
IBM Security Guardium Tech Talk

Dynamic data privacy using Guardium finegrained access control


Sundari Voruganti, IBM
QA Lead and Solution Architect
Takahiro Shiraiwa, IBM
Software Engineer
Kathy Zeidenstein, IBM
Guardium Evangelist and Community Advocate
2016 IBM Corporation

Upcoming Tech Talk

Next tech talk: DB2 for i data security and compliance: Powered by IBM Security Guardium
Speaker: Scott Forstie, DB2 for i Business Architect
Date and time: Thursday, March 17th, 12:00 PM US Eastern, 9:00 AM US Pacific
Register here: http://ibm.biz/GTechIBMi

2015 IBM Corporation

Agenda

Guardium overview
Why fine-grained access control?
Architecture
Defining the rewrite definitions
Policy considerations
Demo


Guardium Uses Intelligence and Automation to Safeguard Data

ANALYZE: automatically discover critical data and uncover risk
PROTECT: complete protection for sensitive data, including compliance automation
ADAPT: seamlessly handle changes within your IT environment

ANALYZE. PROTECT. ADAPT.

Discovery, classification, vulnerability assessment, entitlement management
Encryption, masking, and redaction
Data and file activity monitoring
Dynamic blocking and masking, alerts, and quarantine
Compliance automation and auditing
Analytics

Why Fine-grained Access Control?

Preventing exposure of sensitive or private data to people who should not be able or allowed to see that data
Meeting compliance and legal requirements and avoiding penalties
Making the best use of existing applications in new business environments while still maintaining control of sensitive and private data
Keeping company assets and data under control
Enhancing or complementing the access controls in the database
Curtailing the power of privileged users, while still providing partial access to information

Guardium for Fine-grained Access Control Use Cases

Protect sensitive and critical data without impacting your business.

Outsourcing production DB access: need to open up the production DB without affecting DB access controls or compromising private information.

Protect PII from privileged users (insiders such as employees, contractors, business partners, administrators): need to enforce access to PII to comply with PCI and HIPAA, and keep track of who requested masked data.

Real-time application testing (non-production): need to transform data (anonymization) without affecting application logic, while protecting the privacy of the original data.

Create a honey pot to track attackers: provide fictitious data to possible attackers to allow time for investigation.

At Its Essence

Column-level masking (only dept#): the rewritten query returns only the department number column.
Row-level masking (only dept #20): the rewritten query returns only the rows for department 20.

Databases supported: Oracle, MS SQL, DB2 (Linux/UNIX)

Available with IBM Security Guardium Activity Monitor Advanced Edition V10

Making It Work: High Level

1. Create query rewrite definitions to tell Guardium how to change or augment queries dynamically after the query leaves the client and before it gets to the database server.
2. Specify the runtime context in which the replacement or augmentation occurs, using policy rules.

Example: the policy rule "change salary to vsalary when Joe issues the query" is matched against the session attributes (DB user: Joe, client IP: 10.10.123.3). When it matches, the query rewrite definition turns the original SQL

Select * from salary

into the modified SQL

Select * from vsalary

IBM Confidential

Workflow Example

1. Create the query rewrite definition (in this example, one that adds a predicate).
2. Create and install the security policy: when database type = Oracle and User = Joe and Object = Customer, then apply the definition.
3. Joe queries the Customer table.
4. The predicate is applied to Joe's query before it reaches the database.

Fine-grained Access Control Architecture

1. The user (DB user DB2INST) issues SQL: Select * from Employee
2. S-TAP holds the SQL while the policy rules are checked for matching conditions.
3. If the conditions are met, the Guardium collector rewrites the query and sends it to S-TAP. Policy checked: when DBuser=DB2INST and Object=Employee, apply the query rewrite definition.
4. S-TAP releases the rewritten query to the database server: Select EMPNO, FRSTNAME, LASTNAME From EMPLOYEE
5. The results of the rewritten SQL are sent back to the user.

S-TAP configuration (guard_tap.ini):
qrw_installed=1
qrw_default_state=0
qrw_force_watch=NULL
qrw_force_unwatch=NULL
Firewall_timeout=10

Rule actions: query rewrite attach, query rewrite apply definition, query rewrite detach

What can be rewritten?

Rewrite parts of a query precisely, based on the fine-grained SQL structure:

add an additional where clause
rewrite the whole select list
rewrite specific fields in the select list
replace fields in various SQL clauses: where, group by, order by, etc.
replace commands
replace objects
replace the whole SQL statement at the specified levels

Rewrite the query dynamically based on the session (connection) attributes.

Understanding the Query Rewrite Builder

Admin users access the Query Rewrite Builder via Protect > Security Policies > Query Rewrite Builder. The builder lists the existing query rewrite definitions, lets you test model queries, rewrite the parsed model, and review the changed elements.

Query Rewrite Definition Basics

In the UI, you use model queries, which Guardium parses and translates to create query rewrite definitions, which are semantic templates.

1. You enter the following model query (the select list is not shown on the slide):
   SELECT ... From Salary
2. You change it to:
   SELECT ... From VSalary
3. The query rewrite definition created by Guardium:

   Element | From   | To      | Level
   Object  | Salary | VSalary |

4. With no additional runtime context from the policy, you may not get what you expect at runtime. The definition is a template keyed on the element's position in the parsed statement, so it is applied to any statement that has an object in that position, whatever the object is called and whatever the command is:

   Test query                                               | Rewritten query
   Select Base_salary, Bonus from Salary                    | Select Base_salary, Bonus from VSalary
   Select Base_salary, Bonus from Hello                     | Select Base_salary, Bonus from VSalary
   Create table Salary                                      | Create table VSalary
   Create table Hello                                       | Create table VSalary
   Update Salary set Base_salary=:hv                        | Update VSalary set Base_salary=:hv
   Update Salary set Base_salary=:hv where salary.empno=:hv | Update VSalary set Base_salary=:hv where VSalary.empno=:hv
   Delete from Salary where salary.empno=1                  | Delete from VSalary where VSalary.empno=1
   Insert into Salary values (1, 2, 3)                      | Insert into VSalary values (1, 2, 3)


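The following is an added example, not code from the slides or from Guardium: a toy rewriter that models the three kinds of definition the "What can be rewritten?" slide lists (replace an object, add a where clause, rewrite the select list) and reproduces the table above. Treating a definition as positional rather than as a literal name match, and using regular expressions instead of a parsed SQL model, are both assumptions made to keep the example self-contained. The MASK_DEPT20 definitions correspond to the column-level and row-level masking on the "At Its Essence" slide.

```python
"""Toy model of Guardium-style query rewrite definitions (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Keywords after which a table reference appears in the statement types the
# slide tests (SELECT, CREATE TABLE, UPDATE, DELETE, INSERT). Assumed shape.
_OBJECT_RE = re.compile(r"\b(?:from|into|update|table|join)\s+([A-Za-z_]\w*)", re.I)
_SELECT_LIST_RE = re.compile(r"^(\s*select\s+)(.*?)(\s+from\b)", re.I | re.S)


@dataclass(frozen=True)
class RewriteDefinition:
    element: str   # "Object", "Predicate" or "SelectList"
    to_value: str  # replacement object name, predicate text or select list


def verb(sql: str) -> str:
    """First keyword of the statement, upper-cased (SELECT, UPDATE, ...)."""
    return sql.strip().split(None, 1)[0].upper()


def first_object(sql: str):
    """Name of the first table the statement references, or None."""
    m = _OBJECT_RE.search(sql)
    return m.group(1) if m else None


def apply_definition(sql: str, d: RewriteDefinition) -> str:
    """Apply one definition to one statement and return the new text."""
    if d.element == "Object":
        # Positional: whatever object sits in the table position is replaced,
        # which is why 'Hello' becomes VSalary too. Column qualifiers that
        # used the old name (salary.empno) are rewritten with it.
        old = first_object(sql)
        if old is None:
            return sql
        return re.sub(rf"\b{re.escape(old)}\b", d.to_value, sql, flags=re.I)
    if d.element == "Predicate":
        # Row-level masking: AND the predicate onto SELECT/UPDATE/DELETE only.
        if verb(sql) not in ("SELECT", "UPDATE", "DELETE"):
            return sql
        stripped = sql.rstrip().rstrip(";")
        joiner = " AND " if re.search(r"\bwhere\b", stripped, re.I) else " WHERE "
        return f"{stripped}{joiner}({d.to_value})"
    if d.element == "SelectList":
        # Column-level masking: replace everything between SELECT and FROM.
        if verb(sql) != "SELECT":
            return sql
        return _SELECT_LIST_RE.sub(lambda m: m.group(1) + d.to_value + m.group(3),
                                   sql, count=1)
    raise ValueError(f"unknown element {d.element!r}")


def rewrite(sql: str, definitions: List[RewriteDefinition]) -> str:
    """Apply a list of definitions in order, as one stored definition would."""
    for d in definitions:
        sql = apply_definition(sql, d)
    return sql


# The slide's experiment: one Object definition and no policy context.
OBJECT_ONLY = [RewriteDefinition("Object", "VSalary")]

# Column-level (only dept#) and row-level (only dept #20) masking together.
MASK_DEPT20 = [
    RewriteDefinition("SelectList", "deptno"),
    RewriteDefinition("Predicate", "deptno = 20"),
]

if __name__ == "__main__":
    for q in ["Select Base_salary, Bonus from Salary",
              "Select Base_salary, Bonus from Hello",
              "Create table Hello",
              "Delete from Salary where salary.empno=1",
              "Insert into Salary values (1, 2, 3)"]:
        print(f"{q:45} -> {rewrite(q, OBJECT_ONLY)}")
    print(rewrite("SELECT * FROM employee WHERE empno = 10", MASK_DEPT20))
```

Running the block prints the unscoped object rewrite hitting CREATE, DELETE and INSERT as well as the intended SELECT, which is the reason the next slide puts verb, object and user conditions into the policy rather than into the definition. The predicate rewrite only parenthesizes the added condition; a text-level rewriter that met an existing WHERE containing OR would need to parenthesize that too, which is one reason the product rewrites on the parsed structure rather than on the text.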

Policy Builder: define the policy and the definitions to apply

A rule with action QUERY REWRITE: ATTACH. Its conditions indicate when to start watching. Attachment happens at session level, but the conditions can be based on the user.

A rule with action QUERY REWRITE: APPLY DEFINITION rewrites the query according to the stored query rewrite definition before passing it to the database.

Optionally, an access rule with action QUERY REWRITE: DETACH, if you want to deactivate query rewrite before the end of the session.

guard_tap.ini:
qrw_installed=1
qrw_default_state=0
qrw_force_watch=NULL
qrw_force_unwatch=NULL
Firewall_timeout=10

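As an added example (not Guardium code), the following models how the three rule actions above gate a rewrite over one client session, including the deployment-tip caveat that SQL executed inside a stored procedure never crosses the client/server link and so cannot be rewritten. Assumptions made here, not stated on the slides: ATTACH is evaluated once from the session attributes (DB user, client IP); APPLY DEFINITION and DETACH are evaluated per statement in rule order; qrw_default_state=0 is read as "a session is not watched until a rule attaches it"; and employee_minimal is a one-function stand-in for the stored definition shown on the architecture slide.

```python
"""Toy model of policy-scoped query rewrite over a session (added example)."""
import re
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple

ATTACH, APPLY, DETACH = "ATTACH", "APPLY DEFINITION", "DETACH"
ANY: FrozenSet[str] = frozenset()  # empty condition set = no constraint
_OBJECT_RE = re.compile(r"\b(?:from|into|update|table|join)\s+([A-Za-z_]\w*)", re.I)


@dataclass(frozen=True)
class Session:
    db_user: str
    client_ip: str


@dataclass(frozen=True)
class Rule:
    action: str
    db_users: FrozenSet[str] = ANY
    client_ips: FrozenSet[str] = ANY
    verbs: FrozenSet[str] = ANY        # statement conditions; ATTACH ignores
    objects: FrozenSet[str] = ANY      # them (session level, per the slide)
    definition: Optional[Callable[[str], str]] = None  # APPLY only


def verb(sql: str) -> str:
    return sql.strip().split(None, 1)[0].upper()


def first_object(sql: str) -> Optional[str]:
    m = _OBJECT_RE.search(sql)
    return m.group(1).upper() if m else None


def session_matches(rule: Rule, s: Session) -> bool:
    return ((not rule.db_users or s.db_user.upper() in rule.db_users)
            and (not rule.client_ips or s.client_ip in rule.client_ips))


def statement_matches(rule: Rule, s: Session, sql: str) -> bool:
    if not session_matches(rule, s):
        return False
    if rule.verbs and verb(sql) not in rule.verbs:
        return False
    obj = first_object(sql)
    return not rule.objects or (obj is not None and obj in rule.objects)


class StapSession:
    """One client connection as S-TAP sees it: hold each statement, consult
    the policy, then release the original or the rewritten SQL."""

    def __init__(self, session: Session, policy: List[Rule]) -> None:
        self.session, self.policy = session, policy
        # qrw_default_state=0 (assumed meaning): unwatched until ATTACH matches.
        self.attached = any(r.action == ATTACH and session_matches(r, session)
                            for r in policy)

    def submit(self, sql: str) -> str:
        for rule in self.policy:
            if rule.action == ATTACH or not statement_matches(rule, self.session, sql):
                continue
            if rule.action == DETACH:
                self.attached = False
            elif rule.action == APPLY and self.attached:
                return rule.definition(sql)
        return sql


def run_session(session: Session, statements: List[str],
                policy: List[Rule]) -> List[Tuple[str, str]]:
    stap = StapSession(session, policy)
    return [(sql, stap.submit(sql)) for sql in statements]


def employee_minimal(sql: str) -> str:
    """Stand-in for the stored definition on the architecture slide."""
    return re.sub(r"^\s*select\s+\*\s+from\s+employee\b",
                  "SELECT EMPNO, FRSTNAME, LASTNAME FROM EMPLOYEE", sql, flags=re.I)


POLICY = [
    Rule(ATTACH, db_users=frozenset({"DB2INST"})),
    Rule(APPLY, verbs=frozenset({"SELECT"}), objects=frozenset({"EMPLOYEE"}),
         definition=employee_minimal),
    # Arbitrary trigger chosen for the example: stop watching after a COMMIT.
    Rule(DETACH, verbs=frozenset({"COMMIT"})),
]

if __name__ == "__main__":
    stream = ["SELECT * FROM EMPLOYEE",
              "SELECT * FROM DEPARTMENT",  # object condition not met
              "CALL GET_EMPLOYEES()",      # SELECTs inside the procedure never cross the wire
              "COMMIT",                    # DETACH rule fires
              "SELECT * FROM EMPLOYEE"]    # session no longer watched
    for user in ("DB2INST", "APPUSER"):
        print(f"-- {user}")
        for sql, released in run_session(Session(user, "10.10.123.3"), stream, POLICY):
            print(f"{sql:26} -> {released}")
```

The two sessions show the point of the slide: the APPLY rule matches the same SELECT for both users, but only the session that an ATTACH rule has started watching is rewritten, and after DETACH the rest of DB2INST's session passes through untouched. The CALL line is the deployment-tip caveat: S-TAP only sees the statement text on the wire, so a SELECT against EMPLOYEE that runs inside the procedure is never presented to the policy.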

Use Case: Multi-Tenancy Scenario

Enforcing security in multi-tenancy scenarios where multiple users and applications share a single database, but not all users and applications should have access to all data.

Display data based on run-time parameters such as the user
Enhance existing DB access controls

Before: everyone can see everything
After: TSHIRAI cannot see name or birth day/month
After: ADMIN cannot see name

Use Case: Production Database for Testing

Exposing a production database for testing purposes without exposing the entire database.

The query rewrite report shows the actual runtime effect.

Before: all values in the database are displayed
After: some fields are redacted and masked

Deployment tips

Ensure that the policy for fine-grained access control does not catch online/high-traffic applications.
qrw_installed and firewall_installed cannot be used on the same set of IPs.
Ensure the policy names the object/verb that you want to trigger the rewrite.
Fine-grained access control works on the traffic between client and server, so it will not rewrite SQL that runs inside database procedures.
Use grdapi for automation and to create definitions that support more complex rewrite use cases.

Demo
Takahiro Shiraiwa


Workflow

1. Create query rewrite definitions based on what you want to control (Query Rewrite Builder): restrict columns, restrict rows, limit what users can do, restrict what users can access, completely replace part or all of a query.
2. Test the query rewrite definitions with real test queries (Query Rewrite Builder). Note that you will likely need to use policies to fine-tune the behavior.
3. Determine the conditions in which to rewrite the query (Policy Builder): specific users, client IPs, objects, commands?
4. Validate the runtime effect in a QA environment (query rewrite report).

Protect the need to know with Fine-grained Access Control

Augment or replace existing database controls for data privacy
No database changes required
Powerful and flexible capability to customize database access behavior
Testing and runtime tools available

Dynamically rewrite your query

Q&A


Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

THANK YOU
www.ibm.com/security

Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBMs sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.

Grdapi overview


Learn more about IBM Security

TOP 3 enterprise security software vendor in total revenue
20 industry analyst reports rank IBM Security as a LEADER
133 countries where IBM delivers managed security services
10K clients protected, including 24 of the top 33 banks in Japan, North America, and Australia

Visit our web page: IBM.com/Security
Watch our videos: IBM Security YouTube Channel
Read new blog posts: SecurityIntelligence.com
Follow us on Twitter: @ibmsecurity

Backup

Resources

What's New in Guardium V10 Technical Article