IBM Security Systems

Encryption is Fundamental: A Technical Overview of Guardium Data Encryption
October 2014
Tim Parmenter – InfoSphere Guardium Technical Professional
Mark Jamison – Accelerated Value Specialist
© 2014 IBM Corporation
© 2013 IBM Corporation
Logistics
 This tech talk is being recorded. If you object, please hang up and leave the webcast now.
 We’ll post a copy of slides and link to recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
 You can listen to the tech talk using audiocast and ask questions in the chat to the Q and A group.
 We’ll try to answer questions in the chat or address them at speaker’s discretion.
– If we cannot answer your question, please do include your email so we can get back to you.
 When speaker pauses for questions:
– We’ll go through existing questions in the chat
Reminder: Guardium Tech Talks
Next tech talk:
Finding a needle in a haystack: A real-world case study identifying security risk with InfoSphere Guardium
Speakers: Joe DiPietro and Oded Sofer
Date & Time: Wednesday, Nov 12th, 2014, 11:30 AM Eastern Time (75 minutes)
Register here: http://bit.ly/YQd6mO
Next tech talk +1:
InfoSphere Guardium for DB2 for z/OS (Part 2) and Guardium for Data Sets
Speakers: Ernie Mancill
Date & Time: Tuesday, Nov 18th 2014, 11:30 AM Eastern Time (75 minutes)
Register here: http://bit.ly/10lX5Gx
Agenda
• The Need for Encryption
• Encryption Techniques
• How Data Encryption Protects
• Data Encryption Architecture & Integration
• Q&A
Key Takeaways
• InfoSphere Guardium is the leader in data protection and synergizes with the rest of the IBM Security Portfolio to extend protection reach.
• Encrypting Data is essential to ensure security/compliance for all sensitive data.
2014 – The Year of Encryption
Data Governance and Security have changed!
Data Explosion; Consumerization of IT; Everything is Everywhere; Attack Sophistication
Moving from traditional perimeter-based security…
…to logical “perimeter” approach to security—focusing on the data and where it resides
[Diagram labels: Antivirus, IPS, Firewall]
• Cloud, Mobile and Data momentum is breaking down the traditional perimeter and forcing us to look at security differently
• Focus needs to shift from the perimeter to the data that needs to be protected
Introducing IBM InfoSphere Guardium Data Encryption
Ensure compliance and protect enterprise data with encryption
Data Encryption Requirements
• Protect sensitive enterprise information and avoid data breaches
• Minimize impact to production
• Enforce separation of duties by keeping security and data administration separate
• Meet government and industry regulations (e.g. PCI-DSS)
Benefits
• Protect data from misuse
• Satisfy compliance requirements including proactive separation of duties
• Scale to protect structured and unstructured data across heterogeneous environments without enterprise changes
InfoSphere Guardium Data Encryption Value Proposition:
Continuously restrict access to sensitive data including databases, data warehouses, big data environments and file shares to…
1. Prevent data breaches
– Prevent disclosure or leakages of sensitive data
2. Ensure the integrity of sensitive data
– Prevent unauthorized changes to data, database structures, configuration files and logs
3. Reduce cost of compliance
– Automate and centralize controls
o Across diverse regulations, such as PCI DSS, data privacy regulations, HIPAA/HITECH etc.
o Across heterogeneous environments such as databases, applications, data warehouses and Big Data platforms like Hadoop
4. Protect data in an efficient, scalable, and cost effective way
– Increase operational efficiency
– No degradation of infrastructure or business processes
Regulations Requiring Data Encryption
Regulation/Driver | Who is Affected? | Requirements
PCI DSS (Visa, MC, Discover, AMEX) | Major retailers and processors world wide | Encryption of credit card data with associated secure key management processes
HIPAA Security Standard (OCR) | Organizations that handle patient health information | Confidentiality, integrity and availability of patient health information
Data Breach Disclosure in over 50 Countries (Example: EU, South Korea, Turkey) | Publicly held organizations or government agencies | Notifications and investigations of security breaches
Local Government Data Protection Acts (Local governments around the world) | Publicly held organizations or government agencies | Encryption of sensitive data
Executive Mandates | Private and public organizations | Encryption of employee and customer data
IP/Trade Secret Protection | Private and public organizations | Encryption and control access to intellectual property
Encryption Approaches
 Storage Level
Encryption performed on path to the disks or on the disk itself
 Application Level / Column Level
Use application coding to encrypt data within columns of database data
Tokenization
 Database – TDE (tablespace)
Microsoft/Oracle – Encryption of database tablespaces
 File Level (GDE)
Data is encrypted at the File System level, as it’s created in the file
Guardium Data Encryption Use Cases – Big Picture
Data Files
Usage: Sensitive data used by systems and end users – touched by privileged users (DBAs), Activity Monitoring requirement for separation of duties and consistent audit policy. Also: Encrypt Tablespace, Log, and other Data files at File System to protect against System OS privileged user cred
Common Databases: DB2, Informix, Oracle, MSSQL, Sybase, MySQL…
Unstructured Data
Usage: Monitor WHO is touching the files and for WHAT purpose.
Usage: Encrypt and Control access to any type of data used by LUW server
Common Data Types: Logs, Reports, Images, ETL, Audio/Video Recordings, Documents, Big Data…
Examples: FileNet, Documentum, Nice, Hadoop, Home Grown, etc…
Cloud
Usage: Monitor and know WHO is touching your data stored in the cloud and for WHAT purpose
Usage: Encrypt and Control Access to data used by Cloud Instances
Common Cloud Providers: IBM, Amazon EC2, Rackspace, MS Azure
GDE File/Table/Volume based Encryption
[Diagram labels: Authentication/Authorization; Applications; Databases/Applications; File System; Volume Manager; SAN / NAS / DAS / VM / Cloud; File Level; Device Level; LAN/WAN; Security Manager]
Data Security Manager
• Centralized Key Management
• Policy Decision Point
• Highly Available
• Rules-Policy Engine
• Detailed Auditing
• Implements Encryption, Access Control, Auditing on Host
• Support for file systems and raw partitions
• Protect ALL sensitive data…wherever/however it’s stored
Enterprise/HA Architecture
[Diagram labels: Web Server; Application Servers; Primary; Secondary; Remote; DSM; Encrypted Folder/Guardpoint; GDE File System Agent; Data Security Manager/DSM; Secure High Availability Connection]
InfoSphere Guardium Data Encryption (GDE) - Addresses compliance requirements and protects data at the File System Level
File And Volume Encryption
• High Performance / Low overhead – Intel/AMD X86 processor AES-NI hardware encryption available
• Transparent – No changes to application or management required
• Broad OS, file system and volume support
Data File & Distributed File System Encryption
• Heterogeneous, transparent and high performance
• Encrypts the tablespace at the file and volume level
• Broad support for multiple database and big data vendors
Policy Based Access Control to Encrypted Data
• Policy-based - Transparent
• Linked to LDAP and system level accounts
• By process, user, time and more
• Prevents Privileged User access to protected data while allowing normal application and systems management use
Key Management
• Securely stores and manages keys used in the implementation
File Encryption Management
[Diagram: File System Metadata (Name: Jsmith.doc; Created: 6/4/99; Modified: 8/15/02) is shown unchanged; clear-text File Data (Name: J Smith; Credit Card #: 6011579389213; Bal: $5,145,789; Social Sec No: 514-73-8970) passes through Encryption on Block-Writes and is stored as unreadable ciphertext, and is decrypted on Block-Reads]
 File systems always read and write in fixed block sizes
 Encryption takes place on the block IOs to a protected file
 GDE simply encrypts or decrypts the block reads and writes
Policy Rules
• WHO is attempting to access protected data?
 Configure one or more users, groups, or applications users may invoke that can access protected data
• WHAT data is being accessed?
 Configure a mix of files and directories
• WHEN is the data being accessed?
 Configure a range of hours and days of the week for authorized access
• HOW is the data being accessed?
 Configure the file system operations allowed to access the data, e.g. read, write, delete, rename, etc.
• EFFECT: Permit; Deny; Apply Key; Audit
Describing Policy Processing
1. Access request (from the Subject)
2. Agent intercepts I/O and checks Subject’s credentials:
User = oracle
Process = oracle.exe
3. Agent checks policy rules.
Rule 1: User = root – No Match
Rule 2: User = oracle and Process = tar – No Match
Rule 3: User = oracle and Process = oracle.exe – Match
4. Effect applied
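The first-match walk on this slide, combined with the WHO/WHAT/WHEN/HOW criteria from the Policy Rules slide, as an added Python example; it is not GDE's code or policy format. The `Request` and `Rule` models, the effects attached to each rule, the deny-and-audit default when nothing matches, and the reading of Permit without Apply Key as handing over still-encrypted data are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from fnmatch import fnmatchcase
from typing import Optional

@dataclass(frozen=True)
class Request:                      # what an agent sees when it intercepts an I/O
    user: str
    process: str
    path: str
    action: str                     # read, write, delete, rename ...
    when: datetime

@dataclass(frozen=True)
class Rule:                         # hypothetical rule model, not GDE's policy format
    effects: tuple                  # any of: permit, deny, apply_key, audit
    user: Optional[str] = None      # WHO  (None = any user)
    process: Optional[str] = None   # WHO  (application the user invoked)
    resource: str = "*"             # WHAT (glob over protected paths)
    hours: Optional[range] = None   # WHEN (hours of day access is authorized)
    actions: Optional[frozenset] = None  # HOW (file system operations)

    def matches(self, r: Request) -> bool:
        return ((self.user is None or self.user == r.user)
                and (self.process is None or self.process == r.process)
                and fnmatchcase(r.path, self.resource)
                and (self.hours is None or r.when.hour in self.hours)
                and (self.actions is None or r.action in self.actions))

def evaluate(rules, request):
    """Walk the rules top-down and return (rule number, effects) of the first match."""
    for number, rule in enumerate(rules, start=1):
        if rule.matches(request):
            return number, rule.effects
    return None, ("deny", "audit")  # assumption: no rule matched, so deny and log

# Constructed policy mirroring the slide's three rules; the effects are assumed.
POLICY = [
    Rule(("deny", "audit"), user="root"),
    # Assumed semantics: permit without apply_key gives the backup tool ciphertext.
    Rule(("permit", "audit"), user="oracle", process="tar",
         actions=frozenset({"read"})),
    Rule(("permit", "apply_key"), user="oracle", process="oracle.exe",
         resource="/oradata/*", hours=range(0, 24)),
]

if __name__ == "__main__":
    req = Request("oracle", "oracle.exe", "/oradata/users01.dbf", "read",
                  datetime(2014, 10, 1, 9, 30))   # constructed request
    print(evaluate(POLICY, req))    # (3, ('permit', 'apply_key'))
```

Because evaluation stops at the first match, rule order is part of the policy: a root-owned `oracle.exe` process hits Rule 1 and never reaches Rule 3.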
Enterprise-Ready, Cloud-Ready
Automation
 API and script accessible controls
 Web and command line APIs
 For policy management, deployment, integration
 Enables fast rollouts, easy integration with other infrastructure and policy management solutions
Logs to identify the latest threats / malicious insiders
 RFC5424 and CEF compatible log formats for use with SIEM
 Detailed access records and access attempts
 For individual protected locations and for management infrastructure
 Identify anomalous usage from APTs and malicious insiders
Data Security Management
 Software Appliance – HW appliance available through separate contract if HSM required in bid.
 Centralized, scalable, highly available common management across all environments
 Cluster-able for scalability, redundancy, remote location support
 Simple web-based management UI
 Separation of duties and roles – supports tenancy models, compliance requirements
 Audit reporting for encrypted data access, data protection infrastructure use
Administrator Roles
Roles provide separation of duties for Administrators
• System Administrator Role – Responsible for adding administrator IDs to the system, configuring the system’s logging and high availability, and creating domains.
• Domain Administrator Role – Responsible for assigning roles to IDs within a domain
• Security Administrator Role – Responsible for implementing their assigned roles (i.e. creating keys, creating policies, managing hosts); perform the more regular routines of implementing encryption on managed systems
Protecting Big Data
• All data sources potentially contain sensitive information
• Data is distributed as needed throughout the cluster by the Big Data application
• Deploy IBM InfoSphere Guardium Data Encryption Agents to all systems hosting Data Stores
• Agents protect the data store at the file system or volume level
• Cloudera CDH4 Certified
GDE Case Study for HIPAA Compliance
• Large retail customer:
 Highly Distributed (More than 2000 stores with a local copy of files and databases)
 Significant throughput (Handles hundreds of prescriptions at each store every day)
 Central Management important
• Needs a means to encrypt data at rest to meet HIPAA compliance
 Needs a low cost alternative to encrypted SAN
• The Solution? IBM Guardium Data Encryption
 A GDE agent on each box.
 A DSM cluster to manage policies for all systems.
• Why GDE?
 Seamlessly transparent.
– Had to do performance testing, but no applications were recompiled, and no database changes were required.
 Limited Bandwidth usage.
– Since policies are cached, can bring system up with limited network access.
– Only does periodic heartbeats to DSM aside from bootup, so minimum impact on network.
• Why GDE cont.
 Built in access management if needed.
– Compliance currently does not require data be locked from users at certain times, but if requirement changes no new product license is required.
 Command Line Interface available for large deployment.
– vmssc tool allows you to bypass the DSM GUI and add hosts and guardpoints, and even automate adding all the guardpoints to a large range of systems.
 The ability to cluster DSMs.
– Giving an easy setup for your Policy Manager to be Highly Available.
• Key Considerations Learned
 Backup and Recovery process time increased
 Database Query Performance largely unaffected
– Initial query of tables might be up to 5% slower, but the nature of Bufferpool caching eliminated any subsequent performance issues.
 Restoring onto a new guardpoint is significantly faster in nearly all cases
– ‘dataxform’ tool is best used when restore is not an option.
 Biggest performance hit is in the initial opening of a file.