IBM Security Systems

Encryption is Fundamental: A Technical Overview of

Guardium Data Encryption
October 2014

Tim Parmenter – InfoSphere Guardium Technical Professional

Mark Jamison – Accelerated Value Specialist

©
1 2014 IBM Corporation © 2013 IBM Corporation
Logistics
 This tech talk is being recorded. If you object, please hang up and
leave the webcast now.
 We’ll post a copy of slides and link to recording on the Guardium
community tech talk wiki page: http://ibm.co/Wh9x0o
 You can listen to the tech talk using audiocast and ask questions in
the chat to the Q and A group.
 We’ll try to answer questions in the chat or address them at
speaker’s discretion.
– If we cannot answer your question, please do include your email
so we can get back to you.
 When speaker pauses for questions:
– We’ll go through existing questions in the chat

2 © 2014 IBM Corporation

Reminder: Guardium Tech Talks
Next tech talk: Finding a needle in a haystack: A real-world case study
identifying security risk with InfoSphere Guardium

Speakers: Joe DiPietro and Oded Sofer

Date &Time: Wednesday, Nov 12th, 2014
11:30 AM Eastern Time (75 minutes)
Register here: http://bit.ly/YQd6mO
Next tech talk +1: InfoSphere Guardium for DB2 for z/OS (Part 2) and
Guardium for Data Sets

Speakers: Ernie Mancill

Date &Time: Tuesday, Nov 18th 2014
11:30 AM Eastern Time (75 minutes)
Register here: http://bit.ly/10lX5Gx

3 © 2014 IBM Corporation

 Agenda
• The Need for Encryption

• Encryption Techniques

• How Data Encryption Protects

• Data Encryption Architecture & Integration Key Take Aways

• Q&A
•InfoSphere Guardium is the leader
in data protection and synergizes
with the rest of the IBM Security
Portfolio to extend protection reach.

•Encrypting Data is essential to

ensure security/compliance for all
sensitive data.

4 © 2014 IBM Corporation

2014 – The Year of Encryption

5 © 2014 IBM Corporation

 Data Governance and Security have changed!
Consumerization Everything is Attack
Data Explosion
of IT Everywhere Sophistication

Moving from traditional perimeter- …to logical “perimeter” approach to

based security… security—focusing on the data and
where it resides

Antivirus
IPS

Firewall

• Cloud, Mobile and Data momentum is breaking down the traditional perimeter and forcing us to look at security differently
• Focus needs to shift from the perimeter to the data that needs to be protected
6 © 2014 IBM Corporation
Introducing IBM InfoSphere Guardium Data Encryption

EnsureEnsure compliance
compliance with
and protect
Requirements
enterprise data
datawith encryption
encryption • Protect sensitive enterprise
information and avoid data
breaches
Data Encryption
• Minimize impact to production
• Enforce separation of duties by
keeping security and data
administration separate
• Meet government and industry
regulations (eg. PCI-DSS)

Benefits
• Protect data from misuse
• Satisfy compliance
requirements including
proactive separation of duties
• Scale to protect structured and
unstructured data across
heterogeneous environments
without enterprise changes

7 © 2014 IBM Corporation

InfoSphere Guardium Data Encryption Value Proposition:
Continuously restrict access to sensitive data including databases, data
warehouses, big data environments and file shares to….
1 Prevent data breaches
– Prevent disclosure or leakages of sensitive data
2 Ensure the integrity of sensitive data
– Prevent unauthorized changes to data, database
structures, configuration files and logs
3 Reduce cost of compliance
– Automate and centralize controls
o Across diverse regulations, such as PCI DSS, data privacy
regulations, HIPAA/HITECH etc.
o Across heterogeneous environments such as databases,
applications, data warehouses and Big Data platforms like Hadoop
4 Protect data in an efficient, scalable, and cost effective
way
– Increase operational efficiency
– No degradation of infrastructure or business processes

8 © 2014 IBM Corporation

Regulations Requiring Data Encryption

Regulation/Driver Who is Effected? Requirements

Encryption of credit card data with
PCI DSS Major retailers and
associated secure key management
(Visa, MC, Discover, AMEX) processors world wide
processes

HIPAA Security Standard Organizations that handle Confidentiality, integrity and availability
(OCR) patient health information of patient health information
Data Breach Disclosure in
Publically held
over 50 Countries Notifications and investigations of
organizations or
(Example: EU, South Korea, security breaches
government agencies
Turkey)
Local Government Data Publically held
Protection Acts organizations or Encryption of sensitive data
(Local governments around the
world)
government agencies

Private and public Encryption employee and

Executive Mandates
organizations customer data
Private and public Encryption and control access to
IP/Trade Secret Protection
organizations intellectual property

9 © 2014 IBM Corporation

Encryption Approaches

 Storage Level
Encryption performed on path to the disks or on the disk itself

 Application Level / Column Level

Use application coding to encrypt data within columns of database data
Tokenization

