IBM InfoSphere Guardium Tech Talk: Guardium 101 Information Management

Joe DiPietro – Center of Excellence lead
Kathy Zeidenstein – Guardium Evangelist
21 Feb 2013
© 2013 IBM Corporation
Information Management – InfoSphere Guardium
What we’ll cover today
What is Guardium and what problems does it address?
Overview of some capabilities
Architectural overview and policy primer
Deployment topologies
Guardium team and projects
Whirlwind tour of the UI
Administration/automation (CLI and API)
Where to find more information
Data is the key target for security breaches… and database servers are the primary source of breached data.
Why? Database servers contain your clients’ most valuable information:
– Financial records
– Customer information
– Credit card and other account records
– Personally identifiable information
– Patient records
High volumes of structured data
Easy to access
Source: 2012 Data Breach Report from Verizon Business RISK Team
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf
“Go where the money is… and go there often.” - Willie Sutton
Verizon has a team that analyzes risk and breaches in the digital world on a yearly basis,
looking for attack trends and pattern changes, akin to the work we do with X-Force. For
several years they have seen a trend where the great majority of records breached came
from databases, regardless of the source of the breach. So we reach the conclusion that
databases are a major point of compromise. This may not be surprising, since this is where
we find the most critical enterprise data worth stealing or violating, and since it is
structured, it is easier to find. This is where Guardium has focused its attention up to
now, but as more and more data gets stored in NoSQL or other non-relational databases,
Guardium is tackling this problem as well and has an offering for Hadoop data activity
monitoring.
Insider attacks are another particularly big issue when viewed from the perspective of
production databases, because they are unique, complex systems that are generally
completely under the control of the DBAs who administer them. In fact, surveys of database
administrators routinely confirm this issue: 62% of organizations have no way to control
what administrators do with their organization’s most sensitive data, and the majority
can’t even detect whether inappropriate activity is taking place.
Typical home-grown solutions are costly and ineffective
Native database logging (on each database server)
  → Perl/UNIX scripts/C++: scrape and parse the data, move to a central repository
  → Create reports
  → Manual review
  → Manual remediation dispatch and tracking
• Significant labor cost to review data and maintain process
• High performance impact on DBMS from native logging
• Not real time
• Does not meet auditor requirements for Separation of Duties
• Audit trail is not secure
• Inconsistent policies enterprise-wide
At IBM we’ve been fortunate to consult with hundreds of enterprises world-wide that are seeking to secure
their sensitive databases. Most fall into one of two categories: either they have no database security
solution in place, or they have attempted to build a “home-grown” solution based on native auditing.
Most of the larger enterprises fall in the latter category.
Let’s take a moment to explore how these home-grown solutions are built, and why you may not want to go
down that path. These systems are built on the native logging facilities of the databases, which are
turned on to enable auditing. Since they are distributed, scripts are typically written to scrape those
logs, centralize the information and clean it up. Then reports are written to simplify examination of the
information. On a periodic basis some poor individual examines these logs looking for inappropriate
activity. When an anomaly is identified, the individual responsible for that system is contacted, typically
through email, and some manual system (a spreadsheet or database) is used to track the incidents and
responses.
This is not a very good approach to securing your company’s most valuable assets, for a variety of reasons:
1. It is a costly approach, involving significant labor to develop the software and do the manual remediation
discussed.
2. Many companies cannot implement or sustain the approach due to the overhead incurred when the native
logging facilities are enabled. The overhead typically ranges from 10% to 45% of CPU cycles.
3. It is obvious this type of system is not real time. By the time an anomaly is discovered, your
valuable data is long since gone.
4. From a compliance perspective this type of approach is now being challenged by auditors, as it does
not provide the separation of duties they require. Privileged users like DBAs are required to run the
system; they can turn off the native auditing if they want to do something inappropriate, or modify the
centralized logs.
5. The whole system is not secure; it can be compromised at many points.
6. Last of all, this type of approach does not provide consistent information enterprise-wide, as the
underlying audit facilities deliver inconsistent information.
50,000 Foot Overview: Data Security & Risk (DSR)
Challenges: Where is sensitive data? Unauthorized Changes; Security Threats; Rising Costs; Time to understanding
Constraints: Data Growth & Acquisitions; Outsourced & Contractor Access
Drivers: Increased Risk; Cost ($)
DSR Goals: Increase Protection; Empower users; Stay out of the papers…
Life-cycle: Find, Classify, Assess, Harden, Monitor, Audit, Analyze, Enforce; Define Metrics → Measure Results
Outcomes: Reduced cost across the lifecycle; Higher quality; Improved understanding; Lowered risk; Improved compliance
This chart lays out the goals and challenges that many organizations face when trying to reduc
business goals.
The challenges on the bottom reflect on the fact that many organizations don’t really understan
you effectively protecting it? If a breach occurs, would you have the information you need t
The goals you probably have are to reduce risk, increase protection with a low TCO. You need
Yet data security is a way a moving target. Every time there is a merger or acquisition there is
private data in there as well.
And companies need to be able to deploy outsourced IT resources, including DBAs and devel
Later on in this presentation, you’ll learn about how to use this data security life cycle model to
Enforcement.
Historical perspective: What is Guardium?
Guardium, the company, was founded in 2002
– Innovated a non-invasive solution for continuous database auditing
Guardium was acquired by IBM in 2009
The ‘Guardium’ name was extended to other products in the IBM Information Management portfolio that focus
on data security and protection (that’s how good it is!)
– InfoSphere Guardium Data Activity Monitoring
– InfoSphere Guardium Vulnerability Assessment
  (the two above are the ‘original’ Guardium and our focus for today’s talk)
– InfoSphere Guardium Data Encryption
– InfoSphere Guardium Data Redaction
The focus of this topic is the technology acquired by IBM from Guardium, now marketed as
two main offerings: InfoSphere Guardium Data Activity Monitoring and InfoSphere Guardium
Vulnerability Assessment.
InfoSphere Guardium Data Encryption encrypts databases and files “in place” and avoids the
need to re-architect databases, files, or storage networks. Inserted above the file system
and/or logical volume layers, InfoSphere Guardium Data Encryption is transparent to users,
applications, databases and storage subsystems. It requires no coding and no modification
to applications or databases.
http://www.ibm.com/software/data/guardium/encryption-expert/
InfoSphere Guardium Data Redaction protects sensitive data in documents, forms and files
from unintentional disclosure by detecting and removing the data from the document version
that is openly shared. It supports many document formats, including scanned documents,
PDF, TIFF, XML and Microsoft® Word. Redaction usually happens as a result of a request, or
a need to share select information. Redaction is not a replacement for encryption, proper
access control, or secure document lifecycle management tools. Web page:
http://www.ibm.com/software/data/guardium/data-redaction/
And where does it fit?
InfoSphere Information Governance
Guardium has the privilege to be a key component in two IBM strategies: first, the
InfoSphere Information Governance strategy, where there is a need to provide customers
with trusted, relevant, and governed data throughout the information lifecycle; and
second, the Security Systems framework, where the protection of sensitive data is
ultimately the essence of what enterprises want to accomplish.
Guardium integrates with and complements IM products, such as InfoSphere Discovery and
Optim Archiving, as well as Security products like QRadar and AppScan.
For example, Guardium complements Optim Test Data Management solutions by monitoring
sensitive data access in test environments. It also complements Optim Data Growth
solutions with the ability to monitor access to both active and inactive (archived) data.
Products and capabilities
InfoSphere Guardium Data Activity Monitoring (DAM) – for data security & compliance
• Data discovery and classification
• Real-time activity monitoring
• Application end-user identification
• Security alerts and audit reports
• Compliance workflow
• Blocking unauthorized access
• Masking sensitive data
InfoSphere Guardium Vulnerability Assessment (VA) – best practice & secure configuration
• Configuration assessment
• Vulnerability assessments
• Vulnerability reports
• Suggested remediation steps
• Data Protection Subscription
• Configuration audit system (CAS)
• Entitlement reporting (VA Advanced)
Hardware, virtual or software appliances
Central Management & Aggregation: manage and use large deployments as a single federated system
And so, at a high level, Guardium offers two product suites:
1. Guardium Data Activity Monitoring (DAM) - monitors dynamic data in real time, logs the activity for
compliance purposes and responds in real time to any unauthorized or suspicious activity, for example by
triggering an alert. Data discovery and classification crawls the network as directed by the user's
configuration settings to find new database instances. It also finds and classifies sensitive data inside
databases, using an intelligent database crawler to search for customizable patterns. Once sensitive
objects have been located, they are automatically tagged with metadata classifications such as
“Regulated Record” and added to groups of items with similar properties, which ensures that appropriate
policies are automatically applied to groups of objects with similar properties. The application end-user
ID application (part of the DAM offering) identifies application users associated with specific database
queries and transactions in connection pooling environments, where applications use a generic service
account to access the database.
The Advanced DAM package adds prevention functions such as blocking and masking, to actively prevent
unauthorized activity and prevent leakage of sensitive data.
2. Database Vulnerability Assessment (VA) - scans database infrastructure for vulnerabilities such as
missing patches, misconfigured privileges and default accounts. It also checks for behavioral or dynamic
vulnerabilities by analyzing monitored activities, such as an excessive number of failed logins or
privileged users sharing credentials.
The Advanced VA package also includes the following functions:
1. Configuration Audit System (CAS): tracks all changes to objects external to the database
that have security implications, such as configuration files, environment variables, registry
variables and executables such as shell scripts, Java and XML programs. To accelerate
deployment, CAS includes a best practices library with hundreds of preconfigured knowledge
templates for all major OS and DBMS combinations.
2. Entitlement Reports (ER): provide a simple means of understanding user rights across the
enterprise, including those granted through roles and groups, by aggregating entitlement
information from across database instances and presenting it in pre-defined reports.
Central Management and Aggregation
Provides centralized management of multiple collectors via a single Web-based console. Includes
centralized management of cross-DBMS security policies and hardware appliance settings such as archiving
schedules. Creates a federated system from multiple Collectors.
In order to protect your information, you first need to understand where your sensitive data live
Database discovery to identify where your databases are located on your network. The agent
Instance discovery (using an agent) is only with DAM. "Instance Discovery" requires an agent
STAP. This is why this discovery needs an agent.
Sensitive data finder - Guardium can locate databases via network IP scan and open database
(http://en.wikipedia.org/wiki/Regular_expression) to locate matching patterns. e.g. Creditca
database. Actions can then be taken AUTOMATICALLY; e.g. log a policy violation, send a
Actions
a. alert (real time alert and log policy violation) This is useful especially when you run sensitiv
b. The adding of object to a group enables the system to automatically update the real-time s
policy that references this group will be updated next time it’s installed. You can install and
c. The adding of an object to a group also allows the system to automatically update the complia
are aware of the new sensitive data and can take appropriate administrative actions.
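The scan-then-act flow the notes describe (match a card-number pattern in sampled table data, then tag the object and add it to a group that policies reference) is easy to model. The following is an added example written for this page, not the Guardium classifier; the sample tables, the group and tag names, and the Luhn post-filter (which drops digit runs that merely look like card numbers) are all constructed here:

```python
"""Added example: regex-based sensitive data finder with Luhn validation,
followed by the "tag the object and add it to a group" action.
Illustrative code, not the Guardium classifier."""
import re

# Candidate credit card number: 13 to 19 digits, optionally split by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn check-digit validation; filters out digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_columns(rows):
    """Return {column_name: hit_count} for columns holding Luhn-valid card numbers.

    rows: list of dicts (column -> value), the way a sampled table reads back.
    """
    hits = {}
    for row in rows:
        for col, val in row.items():
            for m in CARD_RE.finditer(str(val)):
                digits = re.sub(r"[ -]", "", m.group())
                if luhn_ok(digits):
                    hits[col] = hits.get(col, 0) + 1
    return hits


def classify(schema, group="Sensitive Objects", tag="Regulated Record"):
    """Scan every sampled table and return the actions to take for each hit:
    tag the object and add it to the group that policies reference."""
    actions = []
    for table, rows in schema.items():
        for col, n in sorted(find_card_columns(rows).items()):
            actions.append({"object": f"{table}.{col}", "tag": tag,
                            "group": group, "hits": n})
    return actions


# Constructed sample data (not from the page). The card values are the well-known
# test numbers 4111 1111 1111 1111 and 5500 0000 0000 0004; the NOTES value is a
# 15-digit run that matches the regex but fails the Luhn check.
SAMPLE_SCHEMA = {
    "CUSTOMERS": [
        {"CUST_ID": 1001, "NAME": "A. Example", "PAYMENT_REF": "4111 1111 1111 1111",
         "NOTES": "order 123456789012345"},
        {"CUST_ID": 1002, "NAME": "B. Example", "PAYMENT_REF": "5500-0000-0000-0004",
         "NOTES": "n/a"},
    ],
    "PRODUCTS": [
        {"SKU": "AB-1", "PRICE": 19.99},
    ],
}

if __name__ == "__main__":
    for action in classify(SAMPLE_SCHEMA):
        print(action)
```

Only CUSTOMERS.PAYMENT_REF is reported: the NOTES run matches the regex but fails Luhn, and nothing in PRODUCTS is long enough to match. Keying the result by object rather than by row is what makes the "add to group" action cheap to apply to a policy.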
Here’s an example of a real-time alert from the classification policy that indicates sensitive data
In Oracle, when you delete a table it goes into a temp table until it’s permanently purged.
That just shows that you can have sensitive data lying around in temp tables.
Vulnerability and Configuration Assessment Architecture
Included with VA
Based on industry standards: DISA STIG and CIS Benchmark
Extensive library of pre-built tests for all supported platforms
Customizable tests to address your specific corporate security policies
– Via custom scripts, SQL queries, environment variables, etc.
Combination of tests ensures comprehensive coverage:
1. Database settings
2. Operating system
3. Observed behavior
DB Tier (Oracle, SQL Server, DB2, Informix, Sybase, MySQL, Netezza, Teradata) – tests: Permissions, Roles, Configurations, Versions, Custom tests
OS Tier (Windows, Solaris, AIX, HPUX, Linux, z/OS) – tests: Configuration files, Environment variables, Registry settings, Custom tests
Database User Activity (observed behavior)
Vulnerability Assessment (VA) is an important process to help secure and harden
your infrastructure.
DISA STIG = Defense Information Systems Agency Security Technical Implementation Guides,
http://iase.disa.mil/stigs/
CIS = Center for Internet Security, http://www.cisecurity.org/
VA helps identify common security configuration issues like:
- Patch levels on database servers
- Administrators sharing credentials
- Users still using default passwords
There are three important categories of tests (observed traffic, database configuration,
operating system configuration) to ensure complete analysis of your database
infrastructure.
Here are the testing methods used (from the Guardium Help Book):
Guardium’s Database Vulnerability Assessment combines three essential testing methods to
guarantee full depth and breadth of coverage. It leverages multiple sources of information
to compile a full picture of the security health of the database and data environment.
1. Agent-based - using software installed on each endpoint (e.g. database server). Agents
can determine aspects of the endpoint that cannot be determined remotely, such as an
administrator’s access to sensitive data directly from the
Guardium Assessment Results
(Screenshot callouts: overall score; detailed scoring matrix; are you making progress?; recommendations on how to fix the failure)
Assessment tests give you information to help you correct failures and to show
improvement over time. You can also create your own tests. A query-based test is either a
pre-defined or user-defined test that can be quickly and easily created by defining or
modifying a SQL query, which will be run against a database datasource and its results
compared to a predefined test value. See backup slides for an example. Once you've
established a good VA score, you know your configuration is in good shape and you want to
"lock down" the system by installing the Guardium Configuration Audit System (CAS) module,
which will alert you on any change in configuration, file permissions, environment
variables, etc. It is part of VA Advanced, which makes it a natural next step for VA.
CAS tracks all changes that can affect the security of database environments outside the
scope of the database engine:
• Tracks changes to database configuration files and other external objects that can
affect your database security posture, such as environment/registry variables,
configuration files (e.g. SQLNET.ORA, NAMES.ORA), shell scripts, OS files, and executables
such as Java programs
• Required for all governance and risk management implementations
• Implements security best practices with no administrator work
CAS is a light-weight agent that runs on the server where database instances are
installed. CAS monitors all changes to various constructs, including changes to files,
file ownership and permission definitions, registry values, environment variables, and
database structures. It polls these constructs based on a set of periods defined by the
user and, if there are any changes, it notifies the InfoSphere Guardium server precisely
which element was changed, what the new value is (versus the old value), etc. CAS works
from a template that defines what to monitor. The InfoSphere Guardium system includes a
set of predefined templates that define the best practices for monitoring in several different
The PCI and SOX accelerators are included with your DAM standard edition license as of V9.
They are still a separate download patch and install but will likely be incorporated into the base produc
To see the PCI tabs, you need to be a user with the PCI role as assigned by the Access Manager of your
The accelerators provide you with out of the box reports and predefined group definitions (you can pop
Keep an eye on developerWorks – there will be an article on using the PCI accelerator sometime in 1H
Fine-Grained Policies with Real-Time Alerts
Included with DAM
(Diagram: Application Server 10.10.9.244 issues SELECT on EmployeeTable → Database Server 10.10.9.56; heterogeneous support including System z and IBM i data servers)
Example of detecting access to the database server from someone using the App Server
credentials.
Alerting is one of the options you have for policy rules. You can set up pretty
fine-grained rules. Alerts can be sent to email, syslog and/or to a SIEM system such as
QRadar. They will also appear on the Incident Management tab of the Guardium UI. Be careful
about how you set the Action: Alert per Match could end up sending a lot of emails to
someone, depending on the type of SQL statement.
Notes:
The most common type of exception rule created is to alert on x number of failed login
attempts within x minutes; for example, 3 failed login attempts within 5 minutes.
To create this alert, create a new exception rule as follows:
• Action = Alert Per Match
• Minimum Count = 3
• Reset Interval = 5
• Excpt. Type = LOGIN_FAILED
• DB User = . (period). Placing a period in DB User causes the system to place a counter
on DB User, so that you will only receive an alert if the same user attempts to log in
three times within five minutes. Otherwise, it will alert whenever there are three failed
logins from any three users within five minutes, which could result in a great deal of
false positives.
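The difference between a per-user counter and a single global counter is the whole point of the "." in the DB User field, and it is easiest to see on a few events. The following is an added example for this page, not Guardium's rules engine: a minimal threshold-within-window detector run over a constructed exception log, with the counter keyed per user or globally.

```python
"""Added example: threshold-within-window alerting on failed logins, showing
why keying the counter per DB user (the '.' in the DB User field) matters.
Illustrative code, not Guardium's rules engine."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample exception log (not from the page): (timestamp, db_user, exception type)
SAMPLE_EVENTS = [
    ("2013-02-21 09:00:00", "alice", "LOGIN_FAILED"),
    ("2013-02-21 09:01:00", "bob",   "LOGIN_FAILED"),
    ("2013-02-21 09:02:00", "carol", "LOGIN_FAILED"),
    ("2013-02-21 09:03:00", "alice", "LOGIN_FAILED"),
    ("2013-02-21 09:04:00", "alice", "LOGIN_FAILED"),
    ("2013-02-21 09:30:00", "bob",   "LOGIN_FAILED"),
    ("2013-02-21 09:31:00", "bob",   "SQL_ERROR"),
    ("2013-02-21 09:32:00", "bob",   "LOGIN_FAILED"),
]


def failed_login_alerts(events, min_count=3, reset_interval_min=5,
                        exception_type="LOGIN_FAILED", per_user=True):
    """Return [(alert_time, counter_key)] for each time the threshold is reached.

    per_user=True keeps one counter per DB user (the '.' in the rule's DB User field);
    per_user=False keeps a single counter for everyone (an empty DB User field).
    """
    window = timedelta(minutes=reset_interval_min)
    recent = defaultdict(deque)  # counter key -> timestamps still inside the window
    alerts = []
    for ts_str, user, exc in events:
        if exc != exception_type:
            continue
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        key = user if per_user else "*"
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # expire events older than the reset interval
            q.popleft()
        if len(q) >= min_count:
            alerts.append((ts_str, key))
            q.clear()                     # counter resets once the alert fires
    return alerts


if __name__ == "__main__":
    print("per-user counter:", failed_login_alerts(SAMPLE_EVENTS))
    print("global counter:  ", failed_login_alerts(SAMPLE_EVENTS, per_user=False))
```

With the per-user counter only alice trips the rule (three failures within four minutes); bob's failures are too far apart. With the global counter the rule fires at 09:02 on three different users who each failed once, which is exactly the false positive the notes warn about.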
S-GATE: Blocking Access
Included with DAM Advanced
“DBMS software does not protect data from administrators, so DBAs today have the ability to
view or steal confidential data stored in a database.” Forrester, “Database Security: Market Overview,” Feb. 2009
(Diagram: Application Servers issue SQL → S-GATE → Oracle, DB2, MySQL, Sybase, etc. Privileged users / outsourced DBA issue SQL → S-GATE holds the SQL → check policy on appliance → Policy Violation: Drop Connection → connection terminated, session terminated)
Preventing Unauthorized Access
Configurable behavior to block access, for example by privileged users to sensitive data.
The Guardium solution works across multiple different database types and does not rely on an
appliance between the App Server and database to do this. No impact to the legitimate
Application Server traffic.
S-GATE, an extension of the S-TAP agent, resides at the kernel level on the database server. S-GATE can look for privileged user access specifically and hold only this traffic for validation.
Guardium will hold the transaction, do an analysis, and allow it only if it doesn’t violate a policy.
If the privileged user violates a policy, Guardium can block this and report or alert on the
violation.
Other solutions that rely on an inline appliance would add latency to the application traffic and
would not be able to block a user at the database console: they can’t block local
access.
Using this requires that you configure the guard_tap.ini file and create a policy rule.
Here’s part of guard_tap.ini:
firewall_default_state=0
firewall_fail_close=0
firewall_force_unwatch=NULL
firewall_force_watch=NULL
firewall_installed=1
firewall_timeout=10
For more detail on using S-GATE for blocking: See the Guardium “Protect” Help book.
Mask Unauthorized Access To Sensitive Information
Included with DAM Advanced
Cross-DBMS Dynamic Data Masking (DDM)
Cross-DBMS policies
Mask sensitive data
No database changes
No application changes
(Diagram: Application Servers and unauthorized users / outsourced DBA issue SQL → S-TAP → Oracle, DB2, MySQL, Sybase, etc.; the S-TAP redacts and masks sensitive data, so the user’s view of the data differs from the actual data stored in the database)
It’s critical to keep private data private, and that includes keeping it private from
authorized users such as DBAs.
Guardium can mask data using a single solution across multiple database types.
Redaction (scrub) rules should be set at the session level (meaning, trigger rules on
session attributes like IPs, users, etc.), not at the SQL level / attributes (like
OBJECT_NAME or VERB), because if you set the scrub rule on the SQL that needs to be
scrubbed, it will probably take a few milliseconds for the scrub instructions to make it
to the S-TAP, during which some results may go through unmasked. To guarantee all SQL is
scrubbed, set the S-TAP (S-GATE) default mode to "attach" for all sessions (in
guard_tap.ini). This guarantees that no command goes through without being inspected by
the rules engine, holding each request and waiting for the policy's verdict on it. This
deployment will introduce some latency, but this is the way to ensure 100% scrubbed data.
For more information, see the Guardium “Protect” Help Book.
InfoSphere Guardium Data Encryption
(Diagram: in the clear-text case, both the file system metadata (Name: Jsmith.doc, Created: 6/4/99, Modified: 8/15/02) and the file data (Name: J Smith, CCN: 60115793892, Exp Date: 04/04, Bal: $5,145,789, SSN: 514-73-8970) are readable. With block-level MetaClear encryption, the same metadata stays in the clear while the file data blocks are ciphertext.)
Protects Sensitive Information Without Disrupting Data Management
• High-Performance Encryption
• Root Access Control
• Data Access as an Intended Privilege
InfoSphere Guardium Encryption Expert uses a proven and highly effective encryption
process called MetaClear. MetaClear encryption protects the file data while leaving the
file system metadata (the data about the data) in the clear.
There are three benefits of MetaClear encryption:
* Transparency: because the outward appearance of the files does not change, there is no
impact to the OS, databases, storage, end-users, etc.
* Need to know: applications and privileged administrators can still access protected
data but may not be allowed to see the file data in clear text. This meets separation of
duties requirements. It also enforces need-to-know policies.
* Performance: we only encrypt/decrypt the specific portion of the file that is being
processed. This has major implications for databases, since a database doesn’t use all of
its data at once, only a few rows at a time.
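Two of the properties just listed, metadata left in the clear and decrypting only the part of the file being read, are easier to see with a small model. The following is an added example written for this page; it is not IBM's code and not how MetaClear is implemented. The page does not name the product's cipher, so HMAC-SHA256 in a counter construction stands in for it here, and the key, file id, metadata and record data are constructed values.

```python
"""Added example: block-level encryption that leaves file metadata in the clear
and decrypts any single block independently. Illustrative only: HMAC-SHA256 in a
counter construction stands in for the product's cipher, which the page does not name."""
import hashlib
import hmac

BLOCK_SIZE = 64  # tiny for the demo; file systems use 4 KiB or larger blocks


def _block_keystream(key, file_id, block_index):
    """Keystream for one block: HMAC(key, file_id || block_index || counter), chained
    until BLOCK_SIZE bytes are available. Including block_index in the input means
    block k can be decrypted without touching any other block."""
    out = b""
    counter = 0
    while len(out) < BLOCK_SIZE:
        msg = file_id + block_index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:BLOCK_SIZE]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))  # zip truncates to the shorter input


def encrypt_file(key, file_id, metadata, data):
    """Return (metadata, ciphertext): metadata passes through untouched, file data is
    transformed block by block. Caveat: this demo reuses the same keystream if a block
    is rewritten under the same key and file_id; a real system rotates a per-file key
    or versions the block tweak to avoid that."""
    blocks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
    ciphertext = b"".join(_xor(b, _block_keystream(key, file_id, i))
                          for i, b in enumerate(blocks))
    return dict(metadata), ciphertext


def decrypt_block(key, file_id, ciphertext, block_index):
    """Recover one plaintext block, reading only that block's ciphertext bytes."""
    start = block_index * BLOCK_SIZE
    return _xor(ciphertext[start:start + BLOCK_SIZE],
                _block_keystream(key, file_id, block_index))


# Constructed demo input (not from the page).
DEMO_KEY = b"\x01" * 32
DEMO_FILE_ID = b"demo-file-0001"
DEMO_METADATA = {"name": "Jsmith.doc", "created": "6/4/99", "modified": "8/15/02"}
DEMO_DATA = b"".join(f"record {i:03d} balance 5145789\n".encode() for i in range(10))


def demo():
    """Encrypt the demo file, then read back block 2 alone. Returns values for checking."""
    meta, ct = encrypt_file(DEMO_KEY, DEMO_FILE_ID, DEMO_METADATA, DEMO_DATA)
    block2 = decrypt_block(DEMO_KEY, DEMO_FILE_ID, ct, 2)
    n_blocks = (len(ct) + BLOCK_SIZE - 1) // BLOCK_SIZE
    full = b"".join(decrypt_block(DEMO_KEY, DEMO_FILE_ID, ct, i) for i in range(n_blocks))
    return {"metadata": meta, "ciphertext": ct, "block2": block2, "roundtrip": full}


if __name__ == "__main__":
    r = demo()
    print(r["metadata"])          # still readable by the file system and tools
    print(r["ciphertext"][:32])   # not readable without the key
    print(r["block2"])            # one block recovered without decrypting the rest
```

The shape to notice is that `decrypt_block` needs only the block index, the key and that block's bytes, which is what lets a database read a few rows without the whole file being decrypted; the metadata dictionary is never touched by the cipher at all.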
Entitlement Reporting: Reducing the Cost of Managing User Rights
Included with VA Advanced
Provides a simple means of aggregating and understanding entitlement information
– Scans and collects information on a scheduled basis, including group and role information
Out-of-the box reports for common views
– Report writer for custom views
Integrated with all other modules including workflow, etc.
Eliminates the resource-intensive and error-prone process of manually examining each database and stepping through roles
Entitlement reviews are the process of validating and ensuring that users only have the
privileges required to perform their duties. Along with authenticating users and
restricting role-based access privileges to data, even for the most privileged database
users, there is a need to periodically perform these entitlement reviews. This is also
known as database user rights attestation reporting.
Use Guardium’s predefined database entitlement (privilege) reports, for example, to see
who has system privileges and who has granted these privileges to other users and roles.
Database entitlement reports are important for auditors tracking changes to database
access and for ensuring that security holes do not exist from lingering accounts or
ill-granted privileges. Custom database entitlement reports have been created to save
configuration time and facilitate the uploading and reporting of data. Entitlement
reports for DB2 for z/OS are also provided.
DB2 Entitlement Reports
Here’s an example of a DB2 entitlement report.
Heterogeneous Database Entitlement Reports – Oracle Sample Reports
Here’s an Oracle report, and a listing of all the databases for which entitlement
reporting is supported. Remember, you need VA Advanced or this will not appear in your
console.
Audit Process Overview
Included with DAM
Included with VA
Create a process to review entitlement reports and new connections to the database
Use separation of duties to validate the process
Entitlement Report can be used to identify “new” connections to the database
Here’s an example of using the audit process (workflow) to automate review of
entitlement reports. To ensure that no one person is solely in control of allowing new
connections or entitlements, use Guardium’s separation of duties capability to
automatically route the report through the appropriate approvers. The next few slides
step through how to do that.
Audit Process Overview
1. Business Owner (PCI Role) approves or rejects new connections to the database
2. Information Security (InfoSec Role) confirms the Business Owner recommendation
3. Guardium Admin (Admin Role) only makes changes for “authorized” connections
If there are no new connections, the report will be empty and automatically approved… (i.e. don’t waste anyone’s time)
One thing all auditors are going to want to see is a process that ensures all
incidents are investigated and remediated. InfoSphere Guardium is unique in providing
an integrated compliance workflow automation application that automates the process of
ensuring all incidents are addressed, which reduces your operational costs while
quickly providing the audit trail required for compliance.
The compliance workflow tool gives you the flexibility to define unique custom
processes for different organizations or efforts, for example different escalation or
review steps for different parts of the organization to ensure checks and balances. In
this example, we are using this workflow process to ensure review and approval of new
database connections. It needs to be routed from the business owner, through
information security and then to the Guardium Admin who can actually move the new
connections to the “approved connections” group.
The workflow process also provides enough granularity to handle individual line items
in a report, like rerouting a subset of issues for escalation or outside review.
These capabilities enable the cost benefits of automation to be realized. Even in
large, complex organizations where you have a variety of different processes, and a
variety of incidents with differing remediation profiles, this custom workflow can fit
seamlessly into your organizational processes.
Audit Process Trail Created For Authorization Process
(Screenshot callout: here are the connections that need to be approved.)
Here you can see the auditable review process signoffs.
Audit Process Trail Created For Authorization Process
(Screenshot callout: reviewer can add comments.)
You can add your comments and sign results when routed to you.
Use Guardium API linkage with Reports to Automatically Add Connections
(Screenshot callout: four connections added to group.)
Now that our 4 connections have been approved, the Guardium Administrator
can move them into a group of ‘Authorized’ connections directly from the
‘unauthorized connections’ report. This is done by invoking the
“create_member_to_group_by_desc” API directly from the report as shown here.
Select the connections to add and, voila!, they are added to the authorized group
and should no longer appear in the unauthorized connection report.
What we’ll cover today
What is Guardium and what problems does it address?
Overview of some capabilities
Architectural overview and policy primer
Deployment topologies
Guardium team and projects
Whirlwind tour of the UI
Administration/automation (CLI and API)
Where to find more information
InfoSphere Guardium Architecture
Application Servers (SAP, Oracle EBS, custom apps, etc.)
S-TAP – Software Tap (lightweight probe which copies information to the appliance; agent required on the database server)
Guardium Appliance: secure audit records; supports separation of duties; collects and normalizes data for efficient storage; single repository for all audit data; data is immediately available and highly secure
Capabilities: auditing, real-time alerting, blocking, Dynamic Data Masking (DDM)
Role-based GUI provides access to audit data (Information Security, Auditors, DBA, etc.)
The Guardium appliance is hardened, by which we mean that there is no root access allowed to the data stored there.
The heavy-duty lifting of parsing and logging data traffic is done there. The appliance is easily deployable.
Once set up, the Collector can gather all the audit information in a normalized format (like a SIEM for DBs). The Vulnerability Assessment tool will scan these DBs and DB servers for needed patches
or configuration hardening, based on periodically updated vulnerability templates.
S-TAP agents are very lightweight. They require no changes to the database or applications. Collectors (appliances) handle the heavy lifting (parsing, logging,
etc.) to reduce the impact on the database server. They are OS-specific (e.g., Linux, Windows). The S-TAP listens for network packets between the DB client and
the DB server. The Guardium Admin configures each S-TAP to listen on the correct database ports and to interpret the specific type of database that Guardium needs
to listen for. These configurations are called ‘inspection engines’. There is also an automatic discovery process to do the DB discovery for you and configure the
inspection engines with the correct ports. The S-TAPs monitor ALL access via network (TCP) or local connections (Bequeath, shared memory, named pipes, etc.). A
privileged user working on the server console won’t be detected by any solution that only monitors network traffic, so be careful of SPAN-port-only solutions.
The GUI is web-based and is customized out of the box for different roles such as PCI auditor. It’s also quite customizable, with the ability to add and delete portlets for specific functions. Those
customizations can be rolled out to others.
What Can Be Audited?
Key message: information is based on a database session. Understand what needs to be audited.
Typical database session, from the database client to the database server and back:
Activity from the DB client to the DB server: client/server network connections; session starts (log in); SQL requests (commands); session ends (log out)
Activity from the DB server to the DB client: failed login messages; SQL errors; result sets
What needs to be audited? Session information; user information; SQL statements; responses (failed events, result sets)
Once S-TAP has been installed and the inspection engines configured, S-TAP will start forwarding all
database traffic to the collector. This traffic is analyzed, parsed, and logged by the sniffer process
on the collector. The traffic sent by S-TAP, and then analyzed, parsed and logged by the sniffer, is:
Database Client -> Database Server
•Client/server network connections
•Sessions (logins/logouts)
•SQL requests (commands)
Database Server -> Database Client
•Failed login messages
•SQL errors
•Result sets
Capture and Parsing Overview
The database client (DB user Joe) sends “Select name, cardid from Creditcard” to the database server.
S-TAP on the database server copies the information and sends it to the Guardium Collector.
The analysis engine on the collector parses the SQL statement and stores it in the read-only hardened repository (no direct access) as:
Sessions: Joe
Commands: Select
SQL: Select name, cardid from Creditcard
Objects: Creditcard
Columns/Fields: name, cardid
How do you get access to this information?
Here’s a simple example to illustrate the flow of a select statement. Remember, we learned that
from the client to the server, we will pass on not just the ‘command’ (the Select statement in the
above example) but relevant information about the client/server network connection (client IP, server IP, etc.) and
the session information (login, logout). Because the S-TAP only copies the traffic and the parsing is done on the collector, this process does not introduce latency for the database
server.
The Analysis Engine (colloquially known as the ‘sniffer’) will parse the information and store it in the
internal Guardium repository on the hardened appliance. There is no direct access to this data; you
have to go through the UI or API to run reports or set up alerts, etc., to make use of that data. As
you will see in the next slide, the data is externalized as domains, entities and attributes, not usually
the direct table names.
Reports/Query Builder
Network packet: 1.1.1.1 23345 10.12.1.12 1433 select name, cardid from Creditcard;
Traffic is filtered at different stages based on policy rules.
Parsed, analyzed and logged in the read-only hardened repository (no direct access) as entities and attributes: Sessions, SQL, Commands, Objects, Columns/Fields, Exceptions, Returned Data.
The query builder for reports is built on these entities and attributes.
Policy rules determine where filtering occurs between the S-TAP and the time it gets logged. There
are some filters that happen at the S-TAP level which can help reduce the traffic sent to the
appliance:
•Network information: filter client/server IP, filter TCP ports
•Which sessions to monitor/ignore (based on OS user, DB user, etc.)
•What traffic (SQL, exceptions, returned data) to audit, and in what granularity (based on
the command, the tables, the user, etc.)
Now that the audit data is in the repository of the hardened collector, how do you get at it? There
are many out-of-the-box reports, but it’s good to have an understanding of how those reports are
created so you can really take advantage of the stored audit data for your own needs.
The audit data is represented in the Guardium system as a collection of domains, with appropriate
entities and attributes associated with that domain. (The Appendices help book includes more
details about this.) Each Guardium role typically has access to a subset of domains, depending on
the function of that role within the company. Guardium admin role users typically have access to all
reporting domains.
This slide shows use of the query builder for creating reports and how the entities and attributes
appear on the builder.
Policy Primer - Accessing the Policy Builder
Notes:
To access the Policy Builder:
•As a user with the admin role go to Tools -> Policy Builder
•As a user with the user role go to Protect -> Security Policies -> Policy Builder
Note:
For a policy, or any changes to a policy, to take effect, it must be installed.
To install a policy:
•Go to the Administration Console, Policy Installation
•Highlight the policy that you would like to install and choose Install from the drop-down list
If the groups contained within the policy are updated regularly, the installation should be scheduled
by clicking Modify Schedule to open the general-purpose scheduling utility. For example, if you
are using ‘Populate from Query’ to update a group of privileged users nightly, the policy should be
scheduled to be reinstalled after the group update.
More than one installed policy is permitted at the same time. All installed policies are available for
action and are run sequentially. The only limitation is that policies defined as selective audit policies
cannot be mixed with policies not defined as selective audit policies. If you try to mix them, an
error message will result when installing these mixed policies. The order of appearance can be
controlled during the policy installation, such as first, last or somewhere in between, but the order of
appearance cannot be edited at a later date.
Remember: the policy must be installed after any modifications (such as new or changed
rules) for the changes to take effect. Use the Install & Override option on the
installation.
3 Types of Policy Rules
Rules are evaluated on three kinds of traffic to and from the database server:
1. SQL Query (access rule)
2. Result Set (extrusion rule)
3. Exception (SQL errors and more) (exception rule)
There are three types of rules:
1. An access rule applies to client requests
2. An extrusion rule evaluates data returned by the server
3. An exception rule evaluates exceptions returned by the server
Concept information – Rule Types
There are three types of rules, which will determine which fields are available in
the policy rule builder.
Access rule – An access rule evaluates client accesses and enables the
creation of real-time alerts.
Exception rule – An exception rule evaluates real-time exceptions returned by
the server. For example, it might test for five file permission exceptions within one
minute.
Extrusion rule – An extrusion rule evaluates real-time data returned by the
server (in response to requests). For example, it might test the returned data for
numeric patterns that could be social security or credit card numbers. For
extrusion rules only, portions of database query output (for example, credit card
numbers) may be masked for certain users.
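The chain the Capture and Parsing Overview and this rule-type slide describe (capture a statement, normalize it into session, command, objects and fields, then apply an access rule to the request, an extrusion rule to the result set and an exception rule to server errors) as a small Python model. This is an added example, not Guardium’s sniffer or policy engine: the capture line copies the slide’s packet example, while the group contents (SENSITIVE_OBJECTS, APPLICATION_ACCOUNTS), the Luhn filter, the mask format and the five-in-sixty-seconds threshold are assumptions made for illustration.

```python
"""Toy model of the capture -> parse -> policy-rule chain shown on these slides.

Added example, not Guardium code: the real sniffer, policy engine and repository are
proprietary. The record format follows the slide's packet line (client IP, client port,
server IP, server port, SQL); group contents, thresholds and the mask format are assumed.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed capture record, in the shape of the packet line on the slides.
RAW = "1.1.1.1 23345 10.12.1.12 1433 select name, cardid from Creditcard;"

# Assumed group contents (in Guardium these would be the "Sensitive Objects" and
# application-account groups maintained by the Guardium Admin).
SENSITIVE_OBJECTS = {"creditcard", "patients"}
APPLICATION_ACCOUNTS = {"appuser"}

_SQL_SHAPES = [
    re.compile(r"^select\s+(?P<fields>.+?)\s+from\s+(?P<objects>[\w.]+(?:\s*,\s*[\w.]+)*)", re.I | re.S),
    re.compile(r"^update\s+(?P<objects>[\w.]+)", re.I),
    re.compile(r"^(?:delete\s+from|insert\s+into)\s+(?P<objects>[\w.]+)", re.I),
]


@dataclass
class Parsed:
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    sql: str
    command: str      # SELECT / UPDATE / ...
    objects: list     # tables referenced
    fields: list      # columns named (SELECT only)


def parse_capture(line: str) -> Parsed:
    """Normalize one captured statement into the entities the slides list:
    session endpoints, command, SQL, objects and columns/fields."""
    cip, cport, sip, sport, sql = line.split(maxsplit=4)
    sql = sql.strip().rstrip(";")
    command = sql.split()[0].upper()
    objects, fields = [], []
    for shape in _SQL_SHAPES:
        m = shape.match(sql)
        if m:
            objects = [o.strip() for o in m.group("objects").split(",")]
            if "fields" in m.groupdict():
                fields = [f.strip() for f in m.group("fields").split(",")]
            break
    return Parsed(cip, int(cport), sip, int(sport), sql, command, objects, fields)


def access_rule(p: Parsed, db_user: str):
    """Access rule (client -> server): alert when a sensitive object is touched by
    anyone other than an application account. Returns the alert text or None."""
    hits = [o for o in p.objects if o.lower() in SENSITIVE_OBJECTS]
    if hits and db_user.lower() not in APPLICATION_ACCOUNTS:
        return f"ALERT access: {db_user} ran {p.command} on {','.join(hits)} from {p.client_ip}"
    return None


_CARD_RE = re.compile(r"\d{13,16}")


def luhn_ok(digits: str) -> bool:
    """Luhn check so that other long numbers (order IDs) do not trigger masking."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def extrusion_rule(rows, db_user: str, cleared_users=frozenset()):
    """Extrusion rule (server -> client): scan the result set for card-number patterns.
    Returns (number of matches, rows with the value masked for users not cleared)."""
    matches, out = 0, []
    for row in rows:
        new_row = []
        for cell in row:
            text = str(cell)
            if _CARD_RE.fullmatch(text) and luhn_ok(text):
                matches += 1
                if db_user not in cleared_users:
                    text = "X" * (len(text) - 4) + text[-4:]   # assumed mask format
            new_row.append(text)
        out.append(tuple(new_row))
    return matches, out


class ExceptionRule:
    """Exception rule: N failures from one client inside a sliding window, e.g. the
    slides' "five exceptions within one minute"."""

    def __init__(self, threshold: int = 5, window_sec: int = 60):
        self.threshold, self.window = threshold, window_sec
        self._seen = defaultdict(deque)

    def observe(self, client_ip: str, ts: float) -> bool:
        """Record one failed login / SQL error at time ts; True when the threshold trips."""
        q = self._seen[client_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return len(q) >= self.threshold
```

The three rule functions are deliberately independent: in the slides’ model the access rule fires on the request before any data is returned, the extrusion rule only ever sees the result set, and the exception rule counts server responses over time, so a single statement can be evaluated by all three.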
SAP PCI Policy Overview
This is a sample predefined policy. It has three different types of rules:
-Access Rules
-Extrusion Rules
-Exception Rules
Each of these types of rules helps secure your environment. It’s also helpful to
understand the impact on the system depending on what type of information you
are trying to audit (the three rule types are defined on the previous slide).
One Unauthorized Access Violates 4 Security Rules
This presentation doesn’t show all the individual rules, but some are included in
the backup slides. This slide highlights a couple of rules that were violated as a
result of the query that returns a credit card number. You can see that the credit
card value is masked in the report.
Quiz question!
What are the three types of policy rules? Pick the best answer from below:
1. Masking, extrusion, access
2. Access, PCI, compliance
3. Access, exception, extrusion
4. None of the above
The correct answer is 3.
What we’ll cover today
What is Guardium and what problems does it address?
Overview of some capabilities
Architectural overview and policy primer
Deployment topologies
Guardium team and projects
Whirlwind tour of the UI
Administration/automation (CLI and API)
Where to find more information
Deployment flexibility and scalability
Standalone unit: a Collector.
Central Manager and Aggregator (“Manager unit”): the Central Manager (CM) contains the central location for policies and definitions for the entire federated system and provides “Enterprise Views”.
Aggregators sit between the Central Manager and the Collectors (“Managed units”).
“Aggregation” = nightly audit data uploaded from Collectors.
Built-in redundancy for audit data (collector and aggregator).
Appliance Types
Collector
Used to collect database activity, analyze it in real time and log it in the internal repository for further analysis and/or
reacting in real time (alerting, blocking, etc.). Use this unit for the real-time capture and analysis of the database activity.
Aggregator
Used to collect and merge information from multiple appliances (collectors and other aggregators) to produce a holistic
view of the entire environment and generate enterprise-level reports. The Aggregator does not collect data itself; it just
aggregates data from multiple sources.
Central Manager
Use this appliance to manage and control multiple Guardium appliances. With Central Manager (CM), manage the entire
Guardium deployment (all the collectors and aggregators) from a single console (the CM console). This includes patch
installation, software updates and the management and configuration of queries, reports, groups, users, policies, etc.
Note:
In many environments, the Central Manager is also the Aggregator. Central Manager and Aggregator can be installed on
the same appliance.
Hierarchical Aggregation
Guardium also supports hierarchical aggregation, where multiple aggregation appliances merge upwards to a higher-level, central aggregation appliance. This is useful for multi-level views. For example, you may need to deploy one
aggregation appliance for North America aggregating multiple units, another aggregation appliance for Asia aggregating
multiple units, and a central, global aggregation appliance merging the contents of the North America and Asia
aggregation appliances into a single corporate view. To consolidate data, all aggregated Guardium servers export data to
the aggregation appliance on a scheduled basis. The aggregation appliance imports that data into a single database on
the aggregation appliance, so that reports run on the aggregation appliance are based on the data consolidated from all
of the aggregated Guardium servers.
Aggregation Process
•Accomplished by exporting data on a daily basis from the source appliances to the Aggregator (copying daily export
files to the aggregator).
•The Aggregator then goes over the uploaded files, extracts each file and merges it into the internal repository on the
aggregator.
For example, if you are running Guardium in an enterprise deployment, you may have multiple Guardium servers
monitoring different environments (different geographic locations or business units, for example). It may be useful to collect all data in a central location to facilitate
an enterprise view of database usage. You can accomplish this by exporting data from a number of servers to another
server that has been configured (during the initial installation procedures) as an aggregation appliance. In such a
deployment, you typically run all reports, assessments, audit processes, and so forth, on the aggregation appliance to
achieve a wider view, not always an enterprise view.
Central Manager (included with CM/AGG)
Admin Console -> System
Need same shared secret to register
Once you have a Central Manager, you must connect the other machines into a
Central Management system. For security reasons, it is a requirement that the
communication between the machines be encrypted using the same "shared
secret".
To do this, do the following:
1. For each machine (including the Central Manager), log into the Guardium GUI
as the admin user
2. Click on the Administrator Console tab
3. Click on the System link in the left hand column menu
4. Set the Shared Secret to the same string on all systems
Central Manager (included with CM/AGG)
Admin Console -> System
Need same shared secret to register
Install Policy, Patch Distribution, Registration, etc.
Here you can see the collectors that are connected in this central management
system.
From here, you can install policies, distribute patches, etc.
In a central management configuration, one Guardium unit is designated as the
Central Manager. That unit can be used to monitor and control other Guardium
units, which are referred to as managed units. Unmanaged units are referred to
as standalone units.
The concept of a "local machine" can refer to any machine in the Central
Management system. There are some applications (Audit Processes, Queries,
Portlets, etc.) which can be run on both the Managed Units and the Central
Manager. In both cases, the definitions come from the Central Manager and the
data comes from the local machine (which could also be the Central Manager).
Once a Central Management system is set up, you can use either the Central
Manager or a Managed Unit to create or modify most definitions. Keep in mind
that most of the definitions reside on the Central Manager, regardless of which
machine the actual editing is done from.
Included with CM/AGG
Here are reports that you can see to help manage the health of your central
management system. The TAP Monitor tab is where administrators can access S-TAP reports.
Enterprise S-TAP View (included with CM/AGG)
The "Detailed Enterprise S-TAP view" shows, from the Central Manager,
information on all active and passive S-TAPs on all collectors and/or managed
units.
Scale from small to VERY large
Enterprise architecture with dynamic scalability
Non-invasive/non-disruptive, cross-platform architecture
No environment changes
Integration with: LDAP, SIEM, change management, archiving, and more
Guardium is designed to handle scalability and cross-geographical deployments. We talked about how the aggregators
and central managers can help you scale out and scale up. Here’s how it could look in a large distributed environment.
Multiple S-TAPs and Collectors as needed to handle monitoring and auditing requirements for those
systems
S-GATE – blocking for only the traffic you need to block!
S-TAP for z/OS – monitoring mainframes as well as distributed platforms; roll those results up into your
enterprise reports.
Centralized policy management
Centralized audit repository
Scalable: auditing millions of transactions
Add Collectors when and where needed to handle whatever throughput and auditing requirements
you need
S-TAP agents provide failover and redundancy options as we will talk about in the next slide.
Failover, Load Balancing, and “Grid”
1. Basic
2. Failover
3. Load Balancing
In many cases only a single Guardium appliance will be defined as the host for
an S-TAP. Additional hosts can be defined to provide a failover and load
balancing capability.
Failover.
S-TAP collects and sends data to a Guardium host in near real time. S-TAP
buffers the data, so that it can continue to work if the Guardium host is
momentarily unavailable. If the primary host is unavailable for an extended period of time (the time
can be shorter if the buffer is filling up), S-TAP can fail over to a secondary
Guardium host. It will continue to send data to the secondary host until either that
appliance becomes unavailable, the S-TAP is restarted, or a connection to
the primary server has been reestablished and remains up for a period of
5*connection_timeout_sec seconds (configurable in the guard_tap.ini file; the default is 60 seconds). In this case S-TAP will
fail back from the secondary Guardium host to the primary Guardium host.
When a failover of S-TAP occurs, session information can also be sent over to
the current active Guardium host.
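The failover and fail-back rules in the notes above, as an added simulation in Python (not S-TAP code). The host names, the 300-second outage limit, the buffer size and the per-second message rate are constructed values for the model; connection_timeout_sec=60 and the 5*connection_timeout_sec fail-back condition are the ones stated in the notes.

```python
"""Toy model of S-TAP fail-over / fail-back as described in the notes above.

Added example, not the S-TAP implementation. The two fail-over triggers follow the
notes (primary unavailable for too long, or the buffer filling up) and fail-back
happens after the primary stays reachable for 5 * connection_timeout_sec. The outage
limit, buffer capacity and message volume are assumed values for the simulation.
"""
from dataclasses import dataclass, field


@dataclass
class STapFailover:
    hosts: list                        # host names; hosts[0] is the primary
    connection_timeout_sec: int = 60   # guard_tap.ini default per the notes
    max_outage_sec: int = 300          # assumed: tolerated outage before failing over
    buffer_capacity: int = 1000        # assumed: messages S-TAP can hold while disconnected
    active: str = ""
    outage_sec: int = 0
    buffered: int = 0
    primary_up_sec: int = 0
    events: list = field(default_factory=list)

    def __post_init__(self):
        self.active = self.hosts[0]

    @property
    def primary(self) -> str:
        return self.hosts[0]

    def tick(self, reachable: set, msgs_per_sec: int = 10) -> str:
        """Advance one second. `reachable` = hosts the S-TAP can currently connect to."""
        if self.active in reachable:
            self.outage_sec, self.buffered = 0, 0    # buffer drains to the live host
        else:
            self.outage_sec += 1
            self.buffered += msgs_per_sec
            if self.outage_sec >= self.max_outage_sec or self.buffered >= self.buffer_capacity:
                # fail over to the first reachable alternative, if any; beyond the
                # buffer limit further audit data would otherwise be lost
                for h in self.hosts:
                    if h != self.active and h in reachable:
                        self.events.append(f"failover {self.active}->{h}")
                        self.active, self.outage_sec, self.buffered = h, 0, 0
                        break
        if self.active != self.primary:
            # fail back only after the primary has been continuously reachable long enough;
            # any second in which it is unreachable restarts the count
            self.primary_up_sec = self.primary_up_sec + 1 if self.primary in reachable else 0
            if self.primary_up_sec >= 5 * self.connection_timeout_sec:
                self.events.append(f"failback {self.active}->{self.primary}")
                self.active, self.primary_up_sec = self.primary, 0
        return self.active


def run(phases, **kw):
    """phases: list of (seconds, reachable-set). Returns (events, final active host)."""
    s = STapFailover(hosts=["collector-a", "collector-b"], **kw)
    for seconds, reachable in phases:
        for _ in range(seconds):
            s.tick(reachable)
    return s.events, s.active
```

The flapping case is the one to notice: a primary that keeps dropping for even a second never gets the S-TAP back, because the fail-back counter only advances while the primary is continuously reachable for the full 5*connection_timeout_sec window.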
Failover, Load Balancing, and “Grid”
1. Basic
2. Failover
3. Load Balancing
4. Grid: same collector settings for all S-TAPs (sqlguard_ip=virtual IP, sqlguard_port=16016, primary=1); tested with load balancers from F5 & Cisco
3. There are options for load balancing you can set in the S-TAP configuration file
(participate_load_balancing=):
0 = Report all traffic to a single appliance (the default).
1 = Load balancing; distribute sessions evenly to all appliances, by client port
number (all traffic for a single session must go to the same appliance).
2 = Full redundancy; report all traffic to all appliances.
3 = In an IP load balancer environment, if the Guardium appliance goes down,
allows the IP load balancer to reconnect S-TAP to a different Guardium
appliance/collector – see the Grid slide next.
Failover, Load Balancing, and “Grid”
http://www.f5.com/pdf/deployment-guides/ibm-guardium-dg.pdf
1. Basic
2. Failover
3. Load Balancing
4. Grid: same collector settings for all S-TAPs (sqlguard_ip=virtual IP, sqlguard_port=16016, primary=1); tested with load balancers from F5 & Cisco
Grid: elasticity for supporting large deployments. Simplify configuration management for S-TAPs to a primary virtual IP
and a secondary, etc. virtual IP. Benefits:
Better uptime, easier scalability, less configuration complexity and less chance
of lost S-TAP data.
Tested with Cisco and F5.
Seamlessly add audit capacity when adding/changing your database infrastructure such as during
enterprise deployments / upgrades.
Automate the relationship between S-TAPs and the Collectors: add or remove collectors with no effect on the deployment.
Simply and consistently configure S-TAPs.
Provide a high degree of failover and load balancing.
From a capacity management perspective, add resources, monitor infrastructure, adjust capacity as needed (or when something fails ☺).
The main value is connection balancing. The Guardium S-TAP connection is long-lived. When the
initial connection setup happens, the F5 BIG-IP or other load balancer will direct the connection to
the least loaded Guardium host, chosen at connection setup time based on connection counts. Because balancing
happens only at connection setup, a collector that returns to service receives no traffic until S-TAPs
reconnect to it. The other benefits of this solution are that the BIG-IP or other supported load balancer will detect an outage, take that Guardium appliance out of
service and then send a TCP reset which will force a new connection. All of this happens without
the intervention of an administrator.
A final benefit is that the configuration complexity is reduced. Instead of mapping the IP addresses of
multiple Guardium hosts in the appropriate .INI file, only the virtual IP address is included; the load balancer
does the rest.
Configure the S-TAP to work with a load balancer environment:
sqlguard_ip = virtual IP address/hostname of the load
balancer (depending on load balancer setup)
participate_load_balancing = 3 (to send pre-existing
session information on every failover to the appliance)
all_can_control = 1 (in order to be able to edit S-TAP
configurations through the GUI)
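The S-TAP settings named across the basic, failover, load-balancing and grid slides, collected into one annotated guard_tap.ini fragment. This is an added example, not a file shipped with Guardium: only sqlguard_ip, sqlguard_port, primary, connection_timeout_sec, participate_load_balancing and all_can_control are quoted on the slides; the section names, tap_ip, the inspection-engine keys under [DB_0] and every address are assumptions to be checked against the S-TAP documentation for your version.

```ini
# Added example of a guard_tap.ini for the topologies on these slides (not a shipped file).
# Keys quoted on the slides: sqlguard_ip, sqlguard_port, primary, connection_timeout_sec,
# participate_load_balancing, all_can_control. Section names, tap_ip and the [DB_0]
# inspection-engine keys are assumptions; all addresses are constructed.

[TAP]
# assumed: the database server's own address, which identifies this S-TAP to the collector
tap_ip=10.12.1.12
# 1. Basic: a single collector (the settings the grid slide quotes, with a real host address)
sqlguard_ip=10.0.0.21
sqlguard_port=16016
primary=1
# 2. Failover: fail back to the primary once it stays up for 5*connection_timeout_sec (300 s here)
connection_timeout_sec=60
# 3. Load balancing across the hosts listed in this file:
#    0 = all traffic to one appliance (default)     1 = sessions spread by client port
#    2 = full redundancy, all traffic to all hosts  3 = IP load balancer (grid), see below
participate_load_balancing=0
# allow this S-TAP's configuration to be edited from the Guardium GUI
all_can_control=1

# 2. Failover: secondary collector, used only while the primary is unavailable
# (assumed section name for an additional host entry)
[SQLGuard_1]
sqlguard_ip=10.0.0.22
sqlguard_port=16016
primary=0

# 4. Grid: point every S-TAP at the load balancer's virtual IP instead of listing hosts,
#    and let the balancer reconnect the S-TAP to another collector after an outage.
#    Replace the [TAP] values above with the two lines below and drop [SQLGuard_1]:
# sqlguard_ip=10.0.0.100
# participate_load_balancing=3

# Inspection engine for the SQL Server traffic in the packet example (assumed keys)
[DB_0]
db_type=MSSQL
port_range_start=1433
port_range_end=1433
networks=0.0.0.0/0.0.0.0
```

The failover and grid sections are alternatives rather than a combination: with a virtual IP the load balancer, not the S-TAP, decides which collector receives the connection, which is why the grid slide keeps a single sqlguard_ip entry.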
Quiz question!
If you need to create corporate audit reports as well as manage a large number of
Collectors, which configuration do you need? Pick BEST answer:
1. Central Manager directly managing Collectors
2. Aggregator connected to Collectors
3. A web application to roll up your reports
4. A Central Manager and one or more Aggregators
The correct answer is 4. A Central Manager on its own manages collectors (policies, patches,
definitions) but does not roll up their audit data, so it cannot produce corporate reports by itself.
Note that answer 2 could work if you had a Central Manager on the same
appliance as the aggregator, but it doesn’t say that! In either case you will
likely need a Central Manager to help you manage policies and definitions across
the enterprise and aggregators to roll up data/reports.
What we’ll cover today
What is Guardium and what problems does it address?
Overview of some capabilities
Architectural overview and policy primer
Deployment topologies
Guardium team and projects
Whirlwind tour of the UI
Administration/automation (CLI and API)
Where to find more information?
Roles and responsibilities – The TEAM
Guardium Access Manager – access control
Guardium Admin – data collection and reporting
Guardium System Administrator – system health
Database Advisor – provide DBA-level understanding and review
Application Advisor – provide application-level understanding and review
Compliance Advisor – identify requirements for compliance
These may vary, and in some situations a single person may perform multiple roles, but each role will have tasks to
perform.
Guardium Access Manager (user: accessmgr)
This user controls access to the system.
They cannot access data under this user, but they can perform user management.
Guardium Admin
This person is primarily responsible for the data collection and reporting, and will perform most of the tasks within the Guardium
application.
This is most often the responsibility of staff within the security department.
Guardium SysAdmin
This person will be responsible for the administration of the Guardium system.
They may or may not view the data on the system, but they are responsible for monitoring the health of the system (status,
usage, errors, etc.).
DBA Advisor
This will be a DBA or DBA manager within your organization that will be the contact point for Guardium requests, and will work closely with the Guardium Admin. This person will have the following responsibilities:
Helps identify sensitive objects (tables, views, procedures, etc.) in the databases.
Provide database understanding – assistance with understanding commands, sensitive objects, etc.
Receive database alerts if defined.
Review error reports from the database standpoint.
Review database access reports.
Application Advisor
This will be an application developer that will be the contact point for issues relating to applications.
This person will have the following responsibilities:
Helps identify sensitive objects (tables, views, procedures, etc.) in the databases.
Provide application understanding of different application users.
Receive application alerts if defined.
Review error reports from the application standpoint.
Review application access reports for discrepancies.
Compliance Advisor
This will be an auditor responsible for database activity compliance. This person will have the following responsibilities:
Identify the required reports for compliance.
Ensure reports are distributed and signed off on a regular basis.
Receive compliance alerts if defined.
Getting started on a monitoring project
0. Education and training
1. Installation Planning – Project Manager, DBA Advisor, Security Auditor, Network Admin, System Admin, Guardium Administrator
2. Appliance Installation – Project Manager, Network Administrator, Guardium Administrator
3. S-TAP agent Installation – Guardium Administrator, DBA Advisor, database server system administrator
4. Monitoring Requirements – those responsible for monitoring, security and review of the logged data; this typically includes Information Security, Audit, DBA Advisor, Data Stewards/Architects
5. Guardium Operations – IT infrastructure, Guardium SysAdmin, disk storage admin
1. Installation Planning
Analyze requirements
Identify database servers in scope
Data centers, locations and network considerations
Installation of the appliances (process, steps and requirements)
Basic configuration of the appliances
Deployment plan of the Guardium appliances
Installation of the S-TAP (process, steps and requirements)
Basic configuration of the S-TAP
2. Appliance Installation
Rack and connect each Guardium appliance to power and network
Configure each Guardium appliance with basic configuration parameters
Verify systems are on the network
(If applicable) Register all Guardium appliances to the “Central Manager”
Review and complete basic configuration of each appliance
3. S-TAP agent Installation
S-TAP agents are installed on database servers
S-TAP agents are configured to capture traffic
Verify that the S-TAP is registered and is sending local traffic
Verify S-TAP traffic is captured by the collector
4. Monitoring Requirements
Configure groups: privileged users, commands, applications, server IPs, source programs, sensitive objects
Setup of reports
Setup of automated audit process
Setup of policy rules based on the “Monitoring Plan”
Alerting processes and procedures
5. Guardium Operations
Aggregation
Archiving
What we’ll cover today
What is Guardium and what problems does it address?
Overview of some capabilities
Architectural overview and policy primer
Deployment topologies
Guardium team and projects
Whirlwind tour of the UI
Administration/automation (CLI and API)
Where to find more information?
Default user view
Navigate tabs; navigate menus; portlets; search, map and help
Users access the appliance over a secure (HTTPS) connection, using a web
browser. All users are defined on the system by the access manager.
The Guardium UI is web-based and includes many configurable portlets, a few of
which are highlighted above. A portlet can be a report, application, or tool. Each
pane may contain any number of report portlets, and a single application or tool
portlet. Note you can often double-click on a report to drill down into further detail.
When you log in for the first time, your portal displays with a layout determined by
the roles that the access manager has assigned to your user account. Although
the access manager controls the initial layout, you can customize your layout
easily, changing the panes displayed and the placement of portlets on each
pane. The upper right contains the icons for searching the UI, mapping the
portlets and the help system.
Default user view – Quick Start
One-page quick start to generate and install a policy, define vulnerability tests (if licensed) and define an audit process.
Callout on the screenshot: Portlets
54
This user application permits a quick start to the Guardium solution. Based on a
profile (one profile per user), this application generates a policy (and installs it),
an assessment, and defines an audit process.
Default user view – Quick Start
Governance, risk and compliance heat map (double-click for detailed reports)
55
This high-level management report shows a snapshot of the current state of the
Guardium system in terms of three areas that matter most: Governance, Risk,
and Compliance (GRC). There are 16 speedometer views. Each has a title and a
tool tip explaining what it reports on. Double-clicking on the view produces a drilldown tabular report with full details. The view is organized as a heatmap.
Black color within the speedo view indicates that there is underlying data
that can be accessed by double-clicking on the view. White color within the
speedo view indicates that there is no underlying data available.
For Compliance there are two rows: the first for the database environment and the
second for the appliance (for example, whether data is being backed up or not).
A proper Governance strategy implements systems to monitor and record current
business activity, takes steps to ensure compliance with agreed policies, and
provides for corrective action in cases where the rules have been ignored or
misconstrued. Risk Management is the process by which an organization sets the
risk tolerance, identifies potential risks and prioritizes the tolerance for risk based
on the organization’s business objectives. Compliance is the process that records and
monitors the policies, procedures and controls needed to enable compliance with
legislative or industry mandates as well as internal policies.
Default user view
Callouts on the screenshot: build policies and reports; DB discovery and classification; VA and configuration access (if licensed); create audit process workflows; create policies and alerts and see policy violations
56
Tip: Use Portal Map or Portal Search to quickly find what you need
Callouts on the screenshot: Map; Search; someone’s custom portlet
57
The Map is basically a directory of the portlets in the UI.
Search on the most important word.
Help System
The Appendices Help book has useful reference info such as APIs, entities and attributes, etc.
Download a help PDF for offline reading.
58
Default admin user view
Callouts on the screenshot: create groups, policies, workflows; Configuration; reports for daily monitoring; policy violations and alerts here; double-click for tabular report
59
Default access manager
Callouts on the screenshot: add users and roles; configure data-level security
Granularity and flexibility in roles
Ability to create your own roles
Ability to create user hierarchies to ensure automatic filtering of results based on user’s database
60
Access managers define users and their roles in the system.
I call out data-level security here because that’s a way you can define a hierarchy
of users in the system and map that hierarchy to data sources. This allows you, for
example, to create a single report that will be automatically filtered based on the
report receiver’s role in the hierarchy and whether they are associated with the
data in the report. The same report on database access could be sent to the
Oracle DBA and the DB2 DBA: the Oracle DBA would see only data related to
Oracle, the DB2 DBA would only see data related to DB2, and the DBA manager
could see both sets of data.
What we’ll cover today
What is Guardium and what problems does it address?
Overview of some capabilities
Architectural overview and policy primer
Deployment topologies
Guardium team and projects
Whirlwind tour of the UI
Administration/automation (CLI and API)
Where to find more information
61
Command Line Interface (CLI) and APIs (GuardAPI)
Command line interface used for configuration, troubleshooting and management of the Guardium system
The extensive set of GuardAPIs can be used by a user with either the admin or CLI role for automation of repetitive tasks or for ongoing maintenance
– Creating datasources, adding users/members to groups, connection profiling, entitlement report automation and more
– Many are invokable from reports in the UI!
GuardAPIs are documented in the Appendices help book or from the CLI
– To see a list of all grdapi commands, enter:
CLI> grdapi
– To see the parameters for a particular command:
CLI> grdapi list_entry_location --help=true
62
The Guardium command line interface (CLI) is an administrative tool that allows for configuration,
troubleshooting, and management of the Guardium system.
Access to the CLI is either through the admin CLI account cli or one of the five CLI accounts
(guardcli1,...,guardcli5). The five CLI accounts exist to aid in the separation of administrative
duties. Access to the GuardAPI, which is a set of CLI commands to aid in the automation of
repetitive tasks, requires the creation of a user by access manager and giving those accounts
either the admin or cli role. Proper login to the CLI for the purpose of using GuardAPI requires the
login with one of the five CLI accounts (guardcli1,...,guardcli5) and an additional login with guiuser
by issuing the 'set guiuser' command.
For information about creating a user with CLI authority, see this ‘how to’ in the Information Center:
http://publib.boulder.ibm.com/infocenter/igsec/v1/topic/com.ibm.guardium.using.doc/topics/how-to-create-a-user-with-the-proper-entitlements-to-login-to-cli.html
To list all GuardAPI commands available, enter the grdapi command with no arguments or use the
'grdapi commands' command with no search argument.
For example:
CLI> grdapi
To display the parameters for a particular command, enter the command
followed by '--help=true'. For example:
CLI> grdapi list_entry_location --help=true
APIs enable automation and ease maintenance
Example: Add a member to a group from a report
This example shows how you can use the API to add an ‘authorized’ MapReduce job to a group so it won’t appear in this report anymore.
63
Callout on the screenshot: invoke API to add member to group
In this example, we wanted to add Hadoop MapReduce job names to a group
after they have been vetted so they won’t appear in the ‘unauthorized list’ report
anymore.
There is configuration work to add APIs to reports if they are not already included
with the system. We have a document on this process if you’re interested,
contact me [email protected].
APIs enable automation and ease maintenance
Example: Add a member to a group from a script
-- Create group and members of the group
grdapi create_group desc=SensitiveObjectsMonitored type=objects appid=Public owner=admin
grdapi create_member_to_group_by_desc member=creditcard desc=SensitiveObjectsMonitored
grdapi create_member_to_group_by_desc member=creditcard desc="Cardholder Objects"
grdapi create_member_to_group_by_desc member="10.10.9.56" desc="Authorized Client IPs"
grdapi create_member_to_group_by_desc member="10.10.9.251" desc="Authorized Client IPs"
This example shows how you can use the API to quickly get up and running with groups for PCI compliance.
64
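The grdapi commands on the CLI slide and the group-population script above are the repetitive part of a PCI rollout. Added example, not Guardium or IBM code: a small generator that turns a constructed group inventory into grdapi lines using the same quoting the deck's script uses, validates client-IP members before they reach an allow-list group, and de-duplicates members so the script can be regenerated and re-run. It only builds the lines; running them in a CLI session is a separate step.

```python
import ipaddress

# Constructed sample inventory, not from the deck: for each group, the kind of
# member it holds, whether to create the group first, and the members to add.
# "objects" is the only group type shown in the deck's script.
SAMPLE_PLAN = {
    "SensitiveObjectsMonitored": {
        "kind": "object", "create": True, "members": ["creditcard"]},
    "Cardholder Objects": {
        "kind": "object", "create": False, "members": ["creditcard"]},
    "Authorized Client IPs": {
        "kind": "ip", "create": False,
        "members": ["10.10.9.56", "10.10.9.251", "10.10.9.56"]},  # duplicate on purpose
}

def quote(value, force=False):
    """Quote a grdapi parameter value the way the deck's script does: bare for a
    single token, double-quoted when it contains spaces (or when forced, as the
    deck does for IP members). Embedded double quotes are rejected, not guessed."""
    if '"' in value:
        raise ValueError(f"double quote not supported in value: {value!r}")
    return f'"{value}"' if force or any(c.isspace() for c in value) else value

def validate_member(kind, member):
    """Fail early so a typo never lands in an allow-list group on the appliance."""
    if kind == "ip":
        ipaddress.ip_address(member)  # raises ValueError for anything that is not an address
    elif not member or any(c in member for c in "\r\n\t"):
        raise ValueError(f"bad object name: {member!r}")
    return member

def build_commands(plan):
    """Return the ordered grdapi command lines for a plan. Members are
    de-duplicated so regenerating and re-running the script never adds the
    same member twice."""
    lines = []
    for desc, spec in plan.items():
        if spec["create"]:
            if spec["kind"] != "object":
                raise ValueError(f"only object groups are created here: {desc!r}")
            lines.append(f"grdapi create_group desc={quote(desc)} type=objects "
                         f"appid=Public owner=admin")
        for member in sorted(set(spec["members"])):
            validate_member(spec["kind"], member)
            lines.append("grdapi create_member_to_group_by_desc "
                         f"member={quote(member, force=spec['kind'] == 'ip')} "
                         f"desc={quote(desc)}")
    return lines

if __name__ == "__main__":
    # Paste the printed lines into a CLI session (guardcli1..5 plus 'set guiuser').
    print("\n".join(build_commands(SAMPLE_PLAN)))
```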
What we’ll cover today
What is Guardium and what problems does it address?
Overview of some capabilities
Architectural overview and policy primer
Deployment topologies
Guardium team and projects
Whirlwind tour of the UI
Administration/automation (CLI and API)
Where to find more information
65
Information and training
InfoSphere Guardium YouTube Channel – includes overviews and technical demos
InfoSphere Guardium newsletter
developerWorks forum (very active)
Guardium DAM User Group on Linked-In (very active)
Community on developerWorks (includes content and links to a myriad of sources, articles, etc)
Guardium Info Center (Installation, System Z S-TAPs and some how-tos, more to come)
Technical training courses (classroom and self-paced)
Business Partner bootcamps
Hands on! Ask your IBM sales rep about upcoming Proof of Technologies. For example:
March 12, KC, MO
March 19, Tulsa, OK
66
There are currently two Guardium certification tests.
If you are looking into taking an IBM professional product certification exam, you
may look into taking the 000-463 certification (http://www-03.ibm.com/certify/tests/ovr463.shtml).
Upon completion of the 000-463 certification, you will become an IBM Certified
Guardium Specialist (http://www-03.ibm.com/certify/certs/28000701.shtml).
The certification requires deep knowledge of the IBM InfoSphere Guardium
product. It is recommended that the individual have experience implementing the
product before taking the exam. You can view the detailed topics here:
http://www-03.ibm.com/certify/tests/obj463.shtml
Details of each topic are covered in the product manuals. You will also find the
Guardium Information Center a useful resource when you prepare for the exam:
http://publib.boulder.ibm.com/infocenter/igsec/v1/index.jsp
Next Guardium Tech Talk
Next tech talk: Roadmap to a successful V9 upgrade
Speakers: Vlad Langman and Abdiel Santos
Date & Time: Wednesday March 14, 2013
11:30 AM Eastern
Register here: http://bit.ly/Vkc8g2
Links to more information about this and upcoming tech talks can be found on the InfoSphere
Guardium developerWorks community: http://ibm.co/Wh9x0o
Please submit a comment on this page for ideas for tech talk topics.
67
Thank you: Dziękuję (Polish), Gracias (Spanish), Merci (French), Obrigado (Brazilian Portuguese), Danke (German), Tack (Swedish), Grazie (Italian), and in Traditional Chinese, Thai, Russian, Arabic, Simplified Chinese and Japanese
68
Thank you very much for your time today.
Backup
Information Management
Discovering Sensitive Data in Databases
• Discover database instances on network
• Catalog Search: Search the database catalog for table or column name
– Example: Search for tables where column name is like “%card%”
• Search by Permission: Search for the types of access that have been granted to users or roles
• Search for Data: Match specific values or patterns in the data
– Example: Search for objects matching guardium://CREDIT_CARD (a built-in pattern defining various credit card patterns)
• Search for Unstructured Data: Match specific values or patterns in an unstructured data file (CSV, Text, HTTP, HTTPS, Samba)
70
Identifying Fraud at the Application Layer
Figure: users (Marc, Joe) → Application Server → Database Server
Issue: Application server uses generic service account to access DB
– Doesn’t identify who initiated transaction (connection pooling)
Solution: Guardium tracks access to application user associated with specific SQL commands
– Out-of-the-box support for all major enterprise applications (Oracle EBS, PeopleSoft, SAP, Siebel, Business Objects, Cognos…) and custom applications (WebSphere, WebLogic, ….)
– Deterministic vs. time-based “best guess”
– No changes to applications
71
Identifying fraud or Application Mis-Use
You need a solution that shows WHO did WHAT!
Native auditing solutions and logging tools don’t show this depth
Track access back to the application user associated with a specific command
Deterministically – not by ‘best guess’!
Whatever middleware you are using!
And with NO changes to the application or the database!
Enforcing Change Controls + Integrating with Change Management Systems
Callouts on the screenshot: tag DBA actions with ticket ID; identify unauthorized changes (red) or changes with invalid ticket IDs; compare observed changes to approved changes
72
Monitoring Data Leakage from High-Value Databases
Should my customer service rep view 99 records in an hour?
Callouts on the screenshot: Is this normal? What exactly did Joe see?
73
Another Example
Traditional Solutions can’t identify suspicious behavior within legitimate traffic
Joe is viewing an abnormally high number of customer records!
We can even take a look at what he saw!
Notice that the audit information is masked,
so that someone viewing these reports doesn’t also see the customer information that
we’re auditing Joe for…
Knowing what was breached and to what extent is what we’re looking for!
Native logs won’t give you this information!
Tracking privileged users who switch accounts
1. Joe logs in to Linux
2. He switches to the Oracle shell account
3. Logs into Oracle as system
4. Gives himself a big bonus!
What InfoSphere Guardium shows you:
Callouts on the screenshot: Privileged User; User activity
74
Native database logging/auditing & SIEM tools can't capture OS user information
Other database monitoring solutions only provide OS shell account that was used
Do you have Privileged Users that use both generic DB accounts as well as generic OS
accounts?
In many companies, users login with their OS account and then switch to a shell account that has
the needed environment to access the database.
If they also use a generic database account,
how do you track them back?!
Joe’s bumping his bonus!
Native auditing will only show you the DB Username
Other monitoring solutions can only show you the OS shell account that was used!
You need everything!
Query Based Test Results
Test the database to validate that all triggers are actually owned by the table owner
SQL = SELECT COUNT(*) FROM all_triggers WHERE owner <> table_owner
If the count exceeds a threshold of 7 items, fail the test
75
SAP PreDefined PCI Policy Rule (Access Rule)
Track - PCI CardHolder Data
76
This is an example of an access rule
Unauthorized Users Accessing Credit Cards -- Guardium Verifies
Credit Card Validity With Luhn Algorithm
77
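The “Search for Data” step on the discovery slide (matching the built-in guardium://CREDIT_CARD pattern) and the Luhn validation named on the slide above work together: the pattern finds PAN-sized digit runs, and Luhn separates real card numbers from order numbers and other look-alikes so an unauthorized-access report is not filled with false positives. Added example, not Guardium or IBM code: the regex is a simplified stand-in for the built-in pattern, which the deck does not spell out, the rows are constructed, and results are masked the way the deck's audit reports are.

```python
import re

# Constructed sample rows (not from the deck). Two hold well-known test PANs,
# one holds a 16-digit order number, one has no PAN-sized digit run at all.
SAMPLE_ROWS = [
    "cust=1001 card=4111111111111111 note=test PAN",
    "order=1234567890123456 status=shipped",
    "cust=1002 card=5500 0000 0000 0004",
    "phone=555-0100 zip=02134",
]

# 13 to 19 digits, optionally separated by single spaces or dashes. This is a
# simplified stand-in for the built-in guardium://CREDIT_CARD pattern, whose
# exact definition the deck does not give.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn check: from the right, double every second digit, subtract 9 from
    any doubled value above 9, and require the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep only the first six and last four digits, so the discovery or audit
    report does not itself become a store of card numbers."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_rows(rows):
    """Return one record per PAN-sized digit run, flagging whether it passed
    Luhn. Failing runs are kept rather than dropped so a reviewer can see what
    was considered and why it was not counted as cardholder data."""
    hits = []
    for row_no, row in enumerate(rows):
        for m in CANDIDATE.finditer(row):
            digits = re.sub(r"[ -]", "", m.group())
            hits.append({"row": row_no, "masked": mask(digits),
                         "luhn_valid": luhn_ok(digits)})
    return hits

if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print(hit)
```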
PCI Track Data…
Guardium Tracks PCI “Track Data”
DO NOT store the full contents of any track from the magnetic stripe
DO NOT store the card-validation code (three-digit or four-digit value printed on the front or back of a payment card (e.g., CVV2 and CVC2 data))
DO NOT store the PIN Verification Value (PVV)
78