
GuardiumDAMV10 handouts 1

Slide 1
IBM Security Guardium Tech Talk
What's new in Guardium DAM V10: A technical
David Rozenblat
Director, Guardium Development
IBM Security
Kathy Zeidenstein
Guardium Evangelist and Community Advocate
IBM Security
September 17, 2015
This call is being recorded.
© 2015 IBM Corporation
Slide 2
Please leave the web conference if you object.
• This tech talk is being recorded. If you object, please hang up
and leave the webcast now.
• We’ll post a copy of slides and link to recording on the Guardium
community tech talk wiki page: http://ibm.co/Wh9x0o
• You can listen to the tech talk using audiocast and ask questions
in the chat to the Q and A group.
• We’ll try to answer questions in the chat or address them at
speaker’s discretion.
– If we cannot answer your question, please do include your email so we
can get back to you.
• When speaker pauses for questions:
– We’ll go through existing questions in the chat
Slide 3
This is probably the best place to find content. It
attempts to provide links to all available
resources. Also, by signing up, you can get the
emails for new tech talks or other critical
Guardium community on developerWorks
Slide 4
Reminder: Next Guardium Tech Talk
Next tech talk: A Technical Overview of IBM Security
Activity Monitor for Files
Speakers: Daniel Stanca, Product Manager
Sagi Shechter, Guardium Development Manager
Date and time: Thursday, October 15th
11:30 AM US Eastern (60 minutes)
Register here: https://ibm.biz/BdX5cZ
• Link to more information about this and upcoming tech talks can be
found on the Guardium developerWorks community:
• Please submit a comment on this page for ideas for tech talk topics.
Slide 5
• Business overview
• Enhancements that support analysis
• Enhancements that support adaptability
• Enhancements that support protection
• Platform changes and upgrade roadmap - Important survey question
Slide 6
As you’ll see in this presentation, IBM has
simplified the messaging around data
protection to three key themes: Analyze,
adapt, and protect. And that’s how we’ve
grouped together the related V10
enhancements as well. We’ll also do a
quick overview of the appliance platform
changes because it has implications for
upgrade. We have an important survey
question at the end about migration and
upgrade, so please try to stay through to
the end. If you cannot, please post in the
chat that you would be interested in
migration services.
Dynamic nature of the data
Data is multiplying, it’s dynamic (moving
around – all over the place) – in and out
of your infrastructure.
Data is challenging to secure
Data multiplies
continuously and
moves quickly
Data is everywhere,
across applications
and infrastructure
Users need to constantly access
and share data to do their jobs
Disparate and distributed data
Disparate data platforms and formats.
Small security teams, lots of applications;
Developers lack secure coding skills;
Demand for the data is increasing
Bottleneck trying to control the usage; data
is everywhere; needs to be accessed
Slide 7
At the highest level, Guardium offers
complete data protection, using
analytics to help automate risk
identification and by providing broad
coverage and ability to dynamically adapt
and scale to a wide variety of IT
Guardium uses intelligence and automation to safeguard data
discover critical data
and uncover risk
Seamlessly handle
changes within your IT
Complete protection for sensitive
data, including compliance automation
IBM CONFIDENTIAL: NDA until August 25, 2015
Slide 8
Discovery, classification,
vulnerability assessment,
entitlement management
Encryption, masking,
and redaction
Data and file activity
Dynamic blocking and
masking, alerts, and
Compliance automation
and auditing
The analyze, protect and adapt themes are
manifested through a broad set of data
security capabilities, which are all under
one umbrella and are integrated with each
other to help you implement a complete
Analytics makes it possible to deal with
the quantity of data you have, the quantity
and velocity of data access to track, and
the difficulty of uncovering patterns and
detecting and pinpointing suspicious activities.
Centralization is the glue that makes the
whole set of data security functions manageable
across the array of heterogeneous data
sources required to run the IT environment.
This is the beauty of this approach: You
get a central place to ask the common data
security questions (for security, privacy or
compliance) across all the enterprise data
resources in a normalized way. And you
can start at any point according to your
needs, maybe with simple compliance
reporting … and grow.
So let’s look at the set of new DAM
capabilities that fall under the theme of
Slide 9
Slide 10
David will be doing a demo of some of the
new capabilities in the user interface and
also the enterprise quick search and
investigation dashboard. There are
additional enhancements that are included
in backup slides.
• New navigation and user experience
• Quick Search for Enterprise and Investigation Dashboard
• Classifier enhancements (backup)
Slide 11
UI simplification and modernization
At a glance
Enterprise wide
Quick Search
tasks with
Before I turn it over to David, I just want to
briefly give an overview. The new UI has
evolved and will continue to evolve along
the lines of simplicity and modernization.
The design is more task-oriented and
provides guided processes such as the end
to end discovery scenario that David will
It’s also much easier to customize the UI,
as David will demonstrate. For example, to
create a view-only user with limited access
is very easy to do.
Slide 12
Slide 13
The banner is a powerful control center with
alerts, to-dos and an enhanced search bar.
The UI search bar will be your best friend in
helping you find a tool or report quickly by
Notifications are covered in more detail in
a backup slide.
To-do list
Use to navigate through the
UI or to search data or files
(Quick Search)
Slide 14
The left hand navigation is now simplified
and normalized across both administrator
and user roles.
Customizable navigation
Tools and reports related to
the task
Common navigation
Slide 15
Report dashboard example
See tabular
Configure runtime
Mark as favorite
Same chart,
Guardium includes hundreds of built-in
reports as well as a flexible reporting
capability to let you create as many custom
reports as you need. The sheer number of
reports can make finding your own
important reports a bit more challenging.
Version 10 introduces the concept of “My
Dashboards”. A dashboard is a user-personalized
space in which you can drop
reports and organize them for easy
access. Each user can name the
dashboards and create as many
dashboards as they need.
Using favorites enables you to filter reports
in audit processes or when creating new
dashboards, so you don’t need to scroll
down through hundreds of reports or
devise your own naming scheme to
ensure that your reports filter to the top of
the list.
When adding a report to a dashboard, you
can find it easily by name by typing
the first few characters in a field that
requires selection from a list.
Slide 16
Report dashboard creation
• Type-ahead filter
to quickly find
reports / charts
• Additional filters
– Favorites
– Charts
– User defined (not
pre-defined) reports
• Select report /
chart to add it to
Slide 17
Dashboard layout
• Customize layout into 1, 2, or 3 columns
• Drag and drop to move reports / charts
Slide 18
Administrators will love this new central
location to see the status of Guardium
services. And it provides one-stop
launchpad to get to where you need to go
to configure the service.
Services Status: before and after
Setup > Tools and Views > Services Status
view of services
Direct access to
enable or disable
the service
Slide 19
Accelerators now included in the base
Access Manager
User with SOX and PCI roles
navigation menu
Add roles to a
Prior to V10, the compliance accelerators
(PCI, SOX, Basel II, and Data Privacy) had
to be installed using separate patches. Now
they are part of the base product offering
and can be added to user interface simply
by configuring users with any of the
corresponding roles (pci, sox, etc.). The first
screenshot above shows that the Guardium
Access Manager is giving a user the PCI
and SOX roles. When that user next logs
into Guardium, she sees the Accelerators
navigation menu and can see the content
for both accelerators.
Slide 20
Managing permissions has never been easier!
Slide 21
The process to customize the user interface
and manage permissions for different roles
has been dramatically simplified in Version
10. Everything is in one central location and
uses a simple "slushbucket" approach.
For example, if you want to create a very
simple interface with only a few read only
reports for a particular auditor, it can be
done quickly and easily. The Guardium
access manager creates a new role called
"Myfavoriteauditor". For the role, she goes
to Manage Permissions and gives very
limited permissions to the user as shown
below, which includes report builder, results
viewing and audit to-do lists.
Then, the access manager goes to
Customize Navigation Menu for that role
and specifies which specific reports that
Myfavoriteauditor can see.
Customizing navigation is a snap
Specify what will show up in
Slide 22
The resulting navigation is simple and
targeted for that role.
Customized navigation
Default navigation
Customized navigation
Simplified, targeted layout
for specific roles.
Slide 23
Lifecycle workflow: Discover, review, schedule, protect
Creates a classification
process and policy
Creates a security policy
Creates an audit process
with receivers and a
Slide 24
We leverage the analytic tools to provide
better ways to understand activity flows,
even in a multi-dimensional environment.
This allows for drill downs on specific areas
of activity and to see how they affect other
attributes in the environment.
Investigation Dashboard
Click to view details in
Quick Search without
losing context.
•Color depth represents Intensity of
•Hover over cells for details
•Click a cell or title for interactive
Slide 25
Animation chart
Adds a time dimension to the investigation dashboard.
Size of bubble
reflects amount of
Hover over circle
to see details.
Activity over the
last 48 hours is
An example of the direction that the
Guardium UI is taking can be seen in a new
task flow that takes you end to end through
a guided workflow that goes from sensitive
data discovery, to data protection (defining
security policies), to compliance (defining
audit process), without requiring users to
jump from place to place in the user
If you go through the entire workflow,
relevant artifacts are created such as a
classification policy, an audit process to
schedule the classification and even a
security policy with the relevant access
rules to protect discovered sensitive data.
You will see in the demo how a set of two
dimensional heat maps can give you a
glimpse of where most activity happens,
and then filter from there into how other
relationships are affected.
New animation chart
The animation chart adds an important
dimension, time, to the Investigation
Dashboard. This helps analysts to visualize
activity behavior over time using data in
motion. This chart uses animated bubbles
to represent activity over the last 48 hours
(at most). The data is “auto-played”, where
each frame is an hour in time, and can be
paused, much as you would when watching
any video.
All 4 dimensions used in the chart are
configurable: The bubbles, their sizes, as
well as the X and Y axes. For example, a
bubble can be defined as a DB User, its
area to the number of client IPs, its
horizontal position to ACCESS activity, and
its vertical position to the number of
ERRORS, as shown in the following image.
This view supports drill down; clicking on a
bubble adds the data elements selected to
the filters and all charts are filtered
Slide 26
A key focus this release has been in
making Guardium more adaptable and
easier to administer.
Slide 27
Some of the capabilities are covered in the
backup slides.
Enterprise load balancing
GIM improvements for deployment and security
Enhanced instance discovery
S-TAP enhancements for performance and capability
Auto-run dependent jobs for scheduled processes (backup)
Database platform enhancements (backup)
MongoDB as an audit repository (backup)
Softlayer backup (backup)
Troubleshooting enhancements (backup)
Slide 28
Enterprise load balancing
• Removes the headache of manually
managing collector allocation for new S-TAPs
– Configure S-TAP to connect to a Load Balancer
on CM and let load balancer find an appropriate
Managed Unit
• Dynamically rebalances workloads based
on relatively current load data (such as sniffer
• Complete redesign of 9.5 deliverable
Slide 29
Enterprise load balancer keeps track of how busy the
collectors are
MU 1
Two types of collection:
• Full load collection
• Single MU load collection
Central Manager
Load Map
Full load collection happens
dynamically (recommended)
or statically
Single MU collection when
load characteristics change
(such as number of S-TAPs)
MU n
MU 1=loaded
MU n= vacant
Rebalancing occurs only
after full load collection
Dynamic load balancing is available in
centrally managed environments and
reduces the workload on Guardium
administrators by automating several tasks
that previously required manual tracking
and intervention. Dynamic load balancing:
• Eliminates the need to manually evaluate
the load of managed units before assigning
those managed units to an S-TAP agent.
• Eliminates the need to define fail-over
managed units as part of post-installation
S-TAP configuration because the load
balancer dynamically manages fail-over.
• Eliminates the need to manually relocate
S-TAP agents from loaded managed units to
less loaded managed units.
Restrictions: Dynamic load balancing is
not supported for z/OS and IBM i S-TAPs.
Load balancer is a servlet running on the
Central Manager.
Change trackers are running on the
managed units (MUs).
Load balancer dynamically reallocates MUs
based on current load.
• Collects a variety of statistics from each
MU to make a determination of ‘loaded’
vs. ‘vacant’.
The dynamic load balancer is an
application that runs only in the Central
Manager. It requires no special
configuration to run. The load balancer
application is enabled on the Central
Manager by setting
affect the behavior only of those S-TAPs
that are installed with the load_balancer_IP
(the Central Manager IP) specified.
The dynamic load balancer performs “load
collection” periodically, which entails
getting a snapshot of current activity load
for all active managed units and storing it in
a load map. This load collection does not
affect other activity on the Central Manager.
You can specify the load collection to
happen using a fixed interval or
dynamically. Dynamic collection is the
default and recommended setting. With
dynamic collection, intervals will be
determined by the number of Managed
Units (1 additional hour for every 10
managed units). Dynamic intervals will
guarantee more accurate load map without
the overhead of loading the CM with
unnecessary load collections.
When is single load collection triggered?
• Used when load patterns have been
changed on the MU (e.g. if the number
of S-TAPs connected to a specific MU has
Load change tracker agents on each MU
track load-contributing factor changes.
• A tracker agent is a load balancer
instance (servlet) running on each MU.
This (mostly dormant) agent tracks
specific 'load change tracker' factor
changes (e.g. the
Load Balancer transparently supports two
types of collections
• Full Load Collection
– Load Information collection from all the
managed units in the site
• Single MU Load Collection
– Load Information collection from a
single MU caused by 'load-contributing'
factor changes.
If something changes for a particular
managed unit that affects its load, such as
a reduction or increase in the number of
S-TAPs connected to it, the load balancer will
be notified through a change tracker on the
MU, and updated information will be sent to the
load balancer.
Once the load balancer has the load map, it
can make informed decisions about which
collectors are best suited to failover, new
allocations, or for rebalancing of S-TAPs.
(Note that rebalancing can only happen
after a full load collection and is controllable
via a load balancer configuration
Slide 30
It’s likely that you have different ‘zones’ for
different groupings of database servers/S-TAPs
and managed units. You can use the
following two types of groups to set up your
environment for load balancing:
S-TAP groups
MU groups
Using groups to create load balancing zones
Group 1
MU _Group1
Central Manager
Load Map
Zone 1
Zone 2
Group 2
MU 1=loaded
MU n= vacant
MU _Group2
You can create and associate these groups
ahead of time in the Central Manager
interface. The group names are case-sensitive.
For the S-TAP groups, you must
specify exactly what you will use to install
the S-TAP itself (either the host name or
IP). You can use wildcards in your IP
addresses, such as 192.168.1.*.
You can also specify these groups during
S-TAP installation. (The MU group must
exist already. For S-TAP groups, if it
doesn’t already exist, Guardium will create
it for you.)
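The following Python model is an added illustration of the load balancer behaviour described in the last two slides (it is not IBM's implementation): full and single-MU load collection into a load map, allocation of a new S-TAP to a vacant managed unit in its zone, and rebalancing that runs only after a full collection. The loaded/vacant threshold, the equal per-S-TAP share of load, the base collection interval and every host, MU and group name are assumptions made for the example.

```python
"""Model of Guardium V10 dynamic load balancing with S-TAP / MU group zones.

Added example, not IBM's code. Assumptions: an MU counts as 'loaded' once its
load fraction reaches LOADED_THRESHOLD; every S-TAP on an MU contributes an equal
share of that MU's load; S-TAP group patterns match case-sensitively against the
host name or IP given at S-TAP install time, with '*' wildcards as on the slide.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

LOADED_THRESHOLD = 0.75  # assumed cut-off between 'vacant' and 'loaded'


@dataclass
class ManagedUnit:
    name: str
    group: str                                  # MU group = the zone this collector serves
    load: float = 0.0                           # load fraction from the last collection
    staps: List[str] = field(default_factory=list)

    @property
    def loaded(self) -> bool:
        return self.load >= LOADED_THRESHOLD


def collection_interval_hours(mu_count: int, base_hours: int = 1) -> int:
    """Dynamic full-collection interval: one extra hour per 10 MUs (base_hours is assumed)."""
    return base_hours + mu_count // 10


class LoadBalancer:
    def __init__(self, mus: List[ManagedUnit], stap_groups: Dict[str, List[str]],
                 zone_map: Dict[str, str]):
        self.mus = {mu.name: mu for mu in mus}
        self.stap_groups = stap_groups      # S-TAP group -> host/IP patterns
        self.zone_map = zone_map            # S-TAP group -> MU group
        self.load_map: Dict[str, float] = {}
        self.full_collection_done = False

    def zone_for(self, stap_host: str) -> Optional[str]:
        """Resolve the MU group an S-TAP may use; None means any MU is allowed."""
        for group, patterns in self.stap_groups.items():
            if any(fnmatchcase(stap_host, p) for p in patterns):
                return self.zone_map[group]
        return None

    def full_load_collection(self, reported: Dict[str, float]) -> None:
        """Snapshot the load of every active MU; only after this may rebalancing run."""
        for name, load in reported.items():
            self.mus[name].load = load
            self.load_map[name] = load
        self.full_collection_done = True

    def single_mu_collection(self, name: str, load: float) -> None:
        """A change tracker on one MU reported a load-contributing change."""
        self.mus[name].load = load
        self.load_map[name] = load

    def vacant_in_zone(self, zone: Optional[str]) -> List[ManagedUnit]:
        mus = [mu for mu in self.mus.values() if zone is None or mu.group == zone]
        return sorted((mu for mu in mus if not mu.loaded), key=lambda mu: mu.load)

    def allocate(self, stap_host: str) -> Optional[str]:
        """Assign a new S-TAP to the least-loaded vacant MU in its zone."""
        vacant = self.vacant_in_zone(self.zone_for(stap_host))
        if not vacant:
            return None
        vacant[0].staps.append(stap_host)
        return vacant[0].name

    def rebalance(self) -> List[Tuple[str, str, str]]:
        """Move S-TAPs off loaded MUs onto vacant MUs of the same zone.

        Returns (stap, from_mu, to_mu) moves; runs only after a full collection."""
        if not self.full_collection_done:
            return []
        moves = []
        for mu in list(self.mus.values()):
            while mu.loaded and mu.staps:
                targets = [t for t in self.vacant_in_zone(mu.group) if t is not mu]
                if not targets:
                    break
                share = mu.load / len(mu.staps)     # assumed equal per-S-TAP share
                stap = mu.staps.pop()
                targets[0].staps.append(stap)
                mu.load -= share
                targets[0].load += share
                moves.append((stap, mu.name, targets[0].name))
        self.full_collection_done = False           # a new full collection is needed first
        return moves


def build_example() -> LoadBalancer:
    """Constructed two-zone site: Group1 S-TAPs -> MU_Group1, Group2 S-TAPs -> MU_Group2."""
    lb = LoadBalancer(
        mus=[ManagedUnit("MU_A", "MU_Group1", staps=["db1-01", "db1-02", "db1-03"]),
             ManagedUnit("MU_B", "MU_Group1"),
             ManagedUnit("MU_C", "MU_Group2")],
        stap_groups={"Group1": ["db1-*", "192.168.1.*"], "Group2": ["db2-*"]},
        zone_map={"Group1": "MU_Group1", "Group2": "MU_Group2"},
    )
    lb.full_load_collection({"MU_A": 0.9, "MU_B": 0.2, "MU_C": 0.5})
    return lb


if __name__ == "__main__":
    lb = build_example()
    print("new db1-04 ->", lb.allocate("db1-04"))      # MU_B: MU_A is loaded
    print("new db2-01 ->", lb.allocate("db2-01"))      # MU_C: only MU in zone 2
    print("moves:", lb.rebalance())                    # db1-03 moves MU_A -> MU_B
```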
Slide 31
Guardium installation manager (GIM) enhancements
• Easier deployment of GIM clients
– From GIM server, remotely activate GIM clients
that were installed in “listener” mode
– Use GIM listener ‘auto discovery’ to find any
servers that have GIM clients and activate (next
– Guardium admins don’t need access to the
database server
• Improved security using remote certification authority
– Install the GIM client with the relevant certificate
information or update it using the GIM GUI or API.
• Installer enhancements to specify failover GIM server
when installing GIM Client for first time
– --failover_sqlguardip <ip or hostname>
What is GIM? GIM eases the burden of
maintaining modules that reside on the
database server such as CAS, S-TAP and
Discovery.
GIM Modules:
• Consists of GIM Server (on Guardium
appliance) and GIM Client, a set of Perl
scripts that run on each managed server.
• Checks for updates to installed software
• Transfers and installs new software
• Uninstalls software
• Updates software parameters
• Monitors and stops processes running on
the database server
Easier deployment of GIM clients
Before V10, whenever a new database
server was configured with the GIM client
on it, it was required to know the IP address
of the Guardium appliance it was
connecting to. For organizations that stand
up new database servers, this required
additional communication between the DBA
and the Guardium administrator, slowing
down the deployment of the database
server with Guardium monitoring.
Now, using remote activation, a database
server can be installed without specifying a
Guardium IP address, thereby putting the
GIM Client in “listener” mode. Any GIM
client in listener mode can be remotely
activated (from a collector) without requiring
additional configuration changes on the
database server.
You can also auto-discover any servers
that have GIM clients in listener mode and
then remotely activate any or all of those
discovered clients.
In sum, this enhancement enables IT
organizations to roll out Guardium on all
new servers without requiring further
interactions with the Guardium team, which
can activate Guardium on the database
server on their own.
Prior to V10, GIM connections between the
database server and the GIM server used
Guardium self-signed certificates. With
V10, you can now use an external
certificate authority to authenticate these
connections. It is fully backward compatible
with older GIM clients.
GIM client bundles are pre-installed with
Guardium self-signed certificates. By
default, new installations of GIM clients will
attempt to establish secure and
authenticated connections with GIM server
over port 8446. You can use your own keys
and certificates either by installing the GIM
client with the relevant certificate
information or by updating it using the GIM GUI or API.
Updating key/certificates throughout a large
site can be a long process. During that time
there might be a mismatch between GIM
server and GIM client's certificates/keys.
When GIM client fails to connect to a GIM
server (appliance) over port 8446 (secured
and authenticated), it will switch to the
traditional secured port 8444 and write an
event in the GIM Events report.
Slide 32
This shows the output of a GIM auto
discovery process.
GIM Auto-discovery process results in support of listener
The original
scanned IP
Host name where
listener is running
Specific IP where GIM
listener is running
“Check” to
Make the
Slide 33
Enhanced instance discovery using S-TAP
• Removed dependency on Java and external libraries
• Enable on S-TAP installation:
– Noninteractive install flag --use-discovery
– GIM install – set STAP_USE_DISCOVERY to 1
• When S-TAP is installed, inspection engines will be configured for discovered instances
• After install, invoke process from S-TAP control
• Can also invoke inspection engine creation via API from Discovered Instances report
Guardium with auto-discovery enabled, lets
you use the power of S-TAP to discover
running instances on that server, including
the information you need to automatically
populate the inspection engine definitions.
V10 makes it much easier by not requiring
Java or any external libraries to accomplish
this task.
To enable instance discovery, use the
following flags during S-TAP installation:
Noninteractive install flag --use-discovery
GIM install: set STAP_USE_DISCOVERY to 1
When installation is completed, S-TAP will
be configured with Inspection Engines for
all running databases.
To invoke instance discovery after
installation, go to Manage > Activity
Monitoring > S-TAP Control and select
the Send Command icon as shown in the
screenshot below. Notice that you can
optionally replace all inspection engines in
that S-TAP with the newly discovered
configurations. The other option is to review
the results in the Discovered Instances
report and invoke the
create_stap_inspection_engine API for one
or more discovered instances.
Slide 34
S-TAP enhancements
• S-TAP multithreading for intensive workloads such as warehouse
– Preserves ‘threadedness’ from point of interception through to the collector
– Configure using participate_in_load_balancing = 4 and specify sql_guard sections up to 5 - this
determines number of main threads
– No failover support in this release.
• 64-bit UNIX/Linux binaries, which increases amount of data that can be buffered (approx.
2GB per collector IP)
• Recommended performance parameters turned on by default
– ktap_fast_tcp_verdict: Port information loaded into K-TAP on startup
– ktap_fast_shmem_verdict: Used for DB2 shared memory improvements
• New platforms
– RHEL 7 x86_64
– SUSE 12 x86_64
– Ubuntu 14 x86_64
– Debian (supported via Ubuntu installer)
• Dropped support for AIX 5.3, SLES 9, Solaris 9
S-TAP multithreading
S-TAP multithreading can be used in
certain workloads to prevent overrunning
buffers in the S-TAP and associated K-TAP.
It works by preserving multiple
threads from the point of traffic interception
through to the point at which traffic is sent
to the appliance.
To enable S-TAP multithreading, configure
the guard_tap.ini file with
participate_in_load_balancing=4 and
specify multiple sqlguard sections. The
number of sqlguard sections determines
the number of main threads up to a
maximum of 5. When used with pooled
connections, the total number of threads to
handle data can be up to 50 (10 * 5).
Considerations for use: In this
configuration, no one Guardium receives all
the data from the S-TAP. The distribution is
similar to that used when
participate_in_load_balancing is set to 1.
However, when a Guardium system
becomes unavailable, no failover is
provided in this release. Data will be
queued until the reconnection occurs or the
buffer is full.
Important: Although
participate_in_load_balancing 1 and 4 are
similar, they do not send the same sessions
to the same place, so if you are using 1 and
switch to 4, your sessions will move
machines and you'll lose the access
information for those sessions.
Also, as when
participate_in_load_balancing is set to 1,
encrypted and unencrypted A-TAP traffic
may not be sent to the same Guardium
Make sure to use the same policy on all the
connected Guardium systems. If the
policies are different, there's no guarantee
which policy is in effect on a given session.
64-bit session keys reduce the likelihood of
collisions causing dropped traffic
- Part of the improvement for S-TAP multithreading improvements and the change to
- multi-threading preserves some of the
threadedness from the kernel side through
to the collector to reduce lock contention
and improve the amount of traffic we're able
to collect
- multi-threading helps primarily when there
are large numbers of sessions, but a 32-bit
session key has an increased likelihood of
colliding with an existing session and causing
a loss of interception in this environment
- switching to a 64-bit session key reduces
the chances of a collision impacting the
traffic collected
ktap_fast_tcp_verdict: This is an existing
parameter that is now on by default. When
set to 1, the TCP port information is loaded
into K-TAP when S-TAP starts up. The
result is that K-TAP is no longer dependent
on S-TAP to determine which TCP
connections should be monitored, which
reduces the likelihood of experiencing
database performance degradation if S-TAP becomes slow. For more information
about this parameter, see the IBM
Redbook, Deployment Guide for
InfoSphere Guardium.
ktap_fast_shmem_verdict: Similar to the
behavior that is already supported for Informix,
this is a new parameter that pushes the
recommended information for DB2 shared
memory configurations to the K-TAP. This
means that K-TAP is not dependent on S-TAP
to determine which shared memory
connections should be monitored. In
general, don't turn this off.
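As an added example (not IBM's code or file format), the Python below ties together two of the points from this slide: it derives the thread count from a multithreaded S-TAP configuration and quantifies the session-key collision risk that the 64-bit key addresses. The [TAP] and [SQLGUARD_n] section names, the sqlguard_ip/sqlguard_port keys and the sample addresses are assumptions; the 5-section limit and the 10 pooled connections per main thread come from the notes above, and the collision figure is the standard birthday bound for uniformly random keys.

```python
"""Sizing a multithreaded S-TAP configuration and the session-key collision risk.

Added example, not IBM's code. Assumes guard_tap.ini carries
participate_in_load_balancing in a [TAP] section and one [SQLGUARD_n] section
per collector; those names and the sample addresses are assumptions. The limit
of 5 sections and the 10 pooled connections per main thread come from the notes.
"""
import configparser
import math
from typing import Dict

MAX_MAIN_THREADS = 5          # at most 5 sqlguard sections drive main threads
POOLED_PER_THREAD = 10        # pooled connections per main thread (10 * 5 = 50)

# Constructed guard_tap.ini fragment, not taken from a real deployment.
SAMPLE_INI = """
[TAP]
tap_ip=192.0.2.10
participate_in_load_balancing=4

[SQLGUARD_0]
sqlguard_ip=192.0.2.21
sqlguard_port=16016

[SQLGUARD_1]
sqlguard_ip=192.0.2.22
sqlguard_port=16016

[SQLGUARD_2]
sqlguard_ip=192.0.2.23
sqlguard_port=16016
"""


def analyze_stap_config(ini_text: str) -> Dict[str, object]:
    """Derive the threading from an S-TAP ini and list the caveats from the notes."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    mode = cfg.getint("TAP", "participate_in_load_balancing", fallback=0)
    collectors = [cfg.get(s, "sqlguard_ip") for s in cfg.sections()
                  if s.upper().startswith("SQLGUARD")]
    warnings = []
    if mode != 4:
        main_threads = 1
        warnings.append("multithreading off: participate_in_load_balancing != 4")
    else:
        main_threads = min(len(collectors), MAX_MAIN_THREADS)
        if len(collectors) > MAX_MAIN_THREADS:
            warnings.append("only %d sqlguard sections drive main threads" % MAX_MAIN_THREADS)
        warnings.append("no failover: data queues until reconnect or the buffer fills")
        warnings.append("install the same policy on every collector listed")
    return {"mode": mode, "collectors": collectors, "main_threads": main_threads,
            "max_threads": main_threads * POOLED_PER_THREAD, "warnings": warnings}


def collision_probability(sessions: int, key_bits: int) -> float:
    """Birthday bound: chance that two of `sessions` random k-bit session keys coincide."""
    pairs = sessions * (sessions - 1) / 2.0
    return 1.0 - math.exp(-pairs / 2.0 ** key_bits)


def sessions_at_risk(probability: float, key_bits: int) -> int:
    """Concurrent sessions at which the collision probability reaches `probability`."""
    return math.ceil(math.sqrt(-2.0 * 2.0 ** key_bits * math.log(1.0 - probability)))


if __name__ == "__main__":
    print(analyze_stap_config(SAMPLE_INI))
    for bits in (32, 64):
        print("%d-bit key, 20000 sessions: P(collision)=%.3g; sessions for 1%%: %d"
              % (bits, collision_probability(20000, bits), sessions_at_risk(0.01, bits)))
```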
Slide 35
Guardium supports complex IT environments …
Examples of supported databases, Big Data environments, file shares,
Data Warehouses
Big Data Environments
PureData for
Cloud Environments
Database Tools
Content Managers
Windows, Linux,
In V10, Guardium has expanded its DAM
capabilities to keep current with new
releases. In addition, there are sometimes
significant enhancements in our support,
such as improved support for Teradata
encryption and improved capabilities for
parsing and logging Hadoop activity.
Please read the release notes or the what’s
new article for more details.
And of course, the biggest enhancement
was in adding support for files beyond what
we have already on z/OS. This is a whole
new offering, and our next tech talk will
cover that in much more detail.
Now we’ll look at the capabilities that fall
under the category of data protection and
which are available with advanced versions
of DAM.
Slide 36
Slide 37
The biggest enhancement in this space is
called fine-grained access control, which is
a dynamic, policy-based method to change
queries on the way to the database.
You may hear this called ‘query rewrite’
since that is what we call the tooling inside
Protect (Advanced)
• Fine grained access control
• Blocking and redaction for Hadoop queries from Hive and Impala (Backup)
We’ve also added blocking and redaction
for Hive and Impala queries in Hadoop. We
already support both for Big SQL, so now it’s
included also for Hive queries and Impala,
which is Cloudera’s query language. That
is covered in the backup.
Slide 38
Fine-grained access control
Protect sensitive data without impacting your business
Column-Level Masking (only dept#)
Row-Level Masking (only dept #20)
Use cases:
• Outsource production DB access
• Protect PII from privileged users
• Testing on production data
• Honey pot
Supported databases: DB2 (LUW), Oracle,
SQL Server
With Guardium’s
implementation of fine-grained
access control, administrators
have the ability to protect
sensitive data without making
database changes. Basically, it
provides the ability to modify the
SQL statement that gets sent to
the database, based on the
current runtime user and the
other policy conditions you
specify, such as client IP,
database object, time of day,
For a classic dynamic data
masking scenario, you can
mask which columns are
returned, so you can make sure
that salary and commission data
are not returned to unauthorized
Or you can hide the rows that
are returned by adding a
WHERE clause, for example. In
this case you could evaluate the
dbuser and ensure that the
managers of the relevant
departments see only data from
their departments. In both
cases shown here, you can see
that the statement entered by
the user is the same. All the
magic happens behind the
This is extremely powerful. You
can even use this capability to
RESTRICT activity. For
example, to prevent deletions
from a database, you could
always change a delete
statement to be a no-op.
Use cases could be:
• Need to open up production DB,
perhaps to an outsourced DBA,
without affecting DB access
controls or compromising private
• Need to enforce access to PII to
comply with PCI, HIPAA. Keep
track of who requested masked
• Need to transform data
(anonymization) without affecting
application logic, but protecting
original data privacy.
• Provide fictitious data to possible
attackers to allow time for
Slide 39
Here’s the runtime architecture for the
solution. For those of you familiar with
S-GATE terminate, it’s much the same.
You need to set up the S-TAP ahead of
time to enable query rewrite.
Fine-grained access control architecture
1. User issues SQL
2. S-TAP holds SQL and
checks policy rules for
3. If conditions are met,
Guardium rewrites
query and sends to S-TAP
4. S-TAP releases
rewritten query to
database server.
5. Results are sent back
to user.
Select * from
FGAC and firewall cannot be used on
same session.
Results of
Select EMPNO,
Check Guardium policy:
When DBuser=DB2INST and
Object=Employee, apply query
rewrite definition
Rule actions: query rewrite attach, query rewrite apply
definition, query rewrite detach
The flow is:
• The user enters a SQL statement for
one of the supported databases. We
can assume in this case that this
particular user session has put a query
rewrite “watch” on their session.
• When this user enters a SQL statement
in a watched session, the S-TAP holds
the statement and checks against the
policy rules.
• If the conditions are met (maybe in this
case the object is employee and the
user is DB2inst), Guardium rewrites the
query and sends it back to the S-TAP.
It rewrites the query based on query
definitions that the administrator has
already defined. The query rewrite
policy rule points to that definition.
• The S-TAP releases it to the database.
• The results from the rewritten query are
sent back to the user.
Output: a modified SQL based on the
user-specified QRW definitions
User gets the query results evaluated by
the modified SQL
New rule actions in v10
- Query Rewrite Attach
- Query Rewrite Detach
- Query Rewrite: Apply Definition
Triggered by installed access policy rules.
Slide 40
Workflow through runtime
Figure: create a query rewrite definition; create a security policy (when database type = Oracle and User = Joe and Object = Customer, apply it); Joe queries the Customer table, and the rewritten query does not return rows of government customers.
This just shows the overall workflow and an example of the UI in which you create the query rewrite definitions. The UI lets you enter a model query and modify it by adding a WHERE clause, adding a UDF, or changing it in basically any way. In this case, any SELECT on Customer is rewritten to add a WHERE clause that excludes customers of type government (hiding rows).
That query rewrite definition is referenced by name from the "query rewrite: apply definition" policy action, so the rewrite is applied to Customer queries only when the rule's conditions are met: only when Joe is the user and the database type is Oracle.
Slide 41
Use case: Production database for testing
Exposing a production database for testing purposes without exposing private data.
Figure: before, all values in the database are displayed; after, Guardium uses fine-grained access control to change columns / mask data. The query rewrite report shows the actual runtime queries.
You can see here that Guardium does record the input and output SQL when a query definition has been applied at
Slide 42
Use case: Multi-tenancy scenario
Enhance access controls in which multiple users and applications share a single database.
Figure: rows and columns returned for nongovernment customers; display data based on run-time parameters (e.g. ...); enhance existing access controls; user TSHIRAI cannot see name or birth date; user ADMIN cannot see name.
Slide 43
Dynamic data masking at database layer
May reduce dependence on test data systems
Support multi-tenancy environments
Does not require the involvement of the DBA
Centralized policy for supported database types
(MS SQL, Oracle, and DB2)
IBM Confidential
Enforcing security in multi-tenancy scenarios where multiple users and applications share a single database, but where not all users and applications should have access to all data.
In this case, we've restricted the rows that are returned to show only nongovernment customers for all users. Also, user TSHIRAI is not allowed to see complete values for name or birthdate, while ADMIN is restricted only from name.
Guardium has had dynamic data masking that let you apply regular expressions to result sets. The capability provided by query rewrite is much more powerful and flexible.
Benefits of fine-grained access control
In this example, we want to mask data for testing purposes, so you can call a UDF to change the results.
We've demonstrated a few possible use
If you have SQL skills, you do not necessarily need to involve the DBA in this. And you can use the centralized policy management capabilities provided by Guardium across all supported platforms.
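The rewrite flow on slide 39 and the row-hiding and per-user masking on slides 40 to 43, as an added example that is not part of the original deck and is not Guardium's own code: a small Python simulation of a query rewrite step sitting in front of SQLite, so the effect of a definition can be seen on real rows. The Customer table layout and rows, the rule matching on (database type, user, object), the definition names and the mask_value UDF are all assumptions made for this example; the S-TAP/collector mechanics and the definition editor are not reproduced.

```python
import re
import sqlite3

# Constructed sample rows standing in for the Customer table on the slides.
CUSTOMER_COLUMNS = ["ID", "NAME", "BIRTHDATE", "CUSTOMER_TYPE"]
CUSTOMER_ROWS = [
    (1, "Alice Tanaka", "1980-03-04", "retail"),
    (2, "Bob Ramos", "1975-11-20", "government"),
    (3, "Chen Wei", "1990-07-15", "retail"),
]

def mask_value(value):
    """Hypothetical masking UDF: keep the first character, blank out the rest."""
    s = "" if value is None else str(value)
    return s[:1] + "x" * (len(s) - 1) if s else s

# Query rewrite definitions, referenced by name from policy rules (hypothetical
# names; the slides show a WHERE-clause definition and a UDF-based one).
REWRITE_DEFINITIONS = {
    "hide_government_rows": {"where": "CUSTOMER_TYPE <> 'government'"},
    "mask_name_birthdate": {"mask": ["NAME", "BIRTHDATE"]},
    "mask_name": {"mask": ["NAME"]},
}

# Policy rules: conditions on (db type, user, object). user None matches any user,
# which gives the multi-tenancy row filter that applies to everyone.
POLICY_RULES = [
    {"dbtype": "SQLITE", "user": None, "object": "CUSTOMER", "apply": "hide_government_rows"},
    {"dbtype": "SQLITE", "user": "TSHIRAI", "object": "CUSTOMER", "apply": "mask_name_birthdate"},
    {"dbtype": "SQLITE", "user": "ADMIN", "object": "CUSTOMER", "apply": "mask_name"},
]

SELECT_RE = re.compile(r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>\w+)\s*(?P<rest>.*)$", re.I | re.S)
REST_RE = re.compile(r"^(?:WHERE\s+(?P<cond>.+?))?(?:\s*(?P<tail>(?:ORDER|GROUP|LIMIT)\b.*))?$", re.I | re.S)

def rewrite(sql, dbtype, user, table_columns, report, attached=True):
    """Return the SQL that would be released to the database server for this session.

    Only single-table SELECTs are handled; anything else, and any session without
    a query rewrite "attach", passes through unchanged (this is a toy, not a parser).
    """
    m = SELECT_RE.match(sql)
    if not attached or not m:
        return sql
    table = m.group("table").upper()
    cols = m.group("cols").strip()
    col_list = list(table_columns) if cols == "*" else [c.strip().upper() for c in cols.split(",")]
    r = REST_RE.match(m.group("rest").strip())
    cond = (r.group("cond") or "").strip()
    tail = (r.group("tail") or "").strip()

    where_terms, masked, applied = [], set(), []
    for rule in POLICY_RULES:
        if rule["dbtype"] != dbtype or rule["object"] != table:
            continue
        if rule["user"] is not None and rule["user"] != user:
            continue
        definition = REWRITE_DEFINITIONS[rule["apply"]]
        if "where" in definition:
            where_terms.append(definition["where"])
        masked.update(definition.get("mask", []))
        applied.append(rule["apply"])
    if not applied:
        return sql

    # Column restriction: a "SELECT *" is expanded so masked columns go through the UDF.
    select_list = ", ".join(f"mask_value({c}) AS {c}" if c in masked else c for c in col_list)
    # Row restriction: the policy predicates are ANDed onto the user's own WHERE clause,
    # so the user cannot widen the result set by supplying their own filter.
    predicates = ([f"({cond})"] if cond else []) + [f"({t})" for t in where_terms]
    new_sql = f"SELECT {select_list} FROM {table}"
    if predicates:
        new_sql += " WHERE " + " AND ".join(predicates)
    if tail:
        new_sql += " " + tail
    # The query rewrite report: input and output SQL for every applied definition.
    report.append({"user": user, "input": sql, "output": new_sql, "definitions": applied})
    return new_sql

def run_as(user, sql, report=None, attached=True):
    """Execute sql as `user` through the rewrite step and return the result rows."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("mask_value", 1, mask_value)
    conn.execute("CREATE TABLE Customer (ID INTEGER, NAME TEXT, BIRTHDATE TEXT, CUSTOMER_TYPE TEXT)")
    conn.executemany("INSERT INTO Customer VALUES (?, ?, ?, ?)", CUSTOMER_ROWS)
    released = rewrite(sql, "SQLITE", user, CUSTOMER_COLUMNS, [] if report is None else report, attached)
    return conn.execute(released).fetchall()

if __name__ == "__main__":
    report = []
    for user, sql in [("TSHIRAI", "SELECT * FROM Customer"),
                      ("ADMIN", "SELECT NAME, BIRTHDATE FROM Customer WHERE ID = 2 ORDER BY ID"),
                      ("JOE", "SELECT ID FROM Customer")]:
        print(user, run_as(user, sql, report))
    for entry in report:
        print(entry["definitions"], "|", entry["input"], "->", entry["output"])
```

Running it shows the three behaviours from the slides: TSHIRAI gets NAME and BIRTHDATE masked and never sees the government row, ADMIN's own "WHERE ID = 2" cannot reach the hidden row because the policy predicate is ANDed onto it, and a user with no column rule still has the row filter applied. The report list is the equivalent of the query rewrite report on slide 41: input and output SQL per applied definition. Note what the toy does not do: it trusts the caller to supply the session's user and database type, whereas in the real architecture the S-TAP holds the statement on the database host, which is the point of doing this without touching application logic.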
We don't have much time to spend on this, and we'll have a separate tech talk on this subject. But I wanted to make sure we give you a brief overview of the new appliance specs, and please do stick around for the survey question.
Slide 44
Upgrade/migration roadmap
Slide 45
Original v9.5 OS: RHEL 5.11. MySQL upgraded to v5.6.24. We're enforcing the 24 GB minimum.
Appliance technical specs
 Underlying appliance OS upgraded to RHEL v6.5 64-bit (v9.5 was RHEL 5.11)
 MySQL DB version upgraded to v5.6.24
 RAM: minimum 24 GB
 CPU/vCPU: minimum 4 cores
 HD: minimum 300 GB
– Upgraded system hard drive range: 300 GB to 2 TB
– Newly built system: 300 GB to well over 2 TB
Slide 46
Hard drive support is vastly extended for those of you who do new installations on
GPT (GUID Partition Tables) allocates 64 bits for logical block addresses, therefore allowing a maximum disk size of 2^64 blocks (about 9.4 ZB with 512-byte sectors).
Upgrade is a major procedure in V10 because of the new operating system and other reasons. Thus, there are some restrictions listed here.
Upgrade limitations
Upgrade procedure limitations
– V10 upgrade patch available only for 64-bit appliances at GPU level v9.0p200 or higher
– Upgrade procedure is not available for customers with customized partitions
– Upgrade procedure does not support resizing or realignment of the partitions
Restore from system backup stored in previous version
– V10 supports restoring a system backup file from any v9.x version.
Slide 47
This is a high-level roadmap. Basically it says what I said before in terms of when you HAVE to use rebuild/restore from backup vs. an upgrade path.
Upgrade roadmap
See the V10 Knowledge Center upgrade topic for more details.
For a limited time: customers on 64-bit 9.5 environments may be eligible for a controlled upgrade program for a limited number of appliances. Send a note to Carrie Rogers ([email protected]) to see if you are eligible.
Figure: transition path to the V10 appliance, by source appliance
– 64-bit v9.0p200 or later: upgrade patch (the only source level eligible for it)
– 32-bit v9.0p200 or later: rebuild/restore backup
– v9.0 - v9.0p100: rebuild/restore backup
– v8.2 or earlier: rebuild/restore backup
For those of you who are already on a 64-bit 9.5 environment, you may wish to get some added assistance from the lab to try the upgrade out on a limited number of
Slide 48
Important survey question
 If you are currently running 32-bit Guardium, would you be
interested in having IBM services contact you about a migration to
Version 10?
N/A (We have 64-bit Guardium)
N/A (I am an IBMer or BP)
Slide 49
Guardium supports the whole data protection journey
– Data protection: dynamic blocking, alerting, quarantine, encryption and integration with security intelligence
– Data discovery: perform vulnerability assessment, discovery and classification
– Data privacy: find and address PII, determine who is reading data, leverage masking
– Platform coverage: big data platforms, file systems or other platforms also require monitoring, blocking, reporting
– Database monitoring focused on changed data, automated reporting
Today we’ve talked about one slice of the
Guardium data protection suite and even
with that we could have talked for hours.
Guardium includes so much more to
support your data protection roadmap, no
matter where you are starting from, such as
those who have an immediate compliance
need through to those who grow to
comprehensive data protection that
includes full use of our analytics capabilities
and integration with IBM Security
intelligence capabilities.
Slide 50
 V10 Overview webcast (includes activity
monitoring for files)
 Overview Solution Brief
 DAM solution brief
 Announcement letter
 Detailed Release notes
 System requirements
 DeveloperWorks article – coming soon!
 UI demo on YouTube (more coming)
 High level Upgrade Roadmap
Activity Monitoring for Files resources:
 Activity Monitoring for Files Demo on
 Supported files for FAM
Slide 51
there are currently two Guardium certification
If you are looking into taking an IBM
professional product certification exam, you
may look into taking the 000-463 certification
Information, training, and community cheat sheet
 Guardium Tech Talks – at least one per month. Suggestions welcome!
 Guardium YouTube Channel – includes overviews, technical demos, tech talk
 developerWorks forum (very active)
 Guardium DAM User Group on LinkedIn (very active)
 Community on developerWorks (includes discussion forum, content and links to a myriad of sources, developerWorks articles, tech talk materials and
 Guardium on IBM Knowledge Center (was Info Center)
 Deployment Guide for InfoSphere Guardium Redbook
 Technical training courses (classroom and self-paced)
IBM Security Guardium Virtual User Group. Open, technical discussions with other users. Not recorded!
Send a note to [email protected] if interested.
Upon completion of the 000-463 certification, you will become an IBM Certified Guardium Specialist (http://www03.ibm.com/certify/certs/28000701.shtml). The certification requires deep knowledge of the IBM InfoSphere Guardium product; it is recommended that the individual have experience implementing the product before taking the exam. You can view the detailed topics here: http://www03.ibm.com/certify/tests/obj463.shtml
Details of each topic are covered in the product manuals. You will also find the Guardium Information Center a useful resource when you prepare for the exam: http://www01.ibm.com/support/knowledgecenter/SSMPH
Slide 52
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
© Copyright IBM Corporation 2015. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM’s sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.
Mandatory closing slide with copyright and legal disclaimers
Slide 53
Classifier enhancements
 Classifier has seen an upsurge of interest from the user community
 Improvements in user experience, performance, and management of false positives
One match per column
Classifier will record the first hit for any given column and
ignore it thereafter for subsequent rules.
Easy to set up exclusion groups
Slide 54
Database platform support highlights
NOT a complete list.
– DB2: UID chain captured through DB2_Exit
– DB2 for i: TLS encryption to collector and S-TAP-based load balancing
– Multi-stream load balancing. Quarantine for DB2 users. (Many more to be covered in a separate talk.)
– Hadoop: improved collection/parsing (targeted inspection engines). Blocking and redaction for Hive and Impala. (Will be covered in detail in a separate talk.)
– Informix: new exit (ifxguard) for Informix shared memory processing (replaces A-TAP). Supports firewall (blocking) and UID chaining. Informix 12.10xC5W1 and later.
– Oracle: added SSL for 12c. Added ASO for Windows 12c.
– Added support for 16
– Sybase IQ: added shared memory support via A-TAP
– Sybase ASE: added support for 15.10 including A-TAP for encrypted user names and traffic
In addition to the incorporation of classification into an overall workflow as described above, the following enhancements are also included:
Better control of false positives by using "excluded groups" for schema, table, and
Previously, it could be a complex process to set up Guardium to ignore false-positive results for future classification scans. Now, when you review classifier results, you can easily add false-positive results to an exclusion group as shown below, and add that group to the classification policy to ensure those results are ignored in future
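The two classifier behaviours described on slide 53 and above (one match per column, and exclusion groups for false positives), as an added example that is not part of the original deck and is not Guardium's classifier: a Python scan over constructed sample columns. The sample tables, the three rules (an SSN pattern, a Luhn-checked card-number rule, and a deliberately noisy "long number" rule) and the SCHEMA.TABLE.COLUMN naming of the exclusion group are all assumptions made for this example.

```python
import re

# Constructed sample data: "SCHEMA.TABLE" -> column -> sampled values. The ORDER_REF
# column is the deliberate false positive: it looks like an SSN but is an order number.
SAMPLE_DB = {
    "HR.EMPLOYEE": {
        "SSN": ["123-45-6789", "987-65-4321"],
        "PHONE": ["555-123-4567", "555-987-6543"],
        "NOTES": ["card 4539 1488 0343 6467 on file", "n/a"],
    },
    "SALES.ORDER_LOG": {
        "ORDER_REF": ["123-45-6789", "000-11-2222"],
        "CARD_NUMBER": ["4111111111111111", "5500000000000004"],
    },
}

def luhn_ok(digits):
    """Luhn checksum, used to keep random digit runs from being reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def has_card_number(value):
    """13 to 19 digits, optionally separated by spaces or dashes, passing Luhn."""
    for m in re.finditer(r"(?:\d[ -]?){12,18}\d", value):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False

def has_long_number(value):
    """Deliberately noisy rule: any run of 9 or more digits, separators allowed."""
    return any(len(re.sub(r"\D", "", g)) >= 9 for g in re.findall(r"[\d -]+", value))

# Classification rules in evaluation order (hypothetical; Guardium ships its own).
RULES = [
    ("SSN", lambda v: re.fullmatch(r"\d{3}-\d{2}-\d{4}", v) is not None),
    ("CREDIT_CARD", has_card_number),
    ("LONG_NUMBER", has_long_number),
]

def classify(db, rules=RULES, exclusions=frozenset(), one_match_per_column=True):
    """Run each rule over each column and return hits as (rule, qualified column, sample value).

    exclusions: qualified column names (SCHEMA.TABLE.COLUMN) taken from an exclusion group;
    one_match_per_column: record the first hit for a column and ignore it for later rules.
    """
    hits = []
    matched_columns = set()
    for table, columns in db.items():
        for column, values in columns.items():
            qualified = f"{table}.{column}"
            if qualified in exclusions:
                continue                      # excluded: never reported again
            for rule_name, predicate in rules:
                if one_match_per_column and qualified in matched_columns:
                    break                     # first hit recorded, later rules skip the column
                sample = next((v for v in values if predicate(v)), None)
                if sample is not None:
                    hits.append((rule_name, qualified, sample))
                    matched_columns.add(qualified)
    return hits

if __name__ == "__main__":
    first_pass = classify(SAMPLE_DB)
    for hit in first_pass:
        print("hit:", hit)
    # The reviewer marks the ORDER_REF hit as a false positive and adds it to an exclusion group.
    exclusion_group = {"SALES.ORDER_LOG.ORDER_REF"}
    print("after exclusion:", [h[1] for h in classify(SAMPLE_DB, exclusions=exclusion_group)])
    print("without one-match-per-column:", len(classify(SAMPLE_DB, one_match_per_column=False)), "hits")
```

The first pass reports five columns, one hit each; without the one-match-per-column behaviour the same data produces nine hits because the noisy LONG_NUMBER rule fires again on every column that an earlier, more specific rule already claimed. Adding the false positive to the exclusion group removes it from the next scan without touching the rules themselves, which is the workflow the slide describes.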
Current Informix interception via standard IEs on UNIX and A-TAP on Linux has a number of limitations (limit of 50 or fewer shm connections per poll thread, occasional blank DB_USER and SOURCE_PROGRAM). The new exit relieves
K-TAP and A-TAP interception have been improved to significantly reduce the blank issues and other traffic loss issues.
– Improved Informix A-TAP applicable only to Informix 11.50+
– Informix EXIT library developed in conjunction with the Informix team for the most reliable interception
  – similar to the DB2 exit
  – supports firewall and UID chain
  – applicable to Informix 12.10xC5W1 and above
Sybase ASE A-TAP supports IPs and ports
– Previously, IP and ports would not be populated in the decrypted session. ANALYZE_CLIENT_IP, unlike Oracle, would not get populated by the collector.
– When ports are configured during A-TAP configuration, real IPs and ports will be captured along with the decrypted traffic and sent to the collector for population in the tables.
– Classic Sybase ASE A-TAP without IPs and ports is still usable by not specifying the ports during configuration.
Oracle 12 SSL A-TAP (not just Linux)
– Version 9 supports Oracle 12 with A-TAP for ASO but not SSL.
– SSL requires instrumentation on all platforms (unlike previous Oracle versions, which only required instrumentation on AIX).
Slide 55
MongoDB as audit repository
 For use cases such as:
– Post-processing audit data
– Longer online retention requirements
 Audit data is written simultaneously to the Guardium repository and to JSON files on the collector
 Use grdapi to send the JSON data to a MongoDB database
Some organizations would like to write audit data outside the Guardium collector for reasons such as:
To "post-process" the audit information for fraud and other analytics
To store information in another data store that can scale larger than the current collector capacity, for longer online retention requirements.
In Version 10, it's possible to concurrently write audit data to both the collector database and JSON-formatted files that can be transferred to a MongoDB document database.
Important: Unlike the Guardium collector, the MongoDB database is not a hardened repository. Access to the audit data should be carefully restricted and monitored using
How it works
When properly configured, the parsed audit data is sent simultaneously to the Guardium collector repository and written in JSON format to a file in the following directory: /var/IBM/Guardium/data/auditlog
When a file is ready to be loaded into MongoDB, it is marked with the suffix .ready. Use the Guardium API command grdapi mongodb_load to send all ready files to MongoDB.
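The .ready-file hand-off and the "post-process the audit data" use case above, as an added example that is not part of the original deck and is not the grdapi mongodb_load implementation: a Python loader that picks up only files carrying the .ready suffix, hands their records to an insert callback standing in for the MongoDB insert, and then runs one post-processing query over the loaded records. The record fields, the .loaded rename after a successful load, and the off-hours privileged-read check are assumptions made for this example; the real Guardium JSON layout is not shown on the slides.

```python
import json
import os
import tempfile
from collections import Counter

# Constructed audit records in a hypothetical JSON shape; the actual Guardium JSON
# layout is not shown on the slides.
SAMPLE_RECORDS = [
    {"ts": "2015-09-17T02:14:00Z", "db_user": "DB2INST", "client_ip": "10.0.0.7", "verb": "SELECT", "object": "EMPLOYEE"},
    {"ts": "2015-09-17T09:30:00Z", "db_user": "APPUSER", "client_ip": "10.0.1.5", "verb": "SELECT", "object": "ORDERS"},
    {"ts": "2015-09-17T02:15:30Z", "db_user": "DB2INST", "client_ip": "10.0.0.7", "verb": "SELECT", "object": "CUSTOMER"},
    {"ts": "2015-09-17T11:02:00Z", "db_user": "TSHIRAI", "client_ip": "10.0.1.9", "verb": "UPDATE", "object": "CUSTOMER"},
]

PRIVILEGED_USERS = frozenset({"DB2INST", "ADMIN"})
SENSITIVE_OBJECTS = frozenset({"EMPLOYEE", "CUSTOMER"})

def write_sample_auditlog(directory):
    """Create one finished file (.ready suffix) and one still being written (no suffix)."""
    ready = os.path.join(directory, "audit_0001.json.ready")
    with open(ready, "w") as f:
        for rec in SAMPLE_RECORDS[:3]:
            f.write(json.dumps(rec) + "\n")
    pending = os.path.join(directory, "audit_0002.json")
    with open(pending, "w") as f:
        f.write(json.dumps(SAMPLE_RECORDS[3]) + "\n")

def load_ready_files(directory, insert_many):
    """Hand every *.ready file to insert_many (stand-in for the MongoDB insert) and mark it.

    The .loaded rename is an assumption of this example: it stops a file from being sent
    twice if the loader is re-run. Files without the .ready suffix are left alone.
    """
    loaded = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".ready"):
            continue
        path = os.path.join(directory, name)
        with open(path) as f:
            records = [json.loads(line) for line in f if line.strip()]
        insert_many(records)
        os.rename(path, path[: -len(".ready")] + ".loaded")
        loaded.append(name)
    return loaded

def privileged_offhours_reads(records, start_hour=7, end_hour=19):
    """Post-processing: reads of sensitive objects by privileged users outside business hours (UTC)."""
    counts = Counter()
    for r in records:
        hour = int(r["ts"][11:13])
        off_hours = not (start_hour <= hour < end_hour)
        if r["verb"] == "SELECT" and r["db_user"] in PRIVILEGED_USERS and r["object"] in SENSITIVE_OBJECTS and off_hours:
            counts[(r["db_user"], r["object"])] += 1
    return counts

def demo():
    """Write sample files to a temp dir, load the ready ones, and post-process the result."""
    collection = []                      # stands in for the MongoDB collection
    with tempfile.TemporaryDirectory() as d:
        write_sample_auditlog(d)
        loaded = load_ready_files(d, collection.extend)
        remaining = sorted(os.listdir(d))
    return loaded, remaining, collection, privileged_offhours_reads(collection)

if __name__ == "__main__":
    loaded, remaining, collection, flagged = demo()
    print("loaded:", loaded)
    print("directory afterwards:", remaining)
    print("records in collection:", len(collection))
    print("privileged off-hours reads:", dict(flagged))
```

Two practical points follow from the slide's warning that the MongoDB store is not a hardened repository: the JSON files in the auditlog directory and the MongoDB collection both hold the same sensitive audit content, so file permissions on the directory and access control on the MongoDB side need the same scrutiny as the collector itself, and a loader that renames or deletes files after a successful insert is what keeps a re-run from duplicating records.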
Slide 56
Job scheduling dependency management
 Helps ensure accurate data before running a job (e.g. groups populated from the classifier)
 Applies to all 'schedulable' jobs (audit processes, policy installations, group population from
 Scheduler will automatically find all the subordinate jobs and run them in order
– For example, group population for groups in the policy should run first
 There is a retry sequence in case of a failure (default is 3 tries)
 APIs to list job dependency tree, scheduled jobs, job dependencies….
Job Dependency Scheduler
The Guardium collector has many tasks such as policy installation, audit processes, group updates, etc. that are scheduled to run periodically. The job dependencies feature finds all jobs that have a direct relationship with, and impact on, the success of the task you are trying to schedule. Unless you find the jobs that are defined as prerequisites for the job you are trying to schedule, there is a chance the task will rely on inaccurate data, which might lead to false or inaccurate results.
Feature highlights
– User marks a scheduled job to find and run dependencies at run time.
– When the scheduler runs the job, it automatically finds all the subordinate jobs and runs them in order.
– There is a retry sequence in case of a failure.
Find dependencies
– Identify scenarios that require dependencies.
– Identify runnable vs. non-runnable jobs.
– Calculate pre-defined job dependencies.
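The dependency-ordered run with a retry sequence described on slide 56 and in the notes above, as an added example that is not part of the original deck and is not Guardium's scheduler: a Python dependency resolver that runs a job's prerequisites first, retries each failing job up to three times (the slide's default), and refuses to run the dependent job if a prerequisite never succeeds. The job names, the dependency graph and the flaky classifier runner are constructed for this example.

```python
class JobFailed(Exception):
    """Raised when a prerequisite (or the job itself) exhausts its retries."""

def dependency_order(job, depends_on):
    """Return `job` and all its prerequisites, each listed after everything it depends on.

    depends_on: job name -> list of job names that must complete first.
    A dependency cycle is reported instead of looping forever.
    """
    order, state = [], {}           # state: 1 = being visited, 2 = placed in order
    def visit(name):
        if state.get(name) == 2:
            return
        if state.get(name) == 1:
            raise ValueError(f"dependency cycle at {name}")
        state[name] = 1
        for dep in depends_on.get(name, []):
            visit(dep)
        state[name] = 2
        order.append(name)
    visit(job)
    return order

def run_with_dependencies(job, depends_on, runners, retries=3):
    """Run `job` after its prerequisites; each job gets up to `retries` attempts.

    runners: job name -> zero-argument callable that raises on failure.
    Returns the run log as (job, attempt, outcome) tuples; raises JobFailed if any job
    in the chain never succeeds, so the dependent job is not run on stale data.
    """
    log = []
    for name in dependency_order(job, depends_on):
        for attempt in range(1, retries + 1):
            try:
                runners[name]()
                log.append((name, attempt, "ok"))
                break
            except Exception as exc:          # any failure counts as a failed attempt
                log.append((name, attempt, f"failed: {exc}"))
        else:
            raise JobFailed(f"{name} failed after {retries} attempts; {job} not run")
    return log

# Constructed example mirroring the slide: the policy installation depends on the groups
# it references, and one of those groups is populated from a classifier run.
DEPENDS_ON = {
    "audit_process": ["install_policy"],
    "install_policy": ["populate_sensitive_objects_group", "populate_privileged_users_group"],
    "populate_sensitive_objects_group": ["run_classifier"],
}

def make_runners(classifier_failures=2):
    """Build runners where the classifier fails `classifier_failures` times before succeeding."""
    remaining = {"n": classifier_failures}
    def run_classifier():
        if remaining["n"] > 0:
            remaining["n"] -= 1
            raise RuntimeError("classifier scan timed out")
    noop = lambda: None
    return {
        "run_classifier": run_classifier,
        "populate_sensitive_objects_group": noop,
        "populate_privileged_users_group": noop,
        "install_policy": noop,
        "audit_process": noop,
    }

if __name__ == "__main__":
    print("order:", dependency_order("audit_process", DEPENDS_ON))
    for entry in run_with_dependencies("audit_process", DEPENDS_ON, make_runners()):
        print(entry)
    try:
        run_with_dependencies("audit_process", DEPENDS_ON, make_runners(classifier_failures=3))
    except JobFailed as exc:
        print("blocked:", exc)
```

With two transient classifier failures the chain completes on the third attempt and the audit process runs on freshly populated groups; with three failures the retries are exhausted and the policy installation and audit process are not run at all, which is the safer outcome than installing a policy whose groups are stale.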
Slide 57
SoftLayer as a backup store
Figure: Guardium systems performing backup and archive to an IBM SoftLayer Object Storage account.
Slide 58
Update notifications filtered based on the
relevancy to the specific customers
Supportability enhancements
 Banner notifications
– Low system memory (RAM)
– Quick Search memory + CPU cores minimum
– Certificate expiration (mysql, GUI, GIM, etc.)
– Central Management failure
– SSLv3 enabled
– No License
 Improved user-friendly license acceptance
process through UI
 Centralized supportability and troubleshooting
tools in Manage>Maintenance
 See tech talk “Best kept secrets of
Guardium supportability” for other items
you may not be aware of. Contact Kathy
Zeidenstein for replay links and slides.
Long-term storage is a critical consideration for satisfying audit requirements that may require storage of audit data for up to 7 years. The ability to archive and back up to the cloud gives you another option for off-premises storage.
In addition, backing up the configuration of Guardium appliances to the cloud is useful for maintaining a disaster recovery environment, so that if a local data center has a failure, you can restore the configuration of the appliance from the image stored in the cloud.
Guardium now supports SoftLayer Object Storage as a repository for both audit data and configurations, whether your Guardium system is in a local data center or in the cloud. SoftLayer Object Storage provides self-healing storage for massive amounts of data. There are object storage centers around the world, so you can avoid issues of moving sensitive data across country
Screenshots: banner notification; license acceptance status; troubleshooting tools.
Filtering based on the Guardium Appliance
major version (only v10 or later)
Filtering based on the GPU level of the
– AdHoc patches dependent on the same
GPU level
– Universal sniffer updates (no
– Security updates (no dependency)
– More recent GPU patches
Slide 59
Hadoop blocking (Hive/Impala) (S-GATE TERMINATE)
Policy: block privileged user access to customer data through Hive
Privileged user attempts to read customer data and is blocked
Access attempt is reported as a policy violation
Important: Because of the way Hive and Impala traffic is processed in Hadoop, you must do the following in the blocking policy rules:
• Specify the DBTYPE in the blocking (S-GATE ATTACH and S-GATE TERMINATE) policy rules; that is, either Impala or Hive.
• Ensure that ATTACH happens on a combination of user and object/command.
Slide 60
Hadoop Redaction (Hive / Impala)
Important: Specify Hive
or Impala in DBTYPE for
Redact rules
Masked Hive data in Hue/Beeswax
Masked Hive data command line
Slide 61
Query rewrite workflow
Create query definitions based on what you want to control
• Restrict columns
• Restrict rows
• Limit what users can do
• Restrict what users can access
• Completely replace part or all of a
Test the query rewrite definitions with real test queries.
(Note: you will likely need to use policies to fine-tune the behavior.)
Determine the conditions in which to rewrite the query
• specific users, client IPs, objects,
Validate runtime effect in a QA
Redaction is configured by using extrusion
rules in Guardium policies. Again, be sure
to specify Hive or Impala in the DBTYPE for
these rules. Here is an example of a Hive
query in which social security and credit
card numbers have been redacted.
Slide 62
Legal notices and disclaimers
Copyright © 2015 by International Business Machines Corporation (IBM). No part of this
document may be reproduced or transmitted in any form without written permission from
U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by
GSA ADP Schedule Contract with IBM.
Information in these presentations (including information relating to products that have
not yet been announced by IBM) has been reviewed for accuracy as of the date of initial
publication and could include unintentional technical or typographical errors. IBM shall
have no responsibility to update this information. THIS document is distributed "AS IS"
without any warranty, either express or implied. In no event shall IBM be liable for any
damage arising from the use of this information, including but not limited to, loss of data,
business interruption, loss of profit or loss of opportunity.
IBM products and services are warranted according to the terms and conditions of the
agreements under which they are provided.
Any statements regarding IBM’s future direction, intent or product plans are subject to
change or withdrawal without notice. Performance data contained herein was generally
obtained in a controlled, isolated environments. Customer examples are presented as
illustrations of how those customers have used IBM products and the results they may
have achieved. Actual performance, cost, savings or other results in other operating
environments may vary. References in this document to IBM products, programs, or
services does not imply that IBM intends to make such products, programs or services
available in all countries in which IBM operates or does business.
Workshops, sessions and associated materials may have been prepared by independent
session speakers, and do not necessarily reflect the views of IBM. All materials and
discussions are provided for informational purposes only, and are neither intended to,
nor shall constitute legal or other guidance or advice to any individual participant or their
specific situation.
It is the customer’s responsibility to insure its own compliance with legal requirements
and to obtain advice of competent legal counsel as to the identification and interpretation
of any relevant laws and regulatory requirements that may affect the customer’s business
and any actions the customer may need to take to comply with such laws. IBM does not
provide legal advice or represent or warrant that its services or products will ensure that
the customer is in compliance with any law.
Information concerning non-IBM products was obtained from the suppliers of those
products, their published announcements or other publicly available sources. IBM has
not tested those products in connection with this publication and cannot confirm the
accuracy of performance, compatibility or any other claims related to non-IBM products.
Questions on the capabilities of non-IBM products should be addressed to the suppliers
of those products. IBM does not warrant the quality of any third-party products, or the
ability of any such third-party products to interoperate with IBM’s products. IBM
The provision of the information contained herein is not intended to, and does not, grant
any right or license under any IBM patents, copyrights, trademarks or other intellectual
property right.
Other company, product, or service names may be trademarks or service marks of
others. A current list of IBM trademarks is available at “Copyright and
trademark information” www.ibm.com/legal/copytrade.shtml
Mandatory legal notices and disclaimers
slide for external presentations