 Database – TDE (tablespace)

Microsoft/Oracle – Encryption of database tablespaces

 File Level (GDE)

Data is encrypted at the File System level, as it’s created in the file

10 © 2014 IBM Corporation

Guardium Data Encryption Use Cases – Big Picture

Data Files Unstructured Data Cloud

Usage: Sensitive data used Usage: Monitor and know

Usage: Monitor WHO is
by systems and end users – WHO is touching your data
touching the files and for
touched by privileged users stored in the cloud and for
WHAT purpose.
(DBA’s), Activity Monitoring WHAT purpose
requirement for separation of Usage: Encrypt and Control
duties and consistent audit access to any type of data
Usage: Encrypt and Control
policy. Also: Encrypt used by LUW server
Access to data used by Cloud
Tablespace, Log, and other Common Data Types: Instances
Data files at File System to Logs, Reports, Images, ETL,
protect against System OS Audio/Video Recordings, Common Cloud Providers:
privileged user cred Documents, Big Data… IBM, Amazon EC2,
Examples: FileNet, Rackspace, MS Azure
Common Databases: DB2,
Documentum, Nice, Hadoop,
Informix, Oracle, MSSQL,
Home Grown, etc…
Sybase, MySQL…

11 © 2014 IBM Corporation

GDE File/Table/Volume based Encryption

Authentication/ Authorization Data Security Manager

Authentication/ Authorization
• Centralized Key Management
• Policy Decision Point
Applications • Highly Available
Applications
• Rules-Policy Engine
• Detailed Auditing
Databases/Applications
Databases/Applications

File Level

LAN/
WAN
File System Security Manager
File System

• Implements Encryption, Access Control,

Device Level Auditing on Host
•Support for file systems and raw
partitions

Volume Manager
Volume Manager

SAN / NAS / DAS / VM / Cloud • Protect ALL sensitive data

SAN / NAS / DAS / VM / Cloud
…wherever/however it’s stored

12 © 2014 IBM Corporation

 Enterprise/HA Architecture

Remote

Web Server

Primary
Application
Application Servers
Servers

DSM
Secondary

Encrypted Folder/Guardpoint
Web Server Application
Servers GDE File System Agent

Data Security Manager/DSM

DSM
Secure High Availability Connection

13 © 2014 IBM Corporation

InfoSphere Guardium Data Encryption (GDE) - Addresses
compliance requirements and protects data at the File System Level
File And Volume Encryption
• High Performance / Low overhead – Intel/AMD X86 processor
AES-NI hardware encryption available
• Transparent– No changes to application or management required
• Broad OS, file system and volume support

Data File & Distributed File System Encryption

• Heterogeneous, transparent and high performance
• Encrypts the tablespace at the file and volume level
• Broad support for multiple database and big data vendors

Policy Based Access Control to Encrypted Data

• Policy-based - Transparent
• Linked to LDAP and system level accounts
• By process, user, time and more
• Prevents Privileged User access to protected data while allowing
normal application and systems management use

Key Management
• Securely stores and manages keys used in the implementation

14 © 2014 IBM Corporation

 File Encryption Management
Data
Clear Text Encryption

Name: Jsmith.doc Name: Jsmith.doc

File System
Created: 6/4/99 Created: 6/4/99
Metadata
Modified: 8/15/02 Modified: 8/15/02

Name: J Smith
dfjdNk%(Amg
Credit Card #:
8nGmwlNskd 9f
6011579389213 Block-Writes
Sk9ineo93o2n*&*^
File Data
Bal: $5,145,789
xIu2Ks0BKsjd
Social Sec No: Block-Reads Nac0&6mKcoS
514-73-8970
File File qCio9M*sdopF
File
Data Data Data

 File systems always read and write in fixed block sizes

 Encryption takes place on the block IOs to a protected file
 GDE simply encrypts or decrypts the block reads and writes

15 © 2014 IBM Corporation

Policy Rules

• WHO is attempting to access protected data?

 Configure one or more users, groups, or applications users may invoke who can access protected
data
• WHAT data is being accessed?
 Configure a mix of files and directories
• WHEN is the data being accessed?
 Configure a range of hours and days of the week for authorized access
• HOW is the data being accessed?
 Configure allowable file system operations allowed to access the data
e.g. read, write, delete, rename, etc.
• EFFECT: Permit; Deny; Apply Key; Audit

16 © 2014 IBM Corporation

 Describing Policy Processing
Subject
1. Access request

2. Agent intercepts I/O and

checks Subject’s credentials:
User = oracle
Process = oracle.exe

3. Agent checks policy rules.

Rule 1: User = root No Match

Rule 2: User = oracle and No Match

Process = tar
Match;
Rule 3: User = oracle and
4. Effect
Process = oracle.exe
applied

