Download Three guiding principles to improve data security and

IBM Software
Thought Leadership White Paper
Three guiding principles to improve
data security and compliance
A holistic approach to data protection for a complex threat landscape
October 2012
2
Three Guiding Principles to Improve Your Data Security and Compliance Strategy
Executive summary
News headlines about the increasing frequency of information
and identity theft have focused awareness on data security and
privacy breaches — and their consequences. In response to this
issue, regulations have been enacted around the world.
Although the specifics of the regulations may differ, failure to
ensure compliance can result in significant financial penalties,
criminal prosecution and loss of customer loyalty.
In addition, the information explosion, the proliferation of
endpoint devices, growing user volumes, and new computing
models like cloud, social business and big data have created
new vulnerabilities. To secure sensitive data and address
compliance requirements, organizations need to adopt a more
proactive and systematic approach.
Since data is a critical component of daily business operations,
it is essential to ensure privacy and protect data no matter
where it resides. Different types of information have different
protection requirements; therefore, organizations must take a
holistic approach to safeguarding information:
•
•
•
•
Understand where the data exists: Organizations can’t
protect sensitive data unless they know where it resides and
how it’s related across the enterprise.
Safeguard sensitive data, both structured and
unstructured: Structured data contained in databases must
be protected from unauthorized access. Unstructured data in
documents, forms, image files, GPS systems and more
requires privacy policies to redact (remove) sensitive informa­
tion while still allowing needed business data to be shared.
Protect non-production environments: Data in nonproduction, development, training and quality assurance
environments needs to be protected, yet still usable during
the application development, testing and training processes.
Secure and continuously monitor access to the data:
Enterprise databases, data warehouses, file shares and
Hadoop-based systems require real-time monitoring to
ensure data access is protected and audited. Policy-based
controls based on access patterns are required to rapidly
detect unauthorized or suspicious activity and alert key
personnel. In addition, sensitive data repositories need to be
•
protected against new threats or other malicious activity and
continually monitored for weaknesses.
Demonstrate compliance to pass audits: It’s not enough
to develop a holistic approach to data security and privacy;
organizations must also demonstrate and prove compliance
to third-party auditors.
IBM® solutions for data security and privacy are designed to
support this holistic approach and incorporate intelligence to
proactively address IT threats and enterprise risks. IBM has
developed three simple guiding principles (Understand and
Define, Secure and Protect, and Monitor and Audit) to help
organizations achieve better security and compliance without
impacting production systems or straining already-tight budgets.
Making sense of the buzz: Why the
growing focus on data protection?
Data security is a moving target; as data grows, more
sophisticated threats emerge, the number of regulations
increase, and changing economic times make it difficult to
secure and protect data. New attack vectors including cyber
security threats (worms, trojans, rootkits, rogues, dialers and
spyware) and security complexities resulting from changing IT
architectures (virtualization, big data, open enterprise
initiatives, consumerization and employee mobility) challenge
organizations to focus on data protection (see Figure 1).
According to the October 2011 report “Databases are More at
Risk Than Ever,” which surveyed 355 data security professionals,
one-fourth of respondents felt that a data breach in 2012 was
likely or inevitable. Only 36 percent of organizations have taken
steps to ensure their applications are not subject to SQL
injection attacks, and over 70 percent take longer than three
months to apply critical patch updates, giving attackers the
opportunity they are looking for. Most respondents are unable
to tell whether there has been unauthorized access or changes to
their databases. In many cases, a breach would go undetected for
months or longer, as only 40 percent of organizations audit their
databases on a regular basis.
Prevention strategies are almost non-existent at most
companies. Only one-fourth of respondents say they are able
IBM Software
3
to stop abuse of privileges by authorized database users,
especially highly privileged users such as database
administrators, before it happens. Only 30 percent encrypt
sensitive and personally identifiable information in all their
databases, despite data privacy regulations worldwide requiring
encryption for data at rest. Additionally, most admit to having
sensitive data in non-production environments that is
accessible to developers, testing and even third parties.
of the cases) followed by backdoor malware (26 percent),
use of stolen credentials (24 percent), exploiting backdoor
or command and control channels (23 percent), and keyloggers
and spyware (18 percent). SQL injection attacks accounted
for 13 percent of the breaches. As for the targets, 90 percent
of the breaches Verizon investigated went after servers,
mainly point-of-sale servers, web and app servers, and
database servers.
