IBM InfoSphere Guardium Tech Talk: Guardium Implementation for DB2 on z
Transcript
IBM InfoSphere Guardium Tech Talk: Guardium Implementation for DB2 on z/OS
Ernie Mancill – Executive IT Specialist
Roy Panting – Guardium Technical Specialist
16 May 2013
Information Management – InfoSphere Guardium
© 2013 IBM Corporation

Logistics
This tech talk is being recorded. If you object, please hang up and leave the webcast now.
We'll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
You can listen to the tech talk using the audiocast and ask questions in the chat to the Q and A group. We'll try to answer questions in the chat or address them at the speaker's discretion.
  – If we cannot answer your question, please include your email so we can get back to you.
When the speaker pauses for questions:
  – We'll go through the existing questions in the chat
  – Raise your hand in the SmartCloud meeting room if you want to ask a question verbally and we'll call your name
  – You will need *6 to unmute your phone line if you are dialed in

Reminder: Upcoming Guardium Tech Talks
Title: Integrating QRadar and Guardium
Speakers: Luis Casco-Arias and Stephen Keim with Ty Weis
Date & Time: Wed, June 5, 2013, 11:30 AM EDT
Register here: http://bit.ly/Yf2TwY

Title: Planning a deployment
Speakers: Boaz Barkai and Yosef Rozenblit
Date & Time: Thursday, Jun 20, 2013, 11:30 AM EDT
Register here: http://bit.ly/ZWznwA

More information about these tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o
Special event: Webcast: Best Practices for Securing and Protecting MongoDB Data, hosted by 10gen, The MongoDB Company. Register at http://www.10gen.com/events/webinar/secureprotect-mongodb-data-partner

Polling Question
At what stage is your InfoSphere Guardium implementation for DB2 for z/OS?
1. We don't have this product yet; we are just learning
2. We have Version 8.2 and are planning our deployment / upgrade to Version 9
3. We are planning a new deployment with Version 9
4. We have Version 9 deployed
5. None of the above

Agenda
– How InfoSphere Guardium on System z provides value
– Planning an implementation
– Implementing Guardium on System z into a non-production system
– Rolling out Guardium on System z into production
– Getting started with monitoring
– Wrap up

Our clients say…
"Inconsistent data" – North American multi-line insurer: "Our new CEO became the most ardent supporter of Data Governance when he discovered that reports from different parts of the organization had inconsistent data."
"We have no control over the quality of data" – United States government agency: "Our team is responsible for the trustworthiness of data to the field analysts, but we have no control over the quality of data that flows into our Financials from SAP R/3 to BW."
"We need a policy and process to ensure we are protecting our data" – Healthcare insurer: "My team is responsible for sending data externally to many of our business partners and other entities. The number of these requests has grown significantly over the years and they are becoming increasingly involved and complicated. We need a policy and process to handle these requests to ensure we comply with all privacy/security regulations. We also need appropriate executive-level review and approval to ensure that each request for sharing our data externally is the right thing for us to do from a business perspective."
"We keep everything forever" – A large chemical manufacturer fails to destroy content and records in accordance with its corporate retention policy and is now burdened with the high cost of managing storage and eDiscovery, with no visibility into what to destroy and when. "During eDiscovery, we spent over $12 million dollars reviewing documents that were already past their retention dates and should have been disposed of … and this was on just 4 cases … at any point in time we have over 100 cases pending. We need a systematic way to manage this growth."
CFO Survey: Current state & future direction, IBM Business Consulting Services: the top challenge for 43% of CFOs is improving governance, controls, and risk management.

Information Governance creates order out of information chaos
Information Governance is the exercise of decision rights to optimize, secure and leverage data as an enterprise asset.
– Orchestrate people, process and technology toward a common goal
  – Promotes collaboration
  – Derives maximum value from information
– Leverage data as an enterprise asset to drive opportunities
  – Safeguards information
  – Ensures the highest quality
  – Manages it throughout its lifecycle
Governing the creation, management and usage of enterprise data is not an option any longer. It is:
– Expected by your customers
– Demanded by the executives
– Enforced by regulators/auditors

Threats to database and legacy data
– Privileged user access to data from outside of the DBMS
  – Access to DB2 linear VSAM datasets
– Privileged user access to DBMS data via SQL/DL/I
  – Abuse of privilege without a business need to know
– External threats
  – SQL injection (hacking)
– Movement of data outside of the DBMS
  – Unloads
  – Clones
  – Test data
  – Replication

Defense in depth of DBMS data
Level 1: Encryption – access to clear-text data must be in the form of a DBMS statement
Level 2: Database activity monitoring – ensures each DBMS statement is inspected, audited, and subject to security policy control
Level 3: Audit access to VSAM linear datasets
Level 4: Implement business need-to-know control for critical data, to reduce abuse of privileged access
Level 5: Protect the use of unloads and extracts

But… System z is already secure… why do we need more?
– Separation of duties
  – Privileged users: "need to know" vs abuse or mistake
  – Trace-based auditing is controlled by privileged users
  – SAF plays a vital role in the protection of data on z/OS, but it is neither tamper-resistant nor actionable
– Achieving audit readiness is labor-intensive and introduces latency
  – RACF lacks sufficient granularity for reporting
  – DB2 Audit Trace significantly improved in V10, but still requires externalization to SMF and a customer-provided reporting infrastructure
– Real-time event collection
  – Batch processing of audit data from external sources prevents real-time alerts

Capabilities for a layered "defense in depth"
[Diagram] Two layers of concern: the infrastructure layer (network, availability, performance), owned by IT, DBAs, application administrators and network administrators; and the mainframe security and compliance layer, owned by the CISO, where "it's all about the DATA". Guardium products on the data layer: Guardium VA (Vulnerability Assessment) – meta-data (configuration); Guardium DAM (InfoSphere Guardium for DB2 on z/OS, IMS and VSAM) – dynamic data (in motion); Guardium Encryption (InfoSphere Guardium Encryption Tool) – static data (at rest). Dimensions shown around the data: compliance, security, discovery, classification, privacy, integrity.

InfoSphere Guardium value proposition
Continuously monitor access to sensitive data in databases, data warehouses, Hadoop big data environments and file shares to:
1. Prevent data breaches – mitigate external and internal threats
2. Ensure the integrity of sensitive data – prevent unauthorized changes to data, data infrastructure, configuration files and logs
3. Reduce the cost of compliance – automate and centralize controls; simplify audit review processes

InfoSphere Guardium value proposition (cont.)
4. Do it all in an efficient, scalable, and cost-effective way
Increase operational efficiency
– Automate & centralize internal controls
– Across heterogeneous & distributed environments
– Identify and help resolve performance issues & application errors
– Highly scalable platform, proven in the most demanding data center environments worldwide
No degradation of infrastructure or business processes
– Non-invasive architecture
– No changes required to applications or databases

IBM InfoSphere Guardium provides real-time data activity monitoring for security & compliance – DB2 for z/OS high-level architecture
[Diagram] SQL requests reach DB2 data on z/OS; the InfoSphere Guardium S-TAP for DB2 on z/OS forwards the observed activity to the InfoSphere Guardium Collector (a hardened repository), which serves the web-based UI, alerts and reports.
– Continuous, policy-based, real-time monitoring of all data traffic activities, including actions by privileged users
– Database infrastructure scanning for missing patches, mis-configured privileges and other vulnerabilities
– Data protection compliance automation

Guardium integrates with IT infrastructure for seamless operations
– SIEM (IBM QRadar, ArcSight, RSA enVision, etc.) – send alerts (CEF, CSV, Syslog, etc.)
– SNMP dashboards (Tivoli Netcool, HP OpenView, etc.) – send events
– Directory services (Active Directory, LDAP, TDS, etc.)
– Authentication (RSA SecurID, RADIUS, Kerberos, LDAP)
– Change ticketing systems (Tivoli Request Mgr, Remedy, Peregrine, etc.)
– Vulnerability standards (CVE, STIG, CIS Benchmark)
– Data classification and leak protection (credit card, Social Security, phone, custom, etc.)
– Security management platforms (IBM QRadar, McAfee ePO)
– Long-term storage (IBM TSM, IBM Netezza, EMC Centera, FTP, SCP, etc.)
– Software deployment (IBM Tivoli Provisioning Manager, RPM, native distributions)
– Application servers via S-TAP (IBM WebSphere, IBM Cognos, Oracle EBS, SAP, Siebel, PeopleSoft, etc.)

Polling Question
What is the primary reason you are considering a monitoring solution?
1. Meeting regulatory compliance including PCI DSS, SOX, HIPAA, etc.
2. Monitoring privileged user activity
3. Monitoring data stored in sensitive tables
4. We have not defined a primary reason yet
5. N/A

A sidebar discussion – performance and product evolution
– 2006: AME – local repository on z/OS; performance overhead 20%+
– 2009: S-TAP 8.1 Phase 1 – FTP-based exchange; performance overhead 9–15%
– 2011: S-TAP 8.1 Phase 2 – real-time streaming; performance overhead ~5–7%
– 2012: S-TAP 9 – revamped architecture; performance overhead 2–4%
Note: Performance metrics are workload dependent; the IBM IRWW workload was used. Any performance data contained in this document were determined in various controlled laboratory environments and are for reference purposes only. Customers should not adapt these performance numbers to their own environments as system performance standards. The results that may be obtained in other operating environments may vary significantly.

The benefits of shared collection
Utilizing Shared Collector technology, the Monitoring and Auditing products work together.
– Common processes are used to minimize overhead.
– Coordinated use of algorithms, memory, and gathered information reduces the impact on the statement being observed.
– This results in lower CPU consumption and better elapsed time.
– Shared Collector code is also more reliable and stability is improved.
[Diagram] SQL statement execution with shared collection incurs one combined overhead (P+A); with non-shared collection the monitoring (P) and audit (A) collection paths each add their own overhead.

Advantages of Query Common Collector
Minimum resources / minimum overhead / maximum usability / maximum reliability and serviceability
[Diagram] The DB2A subsystem feeds a single Capture Task in the Query Common Collector (OQCR) support services address space. Query Collector Managers route the captured data to the Monitor Task (DB2 Query Monitor, over a TCP/IP stream) and to the Audit Task (Guardium collector and web server, over the z/OS TCP/IP stream).

Planning that first implementation
Start with the basics
– Identify a non-production DB2 environment
– Determine how many DB2 systems to audit
– Identify the support people (systems programmer, security administrator, auditor)
– Obtain management approval
– Establish agreement on the implementation schedule
Establish the Guardium details
– Determine what type of collector will be used (VM or hardware)
– Identify what features are needed (redundant collectors, zIIP availability, integration with distributed Guardium systems, etc.)
– Identify the TCP/IP addresses
– Coordinate the Guardium training and professional services
– Size the environment for a collector, aggregator and central manager
– Determine what groups will be used to simplify the Guardium implementation
Identify success criteria
– What needs to be audited (very important!)?
– What reports are required and desired?
– Is integration with another product, like a SIEM product, required?
– Is a performance test required?
– Are Vulnerability Assessments and Entitlement Reports required?

Sample implementation timeline
1. Perform parallel activities – 2 days
   – Obtain S-TAP software and maintenance from Shop z
   – Obtain collector software and maintenance from Passport Advantage
   – Coordinate implementation activities
2. Install S-TAP and collector software – 1 day
3. Begin collecting basic auditing – 2 days
4. Refine auditing and create custom reports – 8 days
5. Integrate InfoSphere Guardium with other products – 5 days
Total deployment of first implementation = 18 days (your mileage may vary)

Guardium for DB2 on z/OS architecture
[Diagram] On z/OS, the audited DB2 subsystem is observed by the InfoSphere Guardium S-TAP, made up of an Agent, a Filter Manager, an SQL Collector (SQL data) and an IFI Collector (IFI data). Filtered data flows to the Collector on the Guardium appliance, which holds the persisted policy and pushes it down to the S-TAP. From a workstation the administrator defines the audit policy and views reports.

DB2 collection policy definition
– Identifies what activity is to be sent to the Guardium collector for auditing
– Uses groups to simplify administration
– Key component in performance. For example:
  – Granular control over connection type
  – Connection type provides efficient filtering

Conducting that first implementation
Install the Guardium collector / aggregator / central manager
– Install the software and maintenance
– Configure the installation
– Power up the collector
Install the Guardium S-TAP
– Install the S-TAP and maintenance on all DB2 systems to be audited
– Configure the installation and start the S-TAP
Validate auditing
– Create a simple audit collection policy
– Use reports to validate that DB2 activity is being stored in the repository
Refine the auditing
– Filter unneeded audit data using policy
– Create custom reports, Vulnerability Assessment, integration, etc.

Conducting that first implementation (cont.)
Meet all functional requirements
– Develop detailed custom reports
– Modify the collection profile for efficiency, alerts, exceptions, etc.
– Develop an archive strategy
– Implement report workflow
Conduct performance testing
– Build a repeatable performance test
– Run the test
– Review the results and make modifications until the results are satisfactory
Plan for ongoing maintenance
– Recommendation: use the same maintenance philosophy that you use for DB2 (e.g. LPAR or group level)
Plan for the next stages
– Obtain approvals to migrate the software to production
– Schedule migration to the next stage
– Coordinate the migration plan

Rolling Guardium into production
Building the production Guardium solution
– Size Guardium for the number of S-TAPs, collectors, aggregators, etc.
– Size the number of collectors based on estimated audit data volume and include failover contingency
  • And plan for the unexpected!
– Integrate Guardium into your disaster recovery strategy
Post-production deployment
– Monitor the collector usage closely for the first few weeks
– Validate that reports are meeting business requirements
– Adjust collector sizing as appropriate
– Adjust the collection policy as appropriate
– Deploy the archive strategy

Getting started with database monitoring
Produce the audit reports
– Identify the contents of the report
– See if there is a pre-built report that meets your requirements
– Use the Guardium GUI to build a custom report
Monitor the system for "expected" results – make sure things are reasonable and expected
Apply changes based on experience

Building the Guardium reports from the collected data
– Guardium has over 100 pre-built reports, including accelerators for PCI, HIPAA, SOX
– Query builder for reports (entities and attributes)
– Copy and modify existing reports, or build your own using the rich custom report builder
– Use runtime parameters for rapid subsetting of the data:
  – Changing the date ranges
  – Changing the DBMS subsystem names
  – Changing the user ID(s) that submitted the requests
  – Many more options

Sample DB2 for z/OS Audit Report
[Screenshot callouts]
– Can mask values to avoid sensitive data leakage
– Reports can be automated and run on a schedule
– Reports can be routed to reviewers and approvers
– SQL with bind values
– SQL with redacted values
– Network vs local traffic

Automating reviews and signoffs – Example
[Workflow] Business Owner (PCI role) → Information Security (InfoSec role) → Guardium Admin (Admin role). The reviewer can add comments, which are saved in the audit trail.

Keys to a successful implementation
The more you plan, the fewer surprises you will have
– Know the difference between monitoring and auditing
– Log only what the business needs
– Get the broader team involved as necessary (network, DBA, infosec)
Take advantage of IBM Professional Services
– Quickly and efficiently deploy Guardium while minimizing disruption to ongoing projects
– Create deployment plans and an architecture that can expand and scale
– Deploy basic monitoring and provide step-by-step guidance for advanced monitoring if required
– Educate your team at every step to accelerate self-sufficiency

Bottom line
SAF (IBM RACF and CA products) plays a vital role in the protection of resources on z/OS, but you also need audit event collection and reporting that is tamper-resistant, real-time, and actionable.
InfoSphere Guardium on z/OS provides
– Real-time, actionable activity monitoring and alerting
– Tamper-resistant audit repository
– Clear separation of roles and responsibilities
– Granular insights into activity
– Automation, process consistency, and unique security insights
Bottom line… you need both RACF and Guardium for a robust security environment on z/OS

Resources
– Data sheet: InfoSphere Guardium for z/OS – http://public.dhe.ibm.com/common/ssi/ecm/en/imd14429usen/IMD14429USEN.PDF
– Replay of webcast: InfoSphere Guardium 9.0 – Delivering Big Data Protection for System z and beyond – http://www01.ibm.com/software/os/systemz/webcast/18dec/ (register to access the replay)
– Short YouTube demo of InfoSphere Guardium monitoring on DB2 for z/OS – http://www.youtube.com/watch?v=UeYYvSJiTuM&feature=plcp
– InfoSphere Guardium S-TAP for DB2 on z/OS User's Guide (PDF) – http://publib.boulder.ibm.com/infocenter/igsec/v1/topic/com.ibm.db2tools.adhz.doc.ug/adhugb90.pdf
– InfoSphere Guardium S-TAP for VSAM on z/OS User's Guide (PDF) – http://publib.boulder.ibm.com/infocenter/igsec/v1/topic/com.ibm.imstools.auv.doc.ug/auvugh90.pdf

Information, training, and community
– InfoSphere Guardium YouTube Channel – includes overviews and technical demos
– InfoSphere Guardium newsletter
– developerWorks forum (very active)
– Guardium DAM User Group on LinkedIn (very active)
– World of DB2 for z/OS – Security, compliance and audit subgroup
– Community on developerWorks (includes content and links to a myriad of sources, articles, etc.)
– Guardium Info Center (installation, System z S-TAPs and some how-tos, more to come)
– Technical training courses (classroom and self-paced)
– New! InfoSphere Guardium Virtual User Group: open, technical discussions with other users. Send a note to [email protected] if interested.
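Two slides earlier in the deck describe the path an audited statement takes: the DB2 collection policy (groups to simplify administration, connection type as the cheap first filter) decides what the S-TAP sends to the collector, and the sample audit report shows SQL with bind values beside SQL with redacted values. The Python below is an added illustration written for this page, not InfoSphere Guardium code and not its policy syntax: the event field names (conn_type, auth_id, sql), the group names, the rules and the sample statements are all constructed assumptions. It applies the connection-type check from the event header before any SQL is inspected, then the group checks, and replaces literals with ? so the stored statement keeps the shape of the access but not the data values.

```python
"""Toy DB2 audit event pipeline: collection policy with groups, then literal
redaction. Added example for this page, not InfoSphere Guardium code; field
names, group names, rules and sample events are all constructed assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CollectionPolicy:
    """Policy expressed as groups, as the slides recommend (group names assumed)."""
    monitored_conn_types: frozenset   # checked first: header field, no SQL parsing
    privileged_users: frozenset       # DB2 authorization IDs to always audit
    sensitive_tables: frozenset       # qualified table names to always audit


POLICY = CollectionPolicy(
    monitored_conn_types=frozenset({"DRDA", "TSO", "BATCH"}),
    privileged_users=frozenset({"SYSADM1", "DBA02"}),
    sensitive_tables=frozenset({"PAYROLL.SALARY", "HR.EMPLOYEE"}),
)

# Constructed events in the shape an S-TAP might forward (field names assumed).
SAMPLE_EVENTS = [
    {"conn_type": "DRDA", "auth_id": "APPUSR1",
     "sql": "SELECT AMT FROM PAYROLL.SALARY WHERE EMPNO = 10045"},
    {"conn_type": "DRDA", "auth_id": "APPUSR1",
     "sql": "SELECT * FROM SALES.ORDERS WHERE REGION = 'EMEA'"},
    {"conn_type": "TSO", "auth_id": "DBA02",
     "sql": "UPDATE HR.EMPLOYEE SET SSN = '123-45-6789' WHERE EMPNO = 10045"},
    {"conn_type": "UTILITY", "auth_id": "DBA02",
     "sql": "SELECT COUNT(*) FROM PAYROLL.SALARY"},
    {"conn_type": "BATCH", "auth_id": "BATCHJ1",
     "sql": "INSERT INTO PAYROLL.SALARY (EMPNO, AMT) VALUES (20011, 75000.50)"},
]

_STRING_LIT = re.compile(r"'(?:[^']|'')*'")             # '' inside a literal is an escaped quote
_NUMBER_LIT = re.compile(r"(?<![\w.])\d+(?:\.\d+)?\b")   # digits not attached to an identifier
_TABLE_REF = re.compile(
    r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)?)", re.IGNORECASE)


def redact_literals(sql: str) -> str:
    """Replace string and numeric literals with '?' so the stored statement
    shows which tables and columns were touched, not the values."""
    sql = _STRING_LIT.sub("'?'", sql)   # strings first, so digits inside them vanish too
    return _NUMBER_LIT.sub("?", sql)


def referenced_tables(sql: str) -> set:
    """Table names following FROM/JOIN/INTO/UPDATE (a deliberately simple parser)."""
    return {name.upper() for name in _TABLE_REF.findall(sql)}


def apply_policy(events, policy: CollectionPolicy):
    """Return (records to forward to the collector, counters per stage)."""
    stats = {"received": 0, "dropped_conn_type": 0, "dropped_no_match": 0, "forwarded": 0}
    forwarded = []
    for ev in events:
        stats["received"] += 1
        # Stage 1: connection type comes from the event header, so this filter
        # costs nothing per statement; this is why the slides call it efficient.
        if ev["conn_type"] not in policy.monitored_conn_types:
            stats["dropped_conn_type"] += 1
            continue
        # Stage 2: redact before parsing, so a literal cannot spoof a table reference.
        redacted = redact_literals(ev["sql"])
        reasons = []
        if ev["auth_id"] in policy.privileged_users:
            reasons.append("privileged user")
        hits = referenced_tables(redacted) & policy.sensitive_tables
        if hits:
            reasons.append("sensitive table: " + ",".join(sorted(hits)))
        if not reasons:
            stats["dropped_no_match"] += 1
            continue
        stats["forwarded"] += 1
        forwarded.append({"conn_type": ev["conn_type"], "auth_id": ev["auth_id"],
                          "sql": redacted, "reason": "; ".join(reasons)})
    return forwarded, stats


if __name__ == "__main__":
    records, counters = apply_policy(SAMPLE_EVENTS, POLICY)
    for rec in records:
        print(f"{rec['conn_type']:<6} {rec['auth_id']:<8} {rec['sql']}  [{rec['reason']}]")
    print(counters)
```

Of the five constructed events, the UTILITY connection is dropped before its SQL is looked at, the SALES.ORDERS query is dropped because neither the user nor the table is in a group, and the three remaining statements are forwarded with their literals replaced; the reason string is what a reviewer would want beside each row in the report.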
Thank you