IBM InfoSphere Guardium Tech Talk: Guardium Implementation for DB2 on z

Ernie Mancill – Executive IT Specialist
Roy Panting – Guardium Technical Specialist
16 May 2013
Information Management
© 2013 IBM Corporation
Information Management – InfoSphere Guardium
Logistics
• This tech talk is being recorded. If you object, please hang up and leave the webcast now.
• We’ll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
• You can listen to the tech talk using the audiocast and ask questions in the chat to the Q and A group.
• We’ll try to answer questions in the chat or address them at the speaker’s discretion.
  – If we cannot answer your question, please include your email so we can get back to you.
• When the speaker pauses for questions:
  – We’ll go through existing questions in the chat
  – Raise your hand in the SmartCloud meeting room if you want to ask a question verbally and we’ll call your name
  – You will need *6 to unmute your phone line if you are dialed in
Reminder: Upcoming Guardium Tech Talks
• Integrating QRadar and Guardium. Speakers: Luis Casco-Arias and Stephen Keim with Ty Weis. Date & Time: Wed, June 5, 2013, 11:30 AM EDT. Register here: http://bit.ly/Yf2TwY
• Planning a deployment. Speakers: Boaz Barkai and Yosef Rozenblit. Date & Time: Thursday, Jun 20, 2013, 11:30 AM EDT. Register here: http://bit.ly/ZWznwA
• More information about these tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o
• Special event: Webcast: Best Practices for Securing and Protecting MongoDB Data, hosted by 10gen, The MongoDB Company. Register at http://www.10gen.com/events/webinar/secureprotect-mongodb-data-partner
Polling Question
At what stage is your InfoSphere Guardium implementation for DB2 for
z/OS?
1. We don't have this product yet; we are just learning
2. We have Version 8.2 and are planning our deployment / upgrade to
Version 9
3. We are planning a new deployment with Version 9
4. We have Version 9 deployed
5. None of the above
Agenda
How InfoSphere Guardium on System z provides value
Planning an implementation
Implementing Guardium on System z into a non-production system
Rolling out Guardium on System z into production
Getting started with monitoring
Wrap up
Our clients say…
“Inconsistent data”
North American Multi-Line Insurer: “Our new CEO became the most ardent supporter of Data Governance when he discovered that reports from different parts of the organization had inconsistent data.”
“We have no control over the quality of data”
United States Government Agency: “Our team is responsible for the trustworthiness of data to the field analysts but we have no control over the quality of data that flows into our Financials from SAP R/3 to BW.”
“We need a policy and process to ensure we are protecting our data”
Healthcare Insurer: “My team is responsible for sending data externally to many of our business partners and other entities. The number of these requests has grown significantly over the years and they are becoming increasingly involved and complicated. We need a policy and process to handle these requests to ensure we comply with all privacy/security regulations. We also need appropriate executive-level review and approval to ensure that each request for sharing our data externally is the right thing for us to do from a business perspective.”
“We keep everything forever”
A large chemical manufacturer fails to destroy content and records in accordance with their corporate retention policy and is now burdened with the high cost of managing storage and eDiscovery with no visibility into what to destroy and when. “During eDiscovery, we spent over $12 million dollars reviewing documents that were already past their retention dates and should have been disposed of … and this was on just 4 cases … at any point in time we have over 100 cases pending.”
“We need a systematic way to manage this growth.”
CFO Survey: Current state & future direction, IBM Business Consulting Services. The top challenge for 43% of CFOs is improving governance, controls, and risk management.
Information Governance creates order out of information chaos
Information Governance is the exercise of decision rights to optimize, secure and leverage data as an enterprise asset.
• Orchestrate people, process and technology toward a common goal
  – Promotes collaboration
  – Derives maximum value from information
• Leverage data as an enterprise asset to drive opportunities
  – Safeguards information
  – Ensures the highest quality
  – Manages it throughout its lifecycle
Governing the creation, management and usage of enterprise data is not an option any longer. It is: expected by your customers, demanded by the executives, enforced by regulators/auditors.
Threats to database and legacy data
• Privileged user access to data from outside of the DBMS
  – Direct access to the DB2 linear VSAM datasets that hold the data, which bypasses DB2 authorization entirely
• Privileged user access to DBMS data via SQL or DL/I
  – Abuse of privilege without a business need to know
• External threats
  – SQL injection (hacking)
• Movement of data outside of the DBMS
  – Unloads
  – Clones
  – Test data
  – Replication
Defense in depth of DBMS data
Level 1: Encryption. Data at rest is encrypted, so access to clear-text data must be in the form of a DBMS statement
Level 2: Database Activity Monitoring. Ensures each DBMS statement is inspected, audited, and subject to security policy control
Level 3: Audit access to the VSAM linear datasets
Level 4: Implement business need-to-know control for critical data, reducing abuse of privileged access
Level 5: Protect the use of unloads and extracts
But…System z is already secure…why do we need more?
• Separation of duties
  – Privileged users: “need to know” vs. abuse or mistake
  – Trace-based auditing is controlled by the same privileged users it is meant to audit
  – SAF plays a vital role in the protection of data on z/OS, but its audit data is not tamper-resistant or actionable on its own
• Achieving audit readiness is labor-intensive and introduces latency
  – RACF lacks sufficient granularity for reporting
  – The DB2 Audit Trace was significantly improved in V10, but still requires externalization to SMF and a customer-provided reporting infrastructure
• Real-time event collection
  – Batch processing of audit data from external sources prevents real-time alerts
Capabilities for a layered “defense in depth”
[Figure: the infrastructure-focused layers (Network, Infrastructure, Availability, Performance, Mainframe Security) are owned by IT, DBA, application and network administrators; the Security and Compliance layer is owned by the CISO, and “It’s all about the DATA”. Three Guardium capabilities are paired with three kinds of data: Guardium VA (Vulnerability Assessment) with meta-data (configuration); Guardium DAM (InfoSphere Guardium for DB2 on z/OS, IMS and VSAM) with dynamic data (in motion); Guardium Encryption (InfoSphere Guardium Encryption Tool) with static data (at rest). Cross-cutting concerns: Compliance, Security, Discovery, Classification, Privacy, Integrity.]
InfoSphere Guardium value proposition
Continuously monitor access to sensitive data in databases, data warehouses, Hadoop big data environments and file shares to:
1. Prevent data breaches
   – Mitigate external and internal threats
2. Ensure the integrity of sensitive data
   – Prevent unauthorized changes to data, data infrastructure, configuration files and logs
3. Reduce the cost of compliance
   – Automate and centralize controls
   – Simplify audit review processes
InfoSphere Guardium value proposition (cont.)
4. Do it all in an efficient, scalable, and cost-effective way
   Increase operational efficiency
   ✓ Automate & centralize internal controls
   ✓ Across heterogeneous & distributed environments
   ✓ Identify and help resolve performance issues & application errors
   ✓ Highly-scalable platform, proven in the most demanding data center environments worldwide
   No degradation of infrastructure or business processes
   ✓ Non-invasive architecture
   ✓ No changes required to applications or databases
IBM InfoSphere Guardium provides real-time data activity monitoring for security & compliance – DB2 for z/OS high level architecture
[Figure: SQL requests arrive at DB2 on z/OS; the InfoSphere Guardium S-TAP for DB2 on z/OS captures the activity and streams it to the InfoSphere Guardium Collector (a hardened repository); alerts and reports are consumed through a web-based UI.]
✓ Continuous, policy-based, real-time monitoring of all data traffic activities, including actions by privileged users
✓ Database infrastructure scanning for missing patches, mis-configured privileges and other vulnerabilities
✓ Data protection compliance automation
Guardium integrates with IT Infrastructure for seamless operations
[Figure: integration points around the Guardium collector]
• SIEM (IBM QRadar, ArcSight, RSA enVision, etc.): send alerts (CEF, CSV, Syslog, etc.)
• SNMP dashboards (Tivoli Netcool, HP OpenView, etc.): send events
• Directory services (Active Directory, LDAP, TDS, etc.) and authentication (RSA SecurID, RADIUS, Kerberos, LDAP)
• Change ticketing systems (Tivoli Request Mgr, Remedy, Peregrine, etc.)
• Vulnerability standards (CVE, STIG, CIS Benchmark)
• Data classification and leak protection (credit card, Social Security, phone, custom, etc.)
• Security management platforms (IBM QRadar, McAfee ePO)
• Long-term storage (IBM TSM, IBM Netezza, EMC Centera, FTP, SCP, etc.)
• Software deployment of the S-TAP (IBM Tivoli Provisioning Manager, RPM, native distributions)
• Application servers (IBM WebSphere, IBM Cognos, Oracle EBS, SAP, Siebel, PeopleSoft, etc.)
Polling Question
What is the primary reason you are considering a monitoring solution?
1. Meeting regulatory compliance including PCI DSS, SOX, HIPAA, etc.
2. Monitoring privileged user activity
3. Monitoring data stored in sensitive tables
4. We have not defined a primary reason yet
5. N/A
A sidebar discussion – Performance and product evolution
• 2006: AME, local repository on z/OS, performance overhead 20+%
• 2009: S-TAP 8.1 Phase 1, FTP-based exchange, performance overhead 9–15%
• 2011: S-TAP 8.1 Phase 2, real-time streaming, performance overhead ~5–7%
• 2012: S-TAP 9, revamped architecture, performance overhead 2–4%
Note: Performance metrics are workload dependent; the IBM IRWW workload was used. Any performance data contained in this document were determined in various controlled laboratory environments and are for reference purposes only. Customers should not adapt these performance numbers to their own environments as system performance standards. The results that may be obtained in other operating environments may vary significantly.
The benefits of shared collection
• Utilizing Shared Collector technology, the Monitoring and Auditing products work together.
  – Common processes are used to minimize overhead.
  – Coordinated use of algorithms, memory, and gathered information reduces the impact on the statement being observed.
  – This results in lower CPU consumption and better elapsed time.
  – Shared Collector code is also more reliable and stability is improved.
[Figure: with shared collection, a single collection pass (P+A) during SQL statement execution serves both the performance monitor (P) and the auditor (A); with non-shared collection, P and A each collect separately.]
Advantages of Query Common Collector
Minimum resources / minimum overhead / maximum usability / maximum reliability and serviceability
[Figure: on z/OS, a Capture Task collects from the DB2A subsystem through the Query Common Collector (OQCR). Query Collector Manager instances in the Support Services Address Space serve an Audit Task, which streams over TCP/IP to the Guardium Collector, and a Monitor Task, which streams over TCP/IP to the DB2 Query Monitor web server.]
Agenda: Planning an implementation
Planning that first implementation
• Start with the basics
  – Identify a non-production DB2 environment
  – Determine how many DB2 systems to audit
  – Identify the support people (systems programmer, security administrator, auditor)
  – Obtain management approval
  – Establish agreement on the implementation schedule
• Establish the Guardium details
  – Determine what type of collector will be used (VM or hardware)
  – Identify what features are needed (redundant collectors, zIIP availability, integration with distributed Guardium systems, etc.)
  – Identify the TCP/IP addresses
  – Coordinate the Guardium training and professional services
  – Size the environment for a collector, aggregator and central manager
  – Determine what groups will be used to simplify the Guardium implementation
• Identify success criteria
  – What needs to be audited (very important!)?
  – What reports are required and desired?
  – Is integration with another product, like a SIEM product, required?
  – Is a performance test required?
  – Are Vulnerability Assessments and Entitlement Reports required?
Sample implementation timeline
1. Perform parallel activities – 2 days
   – Obtain S-TAP software and maintenance from Shop z
   – Obtain collector software and maintenance from Passport Advantage
   – Coordinate implementation activities
2. Install S-TAP and collector software – 1 day
3. Begin collecting basic auditing – 2 days
4. Refine auditing and create custom reports – 8 days
5. Integrate InfoSphere Guardium with other products – 5 days
Total deployment of first implementation = 18 days (your mileage may vary)
Guardium for DB2 on z/OS architecture
[Figure: on z/OS, the InfoSphere Guardium S-TAP collector agent sits beside the audited DB2 subsystem. Its Filter Manager drives two collectors, an SQL collector (SQL data) and an IFI collector (IFI data), each filtering what it captures before the data leaves z/OS. The audit policy is defined from a workstation on the Guardium appliance, persisted there, and pushed down to the S-TAP; reports are viewed on the appliance.]
DB2 collection policy definition
• Identifies what activity is to be sent to the Guardium collector for auditing
• Uses groups (of users, objects, subsystems, etc.) to simplify administration
• Is the key component in performance: whatever the policy does not filter out on z/OS is captured, shipped and stored. For example:
  – Granular control over connection type
  – Connection type provides efficient filtering, since it is known for the whole connection rather than having to be derived per statement
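To make the push-down idea concrete, here is an added example written for this page; it is not Guardium’s policy language or code. It models a collection policy as an ordered list of rules over named groups and applies it to a handful of constructed DB2 events, counting what would actually be shipped. The event fields, group names, rule shape and first-match semantics are all assumptions made for the example.

```python
"""Added example (not Guardium code): a minimal model of a DB2 collection
policy pushed down to z/OS, deciding per captured event whether it is sent
to the collector at all.

Assumptions for illustration: the event fields, the group names, the rule
shape and the "first matching rule wins" semantics.
"""
from dataclasses import dataclass

# Constructed groups, in the spirit of the Guardium groups the slide mentions.
GROUPS = {
    "AUDITED_SUBSYSTEMS": {"DB2A", "DB2P"},
    "PRIVILEGED_USERS": {"SYSADM1", "DBA01"},
    "SENSITIVE_OBJECTS": {"PAYROLL.SALARY", "CUST.CARD"},
}


@dataclass(frozen=True)
class Event:
    """One captured DB2 statement (constructed sample shape)."""
    subsystem: str
    conn_type: str      # DB2 connection type, e.g. TSO, BATCH, CICS, DRDA, UTILITY
    auth_id: str
    objects: tuple      # qualified table names the statement touched
    sql: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "collect" or "skip"
    conn_types: frozenset = frozenset()  # empty means any connection type
    auth_group: str = ""                 # group name, or "" for any user
    object_group: str = ""               # group name, or "" for any object

    def matches(self, ev: Event) -> bool:
        # Connection type is fixed for the whole connection, so it is the
        # cheapest test and is evaluated before any per-statement attribute.
        if self.conn_types and ev.conn_type not in self.conn_types:
            return False
        if self.auth_group and ev.auth_id not in GROUPS[self.auth_group]:
            return False
        if self.object_group and not set(ev.objects) & GROUPS[self.object_group]:
            return False
        return True


# Rule order matters: the utility skip comes first, so a privileged user's
# LOAD of a sensitive table is deliberately not audited by this policy.
POLICY = [
    Rule("skip-utilities", "skip", conn_types=frozenset({"UTILITY"})),
    Rule("privileged-any", "collect", auth_group="PRIVILEGED_USERS"),
    Rule("sensitive-remote", "collect",
         conn_types=frozenset({"DRDA", "TSO", "BATCH"}),
         object_group="SENSITIVE_OBJECTS"),
]


def apply_policy(events, policy=POLICY):
    """Return (sent, stats): the events the S-TAP would ship, tagged with the
    rule that selected them, plus counters useful for sizing the collector."""
    sent = []
    stats = {"seen": 0, "not_audited": 0, "sent": 0}
    for ev in events:
        stats["seen"] += 1
        if ev.subsystem not in GROUPS["AUDITED_SUBSYSTEMS"]:
            stats["not_audited"] += 1
            continue
        for rule in policy:
            if rule.matches(ev):
                if rule.action == "collect":
                    sent.append((rule.name, ev))
                    stats["sent"] += 1
                break  # first match wins; no match at all means the event is dropped
    return sent, stats


# Constructed sample traffic.
SAMPLE_EVENTS = [
    Event("DB2A", "DRDA", "APPUSR1", ("CUST.ORDER",), "SELECT ... FROM CUST.ORDER"),
    Event("DB2A", "DRDA", "APPUSR1", ("CUST.CARD",), "SELECT PAN FROM CUST.CARD WHERE CUST_ID = 4417"),
    Event("DB2A", "UTILITY", "DBA01", ("PAYROLL.SALARY",), "LOAD ... INTO TABLE PAYROLL.SALARY"),
    Event("DB2A", "TSO", "SYSADM1", ("PAYROLL.SALARY",), "UPDATE PAYROLL.SALARY SET AMOUNT = AMOUNT * 1.05"),
    Event("DB2T", "TSO", "SYSADM1", ("PAYROLL.SALARY",), "DELETE FROM PAYROLL.SALARY"),
    Event("DB2A", "CICS", "CICSUSR", ("CUST.CARD",), "SELECT PAN FROM CUST.CARD WHERE CUST_ID = 9001"),
]


def run_demo():
    """Apply POLICY to SAMPLE_EVENTS; returns (selected rule names, stats)."""
    sent, stats = apply_policy(SAMPLE_EVENTS)
    return [name for name, _ in sent], stats


if __name__ == "__main__":
    names, stats = run_demo()
    print(names, stats)
```

Of the six constructed events only two are shipped: the remote read of CUST.CARD and the SYSADM1 update. The CICS read of the same card table is dropped because the policy excludes that connection type, and the DBA’s utility LOAD is dropped by the skip rule that precedes the privileged-user rule, which is exactly the kind of ordering decision to review against the “what needs to be audited” success criterion. The counters are what you would watch when sizing collectors.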
Agenda: Implementing Guardium on System z into a non-production system
Conducting that first implementation
• Install the Guardium collector / aggregator / central manager
  – Install the software and maintenance
  – Configure the installation
  – Power up the collector
• Install the Guardium S-TAP
  – Install the S-TAP and maintenance on all DB2 systems to be audited
  – Configure the installation and start the S-TAP
• Validate auditing
  – Create a simple audit collection policy
  – Use reports to validate that DB2 activity is being stored in the repository
• Refine the auditing
  – Filter unneeded audit data using policy
  – Create custom reports, Vulnerability Assessment, integration, etc.
Conducting that first implementation (cont.)
• Meet all functional requirements
  – Develop detailed custom reports
  – Modify the collection profile for efficiency, alerts, exceptions, etc.
  – Develop an archive strategy
  – Implement report workflow
• Conduct performance testing
  – Build a repeatable performance test
  – Run the test
  – Review the results and make modifications until the results are satisfactory
• Plan for ongoing maintenance
  – Recommendation: use the same maintenance philosophy that you use for DB2 (e.g. LPAR or group level)
• Plan for the next stages
  – Obtain approvals to migrate software to production
  – Schedule migration to the next stage
  – Coordinate the migration plan
Agenda: Rolling out Guardium on System z into production
Rolling Guardium into production
• Building the production Guardium solution
  – Size Guardium for the number of S-TAPs, collectors, aggregators, etc.
  – Size the number of collectors based on estimated audit data volume and include failover contingency
    • And plan for the unexpected!
  – Integrate Guardium into your disaster recovery strategy
• Post production deployment
  – Monitor the collector usage closely for the first few weeks
  – Validate that reports are meeting business requirements
  – Adjust collector sizing as appropriate
  – Adjust collection policy as appropriate
  – Deploy the archive strategy
Agenda: Getting started with monitoring
Getting started with database monitoring
• Produce the audit reports
  – Identify the contents of the report
  – See if there is a pre-built report that meets your requirements
  – Use the Guardium GUI to build a custom report
• Monitor the system for "expected" results: make sure things are reasonable and expected
• Apply changes based on experience
Building the Guardium reports from the collected data
• Guardium has over 100 pre-built reports including accelerators for PCI, HIPAA, SOX
• Copy and modify existing reports or build your own using the rich custom report builder
• Use runtime parameters for rapid subsetting of the data:
  – Changing the date ranges
  – Changing the DBMS subsystem names
  – Changing the user ID(s) that submitted the requests
  – Many more options
[Figure: the query builder for reports, showing the entities and attributes available.]
Sample DB2 for z/OS Audit Report
• Can mask values to avoid sensitive data leakage
• Reports can be automated and run on a schedule
• Reports can be routed to reviewers and approvers
[Figure: sample report showing the same SQL with bind values and with redacted values, and network vs. local traffic.]
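As an added example, not Guardium code, the following masks literal values in captured SQL the way the redacted column of the report does, so a reviewer without need-to-know sees statement structure but not card numbers or names, and tags each row as network or local by DB2 connection type. The tokenizer (string, hex and numeric literals), the row layout and the rule that DRDA means network are assumptions made for this example.

```python
"""Added example (not Guardium code): masking literal values in captured SQL
for an audit report, plus a network/local tag per row.

Assumptions: the literal tokenizer below is a simplification written for this
example; the row shape and the "DRDA = network, anything else = local"
classification are illustrative, not the product's.
"""
import re

# Alternatives are tried left to right at each position: hex and string
# literals first, so digits inside quotes are never treated as numbers;
# '' inside a string is an escaped quote. The number alternative refuses to
# start or end inside an identifier, so T1 and C1 stay untouched.
LITERAL = re.compile(
    r"[Xx]'[0-9A-Fa-f]*'"                                   # hex literal X'..'
    r"|'(?:[^']|'')*'"                                       # string literal
    r"|(?<![A-Za-z_0-9.])[+-]?\d+(?:\.\d+)?(?![A-Za-z_0-9])"  # numeric literal
)


def redact_sql(sql: str):
    """Replace every literal with a parameter marker; return (masked_sql, count)."""
    count = 0

    def marker(_match):
        nonlocal count
        count += 1
        return "?"

    return LITERAL.sub(marker, sql), count


def traffic_kind(conn_type: str) -> str:
    """DRDA connections are remote (network) clients; every other DB2
    connection type is a local z/OS address space (assumption for this example)."""
    return "network" if conn_type == "DRDA" else "local"


def build_report_rows(captured, mask=True):
    """Render captured statements as report rows. With mask=True the SQL is
    shown with redacted values; with mask=False it is shown with bind values."""
    rows = []
    for auth_id, conn_type, sql in captured:
        shown, n = redact_sql(sql) if mask else (sql, 0)
        rows.append({
            "auth_id": auth_id,
            "conn_type": conn_type,
            "traffic": traffic_kind(conn_type),
            "sql": shown,
            "values_masked": n,
        })
    return rows


# Constructed sample capture: (auth id, DB2 connection type, SQL with bind values).
SAMPLE_CAPTURE = [
    ("APPUSR1", "DRDA", "SELECT PAN, EXPIRY FROM CUST.CARD WHERE CUST_ID = 4417 AND NAME = 'O''BRIEN'"),
    ("SYSADM1", "TSO", "UPDATE PAYROLL.SALARY SET AMOUNT = AMOUNT * 1.05 WHERE EMP_ID IN (1001, 1002)"),
    ("BATCH01", "BATCH", "SELECT * FROM T1 WHERE C1 = X'DEADBEEF'"),
]

if __name__ == "__main__":
    for row in build_report_rows(SAMPLE_CAPTURE):
        print(row)
```

Running it on the constructed capture turns `CUST_ID = 4417 AND NAME = 'O''BRIEN'` into `CUST_ID = ? AND NAME = ?` while leaving the table and column names, and therefore the question of who touched which sensitive object, fully visible; the unmasked form is still available to the roles that are entitled to it by calling with `mask=False`.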
Automating reviews and signoffs – Example
[Figure: a workflow in which the report passes from the Business Owner (PCI role) to Information Security (InfoSec role) to the Guardium Admin (Admin role). Reviewers can add comments, which are saved in the audit trail.]
Agenda: Wrap up
Keys to a successful implementation
• The more you plan, the fewer surprises you will have
  – Know the difference between monitoring and auditing
  – Log only what the business needs
  – Get the broader team involved as necessary (network, DBA, infosec)
• Take advantage of IBM Professional Services
  – Quickly and efficiently deploy Guardium while minimizing disruption to ongoing projects
  – Create deployment plans and architecture that can expand and scale
  – Deploy basic monitoring and provide step by step guidance for advanced monitoring if required
  – Educate your team at every step to accelerate self-sufficiency
Bottom line
• SAF (IBM RACF and CA products) plays a vital role in the protection of resources on z/OS, but you also need audit event collection/reporting which is tamper-resistant, real-time, and actionable.
• InfoSphere Guardium on z/OS provides
  – Real-time, actionable activity monitoring and alerting
  – A tamper-resistant audit repository
  – Clear separation of roles and responsibilities
  – Granular insights into activity
  – Automation, process consistency, and unique security insights
• Bottom line: you need both RACF and Guardium for a robust security environment on z/OS
Resources
• Data Sheet: InfoSphere Guardium for z/OS
  http://public.dhe.ibm.com/common/ssi/ecm/en/imd14429usen/IMD14429USEN.PDF
• Replay of webcast: InfoSphere Guardium 9.0 – Delivering Big Data Protection for System z and beyond.
  http://www01.ibm.com/software/os/systemz/webcast/18dec/ (register to access the replay)
• Short YouTube demo of InfoSphere Guardium monitoring on DB2 for z/OS:
  http://www.youtube.com/watch?v=UeYYvSJiTuM&feature=plcp
• InfoSphere Guardium S-TAP for DB2 on z/OS User’s Guide (PDF):
  http://publib.boulder.ibm.com/infocenter/igsec/v1/topic/com.ibm.db2tools.adhz.doc.ug/adhugb90.pdf
• InfoSphere Guardium S-TAP for VSAM on z/OS User’s Guide (PDF):
  http://publib.boulder.ibm.com/infocenter/igsec/v1/topic/com.ibm.imstools.auv.doc.ug/auvugh90.pdf
Information, training, and community
• InfoSphere Guardium YouTube Channel (includes overviews and technical demos)
• InfoSphere Guardium newsletter
• developerWorks forum (very active)
• Guardium DAM User Group on LinkedIn (very active)
• World of DB2 for z/OS Security, compliance and audit subgroup
• Community on developerWorks (includes content and links to a myriad of sources, articles, etc.)
• Guardium Info Center (installation, System z S-TAPs and some how-tos, more to come)
• Technical training courses (classroom and self-paced)
New! InfoSphere Guardium Virtual User Group. Open, technical discussions with other users. Send a note to [email protected] if interested.
Thank you