Changes in IT environments and evolving
business initiatives
Regulatory compliance mandates
Security policies and corresponding technologies must evolve
as organizations embrace new business initiatives such as
outsourcing, virtualization, cloud, mobile, Enterprise 2.0,
big data and social business. This evolution means
organizations need to think more broadly about where
sensitive data resides and how it is accessed. Organizations
must also consider a broad array of both structured and
unstructured sensitive data, including customer information,
trade secrets, intellectual property, development plans,
competitive differentiators and more.
Smarter, more sophisticated hackers
Many organizations are now struggling with the widening gap
between hacker capabilities and security defenses. The
changing nature, complexity and larger scale of outside attacks
are cause for concern. Previously, the most critical concern was
virus outbreaks or short denial-of-service attacks, which would
create a temporary pause in business operations. Today, hackers
are becoming more savvy and interconnected; they leverage
social networks, purchase pre-packaged “hacking” applications
and might even be state sponsored. By penetrating the
perimeter and infiltrating the network, new advanced
persistent threats (APTs) exploit employee knowledge gaps and
process weaknesses and technology vulnerabilities in random
combinations to steal customer data or corporate data, such as
trade secrets, resulting in the potential for billions of dollars of
lost business, fines and lawsuits, and irreparable damage to an
organization’s reputation.
According to the 2012 Verizon Data Breach Investigations
Report, the most commonly used venue for breaches was
exploiting default or easily guessed passwords (with 29 percent
The number and variety of regulatory mandates are too
numerous to name here, and they affect organizations around
the globe. Some of the most prevalent mandates include the
Sarbanes-Oxley Act (SOX), the Health Insurance Portability
and Accountability Act (HIPAA), the Payment Card Industry
Data Security Standard (PCI-DSS) (enforcement of which has
firmly started expanding beyond North America), the Federal
Information Security Management Act (FISMA), and the EU
Data Privacy Directive. Along with the rising number of
regulatory mandates is the increased pressure to show
immediate compliance. Enterprises are under tremendous
time pressure and need to show immediate progress to the
business and shareholders, or face reputation damage and stiff
financial penalties.
Information explosion
The explosion in digital information is mind-boggling. In
2009, the world had about 0.8 zettabytes of data. In 2012,
it is estimated to be 1.8 ZBs. This is an amazing number,
considering a zettabyte is a trillion gigabytes. The information
explosion has made access to public and private information
a part of everyday life. The digital explosion also brings
an increase in the volume, variety and velocity of data.
Organizations need to understand the unique challenges
that big data brings, such as large-scale cloud infrastructures,
diversity of data sources and formats, the streaming nature
of data acquisition, and high-volume data aggregation.
Critical business applications typically collect this information
for legitimate purposes; however, given the interconnected
nature of the Internet and information systems, as well as
enterprise ERP, CRM and custom business applications,
sensitive data is easily subject to theft and misuse.
4
Three Guiding Principles to Improve Your Data Security and Compliance Strategy
Insider threats
A high percentage of data breaches actually emanate from
internal weaknesses. These breaches range from employees
who may misuse payment card numbers and other sensitive
information to those who save confidential data on laptops that
are subsequently stolen. Furthermore, organizations are also
accountable for protecting data no matter where the data
resides — be it with business partners, consultants, contractors,
vendors or other third parties.
In summary, organizations are focusing more heavily on data
security and privacy concerns. They are looking beyond
developing point solutions for specific pains and toward
building security and privacy policies and procedures into
the enterprise. Building security into business and IT
policies is especially important as they embrace the new
era of computing.
