2010 BM Corporation

Information Management
nfoSphere Guardium Technical Training
Introduction and TechnicaI Overview
Guardium & Optim Technology Ecosystem
IBM Toronto Lab
Summer/Fall 2010
2
2010 BM Corporation
nformation Management
Agenda

ntroduction to Guardium

Challenges of Database Security

Technical Overview of Guardium

Guardium's Advantage

Case Studies
3
2010 BM Corporation
nformation Management
ntroduction to Guardium
Market Ieader in Database Activity
Monitoring (DAM) and safeguarding
high-vaIue databases
Comprehensive compIiance
automation system
ScaIabIe architecture with support
for heterogeneous environments
Industry-Ieading patented software
agent soIution for greater data
access monitoring and controI

Key product in IBM's
Information Governance portfoIio

Continued support for
heterogeneous environments
2010 BM Corporation
g g
atabases
compIiance
system
re with support
environments
ented software
greater data
g and controI
Continued support for
heterogeneous environments
4
2010 BM Corporation
nformation Management
Reality of Data Security

Database servers are the major

source of breached records

Payment Card Data and PersonaI

Information account for Iarge
majority of compromised data

"OffIine data, mobiIe devices, and

end-user systems are simpIy not
a major point of compromise."
*Verizon Business 2009 Data Breach nvestigations Report:
http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf
jor
s
onaI
ge
ata
and
not
e."
5
2010 BM Corporation
nformation Management
Biggest T Security Challenges
nformationWeek survey of 593 business technology and security professionals*
Managing the CompIexity
Enforcing PoIicies
Data Breaches from Outside
Data Theft by Insiders
CompIiance Requirements
Assessing Risks
*http://www.strategicsecurity.informationweek.com/
IT ChaIIenges = Business Drivers
6
2010 BM Corporation
nformation Management
What makes it chaIIenging?
What is Guardium's soIution?
7
2010 BM Corporation
nformation Management
Complex Data Environments
Data Servers
ments
vers
Guardium CoIIector
S-TAP
CoIIector Non-invasive hardened appliance enforces policies and performs logging
S-TAP Light-weight DBMS-independent software agent monitors database activity
AppIication Servers

MinimaI
Performance
Impact
8
2010 BM Corporation
nformation Management
User Complexity and Threats
Data Servers
Guardium CoIIector
S-TAP
AppIication Servers
PriviIeged User
(Database Administrator)
AppIication
User
Security
Administrator
Auditor
Separation of security
administration duties
Integration of
compIiance process
and auditing roIe
Monitoring and
prevention of
unauthorized access
by priviIeged users
Identification of
user and potentiaI
fraud in appIication
transactions
10
2010 BM Corporation
nformation Management
Compliance and Governance
Enterprise data environments require information governance based on
corporate poIicies, government reguIations, and industry standards:
PC-DSS Payment Card ndustry Data Security Standard
SOX Sarbanes-Oxley Act
EUDPD European Union Data Protection Directive
Most solutions depend on costly and burdensome manuaI processes
Potential confIict of interest when database admins handle compliance
Enforcement of separation of duties by design
Comprehensive and easy to use out-of-box reporting capabilities
Reduction in operation costs using compIiance workfIow automation
Simplified governance with centraIized poIicies for heterogenous environments
13
2010 BM Corporation
nformation Management
Simple Web nterface
14
2010 BM Corporation
nformation Management
Comprehensive Data Security and Compliance
19
2010 BM Corporation
nformation Management
Guardium in the reaI worId
20
2010 BM Corporation
nformation Management
Large Scale mplementation
2010 BM Corporation
24
2010 BM Corporation
nformation Management
Questions?
2010 BM Corporation
Information Management
nfoSphere Guardium Technical Training
Introduction and TechnicaI Overview
Guardium & Optim Technology Ecosystem
IBM Toronto Lab
Summer/Fall 2010
2010 BM Corporation
Information Management
nfoSphere Guardium Technical Training
Guardium Architecture
Guardium & Optim Technology Ecosystem
IBM Toronto Lab
Summer/Fall 2010
2
2010 BM Corporation
nformation Management
Agenda

ntroduction

Database Activity Monitoring Options

S-TAP Architecture

CAS Architecture

Collector Architecture

Failover and Load Balancing

Aggregator and Central Manager

mplementation Options
3
2010 BM Corporation
nformation Management
nfrastructure
Data Servers Application Servers
Network
Switch
Client
nternet
Local
Access
Network
Access
Guardium
Collector
GGuuaarrddiiuumm
Collector
4
2010 BM Corporation
nformation Management
Database Activity Monitoring

