DB2 Database Security and Privacy
advertisement
Integrated Data Management @db2Dean facebook.com/db2Dean www.db2Dean.com dcomphe@us.ibm.com Data Security & Privacy for iSeries ⦁Dean Compher ⦁Click to add text ⦁Big Data Portfolio Technical Sales Specialist © 2009 IBM Corporation Integrated Data Management Perimeter Defenses No Longer Sufficient “A fortress mentality will not work in cyber. We cannot retreat behind a Maginot Line of firewalls.” - William J. Lynn III, U.S. Deputy Defense Secretary Insiders (DBAs, developers, outsourcers, etc.) Outsourcing Stolen Credentials (Zeus, etc.) Web-Facing Apps Legacy App Integration/SOA Employee Self-Service, Partners & Suppliers 2 © 2009 IBM Corporation Integrated Data Management Addressing the Full Lifecycle of Database Security & Compliance © 2009 IBM Corporation Integrated Data Management Agenda • Data Security – Guardium Database Activity Monitoring • Alert on Access Policy Violations • Audit and Report Activity • Data Privacy – Otpim Test Data Management • Mask Data Copied to Test • Create Subsets • Automate Test Data Refresh • Improve Security with Better Testing © 2009 IBM Corporation Integrated Data Management Guardium Database Activity Monitoring © 2009 IBM Corporation Integrated Data Management Real-Time Database Monitoring with InfoSphere Guardium Host-based Probes (S-TAPs) • • • Collector Non-invasive architecture • Outside database • Minimal performance impact (13%) • No DBMS or application changes Cross-DBMS solution 100% visibility including local DBA access • • • – • Enforces separation of duties Does not rely on DBMS-resident logs that can easily be erased by attackers, rogue insiders Granular, real-time policies & auditing Who, what, when, how Automated compliance reporting, signoffs & escalations (SOX, PCI, NIST, etc.) © 2009 IBM Corporation Integrated Data Management Scalable Multi-Tier Architecture iSeries •Integration with LDAP, IAM, IBM Tivoli SIEM, IBM TSM, Remedy, … © 2009 IBM Corporation Integrated Data Management Extend real-time Data Activity Monitoring to also protect sensitive data in data warehouses, Big Data Environments and file shares DATA Big Data Environments NEW InfoSphere BigInsights Integration with LDAP, IAM, SIEM, TSM, Remedy, … © 2009 IBM Corporation Integrated Data Management Extended data security platform coverage • Providing complete and native data security solution for System I (DB2 6.1, 7.1) System i S-TAP for System i S-TAP for System i • Monitors privileged user activity in real time • Enables complete separation of duties • Helps satisfy auditor’s requirements and ensure compliance Protect sensitive data on your System i deployments, ensuring compliance to mandates like PCI easily and cost effectively © 2009 IBM Corporation Integrated Data Management 3 Types of Rules Exception (ie. Invalid table) 3 Result Set 2 1 SQL Query Database Database Server There are three types of rules: 1. An access rule applies to client requests 2. An extrusion rule evaluates data returned by the server 3. An exception rule evaluates exceptions returned by the server © 2009 IBM Corporation Integrated Data Management Fine-Grained Policies with Real-Time Alerts Application Server 10.10.9.244 Database Server 10.10.9.56 © 2009 IBM Corporation Integrated Data Management 2. Extrusion Definition to Alert on Unauthorized Results Set • Monitor 10.10.9.248 • SQL Server database • Not user Bill • Send Alert per match © 2009 IBM Corporation Integrated Data Management Monitoring Data Extrusion •Should my customer service rep view 99 records in an hour? •Is this normal? © 2009 IBM Corporation Integrated Data Management 3. Policy Exception Rule - Preventing Attacks Rogue users know what they’re looking for, but... They don’t always know where to find it! SQL injection leads to SQL errors! Brute force attacks result in failed logins! Guardium: 100% visibility with real-time alerts … © 2009 IBM Corporation Integrated Data Management Identifying Fraud via Application-Layer Monitoring •Joe •Marc • Issue: App server uses generic service account to access DB -- which doesn’t identify WHO initiated transaction (connection pooling) • Solution: Track access to application user associated with specific SQL commands • Deterministic identification vs. time-based “best guess” •AppUser • Out-of-the-box support for all major enterprise apps (Oracle EBS, PeopleSoft, SAP, Siebel, Business Objects, Cognos, etc.) • Plus custom apps (WebLogic, WebSphere, Oracle AS, etc.) •Application Server •Database Server • No changes to applications © 2009 IBM Corporation Integrated Data Management Workflow Automation • Schedule & automate tasks • Compliance reporting • Automatically generate reports • Distribute to oversight team • Track electronic sign-offs • Escalate when required • Store process trail in secure repository • Demonstrates oversight process for auditors © 2009 IBM Corporation Integrated Data Management Accelerators • Software modules harnessing Guardium's extensive capabilities to address the requirements of security mandates • Customizable mandate-specific reports, policies, tools and workflows • Greatly improve security and streamline audit preparation • Increased operational efficiency through automation of compliance • Simplified validation of broad ranges of requirements SarbanesOxley 23 Base II HIPAA GLBA PCI © 2009 IBM Corporation Integrated Data Management Protect data in real-time and ensure compliance in unstructured Hadoop big data environments Big data environments help organizations: Process, analyze and derive maximum value from these new data formats as well as traditional structured formats in real-time Make more informed decisions instantaneously and cost effectively •Turn 12 terabytes of Tweets into improved product sentiment analysis • Monitor 100’s of live video feeds from surveillance cameras to identify security threats Big data brings big security challenges As big data environments ingest more data, organizations will face significant risks and threats to the repositories in which the data is kept NEW Introducing Hadoop Activity Monitoring Monitor and Audit Hadoop activity in real-time to support compliance requirements and protect data • • • • Real time activity monitoring of HDFS, MapReduce, Hive and HBASE data sources Automated compliance controls Fully integrated with InfoSphere Guardium solution for database activity monitoring View Hadoop systems with other data sources © 2009 IBM Corporation Integrated Data Management Expand system openness and integration with Universal Feed Universal Feed opens InfoSphere Guardium system, enabling all capabilities to be applied to custom applications and niche data sources • Open InfoSphere Guardium protocol (agent to Collector) integration to clients and 3rd party companies Provides a means of supporting fragmented segments of the market: custom applications, niche databases, etc. Data auditing model; not a SIEM • Customer/partner responsible for developing interface to system to be integrated (e.g. S-TAP equivalent) Open industry standard protocol used to simplify development • Supports full capabilities, or subset of InfoSphere Guardium capabilities Monitoring and protection Real-time Secure audit trail, compliance workflow automation, etc. © 2009 IBM Corporation Integrated Data Management Universal Feed Overview Agent developer Universal Feed Agent Guardium Toolkit Guardium Appliance Sending Audit Data via Guardium messages -- - --- - - - - - - --- -- - - - Capturing Events Sending Information Receiving & processing Universal Feed Agent Agent developer for universal feed agent Partner Customer 3rd Party Responsible for capturing events with audit interest Responsible for sending the audit data using Guardium defined messages Responsible for receiving and processing Guardium messages (policies, pings, etc) -- - --- - - - - - - --- -- - - - Send Alert Guardium Collector Accepting connections from the Universal Feed Agent Processing and storing audit data Sending information to Universal Feed agent (policy, pings, etc) Alerting if Universal Feed Agent doesn’t send heart beat © 2009 IBM Corporation Integrated Data Management InfoSphere Optim Data Privacy & Test Data Management © 2009 IBM Corporation Integrated Data Management InfoSphere Optim: Intelligent Move of Structured Data Production Data Privacy for Test Data Production Archive or Development Test Data Extract Retrieved Source Data Reference Data Contextual Data Restore Current SQL access to Archived Data Universal Access to Archived Data Application ODBC / JDBC XML Report Writer IBM Mashup Intelligent Move of Structured Data is a process that captures contextual source data for the purpose of Archiving and Accessing historical data or Populating Test Databases with privatized data © 2009 IBM Corporation Integrated Data Management Supporting Enterprise Environments Discovery Test Data Management Data Privacy Data Growth Application Retirement Organization environments are diverse, yet interrelated therefore what you use to manage the data MUST support across your environment © 2009 IBM Corporation Integrated Data Management Our Unique Capability: The Complete Business Object Business view “reference snapshot” of business activity DBA view Referentially-intact subset of data Federated access to data and metadata Related LUW Files or Documents Oracle DB2 Sybase Adabas © 2009 IBM Corporation Information Management Integrated Data Management Example: JD Edwards Accounts Payable Archiving Ledger Tag F0911T Account Ledger Company Master Tax Area F4008 F0911 Tax table F0018 F0901 Account Balances Account Master F0006 AP Ledger