Security versus privacy
Security and privacy are related, but they are distinct
concepts. Security is the infrastructure-level lockdown
that prevents or grants access to certain areas or data
based on authorization. In contrast, privacy restrictions
control access for users who are authorized to access a
particular set of data. Data privacy ensures those who
have a legitimate business purpose to see a subset of that
data do not abuse their privileges. That business purpose
is usually defined by job function, which is defined in turn
by regulatory or management policy, or both.
Some examples of data security solutions include
database activity monitoring and database vulnerability
assessments. Some examples of data privacy solutions
include data redaction and data masking. In a recent case
illustrating this distinction, physicians at UCLA Medical
Center were caught going through celebrity Britney
Spears’ medical records. The hospital’s security policies
were honored since physicians require access to medical
records, but privacy concerns exist since the physicians
were accessing the file out of curiosity and not for a valid
medical purpose.
The stakes are high: Risks associated with
insufficient data security and privacy
Corporations and their officers may face fines from USD5,000
to USD1 million per day, and possible jail time if data is
misused. According to the Ponemon Institute, “2011: Cost of
Data Breach Study” (published March 2012), the average
organizational cost of a data breach in 2011 was USD5.5
million. Data breaches in 2011 cost their companies an average
of USD194 per compromised record. The number of breached
records per incident in 2011 ranged from approximately 4,500
records to more than 98,000 records. In 2011, the average
number of breached records was 28,349.
The most expensive breach studied by Ponemon Institute
(2010 Annual Study: U.S. Cost of a Data Breach, 2011) took
USD35.3 million to resolve, up USD4.8 million (15 percent)
from 2009. The least expensive data breach was USD780,000,
up USD30,000 (4 percent) from 2009. As in prior years, data
breach cost appears to be directly proportional to the number
of records compromised.
Hard penalties are only one example of how organizations can
be harmed; other negative impacts include erosion in share
price caused by investor concern and negative publicity
resulting from a data breach. Irreparable brand damage
identifies a company as one that cannot be trusted.
Five common sources of risk include:
•
•
•
Excessive privileges and privileged user abuse. When
users (or applications) are granted database privileges that
exceed the requirements of their job function, these privileges
may be used to gain access to confidential information.
Unauthorized privilege elevation. Attackers may take
advantage of vulnerabilities in database management
software to convert low-level access privileges to high-level
access privileges.
SQL injection. SQL injection attacks involve a user who
takes advantage of vulnerabilities in front-end web
applications and stored procedures to send unauthorized
database queries, often with elevated privileges. Using SQL
injection, attackers could even gain unrestricted access to an
entire database.
IBM Software
•
•
Denial of service. Denial of service (DoS) may be invoked
through many techniques. Common DoS techniques include
buffer overflows, data corruption, network flooding and
resource consumption. The latter is unique to the database
environment and frequently overlooked.
Exposure of backup data. Some recent high-profile attacks
have involved theft of database backup tapes and hard disks
which were not encrypted.
5
few organizations have the funding or resources to implement
another process-heavy initiative. Organizations need to build
security and privacy policies into their daily operations and
gather support for these policies across the enterprise
including IT staff, business leaders, operations, and legal
departments. Privacy requirements do vary by role, and
understanding who needs access to what data is not a trivial
task. Third, the manual or homegrown data protection
approaches many organizations use today lead to higher risk
and inefficiency. Manual approaches typically don’t protect a
diverse set of data types in both structured and unstructured
settings, and do not scale as organizations grow. Finally, the
rising number of compliance regulations with time-sensitive
components adds more operational stress, rather than
clarifying priorities.
Organizations require a fresh approach to data protection — one which ensures that they build security and privacy rules
into their best practices, and helps, rather than hinders, their
bottom line. Numerous driving factors combined with high
stakes make figuring out how to approach data security and
privacy an important priority.
Figure 1: Analysis of malicious or criminal attacks experienced according to
the 2011 Cost of Data Breach Study conducted by the Ponemon Institute
(published March 2012)
Barriers to implementation: Challenges
associated with protecting data
So with the market focused on security and the risks clearly
documented, why haven’t organizations adopted a holistic
approach to data protection? Why are organizations
overwhelmed by new threats?
