IBM InfoSphere Guardium eNewsletter: January 2012
Tuesday, January 31st, 2012 | Author: IBM




In this Issue:

  • A Holistic Approach to Data Security and Privacy, IBM
  • 7 Housekeeping Duties for Better Database Security in 2012, Dark Reading
  • Stay Ahead of Insider Threats with Predictive, Intelligent Security, IBM Security
  • Live Webcast – Database Security and Privacy: A Key Component to Passing Your Compliance Audit
  • Tech Tip of the Month: Identifying and Placing Controls on Sensitive Data
  • InfoSphere Guardium Training Courses
  • InfoSphere Guardium Bootcamp for Business Partners
  • Upcoming Events
  • Quick Links
  • Renew Your Subscription

A Holistic Approach to Data Security and Privacy
IBM, Kimberly Madia

Happy New Year! It’s hard to believe January 2012 is just about over. It’s already shaping up to be another interesting year in terms of data security and compliance. According to recent articles published in NetworkWorld, “the cost of achieving regulatory security compliance is on average $3.5 million each year” and “one out of every two IT security professionals spends 50% of the work week on regulatory compliance initiatives.” These articles name PCI DSS, HIPAA/HITECH, FISMA, and SOX among the most stressful regulations.

These regulatory mandates require a focus on data security and privacy. Ignoring the requirements proves disastrous both in terms of fines and failed audits and in terms of data breaches. Case in point: on January 4, 2012 Dark Reading reported on the Lilupophilupop attack in “Latest SQL Injection Campaign Infects 1 Million Webpages.” Recent weeks have also brought major breaches at high-profile organizations including Zappos, Facebook, Care2.com, and China’s programmer community CSDN. You might also be interested in Dark Reading’s thoughts on the 7 Coolest Hacks of 2011.

So how can InfoSphere Guardium help?  We are pleased to announce that IBM has been investing and expanding the InfoSphere Guardium data security portfolio to include new capabilities such as data encryption, static data masking and data redaction.  Organizations rely on data to support daily business operations, so it is essential to ensure privacy and protect data no matter where it resides— across online and offline environments, structured databases in production and non-production and in unstructured documents and forms.   Different types of data have different protection and privacy requirements; therefore, the expanded InfoSphere Guardium portfolio provides a holistic approach to protecting and securing information through:

  • Data Discovery and Classification: Organizations need to understand where data exists across the enterprise and how it’s related.  This will allow them to classify sensitive data properly so it gets proper treatment throughout its lifecycle.
  • Data Redaction: Sensitive data also resides in documents, forms and scanned images.  Protecting this unstructured data requires privacy policies to redact (remove) sensitive information while still allowing needed business data to be shared.  These unstructured documents could be attachments in the database.
  • Data Encryption: Encrypting databases is required by many regulatory mandates, and organizations need a single solution which scales to protect heterogeneous data types. Encryption is a natural complement to database activity monitoring: together they give organizations a defense-in-depth approach.
  • Static Data Masking: Much focus is given to production environments, but the security of non-production environments shouldn’t be overlooked. De-identifying sensitive data in non-production databases while keeping it usable for application development, testing, training and Q/A work not only facilitates business processes but also enforces the principle of least privilege: those without a valid business need to know will not have access to sensitive data.
  • Monitoring: Securing and continuously monitoring access to databases, warehouses and fileshares gives insight into the who, what, when and how of transactions to help organizations validate the integrity of data.
  • Vulnerability assessments: Harden databases to mitigate risks such as misconfigurations, missing patches or default settings and credentials.

All these offerings work together to help organizations demonstrate compliance and prove it to third-party auditors. IBM InfoSphere Guardium solutions for data security and privacy are designed to support a holistic approach, helping organizations protect against a complex threat landscape while remaining focused on their business goals. You can read more about the expanded portfolio in this whitepaper.

Read more on our data security and compliance website.

7 Housekeeping Duties For Better Database Security In 2012
Dark Reading, Ericka Chickowski

Segmenting, hardening, encrypting, insuring, and planning— a few good New Year’s resolutions for database administrators

As organizations gear up for a new year, now is the perfect time to look at processes and technologies and reassess how well they really are mitigating risks. On the database level, there are a number of foundational activities that many organizations are still failing to carry out effectively.
The following action list is compiled from some of the advice doled out by database security experts in 2011. Use it wisely to come up with a sane plan in 2012 and beyond.

Click here to read the full article.

Stay Ahead of Insider Threats with Predictive, Intelligent Security
IBM Security

Today, organizations are faced with protecting data and applications against external and internal threats across a complex security landscape.  Modern trends in enterprise computing, the rise of social media, the cloud, mobility and the era of big data are making insider threats harder to identify, and giving insiders more ways to pass protected information to outsiders with less chance of discovery.  Security intelligence can help combat insider threats amid the digital information explosion. IBM security solutions have the ability to help identify and protect against internal threats through a distinctive combination of robust foundational controls and intelligent reporting and management tools. Our solutions can help you protect valuable business assets, foster secure and efficient collaboration, and effectively integrate security into existing business processes.

Download the whitepaper.

Live Webcast – Database Security and Privacy: A Key Component to Passing Your Compliance Audit

Date: February 15, 2012
Time: 2:00 pm ET
Register here.

It seems as if every time we turn around these days, we are welcomed with new regulations and auditing requirements, but how can we be prepared before the auditor comes knocking?  At the same time, according to a January 31, 2011 NetworkWorld article, “the cost of achieving regulatory security compliance is on average $3.5 million each year”.

So, how does database security and privacy fit in?

Compliance starts with having the information that auditors require at your fingertips and ensuring a process is in place to make it repeatable. Many regulations, including HIPAA, PCI DSS, SOX, the EU Data Protection Directive and others, require organizations to protect data and produce regular reports. While protecting the integrity of data, standardized processes and automated controls can give the auditors what they need. For example, many regulations require you to document data access and database changes.

In this webcast, we will discuss how securing your databases and protecting your sensitive data can help you pass your compliance audits.  By continuously monitoring database activity, you will have the reports you need to validate compliance. The discussion will include:

  • Understanding where your data resides
  • Monitoring database activity
  • Assessing database vulnerabilities
  • Protecting data at rest and in motion
  • Protecting non-production data


Register for the Webcast.


Tech Tip of the Month – Identifying and Placing Controls on Sensitive Data

Question: As a large enterprise which has gone through several acquisitions, our database infrastructure is diverse and dynamic.  We aim to improve our security posture and reduce compliance costs by implementing and automating controls on sensitive data including customer records, payment card information and financial records with a solution like InfoSphere Guardium.  The location of some of this data, like the financials, is well known.  However other sensitive data exists in a variety of legacy systems, and some of that data may have been duplicated for purposes like creating test sets, local repositories for analysis and so forth.  Can InfoSphere Guardium help ensure we place controls on all our sensitive data?

Answer:
Yes, InfoSphere Guardium has a variety of features that can help you achieve your goal. InfoSphere Guardium is able to discover database instances that are not in your inventory. Once your instances are identified, you can use the Classification application to examine the contents of those instances to see if they contain sensitive data, and take appropriate action if they do. Classification policies are created using a simple GUI, and can be scheduled to run on a regular or ad hoc basis.
A classification policy can be built using four different search techniques, which are easily selected from a pull-down menu in the policy builder (see “Rule Type” in Figure 1):

  1. Search for data: This technique searches for a particular data value, or a particular pattern, using InfoSphere Guardium’s POSIX 1003.2 compliant regular expression builder. Templates for common expressions like credit cards, phone numbers and national identity numbers are provided. Luhn algorithm support is also provided. The Luhn algorithm, devised by IBM scientist Hans Peter Luhn, is the mod-10 check digit scheme used by payment card numbers and many other identification numbers; applying it to regular expression matches filters out digit strings that merely look like card numbers. Note that it is a checksum designed to catch transcription errors, not a security feature: any digit string with a valid check digit passes, so it reduces false positives rather than proving a match is a real card.
  2. Catalog search: This technique searches the database catalog for tables or column names matching specified patterns.
  3. Search by permissions:  This option searches the database catalog for tables based on permissions granted to users and/or roles.
  4. Search for unstructured data: This technique searches a non-database file for a particular value or pattern.

Suppose, for example, you want to build a simple test case to see if a newly discovered database in your banking network contains credit card information. You can build a simple regex to match the digit patterns used by the major payment card brands (16 digits for Visa and MasterCard, 15 for American Express; see Search Expressions in Figure 1). To invoke the Luhn algorithm as an additional check to validate matches, you would simply add “guardium://CREDIT_CARD” to the Rule Name (see Figure 1).



Figure 1:
InfoSphere Guardium provides a Classification Policy Builder for discovering sensitive data in databases, using four different search techniques. In this example a regular expression (Search Expression) is used to search tables for text containing the patterns corresponding to American Express card numbers. The Luhn algorithm is also invoked to provide an additional check on matches (Rule Name).

When a match is found, the rule can specify a wide variety of responsive actions. These include simple actions such as logging the match or sending an alert to an oversight team. More sophisticated actions include automatically adding the object to an existing group (e.g. PCI DSS objects) so the policies bound to that group are applied to the newly discovered object, or inserting a new access rule into an existing security policy definition when a classification match occurs.
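The two rule types the example above relies on, a search-for-data rule (brand regex plus a Luhn check) and a catalog search on column names, can be reproduced in a few dozen lines. The following is an added example written for this newsletter, not Guardium code and not its POSIX regex builder: it uses Python’s re module, brand patterns and a column-name pattern chosen for the illustration, and a constructed sample table (the card numbers are the well-known public test numbers, not real accounts). It also shows the caveat in the tip: an all-zero string passes Luhn, so the brand prefix and length rules are what keep it out of the hits, and a Luhn failure on a string that matches the Visa pattern is counted separately as a rejected match.

```python
import re
from collections import Counter

# Brand prefix/length rules for the major card brands (public facts; the
# rule names are this example's, not Guardium template names). Anchored so a
# 16-digit run embedded in a longer identifier is not reported as a card.
CARD_PATTERNS = {
    "VISA": re.compile(r"^4\d{15}$"),             # 16 digits, leading 4
    "MASTERCARD": re.compile(r"^5[1-5]\d{14}$"),  # 16 digits, leading 51-55
    "AMEX": re.compile(r"^3[47]\d{13}$"),         # 15 digits, leading 34 or 37
}

# Candidate digit runs in a cell: 15 or 16 digits, optionally separated by
# single spaces or dashes, as card numbers appear in free-text columns.
CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){14,15}\b")

# Catalog-search rule: column names that usually hold a PAN (hypothetical
# pattern chosen for this example).
CATALOG_NAME_PATTERN = re.compile(r"(card|pan|cc_?num)", re.IGNORECASE)

# Constructed sample table standing in for a newly discovered legacy database.
SAMPLE_COLUMNS = ["cust_id", "pan", "notes", "legacy_ref"]
SAMPLE_ROWS = [
    (1001, "4111111111111111", "VIP, call before 5pm",          "4111111111111112"),
    (1002, "378282246310005",  "paid with 5555 5555 5555 4444", "0000000000000000"),
    (1003, "5105105105105100", "phone 555-0100",                "1234567890123456"),
]


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right, subtract
    9 from any doubled value above 9, and require the sum to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify_value(value: str, require_luhn: bool = True):
    """Return the brand whose prefix/length pattern matches, or None.
    With require_luhn, a pattern hit that fails the checksum is also None."""
    digits = re.sub(r"[ -]", "", value)
    for brand, pattern in CARD_PATTERNS.items():
        if pattern.match(digits):
            if require_luhn and not luhn_valid(digits):
                return None
            return brand
    return None


def scan_table(columns, rows):
    """Apply both rule types to every column of one table: a catalog search on
    the column name, and a search-for-data over the values (brand regex first,
    then Luhn). Returns a per-column report."""
    report = {}
    for idx, name in enumerate(columns):
        hits = Counter()
        luhn_rejected = 0
        for row in rows:
            for match in CANDIDATE.finditer(str(row[idx])):
                digits = re.sub(r"[ -]", "", match.group(0))
                brand = classify_value(digits, require_luhn=False)
                if brand is None:
                    continue  # digit run without a known brand prefix/length
                if luhn_valid(digits):
                    hits[brand] += 1
                else:
                    luhn_rejected += 1  # looks like a card number, checksum fails
        report[name] = {
            "catalog_hit": bool(CATALOG_NAME_PATTERN.search(name)),
            "data_hits": dict(hits),
            "luhn_rejected": luhn_rejected,
        }
    return report


def columns_to_group(report):
    """Responsive action: the columns to add to a sensitive-object group so the
    access policies already bound to that group apply to them."""
    return sorted(col for col, r in report.items()
                  if r["catalog_hit"] or r["data_hits"])


if __name__ == "__main__":
    result = scan_table(SAMPLE_COLUMNS, SAMPLE_ROWS)
    for col, r in result.items():
        print(f"{col:12} catalog={r['catalog_hit']!s:5} "
              f"data={r['data_hits']} luhn_rejected={r['luhn_rejected']}")
    print("add to PCI group:", columns_to_group(result))
```

On the sample table the scan flags pan by both name and content, flags notes by content only (a card number typed into a free-text field, which a catalog search alone would miss), and leaves legacy_ref out of the group: its one Visa-looking value fails the checksum, and its other digit runs match no brand. In a real deployment the value scan should run against a sample of rows, not a full table scan, and the regex builder in the product is POSIX rather than Python syntax, so patterns are not copied across verbatim.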

InfoSphere Guardium Training Courses

Guardium’s training courses help you achieve results quickly and easily. For more information about training, to sign up for a training course, or to schedule a training session, go to: Guardium Training.

GU201: IBM InfoSphere Guardium Technical Training
This three day course offers a balanced mix of lectures, hands-on lab work, case studies, and testing. Students will learn how to create reports, audits, alerts, metrics, compliance oversight processes, and database access policies and controls. Students will also learn about system administration, archiving, purging, and back-ups.

InfoSphere Guardium Bootcamp for Business Partners

This technical workshop is for IBM business partners who are currently working with or are interested in working with IBM InfoSphere Guardium. It provides training on InfoSphere Guardium in a classroom setting. Detailed presentations and hands-on labs on Guardium 8 are included where attendees will gain in-depth knowledge on topics including:

  • InfoSphere Guardium product overview
  • Guardium installation concepts, planning, and configuration
  • Auditing database servers with the Guardium system
  • Monitoring for unusual traffic
  • S-GATE and S-TAP Terminate Functions
  • Vulnerability Assessments
  • Enhanced Enforcement Actions
  • And much more

Learn how IBM InfoSphere Guardium can add value to your security and data management solutions and extend your market opportunity. Business partners working in the consulting industry who are currently working with or plan to work with InfoSphere Guardium are also welcome to attend.

Schedule and registration information

Please Note: We will send an email confirmation to all registrants 1-2 weeks before the bootcamp begins.

Date                 Country         City        Registration Information
Feb 6 – 9, 2012      India           Bangalore   Register here
Feb 7 – 10, 2012     Russia          Moscow      Register here
Feb 12 – 15, 2012    Saudi Arabia    Riyadh      Register here
Feb 14 – 17, 2012    Singapore       Singapore   Register here
Feb 21 – 24, 2012    Australia       Sydney      Register here

For more information, go to: IBM InfoSphere Guardium Bootcamp

Upcoming Events

Please visit us at the following upcoming events:

Information Integration and Governance Forum
Toronto, ON – February 28, 2012; Four Seasons Toronto

New York, NY – March 1, 2012; New York Marriott East Side

Miami, FL – March 8, 2012; Hyatt Regency Miami


RSA Conference

San Francisco, CA – February 27 – March 2, 2012, Moscone Center

Join the IBM Security team at the upcoming RSA® Security conference, February 27 – March 2 at the Moscone Convention Center in San Francisco. Amidst the increasing frequency and growing onslaught of security attacks, data breaches and mobile threats, it’s critical to have access to the latest in security insights, solutions, products and a network of peers facing the same issues you do. See IBM Data Security and Compliance solutions in IBM booth 2233 and join our featured speakers in the following sessions:

Security Has Entered the Boardroom: Evolving the Role of the CISO
Session Track: Peer2Peer
Date/Time: 02/28/2012 @ 2:40 PM – 3:30 PM

How to Attack the Supply Chain (the Securing of)
Session Track: Policy & Government
Date/Time: 02/28/2012 @ 3:50 PM – 5:00 PM

Security Enters the Boardroom: How Does Security Articulate Business Value?
Session Track: Security Trends
Date/Time: 02/29/2012 @ 10:40 AM – 11:30 AM

How to Create a Software Security Practice
Session Track: Application Security
Date/Time: 03/01/2012 @ 10:40 AM – 11:30 AM

Register for a FREE expo pass using priority code: EC12IBM

Click here for more information and to register.

IBM Pulse
Las Vegas, NV – March 4 – 7, 2012, MGM Grand Hotel

Pulse 2012 is proud to announce that IBM Security will be a major focus of the conference this year. Join us at Pulse 2012 to hear compelling content and client best practices across all domains of information security including: security intelligence, data security, identity and access management, application security, vulnerability research,  and threat mitigation.

Featured presentations:

Data Security and Compliance Demo
Date/Time: Exhibit Hall Hours

Data Security and Privacy: A Holistic Approach (MCA-1753)
Date/Time: Monday, March 5 @ 2:00 PM – 2:20 PM

Securing Your Most Sensitive Enterprise Data While Lowering Compliance Costs (#1746)
Date/Time: Tuesday, March 6 @ 10:00 AM

Database Security & the Cloud: What the Experts Are Saying (#1383)
Date/Time: Tuesday, March 6 @ 2:00 PM

TKLM: Database Encryption
Date/Time: Wednesday, March 7 @ 2:00 PM

Click here for more information and to register.

Proof of Technology and Technical Demonstrations:

Optim Information Life Cycle Management
March 1 & 13, 2012; IL

IBM InfoSphere Guardium V8 Proof of Technology
March 14, 2012; MN

Email an IBM Representative (include in your email the session name, date and location you are interested in attending).

Guardium on Twitter

Follow Guardium on http://www.twitter.com/IBM_Guardium

Quick Links
IBM InfoSphere Guardium Home Page
Audit and Validate Compliance
Monitor Privileged Users
Monitor Enterprise Application Users for Fraud
Enforce Database Change Control
Prevent Database Leaks
Vulnerability Management
Mainframe Visibility
InfoSphere Guardium Library (Analyst Reports, White papers, Case Studies, Webcasts, etc.)
IBM InfoSphere Guardium 8 Data Sheet
IBM InfoSphere Guardium Encryption Expert: An Overview
IBM InfoSphere Guardium Encryption Expert: Secure and Protect your SAP Data
IBM InfoSphere Solutions for Data Security and Privacy, a whitepaper on Supporting HIPAA Compliance with Access to Sensitive Medical Information
IBM InfoSphere Solutions for Data Security and Privacy, a whitepaper on Protecting Payment Card Data to Help Ensure Compliance
Data Security and Privacy: A Holistic Approach
Market Overview: Database Security, 2011, Forrester Research
Look Beyond Native Database Auditing to Improve Security, Audit Visibility Compliance, and Real-time Protection, a white paper by Noel Yuhanna, Principal Analyst, Forrester Research
Ten Database Activities Enterprises Need to Monitor, a white paper by Jeffrey Wheatman, Research Director, Gartner
Databases at Risk, a white paper by Jon Oltsik, Principal Analyst, Enterprise Strategy Group