IBM Security Systems Encryption is Fundamental: A Technical Overview of Guardium Data Encryption October 2014 Tim Parmenter – InfoSphere Guardium Technical Professional Mark Jamison – Accelerated Value Specialist © 1 2014 IBM Corporation © 2013 IBM Corporation Logistics  This tech talk is being recorded. If you object, please hang up and leave the webcast now.  We’ll post a copy of slides and link to recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o  You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.  We’ll try to answer questions in the chat or address them at speaker’s discretion. – If we cannot answer your question, please do include your email so we can get back to you.  When speaker pauses for questions: – We’ll go through existing questions in the chat 2 © 2014 IBM Corporation Reminder: Guardium Tech Talks Next tech talk: Finding a needle in a haystack: A real-world case study identifying security risk with InfoSphere Guardium Speakers: Joe DiPietro and Oded Sofer Date &Time: Wednesday, Nov 12th, 2014 11:30 AM Eastern Time (75 minutes) Register here: http://bit.ly/YQd6mO Next tech talk +1: InfoSphere Guardium for DB2 for z/OS (Part 2) and Guardium for Data Sets Speakers: Ernie Mancill Date &Time: Tuesday, Nov 18th 2014 11:30 AM Eastern Time (75 minutes) Register here: http://bit.ly/10lX5Gx 3 © 2014 IBM Corporation Agenda • The Need for Encryption • Encryption Techniques • How Data Encryption Protects • Data Encryption Architecture & Integration • Q&A Key Take Aways •InfoSphere Guardium is the leader in data protection and synergizes with the rest of the IBM Security Portfolio to extend protection reach. •Encrypting Data is essential to ensure security/compliance for all sensitive data. 4 © 2014 IBM Corporation 2014 – The Year of Encryption 5 © 2014 IBM Corporation Data Governance and Security have changed! Data Explosion Consumerization of IT Moving from traditional perimeterbased security… Everything is Everywhere Attack Sophistication …to logical “perimeter” approach to security—focusing on the data and where it resides Antivirus IPS Firewall • Cloud, Mobile and Data momentum is breaking down the traditional perimeter and forcing us to look at security differently • Focus needs to shift from the perimeter to the data that needs to be protected 6 © 2014 IBM Corporation Introducing IBM InfoSphere Guardium Data Encryption Ensure compliance with Ensure compliance and protect enterprise data encryption datawith encryption Data Encryption Requirements • Protect sensitive enterprise information and avoid data breaches • Minimize impact to production • Enforce separation of duties by keeping security and data administration separate • Meet government and industry regulations (eg. PCI-DSS) Benefits 7 • Protect data from misuse • Satisfy compliance requirements including proactive separation of duties • Scale to protect structured and unstructured data across heterogeneous environments without enterprise changes © 2014 IBM Corporation InfoSphere Guardium Data Encryption Value Proposition: Continuously restrict access to sensitive data including databases, data warehouses, big data environments and file shares to…. 1 2 3 Prevent data breaches – Prevent disclosure or leakages of sensitive data Ensure the integrity of sensitive data – Prevent unauthorized changes to data, database structures, configuration files and logs Reduce cost of compliance – Automate and centralize controls o Across diverse regulations, such as PCI DSS, data privacy regulations, HIPAA/HITECH etc. o Across heterogeneous environments such as databases, applications, data warehouses and Big Data platforms like Hadoop 4 8 Protect data in an efficient, scalable, and cost effective way – Increase operational efficiency – No degradation of infrastructure or business processes © 2014 IBM Corporation Regulations Requiring Data Encryption Regulation/Driver Who is Effected? Requirements PCI DSS (Visa, MC, Discover, AMEX) Major retailers and processors world wide Encryption of credit card data with associated secure key management processes HIPAA Security Standard (OCR) Organizations that handle patient health information Confidentiality, integrity and availability of patient health information Data Breach Disclosure in over 50 Countries (Example: EU, South Korea, Turkey) Publically held organizations or government agencies Notifications and investigations of security breaches Publically held organizations or government agencies Encryption of sensitive data Executive Mandates Private and public organizations Encryption employee and customer data IP/Trade Secret Protection Private and public organizations Encryption and control access to intellectual property Local Government Data Protection Acts (Local governments around the world) 9 © 2014 IBM Corporation Encryption Approaches  