The reality is that significant challenges and complexities exist.
For one, there are numerous vendor solutions available that
are focused on one approach or one aspect of data protection.
Few look across the range of threats and data types and sources
to deliver a holistic strategy which can be flexible as new
threats arise and new computing models are embraced. Next,
Leveraging a holistic data security and
privacy approach
Organizations need a holistic approach to data protection. This
approach should protect diverse data types across physical,
cloud and big data environments, and include the protection of
structured and unstructured data in both production and
non-production (development, test and training) environments.
Such an approach can help focus limited resources without
added processes or increased complexity. A holistic approach
also helps organizations to demonstrate compliance without
interrupting critical business processes or daily operations.
To get started, organizations should consider six key questions.
These questions are designed to help focus attention to the
most critical data vulnerabilities:
1.Where does sensitive data reside across the enterprise?
2.How can access to your enterprise databases be protected,
monitored and audited?
6
Three Guiding Principles to Improve Your Data Security and Compliance Strategy
3.How can data be protected from both authorized and
unauthorized access?
4.Can confidential data in documents be safeguarded while
still enabling the necessary business data to be shared?
5.Can data in non-production environments be protected,
yet still be usable for training, application development
and testing?
6.What types of data encryption are appropriate?
The answers to these questions provide the foundation for a
holistic approach to data protection and scales as organizations
embrace the new era of computing. The answers also help
organizations focus in on key areas they may be neglecting
with current approaches.
1.Organizations can’t protect data if they don’t know it exists.
Sensitive data resides in structured and unstructured formats
in production environments and non-production
environments. Organizations need to document and define
all data assets and relationships, no matter what the source.
It is important to classify enterprise data, understand data
relationships and define service levels. The data discovery
process analyzes data values and data patterns to identify the
relationships that link disparate data elements into logical
units of information, or “business objects” (such as customer,
patient or invoice).
2.Activity monitoring provides privileged and non-privileged
user and application access monitoring that is independent
of native database logging and audit functions. It can
function as a compensating control for privileged user
separation-of-duties issues by monitoring all administrator
activity. Activity monitoring also improves security by
detecting unusual database, data warehouse, file share or
Hadoop systems read and update activities from the
application layer. Event aggregation, correlation and
reporting provide an audit capability without the need to
enable native audit functions. Activity monitoring solutions
should be able to detect malicious activity or inappropriate
or unapproved privileged user access.
3.Data should be protected through a variety of data
transformation techniques including encryption, masking and
redaction. Defining the appropriate business use for enterprise
data will dictate the appropriate data transformation policy.
For example, a policy could be established to mask data on
screen or on the fly to prevent call center employees from
viewing national identification numbers. Another example
could be masking revenue numbers in reports shared with
business partners or third-party vendors.
4.Data redaction can remove sensitive data from forms and
documents based on job role or business purpose. For
example, physicians need to see sensitive information such as
symptoms and prognosis data, whereas a billing clerk needs
the patient’s insurance number and billing address. The
challenge is to provide the appropriate protection, while
meeting business needs and ensuring that data is managed
on a “need-to-know” basis. Data redaction solutions should
protect sensitive information in unstructured documents,
forms and graphics.
5.De-identifying data in non-production environments is
simply the process of systematically removing, masking or
transforming data elements that could be used to identify an
individual. Data de-identification enables developers, testers
and trainers to use realistic data and produce valid results,
while still complying with privacy protection rules. Data that
has been scrubbed or cleansed in such a manner is generally
considered acceptable to use in non-production
environments and ensures that even if the data is stolen,
exposed or lost, it will be of no use to anyone.
