Govern & Comply
Compliance requirements such as HIPAA and SOX no longer just apply to the largest of companies: they apply to those companies as well as their vendors, who can be small businesses required to meet the standards of their customers that DO have compliance requirements. In addition, today’s increasing number of data breaches requires securing and auditing data access, which can prevent the theft of personal and confidential data that can greatly impact a company’s business and reputation. Products include:
- Optim (archiving, securing, protecting)
- Guardium (diverse database auditing)
- Rational AppScan (app layer)
- IBM Encryption Expert
Improve Governance and Performance, Lower Risk and Cost Across ERP and CRM Applications, Databases and Platforms
CIOs report an average data growth of 40% year over year. Escalating data volumes negatively impact system performance and operational efficiency by adding complexity and risk.
Control Growth
Software upgrades and data migration projects require more resources to back up and convert data. Maintenance is more complex and resource intensive. Storage and infrastructure are more expensive. Legacy systems may be kept running because they are difficult to retire, resulting in excessive capacity and resource use.
Reduce Corporate Risk
Risks include database outages, aged data available past retention policy guidelines, inability to meet SLAs, unnecessary exposure in the event of litigation discovery, and negative audit comments concerning violations of company policy and standards as well as government regulations.
Traditional Security Solutions Can't Deliver because they lack embedded knowledge about database protocols and structures:
- Perimeter and IDS/IPS defenses lack specialized awareness of database protocols and activity patterns.
- Database encryption requires major changes to applications and databases, and does not protect against privileged users or hackers who hijack application servers to gain access to back-end databases.
- Data Leak Prevention (DLP) technologies fail to protect enterprise data in the data center itself. Instead they catch sensitive data as it leaves end-points via USB devices or the network perimeter via IM or email.
- Native DBMS logging utilities either impose significant performance overhead or fail to capture sufficient information (such as read operations). In addition, they do not provide real-time protection or support separation of duties, and cannot identify end-users who access databases via multi-tier enterprise applications.
- Security Information and Event Management (SIEM) systems rely on native DBMS log data rather than collect database logs on their own. They also lack advanced, database-focused analytics.
IBM has two premier solutions: Optim and Guardium
IBM InfoSphere Optim Data Lifecycle Management can be used to manage the entire lifecycle (not just build and maintain) reducing the need for custom code, manual intervention and consultants. It allows you to manage current AND historic data, making archived data easily accessible.
Optim:
- Removes unnecessary records from production based on retention rules, yet allows users to search for them and recall them when needed.
- Masks sensitive data, such as credit card and social security numbers, in the test environment to ensure unauthorized personnel can't violate privacy regulations.
- Automates test data refreshes to reduce DBA resources required to support testing and to reduce the risk of error otherwise inevitable with manual data manipulation.
- Works with ERP and CRM applications, such as PeopleSoft, Siebel, SAP, Lawson, JD Edwards, Oracle, Baan, Retek, Microsoft and others, regardless of the database used, to allow archiving of data into a searchable format. Use it with Oracle, Informix, DB2, Sybase, SQL Server, and others, as well as files such as VSAM, HTML, and MVS, to control data growth from a single solution, with consistency.
Data Management
CIOs understand that data is a company asset that must be managed throughout its lifecycle. Optim:
- Is ready out-of-the-box to cap data growth, archive unnecessary records and reduce corporate risk.
- Reduces the size of production, development, test, QA, and disaster recovery databases, improving system performance, operations upgrades, batches & backups, and providing the ability to create "right-sized" testing environments, ensuring business continuity 24 x 365.
Test Data Control
Development teams need access to selected test data to ensure quality and to recognize patterns. Huge volumes of data in test slow project completion and are time-consuming to refresh. Optim allows you to:
- Create targeted, right-sized test environments.
- Improve application quality through effective test cases.
- Speed iterative testing processes by eliminating unnecessary records.
Data Privacy Control
Unauthorized access to confidential data is a business risk which can result in penalty to the company. Optim can mask confidential data so that it isn't recognizable by the development team, allowing you to comply with privacy regulations and policies.
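The masking behaviour described above, as an added illustration that is not Optim's own code: the card and SSN masking below is deterministic (the same input always masks the same way, so keys that relate tables still match) and format-preserving (separators kept, Luhn check digit recomputed so test code that validates card numbers still works). The masking key and sample values are constructed placeholders.

```python
import hmac, hashlib, re

# Constructed placeholder; a real deployment would load this from a secrets store.
MASK_KEY = b"placeholder-masking-key"

def _digits_from(value: str, n: int) -> str:
    """Derive n pseudo-random digits from value via HMAC so masking is repeatable."""
    digest = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).hexdigest()
    return "".join(str(int(ch, 16) % 10) for ch in digest)[:n]

def luhn_check_digit(payload: str) -> str:
    """Compute the Luhn check digit for the digits that precede it."""
    total = 0
    for i, ch in enumerate(reversed(payload)):   # rightmost payload digit is doubled
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    digits = re.sub(r"\D", "", number)
    return luhn_check_digit(digits[:-1]) == digits[-1]

def _relayout(template: str, new_digits: str) -> str:
    """Write new_digits back into the original layout (spaces and dashes preserved)."""
    it = iter(new_digits)
    return "".join(next(it) if ch.isdigit() else ch for ch in template)

def mask_card(card: str) -> str:
    """Keep the 6-digit issuer prefix, replace the account digits, fix the check digit."""
    digits = re.sub(r"\D", "", card)
    body = digits[:6] + _digits_from(digits, len(digits) - 7)
    return _relayout(card, body + luhn_check_digit(body))

def mask_ssn(ssn: str) -> str:
    """Replace all nine digits but keep the NNN-NN-NNNN layout."""
    digits = re.sub(r"\D", "", ssn)
    return _relayout(ssn, _digits_from(digits, 9))
```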
Optim provides for compliance, legal support and discovery by demonstrating compliance with privacy law, regulations and internal policies (SOX, PCI, GLBA). It reduces the time, effort and expense of discovering evidence for litigation.
Optim allows you to lower costs by reducing the "footprint" for hardware, database licenses and management.
Guardium is the Corporate Watchdog
Guardium's real-time monitoring technology addresses the Board-level database security issues of:
- Reputational Risk
- Failed Audits
- Data Breaches
- Insider Threats
- Compliance Cost
Guardium uses both policy-based controls and anomaly detection to prevent unauthorized activities by potential hackers, privileged insiders, and end-users of enterprise applications such as Oracle EBS, PeopleSoft, and SAP.
At the same time, it consolidates and normalizes audit information from disparate systems into a centralized audit repository. This audit data warehouse can then be used for enterprise-wide compliance auditing and reporting, correlation, and forensics by leveraging Guardium's integrated suite of applications and data mining tools.
The Guardium solution continuously tracks all DBMS traffic at the network level and on database servers themselves, across all major DBMS platforms, OS platforms, and applications. By doing so, it provides a full set of detective controls with visibility into all database activities, without impacting the performance of business-critical applications and databases.
Unique to the industry, we also provide a rich set of preventive policy-based actions for implementing granular access controls to sensitive data. These controls range from real-time alerts, to blocking unauthorized local access and connections, to customizable policy actions such as automated lock-outs and VPN port shut-downs.
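The policy-based and anomaly checks described in this section, as an added example that is not Guardium's own code: a small evaluator runs over constructed database activity events and returns allow, alert or block. It flags a privileged user reading sensitive tables from outside the application tier, a pooled service account with no attributed end-user (the blind spot noted elsewhere on this page), and result sizes above a baseline. Table names, users, hosts and the threshold are placeholders.

```python
import re

# Constructed configuration for the example; a real policy would be far richer.
SENSITIVE_TABLES = {"customers", "cards"}
PRIVILEGED_USERS = {"sysdba", "dba_jane"}
SERVICE_ACCOUNTS = {"sap_pool"}      # generic connection-pool account
APP_SERVERS = {"app01", "app02"}      # only hosts allowed to use service accounts
ROW_BASELINE = 500                    # rows a single query normally returns at most

# Constructed sample events, as a network-level monitor might capture them.
SAMPLE_EVENTS = [
    {"ts": "10:01", "db_user": "sap_pool", "host": "app01", "app_user": "u123",
     "sql": "SELECT name FROM customers WHERE id = 42", "rows": 1},
    {"ts": "10:02", "db_user": "sap_pool", "host": "app01", "app_user": None,
     "sql": "SELECT pan FROM cards WHERE cust = 42", "rows": 3},
    {"ts": "10:03", "db_user": "dba_jane", "host": "laptop7", "app_user": None,
     "sql": "SELECT * FROM cards", "rows": 120000},
    {"ts": "10:04", "db_user": "dba_jane", "host": "laptop7", "app_user": None,
     "sql": "SELECT count(*) FROM orders", "rows": 1},
]

def tables_in(sql):
    """Crude table extraction: names following FROM/JOIN/INTO/UPDATE."""
    return {t.lower() for t in re.findall(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+(\w+)", sql, re.I)}

def evaluate(ev):
    """Return (action, reasons) for one event; block outranks alert outranks allow."""
    reasons, action = [], "allow"
    sensitive = bool(tables_in(ev["sql"]) & SENSITIVE_TABLES)
    if sensitive and ev["db_user"] in PRIVILEGED_USERS and ev["host"] not in APP_SERVERS:
        reasons.append("privileged user reading sensitive data outside the application tier")
        action = "block"
    if sensitive and ev["db_user"] in SERVICE_ACCOUNTS and not ev["app_user"]:
        reasons.append("pooled service account with no attributed end-user")
        action = action if action == "block" else "alert"
    if ev["rows"] > ROW_BASELINE:
        reasons.append(f"{ev['rows']} rows returned exceeds baseline of {ROW_BASELINE}")
        action = action if action == "block" else "alert"
    return action, reasons

def run(events):
    """Evaluate every event; returns a list of (ts, db_user, action, reasons)."""
    return [(ev["ts"], ev["db_user"]) + evaluate(ev) for ev in events]
```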
A Powerful Team
Optim and Guardium are a powerful IBM combination that improves overall performance while reducing corporate risk by allowing you to:
- Archive
- Decommission
- Encrypt
- Monitor
- Assess vulnerabilities
- Create test data
- Ensure data privacy
- Discover the data model
Most IT organizations are aware of the data governance and security challenges:
- Managing and enforcing enterprise-wide security on-site and in the cloud.
- Limiting privileged user access to sensitive data, globally.
- Protecting sensitive enterprise information, structured and unstructured, and avoiding production data breaches without impacting applications.
- Protecting confidential data available in development, test and training environments.
- Staying in compliance despite new and expanded regulatory requirements.
- Dynamically protecting SQL from malicious requests.
- Continuously monitoring database access and activity in real-time.
- Setting policy-based controls to detect unauthorized or suspicious activity.
- Conducting vulnerability assessments, modifying auditing and blocking rules.
Inherent Database and System Security is Not Sufficient
Basic database security tools and implementations are not sufficient:
- Privileged users or end-users override corporate policies, despite defined separation of duties, and can easily modify log files.
- No real-time monitoring capability to immediately detect or block unauthorized access.
- Unable to detect fraud at the application layer, such as from SAP or PeopleSoft.
- No tools to assess vulnerabilities, discover (find/identify) data, detect leaks, and monitor file integrity.
- Sensitive data is available for global access in test environments.
- Policies are managed inconsistently across applications and databases.
- End-user fraud cannot be detected for connection-pooled applications that use generic service accounts, such as SAP or PeopleSoft.
- Significant labor cost to create, implement and maintain controls.
IBM follows the Information Governance Council Maturity Model
Based on the Information Governance Council Maturity Model, developed in collaboration with many organizations, IBM Information Governance helps reduce costs and complexity, increase understanding of the structure and location of data, ensure compliance with policy and regulatory requirements, and protect your organization from data breaches.
Information Governance Solution
Effective management requires automated, strong, enterprise-wide controls to:
- Locate and document the data and the databases across the enterprise.
- Identify and classify sensitive data, such as social security numbers, national ID numbers, credit card numbers, salary information, health information.
- Understand relationships required for compound sensitive data.
- Implement controls and shared policies consistently.
- Proactively enforce separation of duties.
- Control data access by cell (row and column) for both structured and unstructured data.
- Protect confidential data in documents while allowing them to be shared.
- Define and manage privacy and masking rules, and propagate them to test environments to ensure sensitive data will be protected.
- Monitor and report on database access for audit purposes.