Database activity needs to be captured to perform parsing, analysis, and auditing

Session information
Failed log-in attempts
SQL commands
SQL errors
Returned data

Mechanisms in which the database is accessed

Network access
Local access
Encrypted connection

Monitoring options
Port Mirroring
Network Tap
Software Tap
5
2010 BM Corporation
nformation Management
Port Mirroring
Copy of network packets observed on the switch port
connected to the data server is sent to the CoIIector

No impact on data server performance

Requires network switch with port mirroring:

Switched Port Analyzer (SPAN)
Roving Analysis Port (RAP)

Requires direct connection to the Collector

Existing switch may not be able to accommodate multiple

data servers connected to that switch

Added cost of network switch with port mirroring feature

Encrypted and local connections will not be monitored

Only recommended if network hardware already exists and
data server cannot handle any additional software load
Data Server
Database
Traffic
Guardium
Collector
Mirrored
Database
Traffic
CoIIector
Access
Network
Switch
GGuuardium
Collector
Mirroredd
Database
Traffic
C II t
6
2010 BM Corporation
nformation Management
Network Tap
Data Server
Guardium
Collector
Network
Switch
Network
Tap
Mirrored
Database
Traffic
CoIIector
Access
Database
Traffic
Dedicated network tap hardware sends copy of data
server traffic is to CoIIector (similar to port mirroring)

No dependency on existing network hardware

No impact on data server performance

Added cost of network tap for each data server

Requires direct connection to the Collector

Data server has to be taken offline for installation

Encrypted and local connections will not be monitored

Only recommended if data server has a high load and
cannot handle any additional software load
GGuuardium
Collector
Mirrored
Database
Traffic
7
2010 BM Corporation
nformation Management
Software Tap (S-TAP)
Data Server
Guardium
Collector
Network
Switch
Database
Traffic
+
Mirrored
Database
Traffic
(fiItered)
S-TAP
CoIIector
Access
+
Mirrored
Database
Traffic
Software Tap (S TAP
Guardium
Collector
CoIIector
Access
+
Mirrored
Host-based DBMS-independent software agent that sends
network and IocaI database activities to CoIIector

Monitors all database activities at Operating System level:

TCP, Shared Memory, Named Pipes, Bequeath

Handles encrypted traffic:

SSH/PSEC, Oracle ASO, SQL Server SSL

Does not require any changes to database environment

nstalled only once on every system regardless of how many

database instances and types are running on that system

No additional hardware cost and lower implementation cost

Specific traffic can be filtered such that not all traffic is sent
to the Collector. This reduces network load significantly.

Less than 5% performance impact on data server

S-TAP is the recommended database activity monitoring option
8
2010 BM Corporation
nformation Management
S-TAP Architecture
K-TAP A-TAP
Application/User Level
Kernel Level
DBMS
Data Server
LocaI
AppIication/User
Network AppIication/User
CoIIector
K-TAP (Kernel Tap)

Kernel module that hooks into

client/server communication

Monitors DBMS network port

Different module for varying

versions of Linux/Unix kernel
A-TAP (Application Tap)

Monitors communication at the

application level

DB2, nformix, Oracle ASO

Dependent on K-TAP
Network Layer
Shared Memory
S-TAP
9
2010 BM Corporation
nformation Management
CAS Architecture
K-TAP A-TAP
S-TAP
Network Layer
Shared Memory
Application/User Level
Kernel Level
DBMS
Data Server
LocaI
AppIication/User
CAS
CoIIector
Config FiIe C fi FiI
CAS (Change Audit System)

Java module that monitors for

changes in baseline config:

Environment variables

Configuration files

Script outputs

Optional component

Requires Java Virtual Machine

Does not require S-TAP

10
2010 BM Corporation
nformation Management
Collector G2000 Appliance
Hardware Specification
Form factor: 1U rack server
Processor: 2x quad core
Storage: 2x 300GB - RAD-1
Network Configuration
Gigabit network adaptor with 4 network interfaces
eth0 port: Management port and S-TAP communication
other ports: Monitoring port for N-TAP/SPAN connection
Network adaptor expansion option for additional N-TAP/SPAN
Software Configuration
Kernel: Hardened Linux kernel (limited command line access)
Storage: Relational database (not directly accessible to users)
Option available to log to flat files stored on the Collector
nterface: Secure web server providing graphical web interface
CoIIector - G2000 CoIIector - G2000
11
2010 BM Corporation
nformation Management
Collector Architecture