6.Data encryption is not a new technology, and many different
approaches exist. Encryption is explicitly required by many
regulations including PCI DSS, and also enables safe harbor
provisions in many regulatory mandates. This means
organizations are exempt from disclosing data breaches if the
data is encrypted. It is challenging for an organization to
identify the best encryption approach due to prolific
offerings from various vendors. For encrypting structured
data, consider a file-level approach. This will protect both
structured data in the database management system (DBMS)
and also unstructured files such as DBMS log or
configuration files, and is transparent to the network, storage
and applications. Look for encryption offerings which
provide a strong separation of duties and a unified policy and
key management system to centralize and simplify data
security management.
IBM Software
Meeting data security and compliance
challenges
Cloud and Managed
Services
Security Intelligence,
Analytics and GRC
Professional
Services
What makes IBM’s approach to data protection unique?
Expertise. The alignment of people, process, technology and
information separates the IBM data security and privacy
solutions from the competition. The goal of the IBM portfolio
is to help organizations meet legal, regulatory and business
obligations without adding additional overhead. This helps
organizations support compliance initiatives, reduce costs,
minimize risk and sustain profitable growth. In addition, IBM
has integrated data security into a broader security framework.
The IBM Security Framework (see Figure 2) and associated
best practices provide the expertise, data analysis, and maturity
models to give IBM’s clients the opportunity to embrace
innovation with confidence.
Software and
Applicances
Figure 2: IBM is the only vendor providing a sophisticated security
framework with security intelligence across people, data, applications
and infrastructure.
7
To address data security and compliance, IBM has defined
three guiding principles to ensure a holistic data protection
approach: Understand and Define, Secure and Protect, and Monitor
and Audit. By following these three principles, organizations
can improve their overall security posture and help meet
compliance mandates with confidence.
Understand and define
Organizations must discover where sensitive data resides,
classify and define data types, and determine metrics and
policies to ensure protection over time. Data can be distributed
over multiple applications, databases and platforms with little
documentation. Many organizations rely too heavily on system
and application experts for this information. Sometimes, this
information is built into application logic, and hidden
relationships might be enforced behind the scenes.
Finding sensitive data and discovering data relationships
requires careful analysis. Data sources and relationships should
be clearly understood and documented so no sensitive data is
left vulnerable. Only after understanding the complete
landscape can organizations define proper enterprise data
security and privacy policies.
IBM InfoSphere® Discovery is designed to identify and
document what data you have, where it is located and how
it’s linked across systems by intelligently capturing
relationships and determining applied transformations
and business rules. It helps automate the identification
and definition of data relationships across complex,
heterogeneous environments.
Without an automated process to identify data relationships
and define business objects, organizations can spend
months performing manual analysis — with no assurance
of completeness or accuracy. IBM InfoSphere Discovery,
on the other hand, can help automatically and accurately
identify relationships and define business objects in a
fraction of the time required using manual or profiling
approaches. It accommodates a wide range of enterprise
data sources, including relational databases, hierarchical
databases and any structured data source represented in
text file format.
8
Three Guiding Principles to Improve Your Data Security and Compliance Strategy
In summary, IBM InfoSphere Discovery helps organizations:
•
•
•
•
•
Locate and inventory the data sources across the enterprise
Identify and classify sensitive data
Understand data relationships
Define and document privacy rules
Document and manage ongoing requirements and threats
and VSAM. A holistic data protection approach ensures a
360-degree lockdown of all organizational data.
For each type of data (structured, unstructured, offline and
online), we recommend different technologies to keep it safe.
Keep in mind that the various data types exist in both
production and non-production environments.
Secure and protect
Data security and privacy solutions should span a
heterogeneous enterprise, and protect both structured and
unstructured data across production and non-production
environments (see Figure 3). IBM InfoSphere solutions help
protect sensitive data in ERP/CRM applications, databases,
warehouses, file shares and Hadoop-based systems, and also in
unstructured formats such as forms and documents. Key
technologies include activity monitoring, data masking, data
redaction and data encryption. InfoSphere Guardium provides
enterprise-wide controls and capabilities across many platforms
and data sources, enhancing the investments made in platforms,
such as RACF on System z, that provide built-in security
models that leverage data sources such as DB2 for z/OS, IMS,
Structured data: This data is based on a data model, and is
available in structured formats like databases or XML.
