
• Automatically generate reports
• Distribute to oversight team
• Track electronic sign-offs
• Escalate when required
• Store process trail in secure repository
Demonstrates oversight process for auditors
Accelerators
Software modules harnessing Guardium's extensive capabilities to address the requirements of security mandates
• Customizable mandate-specific reports, policies, tools and workflows
• Greatly improve security and streamline audit preparation
• Increased operational efficiency through automation of compliance
• Simplified validation of broad ranges of requirements
Mandates covered: Basel II, HIPAA, GLBA, PCI, Sarbanes-Oxley
Protect data in real-time and ensure compliance in unstructured Hadoop big data environments
Big data environments help organizations:
• Process, analyze and derive maximum value from these new data formats as well as traditional structured formats in real-time
• Make more informed decisions instantaneously and cost effectively
  • Turn 12 terabytes of Tweets into improved product sentiment analysis
  • Monitor 100’s of live video feeds from surveillance cameras to identify security threats
Big data brings big security challenges: as big data environments ingest more data, organizations will face significant risks and threats to the repositories in which the data is kept
NEW: Introducing Hadoop Activity Monitoring
Monitor and audit Hadoop activity in real-time to support compliance requirements and protect data
• Real-time activity monitoring of HDFS, MapReduce, Hive and HBase data sources
• Automated compliance controls
• Fully integrated with the InfoSphere Guardium solution for database activity monitoring
• View Hadoop systems alongside other data sources
Expand system openness and integration with Universal Feed
Universal Feed opens the InfoSphere Guardium system, enabling all capabilities to be applied to custom applications and niche data sources
• Opens the InfoSphere Guardium protocol (agent to Collector) to clients and 3rd-party companies
• Provides a means of supporting fragmented segments of the market: custom applications, niche databases, etc.
• Data auditing model; not a SIEM
• The customer/partner is responsible for developing the interface to the system to be integrated (e.g. an S-TAP equivalent)
• Open industry-standard protocol used to simplify development
• Supports the full set, or a subset, of InfoSphere Guardium capabilities
  • Monitoring and protection
  • Real-time
  • Secure audit trail, compliance workflow automation, etc.
Universal Feed Overview
(Diagram: the Universal Feed Agent, built with the Guardium Toolkit by an agent developer, captures events and sends audit data to the Guardium Appliance as Guardium messages; the appliance processes and stores the audit messages and sends information back to the agent)
Universal Feed Agent (agent developer: partner, customer or 3rd party)
• Responsible for capturing events with audit interest
• Responsible for sending the audit data using Guardium-defined messages
• Responsible for receiving and processing Guardium messages (policies, pings, etc.)
Guardium Collector
• Accepting connections from the Universal Feed Agent
• Processing and storing audit data
• Sending information to the Universal Feed Agent (policy, pings, etc.)
• Alerting if the Universal Feed Agent doesn’t send a heartbeat
InfoSphere Optim: Intelligent Move of Structured Data
(Diagram: source data from Production or Development is extracted, with its reference and contextual data, into an Archive or into Test Data; archived data is retrieved or restored, with universal access through SQL, XML, ODBC/JDBC, report writers, applications and IBM Mashup)
Intelligent Move of Structured Data is a process that captures contextual source data for the purpose of archiving and accessing historical data
Uses shown: data privacy for test data, current SQL access to archived data, populating test databases with privatized data
Supporting Enterprise Environments
Capabilities: Discovery, Test Data Management, Data Privacy, Data Growth, Application Retirement
Organization environments are diverse, yet interrelated; therefore what you use to manage the data MUST work across your environment
Our Unique Capability: The Complete Business Object
• Business view: a “reference snapshot” of business activity
• DBA view: a referentially-intact subset of data
• Related LUW files or documents
• Federated access to data and metadata (Oracle, DB2, Sybase, Adabas)
Example: JD Edwards Accounts Payable Archiving
(Diagram of the related tables in the AP business object, each marked Reference Only, Archive Only, or Archive & Delete. Tables: F0004, F0005, F0006, F0008, F0010, F0011, F0012, F0013, F0014, F0015, F00151, F0018, F0025, F0101, F0401, F0411, F0413, F0414, F0901, F0902, F0909, F0911, F0911T, F1113, F11151, F4008. Descriptions: Ledger Tag, Account Ledger, Company Master, BU Master, AB Master, AAI’s, Batch Control, AP Ledger, AP Header, AP Details, Tax table, Tax Area, UDC, UDC Types, Account Master, Account Balances, Fiscal Date Pattern, LT Master, Chart of A/C, Currency Codes, Payment Terms, Supplier Master, Currency Restatement Rate, Currency Ex. Rate, Currency Ex. Rate Calculation, Currency Exchange Rate Header, Information Management)
Referential Integrity Rules: A Word About Relationships...
(Diagram: relationships stored in the database (catalog, system tables, data dictionary) and in the Optim Directory (access definitions, DB aliases, maps))
• DB relationships are automatically derived from database RI rules
• Application-specified relationships
  • Can be defined individually to Optim
  • Can be imported into Optim from DDL
  • Can be automatically discovered by InfoSphere Discovery
• Shared by all Optim components
Automate Discovery and Accelerate Information Understanding
• Significant acceleration of Information Agenda projects
  • Application/Data Consolidation, Migration & Retirement
  • Data Growth Management
  • Master Data Management and Data Warehousing
  • Test Data Management
  • Sensitive Data De-identification
• Why is this different?
  • Data-based discovery
  • Automate discovery of business entities, cross-source business rules & transformation logic
  • Evaluate multiple data sources simultaneously
  • Identify & remediate cross-system rules and inconsistencies
Drivers for Test Data Management Projects
• Quality
  • Bad data
  • Unidentified test cases
  • Test automation approach (Rational, Borland, MI, …)
  • Verification of test results
• Parallelism (multiple sandboxes)
  • Tunnel effect
  • Multi-project testing
• Storage
  • Reduce storage
  • Include in a cost control project
• Data Privacy / Compliance
How Does Test Data Management Impact Storage Cost?
(Chart: Production compared with the Training, Unit Test, Integration, System Test and UAT environments: 76% less storage)
InfoSphere Optim Test Data Management Solution
(Diagram of the test data lifecycle)
• Create/modify application
• Copy production data for testing: Relational Extract (subset and privatize)
• Inspect and add data to test error routines: Relational Edit
• Correct errors in production data: Relational Edit
• Archive old data: Optim Archive
• Compare before/after data: Relational Compare
• Refresh test data: Relational Extract
• TEST, then Go Production!!!
The Relational Extract Facility
Extract a relationally intact subset from production database(s)
(Diagram: the CUSTOMERS, ORDERS and DETAILS tables are extracted to an Extract File, which is used to create NewDB/New_DB, to insert/update TESTDB, or to produce Load Files for QADB)
• Extract data and/or object definitions
  • From multiple tables (files) that are related
  • From multiple tables (files) that are not related
  • From single tables (files)
  • All data or a subset
• Define a new set of test tables
• Populate target databases
• Refresh target databases
Saves: programmer/DBA time, disk space utilization, testing interference
Traditional vs. Relational Tools
Single Table Editors
• One table/view at a time
• No edit of related data from multiple tables
The Relational Editor
• Simultaneous browse/edit of related data from multiple tables (CUSTOMERS, ORDERS, DETAILS)
Speeds time to create boundary test cases. Simplifies the edit process.
Optim’s Relational Compare Facility
• Single-table or multi-table compare
• Creates a compare file and/or a compare report of results
• For application testing, QA, and to verify database contents
• Enhances productivity by finding unexpected changes in the data
(Diagram: Source 1 and Source 2 go through the Optim Compare Process, producing a Compare File for interactive browse and a Compare Report used to verify test results)
Saves QA validation time. Improves test accuracy.
Architecture: Test Data Management/Data Privacy
(Diagram: CUSTOMER, HR and FINANCE/BUDGET databases each carrying an EMPL table; Optim on Windows extracts from DB2/i and from Windows, Unix, Linux and z/OS sources into extract files and load files that feed Test systems 1-4 (labels: QFED, Application 2); masking can be applied on extract, on insert or on load)
Server Name
• Server address or name
• DB Alias
• Connectivity via DB client software
Work Directory
• Server file system
Storage Profile
• Storage and retention policy
Optim™ Data Privacy Solution
Contextual, Application-Aware, Persistent Data Masking
(Diagram: Production Siebel / DB2, Custom / Sybase and EBS / Oracle systems masked into their Test counterparts)
• Substitute confidential information with fictionalized data
• Deploy multiple masking algorithms
• Provide consistency across environments and iterations
• Enable off-shore testing
• Protect private data in non-production environments
Drivers for Privacy of Non-Production Data
• Regulatory & Compliance
  • PCI
  • HIPAA
  • EU Safe Harbour
  • …
• Offshoring test
• Sub-contracting test & dev.
• Good business practice
  • Sensitive data
  • Training environments
Data Privacy in Application Testing
(Diagram: only users authorized to see private data run the extract; CUSTOMERS, ORDERS and DETAILS are extracted from production, sensitive data is transformed/masked, and the sanitized Extract File feeds TESTDB (insert/update) and QADB (load files))
Extract a relationally intact subset from production database(s), then transform/mask sensitive data
• Most secure approach
  • Extract data only
  • Convert during extract
  • Extract file already contains masked data
  • Can be shared with testers to reuse sanitized data
Masking Functions
Built-in functions: Social Security (US, …), Credit Card, Email, Hash Lookup, Lookup, Random Lookup, NAME tables (US), ADDRESS table (US), Shuffle, String manipulation, …
• Column Map
  • Map unlike column names
  • Transform/mask sensitive data
  • Datatype conversions
  • Column-level semantic date aging
  • Literals
  • Registers
  • Calculations
  • Default values
  • Substring
  • Exits
  • Currency conversion
Consistent Masking and Propagation across the Enterprise
(Diagram: Client and Billing application databases (DB2): data is masked, and the masked fields are consistent across both)
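The Relational Extract, mask-on-extract, masking-function and consistent-masking slides above describe one pipeline: pull a referentially intact subset, mask the sensitive columns as they are read, and mask the same value the same way wherever it appears. The following is an added example, not Optim code: it uses Python's sqlite3 in place of DB2 for i, a constructed three-table schema and data, a hypothetical masking key and a fictional NAME table, and shows hash-lookup, string-manipulation and format-preserving masks that stay consistent across separately masked databases because they are keyed hashes of the source value.

```python
"""Added example (not Optim code): relationally intact subset extraction with
keyed, consistent masking on extract, over constructed in-memory data."""
import hmac
import hashlib
import sqlite3

MASK_KEY = b"constructed-demo-key"  # assumption: secret held by the privacy team, never shipped to test
# Constructed fictional NAME lookup table (stands in for a NAME table).
NAME_TABLE = ["Alice Ng", "Bruno Diaz", "Chen Wei", "Dana Osei",
              "Eli Roth", "Fatima Khan", "Gus Brandt", "Hana Sato"]

SCHEMA = """
CREATE TABLE customers(cust_id INTEGER PRIMARY KEY, name TEXT, email TEXT, ssn TEXT);
CREATE TABLE orders(order_id INTEGER PRIMARY KEY, cust_id INTEGER REFERENCES customers(cust_id), amount REAL);
CREATE TABLE details(detail_id INTEGER PRIMARY KEY, order_id INTEGER REFERENCES orders(order_id), sku TEXT);
"""

def _digest(value):
    """Keyed hash of a value: the same input always masks the same way, but the
    mapping cannot be recomputed without MASK_KEY."""
    return hmac.new(MASK_KEY, str(value).encode(), hashlib.sha256).digest()

def mask_name(name):
    """Hash lookup: the digest selects a row of the fictional NAME table."""
    return NAME_TABLE[int.from_bytes(_digest(name)[:4], "big") % len(NAME_TABLE)]

def mask_email(email):
    """String manipulation: keep the domain, replace the local part with a hash token."""
    local, _, domain = email.partition("@")
    return f"user{_digest(local).hex()[:8]}@{domain}"

def mask_ssn(ssn):
    """Format-preserving substitute: nine digits derived from the digest, same layout."""
    digits = str(int.from_bytes(_digest(ssn)[:8], "big") % 10**9).zfill(9)
    return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"

def build_production():
    """Constructed production data; every value below is invented."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO customers VALUES (?,?,?,?)", [
        (1, "John Smith", "john.smith@example.com", "123-45-6789"),
        (2, "Maria Lopez", "maria@example.org", "987-65-4321"),
        (3, "Sam Patel", "sam.patel@example.net", "555-12-3456")])
    db.executemany("INSERT INTO orders VALUES (?,?,?)",
                   [(10, 1, 99.5), (11, 1, 12.0), (12, 2, 250.0), (13, 3, 7.25)])
    db.executemany("INSERT INTO details VALUES (?,?,?)",
                   [(100, 10, "A-1"), (101, 10, "B-2"), (102, 12, "C-3"), (103, 13, "D-4")])
    return db

def extract_subset(prod, cust_ids):
    """Walk the RI chain customers -> orders -> details for the chosen customers,
    masking sensitive columns as rows are read (mask on extract)."""
    marks = ",".join("?" * len(cust_ids))
    customers = [(cid, mask_name(n), mask_email(e), mask_ssn(s)) for cid, n, e, s in prod.execute(
        f"SELECT cust_id, name, email, ssn FROM customers WHERE cust_id IN ({marks})", cust_ids)]
    orders = prod.execute(
        f"SELECT order_id, cust_id, amount FROM orders WHERE cust_id IN ({marks})", cust_ids).fetchall()
    order_ids = [o[0] for o in orders]
    details = []
    if order_ids:
        details = prod.execute(
            f"SELECT detail_id, order_id, sku FROM details WHERE order_id IN ({','.join('?' * len(order_ids))})",
            order_ids).fetchall()
    return {"customers": customers, "orders": orders, "details": details}

def load_test_db(extract):
    """Load the extract with foreign keys enforced: a broken RI chain would fail here."""
    test = sqlite3.connect(":memory:")
    test.execute("PRAGMA foreign_keys = ON")
    test.executescript(SCHEMA)
    test.executemany("INSERT INTO customers VALUES (?,?,?,?)", extract["customers"])
    test.executemany("INSERT INTO orders VALUES (?,?,?)", extract["orders"])
    test.executemany("INSERT INTO details VALUES (?,?,?)", extract["details"])
    test.commit()
    return test

def leaked_values(prod, test):
    """Return any production name/email/ssn that survived unmasked into the test copy."""
    secrets = {v for row in prod.execute("SELECT name, email, ssn FROM customers") for v in row}
    copied = {v for row in test.execute("SELECT name, email, ssn FROM customers") for v in row}
    return secrets & copied

if __name__ == "__main__":
    prod = build_production()
    test = load_test_db(extract_subset(prod, [1, 3]))
    print(test.execute("SELECT * FROM customers").fetchall())
    print("leaked:", leaked_values(prod, test))
    # A billing database masked separately with the same key gets the same fictional name,
    # so the two masked environments still join on the customer.
    print(mask_name("John Smith") == test.execute("SELECT name FROM customers WHERE cust_id = 1").fetchone()[0])
```

The keys (cust_id, order_id) are copied unchanged so the subset stays referentially intact, and only the columns that carry private data are replaced; the foreign-key check in `load_test_db` is the cheap way to prove the chain was followed correctly before the extract is handed to testers.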