4 Reasons to Love the New IBM Guardium Data Encryption v3.0 GUARDIUM TECH TALK October 3, 2017 Dan Goodes WW Technical Sales Data Security Rick Robinson Offering Manager, Encryption and Key Management


Upcoming tech talk

Title: Hints and Tips for a Successful V10 Upgrade.

Date: Tuesday, October 24th, 2017

Time: 11:00 AM EDT, 8:00 AM PDT (60 minutes)

Speakers: Kathryn Zeidenstein, Vlad Langman, Yosef Rozenblit, Javaid Rajmohamed, Ron Ben-Natan

Register: http://ibm.biz/GTechUpgrade


Guardium community on developerWorks

bit.ly/guardwiki

Right nav


Agenda

• Overview of Encryption Offerings

• Introduction of GDE v3.0 Components – Four Things to Love about GDE

• Tokenization Demo Video

• Q&A


Safeguarding sensitive data requires intelligence and automation

Data Security

• PROTECT: Complete protection for sensitive data, including encryption

• ADAPT: Seamlessly handle changes within your IT environment

• ANALYZE: Automatically discover critical data and uncover risk


2017 IBM Data Security Encryption Portfolio

Security Key Lifecycle Manager (SKLM)

• Enterprise Key Mgmt

• KMIP Certified

• Distributed and Z-versions available

Guardium Data Encryption (GDE)

• On-Prem File Encryption

• Agent-Server Architecture

• Tokenization

• App and Teradata Encryption

Guardium Data Encryption for IMS and DB2 (GDE4Z)

• Protects Database Contents with granular control

• Z-platform only

Multi-Cloud Data Encryption (MDE)

• File and Volume Encryption

• Agent-Server Architecture


Different Enterprise Use Cases Require Different Approaches

Masking

▪ The ability to desensitize personal information and make it unreadable from its original form while preserving format and referential integrity

▪ It is a one-way algorithm, i.e. no unmasking of data

▪ SDM – Static Data Masking

▪ DDM – Dynamic Data Masking

Tokenization

▪ The process of substituting a “token” which can be mapped to the original value

▪ Token is a non-personal data equivalent which has no extrinsic value

▪ Must maintain a mapping between the tokens and the original values

Redaction

▪ The process of obscuring part of a text for security purposes

▪ The ability to replace real data with substitute characters like (“*”)

Encryption

▪ The process of encoding data in such a way that only authorized individuals can read it by decrypting the encoded data with a key

▪ Format Preserving Encryption (FPE) is a special form of encryption

Original Value: 4536 6382 9896 5200

Masked Value: ABCD GDIC JIJG VXYZ

Redacted Value: **** **** **** 5200

Token Value: 4212 5454 6565 7780

Encrypted Value: 1@#43$%!xy1K2L4P


IBM Guardium Data Encryption: Encryption, Key Management

Protect on-premises enterprise data while meeting compliance mandates

• Protects on-premises data from misuse

• Supports separation of duties

• Meets government and industry compliance regulations, e.g., PCI, GDPR, etc.

• Scales in heterogeneous environments

• NEW! Tokenization support

• Files and Databases, now (NEW!) with Live Data Transformation

• NEW! Application Encryption

• NEW! Encryption for Teradata environments

Guardium Data Encryption v3.0

• Protect files

• Protect databases and Big Data: NoSQL, Teradata, Hadoop, DB2, Oracle

• Protect apps


IBM Guardium Data Encryption helps provide distributed encryption and centralized management to protect sensitive data for traditional, on-premises environments

Imagine encryption… anywhere!

Diagram labels: On-Prem; Encryption Agents; Data Security Manager (DSM); REST API


Guardium Data Encryption v3.0 Offers FIVE Different Chargeable Components

Guardium for File and Database Encryption

• Encrypts Structured and Unstructured Data

• Agent-based solution with management server virtual appliance

• Next generation version of GDE v2.0 for files and database encryption

Guardium for File and DB Encryption WITH Live Data Transformation

• Extends capabilities of Guardium for File and Database Encryption by allowing customers to encrypt files and databases WITHOUT taking them offline for encryption

• Agent-based solution with management server virtual appliance

Guardium for Application Encryption

• SDK that allows customers to directly integrate their applications with the encryption agents

• Agent-based solution with management server virtual appliance

Guardium for Teradata Encryption

• Encrypts structured and unstructured data within a Teradata environment

• Agent-based solution with management server virtual appliance

Guardium for Tokenization

• Supports Database Tokenization through REST API calls

• Solution includes a tokenization server and management server virtual appliances

= new with GDE v3.0


File and Database Encryption


Guardium Data Encryption

Existing Offering components

GDE v2.0

TODAY


Guardium Data Encryption

Guardium Data Encryption (GDE) v3.0

Included (New):

• Virtual Appliance (VM/OVA)

Included (New):

• Live Data Transformation extension to GDE


File and Database Encryption

Diagram labels: Applications; File I/O; Agents; File Server; File Access; GDE v3.0 DSM Virtual Appliance

Agents intercept File I/O calls and apply encryption and access policy based on DSM settings


Application and Teradata Encryption


Guardium Data Encryption

Guardium Application Encryption (GAE) v3.0

New:

• Application Encryption Agent

Included (New):

• Virtual Appliance (VM/OVA)


Guardium Data Encryption

Guardium Teradata Encryption (GTE) v3.0

New:

• Teradata Encryption Agent

Included (New):

• Virtual Appliance (VM/OVA)


Application Encryption and Teradata Encryption

Diagram labels: Applications; User Defined Functions; Agents; Application Server; GDE v3.0 DSM Virtual Appliance

Agents intercept UDF/API calls and apply encryption and access policy based on DSM settings


Tokenization


Guardium Data Encryption

Guardium Tokenization (GTO) v3.0

New:

• Tokenization/Masking Agent

• Tokenization Server (VM/OVA)

Included (New):

• Virtual Appliance (VM/OVA)


Vaulted vs Vault-less Tokenization

Plain Text: G786303

Token: C940494

Diagram labels: Application Servers; REST API Calls; GDE v3.0 Tokenization Server Virtual Appliance; GDE v3.0 DSM Virtual Appliance; Policy: Token Format, Dynamic Data Masking; 256-bit key/seed; Optional Oracle Database (Vault)


RBAC Access

LDAP integration allows policies to restrict the information that is provided when a token is reversed

Token: C940494

Plain Text: ****303

Diagram labels: Application Servers; REST API Calls; GDE v3.0 Tokenization Server Virtual Appliance; GDE v3.0 DSM Virtual Appliance; 256-bit key/seed; LDAP


Items to Consider

Items to consider prior to adopting tokenization:

▪ Vaulted vs. Vault-less

▪ Vault (option) provided by customer-provided Oracle database

▪ Tokenization Performance

▪ One Tokenization VM can reach performance rates of 1 Mtps (transactions per second)

▪ Operational Considerations

▪ Policies, Masking, Tokenization, DB updates, etc.

▪ Application and/or Database Modification

▪ Rekey Process (for the tokenization server)

▪ Master wrapping key can be rotated
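
The vaulted flow from the "Vaulted vs Vault-less Tokenization" and "RBAC Access" slides, as an added sketch that is not IBM's code and does not use the GDE REST API: a format-preserving token is stored in a mapping table, and reversing it returns the full or partially masked value depending on the caller's role. `TokenVault`, `ROLE_POLICY` and the role names are hypothetical, and in-memory dictionaries stand in for the Oracle vault and the LDAP lookup.

```python
import secrets
import string

# Hypothetical role -> reveal policy; a real deployment would derive the role
# from LDAP group membership, as the RBAC slide describes.
ROLE_POLICY = {"pci_admin": "full", "support": "last3"}

def random_like(ch):
    """Random character of the same class, so the token keeps the input format."""
    for alphabet in (string.digits, string.ascii_uppercase, string.ascii_lowercase):
        if ch in alphabet:
            return secrets.choice(alphabet)
    return ch  # separators such as spaces or dashes are preserved

class TokenVault:
    """In-memory stand-in for the vault (the mapping table of a vaulted design)."""

    def __init__(self):
        self.by_value = {}
        self.by_token = {}

    def tokenize(self, value):
        if value in self.by_value:  # same input, same token: joins keep working
            return self.by_value[value]
        if not any(c.isascii() and c.isalnum() for c in value):
            raise ValueError("nothing to tokenize")
        for _ in range(1000):  # bounded retry on collisions
            token = "".join(random_like(c) for c in value)
            if token != value and token not in self.by_token:
                self.by_value[value] = token
                self.by_token[token] = value
                return token
        raise RuntimeError("token space exhausted for this format")

    def detokenize(self, token, role):
        value = self.by_token[token]  # KeyError: not a token we issued
        policy = ROLE_POLICY.get(role)  # unknown roles get nothing
        if policy == "full":
            return value
        if policy == "last3":
            keep = min(3, len(value) // 2)  # never reveal most of a short value
            return "*" * (len(value) - keep) + value[len(value) - keep:]
        raise PermissionError(f"role {role!r} may not reverse tokens")

def demo():
    vault = TokenVault()
    token = vault.tokenize("G786303")  # plaintext value taken from the slide
    return token, vault.detokenize(token, "support"), vault.detokenize(token, "pci_admin")

if __name__ == "__main__":
    print(demo())
```

The token is random rather than derived from a key, so the mapping table is the only way back to the original value; a vault-less design would replace the table with a keyed, reversible transformation.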


IBM is integral to data security

Know your sensitive data and intelligently safeguard it – wherever it resides

ANALYZE. PROTECT. ADAPT

Discovery, classification, vulnerability assessment, masking, redaction

Encryption and key management

Data and file activity monitoring

Dynamic blocking and masking, alerts, and quarantine

Compliance automation and auditing

ANALYTICS

Visit: ibm.com/Guardium


Questions?


THANK YOU