Unstructured data: This data is in forms or documents which
may be handwritten, typed or in file repositories, such as word
processing documents, email messages, pictures, digital audio,
video, GPS data and more.
Online data: This is data used daily to support the business,
including metadata, configuration data or log files.
Offline data: This is data in backup tapes or on storage devices.
Data not in databases
Data in heterogeneous databases
• Data Encryption
duction
Offline
Data
Systems
Data extracted from
databases
Unstructured
Data
n-Produ
o
ct
N
&
(Hadoop, File Shares, ex. SharePoint,
.TIF, .PDF, .doc, scanned documents)
• Data Redaction
• Activity Monitoring
• Data Masking
n
io
• Activity Monitoring
• Vulnerability Assessment
• Data Masking
• Data Encryption
Structured
Data
Pro
(Oracle, DB2, Netezza, Informix,
Sybase, Sun MySQL, Teradata)
Online
Data
Data in daily use
• Activity Monitoring
• Vulnerability Assessment
• Data Masking
• Data Encryption
Figure 3: When developing a data security and privacy strategy, it is important to consider all data types across production and non-production environments
IBM Software
Keep in mind these four basic data types are exploding in
terms of volume, variety and velocity. Many organizations are
looking to include these data types in big data systems such as
Netezza or Hadoop for deeper analysis.
IBM InfoSphere Guardium® Activity Monitor and
Vulnerability Assessment provide a security solution which
addresses the entire database security and compliance life cycle
with a unified web console, back-end data store and workflow
automation system, enabling you to:
•
•
•
•
•
•
•
Assess database and data repository vulnerabilities and
configuration flaws
Ensure configurations are locked down after recommended
changes are implemented
Provide 100-percent visibility and granularity into all data
source transactions — across all platforms and
protocols — with a secure, tamper-proof audit trail that
supports separation of duties
Monitor and enforce policies for sensitive data access,
privileged user actions, change control, application user
activities and security exceptions such as failed logins
Automate the entire compliance auditing
process — including report distribution to oversight teams,
sign-offs and escalations — with preconfigured reports for
SOX, PCI DSS and data privacy
Create a single, centralized audit repository for enterprisewide compliance reporting, performance optimization,
investigations and forensics
Easily scale from safeguarding a single database to
protecting thousands of databases, data warehouses, file
shares or Hadoop-based systems in distributed data centers
around the world
Traditionally, protecting unstructured information in forms,
documents and graphics has been performed manually by
deleting electronic content and using a black marking pen on
paper to delete or hide sensitive information. But this manual
process can introduce errors, inadvertently omit information
and leave behind hidden information within files that exposes
sensitive data. Today’s high volumes of electronic forms and
documents make this manual process too burdensome for
practical purposes, and increase an organization’s risk of exposure.
9
IBM InfoSphere Guardium Data Redaction protects
sensitive information buried in unstructured documents and
forms from unintentional disclosure. The automated solution
lends efficiency to the redaction process by detecting sensitive
information and automatically removing it from the version of
the documents made available to unprivileged readers. Based
on industry-leading software redaction techniques, InfoSphere
Guardium Data Redaction also offers the flexibility of human
review and oversight if required.
IBM InfoSphere Optim™ Data Masking Solution provides
a comprehensive set of data masking techniques that can
support your data privacy compliance requirements on
demand, including:
•
•
•
•
Application-aware masking capabilities help ensure that
masked data, like names and street addresses, resembles the
look and feel of the original information. (see Figure 4)
Context-aware, prepackaged data masking routines make
it easy to de-identify elements such as payment card
numbers, Social Security numbers, street addresses and
email addresses.
Persistent masking capabilities propagate masked
replacement values consistently across applications,
databases, operating systems and hardware platforms.
Static or dynamic data masking supports both production
and non-production environments.
With InfoSphere Optim, organizations can de-identify data in
a way that is valid for use in development, testing and training
environments, while protecting data privacy.
