Agenda
- Guardium overview
- Why fine-grained access control?
- Architecture
- Defining the rewrite definitions
- Policy considerations
- Demo
ANALYZE: Automatically discover critical data and uncover risk
ADAPT: Seamlessly handle changes within your IT environment
PROTECT: Complete protection for sensitive data, including compliance automation
- Discovery, classification, vulnerability assessment, entitlement management
- Encryption, masking, and redaction
- Data and file activity monitoring
- Dynamic blocking and masking, alerts, and quarantine
- Compliance automation and auditing
ANALYTICS
2015 IBM Corporation
Use cases
- Outsourcing production DB access: need to open up the production DB without affecting DB access controls or compromising private information.
- Need to enforce access to PII to comply with PCI and HIPAA, and keep track of who requested masked data.
- Real-time application testing (non-production): need to transform data (anonymization) without affecting application logic, while protecting the privacy of the original data.
- Create a honey pot to track attackers.
At Its Essence
Databases supported: Oracle, MS SQL, DB2 (Linux/UNIX)
Original SQL (DBuser: Joe, Clientip: 10.10.123.3):
Select * from salary
Policy rules and query rewrite definitions: change salary to vsalary when Joe issues the query.
Modified SQL:
Select * from vsalary
IBM Confidential
Workflow Example
Adding a predicate
Predicate applied
guard_tap.ini settings used in the example:
qrw_installed=1
qrw_default_state=0
qrw_force_watch=NULL
qrw_force_unwatch=NULL
Firewall_timeout=10
Flow shown in the diagram: DB2INST issues "Select * from Employee"; the S-TAP on the database server sees the statement and passes it to the Guardium Collector; the Collector returns the rewritten SQL; the rewritten statement "Select EMPNO, FRSTNAME, LASTNAME From EMPLOYEE" runs against the database; the results of the rewritten SQL are returned to the client.
Changed elements
Test query: From Salary
Rewritten query: From VSalary
2. You change it to SELECT
Element definition:
From: Salary
To: VSalary
Level: Object
4. With no additional runtime context from the policy, you may not get what you expect at runtime.
A rule with QUERY REWRITE: ATTACH. Its conditions indicate when to start watching; this is applied at the session level but could be based on the user.
Possibly an access rule with QUERY REWRITE: DETACH, if you want to deactivate query rewrite before the end of the session.
Guard_tap.ini:
qrw_installed=1
qrw_default_state=0
qrw_force_watch=NULL
qrw_force_unwatch=NULL
Firewall_timeout=10
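The session-scoped behaviour described on these slides (an ATTACH condition starts watching a session, a DETACH rule stops it, and rewrite definitions change an object, a column list or add a predicate), modelled as a small Python simulation. This is an added teaching example, not Guardium code and not how the S-TAP or Collector is implemented; the class names RewriteEngine, AttachRule, RewriteDefinition and Session, the user "ann" and the predicate WORKDEPT = 'A00' are constructed for the example. The Joe / 10.10.123.3 / salary-to-vsalary and DB2INST / Employee cases are the ones the slides show.

```python
"""Toy model of session-scoped SQL query rewriting.

Constructed teaching example only. It is NOT Guardium code and does not
reproduce the S-TAP or policy engine. Class names, the user "ann" and the
WORKDEPT predicate are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AttachRule:
    """Condition that starts watching a session (the ATTACH rule)."""
    db_user: str
    client_ip: Optional[str] = None  # None means any client IP

    def matches(self, session: "Session") -> bool:
        if session.db_user.lower() != self.db_user.lower():
            return False
        return self.client_ip is None or self.client_ip == session.client_ip


@dataclass
class RewriteDefinition:
    """One rewrite definition: which object it applies to and what changes."""
    level: str  # "Object" (rename), "Columns" (replace *), or "Predicate" (row filter)
    obj: str    # ORIGINAL object (table) name the definition is keyed on
    to: str     # new object name, explicit column list, or predicate text


@dataclass
class Session:
    db_user: str
    client_ip: str
    watching: bool = False   # set by ATTACH
    detached: bool = False   # set by DETACH so ATTACH does not re-fire


def _mentions(sql: str, obj: str) -> bool:
    """True if the statement references the object name as a whole word."""
    return re.search(rf"\b{re.escape(obj)}\b", sql, re.IGNORECASE) is not None


def _add_predicate(sql: str, predicate: str) -> str:
    """Append a row filter, ANDing it onto an existing WHERE clause.
    Simplification: assumes nothing (ORDER BY, GROUP BY) follows the WHERE."""
    if re.search(r"\bwhere\b", sql, re.IGNORECASE):
        return re.sub(
            r"\bwhere\b\s*(.*)$",
            lambda m: f"WHERE ({m.group(1).rstrip().rstrip(';')}) AND ({predicate})",
            sql, count=1, flags=re.IGNORECASE | re.DOTALL)
    return f"{sql.rstrip().rstrip(';')} WHERE {predicate}"


class RewriteEngine:
    def __init__(self, attach_rules: List[AttachRule], definitions: List[RewriteDefinition]):
        self.attach_rules = list(attach_rules)
        self.definitions = list(definitions)

    def on_statement(self, session: Session, sql: str) -> str:
        """Called for every statement seen between client and server."""
        if not session.watching and not session.detached:
            if any(r.matches(session) for r in self.attach_rules):
                session.watching = True  # ATTACH: watch for the rest of the session
        if not session.watching:
            return sql
        return self.rewrite(sql)

    def detach(self, session: Session) -> None:
        """DETACH: stop rewriting before the session ends."""
        session.watching = False
        session.detached = True

    def rewrite(self, sql: str) -> str:
        # Definitions are keyed on the original object name, so renames run last.
        for d in self.definitions:
            if d.level == "Columns" and _mentions(sql, d.obj):
                sql = re.sub(r"select\s+\*", f"SELECT {d.to}", sql, count=1, flags=re.IGNORECASE)
        for d in self.definitions:
            if d.level == "Predicate" and _mentions(sql, d.obj):
                sql = _add_predicate(sql, d.to)
        for d in self.definitions:
            if d.level == "Object":
                # Whole-word substitution: cannot tell a table from a column of the same name.
                sql = re.sub(rf"\b{re.escape(d.obj)}\b", d.to, sql, flags=re.IGNORECASE)
        return sql


def build_engine() -> RewriteEngine:
    """Policy from the slides plus one constructed row-restriction definition."""
    return RewriteEngine(
        attach_rules=[AttachRule("Joe", "10.10.123.3"), AttachRule("DB2INST")],
        definitions=[
            RewriteDefinition("Object", "Salary", "vsalary"),
            RewriteDefinition("Columns", "Employee", "EMPNO, FRSTNAME, LASTNAME"),
            RewriteDefinition("Predicate", "Employee", "WORKDEPT = 'A00'"),  # constructed
        ],
    )


if __name__ == "__main__":
    engine = build_engine()
    joe = Session("Joe", "10.10.123.3")
    print(engine.on_statement(joe, "Select * from salary"))
    engine.detach(joe)
    print(engine.on_statement(joe, "Select * from salary"))
```

The model makes the session semantics visible: a user that no ATTACH rule matches is never rewritten, a matched session stays watched for every later statement until DETACH, and definitions are applied on the original object name. The Object rename is a deliberately crude whole-word substitution, which is one way a definition can produce a rewrite you did not expect when it is evaluated without the runtime context the policy supplies.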
Deployment tips
- Ensure that the policy for fine-grained access control does not catch online/high-traffic applications.
- qrw_installed and firewall_installed cannot be used on the same set of IPs.
- Ensure the rule contains the object/verb that you want to trigger the rewrite.
- Fine-grained access control works on traffic between client and server, so it will not work on database procedures.
- Use grdapis for automation and to create definitions that support more complex rewrite use cases.
Demo
Takahiro Shiraiwa
Workflow
Create query definitions based on what you want to control:
- Restrict columns
- Restrict rows
- Limit what users can do
- Restrict what a user can access
- Completely replace part or all of a query
Tools used: Query Rewrite Builder, Policy Builder, Query rewrite report
Q&A
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks
on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access.
IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other
systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE
IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.
THANK YOU
www.ibm.com/security
Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any
kind, express or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor
shall have the effect of, creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use
of IBM software. References in these materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or
capabilities referenced in these materials may change at any time at IBM's sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product
or feature availability in any way. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries
or both. Other company, product, or service names may be trademarks or service marks of others.
Grdapi overview
Backup
Resources