AP Header F0411 F0413 F0101 F0005 UDC F0008 AP Details F0013 F0909 - Reference Only - Archive Only - Archive & Delete AAI’s F0025 LT Master F0414 Currency Codes F0014 31 F0010 Fiscal Date Pattern F0902 Chart of A/C AB Master F0012 Batch Control F0011 BU Master Payment Terms F0401 Supplier Master F0015 Currency Ex. Rate F00151 Currency Exchange Rate Header F11151 F0004 UDC Types F1113 Currency Restatement Rate Currency Ex. Rate Calculation 31 © 2009 IBM Corporation Integrated Data Management A Word About Relationships... Optim DIRECTORY Tables Relationships Access Definitions OPTIM Referential Integrity Rules DB Aliases Stored in Database - Catalog - System Tables - Data Dictionary Maps • DB Relationships are automatically derived from database RI rules • Application Specified Relationships • Can be defined individually to Optim • Can be imported into Optim from DDL • Can be automatically discovered by InfoSphere Discovery • Shared by all Optim components © 2009 IBM Corporation Integrated Data Management Automate Discovery and Accelerate Information Understanding • Significant Acceleration of Information Agenda projects • Application/Data Consolidation, Migration & Retirement • Data Growth Management • Master Data Management and Data Warehousing • Test Data Management • Sensitive Data De-identification • Why is this Different? • Data-based discovery • Automate discovery of business entities, cross-source business rules & transformation logic • Evaluate multiple data sources simultaneously • Identify & remediate cross-system rules and inconsistencies © 2009 IBM Corporation Integrated Data Management InfoSphere Optim Deep Dive: Test Data Management © 2009 IBM Corporation Integrated Data Management Drivers for Test Data Management Projects • Quality • • • • Bad data Unidentified test cases Test Automation approach (Rational Borland MI…) Verification of test results • Parallelism (Multiple Sandboxes) • Tunnel effect • Multi project testing • Storage • Reduce storage • Include into a cost control project • Data Privacy / Compliance © 2009 IBM Corporation Integrated Data Management How Does Test Data Management Impact Storage Cost? Before TDM With TDM Production 500GB 500GB Training 500GB 25GB Unit Test 500GB 25GB System Test 500GB 500GB UAT 500GB 25GB Integration 500GB 25GB 2.5TB 0.6TB Training Unit Test Production Integration System Test UAT Test Data © 2009 IBM Corporation Integrated Data Management InfoSphere Optim Test Data Management Solution Create/Modify Application Copy Production Data for Testing Correct Errors in Production Data Relational Extract Relational Edit Subset and Privatize Relational Edit Inspect and Add Data to Test Error Routines Archive Old Data Optim Archive TEST Go Production !!! Refresh Test Data Compare Before/After Data Relational Extract 37 Relational Compare © 2009 IBM Corporation Integrated Data Management The Relational Extract Facility NewDB CUST -- ---- ---- ---- ------- ---- Extract a relationally intact subset from production database(s) ORD Create -- ---- ---- ---- ------- ---- DETL -- ---- ---- ---- ------- ----- ---- ---- ---- ------- ---- CUSTOMERS CUSTOMERS -- ---- ---- ---- ------- ------- ------- ------- ------- ------------- -------- ---- ---- ---- ------- ---- INSERT/ UPDATE DETAILS DETAILS CUST -- ---- ---- ---- ------- ---- ORD ORDERS ORDERS -- -- ------ -- --------- ------- ---- ----------- ---- ----------------- ---------- ---- ----------- ---- ----------------- ---------- ---- ----------- ---- ----------------- -------- -- ------ -- --------- ---- TESTDB -- ---- ---- ---- ------- ---- Extract File -- ---- ---- ---- ------- ------- ------- ------- ------- ------------- ---------- ------- ------- ------- ----------------------- ------- ------- ------- ------------- -------- ---- ---- ---- ------- ---- DETL -- ---- ---- ---- ------- ----- ---- ---- ---- ------- ---- QADB Load Files CUST -- ---- ---- ---- ------- ---- ORD -- ---- ---- ---- ------- ---- LOAD • Extract data and/or object definitions • From multiple tables (files) that are related • From multiple tables (files) that are not related • From single tables (files) • All data or subset • Define a new set of test tables • Populate Target databases • Refresh Target databases DETL -- ---- ---- ---- ------- ----- ---- ---- ---- ------- ---- New_DB CUST -- ---- ---- ---- ------- ---- Create ORD -- ---- ---- ---- ------- ---- DETL -- ---- ---- ---- ------- ----- ---- ---- ---- ------- ---- Saves: Programmer/DBA time Disk space utilization Testing interference © 2009 IBM Corporation Integrated Data Management Traditional vs. Relational Tools Single Table Editors One table/view at a time No edit of related data from multiple tables FIND DETAILS NOTE INFO EXIT TABLE The Relational Editor Simultaneous browse/edit of related data from multiple tables CUSTOMERS FIND ORDERS NOTE INFO EXIT TABLE FIND CUSTOMER NOTE INFO EXIT TABLE ORDERS ........................ ........................ ........................ ........................ ........................ DETAILS Speeds time to create boundary test cases. Simplifies edit process. © 2009 IBM Corporation Integrated Data Management Optim’s Relational Compare Facility Optim COMPARE FILE SOURCE 1 ........................ ........................ ........................ ........................ ........................ Interactive Browse COMPARE PROCESS SOURCE 2 • Single-table or multi-table compare • Creates compare file and/or compare Report of results • For application testing, QA, and to verify database contents • Enhances productivity by finding unexpected changes in the data Optim Compare REPORT Verify Test Results Saves QA Validation time Improves Test Accuracy © 2009 IBM Corporation Integrated Data Management Architecture: Test Data Management/Data Privacy Server Name • Server address or name •DB Alias • Connectivity via DB Client software Work Directory • Server File System Storage Profile • Storage and retention policy QFED CUSTOMER -- ---- ---- ---- ------- ---- Windows EMPL -- ---- ---- ---- ------- ---- -- ---- ---- ---- ------- ----- ---- ---- ---- ------- ---- Test system 1 Optim Workstation HR -- ---- ---- ---- ------- ---- EMPL -- ---- ---- ---- ------- ---- Mask on insert -- ---- ---- ---- ------- ----- ---- ---- ---- ------- ---- Extract files Test system 2 Optim Server Oracle 9 DB2/i HP UX Windows, Unix, Linux, zOs FINANCE/BUDGET Load Files -- ---- ---- ---- ------- ---- EMPL -- ---- ---- ---- ------- ---- -- ---- ---- ---- ------- ----- ---- ---- ---- ------- ---- Application 2 FINANCE/BUDGET -- ---- ---- ---- ------- ---- Test System 3 EMPL -- ---- ---- ---- ------- ---- -- ---- ---- ---- ------- ----- ---- ---- ---- ------- ---- Sql Svr 2K ?? Windows ?? Optim Repository (OptimDir) Test System 4 © 2009 IBM Corporation Integrated Data Management Optim Data Privacy © 2009 IBM Corporation Integrated Data Management Optim™ Data Privacy Solution Test Production Siebel / DB2 Siebel / DB2 EBS / Oracle Custom / Sybase Contextual, Application- Aware, Persistent Data Masking Custom / Sybase EBS / Oracle • Substitute confidential information with fictionalized data • Deploy multiple masking algorithms • Provide consistency across environments and iterations • Enable off-shore testing • Protect private data in non-production environments © 2009 IBM Corporation Integrated Data Management Drivers for Privacy of non production data • Regulatory & Compliance • PCI • HIPPA • EU Safe Harbour • …. • Offshoring test • Sub subcontracting test & dev. • Good business practice • Sensitive data • Training environnements © 2009 IBM Corporation Integrated Data Management Data Privacy in Application Testing Only Users authorized to see Private data Extract a relationally intact subset from production database(s) INSERT/ UPDATE CUSTOMERS ----- ---- ---- ------- ---CUSTOMERS ---- ------- ------- ------- ------------- -------- ---- ---- ---- ------- ---- CUST -- ---- ---- ---- ------- ---- ORD ORDERS ORDERS -- -- ------ -- --------- ------- ---- ----------- ---- ----------------- ---------- ---- ----------- ---- ----------------- ---------- ---- ----------- ---- ----------------- -------- -- ------ -- --------- ---- TESTDB -- ---- ---- ---- ------- ---- Transform / mask sensitive data DETAILS DETAILS Extract File -- ---- ---- ---- ------- ------- ------- ------- ------- ------------- ---------- ------- ------- ------- ----------------------- ------- ------- ------- ------------- -------- ---- ---- ---- ------- ---- DETL -- ---- ---- ---- ------- ----- ---- ---- ---- ------- ---- QADB Load Files CUST -- ---- ---- ---- ------- ---- ORD -- ---- ---- ---- ------- ---- LOAD • Most Secure Approach DETL -- ---- ---- ---- ------- ----- ---- ---- ---- ------- ---- • Extract data only • Convert during extract •Extract file already contains masked data •Can be shared with testers to reuse © 2009 IBM Corporation Integrated Data Management M a s k i n g F u n c t i o n s Column Map Map unlike column names Social Security (US ……) Credit Card Transform/mask sensitive data Email Datatype conversions Hash Lookup Column-level semantic date aging Literals Lookup Random Lookup NAME tables (US) Registers ADDRESS table (US) Calculations Shuffle Default values Substring Exits String manipulation … … … Currency conversion © 2009 IBM Corporation Integrated Data Management Consistent Masking and Propagation across the Enterprise Client Billing Application DB2 SS#s SS#s 157342266 157342266 132009824 132009824 Data is masked SSN#s 134235489 323457245 SSN#s Masked fields are consistent 134235489 323457245 © 2009 IBM Corporation Integrated Data Management Thank You © 2009 IBM Corporation