Storage Level Encryption performed on path to the disks or on the disk itself  Application Level / Column Level Use application coding to encrypt data within columns of database data Tokenization  Database – TDE (tablespace) Microsoft/Oracle – Encryption of database tablespaces  File Level (GDE) Data is encrypted at the File System level, as it’s created in the file 10 © 2014 IBM Corporation Guardium Data Encryption Use Cases – Big Picture Data Files Usage: Sensitive data used by systems and end users – touched by privileged users (DBA’s), Activity Monitoring requirement for separation of duties and consistent audit policy. Also: Encrypt Tablespace, Log, and other Data files at File System to protect against System OS privileged user cred Common Databases: DB2, Informix, Oracle, MSSQL, Sybase, MySQL… 11 Unstructured Data Usage: Monitor WHO is touching the files and for WHAT purpose. Usage: Encrypt and Control access to any type of data used by LUW server Common Data Types: Logs, Reports, Images, ETL, Audio/Video Recordings, Documents, Big Data… Examples: FileNet, Documentum, Nice, Hadoop, Home Grown, etc… Cloud Usage: Monitor and know WHO is touching your data stored in the cloud and for WHAT purpose Usage: Encrypt and Control Access to data used by Cloud Instances Common Cloud Providers: IBM, Amazon EC2, Rackspace, MS Azure © 2014 IBM Corporation GDE File/Table/Volume based Encryption Authentication/ Authorization Authentication/ Authorization Applications Applications Databases/Applications Databases/Applications Data Security Manager • • • • • Centralized Key Management Policy Decision Point Highly Available Rules-Policy Engine Detailed Auditing File Level LAN/ WAN Security Manager File System File System Device Level • Implements Encryption, Access Control, Auditing on Host •Support for file systems and raw partitions Volume Manager Volume Manager SAN / NAS / DAS / VM / Cloud SAN / NAS / DAS / VM / Cloud 12 • Protect ALL sensitive data …wherever/however it’s stored © 2014 IBM Corporation Web Server Application Servers Primary Remote Enterprise/HA Architecture Application Servers Secondary DSM Encrypted Folder/Guardpoint Web Server Application Servers GDE File System Agent Data Security Manager/DSM DSM Secure High Availability Connection 13 © 2014 IBM Corporation InfoSphere Guardium Data Encryption (GDE) - Addresses compliance requirements and protects data at the File System Level File And Volume Encryption • High Performance / Low overhead – Intel/AMD X86 processor AES-NI hardware encryption available • Transparent– No changes to application or management required • Broad OS, file system and volume support Data File & Distributed File System Encryption • Heterogeneous, transparent and high performance • Encrypts the tablespace at the file and volume level • Broad support for multiple database and big data vendors Policy Based Access Control to Encrypted Data • • • • Policy-based - Transparent Linked to LDAP and system level accounts By process, user, time and more Prevents Privileged User access to protected data while allowing normal application and systems management use Key Management • Securely stores and manages keys used in the implementation 14 © 2014 IBM Corporation File Encryption Management File System Metadata Clear Text Data Encryption Name: Jsmith.doc Created: 6/4/99 Modified: 8/15/02 Name: Jsmith.doc Created: 6/4/99 Modified: 8/15/02 Name: J Smith Credit Card #: 6011579389213 Block-Writes File Data Bal: $5,145,789 Social Sec No: 514-73-8970 File Data    15 Block-Reads File Data dfjdNk%(Amg 8nGmwlNskd 9f Sk9ineo93o2n*&*^ xIu2Ks0BKsjd Nac0&6mKcoS qCio9M*sdopF File Data File systems always read and write in fixed block sizes Encryption takes place on the block IOs to a protected file GDE simply encrypts or decrypts the block reads and writes © 2014 IBM Corporation Policy Rules • WHO is attempting to access protected data?  Configure one or more users, groups, or applications users may invoke who can access protected data • WHAT data is being accessed?  Configure a mix of files and directories • WHEN is the data being accessed?  Configure a range of hours and days of the week for authorized access • HOW is the data being accessed?  Configure allowable file system operations allowed to access the data e.g. read, write, delete, rename, etc. • EFFECT: Permit; Deny; Apply Key; Audit 16 © 2014 IBM Corporation Describing Policy Processing Subject 1. Access request 2. Agent intercepts I/O and checks Subject’s credentials: User = oracle Process = oracle.exe 3. Agent checks policy rules. Rule 1: User = root Rule 2: User = oracle and Process = tar Rule 3: User = oracle and Process = oracle.exe 17 No Match No Match Match; 4. Effect applied © 2014 IBM Corporation Enterprise-Ready, Cloud-Ready Automation     API and script accessible controls Web and command line APIs For policy management, deployment, integration Enables fast rollouts, easy integration with other infrastructure and policy management solutions Logs to identify the latest threats / malicious insiders     RFC5424 and CEF compatible log formats for use with SIEM Detailed access records and access attempts For individual protected locations and for management infrastructure Identify anomalous usage from APTs and malicious insiders Data Security Management  Software Appliance – HW appliance available through separate contract if HSM required in bid.  