17 © 2014 IBM Corporation

Enterprise-Ready, Cloud-Ready
Automation
 API and script accessible controls
 Web and command line APIs
 For policy management, deployment, integration
 Enables fast rollouts, easy integration with other infrastructure
and policy management solutions
Logs to identify the latest threats / malicious insiders
 RFC5424 and CEF compatible log formats for use with SIEM
 Detailed access records and access attempts
 For individual protected locations and for management infrastructure
 Identify anomalous usage from APTs and malicious insiders
Data Security Management
 Software Appliance – HW appliance available through separate
contract if HSM required in bid.
 Centralized, scalable, highly available common management
across all environments
 Cluster-able for scalability, redundancy, remote location support
 Simple web-based management UI
 Separation of duties and roles – supports tenancy models,
compliance requirements
 Audit reporting for encrypted data access, data protection
infrastructure use
18 © 2014 IBM Corporation
Administrator Roles

Roles provide separation of duties for Administrators

• System Administrator Role – Responsible for adding administrator IDs to the

system, configuring the system’s logging and high availability, and creating
domains.
System
Administrator

• Domain Administrator Role – Responsible for assigning roles to IDs within a

domain
Domain
Administrator

• Security Administrator Role – Responsible for implementing their assigned roles

(i.e. creating keys, creating policies, managing hosts); perform the more regular
routines of implementing encryption on managed systems
Security
Administrator

19 © 2014 IBM Corporation

Protecting Big Data

• All data sources potentially

contain sensitive
information
• Data is distributed as
needed throughout the
cluster by the Big Data
application
• Deploy IBM InfoSphere
Guardium Data Encryption
Agents to all systems
hosting Data Stores
• Agents protect the data
store at the file system or
volume level
• Cloudera CDH4 Certified

20 © 2014 IBM Corporation

 IBM Security Systems

GDE Case Study for HIPAA Compliance

©
212014 IBM Corporation © 2013 IBM Corporation
GDE Case Study for HIPAA Compliance

• Large retail customer:

 Highly Distributed (More than 2000 stores with a local copy
of files and databases)
 Significant throughput (Handles hundreds of prescriptions
at each store every day)
 Central Management important
• Needs a means to encrypt data at rest to Meet
HIPAA compliance
 Needs a low cost alternative to encrypted SAN

22 © 2014 IBM Corporation

GDE Case Study for HIPAA Compliance

• The Solution? IBM Guardium Data Encryption

 A GDE agent on each box.
 A DSM cluster to manage policies for all systems.

• Why GDE?
 Seemlessly transparent.
– Had to do performance testing, but no applications were recompiled,
and no database changes were required.
 Limited Bandwidth usage.
– Since polices are cached , can bring system up with limited network
access.
– Only does periodic heartbeats to DSM aside from bootup, so
minimum impact on network.

23 © 2014 IBM Corporation

GDE Case Study for HIPAA Compliance

• Why GDE cont.

 Built in access management if needed.
– Compliance currently does not require data be locked from users at
certain times, but if requirement changes no new product license is
required.
 Command Line Interface available for large deployment.
– vmssc tool allows you to bypass the DSM gui and add hosts, and
guardpoints, and even automate adding all the guardpoints to a large
range of systems.
 The ability to cluster DSM’s.
– Giving an easy setup for your Policy Manager to be Highly Available.

24 © 2014 IBM Corporation

GDE Case Study for HIPAA Compliance

• Key Considerations Learned

 Backup and Recovery process time increased
 Database Query Performance largely unaffected
– Initial query of tables might be up to 5% slower, but the nature of
Bufferpool caching eliminated any subsequent performance issues.
 Restoring onto a new guardpoint is significantly faster in nearly all
cases
– ‘dataxform’ tool is best used when restore is not an option.
 Biggest performance hit is in the initial opening of a file.

25 © 2014 IBM Corporation

Reminder: Guardium Tech Talks
Next tech talk: Finding a needle in a haystack: A real-world case study
identifying security risk with InfoSphere Guardium

Speakers: Joe DiPietro and Oded Sofer

Date &Time: Wednesday, Nov 12th, 2014
11:30 AM Eastern Time (75 minutes)
Register here: http://bit.ly/YQd6mO
Next tech talk +1: InfoSphere Guardium for DB2 for z/OS (Part 2) and
Guardium for Data Sets

Speakers: Ernie Mancill

Date &Time: Tuesday, Nov 18th 2014
11:30 AM Eastern Time (75 minutes)
Register here: http://bit.ly/10lX5Gx

26 © 2014 IBM Corporation

 Dziękuję
Polish
Traditional Chinese
Thai

Gracias Spanish

Merci
French

Russian

Arabic

Obrigado
Brazilian Portuguese
Danke
German

Tack
Swedish

Simplified Chinese

Japanese
Grazie
Italian

27 © 2014 IBM Corporation