Collector receives raw database activity data from S-TAP

Database activity data is parsed and evaluated on the Collector

nspection Engine applies action based on installed Security Policy

Logging stored in normalized relational database

Alerts sent based on notification configuration

Control signal sent to S-TAP for filtering control and termination actions
Data
Server
LOGIN USER ...
SELECT... FROM ...
CREATE TABLE .
INSERT .
DELETE ....
Security PoIicy
nventory Data Log SQL Construct
Sales Data Log Full SQL
Sensitive Data Alert
Unknown User Terminate
CoIIector
Database
S-TAP
Log
Terminate
AIert
12
2010 BM Corporation
nformation Management
Failover and Load Balancing

S-TAP sends periodic heartbeat check to Collector

Real-time alert can be generated if S-TAP is disabled or uninstalled

S-TAP stored database activity in temporary buffer if Collector cannot be reached

Buffer is a flat file located on the data server on which S-TAP is installed
Ensures that audit data is not lost in the event that Collector in unavailable

S-TAP can also be configured with multiple Collector for failover and/or load balancing

Load balancing would only be required to sustain logging in cases with extreme data
volumes and full audit condition
13
2010 BM Corporation
nformation Management
Collector Sizing
Note: These are simply guidelines. Sizing is dependent on user activity, security policy, and data sever load.
Deta||ed
Logg|ng
Deta||ed
Logg|ng
8as|c
Logg|ng
8as|c
Logg|ng
14
2010 BM Corporation
nformation Management
Managed Environment
kemote Locat|ons
Aggregator &
Centra| Manager
CoIIector
CoIIector
CoIIector
CoIIector
Aggregator &
Centra| Manager
15
2010 BM Corporation
nformation Management
Aggregator G5000 Appliance

Appliance dedicated to serve as central repository of audit

data from multiple Collectors

Similar hardware and software configuration as Collector

Collectors send data to Aggregator on a scheduled basis

Centralized repository allows for enterprise wide auditing

Querying for reports is performed on Aggregator, which

relieves Collectors from the performance impact of running
complex reports

Aggregator allows Collectors to be dedicated to monitoring

and policy enforcement tasks
Aggregator - G5000 Aggregator - G5000

Aggregator is highIy recommended for environments with two or more CoIIectors

16
2010 BM Corporation
nformation Management
Central Manager Functionality

Optional functionality for Aggregator appliance

Centralized management:
Monitoring the status of all managed Aggregator and Collectors
Centralized policy management for entire enterprise environment
Unified security policy pushed out to all managed Collectors
Centralized users and groups that is synchronized with managed units
Ability to query managed Collector's data from Central Manager
Note: this is not applicable to managed Aggregator units

Aggregator appliance can serve as:

Dedicated Aggregator
Dedicated Central Manager
Aggregator and Central Manager
17
2010 BM Corporation
nformation Management
Aggregator and Central Manager Scenario
Aggregator and CentraI Manager
CoIIector 1 CoIIector 2 CoIIector 3 CoIIector 4
Aggregate
Manages
18
2010 BM Corporation
nformation Management
Dedicated Aggregator Scenario
Aggregator and CentraI Manager
CoIIector H1
CoIIector H2
CoIIector H3
CoIIector H4
Aggregator
CoIIector S1
CoIIector S2
CoIIector S3
SaIes Databases
Human Resources Databases
gregator and CentraI Manage
CoIIector H
CoIIector H3
H2
C
H4 CoIIecttor
CoIIec ctor H1
CoIIector SS1
Aggregate
Manages
19
2010 BM Corporation
nformation Management
Dedicated Central Manager Scenario
Aggregator
CoIIector H1
CoIIector H2
CoIIector H3
CoIIector H4
Aggregator
CoIIector S1
CoIIector S2
CoIIector S3
SaIes Databases Human Resources Databases
H4
CoIIector S
CoIIector S2
SaIes Databases
S1
C II
oIIector S3
S2
Co
CentraI Manager
CoIIector HH22
Human Resources
CoIIeccttoorr HH3
Databases
CoIIector H
C
urces
CoIIecttor H1
anager Scenario
CeennttrraaII Manager
Aggregate
Manages
20
2010 BM Corporation
nformation Management
Questions?