IBM InfoSphere Guardium Tech Talk: Guardium Implementation for DB2 on z/OS (slides with speaker notes)
Slide 1: Title
IBM InfoSphere Guardium Tech Talk: Guardium Implementation for DB2 on z/OS
Ernie Mancill, Executive IT Specialist
Roy Panting, Guardium Technical Specialist
16 May 2013
Information Management – InfoSphere Guardium, © 2013 IBM Corporation

Slide 2: Logistics
- This tech talk is being recorded. If you object, please hang up and leave the webcast now.
- We'll post a copy of the slides and a link to the recording on the Guardium community tech talk wiki page: http://ibm.co/Wh9x0o
- You can listen to the tech talk using the audiocast and ask questions in the chat to the Q and A group. We'll try to answer questions in the chat or address them at the speaker's discretion.
  - If we cannot answer your question, please include your email so we can get back to you.
- When the speaker pauses for questions:
  - We'll go through existing questions in the chat
  - Raise your hand in the SmartCloud meeting room if you want to ask a question verbally and we'll call your name
  - You will need *6 to unmute your phone line if you are dialed in

Slide 3: Reminder: Upcoming Guardium Tech Talks
- Integrating QRadar and Guardium. Speakers: Luis Casco-Arias and Stephen Keim with Ty Weis. Wed, June 5, 2013, 11:30 AM EDT.
- Planning a deployment. Speakers: Boaz Barkai and Yosef Rozenblit. Thursday, Jun 20, 2013, 11:30 AM EDT.
- Register here: http://bit.ly/Yf2TwY and http://bit.ly/ZWznwA
- More information about these tech talks can be found on the InfoSphere Guardium developerWorks community: http://ibm.co/Wh9x0o
- Special event: Webcast: Best Practices for Securing and Protecting MongoDB Data, hosted by 10gen, The MongoDB Company. Register at http://www.10gen.com/events/webinar/secureprotect-mongodb-data-partner

Slide 4: Polling Question
At what stage is your InfoSphere Guardium implementation for DB2 for z/OS?
1. We don't have this product yet; we are just learning
2. We have Version 8.2 and are planning our deployment / upgrade to Version 9
3. We are planning a new deployment with Version 9
4. We have Version 9 deployed
5. None of the above

Slide 6: Agenda
- How InfoSphere Guardium on System z provides value
- Planning an implementation
- Implementing Guardium on System z into a non-production system
- Rolling out Guardium on System z into production
- Getting started with monitoring
- Wrap up

Slide 7: Our clients say...
- "Inconsistent data." North American Multi-Line Insurer: "Our new CEO became the most ardent supporter of Data Governance when he discovered that reports from different parts of the organization had inconsistent data."
- "We have no control over the quality of data." United States Government Agency: "Our team is responsible for the trustworthiness of data to the field analysts but we have no control over the quality of data that flows into our Financials from SAP R/3 to BW."
- "We need a policy and process to ensure we are protecting our data." Healthcare Insurer: "My team is responsible for sending data externally to many of our business partners and other entities. The number of these requests has grown significantly over the years and they are becoming increasingly involved and complicated. We need a policy and process to handle these requests to ensure we comply with all privacy/security regulations. We also need appropriate executive-level review and approval to ensure that each request for sharing our data externally is the right thing for us to do from a business perspective."
- "We keep everything forever." A large chemical manufacturer fails to destroy content and records in accordance with their corporate retention policy and is now burdened with the high cost of managing storage and eDiscovery, with no visibility into what to destroy and when. "During eDiscovery, we spent over $12 million dollars reviewing documents that were already past their retention dates and should have been disposed of ... and this was on just 4 cases ... at any point in time we have over 100 cases pending. We need a systematic way to manage this growth."
- CFO Survey: Current state & future direction, IBM Business Consulting Services: the top challenge for 43% of CFOs is improving governance, controls, and risk management.

Slide 8: Information Governance creates order out of information chaos
Information Governance is the exercise of decision rights to optimize, secure and leverage data as an enterprise asset.
- Orchestrate people, process and technology toward a common goal
  - Promotes collaboration
  - Derive maximum value from information
- Leverage data as an enterprise asset to drive opportunities
  - Safeguards information
  - Ensure highest quality
  - Manage it throughout its lifecycle
- Governing the creation, management and usage of enterprise data is no longer optional. It is:
  - Expected by your customers
  - Demanded by the executives
  - Enforced by regulators/auditors

Speaker notes: Information Governance allows organizations to create order out of this information chaos. It provides the means by which organizations can manage the explosion of information. It's about enabling people to do their jobs more effectively by providing them with the decision rights to optimize, secure and leverage enterprise data as an asset that can drive business opportunities. Information governance doesn't have to be difficult or mysterious. At its most basic, it involves organizing people, processes and technology to optimize, protect and leverage information, both structured and unstructured, as an enterprise asset that must be protected, must meet quality standards and must be managed throughout its lifecycle. Even if you feel removed from aspects of governance, you can still learn the vocabulary and rules. It's easy, effective and it can help solve a lot of information-related problems that may have eluded resolution for years. The management of data through governance is no longer optional; organizations have to do this to be competitive. Your customers expect you to know your data, the executives demand accuracy and expediency, and the regulators/auditors will enforce it. Data custodians are being pushed from all sides to meet these demands.

Slide 9: Threats to database and legacy data
- Privileged user access to data from outside of the DBMS
  - Access to DB2 linear VSAM datasets
- Privileged user access to DBMS data via SQL/DL1
  - Abuse of privilege without business need to know
- External threats
  - SQL injection (hacking)
- Movement of data outside of the DBMS
  - Unloads
  - Clones
  - Test data
  - Replication

Speaker notes (the first four items are cut off in the source):
- Level 1: Encryption – The first thought of providing data security is
- Level 2: Database Activity Monitoring – Auditing is based on an aud
- Level 3: Audit access to VSAM linear datasets – Sensitive informatio
- Level 4: Business Need to Know – Security is everyone's concern. T data.
- Level 5: Protect the use of unloads and extracts for the purpose of: test data management and generation; unloaded data for batch processes; extracts for external uses; replicated data; backup and recovery assets.

Slide 11: But... System z is already secure... why do we need more?
- Separation of duties
  - Privileged users: "need to know" vs abuse or mistake
  - Trace-based auditing is controlled by privileged users
  - SAF plays a vital role in protection of data on z/OS, but is not tamper-resistant and actionable
- Achieving audit readiness is labor-intensive and introduces latency
  - RACF lacks sufficient granularity for reporting
  - DB2 Audit Trace was significantly improved in V10, but still requires externalization to SMF and a customer-provided reporting infrastructure
- Real-time event collection
  - Batch processing of audit data from external sources prevents real-time alerts

Speaker notes: RACF and SAF-exploiting security products provide control over resource access, but cannot determine access intent (need to know vs privilege abuse). RACF also lacks granularity when generating audit reports. DB2 Audit Trace was significantly improved in V10, but still requires externalization to SMF and a customer-provided reporting infrastructure; SMF-based reporting can introduce latency between event capture and subsequent reporting and actionable processing. Trace-based auditing tends to be complex and is controlled by privileged users (DBAs or sysprogs), which works against separation of roles. SAF plays a vital role in protection of data on z/OS, but audit event collection and reporting that is tamper resistant, real-time, and actionable is also needed. Guardium on z/OS provides this information.
Slide 12: Capabilities for a layered "defense in depth"
[Diagram: three concerns stacked on the same data. Infrastructure / availability (IT, DBA, application, network, mainframe); performance (IT, DBA, app admin, network admin); security / compliance (IT, DBA, app, network, security, compliance, CISO). "It's all about the DATA." Guardium VA (Vulnerability Assessment), Guardium DAM (InfoSphere Guardium for DB2 on z/OS, IMS and VSAM) and Guardium Encryption (InfoSphere Guardium Encryption Tool) cover meta-data (configuration), dynamic data (in motion) and static data (at rest), for compliance, discovery, privacy, security, classification and integrity.]

Speaker notes:
IBM InfoSphere Guardium for DB2 on z/OS collects:
- All DML (inserts, updates, deletes, etc.)
- All DDL (create, alter, drop, etc.)
- DB2 commands, utilities, authorizations
- With low-overhead application impact
IBM InfoSphere Guardium for IMS on z/OS provides visibility into:
- IMS online regions
- IMS DLI/DBB batch jobs
- INSERT (ISRT), UPDATE (REPL), DELETE (DLET) and GET
- Obtains concatenated key and segment data
- Links Get Hold and Replace for before/after reporting
IBM InfoSphere Guardium for VSAM on z/OS:
- Dataset (VSAM cluster) level events (open, close, alter, etc.)
- All VSAM types supported
- Record-level collection (key information) for KSDS and RRDS
IBM InfoSphere Encryption Tool for IMS and DB2 Databases:
- Row/segment-level encryption for IMS databases and DB2 tables
- Leverages the latest zEnterprise encryption hardware and z/OS encryption exploitation
- Ensures that recovery assets (image copy and recovery log) are also encrypted

Slide 13: InfoSphere Guardium value proposition
Continuously monitor access to sensitive data in databases, data warehouses, Hadoop big data environments and file shares to:
1. Prevent data breaches: mitigate external and internal threats
2. Ensure the integrity of sensitive data: prevent unauthorized changes to data, data infrastructure, configuration files and logs
3. Reduce the cost of compliance: automate and centralize controls; simplify audit review processes

Speaker notes: Guardium's charter is the in-depth handling of all aspects of protecting critical data in databases, data warehouses, Hadoop big data environments and file shares. The value proposition has not changed in years; this has always been our mission and our goal. Our mission is to help customers: first, protect against and prevent data breaches and fraud, from both internal and external sources; second, control access to sensitive enterprise data (such as what is controlled through SAP, PeopleSoft, etc., and even some unstructured document data), thus assuring data governance; and third, streamline the process for compliance around data protection. Guardium provides the tools to slash compliance cost by automating and centralizing the controls you need to comply with a variety of mandates, such as SOX or PCI. Because of our extensive heterogeneous support, this can be accomplished across all popular databases and applications, ensuring you can deploy a single solution enterprise-wide.

Slide 14: InfoSphere Guardium value proposition (cont.)
4. Do it all in an efficient, scalable and cost-effective way
- Increase operational efficiency
  - Automate and centralize internal controls
  - Across heterogeneous and distributed environments
  - Identify and help resolve performance issues and application errors
  - Highly scalable platform, proven in the most demanding data center environments worldwide
- No degradation of infrastructure or business processes
  - Non-invasive architecture
  - No changes required to applications or databases

Speaker notes: A fourth value proposition is focused on being enterprise ready: the ability to scale Guardium in an efficient and cost-effective manner. Every release of Guardium introduces significant improvements in scalability, integration and automation-related features, with one goal in mind: streamlining the administration, configuration and usage of the solution in large environments.

Slide 15: IBM InfoSphere Guardium provides real-time data activity monitoring for security & compliance – DB2 for z/OS high-level architecture
[Diagram: SQL requests reach DB2 data on z/OS; the InfoSphere Guardium S-TAP for DB2 on z/OS forwards monitored activity to the InfoSphere Guardium Collector (hardened repository), which serves the web-based UI, alerts and reports.]
- Continuous, policy-based, real-time monitoring of all data traffic activities, including actions by privileged users
- Database infrastructure scanning for missing patches, misconfigured privileges and other vulnerabilities
- Data protection compliance automation

Speaker notes: Let's take a quick look at how Guardium achieves these benefits. An essential component of privacy and protection is maintaining real-time insight into database access and activity, to protect enterprise data and comply with regulatory requirements. Guardium enables IBM clients to maintain trusted information infrastructures by continuously monitoring access and activity to protect high-value databases against threats from legitimate users and potential hackers. Additionally, Guardium assesses the vulnerability of the database infrastructure itself to ensure its continued highest level of security. And last, it reduces operational costs by automating regulatory compliance tasks. It does this using a single integrated appliance, which can be configured as a Collector, a Central Policy Manager, or a Vulnerability Assessment Server with the simple use of license keys.

The key to monitoring non-intrusively is the S-TAP, a lightweight software tap that taps all incoming traffic. Basically, Guardium is a gateway to all data flows; no DB, application, or network changes are necessary. All traffic that meets the auditing policy is sent to the Collector, which runs policy against it and provides real-time alerting. The Central Policy Manager is the central point of control for all collectors. You may notice that all major DB infrastructures and some major applications are supported; this is where Guardium provides extra value-add, through in-depth understanding of all these protocol and schema differences. The appliances can be redundantly configured to provide a highly available solution. The S-TAP has only a small performance footprint, much less than turning native auditing on, with the additional benefit of separation of duties, since the DBA does not have control over the appliance and cannot affect its audit collection. Once set up, the Collector or Central Policy Manager can gather all the audit information in a normalized format (like a SIEM for DBs). The Vulnerability Assessment tool scans the DB2 on z/OS databases for needed patches or configuration hardening, based on periodically updated vulnerability templates. All this information (configuration, vulnerability, audit) can easily be packaged and reported for the major regulations; there are pre-packaged modules for each major regulation. And, to the part that may interest you the most, Guardium can readily integrate with several security and systems management solutions, providing a complementary in-depth view of the database security posture.
Speaker notes (cont.):
- Secures and protects high-value databases, identifies application-layer fraud
- Enables consistent enforcement of governance policies; demonstrates compliance
- Lowers compliance costs and effort compared to manual auditing, with no impact on existing business processes
Guardium's portfolio complements IBM's other offerings:
- Extends Test Data Management solutions by monitoring sensitive data access in test environments
- Extends Data Growth solutions with the ability to monitor both active and inactive (archived) data
- Extends Data Privacy and protection solutions, enabling consistent governance and compliance with regulatory mandates such as PCI, HIPAA, DPP and more
- Extends capabilities to automatically locate all databases, in both production and test environments, for monitoring and protection

Slide 16: Guardium integrates with IT infrastructure for seamless operations
[Diagram of integration points around the Guardium appliance:]
- SIEM (IBM QRadar, ArcSight, RSA enVision, etc.): send alerts (CEF, CSV, Syslog, etc.) and send events
- Security management platforms (IBM QRadar, McAfee ePO)
- Directory services (Active Directory, LDAP, TDS, etc.)
- Authentication (RSA SecurID, RADIUS, Kerberos, LDAP)
- SNMP dashboards (Tivoli Netcool, HP OpenView, etc.)
- Change ticketing systems (Tivoli Request Mgr, Remedy, Peregrine, etc.)
- Vulnerability standards (CVE, STIG, CIS Benchmark)
- Data classification and leak protection (credit card, social security, phone, custom, etc.)
- Long-term storage (IBM TSM, IBM Netezza, EMC Centera, FTP, SCP, etc.)
- S-TAP software deployment (IBM Tivoli Provisioning Manager, RPM, native distributions)
- Application servers (IBM WebSphere, IBM Cognos, Oracle EBS, SAP, Siebel, PeopleSoft, etc.)

Speaker notes: Integration and reducing TCO is a major theme for us. We also ensure that there is seamless integration with how customers run their IT operations. We have support for the diverse ecosystem where Guardium will deploy, including support for different authentication protocols, directories, SIEM solutions, ticketing systems, event dashboards, application servers, software distribution, archival and long-term storage, etc.

Slide 17: Polling Question
What is the primary reason you are considering a monitoring solution?
1. Meeting regulatory compliance including PCI DSS, SOX, HIPAA, etc.
2. Monitoring privileged user activity
3. Monitoring data stored in sensitive tables
4. We have not defined a primary reason yet
5. N/A

Slide 18: A sidebar discussion – Performance and product evolution
- 2006: AME, local repository on z/OS, performance overhead 20+%
- 2009: S-TAP 8.1 Phase 1, FTP-based exchange, performance overhead 9–15%
- 2011: S-TAP 8.1 Phase 2, real-time streaming, performance overhead ~5–7%
- 2012: S-TAP 9, revamped architecture, performance overhead 2–4%
Note: Performance metrics are workload dependent; the IBM IRWW workload was used. Any performance data contained in this document were determined in various controlled laboratory environments and are for reference purposes only. Customers should not adapt these performance numbers to their own environments as system performance standards. The results that may be obtained in other operating environments may vary significantly.

Slide 19: The benefits of shared collection
Utilizing Shared Collector technology, the monitoring and auditing products work together.
- Common processes are used to minimize overhead.
- Coordinated use of algorithms, memory, and gathered information reduces the impact on the statement being observed.
- This results in lower CPU consumption and better elapsed time.
- Shared Collector code is also more reliable and stability is improved.
[Diagram: SQL statement execution with shared collection (a single P+A overhead) versus non-shared collection (separate P and A overheads).]

Slide 20: Advantages of Query Common Collector
Minimum resources / minimum overhead / maximum usability / maximum reliability and serviceability
[Diagram: on z/OS, the Query Common Collector (OQCR) support services address space runs a Capture Task against the DB2A subsystem and a set of Query Collector Managers; an Audit Task streams over TCP/IP to the Guardium Collector (web server) and a Monitor Task streams over TCP/IP to DB2 Query Monitor.]

Slide 21: Agenda – Planning an implementation

Slide 22: Planning that first implementation
Start with the basics
- Identify a non-production DB2 environment
- Determine how many DB2 systems to audit
- Identify the support people (systems programmer, security administrator, auditor)
- Obtain management approval
- Establish agreement on the implementation schedule
Establish the Guardium details
- Determine what type of collector will be used (VM or hardware)
- Identify what features are needed (redundant collectors, zIIP availability, integration with distributed Guardium systems, etc.)
- Identify the TCP/IP addresses
- Coordinate the Guardium training and professional services
- Size the environment for a collector, aggregator and central manager
- Determine what groups will be used to simplify the Guardium implementation
Identify success criteria
- What needs to be audited (very important!)?
- What reports are required and desired?
- Is integration with another product, like a SIEM product, required?
- Is a performance test required?
- Are Vulnerability Assessments and Entitlement Reports required?

Speaker notes: Although each implementation is unique, there are several best-practice principles that can be applied to a Guardium implementation. The goal is to have solid communication with all involved parties and to develop a project plan that is acceptable to all participants. Start with the basics: these are similar to any project implementation. Assigning the proper people with the proper skill sets is critical; the implementation may take several weeks, so having team members that can support the project from beginning to end is important. Establish the Guardium details: Guardium is different from several other products because there are two components. One is the S-TAP, which is installed on the mainframe; the other is the collector, which is installed off the mainframe. Guardium professional services has experience with many implementations, which reduces the risk of the implementation. Identify the success criteria: having solid success criteria provides the vision for the project.

Slide 23: Sample implementation timeline
1. Perform parallel activities – 2 days
   - Obtain S-TAP software and maintenance from Shop z
   - Obtain collector software and maintenance from Passport Advantage
   - Coordinate implementation activities
2. Install S-TAP and collector software – 1 day
3. Begin collecting basic auditing – 2 days
4. Refine auditing and create custom reports – 8 days
5. Integrate InfoSphere Guardium with other products – 5 days
Total deployment of first implementation = 18 days (your mileage may vary)

Slide 24: Guardium for DB2 on z/OS architecture
[Diagram: on z/OS, the InfoSphere Guardium S-TAP attaches to the audited DB2 subsystem; its SQL collector and IFI collector feed SQL data and IFI data through filters run by the Collector Agent / Filter Manager and on to the Guardium appliance. The audit policy is defined from a workstation, pushed down to the S-TAP and persisted there; reports are viewed from the workstation.]

Slide 25: DB2 collection policy definition
- Identifies what activity is to be sent to the Guardium collector for auditing
- Uses groups to simplify administration
- Key component in performance. For example:
  - Granular control over connection type
  - Connection type provides efficient filtering

Speaker notes: Defining a collection policy that filters on connection type is a very efficient way to reduce the SQL traffic being sent to the Guardium collector. For example, some organizations are not interested in auditing SQL traffic that comes from CICS: traffic from CICS has already been authenticated and is often considered to come from a trusted application. To exclude the CICS traffic, specify "NOT CICS" as a Connection Type group member. SQL is sent to DB2 from a variety of connection types, and if specific connection types are not required for auditing, it is very easy to exclude those types from being audited. The connection type is one of the first filters applied to the input SQL being audited, so excluding connection types can give a significant reduction in MIPS consumption, depending on the quantity of SQL that can be filtered. Applying the proper filtering is key to improving Guardium S-TAP performance.
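The connection-type-first filtering described above, worked through as an added example. This is illustrative Python written for this page, not Guardium's policy syntax or S-TAP code: the event fields, the policy structure and the group semantics (a member written "NOT <type>" excludes that type; a group with no plain members admits anything not excluded) are assumptions, and the traffic is constructed. What it shows is the ordering the notes describe: the cheap connection-type test runs first, so CICS traffic is dropped before any privileged-user or sensitive-object check runs, and the per-stage counts tell you how much each filter removed.

```python
"""Added example: push-down audit policy that tests connection type first.
Not Guardium code; the group semantics and event fields are assumptions
made for this illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class AuditEvent:
    conn_type: str             # how the SQL reached DB2: CICS, TSO, DRDA, BATCH, ... (assumed)
    user: str                  # authorization ID that issued the statement (RACF ID / SQL ID)
    sql: str
    objects: Tuple[str, ...]   # tables the statement touches


@dataclass(frozen=True)
class CollectionPolicy:
    conn_types: FrozenSet[str]         # Connection Type group; "NOT X" members exclude X
    privileged_users: FrozenSet[str]   # always audit these authorization IDs
    sensitive_objects: FrozenSet[str]  # always audit statements that touch these tables


def group_matches(value: str, group: FrozenSet[str]) -> bool:
    """Evaluate one value against a group (assumed semantics, not the product's):
    a member "NOT X" excludes X; plain members include; a group with no plain
    members admits anything that is not explicitly excluded."""
    excluded = {m[4:].strip().upper() for m in group if m.upper().startswith("NOT ")}
    included = {m.upper() for m in group if not m.upper().startswith("NOT ")}
    v = value.upper()
    if v in excluded:
        return False
    return not included or v in included


def apply_policy(events: Iterable[AuditEvent],
                 policy: CollectionPolicy) -> Tuple[List[AuditEvent], Dict[str, int]]:
    """Return the events that would be sent to the collector plus per-stage counts.
    Connection type is checked first: it is the cheapest test and, for sources
    treated as trusted such as CICS, removes whole classes of traffic before the
    user and object checks run."""
    stats = {"dropped_conn_type": 0, "dropped_no_match": 0, "audited": 0}
    priv = {u.upper() for u in policy.privileged_users}
    sensitive = {o.upper() for o in policy.sensitive_objects}
    audited: List[AuditEvent] = []
    for ev in events:
        if not group_matches(ev.conn_type, policy.conn_types):
            stats["dropped_conn_type"] += 1
            continue
        touches_sensitive = any(o.upper() in sensitive for o in ev.objects)
        if ev.user.upper() not in priv and not touches_sensitive:
            stats["dropped_no_match"] += 1
            continue
        audited.append(ev)
        stats["audited"] += 1
    return audited, stats


# Constructed sample traffic and policy (not captured from a real system).
SAMPLE_POLICY = CollectionPolicy(
    conn_types=frozenset({"NOT CICS"}),
    privileged_users=frozenset({"DBA01"}),
    sensitive_objects=frozenset({"CUSTOMER", "CARD"}),
)

SAMPLE_EVENTS = [
    AuditEvent("CICS", "APPUSER", "SELECT NAME FROM CUSTOMER WHERE ID = ?", ("CUSTOMER",)),
    AuditEvent("CICS", "DBA01", "SELECT COUNT(*) FROM CARD", ("CARD",)),
    AuditEvent("TSO", "DBA01", "SELECT * FROM SYSIBM.SYSTABLES", ("SYSIBM.SYSTABLES",)),
    AuditEvent("DRDA", "APPUSER", "SELECT QTY FROM ORDERS WHERE ORDNO = ?", ("ORDERS",)),
    AuditEvent("BATCH", "NIGHTLY", "UPDATE CUSTOMER SET STATUS = 'C'", ("CUSTOMER",)),
]


def demo() -> Dict[str, int]:
    """Run the sample policy over the sample traffic and return the stage counts."""
    _, stats = apply_policy(SAMPLE_EVENTS, SAMPLE_POLICY)
    return stats


if __name__ == "__main__":
    for ev in apply_policy(SAMPLE_EVENTS, SAMPLE_POLICY)[0]:
        print(f"audit {ev.conn_type:5} {ev.user:8} {ev.sql}")
    print(demo())
```

Note what the sample traffic exposes: the second CICS event is the privileged ID DBA01 reading the CARD table, and the blanket "NOT CICS" exclusion drops it before the privileged-user check is ever reached. That is the trade-off of putting the cheapest filter first. If privileged IDs can reach DB2 through CICS, the exclusion needs to be narrower, or a privileged-user rule has to be evaluated ahead of it, rather than trusting the connection type wholesale.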
Slide 26: Agenda – Implementing Guardium on System z into a non-production system

Slide 27: Conducting that first implementation
Install the Guardium collector / aggregator / central manager
- Install the software and maintenance
- Configure the installation
- Power up the collector
Install the Guardium S-TAP
- Install the S-TAP and maintenance on all DB2 systems to be audited
- Configure the installation and start the S-TAP
Validate auditing
- Create a simple audit collection policy
- Use reports to validate that DB2 activity is being stored in the repository
Refine the auditing
- Filter unneeded audit data using policy
- Create custom reports, Vulnerability Assessment, integration, etc.

Speaker notes: Determining what needs to be audited: some customers just need privileged users; some need to comply with regulations like PCI DSS, where access to sensitive data is the most important requirement.

Slide 28: Conducting that first implementation (cont.)
Meet all functional requirements
- Develop detailed custom reports
- Modify the collection profile for efficiency, alerts, exceptions, etc.
- Develop an archive strategy
- Implement report workflow
Conduct performance testing
- Build a repeatable performance test
- Run the test
- Review the results and make modifications until the results are satisfactory
Plan for ongoing maintenance
- Recommendation: use the same maintenance philosophy that you use for DB2 (e.g. LPAR or group level)
Plan for the next stages
- Obtain approvals to migrate software to production
- Schedule migration to the next stage
- Coordinate the migration plan

Speaker notes: Determining what needs to be audited: provide guidance here based on what you've seen from other customers, i.e. some customers just need privileged users; some need to comply with regulations like PCI DSS, where access to sensitive data is the most important requirement. At a major bank in Brazil, PCI is their requirement; the PCI accelerator helps to meet the requirements.

Slide 29: Agenda – Rolling out Guardium on System z into production

Slide 30: Rolling Guardium into production
Building the production Guardium solution
- Size Guardium for the number of S-TAPs, collectors, aggregators, etc.
- Size the number of collectors based on the estimated audit data volume and include failover contingency
  - And plan for the unexpected!
- Integrate Guardium into your disaster recovery strategy
Post-production deployment
- Monitor the collector usage closely for the first few weeks
- Validate that reports are meeting business requirements
- Adjust collector sizing as appropriate
- Adjust collection policy as appropriate
- Deploy the archive strategy

Speaker notes: Deploying Guardium into production is the last step of deployment. The risk is significantly reduced if the system has been implemented in other non-production environments and thoroughly tested. Sizing Guardium is a key factor for a production deployment. Most production mainframe DBMS systems are highly utilized; it is not uncommon for a DBMS that supports a critical business application to process several million SQL statements per day. Sizing of Guardium focuses on the allocation of the collectors, which are highly scalable. Each S-TAP that audits a DBMS needs to send its audit data to a collector. Depending on the audit policy, a very large percentage of incoming DBMS traffic may not need to be audited, so multiple DBMS S-TAPs may send their audit traffic to a single collector. We recommend that the number of collectors for an initial implementation be conservative, because the amount of incoming traffic can vary: end-of-period processing or unusual events can significantly increase the activity on the DBMS. A conservative collector allocation provides the ability to capture all audit data during spikes in processing. After a period of time the Guardium administrators can determine whether the number of collectors needs to be adjusted.
30 Information Management – InfoSphere Guardium Agenda How InfoSphere Guardium on System z Provides Value Planning an implementation Implementing Guardium on System z into a non-production system Rolling out Guardium on System z into production Getting started with monitoring Wrap up 31 © 2013 IBM Corporation 31 Information Management – InfoSphere Guardium Getting started with database monitoring Produce the audit reports –Identify the contents of the report –See if there is a pre-built report that meets your requirements –Use the Guardium GUI to build a custom report Monitor the system for "expected" results - make sure things are reasonable and expected Apply changes based on experience 32 © 2013 IBM Corporation 32 Information Management – InfoSphere Guardium Building the Guardium reports from the collected data Guardium has over 100 pre-built reports including accelerators for PCI, HIPAA, SOX Query builder for reports Copy and modify existing reports or build your own using rich custom report builder Use runtime parameters for rapid subsetting of the data: –Changing the date ranges Changing the DBMS subsystem names –Changing the user(s) ID that submitted the requests –Many more options 33 Entities and attributes © 2013 IBM Corporation 33 Information Management – InfoSphere Guardium Sample DB2 for z/OS Audit Report Can mask values to avoid sensitive data leakage Reports can be automated and run on a schedule Reports can be routed to reviewers and approvers SQL with bind values SQL with redacted values Network vs local traffic 34 34 © 2013 IBM Corporation Sourceprogam – JobID LOCAL TCP –DRDA DB USER NAME – RACF ID/SQL ID 34 Information Management – InfoSphere Guardium Automating reviews and signoffs - Example Business Owner (PCI Role) Information Security (InfoSec Role) Guardium Admin (Admin Role) Reviewer can add comments, which are saved in audit trail. 
One thing all auditors are going to want to see is a process that ensures all incidents are investigated and remediated. InfoSphere Guardium is unique in providing an integrated compliance workflow automation application that automates the process of ensuring all incidents are addressed, which reduces your operational costs while quickly providing the audit trail required for compliance. The compliance workflow tool gives you the flexibility to define unique custom processes for your different organizations or efforts, for example different escalation or review steps for different parts of the organization to ensure checks and balances. In this example, we are using this workflow process to ensure review and approval of new database connections. It needs to be routed from the business owner, through information security and then to the Guardium Admin, who can actually move the new connections to the “approved connections” group. The workflow process also provides enough granularity to handle individual line items in a report, like rerouting a subset of issues for escalation or outside review. These capabilities enable the cost benefits of automation to be realized; even in large, complex organizations with a variety of different processes and a variety of incidents with differing remediation profiles, this custom workflow can fit seamlessly into your organizational processes.
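The routing described above, as an added example that is not part of the deck or of Guardium itself: a small Python model of the three-stage review (PCI role, InfoSec role, Admin role) that enforces the order of sign-offs, saves every reviewer comment in an append-only audit trail, lets the reviewer whose turn it is pull an individual line item out for outside review, and only lets the Admin stage place a connection in the approved group. Role names follow the slide; item identifiers, reviewer names and comments are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Sign-off order from the slide: business owner (PCI role), then
# Information Security, then the Guardium Admin who moves the
# connection into the "approved connections" group.
STAGES = ("PCI", "InfoSec", "Admin")


class WorkflowError(Exception):
    """Raised when an action is attempted out of order or by the wrong role."""


@dataclass
class LineItem:
    item_id: str              # one report row, e.g. a new connection (constructed IDs)
    stage: int = 0            # index into STAGES of the role whose turn it is
    escalated: bool = False   # pulled out of the normal path for outside review
    approved: bool = False


@dataclass
class ReviewWorkflow:
    items: Dict[str, LineItem] = field(default_factory=dict)
    audit_trail: List[dict] = field(default_factory=list)
    approved_connections: List[str] = field(default_factory=list)

    def add_item(self, item_id: str) -> None:
        self.items[item_id] = LineItem(item_id)

    def _record(self, item_id, role, reviewer, action, comment) -> None:
        # Every action taken, with the reviewer's comment, is appended and never edited.
        self.audit_trail.append({"item": item_id, "role": role, "reviewer": reviewer,
                                 "action": action, "comment": comment})

    def _current(self, item_id: str, role: str) -> LineItem:
        """Return the item only if this role is the one whose sign-off is due."""
        item = self.items[item_id]
        if item.approved:
            raise WorkflowError(f"{item_id} is already approved")
        if item.escalated:
            raise WorkflowError(f"{item_id} is escalated; awaiting outside review")
        expected = STAGES[item.stage]
        if role != expected:
            raise WorkflowError(f"{role} cannot act on {item_id}: awaiting {expected}")
        return item

    def approve(self, item_id, role, reviewer, comment="") -> bool:
        """Sign off the current stage; True once the Admin stage has moved the
        item into the approved group."""
        item = self._current(item_id, role)
        self._record(item_id, role, reviewer, "approve", comment)
        item.stage += 1
        if item.stage == len(STAGES):
            item.approved = True
            self.approved_connections.append(item_id)
        return item.approved

    def escalate(self, item_id, role, reviewer, comment) -> None:
        """The reviewer whose turn it is reroutes this one line item for outside review."""
        item = self._current(item_id, role)
        item.escalated = True
        self._record(item_id, role, reviewer, "escalate", comment)

    def resolve_escalation(self, item_id, reviewer, comment) -> None:
        """Outside review is complete; the item resumes at the stage it left."""
        item = self.items[item_id]
        if not item.escalated:
            raise WorkflowError(f"{item_id} is not escalated")
        item.escalated = False
        self._record(item_id, "Outside", reviewer, "resolve", comment)

    def pending_for(self, role: str) -> List[str]:
        """Line items currently waiting on the given role's sign-off."""
        return [i.item_id for i in self.items.values()
                if not i.approved and not i.escalated and STAGES[i.stage] == role]


def is_rejected(action, *args) -> bool:
    """True if the workflow refuses the action (shows the ordering rules)."""
    try:
        action(*args)
    except WorkflowError:
        return True
    return False
```

The separation the slide relies on is that no single role can push a connection through: the Admin cannot approve before the other two roles, and an escalated row is frozen for everyone until the outside reviewer's resolution is itself entered in the trail.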
36
Agenda
– How Guardium on System z Provides Value
– Planning an implementation
– Implementing Guardium on System z into a non-production system
– Rolling out Guardium on System z into production
– Getting started with monitoring
– Wrap up

37
Keys to a successful implementation
– The more you plan, the fewer surprises you will have
  – Know the difference between monitoring and auditing
  – Log only what the business needs
  – Get the broader team involved as necessary (network, DBA, infosec)
– Take advantage of IBM Professional Services
  – Quickly and efficiently deploy Guardium while minimizing disruption to ongoing projects
  – Create deployment plans and architecture that can expand and scale
  – Deploy basic monitoring and provide step-by-step guidance for advanced monitoring if required
  – Educate your team at every step to accelerate self-sufficiency

Why services? Our highly skilled experts have broad InfoSphere Guardium architectural knowledge and deep technical skills to help you quickly and efficiently deploy Guardium.
· We reduce project roadblocks to success by creating a deployment plan and architecture baseline to provide a technical foundation that can expand and scale.
· We identify the steps for deploying basic monitoring, then provide step-by-step guidance to tune the monitor and implement advanced monitoring if required.
· We educate your team at each step to accelerate self-sufficiency through knowledge sharing.
· We help you accelerate the adoption of Guardium while minimizing disruption to ongoing projects.

38
Bottom line
SAF (IBM RACF and CA products) plays a vital role in protection of resources on z/OS, but you also need audit event collection/reporting which is tamper resistant, real-time, and actionable.
InfoSphere Guardium on z/OS provides
– Real-time, actionable activity monitoring and alerting
– Tamper resistant audit repository
– Clear separation of Roles and Responsibilities
– Granular insights into activity
– Automation, process consistency, and unique security insights
Bottom line: you need both RACF and Guardium for a robust security environment on z/OS.

39
Resources
– Data Sheet: InfoSphere Guardium for z/OS: http://public.dhe.ibm.com/common/ssi/ecm/en/imd14429usen/IMD14429USEN.PDF
– Replay of webcast: InfoSphere Guardium 9.0 – Delivering Big Data Protection for System z and beyond: http://www-01.ibm.com/software/os/systemz/webcast/18dec/ (register to access replay)
– Short YouTube demo of InfoSphere Guardium monitoring on DB2 for z/OS: http://www.youtube.com/watch?v=UeYYvSJiTuM&feature=plcp
– InfoSphere Guardium S-TAP for DB2 on z/OS User’s Guide (PDF): http://publib.boulder.ibm.com/infocenter/igsec/v1/topic/com.ibm.db2tools.adhz.doc.ug/adhugb90.pdf
– InfoSphere Guardium S-TAP for VSAM on z/OS User’s Guide (PDF): http://publib.boulder.ibm.com/infocenter/igsec/v1/topic/com.ibm.imstools.auv.doc.ug/auvugh90.pdf

40
Information, training, and community
– InfoSphere Guardium YouTube Channel – includes overviews and technical demos
– InfoSphere Guardium newsletter
– developerWorks forum (very active)
– Guardium DAM User Group on LinkedIn (very active)
– World of DB2 for z/OS: Security, compliance and audit subgroup
– Community on developerWorks (includes content and links to a myriad of sources, articles, etc.)
– Guardium Info Center (Installation, System z S-TAPs and some how-tos, more to come)
– Technical training courses (classroom and self-paced)
– New! InfoSphere Guardium Virtual User Group. Open, technical discussions with other users. Send a note to [email protected] if interested.
There are currently two Guardium certification tests. If you are looking into taking an IBM professional product certification exam, you may look into taking the 000-463 certification (http://www-03.ibm.com/certify/tests/ovr463.shtml). Upon completion of the 000-463 certification, you will become an IBM Certified Guardium Specialist (http://www-03.ibm.com/certify/certs/28000701.shtml). The certification requires deep knowledge of the IBM InfoSphere Guardium product; it is recommended that the individual have experience implementing the product before taking the exam. You can view the detailed topics here: http://www-03.ibm.com/certify/tests/obj463.shtml. Details of each topic are covered in the product manuals. You will also find the Guardium Info Center a useful resource when you prepare for the exam: http://publib.boulder.ibm.com/infocenter/igsec/v1/index.jsp

42
Thank you
– Dziękuję (Polish)
– Gracias (Spanish)
– Merci (French)
– Obrigado (Brazilian Portuguese)
– Danke (German)
– Tack (Swedish)
– Grazie (Italian)
– Traditional Chinese, Simplified Chinese, Japanese, Thai, Russian, Arabic
Thank you very much for your time today.