Mask
Figure 4: Personal identifiable information is masked with realistic but
fictional data
10
Three Guiding Principles to Improve Your Data Security and Compliance Strategy
IBM InfoSphere Guardium Data Encryption provides
a single, manageable and scalable solution to encrypt
enterprise data without sacrificing application performance
or creating key management complexity. InfoSphere
Guardium Data Encryption helps solve the challenges of
invasive and point approaches through a consistent and
transparent approach to encrypting and managing enterprise
data security. Unlike invasive approaches such as columnlevel database encryption, PKI-based file encryption or native
point encryption, IBM InfoSphere Guardium Data
Encryption offers a single, transparent solution that is also
easy to manage. This unique approach to encryption provides
the best of both worlds: seamless support for information
management needs combined with strong, policy-based data
security. Agents provide a transparent shield that evaluates
all information requests against easily customizable policies
and provides intelligent decryption-based control over
reads, writes, and access to encrypted contents. This highperformance solution is ideal for distributed environments,
and agents deliver consistent, auditable and non-invasive
data-centric security for virtually any file, database or
application — anywhere it resides.
In summary, InfoSphere Guardium Data Encryption provides:
•
•
•
•
•
•
•
A single, consistent, transparent encryption method across
complex enterprises
An auditable, enterprise-executable, policy-based approach
Among the fastest implementation processes achievable,
requiring no application, database or system changes
Simplified, secure and centralized key management across
distributed environments
Intelligent, easy-to-customize data security policies for
strong, persistent data security
Strong separation of duties
Top-notch performance with proven ability to meet SLAs
for mission-critical systems
IBM Tivoli® Key Lifecycle Manager helps IT organizations
better manage the encryption key life cycle by enabling them
to centralize and strengthen key management processes. It can
manage encryption keys for IBM self-encrypting storage
devices as well as non-IBM encryption solutions that use the
Key Management Interoperability Protocol (KMIP). IBM
Tivoli Key Lifecycle Manager provides the following data
security benefits:
•
•
•
•
•
•
•
Centralize and automate the encryption key management
process
Enhance data security while dramatically reducing the
number of encryption keys to be managed
Simplify encryption key management with an intuitive user
interface for configuration and management
Minimize the risk of loss or breach of sensitive information
Facilitate compliance management of regulatory standards
such as SOX and HIPAA
Extend key management capabilities to both IBM and
non-IBM products
Leverage open standards to help enable flexibility and
facilitate vendor interoperability
Monitor and audit
After data has been located and locked down, organizations
must prove compliance, be prepared to respond to new internal
and external risks, and monitor systems on an ongoing basis.
Monitoring of user activity, object creation, data repository
configurations and entitlements help IT professionals and
auditors trace users between applications and databases. These
teams can set fine-grained policies for appropriate behavior
and receive alerts if these policies are violated. Organizations
need to quickly show compliance and empower auditors to
verify compliance status. Audit reporting and sign-offs help
facilitate the compliance process while keeping costs low and
minimizing technical and business disruptions. In summary,
organizations should create continuous, fine-grained audit
trails of all database activities, including the “who, what, when,
where and how” of each transaction.
IBM InfoSphere Guardium Activity Monitor provides granular,
database management system (DBMS) — independent auditing
with minimal impact on performance. InfoSphere Guardium is
also designed to help organizations reduce operational costs via
automation, centralized cross-DBMS policies and audit
repositories, and filtering and compression.
IBM Software
Conclusion: Better Data Security
and Compliance
Protecting data security and privacy is a detailed, continuous
responsibility which should be part of every best practice. IBM
provides an integrated data security and privacy approach
delivered through these three guiding principles.
1.Understand and Define
2.Secure and Protect
3.Monitor and Audit
Protecting data requires a 360-degree, holistic approach. With
deep, broad expertise in the security and privacy space, IBM can
help your organization define and implement such an approach.