Centralized, scalable, highly available common management across all environments  Cluster-able for scalability, redundancy, remote location support  Simple web-based management UI  Separation of duties and roles – supports tenancy models, compliance requirements  Audit reporting for encrypted data access, data protection infrastructure use 18 © 2014 IBM Corporation Administrator Roles Roles provide separation of duties for Administrators System Administrator • System Administrator Role – Responsible for adding administrator IDs to the system, configuring the system’s logging and high availability, and creating domains. • Domain Administrator Role – Responsible for assigning roles to IDs within a domain Domain Administrator • Security Administrator Role – Responsible for implementing their assigned roles (i.e. creating keys, creating policies, managing hosts); perform the more regular routines of implementing encryption on managed systems Security Administrator 19 © 2014 IBM Corporation Protecting Big Data • • • • • 20 All data sources potentially contain sensitive information Data is distributed as needed throughout the cluster by the Big Data application Deploy IBM InfoSphere Guardium Data Encryption Agents to all systems hosting Data Stores Agents protect the data store at the file system or volume level Cloudera CDH4 Certified © 2014 IBM Corporation IBM Security Systems GDE Case Study for HIPAA Compliance © 212014 IBM Corporation © 2013 IBM Corporation GDE Case Study for HIPAA Compliance • Large retail customer:  Highly Distributed (More than 2000 stores with a local copy of files and databases)  Significant throughput (Handles hundreds of prescriptions at each store every day)  Central Management important • Needs a means to encrypt data at rest to Meet HIPAA compliance  Needs a low cost alternative to encrypted SAN 22 © 2014 IBM Corporation GDE Case Study for HIPAA Compliance • The Solution? IBM Guardium Data Encryption  A GDE agent on each box.  A DSM cluster to manage policies for all systems. • Why GDE?  Seemlessly transparent. – Had to do performance testing, but no applications were recompiled, and no database changes were required.  Limited Bandwidth usage. – Since polices are cached , can bring system up with limited network access. – Only does periodic heartbeats to DSM aside from bootup, so minimum impact on network. 23 © 2014 IBM Corporation GDE Case Study for HIPAA Compliance • Why GDE cont.  Built in access management if needed. – Compliance currently does not require data be locked from users at certain times, but if requirement changes no new product license is required.  Command Line Interface available for large deployment. – vmssc tool allows you to bypass the DSM gui and add hosts, and guardpoints, and even automate adding all the guardpoints to a large range of systems.  The ability to cluster DSM’s. – Giving an easy setup for your Policy Manager to be Highly Available. 24 © 2014 IBM Corporation GDE Case Study for HIPAA Compliance • Key Considerations Learned  Backup and Recovery process time increased  Database Query Performance largely unaffected – Initial query of tables might be up to 5% slower, but the nature of Bufferpool caching eliminated any subsequent performance issues.  Restoring onto a new guardpoint is significantly faster in nearly all cases – ‘dataxform’ tool is best used when restore is not an option.  Biggest performance hit is in the initial opening of a file. 25 © 2014 IBM Corporation Reminder: Guardium Tech Talks Next tech talk: Finding a needle in a haystack: A real-world case study identifying security risk with InfoSphere Guardium Speakers: Joe DiPietro and Oded Sofer Date &Time: Wednesday, Nov 12th, 2014 11:30 AM Eastern Time (75 minutes) Register here: http://bit.ly/YQd6mO Next tech talk +1: InfoSphere Guardium for DB2 for z/OS (Part 2) and Guardium for Data Sets Speakers: Ernie Mancill Date &Time: Tuesday, Nov 18th 2014 11:30 AM Eastern Time (75 minutes) Register here: http://bit.ly/10lX5Gx 26 © 2014 IBM Corporation Dziękuję Polish Traditional Chinese Thai Gracias Spanish Merci French Russian Arabic Obrigado Danke Brazilian Portuguese German Tack Swedish Simplified Chinese Grazie Japanese 27 Italian © 2014 IBM Corporation