IBM Data Governance
IBM Software Group | Information Management software
© 2008 IBM Corporation
Agenda
IBM Data Governance Overview
Question & Answer
IBM Data Governance
The Guardian, Online Edition, Nov 20 2007
http://politics.guardian.co.uk/economics/story/0,,2214109,00.html
The Evolution of Security

Perimeter Security (late 1990s)
– Firewalls
– Intrusion Detection Systems (IDS)
Systems Security (early 2002)
– Anti-virus
– Patch Management
– Host intrusion prevention
– Network Access Control (integrated with the above)
Data Security (2006)
Some Major Regulations

Regulation (regulator) | Who is covered | What is required
PCI (credit card issuers: Visa, MC, Discover, AMEX) | Major retailers and processors | Protection of credit card data
Gramm-Leach-Bliley (SEC, FTC, FDIC…) | All financial services | Protection of consumer information
NERC/FERC (NERC) | Power companies | Protection of US power systems
FISMA (OMB) | Federal agencies | Complete security program based on NIST (National Institute of Standards and Technology) guidelines
Data Breach Disclosure laws (20+ states) | Organizations that collect information about US residents | Notification and investigation of security breaches of Personally Identifiable Information
HIPAA (CMS) | Organizations that handle patient health information | Confidentiality, integrity and availability of patient health information
Sarbanes-Oxley (SEC) | Publicly traded companies | Integrity of financial data; confidentiality of forward-looking financial data; protection of valuable assets
IBM Data Governance Software

Data Governance rests on four pillars:
Secure
• Prevent access
• Restrict access
• Monitor access
Protect Privacy
• Mask data
• Encrypt data
Audit
• Audit access
• Audit privileges
• Audit users
Lifecycle Management
• Data retention
• Data retirement
IBM Data Governance Software: product mapping

Secure (prevent, restrict and monitor access)
• DB2 9.5
• IDS 11
Protect Privacy (mask and encrypt data)
• IBM Optim Data Privacy
• IBM Database Encryption Expert
Audit (audit access, privileges and users)
• DB2 Audit Management Expert
• Tivoli CIM
Lifecycle Management (data retention and retirement)
• IBM Optim Archive
• IBM Optim Test Data Management
DB2 9.5 & IDS 11 Security
DB2 9.5 & IDS 11 Security
Authentication
Authorization
Database Roles
Label-Based Access Control
Trusted Contexts
Auditing
Authentication

Authentication types (the AUTHENTICATION setting of the database manager configuration):
– SERVER: user ID and password are validated at the server; they travel unencrypted unless the connection itself is protected
– SERVER_ENCRYPT: user ID and password encrypted
– DATA_ENCRYPT: data as well as user ID and password encrypted
– CLIENT: authentication is performed by the client operating system and trusted by the server
– KERBEROS
– GSSPLUGIN (vendor security solution)
– LDAP
Authorization

The process of checking whether an authorization ID is allowed to execute a database operation:
– an SQL statement
– a command (or API)
The check is made against the full set of permissions available to the authorization ID:
– permissions held by the authorization ID itself
– permissions held by the authorization ID's groups and roles
– permissions held by PUBLIC
Database Roles

What is a database role? A database object that may group together one or more privileges, authorities, security labels or exemptions, and may be granted to users, groups, PUBLIC or other roles.
What is the advantage of database roles? Privileges are administered and managed inside the database rather than through operating-system groups.
SECADMs can control access to their databases at a level of abstraction close to the structure of their organizations (e.g., they can create database roles that map directly to roles in the organization).
LBAC

A flexible implementation of Mandatory Access Control (MAC)
A security label is associated with both users and data objects
Access control is governed by the predefined LBAC security rules

Artifact table (protected table)
SERIAL_NUMBER | TITLE | SECLABEL
SN0000001 | PO-HARRY-1 | Unclassified
SN0000002 | PO-TONY-1 | Unclassified
SN0000003 | Instructions | Confidential
SN0000004 | Release Notes | Secret
SN0000005 | PO-BRIAN-1 | Unclassified
SN0000006 | MARS-35 | Top Secret

Both users run the same statement:
select serial_number, title from artifact

Bob (Unclassified) results
SERIAL_NUMBER | TITLE
SN0000001 | PO-HARRY-1
SN0000002 | PO-TONY-1
SN0000005 | PO-BRIAN-1

Jane (Secret) results
SERIAL_NUMBER | TITLE
SN0000001 | PO-HARRY-1
SN0000002 | PO-TONY-1
SN0000003 | Instructions
SN0000004 | Release Notes
SN0000005 | PO-BRIAN-1
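The artifact table above, built end to end as an added DB2 9.5 LBAC example. This is not code from the slides; the component, policy and label names, the LOADER account and its exemption are assumptions made here, and the rows are the slide's own sample data.

```sql
-- Run by a user holding SECADM: only SECADM can create LBAC objects and grant labels.
-- One ARRAY component; the first element is the highest classification.
CREATE SECURITY LABEL COMPONENT classification
  ARRAY ['TOP SECRET', 'SECRET', 'CONFIDENTIAL', 'UNCLASSIFIED'];

-- DB2LBACRULES for an ARRAY component: a user may read a row whose level is
-- at or below the user's label, and may write a row only at exactly the
-- user's level (no write-up, no write-down) unless exempted.
CREATE SECURITY POLICY artifact_policy
  COMPONENTS classification
  WITH DB2LBACRULES
  RESTRICT NOT AUTHORIZED WRITE SECURITY LABEL;

CREATE SECURITY LABEL artifact_policy.top_secret   COMPONENT classification 'TOP SECRET';
CREATE SECURITY LABEL artifact_policy.secret       COMPONENT classification 'SECRET';
CREATE SECURITY LABEL artifact_policy.confidential COMPONENT classification 'CONFIDENTIAL';
CREATE SECURITY LABEL artifact_policy.unclassified COMPONENT classification 'UNCLASSIFIED';

-- The protected table: the DB2SECURITYLABEL column carries each row's label.
CREATE TABLE artifact (
  serial_number CHAR(9)     NOT NULL PRIMARY KEY,
  title         VARCHAR(40) NOT NULL,
  seclabel      DB2SECURITYLABEL
) SECURITY POLICY artifact_policy;

-- The two users from the slide. SYSADM and DBADM do not bypass LBAC:
-- an ID with no label for the policy sees no protected rows at all.
GRANT SECURITY LABEL artifact_policy.secret       TO USER jane FOR ALL ACCESS;
GRANT SECURITY LABEL artifact_policy.unclassified TO USER bob  FOR ALL ACCESS;
GRANT SELECT ON artifact TO USER jane, USER bob;

-- An assumed LOADER account that must insert rows at every level: it holds the
-- top label plus a write-down exemption. Keep such an ID out of application use.
GRANT SECURITY LABEL artifact_policy.top_secret TO USER loader FOR ALL ACCESS;
GRANT EXEMPTION ON RULE DB2LBACWRITEARRAY WRITEDOWN FOR artifact_policy TO USER loader;
GRANT INSERT ON artifact TO USER loader;

-- As LOADER: the slide's rows, each labelled explicitly. Names are passed as
-- strings, so they must match the catalog (upper-case) form.
INSERT INTO artifact VALUES
  ('SN0000001', 'PO-HARRY-1',    SECLABEL_BY_NAME('ARTIFACT_POLICY', 'UNCLASSIFIED')),
  ('SN0000002', 'PO-TONY-1',     SECLABEL_BY_NAME('ARTIFACT_POLICY', 'UNCLASSIFIED')),
  ('SN0000003', 'Instructions',  SECLABEL_BY_NAME('ARTIFACT_POLICY', 'CONFIDENTIAL')),
  ('SN0000004', 'Release Notes', SECLABEL_BY_NAME('ARTIFACT_POLICY', 'SECRET')),
  ('SN0000005', 'PO-BRIAN-1',    SECLABEL_BY_NAME('ARTIFACT_POLICY', 'UNCLASSIFIED')),
  ('SN0000006', 'MARS-35',       SECLABEL_BY_NAME('ARTIFACT_POLICY', 'TOP SECRET'));

-- As BOB: returns SN0000001, SN0000002, SN0000005. Rows above his level are
-- silently omitted; there is no error that would reveal they exist.
-- As JANE: the same statement also returns SN0000003 and SN0000004.
-- SN0000006 (TOP SECRET) is hidden from both.
SELECT serial_number, title FROM artifact;

-- For review: the row labels as text (readable only for rows the caller may see).
SELECT serial_number, VARCHAR(SECLABEL_TO_CHAR('ARTIFACT_POLICY', seclabel), 20) AS label
  FROM artifact;
```

Note that the filtering happens in the engine for every access path (SELECT, views, cursors, utilities that go through SQL), which is what distinguishes LBAC from application-side row filtering; the price is that the SECADM must grant a label to every ID that needs the table, including service accounts.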
Trusted Contexts

Security challenge: an application server that opens all its database connections under a single user ID causes:
– loss of end-user identity within the database server
– diminished user accountability
– over-granting of privileges to a single authorization ID
The lack of control over when privileges are applied to a user can weaken overall security.
Trusted Contexts (Cont.)

What is a trusted context? A trust relationship between the database and an external entity such as an application server, stored in the database.
The trust relationship is based on the following trust attributes:
– authorization ID
– IP address (or domain name)
– data stream encryption
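Roles, a trusted context and the effective-privilege check from the Authorization, Database Roles and Trusted Contexts slides, as one added DB2 9.5 example (not code from the slides). The roles ORDER_CLERK and APP_SERVER, the system ID APPSRV, the address 192.0.2.10, the users ALICE and BOB and the tables CUSTOMERS and ORDERS are all assumed names.

```sql
-- Run as SECADM (CREATE ROLE, GRANT ROLE and CREATE TRUSTED CONTEXT need it).

-- Roles hold the privileges; users and groups are granted roles, so the
-- OS group structure no longer decides who can read which table.
CREATE ROLE order_clerk;
CREATE ROLE app_server;
GRANT SELECT ON customers TO ROLE order_clerk;
GRANT SELECT, INSERT ON orders TO ROLE order_clerk;
GRANT SELECT ON orders TO ROLE app_server;
GRANT ROLE order_clerk TO USER alice;

-- The trusted context. A connection authenticated as APPSRV, arriving from
-- 192.0.2.10, with its data stream encrypted at least at 'HIGH' (SSL in 9.5;
-- 'LOW' means DATA_ENCRYPT) matches the context. Only a matching connection
-- receives APP_SERVER through DEFAULT ROLE; APPSRV connecting from a
-- developer workstation gets no role at all.
CREATE TRUSTED CONTEXT appsrv_ctx
  BASED UPON CONNECTION USING SYSTEM AUTHID appsrv
  ATTRIBUTES (ADDRESS '192.0.2.10', ENCRYPTION 'HIGH')
  DEFAULT ROLE app_server
  ENABLE
  WITH USE FOR alice WITH AUTHENTICATION,
               bob   WITHOUT AUTHENTICATION;

-- The application server switches the connection's user through the CLI /
-- JDBC trusted-connection reuse API, not through an SQL statement. For ALICE
-- it must present her password; for BOB it need not. Statements then run
-- under the end user's own ID, so authorization checks and audit records
-- name that user. Prefer WITH AUTHENTICATION unless the server itself has
-- verified the user: WITHOUT AUTHENTICATION lets a compromised server
-- become anyone it is allowed to switch to.

-- Catalog checks: the context itself and who may be switched to.
SELECT contextname, systemauthid, enabled, defaultcontextrole FROM SYSCAT.CONTEXTS;
SELECT trustedid, surrogateauthid, authenticate, contextrole FROM SYSCAT.SURROGATEAUTHIDS;

-- Effective table privileges for ALICE: direct grants, her roles and PUBLIC.
-- OS groups are not in the catalog, and nested roles would need one more
-- level of SYSCAT.ROLEAUTH, so treat this as a first-order view.
SELECT grantee, granteetype, tabname, selectauth, insertauth, updateauth, deleteauth
  FROM SYSCAT.TABAUTH
 WHERE tabschema = CURRENT SCHEMA
   AND (grantee IN ('ALICE', 'PUBLIC')
        OR grantee IN (SELECT rolename FROM SYSCAT.ROLEAUTH WHERE grantee = 'ALICE'));
```

The point of DEFAULT ROLE is the one the slide makes about controlling when privileges apply: the privilege is tied to the context (identity plus address plus encryption), not to the ID, so the same credentials leaked to another host buy nothing beyond what APPSRV holds directly.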
Auditing

Audit policy: a database object that specifies what categories of events are to be audited.
An audit policy can be applied to:
– a database
– a table
– a trusted context
– an authorization ID (user, role, group)
– an authority (SYSADM, SYSMAINT, SYSCTRL, SYSMON, DBADM, SECADM)
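Two audit policies and their attachments, as an added DB2 9.5 example rather than code from the slides. The policy names, the ARTIFACT table, the trusted context APPSRV_CTX, the role ORDER_CLERK, the database name SALESDB and the file paths are assumptions.

```sql
-- Run as SECADM: CREATE AUDIT POLICY and AUDIT are SECADM-only.

-- A table-level policy may use only the EXECUTE and CONTEXT categories.
-- WITH DATA also records input host-variable values, so the audit log now
-- holds the very data it watches and needs the same protection as the table.
CREATE AUDIT POLICY artifact_access
  CATEGORIES EXECUTE WITH DATA STATUS BOTH
  ERROR TYPE AUDIT;      -- if the audit record cannot be written, the statement fails

-- Privileged activity: grants/revokes, DDL, admin operations, denied
-- authorization checks and failed authentications.
CREATE AUDIT POLICY privileged_use
  CATEGORIES SECMAINT STATUS BOTH,
             OBJMAINT STATUS BOTH,
             SYSADMIN STATUS BOTH,
             CHECKING STATUS FAILURE,
             VALIDATE STATUS FAILURE
  ERROR TYPE NORMAL;     -- audit errors are ignored and the statement continues

-- Attach: a table, a trusted context, a role and three authorities.
AUDIT TABLE artifact USING POLICY artifact_access;
AUDIT TRUSTED CONTEXT appsrv_ctx USING POLICY artifact_access;
AUDIT ROLE order_clerk USING POLICY artifact_access;
AUDIT SYSADM, DBADM, SECADM USING POLICY privileged_use;

-- Each object carries at most one policy; a second USING POLICY fails, so
-- changes go through AUDIT ... REPLACE POLICY or AUDIT ... REMOVE POLICY.
SELECT auditpolicyname, objecttype, objectschema, objectname FROM SYSCAT.AUDITUSE;
SELECT auditpolicyname, executestatus, executewithdata, secmaintstatus, checkingstatus,
       validatestatus, errortype
  FROM SYSCAT.AUDITPOLICIES;

-- Records accumulate in the active audit log. Moving them to the archive and
-- to delimited files is done from the CLP (assumed database and paths):
--   db2audit flush
--   db2audit archive database SALESDB to /var/db2audit/archive
--   db2audit extract delasc to /var/db2audit/extract
--       from path /var/db2audit/archive files db2audit.db.SALESDB.log.0.*
-- The .del files load into the tables defined in sqllib/misc/db2audit.ddl,
-- after which the EXECUTE and CHECKING tables can be queried like any other.
```

The ERROR TYPE choice is a security decision, not a tuning knob: with NORMAL a full audit filesystem silently turns auditing off while the application keeps running; with AUDIT the same condition stops the audited statements, which is what a regulated table usually wants.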
DB2 Audit Management Expert
DB2 Audit Management Expert Overview

Provides centralized auditing tools that bring information from many different sources together into a correlated, coherent view.
Enables auditors to collect, view, analyze and report on existing audit logs and to save them into an audit repository.
Allows auditors to generate their own reports automatically and to export the data into other applications such as Excel spreadsheets.
DB2 Audit Management Expert (Cont.)
A powerful tool targeted at auditors, not database administrators.
With DB2 Audit Management Expert, auditors have a centralized set of tools that allow them to:
Selectively audit inserts, updates, deletes and reads in DB2 systems using automatic processes.
View all reported activity on specific DB2 objects (such as read, change and utility access).
Generate meaningful reports on the data collected in the audit repository.
Perform log analysis of collected data.
IBM Database Encryption Expert
IBM Database Encryption Expert

Offline data protection
– Encryption and/or compression of database backups
– Integrated into the backup and restore process
– Ensures privacy and compliance
Online data protection
– Flexible encryption of online database files:
  • Control files
  • Log files
  • Database tablespaces/containers (tables, indexes, LOBs, XML, etc.)
– Access control over privileged OS users' access to database files
– Ensures privacy and compliance
IBM Database Encryption Expert: centrally managed security for DB2 data files

What it covers: DB2 tables, views and indexes as they sit on disk, i.e. the online database files (tablespace containers, logs, configuration), database backup files, and data import/extract files.
• Backups: encrypts DB2 backups; audits and prevents unauthorized restores
• Online database files: selectively encrypts DB2 files; controls decryption by user and process; audits unauthorized access attempts; controls privileged OS users
• Keys: automatic key management; transparent to existing applications
Because the encryption is applied at the file level, it protects against access through the operating system, the storage layer and backup media; access through SQL by an ID that holds database privileges is still governed by DB2's own authorization, LBAC and auditing.
IBM Optim solutions
Enterprise Data Management (EDM)

Enabling high availability and integrity across all enterprise application data
Enterprise Data Challenges

Challenge | Impact
Test data creation | Quality and time of application testing; time to market
Data theft in non-production | Loss of brand equity; fines
Data retention regulations | Costs of compliance and storage; costs of audit
Optim Solution: solves business challenges

Data Growth & Archiving
– Improve performance
– Control data growth, save storage
– Support retention compliance
– Enable application retirement
– Streamline upgrades
Test Data Management
– Create targeted, right-sized test environments
– Improve application quality
– Speed iterative testing processes
Data Privacy
– Mask confidential data
– Comply with privacy policies
Power of the Optim Solution

Four solution areas (Data Growth, Data Privacy, Archive of production and history data, Test Data Management / Subsetting) sit on the Optim Relationship Engine and support Governance, Risk and Compliance across:
– applications: JD Edwards, Oracle Apps, Siebel, PeopleSoft, custom in-house, other
– databases: Oracle, SQL Server, Sybase, Informix, DB2 LUW, DB2 z/OS, more
– platforms: Windows, Solaris, HP/UX, AIX, Linux, OS/390, z/OS
IBM Optim Data Growth solutions
Optim Data Growth Solution: Archiving

Flow: current data in the production database is archived; the archive holds historical data (reporting data, historical data, reference data) and can be retrieved back into production when needed.
● A complete business object provides a historical reference snapshot of business activity
● Storage device independence enables ILM
● An immutable file format enables data retention compliance
Universal access to application data: application, XML, ODBC / JDBC
Universal Access to Data

Tiers by age of data:
– Current data (1-2 years): production database
– Active historical data (3-4 years): archive database
– Online archive (5-6 years): non-DBMS retention platform (ATA file server, IBM RS550, EMC Centera, HDS)
– Offline archive (7+ years): offline retention platform (CD, tape, optical)
Archive moves data down the tiers; restore brings it back.
Application-independent access to archived data: report writer, XML, ODBC / JDBC, native application
IBM Optim Data Privacy solutions
Optim™ Data Privacy Solution

Flow: production systems (EBS / Oracle, Custom / Sybase, Siebel / DB2) pass through contextual, application-aware, persistent data masking into the matching test systems (EBS / Oracle, Custom / Sybase, Siebel / DB2).
● Substitute confidential information with fictionalized data
● Deploy multiple masking algorithms
● Provide consistency across environments and iterations
● Enable off-shore testing
● Protect private data in non-production environments
Optim Test Data Solution

● Create targeted, “right-sized” subsets faster and more efficiently than cloning
● Easily refresh, reset and maintain test environments
● Compare data to pinpoint and resolve application defects faster
● Accelerate release schedules
Flow: production (or a production clone) is extracted to extract files, loaded (insert / update) into the Dev, QA and Test environments, and compared against them.
Optim Data Privacy: de-identifying test data

Flow: production data is extracted and masked in one step to produce masked test data.
Transform or mask sensitive data using:
– Standard rules: literals, special registers, expressions, default values, look-up tables
– Intelligent transformation rules: PCI (card numbers), addresses, etc.
– Custom mapping rules: user exits
First Name and Last Name Data Sets

1) The client is a university that wishes to mask the first and last name fields in its admissions database.
2) Optim ships a first-name lookup table with over 5,000 male/female names and a last-name lookup table with over 80,000 names.
3) The lookup tables are used to randomly replace first and last names.

First Name Lookup Table: Stacey, Dave, Danielle, Bob, John
Last Name Lookup Table: Reese, Howell, Kline, Nelson, Newton

Production Database
First Name | Last Name | GPA | High School | Advisor | State
Paul | Smith | 3.2 | Princeton | Johnson | NJ
Kate | Jones | 2.7 | Albany | Kline | NY

Test Database
First Name | Last Name | GPA | High School | Advisor | State
Stacey | Nelson | 3.2 | Princeton | Johnson | NJ
Dave | Reese | 2.7 | Albany | Kline | NY

Only the columns named in the rule are masked: the Advisor column still carries real names and would need a rule of its own.
Intelligent Masking Capability

Production database (data before masking)
F. Name | L. Name | Credit Card# | SSN#
Vanessa | Jones | 4324115574123654 | 154-74-7788
John | Denver | 5298774132478855 | 254-77-6644

Test database (data after masking, with valid credit card numbers and SSNs)
F. Name | L. Name | Credit Card# | SSN#
Vanessa | Jones | 4972584612457744 | 154-74-7788
John | Denver | 5326458711224956 | 854-77-6644

How are these numbers valid?
For credit card numbers: most credit card numbers carry a check digit. A check digit is a digit added to a number (at the end or the beginning) that lets the number be checked for entry and transcription errors. A simple algorithm applied to the other digits of the number yields the check digit, so a masked number must be generated with the same algorithm or applications will reject it.
For Social Security Numbers: an SSN consists of nine digits. The first three digits are the "area number", the central two-digit field is the "group number" and the final four-digit field is the "serial number". Each field of a masked number must fit the latest available criteria for that field.
Propagating Masked Data

● Key propagation: propagate masked values in the primary key to all related tables; necessary to maintain referential integrity.

Customers Table
Cust ID | Name | Street
08054 | Alice Bennett | 2 Park Blvd
19101 | Carl Davis | 258 Main
27645 | Elliot Flynn | 96 Avenue

Orders Table
Cust ID | Item # | Order Date
27645 | 80-2382 | 20 June 2004
27645 | 86-4538 | 10 October 2005
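The three masking techniques of the last slides (lookup-table substitution, check-digit-valid card numbers and SSNs, and key propagation) in one added DB2 SQL extract-and-mask flow. This is not Optim's code or the slides' own; the schemas PROD and TEST, the lookup tables, CUSTID_MAP, LUHN_CHECK_DIGIT and the multipliers are assumptions, and the rows are constructed from the slide data. The check-digit routine is the Luhn algorithm (ISO/IEC 7812), which is the one payment card numbers use.

```sql
-- Statement terminator is @ because the function body contains semicolons:
--   db2 -td@ -f mask_example.sql
-- PROD.*, TEST.*, the lookup tables, CUSTID_MAP and LUHN_CHECK_DIGIT are
-- assumed names; the sample rows are constructed from the slides.
CREATE TABLE prod.customers (cust_id CHAR(5) NOT NULL PRIMARY KEY,
  first_name VARCHAR(30) NOT NULL, last_name VARCHAR(30) NOT NULL,
  street VARCHAR(40), card_no CHAR(16), ssn CHAR(11))@
CREATE TABLE prod.orders (cust_id CHAR(5) NOT NULL REFERENCES prod.customers,
  item_no CHAR(7), order_date DATE)@
INSERT INTO prod.customers VALUES
  ('08054', 'Alice',  'Bennett', '2 Park Blvd', '4324115574123654', '154-74-7788'),
  ('19101', 'Carl',   'Davis',   '258 Main',    '5298774132478855', '254-77-6644'),
  ('27645', 'Elliot', 'Flynn',   '96 Avenue',   '4012888888881881', '321-45-6789')@
INSERT INTO prod.orders VALUES ('27645', '80-2382', '2004-06-20'),
                               ('27645', '86-4538', '2005-10-10')@

-- 1) Lookup tables with dense ids 0..n-1. A row is chosen with MOD() of the
--    production key, so the same customer gets the same fictitious name on
--    every extract (consistency across iterations), which RAND() would not give.
CREATE TABLE first_name_lookup (id INTEGER NOT NULL PRIMARY KEY, name VARCHAR(30) NOT NULL)@
CREATE TABLE last_name_lookup  (id INTEGER NOT NULL PRIMARY KEY, name VARCHAR(30) NOT NULL)@
INSERT INTO first_name_lookup VALUES (0,'Stacey'),(1,'Dave'),(2,'Danielle'),(3,'Bob'),(4,'John')@
INSERT INTO last_name_lookup  VALUES (0,'Reese'),(1,'Howell'),(2,'Kline'),(3,'Nelson'),(4,'Newton')@

-- 2) Luhn check digit for a card body that lacks its final digit.
CREATE FUNCTION luhn_check_digit (p_body VARCHAR(18))
  RETURNS CHAR(1)
  DETERMINISTIC NO EXTERNAL ACTION CONTAINS SQL
  BEGIN ATOMIC
    DECLARE v_sum, v_pos, v_digit INTEGER DEFAULT 0;
    DECLARE v_double INTEGER DEFAULT 1;      -- rightmost body digit is doubled
    SET v_pos = LENGTH(p_body);
    WHILE v_pos >= 1 DO
      SET v_digit = INTEGER(SUBSTR(p_body, v_pos, 1));
      IF v_double = 1 THEN
        SET v_digit = v_digit * 2;
        IF v_digit > 9 THEN SET v_digit = v_digit - 9; END IF;
      END IF;
      SET v_sum = v_sum + v_digit;
      SET v_double = 1 - v_double;
      SET v_pos = v_pos - 1;
    END WHILE;
    RETURN SUBSTR('0123456789', MOD(10 - MOD(v_sum, 10), 10) + 1, 1);
  END@

-- 3) Old->new key map, built once from the parent table. UNIQUE makes a
--    collision between two masked ids fail the run instead of silently
--    merging two customers' orders.
CREATE TABLE custid_map (old_id CHAR(5) NOT NULL PRIMARY KEY,
                         new_id CHAR(5) NOT NULL UNIQUE)@
INSERT INTO custid_map
  SELECT cust_id, SUBSTR(DIGITS(MOD(INTEGER(cust_id) * 7919, 100000)), 6, 5)
    FROM prod.customers@

-- Extract and mask. Card: keep the 6-digit issuer prefix, derive 9 digits
-- from the key, append the check digit. SSN: keep the area number, derive a
-- group in 01-99 and a serial in 0001-9999 (00 and 0000 are never assigned).
-- CREATE TABLE ... LIKE copies columns only, not the foreign key.
CREATE TABLE test.customers LIKE prod.customers@
CREATE TABLE test.orders    LIKE prod.orders@
INSERT INTO test.customers
  WITH pick AS (
    SELECT c.cust_id, c.street, c.ssn, m.new_id,
           MOD(INTEGER(c.cust_id),     (SELECT COUNT(*) FROM first_name_lookup)) AS fn_id,
           MOD(INTEGER(c.cust_id) / 7, (SELECT COUNT(*) FROM last_name_lookup))  AS ln_id,
           SUBSTR(c.card_no, 1, 6) || SUBSTR(DIGITS(INTEGER(c.cust_id) * 7919), 2, 9) AS card_body
      FROM prod.customers c JOIN custid_map m ON m.old_id = c.cust_id)
  SELECT p.new_id, fn.name, ln.name, p.street,
         p.card_body || luhn_check_digit(p.card_body),
         SUBSTR(p.ssn, 1, 3) || '-'
           || SUBSTR(DIGITS(MOD(INTEGER(p.cust_id) * 31, 99) + 1), 9, 2) || '-'
           || SUBSTR(DIGITS(MOD(INTEGER(p.cust_id) * 101, 9999) + 1), 7, 4)
    FROM pick p
    JOIN first_name_lookup fn ON fn.id = p.fn_id
    JOIN last_name_lookup  ln ON ln.id = p.ln_id@

-- Child rows take the propagated key from the same map, never a fresh value.
INSERT INTO test.orders
  SELECT m.new_id, o.item_no, o.order_date
    FROM prod.orders o JOIN custid_map m ON m.old_id = o.cust_id@

-- Checks before the test copy leaves the building: no orphaned orders, and
-- no production card number or SSN survived the masking step.
SELECT COUNT(*) AS orphans FROM test.orders o
 WHERE NOT EXISTS (SELECT 1 FROM test.customers c WHERE c.cust_id = o.cust_id)@
SELECT COUNT(*) AS leaked FROM test.customers t
 WHERE EXISTS (SELECT 1 FROM prod.customers p WHERE p.card_no = t.card_no OR p.ssn = t.ssn)@
```

Masking is applied during the extract into the TEST schema rather than by updating PROD in place, which is also why the foreign key never gets in the way: parent and child rows are both written with the already-mapped key. Deriving the replacement digits from the production key keeps masked values stable across refreshes, but the multipliers are not a secret; anyone who knows them can walk the mapping backwards, so the map table and the derivation belong with the production side, not in the test environment.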