IBM solutions are open, modular and support all aspects of
data security and privacy, including structured, semi-structured
and unstructured data, no matter where it resides. IBM
solutions support virtually all leading enterprise databases and
operating systems, including IBM DB2®, Oracle, Teradata,
Netezza®, Sybase, Microsoft SQL Server, IBM Informix®, IBM
IMS™, IBM DB2 for z/OS, IBM Virtual Storage Access
Method (VSAM), Microsoft Windows, UNIX, Linux and IBM
z/OS®. InfoSphere also supports key ERP and CRM
applications — Oracle E-Business Suite, PeopleSoft Enterprise,
JD Edwards EnterpriseOne, Siebel and Amdocs CRM — as
well as most custom and packaged applications. IBM supports
access monitoring for file sharing software such as Microsoft
SharePoint and IBM FileNet. IBM also supports Hadoopbased systems such as Cloudera and InfoSphere BigInsights.
About IBM InfoSphere
IBM InfoSphere software is an integrated platform for defining,
integrating, protecting and managing trusted information across
your systems. The IBM InfoSphere platform provides the
foundational building blocks of trusted information, including
data integration, data warehousing, master data management
and information governance, all integrated around a core of
shared metadata and models. The portfolio is modular, allowing
you to start anywhere, and mix and match IBM InfoSphere
software building blocks with components from other vendors,
11
or choose to deploy multiple building blocks together for
increased acceleration and value. The IBM InfoSphere platform
provides an enterprise-class foundation for informationintensive projects, providing the performance, scalability,
reliability and acceleration needed to simplify difficult challenges
and deliver trusted information to your business faster.
About IBM Security
IBM’s security portfolio provides the security intelligence to
help organizations holistically protect their people,
infrastructure, data and applications. IBM offers solutions for
identity and access management, database security, application
development, risk management, endpoint management,
network security and more. IBM operates the world’s broadest
security research and development and delivery organization.
This consists of nine security operations centers, nine IBM
Research centers, 11 software security development labs and an
Institute for Advanced Security with chapters in the United
States, Europe and Asia Pacific. IBM monitors 13 billion
security events per day in more than 130 countries and holds
more than 3,000 security patents.
For more information
For more information on IBM security, please visit:
ibm.com/security.
To learn more about IBM InfoSphere solutions for protecting
data security and privacy, please contact your IBM sales
representative or visit: ibm.com/guardium.
To learn more about the new IBM DB2 for z/OS security
features, download the Redbook at www.redbooks.ibm.com/
Redbooks.nsf/RedbookAbstracts/sg247959.html
Additionally, financing solutions from IBM Global Financing
can enable effective cash management, protection from
technology obsolescence, improved total cost of ownership and
return on investment. Also, our Global Asset Recovery Services
help address environmental concerns with new, more energyefficient solutions. For more information on IBM Global
Financing, visit: ibm.com/financing.
© Copyright IBM Corporation 2012
IBM Corporation
Software Group
Route 100
Somers, NY 10589
Produced in the United States of America
October 2012
IBM, the IBM logo, ibm.com, DB2, Guardium, IMS, Informix, InfoSphere,
Optim, Tivoli, and z/OS are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current
list of IBM trademarks is available on the Web at “Copyright and trademark
information” at ibm.com/legal/copytrade.shtml.
Linux is a registered trademark of Linus Torvalds in the United States,
other countries or both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks
of Microsoft Corporation in the United States, other countries or both.
Netezza is a trademark or registered trademark of Netezza Corporation,
an IBM Company.
UNIX is a registered trademark of The Open Group in the United States
and other countries.
This document is current as of the initial date of publication and may
be changed by IBM at any time. Not all offerings are available in every
country in which IBM operates.
THE INFORMATION IN THIS DOCUMENT IS PROVIDED
“AS IS” WITHOUT ANY WARRANTY, EXPRESS OR
MPLIED, INCLUDING WITHOUT ANY WARRANTIES
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
PURPOSE AND ANY WARRANTY OR CONDITION OF
NON-INFRINGEMENT. IBM products are warranted according
to the terms and conditions of the agreements under which they
are provided.
Please Recycle
IMW14568-USEN-05