
IBM Security Systems

Encryption is Fundamental: A Technical Overview of Guardium Data Encryption

2013 IBM Corporation

Introducing IBM InfoSphere Guardium Data Encryption

Ensure compliance and protect enterprise data with encryption

Protect sensitive enterprise information and avoid data

Data Encryption
- Minimize impact to production
- Enforce separation of duties by keeping security and data administration separate
- Meet government and industry regulations (e.g. PCI-DSS)

- Protect data from misuse
- Satisfy compliance requirements, including proactive separation of duties
- Scale to protect structured and unstructured data across heterogeneous environments without enterprise changes


InfoSphere Guardium Data Encryption Value Proposition:
Continuously restrict access to sensitive data, including databases, data warehouses, big data environments and file shares, to:
1. Prevent data breaches
   Prevent disclosure or leakage of sensitive data
2. Ensure the integrity of sensitive data
   Prevent unauthorized changes to data, database structures, configuration files and logs
3. Reduce cost of compliance
   Automate and centralize controls
   o Across diverse regulations, such as PCI DSS, data privacy regulations, HIPAA/HITECH etc.
   o Across heterogeneous environments such as databases, applications, data warehouses and Big Data platforms like Hadoop
4. Protect data in an efficient, scalable, and cost-effective
   Increase operational efficiency
   No degradation of infrastructure or business processes


Guardium Data Encryption Use Cases: Big Picture

Data Files
- Usage: Sensitive data used by systems and end users, touched by privileged users (DBAs). Activity Monitoring requirement for separation of duties and consistent audit policy. Also: Encrypt Tablespace, Log, and other Data files at File System to protect against System OS privileged user cred
- Common Databases: DB2, Informix, Oracle, MSSQL, Sybase, MySQL

Unstructured Data
- Usage: Monitor WHO is touching the files and for WHAT purpose.
- Usage: Encrypt and Control access to any type of data used by LUW server
- Common Data Types: Logs, Reports, Images, ETL, Audio/Video Recordings, Documents, Big Data
- Examples: FileNet, Documentum, Nice, Hadoop, Home Grown, etc.

Cloud
- Usage: Monitor and know WHO is touching your data stored in the cloud and for WHAT purpose
- Usage: Encrypt and Control Access to data used by Cloud Instances
- Common Cloud Providers: IBM, Amazon EC2, Rackspace, MS Azure


GDE File/Table/Volume based Encryption

Data Security Manager
- Authentication/Authorization
- Centralized Key Management
- Policy Decision Point
- Highly Available
- Rules-Policy Engine
- Detailed Auditing

Applications

File Level: File System Security Manager / File System
- Implements Encryption, Access Control, Auditing on Host

Device Level: Volume Manager
- Support for file systems and raw

SAN / NAS / DAS / VM / Cloud
- Protect ALL sensitive data wherever/however it's stored


Enterprise/HA Architecture (diagram)

- Web Server
- Application Servers, with the GDE File System Agent
- Encrypted Folder/Guardpoint
- Data Security Manager/DSM
- Secure High Availability Connection


InfoSphere Guardium Data Encryption (GDE) addresses compliance requirements and protects data at the File System Level

File And Volume Encryption
- High Performance / Low overhead: Intel/AMD x86 processor AES-NI hardware encryption available
- Transparent: No changes to application or management required
- Broad OS, file system and volume support

Data File & Distributed File System Encryption
- Heterogeneous, transparent and high performance
- Encrypts the tablespace at the file and volume level
- Broad support for multiple database and big data vendors

Policy Based Access Control to Encrypted Data
- Policy-based, transparent
- Linked to LDAP and system level accounts
- By process, user, time and more
- Prevents Privileged User access to protected data while allowing normal application and systems management use

Key Management
- Securely stores and manages keys used in the implementation


File Encryption Management (diagram)

Clear Text view of Jsmith.doc vs. Encrypted view of Jsmith.doc
- File metadata is identical in both views: Name: Jsmith.doc, Created: 6/4/99, Modified: 8/15/02
- File Data in clear: Name: J Smith; Credit Card #: 6011579389213; Bal: $5,145,789; Social Sec No:
- File Data encrypted: ciphertext (e.g. 8nGmwlNskd 9f, Nac0&6mKcoS, qCio9M*sdopF)
- File System performs Block-Writes and Block-Reads of File Data

File systems always read and write in fixed block sizes
- Encryption takes place on the block IOs to a protected file
- GDE simply encrypts or decrypts the block reads and writes
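The block-level scheme described above, as an added illustration and not IBM's code: a simulated guardpoint file whose fixed-size blocks are encrypted one at a time, so a write re-encrypts only the blocks it overlaps while the file name stays in clear. The HMAC-SHA256 keystream, the 512-byte block size, the key and the file contents are all constructed for this example.

```python
import hmac
import hashlib

BLOCK_SIZE = 512  # constructed: file systems do fixed-size block IO (often 512 B or 4 KiB)

def _keystream(key, block_no, length):
    """Per-block keystream: HMAC-SHA256 as a PRF in counter mode, tweaked by the block number.
    Illustration only; a real agent uses a block cipher in a tweakable mode such as AES-XTS."""
    out = bytearray()
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, block_no.to_bytes(8, "big") + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class GuardedFile:
    """Simulated guardpoint file: block contents are encrypted, name and timestamps stay clear."""

    def __init__(self, name, key):
        self.name = name      # clear-text metadata, visible to everyone
        self.key = key
        self.blocks = {}      # block number -> ciphertext block ("on disk")
        self.size = 0
    def _read_block(self, n):
        if n not in self.blocks:  # never written: plaintext is zeros
            return bytes(BLOCK_SIZE)
        return _xor(self.blocks[n], _keystream(self.key, n, BLOCK_SIZE))
    def _span(self, offset, length):
        return range(offset // BLOCK_SIZE, (offset + length - 1) // BLOCK_SIZE + 1)
    def write(self, offset, data):
        """Read-modify-write only the blocks the byte range touches; returns their numbers."""
        span = self._span(offset, len(data))
        buf = bytearray(b"".join(self._read_block(n) for n in span))
        buf[offset % BLOCK_SIZE:offset % BLOCK_SIZE + len(data)] = data
        for i, n in enumerate(span):
            pt = bytes(buf[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE])
            # Caveat: same block number -> same keystream, so rewriting a block leaks old XOR new
            # to anyone holding both ciphertexts; this is why real products use XTS-style modes.
            self.blocks[n] = _xor(pt, _keystream(self.key, n, BLOCK_SIZE))
        self.size = max(self.size, offset + len(data))
        return list(span)
    def read(self, offset, length):
        """Decrypted view, as a user whose policy effect includes Apply Key sees it."""
        buf = b"".join(self._read_block(n) for n in self._span(offset, length))
        return buf[offset % BLOCK_SIZE:offset % BLOCK_SIZE + length]
    def raw(self, offset, length):
        """Ciphertext view: what Permit without Apply Key, or the raw disk, shows."""
        buf = b"".join(self.blocks.get(n, bytes(BLOCK_SIZE)) for n in self._span(offset, length))
        return buf[offset % BLOCK_SIZE:offset % BLOCK_SIZE + length]
```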


Policy Rules

WHO is attempting to access protected data?
- Configure one or more users, groups, or applications users may invoke who can access protected
WHAT data is being accessed?
- Configure a mix of files and directories
WHEN is the data being accessed?
- Configure a range of hours and days of the week for authorized access
HOW is the data being accessed?
- Configure which file system operations are allowed on the data, e.g. read, write, delete, rename, etc.
EFFECT: Permit; Deny; Apply Key; Audit
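A minimal evaluator for the WHO / WHAT / WHEN / HOW to EFFECT rule model above, added here as an example and not GDE's own engine. The rule fields, the first-match-wins ordering, and the sample policy (an oracle database process, a nightly backup account that is permitted without a key, a dba_admins group) are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch

@dataclass
class Rule:
    """One GDE-style policy rule: WHO / WHAT / WHEN / HOW -> EFFECT (field names are constructed)."""
    who: set                       # user, group or process names; empty set = anyone
    what: str                      # file or directory pattern, e.g. "/data/db/*"
    how: set = field(default_factory=lambda: {"read", "write", "delete", "rename"})
    hours: tuple = (0, 24)         # [start, end) in local hours; (22, 6) wraps past midnight
    days: set = field(default_factory=lambda: set(range(7)))  # Monday=0 .. Sunday=6
    effect: set = field(default_factory=lambda: {"deny"})     # subset of permit/deny/applykey/audit

@dataclass
class Request:
    user: str
    groups: set
    process: str
    path: str
    op: str
    at: datetime

def in_hours(hours, hour):
    start, end = hours
    return start <= hour < end if start <= end else (hour >= start or hour < end)

def matches(rule, req):
    who_ok = not rule.who or bool(({req.user, req.process} | req.groups) & rule.who)
    return (who_ok and fnmatch(req.path, rule.what) and req.op in rule.how
            and in_hours(rule.hours, req.at.hour) and req.at.weekday() in rule.days)

def evaluate(policy, req):
    """First matching rule wins (an assumption of this example); no match means Deny."""
    for rule in policy:
        if matches(rule, req):
            return rule.effect
    return {"deny"}

# Constructed sample policy for a database tablespace guardpoint.
POLICY = [
    # The database's own process gets clear text: Permit + Apply Key.
    Rule(who={"oracle"}, what="/data/db/*", how={"read", "write"}, effect={"permit", "applykey"}),
    # Nightly backup may read but gets no key, so it copies ciphertext; every access is audited.
    Rule(who={"backup"}, what="/data/*", how={"read"}, hours=(22, 6), effect={"permit", "audit"}),
    # Privileged humans touching tablespace files directly are denied and audited.
    Rule(who={"dba_admins", "root"}, what="/data/db/*", effect={"deny", "audit"}),
]
```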
